Cloud computing v OpenStack

Gii thiu Cloud computing v trin khai trn OpenStack

Thc hi n:

L Minh Ch Nguyn Sn Tng

Thng 4/2012

Page 1

Cloud computing v OpenStack

Contents
Thut ng vi t tt......................................................................................................................... 4 Tm lc ..................................................................................................................................... 5 Phn 1: Cloud Computing v cc gi i php...................................................................................... 6 I. Cloud computing.................................................................................................................... 6 1. Gii thiu v i n ton m my..................................................................................... 6 2. Nhng li ch ca in ton m my.............................................................................. 7 3. Cc cng ngh o ha (Virtualization Techn ologies) ............................................................. 8 Full-virtualization:.............................................................................................................. 8 Para-virtualization ........................................................................................................... 10 OS-level virtualization (Isolation) ...................................................................................... 10 4. Hng tip cn Cloud computing s dng cng c ngun m ......................................... 11 II. Cc gi i php m ngun m cho m hnh i n ton m my................................................ 11 1. Eucalyptus ...................................................................................................................... 14 2. OpenNebula .................................................................................................................... 14 3. Nimbus ........................................................................................................................... 14 4. Xen Cloud Platform (XCP) .............................................................................................. 14 5. AbiCloud ........................................................................................................................ 14 6. OpenStack....................................................................................................................... 14 Phn 2: OpenStack...................................................................................................................... 15 I. Amazon Web Service - ngun cm hng cho s ra i ca Openstack..................................... 15 II. Gi i thi u v OpenStack Projects.......................................................................................... 18 1. L ch s v Openstack........................................................................................................ 18 2. Tng quan v Openstack .................................................................................................. 19 2.1. Cc phin bn ca OpenStack .................................................................................... 19 2.2. OpenStack Diablo...................................................................................................... 19 2.1.1. OpenStack compute............................................................................................ 22 2.1.2. OpenStack Object Storage ................................................................................... 25 2.1.3. OpenStack Image Service .................................................................................... 28 2.1.4. OpenStack Dashboard (Horizon) OpenStack Identity ............................................ 30 II. M hnh tri n khai OpenStack.............................................................................................. 31 1. Cc cng c s dng ........................................................................................................ 31 2. Cc bc ci t trong th nghi m................................................................................... 32 ** Ci t MySql server.................................................................................................... 32 Thng 4/2012 Page 2

Cloud computing v OpenStack

** Ci t cc gi c bn nh unzip, rabbitmq-server, euca2tools... ................................... 32 ** Ci t v cu hnh Glance ........................................................................................... 32 ** Ci t v cu hnh Nova ............................................................................................. 32 ** To mt Nova project.................................................................................................. 33 ** To cc chng ch (credential) access key. .................................................................... 33 ** Upload image v khi chy instance ............................................................................. 33 ** Ci t v cu hnh Swift.............................................................................................. 33 Phn 3: Security trong Cloud computing ................................................................................... 35 I. CSA ..................................................................................................................................... 35 1. Qun l trong CC (5 phn) ................................................................................................ 35 2. Hot ng trong CC (8 phn) ............................................................................................ 35 II. NIST.................................................................................................................................... 36 III. Cc nghin cu t cc trng i hc.................................................................................. 36 1. Information Security Policies ............................................................................................ 37 2. Cloud RAS issues.............................................................................................................. 37 2.1. Data Leakage ............................................................................................................ 37 2.2. Cloud security issues ................................................................................................. 38 IV. Cc gi i php security cho m hnh Cloud Computing........................................................ 38 1. Access control and management ...................................................................................... 38 2. Cc bi n php i ph khi x y ra cc vn v security ..................................................... 39 3. DDoS............................................................................................................................... 39 III. OpenStack Security............................................................................................................. 40 Phn 4: Tng k t......................................................................................................................... 41 **** Nhng vic t c.................................................................................................. 41 **** Nhng vic cha t c .............................................................................................. 41 **** K hoch trong vi c th nghi m k ti p ........................................................................... 42 Ph lc:...................................................................................................................................... 43 Ph lc 1: Tutorial ci t OpenStack trn Ubuntu 11.10 64 bits ................................................ 43 Ph lc 2: Mt s link tham kho khc ..................................................................................... 43 References: ................................................................................................................................ 44

Thng 4/2012

Page 3

Cloud computing v OpenStack

Thut ng vit tt
CC IaaS PaaS SaaS CSA SLA NIST AWS HH VMM Cloud computing Infrastructure as a Service Platform as a Service Software as a Service Cloud Security Alliance Service Level Agreement National Institute of Standard and Technology Amazon Web Service H iu Hnh Virtual Machine Monitor

Thng 4/2012

Page 4

Cloud computing v OpenStack

Tm lc
Cloud computing (CC) ang l ch c bn lu n si n i nht hi n nay, cc cng ngh lin quan n 'cloud' nhn c r t nhi u quan tm t ng i dng v doanh nghip. c kh nhi u s n phm thng mi cng nh ngu n m min ph c gi i thi u cung cp cho ng i dng kh nng xy dng cc thnh ph n c a CC, t h t ng IaaS n PaaS v SaaS. Tuy nhin tt c vn ang trong qu trnh pht tri n, s r t sai l m n u ch nghe theo qu ng co t cc nh cung cp . c nh n xt chnh xc v chi tit hn v hi n tr ng c a cc sn ph m ny, cch tt nh t l hy th nghi m chng. Mt trong nhng u i m c a CC l n s dng hi u qu hn cc ti nguyn t h th ng vt l v hi u sut s d ng nng lng cao hn. IaaS chnh l thnh ph n quan tr ng nht gip cho CC thc hin c i u ny. L thnh ph n qu n l h t ng v ph n cng, m ng v phn ph i l i cc ti nguyn ny, IaaS chnh l ph n cung cp cho ng i dng kh nng xy dng h tng c s cho m my ring ca h (Private Cloud). Trong bo co ny nhm xin trnh by mt s th nghim bc u v mt trong nhng IaaS ang c quan tm nht hi n nay: Openstack. L mt d n ngu n m c tham gia b i hn 160 cng ty l n trn th gii, Openstack mang n cho cc doanh nghip kh nng xy dng cc m my ring phc v cho cng vic n i b ho c ln hn l m my cung cp dch v lin quan t i CC. Trong phn u c a bo co s gi i thi u mt s khi ni m v CC v cc cng ngh o ha. Ph n tip theo xin c trnh by v Openstack, cc cng vic th nghim v kt qu t c. Ph n cu i s phn tch security trong m t h th ng CC hon chnh so snh nh gi v i OpenStack. Cc ti li u tham kho cng nh h ng d n chi tit v ci t, c u hnh... c nh km trong ph n ph lc tham kho.

Thng 4/2012

Page 5

Cloud computing v OpenStack

Phn 1: Cloud Computing v cc gii php
I. Cloud computing
1. Gii thiu v in ton m my

in ton m my (cloud computing) hay cn gi l in ton my ch o ni cc tnh ton c nh hng dch v v pht trin da vo Inter net. C th hn, trong m hnh in ton m my, tt c cc ti nguyn, thng tin, v software u c chia s v cung cp cho cc my tnh, thit b, ngi dng di dng dch v trn nn tng mt h tng mng cng cng (thng l mng Internet) [1, 2]. Cc users s dng dch v nh c s d liu, website, lu tr, trong m hnh cloud computing khng cn quan tm n v tr a l cng nh cc thng tin khc ca h thng mng m my - in ton m my trong sut i vi ngi dng. Ngi dng cui truy cp v s dng cc ng dng m my thng qua cc ng dng nh trnh duyt web, cc ng dng mobile, hoc my tnh c nhn thng thng. Hiu nng s dng pha ngi dng cui c ci thin khi cc phn mm chuyn dng, cc c s d li u c lu tr v ci t trn h thng my ch o trong mi trng in ton m my trn nn ca data center.
Data center l thut ng ch khu vc ch server v cc thit b lu tr, bao gm ngun in v cc thit b khc nh rack, cables, c kh nng sn sng v n nh cao. Ngoi ra cn bao gm cc tiu ch khc nh: tnh module ha cao, kh nng m rng d dng, ngun v lm mt, h tr hp nht server v lu tr mt cao [3].

Hnh bn di m t mt nh ngha v CC bao gm 5 tnh nng chnh, vi 4 m hnh trin khai, v 3 m hnh dch v.

Thng 4/2012

Page 6

Cloud computing v OpenStack

Hnh 1: Tng quan Cloud Computing (NIS T)

[4]

5 tnh nng trong CC ty thuc vo m hnh tri n khai thc t c th khc nhau. V d trong m hnh private cloud, ti nguyn c s dng b i ch 1 doanh nghip th tnh nng On- demand service hay resource pool s khc so v i cc m hnh khc.
o Rapid elasticity : nh cung c p CC d dng ch nh cng nh thu h i ti nguyn ngi dng r t nhanh chng. V pha ngi dng c php yu cu m t ti nguyn khng gii hn v ch vic chi tr theo tin. Broad network access: truy cp vo cc ti nguyn my tnh d dng thng qua cc c ch network tiu chu n. Measured service : provider m b o vic tnh to n lng tiu dng c a khch hng. M hnh hng n l pay as you go. On-demand self-service : cho php khch hng ty ch nh ti nguyn s dng m khng c n ph i thng bo hay qua b t k s can thip no c a provider. Resource pooling : cc lo i ti nguyn v t l v o ca CC c chia s vi nhau v t ng cp cho cc users.

o o o o

C 3 m hnh tri n khai in ton m my chnh l public (cng c ng), private (ring), v hybrid (lai gia m my cng cng v ring). m my cng c ng l m hnh m my m trn , cc nh cung cp m my cung cp cc d ch v nh ti nguyn, platform, hay cc ng d ng lu tr trn m my v public ra bn ngoi. Cc d ch v trn public cloud c th mi n ph ho c c ph [5]. m my ring th cc dch v c cung cp n i b v th ng l cc d ch v kinh doanh, mc ch nh m n cung cp d ch v cho mt nhm ngi v ng ng sau firewall. m my lai l mi trng m my m k t hp cung cp cc d ch v cng c ng v ring [5]. Ngoi ra cn c community cloud l m my gia cc nh cung cp d ch v m my. V m hnh cung cp d ch v c 3 lo i chnh l IaaS cung cp h tng nh mt server, PaaS cung cp Platform nh m t service, v SaaS cung cp software nh m t service.

Trn y l nh ngha ca NIST v CC, ph n tip theo s trnh by v cc l i ch c a CC nh m n i bt cc tnh nng so v i cc m hnh truy n th ng.
2. Nhng li ch ca in ton m my

C th k ra mt s li ch c bn v c trng ca h thng in ton m my nh sau [6]: Tng s linh hot ca h thng (Increased Flexibility) : khi cn thm hay bt mt hay vi thit b (storaged devices, servers, computers, ) ch cn mt vi giy. S dng ti nguyn theo yu cu (IT Resources on demand): ty thuc vo nhu cu ca khch hng m administrator setup cu hnh h thng cung cp cho khch h ng. Tng kh nng sn sng ca h thng (Increased availability) : cc ng dng v dch v c cn bng ng m bo tnh kh dng. Khi mt trong cc hardware b h hng khng lm nh hng n h thng, ch suy gim ti nguyn h thng. Tit kim phn cng (Hardware saving): m hnh truyn thng trong nhiu trng hp cn mt h thng ring bit cho mi tc v, dch v. iu ny gy ra lng ph,

Thng 4/2012

Page 7

Cloud computing v OpenStack

trong m hnh in ton m my, cc ti nguyn IT c qun l m bo s khng lng ph ny. Cung cp cc dch v vi sn sng gn nh 100% (taking down services in real time) Tr theo nhu cu s dng thc t (Paying-as-you- go IT) : m hnh Cloud computing tch hp vi h thng billing thc hin vic tnh cc da theo dung lng ngi dng i vi cc ti nguyn nh tc CPU, dung lng RAM, dung lng HDD,

Tm li, m hnh in ton m my khc phc c 2 yu im quan trng ca m hnh truyn thng v kh nng m rng (scalability) v linh hot (flexibility). Cc t chc cng nh cng ty c th trin khai ng dng v dch v nhanh chng, chi ph gim, v t ri ro [6]. Phn tip theo s gii thiu v o ha l cng ngh ct li v c xem nh l mt bc m chuyn tip t m hnh truyn thng sang CC.
3. Cc cng ngh o ha (Virtualization Technologies) 3.1. Kernel mode v User mode

Trc khi i vo chi tit cc cng ngh o ha xin c s lc mt s khi ni m lin quan n vic x l trn ti nguyn ph n cng c a mt h iu hnh. Thng th ng mt HH khi c ci t s c 2 modes hot ng chnh:
Kernel mode: y l khng gian c bo v ni m nhn ca HH x l v tng tc trc tip vi phn cng. M t v d in hnh cho Kernel mode l cc drivers ca thit b . Khi c s c th h thng ngng hot ng v thng bo li nh windows s hin th mn hnh xanh khi c l i giao tip phn cng. User mode: y l khng gian ni cc ng d ng ch y, v d Office, MySQL, hay Exchange server. Khi c s c cc ng d ng th ch c cc ng dng ngng hot ng m khng nh hng g n server.

Khi m t ng d ng c n truy cp vo ti nguyn ph n c ng, v d a c ng hay network interface, ng d ng cn giao tip v i driver thch hp ch y trong kernel mode. S chuy n i qua l i gia User mode v Kernel mode cng l nhng ti n trnh- process v cng chi m d ng ti nguyn h th ng (CPU, RAM, ).
3.2. Hypervisor

Tt c cc lo i o ha c qu n l b i VMM (Virtual Machine Monitor). VMM v b n cht cng c chia lm 2 lo i l:

VMM ng vai tr nh m t phn mm trung gian chy trn HH chia s ti nguyn v i HH. V d: VMware workstation, Virtual PC, KVM. VMM ng vai tr l m t hypervisor ch y trn phn cng. V d : VMware ESXi, Hyper-V, Xen.

Hypervisor l mt ph n m m n m ngay trn ph n ph n cng hoc bn di HH nh m mc ch cung cp cc mi tr ng tch bit g i l cc phn vng partition. M i phn vng ng v i m i my o-VM c th chy cc HH c lp. Hin nay c 2 h ng tip c n hypervisor khc nhau (lo i 2 hypervisor VMM) v i tn g i: Monolithic v Micro hypervisor.
Thng 4/2012 Page 8

Cloud computing v OpenStack

Figure 2: Monolithic v Microkernelized Hypervisor [7]

Monolithic hypervisor: hypervisor c driver ring bit truy cp ti nguyn phn cng bn di. Cc VMs truy c p ti nguyn h th ng thng qua drivers ca hypervisor. iu ny mang l i hiu su t cao, tuy nhin khi driver trn hypervisor b s c th c h thng ngng hot ng, ho c ph i i m t vi vn an ninh khi drivers c th b gi d ng b i malware, m t ri ro trong mi trng o ha. Micro-kernelized hypervisor: lo i hypervisor ny khng c driver bn trong hypervisor m ch y trc tip trn m i partition. M t VM s ng vai tr pa rtition cha qu n l v khi to cc partition con (VM con). VM cha cng bao g m nhiu tnh nng khc nh qun l memory, lu tr drivers, iu ny mang l i s an ton v tin c y. Tuy nhin n cng gp ph i vn v sn sng (availability) khi partition cha g p s c, h thng cng b ngng tr.

3.3. Full-virtualization:

Figure 3: Full-virtualization

Full- virtualization l cng ngh o ha cung cp 1 loi hnh my o di dng m phng ca 1 my ch tht vi y tt c cc tnh nng bao gm input/output operations, interrupts, memory access, Hnh 3 miu t m hnh o ha FullVirtualization vi layer Virtualization thc hin chc nng o ha, cung cp cc my ch o (Guest OS) [8]. Tuy nhin m hnh o ha ny khng th khai thc tt hiu nng khi phi thng qua mt trnh qun l my o (Virtual Machines monitor
Page 9

Thng 4/2012

Cloud computing v OpenStack

hay hypervisor) tng tc n ti nguyn h thng (mode switching). V vy s b hn ch bt 1 s tnh nng khi cn thc hin trc tip t CPU. Xen, VMWare workstation, Virtual Box, Qemu/KVM, v Microsoft Virtual Se rver h tr loi o ha ny [9].
3.4. Para-virtualization

Figure 4: Para-virtualization

Para-virtualization hay cn gi l o ha mt phn l k thut o ha c h tr v iu khin bi 1 hypervisor nhng cc Oss ca guest thc thi cc lnh khng phi thng qua Hypervisor (hay bt k 1 trnh qun l my o no) nn kh ng b hn ch v quyn hn. Tuy nhin nhc im ca loi o ha ny l cc OS bit ang chy trn 1 nn tng phn cng o v kh cu hnh ci t. o ha Para -Virtualization c h tr bi Xen, VMware, Hyper-V, v UML [9, 10].

3.5. OS-level virtualization (Isolation)

Figure 5: OS -Level virtualization (Isolation)

OS level virtualization, cn g i l containers Virtualization hay Isolation: l phng php o ha m i cho php nhn c a h i u hnh h tr nhiu instances c cch ly da trn mt HH c s n cho nhi u users khc nhau, hay ni cch khc l t o v ch y c nhi u my o cch ly v an ton (secure) dng chung 1 HH. u i m c a o ha ny l bo tr nhanh chng nn c ng d ng rng ri trong cc lnh vc hosting. OpenVZ, Virtuozzo, Linux-VServer, Solaris Zones, v FreeBSD Jails h tr lo i o ha ny [9, 11]. Mt lu l lo i o ha Isolation ny ch t n ti trn HH Linux.

Nu o ha ch l cng ngh n n t ng c a CC th vic tri n khai CC trong thc t da vo 2 gii php c b n sau: s d ng cc s n phm thng mi cho CC nh ca VMware, Microsoft (Hyper-V), hoc cc s n ph m ngu n m nh Eucalyptus v OpenStack. Ph n k s trnh by v l i ch c a h ng tip c n tri n khai CC dng ngu n m.

Thng 4/2012

Page 10

Cloud computing v OpenStack

4. Hng tip cn Cloud computing s dng cng c ngun m

Vi nhng li ch nu ca m hnh Cloud computing trong phn trc, c bit l v flexibility v cost benefits, y s l mt xu hng tip cn trong tng lai. Tuy nhin, c rt nhiu cng ngh cho in ton m my vi nhng chi ph v gii php khc nhau ty vo mc ch s dng v u im ca mi cng ngh nh d dng trin khai, kh nng m rng cao, gi r, S dng cng c m ngun m trin khai Cloud computing t c nhng u im sau [6]: S ph thuc vo cc ph n mm ng kn v b n quy n (Avoiding vendor lock- in): cc gii php thng mi th ng l 1 b gi i php v i cc tiu chu n c a nh s n xut ch ng hn cc APIs c trng, cc kiu nh dng image v lu tr ring, s lm cho cloud khng tng thch, hoc khng t n d ng c nhng c s h t ng s n c. Hoc cc m my vendor lock- in trong tng lai s i mt v i vn di chuy n (migration) mt s d ch v sang nhng h th ng cloud khc, s kh khn ny l mt h n ch. Getting best-of-breed technology: cc d n v open source cloud computing lun lun c h tr v gip b i cng ng ton th gi i vi hng ngn ng i tham gia pht tri n cc functions m i v sa l i bugs (fix bugs). L i th ny c a open source s khng th c c bt k mt cng ty n l no. Kh nng m r ng khng h n ch : chi ph l vn n i tr i trong vn m r ng mng cloud v i gi i php ph n m m b n quy n. Tuy nhin v i open source clouds, v d m ng clouds s d ng Ubuntu, h i u hnh Ubuntu h tr cloud computing hon ton mi n ph nn vic m r ng rt d dng. Aligning the cloud to specific business needs: khi gii php thng m i thi u mt chc nng g , s rt kh tm ra phng thc thay th tr khi ch mt phin b n mi hn h tr. Nhng v i k thu t open source c th thay i code thm cc chc nng ph hp cho mc ch kinh doanh ca h th ng.

II. Cc gii php m ngun m cho m hnh in ton m my

Thng 4/2012

Page 11

Cloud computing v OpenStack

Eucalyptus Produced by Main purpose Users Santa Barbara university EC2 Cloud Enterprise OpenNebula Eucalyptus System Co mpany European Un ion Build private Cloud Researchers on Cloud Co mputing and Virtualizat ion Linu x (Ubuntu, RedHat Enterprise Linu x, Fedora et SUSE Linu x, Enterprise Server) Nimbus University of Chicago Cloud Co mputing scientific solution Scientific communit ies Xen Cloud Platform Citrix XenServer - Evolution of Citrix XenServer Enterprise - Linu x (Fedora, RedHat, CentOS et Suse Linu x Enterprise Server) - Windows 7 - Centralized - Three co mponents - Min imu m t wo servers Caml AbiCl oud Abico Cloud management Enterprise OpenStack Rackspace, NASA, Dell, Citrix, Cisco, Canonical etc. Offers Cloud Co mputing services Enterprises, service providers and researchers

Supported OS

Linu x (Ubuntu, Fedora, CentOS, OpenSUSE et Debian)

Most Linu x distributions

Linu x (Ubuntu et CentOS) - Windows XP - Mac OS

- Linu x - Windows - Requires x86 Server

Architecture

- Hierarchical - Five co mponents - Min imu m t wo servers Java, C and python

- Centralized - Three co mponents Minimu m two servers Java, Ruby and C++

- Centralized - Three co mponents - Min imu m t wo servers Python, java - GridFTP, Co mulus (new version of GridFTP) - SCP DHCP server installed on nodes - EC2 WS API - Nimbus WSRF

- Centralized - Three co mponents - Min imu m t wo servers Java, Ruby, C++, and python

Integration of OpenStack object and OpenStack co mpute Python

language

Storage

Walrus

- SCP - SQLite3

VastSky

HDFS

OpenStack Store

Network

DHCP server on the cluster controller - EC2 WS API - Tools as: HybridFo x, ElasticFo x - Zip file that

Manual configuration

Open vSwitch Co mmand lines XE (Xen Center and Versiera (co mmercial solution for Windows) - Authentication

WSManagement

OpenStack Co mpute

Access interface

- EC2 WS API - OCCI API

Web interface with Adobe Flex

Web interface Web

User

- Authentication

- X509 certificate

- Authentication

- Certification

Thng 4/2012

Page 12

Cloud computing v OpenStack

contains certifications - HTTPS connection administrator Load balancing Fault tolerance Li ve migration VMs locati on Compati bility wi th EC2 Used by - SSH connection - Root required The cloud controller Cluster controllers separation Node controller Yes NASA Root (On ly if necessary) Ngin x Database backend (registers virtual mach ine informat ion) Shared FS Cluster node Yes Reservoir Project , NUBA - SSL connection - Integrate Globus (certificat ion) Le context broker Period ic verification of cloud nodes Physical nodes Yes STAR - SSH connection (password stored in MD5 format)

- SSH connection XAPI Virtual mach ine states synchronization - Open Virtualizat ion Format - Shared Storage XCP Host Yes

- Authentication AbiServer

- Certification The cloud controller Replication

Clouds nodes No Active in Span

OpenStack Co mpute No

Thng 4/2012

Page 13

Cloud computing v OpenStack

1. Eucalyptus

Eucalyptus l mt ph n m m ngu n m Linux- based tri n khai in ton m my v i c 2 lo i hnh private hay hybrid (private and public). Eucalyptus cung c p IaaS (Infrastructure as a Service) thu n ti n cho vic ch nh ti nguyn (ph n cng, dung l ng lu tr, v h t ng m ng) da trn yu c u s dng. i m m nh c a Eucalyptus l tri n khai enterprise data centers m khng c n qu nhi u yu c u v c u hnh ph n cng. Hn na, Eucalyptus h tr kt n i v i d ch v m my n i ti ng c a Amazon AWS (Amazone Web ServicesT M) thng qua mt giao di n lp trnh chung. Ki n trc c a Eucalyptus n gi n, linh hot (flexible), c module ha (Modular) v t c nhiu u im nh chc nng snapshot, self- service, [12].
2. OpenNebula

OpenNebula l b cng c ngu n m s dng cho private, public, v hybrid cloud. OpenNebula hot ng tng thc h v i cc gi i php c a Xen, KVM, VMWare, v mi y l Virtual Box [13, 14].
3. Nimbus

Nimbus l mt d n i n to n m my ca Culumbus cung cp d ch v IaaS (Infrastructure as a Service). Nimbus h tr tri n khai 2 lo i o ha l Xen v KVM [13].
4. Xen Cloud Platform (XCP)

XCP l mt platform ngu n m cho vic tri n khai o ha my ch v in ton m my trn n n t ng c a Xen Hypervisor. XCP h tr nhi u Guest OS bao g m windows v linux, h th ng mng v lu tr cng nh cc cng c qu n tr n m trong XCP appliance. XCP c ngu n gc t Citrix XenServer v c chng nh n b n quy n b i GNU General Public License (GPL2) [13, 15]
5. AbiCloud

AbiCloud l gii php in ton m my private c pht tri n b i Abiquo cho php ng i dng c th xy dng mi tr ng IaaS. AbiCloud h tr cc k thut o ha Virtual Box, VMWare, XEN, v KVM [13, 16].
6. OpenStack

OpenStack l 1 d n m cng ng cho vic pht trin in ton m my ph hp v i cc nh cung cp (Cloud Providers) cng nh ng i dng (Cloud Customers) c pht tri n b i Rackspace hosting v Nasa. OpenStack bao g m 3 d n chnh: OpenStack Compute ( tri n khai vic qu n l v ch nh ti nguyn cho cc instances o), OpenStack Object Storage (thc thi vic lu tr, backup), v OpenStack Image Service ( m nh n vic pht hin, ng k, truy n t i d ch v cho cc images disk o) [13]. Hin nay OpenStack ang c nh gi l ph n m m ngu n m xy d ng CC m nh nht hi n nay v i s h tr c a cc hng my tnh l n trn th gii nh HP, Canonical, IBM, Cisco, Microsoft, y cng l b cng c quan trng ang c tri n khai v s c trnh by chi tit trong cc ph n tip theo.

Thng 4/2012

Page 14

Cloud computing v OpenStack

Phn 2: OpenStack I. Amazon Web Service - ngun cm hng cho s ra i ca Openstack
Ph n ny s gi i thi u s lc v mt trong nh ng nh cung cp d ch v v CC hng u hi n nay Amazon. Amazon xy d ng c m t h th ng d ch v AWS c b n kh hon chnh v n nh v IaaS v cc d ch v i km. Tip na AWS chnh l ngu n c m hng to ra nh ng n n t ng v IaaS nh Eucalyptus, Openstack...sau ny. T i sao l i nh v y? Chng ta s l t qua mt s mc th i gian, tr l i kho ng 10 nm trc t i th i i m m h u nh cha c m y cng ty c khi ni m v CC, tuy nhin c mt s ng i c t ng v vic cung cp ph n m m, h tng...nh l mt d ch v. Nhc n CC chng ta th ng ngh ngay n nhng tn tu i nh Google, Microsoft, Apple... Tuy nhin thc t, h khng ph i l nhng ng i i u trong cng ngh cng nh ng d ng v Cloud computing. Thc s v t m nhn s m v mc ng d ng v CC th ph i ni n Salesforce v tip l Amazon. Saleforce bt u t r t s m v i CC, ngay t nm 1999 hng c nh h ng pht tri n v SaaS, t vic cung cp cc d ch v qu n l khch hng, k ton, th ng k ti chnh... Theo nh bo co kinh doanh nm 2011, m ng d ch v v SaaS em l i cho Saleforce hn 3 t USD l m t con s ng ng ng m. Ngay c Google hay Microsoft nhng tn tu i 'non tr' trong cng m ng kinh doanh v CC cng ph i ghen t v i thnh tch ny. Khng d ng l i m c cung cp v SaaS nh Saleforce, Amazon t mt cng ty bn l cc m t hng dn d ng, i n t, sch... d n vn ln v c th ni l tn tu i l n nht hi n nay v d ch v h t ng cho CC. Cch y hn 10 nm, sau khi t n t i qua t khng ho ng bong bng dot com, Amazon d n ch ng minh phng chm bn hng qua m ng c a h l ng n. L cng ty c tc pht tri n nhanh nht sau 5 nm u tin (t nm 1995-2000 doanh thu l 2.8 t USD) v t xa Google (1998-2003 doanh thu 1.5 t USD). Ban u t ng ch ng i th c nh tranh c a Amazon ch l Wallmart hay BestBuy, eBay - nh ng cng ty bn l. Gi y Amazon l n sn v kinh doanh trong 16 lnh vc khc nhau trong m nh nh t v n l lnh vc bn l tip n l cc d ch v v CC.

Figure 6: Management console AWS

Thng 4/2012

Page 15

Cloud computing v OpenStack

Amazon thc s xy d ng c m t ch cng ngh hng m nh, c nh tranh trc tip v i cc nh cung cp d ch v hosting truy n th ng cng nh CC nh Rackspace, GoDaddy, Google... Theo nh n nh c a gi i chuyn mn Amazon to ra m t ki n trc v CC kinh i n AWS v i y cc d ch v v tnh ton, lu tr, c s d li u chuyn d ng... Thc t cho th y h u ht cc n n t ng khc nh Eucalyptus, Openstack... u c xy d ng theo m t ki n trc, cc thnh ph n ta nh AWS. Tt nhin cha c mt kh ng nh n n t ng c a ai t t hn mt cch r rng, nhng v i nh ng nh gi v tnh n nh, hi u nng v quan tr ng nht l gi c a d ch v. AWS v n ang l s n ph m tt nht hi n nay. Chng ta s lt qua mt s d ch v chnh c a AWS. Nh trong hnh d i y l ca s qu n l d ch v c a AWS.

AWS v n ang lin t c nghin cu c i thi n v b sung nhng tnh nng m i cho tp cc dch v c a h. Do khun kh c a vic nghin c u th nghi m Openstack nn nhm s ch a ra m t s gi i thi u c bn v nh n xt v cc d ch v chnh c a Amazon. T y s c m t ci nhn trc quan hn v Openstack v c m t so snh v i ' i th' l n nht c a n. Sau y l m t s mc th i gian quan tr ng c a AWS: Nhng d ch v chnh c a AWS ph i k n l: Amazon Elastic Cloud Compute (EC2) cung cp cc instance (my o) ty theo nhu cu, v i kh nng tnh ton, m r ng v cng linh hot. Hi u n gi n, EC2 cung cp cho ng i dng kh nng to cc my o trn h t ng c a Amazon, h c th cp pht
Thng 4/2012 Page 16

Cloud computing v OpenStack

ti nguyn (CPU, RAM) theo yu c u, v t Amazon s tnh ton cc chi ph. Cc instance c cc mc c u hnh khc nhau: nh nh t l mirco instance (1 CPU, 613 MB RAM) v l n nht t i hn 64GB RAM v 88 EC2 CPU (tng ng 2 x Intel Xeon E5-2670) Amazon Elastic Block (EBS) cung cp kh nng lu tr c lp, k t hp v i EC2. Hi u n gi n gi ng nh vic s d ng thm cc a m r ng trn cc my vt l. Khi m c s c t i instance th d li u lu trn EBS v n c th s d ng c lp, v c th chia s gia nh ng instace khc nhau. Amazon Simple Storage Service (S3) cung cp kh nng lu tr khng h n ch, cng gi ng nh EBS, S3 gi i quyt v n v lu tr, tuy nhin EBS c s d ng b i cc instance th S3 c s d ng nh m t a m ng. Thng qua m t giao di n (web hay m t GUI) ng i dng c th lu tr d li u c a mnh, backup d li u t cc ngu n khc nhau (t chnh EBS, EC2...) S3 s dng c s d li u Dynamo qu n l vic lu tr, ch khng s d ng cc CSDL quan h truy n th ng v i v i d ch v lu tr, ng i dng ch y u c v ghi d li u nn n u lu theo m hnh quan h s khng gi i quy t hi u qu. V cc thnh ph n trong AWS hot ng c lp v i nhau, chng c th kt hp l i c n c m t ph n trung gian gip truy n cc thng ip v ng b th i gian gi a cc d ch v. Amazon pht tri n ring m t d ch v tn Simple Queue Service - y chnh l thnh ph n u tin m Amazon pht tri n, v ph i m t t i 2 nm (2002-2004) m i c b n hon thi n. Tuy c v khng m y quan tr ng nhng y l i chnh l m t i m m u ch t gip to nn sc m nh c a h th ng cc d ch v AWS. Ngoi ra th AWS ang cung cp rt nhi u d ch v khc na nh SimpleDB (lu tr truy v n theo ki u quan h truy n th ng), Elastic MapReduce Service (p dng trong vic tnh ton hi u nng cao, x l d li u l n, thng qua S3 v EC2)... Ty theo lu l ng s d ng, ti nguyn h th ng b n c n...Amazon s tnh ton chi ph v yu c u b n thanh ton. V c b n b n ch ph i tr cho nh ng g b n s d ng. Khi b n khng cn dng n ti nguyn no , b n c th 'd ng' n l i v khng ph i tr ph trong th i gian . y chnh l m t trong nhng i m th v c th th y v i CC. Amazon hi n cho php ng i s d ng th nghi m cc d ch v c b n ( quy m nh nh t) mi n ph trong m t nm u tin. ng k r t n gi n, b n c n khai bo ti kho n ngn hng c a mnh, s khng m t m t kho n ph no n u ch c i u kho n t Amazon. V d khi s d ng EC2 n u b n 'l tay' ch n instance khng ph i lo i micro, v y l b n mt ph r i y. Nhm s demo mt s chc nng chnh c a AWS trong bu i gi i thi u, b n cng c th xem trong ph n ph lc. Ng i dng c th tng tc v i AWS thng qua AWS Management Console b ng cch ng nhp v i username v mt kh u, sau v i mt giao di n Web ng i dng c th s dng cc chc nng c a AWS. V i t ng d ch v c th nh EC2, S3... AWS s cung cp cho

Thng 4/2012

Page 17

Cloud computing v OpenStack

ng i dng cc ch ng ch, public/private key ch ng thc v i h th ng, sau ng i dng c th tng tc thng qua mi tr ng dng l nh (trong Linux s dng gi ec2tools). AWS h tr m t s ngn ng lp trnh c b n nh Java, PHP, Ruby, .NET, Python... thng qua cc API. Cc lp trnh vin c th s d ng nh ng API ny tng tc, lp lch, t ng kh i to m r ng...v i cc d ch v c a AWS. Theo nh gi t c ng ng th AWS API ho t ng r t t t trn cc n n tng khc nhau. Ngn ng c AWS khuy n co s d ng l Python, Java.

II. Gii thiu v OpenStack Projects

1. Lch s v Openstack

Trong ph n gi i thi u v AWS trn, chng ta c b n n m c mt s chc nng m mt sn ph m thng m i hi n t i ang cung c p c cho khch hng, t ta c th so snh m t cch tng i gi a nh ng chc nng m gi cng c ngu n m ny thc hi n c. lm r thm l do l y AWS lm ' i chi u', xin c trch qua m t s mc quan tr ng d n t i s ra i c a Openstack. Tr l i mc 2005 khi m Amazon ra m t th nghi m EC2, l m t thnh cng l n gy bt ng cho c ng ng. V i s n nh c a n, cc cng ty khc c th n gi n thu EC2 trong m t vi gi v i m t mc nng lc r t rt l n thc hi n cc cng vic tnh ton c n t i hi u nng cao c a h. V d m Amazon th ng em ra so snh l vic hp tc gia h v NASDAQ - sn chng khon c n x l m t l ng d li u tnh ton cc l n vo cu i tu n, thay v u t m t h th ng my ch phc tp, h ch thu EC2 trong vi gi v chi ph tit ki m r t r t nhi u hn na hi u qu cng vic l i tt hn. Mt trong nhng cng ty c n s dng kh nng tnh ton hi u nng cao ki u nh th l NASA. H c k ho ch ti c u trc l i trung tm d li u c a h, v h c n mt n n t ng IaaS c th s dng t t hn h t ng vt l m h c. Amazon EC2 l mt t m gng tt ng ng ng m. Vo kho ng nm 2008 NASA b t u s d ng tham gia vo Eucalyptus m t d n nh m cung cp mt IaaS gi ng nh AWS (EC2 v S3). Tuy nhin khng nh mong mu n ca NASA, Eucalyptus khng ph i l mt d n m hon ton, cng ty u cho n khng cho php NASA xem mt s thnh ph n ng kn c a Eucalyptus. R n nt b t u t y. Sau NASA bt u nghin c u d n ring c a h cng v i mc ch xy dng m t h t ng nh Amazon EC2, v codename c a d n l Nebula. V i s tc ng t nhi u pha khc nhau, cu i cng vo nm 2010 NASA quy t nh cng b m ngu n c a Nebula v pht tri n n d i d ng ngu n m v i codename l Nova. Sau Rackspace tip t c ng ghp n n t ng lu tr c a h vo d n v i codename Swift. D n Openstack c thnh lp v i cam kt pht tri n theo h ng m. N nhanh chng nh n c s ng thu n t rt nhi u hng cng ngh khc v cng ng. Hi n nay c hn 160 cng ty tham gia vo d n ny v i h u h t cc tn tu i l n nh: NASA, Rackspace, Cisco, Citrix, Microsoft, HP, Dell, Canonical... Nh ni AWS chnh l ngu n c m h ng to nn Openstack ngy nay, AWS l n n t ng ng c a Amazon v Openstack l mt n n t ng m dnh cho t t c cc cng ty v c ng
Thng 4/2012 Page 18

Cloud computing v OpenStack

ng s dng. M c ch ca Openstack l cung cp cho ng i dng kh nng xy dng mt h t ng cho c private cloud v public cloud. c nhi u cng ty s dng Openstack xy dng d ch v phc v nhu c u c a chnh h v cho thu nh chnh NASA v Rackspace.
2. T ng quan v Openstack

Openstack c chu k pht tri n 6 thng, i cng v i s pht tri n c a CC, v i m i phin b n Openstack l i b sung thm thnh ph n m i tng ng v i nh ng chc nng m i. Openstack hon ton l ngu n m, cc thnh ph n c a n c vi t trn Python - ngn ng ang c nh gi r t cao nhng nm g n y.
2.1. Cc phin b n ca OpenStack

Austin 10/2010: l phin bn u tin c a OpenStack bao g m 2 projects l Object storage (cn g i l Swift) v Compute (cn g i l Nova). Project Compute trong phin b n ny ch mc testing v h n ch nhiu tnh nng khi tri n khai. Bexar 2/2011: tch hp 1 project mi l Image Service, ng th i c nhi u s thay i c i ti n trong Nova v Swift. Phin bn ny cho php lu tr files ln hn 5Gb v tch hp mt service mi swauth cho vic chng thc, th m quyn. ng th i c i ti n nhiu tnh nng trong API cng nh m r ng vic h tr cc hypervisors cho o ha. Cactus 4/2011: phin bn ny cng bao gm 3 projects nh Bexar, tuy nhin c s c i ti n API v h tr thm 2 cng ngh o ha LXC containers v VMware. Glance gi i thi u cng c command- line m i phc v vic truy cp d ch v, thm cc nh d ng image, v thm nh image m bo ton v n d li u (integrity). Diablo 11/2011: y l phin bn ang c s d ng th nghi m, cng c 3 projects chnh nh phin b n Cactus. Essex 4/2012: phin b n m i va ra i s th nghi m trong th i gian t i v i s h tr v nng cp 2 projects m i l Identity v Dashboard.
2.2. OpenStack Diablo Kin trc conceptual v logical

Sau y l s ki n trc m c conceptual c a Openstack:

Thng 4/2012

Page 19

Cloud computing v OpenStack

Figure 7: Kin trc Logic OpenStack (conceptual)

Trong th nghi m, nhm s d ng b n Openstack ra m t ngy 22/11/2011 m Diablo. Trong phin b n ny g m ba thnh ph n chnh:
Compute (tn m Nova) cung cp kh nng tnh ton vi nh ng instance - tng ng vi EC2 ca Amazon. Image Service (tn m Glance) lu tr cc file nh ca cc instance trc khi c 'bung' ra s d ng bi Nova - AWS cng c m t thnh ph n tng t qun l cc image tuy nhin v l n n t ng ng, nn thng tin chi tit v n khng c cng b r rng. Object Storage (tn m Swift) cung cp kh nng lu tr - tng ng vi S3.

Phin b n m i nh t c a Openstack ra m t ngy 05/04/2012 v i codename Essex, b sung thm hai thnh ph n m i l:
Dashboard (tn m Horizon) cung c p giao din web qun l Openstack. Identity (tn m Keystone) cung cp kh nng authentication v authorization cho cc d ch v c a Openstack.

mc kin trc logical, OpenStack c minh ha sau y:

Thng 4/2012

Page 20

Cloud computing v OpenStack

Figure 8: Logical Architecture

M hnh ki n trc logic c a OpenStack c di n gii qua 3 chnh sau y: Ng i dng cui tng tc thng qua 1 giao di n web (Horizon) Tt c cc services u c ch ng thc thng qua Keystone Cc dch v c nhn ring bit tng tc vi nhau thng qua cc APIs tng ng.

Cng gi ng nh AWS, cc thnh ph n c a Openstack hot ng c lp, do v y c n ph i c m t ph n trung gian gia nh m trung chuy n, ng b th i gian, thng tin v ti nguyn cho c h th ng. Openstack hi n s d ng Rabbit queue message chuy n cc thng ip qua l i. Trong phin b n Diablo th nghi m hai thnh ph n Dashboard v Indentity cha ho t ng tt v i 3 thnh ph n Nova, Swift, Glance nn hi n nay v n cha th ci t chng hot ng ng.
Thng 4/2012 Page 21

Cloud computing v OpenStack

Sau y xin gi i thi u chi tit hn v cc thnh ph n chnh c a Openstack.
2.1.1. OpenStack compute

y l ph n c b n nh t ca Openstack c chc nng i u khi n IaaS v phn ph i l i ti nguyn h th ng cho cc instance v i kh nng tnh ton lu tr c lp. N tng ng v i Amazon EC2. V c bn Nova cung cp cho ng i dng kh nng ch y cc instance (my o) v giao di n qu n l cc instance trn h t ng ph n cng. Tuy nhin Nova khng bao g m b t c ph n m m o ha no. Ci n lm l s dng l i cc hypervisor (do ng i dng ty ch n ci t) thc hi n vic o ha tnh ton. Ng i dng c th s d ng cc hypervisor khc nhau trong cc zone khc nhau. D i y l cc hypervisor m Nova hi n h tr :
Hyper-V 2008 KVM - Kernel-based Virtual Machine LXC - Linux Containers (through libvirt) QEMU - Quick EMUlator UML - User Mode Linux VMWare ESX/ESXi 4.1 update 1 Xen - XenServer 5.5, Xen Cloud Platform (XCP)

Cc tnh nng chnh c a OpenStack Compute [17]

Qun l ti nguyn o ha bao gm CPU, memory, disks, network interfaces. Tt c cc ti nguyn c hp nht vo trong 1 b pool of computing. Vic ny s tng tnh t ng v tn dng ti nguyn, em li li ch ln v kinh t. Qun l mng ni b (LAN) Flat, Flat DHCP, VLAN DHCP, IPv6 OpenStack c lp trnh ch nh cc a ch IPs v VLAN (Virtual LAN). Chc nng ny gip cho vic cung cp dch v networking v nng tnh bo mt khi cc VLANs c tch ri nhau. ng thi tnh linh hot trong m hnh mng cng ph hp vi mi ng dng cho mi user/group. API vi nhiu tnh nng v xc thc: c thit k t ng v an ton qun l vic users truy cp vo cc ti nguyn v ngn chn truy cp tri php qua li gia cc users. Distributed and asynchronous architecture Massively scalable and highly available system (for increased assurance of system uptime) Virtual Machine (VM) image management Live VM management (Instance) khi to, khi ng, ng bng, hay xa instances. Ngoi ra cn c tnh nng lifecycle management. Floating IP addresses: Security Groups Role Based Access Control (RBAC) Projects & Quotas VNC Proxy through web browser Advanced Scheduler (Diablo v3 07/28 Started)

Nova c 7 thnh ph n chnh:

Thng 4/2012 Page 22

Cloud computing v OpenStack

Figure 9: Cc thnh phn ca Nova

Cloud Controller - qu n l v tng tc vi t t c cc thnh ph n ca Nova API Server - ging nh m t Web service u cu i ca Cloud Controller Compute Controller - cung cp, qun l ti nguyn t cc instance. Object Store - cung cp kh nng lu tr, thnh ph n ny i cng vi Compute Controller Auth Manager - d ch v authentication v authorization Volume Controller - lu tr theo block-level - gi ng nh Amazon EBS Network Controller - to qun l cc kt n i trong virtual network cc server c th tng tc vi nhau v vi public network Scheduler - chn ra compute controller thch h p nh t lu instance.

Cc thnh ph n c a Nova ho t ng c lp, kt n i v i nhau b ng cc thng ip (messagebased architecture). Cc thnh ph n Compute Controller, Volume Controller, Network Controller v Object Store c th ci t trn cc server vt l khc nhau. Nh trong hnh trn c th th y Cloud Controller giao tip v i Object Store thng qua HTTP nhng giao tip v i Scheduler thng qua AMQP (Advanced Message Queue Protocol) trnh vic tc ngh n khi khi i cc thnh ph n ph n h i, Nova s d ng cc hm g i khng ng b (asynchronous), v i m t call-back c g i khi m response c nh n. Do c to thnh t nhi u thnh ph n khc nhau nn c mt s chc nng ang c xy dng l i, m t s chc nng b lp . i n hnh nh trong Nova, thnh ph n Object Store dng lu cc image (file nh c a cc h i u hnh o khi cha c ch y), ng thi Glance cng l ni lu tr cc image . Tuy nhin vic ny khng nh h ng g nhi u
Thng 4/2012 Page 23

Cloud computing v OpenStack

n h th ng. Ng i dng c th ty ch n gia cc la ch n ny. Theo khuy n co th Glance v n c u tin hn. User v Project Nova c thit k s d ng cho nhi u i t ng khc nhau, n s d ng cc quy t c phn quy n c b n thng qua Role-Based Access Control (RBAC) bao g m 5 lut:
Cloud Aministrator (admin): Global role. User vi quyn ny c ton quyn vi c h th ng. IT Security (itsec): Global role. Quyn ny hn ch hn so vi admin. N cho php user gi v cch ly cc instance trong b t c project no n u c vn . Project Manager (projectmanager): Project role. Ngi s h u m t project no , ngi c quyn ny c th thm user vo project, tng tc vi cc image, chy v kt thc (terminate) cc instance trong vng project qu n l. Network Administrator (netadmin): Project role. nh v (allocate) v gn public IP cho instance. Thay i cc lu t ca firewall. Developer (developer): Project role. y l quyn mc nh c gn cho ngi dng.

Nova-network Thnh ph n ny tng tc v i nova-compute, c nhi m v k t n i gia cc instance v i nhau v cc instance v i public network. Cng gi ng nh AWS hay Eucalyptus mt instance trong Openstack c th c 2 IP. Mt private IP c dng k t n i gia cc instance v public IP c dng k t n i instance v i Internet (public network). nova-network c ba cch qu n l khc nhau: Flat Network: t o m t giao di n bridge da trn ethernet adapter giao tip gia cc node. Khi ch n c u hnh l Flat Network, Nova s khng qu n l cc thao tc v networking c a cc instance. n gi n lc IP s c gn cho cc instance thng qua file system. Cc metadata ph i c c u hnh th cng trn cc gateway n u l yu c u c a m ng n i b. Hnh sau y m t v cch c u hnh ny trn nhi u node khc nhau thng qua m t ethernet adapter:

Thng 4/2012

Page 24

Cloud computing v OpenStack

Figure 10: V d Flat Network

Flat DHCP Networking: v i ki u c u hnh ny th host ch y nova- network s ng vai tr nh m t gateway cho cc virtual node.

Figure 11: Flat DHCP networking

VLAN Networking: l c u hnh mc nh c a nova. N cho php admin gn cc vng private network cho m i project. V instance c th c truy cp thng qua VPN t ngoi Internet. Trong ki u cu hnh ny, m i project s c mt VLAN ring, mt Linux networking bridge v subnet. Subnet c ch nh b i admin v c gn ng cho project khi c yu c u. Mt DHCP server c ch y qu n l cho m i VLAN gn IP cho m i instance trong vng subnet c gn cho project. Tt c cc instance thuc cng project c t trong mt VLAN ring.
2.1.2. OpenStack Object Storage

OpenStack Object Storage hay cn g i l Swift c Rackspace open-source t nm 2010, n chnh l cng ngh c s dng ng sau Rackspace's Cloud Files m t trong nhng gi i php lu tr thng m i rt tt hi n nay c nh tranh v i Amazon S3.
Thng 4/2012 Page 25

Cloud computing v OpenStack

Swift l ph n m m ngu n m to ra cc phin b n gi ng nhau cho vic lu tr d li u, ng th i v i vic m rng lu tr rt linh hot v s d ng c ch clusters, kh nng ca swift c th lu tr ln n petabytes d li u truy cp. Swift khng ch l mt h th ng data th i gian thc, n cn l mt h thng lu tr l n v i tnh cht lu di long term v i mt l ng d li u cc l n m vn m bo vic truy xut, phn cp, v nng cp (retrieved, leveraged, and updated). Cc i tng lu tr (Object Storage) s d ng ki n trc phn tn so v i m hnh t p trung, nn s khng c i m trung tm. Vic ny gip cho nng kh nng m rng, backup, v duy tr (scalability, redundancy and permanence). Cc i tng c ghi ln nhi u thi t b ph n cng khc nhau m trong , OpenStack ng vai tr chu trch nhim m bo vic ti to, sao nguyn, v ton v n c a d li u qua cc cluster. M t khc, cc cm lu tr d li u c th c m rng theo chiu ngang d dng qua vic thm cc nodes lu tr m i. N u 1 nodes tr c trc, hot ng c a OpenStack ngay lp tc ti to l i n i dung c a n t mt nodes c active khc. T t c cc cng vic trn c OpenStack thc hi n v mt logic m khng ph thu c vo b t k thit b ph n c ng no, vic ny m bo chc chn hn trong vic ti to, sao chp d liu ng th i trnh vic ph thuc vo thit b ph n cng, c bit cc thi t b chuyn d ng gi thnh cao.

Figure 12: T ng quan OpenStack Object Storage Cc tnh nng ca OpenStack Object Storage [18]
Store and Manage files programmatically via API: qu n l file thng qua giao din API Create Public or Private containers Leverages Commodity hardware HDD/node failure agnostic: m b o khng m t d liu bng cc c ch backup v sao lu t ng Unlimited Storage: lu tr khng h n ch Multi-dimensional scalability (scale out architecture)

Thng 4/2012

Page 26

Cloud computing v OpenStack

Account/Container/Object structure: cho php m rng n nhiu Peta-bytes, v hng t objects Built-in Replication: N copies cc accounts, container, v objects Easily add capacity unlike RAID resize No central database: hiu su t cao, trnh c th t c chai RAID not required Built-in Mgmt. utilities: Acct. Management: Create, add, verify, delete users Container Management: upload, download, verify Monitoring: Capacity, Host, Network, Log trawling, cluster health Drive auditing: cho php kim tra cc a pht hin h hng. VNC Proxy through web browser

Hnh d i y m t ki n trc logic c a Swift:

Figure 13: Kin trc Logic ca Swift

Cc thnh ph n chnh c miu t c th nh sau: Proxy Server - nh n cc request v ch ng thc user. Sau khi qu trnh ch ng thc hon t t, d li u s c chuy n trc tip t (hoc t i) user. Proxy server s khng ki m tra chng. Object Server - lu tr, qu n l cc i t ng c lu. Cc object s c lu theo dng binary cng v i metadata miu t v d li u . Container Server - lu tr thng tin v tr v danh sch cc object ang c lu bn Object Store.N khng bi t chnh xc object c lu u nhng n bit c th object c lu t i container no. D li u c lu mc nh trong mt CSDL Sqlite,

Thng 4/2012

Page 27

Cloud computing v OpenStack

n u Swift c ci t trn cc cluster khc nhau th CSDL ny s c to thm cc bn sao tng t. Account Server - cng gi ng nh Container Server nhng nhi m v c a n l qu n l danh sch cc Container ch khng ph i l object. The Ring - Thnh ph n ny s to m t nh x gia tn c a cc thc th c lu trn a cng v a ch vt l c a n. C nhi u ring khc nhau cho account, container v bject. Khi m cc thnh ph n khc c n s d ng b t c thao tc no tr object, container hay account th c n ph i tng tc v i ring tng ng tm ra ng a ch lu tr trn cluster. Ring c s d ng b i proxy server v cc ti n trnh khc ch y trong background.
2.1.3. OpenStack Image Service

OpenStack Image Service (cn g i l Glance) cung cp cc tnh nng v discovery, ng k (registration), v v n chuy n (delivery) cc d ch v cho cc a images o. API c a OpenStack Image Service cung cp mt giao di n tiu chu n cho cc thng tin truy v n v cc a image o lu tr trong cc back-end, bao g m lun c OpenStack Object Storage. Clients c th ng k mt a image o v i cc d ch v c s n, thc hi n vic truy v n thng tin. Cc tnh nng hi n t i [19]:
Image-as-a-service Multi-format/container support Image status Scalable API Metadata Image Checksum Extensive Logging Integrated testing Back-end store options Version control CLI access Built-in Mgmt. utilities Drive auditing VNC Proxy through web browser

Nh gi i thi u Glance l mt trong nhng thnh ph n chnh c a Openstack, nhi m v c a n l lu v cung cp cc file nh c a cc my o (instance). Glance g m c ba ph n:

Thng 4/2012

Page 28

Cloud computing v OpenStack

Figure 14: Cc thnh phn ca Glance

Glance API server - nh n cc hm g i API, tng t nh nova-api, n ch cc API request sau giao tip v i cc thnh ph n khc (glance-registry v image store) sau thc hi n cc cng vic c yu c u: truy v n, upload, delete image... Glance Registry server - lu v cung cp cc thng tin (metadata) v image (nh dng, ID, dung l ng...) M c nh s dng Sqlite lu cc metadata. Ngoi ra glance-registry lun nghe c ng 9191. Image Storage - lu tr cc file image Glance h tr mt s nh d ng sau:

Figure 15: nh dng Glance

m t chc nng c a Glance, n gi n ta c th miu t b ng s hot ng nh sau:

Thng 4/2012 Page 29

Cloud computing v OpenStack

Figure 16: Hot ng ca Glance

Trong ph n th nghi m nhm cng s d ng ba thnh ph n Nova, Glance v Swift. V c b n cc file image c a instance s c upload ln Glance server, sau Nova s g i t i Glance v yu c u l y mt trong nh ng file image kh i to instance bn trong nova-compute. Nu c d li u c n lu ring (backup, d li u dng chung gia cc instance) th s c lu trn Swift. Ba thnh ph n ny c lp v i nhau, nhng c th kt hp v i nhau hot ng nh m t th th ng nht.
2.1.4. OpenStack Dashboard (Horizon) OpenStack Identity

Trong l n th nghi m ny v n cha hon thi n c vic ci t hai thnh ph n ny cng v i Nova, Glance, Swift. Trong phin b n Essex hy v ng hai thnh ph n ny s hot ng tt hn. Sau y l mt s thng tin c b n v Keystone v Dashboard. Keystone l thnh ph n ch ng thc, token, catalog v policy service cho t t c cc d ch v khc c a Openstack. N c tri n khai thng qua Identity API c a Openstack. Dashboard cung cp mt giao di n web nh m tng tc qu n l cc thnh ph n cn l i c a Openstack, n k t hp v i Keystone chng thc user. c pht tri n da trn Django framework. N cung cp mt giao di n tng t nh AWS management console.

Figure 17: OpenStack DashBoard

Thng 4/2012

Page 30

Cloud computing v OpenStack

Thng qua Dashboard chng ta c th thc hi n h u ht cc thao tc i v i cc thnh ph n ca Openstack.

II. M hnh trin khai OpenStack

1. Cc cng c s dng

M i trin khai CC c thc hi n trn m t server DELL T710 Ubuntu 11.10 server amd64 Cc thnh ph n c a Openstack c ci t repository c a Ubuntu, tng ng v i phin b n Diablo c a Openstack. Tt c cc thnh ph n Nova, Glance, Swift c ci t trn mt server duy nh t. Do v y mt s thnh ph n ph nh ng b th i gian gia cc node l khng c n thit (khng c n s dng ntp server)

Figure 18: M hnh trin khai

Thm na ch c n s d ng m t adapter duy nh t cho vic c u hnh nova-network. Cc instance s c gn hai d i IP nh sau: Public IP dng k t n i cc instance ra Internet: 172.17.2.64/27 Private IP dng kt n i cc instnace v i nhau (mc nh lc kh i to s gn cho m i instance mt a ch): 10.0.0.0/22 32 32 Cc gi chnh s c ci t: Cc gi ph nh unzip gi i nn cc image, vnc v r t nhi u gi lin quan t i Python: python-software-properties memcached xfsprogs python-setuptools curl vncproxy unzip Chng ta s s d ng MySql server cho tt c cc d ch v: mysql-server Message queue server nh m chuy n cc thng ip gia cc thnh ph n c a Openstack: rabbitmq-server
Thng 4/2012 Page 31

Cloud computing v OpenStack

B cng c dng tng tc v i Openstack thng qua dng l nh, ban u n c thit k cho Eucalyptus nn m i c ti n t euca: euca2ools Cc gi lin quan t i Nova: nova-volume nova-api nova-nova-ajax-console-proxy nova-doc nova-scheduler nova-objectstore nova-network nova-compute Gi lin quan t i Glance: glance Gi lin quan t i Swift: swift swift-account swift-container swift-object swift-proxy Ch : v y khng ph i l "t t c " cc gi s c ci t, s c nhng gi ph na c t ng ci t km theo m chng ta cha cn quan tm. y ti liu ch xin nu ra cc gi c b n nht xy d ng mt m my Openstack trn m t node. Ph n ny khng i chi ti t vo qu trnh ci t m ch nu cc bc c n thi t c th c u hnh Openstack ch y c v i ba thnh ph n c b n. Trong chng ti s gi i thch r hn m t s i m m u cht. Ph n h ng d n ci t xin xem thm trong ph n ph lc.
2. Cc bc ci t trong th nghim

Sau y l m t s bc chnh ci t h th ng Openstack trong th nghi m c a nhm.

** Ci t MySql server

Mc nh th Glance v Swift s s d ng Sqlite server lu cc metadata cng nh cc d li u lin quan, chng ti ch n MySql l mt CSDL kh ph bi n v quen thuc v i cc nhu cu s d ng bnh th ng hi n nay t i mi tr ng chng ti lm vic. Chng ti s s d ng ba d ch v l Nova, Glance v Swift do v y c n to 3 CSDL nova_db, glance_db, swift_db tng ng v i cc user: nova, glance, swift s d ng trong nhng c u hnh ph n sau.
** Ci t cc gi c b n nh unzip, rabbitmq-server, euca2tools...

Cc ci t ny khng i h i thay i tham s g. Ch n gi n l ci v chng s ho t ng theo ng k ch b n.

** Ci t v c u hnh Glance

Cc file c u hnh c a Glance s c lu trong /etc/glance/ chng ta s thay i m t s thng tin v d nh trong glance-registry.conf. V CSDL s dng lu tr t Sqlite sang MySql. Ngoi ra trong th nghi m ny, khng c n thit ph i chnh thm thng s no khc c a Glance.
** Ci t v c u hnh Nova

Cc file c u hnh c a Nova c lu t i /etc/nova/. Trong th nghi m ny n gi n ha, nhm s ch thay i thng s trong /etc/nova/nova.conf. y l ni lu cc c u hnh quan tr ng nht c a Nova nh thng tin v CSDL, ki u c u hnh nova- network... Cu hnh nova-network ch VLAN. Ch s d ng m t interface eth0 t server DELL nh m kt n i cc instance ra Internet v to VLAN cho m i project.
Thng 4/2012 Page 32

Cloud computing v OpenStack

Nh ni trn, chng ta s d ng d i private IP l: 10.0.0.0/22 32 32 v d i public IP l 172.17.2.64/27 y l d i IP thc cng lp v i IP ca host (server DELL) do v y khi c u hnh xong v ch y cc instance, chng ta c th 'nhn' th y cc instance thng qua d i IP ny.
** T o mt Nova project

Nh ni trong ph n user v role trong Nova, chng ta s to m t user v i tn: testuser v sau s gn cho testuser quy n sysadmin. Tip chng ta to mt project tn testproject v gn n cho testuser v i ton quy n.
** T o cc chng ch (credential) access key.

V i m i project, Nova s cung cp cc ch ng ch v access key cho user nh m thc hi n vic ch ng thc. Cc thng tin quan tr ng nht n m trong file novarc. File ny c s dng to mt 'mi tr ng' v i nh ng tham s tr t i server m Nova c ci t. Gi s chng ta dng mt my client khc thc hi n cc truy v n trn Nova. Trn client ny chng ta cng ph i l y cc ch ng ch v access key ny v. T client ny c th d dng tng tc v 'ni chuy n' v i server ch y Nova. Chng ta c n m c ng 22 cho SSH service v c ng 80 cho HTTP service. Sau kh i ng l i t t c cc dch v c a Nova v Glance. Nu khng c l i th t by gi chng ta c th s dng Nova v Glance.
** Upload image v khi chy instance

Cc image c sn t cc server c a Ubuntu, Stackops... y cng l nhng file chu n m cc nh cung cp ny to s n cho ng i s d ng. Chng ta s c n ph i l y chng v v upload ln Glance (hoc nova object-store) V i m i instance chng ta cn gn cho n m t cp public/private key. M c ch l ng i dng c th s d ng chng ng nhp t i instance. Public key s c gn vo instace cn private key th ng i dng s lu l i ( l m t file .pem). T client ch c n s d ng private key tng ng v i instace b n c th SSH t i instance v thc hi n cc vic ci t thng qua dng l nh.
** Ci t v c u hnh Swift

Nh gi i thi u, m bo vic lu tr an ton v hi u qu, Swift lu mt object (d li u) trn nhi u zone khc nhau. th nghi m ny do chng ta ch c mt server nn t ng ch ng c ch ny khng m y hi u qu, nhng hy t ng t ng chng ta c nhi u server v xa hn na cc server n m t i cc v tr a l khc nhau. S an ton v d dng hn rt nhi u trong vic lu tr v c i thi n ch t l ng d ch v i v i ng i dng. th nghi m ny, nhm s dng m t phn vng a c ng khc Swift lu tr d li u trn . Nhm s to ra 4 server m ph ng cho vic lu tr object trn 4 node khc nhau. B n node ny t t nhin s cng IP nhng s s d ng cc c ng khc nhau cho t ng d ch v nh v y c th t m th i m ph ng c cch thc ho t ng c a Swift.

Thng 4/2012

Page 33

Cloud computing v OpenStack

Trong th nghi m chng ti s d ng Swauthkey nh m n gi n hn vic to user trong Swift, chng ta c th dng Swauthkey t o m i user ngay trn dng l nh ch khng c n ph i thay i thng s trong /etc/swift/proxy-server.conf. Chng ta c th tng tc v i Swift thng qua dng l nh. M t s trnh qu n l FTP nh CyberDuck c th tng tc v i Swift kh tt. Trn y ti liu trnh by qua cc bc chnh v ngha c a chng theo nh k ch b n ci t th nghi m. Ba thnh ph n ny u ho t ng, tuy nhin v n c r t nhi u tr c tr c, l i pht sinh trong qu trnh th nghi m s c trnh by ph n t ng kt.

Thng 4/2012

Page 34

Cloud computing v OpenStack

Phn 3: Security trong Cloud computing
nh gi v tnh bo m t trong CC, cn xc nh cc yu cu cng nh cc nh ngha v security trong cc gii php CC. iu ny ng ngha v i vic c n nghin c u v cc tiu chun t ra trong security. Ph n ny s trnh by v so snh cc tiu chu n CC security c a CSA, NIST, v cc nghin c u khc. Tip theo s xut cc gi i php trong CC v cu i cng l nh gi an ton c a OpenStack Diablo.

I. CSA
CSA l t chc phi chnh ph c thnh lp nm 2008 nh m mc ch nghin c u cc v n v security trong CC v i s hp tc c a rt nhi u cng ty l n trn th gii nh Microsoft, Google, IBM, VMware, Phin bn u tin ca CSA l 1.0 ra i thng 4/2009, sau l phin bn 2.1 ra i thng 12 cng nm v i nhng nguy c security c thm mi nh Information Lifecycle Management v Storage. Hin nay CSA ang phin bn 3.0 v i mt s c i ti n v m r ng, ch ng h n Security as a Service. Cc tiu chnh nh gi ca CSA u da trn cc nghin cu v c thm nh trong gi i hc thut (peer- review) trc khi c cng b thnh cc phin b n. Ph n ny s tm lc cc yu c u v security m CSA a ra c m t ci nhn v lnh vc r ng l n security trong CC. CSA chia cc yu c u v security ra 2 ph n chnh v i cc vn nh sau:
1. Qun l trong CC (5 phn)

Ph n ny CSA khuy n co v i nhi u phn mc [20], tuy nhin trong khun kh ti li u ch cp n:

Governance and Enterprise Risk Management: kh nn g qu n l v kim sot cc m i nguy h i trong mi trng kinh doanh (Enterprise), cc vn lin quan n nh n th c ngi dng, s ph i h p gia Provider v i ngi dng trong trch nhim bo v cc d liu b m t. Information Management and Data Security : qu n l d liu lu tr trong cloud, vic nh danh d liu, ch ng th t thot, m t d liu khi di chuyn data. m b o tnh b o m t, ton vn, v s n sng cho d liu (confidentiality, integrity, availability). Interoperability and Portability : di chuyn d liu v service t 1 nh cung cp sang 1 nh cung cp khc - interoperability, cng nh em ton b data back-in-house.

Ngoi ra cn c n i dung v SLA c xem nh l cc quy nh m bo mc an ton v s n sng c a h thng i vi ng i dng, ty chi ph m SLA c th cao hay thp.
2. Ho t ng trong CC (8 phn) Traditional Security, Business Continuity, and Disaster Recovery : CC cng phi i m t vi cc him h a an ninh nh cc h th ng truyn thng khc cng nh vn back-up h th ng v recovery khi c s c x y ra. Data Center Operations : m b o s hot ng c a Data Center v i y cc tnh nng ng th i vi n nh cao v lu di. Incident Response : kim sot, bo hiu trong vic x y ra cc s c . Application security Thng 4/2012 Page 35

Cloud computing v OpenStack

Encryption and Key Management: b o v vic truy c p vo ti nguyn h thng cng nh b o v d liu. Identity, Entitlement, and Access Management : m b o qu n l vic truy c p v ch ng th c user. Virtualization: nh ng nguy hi lin quan n VM isolation, l hng c a cc Hypervisor. Security as a Service : y l 1 yu cu mi v security trong phin b n ny v xc nhn m b o security t cc hng th 3 c uy tn trn th gii thng qua vic kim tra security. Vic ny m b o s tin tng ca khch hng cng nh to ra 1 ng lc nng cao security cho h thng.

Phn ny tm lc cc tnh nng lin quan n security trong cloud c CSA khuy n co khi mu n tri n khai CC. Ph n k s cng ch nhng c khuy n ngh b i NIST.

II. NIST
NIST National Institute of Standards and Technology khuy n ngh 1 guidelines honh chnh cho security v privacy trong CC vo thng 12/2011. M c ch ca NIST l cung cp m t ci nhn t ng quan v CC v cc thch thc bo m t trong CC [21]. Cc vn c NIST a ra l:
Governance Compliance Trust: cc vn v data ownweship, Insider Access, hay Risk management Architecture: thit lp b o v cho cc my o (VM), m ng o (Virtual Network), pha ngi dng v pha server. Identity and Access Management: th c thi Authentication v Access control Software Isolation Data Protection Availability: bo v ch ng l i cc m i nguy h i lin quan n s n sng c a h thng nh DoS, outages ( m b o h th ng in, ngun). Incident Response

Nhn chung, cc tiu ch c a NIST v CSA kh gi ng nhau khi gn nh r sot ton b cc yu cu m bo cho m t h th ng an ton, v d v m bo ch ng thc v quy n truy cp (authentication v access control), hay cc ph n ng khi c s c, cng nh software/application security, V cc gi i php v cc khuy n ngh (recommendation) c th c a CSA hay NIST s c trnh by trong ph n IV.

III. Cc nghin cu t cc trng i hc

Mt m hnh in ton m my, theo cc chuyn gia c a i hc Azad, Iran v cc nghin cu a ra trong h i ngh l n th 8-2009 ca IEEE, c n tha mn cc yu c u sau v security [5]:
Availability management: sn sng c a h th ng trong mi trng h p Access control management: qun l vic truy cp Vulnerability and problem management: kh nng ngn cn cc l h ng v thm nh p Page 36

Thng 4/2012

Cloud computing v OpenStack

Patch and configuration management: vn update h th ng thng xuyn ngay khi c b n v v c u hnh Countermeasure : cc bin php i ph khi gp s c v security Cloud system using and access monitoring : qu n l vic s d ng v truy c p ca user v i cloud.

c th c a mng m my v i nhi u lo i hnh khch hng khc nhau t ng i dng ph thng (ordinary users), gi i nghin c u (academia) hay cc doanh nghip kinh doanh (enterprise). S t l nghch gia security v performance lun l vn c n phi t ra v gi i quyt n u mun m bo 1 h thng m my an ton vi hi u sut cao. Tuy nhin v i cc lo i hnh khch hng khc nhau, nhu c u cng khc nhau. Ch ng h n v i khch hng enterprise, nhu c u v security c u tin hng u trn c performance trong khi gi i academia u tin vn hi u sut cao. V b n cht, cloud computing cng l m t mi tr ng mng public nh cc m ng truy n th ng nn v n phi i m t v i cc vn an ninh c bn nh cc l h ng c a web application (SQL injection hay Cross-site scripting), DNS poisoning hay ARP poisoning, Tuy nhin, vn v security trong cloud computing t tr ng tm vo vic nh gi qua Information Security Policies cc chnh sch bo v thng tin v Cloud RAS (reliability, availability, and security) issues cc nguy h i v an ninh gp phi trong c th mi tr ng cloud.
1. Information Security Policies

Mt s i m y u v Information security policies c th k ra nh sau [22]:

Privileged user access Regulatory compliance: khch hng (users) ph i ch u trch nhim hon ton v tnh an ton v ton vn (integrity) ca d liu. Trong m hnh truyn th ng vic ny c s gip c a cc t ch c kim ton (external audits) v cc security certifications. Data location: ngi s d ng cloud s khng th bit c chnh xc d liu ca h lu tr u. C ch lu tr phn tn gy ra s mt iu khin cho ngi dng v iu ny l m i lo khi chuyn t lu tr local sang lu tr trn m my. Data segregation: D liu ngi dng c lu tr chung v i nhau v vic b o v c th c thi bng m ha. Tuy nhin phng php c in ny khng th m b o vn an ton thng tin. Tuy nh in hin nay v n cha c 1 gi i php hon m cho vn ny. Recovery: m i vn v backup v khi ph c d liu c ngi dng mong mu n th c hin thng qua Cloud Provider m khng ph i 1 hng th 3. Investigative support Long-term viability

2. Cloud RAS issues

S pht tri n ca cloud n mc no i h i ph i c s kt hp gia cc nh cung cp cloud vi ngi dng pht tri n cc ng d ng. Vic chia s ny ng ngha v i vic gia tng cc m i hi m ha bo mt v i h i nhi u thch thc trong vic qu n l bo m t cho i ng IT. Cc nguy c ti m n m i trong m ng cloud c th k n:
2.1. Data Leakage

Khi chuyn h ng sang m hnh cloud s c 2 s thay i l n v mt d li u c a ng i dng cn c quan tm st sao: d li u s c lu tr cch xa ng i dng,
Page 37

Thng 4/2012

Cloud computing v OpenStack

khng cn trn a local truy n th ng v d li u s c lu tr trn nhi u ngu n (multi-tenant environment) thay v mt u mi nh trc y (single-tenant environment) [23]. y chnh l m i quan tm chnh trong vn bo mt.
2.2. Cloud security issues

B n ch t c a cloud provider cng l s truy n thng trn Internet s d ng giao thc TCP/IP m trong cc user c nh danh b i a ch IP. Cng ging nh m ng thu n vt l, m i my o trn Internet cng c nh danh b ng t nht 1 a ch IP m c th d dng tm th y b i ngi dng hay attackers. Tng t nh my v t l, attackers c th xm nhp t my o qua my ch vt l. Attacks in cloud: ngy nay c r t nhi u lo i hnh t n cng m ng, v v l thuyt, t t c cc lo i hnh c th c p dng e da cloud ty thuc mc khc nhau. Ch ng h n khi 2 users trong cng m ng cloud s d ng my o, c th xem nh 2 my vt l chung 1 network. DDoS attacks against Cloud: t n cng DDoS l ki u t n cng v i s l ng l n gi tin IP n 1 m ng nht nh v i mc ch lm ngng tr ton b h th ng mng . V i c i m r t nhiu ng i dng trong 1 mng in ton m my, s nguy h i n u h th ng b ngng tr l r t ln hn trong m hnh kin trc n i m [5]. Ph n l n cc m ng khng th no bo v ch ng l i t n cng DDoS bi v lng traffic v t hng ngn, vn my trn internet, ng thi cng rt kh phn bit bad traffic v good traffic. H th ng IPS r t h u hiu ngn chn DDoS nhng v i cc ki u t n cng c nh n d ng ho c v i cc gi tin, t p tin nhim c c lu tr (preexisting signature). Tuy nhin v i nh ng gi tin hp l mang n i dung x u vn c cho qua. Gii php firewall cng khng cn hu hi u v i DDoS khi cc gi tin bypass firewall cn d dng hn IDS/IPS [5].

IV. Cc gii php security cho m hnh Cloud Computing

Vi cc c trng ring ca cloud l gi i php cho mt s vn truy n th ng v security, ch ng h n vn downtime h thng, backup, lu tr phn tn, hay DoS. Mt s gi i php trong cloud c xut m bo an ton nh sau:
1. Access control and management

Thi t lp 1 c ch i u khi n vic truy cp l rt c n thit cho vic an ton thng tin ngn ch n vi c truy xu t tri php. V d vic ch nh quy n h n cho user s d ng cc d li u v d ch v. Mt lu cho c ch ny l ph i bao trm t t c cc qu trnh c a 1 user t khi m i bt u kh i to (initial registration) cho n khi k t thc l khng truy c p vo h th ng v d ch v na(de-registration). Theo tiu chu n c a Information Technology Infrastructure Library (ITIL) v ISO 27001/27002 v bo m t, m t h thng Security management phi m bo cc chc nng sau [24]:
Control access to information: truy c p vo thng tin Manage user access rights : qu n l quy n hn ngi dng Encourage good access practices Control access to network services. Control access to operating systems. Control access to applications and systems Page 38

Thng 4/2012

Cloud computing v OpenStack

Vic qu n l truy c p trong clouds c chia ra 3 ph n theo m hnh cung cp d ch v c a clouds
SaaS: mc d cloud providers qun l t t c cc lnh vc bao g m m ng, servers, v h t ng ng dng. Tuy nhin trong m hnh SaaS khi ng d ng c cung cp di d ng d ch v thng thng qua trnh duyt web, vic qun l network-based g n nh khng lin quan m t p trung vo v n qu n tr ngi dng, cc c ch ch ng th c m nh v s d ng one-time password [5, 24], Single Sign On [25], qu n l quyn h n, PaaS: Khc vi m hnh SaaS, trong PaaS, vic qu n l tr ng tm vo t ng network, servers, v cc platform h tng ng dng. Tuy nhin trong trng hp ny, ngi dng ph i ch u trch nhim cho vic qu n l cc ng dng t trn platform PaaS. Tuy nhin, vic truy c p vo cc ng dng phi c qu n l, ch nh, v ch ng th c. IaaS: cc khch hng ca IaaS ph i ch u hon ton trch nhim cho vic qu n l truy cp n ti nguyn ca h trn cloud. Vic truy cp vo cc server o, network o, h th ng lu tr o, v cc ng d ng trn m t IaaS platform s c thit k v qu n l b i khch hng. Vic qu n l truy cp m hnh IaaS bao g m 2 ph n chnh: qu n l host, network, v ng d ng thu c s h u ca cloud provider trong khi ngi dng ph i qu n l vic truy c p n cc server o, lu tr o, networks o, v cc ng dng chy trn cc virtual servers [24, 25].

2. Cc bin php i ph khi xy ra cc vn v security

Mt trong nhng i m quan tr ng c a cloud security l tm ra cc vn v l h ng b o mt tn ti, sau tri n khai cc bi n php thch hp i ph. Nhn chung, h th ng cloud c xy dng trn m t b nhiu engines lu tr v i kh nng h tr high availability p ng c vic backup qua l i cho cc server o v th t n u c s c xy ra. t c linh ho t, kh nng m r ng v hi u su t s d ng, cloud providers phi i m t v i nh ng vn trong vic phn tch v tnh ton phn b hp l ti nguyn cho cc cng vi c tnh ton khc nhau.
Partitioning : m t v d khi mu n nng cao hiu su t tnh ton ca cc ng d ng trn cloud l chia d liu ra nhiu partitions th c hin tnh ton trn nhiu nodes nh m mc ch tng hiu su t c a cc query v transaction. V th , cc kt qu c tnh ton r t nhanh chng v tr v. Migration: S linh ho t l m t trong nh ng yu cu chnh c a cloud, trong ng cnh cung cp cc d ch v cloud cn linh ho t trong vic s d ng ti nguyn. V d ti nguyn ph i c dnh ring cho cc hot ng cn thit v quan tr ng nht. Chnh iu ny lm cho vic qu t i ca cc node trong cloud khng x y ra khi c s di chuyn (migration) ca h th ng, c bit l h th ng CSDL ln, c bit vn m b o duy tr hot ng c a h th ng khi migration x y ra. Workload analysis and allocation

Ngoi ra cn tnh n cc gi i php disaster recovery khi c cc s c bt ng xy ra nh thin tai, l lt, chy n,
3. DDoS

Nh trnh by, v i cc h thng c y Firewall v IDS/IPS v n c th b t n cng DDoS. Tuy nhin, n u v i mt h t ng mng m nh v n c th chu c vi lu l ng
Thng 4/2012 Page 39

Cloud computing v OpenStack

DDoS cc l n. H tng cloud m bo cho i u ny khi ton b h t ng l s lin kt c a hng trm, ngn my tnh. i u ny gip cho qu n tr vin c thi gian gi i quy t s c tm ra nguyn nhn khc phc. V d h th ng IPS s hc c cc quy t c t n cng m i hay qu n tr vin ti n hnh phn tch gi v thit lp cc rules drop cc gi tin n vi ph m.

IV. OpenStack Security

Bt k s tri n khai CC no trong thc t d l s n phm thng mi hay opensource cng phi p ng cc yu cu cng nh bi n php x l t ra v security. Hi n nay v i mc tiu s dng b cng c ngu n m OpenStack, vic tri n khai ch m i hon thi n mc c bn (3 projects u trnh by ph n 4) nn cc cng c h tr security trong OpenStack v n cn tip c n mc h n ch.
Keystone (hay OpenStack Identity) chnh l thnh ph n chnh cho security v i cc ch c nng ch ng th c, chnh sch, trnh by s lc trn. User v Project: vic to cc user v project cng m b o vic truy c p ch ng th c khi user khng th truy cp vo cc project khng thu c ch qu n c a mnh ch c nng User v Project trong Nova. Keypairs: To cc kha gn cho instance khi khi to cng l 1 cng c m b o security khi ch c user c cp kha mi th m quyn truy c p instance.

Vic tri n khai keystone hin nay cha thnh cng nn mc nh gi cha chnh xc. Nhng cc chc nng security trong keystone s m bo an ton cho vic tri n khai mt IaaS.

Thng 4/2012

Page 40

Cloud computing v OpenStack

Phn 4: Tng kt
Trong 8 tu n th nghim nhm gp kh nhiu kh khn trong qu trnh ci t c u hnh cc thnh ph n c a Openstack. y l mt h th ng phc tp nhi u thnh phn ang trong qu trnh pht tri n nn ti li u v n c nhi u ch khng c chnh xc v cp nh t k p th i. Sau khi tham kho nhiu h ng dn t nhng ngi khc cng ang th nghi m Openstack, nhm quyt nh ch tp trung thc hi n vic th nghi m ba thnh ph n Nova, Glance v Swift. Mt ph n v hai thnh ph n Dashboard v Keystone cha hot ng tt trong phin bn Diablo, m t ph n v th i gian ra m t phin b n mi Essex cng khp v i thi i m k t thc th nghi m. Do v y vic th nghi m t t c cc thnh ph n k trn c a Openstack s c ki m tra v i phin b n Essex trong th i gian ti trnh vic lng ph th i gian. Sau y l m t s i m t ng k t l i sau qu trnh th nghi m:

**** Nhng vic t c

hon tt ci t v v n hnh c ba thnh ph n chnh c a Openstack l Nova, Glance v Swift tng ng v i hai d ch v quan tr ng nh t l cung cp ti nguyn v Cloud compute v Cloud storage. th nghi m cc my o c a Linux c bn nh Ubuntu, Debian, CentOs. Tuy nhin, ch s d ng cc file image c cung cp s n t cc hng ny. Trong Ubuntu l nh cung cp tt nht v y nh t v cc phin b n. (L do mt ph n v h l i tc chnh c a AWS v Openstack, thm na cng ty ny ang u t r t l n vo CC) Swift - thnh phn lu tr hat ng bnh thng, tng tc c v i mt s GUI nh CyberDuck trn Windows v MacOS. Ki m tra c cc chc nng c b n thng qua API v dng l nh (euca2tools) Bn thn cc gi Nova, Glance v Swift cng cung cp cc chc nng xem thng tin, upload, qu n l instance v d li u, tuy nhin v tn c a cc cu l nh kh 'r i rc' nn thng thng ti n cho vic s d ng ngi ta hay dng euca2tools. Gi ny tng thch v i c Eucalyptus v Openstack. Tt c thao tc trong th nghim u s dng cc cu l nh euca* ny.

**** Nhng vic cha t c

Cha th nghi m c hai thnh ph n Keystone v Dashboard. Cc thao tc qu n l ch thc hi n c thng qua dng l nh. V i ti nguyn v tnh ton: c th ch y cc instance (my o) Linux kh n nh. Tuy nhin v i cc my o ch y Windows v n cha thnh cng. V n c nhi u l i pht sinh ch ng h n nh b mt instance ho c khng th ng nhp vo instance. Cc l i ny theo nh gi c th xut pht t tnh cha n nh c a Openstack, th na l do
Thng 4/2012 Page 41

Cloud computing v OpenStack

trnh c a nhm cha hi u r v Linux v Openstack c th tm hi u v gi i quy t trit . V i ti nguyn v lu tr : m i ch ki m tra c s b cch thc ho t ng, cha c tm hi u c su v kh nng lu tr m r ng, lu tr file kch thc l n... Ngoi ra v gi i h n b i i u ki n ph n c ng, th i gian tri n khai nn v n cha ki m tra c hi u nng c a cc thnh ph n. Mt s chc nng c n c nhi u hn m t my ch ki m tra nh vic di chuy n m t instance, cn b ng t i...v n cha c thc hi n.

**** K hoch trong vic th nghim k tip

Phin b n m i Essex c a Openstack m i ra mt u thng 04/2012 ha h n nhi u c i ti n, v n nh hn. Hai thnh phn Keystone v Dashboard cng c gi i thiu tng thch tt hn v i cc thnh ph n cn l i. K hoch tip theo l chuy n sang th nghi m phin b n ny, kt hp v i vic m r ng h t ng v t l. V i m t m hnh ln hn, kh nng ki m tra hiu nng ca cc thnh ph n trong Openstack s chi ti t v c nh gi chnh xc, ng hn.

Thng 4/2012

Page 42

Cloud computing v OpenStack

Ph lc:
Ph lc 1: Tutorial ci t OpenStack trn Ubuntu 11.10 64 bits Xem file PDF i km Ph lc 2: Mt s link tham kho khc Security Solutions for Cloud Computing http://infosecisland.com/blogview/5449-SecuritySolutions- for-Cloud-Computing.html Security Issues and Solutions in Cloud Computing http://wolfhalton.info/2010/06/25/security- issues-and-solutions- in-cloud-computing/
http://www.hastexo.com/resources/docs/installing-openstack-essex-20121-ubuntu-1204-precisepangolin

Thng 4/2012

Page 43

Cloud computing v OpenStack

References:
1. in ton m my. Available from: http://vi.wikipedia.org/wiki/%C4%90i%E1%BB%87n_to%C3%A1n_%C4%91%C3%A1m_m%C 3%A2y. Cloud computing. Available from: http://en.wikipedia.org/wiki/Cloud_computing. Data center. Available from: http://en.wikipedia.org/wiki/Data_center. Wind, S. Open source cloud computing management platforms: Introduction, comparison, and recommendations for implementation . in Open Systems (ICOS), 2011 IEEE Conference on. 2011. Sabahi, F. Cloud computing security threats and responses. in Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on . 2011. Ubuntu Cloud: Technologies for future-thinking companies. 2012; Available from: http://www.canonical.com/about-canonical/resources/white-papers/ubuntu-cloudtechnologies-future-thinking-companies. Wesselius, J. Windows Server Virtualisation: Hyper-V, an Introduction . 2009; Available from: http://www.simple-talk.com/sysadmin/virtualization/windows-server-virtualisation-hyperv,-an-introduction/. Full virtualization. Available from: http://en.wikipedia.org/wiki/Full_virtualization. o ha trong in ton m my. 2012; Available from: http://hpcc.hut.edu.vn/forum/archive/index.php/thread-658.html. Paravirtualization . Available from: http://en.wikipedia.org/wiki/Paravirtualization. Operating system-level virtualization . Available from: http://en.wikipedia.org/wiki/OSlevel_virtualization. Eucalyptus open source cloud computing infrastructure - Overview. 2011; Available from: http://go.eucalyptus.com/Eucalyptus-Open-Source-Cloud-Computing-Infrastructure-AnOverview-Download.html. Mahjoub, M., et al. A Comparative Study of the Current Cloud Computing Technologies and Offers. in Network Cloud Computing and Applications (NCCA), 2011 First International Symposium on. 2011. Leads, O.P. OpenNebula 3.2 Key Features and Functionality . 2012 [cited 2012 22nd March]; Available from: http://opennebula.org/documentation:features. Systems, C. Xen Cloud Platform Project. 2012 [cited 2012 22nd March]; Available from: http://www.xen.org/products/cloudxen.html. Abiquo. Abiquo Overview. 2012 [cited 2012 22nd March]; Available from: http://www.abiquo.com/products/abiquo-overview.php. OpenStack Compute. 2012; Available from: http://openstack.org/projects/compute/. OpenStack Object Storage. 2012; Available from: http://openstack.org/projects/storage/. OpenStack Image Service. 2012. Archer;, J., et al., Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. Cloud Security Alliance, 2011. Jansen, W. and T. Grance., Guidelines on security and privacy in public cloud computing, 2011. Brodkin, J. Gartner Seven cloud-computing security risks. 2008; Available from: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-securityrisks-853. Stokes, J., T-Mobile and Microsoft/Danger data loss is bad for the cloud. 2009. Security management in the cloud. 2010; Available from: http://mscerts.programming4.us/programming/Security%20Management%20in%20the%20 Cloud.aspx.

2. 3. 4.

5. 6.

7.

8. 9. 10. 11. 12.

13.

14. 15. 16. 17. 18. 19. 20. 21. 22.

23. 24.

Thng 4/2012

Page 44

Cloud computing v OpenStack

25. Security Management in the Cloud - Access Control. 2012; Available from: http://mscerts.programming4.us/programming/Security%20Management%20in%20the%20 Cloud%20-%20Access%20Control.aspx.

Thng 4/2012

Page 45