Prepared by:
L Minh Ch
Nguyn Sn Tng
April 2012
CC: Cloud computing
IaaS: Infrastructure as a Service
PaaS: Platform as a Service
SaaS: Software as a Service
CSA
SLA
NIST
AWS
HĐH: Operating system (hệ điều hành)
VMM
A data center is the term for the area that houses servers and storage devices, including the power supply and other equipment such as racks and cables, with high availability and stability. It also covers other criteria such as high modularity, easy scalability, power and cooling, and support for server consolidation and high-density storage [3].
The five characteristics of CC may differ depending on the actual deployment model. For example, in the private cloud model, where resources are used by a single enterprise, the on-demand service and resource pool characteristics differ from those of the other models [4].
- Increased flexibility: adding or removing one or several devices (storage devices, servers, computers, ...) takes only a few seconds.
- IT resources on demand: depending on the customer's needs, the administrator sets up the system configuration that is delivered to the customer.
- Increased availability: applications and services are dynamically balanced to ensure availability. When one piece of hardware fails the system is not affected; only the system's available resources are reduced.
- Hardware saving: in the traditional model, many cases require a separate system for each task or service. This causes waste,
Before going into the details of the virtualization technologies, here is a brief overview of some concepts related to how an operating system handles hardware resources. Normally, once installed, an OS has two main operating modes:
Monolithic hypervisor: the hypervisor has its own drivers for accessing the underlying hardware resources. VMs access system resources through the hypervisor's drivers. This gives high performance, but if a driver in the hypervisor fails the whole system stops, and there is a security concern in that drivers can be impersonated by malware, a risk in virtualized environments.
Micro-kernelized hypervisor: this kind of hypervisor has no drivers inside the hypervisor; the drivers run directly in each partition. One VM acts as the parent partition that manages and creates the child partitions (child VMs). The parent VM also includes other functions such as memory management and hosting the drivers, which improves safety and reliability. However, it also has an availability problem: when the parent partition fails, the system stops as well.
3.3. Full-virtualization:
Figure 3: Full-virtualization
Figure 4: Para-virtualization
Comparison table of the open-source cloud platforms (cells flattened by extraction; row labels and cell values are listed in the order they were extracted):
OpenNebula
Produced by
Santa Barbara university
Eucalyptus System Company
European Union
Main purpose
EC2 Cloud
Enterprise
Researchers on Cloud Computing and Virtualization
Users
Nimbus
University of Chicago
AbiCloud
Citrix XenServer
Abiquo
Cloud Computing scientific solution
Scientific communities
- Evolution of Citrix XenServer
Cloud management
Enterprise
Enterprise
Most Linux distributions
- Linux (Fedora, RedHat, CentOS and Suse Linux Enterprise Server)
- Windows 7
Linux (Ubuntu and CentOS)
- Windows XP
- Mac OS
OpenStack
Rackspace, NASA, Dell, Citrix, Cisco, Canonical etc.
Offers Cloud Computing services
Enterprises, service providers and researchers
Supported OS
Linux (Ubuntu, Fedora, CentOS, OpenSUSE and Debian)
Architecture
- Hierarchical
- Five components
- Minimum two servers
- Centralized
- Three components
- Minimum two servers
- Centralized
- Three components
- Minimum two servers
- Centralized
- Three components
- Minimum two servers
- Centralized
- Three components
- Minimum two servers
Language
Python, Java
Caml
Python
VastSky
HDFS
OpenStack Store
DHCP server installed on nodes
Open vSwitch
WSManagement
OpenStack Compute
- EC2 WS API
- Nimbus WSRF
Command lines XE
- X509 certificate
- Authentication
- Authentication
- Certification
Storage
Walrus
Network
Access interface
- EC2 WS API
- Tools as: HybridFox, ElasticFox
User
- SCP
- SQLite3
Manual configuration
- EC2 WS API
- OCCI API
- Authentication
- GridFTP, Cumulus (new version of GridFTP)
- SCP
- Linux
- Windows
- Requires x86 Server
Integration of OpenStack object and OpenStack compute
- SSH connection
administrator
- SSH connection
- Root required
- SSL connection
- Integrate Globus (certification)
- SSH connection
- Authentication
- Certification
Load balancing
Fault tolerance
The cloud controller
Nginx
The context broker
XAPI
AbiServer
Cluster controllers separation
Database backend (registers virtual machine information)
Periodic verification of cloud nodes
Replication
Shared FS
VMs location
Compatibility with EC2
Node controller
Cluster node
Physical nodes
Cloud nodes
OpenStack Compute
Yes
Yes
Yes
Yes
No
No
Used by
NASA
STAR
Live migration
Active in Spain
AbiCloud is a private cloud computing solution developed by Abiquo that lets users build an IaaS environment. AbiCloud supports the VirtualBox, VMware, Xen and KVM virtualization technologies [13, 16].
6. OpenStack
AWS continually researches, improves and adds new features to its set of services. Because this study is scoped to experimenting with OpenStack, the team only gives a basic introduction to, and comments on, Amazon's main services. This gives a more intuitive view of OpenStack and a comparison with its largest 'rival'. Some important milestones of AWS follow:
The main AWS services worth mentioning are:
Amazon Elastic Compute Cloud (EC2) provides instances (virtual machines) on demand, with very flexible computing and scaling capacity. Simply put, EC2 gives users the ability to create virtual machines on Amazon's infrastructure; they can allocate
OpenStack has a six-month development cycle, following the development of CC; each OpenStack release adds new components corresponding to new functions. OpenStack is fully open source, and its components are written in Python, a language that has been very highly regarded in recent years.
2.1. OpenStack releases
The logical architecture of OpenStack can be summarised in the following three points:
- End users interact through a web interface (Horizon).
- All services are authenticated through Keystone.
- The individual services interact with each other through their corresponding APIs.
Hyper-V 2008
KVM - Kernel-based Virtual Machine
LXC - Linux Containers (through libvirt)
QEMU - Quick EMUlator
UML - User Mode Linux
VMWare ESX/ESXi 4.1 update 1
Xen - XenServer 5.5, Xen Cloud Platform (XCP)
Nova's components run independently and are connected to each other by messages (message-based architecture). The Compute Controller, Volume Controller, Network Controller and Object Store components can be installed on different physical servers. As the figure above shows, the Cloud Controller talks to the Object Store over HTTP but to the Scheduler over AMQP (Advanced Message Queuing Protocol). To avoid blocking while waiting for components to respond, Nova uses asynchronous calls, with a callback invoked when the response is received.
Because it is built from many different components, some functions are being rebuilt and some are duplicated. A typical case in Nova is the Object Store component, which stores images (the disk image files of virtual operating systems before they are run), while Glance also stores those images. However, this does not have much effect
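The message-based, asynchronous pattern described above, as an added example that is not code from the report or from Nova: a Python sketch in which an in-process queue stands in for the AMQP broker, a "scheduler" worker serves a `pick_host` method (the service name, the method and the host capacity table are constructed for the example), and `call_async` returns immediately and fires a callback when the reply arrives, or with an error reply once a timeout expires, so the caller never blocks on a component that has gone away.

```python
import queue
import threading
import uuid

# Added example (not the report's or Nova's code): message-based RPC with
# callbacks. queue.Queue stands in for an AMQP broker; the "scheduler"
# service, its "pick_host" method and the host table are constructed.


class Broker:
    """One named queue per service, plus one reply queue per outstanding call."""

    def __init__(self):
        self._queues = {}
        self._lock = threading.Lock()

    def queue(self, name):
        with self._lock:
            return self._queues.setdefault(name, queue.Queue())


def serve(broker, service, handlers, stop):
    """Worker loop for one service: take a request, dispatch it by method name,
    publish the reply to the request's reply queue (if it asked for one)."""
    q = broker.queue(service)
    while not stop.is_set():
        try:
            msg = q.get(timeout=0.05)
        except queue.Empty:
            continue
        handler = handlers.get(msg["method"])
        if handler is None:
            reply = {"error": "unknown method %s" % msg["method"]}
        else:
            try:
                reply = {"result": handler(**msg["args"])}
            except Exception as exc:  # a failing handler must not kill the worker
                reply = {"error": str(exc)}
        if msg["reply_to"] is not None:
            broker.queue(msg["reply_to"]).put(reply)


def cast(broker, service, method, **args):
    """Fire-and-forget: publish the request and return; no reply is expected."""
    broker.queue(service).put({"method": method, "args": args, "reply_to": None})


def call_async(broker, service, method, callback, timeout=1.0, **args):
    """Publish the request and return at once. `callback(reply)` runs on a
    helper thread when the reply arrives; if nothing arrives within `timeout`
    seconds the callback gets an error reply instead, so the caller never
    blocks forever on a component that is down."""
    reply_to = "reply-%s" % uuid.uuid4().hex
    broker.queue(service).put({"method": method, "args": args, "reply_to": reply_to})

    def wait_for_reply():
        try:
            reply = broker.queue(reply_to).get(timeout=timeout)
        except queue.Empty:
            reply = {"error": "timeout waiting for %s.%s" % (service, method)}
        callback(reply)

    waiter = threading.Thread(target=wait_for_reply, daemon=True)
    waiter.start()
    return waiter


def demo():
    """Run a scheduler worker and three calls: one answered, one rejected as an
    unknown method, one that times out because no 'volume' worker exists."""
    broker = Broker()
    stop = threading.Event()
    free_vcpus = {"host-a": 2, "host-b": 5}  # constructed capacity table

    def pick_host(vcpus):
        fits = [h for h, free in free_vcpus.items() if free >= vcpus]
        if not fits:
            raise RuntimeError("no host with %d free vCPUs" % vcpus)
        return max(fits, key=free_vcpus.get)

    worker = threading.Thread(
        target=serve, args=(broker, "scheduler", {"pick_host": pick_host}, stop),
        daemon=True)
    worker.start()

    results = {}
    waiters = [
        call_async(broker, "scheduler", "pick_host",
                   lambda r: results.__setitem__("host", r), vcpus=3),
        call_async(broker, "scheduler", "no_such_method",
                   lambda r: results.__setitem__("unknown", r), vcpus=3),
        call_async(broker, "volume", "create",
                   lambda r: results.__setitem__("timeout", r), timeout=0.2, size_gb=1),
    ]
    cast(broker, "scheduler", "pick_host", vcpus=1)  # nothing waits for this one
    for w in waiters:
        w.join()
    stop.set()
    worker.join()
    return results


if __name__ == "__main__":
    print(demo())
```

The timeout branch is the part worth copying: a real broker can lose a consumer at any time, and a caller that waits on a reply queue without a deadline turns one dead component into a hung controller.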
Nova-network
This component interacts with nova-compute and is responsible for connecting instances to each other and instances to the public network. As in AWS or Eucalyptus, an instance in OpenStack can have two IPs: a private IP used for connections between instances, and a public IP used to connect the instance to the Internet (public network).
nova-network has three different management modes:
Flat Network: creates a bridge interface on top of the Ethernet adapter for communication between the nodes. When Flat Network is chosen, Nova does not manage the instances' networking; the IP is simply assigned to the instance through the file system. Metadata must be configured manually on the gateways if the internal network requires it. The following figure describes this configuration across several nodes through one Ethernet adapter:
- Store and manage files programmatically via API: file management through an API interface
- Create public or private containers
- Leverages commodity hardware
- HDD/node failure agnostic: no data loss, thanks to automatic backup and replication mechanisms
- Unlimited storage
- Multi-dimensional scalability (scale-out architecture)
Image-as-a-service
Multi-format/container support
Image status
Scalable API
Metadata
Image Checksum
Extensive Logging
Integrated testing
Back-end store options
Version control
CLI access
Built-in Mgmt. utilities
Drive auditing
VNC Proxy through web browser
As introduced, Glance is one of the main components of OpenStack; its task is to store and serve the image files of the virtual machines (instances).
Glance consists of three parts:
In the experiments the team also used the three components Nova, Glance and Swift. Basically, the instance image files are uploaded to the Glance server; Nova then calls Glance and requests one of those image files to create an instance inside nova-compute. Data that needs to be stored separately (backups, data shared between instances) is stored on Swift. These three components are independent of each other, but can be combined to operate as one unified whole.
2.1.4. OpenStack Dashboard (Horizon) and OpenStack Identity
In this trial the installation of these two components alongside Nova, Glance and Swift could not be completed. Hopefully these two components will work better in the Essex release. Some basic information about Keystone and Dashboard follows.
Keystone is the authentication, token, catalog and policy service component for all the other OpenStack services. It is implemented through the OpenStack Identity API.
Dashboard provides a web interface for managing the remaining OpenStack components, working with Keystone to authenticate users. It is developed on the Django framework and provides an interface similar to the AWS management console.
As mentioned in the section on users and roles in Nova, we create a user named testuser and then assign testuser the sysadmin role. Next we create a project named testproject and assign it to testuser with full rights.
** Create the credentials and access keys.
For each project, Nova provides the user with credentials and access keys for authentication. The most important information is in the novarc file. This file is used to create an 'environment' whose parameters point to the server on which Nova is installed.
Suppose we use a different client machine to run queries against Nova. On that client we must also fetch these credentials and access keys. From that client we can then easily interact and 'talk' with the server running Nova.
We need to open port 22 for the SSH service and port 80 for the HTTP service.
After restarting all the Nova and Glance services, if there are no errors we can use Nova and Glance from now on.
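The credential and port steps above, as an added example that is not the report's code: a Python helper that parses a constructed novarc (it holds no real credential; the EC2_ACCESS_KEY, EC2_SECRET_KEY and EC2_URL names follow the Nova-generated novarc of that era and are an assumption if your version differs), refuses the file while its mode lets other local users read the secret key, and builds the euca-authorize calls for ports 22 and 80 only when the SSH rule is limited to an administrators' range rather than 0.0.0.0/0 (203.0.113.0/24 below is a constructed placeholder range).

```python
import os
import re
import stat
import tempfile

# Added example (not from the report): checks a client would run on the
# credential bundle before using it. The variable names EC2_ACCESS_KEY,
# EC2_SECRET_KEY and EC2_URL follow the Nova-generated novarc of that era;
# the sample file below is constructed and holds no real credential.

SAMPLE_NOVARC = """# constructed novarc, not a real credential
export EC2_ACCESS_KEY="0123456789abcdef:testproject"
export EC2_SECRET_KEY="fedcba9876543210fedcba9876543210"
export EC2_URL="http://nova.example.test:8773/services/Cloud"
export NOVA_PROJECT_ID="testproject"
"""

REQUIRED_VARS = ("EC2_ACCESS_KEY", "EC2_SECRET_KEY", "EC2_URL")

_EXPORT_RE = re.compile(r'^\s*export\s+([A-Z0-9_]+)="?([^"]*)"?\s*$')


def parse_novarc(text):
    """Return the `export NAME=value` assignments in a novarc as a dict."""
    env = {}
    for line in text.splitlines():
        m = _EXPORT_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def novarc_problems(path):
    """List what is wrong with a novarc: a file mode that lets other local
    users read the secret key, or a required variable that is missing."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is group/world accessible; use 0600" % mode)
    with open(path) as fh:
        env = parse_novarc(fh.read())
    for name in REQUIRED_VARS:
        if not env.get(name):
            problems.append("%s is missing or empty" % name)
    return problems


def rule_is_acceptable(port, cidr):
    """Policy for the two rules the report opens: HTTP (80) may be reachable
    from anywhere, SSH (22) only from the administrators' range."""
    if port == 80:
        return True
    if port == 22:
        return cidr not in ("0.0.0.0/0", "::/0")
    return False


def authorize_commands(rules):
    """Turn (port, cidr) pairs into euca-authorize argv lists for the rules
    that pass the policy; rejected pairs are returned instead of being run."""
    commands, rejected = [], []
    for port, cidr in rules:
        if rule_is_acceptable(port, cidr):
            commands.append(["euca-authorize", "-P", "tcp", "-p", str(port),
                             "-s", cidr, "default"])
        else:
            rejected.append((port, cidr))
    return commands, rejected


def demo():
    """Write the sample novarc with a sloppy mode, check it, fix the mode,
    check again; then evaluate the port rules from the report."""
    path = os.path.join(tempfile.mkdtemp(), "novarc")
    with open(path, "w") as fh:
        fh.write(SAMPLE_NOVARC)
    os.chmod(path, 0o644)
    before = novarc_problems(path)
    os.chmod(path, 0o600)
    after = novarc_problems(path)
    commands, rejected = authorize_commands([(22, "0.0.0.0/0"), (80, "0.0.0.0/0"),
                                             (22, "203.0.113.0/24")])
    return {"before": before, "after": after,
            "commands": commands, "rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The commands are returned as argv lists rather than executed, so the check runs on any machine; passing them to subprocess.run on the client that holds the novarc is the remaining step.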
** Upload an image and launch an instance
I. CSA
CSA is a non-governmental organisation founded in 2008 to research security problems in CC, in cooperation with many large companies around the world such as Microsoft, Google, IBM and VMware. The first version of the CSA guidance, 1.0, was released in April 2009, followed by version 2.1 in December of the same year, which added newly identified security risks such as Information Lifecycle Management and Storage. CSA is currently at version 3.0, with several improvements and extensions such as Security as a Service.
CSA's evaluation criteria are all based on research and are peer-reviewed by the academic community before being published as versions. This section summarises the security requirements put forward by CSA, to give a view of the broad field of security in CC. CSA divides the security requirements into two main parts, with the following issues:
1. Governing in the cloud (5 sections)
CSA gives recommendations in many sections here [20]; within the scope of this document only the following are covered:
Governance and Enterprise Risk Management: the ability to manage and control risks in the enterprise environment, issues of user awareness, and the cooperation between provider and user in the responsibility to protect confidential data.
Information Management and Data Security: management of data stored in the cloud, data classification, and preventing leakage and loss of data while it is being moved. Ensuring confidentiality, integrity and availability of the data.
Interoperability and Portability: moving data and services from one provider to another (interoperability), as well as bringing all data back in-house.
This section has summarised the security-related features recommended by CSA for a CC deployment. The next section covers those recommended by NIST.
II. NIST
NIST (National Institute of Standards and Technology) published a complete set of guidelines for security and privacy in CC in December 2011. NIST's aim is to provide an overview of CC and of the security challenges in CC [21]. The issues NIST raises are:
- Governance
- Compliance
- Trust: issues of data ownership, insider access and risk management
- Architecture: setting up protection for virtual machines (VMs), virtual networks, the client side and the server side
- Identity and Access Management: enforcing authentication and access control
- Software Isolation
- Data Protection
- Availability: protecting against threats to system availability such as DoS and outages (ensuring the electrical supply and power)
- Incident Response
Overall, the NIST and CSA criteria are quite similar, as both review almost the full set of requirements for a secure system, for example ensuring authentication and access control, incident response, and software/application security. The specific solutions and recommendations of CSA and NIST are presented in part IV.
Patch and configuration management: updating the system regularly, as soon as patches and configuration changes are available
Countermeasures: the measures taken when a security incident occurs
Cloud system usage and access monitoring: managing users' use of and access to the cloud.
A cloud network is peculiar in having many different kinds of customers, from ordinary users and academia to enterprises. The inverse relationship between security and performance is always a problem that must be posed and solved in order to guarantee a secure cloud system with high performance. With different kinds of customers, however, the needs differ too. For enterprise customers, for instance, security takes top priority over performance, whereas academia still prioritises high performance. By nature, cloud computing is a public network environment like traditional networks, so it still faces the basic security problems such as web application vulnerabilities (SQL injection or cross-site scripting), DNS poisoning or ARP poisoning, and so on. Security in cloud computing, however, focuses on evaluation through Information Security Policies (the policies for protecting information) and Cloud RAS (reliability, availability and security) issues (the security threats specific to the cloud environment).
1. Information Security Policies
By nature a cloud provider is also communication over the Internet using the TCP/IP protocol, in which users are identified by IP address. Just as in a purely physical network, every virtual machine on the Internet is identified by at least one IP address that can easily be found by users or attackers. As with physical machines, attackers can intrude from a virtual machine into the physical host.
Attacks in the cloud: there are many kinds of network attacks today and, in theory, all of them can be applied to threaten the cloud to varying degrees. For example, when two users in the same cloud network use virtual machines, it can be regarded as two physical machines sharing one network.
DDoS attacks against the cloud: a DDoS attack sends a large number of IP packets to a given network with the aim of bringing that whole network down. Because a cloud computing network has a very large number of users, the damage if the system goes down is much larger than in a single-point architecture [5]. Most networks cannot defend against DDoS attacks because the traffic comes from thousands or tens of thousands of machines on the Internet, and it is also very hard to tell bad traffic from good traffic. An IPS is very effective at blocking DDoS, but only for attack patterns that have already been identified or for stored malicious packets and files (pre-existing signatures); legitimate packets carrying malicious content are still let through. Firewalls are no longer effective against DDoS either, since packets bypass a firewall even more easily than an IDS/IPS [5].
Establishing an access control mechanism is essential to information security in order to prevent unauthorised access, for example by assigning users permissions to use data and services. One point to note about this mechanism is that it must cover a user's entire lifecycle, from initial registration until the end, when the user no longer accesses the system and services (de-registration). According to the Information Technology Infrastructure Library (ITIL) and the ISO 27001/27002 security standards, a security management system must guarantee the following functions [24]:
Partitioning: one example of improving the computing performance of applications in the cloud is dividing the data into many partitions so that computation can be carried out on many nodes, in order to increase the throughput of queries and transactions. Results are therefore computed and returned very quickly.
Migration: flexibility is one of the main requirements of the cloud; in the context of providing cloud services, resource usage needs to be flexible. For example, resources must be reserved for the most necessary and important activities. This keeps cloud nodes from being overloaded when the system is migrated, especially large database systems, and in particular keeps the system running while the migration takes place.
Workload analysis and allocation
Keystone (OpenStack Identity) is the main security component, with the authentication and policy functions outlined above.
Users and projects: creating users and projects also ensures authenticated access, since a user cannot access projects that they do not own (the User and Project functions in Nova).
Keypairs: creating keys that are assigned to an instance at launch is also a security tool, since only the user who was issued the key is authorised to access the instance.
Our Keystone deployment has not yet succeeded, so this assessment is not yet precise. But the security functions in Keystone will ensure a safe IaaS deployment.
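Both the lifecycle requirement stated in the access-control paragraph earlier (coverage from initial registration to de-registration) and the user/project and keypair checks just described, as one added Python example that is not code from the report, Nova or Keystone: a small registry whose `authorize` denies a user any action in a project they hold no role in, whose keypair is bound to the launching user and instance, and whose `deregister` revokes roles and keypairs together. The role table, user names and instance ids are constructed.

```python
import hashlib
import secrets

# Added example (not the report's or OpenStack's code): a minimal access model
# covering the lifecycle the report asks for, registration through
# de-registration, with Nova-style users, projects, roles and per-instance
# keypairs. The role table, user names and instance ids are constructed.

ROLE_ACTIONS = {
    "projectmanager": {"run_instance", "terminate_instance", "read_image", "add_member"},
    "sysadmin": {"run_instance", "terminate_instance", "read_image"},
    "developer": {"run_instance", "read_image"},
}


class AccessDenied(Exception):
    pass


class Registry:
    def __init__(self):
        self.users = {}      # user -> active flag
        self.projects = {}   # project -> {user: set(roles)}
        self.keypairs = {}   # fingerprint -> (user, instance)

    def register(self, user):
        self.users[user] = True

    def _require_active(self, user):
        if not self.users.get(user):
            raise AccessDenied("%s is not an active user" % user)

    def create_project(self, project, manager):
        self._require_active(manager)
        self.projects[project] = {manager: {"projectmanager"}}

    def add_member(self, actor, project, user, role):
        self.authorize(actor, project, "add_member")
        self._require_active(user)
        self.projects[project].setdefault(user, set()).add(role)

    def authorize(self, user, project, action):
        # Deny unless the user is active, holds a role in *that* project and
        # one of those roles permits the action; roles in other projects do
        # not count, which is the cross-project check the report relies on.
        self._require_active(user)
        roles = self.projects.get(project, {}).get(user, set())
        if not any(action in ROLE_ACTIONS.get(r, ()) for r in roles):
            raise AccessDenied("%s may not %s in %s" % (user, action, project))

    def issue_keypair(self, user, project, instance):
        # Launching an instance issues the launching user a keypair; only that
        # fingerprint is accepted for that instance afterwards.
        self.authorize(user, project, "run_instance")
        fingerprint = hashlib.sha256(secrets.token_bytes(32)).hexdigest()[:16]
        self.keypairs[fingerprint] = (user, instance)
        return fingerprint

    def can_login(self, fingerprint, instance):
        owner, bound = self.keypairs.get(fingerprint, (None, None))
        return bound == instance and bool(self.users.get(owner))

    def deregister(self, user):
        # Close the lifecycle: deactivate, strip every project role and revoke
        # every keypair, so nothing issued to the user keeps working.
        self.users[user] = False
        for members in self.projects.values():
            members.pop(user, None)
        for fp in [fp for fp, (owner, _) in self.keypairs.items() if owner == user]:
            del self.keypairs[fp]


def attempt(reg, user, project, action):
    try:
        reg.authorize(user, project, action)
        return "allow"
    except AccessDenied:
        return "deny"


def demo():
    # Walk one user through the lifecycle and record each decision.
    reg = Registry()
    for name in ("testuser", "alice", "bob"):
        reg.register(name)
    reg.create_project("testproject", "testuser")
    reg.create_project("otherproject", "alice")
    reg.add_member("testuser", "testproject", "bob", "developer")
    out = {
        "member_runs": attempt(reg, "bob", "testproject", "run_instance"),
        "member_terminates": attempt(reg, "bob", "testproject", "terminate_instance"),
        "cross_project": attempt(reg, "bob", "otherproject", "run_instance"),
    }
    fp = reg.issue_keypair("testuser", "testproject", "i-0001")
    out["key_right_instance"] = reg.can_login(fp, "i-0001")
    out["key_wrong_instance"] = reg.can_login(fp, "i-0002")
    reg.deregister("testuser")
    out["key_after_deregister"] = reg.can_login(fp, "i-0001")
    out["user_after_deregister"] = attempt(reg, "testuser", "testproject", "run_instance")
    return out
```

The point of `deregister` revoking roles and keypairs in one step is the lifecycle coverage the ITIL/ISO 27001 paragraph calls for: a key that keeps opening an instance after its owner has left is exactly the gap a registration-only model leaves.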