CloudStack - LinuxFest NorthWest


Upload: ke4qqq

Post on 08-May-2015


Page 1: CloudStack - LinuxFest NorthWest

BUILDING AN IAAS CLOUD WITH APACHE CLOUDSTACK

David Nalley [email protected]

Twitter/identi.ca: @ke4qqq / IRC: ke4qqq in #cloudstack on freenode

Page 2: CloudStack - LinuxFest NorthWest

Licensing

• This presentation and its contents, unless otherwise noted, are released under a Creative Commons Attribution, Share-Alike 3.0 Unported license and the Apache Software License v2, at your discretion.

Page 3: CloudStack - LinuxFest NorthWest

History

• Original company formed - 2008 (VMOps)

• Project open sourced (GPLv3) as CloudStack – May 2010

• Acquired by Citrix – July 2011

• Dropped open core – August 2011

• Relicensed under ASL v2 April 3, 2012

• Accepted as an Apache incubating project – April 16, 2012

Page 4: CloudStack - LinuxFest NorthWest

What is CloudStack?

Open Source Infrastructure as a Service platform that supports multiple hypervisors, complex network, firewall, load balancer and VPN configurations, high availability, in a multi-tenant environment.

Page 5: CloudStack - LinuxFest NorthWest

What does it really do?

• Provide separation for the varied tenants

• Allocate compute resources in a deterministic manner

• Expose to the end user the ability to provision various computing services in a controlled manner (VLAN allocation, firewall rules, load balancer deployment, VM creation, etc)

• Manage High Availability

• Massively Scalable

• Permit resource limits to be applied

• Measure usage over time

Page 6: CloudStack - LinuxFest NorthWest

Multiple hypervisor support

• KVM

• XenServer

• Xen Cloud Platform

• VMware (via vCenter)

• Oracle VM

• Bare Metal

Page 7: CloudStack - LinuxFest NorthWest

Multi-tenant Separation

• Largely built around abstraction from an end-user POV

– No interaction with the hypervisor directly

– No knowledge of underlying storage

• Networking separation

– Every account has at least one dedicated/isolated VLAN (tagged networking)

– Layer 3 isolation, aka Security Groups, for untagged networking

• Option to use dedicated hardware

Page 8: CloudStack - LinuxFest NorthWest

Networking

• CloudStack has a number of network models

• They are generally broken down by:

– Method of isolation (VLAN, Security Groups)

– Physical hardware or virtual

• CloudStack can manage network infrastructure

Page 9: CloudStack - LinuxFest NorthWest

Networking

• Services managed by CloudStack

– DHCP

– VLAN allocation

– Firewall

– NAT/Port forwarding

– Routing

– VPN

– Load Balancing

Page 10: CloudStack - LinuxFest NorthWest

Networking

• CloudStack can also manage physical network hardware (or the virtualized alternatives)

– F5-Big IP

– NetScaler

– Juniper SRX

• Additionally you can ‘mix and match’ some network elements as service offerings.

Page 11: CloudStack - LinuxFest NorthWest

Security Groups

• Traditional isolation has been via VLAN

• VLANs isolate well, but have some problems scaling

– The 802.1Q standard has a hard limit of 4096 VLAN IDs (12-bit tag; 4094 usable)

– Hardware that can actually keep up with 4096 VLANs is VERY expensive.

– Regardless, people tend to not like having arbitrary limits on what they can do.

• Amazon and others use layer 3 isolation (Security Groups)

Page 12: CloudStack - LinuxFest NorthWest

Security Groups

• Assumption of a quasi-trusted Layer 2 network

• Typically will only have hypervisors directly connected to that network.

• Filtering/isolation occurs at the bridge device (from a Linux perspective – think ebtables)

• Deny by default
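The filtering the previous two slides describe, as an added example that is not part of the original deck and is not CloudStack's own security_group.py: it models the decision the per-VM bridge rules make (deny-by-default ingress matched on protocol, port or ICMP type/code and source CIDR, plus the anti-spoofing check on frames leaving the guest) rather than emitting iptables or ebtables commands. The guest, its MAC/IP and every packet below are constructed values.

```python
# Model of the per-VM filtering a CloudStack security group installs at the
# hypervisor bridge. Added illustration only: not CloudStack's own
# security_group.py; it evaluates the allow/deny decision, it does not emit
# iptables or ebtables commands. Ingress is deny-by-default: a packet reaches
# the guest only if one ingress rule (protocol, port or ICMP type/code, source
# CIDR) matches. In the guest-to-bridge direction only the anti-spoofing half
# is modelled: frames whose source MAC or IP is not the one assigned to the
# guest are dropped. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp", "udp" or "icmp"
    start: int         # first port; for icmp the type (-1 = any)
    end: int           # last port; for icmp the code (-1 = any)
    cidr: str          # permitted source range


@dataclass(frozen=True)
class GuestVM:
    mac: str
    ip: str
    rules: tuple       # IngressRule instances; an empty tuple admits nothing


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


def _rule_matches(rule, pkt):
    if rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.cidr, strict=False):
        return False
    if pkt.protocol == "icmp":
        return (rule.start in (-1, pkt.icmp_type)
                and rule.end in (-1, pkt.icmp_code))
    return rule.start <= pkt.dst_port <= rule.end


def ingress_allowed(vm, pkt):
    """Bridge -> guest: deny unless the packet is for this guest and a rule matches."""
    if pkt.dst_ip != vm.ip:
        return False
    return any(_rule_matches(r, pkt) for r in vm.rules)


def egress_allowed(vm, pkt):
    """Guest -> bridge: the guest may only send as its own MAC and IP (anti-spoofing)."""
    return pkt.src_mac.lower() == vm.mac.lower() and pkt.src_ip == vm.ip


# Constructed sample guest: HTTP open to the world, SSH only from its own /24,
# ICMP echo request (type 8, code 0) from anywhere.
WEB = GuestVM(
    mac="02:00:00:aa:bb:01",
    ip="10.1.1.10",
    rules=(
        IngressRule("tcp", 80, 80, "0.0.0.0/0"),
        IngressRule("tcp", 22, 22, "10.1.1.0/24"),
        IngressRule("icmp", 8, 0, "0.0.0.0/0"),
    ),
)

if __name__ == "__main__":
    probe = Packet("02:00:00:aa:bb:02", "198.51.100.7", WEB.ip, "tcp", dst_port=22)
    print("ssh from the internet admitted:", ingress_allowed(WEB, probe))
```

The point the model makes explicit is that a guest with no rules at all receives nothing, and that a guest cannot reach a neighbour on the shared layer 2 segment by borrowing its address, which is what makes the "quasi-trusted" layer 2 network acceptable.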

Page 13: CloudStack - LinuxFest NorthWest

Security Groups

Page 14: CloudStack - LinuxFest NorthWest

Security Groups

Page 15: CloudStack - LinuxFest NorthWest

High Availability

• RFMTTR – but apparently HA looks better in marketing slicks and is used that way across the virtualization industry.

• CloudStack is not a magical solution for HA – but might be a useful tool in the process to increase availability.

• CloudStack will watch HA-enabled VMs to ensure that they are up and that the hypervisor they are on is up, and will restart them on another hypervisor if it goes down.

• Redundant router

Page 16: CloudStack - LinuxFest NorthWest

Allocation Algorithms

• How do you place VMs, allocate storage, etc.?

• CloudStack ships with a number of options:

– First Fit

– Fill first

– Disperse

– Create your own

• Tags

• OS Preference
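The three shipped placement strategies and the host-tag filter, as an added example that is not CloudStack's allocator code: each strategy chooses among hosts that satisfy the offering's tag and have capacity, and only the ordering differs. Host names, capacities and tags are constructed.

```python
# First Fit / Fill First / Disperse host selection, plus host tags.
# Added illustration of the strategies named on the slide; not CloudStack's
# own allocator. Hosts advertise free CPU (MHz), free RAM (MB) and a tag set; an
# offering may require a host tag, which excludes untagged hosts before any
# capacity ordering runs. All hosts and offerings below are constructed.
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    cpu_free: int
    ram_free: int
    tags: frozenset = frozenset()
    vms: int = 0          # running guests; used by the disperse strategy


@dataclass(frozen=True)
class Offering:
    cpu: int
    ram: int
    host_tag: str = ""    # "" means no tag constraint


def candidates(hosts, off):
    """Hosts carrying the required tag (if any) with room for the offering."""
    return [h for h in hosts
            if (not off.host_tag or off.host_tag in h.tags)
            and h.cpu_free >= off.cpu and h.ram_free >= off.ram]


def first_fit(hosts, off):
    """Walk the host list in order and take the first one that fits."""
    c = candidates(hosts, off)
    return c[0] if c else None


def fill_first(hosts, off):
    """Pack: the host with the least headroom that still fits."""
    c = candidates(hosts, off)
    return min(c, key=lambda h: (h.cpu_free, h.ram_free)) if c else None


def disperse(hosts, off):
    """Spread: fewest running guests, then the most free capacity."""
    c = candidates(hosts, off)
    return min(c, key=lambda h: (h.vms, -h.cpu_free, -h.ram_free)) if c else None


def deploy(hosts, off, strategy):
    """Choose a host with `strategy`, debit its capacity; host name or None."""
    h = strategy(hosts, off)
    if h is None:
        return None
    h.cpu_free -= off.cpu
    h.ram_free -= off.ram
    h.vms += 1
    return h.name


def sample_hosts():
    """Constructed three-host cluster; returns fresh objects on every call."""
    return [
        Host("h1", cpu_free=8000, ram_free=16384, tags=frozenset({"ssd"}), vms=3),
        Host("h2", cpu_free=2000, ram_free=4096, tags=frozenset(), vms=1),
        Host("h3", cpu_free=16000, ram_free=32768, tags=frozenset({"ssd", "gpu"}), vms=0),
    ]


SMALL = Offering(cpu=1000, ram=2048)
GPU = Offering(cpu=1000, ram=2048, host_tag="gpu")
TOO_BIG = Offering(cpu=20000, ram=2048)

if __name__ == "__main__":
    for strategy in (first_fit, fill_first, disperse):
        print(strategy.__name__, "->", deploy(sample_hosts(), SMALL, strategy))
```

The same offering lands on a different host under each strategy, and a tagged offering ignores capacity ordering entirely until the tag filter has run; a custom allocator plugs in as another function with this signature.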

Page 17: CloudStack - LinuxFest NorthWest

Usage

• Not billing per se – but does give you something to bill against.

• Usage stats show VM count, CPU usage, disk allocation and usage, network usage; all over time.

• Lots of integrations and how-tos – from Excel spreadsheets to Ubersmith, Amysta, and Cloud Portal.

Page 18: CloudStack - LinuxFest NorthWest

High level Architectural Overview

© Copyright David Baird and licensed for reuse under CC-BY license

Page 19: CloudStack - LinuxFest NorthWest

Secondary Storage

• Used for storing templates and snapshots

• Historically NFS – just added the option of object storage. Technically Swift, but Caringo, GlusterFS and others should work.

• Managed by Secondary Storage VM – manages moving templates and snapshots from/to primary storage, aging snapshots out, etc.

Page 20: CloudStack - LinuxFest NorthWest

Primary Storage

• In the UI we support NFS, iSCSI, and CLVM.

• We can also make use of local storage

– No HA, no live migration, etc.

• Shared mountpoint

– Anything that all the hypervisors can mount and write to.

Page 21: CloudStack - LinuxFest NorthWest

Resource division

• We have somewhat arbitrary divisions of resources within CloudStack

– Zones

– Pods

– Clusters

Page 22: CloudStack - LinuxFest NorthWest

Zone

• In general practice this is used to designate a specific geographic location.

• Shares secondary storage resource across the entire zone

• Single network model for the entire zone

Page 23: CloudStack - LinuxFest NorthWest

Pod

• In general practice, this is used to refer to a rack of machines or a row of racks.

• Shares guest network

Page 24: CloudStack - LinuxFest NorthWest

Cluster

• This is typically a max of 8-15 machines per cluster, and homogeneity is enforced:

– Same hypervisor (and same version of the hypervisor)

– Same CPUs

– Same networking (i.e. eth0 is connected to the same network across all machines)

• Primary storage is cluster specific

Page 25: CloudStack - LinuxFest NorthWest

Plethora of Networks

• Management Network: Where the hypervisors and management server communicate

• Private Network: Default network for system VMs. (virtual router, secondary storage VM, Console proxy VM)

• Public Network: The public (often internet-facing network)

• Guest Network: The network that VMs are provisioned on.

• Link-local network: The RFC 3927 network used for communication between hypervisor and system VMs.

Page 26: CloudStack - LinuxFest NorthWest

Management Server

• UI/API pieces are stateless (state is stored in a MySQL database).

• All UI functionality is an API call

Page 27: CloudStack - LinuxFest NorthWest

API

• HTTP query API (REST-style; every call is a command parameter plus its arguments)

– Unauthenticated API interface on 8096 (for localhost, disabled by default)

– Authenticated API interface natively on port 8080

– Responses in XML or JSON

– http://demo4.cloudstack.org/client/api?apikey=ZRFLiXIkmAHqgRmZzdiXMfaROyK35P_dXxS517WSa9Tmy1Hg&command=deployVirtualMachine&serviceofferingid=1&templateid=291&zoneid=1&signature=eXW%2fxfqx%2fhu%2frMreFksVsp3cT4M%3d
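How the signature on the URL above is produced and checked, as an added example that is not CloudStack's own client or server code. It follows the scheme the CloudStack API documentation describes: URL-encode each value, lowercase the whole query string, sort it by parameter name, HMAC-SHA1 the result with the account's secret key, base64-encode the digest and send it as signature. The host, command and parameter names are the ones on the slide; the api key and secret key are made-up values. The secret key is never sent: the server looks it up from apikey and recomputes the signature, which is also why the unauthenticated 8096 port must stay bound to localhost.

```python
# Signing a CloudStack query-API request the way the slide's example URL is
# signed. Added illustration, not CloudStack's own client or server code.
# Scheme (per the CloudStack API docs): URL-encode each value, lowercase the
# query string, sort by parameter name, HMAC-SHA1 with the secret key,
# base64-encode, send as `signature`. API_KEY and SECRET_KEY are constructed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

API_BASE = "http://demo4.cloudstack.org/client/api"   # host from the slide
API_KEY = "example-api-key-not-real"                 # constructed
SECRET_KEY = "example-secret-key-not-real"           # constructed


def signing_string(params):
    """Canonical form: name=value pairs with encoded, lowercased values,
    sorted by lowercased name, joined with '&'. `safe` mirrors Java's
    URLEncoder (used server-side), which leaves - _ . * unencoded."""
    pairs = sorted((k.lower(), quote(str(v), safe="-_.*").lower())
                   for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def sign(params, secret_key):
    """Base64 HMAC-SHA1 over the canonical string; the value sent as `signature`."""
    mac = hmac.new(secret_key.encode(), signing_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(params, secret_key, base=API_BASE):
    """Client side: the parameters as given plus a URL-encoded signature."""
    return f"{base}?{urlencode(params)}&signature={quote(sign(params, secret_key), safe='')}"


def verify(url, secret_key):
    """Server side: recompute over every parameter except `signature` and
    compare in constant time. In practice the secret is looked up from the
    `apikey` parameter; here it is passed in directly."""
    qs = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = qs.pop("signature", "")
    return hmac.compare_digest(sign(qs, secret_key), presented)


def deploy_vm_url():
    """The slide's deployVirtualMachine call, signed with the constructed keys."""
    params = {
        "apikey": API_KEY,
        "command": "deployVirtualMachine",
        "serviceofferingid": "1",
        "templateid": "291",
        "zoneid": "1",
    }
    return signed_url(params, SECRET_KEY)


if __name__ == "__main__":
    url = deploy_vm_url()
    print(url)
    print("verifies:", verify(url, SECRET_KEY))
```

Because every parameter is covered by the HMAC, changing templateid or any other argument in transit invalidates the signature; what the scheme does not cover is replay, so a captured signed URL remains valid until the key is rotated, which is why later CloudStack releases added an expiry parameter to be included in the signed string.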

Page 28: CloudStack - LinuxFest NorthWest

UI

• Go play with the UI

Page 29: CloudStack - LinuxFest NorthWest

Questions

• ASK!

Page 30: CloudStack - LinuxFest NorthWest

Contact

• http://cloudstack.org

• Docs: http://docs.cloudstack.org

• IRC: #cloudstack on Freenode

• Twitter/identi.ca: @cloudstack

• Mailing Lists – [email protected]

[email protected]

• Forums