SEcure Cloud computing for CRitical Infrastructure IT: OpenStack

Slides: 25

SEcure Cloud computing for CRitical Infrastructure IT (SECCRIT): OpenStack
Ani Bicaku, 18/04/2015
Consortium: AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys • Hellenic Telecommunications Organization OTE • Ayuntamiento de Valencia • Amaris

What is OpenStack?
- Open-source cloud OS
- Public and private cloud
- 18000 individual members
- 140 countries around the world
- Collection of open-source technologies
16.09.2020 © SECCRIT Consortium

Why OpenStack?
- Research on assurance in cloud environments
- Monitor cloud infrastructure
- Testbed
- Investigate open-source monitoring tools
- Harmonize different monitoring tools

What can you do with OpenStack
- Virtual servers
- Virtual network and virtual data center
- Scalable servers
- Load balancing
- Virtual storage
- Billing
- Migrate data and applications
- Disaster recovery

OpenStack Principles
- Open development
- Open design
- Open community

OpenStack is a Cloud OS
Layered view from the slide, top to bottom: User, Your application, APIs and Dashboard (OpenStack), Hypervisor, Hardware.

OpenStack Release
(Release timeline figure; no text on the slide.)

Simplified OpenStack Component Interaction
Services in the diagram: User Interface / Dashboard (HORIZON), Identity (KEYSTONE), Networking (NEUTRON), Compute (NOVA), Image (GLANCE). Keystone provides authentication to the others; Glance stores images.
- Keystone: authentication and authorization framework
- Neutron: provides network as a service to compute
- Nova: provision and manage virtual networks for VMs (as labelled on the slide)
- Glance: registry for VM images
- Horizon: web interface to manage instances

OpenStack Service Relation
Services in the relation diagram: Horizon, Neutron, Glance, Nova, Swift, Cinder, Keystone.

OpenStack Optional Services
- Orchestration Service
- Load Balancer as a Service
- Database as a Service
- Telemetry Service

Running example
Main server: Keystone, Glance, Nova, Cinder, Heat, Ceilometer
Network controller: Neutron, Horizon, LBaaS
Compute 1 / 2: Nova-compute, Neutron-compute, Ceilometer-agent
Network:
- eth0 - administration network
- eth1 - instance tunneling network
- eth2 - public network for VMs

Technical Requirements
- Server (3 machines): CPU supporting the KVM hypervisor and 64-bit x86; 4 GB RAM; 160 GB HDD
- Operating system: Ubuntu Server 14.04 LTS 64-bit
- Network configuration: Gigabit NIC

Launch an Instance from Horizon
(Screenshot slide; no text.)

Virtual Network Infrastructure
- The external network provides external internet access for instances.
- The tenant network provides internal network access for instances.
- A virtual router passes network traffic between two or more virtual networks.
- To enable internet access to individual instances, they need a floating IP and security group rules.

Initial Network
- Create the external network
  - Internet access from instances
- Create a subnet on the external network
  - Like a physical network, a virtual network requires a subnet assigned to it

Initial Network
- Create the tenant network
  - Provides internal network access for instances
- Create a subnet on the tenant network
  - Like the external network, the tenant network requires a subnet attached to it

Initial Network
- Create the router
  - Router connected to the tenant and external networks
- Attach the router to the tenant network
- Attach the router to the external network
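The Initial Network steps above, together with the floating-IP and security-group step from the Virtual Network Infrastructure slide, as an added example runbook that is not part of the SECCRIT deck. It uses the unified `openstack` CLI rather than the 2015-era `neutron` client; the network names, CIDRs and the admin source range are constructed placeholders, and commands are only printed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the SECCRIT slides): Initial Network procedure plus
# floating IP / security group, as openstack CLI commands.
# All names, CIDRs and the admin range are constructed placeholders.
EXT_NET=ext-net
EXT_CIDR=203.0.113.0/24            # provider range routed to the public NIC (eth2)
EXT_GW=203.0.113.1
POOL_START=203.0.113.100
POOL_END=203.0.113.200
TENANT_NET=tenant-net
TENANT_CIDR=10.0.0.0/24
ROUTER=router1
ADMIN_CIDR=198.51.100.0/24         # only this range may reach SSH on floating IPs

# run() prints each command and executes it only when RUN=1, so the plan can be
# reviewed before anything touches the cloud.
run() { printf '%s\n' "$*"; [ "${RUN:-0}" = 1 ] && "$@"; return 0; }

# Steps 1-2: external network and its subnet. No DHCP and a fixed allocation
# pool, so the cloud never hands out addresses outside the range reserved for it.
create_external_network() {
    run openstack network create --external --provider-network-type flat \
        --provider-physical-network provider "$EXT_NET"
    run openstack subnet create --network "$EXT_NET" --subnet-range "$EXT_CIDR" \
        --gateway "$EXT_GW" --no-dhcp \
        --allocation-pool "start=$POOL_START,end=$POOL_END" "$EXT_NET-subnet"
}

# Steps 3-4: tenant network and subnet (internal access only).
create_tenant_network() {
    run openstack network create "$TENANT_NET"
    run openstack subnet create --network "$TENANT_NET" \
        --subnet-range "$TENANT_CIDR" "$TENANT_NET-subnet"
}

# Steps 5-6: router attached to the tenant subnet, gateway on the external network.
create_router() {
    run openstack router create "$ROUTER"
    run openstack router add subnet "$ROUTER" "$TENANT_NET-subnet"
    run openstack router set --external-gateway "$EXT_NET" "$ROUTER"
}

# Internet access for one instance ($1) via a floating IP ($2) plus a security
# group rule. The rule is scoped to ADMIN_CIDR, not 0.0.0.0/0, so SSH on the
# floating IP is reachable only from the admin range.
expose_instance() {
    run openstack security group rule create --proto tcp --dst-port 22 \
        --remote-ip "$ADMIN_CIDR" default
    run openstack floating ip create "$EXT_NET"
    run openstack server add floating ip "$1" "$2"
}
```

`openstack floating ip create` prints the allocated address; pass that address as the second argument of `expose_instance` on a real run.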

VM Provisioning
Components in the sequence diagram: Horizon and CLI (user side); Controller 1 with Keystone, Glance (Glance-api, Glance-registry), the Nova-api endpoint, Scheduler, Nova DB and Neutron-network; Nova Compute with Nova-compute and the Hypervisor.
Flow recovered from the diagram's arrow labels:
1. The user specifies the VM parameters (flavor, image, key) in Horizon or the CLI and clicks the "Create" button.
2. Horizon sends an HTTP request to Keystone; Keystone validates the user and sends back an access token.
3. Horizon sends an HTTP POST request with the token to Nova-api.
4. Nova-api sends the token to Keystone for validation; Keystone checks that it is valid and sends the response back.
5. Nova-api saves an entry for the new VM in the (temporary) DB tables and sends the request to the Scheduler via a message.
6. The Scheduler takes the VM information from the DB, chooses a hypervisor and delegates the VM to Nova-compute via a message.
7. Nova-compute takes the VM information from the DB and the networking info from Neutron-network.
8. Nova-compute requests the image from Glance-api with the image ID; Glance validates the token with Keystone and Glance-registry returns the image info.
9. The hypervisor downloads the image using the image URL given by Glance.
10. Nova-compute sends a command to the hypervisor to create the VM; the hypervisor accepts or rejects it, and the VM entry in the Nova DB is updated.
11. Horizon or the CLI renders the new VM entry to the user.

VM Provisioning
Precondition: the tenant is created and the user has access to Horizon / CLI.
Components in the diagram: Horizon, CLI; Controller 1 with Keystone, Glance (Glance-api, Glance-registry), the Nova-api endpoint, Scheduler, Nova DB and Neutron-network; Nova Compute with Nova-compute and the Hypervisor.

Create Instance
- Name
- Flavor (Tiny / Small / Medium / Large / Xlarge)
- Instance boot source (Image / Snapshot / Volume)
- Key pair
- Networking

Instance Console
(Screenshot slide; no text.)

Network Topology
(Screenshot slide; no text.)

Open-Source Monitoring Tools
(Figure slide; no text.)

Get involved!
Website: www.openstack.org
Mailing lists: http://lists.openstack.org
Wiki: http://wiki.openstack.org

SEcure Cloud computing for CRitical Infrastructure IT
Contact: Ani Bicaku, AIT, 0043 660 28 37 355, Ani.Bicaku@ait.ac.at
Consortium: AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys • Hellenic Telecommunications Organization OTE • Ayuntamiento de Valencia • Amaris