How to Run OpenStack in Production Environments


HOW TO RUN OPENSTACK IN PRODUCTION ENVIRONMENTS: SECURITY, PROCESSES, AND CUSTOMIZATIONS REQUIRED

Julio Villarreal Pelegrino

Chief Architect, Cloud & Infrastructure, Red Hat

@juliovp01

RED HAT SERVICES

In 2017, there were nearly 1,000 unique OpenStack deployments, a 95% increase compared to 2016.

Also, 63% of all OpenStack deployments were considered production environments.

Source: OpenStack User Survey 2017 (Jun - Dec), OpenStack Foundation

“DO YOU KNOW THE EFFECT YOU INTEND TO CREATE?”

Paraphrasing sci-fi/fantasy author Melissa McPhail


WHAT IS DRIVING YOUR OPENSTACK ADOPTION?

WHAT ARE YOUR INITIAL GOALS & OBJECTIVES

(AKA STRATEGY)

TECHNOLOGY REASONS / BUSINESS REASONS

WHAT WILL BE THE IMPACT ON YOUR ORGANIZATION?


HOW TO START WITH A MODERN, ELASTIC, FLEXIBLE OPENSTACK PRIVATE CLOUD

Providing the features that end users want, like:

On-demand: Cloud infrastructure provisioning that rapidly scales up, down, and out.

Fully Automated: Standardized CI/CD process and operations tools to accelerate development, test and release pipelines.

Self-service: Autonomous compute, network, and storage resources with a comprehensive API.

ARCHITECTING YOUR CLOUD!


CONTROL PLANE ARCHITECTURE

Create a control plane architecture that:

● Is able to deliver your use cases
● Is flexible
● Uses the latest and greatest technologies to enable you, e.g.:
  ● Containerized services
  ● Composable roles
  ● Composable networks
  ● Latest-generation hardware for the networker nodes


COMPOSABLE ROLES EXAMPLE

Composable Role: Core Controller Nodes
Functions: APIs, MariaDB, Galera, RabbitMQ, Apache (Horizon), HAProxy, Pacemaker, OpenStack services (except the ones in the Networker and Telemetry nodes)
Description:
• At least three (3) nodes in a highly available cluster
• Could be virtualized
• Sizing could be: 8 vCPU, 64 GB RAM, 600 GB disk per node

Composable Role: Telemetry Nodes
Functions: Ceilometer, Gnocchi, Aodh, Panko
Description:
• At least two (2) nodes for Telemetry
• Could be virtualized
• SSD storage recommended
• Sizing could be: 8 vCPU, 64 GB RAM, 800 GB disk per node

Composable Role: Networker Nodes
Functions: Neutron and agents
Description:
• Baremetal servers
• Fast network interconnects for provider networks


COMPOSABLE NETWORKS EXAMPLE

Composable Network: Provisioning
Description: Untagged network used to provision the cloud.
Role Attached: All nodes

Composable Network: Internal API
Description: OpenStack components use this network to communicate with the various API endpoints.
Role Attached: Controllers, Networker, Compute, Cinder Storage, Swift Storage

Composable Network: External API
Description: Where the OpenStack APIs are made public to connections coming from outside the cloud.
Role Attached: Controllers

Composable Network: Storage
Description: A private network for storage components to communicate state data, replicate storage data, or for multiple tiers to communicate in a distributed storage solution.
Role Attached: All nodes (but Networker)

Composable Network: Storage Management
Description: OpenStack Object Storage (swift) uses this network to replicate data objects between participating replica nodes.
Role Attached: Controller, Ceph Storage, Cinder Storage, Swift Storage

Composable Network: External or Floating IP
Description: The network that provides external connectivity for tenant virtual machines.
Role Attached: Networker

Composable Network: Tenant
Description: Virtual machines communicate over these networks within the cloud deployment.
Role Attached: Networker, Compute

Composable Network: Provider
Description: Optional networks created by the OpenStack administrator that map directly to existing physical networks in the data center.
Role Attached: Compute


CONTROLLER LOGICAL DIAGRAM


CLOUD LOGICAL DIAGRAM

BEST PRACTICES


SELECT THE RIGHT INSTALLER AND APPROACH

Select the right installer:
○ Select more than just an installer; choose a provisioning system that allows you to:
  ■ Install and configure all the cloud components (controllers, compute, storage)
  ■ Provide the complete lifecycle of the cloud: Install, Configure, Update, Upgrade
  ■ The installer uses an infrastructure-as-code (IaC) approach: definition files that are self-documenting


NETWORKING AND STORAGE

Networking best practices:
○ Select the right encapsulation for the Tenant networks: VXLAN, GRE, GENEVE.
○ Select a networking model that meets your requirements:
  ■ Tenant + Floating IPs
  ■ Provider networks
  ■ OVS vs OVN
  ■ DVR vs L3
  ■ SR-IOV and/or DPDK

Storage:
○ Multiple storage backends for:
  ■ Glance (image), Cinder (volume), Nova (ephemeral), Metrics, Swift (object)
○ Use multiple tiers for the storage based on I/O requirements
○ Distributed storage that allows you to grow on demand


SECURITY

Security best practices:
○ Network isolation!
○ Limited access to the installer system and cloud components
○ Define security boundaries, e.g.: public, guest, storage, management, admin zones
○ The operating system matters. Make sure to run a secure and updated OS.
○ Integrate Keystone with an external identity provider, e.g.: LDAP, IdM, Active Directory.
○ Enable multi-factor authentication
○ Use SSL/TLS everywhere
○ Use Barbican to manage secrets on your OpenStack cloud:
  ■ Volume encryption
  ■ Glance image signing
  ■ Certificate management for Octavia
○ Use Fernet tokens
○ Don't disable SELinux!!!
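As an added example (not from the talk), a small Python audit for two of the checklist items above: it flags service-catalog endpoints that are not served over https ("Use SSL/TLS everywhere") and reads the token provider from a keystone.conf ("Use Fernet tokens"). The catalog and the config text below are constructed samples, not from any real deployment.

```python
"""Audit two items from the security checklist: https on every catalog
endpoint, and Keystone configured for Fernet tokens."""
import configparser
from urllib.parse import urlparse

# Constructed sample shaped like the Keystone v3 catalog (services -> endpoints).
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://cloud.example.com:13000/v3"},
        {"interface": "internal", "url": "http://172.16.2.10:5000/v3"},
    ]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "url": "https://cloud.example.com:13774/v2.1"},
        {"interface": "internal", "url": "https://172.16.2.10:8774/v2.1"},
    ]},
]

# Constructed keystone.conf fragment that still uses the legacy uuid provider.
SAMPLE_KEYSTONE_CONF = """
[DEFAULT]
debug = False
[token]
provider = uuid
expiration = 3600
"""


def plaintext_endpoints(catalog):
    """Return (service, interface, url) for every endpoint not served over https."""
    findings = []
    for service in catalog:
        for ep in service.get("endpoints", []):
            if urlparse(ep["url"]).scheme != "https":
                findings.append((service["name"], ep["interface"], ep["url"]))
    return findings


def token_provider(conf_text):
    """Read [token] provider from keystone.conf text (Keystone's default is fernet)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("token", "provider", fallback="fernet")


if __name__ == "__main__":
    for svc, iface, url in plaintext_endpoints(SAMPLE_CATALOG):
        print(f"plaintext endpoint: {svc} ({iface}) {url}")
    prov = token_provider(SAMPLE_KEYSTONE_CONF)
    print("token provider:", prov, "" if prov == "fernet" else "<- switch to fernet")
```

On a real cloud, feed it the catalog from `openstack catalog list -f json` (reshaped to the v3 structure) and the controller's keystone.conf; the internal endpoints are the ones most often left on plain http.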

DAY 2 OPERATIONS


DAY 2: Keep the lights on:

○ Monitor your cloud to ensure:
  ■ Services are running
  ■ API endpoints are responding as expected
  ■ Hardware failures are detected
○ Create remediation procedures for all of the above
○ Centralize logging and learn what errors occur
○ Internal expectations are managed
○ Leverage your vendor and/or the OpenStack community
○ Respect your SLAs (Prod vs Non-Prod)
○ Build multiple environments for you to test:
  ■ Configuration changes
  ■ Updates and upgrades
  ■ Automation procedures
  ■ Disaster recovery procedures


DAY 2: What will work for you:

○ Build a beachhead with a primary internal customer/champion
○ Control the internal narrative about your cloud
  ■ Plan for lots of status updates, reports, and metrics
○ Champion your internal successes
  ■ Call out staff that helped
  ■ Build notoriety for your OpenStack cloud engineers
  ■ Allow people to speak publicly and internally about your cloud

Infrastructure as Code approach:
○ Treat your infrastructure as code
○ Check all configuration files into a VCS (git, svn)
○ Automate everything
○ Use your lifecycle environments as part of your CI/CD strategy
○ No manual changes in production (no SSH approach)!


PEOPLE, PROCESS, TECHNOLOGY

Collaborative, Continuous and Agile

Technology layers: Portals, Cloud Management, Integrations, Network/SDN, Automation, Guest Operating Systems, Apps, Hardware, Storage, Hypervisor

WHEN THE TECHNOLOGY IS RIGHT YOU'RE ONLY HALFWAY THERE

SHIFT YOUR TECH ORGANIZATION CULTURE!

THANK YOU

plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews