HOW TO RUN OPENSTACK IN PRODUCTION ENVIRONMENTS: SECURITY, PROCESSES, AND CUSTOMIZATIONS REQUIRED
Julio Villarreal Pelegrino
Chief Architect, Cloud & Infrastructure, Red Hat
@juliovp01
RED HAT SERVICES2
In 2017, there were nearly 1,000 unique OpenStack deployments, a 95% increase compared to 2016.
Also, 63% of all OpenStack deployments were considered production environments.
Source: OpenStack User Survey 2017 (Jun - Dec), OpenStack Foundation
WHAT IS DRIVING YOUR OPENSTACK ADOPTION?
WHAT ARE YOUR INITIAL GOALS & OBJECTIVES (AKA STRATEGY)?
TECHNOLOGY REASONS / BUSINESS REASONS
WHAT WILL BE THE IMPACT IN YOUR ORGANIZATION?
HOW TO START WITH A MODERN, ELASTIC, FLEXIBLE OPENSTACK PRIVATE CLOUD
Providing the features that end users want, like:
On-demand: cloud infrastructure provisioning that rapidly scales up, down, and out.
Fully automated: standardized CI/CD process and operations tools to accelerate development, test and release pipelines.
Self-service: autonomous compute, network, and storage resources with a comprehensive API.
CONTROL PLANE ARCHITECTURE
Create a control plane architecture that:
● Is able to deliver your use cases
● Is flexible
● Uses the latest technologies to enable you, e.g.:
  ● Containerized services
  ● Composable roles
  ● Composable networks
  ● Latest-generation hardware for the networker nodes
COMPOSABLE ROLES EXAMPLE
(Composable role / Functions / Description)

Core Controller Nodes
  Functions: APIs, MariaDB (Galera), RabbitMQ, Apache (Horizon), HAProxy, Pacemaker, OpenStack services (except the ones on the Networker and Telemetry nodes)
  • At least three (3) nodes in a highly available cluster
  • Could be virtualized
  • Sizing could be: 8 vCPU, 64 GB RAM, 600 GB disk per node

Telemetry Nodes
  Functions: Ceilometer, Gnocchi, Aodh, Panko
  • At least two (2) nodes for Telemetry
  • Could be virtualized
  • SSD storage recommended
  • Sizing could be: 8 vCPU, 64 GB RAM, 800 GB disk per node

Networker Nodes
  Functions: Neutron and agents
  • Bare-metal servers
  • Fast network interconnects for provider networks
COMPOSABLE NETWORKS EXAMPLE
(Composable network / Description / Role attached)

Provisioning
  Untagged network used to provision the cloud.
  • All nodes

Internal API
  OpenStack components use this network to communicate with the various API endpoints.
  • Controllers, Networker, Compute, Cinder Storage, Swift Storage

External API
  Where the OpenStack APIs are made public to connections coming from outside the cloud.
  • Controllers

Storage
  A private network for storage components to communicate state data, replicate storage data, or for multiple tiers to communicate in a distributed storage solution.
  • All nodes (except Networker)

Storage Management
  OpenStack Object Storage (Swift) uses this network to transfer data objects between participating replica nodes.
  • Controller, Ceph Storage, Cinder Storage, Swift Storage

External or Floating IP
  The network that provides external connectivity for tenant virtual machines.
  • Networker

Tenant
  Virtual machines communicate over these networks within the cloud deployment.
  • Networker, Compute

Provider
  Optional networks created by the OpenStack administrator that map directly to existing physical networks in the data center.
  • Compute
SELECT THE RIGHT INSTALLER AND APPROACH
○ Select more than an installer: choose a provisioning system that allows you to:
■ Install and configure all the cloud components (controllers, compute, storage)
■ Cover the complete lifecycle of the cloud: install, configure, update, upgrade
■ Use an infrastructure-as-code (IaC) approach, with definition files that are self-documenting
NETWORKING AND STORAGE
Networking best practices:
○ Select the right encapsulation for the tenant networks: VXLAN, GRE or Geneve
○ Select a networking model that meets your requirements:
■ Tenant networks + floating IPs
■ Provider networks
■ OVS vs OVN
■ DVR vs centralized L3
■ SR-IOV and/or DPDK
Storage:
○ Multiple storage backends for: Glance (image), Cinder (volume), Nova (ephemeral), metrics, Swift (object)
○ Use multiple storage tiers based on IO requirements
○ Distributed storage that allows you to grow on demand
SECURITY
Security best practices:
○ Network isolation!
○ Limit access to the installer system and to the cloud components
○ Define security boundaries, e.g. public, guest, storage, management and admin zones
○ The operating system matters: run a hardened and updated OS
○ Integrate Keystone with an external identity provider, e.g. LDAP, IdM or Active Directory
○ Enable multi-factor authentication
○ Use SSL/TLS everywhere (internal and admin endpoints included, not only the public API)
○ Use Barbican to manage secrets in your OpenStack cloud:
■ Volume encryption
■ Glance image signing
■ Certificate management for Octavia
○ Use Fernet tokens (and rotate the Fernet keys)
○ Don't disable SELinux!!!
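Three of the items on this checklist (external identity provider, TLS everywhere, Fernet tokens) can be verified from the Keystone configuration and the service catalog. The script below is an added example written for this page, not code from the slides or from any Red Hat installer. The keystone.conf excerpt and the endpoint rows are constructed; in a real cloud you would feed it /etc/keystone/keystone.conf and the output of `openstack endpoint list -f value -c Interface -c URL`.

```python
"""Audit a Keystone config and service catalog against the security checklist above.

Added example for this page; the sample config and endpoint rows are constructed,
not taken from a real deployment.
"""
import configparser
from urllib.parse import urlparse

# Constructed keystone.conf excerpt (assumption: same section/option layout as the real file).
KEYSTONE_CONF = """\
[token]
provider = fernet
expiration = 3600

[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = 3

[identity]
driver = sql
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
"""

# Constructed endpoint rows: (interface, url). The internal one is deliberately plaintext.
ENDPOINTS = [
    ("public", "https://cloud.example.com:13000/v3"),
    ("internal", "http://172.17.1.10:5000/v3"),
    ("admin", "https://172.17.1.10:35357/v3"),
]


def audit_keystone(conf_text):
    """Return findings for token provider, Fernet key rotation headroom and identity backend."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []

    # Fernet is the expected provider; anything else (uuid, pki) is flagged.
    provider = cfg.get("token", "provider", fallback="fernet")
    if provider != "fernet":
        findings.append("token provider is %r, expected fernet" % provider)

    # Fewer than 3 active keys leaves no staged key for a zero-downtime rotation.
    max_keys = cfg.getint("fernet_tokens", "max_active_keys", fallback=3)
    if max_keys < 3:
        findings.append("fernet max_active_keys=%d leaves no room for staged rotation" % max_keys)

    # Local SQL users only, with no per-domain drivers, means no LDAP/IdM/AD integration.
    driver = cfg.get("identity", "driver", fallback="sql")
    domain_specific = cfg.getboolean("identity", "domain_specific_drivers_enabled", fallback=False)
    if driver == "sql" and not domain_specific:
        findings.append("identity backend is local SQL only; no external provider (LDAP/IdM/AD) configured")

    return findings


def audit_endpoints(rows):
    """Flag catalog URLs that are not HTTPS, on every interface, not only the public one."""
    findings = []
    for interface, url in rows:
        if urlparse(url).scheme != "https":
            findings.append("%s endpoint %s is not TLS" % (interface, url))
    return findings


if __name__ == "__main__":
    for line in audit_keystone(KEYSTONE_CONF) + audit_endpoints(ENDPOINTS):
        print("FINDING:", line)
```

The endpoint check is the one most often skipped: operators terminate TLS at HAProxy for the public API and leave the internal and admin endpoints on plain HTTP on the Internal API network, which is exactly the traffic that carries service credentials.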
DAY 2
Keep the lights on:
○ Monitor your cloud to ensure:
■ Services are running
■ API endpoints are responding as expected
■ Hardware failures are detected
○ Create remediation procedures for all of the above
○ Centralize logging and learn what the errors mean
○ Manage internal expectations
○ Leverage your vendor and/or the OpenStack community
○ Respect your SLAs (prod vs non-prod)
○ Build multiple environments for you to test:
■ Configuration changes
■ Updates and upgrades
■ Automation procedures
■ Disaster recovery procedures
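The "API endpoints are responding" check is easy to get wrong: an unauthenticated GET on a service root returns 401 or 404 on some services, and a probe that treats that as a failure pages you for nothing, while a probe that disables certificate verification hides a broken TLS setup. The script below is an added example for this page, not from the slides or any monitoring product. The endpoint rows are constructed; `probe` is injectable so the classification runs offline, and `http_probe` is the real HTTPS client you would pass in production.

```python
"""Probe every catalog endpoint and classify it as ok / degraded / down.

Added example for this page; endpoint rows are constructed and mirror the
(service, interface, url) columns of `openstack endpoint list`.
"""
import socket
import ssl
import urllib.error
import urllib.request

# Constructed (service, interface, url) rows.
ENDPOINTS = [
    ("identity", "public", "https://cloud.example.com:13000/v3"),
    ("compute", "public", "https://cloud.example.com:13774/v2.1"),
    ("image", "public", "https://cloud.example.com:13292/v2"),
]


def http_probe(url, timeout=5.0):
    """GET the endpoint root with a CA-verified TLS context; return the HTTP status or None."""
    ctx = ssl.create_default_context()  # never relax this to make a check "pass"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401/404 still prove the API process answered
    except (urllib.error.URLError, socket.timeout, ssl.SSLError, OSError):
        return None  # DNS, connect, TLS handshake or timeout failure


def classify(status):
    """None -> down (nothing answered); 5xx -> degraded (proxy up, backend failing); else ok."""
    if status is None:
        return "down"
    if status >= 500:
        return "degraded"
    return "ok"


def check_endpoints(rows, probe=http_probe):
    """Map (service, interface) -> 'ok' | 'degraded' | 'down'."""
    return {(svc, iface): classify(probe(url)) for svc, iface, url in rows}


def failing(results):
    """Sorted list of (service, interface) pairs that need a remediation procedure."""
    return sorted(key for key, state in results.items() if state != "ok")


if __name__ == "__main__":
    results = check_endpoints(ENDPOINTS)
    for key in failing(results):
        print("%s/%s: %s" % (key[0], key[1], results[key]))
```

Run it from a host that has the Internal API network as well as the public one, and check every interface in the catalog, not just the public URLs; a 5xx from HAProxy with a healthy public probe usually means a backend on the controllers has failed.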
DAY 2
What will work for you:
○ Build a beachhead with a primary internal customer/champion
○ Control the internal narrative about your cloud
■ Plan for lots of status updates, reports, and metrics
○ Champion your internal successes
■ Call out staff that helped
■ Build notoriety for your OpenStack cloud engineers
■ Allow people to speak publicly and internally about your cloud
Infrastructure-as-code approach:
○ Treat your infrastructure as code
○ Keep all configuration files in a VCS (git, svn)
○ Automate everything
○ Use your lifecycle environments as part of your CI/CD strategy
○ No manual changes in production (no "ssh in and fix it" approach)!
WHEN THE TECHNOLOGY IS RIGHT YOU'RE ONLY HALFWAY THERE
[Diagram: People, Process and Technology, with the process being collaborative, continuous and agile. Technology layers shown: Hardware, Storage, Hypervisor, Guest Operating Systems, Network/SDN, Automation, Integrations, Cloud Management, Portals, Apps.]
SHIFT YOUR TECH ORGANIZATION CULTURE!