This document summarizes Intel's contributions and technologies for enhancing OpenStack. It discusses how Intel technologies can enhance OpenStack compute, storage, networking, and data collection. Specific technologies covered include Trusted Compute Pools, key management, erasure coding for Swift storage, and the Intel Open Network Platform for SDN/NFV. The presentation concludes by providing resources for learning more about Intel's OpenStack solutions and contributions.
Enhancing OpenStack with Intel technologies
1. 1
Enhancing OpenStack* with Intel® Technologies for Public, Private and Hybrid Cloud
Girish Gopal – Strategic Planning, Intel Corporation
Malini Bhandaru – Security Architect, Intel Corporation
EDCS003
2. 2
Agenda
• Intel and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps
4. 4
Intel Enables OpenStack* Cloud Deployments
Contributions
• Across OpenStack projects plus tools released to Open Source
• Top 10 contributor to Grizzly and Havana releases (1)
• Optimizations, validation and patches
Intel IT Open Cloud
• Intel IT Open Cloud with OpenStack
• Deliver consumable services
• Automated management of cloud
Intel® Cloud Builders
• Collection of best practices
• Intel IT Open Cloud Reference Architecture
• Share best practices with IT and CSPs
(1) Source: stackalytics.com
5. 5
OpenStack* Architecture
• Identity (Keystone): authentication and authorization for services
• Object Storage (Swift): allows you to store or retrieve files
• Image (Glance): catalog and repository for virtual disk images
• Dashboard (Horizon): modular web-based user interface for all services
• Compute (Nova): provides virtual servers upon demand
• Networking (Neutron): provides "network connectivity as a service"
• Block Storage (Cinder): provides persistent block storage to guest VMs
• Heat: orchestrate multiple composite cloud applications
• Ceilometer: collect measurements for metering and monitoring
New components in Havana: Heat and Ceilometer
6. 6
Agenda
• Intel and OpenStack*
• Enhancing OpenStack Compute
– Trust
– Security
– Enhanced Platform Awareness (EPA)
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps
7. 7
Trusted Compute Pools (TCP)
Enhance visibility, control and compliance, the key IT concerns (61%, 55% and 57% respectively (1))
• TCP solution
- Place workloads and VMs in trusted pools of virtualized servers
- Trusted Computing Group compliant platform (TPM)
- Intel® Xeon® processor initiates a trusted boot
- OpenStack* Folsom release or later
- Policy engine / console
- Trust level of VM specified as Trusted
- Compute (Nova): Trust Filter; Dashboard (Horizon): Trust Filter UI
- Open Attestation (OAT) SDK: https://github.com/OpenAttestation/OpenAttestation
• Core technologies
- Intel® Trusted Execution Technology
- Intel® Virtualization Technology FlexMigration
(1) Source: McCann, "What's holding the cloud back?", cloud security global IT survey, sponsored by Intel, May 2012
Trust
TCP is enabled in OpenStack (Folsom release)
• Vendors: bundle OAT into your OpenStack offering
• Providers/IT: implement TCP in your OpenStack cloud
• Users: request and deploy VMs on trusted nodes
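The trust filter on this slide sits in the Nova scheduler: for a flavor that carries the extra_spec `trust:trusted_host`, it asks the attestation service (OAT) for each candidate host's trust level and keeps only hosts whose attested level matches. The block below is an added illustration of that flow, not Nova's or the OAT SDK's code. It assumes a pluggable attestation callback returning records with `host_name` and `trust_lvl` fields (an assumed shape modelled on an OAT poll answer), caches verdicts for a short time so every scheduling pass does not re-attest every host, and fails closed when the attestation server cannot be reached.

```python
"""Trust-aware scheduling in the style of Nova's TrustedFilter.

Added example, not Nova's or the OAT SDK's code. `poll_hosts` is an assumed
attestation callback: it takes host names and returns records with
`host_name` and `trust_lvl` (field names modelled on an OAT poll response).
"""
import time

TRUST_SPEC = "trust:trusted_host"   # flavor extra_spec consulted by the filter
CACHE_TTL = 60                      # seconds a cached attestation verdict stays valid


class AttestationCache:
    """Caches per-host trust verdicts; an unreachable attestation server
    or a host the server does not vouch for counts as untrusted."""

    def __init__(self, poll_hosts, ttl=CACHE_TTL, clock=time.time):
        self._poll = poll_hosts   # callable(list of host names) -> list of records
        self._ttl = ttl
        self._clock = clock
        self._cache = {}          # host -> (trust level, expiry timestamp)
        self.polls = 0            # attestation requests made so far

    def trust_level(self, host):
        now = self._clock()
        cached = self._cache.get(host)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.polls += 1
        level = "untrusted"       # default: no verdict means not trusted
        try:
            for record in self._poll([host]):
                if record.get("host_name") == host:
                    level = record.get("trust_lvl", "untrusted")
        except Exception:
            level = "untrusted"   # fail closed on attestation errors
        self._cache[host] = (level, now + self._ttl)
        return level


def trusted_filter(hosts, flavor_extra_specs, cache):
    """Keep hosts whose attested level equals the level the flavor asks for.

    A flavor without `trust:trusted_host` is unconstrained and may land anywhere.
    """
    wanted = flavor_extra_specs.get(TRUST_SPEC)
    if wanted is None:
        return list(hosts)
    return [h for h in hosts if cache.trust_level(h) == wanted]


# Constructed sample verdicts standing in for an OAT server's answers;
# node-c is unknown to the server and therefore never trusted.
SAMPLE_VERDICTS = {"node-a": "trusted", "node-b": "untrusted"}


def sample_poll(host_names):
    """Fake attestation call: answers only for hosts it knows about."""
    return [{"host_name": h, "trust_lvl": SAMPLE_VERDICTS[h]}
            for h in host_names if h in SAMPLE_VERDICTS]


def failing_poll(host_names):
    """Fake attestation call for a server that is down."""
    raise ConnectionError("attestation server unreachable")


if __name__ == "__main__":
    cache = AttestationCache(sample_poll)
    hosts = ["node-a", "node-b", "node-c"]
    print(trusted_filter(hosts, {TRUST_SPEC: "trusted"}, cache))   # ['node-a']
    print(trusted_filter(hosts, {}, cache))                        # all three hosts
```

The cache TTL is the operational knob: too long and a host that fails re-attestation keeps receiving trusted workloads until the entry expires; too short and the attestation server becomes a scheduling bottleneck.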
8. 8
Trusted Compute Pools with Geo-Tagging
Use asset descriptor information to control virtual workloads
- E.g., enforce policies to control migration or bursting to trusted systems in specific geographical locations
• Enhance OpenStack* services
- Dashboard: display VM/storage geo
- Flavor: geo for VM instances and storage
- Aggregate filter
• Geo attestation service
- Configure geo attestation service
- Provision geo certificate for trusted machines
Provide feedback, use cases
Trust
11. 11
Key Management
Encryption keys: create, store, protect, and ready access
Facilitates server-side encryption and data-at-rest security; enables new use cases and users, e.g., compliance
• Random key generation
- Intel® Secure Key: true randomness is important
• Secure storage: keys encrypted with a master key
• Access controlled
- Identity: Keystone and access policies
• Audit logging: create/delete/use
• High availability
• Pluggable backend: HSM, TPM
Security
12. 12
OpenStack* Key Manager
Key management as a separate service; prototype in Havana, incubation in the Icehouse release of OpenStack*
Secure OpenStack clouds
• Encrypt volumes, objects and communications
Status and next steps
• Barbican Key Manager: https://github.com/cloudkeep/barbican
• Integration with the OpenStack authentication and authorization system
• Immediate: provide volume/block encryption
Future
• Creation and certification of public-private key pairs
• Software support for periodic background tasks
• Client component that can work against an HSM
• Examine KMIP
• Leverage AES-XTS to enhance performance
Building blocks
• Trusted Platform Module
• Intel® Secure Key
• Intel® AES-NI
• New instructions and wider registers
Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
Security
13. 13
OpenStack* Security Guide
http://docs.openstack.org/sec/
• OpenStack* services
• Public and private clouds
• Security domains and bridges
• Layered security
• Secure node bootstrapping and hardening
• Secure intra-service communication
• Database security
• Hypervisor selection
• Trusted machine images
• VM migration
• Logging
• Identity management
• Access control
• Compliance & audit
Help update the Security Guide
Security
14. 14
CPU Features Exposure
Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms
• Expose CPU features to the OpenStack Nova scheduler
• Use the ComputeCapabilities filter to select hosts with the required features
- Security workloads could run faster and more securely with Intel® AES-NI
• Enables premium flavors
- Enhanced capabilities for cloud customers
- Enhanced revenue for cloud providers
Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
Diagram (labels): Image (Glance): import host capabilities request via VM metadata; Dashboard (Horizon): expose; Compute (Nova): host capabilities discovery, reporting and filter enhancements
Targeted for Havana and future OpenStack releases
EPA
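The slide's mechanism is a scheduler filter matching flavor extra_specs in the `capabilities:` scope against what each compute node reports about itself. The block below is an added illustration of that matching, not Nova's ComputeCapabilitiesFilter code. Host reports are plain dicts (the `cpu_info` / `features` layout follows what libvirt-based Nova hosts publish; `vcpus_total` is an assumed name), nested keys are walked with `:`, and the operators implemented (`<in>`, `<all-in>`, `==`, `>=`, `<=`) are a subset of Nova's extra_specs operators. A host that reports nothing for a required key is rejected rather than assumed capable.

```python
"""Capability-based host selection in the style of Nova's ComputeCapabilitiesFilter.

Added example, not Nova's code. Host dicts, the `vcpus_total` key and the
premium flavor below are constructed for the illustration.
"""


def satisfies(spec, value):
    """Evaluate one extra_spec string against a reported host value.

    A missing host value never satisfies a requirement (fail closed).
    """
    if value is None:
        return False
    tokens = spec.split()
    if not tokens:
        return False
    op, args = tokens[0], tokens[1:]
    if op == "<in>":                      # one required item present in a list
        return args[0] in value
    if op == "<all-in>":                  # every required item present
        return all(a in value for a in args)
    if op in ("==", ">=", "<="):
        try:
            lhs, rhs = float(value), float(args[0])
        except (TypeError, ValueError):   # non-numeric: only equality makes sense
            return op == "==" and str(value) == args[0]
        return {"==": lhs == rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]
    return str(value) == spec             # no operator: exact string match


def lookup(host, path):
    """Walk 'cpu_info:features'-style key paths through nested dicts."""
    value = host
    for part in path:
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def compute_capabilities_filter(hosts, extra_specs):
    """Return the names of hosts that meet every `capabilities:` extra_spec."""
    passing = []
    for host in hosts:
        ok = True
        for key, spec in extra_specs.items():
            scope = key.split(":")
            if scope[0] != "capabilities":   # trust:, hw:, ... belong to other filters
                continue
            if not satisfies(spec, lookup(host, scope[1:])):
                ok = False
                break
        if ok:
            passing.append(host["name"])
    return passing


# Constructed host reports: an AES-NI capable node, an older node, and a node
# that reported nothing about its CPU.
SAMPLE_HOSTS = [
    {"name": "node-aes", "vcpus_total": 32,
     "cpu_info": {"features": ["aes", "avx", "sse4_2"]}},
    {"name": "node-old", "vcpus_total": 8,
     "cpu_info": {"features": ["sse4_2"]}},
    {"name": "node-blank", "vcpus_total": 16},
]

# Extra specs of a hypothetical premium flavor for crypto workloads.
CRYPTO_FLAVOR = {"capabilities:cpu_info:features": "<all-in> aes avx",
                 "capabilities:vcpus_total": ">= 16"}

if __name__ == "__main__":
    print(compute_capabilities_filter(SAMPLE_HOSTS, CRYPTO_FLAVOR))   # ['node-aes']
```

The premium-flavor idea on the slide is exactly this: the provider attaches `capabilities:` specs to a flavor and the filter guarantees the VM lands on a host with AES-NI, so the tenant's encryption runs on the hardware path rather than a software fallback.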
15. 15
PCI Express* (PCIe*) Accelerator Exposure
• OpenStack* updates to enable PCI Express* (PCIe*) accelerators
– Solution based on libvirt and KVM
– Add PCIe device info to the libvirt driver
– Extend the Nova scheduler to handle PCIe device allocation
– Configure the VM for deployment
• Status
– Code released to the community
– Not yet integrated into the Havana release mainline
– NIC SR-IOV Virtual Function allocation to a VM possible
  Not a recommended use case
  Additional OpenStack updates necessary for a robust solution
Leverage PCI Express accelerators to gain performance
• Crypto speed-up, hardware-based trust, faster I/O
SR-IOV = Single Root I/O Virtualization
EPA
16. 16
Agenda
• Intel and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
– Intelligent Volume Scheduling
– Erasure Code
– COSBench
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps
17. 17
Intelligent Volume Scheduling - OpenStack* Cinder
Maximize block storage efficiency by intelligently allocating volumes based on the workload and the type of service required
Example: differentiated service with different storage backends
• CSP: 3 different storage systems, offers 4 levels of volume services
• Volume service criteria dictate which storage system can be used
• Filter scheduler allows the CSP to name storage services and allocate the correct volume
Intelligent Volume Scheduling is enabled in OpenStack* (Grizzly release)
18. 18
Erasure Code for OpenStack* Swift
Diagram (labels): clients, access tier (concurrency), capacity tier (storage), tri-replication path, erasure code path
Saves disk space, does not impact QoS for hot objects
• Swift uses tri-replication today (3x storage)
• Add daemon on storage node
• Scans all existing objects offline
• Selects cold objects of large enough size
• Replaces tri-replication algorithm with erasure code
Collaborate on Erasure Code
• CLDS007: "OpenStack Swift Erasure Code: A Smart Cloud Storage Solution", Wednesday, 5PM, Rm 2005
• https://blueprints.launchpad.net/swift/+spec/swift-ec
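The space saving on this slide comes from storing k data fragments plus m parity fragments, (k+m)/k bytes per byte, instead of three full copies, while any k surviving fragments still rebuild the object. The block below is an added, self-contained illustration of the daemon's two jobs, selecting cold objects and converting them; it is not Swift's code (Swift's erasure-code support uses Reed-Solomon through PyECLib/liberasurecode). It carries its own small systematic Reed-Solomon coder over GF(2^8) with a Cauchy parity matrix, and the object catalogue, thresholds and k/m values are constructed for the example.

```python
"""Erasure coding versus tri-replication for cold objects.

Added example, not Swift's code. Systematic Reed-Solomon over GF(2^8) with a
Cauchy parity matrix; sample objects and thresholds are constructed.
"""
from functools import reduce

# GF(2^8) log/antilog tables, reducing polynomial x^8+x^4+x^3+x^2+1 (0x11d).
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_inv(a):
    return EXP[255 - LOG[a]]


def encoding_matrix(k, m):
    """k identity rows (data fragments) followed by m Cauchy rows (parity).

    Any k rows of this matrix are invertible, so any k surviving fragments
    out of k+m suffice to rebuild the object.
    """
    rows = [[1 if i == j else 0 for j in range(k)] for i in range(k)]
    rows += [[gf_inv((k + r) ^ i) for i in range(k)] for r in range(m)]
    return rows


def gf_invert(mat):
    """Gauss-Jordan inversion over GF(2^8); subtraction is XOR there."""
    n = len(mat)
    aug = [row[:] + [1 if i == j else 0 for j in range(n)] for i, row in enumerate(mat)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = gf_inv(aug[col][col])
        aug[col] = [gf_mul(v, scale) for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [a ^ gf_mul(f, b) for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def _combine(coeffs, frags, pos):
    """Linear combination of byte `pos` of each fragment with the given coefficients."""
    return reduce(lambda acc, cf: acc ^ gf_mul(cf[0], cf[1][pos]), zip(coeffs, frags), 0)


def encode(data, k, m):
    """Split `data` into k data fragments and append m parity fragments."""
    padded = data + b"\0" * ((-len(data)) % k)
    n = len(padded) // k
    frags = [padded[i * n:(i + 1) * n] for i in range(k)]
    for row in encoding_matrix(k, m)[k:]:
        frags.append(bytes(_combine(row, frags, p) for p in range(n)))
    return frags


def decode(available, k, m, length):
    """Rebuild the object from any k surviving fragments ({index: bytes})."""
    if len(available) < k:
        raise ValueError("fewer than k fragments survive; the object is lost")
    idx = sorted(available)[:k]
    inv = gf_invert([encoding_matrix(k, m)[i] for i in idx])
    got = [available[i] for i in idx]
    n = len(got[0])
    data = [bytes(_combine(inv[i], got, p) for p in range(n)) for i in range(k)]
    return b"".join(data)[:length]


def storage_factor(k, m):
    """Bytes stored per object byte: 3.0 for tri-replication, (k+m)/k for EC."""
    return (k + m) / k


def select_cold_objects(objects, now, min_age, min_size):
    """The offline daemon's policy: convert only large, rarely accessed objects,
    so hot objects keep the replication path and its latency."""
    return [o["name"] for o in objects
            if now - o["last_access"] >= min_age and o["size"] >= min_size]


# Constructed catalogue: one old backup, one hot page, one recently watched video.
SAMPLE_OBJECTS = [
    {"name": "backup-2013-09.tar", "size": 4 * 2**30, "last_access": 0},
    {"name": "index.html", "size": 12_000, "last_access": 990_000},
    {"name": "video.mp4", "size": 900 * 2**20, "last_access": 995_000},
]
```

With k=4 and m=2 the object survives any two lost fragments, the same failure tolerance as three replicas, at 1.5x instead of 3x storage; the price is that a read of a degraded object needs a matrix inversion and k fragment fetches, which is why the daemon leaves hot objects alone.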
19. 19
Introducing COSBench
An open source, Intel-developed benchmarking tool to measure Cloud Object Storage (e.g., OpenStack* Swift) performance
• Compare performance of cloud object stores
• Evaluate internal options for software stacks
• Identify bottlenecks and tune performance
• Pluggable adaptors for different storage systems
• Web-based UI
• Real-time performance monitoring
Reported metrics: throughput, response time, bandwidth, success ratio
Download, evaluate, contribute
https://github.com/intel-cloud/cosbench
20. 20
Agenda
• Intel and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
– Intel® Open Network Platform
• Enhancing OpenStack Data Collection
• Intel® IT Open Cloud
• Summary and Next Steps
21. 21
Intel® Open Network Platform (ONP), OpenStack* and SDN/NFV Framework
Diagram (labels): network applications; northbound API; controllers; southbound API (e.g., OpenFlow*, Open vSwitch); nodes; OpenStack (orchestrator) with Neutron; network appliance, TOR switch, cloud server, virtual switch, EPC, media gateway; Intel® ONP Switch Reference Design; Intel ONP Server Reference Design
SDN/NFV: Software Defined Networking/Network Functions Virtualization
Learn more about Intel ONP
• CLDS006: "Extending Open Networking Platform (ONP) for the Next Generation Server Architectures", Wednesday, 3:45PM, Rm 2005
22. 22
Agenda
• Intel and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
– Multiple Publisher Support
– Intelligent Workload Scheduling
• Intel® IT Open Cloud
• Summary and Next Steps
23. 23
Data Collection for Monitoring: Multiple Publisher (Ceilometer)
Diagram (labels): data collector, pipeline manager, transformers, publishers, metering, monitoring
Facilitates transformation and publishing of metered data for consumption by various targets
• Send/publish collected measurements to different endpoints/utilities through different conduits with different formats
• Provides the ability to store collected data in different data stores
Targeted for the OpenStack* Havana release
• Create/add plug-ins to store data in your own data stores
24. 24
Data Collection for Efficiency: Intelligent Workload Scheduling
Enhanced usage statistics allow advanced scheduling decisions
• Pluggable metric data collecting framework
- Collects data via plug-ins
- Sends data to the notification bus for use by other OpenStack* components
• Compute (Nova): new filters / weighers for utilization-based scheduling
Targeted for the OpenStack* Havana release
• Utilize the pluggable framework to create/add your own plug-ins to monitor the network
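The two data-collection slides describe one chain: samples pass through transformers, are fanned out to several publishers in different formats, and one of those consumers is a Nova weigher that ranks hosts by measured utilization. The block below is an added illustration of that chain for both slides; it is not Ceilometer's or Nova's code. The sample layout (`name`, `host`, `volume`, `unit`, `timestamp`), the transformer and publisher classes and the one-vCPU assumption in the rate calculation are assumptions made for the example, and the sample stream is constructed.

```python
"""Metering pipeline with a transformer, two publishers and a utilization weigher.

Added example, not Ceilometer's or Nova's code. Sample layout, class names
and the one-vCPU assumption are choices made for this illustration.
"""


class RateOfChange:
    """Turn cumulative `cpu` counters (nanoseconds) into a `cpu_util` percentage
    per host; the first sample seen for a host produces nothing."""

    def __init__(self):
        self._last = {}

    def handle(self, sample):
        if sample["name"] != "cpu":
            return sample                      # pass other meters through untouched
        prev = self._last.get(sample["host"])
        self._last[sample["host"]] = sample
        if prev is None or sample["timestamp"] <= prev["timestamp"]:
            return None                        # nothing to derive yet (or clock skew)
        rate = (sample["volume"] - prev["volume"]) / (sample["timestamp"] - prev["timestamp"])
        return dict(sample, name="cpu_util", unit="%", volume=rate / 1e9 * 100.0)


class MeteringStore:
    """Publisher 1: keep every transformed sample, e.g. for billing."""

    def __init__(self):
        self.samples = []

    def publish(self, sample):
        self.samples.append(sample)


class UtilizationFeed:
    """Publisher 2: keep only the latest utilization per host for the scheduler."""

    def __init__(self):
        self.latest = {}

    def publish(self, sample):
        if sample["name"] == "cpu_util":
            self.latest[sample["host"]] = sample["volume"]


class Pipeline:
    """Run each sample through the transformers, then fan it out to all publishers."""

    def __init__(self, transformers, publishers):
        self.transformers = transformers
        self.publishers = publishers

    def feed(self, samples):
        for sample in samples:
            for transformer in self.transformers:
                sample = transformer.handle(sample)
                if sample is None:
                    break                      # dropped by a transformer
            else:
                for publisher in self.publishers:
                    publisher.publish(sample)


def rank_hosts_by_utilization(hosts, feed):
    """Weigher: least-loaded host first. Hosts with no measurement sort last,
    treated as fully loaded rather than assumed idle."""
    return sorted(hosts, key=lambda h: feed.latest.get(h, 100.0))


# Constructed stream: ten seconds of cumulative CPU time for two hosts.
SAMPLE_STREAM = [
    {"name": "cpu", "host": "node-a", "volume": 0, "unit": "ns", "timestamp": 0},
    {"name": "cpu", "host": "node-b", "volume": 0, "unit": "ns", "timestamp": 0},
    {"name": "cpu", "host": "node-a", "volume": 8_000_000_000, "unit": "ns", "timestamp": 10},
    {"name": "cpu", "host": "node-b", "volume": 2_000_000_000, "unit": "ns", "timestamp": 10},
]


def run_sample_pipeline():
    """Push the constructed stream through the pipeline; returns both publishers."""
    store, feed = MeteringStore(), UtilizationFeed()
    Pipeline([RateOfChange()], [store, feed]).feed(SAMPLE_STREAM)
    return store, feed


if __name__ == "__main__":
    store, feed = run_sample_pipeline()
    print(rank_hosts_by_utilization(["node-a", "node-c", "node-b"], feed))
```

Treating a host without data as fully loaded is the safe default for a weigher: a collector outage then steers new work toward hosts that are still reporting rather than piling it onto a host whose load is simply unknown.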
25. 25
Agenda
• Intel® and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps
26. 26
Intel IT Open Cloud
• 77% Virtualized
• 80% of new servers in the Cloud
• Under 1 hour to deploy Infrastructure
• Small number of SaaS apps in usage
• Savings realized to date: $21M
• Land Applications in minutes
• Automation: lower cost w/ less resources
• Open Cloud for bursting capacity
• SaaS for non-differentiated apps (e.g. email)
Today: Large Private Cloud, Limited Public Cloud
Tomorrow: Hybrid Cloud
Learn more on Intel IT Open Cloud
• CLDS004: "Intel IT Open Cloud – What's Under the Hood, and How Do We Drive It?", Wednesday, 5PM, Rm 2001
28. 28
Summary: Intel® Technologies & Solutions for OpenStack*
Technology | What it does | Intel technologies | Release
Trusted Compute Pools (TCP) / TCP with Geotagging | Place workloads and VMs in trusted pools of virtualized servers; determine and control the location of sensitive data in the cloud | Intel® TXT, Intel® VT FlexMigration | Folsom / Icehouse
Key Manager | Manager for symmetric and public/private keys, certificates | Intel® AES-NI, Intel® Secure Key | Havana / Icehouse
Enhanced Platform Awareness | Leveraging PCIe accelerator devices in cloud infrastructure, and enabling access to Intel® 64 instruction set extensions | Intel® QuickAssist, Intel AES-NI, Intel® AVX, AVX2, Intel® SSE4, Intel Secure Key | Havana
Erasure Code | Replacing the tri-replication algorithm in Swift | | Havana
Intelligent Volume Scheduling | Allocate block storage by the type of service required | | Grizzly
Multiple Publisher | Transformation & publishing of metered data | | Havana
Data Collection for Efficiency | Usage statistics for scheduling decisions | | Havana
Open Network Platform | Framework for SDN/NFV | Intel® VT-d, Intel® DPDK, Intel® DDIO | 
Open Attestation SDK | Remote attestation service for TCP | | Open Source
COSBench | Object store performance characterization tool | | Open Source
Intel® TXT = Intel® Trusted Execution Technology; Intel® VT = Intel® Virtualization Technology; Intel® AES-NI = Intel® Advanced Encryption Standard – New Instructions; Intel® AVX = Intel® Advanced Vector Extensions; Intel® VT-d = Intel® Virtualization for Directed I/O; Intel® DPDK = Intel® Data Plane Development Kit; Intel® DDIO = Intel® Data Direct I/O
29. 29
Read, Download, Get Involved
• Compute
- Open Attestation SDK: https://github.com/OpenAttestation/OpenAttestation
- OpenStack* on Intel® TXT (Fedora*): https://fedoraproject.org/wiki/OpenStackOnTXT
- Mechanisms to Protect Data in the Open Cloud: http://download-software.intel.com/sites/default/files/Intel_TXT_Open_Cloud_Security_Final_Web.pdf
• Storage
- COSBench: https://github.com/intel-cloud/cosbench
• Networking
- Intel® Open Network Platform: http://www.intel.com/content/www/us/en/switch-silicon/open-network-platform.html
• Intel IT use of OpenStack
- Accelerating Deployment of Cloud Services Using Open Source Software: http://www.intel.com/content/dam/www/public/us/en/documents/best-practices/accelerating-deployment-of-cloud-services-using-open-source-software.pdf
Intel® TXT = Intel® Trusted Execution Technology
31. 31
Legal Disclaimer
• Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute
the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your
reseller or system manufacturer. For more information, see Intel® Advanced Encryption Standard Instructions (AES-NI).
• Built-In Security: No computer system can provide absolute security under all conditions. Built-in security features
available on select Intel® processors may require additional software, hardware, services and/or an Internet connection.
Results may vary depending upon configuration. Consult your system manufacturer for more details. For more
information, see http://security-center.intel.com/.
• Intel® 64 architecture requires a system with a 64-bit enabled processor, chipset, BIOS and software. Performance will
vary depending on the specific hardware and software you use. Consult your PC manufacturer for more
information. For more information, visit http://www.intel.com/info/em64t.
• Intel® Secure Key Technology: No system can provide absolute security. Requires an Intel® Secure Key-enabled
platform, available on select Intel® processors, and software optimized to support Intel Secure Key. Consult your
system manufacturer for more information.
• Intel® Trusted Execution Technology (Intel® TXT): No computer system can provide absolute security under all
conditions. Intel® TXT requires a computer with Intel® Virtualization Technology, an Intel TXT enabled processor,
chipset, BIOS, Authenticated Code Modules and an Intel TXT compatible measured launched environment (MLE). Intel
TXT also requires the system to contain a TPM v1.2. For more information, visit
http://www.intel.com/technology/security.
• Trusted Platform Module (TPM): The original equipment manufacturer must provide TPM functionality, which requires a
TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
• Intel® Virtualization Technology (Intel® VT) requires a computer system with an enabled Intel® processor, BIOS, and
virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and
software configurations. Software applications may not be compatible with all operating systems. Consult your PC
manufacturer. For more information, visit http://www.intel.com/go/virtualization.
32. 32
Risk Factors
The above statements and any others in this document that refer to plans and expectations for the third quarter, the year and
the future are forward-looking statements that involve a number of risks and uncertainties. Words such as “anticipates,”
“expects,” “intends,” “plans,” “believes,” “seeks,” “estimates,” “may,” “will,” “should” and their variations identify forward-looking
statements. Statements that refer to or are based on projections, uncertain events or assumptions also identify forward-looking
statements. Many factors could affect Intel’s actual results, and variances from Intel’s current expectations regarding such factors
could cause actual results to differ materially from those expressed in these forward-looking statements. Intel presently considers
the following to be the important factors that could cause actual results to differ materially from the company’s expectations.
Demand could be different from Intel's expectations due to factors including changes in business and economic conditions;
customer acceptance of Intel’s and competitors’ products; supply constraints and other disruptions affecting customers; changes
in customer order patterns including order cancellations; and changes in the level of inventory at customers. Uncertainty in global
economic and financial conditions poses a risk that consumers and businesses may defer purchases in response to negative
financial events, which could negatively affect product demand and other related matters. Intel operates in intensely competitive
industries that are characterized by a high percentage of costs that are fixed or difficult to reduce in the short term and product
demand that is highly variable and difficult to forecast. Revenue and the gross margin percentage are affected by the timing of
Intel product introductions and the demand for and market acceptance of Intel's products; actions taken by Intel's competitors,
including product offerings and introductions, marketing programs and pricing pressures and Intel’s response to such actions; and
Intel’s ability to respond quickly to technological developments and to incorporate new features into its products. The gross
margin percentage could vary significantly from expectations based on capacity utilization; variations in inventory valuation,
including variations related to the timing of qualifying products for sale; changes in revenue levels; segment product mix; the
timing and execution of the manufacturing ramp and associated costs; start-up costs; excess or obsolete inventory; changes in
unit costs; defects or disruptions in the supply of materials or resources; product manufacturing quality/yields; and impairments
of long-lived assets, including manufacturing, assembly/test and intangible assets. Intel's results could be affected by adverse
economic, social, political and physical/infrastructure conditions in countries where Intel, its customers or its suppliers operate,
including military conflict and other security risks, natural disasters, infrastructure disruptions, health concerns and fluctuations in
currency exchange rates. Expenses, particularly certain marketing and compensation expenses, as well as restructuring and asset
impairment charges, vary depending on the level of demand for Intel's products and the level of revenue and profits. Intel’s
results could be affected by the timing of closing of acquisitions and divestitures. Intel's results could be affected by adverse
effects associated with product defects and errata (deviations from published specifications), and by litigation or regulatory
matters involving intellectual property, stockholder, consumer, antitrust, disclosure and other issues, such as the litigation and
regulatory matters described in Intel's SEC reports. An unfavorable ruling could include monetary damages or an injunction
prohibiting Intel from manufacturing or selling one or more products, precluding particular business practices, impacting Intel’s
ability to design its products, or requiring other remedies such as compulsory licensing of intellectual property. A detailed
discussion of these and other factors that could affect Intel’s results is included in Intel’s SEC filings, including the company’s
most recent reports on Form 10-Q, Form 10-K and earnings release.
Rev. 7/17/13
34. 34
Trusted Geolocation Preview
• Determine and control the location of servers with sensitive information in the cloud
• Server location information added to the server root of trust
• Three main phases:
1. Platform attestation and safe hypervisor launch
2. Trust-based secure migration
3. Trust- and geolocation-based secure migration
35. 35
Key-Manager
Diagram (labels): OpenStack services (Swift/Cinder/Glance/Keystone) holding Swift keys, Cinder keys, Glance keys and Keystone keys, linked to the key manager over (encrypted) communication; key creation and storage built from a random number generator (keys random), storage (master keys) and a TPM; interface calls put(key-id, enc-key-str) returning success and get(key-id) returning enc_key_str; a KMIP formatter; the flow "Swift authentication token, access Swift keys"; records of the form <key-id, enc-key-str, descriptors> with descriptors creation-time, expire-time, num-uses and type (public/private/symmetric/unknown)
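The key-management slides (Key Management, OpenStack Key Manager, and this diagram) describe one service: keys are generated from a hardware RNG, stored wrapped under a master key, released only to an authorized caller, and every create, delete and use is audited; each record carries descriptors for creation time, expiry, number of uses and key type. The block below is an added model of that service, not Barbican's or the deck's prototype code. Its assumptions: `master_key` stands in for a TPM- or HSM-protected master key, `os.urandom` for the hardware RNG behind Intel Secure Key, an HMAC-SHA256 keystream plus MAC stands in for AES wrapping (the standard library has no AES; a deployment would use AES-NI-backed AES-GCM or AES-XTS), and the Keystone check is reduced to comparing the caller's project id with the key's owner.

```python
"""Key manager model: create, store, protect, ready access.

Added example, not Barbican's or the deck's prototype code. Assumptions:
`master_key` stands in for a TPM/HSM-protected master key, `os.urandom` for
the hardware RNG behind Intel Secure Key, the HMAC-SHA256 stream-plus-MAC
wrapping for AES (the standard library has no AES), and the Keystone check
is reduced to comparing the caller's project id with the key's owner.
"""
import hashlib
import hmac
import os
import time


class KeyAccessError(PermissionError):
    pass


class KeyManager:
    def __init__(self, master_key, clock=time.time):
        self._mk = master_key
        self._clock = clock
        self._keys = {}     # key_id -> {"blob": wrapped key, "desc": descriptors}
        self.audit = []     # (timestamp, action, key_id, project, outcome)

    # --- protection with the master key (stand-in for AES wrapping) ---
    def _stream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._mk, b"enc" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _wrap(self, key):
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(key, self._stream(nonce, len(key))))
        tag = hmac.new(self._mk, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unwrap(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mk, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("stored key blob failed its integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

    def _log(self, action, key_id, project, outcome):
        self.audit.append((self._clock(), action, key_id, project, outcome))

    # --- service interface: create / get / delete, all audited ---
    def create(self, project, key=None, key_type="symmetric", ttl=None, num_uses=None):
        """Generate (or import) a key, wrap it, and record its descriptors."""
        key = os.urandom(32) if key is None else key
        key_id, now = os.urandom(8).hex(), self._clock()
        self._keys[key_id] = {"blob": self._wrap(key), "desc": {
            "owner": project, "type": key_type, "creation_time": now,
            "expire_time": None if ttl is None else now + ttl, "num_uses": num_uses}}
        self._log("create", key_id, project, "ok")
        return key_id

    def get(self, key_id, project):
        """Return the plaintext key only while owner, expiry and use count allow."""
        rec = self._keys.get(key_id)
        desc = rec["desc"] if rec else None
        if rec is None or desc["owner"] != project:
            reason = "unknown key or not owner"
        elif desc["expire_time"] is not None and self._clock() >= desc["expire_time"]:
            reason = "expired"
        elif desc["num_uses"] is not None and desc["num_uses"] <= 0:
            reason = "uses exhausted"
        else:
            reason = None
        if reason:
            self._log("use", key_id, project, "denied: " + reason)
            raise KeyAccessError(reason)
        try:
            key = self._unwrap(rec["blob"])
        except ValueError:
            self._log("use", key_id, project, "denied: integrity failure")
            raise
        if desc["num_uses"] is not None:
            desc["num_uses"] -= 1
        self._log("use", key_id, project, "ok")
        return key

    def delete(self, key_id, project):
        rec = self._keys.get(key_id)
        if rec is None or rec["desc"]["owner"] != project:
            self._log("delete", key_id, project, "denied")
            raise KeyAccessError("unknown key or not owner")
        del self._keys[key_id]
        self._log("delete", key_id, project, "ok")

    def descriptors(self, key_id):
        return dict(self._keys[key_id]["desc"])
```

Two details carry the security value: the store never holds a plaintext key (a dump of `_keys` yields only wrapped blobs whose tags detect tampering), and every denial is written to the audit log with its reason, which is what a compliance reviewer asks for first.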
36. 36
Implementation Example
Diagram (labels): controller; ONP switch; three ONP servers, each running an OS / hypervisor with a DPDK-accelerated Open vSwitch hosting virtual functions (vEPC, CDN, billing, forecast, analytics)