Post on 29-Jun-2018
Intel in OpenStack: Contributions & Challenges
Krish Raghuram, Intel Open Source Technology Center
Thomas von Bauer, Intel Strategic Relationship Manager for SuSE
SuSEcon, Lake Buena Vista, FL, Nov’13
Legal Disclaimers:
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel product plans in this presentation do not constitute Intel plan of record product roadmaps. Please contact your Intel representative to obtain Intel's current plan of record product roadmaps.
Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. Go to: http://www.intel.com/products/processor_number.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm
Code names featured are used internally within Intel to identify products that are in development and not yet publicly announced for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user.
Intel, and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright ©2013 Intel Corporation.
Growth & IT Challenges Drive Need for Cloud Computing (IT Pros)
Growth:
• >3B connected users by 2015¹
• 2X growth in information every two years²
• 15B connected devices by 2015³
• 13X increase in mobile data traffic by 2017⁴
• Up to 2X or $27B⁵ in additional data center power costs by 2015
IT Challenges:
• Avoid Lock-In: seek interoperable solutions & services
• Improve Agility: reduce service delivery times, improve TCO
• Greater Efficiencies: reduce complexity & deploy new workloads
• Gain Better Insights: via intelligent analytics
1 Cisco Global Cloud Index Nov 2011
2 IDC Digital Universe Study 2011
3 Intel estimate
4 Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012-2017, Feb 2013
5 Datacenter Dynamics Global Datacenter Energy Demand 2012 forecast http://www.datacenterdynamics.com/research/energy-demand-2011-12; projected to 2015 by Intel; assume $0.10/kWh
Cloud Adoption Growing & Delivers Benefits
Intel IT example³ (Traditional IT, 2009 → Private cloud, 2012):
  Resource provisioning: 90 days → 45 minutes
  Virtualized platforms: 12% → 75%
  Asset utilization: 10-20% → >60%
  Capacity: Silos → Shared globally
  Cost savings: $15M in savings⁴
IT survey results:
  Public cloud: >40% of IT operations¹; today 6%, 2015: 25%
  Private cloud: >40% of IT operations¹; today 19%, 2015: 59%
  Hybrid cloud: 50% of enterprise by 2017²
1 ODCA global member survey, Aug 2012, N=63
2 Gartner, 2013 - http://www.eweek.com/small-business/hybrid-cloud-deployments-rising-gartner.html
3 Source: Intel IT - http://premierit.intel.com/docs
4 Intel IT 2011-2012
Enterprise Cloud Maturity Journey
Server Consolidation → Distributed Virtualization → Private Cloud → Hybrid Cloud
(Virtualize → Pool → Automate → Scale)
Virtualization replacing silos; Automation replacing manual; Standards replacing proprietary
Security is Top Barrier to Cloud Adoption
IT pro survey of key concerns¹: Lack of visibility 57%; Lack of control over data 61%; Compliance concerns 55%
[Figure: traditional data center (HR, Mfg) alongside private/public cloud, connected through networks to users & intelligent devices]
1 Source: McCann “what’s holding the cloud back?” cloud security global IT survey, sponsored by Intel, May 2012
Helping Fuel Innovation—and Opportunities
Intel in Open Source:
• #2 Linux Contributor: improving performance, stability & efficiency (kernel contribution share: Red Hat 11.1%, Intel 9.3%, SUSE 4.9%, IBM 4.2%)
• Across the Stack: contributions span every layer of the stack
• Proven Components: building blocks simplify development, reduce costs and speed time-to-market
Project contributor: X.org, GNU, Webkit, JQuery, Eclipse, OpenStack, Yocto Project, Hadoop
Intel is single largest contributor to these projects: QT, KVM, Ofono, Clutter
[Figure: Code Contributions to Open Source Projects (0%-100% bar chart); KVM throughput, SPECvirt_sc2010* performance across MC-DP, WSM-EP, SNB-EP and WSM-EX platforms (scale 0-3,000)]
01.org, kernel.org
20 Years of Enterprise Solutions Powered by Intel and SUSE
Intel, SUSE and the customer:
• Deliver IA differentiation TTM in open source solutions
• Migrate enterprises to open standards-based platforms
• Deliver SUSE solutions on robust platforms
• Leverage Intel contributions
• Joint GTM for demand gen and sales
• Gets proven solutions at lower cost
• Gets fast access to new technologies
20 Years: Partnering for Customers: Solutions Powered by Intel and SUSE
• Increased performance, reliability, efficiency and security
• Proven solutions and support for virtualization, cloud and mission-critical applications
• Lower IT infrastructure cost
• Cost-effectively manage most demanding data center requirements
• Enterprise customer support
• Fast access to new technology
Intel Enables OpenStack Cloud Deployments
Contributions:
• Across OpenStack projects
• Open Source Tools
• Top contributor to Grizzly and Havana releases¹
• Optimizations, validation, and patches
Intel® IT Open Cloud:
• Intel IT Open Cloud with OpenStack
• Delivering Consumable Services
• Single Control Plane for all Infrastructure
• Collection of best practices
• Intel IT Open Cloud Reference Arch
Intel® Cloud Builders:
• Share best practices with IT and CSPs
• http://www.intel.com/cloudbuilders
1 Source: www.stackalytics.com
Stress on Datacenter Operations
Network: 2-3 weeks to provision new services¹
Storage: 40% data growth CAGR, 90% unstructured³
Server: Average utilization <50% despite virtualization⁴
New challenges are coming….
1: Source: Intel IT internal estimate; 2, 3: IDC’s Digital Universe Study, sponsored by EMC, December 2012; 4: IDC Server Virtualization and The Cloud 2012
The Intel SDI Vision
Datacenter Today (time to provision new service: Months¹): Idea for service → IT scopes needs → Balance user demands → Manually configure devices → Set up service components, assemble software → Service running
Software-defined Infrastructure (time to provision new service: Minutes¹): Idea for service → Self service catalog & services orchestration → Automated composition of resources (private / public) → Software components assembled → Service running
Self-provisioning, automated orchestration, composable resource pools
1 Source: Intel IT internal estimate
Open Data Center Alliance Cloud Adoption Roadmap
[Figure: five-year roadmap (Year 1 to Year 5) by role (End User, App Dev, App Owner, IT Ops), starting from legacy applications on dedicated infrastructure and ending at a federated, interoperable and open cloud. Milestones shown: Simple SaaS, Complex SaaS, Hybrid SaaS; Enterprise Legacy Apps, Legacy Apps, Cloud Aware Apps; Simple Compute IaaS, Complex Compute IaaS, Full Private IaaS, Hybrid IaaS; Private PaaS, Hybrid PaaS; Compute, Storage, and Network; Consumers]
Intel IT Quick History
• Design Grid since 1990’s (“Cloud’s Uncle”): 60k servers across 60+ datacenters
• Enterprise Private Cloud 2010: 13k VMs across 10 datacenters; 75% of enterprise server requests; 80% virtualized
• Open Source Private Cloud 2012 (OpenStack): 1.5k VMs across 2 datacenters; running cloud-aware and some traditional apps
[Figure: existing infrastructure (silicon design, validation labs, enterprise hosting) converging on new OpenStack-based infrastructure: OpenStack as the Intel IT Convergence Platform]
Top Challenges & Technical Responses
Security & Compliance: Trusted Compute Pools; Geo-tagging; Key Management; Enhanced Platform Awareness (crypto processing)
Unit Cost Reduction: Erasure Code (storage cost); Enhanced Platform Awareness (PCIe Accelerators); Usage monitoring/metering; Intelligent workload & storage scheduling/allocation
Business Uptime: Live Migration, Rack-level redundancies
1 Source: stackalytics.com
Intel Contributions* to OpenStack
*Note: a mixture of features that are completed, in development or in planning
Compute: Enhanced Platform Awareness (CPU Feature Detection, PCIe SR-IOV Accelerators); OVF Meta-Data Import; Trusted Compute Pools (with Geo Tagging); Key Management; Intelligent Workload Scheduling (Metrics)
Networking: Intel® DPDK vSwitch; VPN-as-a-Service with Intel® QuickAssist Acceleration
Storage: Filter Scheduler; Erasure Code; Object Storage Policies
[Figure: contributions mapped onto OpenStack services: User Interface (Horizon), Object Store (Swift), Image Store (Glance), Compute (Nova), Block Storage (Cinder), Network Services (Neutron), Identity Services (Keystone), Monitoring/Metering (Ceilometer). Labels: Trusted Compute Pools (extended with Geo Tagging), OVF Meta-Data Import, Intel® DPDK vSwitch, Enhanced Platform Awareness, Erasure Code, Expose Enhancements, Filter Scheduler, Object Storage Policy, Key Encryption & Management, VPN-as-a-Service (accelerated with Intel® QuickAssist Technology), Intelligent Workload Scheduling, Metrics]
Trusted Compute Pools (TCP)
Enhance visibility, control and compliance
TCP Solution:
- Platform Trust: new attribute for management
- Intel® TXT initiates Measured Boot: basis for Platform Trust
- Open Attestation (OAT) SDK: remote attestation mechanism, https://github.com/OpenAttestation/OpenAttestation
- TCP-aware scheduler controls placement & migration of workloads in trusted pools
TCP is enabled in OpenStack (Folsom release)
1 Source: McCann “what’s holding the cloud back?” cloud security global IT survey, sponsored by Intel, May 2012
No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here
Server Security Technologies
Intel® Trusted Execution Technology (Intel® TXT): Hardens and Helps Control the Platform
• Enables isolation and tamper detection in boot process
• Complements runtime protections
• Hardware based trust provides verification useful in compliance
• Trust status and geo-location usable by security and policy applications to control workloads
Trusted Launch: verified platform integrity reduces malware threat
Trusted, Tagged Compute Pools: control VMs based on platform trust and location to better protect data
Compliance: hardware support for compliance reporting enhances auditability of cloud environment
Trusted Compute Pools with Geo-Tagging
Use geo-location descriptor stored in TPM on Trusted Servers to control workload placement & migration
OpenStack* Enhancements:
• Secure mechanism for provisioning geo certificates
• Dashboard – display VM/storage geo
• Nova flavor extra spec – geo
• Enhanced TCP scheduler filter
• Geo Attestation Service (OAT+)
Work in progress - provide feedback, use cases
Concept: Trusted Compute Pools (TCP) – VM Protection
Tenant-Controlled, Hardware-Assisted VM Protection in the Cloud (concept in demonstration stage)
[Figure: nine-step flow between the customer data center (MH Client) and the cloud service provider data center (Cloud Service Provider Portal; Trust Attestation, OAT/MTW; Key Management Service holding keys; CSP Image Server (Glance); Host + VMM with OAT, MH OVF plug-in, DOM0, TXT + TPM). Messages shown: Encrypted VM Image; Launch request (from anywhere); Encryption Key (enveloped); Policy; Launch command; Request Encryption Key (AIK, KeyID); Request Host Trust Attestation; Response Trust Status, BindPubKey; Encrypted VM SymKey]
Key Management
Ease security adoption, new use cases, compliance
• Server-side encryption
• Data-at-rest security
• Random high quality keys
• Secure key storage
• Controlled key access via Keystone
• High availability
• Pluggable backend – HSM, TPM
• Barbican Key Manager: https://github.com/cloudkeep/barbican
Intel technologies: Intel® Secure Key, Intel® AES-NI
Prototype in Havana, incubate in Icehouse
Filter Scheduler (Cinder)
[Figure: five volume services enter the scheduler; the filters leave Volume Service 2, 4 and 5; the weighers score the survivors (weights 25, 20 and 41) and the highest weight wins]
Filters: AvailabilityZoneFilter, CapabilitiesFilter, JsonFilter, CapacityFilter, RetryFilter
Weighers: CapacityWeigher, AllocatedVolumesWeigher, AllocatedSpaceWeigher
Example Use Case: Differentiated Service with Different Storage Back-ends
• CSP: 3 different storage systems, offers 4 levels of volume services
• Volume service criteria dictates which storage system can be used
• Filter scheduler allows CSP to name storage services and allocate correct volume
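The filter-then-weigh pipeline of the Cinder slide, and the trust-aware placement filter that the Trusted Compute Pools slides describe for Nova, in one small Python model. This is an added example, not Cinder's or Nova's own code: the filter and weigher names follow the slide, but the Backend and Request classes, the 0..1 normalisation with a per-weigher multiplier, the trust_status field that stands in for an attestation verdict, and the five sample volume services are assumptions constructed for the demonstration.

```python
"""Model of an OpenStack-style filter scheduler (added example; not Cinder's
or Nova's own code).  Phase 1: each candidate backend must pass every
filter.  Phase 2: survivors are scored by weighers; each score is normalised
to 0..1, multiplied by the weigher's multiplier and summed; the highest
total wins.  trusted_filter shows how a Trusted Compute Pools check fits
the same interface.  All names, sizes and trust verdicts are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Backend:
    name: str
    availability_zone: str
    free_gb: float
    allocated_volumes: int
    capabilities: Dict[str, str] = field(default_factory=dict)
    # Stand-in for the attestation service's verdict on this host (assumption:
    # a real scheduler would query the remote attestation server).
    trust_status: str = "untrusted"


@dataclass
class Request:
    size_gb: float
    availability_zone: Optional[str] = None
    extra_specs: Dict[str, str] = field(default_factory=dict)  # required capabilities
    retried_hosts: Set[str] = field(default_factory=set)       # hosts that already failed
    require_trusted: bool = False


# Filters: True keeps the backend.
def availability_zone_filter(b: Backend, r: Request) -> bool:
    return r.availability_zone is None or b.availability_zone == r.availability_zone

def capacity_filter(b: Backend, r: Request) -> bool:
    return b.free_gb >= r.size_gb  # cannot place a volume that does not fit

def capabilities_filter(b: Backend, r: Request) -> bool:
    return all(b.capabilities.get(k) == v for k, v in r.extra_specs.items())

def retry_filter(b: Backend, r: Request) -> bool:
    return b.name not in r.retried_hosts

def trusted_filter(b: Backend, r: Request) -> bool:
    # Workloads that demand a trusted pool only land on attested hosts.
    return not r.require_trusted or b.trust_status == "trusted"

# Weighers: higher raw score is better.
def capacity_weigher(b: Backend, r: Request) -> float:
    return b.free_gb

def allocated_volumes_weigher(b: Backend, r: Request) -> float:
    return -float(b.allocated_volumes)  # fewer volumes already placed scores higher

def normalize(scores: List[float]) -> List[float]:
    lo, hi = min(scores), max(scores)
    return [1.0] * len(scores) if hi == lo else [(s - lo) / (hi - lo) for s in scores]

Filter = Callable[[Backend, Request], bool]
Weigher = Callable[[Backend, Request], float]

def schedule(backends: List[Backend], r: Request, filters: List[Filter],
             weighers: List[Tuple[Weigher, float]]) -> Tuple[Optional[Backend], List[float]]:
    """Return (winning backend or None, total weight of each survivor)."""
    survivors = [b for b in backends if all(f(b, r) for f in filters)]
    if not survivors:
        return None, []
    totals = [0.0] * len(survivors)
    for weigher, multiplier in weighers:
        for i, w in enumerate(normalize([weigher(b, r) for b in survivors])):
            totals[i] += multiplier * w
    return max(zip(survivors, totals), key=lambda p: p[1])[0], totals

FILTERS = [availability_zone_filter, capacity_filter, capabilities_filter, retry_filter, trusted_filter]
WEIGHERS = [(capacity_weigher, 1.0), (allocated_volumes_weigher, 0.5)]
GOLD, SILVER = {"volume_backend_name": "gold"}, {"volume_backend_name": "silver"}

# Constructed pool of five volume services, as in the slide's figure.
BACKENDS = [
    Backend("vs1", "az1", 100, 10, GOLD, "trusted"),   # too little free space for 200 GB
    Backend("vs2", "az1", 900, 40, GOLD),              # most space, but never attested
    Backend("vs3", "az2", 1500, 5, GOLD, "trusted"),   # wrong zone
    Backend("vs4", "az1", 400, 3, GOLD, "trusted"),
    Backend("vs5", "az1", 3000, 20, SILVER, "trusted"),  # wrong backend class
]

def pick(size_gb: float, zone: str, backend_name: str, require_trusted: bool = False,
         retried: Optional[Set[str]] = None) -> Optional[str]:
    """Name of the backend chosen for a volume request, or None if nothing fits."""
    r = Request(size_gb, zone, {"volume_backend_name": backend_name}, retried or set(), require_trusted)
    winner, _ = schedule(BACKENDS, r, FILTERS, WEIGHERS)
    return winner.name if winner else None

if __name__ == "__main__":
    print(pick(200, "az1", "gold"))                          # vs2
    print(pick(200, "az1", "gold", require_trusted=True))    # vs4
    print(pick(200, "az1", "gold", retried={"vs2", "vs4"}))  # None
```

Running the module picks vs2 for a plain 200 GB gold request in az1 (most free space), vs4 once the request demands a trusted host because vs2 carries no attestation, and None when both surviving hosts are on the retry list; that last case is the one a scheduler must report rather than silently place.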
Data Collection for Efficiency: Intelligent Workload Scheduling
Enhanced usage statistics allow advanced scheduling decisions
• Pluggable metric data collecting framework
• Compute (Nova) - new filters / weighers for utilization-based scheduling
Metering in Havana release (ceilometer), scheduling in future release
Enhanced Platform Awareness
Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms
• Expose CPU & platform features to OpenStack Nova scheduler
• Use ComputeCapabilities filter to select hosts with required features
  - Intel® AES-NI or PCI Express accelerators for security and I/O workloads
  - Up to 10x encryption & 8x decryption performance improvement observed¹
Some features in Havana, more in future releases
[Figure: unencrypted data passes through the processor and emerges encrypted; faster encryption and decryption of data in motion]
Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
1 See http://www.oracle.com/us/corporate/press/173758
Benefits of Enhanced Platform Awareness
Enabler for Enhanced Cloud Efficiency & Deploying SDN/NFV Workloads
Some features enabled in Havana, more coming in future releases
Technologies: Intel® QuickAssist Accelerator; Intel® Data Plane Development Kit; Intel® AES New Instructions; Intel® Advanced Vector Extensions 2 (AVX2); Intel® Secure Key
SDN & NFV: Driving Architectural Transformation
From this: traditional networking topology; monolithic vertically integrated box; TEM proprietary solutions (Firewall, VPN, IDS/IPS on a TEM/OEM proprietary OS over ASIC, DSP, FPGA, ASSP)
To this: networking within VMs (VM: Firewall, VM: VPN, VM: IDS/IPS); standard x86 COTS HW (IA CPU, chipset, acceleration, switch silicon, NIC silicon); open SDN standard solutions (SDN/NFV, Wind River Linux + apps)
Intel® DPDK Accelerated Open vSwitch in Neutron
Open vSwitch ML2 driver/agent in development
[Figure: Neutron API and API extensions over the Neutron ML2 plugin and DB; an external controller; hosts running VMs on Intel DPDK vSwitch with an L2 agent, attached through a DPDK vSwitch mechanism driver]
Unleashing Intel® DPDK vSwitch performance in Neutron (10x)
Erasure Code for OpenStack* Swift
Saves disk space, does not impact QoS for hot objects
• Swift uses tri-replication today (3x storage)
• Add daemon on storage node
• Scans all existing objects offline
• Selects cold objects of large enough size
• Replaces tri-replication algorithm with erasure code
Work in progress - collaborate on Erasure Code
[Figure: clients use a RESTful API (similar to S3) against the access tier (concurrency); uploads pass through an encoder and downloads through a decoder to the capacity tier (storage), where fragments 1..N of object A are spread across zones 1-5; auth service]
Erasure Code Technology Lowering TCO for Swift
• Applications control policy
• EC can be inline or offline
• Supports multiple policies
• EC flexibility via plug-in
Detailed tutorial at: https://intel.activeevents.com/sf13/connect/sessionDetail.ww?SESSION_ID=1180&tclass=popup
Community collaboration: https://intel.activeevents.com/sf13/connect/sessionDetail.ww?SESSION_ID=1180&tclass=popup and https://blueprints.launchpad.net/swift/+spec/swift-ec
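A worked example of the storage trade-off behind this slide: an object is encoded into k data fragments plus parity instead of three full copies, one fragment is rebuilt after loss, and the offline "cold and large enough" selection rule from the bullet list is applied to a sample object listing. This is an added example, not Swift's code or its erasure-code plug-in. It assumes a toy single-parity XOR code (one recoverable loss; Swift's plug-ins use stronger Reed-Solomon codes that survive several), and the object names, sizes and access times are constructed.

```python
"""Erasure coding vs. tri-replication for cold objects (added example; not
Swift's own code).  A toy single-parity code splits an object into k data
fragments plus one XOR parity fragment, so any one lost fragment can be
rebuilt from the remaining k.  Swift's erasure-code plug-ins use stronger
Reed-Solomon codes that survive several losses, but the storage arithmetic
and the "pick cold, large objects" policy are the same.  Object names,
sizes and timestamps below are constructed sample data."""
import math
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def split_fragments(data: bytes, k: int) -> List[bytes]:
    """Cut data into k equal fragments, zero-padding the tail."""
    frag_len = math.ceil(len(data) / k)
    padded = data.ljust(frag_len * k, b"\x00")
    return [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(data: bytes, k: int) -> List[bytes]:
    """Return k data fragments followed by one parity fragment."""
    frags = split_fragments(data, k)
    parity = frags[0]
    for f in frags[1:]:
        parity = xor_bytes(parity, f)
    return frags + [parity]


def decode(fragments: List[Optional[bytes]], k: int, original_len: int) -> bytes:
    """Rebuild the object from k+1 fragments of which at most one is None."""
    missing = [i for i, f in enumerate(fragments) if f is None]
    if len(missing) > 1:
        raise ValueError("single-parity code can rebuild at most one lost fragment")
    frags = list(fragments)
    if missing:
        present = [f for i, f in enumerate(frags) if i != missing[0]]
        rebuilt = present[0]
        for f in present[1:]:
            rebuilt = xor_bytes(rebuilt, f)  # XOR of all the others is the lost one
        frags[missing[0]] = rebuilt
    return b"".join(frags[:k])[:original_len]


def storage_overhead(k: int, parity: int = 1) -> float:
    """Bytes stored per byte of object data; tri-replication is 3.0."""
    return (k + parity) / k


def select_for_ec(objects: List[Dict], now: datetime, min_size: int,
                  cold_after: timedelta) -> List[str]:
    """Offline policy from the slide: cold objects of large enough size."""
    return [o["name"] for o in objects
            if o["size"] >= min_size and now - o["last_access"] >= cold_after]


NOW = datetime(2013, 11, 1)  # constructed reference time for the sample listing
SAMPLE_OBJECTS = [  # constructed object listing
    {"name": "backup.tar", "size": 512 * 2**20, "last_access": NOW - timedelta(days=120)},
    {"name": "thumb.png", "size": 40 * 2**10, "last_access": NOW - timedelta(days=400)},
    {"name": "vm.qcow2", "size": 8 * 2**30, "last_access": NOW - timedelta(days=2)},
]


def cold_large_objects() -> List[str]:
    """Objects the daemon would convert: at least 100 MiB and idle for 30 days."""
    return select_for_ec(SAMPLE_OBJECTS, NOW, min_size=100 * 2**20,
                         cold_after=timedelta(days=30))


if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"
    frags = encode(data, 4)
    frags[2] = None  # simulate a lost storage zone
    print(decode(frags, 4, len(data)) == data)
    print(storage_overhead(4), "vs 3.0 for tri-replication")
    print(cold_large_objects())
```

With k = 4 the object costs 1.25 bytes per byte instead of 3.0, which is where the TCO saving comes from; the decode step is also why the slide restricts the change to cold objects, since a read of a lost fragment now costs a reconstruction instead of a straight copy.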
Server Security Technologies
A Fresh Look at Intel® VT: Hardware Provides Stronger Isolation of VMs
Traditional server VMM-based uses – isolation needed for:
• Separation of development and production environments
• Technology demonstrations
New cloud security-related uses:
• Isolation of workloads in multi-tenant cloud
• Memory monitoring for malware detection
• Device isolation for protection against DMA attacks
Intel® Virtualization Technology:
• Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution
• Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O
[Figure: VM1 and VM2 isolated on a VMM]
Summary: Top Challenges & Intel Responses
Security & Compliance: Trusted Filter in nova, Filter UI in horizon; Geo-tagging work in progress; Key Management in Icehouse release; Enhanced Platform Awareness (AES-NI etc.); OpenAttestation SDK
Unit Cost Reduction: Intelligent storage allocation in Cinder; Multiple publisher support in ceilometer; Erasure code in Icehouse release; COSbench performance measurement tool
Business Uptime: Intel® Virtualization Technology with FlexMigration
Intel is actively involved in the OpenStack community to deliver an interoperable, federated, efficient and secure Open Cloud ecosystem
Linux Kernel Contributions
[Figure: contribution by percentage (0-14%) per kernel release for Intel, Red Hat, SUSE and IBM. Source: http://lwn.net]
Summary: Key Intel Contributions into OpenStack
Contribution | Project | Release | Comments
Trusted Filter | Nova | Folsom | Place VMs in Trusted Compute Pools
Trusted Filter UI | Horizon | Folsom | GUI interface for Trusted Compute Pool management
Filter Scheduler | Cinder | Grizzly | Intelligent scheduler allocates storage based on workload
Multiple Publisher Support | Ceilometer | Havana | Pipeline manager; pipelines of collectors, transformers, publishers
Open Attestation SDK | To Open Source | | Remote Attestation service for Trusted Compute Pools
COSBench | To Open Source | | Object store benchmarking tool
Enhanced Platform Awareness | | Havana | Leveraging PCIe devices and CPU features in cloud infrastructure
Key Manager | | Havana | Makes data protection more readily available via server side encryption with key management
Erasure Code | | Havana | Replacing tri-replication algorithm in Swift
Intel IT Open Cloud Components
[Figure: layered stack with release cadence. Physical infrastructure (compute, storage, network): 12-18 months. Infrastructure as a Service, open source (OpenStack*): 6 months – Compute (Nova*), Block Storage (Cinder*), Object Storage (Swift*), Network (Neutron*), Dashboard (Horizon*), OS Images (Glance*); Manageability: 6 months. Monitoring as a Service: 3 months – Watcher (Nagios*, Shinken*, Heat*), Decider (Heat), Collector (Hadoop*), Actor (Puppet*, Cfengine*). App Platform Services, PaaS: 3 months – Analytics, Messaging, Data, Web. Interfaces: GUI (Graphical User Interface), API (Application Programming Interface). Open-Source Foundation]
Intel IT’s Cloud Transformation
Period | 2000-2009 | 2010 | 2012 | 2014+
Stage | Traditional Hosting | Mainstream Virtualization | Intel Cloud 1.0 / Hybrid Cloud 2.0 | Converged Cloud
Virtualization | 12% Virtualized | 42% Virtualized | 75% Virtualized | 75%+ Virtualized
Provisioning | 90+ Day Provisioning | 10 day Provisioning | On Demand Compute | On Demand Compute, Network, Storage
Capacity | Silos of Capacity | Pooled Capacity | Segmented Clouds | Converged Clouds, burst capacity @ 3rd Party
Requests | Manual Ticketed Service Request | Manual Ticketed Service Request | Some on demand Request fulfillment | Full Self Service Request fulfillment
Reliability | Varying Server Reliability | 99.7% VM Reliability | 99.7-99.9% Availability | 99.99% Availability Capable
Scope labels shown: Design; Office/Enterprise; Public physical hosting; Office cloud; Public; Office/Enterprise/Services