Post on 07-Jan-2017
Carlos Martín, OpenNebula Software Engineer
linkedin.com/in/carlosmartinsanchez
Security, Federation & Hybrid Workshop
OpenNebulaConf 2016, 4th edition
Agenda for the Workshop
● Infrastructure integration levels
○ Federation
○ Hybrid: OpenNebula - OpenNebula
○ Hybrid: OpenNebula - other technologies
● Security & Authentication
Data Center Federation Overview
What is OpenNebula Federation?
● Tightly coupled integration of 2 or more OpenNebula instances
● Each instance of the Federation is called a Zone
● One master and several slaves.
● Zones share the user accounts, groups, and permissions configuration
● A vDC is a group of users with part of the physical resources, generally one or more clusters belonging to one or several zones, assigned to them
● Seamless for Cloud users: ability to switch the active Zone in Sunstone
Under the Hood
Inner Workings of Federation
● Master and slaves share DB tables: users, groups, ACL rules, zones
● Only the master writes to the shared tables.
● Slaves keep a read-only local copy, and proxy writing ops to the master
● Sync is achieved by configuring MySQL to replicate certain tables only
● Performs well over long-distance/bad quality connections
● If the master zone fails, slaves continue to work, except for new user creation, password updates, etc.
● Slaves can be added at any moment (import or new)
● Support of different OpenNebula versions
● Sunstone server is connected to all the oned daemons in the Federation
● One Sunstone for the entire Federation, or one Sunstone per Zone
Configuration
● Enable Federation Mode = Master in the master’s oned.conf
● Define the master’s xmlrpc endpoint: onezone update 0
● Create a zone for every slave (name and endpoint)
● Importing from an existing slave: onedb import-slave
● Select merging policy
+----------+-------------++------------+---------------+
| Master   | Slave       || With merge | Without merge |
+----------+-------------++------------+---------------+
| 5, alice | 2, alice    || 5, alice   | 5, alice      |
| 6, bob   | 5, bob      || 6, bob     | 6, bob        |
|          |             ||            | 7, alice-1    |
|          |             ||            | 8, bob-1      |
+----------+-------------++------------+---------------+
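The merging policy in the table above, worked through as an added example (not the workshop's material and not the code of onedb itself): the same-name collision is either folded into the master's object or kept as a renamed user with a fresh id, and the returned id map is what every slave-side reference (ownership, ACL rules) would have to be rewritten with. User ids and names are constructed to match the table.

```python
# Constructed user tables, id -> username, matching the table on the slide
MASTER = {5: "alice", 6: "bob"}
SLAVE = {2: "alice", 5: "bob"}


def import_slave(master, slave, merge):
    """Return (merged_table, id_map).

    merged_table: id -> username after the import.
    id_map: every slave user id -> its id in the merged table, i.e. the
    translation that slave-side ownership and ACL references need.
    """
    merged = dict(master)
    by_name = {name: uid for uid, name in master.items()}
    next_id = max(merged) + 1 if merged else 0
    id_map = {}
    for slave_id, name in sorted(slave.items()):
        if merge and name in by_name:
            # With merge: same username on both sides means the same
            # person; keep the master's object and point the slave at it.
            id_map[slave_id] = by_name[name]
            continue
        new_name = name
        if name in by_name:
            # Without merge: the colliding slave user is kept as a separate
            # object and renamed with a numeric suffix (alice -> alice-1).
            n = 1
            while f"{name}-{n}" in by_name:
                n += 1
            new_name = f"{name}-{n}"
        # Slave ids may clash with master ids (5 here), so every imported
        # user gets the next free id regardless of its original one.
        merged[next_id] = new_name
        by_name[new_name] = next_id
        id_map[slave_id] = next_id
        next_id += 1
    return merged, id_map


if __name__ == "__main__":
    for policy in (True, False):
        table, remap = import_slave(MASTER, SLAVE, merge=policy)
        print("with merge" if policy else "without merge", table, remap)
```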
● Configure MySQL Replication Master and Slave
● Copy the auth directory from master to slaves: /var/lib/one/.one_auth
Hybrid Cloud Computing (Cloud Bursting)
● VMs can be local or remote
● VM connectivity has to be configured, usually VPNs
● External Clouds are like any other host
● Placement Constraints
● Hybrid Cloud drivers
Installation
● New drivers are available as an addon:
https://github.com/OpenNebula/addon-opennebula-hybrid
● Install and enable drivers in oned.conf
● Configure remote user credentials
● Add hybrid Host
● Fully supported in Sunstone!
● Several hybrid OpenNebulas are supported
● Limit CPU and MEMORY with quotas
● Admin can define:
○ access to physical infrastructure
○ access to VM Templates
Configuration
Authentication Drivers
User Authentication Drivers
● Can be used to:
○ Allow/deny access
○ Automatically create OpenNebula users (there is no need to import and sync LDAP users, for example)
● Each user can have a different authentication driver
● The oned xml-rpc protocol remains untouched: seamless integration with CLI, OCA, Sunstone…
● Even with external authentication, OpenNebula user objects are needed to keep track of resource ownership, usage, and quota limits
● OpenNebula will cache the successful authentication tokens for a while to reduce the driver workload. This can be adjusted or disabled in oned.conf
● A default driver can be configured for unknown usernames
Authentication Drivers
Authentication driver scripts
● authenticate
○ From the session string “username:secret”, returns 0 or -1 to grant or deny access
○ New usernames will be added as OpenNebula users if the driver prints to stdout ‘drivername username password’
○ New in 5.2! The driver can return a list of groups that the user belongs to. The OpenNebula user group list is updated.
You can manage group membership in your LDAP and OpenNebula will mirror the changes
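The authenticate contract described above, as an added example that is not part of the workshop or of any shipped OpenNebula driver: it takes the “username:secret” session string, exits 0 or -1, and on success prints ‘drivername username password’ followed by the user's groups. The driver name, the in-memory directory standing in for LDAP, the PBKDF2 check, and the assumption that oned passes the session string as the first argument are all constructed for this example.

```python
import hashlib
import hmac
import sys

DRIVER_NAME = "workshop"  # hypothetical driver name


def _derive(secret, salt):
    # PBKDF2 so that the directory never holds plaintext secrets
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


_SALT = b"constructed-salt"
# Constructed stand-in for an external directory (e.g. LDAP):
# username -> (salt, derived key, groups the user belongs to)
DIRECTORY = {
    "alice": (_SALT, _derive("alice-pw", _SALT), ["production", "development"]),
    "bob": (_SALT, _derive("bob-pw", _SALT), ["development"]),
}


def parse_session(session):
    """Split 'username:secret' on the first ':' only, so a secret may contain ':'."""
    if ":" not in session:
        return None
    user, secret = session.split(":", 1)
    return (user, secret) if user else None


def authenticate(session):
    """Return (exit_code, stdout_line): 0 grants, -1 denies.
    On success the line is 'drivername username password [group ...]'
    so oned can create the user and (5.2+) mirror its group list."""
    parsed = parse_session(session)
    if parsed is None:
        return -1, ""
    user, secret = parsed
    entry = DIRECTORY.get(user)
    if entry is None:
        return -1, ""
    salt, key, groups = entry
    # Constant-time comparison: the result must not leak how much matched
    if not hmac.compare_digest(_derive(secret, salt), key):
        return -1, ""
    # The 'password' oned stores for the user is an opaque value derived
    # from the key, never the secret itself (assumption for this example).
    stored = hashlib.sha256(key).hexdigest()
    return 0, " ".join([DRIVER_NAME, user, stored, *groups])


if __name__ == "__main__":
    # Assumption: oned hands the session string as the first argument.
    code, line = authenticate(sys.argv[1] if len(sys.argv) > 1 else "")
    if line:
        print(line)
    sys.exit(code)  # -1 reaches the caller as exit status 255
```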
Admins have many hats!
Tell OpenNebula the one that’s on your head
Login Tokens
What is it?
● A temporary password with an expiration date
● New in 5.2! A token can have an effective group
Effective group
● Filters all resources to show the ones in the defined group.
For instance: Focus your work on group ‘production’ or ‘development’
Authentication in Sunstone
● Basic user / password
● x509 certificates, managed by the browser
● Remote auth: Do not miss the user workshop on Wednesday
OpenNebula Sunstone integration with FreeIPA using Single Sign On
Álvaro Simón, Ghent University
Virtual Network Definition
Addresses Space (multiple, disjoint ranges)
● IPv4
● IPv6 (Global & ULA)
● Ethernet - MAC addresses
Security Groups
● Managed as a separate entity
● Inbound & Outbound, TCP/UDP/ICMP
Custom Tags
Configuration & Physical Attributes
● Network specific (e.g. BRIDGE, VLAN_ID)
● VM Context (e.g. DNS, GATEWAY)
Virtual Machine Configuration (L3 - L4 - L5)
● Context CD-ROM ISO with network information
● Stock guest packages include support for IP, GATEWAY, DNS, NETWORK_MASK but are easily extensible
● NFV not imposed nor required (e.g. DHCP server per net) but supported.
Require as little as possible, accommodate any topology