OpenStack Australia Day 2016 - Anthony Rees + Alex Tesch, HPE: Infrastructure as Code in OpenStack...
OpenStack® Summit Austin 2016
Infrastructure as Code in OpenStack with Ansible
Alex Tesch, Cloud Consultant
@tesch75
Anthony Rees, Cloud Consultant
@anthonyrees
Advanced Neutron Use Cases
What will we cover?
– LBaaS
  – Proactive auto scaling
– FWaaS
  – Dynamic security
– VPNaaS
  – Connecting two clouds
– Bare Metal as a Service
LBaaS
Load Balancer as a Service
Load Balancer as a Service
Why was the customer interested in LBaaS?
– Auto scaling via threshold
– Variety of load balancers supported
– Control load balancers by code
Current Neutron Limitations
How do we overcome them?
LBaaS v2 Limitations in current enterprise distros
– Lack of autoscaling capabilities using the traditional scaling group approach.
  – Instead of using Ceilometer / Heat to trigger the autoscaling, we decided to use an enterprise monitoring tool to keep track of the CPU utilisation in the Tomcat instances and use scripts to trigger the scale up / down once thresholds are reached.
– No HA capabilities for LBaaS v2 control plane and data plane.
  – An external HW load balancer with supported LBaaS v2 API can be used to achieve HA in the data plane. HA for the control plane remains a concern…
Current Neutron Limitations
How do we overcome them?
LBaaS v2 Limitations in current enterprise distros
– The LBaaS agent runs inside the kernel namespaces of the network node or compute (when DVR is used). If the network node is down, the kernel namespace is gone and there is no way to bring up the load balancer in an alternate network node.
  – This limitation will be addressed by Octavia in the next Enterprise release.
Current Neutron Limitations
How do we overcome them?
LBaaS v2 Limitations in current enterprise distros
– No Horizon integration
  – LBaaS needs to be managed from the neutron CLI or using the API (this is not a bad thing).
– LBaaS v2 has no integration with Heat (this is a bad thing…).
  – The workaround presented in the demo makes it possible to orchestrate a full two-tier infrastructure (Tomcat / Oracle), combining Heat orchestration templates with neutron API calls driven from a single Ansible playbook or a single shell script.
FWaaS
Firewall as a Service
Firewall as a Service
Why was the customer interested in FWaaS?
– Simple interface for Firewall
– Dynamic changes applied | No restart required
– Control the Firewall via code
– Advantages beyond what’s offered by Security Groups for LBaaS
Current Neutron Limitations
How do we overcome them?
FWaaS v1 Limitations in current enterprise distros
– This is by no means an Enterprise HW firewall replacement.
  – External FW support is in place for major vendors (checkpoint, Brocade,
– If DVR is enabled, the firewall service does not filter east / west traffic; only north / south traffic is filtered.
  – A combination of security group policies / FWaaS can be used to address this.
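
With DVR the FWaaS policy never sees east / west traffic, so security group rules are the only filter between tiers. The added example below (not from the original slides) flags ingress rules whose source range spans two or more tenant subnets; the subnet names, CIDRs and rule IDs are constructed, and the rule fields follow Neutron's security-group-rule objects.

```python
import ipaddress

# Constructed sample data: two tenant subnets (Tomcat and Oracle tiers) and
# rules shaped like Neutron security-group-rule objects. IPv4 only.
TENANT_SUBNETS = {"web": "10.0.1.0/24", "db": "10.0.2.0/24"}
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_range_min": 8080,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_range_min": 1521,
     "remote_ip_prefix": "10.0.1.0/24", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "remote_ip_prefix": "10.0.0.0/16", "remote_group_id": None},
    {"id": "r4", "direction": "ingress", "protocol": "icmp", "port_range_min": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r5", "direction": "egress", "protocol": None, "port_range_min": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r6", "direction": "ingress", "protocol": "tcp", "port_range_min": 1521,
     "remote_ip_prefix": None, "remote_group_id": "sg-web"},
]


def east_west_gaps(rules, tenant_subnets):
    """Return (rule id, covered subnets) for ingress rules open to several tiers."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in tenant_subnets.items()}
    findings = []
    for rule in rules:
        # Egress rules and rules scoped to a remote security group are out of scope.
        if rule["direction"] != "ingress" or rule.get("remote_group_id"):
            continue
        # With no remote group, a missing prefix means "any source" in Neutron.
        source = ipaddress.ip_network(rule.get("remote_ip_prefix") or "0.0.0.0/0")
        covered = sorted(n for n, net in nets.items() if net.subnet_of(source))
        # Spanning two or more tiers means FWaaS would have been relied on to narrow it.
        if len(covered) >= 2:
            findings.append((rule["id"], covered))
    return findings


if __name__ == "__main__":
    for rule_id, tiers in east_west_gaps(SAMPLE_RULES, TENANT_SUBNETS):
        print(f"{rule_id}: source range admits peers in {', '.join(tiers)}")
```

Rules flagged this way are candidates for a narrower `remote_ip_prefix` or a `remote_group_id`, since nothing else filters traffic between the tiers.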
Current Neutron Limitations
How do we overcome them?
FWaaS v1 Limitations in current enterprise distros
– Security groups are not able to block ICMP targeting the LBaaS floating IP (since the LBaaS is an agent, not a VM). FWaaS can address this (as shown in the demo).
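
A FWaaS v1 policy is an ordered rule list with an implicit deny-all at the end, so a deny-ICMP rule for the load balancer only takes effect if it sits ahead of any broader allow. The added sketch below (not code from the demo) evaluates a packet against such a list; the floating IP and rule names are constructed, the field names follow FWaaS v1 `firewall_rule` attributes, and only single destination ports are handled.

```python
import ipaddress

LB_FIP = "203.0.113.10"  # constructed floating IP (documentation range)


def rule(name, action, protocol=None, dst=None, dport=None):
    # Field names follow the FWaaS v1 firewall_rule attributes.
    return {"name": name, "action": action, "protocol": protocol,
            "destination_ip_address": dst, "destination_port": dport,
            "enabled": True}


DENY_ICMP = rule("deny-icmp-lb", "deny", "icmp", LB_FIP)
ALLOW_HTTP = rule("allow-http-lb", "allow", "tcp", LB_FIP, "80")
ALLOW_ANY = rule("allow-any-lb", "allow", None, LB_FIP)


def matches(r, pkt):
    """True when the packet satisfies every field the rule sets."""
    if not r["enabled"]:
        return False
    if r["protocol"] and r["protocol"] != pkt["protocol"]:
        return False
    if r["destination_ip_address"]:
        net = ipaddress.ip_network(r["destination_ip_address"])
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    if r["destination_port"] and r["destination_port"] != str(pkt.get("dport")):
        return False
    return True


def evaluate(policy, pkt):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in policy:
        if matches(r, pkt):
            return r["action"], r["name"]
    return "deny", "implicit-deny-all"


if __name__ == "__main__":
    ping = {"protocol": "icmp", "dst": LB_FIP}
    print("broad allow first:", evaluate([ALLOW_ANY, DENY_ICMP], ping))
    print("deny first:       ", evaluate([DENY_ICMP, ALLOW_ANY], ping))
```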
VPNaaS
Virtual Private Network as a Service
VPN as a Service
Why was the customer interested in VPNaaS?
– Securely connect two clouds to create a ‘region’ like experience
– Enable ‘Back-end’ as a Service
– Enable ‘Bi-Modal’ IT
– A way to link legacy systems of record, databases etc. to cloud instances
VPN as a Service
How it works
[Diagram: Site A (Private Cloud) and Site B (Public Cloud), with DB and Web instances, linked by IPSec site connections]
Current Neutron Limitations
How do we overcome them?
VPNaaS limitations in current enterprise distros
– VPNaaS doesn’t work with FIP if DVR is being used.
– VPNaaS currently supports only pre-shared keys (PSK).
  – If certificate based security is required, VPNaaS is not a viable option in the current enterprise distributions.
Current Neutron Limitations
How do we overcome them?
VPNaaS limitations in current enterprise distros
– The VPNaaS implementation is based on OpenSwan, which runs an ipsec process as root in the network nodes. A vulnerability in this process could lead to a root compromise in the network nodes.
  – If this is a major concern, operators should consider deploying additional protection mechanisms.
BMaaS
Bare Metal as a Service
Bare Metal as a Service
Why was the customer interested in Bare Metal?
– Automated way to add compute nodes to their cloud
– Automated way to provision Bare Metal for applications that don’t perform on cloud instances
– Control bare metal via code
– One code base to control cloud instances or bare metal
Bare Metal Provisioning
Provisioning new servers into the cloud
The Ansible Model
– The model holds existing and new bare metal servers
– Ansible passes the metadata required to Cobbler
– Ansible configures the DHCP server for the new bare metal machine
– Ansible powers up the new bare metal machine
Thank you