What IT Leadership Needs to Know About OpenStack © 2015 Zefflin Systems All Rights Reserved

White Paper

Zefflin Systems LLC

What IT Leadership Needs to Know About OpenStack


Table of Contents

1. Introduction
2. Business Case
3. Governance, and Why This is Important
4. OpenStack Distributions: What Are They and Why Does it Matter?
5. Open Source Software Licensing Models & Agreements
6. Risks in Adopting OpenStack and How to Mitigate Them
3. About Zefflin


1. Introduction

As more and more companies decide to commit resources to OpenStack, many are going into it with false assumptions or without properly educating themselves. OpenStack shows tremendous promise to streamline IT, reduce cost and improve speed/quality of service. There are many aspects of planning, purchasing, implementing and running OpenStack, however, that differ significantly from enterprise software.

2. Business Case

When you've decided that OpenStack is worth a look from a technological, functional and organizational perspective, there are a number of costs/benefits to consider. Some of these must be qualitatively assessed. Others can be specifically quantified.


Research has been published regarding costs and benefits of adopting OpenStack, but each organization is different. There are many variables involved and it is highly dependent upon several factors, including workloads to be run, existing infrastructure, resource availability and many others. It is clear, however, that increasing numbers of companies from small to larger enterprises are finding that the benefits outweigh the costs.


3. Governance, and Why This is Important

In the world of enterprise software, product management and all the processes associated with it are well understood. Enterprise software companies constantly evaluate market conditions and develop a product roadmap that includes development of future functionality and product direction.

With open source software, the rules are different. For some open source software, the product management function is still contained inside a single software company. For OpenStack (as in the case of Linux), the product management function lies with the OpenStack Foundation, an independent non-profit organization which has its own by-laws, procedures and governance. Its board members are also elected by the community, which minimizes dominance by any single vendor. This changes the dynamic completely because market requirements have a different path by which they become product functionality. Any developer can submit a code change for consideration. Companies can employ (at their own cost) any number of developers, thereby vying for influence by sheer number of heads.

Enterprise software companies like VMware, HP, IBM and others are embracing OpenStack, but they also have significant software license revenue that is complementary and/or competitive with OpenStack. This is not a bad thing, but is an important nuance to understand for anyone considering a long-term commitment to OpenStack, because some product features may have genuine market pull, while others may be influenced by enterprise software. There are advantages to this also. For example, VMware Integrated OpenStack (VIO) has strong integration to vSphere, vCloud Director and the entire vCloud Automation suite (recently renamed to vRealize Suite). HP Helion OpenStack has strong integration to their cloud automation suite, including Cloud Service Automation (CSA) and Operations Orchestration (OO) products.

The code development and management process is also a major consideration for any software user. In the enterprise software world, the entire development process is owned by a single vendor from code, build, test and QA to packaging and distribution. It is assumed that any enterprise software company has safeguards and processes that ensure code quality and security. With OpenStack, the development community is very large. For the latest release (Kilo), some 1,500 developers put their weight behind Kilo, merging over 19,500 patches and dispatching nearly 14,000 tickets, all in a 6-month period. The coding, QA and security processes have to be automated and very disciplined in order to support this volume of work and a developer community of this size. The OpenStack community has adopted modern DevOps and automation practices. Code checks covering code quality and security are more stringent than those most software companies apply internally. This is by necessity and is a very good thing for the user base, because the structure applied represents a lower risk for users.

4. OpenStack Distributions: What Are They and Why Does it Matter?

OpenStack is following a path to mainstream adoption similar to the one Linux took. Companies have signed up to take the vanilla version ("Trunk"), integrate their own IP, then provide QA, packaging and installation utilities, and offer support contracts. There are at least 15 companies that have entered the market in this area, including HP, IBM, VMware, Red Hat, Canonical, Mirantis, Piston and others. Each company has a different approach to how they deliver OpenStack to market. Some have architected it in a way that is easy to install and upgrade. Piston, for example, has developed a powerful IP layer that enables OpenStack to run on commodity hardware, significantly reducing the cost of infrastructure required to deploy. Each company incorporates their own IP, QA process and packaging, resulting in different software from distributor to distributor. For these reasons, it is best to develop your infrastructure roadmap and cloud strategy before picking a distributor.

5. Open Source Software Licensing Models & Agreements

Open source software has different models associated with it. It is important to understand the different models and licensing agreements because it will give you insight into many different aspects of the solution lifecycle, such as:

• Degree of vendor lock in

• Product management and how much input you will have

• Availability of skills in the market place for that software


Models

Open core - Base functionality is open source, but additional features are license based. Vendor will sell support contracts for open source portion and license/support for additional functionality.

Open source - All code is completely open and available. Vendor will sell support contracts only. OpenStack follows this model, but there is a rich vendor ecosystem of technology companies that add additional complementary solutions, such as cloud management, software defined networking (SDN), virtualization and much more. Some of those are open source, others are proprietary.

Agreements and Terms

All open source software is released to the public under specific terms, in most cases referencing an existing open source license model. There are specific differences and it is important to be aware of which model is being used, in order to minimize IP infringement risks and avoid unjustified charges.

Read your open source license agreement carefully!

Here are some of the common licenses. Note that OpenStack is distributed under the Apache 2.0 license.


6. Risks in Adopting OpenStack and How to Mitigate Them

As with any new technology, there are risks associated with OpenStack adoption. These can be significantly mitigated if they are known up front and thought through before beginning.

1. Security - This topic is top of mind for almost every IT leader. There are two main areas to consider separately with respect to OpenStack: coding/development, and operational. Coding and development addresses some of the code checks and QA processes that both the OpenStack community and the distributors must adhere to in order to ensure that no malicious code is inserted into the core OpenStack code set. With 1500 developers to keep track of, this is no small feat. Automation software and tightened procedures have greatly reduced the risk associated with the code, but questions should be asked of any distributor as to how they address this issue. On the operational side, a lot of work has been put in by the OpenStack development community over the last year to ensure that the security is ready for the enterprise. This includes incorporation of the identity management functionality of the Keystone project. There is a separate committee in the OpenStack Foundation dedicated to security for applications and data.

2. IP Infringement - This issue is often ignored or not given the priority it deserves in the OpenStack world. The risk is represented by the exposure that would come from a developer claiming that his/her proprietary code somehow made it into the OpenStack base code, causing OpenStack to infringe on their IP rights.

This is a real scenario, and it has happened. The Symantec case demonstrates how real this scenario is. If the claimant so chose, they could file suit against the entire OpenStack supply chain, starting with the foundation, working through to the distributor, reseller and finally the end customer. If the claimant wins in court, an injunction could be granted, forcing users to cease using the software. The latter scenario is unlikely but should be factored into a risk analysis before adopting OpenStack. One key step that all end customers can take to minimize the exposure is to ask their distributor for indemnification for 3rd party IP infringement. If a distributor provides indemnity, it shields the end user from liability and cost of legal defense, which is definitely worth it! As of the writing of this newsletter, HP is the only distributor that has publicly come forward and offered unlimited indemnity to customers for this. Other distributors offer limited protection, some no protection. It is up to you as a customer and user to insist on it.

3. Implementation - OpenStack is no different from an implementation perspective than any other new technology. Implementation time, effort and cost are highly dependent upon how different business requirements are from the out-of-box system, how many integration points there are, level of expertise, and size/stability of scope. The best approach is to start small, implementing a limited scope, and building from there. Internal training of personnel is highly recommended and you may look to outside consulting companies for assistance in getting started. Outside help can not only help you set strategy and direction, but also accelerate learning of internal resources and cut implementation time and risk. Use a phased approach and build complexity with each subsequent phase. For example, you can start phase 1 with compute (Nova) and block/object storage (Cinder/Swift), which would provide you with provisioning and virtualization of OS and storage for apps running in your existing environment. Phase 2 might add networking (Neutron) and expansion of image storage (Glance).

There are tremendous gains to be had from adopting OpenStack as part of a full private cloud strategy. Each IT organization is unique and you should approach it with your business requirements, constraints and current architecture in mind. Understanding of OpenStack, its ecosystem and open source software is essential, however.

As big as the advantages can be, it is critical to understand that OpenStack, as an open source component of your operation, represents a different way of doing things than other proprietary enterprise software you might be used to. Those who grasp the differences and leverage them to their advantage will be successful with OpenStack.

3. About Zefflin

Zefflin is focused exclusively on Data Center Automation and Cloud Management solutions implementation and integration. As a world-class, agile, center of excellence, our aim is to work with best of breed software, combined with the industry's best technical consulting and integration talent. We provide consulting services in data center strategy, DevOps Transformation, DevOps automation, OpenStack consulting and software implementation. We cut through the hype, identifying which tools can be implemented and integrated to effectively automate application development and IT operations. We offer high quality, cost effective solutions addressing the automation of the entire lifecycle of complex computing environments, from request/catalog management, automated provisioning (OS, application, database, storage, network), to policy governance and compliance. Our vision is to bring to market consulting/software solutions that enable the lights-out data center. This will allow our customers to implement fully automated private, public and hybrid cloud systems, delivering low cost, high quality services to their customers while minimizing personnel cost. Our current software resale and implementation portfolio includes Scalr and CloudForms for cloud management and Cloudify for cloud orchestration, as well as support for all major OpenStack distributions.

www.zefflin.com