
Intel in OpenStack:

Contributions & Challenges

Krish Raghuram, Intel Open Source Technology Center

Thomas von Bauer, Intel Strategic Relationship Manager for SuSE

SuSEcon, Lake Buena Vista, FL, Nov’13


Legal Disclaimers:

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel product plans in this presentation do not constitute Intel plan of record product roadmaps. Please contact your Intel representative to obtain Intel's current plan of record product roadmaps.

Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. Go to: http://www.intel.com/products/processor_number.

Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.

Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

Code names featured are used internally within Intel to identify products that are in development and not yet publicly announced for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user

Intel, and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

*Other names and brands may be claimed as the property of others.

Copyright ©2013 Intel Corporation.

Growth & IT Challenges Drive Need for Cloud Computing

Growth (figures as given on the slide):

• >3B connected users by 2015 (1)

• 15B connected devices by 2015 (3)

• 2X growth in information every two years (2)

• 13X increase in mobile data traffic by 2017 (4)

• Up to 2X, or $27B, in additional data center power costs by 2015 (5)

IT Challenges:

• Avoid Lock-In: seek interoperable solutions & services

• Improve Agility: reduce service delivery times, improve TCO

• Greater Efficiencies: reduce complexity & deploy new workloads

• Gain Better Insights: via intelligent analytics

1 Cisco Global Cloud Index Nov 2011

2 IDC Digital Universe Study 2011

3 Intel estimate

4 Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2012-2017, Feb 2013

5 Datacenter Dynamics Global Datacenter Energy Demand 2012 forecast http://www.datacenterdynamics.com/research/energy-demand-2011-12; projected to 2015 by Intel; assume $0.10/kWh

Cloud Adoption Growing & Delivers Benefits

Intel IT example (3):

| | Traditional IT - 2009 | Private cloud - 2012 |
| Resource provisioning | 90 days | 45 minutes |
| Virtualized Platforms | 12% | 75% |
| Asset Utilization | 10-20% | >60% |
| Capacity | Silos | Shared globally |
| Cost Savings | | $15M in savings (4) |

IT Survey Results (1): >40% of IT operations in public cloud, >40% of IT operations in private cloud

• Public Cloud: today 6%, 2015: 25%

• Private Cloud: today 19%, 2015: 59%

• Hybrid Cloud: 50% of enterprise by 2017 (2)

1 ODCA global member survey, Aug 2012, N=63

2 Gartner, 2013 - http://www.eweek.com/small-business/hybrid-cloud-deployments-rising-gartner.html

3 Source: Intel IT - http://premierit.intel.com/docs

4 Intel IT 2011-2012

Enterprise Cloud Maturity Journey

Server Consolidation -> Distributed Virtualization -> Private Cloud -> Hybrid Cloud

(Virtualize -> Pool -> Automate -> Scale)

Virtualization replacing silos; Automation replacing manual; Standards replacing proprietary

Security is Top Barrier to Cloud Adoption

IT PRO SURVEY OF KEY CONCERNS (1):

• Lack of visibility: 57%

• Lack of control over data: 61%

• Compliance concerns: 55%

[Figure: traditional data center (HR, Mfg) and private/public cloud, connected through networks to users & intelligent devices]

1 Source: McCann "What's holding the cloud back?" cloud security global IT survey, sponsored by Intel, May 2012

Helping Fuel Innovation - and Opportunities

Intel in Open Source:

• #2 Linux Contributor: improving performance, stability & efficiency (kernel contributions by company: Red Hat 11.1%, Intel 9.3%, SUSE 4.9%, IBM 4.2%)

• Across the Stack: contributions span every layer of the stack

• Proven Components: building blocks simplify development, reduce costs and speed time-to-market

[Figure: Code Contributions to Open Source Projects - Intel's share (0% to 100%) of QT, KVM, Ofono, Clutter, X.org, GNU, Webkit, JQuery, Eclipse, OpenStack, Yocto Project and Hadoop; Intel is the single largest contributor to these projects]

[Figure: KVM Throughput - SPECvirt_sc2010* performance on MC-DP, WSM-EP, SNB-EP and WSM-EX platforms, scale 0 to 3,000]

01.org

kernel.org

20 Years of Enterprise Solutions Powered by Intel and SUSE

Intel, SUSE and Customer roles (as laid out on the slide):

• Deliver IA differentiation TTM in open source solutions

• Migrate enterprises to open standards-based platforms

• Deliver SUSE solutions on robust platforms

• Leverage Intel contributions

• Joint GTM for demand gen and sales

• Gets proven solutions at lower cost

• Gets fast access to new technologies

20 Years: Partnering for Customers - Solutions Powered by Intel and SUSE

• Increased performance, reliability, efficiency and security

• Proven solutions and support for virtualization, cloud and mission-critical applications

• Lower IT infrastructure cost

• Cost-effectively manage most demanding data center requirements

• Enterprise customer support

• Fast access to new technology

Intel Enables OpenStack Cloud Deployments

Contributions:

• Across OpenStack projects

• Open Source Tools

• Top contributor to Grizzly and Havana releases (1)

• Optimizations, validation, and patches

Intel® IT Open Cloud:

• Intel IT Open Cloud with OpenStack

• Delivering Consumable Services

• Single Control Plane for all Infrastructure

Intel® Cloud Builders:

• Collection of best practices

• Intel IT Open Cloud Reference Arch

• Share best practices with IT and CSPs

• http://www.intel.com/cloudbuilders

1 Source: www.stackalytics.com

Stress on Datacenter Operations

• Network: 2-3 weeks to provision new services (1)

• Storage: 40% data growth CAGR, 90% unstructured (3)

• Server: average utilization <50% despite virtualization (4)

New challenges are coming....

1: Source: Intel IT internal estimate; 2: 3: IDC's Digital Universe Study, sponsored by EMC, December 2012; 4: IDC Server Virtualization and The Cloud 2012

The Intel SDI Vision

Datacenter Today (time to provision new service: months (1)):

Idea for service -> IT scopes needs -> Balance user demands -> Manually configure devices -> Set up service components, assemble software -> Service running

Software-defined Infrastructure (time to provision new service: minutes (1)):

Idea for service -> Self service catalog & services orchestration (private / public) -> Automated composition of resources -> Software components assembled -> Service running

Self-provisioning, automated orchestration, composable resource pools

1: Source: Intel IT internal estimate

Open Data Center Alliance Cloud Adoption Roadmap

[Figure: five-year roadmap (Year 1 to Year 5) for the consumers End User, App Dev, App Owner and IT Ops, starting from legacy applications on dedicated infrastructure and ending at a federated, interoperable, and open cloud. Stages in the order shown: Simple SaaS; Enterprise Legacy Apps; Compute, Storage, and Network; Simple Compute IaaS; Cloud Aware Apps; Complex Compute IaaS; Complex SaaS / Hybrid SaaS; Full Private IaaS; Hybrid IaaS; Legacy Apps; Private PaaS / Hybrid PaaS]

Intel IT Quick History

• Design Grid since 1990's ("Cloud's Uncle"): 60k servers across 60+ datacenters

• Enterprise Private Cloud 2010: 13k VMs across 10 datacenters; 75% of enterprise server requests; 80% virtualized

• Open Source Private Cloud 2012 (OpenStack): 1.5k VMs across 2 datacenters; running cloud-aware and some traditional apps

OpenStack - Intel IT Convergence Platform

[Figure: Silicon Design, Validation Labs and Enterprise Hosting on existing infrastructure, and new infrastructure, converging on OpenStack]

Top Challenges & Technical Responses

Security & Compliance:

• Trusted Compute Pools

• Geo-tagging

• Key Management

• Enhanced Platform Awareness (crypto processing)

Unit Cost Reduction:

• Erasure Code (storage cost)

• Enhanced Platform Awareness (PCIe Accelerators)

• Usage monitoring/metering

• Intelligent workload & storage scheduling/allocation

Business Uptime:

• Live Migration, Rack-level redundancies

1 Source: stackalytics.com

Intel Contributions* to OpenStack

*Note: A mixture of features that are completed, in development or in planning

Compute:

• Enhanced Platform Awareness

• CPU Feature Detection

• PCIe SR-IOV Accelerators

• OVF Meta-Data Import

• Trusted Compute Pools, with Geo Tagging

• Key Management

• Intelligent Workload Scheduling (Metrics)

Networking:

• Intel® DPDK vSwitch

• VPN-as-a-Service with Intel® QuickAssist Acceleration

Storage:

• Filter Scheduler

• Erasure Code

• Object Storage Policies

[Figure: the OpenStack services - User Interface (Horizon), Object Store (Swift), Image Store (Glance), Compute (Nova), Block Storage (Cinder), Network Services (Neutron), Identity Services (Keystone), Monitoring/Metering (Ceilometer) - annotated with the Intel contributions: Trusted Compute Pools (extended with Geo Tagging), OVF Meta-Data Import, Intel® DPDK vSwitch, Enhanced Platform Awareness, Erasure Code, Expose Enhancements, Filter Scheduler, Object Storage Policy, Key Encryption & Management, VPN-as-a-Service (accelerated with Intel® QuickAssist Technology), Intelligent Workload Scheduling Metrics]

Trusted Compute Pools (TCP)

Enhance visibility, control and compliance (1)

TCP Solution:

- Platform Trust: new attribute for management

- Intel® TXT initiates Measured Boot: basis for Platform Trust

- Open Attestation (OAT) SDK: Remote Attestation Mechanism, https://github.com/OpenAttestation/OpenAttestation

- TCP-aware scheduler controls placement & migration of workloads in trusted pools

TCP is enabled in OpenStack (Folsom release)

1 Source: McCann "What's holding the cloud back?" cloud security global IT survey, sponsored by Intel, May 2012

No computer system can provide absolute security under all conditions. Intel® Trusted Execution Technology (Intel® TXT) requires a computer system with Intel® Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see here

Server Security Technologies

Intel® Trusted Execution Technology (Intel® TXT): Hardens and Helps Control the Platform

• Enables isolation and tamper detection in boot process

• Complements runtime protections

• Hardware based trust provides verification useful in compliance

• Trust status and geo-location usable by security and policy applications to control workloads

• Trusted Launch: verified platform integrity reduces malware threat

• Trusted, Tagged Compute Pools: control VMs based on platform trust and location to better protect data

• Compliance: hardware support for compliance reporting enhances auditability of cloud environment

Trusted Compute Pools with Geo-Tagging

Use geo-location descriptor stored in TPM on Trusted Servers to control workload placement & migration

• OpenStack* Enhancements

• Secure mechanism for provisioning geo certificates

• Dashboard: display VM/storage geo

• Nova flavor extra spec: geo

• Enhanced TCP scheduler filter

• Geo Attestation Service (OAT +)

Work in progress - Provide feedback, use cases
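The two slides above describe a scheduler that consults remote attestation (trust status, and with geo-tagging a TPM-held location descriptor) before placing a workload. The following is an added illustration of that placement decision, not Nova's TrustedFilter, Intel's geo-tagging patches or the OAT code. It assumes the attestation service can be modelled as a host-to-report lookup over constructed sample reports, and it invents the flavor extra-spec keys trust:trusted_host and trust:geo; the fail-closed handling of missing or stale reports is the point a defender would check for.

```python
"""Placement filter for a Trusted Compute Pool with geo-tagging (added illustration).

Not Nova's TrustedFilter. Assumptions: the attestation service is a host -> report
lookup over constructed sample data, and the flavor extra specs use the hypothetical
keys 'trust:trusted_host' and 'trust:geo'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reports older than this are treated as unknown: a stale "trusted" verdict must not
# keep admitting a host whose measured launch environment may have changed since.
MAX_REPORT_AGE_SECONDS = 3600


@dataclass
class AttestationReport:
    host: str
    trust_status: str        # "trusted" or "untrusted", as the attestation service reports it
    geo: Optional[str]       # geo-tag read from the host's TPM-backed descriptor, None if untagged
    age_seconds: int         # seconds since the attestation service last verified the host


# Constructed sample attestation results standing in for an OAT query.
SAMPLE_REPORTS: Dict[str, Optional[AttestationReport]] = {
    "node-01": AttestationReport("node-01", "trusted", "US-FL", 30),
    "node-02": AttestationReport("node-02", "untrusted", "US-FL", 30),   # measurement mismatch
    "node-03": AttestationReport("node-03", "trusted", "DE-BY", 30),     # trusted, other region
    "node-04": AttestationReport("node-04", "trusted", "US-FL", 7200),   # stale result
    "node-05": None,                                                     # never attested
}


def host_passes(report: Optional[AttestationReport], extra_specs: Dict[str, str]) -> bool:
    """Return True if the host may run a VM carrying the given flavor extra specs."""
    want_trusted = extra_specs.get("trust:trusted_host") == "trusted"
    want_geo = extra_specs.get("trust:geo")
    if not want_trusted and want_geo is None:
        return True   # flavor carries no trust or geo requirement: any host is eligible
    # Every branch below fails closed: no report, or an expired one, counts as untrusted.
    if report is None or report.age_seconds > MAX_REPORT_AGE_SECONDS:
        return False
    if want_trusted and report.trust_status != "trusted":
        return False
    if want_geo is not None and report.geo != want_geo:
        return False
    return True


def filter_hosts(hosts: List[str], extra_specs: Dict[str, str],
                 reports: Dict[str, Optional[AttestationReport]] = SAMPLE_REPORTS) -> List[str]:
    """Scheduler filter pass: keep only hosts satisfying the flavor's trust and geo specs."""
    return [h for h in hosts if host_passes(reports.get(h), extra_specs)]


if __name__ == "__main__":
    candidates = sorted(SAMPLE_REPORTS)
    print(filter_hosts(candidates, {"trust:trusted_host": "trusted", "trust:geo": "US-FL"}))
```

Only node-01 survives a request for a trusted host in US-FL: node-02 failed attestation, node-03 is trusted but in another region, node-04's verdict has expired and node-05 was never measured. The same filter applied at live-migration time keeps a workload from drifting out of its pool.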

Concept: Trusted Compute Pools (TCP) - VM Protection

Tenant-Controlled, Hardware-Assisted VM Protection in the Cloud (concept in demonstration stage)

[Figure: numbered message flow (steps 1-9) between the Customer Data Center (MH Client, encrypted VM image, policy) and the Cloud Service Provider Data Center (Cloud Service Provider Portal; Trust Attestation OAT/MTW; Key Management Service holding keys; CSP image server (Glance); host + VMM with OAT, MH OVF plug-in, DOM0 and TXT + TPM). Messages shown: Encrypted VM Image; Launch request (from anywhere); Encryption Key (enveloped); Policy; Launch command; Request Encryption Key (AIK, KeyID); Request Host Trust Attestation; Response Trust Status, BindPubKey; Encrypted VM SymKey]
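The flow in the diagram above releases the VM image key only after the host has been attested and only enveloped to that host's bind key. The following is an added illustration of that exchange, not Intel's demonstration code nor the OAT or key-management services' code. Simplifications, labelled in the comments as well: the TPM quote signature is an HMAC under a per-host secret (a stand-in for the AIK signature), the envelope is an XOR under a SHA-256-derived keystream (a stand-in for encryption to the TPM bind public key), and all hosts, keys and measurements are constructed.

```python
"""Attestation-gated release of a VM image key (added illustration of the slide's flow).

Not Intel's, OAT's or Barbican's code. Simplifications: HMAC stands in for the AIK
signature, an XOR keystream stands in for the RSA envelope, and every host, key and
measurement below is constructed sample data.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Known-good measurement per host, as an attestation whitelist would hold it (constructed).
KNOWN_GOOD_PCR: Dict[str, str] = {
    "csp-host-a": hashlib.sha256(b"tboot+vmm-build-1234").hexdigest(),
}
# Per-host AIK secrets registered with the attestation service (constructed; a real AIK is
# asymmetric and the service would hold only the public half).
AIK_SECRETS: Dict[str, bytes] = {"csp-host-a": b"aik-secret-a", "csp-host-b": b"aik-secret-b"}
# Tenant key store of the key management service: key id -> VM image key (constructed).
TENANT_KEYS: Dict[str, bytes] = {"vm-image-0001": hashlib.sha256(b"constructed vm key").digest()}


def tpm_quote(host: str, measured_input: bytes) -> Dict[str, str]:
    """Host side: produce a quote over the measured launch environment."""
    pcr_digest = hashlib.sha256(measured_input).hexdigest()
    signature = hmac.new(AIK_SECRETS[host], pcr_digest.encode(), hashlib.sha256).hexdigest()
    return {"host": host, "pcr_digest": pcr_digest, "signature": signature}


def attest(quote: Dict[str, str]) -> str:
    """Attestation service: verify the quote's signature, then compare to the whitelist."""
    host = quote["host"]
    aik = AIK_SECRETS.get(host)
    if aik is None:
        return "untrusted"        # unknown host: no AIK on record
    expected = hmac.new(aik, quote["pcr_digest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["signature"]):
        return "untrusted"        # quote was not produced under this host's AIK
    if KNOWN_GOOD_PCR.get(host) != quote["pcr_digest"]:
        return "untrusted"        # measured launch environment differs from known-good
    return "trusted"


def envelope(key: bytes, bind_pub_key: bytes) -> bytes:
    """Wrap a 32-byte key to the host (XOR keystream stands in for an RSA envelope)."""
    keystream = hashlib.sha256(bind_pub_key).digest()
    return bytes(a ^ b for a, b in zip(key, keystream))


def release_key(key_id: str, quote: Dict[str, str],
                bind_pub_key: bytes) -> Dict[str, Optional[bytes]]:
    """Key management service: hand out the VM key only to a host attested as trusted."""
    status = attest(quote)
    if status != "trusted" or key_id not in TENANT_KEYS:
        return {"trust_status": status, "enveloped_key": None}   # refuse: nothing leaves the KMS
    return {"trust_status": status,
            "enveloped_key": envelope(TENANT_KEYS[key_id], bind_pub_key)}
```

The three refusals are the ones worth testing in a real deployment too: a host whose measured environment differs from the whitelist, a quote whose signature does not verify under the registered AIK, and a host the attestation service has no record of. In each case the tenant's key never leaves the key management service.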

Key Management

Ease security adoption, new use cases, compliance:

• Server-side encryption

• Data-at-rest security

• Random high quality keys

• Secure key storage

• Controlled key access via Keystone

• High availability

• Pluggable backend - HSM, TPM

• Barbican Key Manager: https://github.com/cloudkeep/barbican

Intel technologies: Intel® Secure Key, Intel® AES-NI

Prototype in Havana, incubate in Icehouse

Filter Scheduler (Cinder)

[Figure: Volume Services 1-5 pass through the filters; Volume Services 2, 4 and 5 remain and are weighed (weights 25, 20 and 41 are shown); the highest-weighted service is the winner]

Filters:

• AvailabilityZoneFilter

• CapabilitiesFilter

• JsonFilter

• CapacityFilter

• RetryFilter

Weighers:

• CapacityWeigher

• AllocatedVolumesWeigher

• AllocatedSpaceWeigher

Example Use Case: Differentiated Service with Different Storage Back-ends

• CSP: 3 different storage systems, offers 4 levels of volume services

• Volume service criteria dictate which storage system can be used

• Filter scheduler allows CSP to name storage services and allocate the correct volume
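The slide shows the two-stage decision: filters discard back-ends that cannot serve the request, then weighers rank what is left. The following is an added example of that filter-then-weigh loop written to mirror the slide, not Cinder's scheduler code; the five back-ends, their capacities and capabilities, and the request are constructed so that three services survive the filters and the capacity weigher picks the winner, as in the diagram.

```python
"""Filter-then-weigh volume scheduling in the style of the slide (added example).

Not Cinder's scheduler. The back-ends, capacities, capabilities and requests below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VolumeService:
    name: str
    availability_zone: str
    free_capacity_gb: float
    total_capacity_gb: float
    allocated_volumes: int
    capabilities: Dict[str, object] = field(default_factory=dict)


@dataclass
class VolumeRequest:
    size_gb: int
    availability_zone: str
    extra_specs: Dict[str, object]                  # volume-type extra specs the back-end must match
    retried_on: List[str] = field(default_factory=list)   # services that already failed this request


# Constructed sample back-ends (the slide's "Volume Service 1..5").
SERVICES = [
    VolumeService("Volume Service 1", "az2", 100.0, 200.0, 2, {"thin_provisioning": True}),
    VolumeService("Volume Service 2", "az1", 25.0, 100.0, 3, {"thin_provisioning": True}),
    VolumeService("Volume Service 3", "az1", 60.0, 100.0, 1, {"thin_provisioning": False}),
    VolumeService("Volume Service 4", "az1", 20.0, 200.0, 1, {"thin_provisioning": True}),
    VolumeService("Volume Service 5", "az1", 41.0, 80.0, 5, {"thin_provisioning": True}),
]


# Filters: each returns True if the service stays in the candidate list.
def availability_zone_filter(svc, req):
    return svc.availability_zone == req.availability_zone


def capabilities_filter(svc, req):
    return all(svc.capabilities.get(k) == v for k, v in req.extra_specs.items())


def capacity_filter(svc, req):
    return svc.free_capacity_gb >= req.size_gb


def retry_filter(svc, req):
    return svc.name not in req.retried_on


# Weighers: higher is better; each is scaled by a multiplier when combined.
def capacity_weigher(svc, req):
    return svc.free_capacity_gb


def allocated_volumes_weigher(svc, req):
    return -float(svc.allocated_volumes)


def allocated_space_weigher(svc, req):
    return -(svc.total_capacity_gb - svc.free_capacity_gb)


DEFAULT_FILTERS = [availability_zone_filter, capabilities_filter, capacity_filter, retry_filter]
DEFAULT_WEIGHERS = [(capacity_weigher, 1.0)]


def schedule(services, request, filters=DEFAULT_FILTERS, weighers=DEFAULT_WEIGHERS):
    """Return (winner name, {name: weight}), or (None, {}) if nothing passes the filters."""
    candidates = [s for s in services if all(f(s, request) for f in filters)]
    weights = {s.name: sum(mult * w(s, request) for w, mult in weighers) for s in candidates}
    if not weights:
        return None, {}
    return max(weights, key=weights.get), weights


if __name__ == "__main__":
    print(schedule(SERVICES, VolumeRequest(10, "az1", {"thin_provisioning": True})))
```

With the default weigher, Volume Service 1 drops out on zone and Volume Service 3 on a missing capability, leaving services 2, 4 and 5 weighted 25, 20 and 41; service 5 wins. Adding an allocated-volumes weigher with a large multiplier changes the ranking, which is the lever the "differentiated service" use case on the slide relies on.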

Data Collection for Efficiency: Intelligent Workload Scheduling

Enhanced usage statistics allow advanced scheduling decisions

• Pluggable metric data collecting framework

• Compute (Nova): new filters / weighers for utilization-based scheduling

Metering in Havana release (ceilometer), scheduling in future release

Enhanced Platform Awareness

Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms

• Expose CPU & platform features to OpenStack Nova scheduler

• Use ComputeCapabilities filter to select hosts with required features

- Intel® AES-NI or PCI Express accelerators for security and I/O workloads

- Up to 10x encryption & 8x decryption performance improvement observed (1)

Some features in Havana, more in future releases

[Figure: processor with Intel® AES-NI encrypting and decrypting data in motion - faster encryptions, faster decryptions]

Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions. 1 See http://www.oracle.com/us/corporate/press/173758
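The slide's first bullet, exposing CPU features to the scheduler so that a capabilities filter can pick hosts with AES-NI or an accelerator, starts with detecting those features on the compute node. The following is an added example of that detection and match, not Nova's ComputeCapabilitiesFilter or Intel's EPA patches: the /proc/cpuinfo excerpts and PCI inventories are constructed, and the requirement format (required CPU flags plus an optional accelerator class) is a hypothetical simplification of flavor extra specs.

```python
"""CPU feature detection and capability matching for scheduling (added example).

Not Nova's filter or Intel's patches. The cpuinfo text, PCI inventory and requirement
format below are constructed/hypothetical.
"""
from typing import Dict, List, Set

# Constructed /proc/cpuinfo excerpts: only the "flags" line is consulted.
CPUINFO_SAMPLES: Dict[str, str] = {
    "host-a": "model name\t: (constructed) Xeon\nflags\t\t: fpu vme sse4_2 aes avx avx2 rdrand pclmulqdq\n",
    "host-b": "model name\t: (constructed) Xeon\nflags\t\t: fpu vme sse4_2 avx\n",
}
# Constructed PCI device inventory: accelerator classes each host exposes.
PCI_SAMPLES: Dict[str, List[str]] = {"host-a": ["qat"], "host-b": []}


def parse_cpu_features(cpuinfo_text: str) -> Set[str]:
    """Return the CPU flags from the first 'flags' line of a cpuinfo dump (empty if none)."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def host_capabilities(host: str) -> Dict[str, Set[str]]:
    """What the compute node would report to the scheduler for this host."""
    return {"cpu_features": parse_cpu_features(CPUINFO_SAMPLES[host]),
            "pci_devices": set(PCI_SAMPLES[host])}


def satisfies(caps: Dict[str, Set[str]], requirement: Dict[str, List[str]]) -> bool:
    """True if every required flag and accelerator class is present on the host."""
    needed_flags = set(requirement.get("cpu_features", []))
    needed_pci = set(requirement.get("pci_devices", []))
    return needed_flags <= caps["cpu_features"] and needed_pci <= caps["pci_devices"]


def select_hosts(hosts: List[str], requirement: Dict[str, List[str]]) -> List[str]:
    """Keep the hosts whose detected capabilities satisfy the requirement."""
    return [h for h in hosts if satisfies(host_capabilities(h), requirement)]


if __name__ == "__main__":
    print(select_hosts(["host-a", "host-b"], {"cpu_features": ["aes", "pclmulqdq"]}))
```

A flavor for a TLS-terminating workload would require aes and pclmulqdq (the AES-NI and carry-less multiply flags), which only host-a reports; a requirement for plain avx matches both hosts. Reporting the empty set for a host without a flags line keeps such a host from matching any feature requirement by accident.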

Benefits of Enhanced Platform Awareness

Enabler for Enhanced Cloud Efficiency & Deploying SDN/NFV Workloads. Some features enabled in Havana, more coming in future releases.

• Intel® QuickAssist Accelerator

• Intel® Data Plane Development Kit

• Intel® AES New Instructions

• Intel® Advanced Vector Extensions 2 (AVX2)

• Intel® Secure Key

SDN & NFV: Driving Architectural Transformation

From This:

• Traditional networking topology

• Monolithic vertically integrated box

• TEM proprietary solutions (Firewall, VPN, IDS/IPS on a TEM/OEM proprietary OS over ASIC, DSP, FPGA, ASSP)

To This:

• Networking within VMs (VM: Firewall, VM: VPN, VM: IDS/IPS)

• Standard x86 COTS HW (IA CPU, chipset, acceleration, switch silicon, NIC silicon; Wind River Linux + apps)

• Open SDN standard solutions

Intel® DPDK Accelerated Open vSwitch in Neutron

Open vSwitch ML2 Driver/Agent in Development

[Figure: Neutron API with API extensions over the Neutron ML2 plugin and DB, plus an external controller; compute nodes run VMs either on Open vSwitch with an L2 agent, or on Intel DPDK vSwitch with its own L2 agent and a DPDK vSwitch mechanism driver]

Unleashing Intel® DPDK vSwitch performance in Neutron: 10x (as stated on the slide)

Erasure Code for OpenStack* Swift

Saves disk space, does not impact QoS for hot objects

• Swift uses tri-replication today (3x storage)

• Add daemon on storage node

• Scans all existing objects offline

• Selects cold objects of large enough size

• Replaces tri-replication algorithm with erasure code

Work in progress - Collaborate on Erasure Code

[Figure: clients reach Swift through a RESTful API similar to S3 and the auth service; the access tier (concurrency) runs the encoder on upload and the decoder on download; fragments 1..N of object A are spread across Zones 1-5 in the capacity tier (storage)]

• Applications control policy

• EC can be inline or offline

• Supports multiple policies

• EC flexibility via plug-in

Erasure Code Technology Lowering TCO for Swift

Detailed Tutorial at: https://intel.activeevents.com/sf13/connect/sessionDetail.ww?SESSION_ID=1180&tclass=popup

Community Collaboration: https://intel.activeevents.com/sf13/connect/sessionDetail.ww?SESSION_ID=1180&tclass=popup and https://blueprints.launchpad.net/swift/+spec/swift-ec
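The slides above contrast tri-replication (3x storage) with an encoder that splits an object into fragments spread across zones and a decoder that rebuilds it from a subset. The following is an added example of such a systematic erasure code, not Swift's or Intel's implementation: k data fragments plus m parity fragments computed with a Cauchy matrix over GF(2^8) (primitive polynomial 0x11d), so that any k of the k+m fragments recover the object. The object bytes are constructed; with k=4, m=2 the code stores 1.5 bytes per object byte and survives any two lost fragments, the same loss tolerance as three replicas at half the space.

```python
"""Systematic erasure coding into k data + m parity fragments (added example).

Not Swift's or Intel's erasure-code implementation. Uses a Cauchy matrix over GF(2^8)
so any k of the k+m fragments rebuild the object; the sample object is constructed.
"""
from typing import Dict, List

# GF(2^8) exp/log tables (generator 2, primitive polynomial 0x11d).
GF_EXP = [0] * 512
GF_LOG = [0] * 256
_x = 1
for _i in range(255):
    GF_EXP[_i] = _x
    GF_LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):
    GF_EXP[_i] = GF_EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else GF_EXP[GF_LOG[a] + GF_LOG[b]]


def gf_inv(a: int) -> int:
    return GF_EXP[255 - GF_LOG[a]]


def cauchy_matrix(k: int, m: int) -> List[List[int]]:
    """m x k parity coefficients C[j][i] = 1/(x_j + y_i), x_j = j, y_i = m + i (all distinct)."""
    return [[gf_inv(j ^ (m + i)) for i in range(k)] for j in range(m)]


def gf_matrix_invert(mat: List[List[int]]) -> List[List[int]]:
    """Gauss-Jordan inversion over GF(2^8); addition and subtraction are XOR."""
    n = len(mat)
    a = [row[:] + [int(r == c) for c in range(n)] for r, row in enumerate(mat)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[pivot] = a[pivot], a[col]
        inv = gf_inv(a[col][col])
        a[col] = [gf_mul(v, inv) for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [v ^ gf_mul(f, p) for v, p in zip(a[r], a[col])]
    return [row[n:] for row in a]


def ec_encode(obj: bytes, k: int = 4, m: int = 2) -> List[bytes]:
    """Encoder: k zero-padded data fragments followed by m parity fragments."""
    frag_len = -(-len(obj) // k)
    padded = obj + bytes(frag_len * k - len(obj))
    data = [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    parity = []
    for row in cauchy_matrix(k, m):
        frag = bytearray(frag_len)
        for i in range(k):
            for b in range(frag_len):
                frag[b] ^= gf_mul(row[i], data[i][b])
        parity.append(bytes(frag))
    return data + parity


def ec_decode(available: Dict[int, bytes], length: int, k: int = 4, m: int = 2) -> bytes:
    """Decoder: rebuild the object from any k surviving fragments (index -> bytes)."""
    if len(available) < k:
        raise ValueError("need at least %d fragments, have %d" % (k, len(available)))
    idx = sorted(available)[:k]
    coeff = cauchy_matrix(k, m)
    # Row for fragment i: a unit vector for data fragments, the Cauchy row for parity ones.
    rows = [[int(c == i) for c in range(k)] if i < k else coeff[i - k] for i in idx]
    inv = gf_matrix_invert(rows)
    frag_len = len(available[idx[0]])
    out = bytearray()
    for i in range(k):
        frag = bytearray(frag_len)
        for r in range(k):
            if inv[i][r]:
                src = available[idx[r]]
                for b in range(frag_len):
                    frag[b] ^= gf_mul(inv[i][r], src[b])
        out += frag
    return bytes(out[:length])


def storage_overhead(k: int = 4, m: int = 2) -> float:
    """Bytes stored per object byte: 1.5 for 4+2, versus 3.0 for tri-replication."""
    return (k + m) / k
```

Because the data fragments are stored unmodified, a read of a fully available object needs no decoding at all; the matrix inversion only runs when a fragment is missing, which is why the slide can target cold objects without affecting the hot path.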

Server Security Technologies

A Fresh Look at Intel® VT: Hardware Provides Stronger Isolation of VMs

Traditional server VMM-based uses - isolation needed for:

• Separation of development and production environments

• Technology demonstrations

New cloud security-related uses:

• Isolation of workloads in multi-tenant cloud

• Memory monitoring for malware detection

• Device isolation for protection against DMA attacks

Intel® Virtualization Technology:

• Intel® VT for IA-32 and Intel® 64 (Intel® VT-x): HW support for isolated execution

• Intel® VT for Directed I/O (Intel® VT-d): HW support for isolated I/O

[Figure: VMM hosting VM1 and VM2]

Summary: Top Challenges & Intel Responses

Security & Compliance:

• Trusted Filter in nova, Filter UI in horizon

• Geo-tagging work in progress

• Key Management in Icehouse release

• Enhanced Platform Awareness (AES-NI etc.)

• OpenAttestation SDK

Unit Cost Reduction:

• Intelligent storage allocation in Cinder

• Multiple publisher support in ceilometer

• Erasure code in Icehouse release

• COSBench performance measurement tool

Business Uptime:

• Intel® Virtualization Technology with FlexMigration

Intel is actively involved in the OpenStack community to deliver an interoperable, federated, efficient and secure Open Cloud ecosystem

Q&A

Linux Kernel Contributions

[Figure: contribution by percentage (0-14%) per kernel release for Intel, Red Hat, SUSE and IBM. Source: http://lwn.net]

Summary: Key Intel Contributions into OpenStack

| Contribution | Project | Release | Comments |
| Trusted Filter | Nova | Folsom | Place VMs in Trusted Compute Pools |
| Trusted Filter UI | Horizon | Folsom | GUI interface for Trusted Compute Pool management |
| Filter Scheduler | Cinder | Grizzly | Intelligent scheduler allocates storage based on workload |
| Multiple Publisher Support | Ceilometer | Havana | Pipeline manager; pipelines of collectors, transformers, publishers |
| Open Attestation SDK | - | To Open Source | Remote Attestation service for Trusted Compute Pools |
| COSBench | - | To Open Source | Object store benchmarking tool |
| Enhanced Platform Awareness | - | Havana | Leveraging PCIe devices and CPU features in cloud infrastructure |
| Key Manager | - | Havana | Makes data protection more readily available via server side encryption with key management |
| Erasure Code | - | Havana | Replacing tri-replication algorithm in Swift |

Intel IT Open Cloud Components

[Figure: layered view of the Intel IT open cloud on an open-source foundation, with a release cadence per layer]

• Physical Infrastructure (Compute, Storage, Network): 12-18 months

• Infrastructure as a Service, open-source (OpenStack*): Compute (Nova*), Block Storage (Cinder*), Object Storage (Swift*), Network (Neutron*), Dashboard (Horizon*), OS Images (Glance*): 6 months

• Manageability - Monitoring as a Service: Watcher (Nagios*, Shinken*, Heat*), Decider (Heat), Collector (Hadoop*), Actor (Puppet*, Cfengine*): 3 months

• App Platform Services (PaaS): Analytics, Messaging, Data, Web: 3 months

• Interfaces: GUI (Graphical User Interface), API (Application Programming Interface)

Intel IT's Cloud Transformation

| | 2000-2009: Traditional Hosting | 2010: Mainstream Virtualization | 2012: Intel Cloud 1.0 | 2014+: Hybrid Cloud 2.0 / Converged Cloud |
| Virtualized | 12% | 42% | 75% | 75%+ |
| Provisioning | 90+ day | 10 day | On Demand Compute | On Demand Compute, Network, Storage |
| Capacity | Silos of Capacity | Pooled Capacity | Segmented Clouds | Converged Clouds, burst capacity @ 3rd Party |
| Request fulfillment | Manual Ticketed Service Request | Manual Ticketed Service Request | Some on demand | Full Self Service |
| Reliability | Varying Server Reliability | 99.7% VM Reliability | 99.7-99.9% Availability | 99.99% Availability Capable |

Other labels on the slide: Design; Office/Enterprise; Public Physical Hosting; Office Cloud; Public; Office/Enterprise/Services