Open Source Tools for OpenStack IaaS


Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

Open Source Tools for IT Infrastructure Management

Meenakshi Lakshmanan – Senior Manager and Leader, Cloud Systems Development CoE

Satya Routray – Senior Engineer, Cloud Systems Development CoE


• IT Infrastructure Model

• FCAPS and Applying FCAPS to the Virtual World / IaaS

• Introduction to some Open Source Tools and Demo


• New IT Infrastructure Model

Virtualized Compute, Storage, Network Model.

Mix of Bare Metal and VMs

Mix of physical and virtual Devices

Mix of Hypervisors and OSes

Traditional Apps and Mobile Apps coming into the traditional IT estate

On-premises Apps and a Mix of SaaS and PaaS


[Diagram: layered cloud model. Cloud Clients reach the SP Net / Internet; Network, Compute/VM and Storage sit on the Virtualization Hypervisor Layer (abstraction over KVM, Hyper-V, ESX); the Cloud Services Layer exposes IaaS, PaaS and SaaS; Fault, Accounting, Security, Capacity and Performance Management span the whole stack.]

[Diagram: Cloud Infrastructure Service. Virtual Machines (App + OS) for Finance, Mktg, Engineering, HR and Corp run on Physical Servers alongside Storage, a DB Service and a Queue; FCAPS is applied to the Cloud Infrastructure Service as a whole.]

• FCAPS was introduced within the first Working Drafts (N1719) of ISO 10040, the Open Systems Interconnection (OSI) Systems Management Overview (SMO) standard.

• FCAPS is an acronym for fault, configuration, accounting, performance and security, the management categories into which the ISO model divides management tasks.

• Can we apply FCAPS to the new IT infrastructure model, and review the open source tools around it?


• Fault management is a set of functions that detects, isolates and corrects malfunctions.

• Mainly of two types:

Active

Active fault management actively monitors devices via tools such as ping to determine whether the device is up and responding. If the device stops responding, active monitoring raises an alarm showing the device as unavailable and allows the problem to be corrected proactively.

Passive

Passive fault management is done by collecting alarms from devices when something happens on them.


• Nagios

• Telemetry

• OpenNMS

• NMIS

• Vendor Specific

CiscoWorks


• Pros (Nagios):

Open Source

Polls actual services (HTTP, SMTP, etc.) for a response

Flexible add-ons for specialized testing

Good trending data and uptime statistics

• Cons (Nagios):

Configuration is done via text files

Linux only


• Monitoring OpenStack can be placed broadly into two buckets:

Monitor OpenStack infrastructure

Performed using Nagios, monitoring aspects such as CPU, RAM, disk space, network, and the installed OpenStack processes (e.g. nova-conductor, nova-scheduler, swift-proxy, etc.).

Monitor OpenStack services grouped by tenants/projects

Performed using the Telemetry API.


• Efficiently collects metering data about CPU and network usage.

• Collects data by listening for notifications sent from services or by polling the infrastructure.

• Lets you configure the type of data collected to meet various operating requirements, and access or insert metering data through the REST API.

• Extends the framework to collect custom usage data via additional plug-ins.

• Produces signed metering messages that cannot be repudiated.
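An added example (not from the deck and not the Telemetry/Ceilometer project's own code) of the idea behind the last bullet: every metering sample carries an HMAC-SHA256 over its canonical JSON, keyed with a secret shared between the agents and the collector, so an unsigned, altered or wrongly-keyed sample is rejected before it reaches billing. The field names, the canonical-JSON encoding and the secret are constructed assumptions, not Ceilometer's wire format.

```python
import hashlib
import hmac
import json

# Constructed sample secret shared by the agents and the collector (not a real key).
METERING_SECRET = b"constructed-metering-secret"


def compute_signature(message: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the signature.

    Assumption: canonical JSON (sorted keys, no whitespace) is used so both
    sides hash exactly the same bytes regardless of dict ordering.
    """
    body = {k: v for k, v in message.items() if k != "message_signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def sign_message(message: dict, secret: bytes) -> dict:
    """Agent side: return a copy of the sample carrying its message_signature."""
    signed = dict(message)
    signed["message_signature"] = compute_signature(signed, secret)
    return signed


def verify_signature(message: dict, secret: bytes) -> bool:
    """Collector side: reject unsigned, tampered or wrongly-keyed samples."""
    presented = message.get("message_signature")
    if not isinstance(presented, str) or not presented.isascii():
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(presented, compute_signature(message, secret))


# Constructed sample: one CPU-utilisation reading for a tenant's instance.
SAMPLE = {
    "counter_name": "cpu_util",
    "counter_type": "gauge",
    "counter_unit": "%",
    "counter_volume": 12.5,
    "project_id": "tenant-a",
    "resource_id": "instance-0001",
    "timestamp": "2015-07-13T10:00:00",
}

if __name__ == "__main__":
    signed = sign_message(SAMPLE, METERING_SECRET)
    print(verify_signature(signed, METERING_SECRET))            # True
    inflated = dict(signed, counter_volume=99.9)                # reading altered in transit
    print(verify_signature(inflated, METERING_SECRET))          # False
```

A shared-secret MAC binds a sample to any holder of the metering secret, so the non-repudiation the slide mentions holds only against parties that do not have it; keep that secret off the tenant-facing side and rotate it like any other credential.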


• Establish and maintain consistency of deployments across systems by controlling changes

• Key steps:

Gather

Collect configuration on a scheduled basis

Store

Store the collected configurations

Track

Monitor and report changes

Automate

Make changes across systems with limited user input


• Puppet

• Juju

• Ironic, etc.


• Puppet Labs and OpenStack community members Cisco, Red Hat, Rackspace, and others have together designed and developed Puppet modules for OpenStack. There are several benefits of this collaboration:

Encapsulation of Best Practices. The community members all have significant IT experience, and the Puppet OpenStack configuration modules represent OpenStack deployment ‘best practices’ developed since the beginning of the project.

Cross-Platform Support. The Puppet configuration modules for OpenStack enable deployment of OpenStack public or private clouds across a wide range of operating systems, databases, and hypervisors. You are not limited to a single vendor’s platform or technology.

Active Community. All community members have a vested interest in the Puppet OpenStack configuration modules and are actively contributing to the technology’s evolution and support. You are not reliant on any individual member’s ability to support or provide technical direction.


• Cisco WebEx uses Puppet + OpenStack

• Cisco WebEx uses Puppet to deploy OpenStack nodes and to push configuration changes across the nodes

• OpenStack technologies Cisco WebEx uses:

OpenStack Compute (Nova)

OpenStack Block Storage (Cinder)

OpenStack Network (Neutron)

OpenStack Dashboard (Horizon)

OpenStack Identity Service (Keystone)

OpenStack Image Service (Glance)

For more details: http://www.openstack.org/user-stories/cisco-webex/


• When eNovance decided to build its own public cloud to provide hybrid solutions to its clients, it turned to OpenStack.

• Deployment tool used: Puppet

• OpenStack technologies eNovance uses:

OpenStack Compute (Nova)

OpenStack Block Storage (Cinder)

OpenStack Network (Neutron)

OpenStack Dashboard (Horizon)

OpenStack Identity Service (Keystone)

OpenStack Image Service (Glance)

For more details: http://www.openstack.org/user-stories/enovance/


The goal of accounting management is to gather usage statistics for users.

Accounting management is concerned with tracking network utilization information, such that individual users, departments, or business units can be appropriately billed or charged for accounting purposes.

For non-billed networks, "administration" replaces "accounting". The goals of administration are to administer the set of authorized users by establishing users, passwords, and permissions, and to administer the operations of the equipment, such as by performing software backup and synchronization.

Accounting is often referred to as billing management. Using the statistics, users can be billed and usage quotas can be enforced. These can be disk usage, link utilization, CPU time, etc.


LDAP, OpenLDAP: The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.

Keystone: Typically used in an OpenStack environment, but can also be used as standalone authentication-as-a-service. Generates tokens for each service, providing access-related information to that service. It can use a key/value store, LDAP, Kerberos, etc. as a backend.

Kerberos: Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Telemetry (Ceilometer): Metering project in OpenStack that reports the utilisation of different resources in measurable units. Billing can be based on the same.


Performance management is focused on ensuring that the systems’ performance remains at acceptable levels. It enables the manager to prepare the system for the future, as well as to determine the efficiency of the current network.

In OpenStack, performance management is embedded in different components.

You can collect and track the performance of various parameters related to the OpenStack cloud via Telemetry (Ceilometer), the OpenStack metering project that reports the utilisation of different resources in measurable units; billing can be based on the same.

Many third-party tools exist for VMware and Hyper-V.


The goal of security management is to control access to assets in the network.

What is to be secured?

1. Data

2. Software

3. Physical devices, etc.


Components to be monitored

1. Authentication, security policies and roles

2. Firewalls and security groups

3. Antivirus and protection against malware

4. Physical security of devices


Authentication and security policies

1. Token-based authentication – Keystone

2. Authentication as a Service – SafeNet

3. Role-based authorization and user access control – tenants in the cloud

4. OpenStack policy.json

5. AWS Security Center
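An added example (not the deck's and not OpenStack's own code) of how policy.json-style rules turn Keystone token roles and tenant membership into per-action authorization decisions: a small evaluator for the subset of the rule language used here, where "and" binds tighter than "or", "role:" tests the token's roles, "rule:" references another named rule, and "project_id:%(project_id)s" compares the caller's tenant with the target resource's tenant. The policy text, credentials and resource are constructed; the full oslo.policy grammar (negation, parentheses, generic checks) is deliberately not covered.

```python
import json

# Constructed policy in the policy.json style. Assumption: only the subset below is
# supported ("rule:", "role:", "is_admin:", "<attr>:%(attr)s", "and"/"or", "!" = deny, "" = allow).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:True",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "compute:get": "rule:admin_or_owner",
    "compute:create:forced_host": "rule:admin_required",
    "default": "rule:admin_required"
}"""


def _check_atom(atom, rules, creds, target):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":                       # reference to another named rule
        return _check_rule(rules.get(value, "!"), rules, creds, target)
    if kind == "role":                       # role carried by the Keystone token
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    if value.startswith("%(") and value.endswith(")s"):
        # Owner check: the credential attribute must equal the target's attribute.
        wanted = target.get(value[2:-2])
        return wanted is not None and creds.get(kind) == wanted
    return str(creds.get(kind)) == value     # literal attribute comparison


def _check_rule(expr, rules, creds, target):
    """'a and b or c' means (a and b) or c; '' allows everyone, '!' denies everyone."""
    expr = expr.strip()
    if expr == "!":
        return False
    if expr == "":
        return True
    return any(all(_check_atom(atom, rules, creds, target) for atom in conj.split(" and "))
               for conj in expr.split(" or "))


def enforce(policy_json, action, creds, target):
    """True if creds may perform action on target; unknown actions fall back to 'default'."""
    rules = json.loads(policy_json)
    return _check_rule(rules.get(action, rules.get("default", "!")), rules, creds, target)


# Constructed credentials (what a validated Keystone token would carry) and target resource.
MEMBER_A = {"roles": ["member"], "project_id": "tenant-a", "is_admin": False}
INSTANCE_A = {"project_id": "tenant-a", "resource_id": "instance-0001"}

if __name__ == "__main__":
    print(enforce(POLICY_JSON, "compute:get", MEMBER_A, INSTANCE_A))                             # True
    print(enforce(POLICY_JSON, "compute:get", dict(MEMBER_A, project_id="tenant-b"), INSTANCE_A))  # False
```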


Firewalls and security groups

1. Cisco ASA

2. iptables / security groups of OpenStack

3. Windows Firewall

4. SELinux

5. OpenStack security groups and rules

6. FWaaS


Antivirus and protection against malware

1. Symantec Antivirus

2. Spybot search and destroy

3. McAfee antivirus

4. VMware vShield Endpoint

5. CipherCloud


Physical security of devices

1. Secure devices with access to datacenter provided only to selected people

2. Monitor the temperature and employ automated temperature control system

3. Ensure emergency aids such as fire extinguishers are easily available

4. Implement a reliable alarm system

Thank you.