BRKCDN-1006: Building Scalable OpenStack based Clouds on Cisco Architectures

Ram Durairaj, Sr. Technical Leader

Murali Raju, Product Manager

© 2012 Cisco and/or its affiliates. All rights reserved. BRKCDN-1006 3 Cisco Public

Agenda

Background

Technical Overview

OpenStack@Cisco

API Walk thru – Services Insertion using Quantum APIs

Q&A


Acknowledgement

We would like to thank the entire Openstack@Cisco team for their support, contribution and help in creating this session, particularly Daneyon Hansen, Edgar Magana, Masum Hasan and Sumit Naiksatam, for their content/slides contributions and reviews.

OpenStack: A Brief History

NASA Launches Nebula

– One of the first cloud computing platforms built by the Federal Government for the Federal Government

March 2010: Rackspace Open Sources Cloud Files software, aka Swift

May 2010: NASA open sources compute software, aka “Nova”

June 2010: OpenStack is formed

July 2010: The inaugural Design Summit

nebula.nasa.gov


OpenStack Community

160 and counting


OpenStack Vision

Seamless Cloud Interoperability

Public Clouds Private Clouds

Community Clouds


OpenStack Introduction

A Cloud Operating System

– A collection of interrelated software components delivering capabilities to build and manage cloud infrastructure.

A global community of developers devoted to innovation and openness

Flexibility in deployment and features

Standards for broad deployment

No fear of vendor “lock-in”


OpenStack Terminology

Instance - Running virtual machine

Image - Non-running virtual machine, multiple formats (AMI, OVF, etc.)

Application Programming Interface (API) - Interface for computer programs

Message Queue - Acts as a hub for passing messages between daemons

Volume - Provides persistent block storage to instances

Project - aka Tenants, provides logical separation among cloud users

Flavors - Pre-created bundles of compute resources

Fixed IP - Associated to an instance on start-up, internal only

Floating IP - Public facing IP address

OpenStack Core Projects

OpenStack Compute (Nova): Software to provision virtual machines on commodity hardware at massive scale

OpenStack Object Storage (Swift): Software to reliably store billions of objects distributed across commodity hardware

OpenStack Image Service (Glance): Services for discovering, registering, and retrieving virtual machine images

OpenStack Core Projects Cont..

OpenStack Dashboard (Horizon): A self-service web portal to allow administrators and users to manage OpenStack resources

OpenStack Identity (Keystone): Provides “unified authentication” across all OpenStack projects and integrates with 3rd party authentication systems

OpenStack Incubation Projects

OpenStack Network Information Management (Melange): Intended to provide centralized network information management

OpenStack Network Service (Quantum): Provides “network connectivity as a service” between devices managed by other OpenStack services

Many Other Community Projects: http://openstack.org/projects/

OpenStack Networking Options

Flat Mode: All instances are attached to a single Linux bridge. IPs are injected into the image on launch.

FlatDHCP Mode: Similar to Flat Mode, but includes a DHCP server to manage instance IPs. Instances receive an IP through a dhcpdiscover message.

VLAN Network Mode (Default Mode): A VLAN, fixed IP subnet, and Linux bridge per tenant. Switch must support 802.1Q VLAN tagging.

Quantum Network Manager: A peer OpenStack service providing network connectivity services.

OpenStack VLAN Networking Details

[Diagram labels: OpenStack Compute hypervisor with libvirt-bin, libvirt, dnsmasq, iptables, ebtables, virbr0, bridge-nf, bridge-utils and nova-network; Linux Bridge (1 bridge, VLAN, subnet per tenant); Physical Interface (--vlan_interface=); Virtual Interface (i.e. vlan 100); Virtual Port (i.e. vnet0); Instance vNIC (i.e. eth0); OpenStack Instance.]

Cloud Platforms and Network APIs

[Diagram labels: Developer API (Servers, Disks, Accounts); Compute Service (VMs, Memory, Local Disk); Storage Service (Block, Massive Key-value store); User and System Admin; Basic Network Connectivity.]

Networking is only used for connectivity. Cloud APIs are being standardized using a very simplistic network model.

Quantum: Network-as-a-Service

As a peer to compute and storage

[Diagram labels: Developer API (Servers, Disks, Networks); Compute Service (VMs, Memory, Local Disk); Storage Service (Block, Massive Key-value store); Network Service (Virtual Networks, Services); Rich set of Network Connectivity and Features; OpenStack and Cisco’s contribution.]

Quantum Architecture

Quantum API

Quantum Service
• L2 network abstraction definition and management
• Device and service attachment framework
• Does NOT implement any abstractions

Quantum Plug-in API

API Extensions

Vendor/User Plug-In
• Maps abstraction to implementation on physical network
• Makes all decisions about *how* a network is implemented
• Can provide additional features through API extensions


Cisco Plugins for Quantum

[Diagram labels: Quantum API; Quantum Service; Quantum Plug-in API; API Extensions; Cisco Cloud Networking Plug-In (NX-OS, UCS, Cisco Network Services Manager, VXLAN, …); Cisco Infrastructure Products (Unified Fabric, Unified Computing, Unified Network Services).]

Software Architecture

[Diagram labels: Compute controller (Nova); Nova-API; Nova-Scheduler; Nova-Network; Queue (RabbitMQ); DB (MySQL); Nova API calls; Compute Node 1; Nova-Compute; User VM 1; User VM 2; Network controller (Quantum); Quantum Manager; Quantum-API; Quantum-Plugin; Quantum API calls.]

A user can interface with Quantum directly, or via a Quantum Client/Proxy (Quantum Manager) interfaced with Nova-Network.

A request to launch a server in Nova may result in a call to Quantum to provision and connect the server to the network.

Quantum Abstractions

Quantum provides abstractions and relevant functions and interfaces (API) for CRUD of

– Virtual Network (VN)

– Virtual port (VPT) on a VN

– Attachment of a virtual interface (VIF) of a virtual server (VM) to VPT, thus connecting the VM to the network

[Diagram labels: Hypervisor with ETH1 attached to switch SW 11; VM1 (WS1, OS, vNIC1); VM2 (App, OS, vNIC2); VM3 (WS2, OS, vNIC3); VM42 (App, OS, vNIC4); virtual ports vETH1, vETH2, vETH3, vETH4; virtual networks VN-Red-E2 and VN-Blue-E1.]

Quantum Abstractions

Via the CRUD API, a VM can be dynamically

– Taken on or off the network

– Moved from one port to another, changing on demand

• VLAN

• QoS

• Network access (for example private to public)


Realization of Quantum Abstractions

Virtual network can be realized via (or mapped to)

– Linux Bridge

– VLAN

– Linux Bridge + VLAN

– Any network configuration via Plug-in

Virtual port mapped to

– Linux TAP/TUN

• TAP: L2 virtual port, TUN: L3 tunnel

– vETH in VM-FEX environment


Plugin

Create Network/Port and attachment are abstract APIs

These abstractions can be mapped to multiple network technologies

Any technology or vendor specific networking features/capabilities can be interfaced/integrated via Quantum Plug-in mechanism


OpenStack@Cisco

Turn-key OpenStack offering

Best practices and whitepapers have been developed

Cisco’s Quantum contribution available for download from OpenStack.org

Current Software Development

• Quantum L3 service for Essex release (April 2012)

• Expand Cisco-specific drivers (NX-OS, UCS, Palo)

• Stabilize OpenStack Core Projects

Cisco Intelligent Automation for Cloud integration (demo available)


Cisco’s contribution to Quantum

[Diagram labels: Quantum API server; Cisco Plug-in; VIC/802.1qbh Driver; NX-OS driver; UCS/VIC (Palo); NX-OS Fabric.]

RESTful API: CRUD operations
1. create-network
2. create-port
3. attach-port

API – Cisco Extensions: Port Profiles, QoS Policies

Plug-In Drivers
• UCSM using XML/APIs
• NX-OS resident Policy Agent APIs or NX-OS XML APIs (based on availability)

Use Case Driven Development

Openstack-Compute refactoring

Cisco’s contribution to Quantum

[Diagram labels: Quantum Logical Abstractions; L2 Network Plugin; L2 Network Model; Segmentation ID Manager; VLAN Manager; L2 Device Inventory (per device type, e.g. UCS Inventory, Nexus Inventory; Static Configuration, Discovered Configuration); Device-specific Plugins (Nexus Plugin, UCS Plugin); Device-specific Drivers (Nexus Driver, UCSM Driver).]

Layer annotations:
• Realization of logical model, generic + extensions
• Mapping of logical model to underlying physical topology and network technology; global network view
• Technology-specific; acts on one device per call; local view
• Device-interaction-transport-specific; e.g. sending NETCONF commands

* Pluggable modules via configuration files
* Modules external to Quantum

Sequence of Operations

[Diagram: numbered call sequence (1 to 8) between L2-Network-Plugin, L2-Network-Model, L2-Device Inventory, L2-Device-Plugin and Device-Driver.]

Device drivers: XML-API based UCSM driver, and NetConf based Nexus Driver

L2-Network-Plugin, L2-Network-Model
    Core & Extended API: create_network() create_port() create_portprofile() …

L2-Device Inventory
    Core & Extended API: create_network() create_port() create_portprofile() …
    Return: Device IP + Context

L2-Device-Plugin
    Core & Extended API: create_network(device_ip, context) create_port(device_ip, context) create_portprofile(device_ip, context) …
    Return: Success/failure, other information relevant to that plugin

Cisco’s Quantum Plug-in – UCS/VIC support

[Diagram labels: UCS 6100 Series Fabric Interconnect (Fabric Switch, SAN, LAN, MGMT, Uplink); UCS 5100 Series Blade Server Chassis (Compute Chassis, Internal Fabric); UCS 2100 Series Fabric Extender; UCS B-Series Blade Servers (Compute Blade half slot, Compute Blade full slot, x86 Computer, BMC); Mezzanine Palo Adaptors M81KR (Adapter, Host visible vNIC/vHBA, Active/Standby per vNIC, Active Path).]

Port-Profile

Virtual Network: VN-1 (mapped to) VLAN 15, VN-1-QoS

    port-profile type vethernet VN-1
      vmware port-group
      switchport mode access
      switchport access vlan 15
      service-policy type qos input VN-1-QoS
      service-policy type qos output VN-1-QoS
      no shutdown
      state enabled
    ip access-list ACL-1
      permit ip any any
    class-map type qos match-all CL-1
      match access-group name ACL-1
    policy-map type qos VN-1-QoS
      class CL-1
        set dscp cs7

[Diagram labels: Cloud Provider’s DC 1; Enterprise E1 Site 1; IaaS Admin; OpenStack/Quantum; CRUD Requests; VSM (NX-OS); Nexus 1Kv VEM; Hypervisor with ETH1 and switch SW 11; VM1 (WS1, vNIC1); VM2 (App, vNIC2); VM3 (WS2, vNIC3); VM42 (App, vNIC4); vETH1 to vETH4; VN-Red-E2; VN-Blue-E1.]

VM-FEX

    port-profile type vethernet VM-App-E1
      vmware port-group
      switchport mode access
      switchport access vlan 15
      service-policy type qos input E1-QoS-PL-1
      service-policy type qos output E1-QoS-PL-1
      no shutdown
      state enabled
    ip access-list E1-ACL-1
      permit ip any any
    class-map type qos match-all E1-QoS-CL-1
      match access-group name E1-ACL-1
    policy-map type qos E1-QoS-PL-1
      class E1-QoS-CL-1
        set dscp cs7

VM-FEX instances (vNIC) and associated vETH (on Fabric Interconnect or 5K) created automatically

[Diagram labels: Cloud Provider’s DC 1; Enterprise E1 Site 1; IaaS Admin; OpenStack/Quantum; UCSM; FI (6100); 802.1qbh; VLAN 15; SW 11; Hypervisor with N1Kv VEM; VM1 (App, vNIC1); VM2 (App, vNIC2); VM3 (App, vNIC3); VM42 (App, vNIC4); vETH1 to vETH4.]

Part 1 (Quantum Service & Network Creation)

Quantum service invokes Cisco Plugin

Cisco Plugin invokes Cisco NX-OS Driver (Sub-Plugin)

NX-OS driver creates a VLAN using the same ID as the one used for UCSM

NX-OS driver sets up the VLAN parameters

NX-OS driver sets up the ports associated with the UCS (Static Network Topology)

Cisco Plugin calls UCS driver to create the port, profile and makes a cluster association

Cisco’s Quantum Plugin – NX OS Driver

NX-OS driver maps the QoS configuration between the UCS and NX-OS.

NX-OS driver configures the QoS parameters for the associated VLAN (VLAN level).

Part 2 (Nova Compute spawns VM)

Nova compute creates Palo-specific libvirt configuration for VM by invoking appropriate Quantum Client APIs

VM is spawned

VM has connectivity on the network created earlier


Quantum L2 API

POST /networks.json
    Create virtual network (json indicates body will be in JSON)
    In body: {"network": {"name": "…"}}
    Returns <network id>

POST /networks/<network id>/ports.json
    Create a virtual port on specified network (<network id>)
    Returns <port id>

PUT /networks/<network id>/ports/<port id>/attachment.json
    Attaches the VIF (of VM) to specified network and port

GET /tenants/tenant-id/networks
    List all networks of a tenant

GET /tenants/tenant-id/networks/detail

GET /tenants/tenant-id/networks/network-id

GET /tenants/tenant-id/networks/network-id/detail

PUT /tenants/tenant-id/networks/network-id
    Rename a network
    In body: {"network": {"name": "…"}}

DELETE /tenants/tenant-id/networks/network-id

Similarly for “port” and “attachment”

For Further Reference: http://docs.openstack.org/api/openstack-network/1.0/content/index.html

Quantum & L3

Quantum today

Only L2; Nova currently handles some L3 constructs but this is not desirable

What do we need?

Extend Quantum to support L3 constructs in addition to available L2 constructs

Introduce Subnets and abstracted Routing constructs

Why?

Enable: Intra-tenant routing (multi-tier topologies), Public-Private, Private-Public, VPN, L3 Services (Load-balancer, Firewall, Caching, etc.), Hybrid Cloud, Network Containers


The Big Picture


Quantum L3 (tenant) Model (Proposed)

Note: This is proposed and under active discussion in the OpenStack community. Model and APIs are subject to change.

[Diagram labels: Project/Tenant; Tenant resources; Tenant VM (VM ID, IP Addr); L2 Network; L3 Subnet; Route-table; Create Routes; Target; Associate Targets; Target Entities; “VPN” (Target); VPN Gateway; VPN; Internet Gateway; Other Services; 3rd Party Resources; Public Network; SP-Local Network; SP resources created for tenant; SP managed infrastructure; Tenant owned network resources; actions Plug, Create, Map. Legend: New resources proposed for the L3 model in Quantum.]

Quantum L3: Use case 1 (one Private Subnet)

Note: This is proposed and Under active discussions in Openstack community. Model and APIs are subject to change

Private Subnet (ID: Subnet-A) 10.0.0.0/24
    Application 10.0.0.5
    Application 10.0.0.8

    Source      Destination    Target
    Subnet-A    0.0.0.0        “My VPN Gateway”*

*Refers to the ID of a target resource created by the tenant with the following call:

    create_target(tenantID, name="My VPN Gateway", type_id="VPN 1", protocol="IPSec", version="1")

Quantum L3: Use case 2 (Public/Private Subnets)

Public Subnet (ID: Subnet-A) 10.0.0.0/24
    Web Server 10.0.0.5, 198.51.100.1 (FIP)
    Web Server 10.0.0.8, 198.51.100.4 (FIP)

Private Subnet (ID: Subnet-B) 10.0.1.0/24
    DB Server 10.0.1.5
    DB Server 10.0.1.6

    Source      Destination    Target
    Subnet-A    10.0.1.0/24    Subnet-B
    Subnet-B    10.0.0.0/24    Subnet-A
    Subnet-A    0.0.0.0        “My Internet Gateway”
    Subnet-B    0.0.0.0        “My VPN Gateway”

Quantum L3: Use case 3 (Public/2 Private Subnets)

Public Subnet (ID: Subnet-A) 10.0.10.0/24
    Web Server 10.0.10.2, 198.51.100.1 (FIP)
    Web Server 10.0.10.3, 198.51.100.4 (FIP)

Private Subnet (ID: Subnet-B) 10.0.20.0/24
    App Server 10.0.20.2
    App Server 10.0.20.3

Private Subnet (ID: Subnet-C) 10.0.30.0/24
    DB Server 10.0.30.2
    DB Server 10.0.30.3

    Source      Destination     Target
    Subnet-A    10.0.20.0/24    Subnet-B
    Subnet-B    10.0.30.0/24    Subnet-C
    Subnet-A    0.0.0.0         “My Internet Gateway”*

*Refers to the ID of a target resource created by the tenant with the following call:

    create_target(tenantID, name="My Internet Gateway", type_id="Public")
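The route tables of Use case 2 and Use case 3 can be checked mechanically for tier isolation. The following is an added example, not part of the original deck or of Quantum: it resolves the target for a packet and flags rows that hand a private subnet's traffic to a public target. Assumptions: the bare "0.0.0.0" destination is the default route, rows are matched per source subnet by longest prefix, and all function names are hypothetical.

```python
import ipaddress

# Tables transcribed from the Use case 2 and Use case 3 slides.
# Each route row is (source subnet, destination, target).
UC2_SUBNETS = {"Subnet-A": "10.0.0.0/24", "Subnet-B": "10.0.1.0/24"}
UC2_ROUTES = [
    ("Subnet-A", "10.0.1.0/24", "Subnet-B"),
    ("Subnet-B", "10.0.0.0/24", "Subnet-A"),
    ("Subnet-A", "0.0.0.0", "My Internet Gateway"),
    ("Subnet-B", "0.0.0.0", "My VPN Gateway"),
]
UC3_SUBNETS = {"Subnet-A": "10.0.10.0/24", "Subnet-B": "10.0.20.0/24",
               "Subnet-C": "10.0.30.0/24"}
UC3_ROUTES = [
    ("Subnet-A", "10.0.20.0/24", "Subnet-B"),
    ("Subnet-B", "10.0.30.0/24", "Subnet-C"),
    ("Subnet-A", "0.0.0.0", "My Internet Gateway"),
]


def _network(dest):
    # Assumption: the slides' bare "0.0.0.0" destination means the default route.
    return ipaddress.ip_network("0.0.0.0/0" if dest == "0.0.0.0" else dest)


def source_subnet(subnets, ip):
    """Name of the tenant subnet that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def resolve_target(subnets, routes, src_ip, dst_ip):
    """Target chosen for a packet, or None when no row applies.

    Assumption: rows are matched per source subnet by longest prefix, and
    traffic inside one subnet stays on that subnet's L2 network.
    """
    src = source_subnet(subnets, src_ip)
    if src is None:
        return None
    if source_subnet(subnets, dst_ip) == src:
        return src
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for row_src, dest, target in routes:
        net = _network(dest)
        if row_src == src and dst in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, target)
    return best[1] if best else None


def exposure_findings(routes, private_subnets, public_targets):
    """Route rows that send a private subnet's traffic to a public target."""
    return [row for row in routes
            if row[0] in private_subnets and row[2] in public_targets]


if __name__ == "__main__":
    # 203.0.113.9 is a constructed external address (documentation range).
    print(resolve_target(UC2_SUBNETS, UC2_ROUTES, "10.0.1.5", "203.0.113.9"))
    print(resolve_target(UC3_SUBNETS, UC3_ROUTES, "10.0.10.2", "10.0.30.2"))
    print(exposure_findings(UC2_ROUTES, {"Subnet-B"}, {"My Internet Gateway"}))
```

In the Use case 3 table the web tier has no row for the DB subnet, so web-to-DB traffic falls through to the default row instead of reaching Subnet-C directly.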


Agenda

Background

Technical Overview

OpenStack@Cisco – Quantum

API Walk thru – Services Insertion using Quantum APIs

Q&A


Network Services Insertion

“It defines the way services will be inserted in the network, and the necessary configuration steps to maintain them up and running along all possible changes on the customers cloud infrastructure”


Network Services Types

1. Single Side Services: Just require one service instance to provide the service and they are mostly deployed at the application server side of the network

2. Symmetric Services: Require one server instance running at each side of the edge routers of the network, one for the client side and one for the server application

Network Services Insertion Modes

[Diagram: Out-of-Path Insertion (Redirection), with labels Gateway, Service / Service Clusters, Server.]

[Diagram: In-Path Insertion, with labels Gateway, Service, Server.]

Network Services Insertion Model

1. Network Templates – Orchestration

Building the entire network and all the required components based on templates designed for certain services or a combination of them.

2. On Demand – As Dynamic Virtual Machines (VMs)

Network services are provided on-demand by Cloud Service Providers and Third party entities through Network APIs (Quantum)


Network Services Insertion - On Demand Model

1. Cloud Service Providers (CSPs) deploy and administrate services

2. Tenants deploy and administrate services

3. Cloud Service Providers deploy and maintain services but tenants administrate their functionality

Use Case 1: Single In-Path Service Insertion

Creates the new networks and necessary ports

    create_network (tenant_id, net_name)                  network-X
    create_network (tenant_id, net_name)                  network-Y
    create_multiport (net_id, number_ports, tenant_id)    Firewall

Instantiate both services from VM images

    euca-run-instances (Firewall)
    euca-run-instances (Tenant VMs)

Re-connects Network X and V as well as the new services

    plug_iface (tenant_id, net_id, port_id)               From FW to Net-X
    plug_iface (tenant_id, net_id, port_id)               From FW to Net-Y
    plug_iface (tenant_id, net_id, port_id)               From Net-Y to VMs
    plug_iface (tenant_id, net_id, port_id)               From Net-X to GW
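An in-path firewall only protects the tenant VMs if no plug_iface call leaves a path around it. The following is an added example, not part of the original deck or the Cisco plugin: it models the Use Case 1 plug_iface calls as a graph and reports VMs the gateway can reach without crossing the service. Assumptions: the VM names VM1 and VM2 are constructed, tenant VMs do not forward traffic, and all function names are hypothetical.

```python
from collections import deque

# One (device, network) pair per plug_iface call on the Use Case 1 slide.
# "VM1" and "VM2" are constructed names for the slide's tenant VMs.
USE_CASE_1_PLUGS = [
    ("Firewall", "network-X"),   # From FW to Net-X
    ("Firewall", "network-Y"),   # From FW to Net-Y
    ("VM1", "network-Y"),        # From Net-Y to VMs
    ("VM2", "network-Y"),
    ("GW", "network-X"),         # From Net-X to GW
]


def build_topology(plugs):
    """Adjacency map of devices and networks, plus the set of network names."""
    adj, networks = {}, set()
    for device, network in plugs:
        networks.add(network)
        adj.setdefault(device, set()).add(network)
        adj.setdefault(network, set()).add(device)
    return adj, networks


def reachable(plugs, start, forwarders, removed=()):
    """Nodes reachable from start; only networks and forwarders pass traffic on."""
    adj, networks = build_topology(plugs)
    removed = set(removed)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        is_endpoint = node not in networks and node not in forwarders
        if node != start and is_endpoint:
            continue  # assumption: tenant VMs receive traffic but do not forward it
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bypassing_vms(plugs, gateway, service, vms):
    """VMs the gateway still reaches when the in-path service is taken out."""
    seen = reachable(plugs, gateway, forwarders={service}, removed={service})
    return sorted(vm for vm in vms if vm in seen)


def unserved_vms(plugs, gateway, service, vms):
    """VMs with no path to the gateway at all, e.g. after a half-finished insertion."""
    seen = reachable(plugs, gateway, forwarders={service})
    return sorted(vm for vm in vms if vm not in seen)


if __name__ == "__main__":
    vms = ["VM1", "VM2"]
    print(bypassing_vms(USE_CASE_1_PLUGS, "GW", "Firewall", vms))
    # Constructed misconfiguration: VM2 plugged into the gateway-side network.
    misplugged = USE_CASE_1_PLUGS + [("VM2", "network-X")]
    print(bypassing_vms(misplugged, "GW", "Firewall", vms))
```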


Use Case 2: Multiple In-Path Services Insertion

Creates the new networks and necessary ports

    create_network (net_name, tenant_id)                  network-G
    create_network (net_name, tenant_id)                  network-F
    create_multiport (net_id, number_ports, tenant_id)    Firewall
    create_multiport (net_id, number_ports, tenant_id)    Wan Opt

Unplugging interfaces between the GW and Network X and V

    unplug_iface (tenant_id, net_id, port_id)             network-X
    unplug_iface (tenant_id, net_id, port_id)             network-V

Instantiate both services from VM images

    euca-run-instances (Firewall)
    euca-run-instances (Wan Opt)

Re-connects Network X and V as well as the new services

    plug_iface (tenant_id, net_id, port_id)               From Net-V to FW
    plug_iface (tenant_id, net_id, port_id)               From Net-F to FW
    plug_iface (tenant_id, net_id, port_id)               From Net-G to FW
    plug_iface (tenant_id, net_id, port_id)               From Net-X to Web Opt
    plug_iface (tenant_id, net_id, port_id)               From Wan Opt to Net-F
    plug_iface (tenant_id, net_id, port_id)               From Net-G to GW

Management Best Practices:

    create_network (net_name, tenant_id)                  management-network
    create_multiport (net_id, number_ports, tenant_id)
    plug_iface (tenant_id, net_id, port_id)               Firewall
    plug_iface (tenant_id, net_id, port_id)               Web Opt

Services Insertion Utility

    insert_inpath_service <tenant_id> <service_image_id> <management_net_name> <northbound_net_name> <southbound_net_name>
    delete_service <tenant_id> <service_instance_id>
    connect_vm <tenant_id> <vm_image_id> <service_instance_id>
    disconnect_vm <vm_instance_id>

Reference: https://github.com/openstack/quantum/blob/master/quantum/plugins/cisco/services/README

Questions?


Backup Slides


OpenStack Authentication Architecture

[Diagram labels: Keystone; Service & Admin APIs; identity; token; Catalog; Policy; Service Backends (KVS, SQL, PAM, Templated); OpenStack; Nova; nova-api (EC2, OS, Admin); Swift; object-api; Glance; glance-api.]

OpenStack Image Service Architecture

[Diagram labels: Glance; Glance API Server (glance-api); Registry Server; SQL; Store Adapter; S3 Store; Swift Store; Filesystem Store; HTTP Store; OpenStack; Nova; nova-api (EC2, OS, Admin); Swift; object-api; Keystone; Service API.]

OpenStack Compute Architecture

[Diagram labels: Users; Computer Programs; OpenStack; Nova; nova-api (EC2, OS, Admin); Message Queue (RabbitMQ); Scheduler (nova-scheduler); Compute Worker(s) (nova-compute); Network Controller(s) (nova-network); Volume Worker(s) (nova-volume); Data Store; Glance; glance-api; Swift; object-api; Keystone; Service API.]

OpenStack Software Architecture

[Diagram labels: OpenStack; Nova; nova-api (EC2, OS, Admin); Swift; object-api; Glance; glance-api; Other OpenStack Projects; project-api.]
