tweaking openstack
© 2013 Nebula, Inc. All rights reserved.
Vishvananda Ishaya, Director of Open Source, Nebula Inc.
Private Cloud Toolkit: Tweaking OpenStack
Who am I?
• OpenStack Technical Committee Member
• Started at NASA the day Nova was created
• Nova Technical Lead for the first two years of its existence
• Designed and deployed multiple private clouds with OpenStack
The Problem
A Perfect World
$ (apt-get|yum) install openstack
...
openstack installed successfully!
$ _
The Real World
$ (apt-get|yum) install openstack
unknown command
$ _
The Real World
$ git clone git://github.com...
...
$ cd devstack
$ ./stack.sh
OpenStack is Configurable
• Tiny to very large scale
• Pluggable backends
• Multiple components
WAT!?
Choices
Network Configuration
• Neutron OVS
• Neutron Vendor
• Nova-network vlan
• Nova-network flat
Hypervisor Choice
• KVM
• Xen
• Hyper-V
• ESX
• Other
Object Storage
• Swift
• Ceph
Block Storage Backend
• Default LVM
• Ceph
• Solidfire
• Netapp
Suggested Projects Small Scale
• Compute (nova)
• Object Storage (swift)
• Image Service (glance)
• Identity (keystone)
• Dashboard (horizon)
• Networking (neutron)
• Block Storage (cinder)
• Metering (ceilometer)
• Orchestration (heat)
Suggested Projects Large Scale
• Compute (nova)
• Object Storage (swift)
• Image Service (glance)
• Identity (keystone)
• Dashboard (horizon)
• Networking (neutron)
• Block Storage (cinder)
• Metering (ceilometer)
• Orchestration (heat)
Nova Tweaks
Nova-network Tweaks
• force_dhcp_release=true
• defer_iptables_apply=true
• multi_host=true
• share_dhcp_address=true
• dnsmasq_config_file=/path/to/file (configure dnsmasq to pass external gateway)
Nova-compute Tweaks
• force_raw_images=False
• use_cow_images=False
• resume_guests_state_on_host_boot=True
• running_deleted_instance_action=reap
Network Stack Performance
• Turn on jumbo frames
• Increase tx queue length
• Tweak guest tcp settings
• http://buriedlede.blogspot.com/2012/11/driving-100-gigabit-network-with.html
Security
Lock down the host machines
• Normal Linux hardening applies
• Control access to the host machines
• Keep software up-to-date
• Don’t have services listen on 0.0.0.0
• Separate mgmt and guest traffic
• http://aa4698cc2bf4ab7e5907-ed3df21bb39de4e57eec9a20aa0b8711.r41.cf2.rackcdn.com/OpenStackSecurityGuide.epub
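Added example (not from the original slides or from the OpenStack project): a small audit of a nova.conf that reports options bound to a wildcard address, per the "Don't have services listen on 0.0.0.0" bullet, and options that differ from the Nova-network and Nova-compute tweak slides. The sample file is constructed, and the function name audit is hypothetical.

```python
import configparser

# Values copied from the Nova-network and Nova-compute tweak slides.
SLIDE_TWEAKS = {
    "force_dhcp_release": "true",
    "defer_iptables_apply": "true",
    "multi_host": "true",
    "share_dhcp_address": "true",
    "force_raw_images": "false",
    "use_cow_images": "false",
    "resume_guests_state_on_host_boot": "true",
    "running_deleted_instance_action": "reap",
}
WILDCARDS = {"0.0.0.0", "::"}  # IPv4 and IPv6 "all interfaces"

# Constructed sample nova.conf, for demonstration only.
SAMPLE_CONF = """\
[DEFAULT]
osapi_compute_listen = 0.0.0.0
metadata_listen = 10.0.0.5
multi_host = True
force_dhcp_release = false
use_cow_images = False
"""

def audit(conf_text):
    """Return (wildcard_options, tweak_mismatches) for a nova.conf string."""
    # strict=False: nova.conf may legitimately repeat multi-valued options.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    opts = dict(cp.defaults())  # [DEFAULT] section, keys lower-cased
    # Any option explicitly set to a wildcard address is worth reviewing.
    wildcard = sorted(k for k, v in opts.items() if v.strip() in WILDCARDS)
    # Unset options are reported as None: the effective value is then the
    # release default, which this example does not look up.
    mismatches = {}
    for key, want in SLIDE_TWEAKS.items():
        have = opts.get(key)
        if have is None or have.strip().lower() != want:
            mismatches[key] = have
    return wildcard, mismatches

if __name__ == "__main__":
    listeners, diffs = audit(SAMPLE_CONF)
    print("wildcard binds:", listeners)
    for key, have in diffs.items():
        print(f"{key}: slide={SLIDE_TWEAKS[key]} file={have}")
```

Only explicitly set values are inspected, so an option missing from the file still needs its default checked against the documentation for the deployed release.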
Nova Security Considerations
• Only enable API extensions your users need
• Only enable scheduler filters your users need
• Customize policy for administrative actions
• Use HTTPS in front of API services
• Consider disabling instance migration
Questions?
Thank you.