OpenStack Cloud Application Development


CONTENTS

INTRODUCTION
  WHO THIS BOOK IS FOR
  WHAT THIS BOOK COVERS
  HOW THIS BOOK IS STRUCTURED
  WHAT YOU NEED TO USE THIS BOOK
  CONVENTIONS
  SOURCE CODE
  ERRATA
  P2P.WROX.COM

PART I: OPENSTACK OVERVIEW

1 INTRODUCING OPENSTACK
  WHAT IS CLOUD COMPUTING?
  WHY SHOULD I CARE?
  UNDERSTANDING THE ARCHITECTURE
  SUMMARY

2 UNDERSTANDING THE OPENSTACK ECOSYSTEM: CORE PROJECTS
  IDENTITY
  COMPUTE
  STORAGE
  IMAGING
  DASHBOARD
  NETWORKING
  BRINGING IT ALL TOGETHER
  SUMMARY

3 UNDERSTANDING THE OPENSTACK ECOSYSTEM: ADDITIONAL PROJECTS
  OPENSTACK HEAT
  OPENSTACK DATABASE AS A SERVICE: TROVE
  DESIGNATE: DNS AS A SERVICE
  MAGNUM
  MURANO: APPLICATION AS A SERVICE
  CEILOMETER: TELEMETRY AS A SERVICE
  SUMMARY

PART II: DEVELOPING AND DEPLOYING APPLICATIONS WITH OPENSTACK

4 APPLICATION DEVELOPMENT
  CONVERTING A LEGACY APP TO AN OPENSTACK APP
  BUILDING APPS FROM SCRATCH
  OPENSTACK APP DESCRIPTION AND DEPLOYMENT STRATEGIES
  SUMMARY

5 IMPROVING ON THE APPLICATION
  FAILURE SCENARIOS
  HOSTNAME AND IP ADDRESSING
  SCALING
  IMPROVING OUR APPLICATION
  SUMMARY

6 DEPLOYING THE APPLICATION
  BARE METAL, VIRTUAL MACHINES, AND CONTAINERS
  ORCHESTRATION AND CONFIGURATION MANAGEMENT
  MONITORING AND METERING
  ELASTICITY
  UPDATING AND PATCHING
  SUMMARY

BOOK WRAP UP

TITLE PAGE
COPYRIGHT
ABOUT THE AUTHOR
ABOUT THE TECHNICAL EDITORS
CREDITS
ACKNOWLEDGMENTS
EULA

LIST OF ILLUSTRATIONS

Chapter 1: Figures 1.1 to 1.6
Chapter 2: Figures 2.1 to 2.13
Chapter 3: Figures 3.1 to 3.13
Chapter 4: Figures 4.1 to 4.6
Chapter 5: Figures 5.1 to 5.10
Chapter 6: Figures 6.1 to 6.5

INTRODUCTION

OpenStack is a set of software packages that manage virtualized resources, including computing, networking, and storage. It enables you to create and destroy virtual machines, connect them together with private networks, provide network-based storage, and make them available to the rest of your network and the world. OpenStack provides consistent, uniform API services for all of this, hiding hypervisor and vendor specific details from the applications that are using the APIs. It also provides a user interface, built on top of the same APIs, that allows users to see and manage their virtual resources.

WHO THIS BOOK IS FOR

This book is for application developers that are interested in learning more about OpenStack and how it will transform the application design and development process. It is for someone who is new to the cloud environment, who wants a broad understanding of that environment, as well as a deep enough knowledge to make practical use of OpenStack.

WHAT THIS BOOK COVERS

This book will provide a broad understanding of cloud concepts and how they fit into the life of an application developer. It will drill in deeply to the OpenStack services that are most important to an application developer, and show you how these services will change not only how you deploy applications, but also how you design them. It will provide detailed information on each service, and provide examples of how each service may be used by an application developer.

HOW THIS BOOK IS STRUCTURED

This book was written in two parts. Part 1 provides an overview of OpenStack. The purpose of this part is to lay the groundwork, covering all of the OpenStack technologies and what is most important.

Part 2 takes the reader through developing and deploying applications with OpenStack. In this part you will build an example on top of OpenStack that drills down much deeper on the technologies, provides tips, and helps you learn about OpenStack through the lens of these same technologies.

Here is a list of the chapters:

Part I: OpenStack Overview

Chapter 1: Introduction to OpenStack
Chapter 2: Understanding the OpenStack Ecosystem: Core Projects
Chapter 3: Understanding the OpenStack Ecosystem: Additional Projects

Part II: Developing and Deploying Applications with OpenStack

Chapter 4: Application Development
Chapter 5: Improving on the Application
Chapter 6: Deploying the Application

WHAT YOU NEED TO USE THIS BOOK

You should understand the basics of application development - how applications are composed of multiple servers like web servers, application servers, and database servers. You do not need any cloud-specific knowledge, though you should be aware of what virtualization and virtual machines are, and have a basic understanding of networks.

CONVENTIONS

To help you get the most from the text and keep track of what's happening, we've used a number of conventions throughout the book.

Examples that you can download and try out for yourself generally appear in a box like this:

EXAMPLE TITLE

This section gives a brief overview of the example.

Source

This section includes the source code.

Source code
Source code
Source code

Output

This section lists the output:

Example output
Example output
Example output

NOTE Notes indicate notes, tips, hints, tricks, or asides to the current discussion.

As for styles in the text:

We highlight new terms and important words when we introduce them.

We show code within the text like so: persistence.properties.

SOURCE CODE

As you work through the examples in this book, you may choose either to type in all the code manually, or to use the source code files that accompany the book. All the source code used in this book is available for download at www.wrox.com. Specifically for this book, the code download is on the Download Code tab at:

www.wrox.com/go/openstackcloudappdev

and at:

https://github.com/johnbelamaric/openstack-appdev-book

You can also search for the book at www.wrox.com by ISBN (the ISBN for this book is 978-1-119-19431-6) to find the code. And a complete list of code downloads for all current Wrox books is available at www.wrox.com/dynamic/books/download.aspx.

Note Because many books have similar titles, you may find it easiest to search by ISBN; this book's ISBN is 978-1-119-19431-6.

Once you download the code, just decompress it with your favorite compression tool. Alternately, you can go to the main Wrox code download page at www.wrox.com/dynamic/books/download.aspx to see the code available for this book and all other Wrox books.

ERRATA

We make every effort to ensure that there are no errors in the text or in the code. However, no one is perfect, and mistakes do occur. If you find an error in one of our books, like a spelling mistake or faulty piece of code, we would be very grateful for your feedback. By sending in errata, you may save another reader hours of frustration, and at the same time, you will be helping us provide even higher quality information.

To find the errata page for this book, go to

www.wrox.com/go/openstackcloudappdev

and click the Errata link. On this page you can view all errata that have been submitted for this book and posted by Wrox editors.

If you don't spot "your" error on the Book Errata page, go to www.wrox.com/contact/techsupport.shtml and complete the form there to send us the error you have found. We'll check the information and, if appropriate, post a message to the book's errata page and fix the problem in subsequent editions of the book.

P2P.WROX.COM

For author and peer discussion, join the P2P forums at http://p2p.wrox.com. The forums are a Web-based system for you to post messages relating to Wrox books and related technologies and interact with other readers and technology users. The forums offer a subscription feature to e-mail you topics of interest of your choosing when new posts are made to the forums. Wrox authors, editors, other industry experts, and your fellow readers are present on these forums.

At http://p2p.wrox.com, you will find a number of different forums that will help you, not only as you read this book, but also as you develop your own applications. To join the forums, just follow these steps:

1. Go to http://p2p.wrox.com and click the Register link.

2. Read the terms of use and click Agree.

3. Complete the required information to join, as well as any optional information you wish to provide, and click Submit.

4. You will receive an e-mail with information describing how to verify your account and complete the joining process.

NOTE You can read messages in the forums without joining P2P, but in order to post your own messages, you must join.

Once you join, you can post new messages and respond to messages other users post. You can read messages at any time on the Web. If you would like to have new messages from a particular forum e-mailed to you, click the Subscribe to this Forum icon by the forum name in the forum listing.

For more information about how to use the Wrox P2P, be sure to read the P2P FAQs for answers to questions about how the forum software works, as well as many common questions specific to P2P and Wrox books. To read the FAQs, click the FAQ link on any P2P page.

PART I: OpenStack Overview

CHAPTER 1: INTRODUCING OPENSTACK
CHAPTER 2: UNDERSTANDING THE OPENSTACK ECOSYSTEM: CORE PROJECTS
CHAPTER 3: UNDERSTANDING THE OPENSTACK ECOSYSTEM: ADDITIONAL PROJECTS

1 Introducing OpenStack

WHAT'S IN THIS CHAPTER?

Models of cloud computing
Relevance of cloud computing to application developers
Why OpenStack is a good cloud platform choice
How OpenStack is put together

WHAT IS CLOUD COMPUTING?

There is so much hype around cloud computing that it is often difficult to get a clear sense of what anyone means by those words. Is it just virtualization? Is it Software-as-a-Service (SaaS), such as Microsoft's Office 365 and Salesforce.com? Or is it the ability to get a virtual machine instantly from Amazon Web Services (AWS) or Azure? And what about online storage such as Dropbox?

Types of Cloud Computing

The reality is that cloud computing refers to all of these things just described and more. The National Institute of Standards and Technology (NIST) has come up with an "official" definition based upon five key components: on-demand self-service, broad network access, pooled resources, elasticity, and metered service. In general, these characteristics may be provided in several different models. These models help sort out the confusion and hype. In fact, these can be thought of as layers in a stack, with each layer being built on top of the previous one (see Figure 1.1).

Figure 1.1

In Figure 1.1, "Manually Provisioned Infrastructure" represents the traditional method of building your information technology infrastructure—this is not cloud computing. In this environment, physical machines are racked, connected, and configured on a one-by-one basis. This provides complete control, but requires substantial time and effort to build out, or to change when necessary. Of course, all clouds need to run on physical gear at some point, so this provides the basic foundation for everything else. One of the keys to making cloud computing successful, however, is to move the complexity out of this layer and up higher in the stack.

Infrastructure-as-a-Service (IaaS) is the most basic layer in the cloud computing stack. This is OpenStack's primary focus, as well as the primary focus for AWS. It enables automated or self-service provisioning of compute, networking, and storage. Typically, these resources are provided as Virtual Machines (VMs), but you could also use it to spin up bare metal servers (i.e. physical hosts). This is known as "Metal-as-a-Service," and OpenStack provides a project for managing this service as well. Alternatively, you can also spin up containers rather than VMs or bare metal servers. The essential point is that it enables the provisioning of compute instances, with (optionally) attached networking and storage.

Platform-as-a-Service (PaaS) builds on top of IaaS to enable the provisioning of applications, rather than simply the infrastructure that might be used to run the application. So, a PaaS provides core common services needed by applications, along with the machinery to configure and deploy applications to use those services. A PaaS typically will provide a complete application stack (web server, application server, database server, etc.) into which you can easily deploy your application. Heroku (https://www.heroku.com) is an example of a popular PaaS for applications built with a variety of standard frameworks, such as Ruby-on-Rails. With Heroku you can deploy your application to the Internet with a simple git push. As the application author and deployer, you don't need to worry about configuring and deploying the different tiers, or even worry about how to scale them. If you follow the Heroku conventions, everything is handled by the PaaS.

Software-as-a-Service (SaaS) is the layer farthest from the underlying physical infrastructure. It may be built on IaaS or a PaaS, but need not be—the point is the user never really knows. This is the simplest form of cloud computing from the point of view of the user because they have no insight into the actual mechanics or systems behind the service. It's just a service they use. Often this is provided in the form of a website, such as Salesforce.com. But you can also get lower-level services such as Database-as-a-Service, where you simply request via an API (or website) for a database with certain parameters, and are given an IP and port to connect to. As a user of the service, you don't need to worry about how to scale that service—though you will need to pay more as your use of the service increases.

Put succinctly, IaaS provides the tools to "build" your systems from the ground up. PaaS allows you to "deploy" your applications, without needing to worry about the underlying infrastructure. SaaS allows you to "buy" your applications—you do not even need to deploy or manage them at all. This is a steady progression of decreasing control and complexity, while increasing direct business value.

While these are general models for cloud computing, in reality the distinctions between them are not always crystal clear. The relationship of SaaS to PaaS in particular can be complicated. A specific, complex Software-as-a-Service may use PaaS or even other more granular Software-as-a-Service. Even a PaaS may assemble lower-level pieces as a collection of software services. For example, most services will require an identity management (authentication, authorization, and accounting) service. This identity service is one of the key features a PaaS provides to applications. However, there is no reason that service cannot be, in turn, provided by some external SaaS! In this case, a key function of the PaaS is provided via a low-level SaaS.

Cloud Infrastructure Deployment Models

In addition to the functionality provided by a cloud, there are several different deployment models for clouds. Public clouds are the ones familiar to most developers. These cloud services are made available to the general public for a fee. The fee is generally on a usage basis, enabling organizations to utilize their operating budgets rather than their capital budgets. The customers have no need to maintain or operate the hardware or cloud infrastructure, leaving that responsibility completely to the cloud operator.

Amazon Web Services (AWS) is currently the largest public cloud and dominates the industry. Microsoft and VMware also operate public clouds, and a number of service providers do as well. Rackspace, in particular, provides an OpenStack-based public cloud, and is one of the primary contributors to the OpenStack project.

Private clouds, on the other hand, are internal to an organization. They represent the evolution of the traditional corporate data center. Only internal customers within the enterprise, and perhaps close partners, use private clouds. The corporate IT department or a contractor will purchase, set up, and maintain the hardware and software for the cloud. The cloud infrastructure may use chargeback to distribute costs among the business units, but the cloud itself is still dedicated to the single enterprise.

Organizations may operate private clouds for a number of reasons. The cost of a private cloud, if well run, may be less than utilizing the public clouds. Additionally, many industries have security or regulatory reasons that disallow the use of a public cloud for many workloads. These organizations are required to run those workloads in a private cloud. See Figure 1.2 for a look at the structure of public, private, and hybrid clouds.

Figure 1.2

Hybrid clouds combine both private and public clouds. The goal with hybrid clouds is to keep general operating costs low by using the private cloud for most of the workloads, but to enable spillover into the public cloud when necessary. The spillover could happen due to capacity reasons—perhaps during the holiday season your private cloud doesn't have enough capacity—or for disaster recovery. This model avoids the capacity constraints of a private cloud while still keeping costs under control.

WHY SHOULD I CARE?

As an application developer or architect, you may wonder—why does all of this matter to me? All of this discussion covered so far focuses on the reason a business may want to move to the cloud. But why should that affect the application developer? The answer lies in a couple of different areas: the effect on the development process, and the effect on your application architecture.

Cloud services enable much more efficient processes for managing development, test, and production environments. These updated processes and methods represent the "DevOps" mentality—applying standard software development practices, such as source code version control, to the operational aspects of the application. This means capturing all of the configuration and deployment information in scripts and templates, and controlling their changes just as you would application code.

Scripts and templates can be built that produce a complete application environment. These can be used to automatically deploy not only the application, but also infrastructure required for the application, including virtual machines, networking, firewalls, load balancers, domain name services—you name it, and someone is working on making it available "as-a-Service." By automating the creation and destruction of these environments, you can ensure consistency between development, test, and production environments. For complex applications with many different services running on different machines, this can be a dramatic time saver.

OpenStack, and "as-a-Service" thinking in particular, will also end up changing the software and deployment architectures of your application. By relegating the common and routine functions to the cloud infrastructure, you free your time and thought to focus on the most important thing—your application's functionality. For example, a traditional application that allows large file uploads will need to designate temporary and permanent storage locations for those files, and manage the storage resources to ensure that the disk doesn't fill. The system administrator or deployer will need to devise a strategy to back up that data or replicate it to other data centers. But with the right cloud platform, you can simply delegate that function to the infrastructure, and get all of the benefits without devoting special effort.

Designing your application to work with the cloud services also dramatically simplifies scaling the application. The scalability of the individual services becomes the responsibility of the cloud operator, not the application developer or administrator. As long as the application makes effective use of those services, it will scale as needed with little to no work from the developers themselves.

Being able to utilize "as-a-Service" functions is one way your design will shift. Another is to plan for horizontal scaling rather than vertical scaling. That is, scaling by adding more machines (horizontally) rather than creating bigger machines (vertically). With most applications today, it is easiest to scale by getting a bigger, faster machine. This locks you into planning for peak capacity of each application individually. For each application you need to provision the largest machine you may need at peak load. But with applications built for the cloud, you instead scale by adding more machines. These machines can be smaller, and with cloud automation, can be added, removed, or resized as needed. This ability to scale up and down as needed is called elastic scaling, and is one of the key features of cloud computing.

A frequently used analogy is that traditional servers are like "pets," while cloud-based servers are "cattle." This describes a necessary shift in mentality for a traditional application architect. The idea is that a pet is unique and special, with its own unique name. A lot of resources are spent to raise and nurture one, and if it is sick, it will be nursed back to health. Cattle, on the other hand, are not treated specially or carefully raised. They are treated en masse—they are given numbers, not names—and a sick one is culled to prevent any spread of disease through the herd.

The implication here is that cloud-based servers should be disposable and easily re-deployed, and not require careful hand configuration. That way, if there is a problem with one, you do not spend time trying to figure it out and fix it—you simply replace it with a new one. This is the logical extension of the ability to scale elastically. Why take the time to figure out what's wrong with a machine when it's behaving badly? Just pull it out of the application and replace it with a new one while you debug the problem (not to fix that machine, but to prevent the issue in the future).

What Is OpenStack?

OpenStack bills itself as a "cloud operating system." Fundamentally, it solves the IaaS problem. It provides the ability to abstract the physical compute, storage, and networking resources into pools. Those resources can then be divvied up among users in a secure way. Users only need to pay for what they are using, rather than having to provision their applications for peak load.

OpenStack is a collection of open source software projects, backed by a non-profit organization, the OpenStack Foundation. These projects work together to provide a consistent API layer, while enabling the actual services to be provided by a variety of different vendor or open source implementations. At the core, these services include the functionality you need to run a cloud, that is, the ability to spin up virtual machines, the ability to allocate, manage, and share storage among those machines, and the ability to enable these machines to communicate with one another securely over the network.

KEEPING TRACK OF RELEASES

OpenStack has official releases every six months. In order to make it easier to keep track of all these releases, they are given names in alphabetical order. Below is the name of each release, and its release date, through the Liberty release.

Austin: October 2010
Bexar: February 2011
Cactus: April 2011
Diablo: September 2011
Essex: April 2012
Folsom: September 2012
Grizzly: April 2013
Havana: October 2013
Icehouse: April 2014
Juno: October 2014
Kilo: April 2015
Liberty: October 2015

In addition to the release name, each release is identified by the year and release during that year—<year>.<release>.<patch>. For example, Kilo is also known as 2015.1, as the first release in 2015. Patch releases for Kilo are 2015.1.1, 2015.1.2, etc. The second major release of 2015 is Liberty, which is also known as 2015.2.

All of these services are accessible via RESTful APIs, as well as command-line interfaces and a web-based user interface called Horizon. Horizon is convenient for setting up things on an ad-hoc basis, but doesn't offer the full capabilities of the APIs—and of course the APIs and CLI tools can be easily scripted (see Figure 1.3).

Figure 1.3

The next table shows the major services provided by OpenStack, along with their names. OpenStack community members will usually refer to each service by its name, so it's helpful to see them all in one place and get a handle on what each one does. In fact, there are many more services, but these are the most common ones you will find.

Name        Service                   Description
Horizon     Dashboard                 A graphical user interface for managing your cloud
Keystone    Identity                  Authentication, authorization, and OpenStack service information
Nova        Compute                   Spin up, manage, and terminate virtual machines
Cinder      Block Storage             Disk volumes (that outlive an instance) and snapshots of instances
Swift       Object Storage            Shared, replicated, redundant storage for images, files, and other media accessible via Hypertext Transfer Protocol (HTTP)
Neutron     Network                   Provide secure tenant networking
Glance      Image                     Provide storage and access to VM images and snapshots
Heat        Orchestration             Spin up groups of machines, networks, and other resources via templates
Designate   DNS                       Create domains and records in the DNS infrastructure
Ceilometer  Telemetry                 Monitor resource usage across the cloud
Trove       Database                  Provide access to private tenant databases
Ironic      Bare Metal                Spin up instances on physical hardware
Magnum      Containers                Manage containers within instances
Murano      Application               Deploy packaged applications across multiple instances
Sahara      Data Processing Cluster   Provides a Hadoop or Spark cluster as a service

A default installation of OpenStack will include "reference" versions of each service. For example, by default an OpenStack cloud will use the Kernel-based Virtual Machine (KVM) hypervisor to manage virtual machines. One of the most important aspects of the OpenStack architecture, however, is the driver or plugin-based nature of each service. With this design, you can use an implementation other than the reference one. In your cloud, you can swap out KVM with ESXi, Xen, or other hypervisors. The APIs used to launch and manage VMs remain the same, regardless of the underlying hypervisor. This same concept extends across OpenStack services, enabling the same APIs with different service implementations.

This level of flexibility behind the scenes, while providing a consistent API, is one of the keys to the success of OpenStack. Users can build their applications and automation on top of OpenStack, without having to worry that they are locking themselves into a single backend provider of compute, networking, or storage. The APIs won't change even if they swap out the backend.

OpenStack is frequently used in enterprises for private clouds, though there are some public cloud services that are based on it. There are also companies that will create and operate a private OpenStack cloud for you within their data centers. In this case, the hardware is not shared with other customers, so you have the predictability and security of the private cloud but do not have to find and hire the experts to maintain it.

Even in private cloud environments, OpenStack is a multi-tenant cloud platform. This means that multiple users or groups of users—tenants—can utilize the physical resources of the cloud, while keeping all of their virtualized resources private. For a tenant, the OpenStack environment appears, for the most part, to be theirs and theirs alone. But for the operator, the underlying physical resources and software systems are shared. In OpenStack, tenants are also sometimes referred to as projects.

In a multi-tenant OpenStack cloud, each tenant is allocated a quota for the various types of resources that may be used. The quota provides a maximum limit for that tenant for that particular resource. You will have a quota for CPUs, memory, storage, networks, subnets, and floating IPs, among other resources. This prevents any single tenant from consuming all of the resources.
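To make the quota idea concrete, here is an added example written for this edit (it is not code from the book, and not OpenStack's own quota implementation): a small in-process tracker that holds per-tenant limits and refuses any reservation that would push a tenant past one of them. Tenant ids, resource names, flavor sizes and limits are constructed sample values. The security-relevant property it demonstrates is the one the paragraph states: one tenant exhausting its own quota has no effect on another tenant's headroom.

```python
"""Per-tenant quota enforcement (added example; not from the book or OpenStack).
Tenant ids, resource names, flavors and limits below are constructed samples."""
import threading


class QuotaExceeded(Exception):
    """Raised when a reservation would push a tenant past one of its limits."""


class TenantQuotas:
    """Hold per-tenant limits and current usage; reject over-quota reservations.

    A reservation covers several resources at once (instances, cores, RAM...)
    and is all-or-nothing, so a rejected request never leaves partial usage
    behind. The lock keeps concurrent reservations from racing past a limit.
    """

    def __init__(self, limits):
        # limits: {tenant_id: {resource_name: maximum}}
        self._limits = {t: dict(res) for t, res in limits.items()}
        self._usage = {t: {name: 0 for name in res} for t, res in limits.items()}
        self._lock = threading.Lock()

    def reserve(self, tenant, resources):
        with self._lock:
            limits = self._limits.get(tenant)
            if limits is None:
                raise KeyError("unknown tenant: %r" % tenant)
            usage = self._usage[tenant]
            # Check every resource first; only then apply the whole bundle.
            for name, amount in resources.items():
                if name not in limits:
                    raise KeyError("no quota defined for %r" % name)
                if amount < 0:
                    raise ValueError("negative reservation for %r" % name)
                if usage[name] + amount > limits[name]:
                    raise QuotaExceeded(
                        "%s: %s would reach %d, limit is %d"
                        % (tenant, name, usage[name] + amount, limits[name]))
            for name, amount in resources.items():
                usage[name] += amount

    def release(self, tenant, resources):
        """Give resources back (for example when an instance is deleted)."""
        with self._lock:
            usage = self._usage[tenant]
            for name, amount in resources.items():
                usage[name] = max(0, usage[name] - amount)

    def remaining(self, tenant):
        """Headroom per resource, the figure a dashboard would show the tenant."""
        with self._lock:
            return {name: self._limits[tenant][name] - used
                    for name, used in self._usage[tenant].items()}


# Constructed sample limits for two tenants sharing one cloud.
SAMPLE_LIMITS = {
    "tenant-a": {"instances": 2, "cores": 4, "ram_mb": 8192},
    "tenant-b": {"instances": 1, "cores": 2, "ram_mb": 2048},
}

# Constructed sample "flavors": what one instance of each size consumes.
FLAVORS = {
    "small": {"instances": 1, "cores": 1, "ram_mb": 2048},
    "large": {"instances": 1, "cores": 4, "ram_mb": 8192},
}


def launch(quotas, tenant, flavor):
    """Try to launch one instance; True on success, False if over quota."""
    try:
        quotas.reserve(tenant, FLAVORS[flavor])
        return True
    except QuotaExceeded:
        return False


if __name__ == "__main__":
    q = TenantQuotas(SAMPLE_LIMITS)
    print(launch(q, "tenant-a", "small"))   # True
    print(launch(q, "tenant-a", "large"))   # False: cores 1 + 4 exceed the limit of 4
    print(launch(q, "tenant-b", "small"))   # True: tenant-a's usage does not affect tenant-b
    print(q.remaining("tenant-a"))
```

The all-or-nothing check matters: if the tracker applied "instances" before discovering that "cores" was over the limit, a failed launch would still consume part of the tenant's quota and the usage counters would drift away from reality.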

Why OpenStack?

There are a number of cloud management platform options out there. The most obvious and dominant player is VMware with their vRealize suite of software. So, why should you take your time to learn about OpenStack rather than vRealize, AWS, Azure, CloudStack, or any of the other solutions?

About 15 years ago, IT professionals faced a very similar set of questions about Linux and proprietary UNIX systems. Solaris, HP-UX, AIX and their competitors were solid, well known, and widely deployed products, whereas Linux was a graduate student's project that was difficult to install and operate and was fairly immature, with driver and other compatibility issues. It was not clear at all at the time that spending effort learning and understanding Linux was worth it. History though, has proven that such a choice would have been the right one. All of those expensive, proprietary UNIX implementations have lost their value proposition—they really don't have much that is unique to offer anymore. Linux has continued to grow and has taken over most of the environments where those systems once thrived.

This isn't just a simple analogy. There is a relentless pressure in this industry to reduce costs, and to increase the velocity of feature delivery—deliver more, faster, and cheaper. The way to achieve "more, faster" is standardization. This is the same basic principle as building libraries and frameworks in programming. A standard architecture behaves in a predictable manner, providing core services on which you can rely and build. There is no need to repeat the process of developing that architecture over and over, allowing you to focus on the new functionality.

The way you achieve "cheaper" is to make those standards open and free. This combination of open and standard leads to commoditization—essentially the development of interchangeable components that are the same regardless of the manufacturer or vendor. Commodities imply a lot of competition, and there is little or no product differentiation for which to charge extra. This drives down the costs dramatically.

Linux has both of these characteristics—open and standard—in UNIX-like operating systems, and that is why it won. Not because it was better, but because it was cheaper and faster to use as a base for building new functionality. Linux is just one example, of course. This story has repeated over and over in the technology industry. With machine architectures we have the x86 platform, and standard architectures for memory, disks, and serial bus-based peripherals.

In fact, if you take the broader view, you can see that the commoditization has continuously moved up the value chain. It started with hardware, moved to operating systems, and these days even sophisticated databases and distributed system components are being commoditized. In databases, we used to have Informix, DB2, Oracle, Sybase, and others. But MySQL and PostgreSQL are open and standard, and they have completely dominated the low-end of the database market. Oracle still leads in the high-end, and is able to provide value in those more specialized environments, but as the open source products improve, the space for the proprietary vendors constricts.

In some way, cloud computing is the culmination of this commoditization process in the industry. Broadly, you can think of the revolution happening in the computing industry as a refocusing of the industry on the core functions of computing. The abstraction of the computing infrastructure into simply compute, storage, and networking components, and breaking of these out from being vertically integrated, to horizontally integrated, is truly transformative. It brings full commoditization to these elements, which are the basic foundation of the industry.

Cloud platform management will follow the same pattern. The proprietary platforms like vRealize will thrive for a time, but in the long run the open and standard systems will win. While there may always be a place for the proprietary solutions in more specialized environments, the most common platforms will be open source. You can see this already happening: the Zenoss 2014 State of the Open Source Cloud Survey (http://www.zenoss.com/resource-center/white-papers) found that 30 percent of respondents were already using an open source cloud, up 72 percent from 17.2 percent in 2012. Another 34 percent of the respondents planned to implement an open source cloud in the future. Understanding this gives you an advantage to focus on the eventual winner, instead of chasing what will ultimately be a setting star.

There are several open, standard cloud management platforms. So even if you believe that the bet on open and standard is the way to go, why should you bet on OpenStack? The answer here is simple—momentum. OpenStack is by far the most widely used and supported open source cloud management platform, and it has the largest community of developers and vendors pushing it forward. The same survey mentioned above found that 69 percent of respondents with an open source cloud were using OpenStack in 2014, up from 51 percent in 2012. An amazing 86 percent of those considering an open source cloud deployment are looking at OpenStack.

The OpenStack developer and user communities have grown dramatically as well. The OpenStack Foundation 2014 Annual Report (https://www.openstack.org/assets/reports/osf-annual-report-2014.pdf) provides detailed insight into this growth. In 2013, the best quarter for mean monthly active developers had 391 developers—in 2014 this measure was up 45 percent to 569 developers. Large investments from HP, Cisco, Red Hat, IBM, Dell, Mirantis, Rackspace, and many other vendors have driven this surge. The incredible growth in the number of users, developers, and other interested parties can be seen from the attendance at the twice annual OpenStack Summits, seen in Figure 1.4 (source: openstack.org).

Figure 1.4

Clearly OpenStack has the momentum to succeed.

UNDERSTANDING THE ARCHITECTURE

OpenStack is built on a loosely coupled architecture. Each component is built independently and runs its own services. These services may be distributed among a number of different machines with different responsibilities. This enables scaling of particular functions, by adding machines with particular roles. It also enables redundancy; a highly available deployment will contain several of each type of machine.

Software Architecture

Individual components interact with one another via well-defined application programming interfaces (APIs)—typically based on representational state transfer (REST) conventions, though in some cases using remote procedure calls (RPC) or notifications over a message bus. Typically, these services will maintain data in a relational database—usually MySQL or PostgreSQL. The message bus and database are shared across services, but the interactions between those services remain clearly delineated. This enables different services to grow and change independently from the others, so long as they provide backward-compatibility in the APIs.

Each of the major services—compute (Nova), networking (Neutron), block storage (Cinder), etc.—have several internal processes and components. Generally, they will each have an API service that provides an HTTP-based RESTful API. This API service will communicate with the other components via the message bus.

The Horizon service is a web-based UI that interacts with the various services. Similarly, there are command-line tools to interact with each service. These tools are optional; you can build your own interface directly to the service APIs if you wish. Horizon and the official CLI clients do not have any special access; everyone uses the same APIs. Each client really only needs to be informed of the location of Keystone, the identity service. This service contains a catalog of all services and API endpoints available in the OpenStack platform (see Figure 1.5).

Figure 1.5

In Figure 1.5, what you see is a simplified depiction of how the services interact. Each service has an API component, which communicates with Keystone's API via HTTPS to provide authentication and authorization information. Each API service uses the message bus to communicate with several other processes for that service (just called "Services" in the diagram). As needed, these downstream service processes will call the APIs of other services. For example, Nova will call the Neutron API to acquire a port on a particular network.
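The "clients only need to know where Keystone is" point is easiest to see in code. The following is an added example written for this edit, not code from the book or from the OpenStack client libraries: it builds the body of a project-scoped Keystone v3 password authentication request, and then resolves service URLs from the service catalog that comes back with the token. The catalog here is a constructed sample shaped like the token.catalog array of a v3 token response; the hostnames, ports, region name and credentials are placeholders, and nothing is sent over the network.

```python
"""Keystone v3 auth request body and service-catalog lookup.

Added example, not from the book. SAMPLE_TOKEN_RESPONSE is a constructed
sample in the shape of a v3 token response; hosts, ports, region and
credentials are placeholders."""
import json

SAMPLE_TOKEN_RESPONSE = {
    "token": {
        "expires_at": "2015-10-01T12:00:00.000000Z",          # constructed
        "project": {"id": "proj-placeholder", "name": "demo"},  # constructed
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://keystone.example.test:5000/v3"},
                {"interface": "admin", "region": "RegionOne",
                 "url": "https://keystone.example.test:35357/v3"},
            ]},
            {"type": "compute", "name": "nova", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://nova.example.test:8774/v2.1"},
                {"interface": "internal", "region": "RegionOne",
                 "url": "http://10.0.0.10:8774/v2.1"},
            ]},
            {"type": "network", "name": "neutron", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "https://neutron.example.test:9696"},
            ]},
        ],
    }
}


def password_auth_body(username, password, user_domain, project, project_domain):
    """JSON body for POST /v3/auth/tokens: password method, project scope.

    Scoping to a project is what makes the returned token usable against
    the other services; an unscoped token only proves who you are.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"name": username,
                                      "domain": {"name": user_domain},
                                      "password": password}},
            },
            "scope": {"project": {"name": project,
                                  "domain": {"name": project_domain}}},
        }
    }


def catalog_from_token_response(response):
    """Pull the catalog out of a token response (empty list if unscoped)."""
    return response.get("token", {}).get("catalog", [])


def find_endpoint(catalog, service_type, interface="public", region=None):
    """URL for a service type on a given interface (and region), else None.

    A client hard-codes nothing but Keystone's address; every other URL is
    learned from the catalog, so the operator can move or replace a backend
    without touching the client.
    """
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region is not None and ep.get("region") != region:
                continue
            return ep.get("url")
    return None


def service_types(catalog):
    """Sorted list of service types this cloud advertises."""
    return sorted(s["type"] for s in catalog if "type" in s)


if __name__ == "__main__":
    body = password_auth_body("demo", "placeholder-password",
                              "Default", "demo", "Default")
    print(json.dumps(body, indent=2))
    catalog = catalog_from_token_response(SAMPLE_TOKEN_RESPONSE)
    print(service_types(catalog))
    print(find_endpoint(catalog, "compute"))
    print(find_endpoint(catalog, "compute", interface="internal"))
```

Keystone v3 distinguishes three endpoint interfaces: "public" for callers outside the cloud, "internal" for traffic that stays on the management network (the chapter's Nova-to-Neutron call would use it), and "admin" for administrative operations. A client that asks for the wrong interface gets None here rather than silently falling back to a different network, which is the behaviour you want when the internal and public networks are meant to be segregated.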

Deployment Architecture

How are all of these different pieces of software deployed on the hardware? This is actually pretty flexible. For development or just experimentation, you can even run everything on a single machine. However, a more typical deployment will have several controller nodes (for high availability purposes), along with additional network, compute, and controller nodes.

Each high-level service (compute, networking, storage, and others) consists of multiple daemons (background processes). These daemons are spread out across the various types of nodes. That is, you do not run individual services on individual nodes, but rather spread each service out across different types of nodes.

For example, all of the services share the database and messaging components (typically MySQL and RabbitMQ, respectively). You may run these each on separate clusters, with each cluster spread over different failure domains. Additionally, you may have several physical nodes that provide the API endpoints, behind a physical load balancer. Different daemons for Nova and Neutron will be spread across the network and compute nodes. Figure 1.6 shows a simplified diagram of this layout.

Figure 1.6

Notice the different types of nodes in Figure 1.6. Compute nodes run the hypervisor and therefore the actual VM instances, as well as provide the ephemeral storage for instances. They will also run Neutron networking agents to manage the connectivity between VMs (called east-west traffic).

The network nodes usually provide the connectivity between VMs and outside the cloud (called north-south traffic), as well as the advanced network services like load balancing and VPN access. Depending on the choices made by the administrators and users, there may be agents providing network routing services on the network nodes, directly on the compute nodes, or both.

The block storage nodes provide volume services to the instances—that is, they provide access to persistent storage for disk volumes that can be attached to and detached from instances. Clouds that offer object storage will also have separate clusters for that. Object storage provides shared, replicated, redundant storage for images, files, and other media accessible via HTTP.

Various segregated networks connect all of these nodes. Every node is accessible via the management network, which is used for different parts of OpenStack to communicate with one another. All of the message bus, database, and cross-project API traffic goes over the management network. The data network connects all of the compute nodes, network nodes, and block storage nodes. The internal cloud tenant traffic is carried on this network, whereas the external network provides access to the outside world. Since the compute nodes do not communicate with the outside world, but only with other nodes in the cloud infrastructure, they need not have connectivity to the external network, but only need access to the data network. Only the network nodes need to connect to the external network. Finally, some installations will use an API network, which provides access between the outside world and the OpenStack endpoints (API and Horizon), separate from the external network used by tenants.

Pros and Cons

This architecture provides a great deal of flexibility. This enables the scalability by letting the cloud operator deploy additional nodes to scale the infrastructure. It also allows the ability to create highly available services, since you can split each service out and make them redundant across failure domains. However, it is very complex, and can be quite difficult to set up and maintain.

As a user of the cloud, this will be transparent to you. But a properly run cloud will have enough redundancy built in that you can expect a high level of reliability from the OpenStack infrastructure.

Another substantial benefit to this architecture is avoiding vendor lock-in. Each service provides a plugin or driver-based architecture. This enables each service to work with any number of vendor platforms to provide the actual service. For compute, you can use the default KVM hypervisor, ESXi, Xen, or one of many other hypervisor choices. The networking service defaults to using Open vSwitch to provide Layer 2 (the data link or MAC address layer) connectivity, and the Linux networking stack (iptables, routing, and namespaces) to implement Layer 3 (IP layer) functionality. However, there are more than 20 different vendor plugins to swap all or part of that default implementation. In fact, these vendor implementations can be used at the same time, in the same cloud.

By avoiding vendor lock-in, OpenStack enables more competition between the vendors, pushing down prices in the market. The ability to use multiple vendors at once makes transitioning from one vendor to another more feasible, and also allows the choice of vendor for solving specific use cases.

An interesting feature introduced with the Kilo release of OpenStack is federated identity. This takes the distributed nature of OpenStack and allows it to span across multiple clouds, even from different providers. Two cloud providers can set up a trust relationship, enabling users of one provider to use the same credentials with another, trusted provider. Thus the same workload management tools you use for a single cloud can theoretically be used to manage workloads across multiple clouds. For capacity burst use cases, this is a powerful feature.

OpenStack Distributions

With the complexity of the architecture, a number of companies have stepped in to help with installation and management of an OpenStack platform in a private cloud. These include names familiar from the Linux distribution world, such as Red Hat, SUSE, and Canonical (Ubuntu), as well as new players that are focused only on OpenStack, such as Mirantis.

INDUSTRY CONSOLIDATION

In fact the OpenStack industry has seen a great deal of consolidation in 2014 and 2015. Several pure-play OpenStack companies have been gobbled up by the bigger players.

Many large integrators and enterprise software vendors are also jumping into the OpenStack distribution game, with the likes of IBM, HP, and Oracle joining the fray.

If you don't have an OpenStack cloud available already, or you want to learn more about the architecture and how all of the pieces fit together, you can set up your own OpenStack playground. You can use one of these distributions to set up your own small cloud. Each of the distribution vendors provides their own tools for setup of OpenStack. They are primarily targeted at production environments, and as such can be pretty hard to get started with on your own. For example, Canonical's offering requires a minimum of seven physical nodes just to bring up the environment.

If you are setting something up small, your best option is probably Red Hat's open source distribution (as opposed to their supported version running on Red Hat Enterprise Linux), called RDO (www.rdoproject.org). The nice thing about this distribution is that it offers a simple "all in one" option to deploy the entire environment on a single node.

If you would like to tinker with the actual code of the various OpenStack services, you could also set up a devstack environment. Devstack (www.devstack.org) is a powerful set of scripts to create and configure an OpenStack development environment.

While the detailed instructions online are quite good, here are a few hints to make your devstack setup go smoothly. You'll want a fresh Ubuntu (http://www.ubuntu.com) or Fedora (www.fedoraproject.org) installation. Don't try to run devstack on your regular machine—you'll want a dedicated machine (virtual or physical). If you have a virtualization product like VMware Workstation or Fusion, or the free VirtualBox for your laptop or desktop, the best thing to do is create a base server installation of your OS of choice (enabling all of the extra repositories), and then snapshot it. This will make it easy to start over if you trash your environment.

The instructions will have you create a local.conf file, which the devstack scripts use to capture all of the specifics of your installation. There are only a few items you need to set in your local.conf.

[[local|localrc]]
ADMIN_PASSWORD=stack
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
SERVICE_TOKEN=some-random-string
FIXED_RANGE=10.0.0.0/24
FLOATING_RANGE=192.168.20.0/25
PUBLIC_NETWORK_GATEWAY=192.168.20.1
LOGFILE=/opt/stack/logs/stack.log
disable_service n-net
enable_service neutron q-svc q-agt q-dhcp q-l3 q-meta

The first section here sets up the networking. You should pick a FIXED_RANGE that does not overlap your existing network. Your FLOATING_RANGE can correspond to an existing unused subnet on your network, with the PUBLIC_NETWORK_GATEWAY being the local default gateway on your subnet.

The LOGFILE setting simply helps you debug if your devstack does not come up properly, whereas the remainder of the file disables Nova networking and enables Neutron networking.

You will need access to either devstack or another OpenStack instance to follow the examples throughout this book.

GETTING THE OPENSTACK CLI CLIENTS

To follow along with the examples, you'll need access to a machine with the OpenStack clients installed. You can learn how to install the clients at http://docs.openstack.org/cli-reference/content/, which will include instructions for a variety of operating systems. The examples in this book will use Linux.

The easiest way to use these clients is to set the necessary authentication information in environment variables:

$ export OS_USERNAME=username OS_PASSWORD=password OS_TENANT_NAME=tenant-name
$ export OS_AUTH_URL=http://keystone-ip:keystone-port/v2.0

This allows you to call the clients without passing those parameters:

$ openstack flavor list
+----+-----------+-------+------+-----------+-------+-----------+
| ID | Name      |   RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-------+------+-----------+-------+-----------+
| 1  | m1.tiny   |   512 |    1 |         0 |     1 | True      |
| 2  | m1.small  |  2048 |   20 |         0 |     1 | True      |
| 3  | m1.medium |  4096 |   40 |         0 |     2 | True      |
| 4  | m1.large  |  8192 |   80 |         0 |     4 | True      |
| 42 | m1.nano   |    64 |    0 |         0 |     1 | True      |
| 5  | m1.xlarge | 16384 |  160 |         0 |     8 | True      |
| 84 | m1.micro  |   128 |    0 |         0 |     1 | True      |
+----+-----------+-------+------+-----------+-------+-----------+

If your service endpoints are using HTTPS, you'll need to change the OS_AUTH_URL to reflect that. If you are using self-signed certificates, you also need to pass in the --insecure option.

SUMMARY

In this chapter, you have learned about the various types of cloud computing—IaaS, PaaS, and SaaS—and how they relate to one another. OpenStack fills the IaaS, and perhaps in the future the PaaS functions, in the clouds. More importantly, you learned that driving costs lower while delivering more features, more quickly, is the driving force behind the cloud computing revolution. Finally, you learned about the major components of OpenStack—Nova, Neutron, Glance, and Keystone—and how to set up a playground for experimenting with OpenStack.

2 Understanding the OpenStack Ecosystem: Core Projects

WHAT'S IN THIS CHAPTER?

How the different OpenStack components work together and how authentication works within the infrastructure

A look at how a compute instance is composed and the different hypervisors supported in OpenStack

How data is stored in the infrastructure and understanding the differences between Block Storage and Object Storage

How instance templates and snapshots are created and where they are stored

The different ways to manage your OpenStack resources: GUI versus CLI versus APIs

How the network is designed in OpenStack and the different network components available and exposed through the APIs

At this point, you have an understanding of why cloud computing is important to application developers, and a general overview of OpenStack. In this chapter, you will learn the core services in more detail. These are the services most critical to running an application—compute, network, and storage. You will also learn about the management services to make those possible, such as the identity service, which allows you to authenticate in order to create your applications.

Sometimes, it may seem that the descriptions in this chapter go into more detail than you need to run an application. However, you can think of these features as tools and building blocks. You need to have a solid understanding of what is possible, so you can see new ways to build flexible, scalable, and robust applications (see Figure 2.1).

Figure 2.1

IDENTITY

The identity service within OpenStack, named Keystone, is responsible for authentication, authorization and accounting (AAA) and currently implements and provides the OpenStack Identity API.

The main goal of this identity service is to process and validate authentication and authorization requests, then return an "authentication token," which is used to authenticate the user against the APIs and can be used to contact the other services of an OpenStack infrastructure. These services can be discovered using the catalog returned in the authentication response (detailed later in this chapter).

Keystone currently implements two versions of the Identity API (v2, v3). The second version has been used for years and is still mainly used today in the different libraries and clients supporting OpenStack. The third version is quite recent and provides a more pluggable and flexible design, allowing the use of multiple authentication mechanisms (the original "password" method, but moreover well-known and widely used mechanisms, such as OAuth or SAML2), and the ability to combine these methods in a single request.

This last Identity API has a multi-tenant design and has simple resources:

Region: an OpenStack infrastructure that optionally may have sub-regions

Service with Endpoints: an OpenStack registered service in Keystone that can have zero, one, or multiple endpoints to reach this one (e.g. public, internal, admin)

Domain: a container for the users, groups, and projects

Project (known as "Tenant" in the second version of the API): owning a set of OpenStack resources

User: a single API consumer, which should have really restricted authorizations in your application

Group: a collection of different users of the same domain

Role: an authorization that a user or a group of users can obtain on a project or a domain

All of these resources can be managed using the Identity Admin API, which is available as a create, read, update, and delete (CRUD) RESTful API.

Using Tokens and Re-Authentication

The authentication against the different OpenStack services is based on tokens provided by the identity service (Keystone) or configured in the service itself (e.g. admin tokens).

A token provided by an identity service is an arbitrary string that contains the User identity and optionally an authorization called scope. The authorization attached to this token grants access to a Project or a Domain, allowing you to access Project or Domain-related resources.

You can easily create a token using the Identity API with the method POST /auth/tokens with a user identity and the wanted scope:

{
    "auth": {
        "identity": {...},
        "scope": {...}
    }
}

Token Identities

When requesting a new token, the identity parameter will contain the used authentication mechanisms. Here is an example using password. The unique identifier of the user is used here; however, it is possible to use the username if the domain is explicitly specified.

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "042042",
                    "password": "secret-password"
                }
            }
        }
    }
}

Scoped and Non-Scoped Tokens

If specified in the request, the authorization scope must contain the project identifier or the domain identifier.

{
    "auth": {
        "scope": {
            "project": {
                "id": "123456"
            }
        }
    }
}

If a scope has been provided in the token creation request, the Identity API will return a catalog containing the different OpenStack services that can be used by the user with the token and the roles granted to this user.

X-Subject-Token: ff00ff84

{
    "token": {
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "c3ac301342a381b895743659d0956de1",
                        "interface": "public",
                        "region": "RegionOne",
                        "url": "http://my.identity.service:5000"
                    }
                ],
                "id": "9192d6fb0f120a188133cb569b8db832",
                "type": "identity",
                "name": "keystone"
            }
        ],
        "expires_at": "2015-07-14T13:37:00.000000Z",
        "issued_at": "2015-07-15T13:37:00.000000Z",
        "methods": [
            "password"
        ],
        "user": {
            "id": "042042"
        }
    }
}

If no scope is specified in the token creation request, the Identity API will return a non-scoped token that can be used to identify the user in a subsequent Identity API request. One example would be to create a scoped token using the token authentication mechanism.

A scoped token can be re-scoped using the token authentication mechanism with a smaller scope. For example, this is extremely useful to provide a limited authorized token to an application sub-component or another API client that doesn't need the full authorization of the original token to operate.

Using an Authentication Token

The obtained authentication tokens can be passed in all of the HTTP requests against the different REST APIs as an X-Auth-Token HTTP header. These tokens will be checked by the requested OpenStack service to ensure their validity (i.e. expiration, revocation, etc.) and whether the authorization of this token allows access to the requested resource, with the policy of the service applied to the user role.
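The request bodies and reply shown above, exercised end to end as an added example (not code from the book or from Keystone): it builds a scoped password request and a re-scoping request, checks expires_at, resolves an endpoint from the catalog and forms the X-Auth-Token header. The Keystone reply is constructed, with a second object-store catalog entry and the host swift.example.com added for illustration.

```python
"""Build a Keystone v3 token request and consume the scoped response.

Added example, not code from the book or from Keystone: the HTTP exchange is
replaced by a constructed reply so the client logic runs offline.
"""
import json
from datetime import datetime, timezone


def password_auth_request(user_id, password, project_id=None):
    """Body for POST /auth/tokens with the password method.

    Without project_id the request is unscoped: the reply then carries no
    catalog and is only good for identifying the user to Keystone again.
    """
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"id": user_id, "password": password}}}}}
    if project_id is not None:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    return body


def rescope_request(token, project_id):
    """Re-scope an existing token with the 'token' method (narrower scope)."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token}},
                     "scope": {"project": {"id": project_id}}}}


def find_endpoint(token_body, service_type, interface="public", region=None):
    """Pick a service URL out of the catalog by type, interface and region."""
    for service in token_body["token"].get("catalog", []):
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region"]):
                return ep["url"]
    raise LookupError("no %s endpoint for %s" % (interface, service_type))


def _parse_ts(ts):
    """Keystone timestamps look like 2015-07-15T13:37:00.000000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_is_valid(token_body, now_iso):
    """Usable strictly before expires_at; services additionally check revocation."""
    return _parse_ts(now_iso) < _parse_ts(token_body["token"]["expires_at"])


def auth_headers(subject_token):
    """Headers sent with every request to the other OpenStack REST APIs."""
    return {"X-Auth-Token": subject_token, "Content-Type": "application/json"}


# Constructed Keystone reply: the X-Subject-Token header plus a JSON body in
# the shape shown above, extended with a second (object-store) catalog entry.
SAMPLE_HEADERS = {"X-Subject-Token": "ff00ff84"}
SAMPLE_BODY = json.loads("""{
  "token": {
    "catalog": [
      {"endpoints": [{"id": "c3ac301342a381b895743659d0956de1",
                      "interface": "public", "region": "RegionOne",
                      "url": "http://my.identity.service:5000"}],
       "id": "9192d6fb0f120a188133cb569b8db832",
       "type": "identity", "name": "keystone"},
      {"endpoints": [{"id": "ep-public-constructed", "interface": "public",
                      "region": "RegionOne",
                      "url": "http://swift.example.com/v1/AUTH_123456"},
                     {"id": "ep-internal-constructed", "interface": "internal",
                      "region": "RegionOne",
                      "url": "http://10.0.0.5:8080/v1/AUTH_123456"}],
       "id": "svc-constructed", "type": "object-store", "name": "swift"}
    ],
    "expires_at": "2015-07-15T14:37:00.000000Z",
    "issued_at": "2015-07-15T13:37:00.000000Z",
    "methods": ["password"],
    "user": {"id": "042042"}
  }
}""")


def demo(now_iso="2015-07-15T14:00:00.000000Z"):
    """Client flow: check expiry, read the header, resolve Swift's endpoint."""
    if not token_is_valid(SAMPLE_BODY, now_iso):
        raise RuntimeError("token expired; authenticate again")
    token = SAMPLE_HEADERS["X-Subject-Token"]
    swift_url = find_endpoint(SAMPLE_BODY, "object-store", region="RegionOne")
    return token, swift_url, auth_headers(token)


if __name__ == "__main__":
    print(json.dumps(password_auth_request("042042", "secret-password", "123456"), indent=2))
    print(demo())
```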

How Various Pieces of OpenStack Communicate with Each Other

OpenStack has a modular architecture where all of the different components are separate services that communicate together using standardized REST APIs (see Figure 2.2). This principle is fundamental and required in the OpenStack project life because different teams led by different people are developing each component. All of the OpenStack components' features and updates start with an API design discussion. All of these APIs should be simple, standard, re-usable and re-implementable by any developer who would want to use them and have custom services that would implement the API open specifications. Moreover, these standard REST APIs have features that use a messaging queue to internally process the different actions and events.

Figure 2.2

The requests processed between the different OpenStack services are authenticated with the tokens of the original request (see the earlier section about authentication token generation) and the authorization of these requests between the OpenStack services is checked as a direct request to the end service.

For example, when a user creates a snapshot of a compute instance, the compute service processes a request against the image service to store this snapshot. When creating this request, the original authentication token is passed in the REST API request between the two services. If this image service uses the object storage service as a storage backend, an authenticated request is generated between these two services using the original authentication token (see Figure 2.2).

Can Applications Use Keystone?

When creating an application that uses OpenStack, the usage of Keystone is required to ensure appropriate authorizations and structure of the different services or parts of the application.

Let's take the example of an application that would have documents (e.g. pictures) uploaded by a guest user. So, we need a service to convert or resize these pictures. We also need to store the pictures (that we call objects) using an OpenStack object storage service. We then need to automatically provision and manage the instances using the compute service. We'll have two different roles or projects and two different users because we don't want the publicly accessible application to manage our instances, for security reasons.

DEMO APPLICATION SOURCE CODE

You can access the source code from our demo application via GitHub: https://github.com/johnbelamaric/openstack-appdev-book.

COMPUTE

The Compute project in OpenStack, named Nova, includes all of the APIs and tools to provision and manage the instances (the virtual machines provisioned on physical compute nodes) across multiple physical hosts at scale. This project provides an abstraction of the configuration of the main hypervisors used in the world, allowing you to easily provision virtual machines with a standard API, independent of a specific hypervisor technology.

In this part, you'll discover the different pieces that compose an instance on OpenStack, how the instance models are managed (called flavors), how the instances are scheduled in a compute infrastructure and the main hypervisors supported by the project (see Figure 2.3).

Figure 2.3

Pieces of an Instance

In OpenStack, an instance has the traditional components of a virtualized server provided by a hypervisor. These characteristics are defined by the flavors in the compute service:

One or multiple allocated dedicated or virtual CPUs (vCPUs)

Some allocated memory (RAM)

A root disk that can be any device attached to the host server (virtual or not virtual, local, remote, or distributed)

The instances usually have one or multiple networks configured. These networks can be configured using the network service (Neutron), and the network devices can be provisioned by the Nova service in the host using the Network API and configured in the instance by the hypervisor.

The instances can have persistent block storage attached to them (i.e. a virtual hard drive in the instance), which can be provisioned and managed using the volume service and attached by the hypervisor to the instance.

The console (screen) of an instance can be viewed using the VNC service in Nova, which can be compared to a physical keyboard, video and mouse (KVM) switch for a physical server. KVM was traditionally used to share these devices with multiple computers (https://en.wikipedia.org/wiki/KVM_switch). Today the same term is used to describe the virtual access to these inputs/outputs of an OpenStack instance. This Nova service is presented as a good way to abstract the way to access all of the graphical interfaces and consoles of all the instances, regardless of the virtualization technology used and the instances' operating systems. There are different protocols to access an instance's interface and Nova provides a unified and transparent way to access them. For example, this service can also proxy RDP (Remote Desktop Protocol) for the instances that run Microsoft Windows.

Understanding Flavors

A flavor in OpenStack represents a model of an instance: a set of allocated resources for a virtual machine and its specificities. In public cloud services where host servers are shared across multiple projects or tenants (customers), the flavors can be compared to commercial offers, where the billed resources are calculated using the total time the instances of a specific flavor run during a month. This information is calculated using the OpenStack Telemetry Service (Ceilometer, see section 3.6).

A compute flavor contains some of the following resource details:

The name or a unique identifier

The amount of cores (vCPUs) and the weight if they are shared with multiple instances

The memory (RAM) and the swap size

The root disk and ephemeral disk space

A flavor may contain extra specifications that are useful to make decisions during the scheduling of an instance in a compute infrastructure, and to allocate the required resource to run the instance (e.g. processor architecture, over-provisioning, PCI devices required, etc.). The flavors may be public or linked to some specific OpenStack projects. Since we can associate this to a commercial offer or a compute instance model, a specific model (or compute instance) can be limited to a single project or can be public and used by any project in an OpenStack infrastructure. For example, when you launch a new processor model for customers in a public cloud, you could create dedicated flavors to allow them to use these new physical server models to create new instances.

Scheduling Filters

When an instance is provisioned on an OpenStack compute infrastructure, one task of Nova, and especially of its scheduler, is to choose the compute node (physical host) where the instance will be created or moved. You can find an overview of the scheduler operations (Filtering and Weighting) in Figure 2.4.

Figure 2.4

Filtering

This task is processed using a simple concept: the compute scheduler takes a set of nodes available to use and applies a set of filters to this list to eliminate the ones that don't match the different criteria of the required configuration (refer to Figure 2.4).

Here are some examples of scheduling filters:

Skip the hosts that are full (no CPU, memory or disk available)

Match only a host that has the exact amount of resources available

Use the same host as another instance

Use a physical host where some specific PCI devices are available

The physical hosts can be added in aggregation groups that are usually used to match one or multiple specific flavors or projects using a scheduling filter. Here are two common use cases of this feature:

An aggregation group can be created for a customer with some dedicated hosts and hardware. Using extra specifications in a dedicated flavor (private for a domain, a project, or multiple projects), when the user creates an instance using this specific flavor the scheduler will filter only the hosts contained in this specific aggregation group.

Some hosts with specific hardware (e.g. SSD hard drives, specific CPU architecture, etc.) or allocation rules (e.g. dedicated resources, over-provisioned resources) can be set in an aggregation group and the matching flavors created. Here the hosts may be shared with all of the projects (customers) of the compute infrastructure and the flavor will act as a public commercial offer where the hosts are shared with some specifics.

Weights

Once the hosts are filtered, the scheduler applies some weights on each resource of the host or instance to determine the best host to choose to allocate and install the instance. For example, we could add a higher weight to fill an almost full physical server with an instance that exactly matches the remaining amount of reserved and allocable resources, or conversely set a higher weight to the less-used servers and get the one that is currently the least loaded.
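A simplified model of the filter-then-weigh pass described in this section, added here as an example and not Nova's own code: the host records, the flavor and the aggregate metadata are constructed, and the filter and weigher names only echo the Nova concepts they illustrate (a disabled-host filter, a capacity filter, an aggregate extra_specs filter and a RAM weigher whose multiplier sign switches between spreading and stacking).

```python
"""Toy model of the Nova scheduler's filter-then-weigh pass.

Added example, not Nova's code: hosts, flavor and aggregate metadata are
constructed; filter and weigher names are illustrative.
"""

# Constructed host states: free resources plus the aggregate metadata a host
# inherits from the host aggregates it belongs to.
HOSTS = [
    {"name": "cn-01", "free_vcpus": 8, "free_ram_mb": 16384, "free_disk_gb": 400,
     "aggregate_metadata": {"ssd": "true"}},
    {"name": "cn-02", "free_vcpus": 4, "free_ram_mb": 6144, "free_disk_gb": 100,
     "aggregate_metadata": {"ssd": "true"}},
    {"name": "cn-03", "free_vcpus": 16, "free_ram_mb": 65536, "free_disk_gb": 2000,
     "aggregate_metadata": {}},            # spinning disks only
    {"name": "cn-04", "free_vcpus": 4, "free_ram_mb": 8192, "free_disk_gb": 300,
     "aggregate_metadata": {"ssd": "true"}, "disabled": True},
]

# Constructed flavor: resources plus extra_specs that must match aggregate metadata.
FLAVOR = {"name": "m1.medium.ssd", "vcpus": 2, "ram_mb": 4096, "disk_gb": 40,
          "extra_specs": {"ssd": "true"}}


def compute_filter(host, flavor):
    """Drop hosts an operator has disabled (nova-compute down or in maintenance)."""
    return not host.get("disabled", False)


def core_ram_disk_filter(host, flavor):
    """Skip hosts that are full: every requested resource must still fit."""
    return (host["free_vcpus"] >= flavor["vcpus"]
            and host["free_ram_mb"] >= flavor["ram_mb"]
            and host["free_disk_gb"] >= flavor["disk_gb"])


def aggregate_extra_specs_filter(host, flavor):
    """Keep only hosts whose aggregate metadata carries every flavor extra_spec."""
    meta = host["aggregate_metadata"]
    return all(meta.get(k) == v for k, v in flavor["extra_specs"].items())


def ram_weigher(host, flavor):
    """Free RAM left after placement; a positive multiplier spreads instances
    across hosts, a negative one stacks them onto the fullest host that fits."""
    return host["free_ram_mb"] - flavor["ram_mb"]


def schedule(hosts, flavor, filters, weighers, multipliers):
    """Apply every filter, then rank survivors by the weighted sum of weighers.

    Returns (chosen_host_name, ranked_names), or (None, []) when nothing
    passes, which is the case Nova reports as 'No valid host was found'.
    """
    survivors = [h for h in hosts if all(f(h, flavor) for f in filters)]
    if not survivors:
        return None, []
    scored = []
    for w in weighers:
        raw = [w(h, flavor) for h in survivors]
        lo, hi = min(raw), max(raw)
        # Normalise each weigher to 0..1 so multipliers stay comparable.
        norm = [(r - lo) / (hi - lo) if hi > lo else 0.0 for r in raw]
        scored.append([n * multipliers[w.__name__] for n in norm])
    totals = [sum(col) for col in zip(*scored)]
    ranked = sorted(zip(totals, survivors), key=lambda t: -t[0])
    return ranked[0][1]["name"], [h["name"] for _, h in ranked]


FILTERS = [compute_filter, core_ram_disk_filter, aggregate_extra_specs_filter]


def place_spreading():
    """Positive RAM multiplier: prefer the emptiest SSD host."""
    return schedule(HOSTS, FLAVOR, FILTERS, [ram_weigher], {"ram_weigher": 1.0})


def place_stacking():
    """Negative RAM multiplier: pack onto the fullest SSD host that still fits."""
    return schedule(HOSTS, FLAVOR, FILTERS, [ram_weigher], {"ram_weigher": -1.0})


if __name__ == "__main__":
    # cn-03 lacks the ssd aggregate, cn-04 is disabled: only cn-01 and cn-02 remain.
    print(place_spreading())
    print(place_stacking())
```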

Types of Hypervisors

The companies or contributors of hypervisor products or projects are usually the main contributors of compute virtualization drivers. It is easy to add a custom driver that implements one part or all of the features abstracted by the compute service, which is available via the compute API.

Libvirt

libvirt in Linux is an abstraction library to access and manage the virtual machines and containers in a Linux server and their network and storage configuration. It supports multiple technologies: KVM/QEMU, Xen, VirtualBox, VMware ESX, Hyper-V, OpenVZ, LXC, etc.

This is the default driver used by OpenStack and the most popular one for the kernel-based virtual machine/quick emulator (KVM/QEMU) virtualization. One of the pro arguments is managing the virtual machines regardless of the virtualization technology. But using libvirt and its OpenStack driver has some weaknesses, especially given how it is mainly designed for KVM/QEMU, and some features provided by other virtualization technologies might be hidden by this abstraction layer. Fortunately, other virtualization technologies are directly supported using their own Nova drivers.

VMware

Using VMware in OpenStack allows you to enjoy the advantages of both technologies: virtualization features for VMware and management/standard APIs for OpenStack.

VMware provides a great virtualization technology that provides the following:

High Availability (HA); the ability to automatically reboot an instance on fully working hardware when an issue is detected by the hypervisor. In the marketed world of VMware, the "HA" is more branded as "fault tolerance."

Fault tolerance (the live migration without restart of an instance on a working host when a host is down).

Distributed Resource Scheduler (DRS), the smart dispatching of the running instances depending on the resource usage in real time.

For storage you can directly use the VMware datastore technology in Cinder and Glance, allowing you to manage all of your blocks using the standard block storage APIs.

STORAGE

The concept of object storage (named Swift in OpenStack) can be quite complicated to understand for an application developer when you are using a local file system to store all of the static media (e.g. images, videos, music, etc.) and documents created and used by your application. But this is often one of the main steps to horizontally scale an application that uses these media.

Good examples are the traditional content management systems (CMS) and blog engines that by default store locally all of the media uploaded using the web application. This transition to an object storage infrastructure for any application is not always easy to realize since the code often needs to be partially rewritten to support this new storage system. It needs to be rewritten because an application needs to change the way it accesses files (objects); for instance, accessing local files on a hard drive is not the same as accessing objects using a REST API.

There are advantages to switching to object storage:

You don't have to worry about the total space size; this is the job of the infrastructure provider, and an object storage service like Swift easily scales horizontally.

You can split objects into multiple small blocks and the size of an object can almost be unlimited.

You can store an unlimited number of objects in a single container or bucket of objects.

The replication of the objects is done at the infrastructure level; it can even be done across multiple infrastructure regions.

Here are some potential blocking design and implementation points when you want to switch an application using a local file system to an object storage service:

You can access your objects only using HTTP(S), but this can be great when the clients of your application are already using the HTTP protocol: you can provide access to an object without having to download it in your application server.

Object storage is not a file system and should not be used like one. One of the worst examples is to try to match an existing file system hierarchy when developing an application using object storage. In many use cases, the hierarchy logic should be on the application side and the object storage should only contain the object data (blobs). The best example of this bad usage is renaming (moving) objects in OpenStack Swift. Since the dispatching of the objects across the storage infrastructure is based on a hash of the object name, the object will be copied between two servers and deleted from the source server. Moreover, renaming a virtual directory (in fact an object with a MIME type specific to a directory) means renaming each object of the directory.

Introducing OpenStack Swift

The Swift service (OpenStack's object storage) provides all of the OpenStack projects with an HTTP REST API, allowing the processing of all the common operations on a stored object using the standard HTTP design and features to manage the resources (see Figure 2.5).

Figure 2.5

This project is horizontally scalable, distributed and highly available by design, with different main components:

Swift proxy server: this service dispatches the HTTP requests accessing the different objects to all the backend nodes. This component can be easily scaled since the positions of an object in an infrastructure are determined by hashing its name and finding its position using a ring algorithm.

Swift account server: this service is responsible for storing the listing of the containers in the different existing accounts.

Swift container server: this is similar to the account server, but responsible for listing the objects in a container.

Swift object server: this is a storage backend installable on a physical host that provides an internal object storage API to manage the objects stored on the local server.

All of these components must be replicated and can be horizontally replicated to infinity (see Figure 2.6).

Figure 2.6

Eventual Consistency

OpenStack Swift is eventually consistent. For example, if a container server is under a heavy load and an object is PUT, the object will be available to GET as soon as the object is stored in different object servers, and as soon as the Swift proxy server handling the HTTP request responds to the client with success. In other words, the proxy stores the object in several object servers, and then responds to the PUT with a successful HTTP response. However, the addition of the object in the listing by the container server may be queued and delayed, and a GET request on the container may not list this new object. Another example is that by deleting an object (DELETE), an empty object is created with a more recent modification timestamp to ensure that the file can't be synchronized again if an object server replica, where the object is stored, is down. Depending upon the synchronization delay between the different object servers storing the object, this might be available for a moment after the DELETE operation.

Storing Your First Object in Swift

The first step to store an object in your Swift account is to create a container for it. Containers regroup multiple objects with the same purpose using a specific set of settings. The grant to publicly read it or list it is an example. You can easily create it using the API with curl as the HTTP client:

$ curl -I -X PUT $swift/my-container -H "X-Auth-Token: $token"
HTTP/1.1 202 Accepted
Content-Length: 76
Content-Type: text/html; charset=UTF-8
X-Trans-Id: 5B44C388:EB0D_05C4F7D0:01BB_55AEDF79_18A38C8:4451
Date: Mon, 27 Jul 2015 22:25:40 GMT
Connection: close

As mentioned earlier, the authentication is done using a token created using the identity service and specified as an X-Auth-Token HTTP header.

Once the container is created, it is now possible to store the objects inside of it. To realize this action, another PUT request can be processed against the newly stored resource path:

$ curl -I -X PUT -T $object $swift/my-container/my-object -H "X-Auth-Token: $token"
HTTP/1.1 201 Created
Last-Modified: Mon, 27 Jul 2015 22:25:43 GMT
Content-Length: 0
Etag: 168e1afe97b471eb8948a1b612283d04
Content-Type: text/html; charset=UTF-8
X-Trans-Id: 5B44C388:35C8_05C4F7D0:01BB_55B6AFE5_2125569:444C
Date: Mon, 27 Jul 2015 22:25:42 GMT
Connection: close

That's all! Your first object is stored in your OpenStack object storage service and is now privately accessible using the HTTP API:

$ curl -X GET -i $swift/my-container/my-object.json \
    -H "X-Auth-Token: $token"
HTTP/1.1 200 OK
Content-Length: 42
Accept-Ranges: bytes
Last-Modified: Mon, 27 Jul 2015 22:25:43 GMT
Etag: 168e1afe97b471eb8948a1b612283d04
X-Timestamp: 1438035942.04822
Content-Type: application/json
X-Trans-Id: 5B44C388:CCFA_05C4F7C0:01BB_55B6B352_1039A1B:637A
Date: Mon, 27 Jul 2015 22:40:18 GMT
Connection: close
[…]

All of these requests can be executed using the command line from the Python Swift Client (https://github.com/openstack/python-swiftclient). This provides a simple way to browse your accounts, containers, and objects:

# Upload an object
$ swift upload <container> <file_or_directory>
# Download an object
$ swift download <container> <object>

Temporary Swift URLs

Any request processed against the OpenStack Swift API can be pre-authenticated with a cryptographic signature. This mechanism allows the sharing of an authorization to access a single resource with a single HTTP method (e.g. POST swift/my-container/my-object) that can be used by third-party software, or a browser. This mechanism is really convenient if your application is multi-tenant and shares a single Swift account for multiple users.

Let's take the example of an application that will store some PDF bills in an object container and will return to a customer of this application a temporary link to download one of them. The application will be able to return to the browser a signed URL to only GET the object for a limited time.

The signature will be verified using a secret key set in your account.

# Set the key as account metadata "X-Account-Meta-Temp-Url-Key"
$ swift post -m "Temp-URL-Key:92cfceb39d57d914ed8b14d0e37643de0797ae56"
# Display the account information (returned as HTTP headers when
# processing a 'GET /v1/AUTH_account' request)
$ swift stat
           Account: AUTH_account
        Containers: 1
           Objects: 42
             Bytes: 4200
 Meta Temp-Url-Key: 92cfceb39d57d914ed8b14d0e37643de0797ae56
        Connection: close
       X-Timestamp: 1365615113.11739
        X-Trans-Id: 5B44C388:D669_5CDEF184:01BB_55C72581_2160:50A3
      Content-Type: text/plain; charset=utf-8
     Accept-Ranges: bytes

Here is an example of a temporary URL that contains two additional query strings: the timestamp representing the link expiration date (temp_url_expires) and the cryptographic signature itself (temp_url_sig):

/v1/AUTH_account/c/o?temp_url_sig=9da40a8a7e288027809129d03ea2e5b09be70d57&temp_url_expires=1439116248

For testing purposes and when using a terminal, you can easily create temporary links by using the swift-temp-url tool (https://github.com/openstack/swift/blob/master/bin/swift-temp-url) from the OpenStack Swift project. Here, though, is a programmatic example in Python that could be used in your application:

#!/usr/bin/env python
import hmac
from hashlib import sha1
from time import time

# Expiration timestamp for the link, here in 1 hour
expires = int(time() + 60 * 60)

# Method authorized by the signed URL
method = 'GET'

# Relative path of the object from the server origin
path = '/v1/AUTH_account/c/o'

# The 'X-Account-Meta-Temp-URL-Key' metadata of your Swift account
key = '92cfceb39d57d914ed8b14d0e37643de0797ae56'

# Signature calculation: HMAC-SHA1 over "METHOD\nEXPIRES\nPATH".
# hmac.new() requires bytes under Python 3, hence the encode() calls.
hmac_body = '%s\n%s\n%s' % (method, expires, path)
signature = hmac.new(key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()

# Format the temporary URL (path already starts with '/', so no extra slash)
u = 'https://{host}{path}?temp_url_sig={sig}&temp_url_expires={expires}'
url = u.format(
    host='swift.example.com', path=path,
    sig=signature, expires=expires
)
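The snippet above only mints a link. To see why the scheme is safe to hand to a browser, it helps to also write the check Swift performs on the other side. The following is an added example (not the book's code and not Swift's own tempurl middleware) that signs a URL and then verifies it the way the middleware does: the HMAC binds method, expiry and path together, expired links are refused, both account keys are accepted so that key rotation does not break outstanding links, and the comparison is constant-time. The host name, the two keys and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample keys (assumptions, not from a real account). Swift reads
# X-Account-Meta-Temp-URL-Key and X-Account-Meta-Temp-URL-Key-2; keeping two
# lets you rotate the key without invalidating links that are still in use.
ACCOUNT_KEYS = (
    b"92cfceb39d57d914ed8b14d0e37643de0797ae56",
    b"0123456789abcdef0123456789abcdef01234567",
)


def sign_temp_url(method, path, expires, key, digest=hashlib.sha1):
    """HMAC over "METHOD\\nEXPIRES\\nPATH", hex encoded, as Swift's tempurl expects."""
    body = "%s\n%d\n%s" % (method.upper(), expires, path)
    return hmac.new(key, body.encode("utf-8"), digest).hexdigest()


def make_temp_url(host, path, method="GET", ttl=3600, key=ACCOUNT_KEYS[0], now=None):
    """Mint a link that allows exactly one method on one object until now + ttl."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    sig = sign_temp_url(method, path, expires, key)
    return "https://%s%s?temp_url_sig=%s&temp_url_expires=%d" % (host, path, sig, expires)


def verify_temp_url(url, method, keys=ACCOUNT_KEYS, now=None):
    """Server-side check modelled on Swift's tempurl middleware; returns (ok, reason).

    The signature covers method, expiry and path, so a GET link cannot be replayed
    as a DELETE, used after it expires, or pointed at a different object."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed temp_url parameters"
    if expires <= now:
        return False, "expired"
    for key in keys:
        expected = sign_temp_url(method, parts.path, expires, key)
        # Constant-time comparison: a plain == would leak how many leading
        # hex digits of a guessed signature are correct.
        if hmac.compare_digest(expected, sig):
            return True, "ok"
    return False, "bad signature"
```

The important property for the billing application is that the customer receives a capability for one object and one method only; changing the path, the method or the expiry in the query string invalidates the signature, and the account key itself never leaves the server.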

Public Containers and Access Control Lists (ACLs)

If your application will only store public documents in a container, you can mark that container as public by using OpenStack Swift ACLs.

In a similar fashion to the temporary URL key, which is stored as account metadata, these ACLs are stored as metadata: at the container level as X-Container-Read (to allow public access or listing of the container) and X-Container-Write, or at the account level as X-Account-Access-Control, to allow other accounts of the infrastructure to access the account.

Let's focus on the container-level read ACLs. They have the format [item[,item...]] and can thus be combined. Two elements are usable for anonymous access: the referrer grant (.referrer:example.com, or .r:example.com to shorten the list) and the ability to list the container's objects (.rlistings). Keep in mind that the Referer header is supplied by the client, so a referrer-based ACL is a hotlinking deterrent, not an authentication boundary: anything readable through .r:* should be considered public.

Here is how you can allow anyone to access the public documents in your container and list them.

# Set the new ACL
$ swift post -r '.r:*,.rlistings' os-book

# List the container "os-book" metadata
$ swift stat os-book
         Account: AUTH_account
       Container: os-book
         Objects: 42
           Bytes: 0
        Read ACL: .r:*,.rlistings
       Write ACL:
         Sync To:
        Sync Key:
   Accept-Ranges: bytes
      X-Trans-Id: 5B44C388:D847_5CDEF18E:01BB_55C72C0D_155E:1586
X-Storage-Policy: Policy-0
      Connection: close
     X-Timestamp: 1439116292-30845
    Content-Type: text/plain; charset=utf-8
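The ACL string is easy to get subtly wrong (for instance forgetting that .r:* on its own opens the objects but not the listing, or that a later item overrides an earlier one). The following added example, which models the behaviour Swift documents for container read ACLs but is not the project's own code, parses an X-Container-Read value and decides whether an anonymous request would be served. The ACL strings, host names and the anonymous_request_allowed helper are constructed for the example.

```python
from urllib.parse import urlsplit


def parse_read_acl(acl):
    """Split an X-Container-Read value such as '.r:*,.rlistings,.r:-evil.example.com'
    into (referrer_rules, listings_allowed, other_grants) in the order written."""
    referrers, listings, grants = [], False, []
    for item in filter(None, (part.strip() for part in acl.split(","))):
        if item == ".rlistings":
            listings = True
        elif item.startswith(".r:") or item.startswith(".referrer:"):
            referrers.append(item.split(":", 1)[1])
        else:
            grants.append(item)   # account or account:user grants, checked by the auth system
    return referrers, listings, grants


def _host_matches(rule, host):
    # A rule starting with a dot is a suffix match (".example.com" covers any host
    # under example.com); anything else must match the host exactly.
    if rule.startswith("."):
        return host.endswith(rule)
    return rule == host


def referrer_allowed(referer_header, referrer_rules):
    """Walk the rules in order: a matching grant allows, a matching '-' rule revokes,
    and the last match wins. A missing Referer is treated as host 'unknown'."""
    host = urlsplit(referer_header or "").hostname or "unknown"
    allow = False
    for rule in referrer_rules:
        if rule.startswith("-"):
            if _host_matches(rule[1:], host):
                allow = False
        elif rule == "*" or _host_matches(rule, host):
            allow = True
    return allow


def anonymous_request_allowed(acl, referer_header, is_listing):
    """Would an unauthenticated GET be served under this container ACL?
    A listing (GET on the container itself) needs a referrer match and .rlistings;
    an object GET needs only the referrer match."""
    referrers, listings, _ = parse_read_acl(acl)
    if not referrer_allowed(referer_header, referrers):
        return False
    return listings if is_listing else True
```

Because the Referer header is chosen by the client, the negative rule in the example is trivially bypassed by anyone who sets a different header; use it to keep honest browsers from hotlinking, and use signed temporary URLs or authenticated access when the content is not actually public.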

Understanding Block Storage

Sometimes when you use an OpenStack compute instance, you need additional storage that can be mounted as a volume in the instance. This type of storage is called "block" or "block storage."

Each block device is attached to a single instance at a time and appears there as an individual volume. A volume is provisioned by the OpenStack block storage service (Cinder), which exposes a target (iSCSI, RBD and so on, depending on the driver) that the compute host connects to and presents to the instance as a disk.

Multiple storage backend drivers are available, allowing almost any storage infrastructure to sit behind a standard abstraction layer. Here are the main storage backend technologies that can be used with Cinder.

Ceph

Ceph is a distributed, scalable storage solution that replicates its data across multiple storage servers. Ceph can be used as object storage (RADOS, exposed to clients through the RADOS Gateway), block storage (RBD, the RADOS Block Device), and as a shared file system (CephFS). Ceph block devices (RBD) are resizable, thin-provisioned, store their data in RADOS, and are striped across multiple object storage daemons (OSDs).

Gluster

Gluster is a distributed, shared file system that can be used both as a block storage backend and as an object storage backend. In OpenStack, Gluster is exposed in a similar way to network file storage (NFS): volumes are files on a shared file system mounted by the compute host.

ZFS

ZFS (originally the Zettabyte File System) is a major evolution compared to the file systems that preceded it. As its name suggests, it supports an almost unlimited storage size, and it simplifies the administration and the integrity protection of file systems.

To achieve this, an extra abstraction level exists between the hard drives and the file system itself: the volume manager, which allows multiple hard drives to be virtualized as a single storage pool.

On top of this abstraction layer, ZFS provides storage pools and a really powerful snapshotting system (a snapshot is a read-only version of a file system stored on the same pool). The space used by a ZFS snapshot is only the delta between the snapshotted version and the current version of the file system (similar to an incremental backup), which allows really small backups of the whole file system.

One of the methods used to ensure the integrity of the data is checksumming in the file system. Each block of data has a checksum, and that checksum is stored in the parent block pointer rather than in the block itself, so a corrupted block cannot vouch for its own integrity. Another method is copy on write, which limits the possibility of leaving the file system inconsistent when writing data.

ZFS provides scrub, which replaces the traditional fsck (file system check) to verify the integrity of the data. It has multiple advantages, for example the ability to run without having to unmount the file system, and it checks both the metadata and the data, unlike fsck, which only checks the metadata.

LVM

LVM (Logical Volume Management) allows you to manage multiple local hard drives as a single volume group, in a similar way to ZFS, but on a single server. LVM is the reference Cinder backend (volumes are logical volumes exported over iSCSI), and the Nova libvirt driver can also use it to provision local hard drives of a compute host as instance disks on that same host.

IMAGING

The OpenStack compute service (Nova) stores and accesses two types of instance images: the templates used to create instances and the snapshots you can take of an instance.

The compute service actually uses the imaging service (Glance) to get and store the data and the details of these images. The image details include the following information:

The displayable name of the image (e.g. Debian Jessie)

The disk format (e.g. QCOW2, RAW)

The size of the image and the minimum resources (disk and RAM) required to run it

The status of the image, indicating a potential in-progress operation and its availability (e.g. queued, saving, active)

A checksum of the image

Images can be used to create new instances from existing data, and the three main use cases are:

The base images of your infrastructure, used to create a new instance and configure it from scratch, using for example a provisioning tool or a configuration management tool (see Chapter 6).

The snapshot you take from an existing instance, which you can reuse to create an instance with the same configuration, to restore a backup of an instance, or even as a way to resize an instance (i.e. change its flavor).

Migrating your instances between infrastructures, regions, providers, and even between hypervisors, using standard image formats.

Where Is It Stored?

The details of the images are stored in a relational database (by default MySQL, which is the default for all OpenStack projects).

The data of the images can be stored in different ways: a local file system (the default storage solution), block storage, object storage, or VMware datastores. In fact, the image data can be stored anywhere; the only requirement is a backend storage driver implementing the operations on the stored data.

The most common way to store the images of the instances is to use the infrastructure itself to store them: by flattening them as single files (QCOW2, RAW, etc.) and storing them in the object storage service (see Figure 2.7), or by keeping them stored as blocks using the block storage service (Cinder).

Figure 2.7

Storing images as blocks can be great if you want to use the same storage infrastructure as the one used by the block storage service, and have the ability to directly attach an image without having to download it. In this case the block data will be exactly the same as the original block or device data.

If you are using a Ceph infrastructure behind your block storage service, or beside your OpenStack infrastructure, you may want to use the Ceph RBD (RADOS Block Device) driver directly in Glance. By "behind," we mean that the Ceph infrastructure is abstracted by the Cinder API and used through the Cinder driver. By "beside," we mean that the Ceph infrastructure is not used as the OpenStack block storage service, but can still be used to store the images with Glance. This avoids having an extra API between your imaging service and the final storage backend of the images, and it can add the ability to separate the production storage backend used to run your block storage service from the imaging service that holds your templates and snapshots. These could be, for example, different Ceph infrastructures, different Ceph OSDs (object storage nodes), or different Ceph storage pools with different resources allocated inside the same infrastructure.

Conversely, you may want to store flattened versions of your images in an object storage service. For example, when using the imaging service mainly to store a lot of snapshots as backups, the images are simply stored as files, allowing you to easily upload and download them without having to create a block device or read all of the data from a block device to return it over the image service HTTP API. Moreover, you can store images in a format that uses an optimization strategy (such as the sparse QCOW2 format), which is helpful if you generate a lot of download requests on the Imaging API.

If you want to store the images in an object storage service external to your OpenStack infrastructure, you can use the S3 storage driver in Glance to put your images (templates and snapshots) into AWS S3 (Amazon Web Services Simple Storage Service). This can be an interesting solution for storing some backups of your infrastructure in an external service, allowing you to potentially have a disaster recovery plan on AWS EC2 (Elastic Compute Cloud, the compute service from AWS) using the data from your OpenStack infrastructure. Remember that a snapshot copied off-site contains everything that was on the instance disk, including any credentials baked into it, so encrypt such backups and restrict access to the bucket accordingly.

Different Image Formats

Images stored in the imaging service can have different formats, depending on which ones are supported by your hypervisor and the features you want to use.

The notion of image format covers two different notions: the disk format, which corresponds to the actual data of the disk image, and the container format, which carries the metadata describing a disk image.

Here are the most used disk formats:

Raw: the simplest format possible, an unstructured, exact copy of a device's data. Raw images are usually huge, since the whole image space is allocated in a single file, even the parts that are unused and empty.

QCOW2: stands for QEMU Copy On Write (version 2). This format delays the allocation of storage until the space is actually required to store data, and can optionally compress the data contained in the image. The format is therefore flexible, since the file grows as data is added, unlike the raw image of a device. Moreover, it is possible to store additional changes in another file that contains only the differences from an original base QCOW2 image (the "backing file"), using the copy on write feature provided by this format. Because the backing file is referenced by path from inside the image header, an image accepted from users must be checked for such references before it is used on a compute host.

VHD: stands for Virtual Hard Disk, which is the de facto standard for Microsoft technologies (Windows and Hyper-V). For example, it is possible to attach a VHD image to a Windows system without a virtualization engine, because the operating system natively supports this format. A VHD image can therefore be modified directly, changing some files and performing a backup or a recovery inside the image.

VMDK: the default VMware image format, which is also supported by other virtualization solutions like QEMU or VirtualBox. It supports multiple provisioning strategies, including thin provisioning, which allocates blocks only when they are written in the image.

The additional information about an image, such as its metadata, can be stored in an external container if it is not in the image file. As with the disk formats, multiple container formats exist and are supported by OpenStack and the virtualization drivers. The most used is OVF (Open Virtualization Format), an open standard based on an XML descriptor file detailing the packaged virtual machine.
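The image details listed earlier in this section (disk format, checksum) and the format descriptions above describe what Glance records, but the value of those fields is only realised if something checks the bytes against them before a compute host touches the image. The following added example, which is not Glance's or Nova's code, inspects an image file: it detects the disk format from the magic bytes, parses the fixed part of a QCOW2 header to find a backing-file reference, and compares the data against the checksum fields a Glance image record carries. The QCOW2 header layout (big-endian: magic, version, backing_file_offset, backing_file_size, cluster_bits, virtual size) is the published format; the sample images built by make_qcow2_header are constructed minimal headers, not real disk images, and the metadata dictionaries are assumed shapes.

```python
import hashlib
import struct

QCOW2_MAGIC = b"QFI\xfb"
VMDK_MAGIC = b"KDMV"                    # sparse VMDK extent header
VMDK_DESCRIPTOR = b"# Disk DescriptorFile"
VHD_COOKIE = b"conectix"                # VHD footer cookie, in the last 512 bytes

# Fixed prefix of the QCOW2 header: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, virtual size (all big-endian).
_QCOW2_HDR = struct.Struct(">4sIQIIQ")


def detect_disk_format(data):
    """Return 'qcow2', 'vmdk', 'vhd' or 'raw' from the bytes alone."""
    if data[:4] == QCOW2_MAGIC:
        return "qcow2"
    if data[:4] == VMDK_MAGIC or data.startswith(VMDK_DESCRIPTOR):
        return "vmdk"
    if len(data) >= 512 and data[-512:][:8] == VHD_COOKIE:
        return "vhd"
    return "raw"


def qcow2_backing_file(data):
    """Return the backing-file path named in a QCOW2 header, or None."""
    if len(data) < _QCOW2_HDR.size or data[:4] != QCOW2_MAGIC:
        return None
    _magic, _version, bf_offset, bf_size, _cluster_bits, _size = _QCOW2_HDR.unpack_from(data)
    if bf_offset == 0 or bf_size == 0:
        return None
    return data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")


def check_image(data, metadata):
    """Validate image bytes against Glance-style metadata; return a list of problems.

    metadata keys used: disk_format, checksum (the legacy MD5 field) and the
    optional os_hash_algo / os_hash_value pair of newer Glance releases."""
    problems = []
    actual = detect_disk_format(data)
    declared = metadata.get("disk_format")
    if declared != actual:
        # A file registered as 'raw' whose bytes are QCOW2 is the format-confusion
        # case: the hypervisor would parse a header the operator never reviewed.
        problems.append("declared disk_format %r but data looks like %r" % (declared, actual))
    backing = qcow2_backing_file(data)
    if backing is not None:
        # A backing file makes the guest disk depend on a path on the compute host.
        problems.append("qcow2 image references backing file %r" % backing)
    if "checksum" in metadata and hashlib.md5(data).hexdigest() != metadata["checksum"]:
        problems.append("md5 checksum mismatch")
    algo = metadata.get("os_hash_algo")
    if algo and hashlib.new(algo, data).hexdigest() != metadata.get("os_hash_value"):
        problems.append("%s hash mismatch" % algo)
    return problems


def make_qcow2_header(virtual_size, backing_file=None):
    """Build a constructed, minimal QCOW2 v2 header for testing (not a bootable image)."""
    name = backing_file.encode("utf-8") if backing_file else b""
    offset = _QCOW2_HDR.size if name else 0
    return _QCOW2_HDR.pack(QCOW2_MAGIC, 2, offset, len(name), 16, virtual_size) + name
```

Run check_image on anything uploaded by a tenant before it is made public or shared, and again on the compute side if you do not trust the path between Glance and the hypervisor; an empty list means the bytes are consistent with the record.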

DASHBOARD

OpenStack includes a dashboard project named Horizon, which is a web interface built with the Django framework on top of the APIs of the different OpenStack services.

The Graphical User Interface (GUI) provided by the Horizon dashboard is a great way to get started with OpenStack and its different components. It allows you to boot your first instance with a simple setup assistant, then create your first Swift container, and thus manage a few resources (see Figure 2.8).

Figure 2.8

Using this GUI can simplify your everyday life if your OpenStack projects are small or use only the main features. It doesn't scale well, however, when you start to have hundreds or thousands of instances and networks, and want to use features that are not considered basic. For example, creating a new network port with a specific configuration and attaching it to an existing instance would not be basic.

The next step is then to use the command line (CLI) or the different OpenStack APIs to administer your account or infrastructure, and to start automating the deployment, management and use of your OpenStack resources.

Because the command line implements all of the APIs, it is a good way to test all of the features and discover the API methods, their requests, and their response formats before starting to develop against them in an application. It can also easily be scripted to automate and repeat your everyday administrative tasks on OpenStack.

NETWORKING

The networking service within OpenStack is responsible for providing network connectivity within the cloud, as well as between instances in the cloud and the outside world. OpenStack provides two different networking services. The legacy solution is part of the Nova compute module and is referred to as nova-network or "Nova networking." The Neutron project provides the newer networking solution, and includes much more functionality and flexibility.

Both solutions provide two different types of IP addresses: private IP addresses and floating IP addresses. The private addresses are the ones that the VM instances themselves see. That is, running ip addr on a Linux VM instance will show you the private address. Instances communicate within the cloud using their private addresses. In OpenStack, each VM will have at least one private IP address, but it doesn't need a floating IP address.

The floating addresses are those reachable from outside the cloud (often from the public Internet), and are directed to a specific VM instance using Network Address Translation (NAT). Floating IP addresses may be associated with a VM at the time of its creation, or any time thereafter. They may also be moved to a different VM; this is what makes them "floating" IP addresses. They are not fixed to a specific VM, and may be freely moved from one to another. Note that associating a floating IP is what makes an instance reachable from outside; the security group rules on its port are what actually limit which traffic gets in.

Another important concept in OpenStack networking is the distinction between provider networks and tenant networks. Provider networks are objects defined in OpenStack that describe a part of the physical network infrastructure, and can only be created by administrators. The cloud administrator creates provider networks within OpenStack that correspond to the physical networks configured in the infrastructure. This allows OpenStack to manage the connectivity between the cloud and the physical network. These networks can be used to provide external access via floating IP addresses, or they can give VMs IP addresses on the physical infrastructure subnets (thus avoiding the use of floating IPs for those VMs).

In contrast, ordinary users create tenant networks. These networks are isolated from other tenants, and are under the control of their owner. They may or may not map directly to the underlying physical networks, depending on the segmentation strategy set up by the cloud administrator. That strategy is defined by the cloud operator and hidden from the tenant. From an application developer's point of view, the particular segmentation strategy is not important. What is important is to understand that tenant networks are accessible only to the tenant that creates them, except through floating IP addresses.

Nova Networking

Nova networking is deprecated in favor of Neutron networking, but some existing clouds still use it, so having some familiarity with it can be useful.

Nova networking provides a simple networking solution with limited flexibility in topology and configuration. In particular, tenants have little control over the topology and cannot create complex networking environments.

In most installations, Nova networking will be configured with either a single "flat" network shared by all tenants, or with a VLAN per tenant (see Figure 2.9).

Figure 2.9

In Nova networking, as an application developer, you have little control over building out the topology.

Neutron Networking

Neutron networking is the newer, standalone networking service within OpenStack. As a software-defined networking solution, it provides the ability to create complex tenant topologies, and it integrates with a wide variety of vendor SDN products. The idea is to be able to reproduce physical network topologies in a completely virtual environment. Just as Nova Compute lets you virtualize machine instances, Neutron lets you virtualize networking components such as routers, firewalls, and load balancers, as shown in Figure 2.10.

In Neutron, there are separate network nodes (shown in Figure 2.10), as opposed to Nova networking, which relies solely on the compute nodes. The network nodes handle the advanced services such as Load-Balancer-as-a-Service, Firewall-as-a-Service, and Virtual-Private-Network-as-a-Service. Additionally, they provide the connectivity to the external world outside the cloud. In early versions of Neutron (prior to Juno), all Layer 3 traffic between different subnets went through the network node, even if it was between VMs on the same compute node. Only Layer 2 traffic could transit directly between the compute nodes, or within a compute node. In Juno, the Distributed Virtual Router (DVR) functionality was added to provide local routing on the compute node. However, traffic from instances without a floating IP (SNAT) still goes through the network nodes to leave the cloud, as does traffic to the advanced services.

Figure 2.10

How Neutron Helps Applications

Consider deploying a three-tier application in a traditional environment. You need to buy servers, switches, routers, firewalls, load balancers, and SSL offload load balancers, and you'll need them in pairs for redundancy. Each of them needs to be racked, connected in the exact manner needed for the application, and manually configured. You'll need to plan out the space, power, and cooling needs created by the new application. Even if you virtualize the servers, you still need to set up all of the networking gear. This requires a lot of expense in capital equipment as well as a lot of time for setup.

A Practical Note

In practice, you wouldn't use all of this equipment. Modern network devices can serve several of these purposes, either directly or through service modules. In that case you can use VLAN tagging to create isolated segments, so from a security perspective it is equivalent. However, even in that case, Figure 2.11 illustrates the complexity of this deployment, as each of these services still needs manual configuration.

Figure 2.11

In a software-defined world, all of that complexity moves to the software layer. At the hardware layer, we have uniform racks of servers, with top-of-rack switches, typically connected to a spine-and-leaf networking fabric (see Figure 2.12).

Figure 2.12

The servers here are the compute, network, storage and other physical nodes in your cloud. The leaves are the top-of-rack switches that all of these plug into. The spines aggregate all of the traffic from the leaves, and every leaf can reach every other leaf with just two hops, since every leaf connects to every spine. Additionally, inter-leaf traffic can be spread across the spines without taking a longer path. This helps reduce bottlenecks. In this layout, you still have full redundancy, as each server is dual-connected to two leaves.

None of the hardware layer changes are driven by application deployments, as long as there is capacity. And when there is a change, you can add servers or racks in a simple and consistent way, without having to know anything about the applications that will be running on them.

As new applications are provisioned and decommissioned, there is no longer a need to rack, cable and configure specific hardware devices for those applications. Networks are overlaid on top of the consistent hardware via automation and pure software-based network devices. You create virtual routers, load balancers, and firewalls in software, and connect them via API calls. This can dramatically cut down on the time it takes to deploy an application, as well as enable repeatable, template-based deployment.

Of course, software may not perform as well as specialized hardware. Additionally, there are many features that the standard OpenStack reference implementation doesn't support. Neutron provides a rich set of pluggable interfaces to address these concerns. These plugins enable third-party vendors to integrate directly into the Neutron service, extending its functionality. Plugins can interact with external SDN controllers or existing physical networking gear, provide advanced services such as VPN-as-a-Service, or integrate with external IP Address Management platforms. The difference between this and setting up a traditional network for an application, though, is that it is still all done with the same, simple APIs, rather than through vendor-specific proprietary configuration protocols.

Understanding Core Neutron Objects

The Neutron object model consists of some familiar analogs of the physical world, such as ports, subnets, and routers. There are also some logical concepts that really only exist in OpenStack, such as subnet pools and address scopes.

A Neutron network corresponds to a Layer 2 broadcast domain. If you're not that familiar with networking, in the physical world you can think of this as essentially a single "wire" for nodes to talk over. Layer 2 deals exclusively with MAC addresses; there is no need for IP addresses in this layer. Switches provide optimizations on top of the "single wire" model by forwarding Ethernet frames down only the necessary links. They also provide VLANs (Virtual Local Area Networks), which allow you to divide a single switch into multiple broadcast domains. Essentially, you get to say which ports "go together." In Neutron, the network model captures this concept.

A Neutron subnet provides the Layer 3 connectivity. That is, it provides the IP addressing and enables Neutron routers to pass traffic between Neutron networks. This is very similar to the standard networking model. A subnet is associated with a particular Layer 2 network, and a Neutron router is used to interconnect subnets, just like in the physical world.

In Neutron, when creating a router you can additionally specify that it provide high availability (HA), or that it be a distributed virtual router, which as mentioned above is spread out across all of the compute nodes. DVR is a more recent implementation than the standard router, and as such has some limitations. As of the Kilo release, DVR does not work with FWaaS for east-west (VM to VM) traffic. Also, it requires compute nodes to have a public IP to handle distributed floating IP addresses.

A Neutron port is associated with a network. Its analog in the real world is an actual switch port where you would plug in an Ethernet cable. It is the point of attachment to a network. Neutron provides Nova with a port to "plug in" the instance interface. One distinction between the real world and Neutron, though, is that in Neutron a port is also automatically associated with one or more IP addresses (one for each subnet on the network). This blurs the Layer 2 and Layer 3 semantics, and may be resolved in a later release of Neutron.

A Neutron security group provides simple, firewall-like functionality. Rules may be defined for ingress and egress traffic, and those rules are applied at the Neutron port. Security group rules only ever allow traffic; there are no deny rules, so anything not matched by a rule in one of the port's groups is dropped. There is a default security group that allows traffic between instances in that group and all outbound traffic from instances in the group (egress traffic), but it blocks all other inbound traffic. You can use the Firewall-as-a-Service project for more sophisticated features.
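The allow-list semantics of security groups are worth seeing in code, because the most common mistake (expecting a rule order or a deny rule) comes from reading them as a traditional firewall. The following added example, which is a model of the behaviour described above and not Neutron's own code, represents rules with the fields a Neutron rule carries (direction, protocol, port range, and either a remote CIDR or a remote security group) and evaluates whether a flow would be admitted at a port. The "web" group, its CIDRs and the peer addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One security-group rule. Any field left as None means 'any'."""
    direction: str                          # 'ingress' or 'egress'
    protocol: Optional[str] = None          # 'tcp', 'udp', 'icmp' or None
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR the peer must fall in, or
    remote_group: Optional[str] = None      # a group the peer's port must belong to

    def matches(self, direction, protocol, port, peer_ip, peer_groups):
        if self.direction != direction:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if port is None or not self.port_min <= port <= hi:
                return False
        if self.remote_ip_prefix is not None:
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.remote_ip_prefix, strict=False)
        if self.remote_group is not None:
            # Remote-group rules match on the peer's group membership, not its address,
            # so they keep working when instances are replaced and get new IPs.
            return self.remote_group in peer_groups
        return True


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def default_group():
    """The group Neutron creates per project: all egress, ingress only from itself."""
    return SecurityGroup("default", [Rule("egress"), Rule("ingress", remote_group="default")])


def allowed(port_groups, direction, protocol, port, peer_ip, peer_groups=()):
    """Groups are pure allow-lists: a flow passes if any rule of any group on the port
    matches and is dropped otherwise. Reply packets of an allowed flow are passed by
    connection tracking on the compute node and are not modelled here."""
    return any(rule.matches(direction, protocol, port, peer_ip, peer_groups)
               for group in port_groups for rule in group.rules)
```

A practical consequence visible in the model: attaching a second group to a port can only widen what is admitted, never narrow it, so a port carrying the default group plus a permissive group is exactly as exposed as the permissive group alone.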

The Kilo release of Neutron added another concept that is more abstract than those described previously: the subnet pool. A subnet pool is a collection of IP network prefixes from which a tenant may allocate subnets. That is, in Juno and earlier, the tenant had to specify a specific subnet, like 10.10.10.0/24, to allocate. In Kilo, the cloud administrator can create a subnet pool, say 10.10.0.0/16, from which the tenant can ask for "any subnet" of a particular size. This way, the tenant really does not need to figure out ahead of time what the subnet should be; they can just ask the subnet pool to figure it out. For example, without subnet pools, you would use this CLI call to create a new subnet:

neutron subnet-create private-network 10.1.0.0/24

This requires the caller to know that 10.1.0.0/24 is a valid, available subnet that can be used. With subnet pools, the administrator can create a pool for specific uses, say for web servers. This pool contains a wide range of addresses from which to allocate subnets, as well as a default prefix length (the "/24" above, which corresponds to the subnet mask). So, instead of the above, you can execute a simpler command:

neutron subnet-create private-network --subnetpool web-pool

This completely separates the decisions about IP address and subnet allocation from the subnet creation process. This, along with the Pluggable IP Address Management feature added in Liberty, is critical to using clouds in larger organizations that have different groups managing IP space and applications.

In Liberty, one more concept is added, called an address scope. This represents a unique Layer 3 address space. In Neutron, you can create the same subnet CIDR (for example, 10.0.0.0/24) on two different networks. This can lead to overlapping IP addresses. This is perfectly valid in Neutron, except that you cannot connect those two networks to the same router. If you did, Neutron would not be able to distinguish between the same IP address on each network. The address scope generalizes this, providing an object within Neutron to represent the address space to which a subnet belongs. By doing this, Neutron enables better control over routing, and prevents multiple users from accidentally creating overlapping space. It also lets Neutron know when Network Address Translation (NAT) is needed between subnets in different scopes, even when they do not overlap, which prevents accidental overlap with other subnets on the router.
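Subnet pools and address scopes are easiest to understand as two small invariants: a pool hands out non-overlapping prefixes from the ranges it owns, and a router refuses two overlapping subnets unless they belong to different scopes. The following added example implements exactly those two invariants with the standard library; it models the behaviour described above and is not Neutron's own allocator or IPAM driver. The pool names, prefixes and scope names are constructed.

```python
import ipaddress


class SubnetPool:
    """A collection of prefixes from which tenants request 'any subnet' of a size."""

    def __init__(self, name, prefixes, default_prefixlen, address_scope=None):
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.default_prefixlen = default_prefixlen
        self.address_scope = address_scope
        self.allocated = []

    def allocate(self, prefixlen=None, cidr=None):
        """Return the first free subnet of the requested size, or the specific CIDR
        asked for, refusing anything outside the pool or overlapping an allocation."""
        prefixlen = prefixlen or self.default_prefixlen
        if cidr is not None:
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(p) for p in self.prefixes):
                raise ValueError("%s is outside pool %s" % (net, self.name))
            if any(net.overlaps(a) for a in self.allocated):
                raise ValueError("%s overlaps an existing allocation" % net)
            self.allocated.append(net)
            return net
        for prefix in self.prefixes:
            for candidate in prefix.subnets(new_prefix=prefixlen):
                if not any(candidate.overlaps(a) for a in self.allocated):
                    self.allocated.append(candidate)
                    return candidate
        raise ValueError("pool %s exhausted for /%d" % (self.name, prefixlen))


class Router:
    """Interfaces may carry overlapping subnets only if they are in different scopes."""

    def __init__(self):
        self.interfaces = []   # (network_name, subnet, address_scope)

    def add_interface(self, network, subnet, address_scope):
        for other_network, other, other_scope in self.interfaces:
            if other_scope == address_scope and other.overlaps(subnet):
                raise ValueError("%s on %s overlaps %s on %s within scope %r" % (
                    subnet, network, other, other_network, address_scope))
        self.interfaces.append((network, subnet, address_scope))
        return len(self.interfaces)

    def needs_nat(self, subnet_a_scope, subnet_b_scope):
        """Traffic between scopes crosses address spaces and must be translated."""
        return subnet_a_scope != subnet_b_scope
```

The allocate method is what the second subnet-create command above relies on: the caller names the pool and a size, and the pool guarantees the result is inside the administrator's range and does not collide with any earlier allocation.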

Understanding Overlay Networks

One of the key features provided by Neutron is the concept of overlay networks. An overlay network is just a segmentation, or segregation, of the network traffic that rides on the physical network. The key part is that from the point of view of the VM, there is a single, ordinary network. But in fact, this is an illusion created by Neutron, since the data is actually moving across various physical boundaries in the data center. For example, when a VM sends out a Layer 2 broadcast such as an ARP request, that request may be packaged up and sent across the physical network to several different compute nodes. Then, it is unwrapped on those nodes and delivered to each VM on the same overlay network. It is overlay networks that provide the ability to separate tenant traffic, enabling us to share the underlying physical infrastructure and thus make full use of it (see Figure 2.13).

Figure 2.13

The simplest and most familiar form of an overlay network is the VLAN. A VLAN tags Ethernet frames with a 12-bit number, and this enables the physical networking gear to differentiate between the traffic that belongs to individual VLANs. When a user creates a tenant network in Neutron, it can be assigned a particular VLAN tag, and Neutron can then keep all of that traffic segregated from other traffic within the network.

A big drawback, however, is that a 12-bit tag provides at most 4096 VLAN identifiers (4094 usable, since 0 and 4095 are reserved). In a large multi-tenant cloud, many more separate networks may be required. Other technologies have been developed to address this gap. The two you will see in OpenStack's reference implementation are Virtual Extensible Local Area Network (VXLAN) and Generic Routing Encapsulation (GRE). While VLANs are based on Layer 2 technology (they tag Ethernet frames), these two technologies are based on Layer 3 technology. That is, they work by encapsulating the data in IP packets rather than by tagging Ethernet frames. This allows the overlay networks to stretch across larger, routed networks. Additionally, the VXLAN protocol provides a 24-bit number (the VNI) to differentiate networks, allowing over 16 million distinct overlay networks. Keep in mind that neither VLAN tags nor VXLAN headers are authenticated or encrypted: tenant isolation relies on the compute nodes' virtual switches applying the right tag or VNI, and on the underlay network being reachable only by trusted hosts.
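Both encapsulations are small enough to decode by hand, which is useful when you are looking at underlay captures to confirm that tenant traffic really is carrying the segment identifier you expect. The following added example (not part of the book and not Neutron's code) builds and parses an 802.1Q-tagged Ethernet frame and a VXLAN header with the standard struct module; the MAC addresses, VLAN ID, VNI and payload are constructed values. The VXLAN layout (8-byte header: flags with the I bit 0x08, 3 reserved bytes, 24-bit VNI, 1 reserved byte, carried over UDP port 4789) and the 12-bit VID inside the 802.1Q tag control field are the published formats.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08


def parse_ethernet(frame):
    """Return (dst, src, vlan_id, ethertype, payload); vlan_id is None when untagged."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame)
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF          # 12-bit VID; the top 4 bits are PCP and DEI
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def parse_vxlan(udp_payload):
    """Return (vni, inner_frame) from the payload of a UDP datagram to port 4789."""
    flags, vni_field = struct.unpack_from("!B3xI", udp_payload)
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the valid-VNI flag")
    return vni_field >> 8, udp_payload[8:]   # 24-bit VNI, low byte reserved


def build_vlan_frame(dst, src, vlan_id, payload, ethertype=ETHERTYPE_IPV4):
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ethertype)
    return dst + src + tag + payload


def build_vxlan(vni, inner_frame):
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, (vni & 0xFFFFFF) << 8) + inner_frame


def segment_id(packet, encapsulation):
    """The identifier that decides which tenant network a packet belongs to."""
    if encapsulation == "vlan":
        return parse_ethernet(packet)[2]
    if encapsulation == "vxlan":
        return parse_vxlan(packet)[0]
    raise ValueError("unknown encapsulation %r" % encapsulation)


def max_segments(encapsulation):
    """How many distinct identifiers each scheme can express (before reservations)."""
    return {"vlan": 1 << 12, "vxlan": 1 << 24}[encapsulation]
```

Because build_vxlan needs nothing but a VNI to produce a frame that any VTEP will decapsulate onto that segment, the underlay itself must be treated as a trusted zone: anyone who can inject UDP/4789 traffic into it can inject frames into any tenant network.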

BRINGING IT ALL TOGETHER

To help understand how these different pieces interact, let's step through what happens when you launch a VM and see how all of the pieces fit together. This is a simplified workflow that the user and the various services go through in a typical case of launching a VM with ephemeral storage only (i.e., the storage and all disk contents go away when the VM is terminated). Many internal steps are glossed over here, since the focus is on the interaction between the services.

In order to boot any VM, you'll need to prepare a few things first. For this example, we will use the individual service CLI clients. There is also a general openstack client, but it does not offer all of the features of the separate service clients.

First, you need to decide on the flavor of the VM you want. The flavor represents the combination of CPUs, memory, and storage for the VM. The flavors can be retrieved from Nova (some columns omitted for brevity):

$ nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs |
+----+-----------+-----------+------+-----------+------+-------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     |
| 42 | m1.nano   | 64        | 0    | 0         |      | 1     |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     |
| 84 | m1.micro  | 128       | 0    | 0         |      | 1     |
+----+-----------+-----------+------+-----------+------+-------+
$

We will use m1.tiny.

Next, you need to know what image to use. The image contains the bootable operating system for the VM. Until we need to actually build an application, examples in this book will generally use CirrOS (https://launchpad.net/cirros), which is a very small, minimal OS that is useful for testing the cloud platform. If you are following along, other images may be available on your OpenStack instance. Choose a small one for experimentation.

$ glance image-list
+---------+---------------------------------+...+----------+--------+
| ID      | Name                            |...| Size     | Status |
+---------+---------------------------------+...+----------+--------+
| 6d…e0   | cirros-0.3.4-x86_64-uec         |...| 25165824 | active |
| 5f…92   | cirros-0.3.4-x86_64-uec-kernel  |...| 4979632  | active |
| 06…c6   | cirros-0.3.4-x86_64-uec-ramdisk |...| 3740163  | active |
+---------+---------------------------------+...+----------+--------+
$

Since we want to be able to access our instance over the network, rather than just via the console, you need to attach it to a network. So, call the Neutron service to find out the available networks.

$ neutron net-list
+---------+---------+-----------------------------------------------------------+
| id      | name    | subnets                                                   |
+---------+---------+-----------------------------------------------------------+
| 50…56   | public  | 09c872aa-02fa-4e81-9cb1-846399938c64 2001:db8::/64        |
|         |         | b9d882f3-8378-42cc-b5fa-4cb2576c7fb4 192.168.20.0/25      |
| fa…ea   | private | 5bd94138-3a4a-4966-b216-b4530a0f489d fddc:b6e3:ede0::/64  |
|         |         | ece9ba64-cf28-424c-8187-8df763301a56 10.0.0.0/24          |
+---------+---------+-----------------------------------------------------------+

Now we have everything Nova needs to know at boot time, so we simply run the nova boot command (output has been abbreviated).

$ nova boot --flavor m1.tiny --image cirros-0.3.4-x86_64-uec \
    --nic net-id=fa3282e4-64ba-44fa-9644-46da784234ea i-1
+--------------------------------------+--------------------------------------+
| Property                             | Value                                |
+--------------------------------------+--------------------------------------+
| OS-EXT-STS:power_state               | 0                                    |
| OS-EXT-STS:task_state                | scheduling                           |
| OS-EXT-STS:vm_state                  | building                             |
| OS-SRV-USG:launched_at               | -                                    |
| OS-SRV-USG:terminated_at             | -                                    |
| created                              | 2015-07-24T05:52:20Z                 |
| flavor                               | m1.tiny (1)                          |
| id                                   | a9d9e891-e85a-471b-9844-cd3eda0659a0 |
| image                                | cirros-0.3.4-x86_64-uec (6d…e0)      |
| key_name                             | -                                    |
| metadata                             | {}                                   |
| name                                 | i-1                                  |
| progress                             | 0                                    |
| security_groups                      | default                              |
| status                               | BUILD                                |
| tenant_id                            | 56082fc3830e43d4af307bed5d1d5f90     |
| updated                              | 2015-07-24T05:52:20Z                 |
| user_id                              | e749c12a525d4b259e0e291fd91ca53a     |
+--------------------------------------+--------------------------------------+
$

So what does Nova do when we initiate the boot command? First, it validates our credentials with Keystone, to make sure we have the authority to launch the VM. After that, the boot process is a state machine that takes the instance state from BUILD to ACTIVE under normal circumstances. Nova first stores the instance in the database with status BUILD and task state scheduling. The primary status remains BUILD, so to see the progress of the boot we need to look at the secondary task state. Both states are tracked in the Nova database.

$ nova list
+---------+------+--------+------------+-------------+----------+
| ID      | Name | Status | Task State | Power State | Networks |
+---------+------+--------+------------+-------------+----------+
| a9…a0   | i-1  | BUILD  | scheduling | NOSTATE     |          |
+---------+------+--------+------------+-------------+----------+

Next, the Nova API service sends a request to the Nova scheduler (running on the controller node) via the message queue. It is the scheduler's job to figure out the physical compute node on which to run the instance. It selects a node based on the characteristics of the VM (how much CPU and memory it needs, for example) and the available capacity of each host. It then posts a request back to the message queue that includes the selected host. The command results above show the scheduling state; in practice, however, scheduling will likely be fast enough that you won't catch it in that state.

Nova picks the scheduled instance request off the queue and updates the database, then sends a message across the queue again, this time to the nova-compute process that sits on the selected compute host. The nova-compute agent makes a RESTful API call to the Glance image service to retrieve the image.

Each time one service talks to another, Keystone may be invoked to validate the token (the details depend on the type of token). In this case, Glance verifies that the user has permission to access the selected image. If so, Nova downloads the image to its image cache.

Now the host is selected and the image is available on that host. But Nova still needs to know how to connect the instance to a network. It sets the task state to networking, and then calls the Neutron networking service to create a port. The port can be thought of just like a real, physical switch port. It provides a place to "plug in" the instance network interface to the virtual switching fabric. Again, this between-service interaction is done via the same RESTful APIs that other clients use. In fact, we could have created the port ahead of time, and provided a port-id to Nova instead of a net-id.

Neutron creates the port and allocates an IP address on a subnet associated with the supplied net-id. Like Nova, Neutron has agents running on each compute node. It is on that node that the virtual port is created, and that the rules of the port's security groups (here, the default group shown in the boot output) are programmed into the host's firewall.

Finally, Nova takes all of this information, sets the task state to spawning, and calls the hypervisor (KVM by default) to actually spin up the instance. Note that the boot above passed no --key-name, so no SSH key is injected into the instance; for anything other than a throwaway test instance, create a keypair and pass it at boot time rather than relying on a password.

SUMMARY

In this chapter you learned in detail about the core components of OpenStack and how they work together to create a cloud. Finally, you put it all together to understand the details of how Nova interacts with Keystone, Neutron, Glance, and Cinder to spin up virtual machines. These are the basic services you will find in most OpenStack clouds, but there are a host of other services. In the next chapter, we will look at some of the less core, but still important, services offered in some OpenStack clouds.

3 Understanding the OpenStack Ecosystem: Additional Projects

WHAT'S IN THIS CHAPTER?

Understanding cloud orchestration

Orchestration capabilities in OpenStack

OpenStack Heat in detail

Software-defined storage (SDS)

Cloud databases as a use case of SDS

Cloud databases: maintain or consume

OpenStack Database as a Service: Trove

A look at Magnum and Containers as a Service

Coverage of Murano and Ceilometer

The core components discussed in Chapter 2 cover the basic IaaS functionality of OpenStack. Just using those features, OpenStack enables you to set up and run applications. However, there is more to building, deploying, and supporting an application than is covered by those components. This chapter discusses additional OpenStack projects that enable you to define repeatable application deployments on VMs or containers, make those applications available via DNS, and monitor the virtual infrastructure on which those applications are hosted. Although these aren't labeled as orchestration, such applications also require manual configuration and deployment in some manner. This chapter covers how to use OpenStack to manage container-based applications, how to package applications for use by others, and how to take advantage of the Database-as-a-Service feature to shift more complexity from your application to the cloud infrastructure.

DEMO APPLICATION SOURCE CODE

You can access the source code of our demo application on GitHub: https://github.com/johnbelamaric/openstack-appdev-book.

OPENSTACK HEAT

In cloud computing theory, it is well known that there is more than one type of service. One of the most popular and interesting (in terms of flexibility) is Platform-as-a-Service (PaaS), which allows you to tap into cloud capabilities in different ways, such as through a cloud orchestration service. Let's take a look at two definitions of cloud orchestration:

It provides you with the ability to control and arrange a set of underlying technology infrastructures (hardware and hypervisor). You can match the intended commands inputted by the users to create a set of automated events that deliver the request with the maximum efficiency (source: http://howtobuildacloud.com/cloud-enablement/cloud-orchestration-starts-to-play-its-tune/).

It provides you with the ability to manage, coordinate, and provision all parts of a customer solution automatically, with no administrative intervention, ideally from a self-service interface. This is much like a conductor who conducts an orchestra, making sure that all of the instruments/performers are in tune and in time (source: https://www.flexiant.com/).

Putting definitions aside, the most important point about cloud orchestration services is not what they are, but what they do. As a cloud consumer, a provider, or a reseller of cloud services, all that matters is that cloud orchestration makes your cloud consumption experience better. If you are looking for some service or capability that will make your cloud application resources more scalable, instantly deployable, efficient, simpler to use, and easier to bill and manage, you are looking at cloud orchestration service capabilities.

You may question the idea that an orchestration service is a platform service, but cloud orchestrators were the first services that gave us the ability to consume and operate cloud resources in a pre-defined way (a specific DSL) within a single API specification (just remember the old days, when you had to learn tons of API specs to accomplish your business needs).

Orchestration Capabilities in OpenStack

So, cloud orchestration is something that you can't live without, but what about OpenStack? Can you say the same thing? Let's examine the OpenStack orchestration service, called Heat.

HeatisthemainprojectintheOpenStackorchestrationprogram.Itimplementsanorchestrationenginetolaunchmultiplecompositecloudapplicationsbasedupontemplatesintheformoftextfilesthatcanbetreatedlikecode.AnativeHeattemplateformatisevolving,butHeatalsoprovidesthecompatibilitywiththeAWSCloudFormationtemplateformat.ThisallowsmanyexistingCloudFormationtemplatestobelaunchedonOpenStack.HeatprovidesbothanOpenStack-nativeRESTAPIandaCloudFormation-compatibleQueryAPI

(source:https://wiki.openstack.org/wiki/Heat).

OpenStackHeatinDetailsLet’sexaminewhatHeatcandoforyou.BelowyoucanseealistoftemplatetypesthatHeatsupports:

HOT:(HeatOrchestrationTemplate).HOTtemplatesareanewgenerationoftemplatesthataren’tbackwards-compatiblewithAWSCloudFormationtemplates,andcanonlybeusedwithOpenStack(DSLforHOT—YAML).

CFN:ShortforAWSCloudFormation.ThistypewasinitiallysupportedsinceHeat’sfirstreleases(DSLforCFN-JSON).

Eachtemplatedefinesinfrastructureresourcerequirements,therelationshipbetweeneachoftheresources,andanysoftwareconfigurationnecessaryinordertomanageacompleteapplicationresourcelifecycle.

Beforelookingatatemplateitisnecessarytounderstandafewterms:stack,resource,parameter,andoutput.

Stack:acollectionofobjectsdescribedbyatemplatewithitsrelationships/dependenciesthatwillbedeployedinthecloud.stackincludesinstances(VMs),networking,blockstorage,objectstoragebuckets,andauto-scalingrules.

Resource:anelementofstack.Forexample,VM,securitygroup,subnet,andblockstoragearetheresourcesofstack.

Parameters:thesearetidbitsofinformation,likeaspecificimageID,flavor,volumesize,oraparticularnetworkIDthatispassedtotheHeattemplatebytheuser.Ingeneralcases,templatesareparameterizedtoallowsomeflavorofflexibility,yetincommoncasesitisuptotheuser.Thegeneralapplicationofparameterslaysinconfiguringresources.Forexample,ifyouneedtodeployavirtualmachine(VM)resource,youhavetoexplicitlydefinetheflavorandtheimageID.Theseareparametersforresourcesandinthetemplateitispossibletohaveahugesectionforparametersinreallife.Parametersarenotamandatorything,however,butitispossiblethattheresourcedefinitionputssomedefaultvaluesinresourceconfiguration.

Outputs:thisisinteresting,sinceincommoncasesitoutputsafullycustomdatastructurethatisbeingdefinedattheendofasuccessfuldeployment.Let’sjustreviewasmallexample.Let’ssayyouhavethreeresources:VM,securitygroupwithrules,andsoftwaredeployment.TheideahereistodeployaVMwithsoftwareinit(Nodecellar,Wordpress,MySqlorwhatever)andweneedtorestricttheaccesstothatdeployedapplication.Thisdeploymentconfigurationassumesthatwe’redeployingaPaaSapplicationandusersareabletoaccessitwithinspecificconnectionstrings.Herearethetemplateoutputs:oncedeploymentisready,Heatwilltrytogetoutputsaccordingtoitsdefinition

fromthetemplateusingbuilt-intemplateDSLfunctions.

Nowit’stimetotakealookatareal-lifeexampleofaHeattemplate:

heat_template_version:2013-05-23

description:>

AHOTtemplatethatholdsaVMinstancewithanattached

Cindervolume.TheVMdoesnothing,itisonlycreated.

parameters:

key_name:

type:string

description:Nameofanexistingkeypairtousefortheinstance

constraints:

-custom_constraint:nova.keypair

description:Mustnameapublickey(pair)knowntoNova

flavor:

type:string

description:Flavorfortheinstancetobecreated

default:m1.small

constraints:

-custom_constraint:nova.flavor

description:MustbeaflavorknowntoNova

image:

type:string

description:>

NameorIDoftheimagetousefortheinstance.

Youcangetthedefaultfrom

http://cloud.fedoraproject.org/fedora-20.x86_64.qcow2

Thereisalso

http://cloud.fedoraproject.org/fedora-20.i386.qcow2

Anyimageshouldworksincethistemplate

doesnotasktheVMtodoanything.

constraints:

-custom_constraint:glance.image

description:MustidentifyanimageknowntoGlance

network:

type:string

description:ThenetworkfortheVM

default:private

vol_size:

type:number

description:ThesizeoftheCindervolume

default:1

resources:

my_instance:

type:OS::Nova::Server

properties:

key_name:{get_param:key_name}

image:{get_param:image}

flavor:{get_param:flavor}

networks:[{network:{get_param:network}}]

my_vol:

type:OS::Cinder::Volume

properties:

size:{get_param:vol_size}

vol_att:

type:OS::Cinder::VolumeAttachment

properties:

instance_uuid:{get_resource:my_instance}

volume_id:{get_resource:my_vol}

mountpoint:/dev/vdb

outputs:

instance_networks:

description:TheIPaddressesofthedeployedinstance

value:{get_attr:[my_instance,networks]}

Asyoucansee,thistemplatewaswrittenusingHOTDSL,andhereisthelistofparameters:

key_name

flavor

image

network

vol_size

Andhereisthelistofresources:

my_instance

my_vol

vol_attr

Herearethestackoutputs(asyoucanseenow,HOTDSLprovidesasetoffunctionstoretrievespecificresourceattributesorgetdeploymentparameters):

instance_networks

Let’sfigureoutwhatthistemplatedoes.ItdeploysaVM,provisionsablockstorage(datavolume),attachesvolumetotheVM,andaspartoftheoutput,itreturnsanIPaddressoftheVM.AsforOpenStackoperators,let’sexaminethearchitectureofHeat(seeFigure3.1):
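To make the parameter/resource/output relationships in that template concrete, here is an added example (not code from the book or from Heat) that resolves every get_param, get_resource and get_attr reference, lists the parameters the user still has to supply, and derives the order in which Heat can create the resources. The template is transcribed as the dict yaml.safe_load() would return for it, so the script runs offline without PyYAML.

```python
"""Reference and dependency checker for a HOT template (added example, not Heat code).

Constructed input: the book's VM-plus-Cinder-volume template as the dict that
yaml.safe_load() would return, so this runs offline without PyYAML."""
from collections import deque

TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "parameters": {
        "key_name": {"type": "string"},
        "flavor": {"type": "string", "default": "m1.small"},
        "image": {"type": "string"},
        "network": {"type": "string", "default": "private"},
        "vol_size": {"type": "number", "default": 1},
    },
    "resources": {
        "my_instance": {
            "type": "OS::Nova::Server",
            "properties": {
                "key_name": {"get_param": "key_name"},
                "image": {"get_param": "image"},
                "flavor": {"get_param": "flavor"},
                "networks": [{"network": {"get_param": "network"}}],
            },
        },
        "my_vol": {
            "type": "OS::Cinder::Volume",
            "properties": {"size": {"get_param": "vol_size"}},
        },
        "vol_att": {
            "type": "OS::Cinder::VolumeAttachment",
            "properties": {
                "instance_uuid": {"get_resource": "my_instance"},
                "volume_id": {"get_resource": "my_vol"},
                "mountpoint": "/dev/vdb",
            },
        },
    },
    "outputs": {
        "instance_networks": {"value": {"get_attr": ["my_instance", "networks"]}},
    },
}

INTRINSICS = ("get_param", "get_resource", "get_attr")


def walk_intrinsics(node):
    """Yield (function, target) for every get_param/get_resource/get_attr call."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in INTRINSICS:
                # get_attr takes [resource, attribute]; the others take a bare name.
                yield key, value[0] if isinstance(value, list) else value
            else:
                yield from walk_intrinsics(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk_intrinsics(item)


def check_references(template):
    """Return dangling references as strings; an empty list means all resolve."""
    params = set(template.get("parameters", {}))
    resources = set(template.get("resources", {}))
    problems = []
    for section in ("resources", "outputs"):
        for fn, target in walk_intrinsics(template.get(section, {})):
            known = params if fn == "get_param" else resources
            if target not in known:
                problems.append(f"{section}: {fn} refers to unknown '{target}'")
    return problems


def required_parameters(template, supplied=()):
    """Parameters with no default that the user still has to pass in."""
    return sorted(name for name, spec in template["parameters"].items()
                  if "default" not in spec and name not in supplied)


def deployment_order(template):
    """Order in which resources can be created, following get_resource/get_attr edges."""
    resources = template["resources"]
    deps = {name: set() for name in resources}
    for name, body in resources.items():
        for fn, target in walk_intrinsics(body):
            if fn != "get_param" and target in resources:
                deps[name].add(target)
    order, ready = [], deque(sorted(n for n, d in deps.items() if not d))
    while ready:
        current = ready.popleft()
        order.append(current)
        for name in sorted(deps):
            deps[name].discard(current)
            if not deps[name] and name not in order and name not in ready:
                ready.append(name)
    if len(order) != len(resources):
        raise ValueError("dependency cycle among resources")
    return order
```

For the book's template, check_references returns no problems, required_parameters reports image and key_name (the two without defaults), and deployment_order places vol_att after both my_instance and my_vol.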

heat-api is an OpenStack-native RESTful API. This component processes API requests by sending them to the Heat engine service via AMQP.

heat-api-cfn is the similar, CloudFormation-compatible RESTful API.

heat-engine provides the main orchestration functionality.

Figure 3.1

This chapter is not about the hands-on best practices for deploying Heat into your OpenStack environment. You've seen what Heat can do, though, and how it can do it. If you are interested in developing or consuming Heat, it is necessary to learn its API and technology stack.

Let's sum up what we've learned about orchestration in OpenStack. It has a rich ecosystem of modules available to facilitate automation throughout all stages of the stack's resources and their lifecycle, resulting in greatly reduced time-to-market for many IT demands/projects. Heat is the leading orchestration tool for OpenStack-based clouds, and it is an official part of the OpenStack distribution. With strong enterprise support and substantial on-going contribution, Heat is fast becoming the great tool of choice for OpenStack private and public clouds.

OPENSTACK DATABASE AS A SERVICE: TROVE

We have covered orchestration in the cloud and how it can help your business. Let's spend some time covering the differences between creating applications in and out of a cloud. As a software architect you need to give everyone the basic idea of how your application should be deployed and how it should work, especially in a cloud infrastructure. In general, you need persistent storage for your app; you need a database. So, what can the cloud give you? Would that be a cloud database or just Infrastructure-as-a-Service (IaaS)?

Cloud Database As Use Case of Software-Defined-Storage (SDS)

You may wonder if Heat is able to be the software that defines storage with the help of its DSL. This is true, but it is necessary to have an ability to manage storage in a very specific way. For example, given that software should enable a software-defined storage environment, it may also provide policy management for feature options such as deduplication, replication, clustering, fault-tolerance, thin provisioning, snapshots, and backup.

In the case of Heat, it is pretty complicated to provide all of these capabilities, since it would make cloud orchestration very complicated and hardly maintainable. That is why you should use Heat or implement your own orchestration, since a custom engine for services will do the storage provisioning. Within OpenStack, you can find a big variety of services that do storage provisioning: Cinder, Swift, and Manila.

Speaking of persistent storage, as a developer you need to have the capability of delivering a database as a specific use case of software-defined storage. It is great to have a service that delivers databases using the concepts of SDS, taking on all deployments and maintaining them behind the scenes.

A cloud database is a database that typically runs on a cloud computing platform, in our case that is OpenStack, and provides limited access, allowing users to interact with the database through its native API. For a long period of time there were no cloud databases, so database consumers tried to deal with it in their own way. There are two common deployment models: users can run databases on the cloud independently, using a pre-configured virtual machine image, or they can purchase access to proprietary solutions that work on top of different cloud platforms. So what's the problem with the last approach?

OpenStack and Trove

There are problems with using proprietary solutions that work on different cloud platforms. It is not enough to buy a product, since over some period of time the product must be supported. And if you are aware of software services and software product business models, you would definitely choose a service that provides databases instead of developing and supporting your own custom solution. This is because products seem to always cost less, thanks to a one-time purchase and no support, yet every problem is your personal headache, and support for products in general becomes more expensive than the cost of the product. On the other hand, purchasing a service subscription takes less money due to its time access restrictions, and in the case of software services, support is handled by the service provider.

Note that the first cloud database service was provided by Amazon AWS, called Amazon RDBS. It is only relational, with no NoSQL at all, but when RDBS was released, NoSQL was not widely available, so Amazon AWS customers were completely satisfied by SQL databases. Currently, RDBS is still alive and popular, and nothing much has changed (new flavors of databases were added, which are replications for MySQL).

Enterprises need clusters and data centers full of clusters, and they need them as quickly as possible. So, here are our demands: we need new SQL/NoSQL solutions, we need clusters, we need automated management operations (see SDS capabilities), and finally, we need it all in OpenStack by the end of today. So, OpenStack definitely missed such abilities, primarily the way to declare storage as a database using a specific language. There are a couple of possible ways to accomplish database installation within OpenStack:

Firstboot.d or cloud-init

Chef

Puppet

Ansible

Post-provisioning script execution with Fabric

It is easy to deploy a database. But what about the cost of your time to automate management tasks? If you choose this path, eventually you would end up spending time/money to update your scripts to adapt them to new requirements.

Obviously, enterprise customers would love to consume services and resources instead of maintaining them. Custom and very specific solutions may not work in terms of SDS, however, since an SDS DSL should be flexible. So, we need a service for databases that meets the concepts of SDS. Let's go back to 2012. Rackspace and HP decided to collaborate and implement such a service for OpenStack: the OpenStack database service, Trove.

Before describing the concepts of Trove itself, please keep in mind that Trove is not a database. Even if it was defined as a database as a service, Trove is not a database. Trove is a tool that delivers and manages database instances in a cloud environment. OpenStack's Database as a Service (DBaaS) project is in active development but holds a real treasure. This service is designed to provide all of the goods of both SQL and NoSQL databases without the hassle of having to handle complex administrative tasks. It is necessary to have a dedicated service that completely implements all SDS management operations. The idea was to provide scalable and reliable cloud database-as-a-service provisioning functionality for both relational and non-relational database engines, and to continue to improve its fully-featured and extensible open source framework (including replication, clustering, backup, restore, and user/database CRUD operations).

So, what are those differences between Trove and Amazon RDBS? Trove does NoSQL bootstrapping; however, starting with the Juno release Trove does replication for MySQL and Percona 5.5, as well as sharded clustering for MongoDB 2.x.x.

OpenStack DBaaS In Detail

Let's define what Trove is. In cloud computing there are two definitions for cloud databases: a data source API service and a data plane API service. Let's take a close look at the cloud pioneer, Amazon. Amazon AWS provides two different types of database services: Amazon RDBS and Amazon DynamoDB (and SimpleDB, the cheap version of DynamoDB). Both of these services are database services, and both deal with databases, but in completely different ways:

Amazon RDBS: a data plane API service that deploys databases within a single account. This is best for deployment on demand.

Amazon DynamoDB: a data source API service that creates schema entities over pre-deployed NoSQL database clusters.

From this perspective Trove is not a database. Trove is instead a database instance delivery service. Trove does instant database deployment on demand.

Before looking at Trove's API, you need to understand a few terms that Trove uses.

Datastore: a data structure that describes a set of datastore versions, which consists of:

ID: simple auto-generated UUID

Name: user-defined attribute; actual name of a datastore

Default datastore version ID

Example: MySQL, Cassandra, Redis, etc.

Datastore Version: a data structure that describes a version of a specific database pinned to a datastore, which consists of:

ID: simple auto-generated UUID

Datastore ID: reference to a datastore

Name: user-defined attribute; actual name of a database version

Datastore manager: trove-guestagent manager that is used for datastore management

Image ID: reference to a specific Glance image ID

Packages: database distribution packages that would be deployed onto a datastore VM

Active: boolean flag that defines if a version can be used for instance deployment or not

Example: Name: 5.6

Packages: mysql-server=5.5, percona-xtrabackup=2.1

So, both of these terms describe which database flavor version should be deployed.

Also it is necessary to understand which images should be used. Unfortunately, Trove is not able to work with pure cloud-ready images due to its architectural specialties: each Glance image should contain Trove's guest agent (an RPC service that manages the database instance where it was installed). For more information on how to create images for Trove, please take a look at this document: https://github.com/openstack/trove/blob/master/doc/source/dev/building_guest_images.rst

Now it is time to proceed to Trove's API and what it can do:

Database instance management (within supported datastores)

Database backup/restore (for MySQL and Percona it is also supported to create an incremental backup)

Post-provisioning configuration management

Clustering (starting with the Juno release for MongoDB 2.x.x, Vertica DB)

Replication (for MySQL and Percona)

Users/database CRUD operations (note, when this book was written not all supported datastore drivers in Trove were able to provide such ability)

Let's take a precise look at Trove's workflow and which OpenStack services are involved with instance provisioning. In Figure 3.2 you can see important Trove elements.

Figure 3.2

It is necessary to explain what happens when a user submits an instance provisioning task to Trove. First of all, we have to deal with how each new instance is a new VM with an attached block storage. So, there is no bare metal (say goodbye to Oracle and its license), and no containers. Secondly, for provisioning, Trove requires special images with additional software, which will be described later in this chapter.

So, each time a user creates an instance, Trove does the following:

Nova VM bootstrap

Cinder block storage provisioning

Once the VM is ready and the volume provisioned, Trove sends over an AMQP RPC message to the Trove agent that is deployed on the VM to set up the database. So, if it's not installed, install it, do additional configuration, and report that the database is ready. You probably noted that Trove does its own orchestration; this is a community decision. For now Trove doesn't fully support Heat-based provisioning. In Figure 3.3 you can see CLI calls to Trove for instance creation using python-troveclient.

Figure 3.3

Database Backup

Now let's take a look at how the instance backup procedure is implemented. Once a user submits a backup request, Trove asks its agent to perform a backup. Depending upon the backup implementation, it can be online or off-line. So, the agent uses native database tools to perform backups (xtrabackup for MySQL flavors, nodetool for Cassandra, etc.). Once the backup is ready, the agent packages it into an archive and then sends it to remote bucket storage: Swift. In terms of security concerns the agent encrypts the backup using an AES block cipher. But there's a problem. All instances use the same AES key within any deployment. In Figure 3.4 you can see CLI calls for backing up to Trove using python-troveclient (https://pypi.python.org/pypi/python-troveclient/1.2.0).

Figure 3.4

Trove Instance Restore

Actually the Trove instance restore is an interesting operation. You should take into account that you can restore data only into a new Trove instance. So, in this sense, the restore differs from instance provisioning only by applying a backup pulled from Swift. In Figure 3.5 you can see CLI calls to Trove for restoring a new instance using python-troveclient.

Figure 3.5

Trove Instance Configuration Management

Taking into account that Trove is a pure PaaS, there's no access to any other services on an instance apart from the database, and there's only one way to manage your instance: through Trove's API. One of the available API endpoints is configuration management for the deployed database. For different types of databases Trove provides an ability to modify different types of configurations. For example, in MySQL flavors it is possible to modify dynamic system variables that do not require putting the database into maintenance mode, but there are also options that require the database service to be shut down (datadir, logging, etc.). In Figure 3.6 you can see an example of changing the database configuration right after its deployment.

Figure 3.6

So, you may think that with the help of configuration management you can easily create a replication group for MySQL flavors. Actually, Trove developers did that for you, as shown in Figure 3.7, where you can see how Trove addresses replication within its API.

Figure 3.7

Speaking of replication, as part of its replication capabilities, Trove provides an ability to promote a slave to master and vice versa (i.e., demotion). For the sake of stability and predictability it was decided to implement this feature for manual mode only, to let users decide whether they want to do that or not. Also, starting with the Kilo release Trove is able to perform replication in two different ways (for MySQL flavors): regular binlog replication (binlogs are transferred through remote storage, by default Swift buckets) and a new type of replication that is supported by MySQL 5.6 and greater: GTID replication (see more info at https://dev.mysql.com/doc/refman/5.6/en/replication-gtids-concepts.html).

There's not much to say about Trove cluster provisioning. Basically, Trove creates a set of single instances of a specific datastore and its version. Once they are ready, Trove starts to execute operations for each instance to join them into a cluster. The set of operations always follows the industry best practices for cluster bootstrapping (specific to each datastore).

Trove Architecture

Like most OpenStack services Trove itself is divided into multiple services:

trove-api: A service that provides a RESTful API that supports JSON to provision and manage Trove instances.

trove-taskmanager: A service that does the heavy lifting as far as provisioning instances, managing the lifecycle of instances, and performing operations on the database instance.

trove-conductor: A service that is middleware between the guest agent and Trove's backend.

trove-guestagent: A VM-side service that manages database instances within their lifecycle.

In Figure 3.8 you can see how Trove's architecture is organized.

Figure 3.8

In the database world, outside of clouds, it is necessary to automate tasks such as a daily backup, but it does seem that Trove misses such ability due to heavy decisions on which technology to pick or creating from scratch. Implementing a scheduler is in the roadmap, but it is not clear when it will happen. So, stepping aside from the community plans, it is obvious that some day Trove's architecture will be extended by that scheduler. So here is the future of its architecture: Figure 3.9 explicitly describes how a scheduler will be integrated.

Figure 3.9

Here are some last words about Trove. The idea for Trove was to create a competitive (against Amazon AWS or other proprietary solutions) service that is part of the OpenStack ecosystem. Yes, it does support the provisioning of multiple database flavors and their versions (datastores with datastore versions in Trove terms). And yes, it does backup/restore for supported databases. It can do clustering for MongoDB and Vertica DB. But are all of these features needed by the enterprise? The answer is yes. And are those supported databases being requested and wanted by the enterprise? Unfortunately no. Trove only partially meets customer needs (at least the upstream version). So OpenStack must support widely used databases such as Oracle 12c, MySQL and others.

DESIGNATE: DNS AS A SERVICE

Being able to quickly deploy virtual machines and applications is the promise of OpenStack and cloud computing in general. However, if it still takes a phone call or service ticket to create a Domain Name Service (DNS) entry for the application, a lot of the effectiveness of automation is lost. That's where DNS-as-a-Service comes into play. It enables application deployment scripts to create DNS zones and records as needed. Designate is the project in OpenStack that makes this possible.

Understanding the Designate Architecture

Like other OpenStack services, Designate contains several components: an API endpoint (designate-api), a centralized logical controller (designate-central), an internal DNS server (MiniDNS or designate-mdns), and a manager (designate-pool-manager) to configure downstream, outward-facing DNS servers. There is also an optional designate-sink service that watches the message queue and can take other actions as needed based upon fired events (see Figure 3.10).

Figure 3.10

Designate can be backed by a variety of open source and commercial DNS servers, such as BIND, Infoblox, or PowerDNS. This is not visible to the tenant; the tenant simply has access to APIs to create and manage domains (zones) and the records in those zones. Each of these servers is accessed via a "backend" plugin, which contains the specific logic for interacting with that DNS server.

When a user makes a request via Horizon, the CLI client, or the API directly, the request will go to the designate-api service. This service manages the inbound HTTP connections, serving up the RESTful API. It communicates with designate-central over the message bus.

The designate-central service is the hub of activity, coordinating the actions required to carry out the API requests, and managing the persistent storage for the Designate data. When an API call requires a configuration change on one of the backend DNS servers, designate-central will send an RPC request to designate-pool-manager, which modifies the DNS server configurations. The specifics of what actions it takes will depend on the backend plugin.

When domains or records are created or modified, designate-central will also update the designate-mdns service. This is a small DNS server that works as a "hidden master" server for all Designate managed domains. That means that it is authoritative for the domain, but it does not show up as an NS record for the domain; in other words, it is hidden from view. Clients cannot find it to directly access it (it's also not accessible externally); only other name servers can access it. The backend DNS servers, which actually serve requests from clients, are configured to see designate-mdns as the primary server, and accept zone transfers from it. DNS zone transfers are a standard DNS method for sharing zone data among servers.

Using Designate

As an application developer, your interaction with Designate will primarily be to create, modify, and delete zones and records. Let's look at the designate CLI client and how to use it. Like other services, the client name is simply the service name, designate. It uses the same, consistent authentication means as other CLI clients. It also provides quotas on the number of entities you can create.

    $ designate quota-get tenant-id
    +-------------------+-------+
    | Field             | Value |
    +-------------------+-------+
    | domains           | 10    |
    | domain_recordsets | 500   |
    | recordset_records | 20    |
    | domain_records    | 500   |
    +-------------------+-------+
    $

The domains entry is just what you might expect; it refers to domain names such as example.com. Most likely, you will be restricted to creating sub-domains of your organization's domain (e.g., foo.example.com or foobar.example.com). To understand the entries in this quota list, you need to know a little more about DNS.

FULLY QUALIFIED DOMAIN NAMES

Designate requires you to use fully qualified domain names; this includes the trailing ".". Strictly speaking, a name is not a FQDN without that, and Designate will enforce this.

For each domain, the DNS server holds records. Each record has a type, a name, a time-to-live and any associated data. While there are many record types, Designate supports nine common types as of the Kilo release, shown in the following table. Remember, each record also has a name; the example data shown here is the result of a query for that name.

    Record Type   Example Data                      Description
    A             10.0.0.1                          An IPv4 Address record.
    AAAA          2001:DB8::1                       An IPv6 Address record.
    CNAME         foo.example.com.                  A canonical name; this is an entry used to map one name to another. For example, if there is a DNS A record named bar.example.com. referring to 10.0.0.1, then you can create a CNAME record named foo.example.com. referring to bar.example.com. (the true, or canonical, name of the resource).
    MX            10 mail.example.com.              A mail exchange server for the domain. This is used by mail agents to decide how to send mail to email addresses in this domain.
    NS            ns1.example.com.                  A name server record. The NS records on a domain specify which name servers are authoritative for the domain.
    SSHFP         1 2 a4b1a288…8821ab33ef           A public SSH host key fingerprint. This can be used to help verify hosts are who they say they are when using ssh.
    SPF           v=spf1 ip4:192.0.2.0/24 a -all    A Sender Policy Framework record, used to help prevent email spoofing. It enables you to specify rules to filter out incoming email. TXT records are often used for this instead.
    SRV           20 5 5060 sip.example.com.        A general service locator record. This is used to locate newer services rather than using a service-specific type like MX. See RFC 2782.
    TXT           Some example text.                Arbitrary text, either for human or machine consumption.

Most often, you will use the A, AAAA, CNAME and perhaps MX records. For deploying some applications you may also take advantage of SRV records to advertise the availability of the application service to the rest of the organization. The remainder are primarily used by the administrator or for special purposes.

Recordsets are groups of records with the same type, name, and TTL, but with different data. So, you can define an A recordset with multiple IP addresses as data. The name is what you are actually using when you look up a resource. For example, to look up the address (A) record named blue.foobar.example.com from the DNS server at 172.16.98.136, you can use the host utility in Linux:

    $ host -t A blue.foobar.example.com. 172.16.98.136
    Using domain server:
    Name: 172.16.98.136
    Address: 172.16.98.136#53
    Aliases:

    blue.foobar.example.com has address 10.1.0.100
    $

In the quota list, the domain_recordsets entry indicates the maximum number of recordsets (i.e., unique type/name combinations) you may have in a single domain. The recordset_records entry indicates the maximum number of records in a single recordset. And finally the domain_records entry puts an additional constraint on total records in a domain.
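The following added example (not the book's or Designate's code) groups records into recordsets the way the text defines them, enforces the trailing-dot FQDN rule, and checks a domain's records against the quota values from the quota-get output above; the sample records and the (type, name, ttl, data) input shape are this example's own assumptions.

```python
"""Recordset grouping and quota check for Designate-style records.

Added example, not Designate code. Quota numbers are the ones shown by the
book's `designate quota-get` output; records are constructed sample data
given as (type, name, ttl, data) tuples, an assumed input shape.
"""
from collections import defaultdict

QUOTA = {"domains": 10, "domain_recordsets": 500,
         "recordset_records": 20, "domain_records": 500}


def is_fqdn(name):
    """Designate accepts only fully qualified names: a trailing dot and no empty labels."""
    if not name.endswith(".") or name == ".":
        return False
    return all(0 < len(label) <= 63 for label in name[:-1].split("."))


def in_domain(name, domain):
    """True if `name` is the domain apex or lies below it (both FQDNs)."""
    return name == domain or name.endswith("." + domain)


def group_recordsets(records):
    """Group records into recordsets keyed by (type, name, ttl); values are the data."""
    sets = defaultdict(list)
    for rtype, name, ttl, data in records:
        sets[(rtype, name, ttl)].append(data)
    return dict(sets)


def check_domain(domain, records, quota=QUOTA):
    """Return the list of naming or quota violations for one domain's records."""
    problems = []
    if not is_fqdn(domain):
        problems.append(f"domain {domain!r} is not fully qualified")
    for rtype, name, ttl, data in records:
        if not is_fqdn(name):
            problems.append(f"{rtype} {name!r} is missing the trailing dot")
        elif not in_domain(name, domain):
            problems.append(f"{rtype} {name!r} is outside {domain}")
    sets = group_recordsets(records)
    if len(sets) > quota["domain_recordsets"]:
        problems.append(f"{len(sets)} recordsets exceeds domain_recordsets")
    for (rtype, name, ttl), data in sets.items():
        if len(data) > quota["recordset_records"]:
            problems.append(f"{rtype} {name} has {len(data)} records, over recordset_records")
    if len(records) > quota["domain_records"]:
        problems.append(f"{len(records)} records exceeds domain_records")
    return problems


# Constructed sample: one A recordset with two addresses, one CNAME, and one
# record that forgets the trailing dot.
SAMPLE = [
    ("A", "blue.foobar.example.com.", 3600, "10.1.0.100"),
    ("A", "blue.foobar.example.com.", 3600, "10.1.0.101"),
    ("CNAME", "web.foobar.example.com.", 3600, "blue.foobar.example.com."),
    ("A", "green.foobar.example.com", 3600, "10.1.0.102"),
]
```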

Creating a domain using the CLI is straightforward; you use the domain-create command.

    $ designate domain-create --ttl 3600 --name foobar.example.com. \
        --email info@example.com
    +-------------+--------------------------------------+
    | Field       | Value                                |
    +-------------+--------------------------------------+
    | description | None                                 |
    | created_at  | 2015-08-10T19:11:22.000000           |
    | updated_at  | None                                 |
    | email       | info@example.com                     |
    | ttl         | 3600                                 |
    | serial      | 1439233882                           |
    | id          | 7254c2b3-187c-428e-974d-03bac08cb2af |
    | name        | foobar.example.com.                  |
    +-------------+--------------------------------------+
    $

You will notice that you must specify an email address as the contact for the domain. You also may specify the TTL value. This value is used by downstream caching name servers to know how long to hold onto the data before refreshing their cache. The value is in seconds; the longer you specify, the more time it will take for changes to go into effect across the entire Internet. However, specifying too low of a value for a frequently looked up domain can overburden your DNS servers. The default value in Designate is 3600, or one hour.

Once you have created a domain, you can start creating records. When you spin up a new VM, you can create a DNS entry for it so that other VMs within the cloud can access it by name, rather than by IP address. To create the record we used in the example lookup earlier, use this command.

    $ designate record-create --type A --name blue.foobar.example.com. \
        --data 10.1.0.100 foobar.example.com.
    +-------------+--------------------------------------+
    | Field       | Value                                |
    +-------------+--------------------------------------+
    | description | None                                 |
    | type        | A                                    |
    | created_at  | 2015-08-10T19:18:59.000000           |
    | updated_at  | None                                 |
    | domain_id   | 7254c2b3-187c-428e-974d-03bac08cb2af |
    | priority    | None                                 |
    | ttl         | None                                 |
    | data        | 10.1.0.100                           |
    | id          | fc83692a-f484-41fa-81c8-25300a908f7b |
    | name        | blue.foobar.example.com.             |
    +-------------+--------------------------------------+
    $

You will notice that the statement above says "within the cloud." The VM IP address at spin up is typically a private address, so machines external to the cloud will not be able to access the address directly. To enable external systems to access the VM via the name lookup, you need to associate a DNS entry with the floating IP address, not the private IP address.

One option to handle this cleanly is to use two different domain names for internal and external references. For example, if you want others in your organization to access your application from outside the cloud, you could create a domain cloud.example.com and another cloud-local.example.com. When you provision a VM (or a port in Neutron), you create an entry in the cloud-local.example.com domain. When you associate a floating IP address with that VM, you create a separate entry for the floating IP in cloud.example.com. Your internal cloud applications can refer to the cloud-local.example.com domain and the external clients to the cloud.example.com domain.

This works, but it's a pretty cumbersome solution. The alternative typically used in DNS is called split-horizon DNS. In this configuration, the DNS server can look at information about the inbound request, such as the DNS server IP address it came in through, or the source IP address of the query. It uses this information to choose the DNS view in which to evaluate the query response. DNS views enable you to define a different response for the same query, one in each view. So, you can define an A record for www.cloud.example.com in the internal view that resolves to 10.1.0.100, and an A record for www.cloud.example.com in the external view that resolves to the floating IP address.

Unfortunately, as of the Kilo release, Designate does not yet support split-horizon DNS. However, it is on the roadmap so we can look forward to it in a future release.
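To show what the split-horizon behaviour described above looks like in practice, here is an added example (not Designate code, which as of Kilo has no views): a minimal view selector that answers the same name with the private address for queries from inside the cloud and with the floating IP for everyone else. The internal network ranges, the floating IP and the record names are constructed sample values.

```python
"""Split-horizon view selection, as an added example (not Designate, which as of
Kilo has no views). The server picks a view from the query's source address
and answers the same name differently in each view; the zone data, networks
and floating IP below are constructed sample values.
"""
import ipaddress

# Constructed: cloud-internal ranges. Queries from anywhere else are answered
# from the external view.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zone data per view: (type, name) -> list of data values (one recordset).
VIEWS = {"internal": {}, "external": {}}


def select_view(source_ip):
    """Choose the view by the source address of the query."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "external"


def add_record(view, rtype, name, data):
    """Add one record to the recordset for (type, name) inside the given view."""
    VIEWS[view].setdefault((rtype, name), []).append(data)


def publish_vm(name, private_ip, floating_ip=None):
    """Mirror the workflow from the text: the private address goes into the
    internal view at spin-up; the floating IP, once associated, goes into the
    external view under the very same name."""
    add_record("internal", "A", name, private_ip)
    if floating_ip:
        add_record("external", "A", name, floating_ip)


def resolve(rtype, name, source_ip):
    """Answer a query in the view chosen for its source address."""
    return list(VIEWS[select_view(source_ip)].get((rtype, name), []))
```

A VM that has no floating IP yet is resolvable only from inside the cloud, which is exactly the "within the cloud" limitation the text describes.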

Designateisapowerfulandimportantpartinautomatingyourdeployments.TheabilitytomakeyourapplicationimmediatelyaccessibleviaaDNSentryiscriticaltotherapidspinupofapplications.WithoutthecapabilitiesofDesignate,applicationdeploymentsinOpenStackwouldbelimitedbytheoftenmanualDNSentrycreationprocess.

MAGNUM

One of the newest and most interesting components in the OpenStack ecosystem is a container-focused project called Magnum. If you are unfamiliar with them, containers are a virtualization technology similar to virtual machines, only they work without a hypervisor. A more detailed conversation about exactly what containers are, how they compare to virtual machines, and the challenges/solutions they provide can be found at the beginning of Chapter 6. In truth, when used in an OpenStack environment, containers actually have to live on top of classically provisioned instances. However, for the purposes of understanding what Magnum is and why it is important, containers can simply be looked at as another type of virtual machine that cannot be managed via Nova or Neutron.

Containers As A Service

Magnum is generally defined as a service that provides containers and container management within OpenStack. It allows you to programmatically provision, delete, and network containers without having to rely on a specific vendor, and does so in a multi-tenant capable manner.

There are currently a number of these vendor-specific container orchestration systems. Google’s Kubernetes and Docker’s Swarm are the most well known, and are both supported by Magnum. More recent offerings like Mesos and others are not yet supported, but are likely to be implemented at some point in the near future. One of the major concepts behind Magnum, though, is that you don’t have to rely on any specific vendor. Instead, OpenStack provides a set of agnostic APIs and interfaces that allow you to choose your own container type and orchestration system. This prevents vendor lock-in and allows you to more easily adopt new technology as it comes along.

Its ability to manage containers in a multi-tenancy fashion means that Magnum’s functionality can be extended to consumers within an OpenStack-backed public cloud. Until now, in addition to being vendor specific, all of the prevailing solutions for container management would give anyone with access to the orchestration layer access to every container within it. With Magnum, containers are isolated by tenant, and their access is backed by Keystone.

Built Using Flannel, Kubernetes, and Docker?

Magnum is created from a number of different components, but you will often hear that it is built upon three rather enigmatic technologies: flannel, Kubernetes, and Docker. It is helpful to know what each of these things is, but as you will see, it’s a bit of a misnomer to consider Magnum as simply a combination of these things.

The first of these technologies, flannel (yes, it’s a lowercase f), was created by the people at CoreOS Inc. It is a virtual network that gives a subnet to each host for use with container runtimes. It provides a network binding between the classically provisioned host server and the multiple containers that exist on top of it, allowing traffic to be routed to and from specific containers. flannel is transparent in Magnum. There are no flannel APIs to speak to, nor is there any specific flannel functionality that has been exposed. Rather, flannel simply provides the networking to containers that Neutron could not.

The next one, Kubernetes, is a Google-backed open source project that provides Magnum with a driver for the orchestration of Docker containers. Like flannel, you don’t interact directly with Kubernetes. Instead, you interact with the Magnum API, which can then use Kubernetes to provision, alter, or remove containers, pods, and bays. Unlike flannel, by using alternate drivers such as Swarm or Mesos, it is possible to actually use Magnum without Kubernetes at all.

Lastly, there is Docker. Docker is the technology you have most likely heard of, but it can also be the most confusing since it is a number of different things. When people refer to Docker, they can be referring to it as a company. Docker actually offers a number of products centered around containers, including Docker Hub (a hosted registry service) and Docker Swarm (mentioned earlier as an alternative to Kubernetes). The Docker Engine is also often referred to as just Docker. The Docker Engine is a runtime as well as a number of tools that allow you to build and run Docker containers.

In the case of OpenStack Magnum, Docker is basically a container format, or software to run this format of containers on a host when using Swarm, which is an orchestration driver for these Docker-formatted containers. While not supported currently, it is also possible that other container formats like Rocket could allow you to use Magnum without Docker at all.

The reference to these technologies as the basis for Magnum is not deceptive. It’s meant to explain Magnum in its most common use case. Any reference on how to use Magnum will likely demonstrate how to deploy Docker containers using Kubernetes, and flannel will back the networking behind the scenes. In truth, though, they are simply more technology in an array of technical options that OpenStack and Magnum provide in a simplified way to use.

Built Using OpenStack

In addition to using Keystone for authentication and permissions, Magnum is actually built using a number of the other OpenStack projects that have already been discussed. It employs Heat for creating pods and bays where containers can live, Nova as its compute backbone, and Neutron to handle networking outside of the containers themselves. This can provide you with a lot of flexibility on exactly how containers are implemented in your environment.

For example, the computational unit that runs a cluster of containers (or node) can be anything that Nova can supply as a server. This means containers can be provisioned on top of bare metal servers or virtual machines. So not only does Magnum provide vendor-agnostic containers, but it can be backed by vendor-agnostic computing. The same can be said for its networking and even storage components. This is intentional, and is a great illustration of how OpenStack allows you to work with whatever assets you have available.

Building on top of the existing tools within OpenStack provides familiar interfaces, but that is not to say that using Magnum is no different than provisioning a VM and throwing it on a private network. The specific needs of containers that made them a poor fit for Nova also make their orchestration and configuration a slightly different process.

Bays, Pods, Nodes, and Containers

As mentioned before, all containers that are part of Magnum run on top of Nova-provisioned servers. What wasn’t mentioned was that these containers actually run on top of something called Bays, which provide the container orchestration itself. Depending on the driver/vendor, containers or pods are then created on top of these bays in groups called nodes. Figure 3.11 may make this a little clearer.

Figure 3.11

To provision a container, you must first select and provision a bay type. This will normally be done using one of several bay models that can be self-defined, but will most likely be provided by the system natively. Bay models are similar to Flavors when dealing with virtual machines. There will likely be one bay model available for each vendor/driver that has been configured in the system, and like most assets within OpenStack the bay models can be listed with a command. However, for now, selecting a bay model essentially means choosing between Kubernetes and Swarm.

Whatever the choice, the bay model is specified within a Heat template and the actual bay is created through Heat. Bays are then available as stacks within the Heat API or in the Horizon interface.

From this point, the Magnum API takes over. Within a bay you can call the Magnum API to create containers (or pods), and stop, start, and reboot them like you can with VMs in Nova. This covers the basics, so you should have some idea of what Magnum is and how it works.

Magnum as the Future of OpenStack

There have been a lot of questions in the container community lately as to the need for OpenStack in the face of projects such as Kubernetes. After all, Kubernetes and Docker both provide nearly complete orchestration solutions.

A few reasons have already been mentioned as to why you might look toward OpenStack as a solution. Multi-tenancy and vendor-agnostic APIs are both highly desirable qualities. Not having to acquire in-depth knowledge of some of the more esoteric technologies such as flannel can also be a big plus.

The big win here, though, is that OpenStack is trying to build a more future-proof platform, and Magnum is likely to be a big part of OpenStack’s future. Containers are excellent technology, but they are one of the fastest changing solutions out there. Like any new technology, the initial winners are often long-term losers, so it’s risky to get in deep with any single container vendor/format/platform just yet. Because it is largely provider agnostic, placing a bet on Magnum is thus a much less risky venture. For example, the ability to shift gears from Kubernetes to Swarm without having to modify your deployment system could be a huge win, and while virtual machines are likely to be a big part of the landscape for many years to come, containers are here to stay.

MURANO: APPLICATION AS A SERVICE

From a cloud user perspective, since OpenStack got its own orchestrator, the user experience became more solid. It brought lots of improvements, but for cloud apps the integration process was too complicated due to specific limitations regarding the way Heat allows you to describe the infrastructure that needs to be deployed. So, even using the latest Heat HOT DSL, cloud consumers still can create a specific configuration, but writing a template would become a nightmare.

So, to improve the user experience and provide more flexible capabilities for cloud users to deploy and maintain their own cloud-ready application, it was decided to implement a new type of OpenStack service that would use Heat as the deployment tool and that provides an API allowing you to define applications using the same environment templates.

Application Catalog

Murano was designed to provide a way to make third-party applications and services running on VMs, or even external services, available as self-service for OpenStack. These applications may be a simple multi-tier application with auto-scaling and self-healing (within Heat capabilities). From the third-party tool developer’s perspective, the application catalog will provide a way to publish applications, including deployment rules and requirements, suggested configurations, output parameters, and billing rules. From the user’s perspective, the application catalog will be a place to find and self-provision third-party applications and services, and integrate them into their environment, including billing costs.

The Application Catalog service was provided to simplify the process of creating applications and/or services on OpenStack. Installing third-party services and applications can be difficult in any environment, but the dynamic nature of an OpenStack environment can make this problem worse. Murano is designed to solve this problem by providing an additional integration layer between third-party components and the OpenStack infrastructure. This integration layer makes it possible to provide both Infrastructure-as-a-Service and Platform-as-a-Service from a single control plane. For users, this control plane is a single interface from which you can provision an entire fully-functional cloud-based application environment. The Application Catalog service was integrated with all OpenStack components directly and indirectly via the orchestrator (OpenStack Heat). The Ceilometer service collects usage information, which the Murano API uses during billing rules processing to calculate billing information. The Murano API will expose API calls to manage (CRUD) services available for deployment. This API will be used by the Service administrator user interface to simplify service management.

Application Publisher

The process begins when an Application Publisher creates a new application description and publishes it to the Application catalog. Once the application is uploaded, it’ll be available within any application catalog instances, depending on the policies for that instance. Application Publishers should be able to create new applications by defining service metadata, describing properties, and specifying all of the steps necessary for deploying the application and its dependencies. The developer can create this definition from scratch or use an existing definition by extending it, similar to inheritance in the object-oriented paradigm. The Application Publisher can define the external dependencies of an application. This list of dependencies defines the other services (specified by their type) that must be present in the environment when an application is being deployed.

The Application Publisher may define additional terms of use for an application. For example, the developer may limit its usage and extensibility (via inheritance or referencing from another application) or specify billing rules. Another important set of parameters that the Application Publisher may specify in the Service Definition are the usage metrics. These usage metrics define which aspects of the service should be monitored by Ceilometer or other monitoring tools supported by Murano when its instances are running. The Application Publisher can then specify the billing rules used with those metrics, essentially defining how much service usage will cost the user. A service definition is not bound to any particular OpenStack deployment or instance of Murano. The developer may create a service definition and then publish that definition in several service catalog instances.

Application Catalog Administrator

A published service/application definition is managed by the catalog administrator. Catalog administrators are the maintainers of the application service catalog. They have the ability to manually add or remove service definitions in a catalog, or act as moderators allowing or disallowing other Application Publishers to publish their service definitions. This control can be granular or not, as the administrator chooses. For example, the administrator may specify that any new submissions must be approved before being available to any end users, or the administrator may instead choose to make services available only to the OpenStack tenant associated with the application publisher until a service is approved.

Administrators may define their own billing rules, which will be in addition to the billing rules specified by the application publisher (if they were defined). This enables catalog administrators to cover the costs involved in running and maintaining the cloud.

Catalog administrators configure Role-Based Access Control (RBAC) rules, which define which users (who are associated with tenants) of the cloud have access to which services in the catalog, and whether they may be directly deployed or must be approved.

Application Catalog End Users

OpenStack users should be able to create environments composed of one or more available services. Application catalog consumption by end users follows:

The user browses a list of available services/applications and selects one or more for deployment. If a selected service has dependencies that require other services to be deployed in the same environment, the user may either select an instance of the necessary service from instances of that type that are already present in the environment, or add a new instance of that type instead. Dependencies may include other services, or they may include resources such as a floating IP address or license key. Each service added to the environment must be properly configured; the user is prompted to provide all required properties, and the input is validated according to the rules defined in each service definition. When the user has finished configuring the environment, he or she can deploy the environment—if he or she has the appropriate permissions. Deployment of the environment means that instances are created, services are deployed, and all required configuration actions take place and are accomplished properly.

In some environments, it will be more appropriate for end users to submit their deployments to IT as a ticket. The IT department can then sanity-check the definitions, determine whether they are appropriate, and approve, modify, or reject the deployment. If the request is approved or modified, the IT department can then initiate the deployment, rather than the user.

Users can browse any deployed environments for which they have permissions, and inspect their state. Inspection includes the ability to determine which services are running on which nodes, how the services are configured, and so on. Users can modify service settings, add new services or remove existing ones, validate the changes (i.e., check that all the required properties are set to valid values, all the service dependencies exist, and so on), and redeploy the environment by propagating these changes into the Cloud. The user can also inspect the usage metrics of the services running in his or her environments, and see billable activities and the total amount of money spent for a particular service.

It sounds good when we’re saying “an application” or “service,” but we haven’t defined what an application or service is, so it would be very useful to mention a few examples of an application that may be deployed within Murano:

RDBMS and NoSQL databases provided by Trove

Hadoop Cluster provided by Sahara

OpenShift PaaS Cluster provisioned through Heat

MS SQL Cluster

Chef Server or Puppet Master node installed by Murano workflows

Nagios or Zabbix monitoring managed by Murano workflows

Murano Architecture

Following best practices in OpenStack, Murano was designed to have its components decoupled (see Figure 3.12), and it consists of:

murano-api, a RESTful service that faces users

murano-conductor, the actual engine that does most of the heavy work for creating deployments

murano-agent, a VM-side service that does software deployment and configuration according to a given application description

backing service (MySQL)

deployment engine (Heat)

Figure 3.12

Murano Usage Example

Murano as an Application catalog intends to support applications defined in different formats. One such example is Heat HOT DSL template support. It means that any Heat template could be added as a separate application into the Application Catalog.

Before uploading an application into the catalog, it should be prepared and packaged appropriately. The Murano command line will do all of that preparation for you. Just choose the desired Heat Orchestration Template and perform the following command:

murano package-create --template WordPress_2_Instances.yaml

Note that the Murano REST client allows you to specify additional parameters during package creation:

application name

application logo (used in the UI)

application description

application author(s)

output (local storage path to save the created package)

full name

But under the hood Murano does more than can be seen; it creates a manifest according to a given description, so in our case the manifest for the given template would look something like this:

Format: Heat.HOT/1.0
Type: Application
FullName: io.murano.apps.linux.Wordpress
Name: Wordpress
Description: |
  WordPress is web software you can use to create a beautiful website or blog.
  This template installs a single-instance WordPress deployment using a local
  MySQL database to store the data.
Author: 'Openstack, Inc'
Tags: [Linux, connection]
Logo: logo.png

Once the manifest has been created, the user would need to package the application before uploading it to Murano. Users must name the template file template.yaml, and the name for the manifest file should be manifest.yaml. The user then needs to package an archive (*.zip, tar.gz, or whatever). You can then import the application:

murano package-import --category Web --template wordpress.tar.gz
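The manifest and packaging steps just described, as an added Python example that is neither the murano CLI nor Murano project code: it writes a manifest.yaml in the shape shown above, bundles it with template.yaml (and an optional logo.png) into a zip or tar.gz, and checks a package for the two required file names and the manifest keys before it is handed to package-import. The keys treated as mandatory (Format, Type, FullName, Name) and the two-space indentation of the Description block are assumptions taken from the sample manifest, not Murano's own validation rules.

```python
import io
import tarfile
import zipfile
from typing import Dict, List

# Assumed mandatory keys, read off the sample manifest rather than Murano's validator.
REQUIRED_MANIFEST_KEYS = ("Format", "Type", "FullName", "Name")


def build_manifest(full_name: str, name: str, description: str, author: str,
                   tags: List[str], logo: str = "logo.png") -> str:
    """Write manifest.yaml text for a Heat.HOT application in the layout shown in the text."""
    lines = [
        "Format: Heat.HOT/1.0",
        "Type: Application",
        f"FullName: {full_name}",
        f"Name: {name}",
        "Description: |",
    ]
    # Literal block: every description line is indented under the key (assumed layout).
    lines += [f"  {line}" for line in description.strip().splitlines()]
    lines.append(f"Author: '{author}'")
    lines.append("Tags: [" + ", ".join(tags) + "]")
    lines.append(f"Logo: {logo}")
    return "\n".join(lines) + "\n"


def package_application(manifest_text: str, template_text: str,
                        logo_bytes: bytes = b"", fmt: str = "zip") -> bytes:
    """Bundle manifest.yaml, template.yaml and an optional logo into an in-memory archive."""
    files: Dict[str, bytes] = {
        "manifest.yaml": manifest_text.encode(),
        "template.yaml": template_text.encode(),
    }
    if logo_bytes:
        files["logo.png"] = logo_bytes
    buf = io.BytesIO()
    if fmt == "zip":
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for member, data in files.items():
                zf.writestr(member, data)
    elif fmt == "tar.gz":
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for member, data in files.items():
                info = tarfile.TarInfo(member)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    else:
        raise ValueError(f"unsupported package format: {fmt}")
    return buf.getvalue()


def inspect_package(blob: bytes) -> List[str]:
    """Return the problems found in a package: missing mandatory files or manifest keys.

    An empty list means the package carries what the import step expects; the archive type
    is sniffed from the zip magic, anything else is treated as tar.gz.
    """
    manifest = None
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            if "manifest.yaml" in names:
                manifest = zf.read("manifest.yaml").decode()
    else:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
            names = set(tf.getnames())
            if "manifest.yaml" in names:
                member = tf.extractfile("manifest.yaml")
                manifest = member.read().decode() if member else None
    problems = [f"missing {required}" for required in ("manifest.yaml", "template.yaml")
                if required not in names]
    if manifest is not None:
        # Top-level keys are the unindented "key:" lines; block continuation lines are indented.
        keys = {line.split(":", 1)[0] for line in manifest.splitlines()
                if line and not line.startswith(" ")}
        problems += [f"manifest lacks {key}" for key in REQUIRED_MANIFEST_KEYS if key not in keys]
    return problems
```

Running inspect_package before package-import is worth the few lines: a package is executable intent (the template inside it creates resources under the importing tenant), so checking that it is the package you meant to upload, and that it is complete, belongs in the same step that publishes it.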

This is only a basic example of how users can consume Murano and its capabilities as an Application catalog for OpenStack. For other use cases and usage examples please take a look at http://murano.readthedocs.org/.

From a cloud user’s perspective Murano is very useful. Outside of the OpenStack ecosystem you should look at Red Hat OpenShift, which is a PaaS platform for application deployment and management. You might also look at Gigaspaces Cloudify, which is a PaaS solution that aims to be a complete substitution for Heat, Murano, and Solum for OpenStack enterprise customers/consumers. But Murano is an official part of OpenStack, so it means that Murano is free and comes out of the box for any OpenStack distribution.

CEILOMETER: TELEMETRY AS A SERVICE

Applications and systems require monitoring. In order to ensure continuous service delivery, you need to know whether your applications or the infrastructure running those applications have encountered any faults, and whether they are experiencing heavy utilization. Ceilometer is primarily focused on the latter function—monitoring resource utilization across the cloud, although it does provide some alarming and notification functionality as well. Ceilometer monitoring may be used for capacity planning, billing and chargeback, as well as elastic scaling.

Ceilometer Architecture

The major components of the Ceilometer architecture include the API, the polling agents, collectors for storing agent results, alarm evaluators, alarm notifiers, and possibly several different backend databases (see Figure 3.13).

Figure 3.13

There are two basic types of Ceilometer agents: notification receivers and pollers.

The polling agents periodically request various metrics from other services. For example, the ceilometer-agent-compute will run on a compute node and gather guest CPU statistics from the hypervisor on that compute node. The notification receiver agents simply listen on the message bus, and gather information about the inner workings of other OpenStack systems based on their notification outputs.

All of this data collected by the agents is sent back to the ceilometer-collector, which is a daemon (or many instances of the daemon) that transforms and stores the data into the backend databases. There may be several different databases used, based upon the different types of data.

The ceilometer-alarm-evaluator process is configured to look at the data in the system and evaluate whether alarming criteria are met. These criteria are user-defined and configurable. Once the criteria are met, then ceilometer-alarm-notifier will take an action based upon the raised alarm. This could be calling a specific URL, or another user-specified action.

Elastic Scaling with Ceilometer

In Chapter 6, you will see in detail how your applications can scale elastically by combining the telemetry data from Ceilometer with the orchestration capabilities of Heat. In short, you configure Heat and Ceilometer to monitor the Ceilometer metrics for a group of resources (say, VMs, and you are monitoring CPU utilization). When a threshold is reached, an alarm fires, which in turn calls out to Heat to scale up (or down) the number of instances. This is a powerful way to meet uneven demand, while optimizing the costs associated with an application.
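A model of the evaluator/notifier loop described in the two sections above, as an added Python example that is not Ceilometer or Heat code: it groups constructed cpu_util samples from two instances into fixed periods, evaluates a high and a low threshold alarm over the period average the way an alarm with an evaluation_periods setting does, and invokes the scale-up or scale-down action only when an alarm changes state (the action stands in for the URL the notifier would call). The sample values, thresholds, period length and alarm names are all constructed.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Dict, List, Tuple

# Constructed samples: (timestamp in seconds, resource id, cpu_util percent), as the
# compute polling agent might report for a scaling group of two instances.
SAMPLES: List[Tuple[int, str, float]] = [
    (0, "vm-a", 20.0), (0, "vm-b", 25.0),
    (60, "vm-a", 70.0), (60, "vm-b", 80.0),
    (120, "vm-a", 85.0), (120, "vm-b", 90.0),
    (180, "vm-a", 30.0), (180, "vm-b", 20.0),
]


@dataclass
class ThresholdAlarm:
    """Threshold alarm over the average of one period; modelled on, not copied from, Ceilometer."""
    name: str
    threshold: float
    comparison: str                 # "gt" or "lt"
    evaluation_periods: int         # consecutive matching periods required before firing
    action: Callable[[str], None]   # what the notifier does on an ok -> alarm transition
    state: str = "insufficient data"
    matched: int = 0
    fired_at: List[int] = field(default_factory=list)

    def _matches(self, value: float) -> bool:
        return value > self.threshold if self.comparison == "gt" else value < self.threshold

    def evaluate(self, period_end: int, values: List[float]) -> str:
        """Evaluate one period and return the new alarm state."""
        if not values:
            self.state, self.matched = "insufficient data", 0
            return self.state
        self.matched = self.matched + 1 if self._matches(mean(values)) else 0
        new_state = "alarm" if self.matched >= self.evaluation_periods else "ok"
        # The action runs on the transition into alarm, not on every period that stays there.
        if new_state == "alarm" and self.state != "alarm":
            self.action(self.name)
            self.fired_at.append(period_end)
        self.state = new_state
        return self.state


def periods(samples: List[Tuple[int, str, float]], period: int) -> Dict[int, List[float]]:
    """Group samples into fixed windows keyed by the window's end time."""
    grouped: Dict[int, List[float]] = {}
    for ts, _, value in samples:
        grouped.setdefault((ts // period + 1) * period, []).append(value)
    return grouped


def run_scaling(samples: List[Tuple[int, str, float]], period: int = 60) -> List[Tuple[str, str]]:
    """Drive both alarms over the sample stream; return the scaling actions in order."""
    events: List[Tuple[str, str]] = []
    high = ThresholdAlarm("cpu_high", 60.0, "gt", 2, lambda n: events.append(("scale_up", n)))
    low = ThresholdAlarm("cpu_low", 30.0, "lt", 1, lambda n: events.append(("scale_down", n)))
    grouped = periods(samples, period)
    for end in sorted(grouped):
        high.evaluate(end, grouped[end])
        low.evaluate(end, grouped[end])
    return events
```

With these samples the scale-up alarm needs two busy periods before it fires, while the scale-down alarm fires on the very first quiet period, including the one at the start of the stream. That asymmetry is the usual reason a real scaling policy pairs the low alarm with a longer evaluation window or a cooldown, so that a brief lull does not remove capacity that the next period will need.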

SUMMARY

There is a lot to be said about using OpenStack as simply a platform for provisioning servers and networks. In doing so, it would be easy to discount many of the projects discussed in this chapter. After all, most of us have made it this far without application packaging, containers, or any sort of orchestration system. However, the expanded ecosystem of technology presented here hints at a larger goal for OpenStack. It is trying to be more than just an IaaS provider. In fact, many of these projects offer solutions to the fundamental needs of web development. It’s almost uncommon these days for an application not to involve a database (Trove), DNS entries (Designate), and alerts (Ceilometer). Even though it isn’t scripted and labeled as orchestration, such applications also require manual configuration and deployment in some manner.

In this sense, OpenStack is attempting to make the process of developing and deploying cloud-based applications not just possible, but easier and more formalized. It’s also trying to provide scriptable self-service solutions for some of the more common tasks in web development in general. For that reason alone, these secondary components are worth learning about and experimenting with. So before we move on and start looking at what a cloud application looks like, take another look at this chapter and ask yourself if these projects provide solutions for problems you frequently encounter. In all likelihood, they do, and utilizing them can make you more productive, and your applications less proprietary.

PART II Developing and Deploying Applications with OpenStack

CHAPTER 4: APPLICATION DEVELOPMENT

CHAPTER 5: IMPROVING ON THE APPLICATION

CHAPTER 6: DEPLOYING THE APPLICATION

4 Application Development

WHAT’S IN THIS CHAPTER?

Legacy applications

Why do you need migration to clouds?

Migrate-to-cloud methodology

Convert your application into an OpenStack app

Building applications from scratch

Development stack

Application network connectivity

Application security

Hands-on application deployment

In this chapter you will be explicitly shown how to perform a legacy application migration from a self-maintained proprietary environment to an OpenStack environment. But before diving in, let’s make sure we understand the full meaning of the term “legacy application.” In computer science, legacy applications are those that come from platforms and techniques that existed earlier than the current technology stack, and in general these are applications that are serving critical business needs in an organization. Okay, let’s get started.

CONVERTING A LEGACY APP TO AN OPENSTACK APP

When the word “legacy” appears within any context, the first thought is that we’re talking about something very old that can’t be adjusted to the current state of things. But if we’re talking about software, a legacy application is not necessarily defined by age. Legacy may refer to the lack of vendor support or a system’s incapacity to meet organizational requirements. Legacy conditions refer to a system’s difficulty (or inability) to be maintained, supported, or improved. A legacy application is usually incompatible with newly purchased systems. An organization might continue to use legacy applications for a wide range of reasons, such as the following:

It works, so why should we invest more?

The legacy system is complex, and documentation is poor. Simply defining its scope can be difficult.

A redesign is costly, due to complexity or a monolithic architecture.

Why Migrate to Clouds?

In most cases, it is really complicated to keep apps running during updates without a maintenance window. In the case of legacy applications, “update” even means that the whole application was re-written using new programming languages, and involving new types of services (for example, switching from self-maintained databases to cloud databases). This should make legacy applications easier to maintain in the future, given that you can update applications without having to entirely rewrite them, which allows a company to use their applications on any environments or operating systems.

Yet, for the enterprise and their legacy applications, a system redesign would take a lot of effort (money, time, and an unclear value-add).

Enterprise IT organizations are facing critical challenges maintaining legacy applications:

Cost of proprietary hardware and software

Attrition in people with qualified skills and experience

Inability to support the modern computing demands of mobile and big fast data

Cloud computing can help with legacy applications in terms of maintenance for the IT department. Unfortunately, many IT organizations see the prospect of modernizing legacy applications as a “mission impossible,” with the path forward “too cloudy” and the costs and risks too great. They have a point, but there are some factors that can help determine if our legacy applications can migrate to the cloud:

Structure: A large, single-tiered, monolithic legacy application isn’t a good fit for clouds. Efficiencies are gained when the application is modular or the load can be spread out over several application instances to allow high availability (HA) and scalability.

Software and hardware dependencies: A particular chipset or an external device such as an eye scanner might not be a good fit for the cloud. The same thing can apply to software, since a legacy application may require the use of a specific operating system or set of libraries that can’t be used in a cloud nor be virtualized. If this is the case, then definitely an app like this is not a good fit for the cloud.

Durability and fault-tolerance: Despite application Service Level Agreements (SLAs), we’re living in a world where everything breaks: networks are disrupted, servers fail, and the multi-tenant usage of an application looks like a Distributed Denial-of-Service attack (DDoS) instead of showing regular behavior. Applications must survive or be sturdy enough to contend with any given issues.

As a result, many enterprise companies are resigning themselves to live with legacy applications because moving to the cloud is not a step forward due to the amount of effort that is required. Eventually, the business loses confidence in IT’s ability to deliver, and the costs continue to rise without corresponding value or any visible benefit. Let’s examine some specific advantages for moving from a legacy app to a cloud app.

First, moving your legacy app to the cloud lowers the total cost of ownership. Maintaining mainframe license leasing costs is one area to look at. Since the cloud further commoditizes the infrastructure, modernizing mainframe apps to the cloud should decrease the total cost due to the absence of needing to maintain the environment by itself.

In clouds, flexibility defines the rate at which legacy application needs can be successfully adjusted to meet the ever-changing needs of the business. In the case of environment delivery, clouds come out on top compared to self-managed hardware. This is due to the flexibility of the cloud environment definition and the pace of provisioning as well.

From a business perspective it’s always better to spend less and achieve more. In the case of clouds, hardware costs less because cloud consumers don’t need to manage their hardware themselves, so they can avoid spending money for electricity and hardware upgrades.

In the case of proprietary hardware, to scale up you need to buy new hardware, set it up, and manage it. At the point when you must scale down, the organization will end up with unused hardware. With a cloud solution you can scale your operation and you don’t need to buy hardware, all of which saves time.

Developers of course create the code that must be tested in an environment that is close to production. In the case of proprietary hardware it is necessary to have a dedicated development/testing environment maintained by the IT department, probably on one server. Developing in the cloud, however, only requires developers to have a separate account to work with, and it is easy to create production-like environments to run new code and/or reproduce bugs.

These are all great reasons why you should consider moving from a legacy environment to a cloud environment, and the cloud does virtualize and orchestrate a lot of the manual jobs that are being performed by an IT department. These include processes such as networking, software installation, VM hardware customization, scaling, and more. And don’t forget that updating to a cloud-ready application can be the right business model for enterprise customers.

Migrate-To-Clouds Methodology

So, if your application is lucky enough to be a cloud-ready application, and it seems like you have convinced your company to move from self-maintained hardware to the cloud, it is important to understand the widely-applied strategies that you can use to switch to the cloud:

Lift and shift: If your application environment can easily migrate from a legacy environment to the cloud, then you just need to lift it and shift it to the cloud environment.

Green Field approach (http://www.thegreenfieldorganisation.com/approach2.html): From the definition, you can see that this is risky. This approach of rewriting an entire legacy application is the most expensive and critical modernization approach. However, automated code analysis, code conversion, testing, and cloud deployment tools can greatly reduce the risks and costs associated with this. So, in this case it is strongly recommended that you figure out the true risk rate before implementing this approach.

Incremental replacement: This approach requires you to replace a single unit of an application at a time. This has proven to be cost-effective and less risky. Unfortunately, there are no guidelines that can really help you, since almost every application is unique.

Consider all of the integrations between the legacy application infrastructure and other applications—integrating applications will need to be updated and tested taking into account the cloud capabilities. This is a very important step since it’s necessary to implement the deployment architecture. Once complete, you should define the hardware configuration for each application’s component (clouds offer various types of business models: paying for resources on demand or paying for a year/month subscription).

The next thing to consider is accessibility. This step defines the networking configuration, exposing which components of an application should be accessible to other services. It is important to leave the application networking configuration in the same configuration that was applied before, so you end up with the expected behavior that was observed with the legacy application hardware.

For software configuration on cloud instances there are two steps: software installation (can be done on pre-provisioning or post-provisioning) and post-installation (post-provisioning) configuration. Cloud providers are offering base images with operating systems, but this is not what should be used, because of the availability of more advanced ways of software installation at the pre-provisioning stage. It is more than recommended to create custom images for VM provisioning, and for this task please take a look at http://docs.openstack.org/developer/diskimage-builder/. At this point we’re ready to deploy the cloud-ready application and do post-provisioning software configuration to start the application.

The last step is to apply monitoring systems to track the environment state during its work. Here’s the short list of what should be taken into account for this:

Hardware configuration for application components

Application components deployment strategy

Networking configuration

Custom image composing

Environment deployment

Post-provisioning software configuration

Applying monitoring

Testing an application

It doesn’t seem like this list is complete, but if you combine it with the already pre-defined list of application dependencies you should be able to observe the full list of application needs. Once you have this full list, then you should begin the actual converting (in this case converting means applying a migration strategy to an application and doing the actual deployment) of the legacy application to a full-gear OpenStack application.

BUILDING APPS FROM SCRATCH

Not every application in the world is a legacy application, because many of them were developed when clouds became popular and the applications themselves were already hardware-agnostic, but not built for clouds at all. So it is possible that migrating to the cloud may not give the necessary value-add expected by a cloud-oriented business model. And this means that creating a new application from scratch may give that benefit, but over a longer period of time.

Application Design Guidelines for OpenStack

Developing a new application that will go to the cloud requires specific guidelines when developing and integrating applications specifically for OpenStack:

Be as pessimistic as possible. Everything breaks, so “love your chaos monkey” (a chaos monkey is a service that identifies groups of systems and randomly terminates one of the systems in a group).

Put your eggs into multiple baskets. Leverage multiple regions, availability zones, and compute hosts. Design for portability (remember lift and shift).

Think of scalability.

When integrating into OpenStack don’t forget to be paranoid—design security wisely.

Manage your data wisely. Data is always a critical resource, so don’t hesitate to enable data replication/clustering, and do regular backups.

Be dynamic. Let your application be smart by enabling auto-scaling.

Hands off—automate all business processes to increase consistency.

Not all applications require the same high level of security.

Predictability and elasticity—with an increasing/decreasing amount of resources the application should act in a predictable way.

Divide and conquer. Make your application as granular as possible, especially when integrating HA solutions.

Due to networking latency it is necessary to keep your data partitions close to each other, but not on the same compute host or region.

Loose coupling, service interfaces, separation of concerns, abstraction, and well-defined APIs deliver flexibility.

Be cost aware: autoscaling, data transmission, virtual software licenses, reserved instances, and so on can rapidly increase monthly usage charges. Monitor usage closely.

BestPracticesinCloud-ReadyAppDevelopment

IfyourapplicationisdividedintoaserverandclientsideyouneedtoconsiderifitisnecessarytoconsumetheOpenStackAPI(managingcloudresources).YoumustdecideifyouwanttouseexistingclientbindingsforOpenStackservicesorimplementyourown.Forexample,ifyouarereusingexistingones,itisrecommendedthatyouusePython,becausetheOpenStackcommunitydoesdevelopmentanddeliveryforclientbindingsforyou.Ifyoudon’tusePython,youwillhavetoresearchiftherearesupportedup-to-dateclientbindingsoryoumustimplementyourown.Soitisuptoyourdevelopmentteamtodecidewhichlanguageshouldbeusedfordevelopment,includingallgivenpoints(abilitytocodefast,workonvirtualizedhosts,etc.).

Onceyouhavemadeadecisionregardingbasedevelopmenttechnologies(includingcodinglanguage,additionalsoftware,SDKs,etc.)itistimetofigureoutyourbestpracticesforapplicationdevelopment.

Manage Your Code Appropriately

Applications that are being developed should be version-controlled using software such as Git, Mercurial, or SVN. If the application is distributed, it is very important that each of its components is treated as a separate cloud application. Note that multiple applications sharing the same code base is a violation of this methodology. So, basically, keep your applications separate. Going back to the version control system, it is more than obvious to use one, because there will be a need to have, for example, a stable production version alongside a staging version that is currently under development.

Dependency Management

For any cloud-ready application it is necessary that you explicitly define its dependencies in a manner that is understandable to the packaging system of the distribution. A golden rule is to never rely on the deployment environment, since it is possible that from version to version some packages might not be present, which means explicit is better than implicit. A simple example is how Ubuntu 12.04 has PostgreSQL 9.1 in its source repositories, but Ubuntu 14.XX doesn't.

Configuration Management

Make your application configurable. It is possible that the deployment environment may vary (deployment hostname, credentials, IP addresses in the case of switches, NATs, etc.). There are also application configuration parameters that remain the same across deployments; that doesn't mean they should not be configurable, but they can carry some sort of default values. Another important item to take advantage of is configuration parameter grouping. For example, if an application uses a database and an AMQP service for its internal needs, please put those options into different sections such as [database] and [messaging], and for different types of deployments it would be nice to have sections like [production] and [staging], if necessary.
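The grouping just described, worked through in code. This is an added example and not code from the book or its demo application: the [database], [messaging], [production] and [staging] sections follow the text, while the host names, the "section.option" override syntax and the environment variable names APP_DB_PASSWORD and APP_AMQP_PASSWORD are assumptions made for this example. Defaults that rarely change ship with the application, the chosen environment's section overrides them, and credentials are never written to either file but injected at deploy time.

```python
"""Layered application configuration with grouped sections.

Added example, not code from the book or its demo application.  Section and
option names ([database], [messaging], [production], [staging]) follow the
text; the environment variable names APP_DB_PASSWORD and APP_AMQP_PASSWORD
and the host names are assumptions made for this example.
"""
import configparser
import os

# Constructed sample: defaults shipped with the application.  These are the
# parameters that stay the same across deployments but remain overridable.
DEFAULT_INI = """\
[database]
host = 127.0.0.1
port = 3306
name = appdb
pool_size = 5

[messaging]
host = 127.0.0.1
port = 5672
vhost = /
"""

# Constructed sample: one deployment file holding per-environment overrides,
# keyed as "<section>.<option>" so the grouping from DEFAULT_INI is preserved.
DEPLOY_INI = """\
[production]
database.host = db-master.internal.example
database.pool_size = 20
messaging.host = amqp.internal.example

[staging]
database.host = db-staging.internal.example
"""

# Secrets are never written to either file; they are injected at deploy time.
SECRET_SOURCES = (
    ("database", "password", "APP_DB_PASSWORD"),     # assumed variable name
    ("messaging", "password", "APP_AMQP_PASSWORD"),  # assumed variable name
)


def load_config(defaults_text, deploy_text, environment, env=None):
    """Build the effective configuration for one deployment environment.

    Precedence, lowest to highest: shipped defaults, the chosen environment's
    section of the deployment file, then secrets from environment variables.
    """
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser()
    cfg.read_string(defaults_text)

    deploy = configparser.ConfigParser()
    deploy.read_string(deploy_text)
    if not deploy.has_section(environment):
        raise ValueError(f"unknown deployment environment: {environment!r}")
    for key, value in deploy.items(environment):
        section, sep, option = key.partition(".")
        if not sep or not cfg.has_section(section):
            raise ValueError(f"override {key!r} does not name a known section")
        cfg.set(section, option, value)

    for section, option, var in SECRET_SOURCES:
        if var in env:
            cfg.set(section, option, env[var])
    return cfg


def missing_secrets(cfg):
    """(section, option) pairs still unset; the app should refuse to start if non-empty."""
    return [(s, o) for s, o, _ in SECRET_SOURCES if not cfg.has_option(s, o)]


def database_dsn(cfg):
    """Render a MySQL-style DSN without the password, safe to write to logs."""
    db = cfg["database"]
    return (f"mysql://{db['host']}:{db.getint('port')}/{db['name']}"
            f"?pool_size={db.getint('pool_size')}")


if __name__ == "__main__":
    cfg = load_config(DEFAULT_INI, DEPLOY_INI, "production")
    print(database_dsn(cfg))
    print("missing secrets:", missing_secrets(cfg))
```

Refusing to start while missing_secrets() is non-empty is the check that catches a deployment where the credentials were never injected, rather than failing later on the first database connection.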

Build, Release, and Have Fun

There are four main stages before allowing access to an application:

Build: Simple, right? Make a distribution of your source code, and it doesn't matter what it will be: DEB, RPM, Python EGG, GitHub tag, or whatever.

Staging: Often takes a couple of iterations. In the real world, a staging environment with an installed build is examined using post-deployment verifications. By "post-deployment" verification we mean that the QA team runs a set of scenarios that mimic user behavior. During staging it is possible to discover certain bugs or unexpected application behavior. In this case the QA team prepares an additional set of test scenarios for the new staging deployment.

Release: The Kraken! Often the release stage involves publishing a new version, so prepare version release documentation, and make announcements within any available communication channels. Before doing a release it is necessary to prepare a mechanism for user reports (JIRA, a Slack channel, or a mailing list).

Have fun: Yes, have fun with user reports, issues, and newly requested version features.

Prepare Your App to Work at Scale or Die

Most distributed applications are distributed because keeping a single instance of an application gives zero fault tolerance. But let's figure out how an application can scale without consuming more VMs. Almost all development frameworks have multithreaded or multiprocess libraries for creating services, such as RESTful services or application engines, that can handle multiple requests at the same time. The term "worker" refers to an entity that is managed by a task broker. Here's a simple example: the Python library Flask supports processes and threads, but because of its implementation it is not recommended to use it directly as a user-accessible service. In production it is recommended to use Nginx + Python Gunicorn + Flask, but let's understand why. Nginx works as a proxy and does a good job, while Gunicorn works as a local RESTful service wrapper and allows you to run an application within multiple workers that are executed as separate processes with a common task distributor. The Flask application holds the implementation of the RESTful application.

Speaking of the number of workers, take into account that it's strongly suggested to run only one type of service per VM instance. So, your application should run a number of workers equal to the number of vCPUs. However, we are still talking about a single VM with multiple workers in it, and we are still at the point where an application should survive and be available for its users. And here come load balancing and high availability: cloud-ready applications should be ready to work correctly as multiple instances behind a load balancer (each instance doesn't store data locally, but persists into a backing service) in an HA mode.

Why are high availability and load balancing needed? First of all, HA mode gives you the ability to access an application within its multiple instances (for example, Galera master-to-master replication), so you have an instance for any user from A to Z, who can get the same data from any of them. This is how HA mode works. But when developing an application that consumes a cloud application, it is not very useful to remember a set of IP addresses or domain names for each application instance. Load balancing provides you with the ability to hide the cloud application behind one IP address or DNS name. This is beneficial because the load balancer distributes requests between cloud application instances. Because of this, your application should not have to worry about the accessibility of a specific instance.

Maximize Robustness with Fast Bootstrapping and Graceful Shutdown

OpenStack applications should strive to minimize bootstrap time. In an ideal world, an application takes a few seconds from the bootstrap execution until the process is up and ready to receive tasks. A short startup time provides more agility for the release process and for scaling up, and it helps to improve robustness, because the application instance manager can more easily move it to new physical machines (through auto-scaling events). Applications shut down gracefully when they receive a SIGTERM signal from their manager. Unfortunately, most application developers push worries about a graceful shutdown into the backlog.
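The two rules above (one worker per vCPU, and a clean stop on SIGTERM) in code. This is an added example, not code from the book or its demo application: worker_count applies the text's sizing rule, and GracefulWorker is an assumed, minimal stand-in for a Gunicorn-style worker that stops accepting work when the signal arrives, finishes the jobs it already holds, and bounds how long that drain may take.

```python
"""Worker sizing and a graceful SIGTERM shutdown for a service process.

Added example, not code from the book or its demo application.  worker_count
follows the text's rule (one service type per VM, one worker per vCPU);
GracefulWorker is an assumed, minimal stand-in for a Gunicorn-style worker
that must stop accepting work on SIGTERM yet finish what it already holds.
"""
import os
import queue
import signal
import threading


def worker_count(vcpus=None):
    """One worker per vCPU of the VM, never fewer than one."""
    if vcpus is None:
        vcpus = os.cpu_count() or 1
    return max(1, int(vcpus))


class GracefulWorker:
    """Consumes jobs from a queue on a background thread.

    After handle_signal() runs, submit() refuses new jobs (so a load balancer
    health check can drain the instance) while the thread finishes the jobs
    already queued, then exits.  shutdown() bounds how long that drain may take.
    """

    def __init__(self, handler, drain_timeout=5.0):
        self._handler = handler
        self._jobs = queue.Queue()
        self._stopping = threading.Event()
        self._drain_timeout = drain_timeout
        self.completed = []   # results of jobs finished before exit
        self.rejected = 0     # jobs refused because shutdown had begun
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def install_signal_handlers(self):
        """Wire SIGTERM (sent by process managers and auto-scalers) and SIGINT."""
        signal.signal(signal.SIGTERM, self.handle_signal)
        signal.signal(signal.SIGINT, self.handle_signal)

    def start(self):
        self._thread.start()

    def submit(self, job):
        """Accept a job unless shutdown has begun; returns False when refused."""
        if self._stopping.is_set():
            self.rejected += 1
            return False
        self._jobs.put(job)
        return True

    def handle_signal(self, signum, frame):
        # Signal handlers must be cheap: just flip the flag, the loop does the rest.
        self._stopping.set()

    def _loop(self):
        while True:
            try:
                job = self._jobs.get(timeout=0.05)
            except queue.Empty:
                if self._stopping.is_set():
                    return          # queue drained, nothing left to finish
                continue
            self.completed.append(self._handler(job))

    def shutdown(self):
        """Begin draining if not already, wait, and report whether it finished in time."""
        self._stopping.set()
        self._thread.join(self._drain_timeout)
        return not self._thread.is_alive()


if __name__ == "__main__":
    w = GracefulWorker(handler=lambda job: job * 2)
    w.install_signal_handlers()
    w.start()
    for n in range(3):
        w.submit(n)
    os.kill(os.getpid(), signal.SIGTERM)   # simulate the manager's stop request
    print("drained:", w.shutdown(), "completed:", w.completed, "rejected:", w.rejected)
```

Under Gunicorn the same two ideas map onto its workers and graceful_timeout settings; what the application itself still owes is the part shown in _loop: the in-flight request is completed, never cut off mid-transaction.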

Keep Development, Staging, Pre-Production and Production As Close As Possible

As developers you need to keep in mind the following:

Make the time gap small between writing code and putting it into staging/pre-production/production.

Make the personnel gap small. You are the committer of new code, so you are responsible for deployment within any environment.

Make the tools gap small. Each developer should keep their environment as similar as possible to the production environment.

Keep this in mind when testing your code. As a developer you should resist the urge to use different backing services between development and production, even when adapters theoretically abstract away any differences in backing services. Differences between backing services mean that tiny incompatibilities crop up, causing code that worked and passed all types of tests in development or staging to fail in production.

Test As Much As Possible

In application development that involves the use of attached resources it is necessary to write the following types of tests:

Fake-mode integration tests: This type of testing allows you to examine your code without involving attached resources (for on-demand services that cost you money), using their fake implementation stubs instead.

Real-mode tests: Handle any API backing services.

Post-deployment checks: This type examines user stories and scenarios against the deployed application, and often takes place at staging and pre-production.

Continuous Integration/Continuous Delivery

Continuous Integration (CI) is the practice of testing each change made to your code base automatically and as early as possible. So, for the sake of stability insurance, your project should use CI votes as part of code review, because CI would prevent you from merging code that doesn't work correctly. Continuous Delivery (CD) follows your test results to push your changes to either staging or pre-production (pushing into production may cause problems). In any case, CD makes sure a version of your code is always accessible. It is possible that you need to keep your own CI/CD for specific reasons. But if your organization is small and you don't have enough resources to invest in building your own environment, you can use any CI-as-a-Service. There are two well-known services: Travis CI (https://travis-ci.org/) and CircleCI (https://circleci.com/). Feel free to pick the one you like.

So, you have SDKs, and you have guidelines on how to do this, and how not to. You have CI and CD. It is now time to do some tricky magic: deploy an application, a real cloud application.

OPENSTACK APP DESCRIPTION AND DEPLOYMENT STRATEGIES

So, this is a good time to talk a bit about legacy application description.

Coming back to the methodology of migrating an application to the cloud, you need to have all of the steps that we have covered in this chapter implemented for your application to become cloud-ready. Let's assume that you have these inputs:

The application consists of these components: Web UI, RESTful service, back-end service, and a backing service.

The Web UI and RESTful service are user-facing.

The back-end service is accessible only by the RESTful service.

The backing service can be an attached service or it can be part of the application. Only application back-end services talk to the backing service.

So, what would be the best solution to make this application cloud-ready?

DEMO APPLICATION SOURCE CODE

You can access the source code of our demo application via GitHub: https://github.com/johnbelamaric/openstack-appdev-book.

Cloud-Ready App Description

Following the migration steps, you need to decouple your legacy application into multiple nodes. Let's assume that your application consists of these nodes (see Figure 4.1):

Web UI node

RESTful service node

Back-end service node

Backing service (MySQL)

Figure 4.1

You need to define the hardware requirements, i.e. in terms of OpenStack, define specific instance flavors that describe the number of vCPUs, RAM, and ephemeral and root disk. For the sake of simplicity let's assume that you are OK with only one flavor, but most real-world cases must define flavor parameters for each application service, because of the workflows. In most cases, some instances would require a lot of vCPUs to do calculations, and other instances would require tons of RAM and a root disk to do data processing (Hadoop and its HDFS with map-reduce would be a good example here).

At a cursory glance it looks fine. Users are able to access the application through the Web UI or the RESTful service. Such an application would be a good example of how to integrate into the cloud, since the given app is multi-tiered.

When we're talking about MySQL and backing services in general we have to consider that this type of service should be durable, and available no matter what happens. So, based on the given inputs we need to figure out which operating system is needed, how many resources (RAM, vCPU) are needed, and whether we want to keep MySQL data on attached block storage provided by Glance (these steps and decisions are very important, because all of this affects the life cycle of the service). So, relying on background knowledge, we strongly recommend you use a flavor that has at least 4 vCPUs and at the very least 8 GB RAM. Regarding storage, we recommend you use a block storage volume to allow for quick failure recovery and consistency.

The application components are the Web UI, RESTful service, and back-end service nodes. By itself the RESTful service node is not a standalone application that is deployed as part of application delivery. According to best practices of application development, it should be treated as a separate application. Coming back to what we've discussed for MySQL, we need to figure out what would be the best options for deploying this application. By itself, the RESTful service is a stateless application, but it has to work fast to serve multiple users at the same time. It is recommended that you use a flavor that has lots of RAM; the vCPU question is not critical for now, and we don't need block storage for now because there's nothing to store, since we just process the requests. Speaking of the application back-end service, this part of the application is tough, since it does almost all of the heavy work. So this node should be very powerful, and it has to have lots of vCPUs, RAM, and the disk space required by the application's workflow definition (not block storage, but flavor root disk). There is nothing different about the Web UI node: it should be fast, and there are no other demands.

Once the RESTful service and Web UI nodes get deployed, users will be able to access the RESTful service within the RESTful service node by its IP address and the Web UI independently (according to the given schema, the UI can work with a single instance of a RESTful service at a time). Please keep in mind that in the real world, each service that is user-facing must be solid and ready to be stress-tested, because in some cases users are acting like DDoS attackers.

After completing this section we have a cloud-based application that has been deployed, taking into account all best practices and application demands.

Network Deployment Strategy

Let's go back and describe the application deployment schema. We have three types of services, in other words three different cloud applications, and each application deserves its own access level from the outside. For example, the current schema describes an application deployment within a single network, which seems OK for an example, but such an SLA doesn't look good for other cases. The Web UI and RESTful services face users within a public network, so the user can access both of them, and such things break the concept of a secure SLA.

Public and Private (Management) Network

You might suggest that each component use its own network, but it will add overhead since you'd need to do routing and might eventually end up with a complex, hardly maintainable solution. Of course you are not trying to link multiple data centers into a single network for this solution. In this case it would be enough to define two networks: public (with Internet, and accessible from the outside) and private (no Internet, and accessible from the public network). First of all, it is necessary to figure out which network each service belongs to. It's easy with our example: network placement is described in Figure 4.2; the Web UI with a public NIC in Figure 4.3; the RESTful service with a private NIC in Figure 4.4; the application back-end service with private NICs in Figure 4.5; and the MySQL node with a private NIC in Figure 4.6.

Figure 4.2

Figure 4.3

Figure 4.4

Figure 4.5

Figure 4.6

As you can see, based upon the description given above, application tiers may have a couple of networks attached to prevent unwanted access. Now, let's take a look at each component, starting with the Web UI. Since this type of application tier needs to be available to users it should have a public IP address, and it doesn't have internal network access, to prevent security risks. So, the green wire corresponds to the public network shown in Figure 4.3.

The RESTful service tier is similar to the Web UI tier for this application, since the component should be accessible through the public IP address. But, since these components are tied to the back-end service, it has to have access to the private network (see Figure 4.4). The red wire corresponds to the private network access.

Going forward, let's examine the application back-end service tier and its networking, shown in Figure 4.5. This part of the application is only accessible within the private network.

Take a look at the last component of our application, MySQL (see Figure 4.6). This part of the application follows a similar networking strategy to the back-end service. The private network and this component are accessible only by the back-end service.

Keep in mind that the accessibility of the application components and the network strategy require an SLA set up for the application within the given networks. In the case of OpenStack it is recommended that you use security groups (available in Nova-network and Neutron):

For the Web UI instance: Suppose we use Nginx for hosting the UI code and default ports for HTTP and HTTPS. It would be necessary to close any ports except 80 and 443 for inbound connections and open only the load balancer's port for outbound connections.

For RESTful service nodes: Security groups for inbound connections require the load balancer port only. Security groups for outbound connections require the AMQP broker ports or direct access ports to the application back-end service.

For the application back-end service: Security groups for inbound connections require the RESTful service nodes' ports from their IPs only, or no rules at all (in the case of AMQP transport, there would be only outbound connections to the AMQP broker). Security groups for outbound connections require the MySQL ports with the MySQL master instance IP as CIDR, and in the case of AMQP, the broker instance(s) port(s).

For the MySQL node: Security groups for inbound connections require the application back-end service port, and the MySQL slave ports with their IPs as CIDRs. Security groups for outbound connections require the master node port and its IP as CIDR.
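The four per-tier rule sets above, transcribed into a declarative form and rendered as python-openstackclient commands, with a check that no private tier is ever opened to 0.0.0.0/0. This is an added example, not code from the book or its demo application: the group names, the REST service port and every IP address are constructed placeholders, and the AMQP-transport variant of the back-end rules is the one shown. The `openstack security group` commands and their flags are the real CLI syntax.

```python
"""Rendering the per-tier security group rules above as OpenStack CLI commands.

Added example, not code from the book or its demo application.  The group
names, ports and every address are constructed placeholders for this
example; the `openstack security group` commands and their flags are the
real python-openstackclient syntax.
"""
import ipaddress

# Constructed private-network addresses (placeholders, not from the book).
LB_IP = "10.0.0.10"                       # load balancer in front of the REST tier
REST_PORT = 8080                          # assumed port the REST service listens on
AMQP_IP, AMQP_PORT = "10.0.2.40", 5672    # AMQP broker
BACKEND_IPS = ["10.0.2.21", "10.0.2.22"]
MYSQL_MASTER_IP = "10.0.3.31"
MYSQL_SLAVE_IPS = ["10.0.3.32", "10.0.3.33"]
MYSQL_PORT = 3306
ANYWHERE = "0.0.0.0/0"

# Only the user-facing Web UI tier may reference the whole Internet.
PUBLIC_GROUPS = {"sg-webui"}


def host(ip):
    """A single host expressed as a /32 CIDR, the form --remote-ip expects."""
    return f"{ip}/32"


def rule(group, direction, port, remote):
    """One security group rule as a dict; rejects bad directions and CIDRs early."""
    if direction not in ("ingress", "egress"):
        raise ValueError(f"bad direction {direction!r}")
    ipaddress.ip_network(remote)            # raises ValueError on a malformed CIDR
    return {"group": group, "direction": direction, "port": int(port), "remote": remote}


def tier_rules():
    """The four tiers' rules, transcribed from the list above (AMQP transport variant)."""
    rules = []
    # Web UI: inbound HTTP/HTTPS only; outbound only to the load balancer.
    for port in (80, 443):
        rules.append(rule("sg-webui", "ingress", port, ANYWHERE))
    rules.append(rule("sg-webui", "egress", REST_PORT, host(LB_IP)))
    # RESTful nodes: inbound from the load balancer only; outbound to the AMQP broker.
    rules.append(rule("sg-rest", "ingress", REST_PORT, host(LB_IP)))
    rules.append(rule("sg-rest", "egress", AMQP_PORT, host(AMQP_IP)))
    # Back-end (AMQP transport): no inbound rules; outbound to broker and MySQL master.
    rules.append(rule("sg-backend", "egress", AMQP_PORT, host(AMQP_IP)))
    rules.append(rule("sg-backend", "egress", MYSQL_PORT, host(MYSQL_MASTER_IP)))
    # MySQL: inbound from back-end nodes and from each slave; outbound to the master.
    for ip in BACKEND_IPS + MYSQL_SLAVE_IPS:
        rules.append(rule("sg-mysql", "ingress", MYSQL_PORT, host(ip)))
    rules.append(rule("sg-mysql", "egress", MYSQL_PORT, host(MYSQL_MASTER_IP)))
    return rules


def least_privilege_violations(rules):
    """Any rule that opens a non-public tier to the whole address space is a finding."""
    return [r for r in rules
            if r["group"] not in PUBLIC_GROUPS
            and ipaddress.ip_network(r["remote"]).prefixlen == 0]


def render_commands(rules):
    """Group creation first, then one `rule create` per entry, in input order."""
    cmds = [f"openstack security group create {g}"
            for g in sorted({r["group"] for r in rules})]
    for r in rules:
        cmds.append(
            f"openstack security group rule create --{r['direction']} --protocol tcp "
            f"--dst-port {r['port']} --remote-ip {r['remote']} {r['group']}"
        )
    return cmds


if __name__ == "__main__":
    rules = tier_rules()
    assert not least_privilege_violations(rules)
    print("\n".join(render_commands(rules)))
```

Two practical points when applying the output: a freshly created Neutron security group carries allow-all egress rules by default, so those must be deleted (`openstack security group rule delete`) for the explicit egress entries to mean anything, and each group is attached to its instances with `openstack server add security group`. The least_privilege_violations check is the one to keep running in CI, since the rule set tends to drift as ports are "temporarily" opened.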

SUMMARY

In this chapter we covered how to do a migration, including limitations and critical points, but it wasn't just a simple lift and shift. We tried to explicitly explain how to decouple application services, and how to implement a deployment strategy, including networking and SLA. We've amended steps like application testing and software configuration, due to the variety of techniques applicable for such cases, and we've also skipped monitoring because of the complexity of trying to describe the generic use case for cloud application monitoring. But every other case and technique described in this chapter is applicable to any type of cloud-ready application, regardless of whether it is a legacy application from the past or a completely new application that is under design right now.

5 Improving on the Application

WHAT'S IN THIS CHAPTER?

Understanding the types of failure scenarios that can affect applications running in the cloud

Providing access into the application and understanding how hostnames and IP addresses play an important role

Methods for scaling an application to multiple instances and regions and adapting to events in the environment

Improving the basic application

It is common for applications to be initially developed for the cloud in a very simple manner. The developer may start with deploying the application as a single instance in the cloud. If the application has different types of functions, such as a web front-end and a database back-end, these functions can be broken into a couple of different instances.

This chapter discusses what you as the developer need to do next. You need to know what kinds of failures occur in the cloud and how those failures could affect the application. You also need to understand the application components and how they relate to failures in order to build a more robust and reliable application.

Different techniques are examined on how to scale the application in the cloud. The chapter also takes a look at performance and why it is important to know when and where performance issues occur. Often, scaling the application in the right places can mitigate performance issues when they occur.

The chapter also takes a look at data protection. How important is the data to the application? Is it important that data is never lost? Can some data be lost and recreated or replaced later? The answers to these questions can affect decisions on how data is protected in the cloud.

High availability means that the application is always available and minimizes downtime. It also means that the application should run reliably and be performant. This chapter takes a look at what it means to build a highly available application and some of the challenges developers may run into along the way.

Finally, we take a basic application and improve upon it to demonstrate the concepts in this chapter. Three different components are examined as they are taken to the next level in providing high availability.

DEMO APPLICATION SOURCE CODE

You can access the source code of our demo application via GitHub: https://github.com/johnbelamaric/openstack-appdev-book.

FAILURE SCENARIOS

Operators of an OpenStack cloud understand that it is difficult to keep the cloud running problem-free. The larger a cloud environment is, the more likely problems will occur. Developers need to understand what types of problems can affect the application and how to deal with them. Applications that take these failure scenarios into account will suffer less downtime and continue to run, even when problems do occur.

Hardware Failure

A typical OpenStack environment contains a few administrative servers to help run the cloud, as well as a bunch of other servers, called compute nodes, that provide the means for applications to be deployed to the cloud. The bigger the environment, the more hardware will be required to run it.

Eventually, a server's hardware is going to fail. The most common types of hardware failure include disk drives, memory, CPU, power supplies, and network interfaces. Some hardware failures can bring the server down entirely. Some hardware failures may result in reduced server performance. Other failures may not affect the server at all, such as one of the power supplies failing.

If an application is built without high availability in mind, it is likely that the application has many single points of failure built into it. If a server fails and any one of those single points of failure is on that server, the application will fail as well.

Network Failure

There are several different ways that a network can be set up and operated within an OpenStack environment. However, from the perspective of the instance running in the cloud, it has a network interface card with an active network link and an assigned IP address. All that matters to the instance is that it is connected to the network and that it can access other instances or devices on the network reliably.

One way that instances experience network failures is when something breaks in the OpenStack network stack. The instance still sees a network and still has an IP address, but it is unable to connect to any other devices on the network, and other devices are unable to connect to the instance. The root cause of the network issue will affect how network connectivity is restored in the instance. For example, issues with Neutron or OVS on the compute node where the instance exists may require the instance to be rebooted in order to restore connectivity.

Another way that instances experience network failures is through the loss of the IP address on their network interface card. The IP address is provided to the instance by a DHCP service that runs on the network node. It is rare for the DHCP service itself to go down, but issues in the OpenStack network stack may disrupt the ability of the DHCP service to communicate with the instance. Default configurations of OpenStack tend to expire DHCP leases very quickly, which results in the instance renewing its DHCP lease often. Network communication issues can disrupt the renewal process, which results in the IP address being released from the instance and ultimately taking its network down.

The operating system installed on the instance can make a difference in how it responds to network issues as well. For example, when an instance loses a DHCP address, Ubuntu typically continues to retry renewing the DHCP address. When the network issues are resolved, the renewal process succeeds and the IP address is restored. However, Red Hat and CentOS are commonly configured by default to give up after the renewal process fails, which means that even if the network issues are resolved, the instance is no longer attempting to renew the DHCP lease and permanently stays off the network. The easiest way to resolve the network connectivity issue with the instance is to reboot the instance. A better solution would be to adjust the DHCP client for Red Hat and CentOS instances to always retry DHCP renewals instead of giving up.

External network issues can also occur. A typical OpenStack environment will be set up with a set of administrative nodes, numerous compute nodes, one or more switches to connect all the nodes together, and a router for the switches to connect to for traffic coming in or leaving the OpenStack environment. The switches are critical to the operation of the environment, as they are the lifeline between the compute node and the network node. A switch problem can disrupt communication between the nodes. An issue at the router may not disrupt communication between nodes, but it may prevent access to other things on the network, such as DNS lookups, access to authentication servers, and any other network services the instances may depend on.

Storage Failure

An OpenStack instance makes use of either ephemeral storage or persistent storage, or even a combination of both. Ephemeral storage is defined as storage that may not be permanent. For example, the storage associated with the instance could be deleted if the instance itself is terminated. Persistent storage is defined as storage that is permanent. If an instance is terminated, the persistent storage associated with the instance is typically not deleted, but may be detached and made available to be attached to another instance.

Persistent storage is typically implemented as object storage or block storage. Object storage is often implemented using Swift or some other product that implements the Swift API, such as Ceph. When using object storage, containers are created and binary objects are stored inside the containers. Instances can retrieve the stored objects using the API implemented by the object storage system. Block storage shows up to instances as block devices in the operating system, which can then be mounted on a directory or used as a raw device.

Ephemeral storage is similar to block storage in the way that it appears to the instance as block devices. This means that instances can mount the block device on a directory or use it as a raw device. Ephemeral storage is configured by default in OpenStack to use the storage from the disks in the compute nodes. It is possible to configure ephemeral storage using other architectures too, but using compute node disks for ephemeral storage is the most common usage. Unless an instance is launched using a "boot from volume" method, the instance will be created using the compute node's ephemeral storage.

One of the most common hardware failures encountered in an OpenStack environment is disk failure. Disk failures can have a wide effect on instances, depending on how OpenStack is configured and how the disk failure affects the device it is installed in. Ephemeral storage will likely have a greater effect on instances than persistent storage. With ephemeral storage, data is very unlikely to be replicated and the chance for data loss will be higher. For persistent storage, data is often replicated and can be accessed in multiple ways. If a single disk fails in a persistent storage cluster, the instance may not even notice, since the data remains available and consistent.

Let's look at the case where the instance is running on ephemeral storage. The operating system is on an ephemeral root disk that lives on a compute node. The compute node could be configured with some kind of RAID that replicates data behind the scenes. A single disk failure may not affect the instance at all, much like a single disk failure in persistent storage. However, it is not uncommon to see a RAID device experience a disk failure that results in the block device going into read-only mode inside the instance. Even though the data is still available and can be read by the instance, writes are blocked. Read-only mode usually occurs at the compute node level, which affects all the instances running on that node. Rebooting the compute node is often needed to fix the issue.

If the compute node is not configured with RAID or some kind of data replication for ephemeral storage, then the loss of a disk is usually catastrophic to the instance. If the failed disk is where that instance's storage was located, then that data is permanently lost. The instance will need to be terminated and rebuilt.

For block storage, instances may experience problems with the mounted volume. If there are serious issues in the persistent storage cluster, a volume may become unavailable to the instance. If the volume is mounted, any reads and writes may hang, waiting for a response. If the volume is not mounted, it may refuse to mount or not be detected as a valid disk. This is seen more often when an instance is being launched or rebooted. If the volume is unavailable for some reason, the instance may fail to launch or need administrator interaction to get the instance to boot the rest of the way.

Most volume issues occur because of issues within the OpenStack environment and not necessarily with the persistent storage cluster. There may be an issue with Cinder or an issue with the communication between Nova and Cinder. Many of these issues may not affect a volume that is already mounted in an instance and currently being used. However, these issues will likely affect the launching or rebooting of instances. This also affects the ability to detach volumes from one instance so that they can be attached to another instance. In most cases, this only affects the ability to access the data and does not result in data loss.

Object storage is accessed in a different manner than block storage. Objects are pushed into storage or fetched from storage. If there are any issues in the object storage system, they usually manifest as objects being unavailable or operations timing out.

Persistent storage is most often configured with some kind of replication. Replication factors of 2 or 3 are common, but there may be cases where replication is disabled for some reason. It is important to ask the administrators about how replication is configured in order to better understand how failures could affect access to data and the potential for data loss.

Instances have a difficult time dealing with storage devices becoming unavailable. If the application depends on data always being available, it is important that monitoring is configured to check storage availability and integrity. For ephemeral storage, most failures result in the instance going down as well. However, instances should monitor for when file systems go into a read-only state. Instances may operate fine with a read-only file system, especially if the application only reads data and doesn't write data. Monitoring may not see the issue either, nor will the issue be seen in any of the logs. Since a read-only file system is an indication that there is an underlying problem with the compute node, catching it early so the application can adapt around it is a good idea.
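The read-only file system check the paragraph above asks for, as an added example that is not code from the book or its demo application. The /proc/mounts sample is constructed, and the watched mount points and probe directory are assumptions for this example. Two complementary checks are combined because neither alone is enough: parsing the mount options catches a remount to read-only, while an actual write probe catches a device that still reports "rw" but returns I/O errors.

```python
"""Detecting a file system that has silently dropped to read-only.

Added example, not code from the book or its demo application.  The
/proc/mounts sample is constructed; the watch list and probe directory are
assumptions for this example.  Two complementary checks: parse the mount
options, and actually attempt a write, since a remount to read-only shows up
in /proc/mounts while a failing device may only surface as an I/O error.
"""
import errno
import os
import tempfile

# Constructed sample of /proc/mounts: root is healthy, /data was remounted
# read-only after an underlying disk error.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/vdb /data ext4 ro,relatime,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101544k,mode=755 0 0
"""

DEFAULT_PROBE_DIR = tempfile.gettempdir()   # assumed location for the write probe


def parse_proc_mounts(text):
    """Map mount point -> set of mount options.

    /proc/mounts encodes a space inside a path as the octal escape \\040,
    which is decoded here so paths compare correctly.
    """
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mount_point = parts[1].replace("\\040", " ")
        mounts[mount_point] = set(parts[3].split(","))
    return mounts


def read_only_mounts(text, watch=("/", "/data")):
    """Watched mount points whose options include 'ro'."""
    mounts = parse_proc_mounts(text)
    return sorted(mp for mp in watch if mp in mounts and "ro" in mounts[mp])


def write_probe(directory):
    """Create, write, sync and remove a temp file.

    Returns None on success, otherwise the errno name: EROFS for a read-only
    file system, EIO for a failing device, ENOENT if the directory is gone.
    """
    try:
        fd, path = tempfile.mkstemp(prefix=".rw-probe-", dir=directory)
        try:
            os.write(fd, b"probe")
            os.fsync(fd)        # force the write through to the device
        finally:
            os.close(fd)
            os.unlink(path)
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


def check_instance(mounts_text, probe_dirs):
    """Combine both checks into a list of findings; an empty list means healthy."""
    findings = [f"{mp} is mounted read-only" for mp in read_only_mounts(mounts_text)]
    for d in probe_dirs:
        err = write_probe(d)
        if err is not None:
            findings.append(f"write probe failed in {d}: {err}")
    return findings


if __name__ == "__main__":
    live = SAMPLE_PROC_MOUNTS
    if os.path.exists("/proc/mounts"):          # use the real table on Linux
        with open("/proc/mounts") as f:
            live = f.read()
    for finding in check_instance(live, [DEFAULT_PROBE_DIR]) or ["no storage findings"]:
        print(finding)
```

Run from a cron job or the instance's monitoring agent, a non-empty findings list is the early signal the text describes: the application can mark the instance unhealthy for its load balancer before users see failed writes, and the operator learns about the compute node problem while the data is still readable.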

Software Failure

Another type of failure scenario is purely software specific. For example, a kernel bug within the operating system of the compute node may cause it to crash or hang. This will result in the instance becoming unavailable. Sometimes, it may be because of a kernel bug in the instance's operating system. The instance itself will crash or hang, requiring a reboot to put it back into operation.

Issues in the OpenStack software suite may also cause problems. Most problems of this nature don't affect an instance, unless it is an issue that will affect the instance's network or its ability to access its storage. Common OpenStack software issues include problems with RabbitMQ, Cinder and Ceilometer. These issues may not affect current instances, but they could very likely affect the user's ability to launch new instances, terminate instances, or do any other OpenStack-related management. For applications that make use of the elastic nature of the cloud to dynamically grow and shrink instances based on demand, software problems can reduce cloud elasticity significantly.

Another issue that could occur is a lack of resource availability. If an instance is running an application that is leaking memory, that instance will eventually run out of memory and fail. If an application is launching lots of processes and does not properly clean up after itself, the instance can run out of process slots and be unable to launch new processes. If an application fails to close files that it opens and no longer uses, and opens a lot of files over time, the application may use up all the available file descriptors. This can cause the application to fail, or even possibly the instance. When an instance runs out of resources, it may result in the instance crashing, but it more often results in the instance becoming unavailable. Monitoring may detect multiple alarms and attempts to log in may be unsuccessful. Rebooting the instance often fixes the problem. However, if the problem occurs repeatedly, the application needs to be examined for bugs and potential configuration tweaks. It is better to fix the problem with the application than to try solving the problem by launching larger instances with more resources.

External Failures

Instances may experience DNS lookup issues due to some external issue. This could be the result of a network outage between the OpenStack environment and the DNS servers. It could also be an issue with the DNS servers themselves. DNS issues can look like a general network issue from the perspective of the instance. Nearly everything an instance does on the network requires a DNS lookup. When a DNS issue exists, lookups generally do not just fail; rather, they time out. If the instance is configured to do lookups on multiple servers, the timeouts can stack up for each request, compounding problems for applications trying to connect to services on the network.

Instances can reduce the effect that DNS issues have by tuning timeout settings in the /etc/resolv.conf file and by doing some kind of DNS caching inside the instance itself. If caching is used, once a hostname is resolved to an IP address, it will be kept in the cache for a period of time so future DNS lookups for that hostname can be skipped. Many instances are configured without caching enabled. Depending on the operating system installed in the instance, NSCD or dnsmasq may need to be tweaked in order to enable DNS caching.

Another common issue that can occur to instances is the inability to talk to important services on the network. A good example of a common service is an authentication service. Active Directory, LDAP, Kerberos and RADIUS are all examples of authentication services that could be used. Network issues and issues with the authentication service itself can cause an application to misbehave or fail. Distributed applications may see periodic failures if only a portion of the instances experience authentication issues. For example, users may see a periodic web page failure if their click resulted in an action that talks to an instance that is unable to do authentication.

Authentication service issues are difficult to overcome in the instance. The best way to deal with authentication service issues is to detect them when they occur, understand whether the issue is transient or is trending from bad to worse, and react to the issue. A distributed application could detect authentication issues in a portion of the instances and choose to remove those instances from the pool, working around the problem until the authentication service has been restored. At the very least, there should be monitoring that alerts the application owners to the issue so that the root cause can be investigated and the necessary administrators involved.

Instances can also experience issues with time skew. This is a subtle problem that may not be noticed without proper monitoring. Many applications may not even care about time skew, especially for instances that are running portions of an application that do not require state. However, authentication commonly does require the instance's time to be very close to the time the authentication server sees. Some authentication methods are very strict, resulting in failed authentication attempts if the instance's time is more than a minute or two off. Some applications, such as financial applications, require accurate time as well.

Running NTP inside the instances can help keep the instance's clock synchronized to the correct time. However, NTP is not fully reliable, because it depends on the performance of the compute node the instance runs on and on the network performance between the instance and the NTP servers. If the compute node becomes CPU bound, the instance's time may stay out of sync, even with NTP running. By the time NTP adjusts the time for the instance, the adjusted time could be wrong. Network issues can disrupt time updates. The NTP service could also be having an issue. For example, one of the NTP servers could be out of time sync itself and reporting the wrong time. Some of these issues can be solved by configuring the instance to point to several reliable NTP servers. If time synchronization is important to the application's operation, it is essential that monitoring is configured to catch these issues so that appropriate actions can be taken.

HOSTNAMEANDIPADDRESSINGApplicationstendtobeverycomplex,andcomprisedofmanyfunctionalunits,withoneunittalkingtoanother.Usersalsoneedawaytousetheapplication.ThisisaccomplishedbyassigninghostnamesandIPaddressestoallofthedifferencepiecesofanapplicationthatneedit.Anexampleforasimpleapplicationmightbeawebserverthattalkstoaback-enddatabase.ThewebserverhasanIPaddressthatusersconnectto,andthedatabasehasanIPaddressthatthewebservertalksto.

Whathappenswhenthewebserviceisactuallyawholebunchofinstances?Whathappensifthedatabaseback-endisactuallyadatabaseclusterrunningseveralservers?ItwouldcertainlybepossibletoassignpublicIPstoallinstancessothateverysingleinstanceisaccessible.However,ifauserisconnectingtothewebinterfaceofanapplication,itwouldbebadpracticetoprovidealltheIPstotheuserandforcetheusertoselectwhichonetouse.

Single Point of Entry

Normally, an application has a single point of entry for the users. If it is a web application, it is a URL they enter in the web browser. If it is a client/server type application, the client is configured to hit a particular server address. What happens when a web application is now a bunch of instances? If the database back-end is several servers running in a cluster, how is the web front-end configured to talk to the database back-end? There are a couple of techniques that can be used to deal with application connectivity and the communication between the functional units within the application.

Most applications should have just a single point of entry for connections to come into, which is usually a hostname. When a connection to the application is made using a hostname, the hostname is converted into an IP address through the use of a DNS service, which is a service that provides hostname and IP address mappings. The DNS lookup occurs behind the scenes and is transparent to the user or service connecting to the application. The DNS service may return a single IP address or a list of IP addresses for that hostname. An IP address is then chosen and the connection made to the application.

Round Robin DNS

When it comes to assigning more than one IP address to a single hostname, there are a couple of techniques that can be employed. The first technique is to use DNS to assign multiple “A records” to the hostname. An A record in DNS is essentially an IP address assignment. When a DNS lookup occurs and there are multiple A records assigned to the name, the DNS server returns all of the IP addresses assigned to that name. However, each time the DNS server is queried, the list is rotated by one so that the first IP address in the list is always different. This is known as “round robin.”

For example, the name myweb has three A records assigned to it: 1.1.1.1, 2.2.2.2 and 3.3.3.3. The first time DNS is queried, the server responds with 1.1.1.1, 2.2.2.2, 3.3.3.3. The second time DNS is queried, the server responds with 2.2.2.2, 3.3.3.3, 1.1.1.1. The third time DNS is queried, the server responds with 3.3.3.3, 1.1.1.1, 2.2.2.2. The fourth time DNS is queried, the server responds with 1.1.1.1, 2.2.2.2, 3.3.3.3 again.

The client that is doing the DNS query will get back a list of IP addresses and then has to choose which IP address it will use. Generally, clients always pick the first IP address in the list, which is why the DNS server rotates the list every time the list is returned. However, there is a downside to doing round robin in DNS. If any of the servers in the IP address list is not responding, the client will not know that and will attempt the connection anyway. Clients very rarely have extra logic in their code that tries to connect to the first IP and, when that fails, tries the next IP in the list.

It may be difficult for the administrator to react quickly to server unavailability or performance issues. If a server is going to be down for an extended time period, the bad IP address can be pulled out of the list. However, DNS servers are often configured to cache IP address information for a period of time. It is common for DNS entries to be cached for 24 hours or more. If that is the case, removing an IP address from the list could take up to a day or more to be reflected in the DNS queries made by the client.

If a server is going to be down for planned maintenance and the administrator knows that an IP address will need to come out of the list, a common technique is to reduce the cache time to a short period of time, such as 1 minute, well ahead of the scheduled maintenance time. When maintenance is about to begin, the IP can be removed, which clients will see within a minute of the update. Maintenance can occur and the IP address be re-added to the list. If maintenance is successful, the cache time can be adjusted back up to its original setting.

Global Server Load Balancing (GSLB)

Round Robin DNS is a cheap and easy means to allow access to multiple instances that provide an important piece of functionality to an application. It was already mentioned that if one of the instances is down, clients may still try to connect to the instance, being unaware of that issue. However, there are other limitations to Round Robin DNS that can also affect the application. For example, there might be no ability to guide the client in selecting an appropriate IP address out of the list based on performance or possibly how close an instance is to the client.

Global Server Load Balancing (GSLB) is a service that provides a combination of DNS and load balancing functionality. GSLBs are often set up in a similar fashion as Round Robin DNS. A hostname may be assigned to multiple IP addresses. However, instead of the GSLB returning a rotating list of IPs to the client, the GSLB will return the list of IPs in an order that makes the most sense for the client that is doing the DNS query. If an instance in the IP list is down, the GSLB will remove the IP entirely from the list until the instance is back up. IPs are often ordered by geographic location so that the first IP address is physically closest to the client doing the lookup. IPs may also be ordered based on performance or the number of connections going to those IPs.

Enterprises may also combine GSLBs with Round Robin DNS and use both techniques. This is useful when an application is hosted at multiple sites. For example, an application hosted in the United States and in Europe could have the GSLB provide only the list of IPs associated with the United States when a client from North America queries DNS. Furthermore, the trimmed down list could be rotated in the same fashion as standard Round Robin DNS. Since the GSLB is aware of server uptime and performance, IPs can still be removed when a server is down.

GSLB can be affected by some of the same issues as Round Robin DNS. Since GSLB is essentially providing IPs back to the client via DNS requests, making changes to the list of IP addresses can be affected by cache time. For GSLBs designed for failover when an issue occurs, cache times may already be set to small values. However, clients often cache DNS lookups as well. This means that when an IP address is removed from the list by the GSLB, a client may not notice that until its internal cache has expired for that list.

GSLB provides another level of service beyond what DNS provides by itself. However, GSLB often comes with extra cost, so it may not be feasible to take advantage of it. If GSLB is available, it is the best way to run portions of the application across multiple sites in a reliable way.
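The Round Robin DNS and GSLB behaviour described in the two subsections above, as a constructed simulation (an added example, not code from the book): an authoritative server that rotates its A records by one per query, a client that caches the answer for the TTL and always connects to the first address, and a GSLB-style resolver that drops unhealthy addresses and orders by the client's region. The addresses, regions and TTLs are made up.

```python
from collections import deque


class RoundRobinResolver:
    """Authoritative DNS with several A records; each answer is rotated by one."""

    def __init__(self, ips, ttl=86400):
        self._records = deque(ips)
        self.ttl = ttl  # seconds a client may cache the answer (24h is common)

    def remove(self, ip):
        """Administrator pulls a bad address out of the record set."""
        self._records.remove(ip)

    def lookup(self, client_region=None):
        answer = list(self._records)
        self._records.rotate(-1)  # next query starts with the next address
        return answer


class GslbResolver:
    """GSLB-style DNS: only healthy addresses are returned, those in the
    client's region first, then the rest."""

    def __init__(self, ip_regions, ttl=30):
        self.ip_regions = dict(ip_regions)  # ip -> region hosting that instance
        self.healthy = set(ip_regions)
        self.ttl = ttl  # failover-oriented GSLBs use short TTLs

    def mark_down(self, ip):
        self.healthy.discard(ip)

    def mark_up(self, ip):
        self.healthy.add(ip)

    def lookup(self, client_region):
        alive = [ip for ip in self.ip_regions if ip in self.healthy]
        local = [ip for ip in alive if self.ip_regions[ip] == client_region]
        remote = [ip for ip in alive if self.ip_regions[ip] != client_region]
        return local + remote


class FirstAddressClient:
    """Typical client: caches the answer until its TTL expires and connects to
    the first address, with no fallback to the next one."""

    def __init__(self, resolver, region="us"):
        self.resolver = resolver
        self.region = region
        self._cache = None  # (answer, expires_at)

    def resolve(self, now):
        if self._cache is None or now >= self._cache[1]:
            answer = self.resolver.lookup(self.region)
            self._cache = (answer, now + self.resolver.ttl)
        return self._cache[0]

    def connect(self, now, reachable):
        """Return the address connected to, or None when the first address in
        the (possibly stale) cached answer is down."""
        answer = self.resolve(now)
        if not answer:
            return None
        return answer[0] if answer[0] in reachable else None


def demo():
    """Run the three scenarios from the text and return their results."""
    ips = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]

    # 1. Round robin: four consecutive queries, rotated by one each time.
    rr = RoundRobinResolver(ips)
    rotation = [rr.lookup() for _ in range(4)]

    # 2. Cache time: 1.1.1.1 is pulled from DNS, but a client that resolved an
    #    hour earlier keeps trying it until the 24h TTL runs out.
    rr = RoundRobinResolver(ips, ttl=86400)
    client = FirstAddressClient(rr)
    client.connect(now=0, reachable=set(ips))
    rr.remove("1.1.1.1")
    stale = client.connect(now=3600, reachable={"2.2.2.2", "3.3.3.3"})
    fresh = client.connect(now=86400, reachable={"2.2.2.2", "3.3.3.3"})

    # 3. GSLB: the failed US instance disappears from answers at once and each
    #    client sees its own region first.
    gslb = GslbResolver({"1.1.1.1": "us", "2.2.2.2": "us", "3.3.3.3": "eu"})
    gslb.mark_down("1.1.1.1")
    return {"rotation": rotation, "stale": stale, "fresh": fresh,
            "us": gslb.lookup("us"), "eu": gslb.lookup("eu")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```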

Fixed and Floating IP Addresses

OpenStack makes use of two types of IP addresses for its instances. A fixed IP address is automatically assigned by OpenStack when an instance is first launched. The fixed IP address can be either a public or a private address, depending on how the environment is configured. Public addresses allow connections from outside the environment to be made directly to the instances. Private addresses do not allow outside connections, but often do allow connections to other instances within the same environment.

The other type of IP address OpenStack supports is a floating IP address. Floating IP addresses are not automatically assigned to an instance when it is first launched. When OpenStack is configured to use floating IPs, a global floating IP pool is set up with all of the IP addresses permitted to be used as a floating IP. Users will then pull IP addresses out of the global pool and into their tenant pool, marking those IPs as only usable by that specific tenant. Users can then assign IP addresses from their tenant pool to specific instances running in the tenant. Floating IP addresses are most often public IP addresses, which allow outside connections to be made to that IP address. OpenStack environments that make use of floating IP addresses will often configure fixed IP addresses to be private addresses and floating IP addresses to be public addresses.

One advantage that floating IP addresses have over fixed IP addresses is that the user can assign and unassign them at any time. The user can move a floating IP address from one instance to another without having to terminate and relaunch an instance. It is also possible to have more than one floating IP address assigned to an instance. This gives the user a lot of flexibility in how a connection comes into the application. If an instance is having problems or crashes, the floating IP address can be moved to a working instance. It is also useful in maintenance. For example, a patch can be applied to all instances. An instance can be patched and then have the floating IP moved to it so that the other instance can be patched without affecting service availability.

Another advantage that floating IPs have is that they can be used as a means to conserve IP address usage in a network. The fixed IP network is often bigger, sized to be larger than the number of instances likely to ever be launched in that environment. The floating IP network may not be as big and may be a finite, valuable resource. If that is the case, users could assign floating IPs to only the instances that need outside connectivity and rely only on fixed IPs for instances that only rely on connections inside the environment.

For example, a particular OpenStack setup has a public network assigned to the floating IP addresses and a private, internally routed network assigned to the fixed IP addresses. The developer sets up an instance running HAProxy and assigns a floating IP address to it. The developer also sets up a bunch of web instances providing the web front-end for the application. The web instances are configured with fixed IP addresses only and are not accessible from the outside world. The fixed IPs are added to the HAProxy setup, and any time somebody connects to the floating IP of the HAProxy instance, HAProxy connects to one of the web instances and proxies the traffic between them. If one of the web instances goes down, HAProxy sends traffic to another web instance. If the developer needs to log in to any of the web instances, this can be done by first logging in to the HAProxy instance and then, from there, logging in to the desired web instance.

Neutron Port Reservation

Neutron assigns IP addresses to instances using the concept of port assignments. A port is essentially a virtual switch port that the instance connects to. A port is assigned a MAC address and a fixed IP address. When an instance connects to a port, the instance's network interface inherits the MAC address and IP assignment as well.

By default, when an instance is launched, a port is created with a MAC address and a fixed IP address and then assigned to that instance. When the instance is terminated, the port is destroyed, which frees the fixed IP address up for future use. If floating IPs are not used, there is no way to predict what IP address the instance will get. Nor is it possible to guarantee that if an instance is rebuilt by being terminated and then relaunched it will get the same IP address it originally had.

Neutron provides a mechanism to allow the user to create a port ahead of time and assign that port to an instance as it is being launched. When the port is created, the user has the option of specifying an IP address or letting OpenStack choose the IP address instead. To create a port, use the “neutron port-create” command. When the instance is launched, the port ID of the newly created port can be assigned using nova boot --nic port-id=PORT_ID. When the instance comes up, it should have a network interface configured using the MAC address and fixed IP address associated with the user-created port.

However, be aware that if the instance is terminated, OpenStack will happily destroy both the instance and any associated port. If the user wants to preserve the IP address associated with the instance, the port must be detached from the instance before the instance is terminated. This can be done by using neutron port-update PORT_ID --device_id '' --device_owner ''. This should work on any port, including a port that was created at the time the instance was launched. After the port is detached, it can be used again when launching another instance.

In older versions of OpenStack, Neutron port reservation wasn't very reliable. Ports could be detached from instances, but they sometimes did not work properly when attached to a newly launched instance, especially if the instance the port was originally attached to was still running. Also, ports could only be attached to instances when they were launched. It may be possible to attach a port to an existing instance by using neutron port-update. Consult the OpenStack documentation and test vigorously before using port reservations for production work.
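The port-reservation procedure above (create the port, boot on it, detach before terminating), wrapped in a small Python helper so that the detach step cannot be forgotten when an instance is rebuilt. This is an added example, not code from the book: it shells out to the legacy neutron and nova CLIs quoted in the text, assumes they are installed and authenticated through the usual OS_* environment variables, and uses cliff's -f value -c id output flags to read back the port ID; the RecordingRunner lets the command sequence be inspected without a cloud.

```python
import subprocess


def run_cli(argv):
    """Default runner: execute one CLI command and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def reserve_port(network, name, ip_address=None, runner=run_cli):
    """Create a port up front, optionally pinning its fixed IP, and return
    the port ID (-f value -c id makes the CLI print just that column)."""
    argv = ["neutron", "port-create", network, "--name", name,
            "-f", "value", "-c", "id"]
    if ip_address:
        argv += ["--fixed-ip", f"ip_address={ip_address}"]
    return runner(argv).strip()


def boot_with_port(server, image, flavor, port_id, runner=run_cli):
    """Launch an instance on the reserved port (nova boot --nic port-id=...)."""
    return runner(["nova", "boot", "--image", image, "--flavor", flavor,
                   "--nic", f"port-id={port_id}", server])


def detach_port(port_id, runner=run_cli):
    """Clear device_id/device_owner so Nova no longer owns the port and will
    not delete it (releasing its IP) together with the instance."""
    return runner(["neutron", "port-update", port_id,
                   "--device_id", "", "--device_owner", ""])


def rebuild_keeping_ip(old_server, new_server, image, flavor, port_id,
                       runner=run_cli):
    """Replace old_server with new_server on the same port, so the new
    instance keeps the MAC and fixed IP. Order matters: detach, delete, boot."""
    detach_port(port_id, runner)
    runner(["nova", "delete", old_server])
    boot_with_port(new_server, image, flavor, port_id, runner)
    return port_id


class RecordingRunner:
    """Dry-run runner: records argv lists instead of executing them and
    answers port-create with a constructed port ID."""

    def __init__(self, port_id="PORT_ID"):
        self.calls = []
        self.port_id = port_id

    def __call__(self, argv):
        self.calls.append(list(argv))
        if argv[:2] == ["neutron", "port-create"]:
            return self.port_id + "\n"
        return ""


if __name__ == "__main__":
    dry = RecordingRunner()
    pid = reserve_port("private-net", "web01-port", "10.0.0.25", runner=dry)
    boot_with_port("web01", "ubuntu-image", "m1.small", pid, runner=dry)
    rebuild_keeping_ip("web01", "web01-v2", "ubuntu-image", "m1.small", pid,
                       runner=dry)
    for argv in dry.calls:  # show exactly what would be run, in order
        print(" ".join("''" if a == "" else a for a in argv))
```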

Permanent IP Addresses

Users are accustomed to having a single known IP address associated with their application. A hostname is usually assigned to that IP address, but the IP address rarely changes. Once they have an IP address, firewall ports are opened up specifically for that IP address and that address may potentially be embedded in application code. Of course, if that IP address ever changes, it can be a nightmare to update the application to support that change, as firewalls have to be updated and source code scoured to find all the hardcoded entries.

When users are developing applications for the cloud, it is hard for them to let go of the concept that all their instances should have a permanent IP address assigned. Even if an application is built with multiple instances and regions in mind, users may still have to open firewall ports for all the IP addresses associated with their instances.

If the OpenStack environment supports floating IP addresses, then having a permanent IP may still be possible. If an instance needs to be destroyed and rebuilt, the user can move the floating IP address from the doomed instance to a new one. The firewall rules associated with that IP address continue to work. The same thing can be accomplished by creating and assigning Neutron ports to new instances. However, it is critical to make sure that the port is detached from the instance before the instance is terminated; otherwise the port will be destroyed and the IP address put back into the global IP pool.

Another thing users should be cautious of is that if an IP address is lost and firewall rules are associated with that address, some other user and application may get that IP address and all the firewall rules associated with it. The other application will have no idea what ports have been opened up in the firewall. This may not be an issue if the security groups are properly set up and restrict inbound traffic. However, it is common for developers to save network security for last or not address it at all, and so not be aware of the additional exposure that IP address reuse may bring to their application.

SCALING

Once a basic application has been built for the cloud, it needs to evolve so that it can survive failures in the cloud, as well as grow so that it can continue to meet user demand and performance requirements. Scaling an application vertically may address performance issues, but it rarely improves its ability to deal with cloud failures. Scaling the application horizontally can address both performance and resiliency to cloud failures.

What does it mean to scale an application horizontally? It means that the application is scaled by adding more instances to it. This is different from vertical scaling, where the instances themselves are made bigger. Horizontal scaling doesn't mean making additional copies of the application and running those copies in the cloud. It means taking a single application and spreading it out to run in more instances.

How can an application be spread across multiple instances? The first step is to understand all the different pieces that make up an application and then take each piece and run each of them in their own instance. Then each piece is expanded to run in multiple instances. Some pieces may be easier to run in multiple instances than others. Once an application can scale successfully in a single region, then steps can be taken to scale the application to other regions. An application running in multiple regions can increase performance by having users communicate with instances physically closer to them, and increases its resiliency in dealing with potential region-wide outages.

Application Anatomy

Applications are typically very complex, often containing multiple programs working in concert to provide a set of services to the end-user. It is rare to find an application that is a single program that does everything, such as providing a web interface and a database service all in one. Understanding all of the different pieces of an application is important when trying to build and deploy it to the cloud.

Most applications provide some kind of user interface. User interfaces can take many forms, such as a client interface that runs on the user's desktop, a web interface accessed from a browser, a command-line program the user runs from an operating system prompt, or maybe an API that the user uses from within a script or program.

User interfaces provide a mechanism for accessing and manipulating the data the application manages. This data is often stored in a database. Many applications use relational databases that provide better organization and faster access to the data, such as Oracle and MySQL. Some applications also make use of document store databases, such as MongoDB. Document store databases provide a means of storing unstructured data and objects. Applications may also make use of multiple databases and database types, further adding to the complexity of the application.

Some applications also make use of an application layer called middleware. Middleware contains software that typically is used to connect application components to other application components. Middleware provides a consistent means of connecting different pieces of the application to each other, making it easier to switch components out for other components in the future.

Applications may have other components too. For example, there may be a network or security component that monitors traffic in some way. There may be a logging component that aggregates the logs of all the other components into a single searchable location. There may be a monitoring component that checks application functionality and performance.

Each component needs to address potential failure scenarios as appropriate. A web-based user interface can deal with failure scenarios by simply scaling out. Since most web-based user interfaces can be stateless with respect to data, instances can be lost with little impact to the application, as long as there are enough instances to handle the incoming load. Databases often deal with failure scenarios by having a number of instances participating in a cluster. As long as the majority of the instances in the cluster remain available, the database is likely to remain up and available.

Each component can also deal with problems independently of the others. For example, if a performance issue is found in the middleware component, that component can be scaled out more to address the performance issue. There isn't a need to scale out the web component or the database component, since the problem was isolated only to the middleware component. Adjusting components independently when needed gives the application tremendous flexibility in dealing with failure scenarios and performance issues.

Multiple Instances

An application that runs in a single instance or in just a few instances is more likely to be affected by simple failure scenarios, such as hardware failure or maintenance. A single compute node failure could rob the application of an important piece of functionality, resulting in users not being able to reach the application or important data not being available to them.

The best way to deal with most failure scenarios is to have the application run in as many instances as possible. If one instance in a group goes down, the other instances in that group continue to provide the same functionality so the application remains operational.

Most applications can be broken down into smaller pieces based on functions that can be isolated from other functions. For example, a web-based user interface can often be separated from a database back-end, since users do not need direct access to the database and the database doesn't care about how the users see or make use of that data. Breaking an application into smaller functional units is the first step in running an application in multiple instances. The web interface can run in one instance and the database can run in another instance.

Once the application has been broken into smaller functional units and each functional unit separated into multiple instances, the instances can then be scaled out so that each functional unit also runs in multiple instances. For example, the web-based user interface can run in several instances instead of just a single instance.

Running the application across many instances adds a considerable amount of complexity to the application. However, it also provides two key improvements to the application. The first key improvement is that it should make the application more resilient to failures occurring in the cloud. A compute node failure is not likely to take out all the instances of that functional unit. The other key improvement is that it is easier to scale the application horizontally. For example, if user demand increases to the point where a particular functional unit is becoming performance-bound or running into a resource limit, the number of instances for that functional unit could be increased to handle the user demand. This not only spreads load across more instances, but if an instance can only handle a certain number of users, multiple instances can increase the total number of users that can be handled.

Stateless applications are much easier to run in a multiple instance setup. Data kept in an instance is not important enough to protect against loss if there is a failure in the cloud. Furthermore, one instance doesn't depend on data in another instance. If an instance goes away, a user can be routed through another instance seamlessly without having to know what that user was doing in the other instance before that.

Stateful applications are more difficult to run in a multiple instance setup. Data needs to be kept about what is happening and what has already occurred so that what happens next can be determined. For example, you can have a multi-request transaction that is occurring in the application. If all of the requests go through a single instance, the instance has all of the data about the transaction and can handle the transaction end-to-end without difficulty. However, if one request goes through one instance and another request goes through other instances, how does one instance know about the requests that went through the other instances? A stateful application needs to track all the requests of a transaction, no matter how many instances the requests went through.

Multiple Locations

Just as an application needs to run in multiple instances in order to scale and be more resilient to failures in the cloud, the application also needs to be deployed in multiple locations. As discussed previously, there are all kinds of failures that can occur in the cloud, or even outside the cloud, that can affect a cloud application. For example, an outage in the data center can take out an entire location or region. Even if the application runs in many instances, if all of those instances ran in the same location, the application is still unavailable.

It is important to understand the OpenStack environment that the application is going to be deployed to. If there are multiple regions available, find out where the regions are physically located. The application should be deployed to geographically diverse locations, such as on the east coast and on the west coast. If a power or network outage takes out all of the data centers in a particular region, other regions can pick up the load and allow the application to continue operating.

It is also important to understand how regions may differ from each other with respect to speed, redundancy and reliability, and location with respect to the users that may need to use the application. An OpenStack region can be installed in a really nice data center that offers a high speed network, lots of bandwidth, and power and network redundancy. It can also be installed in a lower tier facility where there may not be as much bandwidth or redundancy, which means that failures could happen more often and have a greater effect on applications deployed there. However, those regions may be closer to the end-user or provide lower latency connections and ultimately provide more plusses than minuses. Knowing how regions differ may result in an application being deployed with fewer instances in one region versus another, or maybe certain functions of an application may be deployed to a higher risk region.

Managing an application that runs in multiple regions is even more complex than just managing an application that runs in multiple instances. Some of the challenges can be reduced if all the requests of a transaction or all the transactions for a user can be kept to the same region. Data access and integrity can also be challenging. If a database is going to run in multiple regions, data needs to be replicated and synced. If the application requires real-time data access, ensuring the data is current in all locations at all times can be difficult, especially if the regions are separated geographically by a large distance.

Load Balancing

Load balancing provides a means to direct traffic flow to those instances that should receive it. In the most basic form, incoming traffic can be split equally across all of the instances, which spreads load evenly and allows for better scaling. In more advanced forms, instances can be monitored so that traffic is split based on availability, performance and level of activity. In particular, if an instance goes down, it can be excluded from receiving additional traffic until that instance is restored to service.

Load balancers typically provide an easy means to configure how traffic should flow inside an application. A pool is created to monitor a particular service, and servers can be added to and removed from the pool on the fly. Load balancers monitor the services of each server and determine what traffic should go to it, if any. A pool often has an IP address and port assigned to it. As long as at least one server in the pool is able to receive traffic, the pool's IP address and port is active.

Load balancers monitor the services in a pool by connecting to the service. Monitoring can be as simple as just connecting successfully to the service, or it can be as complex as connecting to the service and expecting a specific banner or string to be returned. Some load balancers provide a means of attaching custom scripts to the checks so that complex checks can be performed, such as authenticating to the service and performing some kind of action. Load balancers can also monitor performance in a way, by looking at how long their checks are taking and basing decisions on that. Successful checks mark the service as available and unsuccessful checks mark the service as unavailable.

Once the load balancer has collected all of the data from the checks performed on the service, it needs to decide how to distribute the incoming traffic. A pool set up to use a round robin algorithm will send traffic to each service, one after the other in sequential rotating fashion. A pool set up to use a least connections algorithm will send traffic to the service that has the fewest active connections. A pool could also be set up to send traffic to the service with the least network latency. More complex algorithms can also be supported, combining simple algorithms, or setting up a priority of services that should get traffic before other services get traffic.
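The pool behaviour described in the two paragraphs above, as a constructed model (an added example, not code from the book or from any real load balancer): members are health-checked with either a plain connect check or a banner check, the pool's address stays active while any member passes, and new connections are assigned by round robin or least connections. The member names, banners and connection counts are made up; no real sockets are opened.

```python
from itertools import cycle


class Member:
    """One back-end server in the pool (simulated; no real network)."""

    def __init__(self, name, banner="HTTP/1.1 200 OK", up=True):
        self.name = name
        self.banner = banner      # what a connect to the service returns
        self.up = up              # False: the connect itself is refused
        self.active = 0           # connections currently proxied to it
        self.available = True     # result of the last health check

    def connect(self):
        if not self.up:
            raise ConnectionError(f"{self.name}: connection refused")
        return self.banner


class Pool:
    """Health-checked pool with 'roundrobin' or 'leastconn' distribution."""

    def __init__(self, members, algorithm="roundrobin", expect_banner=None):
        self.members = list(members)
        self.algorithm = algorithm
        # None: a successful connect is enough; otherwise the banner must match
        self.expect_banner = expect_banner
        self._rotation = cycle(self.members)

    def check(self, member):
        """Connect check, optionally extended to a banner check."""
        try:
            banner = member.connect()
        except ConnectionError:
            return False
        return self.expect_banner is None or banner.startswith(self.expect_banner)

    def run_checks(self):
        """Re-check every member; return the names marked available."""
        for m in self.members:
            m.available = self.check(m)
        return [m.name for m in self.members if m.available]

    def is_active(self):
        """The pool's IP and port stay up while one member can take traffic."""
        return any(m.available for m in self.members)

    def pick(self):
        """Choose the member for a new connection; None if nothing is available."""
        alive = [m for m in self.members if m.available]
        if not alive:
            return None
        if self.algorithm == "leastconn":
            chosen = min(alive, key=lambda m: m.active)   # first wins ties
        else:  # round robin: next in sequence, skipping unavailable members
            chosen = next(self._rotation)
            while not chosen.available:
                chosen = next(self._rotation)
        chosen.active += 1
        return chosen.name


def demo():
    """Scenarios from the text; returns the observed pick sequences."""
    web1 = Member("web1")
    web2 = Member("web2", up=False)                         # refuses connects
    web3 = Member("web3", banner="HTTP/1.1 503 Service Unavailable")
    pool = Pool([web1, web2, web3], "roundrobin", expect_banner="HTTP/1.1 200")
    first_checks = pool.run_checks()                        # only web1 passes
    only_web1 = [pool.pick() for _ in range(3)]
    web3.banner = "HTTP/1.1 200 OK"                         # web3 recovers
    second_checks = pool.run_checks()
    alternating = [pool.pick() for _ in range(4)]

    # Least connections: b has the fewest active connections and wins until
    # it catches up with c; the pool dies only when every member is down.
    a, b, c = Member("a"), Member("b"), Member("c")
    a.active, b.active, c.active = 2, 0, 1
    lc = Pool([a, b, c], "leastconn")
    lc.run_checks()
    least = [lc.pick() for _ in range(3)]
    for m in (a, b, c):
        m.up = False
    dead = lc.run_checks()
    return {"first_checks": first_checks, "only_web1": only_web1,
            "second_checks": second_checks, "alternating": alternating,
            "least": least, "dead": dead, "dead_active": lc.is_active(),
            "dead_pick": lc.pick()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```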

There are many types of load balancers available. Hardware load balancers usually provide the most capabilities, reliability and ability to handle large amounts of traffic. However, they are also more expensive than any other type of load balancer. Also, hardware load balancers managed by another team may add additional complexity to their use. Nonetheless, if hardware load balancers are available, it is recommended to take advantage of them.

Software load balancers are cheaper and can be more flexible than hardware load balancers. You can build and incorporate software load balancers into the application, tightly coupling how load balancing is done with the needs of the application. There are many types of software load balancers. One of the more popular choices is HAProxy. There are a number of load balancers available using Apache and Java as well.

OpenStack also provides Load-Balancing-as-a-Service (LBaaS), which is implemented using Neutron. It supports many of the same features that regular load balancers support, such as service monitoring, management of the services in the pool, managing connection limits, and providing session persistence. Check with the OpenStack cloud administrators to see if LBaaS is available and how it can be used.

One of the things that needs to be considered when setting up load balancing for an application is what kind of traffic will be going through it. Not all network protocols may be supported by load balancers. If session tracking is used, either the application needs to share session information across all of the needed servers, or the load balancer needs to be configured to send a single session's traffic to the same back-end server until that session is terminated.

Another thing to be considered is that load balancing will increase logging quite a bit on the servers in the pool. Generally, load balancers like to check services every few seconds to make sure they are up. In an enterprise environment, there may be two or more load balancers configured identically, all of them checking every few seconds on those same services. Unless the application is configured to not log those connections, logs can grow quite a bit.

Ultimately, load balancing provides a valuable way to improve an application. It provides a means to monitor the services and remove servers from a pool that are no longer working. It also provides a means to add and remove servers on the fly, which is an important part of application scalability.

Performance

When an application is architected so that its various pieces can scale to multiple instances and those different types of instances can scale independently of each other, the complexity of the application increases dramatically. When problems occur within the application, it becomes more difficult to identify where the problem is actually occurring. Sometimes, problems manifest as broken functionality within the application. However, more often than not, problems manifest as performance issues.

What kind of performance issues could an application experience? Performance issues can take many forms. For example, a backup system has to back up all the data of an application every night and has to be completed before the next business day. However, over time, backups are taking longer and eventually risk not finishing in time. Another example may be an application that accepts file uploads and has to virus check each upload before confirming to the user that it was successful. It may be that virus checking is taking longer and longer and uploads are failing because they are timing out or the user doesn't wait around long enough for it to complete.

Application performance is often characterized as the amount of time to perform specific actions. For example, a web user clicking on a link within a web page will expect the click to immediately respond with a new page and expect to see the new page completely loaded within a short period of time. Perceived slowness can sometimes be attributed to the accumulation of all the different things that have to happen behind the scenes. If a single user click results in twenty different actions occurring, each action may be quick, but the total time to process all twenty actions may be too long.

It is incredibly important to monitor every aspect of an application. Data can be collected on how long database transactions take. Data can be collected on how long it takes to transfer data over the network or write it to disk. Data can be collected on the number of successful or failed events. Data can be collected on the number of connections and logins. All of this data should be collected over time so that it can be analyzed for potential issues and understood in context with other events, such as holidays, special events or abnormally high usage.

When performance issues are discovered, a number of things can be done. Some performance issues may be related to higher activity and can be solved by simply adding more instances to the pool to handle it. Other performance issues may be related to a change in the usage pattern. For example, users may be searching on something in a different way, and the SQL query created to do that search is somehow searching inefficiently in the database. Fine tuning the search capability, creating a new index in the database or fine tuning database settings may be the more appropriate way to fix the performance issue than simply adding more instances to the database service.

Operating system performance should also be heavily monitored. For Linux servers, it is a good idea to run SAR and collect data on CPU, memory and disk performance. A good metric to monitor is the CPU steal time, which can be seen in the SAR data as %steal. If this value is consistently non-zero, it usually means CPU cycles are being stolen from that instance and given to another. Looking at that metric in combination with the %idle metric, and looking at these values across all the instances collectively, can provide clues as to whether the hypervisor is overloaded or maybe the instance is undersized.
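One way to put the %steal and %idle advice above into practice, as an added example (not code from the book): parse `sar -u` output collected from several instances, summarize steal and idle per instance, and apply a fleet-wide heuristic. The three SAR captures are constructed, and the thresholds in assess() are assumptions, not values from the book.

```python
from statistics import mean

# Constructed `sar -u` captures from three instances on the same hypervisor.
SAR_WEB01 = """\
Linux 3.10.0 (web01)   01/15/2016   _x86_64_   (2 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all     38.12      0.00      6.31      0.40     12.50     42.67
12:20:01 AM     all     41.90      0.00      7.02      0.35     14.10     36.63
12:30:01 AM     all     36.55      0.00      5.88      0.51     11.75     45.31
Average:        all     38.86      0.00      6.40      0.42     12.78     41.54
"""
SAR_WEB02 = """\
Linux 3.10.0 (web02)   01/15/2016   _x86_64_   (2 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all     15.20      0.00      3.10      0.20      0.00     81.50
12:20:01 AM     all     16.05      0.00      3.40      0.25      0.00     80.30
12:30:01 AM     all     14.80      0.00      2.95      0.15      0.00     82.10
Average:        all     15.35      0.00      3.15      0.20      0.00     81.30
"""
SAR_DB01 = """\
Linux 3.10.0 (db01)   01/15/2016   _x86_64_   (4 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all     78.30      0.00     12.10      2.30      3.20      4.10
12:20:01 AM     all     79.45      0.00     11.80      2.20      2.80      3.75
12:30:01 AM     all     76.90      0.00     11.55      2.30      4.05      5.20
Average:        all     78.22      0.00     11.82      2.27      3.35      4.35
"""
FLEET = {"web01": SAR_WEB01, "web02": SAR_WEB02, "db01": SAR_DB01}


def parse_sar_cpu(text):
    """Return the per-interval rows of a `sar -u` report as dicts keyed by the
    percentage columns, skipping the banner, blank lines and the Average row."""
    rows, columns = [], None
    for line in text.splitlines():
        fields = line.split()
        if "%steal" in fields:          # header row defines the column layout
            columns = fields
            continue
        if columns is None or not fields or fields[0] == "Average:":
            continue
        if len(fields) != len(columns):
            continue                    # tolerate stray lines in a capture
        rows.append({name: float(val) for name, val in zip(columns, fields)
                     if name.startswith("%")})
    return rows


def summarize(rows):
    """Mean steal, mean idle and the share of intervals with any steal."""
    steal = [r["%steal"] for r in rows]
    idle = [r["%idle"] for r in rows]
    return {"mean_steal": round(mean(steal), 2),
            "mean_idle": round(mean(idle), 2),
            "steal_nonzero_fraction": sum(1 for s in steal if s > 0) / len(steal)}


def assess(fleet, steal_fraction=0.9, busy_idle=20.0):
    """Assumed heuristic: steal present in most intervals on more than half
    the fleet points at an oversubscribed hypervisor; an instance with steal
    and almost no idle left is also a candidate for being undersized."""
    summaries = {name: summarize(parse_sar_cpu(text)) for name, text in fleet.items()}
    stealing = [n for n, s in summaries.items()
                if s["steal_nonzero_fraction"] >= steal_fraction]
    findings = {}
    if len(stealing) > len(summaries) / 2:
        findings["hypervisor"] = "steal on most instances: hypervisor likely oversubscribed"
    for name in stealing:
        if summaries[name]["mean_idle"] < busy_idle:
            findings[name] = "steal with little idle: instance may be undersized"
    return summaries, findings


if __name__ == "__main__":
    summaries, findings = assess(FLEET)
    for name, s in summaries.items():
        print(f"{name}: steal={s['mean_steal']}% idle={s['mean_idle']}% "
              f"steal_nonzero={s['steal_nonzero_fraction']:.0%}")
    for key, msg in findings.items():
        print(f"{key}: {msg}")
```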

OpenStack provides some metrics data for application developers to take advantage of. Ceilometer collects information about CPU and RAM usage, disk activity, network bandwidth and other data. It is possible that Monasca is being used as well, which provides many of the same metrics as Ceilometer. Be sure to talk with the OpenStack cloud administrators to see if metrics are being collected in the cloud and how they can be used by the application.

Data Storage

In OpenStack there are a number of different ways that data can be stored. By default, when an instance is launched, it uses ephemeral storage. Ephemeral storage is usually storage associated with the compute node where the instance runs. If the instance is terminated, all the ephemeral storage associated with that instance is also deleted. Ephemeral storage is the least protected data within OpenStack. The storage is likely not backed up or replicated. A lost disk or compute node could lead to data loss.

Block storage is provided by Cinder in OpenStack and presents that storage as volumes that can be attached to the instances. Volumes show up as block devices inside the instances and can be mounted as disks or filesystems. Volumes can be attached, detached and moved to different instances. When an instance is terminated, the volumes are detached from the instance and are not deleted. The volume can then be attached to a new instance if need be. Block storage is implemented in Cinder through the use of drivers, many of which are vendor specific. Very often, block storage is set up to be performant and to replicate data to prevent issues resulting in data loss.

Object storage is provided by OpenStack through the Swift API. Data is stored in a completely different way than with block storage. The application creates containers and then uploads files into those containers. Access to the files requires them to be downloaded from the container into the instance. Containers and their associated files have no concept of instances. If an instance that uses a container is terminated, nothing happens to the container or its files, which remain accessible by other instances in the cloud. In fact, one of the advantages Swift has over Cinder is that containers can be accessed by many instances, but a block storage volume can only be attached and accessed by one instance at a time. Object storage is also often set up to be performant and to replicate data to protect against data loss.

When building an application that needs to store data permanently, selecting the appropriate data storage back-end is extremely important. How important is the data? Is it okay for the data to be lost if an instance dies? Can the data be replaced or rebuilt if a new instance is created? How long is the data needed? Does the data need to be always immediately available? How much data needs to be stored? These questions can play a big role in deciding what is used to store data and how it is stored. Be sure to talk to the storage administrators to better understand the available options. In particular, discuss with them their data replication settings, how much storage they have and what your application's long term needs are so they can plan accordingly.

If data is stored in an environment that replicates data, the application should take care not to do its own data replication. If the storage cluster replicates data three times and the application is also replicating data three times, this really means that the data is being stored a total of nine times in the cluster! This can affect application performance due to unnecessary replication, as well as consume way more disk space than is really needed.

Applications can take advantage of multiple storage options at the same time. Since ephemeral storage is often faster than using block or object storage, an instance can keep its more often used data on ephemeral storage and the less used data on block storage. Data that is rarely used could be put into object storage for long term storage. Be sure to consider all options when building an application that requires storing data.

High Availability

To build an application with high availability in mind means that the application has to be available as much as possible and that it needs to run properly and performantly at all times. A highly available application often runs everywhere and is able to adapt to changes in the environment where it runs. Building an application is hard enough, but building a highly available application is even harder.

What are some of the techniques involved in running a highly available application? One of the most important techniques is to ensure the application and all of its pieces can run in many instances, and that those instances can also run in multiple environments. The more places the application runs in, the more resilient it is to hardware or even data center failures. Multiple instances also allow the application to scale appropriately as needed.

Another technique is to put services behind load balancers so that traffic can be appropriately distributed. Furthermore, if any instances become unavailable, load balancers configured with health checks will automatically remove those services from the pool and redistribute traffic to the remaining services. Using global server load balancing (GSLB) can further increase high availability by redirecting traffic to different data centers based on where connections are coming from. If a data center goes offline, a GSLB can automatically redirect all traffic to another data center until the issue is resolved.

It is also wise to understand application usage and how that ties in with the bigger picture. External events can cause significant increases in traffic. Holidays can result in increases for holiday shopping, especially on days like Black Friday and Cyber Monday. Sporting events, like the Super Bowl, can increase website activity for viewing on-demand data. Universities can see increased activity associated with the beginning of the school year or changes in quarters and semesters. Major news events could drive up stock activity. All of these need to be considered when building an application for high availability. Ideally, if an event can be anticipated ahead of time, the application can be scaled upwards accordingly ahead of that event to deal with expected demand and then scaled back down after that event has passed.

How can the application scale to meet demand? One way is for somebody to actively monitor the services and manually add instances as needed until the application can handle that need. This can be an expensive way to address the problem and introduces a human element and risk to the overall process. Another, and better, way is to monitor the application for problems and performance and auto-scale the application in a pragmatic way. OpenStack provides many APIs for managing instances and services in the cloud. The application can detect when it needs to grow a particular service and use the API to do that. When demand subsides, the application can reduce the number of instances running in an automatic way. Note that whatever component makes these API calls holds credentials that can create and delete servers, so give it a dedicated, least-privilege account scoped to the application's own project rather than an administrator's credentials: a compromised web instance should not be able to tear down the whole deployment.

Another important thing to consider is building extra capacity into the application ahead of time. Instead of expecting each instance to be 100 percent busy and only deploying the number of instances needed to handle all of the load, build each instance to be 60 percent busy and run more instances. One advantage to this strategy is that brief spikes in demand can occur that might not trigger auto-scaling. With extra headroom built into the instances themselves, spikes can be handled without causing any issues with performance in the application. The key is to over-provision and under-utilize.
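The scaling rule described in the last two paragraphs (grow or shrink toward a 60 percent target, ignore short spikes, don't flap) is easy to get wrong, so here is an added example of the decision logic written for this page; it is not code from the book. The utilisation samples in the test are constructed, and in a real deployment the returned instance count would be handed to the Nova API or a Heat scaling group by a least-privilege service account; the policy numbers are assumptions.

```python
"""Auto-scaling decision with headroom, sustain and cooldown (added example)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ScalePolicy:
    target_util: float = 0.60    # design point: each instance ~60% busy
    scale_out_at: float = 0.80   # sustained load above this -> add capacity
    scale_in_at: float = 0.30    # sustained load below this -> remove capacity
    min_instances: int = 2       # HA floor: never a single instance
    max_instances: int = 20      # ceiling: cost and blast-radius control
    sustain: int = 2             # consecutive samples needed before acting
    cooldown_periods: int = 3    # samples to wait after a change


def desired_count(current: int, avg_util: float, policy: ScalePolicy) -> int:
    """Instances needed to bring avg_util (0..1 across `current` instances)
    back to policy.target_util, clamped to [min, max]."""
    if avg_util >= policy.scale_out_at or avg_util <= policy.scale_in_at:
        work = current * avg_util              # total load in instance-units
        wanted = math.ceil(work / policy.target_util)
    else:
        wanted = current                       # inside the dead band: no change
    return max(policy.min_instances, min(policy.max_instances, wanted))


def plan(samples, start: int, policy: ScalePolicy):
    """Replay utilisation samples; return (final_count, [(index, old, new)]).

    A change is only made after `sustain` consecutive out-of-band samples,
    so a one-sample spike is absorbed by the headroom instead of triggering
    a scale-out, and a cooldown follows every change to prevent flapping.
    """
    count, actions, cooldown, streak = start, [], 0, 0
    for i, util in enumerate(samples):
        if cooldown > 0:
            cooldown -= 1
            continue
        outside = util >= policy.scale_out_at or util <= policy.scale_in_at
        streak = streak + 1 if outside else 0
        if streak < policy.sustain:
            continue
        wanted = desired_count(count, util, policy)
        if wanted != count:
            actions.append((i, count, wanted))
            count = wanted
            cooldown = policy.cooldown_periods
        streak = 0
    return count, actions


if __name__ == "__main__":
    # Constructed sample series: a morning surge followed by a quiet period.
    series = [0.55, 0.58, 0.90, 0.92, 0.95, 0.70, 0.65, 0.25, 0.20, 0.22, 0.20]
    print(plan(series, start=3, policy=ScalePolicy()))
```

The dead band between `scale_in_at` and `scale_out_at` is what makes the 60 percent design point work: the fleet is left alone while it sits near its target, and only sustained movement outside the band changes the count.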

High availability does present other challenges, though. Take a look at a case where a particular service runs in multiple instances with one instance acting as a master and the other instances acting in a passive role. Very often, the instances are talking to each other all the time, ensuring the master is alive and well. What happens if something breaks the communication between the master and the passive instances? The master may not be aware of this issue and continues to operate normally. A passive instance sees the master go away and immediately puts itself into master mode. What if the other passive instance does the same exact thing? There could be three master servers all at the same time. This is commonly known as split-brain syndrome and can be a hard problem to avoid in certain failure scenarios. The usual defence is a quorum rule: an instance only takes the master role if it can still see a strict majority of the cluster, so at most one side of a partition can ever promote itself. This problem can be even more pronounced between regions when network communication is disrupted.

Now, we're going to see how we can implement what we've discussed in this chapter to improve our sample application.

IMPROVING OUR APPLICATION

Starting with the simple application concept introduced in the previous chapter, we want to build on that and show how it can be improved upon. Conceptually, the process isn't that difficult. However, not all of it is easy either. For example, an application that requires persistent sessions needs to work in a multi-instance environment. In any case, if the application can be broken into its basic components, each component can be improved upon independently and in a way that makes the most sense for that component.

Simple Application

Let's take the application that was started in the previous chapter. The application has three components to it: a web-based front-end that users will access, an API layer that the front-end talks to, and a database back-end. The application may look something like Figure 5.1.

Figure 5.1

Initially, the application may have been kept simple in order to provide a proof of concept, so that the application is shown to be viable in the cloud and approval can be sought for continuing its development. Each component may exist as a single instance. For the above example, the application would exist in three instances, one for each of the different components.

Complex Application

The above example could be considered overly simplistic. More complex applications may use an API layer to abstract access to multiple types of back-ends. The API provides a consistent means to access different types of data, making it easier to extend functionality or even to allow back-ends to be swapped out without having to recode any of the front-ends. The API could also take input from more than just a web front-end. Users could access the API using command line tools or a client program. This application may look like Figure 5.2.

Figure 5.2

When looking at the components to build this application, it turns out that it really isn't that complex. The API layer is still just a single instance. The web front-end and the database are also each their own instance. The client program and command line tools don't need their own instances. They are just alternative methods for the user to access the API directly. The API can also access file storage directly and communicate with other applications in the environment. The end result is that this application is still only three instances, even with more "stuff" going on with it.

Improving the Web UI Component

In order to improve on the web front-end, the application needs to be scaled out to multiple instances. The number of users expected to use the application can be used as a guideline to determine the number of instances that will likely be needed to run the web front-end. Also, users need a consistent means of accessing the web service without having to worry about which instance they are connecting to. This is accomplished by putting the web instances behind a load balancer (see Figure 5.3).

Figure 5.3

One challenge that may need to be addressed when putting a web service behind a load balancer is when the web service does session management in order to track user activity during the lifetime of the session. A session starts with the user logging in to the web service and being assigned a session ID. The user's session ID may be tracked by embedding it in URLs or in a hidden form field, or, more commonly, through a web browser cookie. Cookies are the right choice of the three: a session ID carried in a URL leaks into browser history, proxy and server logs and Referer headers, whereas a cookie marked Secure and HttpOnly is only ever sent over TLS and is invisible to page scripts. The web service maintains information about the session while the user is logged in. The session ends when the user logs out or there is no activity from the user after some time.

The difficulty with session management is often in its implementation. What happens if a user logs in using one instance, but the next click on a web page sends the user to a different instance? How is session information shared between instances? If session information is stored locally within an instance, other instances may not even have that user's information.

Most load balancers have a way of dealing with this issue, implementing a feature called session affinity, persistent sessions, or sticky sessions. One method assigns the source IP of the user to a specific instance, and all traffic coming from that source IP will always go to that instance (which also means that every user behind a shared corporate NAT or proxy lands on the same instance). Another method uses a tracking cookie that the load balancer creates, and sends all traffic carrying that cookie to a specific instance. One drawback of using session persistence in a load balancer is that pinning traffic to specific instances significantly reduces the load balancer's ability to balance traffic in meaningful ways. Over time, some instances may be significantly busier than other instances simply because of how users are using the application. If an instance becomes overloaded, adding more instances to the Web UI layer may not help because those users are permanently pinned to the overloaded instance.

The best way to deal with session management using multiple instances is to abstract session management to a shared database that all instances can access. If session information is not kept locally within an instance, it no longer matters which instance the user hits, or even if the user hits multiple instances in the same session. This also avoids the problem that load balancers have with persistent sessions, since user traffic is not pinned to specific instances. The drawback, however, is that the database used to store session information needs to also be implemented in a highly available manner. This prevents a single database instance from breaking the web interface completely.

Improving the API Component

In order to improve on the API layer, it also needs to be scaled out to multiple instances. The number of instances can be chosen based on how performant an API instance is in dealing with incoming connections, communicating with its various back-ends, and passing that data back to the requesting sources. Since the API layer is often implemented using similar technologies to those employed by the web front-end, the method for running the API using multiple instances is similar to that used by the web front-end. This is accomplished by putting the API layer behind a load balancer (see Figure 5.4).

Figure 5.4

One advantage that the API layer often has over the web front-end is that it doesn't have to keep track of user sessions. This makes it easier to run multiple instances behind the load balancer, since it doesn't matter which API instance is being hit at any particular time.

However, APIs may implement their own form of session management through the use of an authentication token. The user receives the authentication token when they authenticate successfully with the API. The user can then present that token in each follow-up call to the API without having to authenticate each request. After a period of time, the token may expire and force the user to re-authenticate, which either renews the token or gives the user a new token.

The API layer often manages authentication tokens using a back-end database. This means that if a database is being used, the database needs to be highly available in order to prevent a single database instance from disrupting API functionality. If the API is only making use of the database for token management, the API could continue to function without tokens, forcing users to authenticate each API request. Whatever the store, keep only a hash of each token in it, not the token itself, so that a read of the token table (a backup, a replica, a misconfigured read-slave) does not hand an attacker a set of live credentials.
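Both the shared session store recommended for the Web UI tier and the token store just described come down to the same thing: a table every instance can reach, keyed by a hashed secret, with idle and absolute expiry. The following is an added example written for this page (not code from the book) that implements both in one store. An in-memory SQLite database stands in for the highly available cluster behind the database load balancer; the timeouts, the `kind` values and the `authenticate_api` fallback are assumptions made for the demo application.

```python
"""Shared session/token store for all web and API instances (added example)."""
import hashlib
import secrets
import sqlite3

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session ends
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap after login, regardless of activity


class SharedStore:
    """Sessions ('web') and API tokens ('api') in one table that every
    instance behind the load balancer queries, so it no longer matters which
    instance a request lands on. Only SHA-256 hashes of secrets are stored."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " id_hash TEXT PRIMARY KEY, principal TEXT NOT NULL,"
            " kind TEXT NOT NULL, created REAL NOT NULL, last_seen REAL NOT NULL)"
        )

    @staticmethod
    def _h(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, principal: str, kind: str, now: float) -> str:
        """Create a session or token for `principal`; return the secret once."""
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.conn.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?, ?)",
            (self._h(secret), principal, kind, now, now),
        )
        return secret

    def lookup(self, secret: str, kind: str, now: float):
        """Return the principal for a valid secret of this kind, else None.
        Expired entries are removed on the spot (no-activity or hard expiry)."""
        h = self._h(secret)
        row = self.conn.execute(
            "SELECT principal, created, last_seen FROM sessions"
            " WHERE id_hash = ? AND kind = ?", (h, kind)
        ).fetchone()
        if row is None:
            return None
        principal, created, last_seen = row
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_LIFETIME:
            self.revoke(secret)
            return None
        self.conn.execute(
            "UPDATE sessions SET last_seen = ? WHERE id_hash = ?", (now, h))
        return principal

    def revoke(self, secret: str) -> None:
        self.conn.execute(
            "DELETE FROM sessions WHERE id_hash = ?", (self._h(secret),))


def authenticate_api(store: SharedStore, bearer, basic, credentials_ok, now: float):
    """Token first; fall back to per-request credentials.

    `bearer` is the Authorization header value (or None), `basic` a
    (user, password) pair (or None), `credentials_ok` the password check.
    If the token store is unreachable the API keeps working in the degraded
    mode the text describes: every request must carry credentials.
    """
    auth = bearer or ""
    if auth.startswith("Bearer "):
        try:
            principal = store.lookup(auth[len("Bearer "):], "api", now)
        except sqlite3.Error:            # store down: treat as "no token"
            principal = None
        if principal is not None:
            return principal
    if basic is not None and credentials_ok(*basic):
        return basic[0]
    return None
```

A session secret and an API token are deliberately kept apart by `kind`: a browser session ID presented as a bearer token is rejected even though it lives in the same table.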

Improving the Database Component

For the database layer, scaling the database out to more instances is not as simple as just running multiple copies of the database instance. For the web and API layers, the instances really do not need to know anything about the other instances in that layer. There could be a single, several or many web and API instances and the application would run the same way.

So, how can the database layer be improved? The database layer is scaled out, but it is scaled on a much smaller level. Where the web and API layers may have hundreds of instances, the database layer may only have a few instances. The database instances often replicate data so that each instance is identical to the others. It is how the data is replicated that makes the database layer more complex. There are a couple of different ways that the database layer can be put together to provide redundancy and increased performance.

One of the more popular methods for scaling the database layer is to run a Galera Cluster for MySQL. A Galera Cluster allows multiple MySQL instances to communicate with each other and replicate data. It runs in multi-master mode, which means that read/write communication can occur with any instance in the cluster. When a transaction is committed, its write set is sent to all instances, and the commit returns successfully only once every instance has received and certified it (applying it locally may lag by a moment, which is why Galera calls this virtually synchronous replication) (see Figure 5.5).

Figure 5.5

Another method for scaling the database layer is to run a MySQL Cluster. Generally, MySQL Clusters are set up with two different sets of nodes, the SQL nodes and the data nodes. The API layer talks to the SQL nodes, which determine where the data is stored and then make the necessary queries to the appropriate data nodes. The data can be split into smaller chunks, called partitions, and stored on a subset of the data nodes. Replication occurs within pairs of data nodes within the cluster. The more data nodes there are, the more partitions there are, spreading the data across the entire cluster (see Figure 5.6).

Figure 5.6

One advantage of running a MySQL Cluster is that it can scale to more instances. The more instances that are added, the more the data can be spread across that cluster. However, MySQL Cluster is more sensitive to latency and requires more CPU and network resources to run efficiently. The application may also need to be reworked to take advantage of the partitioning of data; otherwise, a single query could hit every data node and result in potentially worse performance.

A Galera Cluster, by contrast, requires very little change from the application's point of view. There is no data partitioning, so every instance has a complete copy of the data. This can also be a drawback, however, since the more instances there are in the cluster, the more data has to be replicated to every other instance. This is generally why Galera Clusters are small, usually at least three instances but not much larger. Another consideration when running a Galera Cluster is quorum: the instances that can still see each other must be strictly more than half of the cluster. If a partition is left with half or fewer of the instances, it loses quorum, stops accepting queries and the database goes offline on that side. It can sometimes be difficult to bring the cluster back online without making changes to the cluster configuration files or bootstrapping a node by hand. This is why a cluster needs to have at least three instances in it, and why an odd number is preferable: if one instance is lost, there is still a majority in the cluster to keep it operational, whereas a two-node cluster losing one node is exactly half and has no majority.
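The strict-majority rule is the one thing the split-brain discussion under High Availability and the Galera quorum rule above have in common, so here is one added example (written for this page, not from the book) that exercises it: every partition of a cluster picks a leader, and we compare the naive "I can't see the master, so I am the master" behaviour with the quorum-gated one. The membership sets and partitions are constructed; node names are placeholders.

```python
"""Quorum-gated leader election versus naive failover (added example)."""
from typing import Dict, List, Set


def has_quorum(reachable: Set[str], members: Set[str]) -> bool:
    """Strict majority of the configured membership: 2 of 3 yes, 2 of 4 no,
    1 of 2 no. This is the rule that keeps a Galera partition 'Primary'."""
    return len(reachable & members) * 2 > len(members)


def failures_tolerated(cluster_size: int) -> int:
    """Nodes that may be lost while a majority remains: 3 -> 1, 4 -> 1, 5 -> 2.
    An even-sized cluster buys no extra tolerance over the odd size below it."""
    return (cluster_size - 1) // 2


def elect(partitions: List[Set[str]], members: Set[str]) -> Dict[str, Set[str]]:
    """Simulate a network partition: `partitions` are the groups of nodes that
    can still reach each other. Returns the masters chosen under each rule."""
    naive: Set[str] = set()
    quorum: Set[str] = set()
    for part in partitions:
        leader = min(part)                 # deterministic choice within a side
        naive.add(leader)                  # every isolated side promotes itself
        if has_quorum(part, members):      # only a majority side may promote
            quorum.add(leader)
    return {"naive": naive, "quorum": quorum}


if __name__ == "__main__":
    nodes = {"db1", "db2", "db3"}
    # Three-way split: naive gives three masters, quorum gives none (down,
    # but consistent) until connectivity returns.
    print(elect([{"db1"}, {"db2"}, {"db3"}], nodes))
    # One node cut off: naive gives two masters, quorum exactly one.
    print(elect([{"db1", "db2"}, {"db3"}], nodes))
```

The three-way split shows the trade-off the text alludes to: quorum trades availability (no master at all) for consistency (never more than one master), and a cluster that cannot accept that trade has to find its safety elsewhere.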

Yet another method combines the concept of a cluster above with multiple read-only databases on the back-end. This is typically called a write-master/read-slave setup. If the application needs to write data, the writes always go to the write-master database. If the application needs to read data, then the reads are farmed out to any number of available read-slaves. The write-master could be set up as a Galera Cluster or MySQL Cluster, while the read-slaves could be set up as standalone MySQL servers in a non-clustered setup. It is not uncommon to see the read-slaves use caching software, such as Memcached, to further speed up reads. A load balancer could be used to evenly distribute reads across all the read-slaves. When a read-slave is initially launched, it can pull down whatever data from the write-master it needs to have and, once all the data is loaded and verified, it can add itself to the read-slave collective and take on traffic. Bear in mind that replicas lag behind the master, so any request that must see data it has just written should read from the master rather than from a slave. This model is more complicated, but it does provide more flexibility in regard to scaling (see Figure 5.7).

Figure 5.7

The above examples use MySQL as the example database. Other databases can also be put into the OpenStack cloud as well, and with similar types of configurations. For example, MongoDB and PostgreSQL support native clustering and replication. Some databases even have native support for the write-master/read-slave model. In general, you should research what types of capabilities the chosen database solution has and take advantage of whatever high availability options it provides.

Finally, it would be remiss not to point out another potential database layer improvement, which is to take advantage of Database-as-a-Service (DBaaS). In OpenStack, this is Trove, which was discussed previously in Chapter 3. If there is a DBaaS solution available for the OpenStack cloud, take a look at what features it provides and how it can be leveraged in the application. Offloading the database piece to another service simplifies the application tremendously and provides the additional high availability and data protection needed without having to reinvent the wheel.

Putting It All Together

Now that each of the layers has been examined, it is time to put them all together. Users come into the application via a single location, the load balancer, which then routes them to one of several Web UI instances. The Web UI layer talks to the API instances through a load balancer as well, with each API request distributed among all the API instances. The API layer talks to the database through a load balancer to a back-end cluster (see Figure 5.8). The cluster is set up as multi-master, allowing any database instance to be hit by the API instances.

Figure 5.8

Multi-Region Instances

Many of the improvements listed above are typically applied at a region level, where all the instances are in the same region. It is possible that parts of the application exist in multiple regions. For example, the Web UI and API layers may exist in one region, but the database layer is in another region. Ideally, however, all of the layers need to run in multiple regions.

The main trick to running any layer in multiple regions is load balancing. Each layer in each region still has its own load balancer, but then there is a global load balancer that routes traffic to each of the regional load balancers. If a GSLB can be used, it is a perfect use case for spreading an application across multiple regions, since traffic can be redirected to the region geographically nearest to the user. Figure 5.9 shows an example of how the Web UI or API layer can be organized to work in a multi-region OpenStack cloud.

Figure 5.9

For the database layer, the GSLB is similarly used to redirect traffic to the geographically nearest database. Instead of abstracting each of the regions to their own set of load balancers and database clusters, however, it can be simplified by treating the GSLB as the main load balancer and all the regional databases as database instances within the same cluster. Another simplification that comes from this setup is that only two database instances are needed for each region, since even if a single instance goes down, there are plenty of instances across all the regions to ensure more than 50 percent of the cluster is up. Two caveats apply: with a Galera-style cluster every commit now waits for the inter-region round trip, and a broken link between regions is exactly the partition discussed under High Availability, so the side that holds fewer than half of the instances will stop serving until the link returns. Figure 5.10 shows an example of a multi-region database setup.

Figure 5.10

SUMMARY

We have now pulled together our example app created for the OpenStack cloud. It is a good idea, however, to assume that the cloud is a hostile environment, presenting risk to the application's uptime and the integrity of its data. Knowing what kinds of things can happen to the application and what kinds of failures can occur in the cloud opens the door to improving the application so that it is able to survive when things do happen.

One of the basic improvements that applications undergo in the cloud is to enable the application to scale when it needs to. The application needs to scale horizontally within a region and it needs to scale out to multiple regions. This gives more resilience to the application so that pieces of it shutting down don't take out the whole application. Using load balancers as part of the scaling also gives the application a type of self-healing capability, allowing pieces of the application that are no longer accessible or functioning properly to be removed from the pools so that users don't inadvertently try to use them.

When looking at the individual components of an application, some pieces of the application need to be improved in different ways than other pieces. For example, web components can be scaled out without much effort. However, database components typically can't be scaled out as much, since scaling can make it more difficult to manage the data behind them and can affect performance. Databases can be scaled out, but they are scaled out differently than how the web component is scaled out. Databases are best managed as a cluster of instances, and this chapter presented several ways that databases can be run in the cloud.

The suggestions presented in this chapter are just the tip of the iceberg. There are a number of different ways an application can be improved, and developers are encouraged to reach out to the OpenStack community and research techniques that other developers are using when building applications for the cloud. The next, and final, chapter takes the cloud application to the next level, since simply building an application for the cloud is not enough to be able to run it there. Deploying the application to the cloud in an automated, dynamic way also brings challenges to the developer.

6 Deploying the Application

WHAT'S IN THIS CHAPTER?

An overview of the different virtualization technologies and how deployment varies between them

A look at the orchestration tools available in OpenStack

A discussion on the role of configuration management

The minimum role of monitoring in a cloud deployment

A dive into application scaling and elasticity

An example of how to put all of this together and deploy a modern app in an OpenStack-driven system

Considerations for updating and patching

Devops is a term you have probably heard of recently. It's a description of someone (or a team of people) who tackles the issues of both developing an application and configuring/maintaining the environment for that application.

For years, the role of a server administrator has been quite different from that of an application programmer. Each role takes a pretty specific skill set, and a lot can be said about devops being a difficult compromise. The term, however, could not be better suited to what it's like to deploy applications in an OpenStack-driven environment.

When we talk about deploying an application to the cloud, it has a slightly different definition than what it has traditionally meant. Traditional deployments are often focused on deploying changes to an application, or on the initial deployment of a piece of software. OpenStack and other cloud-based technologies, however, make it possible to programmatically deploy software along with all of the servers, storage, and networking necessary to run that application.

As you will see, this has a number of advantages and can be accomplished in a number of different ways. This chapter will take a look at these technologies, how to choose between them, and how to use them to quickly deploy an elastic application, something nearly impossible to do in a hardware-based world. We will then conclude with a short discussion about how this new definition of deployment affects the traditional process of patching and updating software.

BARE METAL, VIRTUAL MACHINES, AND CONTAINERS

Before you can determine how you're going to deploy, you first have to determine what you're going to deploy. Looking at the demo application developed in Chapters 4 and 5, the first thing that needs to be deployed is a number of servers. What wasn't discussed much in those chapters, though, was what type of virtualization those servers would use.

In the same way OpenStack allows those who implement it to choose their own hypervisor, storage devices, and networking equipment, it also allows developers to determine for themselves what type of virtualization they want to use for any given project/application. Instances, or servers, can be launched as a completely physical computer, as a virtual machine (VM) running in a hypervisor, or as a container: an isolated processing space that can exist on top of a virtual machine or on top of actual hardware.

The choice you make between these three technologies will be the biggest determinant of how you deploy your application. You will find staunch defenders of each, but the choice is often a subtle exercise in compromise and personal preference. Thus, it's important to understand their differences before moving forward.

Bare Metal

Bare metal provisioning is exactly what it sounds like: the creation of a server on physical hardware. As of the Juno release of OpenStack, bare metal provisioning has been moved from the Nova driver to its own service called Ironic. Hardware is registered through the Ironic API, but once properly configured, servers are still deployed in the same manner as virtual machines through the Nova API or Horizon (see Figure 6.1).

Figure 6.1

Bare metal servers are primarily used when you need the absolute highest performance and stability possible. While the overhead of virtual machines and containers has dropped over the years, there is no such thing as software that doesn't consume memory and processor time. Disk I/O and CPU priority are all guaranteed in a bare metal scenario. Bare metal servers are also a good option if GPUs or other hardware devices that can't be easily virtualized are part of your application.

Additionally, even if performance isn't of the highest concern, there are times, for regulatory purposes, when you might find it necessary to deploy bare metal servers anyway. Hardware isolation provides the absolute maximum amount of server security in any OpenStack-driven environment, provided the node is actually wiped between tenants (Ironic's node cleaning step exists for this) and its firmware can be trusted not to carry state from a previous tenant.

That being said, if performance and isolation are the upside, then efficiency and flexibility are its main downsides. Bare metal servers cannot be subdivided beyond their hardwired components. This either tends to leave a lot of underutilized hardware out there, or results in developers piggybacking multiple applications onto each physical server.

To upgrade an application running on bare metal to bigger hardware often means taking it down while physical changes are made, or having a large variety of hardware on hand. This comes with its own set of headaches, and removes many of the benefits provided by a system like OpenStack. The ability to start small, grow instantly, and offer numerous isolated environments are all great reasons to look at other virtualization options.

Virtual Machines

From the perspective of deploying a server in OpenStack, virtual machines are still the industry standard at the moment. Multiple virtual machines run on top of a single hypervisor that itself runs on top of a single operating system residing on a single piece of physical hardware (see Figure 6.2).

Figure 6.2

The biggest advantages of virtual machines were already touched on earlier in this chapter. Virtual machines allow you to split one large physical server into many smaller isolated servers. These can each have a unique configuration and running application. This avoids piggybacking and helps prevent one application from taking down another that runs on the same server.

Upgrading or downgrading a virtual server is also a simple matter of asking OpenStack for a different flavor. This is not only handy for testing and tuning application performance, but can drastically reduce the amount of hardware required for any given environment. After all, there is no need to plan for the worst when you can instantly deploy a new server with more resources.

Of course there are trade-offs when it comes to this kind of virtualization. While OpenStack can be configured to allow for over-subscription of resources, generally speaking, once all of the memory, CPU, or drive space has been allotted from a given piece of hardware, the remaining assets cannot be assigned to another instance and essentially go to waste. It is also possible for the scheduler to fail to find a single piece of hardware that meets all of the requested criteria. For example, even if a cluster has hundreds of free gigabytes (GB) of RAM in total, if no single box has more than 15 GB free and a 16 GB server is requested, then the creation will fail. This is a good reason to always deploy the smallest computing unit possible.

Some efficiency is also lost due to the hypervisor. While there have been great improvements in this technology over the years, routing calls to and from the host OS and devices isn't free. The overhead here is difficult to calculate and can vary based on the OS, device, and the software involved, but can easily reach as high as 15 percent. For smaller environments, this doesn't amount to much, but for larger installations, this can become a deal breaker. Enter containers.

Containers

Containers are the new belle of the ball. While they are based on old technology (various forms of containers have been around for years), the introduction a few years ago of the Docker toolset to easily create new containers spurred the big players (Google, Amazon, and Microsoft) to begin adopting the technology.

There are several types of container, including LXC, BSD Jails, and OpenVZ. LXC has gained the most traction and can be packaged in several formats, Docker and Rocket being the most common. There are some growing differences between these container types, formats and packaging technologies, but generally speaking they all do the same thing. They each offer software that creates isolated environments mimicking a full virtual machine. The trick is that each container has no kernel of its own. System calls from every container go straight to the single host kernel running on that physical server (the container daemon only manages the containers' lifecycle; it is not in the system-call path). This means the overhead of having multiple kernels, as in a VM scenario, is gone (see Figure 6.3).

Figure 6.3

There is no denying that containers have many advantages over virtual machines or bare metal deployments. Containers allow the code of an application to be deployed simultaneously with its server configuration, as the container image can contain both. They deploy much faster than a full OS image, as they are only a fraction of the size (as small as a few MB), and they can provide an exact copy of an application (and its configuration) for development or testing (this can be a positive or a negative, in truth).

Depending on whom you ask, and the specifics of your application, containers can also be much faster than their hypervisor-driven counterparts. The native host OS kernel and scheduler decide which processes get CPU time, instead of having to go through one scheduler per VM and then another scheduler where the host OS determines which VM process gets CPU time. Greater density can also be achieved through the use of containers. Smaller images and fewer kernels in memory mean smaller computing units and great cost savings at scale.

Generally speaking, the renewed excitement surrounding containers is well deserved, but it's important to acknowledge that they are not a silver bullet for OpenStack deployments.

Containers on a machine (or pod) must share the exact same kernel. Different userland distributions in different containers are fine, but different kernels or kernel versions are not, which has repercussions if an application needs to modify the kernel, or if there is a desire to host various operating systems on a single piece of hardware.

There are also some security concerns when deploying containers if any of them are to be given to an untrusted party. Because every container shares the host kernel, a kernel vulnerability reachable from inside one container is reachable from all of them. Exploits where a user escapes their container and breaks into another have been demonstrated and reinforce the fact that containers are not a one-size-fits-all solution, at least not yet.

The biggest hurdle with containers, however, is that they aren't yet available as first order objects within OpenStack. For now, containers have to be deployed and configured on top of virtual machines that are themselves managed by OpenStack. The diagram for this looks a little different (see Figure 6.4).

Figure 6.4

This can provide the same level of isolation/security as VMs if each customer is given their own VM to run their containers on, but OpenStack is essentially unaware of containers in this scenario. Resizing and provisioning containers has to be done outside of Nova. Additional configuration outside of Neutron is needed to create private networks and handle inbound access. Containers can't be managed or visualized within Horizon, and the performance penalty of a hypervisor in addition to the container daemon actually makes them less performant than virtual machines alone.

There are some impressive third-party options like Cloudshift and Cloudify that can provide container management in this configuration. However, this still happens outside of OpenStack, and it remains to be seen what place these tools will have once containers on bare metal become available.

Containers on Bare Metal

When people speak about containers on bare metal in an OpenStack-driven environment, they are generally not just referring to the concept of running containers directly on the host OS.

This could theoretically be achieved by provisioning a bare metal server, loading on a standard Linux distribution (or a more dedicated one for containers such as CoreOS or RancherOS), and running Docker or another container system on top of that. This idea has some advantages over bare metal alone, like being able to subdivide hardware. Unfortunately, it still lacks the orchestration and management capabilities provided by OpenStack.

More often, when someone speaks about containers on bare metal, they are referring to several new projects that attempt to provide both the efficiency of eliminating the hypervisor as well as enabling OpenStack to manage these containers as first order objects.

One of these projects, Magnum, was discussed earlier in Chapter 3. It has been available since Kilo-2 and makes orchestration engines like Google's Kubernetes and Docker's Swarm available for container management. The paradigm is slightly different and involves things like "pods" and "bays," but generally speaking, it provides virtual machine-style management for containers that run directly on host operating systems.

In theory, containers on bare metal provide the best of all worlds. You get the efficiency/density of containers, the native management of VMs, and (according to some early benchmarks) nearly bare metal performance.

Unfortunately, as with a lot of revolutionary technology, Magnum isn't always available, and supported orchestration engines like Swarm, Mesos, and Kubernetes could still use some time to mature and stabilize. There are also some third-party options outside of Magnum/OpenStack, like Cloudify, that provide interesting solutions and support, but you will likely find yourself choosing between bare metal, virtual machines, and classically managed containers for quite some time.

Choosing the Right Technology for the Problem

From a deployment perspective, virtual machines are usually the easiest way to go. Unlike bare metal, they are efficient, and can be scaled up with a command. Unlike traditional containers, they can be managed natively through OpenStack's Horizon and the various APIs. Unlike bare metal containers, the technology is mature, and Nova/Compute (as opposed to Magnum) is definitely available.

In our demo application, there are no specific requirements for custom hardware or GPU utilization in either the web or REST tiers. Neither of these seems to require hardware-level performance, nor do they need hardware-level isolation, so bare metal isn't really necessary. If local drives are used, it's sometimes popular to use bare metal for MySQL servers (for performance reasons), but generally speaking this isn't an issue as long as they are provisioned with enough memory to keep them from accessing the disk too frequently. We also won't be deploying enough servers in any of these tiers for the smaller overhead of containers to really come into play. This leaves us little reason to choose anything other than standard virtual machines in all cases here.

If this were a real production project, you would want to consider a few other things before making the decision: What kind of expertise is available on your team? What options are available in your OpenStack environment? Are you going to distribute this application internally or elsewhere? The answers to these questions should impact your decision. Most of the time, a single choice will make things easier, but a mixed environment is also a reasonable response. Certain systems (Hadoop, MySQL, etc.) may benefit from the maximized performance and stability of bare metal provisioning, while you may want to deploy preconfigured containers or empty virtual machines for other components.

Whatever you choose, consider how this will affect your deployment. For example, some tools like Heat are only available to first order objects like virtual machines and not containers (for now). Alternatively, choosing bare metal may require you to piggyback some of your application onto a single server. Regardless, the remaining subjects in this chapter (orchestration, configuration, and scaling) are built on the foundation of this initial choice, so choose wisely.

ORCHESTRATION AND CONFIGURATION MANAGEMENT

Now that a virtualization technology has been chosen for each of our server types, they actually need to be provisioned and configured. The network for the application also needs to be set up, and appropriate security groups and restrictions put in place. This was all done manually in the examples in Chapters 4 and 5, but in practice it's important to look at deploying a cloud application as more than just using OpenStack as a self-service portal for server provisioning (IaaS) and/or a series of available services (PaaS). Embracing the ability to script the construction of your environment has huge advantages. Meanwhile, treating your application as if it lives within a classic environment (deploying and configuring it the same way) can result in absolute disaster.

In a classically provisioned environment, you might be given access to a powerful server, spend several hours/days/weeks manually configuring it, and then deploy your application to that server. This works moderately well. Modern servers are built with hard drive arrays, multiple power supplies, and fault-tolerant RAM. In the event of a failure, the hope is that the redundant components can take over and downtime can be avoided.

As was discussed earlier in Chapter 5, resilience in a cloud-based application doesn't rely on redundant hardware. Instead, commodity hardware is often used, and multiple servers and isolated application tiers create resiliency. Expecting any given server to lock up, stop taking requests, or just disappear is all part of the plan. Even if more robust hardware were used, when it takes just the push of a button to permanently delete all of your carefully configured servers, it is important to be able to recreate them quickly.

This is why scripting the orchestration and configuration of your environment is a vital part of deploying any cloud-based application. Doing this not only provides the previously described benefits, but it also ensures consistency between servers, self-documents, and is a perfect opportunity to work on your devops skills. It is also the basis for adding elasticity to our demo application, as you will see shortly.

Orchestration Tools: Heat, Murano, Cloudify, and More

Much like we needed to look at all of the virtualization options before determining what was going to be deployed, it's important to look at all of the orchestration options before making a decision on how these things are going to be deployed. With respect to this, there are a number of commonly employed options that are all referred to as orchestration techniques or tools.

The first of these is just to create your own script from scratch. There is nothing to stop you from doing this in the language of your choice. The compute, networking, and platform APIs provide all of the basics you need. As long as a 1:1 ratio is kept between applications and Keystone projects, Horizon will even provide you with a pretty clear visualization/inspection of your environment. This is a perfectly viable option, and though it requires a lot of initial effort up front, it is a common orchestration solution. It is especially useful when dealing with components or services that exist outside of OpenStack.

As far as integrated solutions go, Heat (being the main orchestration component of OpenStack) is the obvious choice. Its template files allow you to describe your environment in a well-documented manner. Using Heat eliminates some of the grunt work of manual scripting, such as having to provide detailed output and error handling. Heat also supports several different configuration management options, making the next step in the deployment process easier still.

Murano is another option for somewhat programmatic orchestration. As discussed earlier, it provides both an application catalog and a way to zip up applications for third-party consumption. Packaging an application for Murano along with all the wizards and scripted orchestration is generally overkill though, unless you are planning on distributing to users in other OpenStack environments. Ultimately, Murano is more about distribution than it is about orchestration, and so it is not generally a recommended deployment mechanism for custom applications.

Of course, no concept in OpenStack would be complete without a healthy dose of third-party applications that provide alternate solutions. Cloud Foundry and Cloudify both offer orchestration. If these are available within your OpenStack installation they are definitely worth a look. Their success is due in part to their friendlier UI and their ability to simplify the orchestration process. However, because they communicate with OpenStack via the same native APIs you have access to, there is little they can accomplish that you can't accomplish yourself with a little manual scripting work or through Heat.

Lastly, there are new companies, such as Rancher Labs, and projects like Kubernetes and Mesos, that are starting to provide container-focused orchestration solutions that live on top of, or work with, OpenStack. These are the bleeding edge of virtualization technology and as such are likely to see huge changes before mainstream adoption. They are, however, worth mentioning in case you are looking for a container-focused solution, need to span multiple clouds, and/or have experience using Rocket, Docker, or similar technology.

Since we have chosen to use virtual machines over containers for our demo application, and the application isn't meant for wide distribution, that leaves two good choices for orchestration: manual scripting and Heat. If the demo were a more complex application, or if there were components that simply could not be managed within Heat, then raw scripting would be the go-to solution. It is also possible to use Heat as a component of a larger script, as it is essentially an API as well. As is, though, Heat is reasonably well documented and provides a single simplified system for communicating with all of the different OpenStack components the demo application is going to use. This makes it the best choice for now, and the remainder of this book will focus on the use of Heat templates for deployment.

Configuration Management and Cloud-Init

If orchestration is anything that occurs above the server level, configuration management can generally be considered to be anything that needs to be modified at the server level or below in order to get your application up and running. Adding specific software, updating configuration files, or even pulling down an application from Git occurs under the umbrella of configuration management. In the case of the demo application, this could mean Apache for the web tier, Node.js/Python for the REST layer, and MySQL for the database(s), along with all of their respective configuration files.

Before we get into tools like Puppet and Chef, which really are the standard for configuration management these days, there is another option called Cloud-Init that is well worth your time to explore. Technically speaking, it is just a Linux package that handles early initialization of a cloud instance. From a developer (or devops) perspective, it is also one of the simplest ways to run scripts after a server has been provisioned.

What you choose to do in these scripts and/or what language you want to employ is up to you. Cloud-Init simply runs what you tell it to, either by including the script under user_data as part of your API call to Nova, or through Heat as follows:

heat_template_version: 2014-10-16
description: Simple template to deploy a single compute instance
parameters:
  image_id:
    type: string
    label: Image ID
    description: Image to be used for compute instance
resources:
  web_server:
    type: OS::Nova::Server
    properties:
      image: { get_param: image_id }
      flavor: m1.small
      user_data_format: RAW
      # the "|" block scalar keeps the script's line breaks intact
      user_data: |
        #!/bin/bash
        echo "You just ran this command!"

In this example the server would first be provisioned, and then the command in user_data would be executed and "You just ran this command!" would be output to the console. This can actually be viewed through the SPICE console, once it is available in Horizon, as part of the boot sequence.

It should be pretty easy to see how you could expand on this concept to configure a server to meet your needs. Instead of manually installing XYZ after provisioning it, you could simply write a script to install XYZ and include it as part of your Heat template. A slightly more useful example might look like the following:

heat_template_version: 2014-10-16
description: Simple template to deploy a single compute instance
parameters:
  image_id:
    type: string
    label: Image ID
    description: Image to be used for compute instance
resources:
  web_server:
    type: OS::Nova::Server
    properties:
      image: { get_param: image_id }
      flavor: m1.small
      user_data_format: RAW
      user_data: |
        #!/bin/bash
        yum install -qy git
        yum install -qy npm
        git clone https://github.com/folder/package.git /usr/share/app
        # start the app in the background so the script can finish
        node /usr/share/app/server.js &
        echo "You just installed and started a node app!"

Creating a stack with this template would provision a single small server with the specified image. It would then be configured with Git and NPM (Node.js), so you can download a project from GitHub and start it. For our demo application, different installation and configuration scripts would be inserted for each of the server types.

Depending on your OpenStack configuration and your base image, Cloud-Init's cloud-config YAML format may also be available. It provides some excellent functionality without having to write a lot of code. Converting our earlier example would result in something like:

heat_template_version: 2014-10-16
description: Simple template to deploy a single compute instance
parameters:
  image_id:
    type: string
    label: Image ID
    description: Image to be used for compute instance
resources:
  web_server:
    type: OS::Nova::Server
    properties:
      image: { get_param: image_id }
      flavor: m1.small
      user_data_format: RAW
      # the "#cloud-config" header tells cloud-init to parse this as
      # cloud-config rather than run it as a shell script
      user_data: |
        #cloud-config
        runcmd:
          - yum install -qy git
          - yum install -qy npm
          - git clone https://github.com/folder/package.git /usr/share/app
          - node /usr/share/app/server.js &
          - echo "You just installed and started a node app!"

This is a pretty simple example, but it is a fairly complex and powerful system. For further reading on Cloud-Init and some great examples of how to configure a server with the cloud-config format, take a look at http://cloudinit.readthedocs.org/en/latest/topics/examples.html.

Puppet, Chef, Salt, and Ansible

While Cloud-Init is a general system for running scripts for whatever purpose you like, there are numerous tools dedicated solely to configuration management. Puppet, Chef, Salt, and Ansible aren't the only options in this realm, but they are definitely the biggest players, and they have some important similarities and differences to consider if they are to be used as part of an OpenStack-backed deployment.

First off, all of these applications share the idea of plug-and-play modules (called recipes in Chef, and playbooks in Ansible). These prebuilt blocks are the biggest thing that differentiates them from configuring a server with Bash or other scripting tools like Cloud-Init. Modules are available from public repositories that anyone can submit to or retrieve from, similar to PIP in Python or NPM in Node.js. Additionally, they have all attempted to come up with a simple language/structure for describing a server's configuration, handling installation errors, and providing different configurations for servers in different roles. The formats are familiar (JSON, YAML, etc.), but the actual syntax and methodology are proprietary and not portable across solutions.

The language they were built upon, their need to have installed clients (Ansible, for example, doesn't need one), and the breadth and depth of their module libraries are really what differentiate these tools from each other. As with most technologies, you will find enthusiastic supporters and dissenters of each, but for most purposes they are equivalent. In fact, their similarity, and the ability to develop a generic syntax for their use, is a big reason why there is growing support for all of these tools within OpenStack.

Let's look at what a simple Puppet manifest might look like to configure a server to run Apache and PHP:

# install apache
package { 'apache2':
  ensure => installed,
}

# start apache and ensure it's running
service { 'apache2':
  require => Package['apache2'],
  ensure  => running,
}

# install php
package { 'php5':
  require => Package['apache2'],
  ensure  => installed,
}

# create an info.php file to show that this all worked
file { '/var/www/html/info.php':
  ensure  => file,
  content => '<?php phpinfo(); ?>',
  mode    => '0444',
  require => Package['php5'],
}

With the Puppet client correctly installed and the preceding file saved as manifest.pp, you could then execute this template as follows:

$ sudo puppet apply ./manifest.pp

Puppet deals with any error handling, determines the order things have to happen in based upon the require statements, and handles all of the differences in OS types. For example, using these tools, you don't have to write one script for CentOS that installs software via Yum, and another version that supports apt-get installation on Debian or Ubuntu.

As was mentioned before, Heat actually provides hooks for all of these tools in the form of a SoftwareConfig resource. If your configuration supports Chef, then a Heat template to set up WordPress might look like this:

resources:
  wordpress_config:
    type: OS::Heat::SoftwareConfig::Chef
    properties:
      cookbook: http://www.mycompany.com/hot/chef/wordpress.zip
      role: wordpress
      # input parameters that the chef role(s) need
      inputs:
        wp_admin_user:
          type: string
          mapping: wordpress/admin_user
        wp_admin_pw:
          type: string
          mapping: wordpress/admin_password
        db_endpoint_url:
          type: string
          mapping: wordpress/db_url
        # various other input parameters...
      # Have chef output the final wordpress url
      outputs:
        wp_url:
          type: string
          mapping: wordpress/url

From the OpenStack documentation at https://wiki.openstack.org/wiki/Heat/Blueprints/hot-software-config-spec:

The resource type OS::Heat::SoftwareConfig::Chef indicates that this is a Chef-specific SoftwareConfig definition. The cookbook property points to the used Chef cookbook, and the role property points to the role to be set up via this SoftwareConfig. The inputs section contains the definition of input parameters that have to be passed to Chef for configuring the role. Input parameters are defined in terms of name and type. In addition, a mapping specifies to which role attribute the respective input parameters need to be assigned (i.e. Chef-specific metadata).

If this seems confusing, don't worry. This example is simply meant to show that the developers behind OpenStack are aware of these tools, and that if you are familiar with them, there are a number of ways to tightly integrate them into your deployment. Again, exactly how you choose to configure your servers and your application is entirely up to you. Your company and/or your operations team may have a lot to say on the subject, or the choice might be yours alone. What's important is to have a general understanding of the options available and form a game plan.

With that in mind, let's go over two other important pieces of functionality that all of these configuration management solutions provide. First off, they offer centralized management of servers. Once the client is installed, and the server has been registered with the master, you can use a web interface to do things like search for a server, see what software is installed, or even push/schedule a patch for it (see Figure 6.5).

Figure 6.5

This configuration isn't required though, and these tools can all be used in masterless mode where this central authority is entirely absent. There is a lot of crossover between what these centralized systems and what OpenStack/Horizon can offer, so it's not unusual to use them in this masterless manner.

The other piece of functionality they all offer is the ability to execute arbitrary commands on remote servers. This is an aspect of the same mechanism that allows the master servers to patch remote computers. Ansible in particular can be an indispensable tool when used for this purpose.

Unlike Puppet, Chef, and Salt (to some extent), Ansible doesn't require the installation of a specialized client to support remote command execution. It uses SSH and private/public keys to achieve a similar result. It is also easy to configure Ansible with a local file to push these commands to many servers at once (as opposed to sequentially). This makes remote execution quick and easy from any computer with Ansible installed. A configuration file for Ansible looks like this:

[devservers]
dev.cloud.mycompany.com

[prodservers]
prod01.cloud.mycompany.com
prod02.cloud.mycompany.com
prod03.cloud.mycompany.com

[otherservers]
server1.cloud.mycompany.com
server2.cloud.mycompany.com

This file defines three groups of servers (devservers, prodservers, and otherservers). Commands can be run on an individual box, a group, or all groups at once. You can also determine how many servers to run the command on simultaneously. So if, for example, you want to update Git on all of your production servers at once you could run:

$ ansible prodservers -a "yum update -yq git" -f 3 -u myusername --sudo --ask-sudo-pass -i /myuser/ansible_hosts

Since Yum often requires sudo access, the ask-sudo-pass option has been invoked, and -f 3 indicates that you want to run it on three servers at once. If there were 6 servers defined in the prodservers group, then it would run this in two separate batches. This is often useful to avoid things like cache slamming, or to avoid rebooting all of your servers at once and making your application temporarily unavailable.

Ansible is highly recommended as an easy way to execute remote commands, but this does not make it a shoo-in for the configuration solution for our demo application. In fact, there is one drastically different option to consider.

Where Do Snapshots Fit In? Or Should They?

With all of these configuration options it's valid to ask where images fit into a deployment. Rather than script the configuration of a server, or several servers with different roles, it is definitely possible to take a snapshot of a server once it's configured and simply deploy it in this configured state. While there are a few caveats to that and/or to building a custom image, this will usually work. Images can be uploaded through Horizon or through the Glance API, and a number of pre-configured images are available from companies like Bitnami to make this even easier. Generally speaking though, this isn't a great solution.

Images are bulky and cumbersome. If you want to modify a single value in a single file, you can end up having to re-create an entire image all over again. This is actually one of the main problems that Docker is attempting to solve with the Dockerfile container system. Testing changes, debugging, and even storing all these images can be a time- and space-consuming process. Configuration scripts, on the other hand, act like tiny zip files that expand on a server to create fully configured boxes. They are easy to edit, store, and version. Depending on the software involved, it's even possible to use the same script to configure Windows and Linux boxes.

There are at least a few situations, though, where creating custom images can be an extremely effective solution. If you are not using containers, your configuration scripts take a long time to run, and you are deploying them frequently, then using images or snapshots can be a much faster option. This is often the case with large Windows builds. .NET components and enterprise-class Windows software can take hours to completely install and get running. Images can also be a useful way to distribute software. Ensuring software such as Puppet or Git is already installed can prevent any number of teams from having to install and configure these items themselves. In this scenario, a combination of pre-configured images and post-provisioning configuration scripts is used effectively.

Because the needs of our demo application are relatively simple, and the tools are native to OpenStack, the rest of this chapter will focus on using Cloud-Init and user_data within Heat to handle server configuration. This will keep things light, and won't require a deep knowledge of any of the configuration management tools. When it comes to your own application though, we encourage you to experiment and choose what works best for you, your team, and your application.

MONITORING AND METERING

It might seem odd at this point to begin a discussion on monitoring. We have yet to even look at a complete deployment solution. However, monitoring is a prerequisite of elasticity and is required to some extent to make scaling useful. After all, without knowing the load on a system, it's hard to know if you need to increase the server or stack size. This holds true whether such changes are done manually or programmatically.

You may also find, if PaaS or external components aren't used, that your deployment actually includes its own monitoring system. This may seem a little Inception-like, but it's not very complicated in practice. Monitoring servers can be deployed and configured in a second project, stack, or even serially before the application servers within the same project. It is also likely, if you work within a larger company, that some sort of centralized monitoring is available for you to use.

OpenStack does have a couple of built-in monitoring options that can be useful for deployments. Monasca is a PaaS component that offers monitoring as a service. It consists of a number of sub-components: an agent that runs on each server, a CLI to speak to the Monasca REST API, a storage system for metrics, an alert system, and an analysis engine that enables the alerts and a number of other features.

The result of collaboration between HP and Rackspace, Monasca can be a capable, but stunningly complex, monitoring solution. For a full explanation and some interesting reading, visit https://wiki.openstack.org/wiki/Monasca.

The other first-party system that offers some level of monitoring is Ceilometer. Ceilometer is discussed in Chapter 3. It was primarily built as a telemetry service to measure utilization and to store that data for later analysis. Like Monasca, Ceilometer can measure things like load, and trigger alerts when certain thresholds are met. Unlike Monasca, it can also report detailed information on things like how much processor time was used by a given virtual machine or project. The most straightforward use of this is to enable usage-based billing or metering. You may find it useful for things like comparing the efficiency of server configurations or determining which applications are over-provisioned. Further documentation on Ceilometer can be found at https://wiki.openstack.org/wiki/Ceilometer.

If you are looking for an off-the-shelf solution that isn't integrated with OpenStack (or, as is often the case, these services are not available), then both Nagios and Sensu are worth a look. These solutions both function by adding a client to each server that you want to monitor and deploying a centralized monitoring server that collates this data and displays it within a web-based GUI. Similar to Puppet and Chef, there are community-submitted checks that can be run on the client servers. These commonly watch things like CPU use and available memory and send results or alerts to handlers on the central hub. There are also a number of community-built handlers available to send things like SMS or email messages, or log results to a database for later analysis.

Nagios is currently free for up to seven monitored servers, while Sensu (being the new kid on the block) is free for the non-enterprise version. Both of these systems are completely scriptable and can thus provide any level of monitoring necessary, as well as any functionality required to trigger elastic changes within the application.

Generally speaking, it's hard to recommend any of these as great solutions. Monasca should be a slam dunk, but it's rather enigmatic, and Ceilometer doesn't provide a lot of flexibility when compared to systems like Sensu and Nagios. Meanwhile, the external solutions both offer good usability, but aren't natively integrated with OpenStack. Adding these to our demo application, for example, would mean deploying and configuring the central servers and clients as well.

Ceilometer alerts, though, are fairly well documented and can be configured and used within Heat templates to enable some level of elasticity. For that reason alone it's the best choice for the demo application. In a real-world scenario you would want to see performance graphs, and be able to log and alert your team members on specific app-related metrics (such as the number of connections or session counts). As a free solution, Sensu is probably a great place to start if you need to push beyond what will be demonstrated here.

ELASTICITY

As mentioned in Chapter 5, elasticity is the idea that applications can programmatically shrink and grow to match load. In a non-cloud scenario, the size and/or number of servers deployed are generally determined by the maximum capacity you want to accommodate. In an elastic cloud app, the size and/or number of servers should ideally be the minimum required to accommodate the current load, and grow to the maximum that can be afforded as load increases. This is slightly different than scalability, which is simply an application's capacity to grow.

The primary motivation behind elasticity is that using the absolute minimum computing units needed at any point in time can lead to great savings at scale. Even if you aren't paying by the server at a hosted solution, being able to scale up only the applications that need it at any time can lead to drastically smaller server rooms.

There are other benefits as well, though, beyond cost savings. Elasticity and resiliency are very intertwined. Instead of dealing with downtime on an application that is getting too much traffic, elastic applications automatically grow to meet demand and stay alive. They can also be forced to scale up in order to handle hardware and network failures, even in times of low/moderate traffic. Using concepts like anti-affinity (basically using servers in different racks), an elastic app is also easier to keep running while applying patches, or when servicing hardware. Additional sets of servers can be made available to use while sets of them are taken down for maintenance.

Of course, not everything needs to be elastic.

Making Sure You Need Scaling/Elasticity

Something you won't hear much of is that not all applications need to scale. Not scaling isn't interesting. Not scaling isn't cool. Not scaling won't win you any awards. However, if you can avoid scaling, then you can focus your efforts elsewhere and greatly simplify your deployment. Some examples of applications or environments that may not need to scale:

Intranet websites: These see limited traffic, and downtime doesn't affect customers.

Post-processing systems: Systems that analyze data or crunch numbers can benefit from scaling up and going faster, but if it's not mission critical and you can wait for the result, then faster results aren't always worth the effort.

Single/Fixed Server Applications: Generally speaking, there is still plenty of software that only runs well on big, fast, stable hardware and can provide speed benefits when extra memory/processor is present. If the requirements of your application won't allow for distributed computing across multiple servers, and it can soak up as many resources as you can give it, then go as big as you can on a single instance and move on.

Even if your application, or a given tier of your application, does not fit into one of these categories and you want it to scale, this does not mean it needs to be elastic. Elasticity is great for cost savings and can allow your application to grow rapidly without your intervention, but that is not always desirable or necessary. Elasticity adds yet another layer to an already complicated list of technologies and takes time and energy to implement and perfect. Some situations that may not be appropriate for elasticity include:

Anything that receives manic traffic patterns: Spinning up new servers is fast, but even when using containers there is some latency. The same can be said about spinning them down. Load balancing changes and configuration updates can also take time to complete. If you have to deal with quick, massive fluctuations in traffic, it's best to simply plan for maximum capacity and let it run 24/7.

When working with no budget: If you're lucky enough to have no budget, then it's one less thing on the to-do list. Simply scale up beyond anything reasonable, add more compute if things ever get close to max capacity, and run with a big margin of error at all times.

When working with fixed budgets: It's unnecessary to grow an application if there is no budget to pay for additional servers. It's also, unfortunately, common to lose budget if fewer servers are used for a given period of time. If you absolutely need fixed costs for fixed periods of time, then a scalable but non-elastic application is a reasonable way to go. You can just scale things manually each quarter or when the budget changes.

When there is a non-elastic bottleneck: There is no point in quickly scaling your app up and down to handle traffic if an external factor limits the utility of this. If your application has a non-elastic throttle, then consider scaling manually to match it.

In the end, if it's possible to scale your application, it's worth considering doing so, and doing so programmatically in an elastic fashion as part of your deployment. If you want to see all the benefits from a cloud deployment, then this is all but mandatory. Both your custom applications, as well as many off-the-shelf systems, can gain speed, resilience, and cost savings if you do.

Looking once again at our demo application, it's easy to see that the user-facing web tier as well as the REST tier could both benefit from elastic scaling. The database layer, though, isn't quite as scalable and would not immediately benefit in performance from additional servers. It's also not a trivial process to add a server to an existing Galera cluster, as the replication can take a long time to catch up. So this is a good example of an application that is entirely scalable, but only benefits from elasticity on several of the components.

Scripting Vertical Versus Horizontal Scaling

Before you can add elasticity to an application, it must first be scalable. Before you can scale, you must first determine the type of scaling you want to use. The simplest form of this is just to increase the size of the servers involved, adding more CPU, RAM, or disk (depending on the application). This is called vertical scaling, and can be applied to almost any application right out of the box.

By letting you define the flavor (size) of any given instance when you provision the server, OpenStack makes vertical scaling rather easy. It's worth noting that not all OpenStack setups will let you increase the size of an existing server, and it is almost always necessary to create a new instance if the desired size is smaller. As long as your deployment is scripted though, it shouldn't be hard to create and configure a new server.

Imagine you were using the following Heat template:

heat_template_version: 2014-10-16
description: Simple template to deploy a single compute instance
parameters:
  flavor_size:
    type: string
    label: Flavor Size
    description: The size of the flavor to be used
resources:
  web_server:
    type: OS::Nova::Server
    properties:
      image: CentOS6_64
      flavor: { get_param: flavor_size }

Saving the file to test.yaml and running the following command would create the smallest server possible:

$ heat stack-create test_stack -f test.yaml -P "flavor_size=m1.tiny"

To scale this vertically to a larger instance you could simply call:

$ heat stack-update test_stack -f test.yaml -P "flavor_size=m1.large"

Heat would then handle the call into Nova to increase the size of this instance, and your application would have that much more horsepower to run with. Horizontal scaling is a little more complicated.

Horizontal scaling involves adding extra servers to an application, usually behind a load balancer that handles the initial request and routes it to an individual instance. This can add the complexity of provisioning and configuring the load balancer as part of your deployment, but scaling an application horizontally usually provides much greater capacity. It's not uncommon to run hundreds of servers dedicated to a specific purpose in a horizontally scaled application. The limit of a vertically scaled application, meanwhile, is the maximum size of a single instance/flavor. Vertically scaled applications also miss out on the resiliency and maintainability added by the extra servers involved.

In Chapter 5 we determined that both the web tier and the API tier should use horizontal scaling. It will provide much greater capacity, and the application will benefit from the added resiliency that the separate servers provide. That being said, it's worth noting that most of the techniques that follow can also be applied to scaling in a limited vertical fashion. After all, throwing hardware at the problem is sometimes the fastest solution.

Load Balancing Revisited

Chapter 5 discusses load balancing in depth. Hardware solutions such as A10, software solutions such as HAProxy, and load balancing as a service (LBaaS) through Neutron are all options. Your choice here, as well, will greatly affect your deployment solution.

Most of these solutions have APIs that can be tapped into by either the orchestration or configuration management solutions. As when using third-party solutions for monitoring, it may also be necessary to include the provisioning and configuration of your load balancer as part of your deployment. HAProxy solutions often look like this, as the proxy server can simply be another VM within an OpenStack project.

If LBaaS is available and functioning correctly in your OpenStack installation, it is a great option. It is easily configurable via Heat, and/or can be tapped directly via the Neutron API. This is still relatively immature technology though, and for many people, hardware or software solutions are the only option.

The deployment of our demo application will focus on LBaaS and Neutron. As time goes on, this solution is only going to get better and be more widely available. In the meantime, if for any reason you need to create your own solution, HAProxy is a decent choice. It does expose a single point of failure, as it generally exists on a single machine, but it is available to everyone for free, and it makes the automatic addition or removal of servers relatively easy.

A nearly infinite amount of information on how to install and configure HAProxy is available at http://www.haproxy.org/. Assuming that it is already deployed and configured, the following Node.js script demonstrates a basic auto-update concept that could eliminate the need to update your load balancer as part of your deployment:

#!/usr/bin/env node

var HAProxy = require("haproxy");
var OSWrap = require("openstack-wrapper");
var FS = require("fs");

var user = 'my_username';
var pass = 'my_password';
var pid = 'my_project_id';
var kurl = 'keystone_url';
var proxy_cfg = '/etc/haproxy/haproxy.cfg';
var haproxy = new HAProxy('optional/socket/path.sock', {});

OSWrap.getSimpleProject(user, pass, pid, kurl, function (error, project) {
  if (error) { console.error(error); return; }

  project.nova.listServers(function (error, server_array) {
    if (error) { console.error(error); return; }

    // rewrite the listener block, then append one "server" line per instance
    FS.writeFileSync(proxy_cfg,
      'listen app *:80\n' +
      '  mode http\n' +
      '  balance roundrobin\n' +
      '  option httpclose\n', 'utf8');

    var ip = '';
    for (var i = 0; i < server_array.length; i++) {
      // assuming only one network and a fixed ip:
      // "addresses" maps network name -> array of { addr, ... } entries
      for (var network in server_array[i].addresses) {
        ip = server_array[i].addresses[network][0].addr;
        break;
      }
      FS.appendFileSync(proxy_cfg, '  server ' + i + ' ' + ip + ':80\n', 'utf8');
    }

    haproxy.reload(function (error) {
      if (error) { console.log(error); return; }
    });
  });
});

Installing this as a cron job on the proxy server would cause it to contact your OpenStack installation every X minutes, retrieve a list of servers, write them to the configuration file, and hot-reload the proxy with the new configuration file.

With the decision on load balancing out of the way, and either handled via LBaaS/Neutron or automatically via HAProxy, we can move forward and look more closely at some options for programmatically scaling our application.

Scaling with Heat and Resource Groups

As opposed to defining every server as an individual entry, Heat templates allow you to specify a ResourceGroup and the number of duplicates that you would like of that resource. Reworking our Heat template from earlier, we get:

heat_template_version: 2014-10-16
description: Template to deploy multiple servers of the same kind
parameters:
  server_count:
    type: number
    label: Server Count
    description: The number of servers to deploy
resources:
  tiny_cluster:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: server_count }
      resource_def:
        type: OS::Nova::Server
        properties:
          image: CentOS6_64
          flavor: m1.tiny
          user_data_format: RAW
          user_data: |
            #cloud-config
            runcmd:
              - yum install -qy git
              - yum install -qy npm
              - git clone https://github.com/folder/package.git /usr/share/app
              - node /usr/share/app/server.js &
              - echo "You just installed and started a node app!"

Saving the file to group.yaml and running the following command would create the smallest servers possible:

$ heat stack-create group_stack -f group.yaml -P "server_count=2"

To increase the number of servers in this stack to four you could call:

$ heat stack-update group_stack -f group.yaml -P "server_count=4"

Using this technique, different types of ResourceGroups can be defined for each tier of the demo application and each ResourceGroup can be scaled independently. This concept provides a deployment solution that covers everything except load balancing, monitoring, and elasticity. These things have been left out because it is quite possible one or more of them in your application will have to be handled outside the realm of OpenStack. The good news is that if you find yourself in this situation, Heat and ResourceGroups can still be used in this fashion as part of a broader deployment script. The other technologies discussed in this chapter, such as an external A10, can then be included in that script to fill out the deployment solution.

If you are lucky though, and LBAAS through Neutron is available along with Ceilometer alerts, you have a complete deployment solution for elastic scaling that fits neatly within a Heat template.

Putting It All Together with Heat, Ceilometer, and AutoScalingGroups

Before we go into the final example and demonstrate a complete solution for deploying an elastic application, let’s review the choices that have been made in this chapter regarding how the demo application will be deployed.

Virtualization — Virtual Machines for all three tiers

Orchestration — Heat

Configuration Management — Cloud-Init/user_data

Monitoring — Ceilometer

Scaling — Horizontal for all three tiers

Elasticity — Viable for the web and API tiers

Load Balancing — Neutron/LBAAS

With that in mind let’s look at another example. This one will consist of two different files. The first will describe a single server as a resource. For the second, a parent file will use this resource as part of an auto-scaling group:

heat_template_version: 2014-10-16

description: Simple Web Server + Load Balancer Member

parameters:
  network:
    type: string
    description: the network all of the servers will use
  pool_id:
    type: string
    description: the load balancer pool
  parent_stack_id:
    type: string
    description: the ID of the calling stack

resources:
  server:
    type: OS::Nova::Server
    properties:
      flavor: m1.tiny
      image: cirros-0.3.4-x86_64-uec
      metadata: {"metering.stack": {get_param: parent_stack_id}}
      networks: [{network: {get_param: network}}]
      user_data_format: RAW
      user_data: |
        #!/bin/sh
        # A tiny HTTP server that responds with the IP address of the server.
        IP=`ip -f inet addr | grep inet | grep -v 127.0.0.1 | awk '{print $2}' | cut -d/ -f1`
        LENGTH=`echo x$IP | wc -c`
        cat > /tmp/http-response <<EOF
        HTTP/1.0 200 OK
        Content-Type: text/plain
        Content-Length: $LENGTH

        $IP
        EOF
        unix2dos /tmp/http-response
        nohup nc -p 80 -s $IP -n -lk -e cat /tmp/http-response &
        # now, let's add some load to trigger CPU alarms
        # find a number of seconds to burn based upon IP address
        # this way different ones will burn CPU at different times
        # 60, 180, 300, 420 seconds at a time
        # then sleep 120s
        SECONDS=`echo $IP | awk -F. '{print 60+$4%4*120}'`
        cat > /tmp/load.sh <<EOF
        #!/bin/sh
        while [ 1 ]
        do
          if [ "0" -eq \`echo | awk '{print systime()%$SECONDS}'\` ]; then
            sleep 120
          fi
        done
        EOF
        chmod 777 /tmp/load.sh
        # cirros does something weird to /bin/sh so we need something else to run us
        # later - and there is no "at"
        nohup watch -t /tmp/load.sh &
  member:
    type: OS::Neutron::PoolMember
    properties:
      pool_id: {get_param: pool_id}
      address: {get_attr: [server, first_address]}
      protocol_port: 80

Let’s call this file web-server.yaml. Looking at it briefly, it takes parameters that describe which network and load balancing pool to use as well as a parameter to define the parent stack this server will exist on. All of these parameters will actually be supplied by the parent template, which we will look at momentarily. First though, it’s important to go over what’s being configured in user_data. As part of the Cloud-Init, this server will be configured to run a little HTTP service that just returns the private IP of the instance. So, when you call from the load balancer VIP, you can see which instance handled the request. Each instance also runs a background process that alternately burns CPU for anywhere from 60-480 seconds, depending on its IP address, and then sleeps for 120 seconds. This simulates load and triggers the elastic scaling up and down.

As for the main/parent heat template, that would look something like this:

heat_template_version: 2014-10-16

description: AutoScaling Web Application

parameters:
  network:
    type: string
    description: the network all of the servers will use
  subnet_id:
    type: string
    description: the load balancer subnet
  external_network_id:
    type: string
    description: the UUID of the external Neutron network

resources:
  web_server_group:
    type: OS::Heat::AutoScalingGroup
    properties:
      min_size: 2
      max_size: 5
      resource:
        type: web-server.yaml
        properties:
          pool_id: {get_resource: pool}
          network: {get_param: network}
          parent_stack_id: {get_param: "OS::stack_id"}
  scaleup_policy:
    type: OS::Heat::ScalingPolicy
    properties:
      adjustment_type: change_in_capacity
      auto_scaling_group_id: {get_resource: web_server_group}
      cooldown: 30
      scaling_adjustment: 1
  scaledown_policy:
    type: OS::Heat::ScalingPolicy
    properties:
      adjustment_type: change_in_capacity
      auto_scaling_group_id: {get_resource: web_server_group}
      cooldown: 30
      scaling_adjustment: -1
  cpu_alarm_high:
    type: OS::Ceilometer::Alarm
    properties:
      description: If the avg CPU > 40% for 30 seconds then scale up
      meter_name: cpu_util
      statistic: avg
      period: 30
      evaluation_periods: 1
      threshold: 40
      alarm_actions:
        - {get_attr: [scaleup_policy, alarm_url]}
      matching_metadata: {'metadata.user_metadata.stack': {get_param: "OS::stack_id"}}
      comparison_operator: gt
  cpu_alarm_low:
    type: OS::Ceilometer::Alarm
    properties:
      description: If the avg CPU < 15% for 90 seconds then scale down
      meter_name: cpu_util
      statistic: avg
      period: 90
      evaluation_periods: 1
      threshold: 15
      alarm_actions:
        - {get_attr: [scaledown_policy, alarm_url]}
      matching_metadata: {'metadata.user_metadata.stack': {get_param: "OS::stack_id"}}
      comparison_operator: lt
  monitor:
    type: OS::Neutron::HealthMonitor
    properties:
      type: TCP
      delay: 5
      max_retries: 5
      timeout: 5
  pool:
    type: OS::Neutron::Pool
    properties:
      protocol: HTTP
      monitors: [{get_resource: monitor}]
      subnet_id: {get_param: subnet_id}
      lb_method: ROUND_ROBIN
      vip:
        protocol_port: 80
  lb:
    type: OS::Neutron::LoadBalancer
    properties:
      protocol_port: 80
      pool_id: {get_resource: pool}
  lb_floating:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network_id: {get_param: external_network_id}
      port_id: {get_attr: [pool, vip, port_id]}

outputs:
  scale_up_url:
    description: >
      Invoke the scale-up operation by doing an HTTP POST to this
      URL;
    value: {get_attr: [scaleup_policy, alarm_url]}
  scale_dn_url:
    description: >
      Invoke the scale-down operation by doing an HTTP POST to
      this URL;
    value: {get_attr: [scaledown_policy, alarm_url]}
  pool_ip_address:
    value: {get_attr: [pool, vip, address]}
    description: The IP address of the load balancing pool
  website_url:
    value:
      str_replace:
        template: http://host/
        params:
          host: {get_attr: [lb_floating, floating_ip_address]}
    description: >
      This URL is the "external" load balanced url

Let’s call this file final.yaml. It contains all of the necessary instructions to create multiple servers as defined by the web-server.yaml file. It will maintain a minimum of two of these servers, and scale up to a maximum of five as defined by the min and max size of the auto-scaling group. It also implements the Ceilometer alarms that trigger scaling up when a CPU average goes above 40 percent for 30 seconds, trigger scaling down when CPU average goes below 15 percent for 90 seconds, and applies these alarms to the server group as policies.

To create/update a stack with this template you would first need to manually create a network, subnet, and router for the servers/load balancer. You would then pass these values in as parameters like this:

$ heat stack-create -f final.yaml -P "network=web-net;subnet_id=$subnet_id;external_network_id=$public_net_id" autoscale;

That should output a number of things including the web address of the load balancer that will round robin to the two web servers. Hitting that URL repeatedly should display the various IP addresses of the provisioned servers in round robin fashion. After a short period of time, new servers should be added and new addresses will appear, then as load decreases they should disappear. If you want to try this for yourself, these templates along with a script to create the necessary networks are available in the final_deployment folder of the GitHub repo for this book at: https://github.com/johnbelamaric/openstack-appdev-book.

To use this method to deploy our demo application, we would use a combination of two AutoScalingGroups (one for the web and one for the API tier), and a ResourceGroup for the MySQL tier. The user_data portion of each group would then contain the configuration commands for that server type and each group could be scaled independently. Scripts like this generally take a lot longer to create than it would to manually provision and configure an environment one time. Hopefully though, you can now see the advantage here of being able to programmatically recreate everything an application needs at the push of a button. If a project was to be wiped out, or a dev/test area needed, another environment could be instantly created and put to work.

This is not a one size fits all solution. The choices made were all based on personal preference, ease of use, and the requirements of the demo application and environment. There are many other options, and when deploying your own cloud application, your final solution will likely involve different choices and look vastly different. This is to be expected. Hopefully though, you now have the basic knowledge and skills to make those choices, and script the deployment of your own cloud based application.

UPDATING AND PATCHING

There are times when you will deploy an application and your work is essentially done. Applications will often keep themselves up to date via automatic update. Modern browsers are a good example of this. Many of them simply check for an update on startup, download the patch and apply it before starting. Often though, applications have a number of components that need to be manually updated quite frequently. The jQuery library within many web-based applications is a good example of this. The servers themselves may also need to be patched. Security updates for exploits, and fixes that improve performance are both commonplace in any company.

At first, it may seem like the traditional methods should simply be employed here, and they can be. Manually updating, and rebooting servers will definitely patch them. Any standard methodology for promoting code changes will also work. Once deployed, an OpenStack backed application is comparable for the most part to one living in a hardware only world.

The minimal cost of deploying new servers, though, and the ability to programmatically script networking allows for some unique ways to handle on-going maintenance.

Patching Options

If you work within a larger corporate structure, it’s likely that some kind of patching mechanism already exists for you. Allowing even a few machines on a network to be compromised due to missing security updates is a real world problem. Even if you are in this situation however, it’s unlikely that all of your patching will be taken care of by this means. Patches for specialized software for your application and updates that don’t address a performance or security issue are often still the responsibility of devops.

One option for patching depends on your configuration management choice. If you opted to use third party tools like Puppet or Chef, their centralized administrative features can make patching a breeze. They both allow for scheduled updates, and as was mentioned earlier, remote execution. If you designed your application with multiple regions or multiple load-balanced clusters as discussed in Chapter 5, it should be a simple matter to patch/reboot one region/cluster at a time and avoid any downtime.

Ansible’s remote execution ability can be a solid solution here as well. Your application will likely contain many small servers. You can group these into arbitrary sets in an Ansible configuration file and then execute update commands on one group at a time. This is a good way to avoid both downtime and the need to re-provision all together.

OpenStack doesn’t provide any specific first party tools for patching. Instead, the components we have already discussed can be used and Glance/Images are another common avenue for patching. Though still not recommended as a complete solution, updated images are frequently available and can be used to handle basic OS updates. To bring a system to compliance, an application can simply be re-deployed in part or in total with these new images.

This would be a great reason to include the image as a parameter in your Heat template. Running the following command could then update all of the servers with this new image:

$ heat stack-update test_stack -f test.yaml -P "image=CentOS64-Update2"

Of course this may re-provision all of your servers at once, so even if you don’t have multiple logical clusters, it might be useful to split your servers into different ResourceGroups solely for patching purposes. This way it’s possible to change the image on just one group at a time:

$ heat stack-update test_stack -f test.yaml -P "group1_image=CentOS64-Update2;group2_image=CentOS64-Update3"

CI/CD in an OpenStack World

No modern text for developers (or devops) would be complete without at least some mention of agile methodology. Its tenets are pervasive in the modern workplace and technical community. The need to frequently release updates, to A/B test, and to programmatically test the code base of an application as part of a deployment are all challenging aspects of CI/CD (Continuous Integration/Continuous Delivery) and agile philosophy in any type of environment. Fortunately, with OpenStack, your deployment solution can actually provide some unique solutions to these challenges. Let’s look at these one at a time.

The first requirement here is for frequent releases. If you are migrating an application to the cloud, then in all likelihood your current mechanism for updating production code will continue to work. This can be handled in all of the same manners discussed previously for patching. Once an application has passed all of its tests, it is just a matter of contacting any of OpenStack’s APIs such as Heat or Nova to provision new servers and tear down the old ones. If containers are your virtualization technology of choice, you will almost certainly be deploying all of your changes in this manner. If not, then Ansible or similar technology can also be used to remotely execute commands on batches of servers to update code from a central repository.

OpenStack presents the next challenge with more intriguing solutions. The need to A/B test can be integral to making informed choices in an application’s evolution. Traditional methods of handling this include buckets, where an application runs several different versions on the same machine, or code based solutions that programmatically present different options to different users. The ability to actually duplicate portions of your production environment, however, can allow you to quickly deploy multiple versions of the application simultaneously. This provides a complete separation of the code base A from code base B, allowing performance comparisons and preventing one code base from crashing the other. Once the test is concluded, A or B can then be torn down and those resources dedicated to other projects.

The last item, application testing, which usually includes unit as well as functional tests, also has some unique solutions in a cloud-based world. Unit tests can be run just about anywhere, but functional tests often require a fully functional environment. This is another opportunity to use your deployment script to create another working environment to run these tests in. It’s reasonable to picture a system where a commit hook sets off a call to create an environment, tests are run, results are published, and the environment is then torn down. Using your deployment script, template, or whatever technology chosen, ensures that this test environment can perfectly mimic the production environment and is never affected by previous tests. It’s even possible in this scenario for multiple test environments to be running multiple versions of the application and its tests, as opposed to waiting in a queue for a single dedicated test environment.

In general, OpenStack should make both CI/CD and patching much easier, or at least present a whole host of solutions that were unavailable before. Many of these solutions aren’t specific to OpenStack and are available within any cloud environment. However, your deployment solution will likely be very OpenStack specific, and will impact how you go about patching and updating your application/environment. It is for that reason that this chapter is concluded with this discussion on maintenance. It is one last thing to consider before settling on a final deployment solution.

SUMMARY

If you have been in the role of a developer or a system administrator, making all of the necessary choices and scripting them can be a big shift. Bridging these two worlds comes with a lot of benefit though, and it is likely to be the way things move going forward, since these benefits often arise in the form of huge cost savings. There is current demand for devops expertise for this reason. While the deployment of containers and third-party development will continue to evolve, the fundamental concept of provisioning your hardware and networking, along with your software, is here to stay in one form or another. The fact that OpenStack tries to provide an open-ended platform for these concepts to flourish, makes it a great choice regardless of which technologies end up winning in the end.

BOOK WRAP UP

In this book we have discussed exactly what OpenStack is and what it provides. The various components and projects that comprise the bulk of OpenStack have been described. Examples of how to create and improve applications using some of the unique aspects of the cloud have been covered. We have also provided options for deploying and maintaining these applications, all of which will help you get started using OpenStack.

One of the great joys of working within an OpenStack backed environment is the ability to experiment without consequence. You can lock up a server and reboot it from a website without calling down to the server room. You can allocate and de-allocate assets like drive space, IP addresses and databases without the frustration of service tickets. Even misconfiguring a server to the point where it is unusable, can be fixed by deleting and re-provisioning it in seconds. This kind of self-service infrastructure is at the heart of the devops movement and makes learning OpenStack fun and exciting. It can also make it a little overwhelming.

The sheer breadth of what can be accomplished using OpenStack is a bit daunting. It’s more than just another program to use or another language with yet another way of writing if then statements. OpenStack and other cloud-based solutions represent a fundamental shift in how the web is created, and how modern web-based applications are designed. It requires a completely new skill set as well as the ability to think of previously physical objects like servers, and networking equipment as objects in a software program. Even the names of these things themselves can get overwhelming. Sorting out the Novas, Neutrons, Kilos, and Kubernetes takes both time and dedication as well as some interest in the subject.

For some, this may come naturally, but for most of us it takes a lot of experimentation, failure, and well… more failure. Mastery comes with its own rewards, and in the case of OpenStack, it can allow you to do things that you have wanted to do for years and give you control over your environment in a way that you have never had before.

In addition to this book, there are a number of resources to help you gain this mastery. First and foremost, the web is full of tutorials, blogs, and API documentation for OpenStack. Some sites you might find useful in your journey:

https://www.openstack.org/: The central hub for all things OpenStack, and worth exploring even if you’re not looking for an answer to a specific question.

http://developer.openstack.org/api-ref.html: One of several API references available. It always seems to be missing a few things, but is updated frequently and is probably your best bet for API documentation and examples.

https://developer.rackspace.com/blog/: Rackspace continues to provide great up to date tutorials and interesting discussions on all topics OpenStack.

https://wiki.openstack.org: Covers great descriptions of all of the major projects, and is a good place to start if you want to dig deeper into any individual component.

If you want to go beyond the web, more and more classes and physical world resources are becoming available as OpenStack adoption increases. Another major avenue to increase your OpenStack knowledge and expertise might be one of the semi-annual conferences held all over the world. You can see where these are being held at: https://www.openstack.org/summit/.

Sharing your experiences with OpenStack and participating in the community is also a great gateway of actually contributing to OpenStack. This can be as simple as providing documentation on a missing method or value, or as complex as providing a patch for the next major release. Exactly how much you want to get involved is up to you, but doing so can be rewarding and is an exciting part of what it means to utilize open source software.

In the end, OpenStack is about choice: the choice of how to implement it, the choice of how to use it, and the choice of how to participate in its life cycle. This, more than anything else, is what makes OpenStack a unique offering in a surprisingly crowded field. Now go and use OpenStack to build the next great success story!

OpenStack® Cloud Application Development

Scott Adkins, John Belamaric, Vincent Giersch, Denys Makogon, Jason Robinson

OpenStack® Cloud Application Development

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2016 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-19431-6

ISBN: 978-1-119-23964-2 (ebk)

ISBN: 978-1-119-19434-7 (ebk)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2015953113

Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Programmer to Programmer, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. OpenStack is a registered trademark of OpenStack Foundation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

ABOUT THE AUTHORS

SCOTT ADKINS is a technical lead for the Cloud Operations team at Comcast. He helps the team deploy new internal OpenStack environments, as well as helping onboard other teams into the cloud. In particular, Scott helps newcomers to the cloud understand the pet versus cattle model and how their applications can be adjusted to run more effectively in the OpenStack cloud environment. Scott has been a UNIX and Linux Systems Administrator for more than 30 years. Prior to his work at Comcast, he was a technical lead at Savvis Communications for the UNIX team. Scott lives in Leesburg, Virginia with his wife and four children.

JOHN BELAMARIC is a software and systems architect with nearly 20 years of software design and development experience. His current focus is on cloud network automation. He is a key architect of the Infoblox Cloud products, concentrating on OpenStack integration and development. He brings to this his experience as the lead architect for the Infoblox Network Automation product line, along with a wealth of networking, network management, software, and product design knowledge. He is a contributor to both the OpenStack Neutron and Designate projects. He lives in Bethesda, Maryland with his wife Robin and two children, Owen and Audrey.

VINCENT GIERSCH is the co-founder and CTO of Flat.io, where he mainly works on the automation of deployment and scaling of the SaaS application. Prior to that, at the University of Kent and in partnership with JANET, he designed and implemented the support of the IETF ABFAB (Application Bridging for Federated Access Beyond Web) in OpenStack Keystone to provide a non-web federated authentication. Recently he worked as an R&D Platform Engineer at OVH.com, developing a Docker hosting platform based on OpenStack. He is from Nantes, France.

DENYS MAKOGON is a developer and software architect of cloud platforms, mainly focused on developing and designing platform and Software-as-a-Service applications for OpenStack. He is a lead software developer for Gigaspaces, concentrating on Cloudify product development along with bringing well-designed and production-ready integration with VMware cloud platforms, including vCloud Air. He is a contributor to the OpenStack DBaaS platform and OpenStack Cloud Validation open source framework. He lives in Kharkiv, Ukraine.

JASON ROBINSON is a senior platform developer at GoDaddy. He helps teams transition traditional applications to their internal OpenStack cloud with a focus on orchestration and resiliency. Prior to his work with OpenStack, he was an architect on GoDaddy's cloud storage product and a principal developer of their webmail offering. Jason has been working as a professional web developer for 18 years, and in addition to serving as a lead engineer for tech-centered companies like GoDaddy, Verizon, and GTE, he has done extensive work in the fields of e-commerce, telemedicine, and streaming media. When not pursuing the perfectly scalable application, Jason is an avid runner, maker, amateur philosopher, and most recently a father.

ABOUT THE TECHNICAL EDITORS

CHRIS DENT, Senior Software Engineer at Red Hat, primarily focuses on improving, integrating, and testing OpenStack. Prior to Red Hat he worked as a freelance consultant designing and developing HTTP APIs for collaborative document systems.

LARS BUTLER is a core engineer for ZeroVM and led the project's mini design summit at OpenStack Summit Atlanta. His previous F/OSS work includes OpenQuake Engine, a scalable distributed calculation engine for computing global earthquake hazard and risk, developed in collaboration with the Swiss Seismological Service.

JOE TALERICO, Performance Engineer at Red Hat, is a seasoned Senior Computer Engineer experienced in integrating leading edge technologies into existing infrastructures. He has developed solutions and automation frameworks around technologies ranging from Cloud, Virtualization, Storage, End User Computing, Unified Communications, Datacenter, IPTV, and Android.

CREDITS

PROJECT EDITOR
Charlotte Kughen

TECHNICAL EDITORS
Chris Dent, Lars Butler, Joe Talerico

PRODUCTION EDITOR
Christine O'Connor

COPY EDITOR
Christina Rudloff

MANAGER OF CONTENT DEVELOPMENT & ASSEMBLY
Mary Beth Wakefield

PRODUCTION MANAGER
Kathleen Wisor

MARKETING DIRECTOR
David Mayhew

PROFESSIONAL TECHNOLOGY & STRATEGY DIRECTOR
Barry Pruett

BUSINESS MANAGER
Amy Knies

ASSOCIATE PUBLISHER
Jim Minatel

PROJECT COORDINATOR, COVER
Brent Savage

PROOFREADER
Christina Rudloff

INDEXER
Robert Swanson

COVER DESIGNER
Wiley

COVER IMAGE
Alexandra Lande/Shutterstock

ACKNOWLEDGMENTS

I would like to thank my wife and children for their patience and support while I worked on this project. I would like to also thank the OpenStack community for everything they do to build upon and support the open source cloud. Without the OpenStack community, we would not have the cloud platform we have today!

—SCOTT ADKINS

I would like to thank my wife and children for their support and encouragement throughout this project.

—JOHN BELAMARIC

I would like to thank the entire team, who helped me to complete this project and gave the appropriate level of support, and my family, who helped me to stay focused on this book.

—DENYS MAKOGON

I would like to thank my wife Tara who took care of all of us while I was working on this book, my brother for giving me my first computer and, of course, my parents, who supported me even when I decided to pursue a philosophy degree (every parent's worst nightmare).

—JASON ROBINSON

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.