CloudStack vs OpenStack vs Eucalyptus
IaaS Private Cloud Brief Comparison
Daniel Kranowski
Business Algorithms, LLC
http://www.bizalgo.com
October 1, 2012
public iaas private iaas
CloudStack Eucalyptus OpenStack
Architecture
Installation
Administration
Security
High Availability
Zone
Pod
Cluster
Host
Primary storage
Secondary storage
CloudStack installation
Build physical network, storage nodes, hypervisors
Unzip cloudstack .tar.gz, run install.sh (yum install cloudstack mysql)
Cloud-bridge RPM
Set up NFS shares (primary/secondary storage)
Download system & user templates
Database schema setup
UI-based cloud launch
See also http://www.bizalgo.com/2012/07/08/making-cloudstack-quick-install-quicker/
ec2 API script:
ec2-add-keypair mykey
ec2-add-group grp1
ec2-authorize grp1 -P tcp -p 22 -s 0.0.0.0/0
ec2-run-instances ami-123456 --instance-count 1 --instance-type m1.small --key mykey --group grp1
CloudBridge (awsapi)
CloudStack REST API:
?command=createSSHKeyPair&name=mykey
?command=createSecurityGroup&name=grp1
?command=authorizeSecurityGroupIngress&securitygroupname=grp1&startport=22&endport=22&cidrList=0.0.0.0/0
?command=deployVirtualMachine&serviceofferingid=m1smallid&templateid=ami123456id&zoneid=1&keypair=mykey&group=grp1
baseline security: VLAN/Firewall
[Diagram: a switch connects two VLANs. VLAN 1: tenant1, VM "Customer financials", virtual router with ingress and outgress. VLAN 2: tenant2, VM "Marketing apps", virtual router with ingress and outgress.]
CloudStack high availability
[Diagram: CloudStack #1, CloudStack #2, CloudStack #3; mysql #1, mysql #2; hypervisors (dom0) running VMs; primary storage; secondary storage]
Load-balanced multi-node Management Server
Replicated database for disaster recovery
CloudStack
Architecture: Monolithic controller. Datacenter model, not object storage.
Installation: Fewest parts to install. RPM needed.
Administration: Good web UI; a belated script CLI
Security: Baseline VLAN/firewall VM protection
High Availability: Load-balanced multi-node controller
[Diagram: Eucalyptus components]
Cloud: Cloud Controller (CLC), Walrus
Cluster (Availability Zone): Cluster Controller (CC), Storage Controller (SC)
Nodes: three Node Controllers, each running VMs
Object storage: Walrus S3
Block storage: Storage Controller (SC), Elastic Block Storage (EBS)
Command line scripts: euca2ools, EC2 API tools
Eucalyptus installation
Build physical network, storage nodes, hypervisors
Open firewall ports on cloud component nodes (CLC to Walrus, CC to NC, etc)
Setup yum/dpkg repositories (eucalyptus.repo)
RPM/apt-get installation of eucalyptus components
Configure eucalyptus.conf
euca_conf: create postgres db
Register components and arbitrators
HA: configure DRBD
Web UI does NOT control guest instances!
Use euca2ools CLI instead.
(Or RightScale/enStratus)
euca2ools
ec2 API script:
ec2-add-keypair mykey
ec2-add-group grp1
ec2-authorize grp1 -P tcp -p 22 -s 0.0.0.0/0
ec2-run-instances ami-123456 --instance-count 1 --instance-type m1.small --key mykey --group grp1
equivalent euca2ools script:
euca-add-keypair mykey
euca-add-group grp1
euca-authorize grp1 -P tcp -p 22 -s 0.0.0.0/0
euca-run-instances ami-123456 --instance-count 1 --instance-type m1.small --key mykey --group grp1
Eucalyptus security
The CloudStack baseline (VLAN, API PKI, VM SSH)
…and…
Component registration (since not monolithic)
Eucalyptus high availability
Primary/secondary CLC, Walrus, SC, CC
NC and VM instances are disposable
Failover, NOT load balancing
Eight controller machines at cloud/cluster level
Storage redundancy relies on SAN vendor
Arbitrators monitor connectivity to CLC, Walrus, CC
Eucalyptus
Architecture: Five main components. AWS clone
Installation: Nice RPM/DEB, still medium effort
Administration: Strong CLI compatible with EC2 API
Security: Baseline + component registration
High Availability: Primary/secondary component failover
OpenStack services
[Diagram: OpenStack components]
nova-api, rabbit-mq, nova-compute, nova-volume, nova-network, nova-scheduler
hypervisor running VMs
swift-account, swift-container, swift-object, swift-proxy
glance-control, glance-registry
horizon
keystone: identity, token, catalog, policy
rdbms
OpenStack installation
Build physical network, storage nodes, hypervisors
KEYSTONE setup
Install keystone, reconfigure from sqlite to mysql
Manually create keystone database, init the service
Define tenants, users, roles; run keystone-init.py
Define swift filter in keystone.conf
Populate keystone service catalog from database
Verify keystone with openssl
GLANCE setup
Install glance, reconfigure from sqlite to mysql
Manually create glance database
Configure glance-api-paste.ini, glance-registry.conf
Populate glance database, restart services
Verify glance by uploading a test image
NOVA setup
Install nova and dependencies
Manually create nova database
Configure hypervisor, database, keystone in nova.conf
Populate nova database, restart services
Create nova network bridge interface for guest VMs
Configure openrc file with CLI credentials
Download real VM image, upload to glance registry
Define security group, keypair, start an instance
SWIFT STORAGE setup
Do the following for each storage node.
Install swift account, container, object
Make XFS filesystem on each disk partition
Configure rsync
Configure swift account, container, object servers
Start storage services
SWIFT PROXY setup
Install swift proxy
Create SSL certificate
Configure memcached to listen on proxy local IP address
Configure keystone admin token
Create proxy server conf
Run swift ring builder for account, container, object rings
Enumerate storage devices on each ring
Verify and rebalance the rings
Start proxy services
HORIZON setup
Install apache and horizon dashboard
Manually create horizon database
Populate horizon database
Restart services
OpenStack administration
OpenStack CLI:
nova keypair-add --pub-key ~/.ssh/id_rsa.pub mykey
nova secgroup-create grp1 "my security group"
nova secgroup-add-rule grp1 tcp 22 22 192.168.1.1/0
nova boot --flavor 2 --image f4addd24-4e8a-46bb-b15d-fae2591f1a35 --key_name mykey --security_group grp1 i-123456
euca2ools work here!
euca-run-instances ami-123456 --instance-count 1 --instance-type m1.small --key mykey --group grp1
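The SSH ingress rules in the ec2, euca2ools, CloudStack REST and nova scripts on these slides all use a /0 prefix, and a /0 prefix matches every source address whatever address precedes it. The following added example (not part of the original slides) parses the four rule syntaxes shown and reports world-open ingress; the function names and the 10.0.0.0/8 rule are constructed for illustration.

```python
import ipaddress
import shlex
from urllib.parse import parse_qs

def parse_rule(line):
    """Return (group, proto, from_port, to_port, cidr), or None if not an ingress rule."""
    if line.startswith("?"):                        # CloudStack REST query string
        q = {k.lower(): v[0] for k, v in parse_qs(line[1:]).items()}
        if q.get("command") != "authorizeSecurityGroupIngress":
            return None
        # The slide's call carries no protocol parameter, so none is assumed here.
        return (q["securitygroupname"], q.get("protocol", "unspecified"),
                int(q["startport"]), int(q["endport"]), q["cidrlist"])
    argv = shlex.split(line)
    if argv[:2] == ["nova", "secgroup-add-rule"]:   # group proto from to cidr
        group, proto, lo, hi, cidr = argv[2:7]
        return (group, proto, int(lo), int(hi), cidr)
    if argv and argv[0] in ("ec2-authorize", "euca-authorize"):
        opts = dict(zip(argv[2::2], argv[3::2]))    # -P proto, -p port, -s cidr
        lo, _, hi = opts["-p"].partition("-")
        return (argv[1], opts["-P"], int(lo), int(hi or lo), opts["-s"])
    return None

def audit(lines):
    """List (cidr as written, effective network, from_port, to_port) for world-open rules."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        # strict=False masks host bits, so 192.168.1.1/0 is read as 0.0.0.0/0.
        net = ipaddress.ip_network(rule[4], strict=False)
        if net.prefixlen == 0:
            findings.append((rule[4], str(net), rule[2], rule[3]))
    return findings

# Rule lines as written on the slides, plus constructed non-matching lines.
SAMPLE = [
    "ec2-authorize grp1 -P tcp -p 22 -s 0.0.0.0/0",
    "euca-authorize grp1 -P tcp -p 22 -s 0.0.0.0/0",
    "nova secgroup-add-rule grp1 tcp 22 22 192.168.1.1/0",
    "?command=authorizeSecurityGroupIngress&securitygroupname=grp1"
    "&startport=22&endport=22&cidrList=0.0.0.0/0",
    "euca-authorize grp1 -P tcp -p 22 -s 10.0.0.0/8",        # constructed narrow rule
    "ec2-run-instances ami-123456 --key mykey --group grp1",  # not a rule (abbreviated)
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("world-open ingress:", finding)
```

The nova rule is reported with an effective network of 0.0.0.0/0 even though it is written as 192.168.1.1/0.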
Keystone security
[Diagram: client, service, keystone]
(1) authenticate (2) token
(3) service request with token
(4) check token (5) authorize
(6) authorized service response
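The six-step exchange above, as an added in-memory model (not part of the original slides and not Keystone's real API). The class names, role names, policy table and token lifetime are assumptions, and the service is assumed to apply policy to the roles keystone returns for a valid token.

```python
import secrets
import time

class Keystone:
    """Toy identity service (constructed for illustration)."""
    def __init__(self, users, ttl=3600):
        self.users = users      # name -> (password, set of roles)
        self.ttl = ttl
        self.tokens = {}        # token -> (user, roles, expiry)

    def authenticate(self, user, password, now=None):        # steps (1)-(2)
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None or not secrets.compare_digest(record[0], password):
            raise PermissionError("authentication failed")
        token = secrets.token_hex(16)                         # unguessable bearer token
        self.tokens[token] = (user, record[1], now + self.ttl)
        return token

    def check_token(self, token, now=None):                   # step (4)
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            self.tokens.pop(token, None)                      # drop expired tokens
            return None
        return {"user": entry[0], "roles": entry[1]}

class Service:
    """Toy API service that believes only what keystone says about a token."""
    POLICY = {"list_servers": "member", "delete_server": "admin"}  # assumed policy

    def __init__(self, keystone):
        self.keystone = keystone

    def request(self, token, action, now=None):               # steps (3)-(6)
        identity = self.keystone.check_token(token, now)      # (4) check token
        if identity is None:
            return 401, "invalid or expired token"
        # (5) authorize: unknown actions map to None and are denied by default.
        if self.POLICY.get(action) not in identity["roles"]:
            return 403, "role not permitted"
        return 200, f"{action} ok for {identity['user']}"     # (6) response

def demo():
    """Status codes for a valid call, a missing role, a forged token, an expired token."""
    ks = Keystone({"alice": ("s3cret", {"member"})}, ttl=60)
    svc = Service(ks)
    token = ks.authenticate("alice", "s3cret", now=0)
    return [svc.request(token, "list_servers", now=10)[0],
            svc.request(token, "delete_server", now=10)[0],
            svc.request("forged", "list_servers", now=10)[0],
            svc.request(token, "list_servers", now=61)[0]]
```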
which services offer HA?
rabbit-mq
nova-network
swift-account
swift-container
swift-object
rdbms
Run one per hypervisor (i.e. you manage HA yourself)
"The Ring": disk replication (not redundant service pids)
Swift: The Ring (HA)
[Diagram: two ZONEs, each with two disks of four partitions; object 12345]
Three replicas of each object.
OpenStack
Architecture: Fragmented into lots of pieces
Installation: Difficult: many choices, not enough automation
Administration: Web UI, euca2ools, native CLI.
Security: Baseline + Keystone
High Availability: Swift Ring, otherwise manual effort
summary
                   CloudStack     Eucalyptus     OpenStack
Architecture       Monolithic     5 part, AWS    Fragments
Installation       Medium         Medium         Difficult
Administration     UI, EC2 CLI    EC2 CLI        Multi CLI
Security           Baseline       Registered     Keystone
High Availability  LB multi       2x failover    Swift only
This has been the brief version of a longer presentation on IaaS. For extra analysis regarding IaaS infrastructure, security, code, system compatibility and more, please
contact Daniel Kranowski.