Tweaking OpenStack

© 2013 Nebula, Inc. All rights reserved.

Vishvananda Ishaya, Director of Open Source, Nebula Inc.

Private Cloud Toolkit: Tweaking OpenStack

Who am I?

• OpenStack Technical Committee Member

• Started at NASA the day Nova was created

• Nova Technical Lead for the first two years of its existence

• Designed and deployed multiple private clouds with OpenStack

The Problem

A Perfect World

$ (apt-get|yum) install openstack
...
openstack installed successfully!
$ _

The Real World

$ (apt-get|yum) install openstack
unknown command
$ _

$ git clone git://github.com...
...
$ cd devstack
$ ./stack.sh

OpenStack is Configurable

• Tiny to very large scale

• Pluggable backends

• Multiple components

WAT!?

Choices

Network Configuration

• Neutron OVS

• Neutron Vendor

• Nova-network vlan

• Nova-network flat

Hypervisor Choice

• KVM

• Xen

• Hyper-V

• ESX

• Other

Object Storage

• Swift

• Ceph

Block Storage Backend

• Default LVM

• Ceph

• SolidFire

• NetApp

Suggested Projects Small Scale

• Compute (nova)

• Object Storage (swift)

• Image Service (glance)

• Identity (keystone)

• Dashboard (horizon)

• Networking (neutron)

• Block Storage (cinder)

• Metering (ceilometer)

• Orchestration (heat)

Suggested Projects Large Scale

• Compute (nova)

• Object Storage (swift)

• Image Service (glance)

• Identity (keystone)

• Dashboard (horizon)

• Networking (neutron)

• Block Storage (cinder)

• Metering (ceilometer)

• Orchestration (heat)

Nova Tweaks

Nova-network Tweaks

• force_dhcp_release=true

• defer_iptables_apply=true

• multi_host=true

• share_dhcp_address=true

• dnsmasq_config_file=/path/to/file (configure dnsmasq to pass external gateway)

Nova-compute Tweaks

• force_raw_images=False

• use_cow_images=False

• resume_guests_state_on_host_boot=True

• running_deleted_instance_action=reap

Network Stack Performance

• Turn on jumbo frames

• Increase TX queue length

• Tweak guest TCP settings

• http://buriedlede.blogspot.com/2012/11/driving-100-gigabit-network-with.html

Security

Lock down the host machines

• Normal Linux hardening applies

• Control access to the host machines

• Keep software up-to-date

• Don’t have services listen on 0.0.0.0

• Separate management and guest traffic

• http://aa4698cc2bf4ab7e5907-ed3df21bb39de4e57eec9a20aa0b8711.r41.cf2.rackcdn.com/OpenStackSecurityGuide.epub
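
One way to check the two points about not listening on 0.0.0.0 and keeping management traffic separate against a nova.conf, as an added example that is not part of the original slides. The option names osapi_compute_listen, metadata_listen and ec2_listen, and their 0.0.0.0 defaults, are assumed from nova releases of this period; the sample config and the 10.0.0.0/24 management network are constructed.

```python
import configparser
import ipaddress

# Assumption: nova API listen options of this era; each is assumed to
# default to 0.0.0.0 when it is absent from nova.conf.
LISTEN_OPTS = ("osapi_compute_listen", "metadata_listen", "ec2_listen")

# Constructed sample nova.conf, not taken from a real deployment.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
multi_host = true
osapi_compute_listen = 10.0.0.5
metadata_listen = 0.0.0.0
"""


def audit_listen_addresses(conf_text, mgmt_cidr):
    """Return (option, address, reason) for each API listener that is
    not pinned to an address inside the management network."""
    mgmt_net = ipaddress.ip_network(mgmt_cidr)
    # nova.conf values may contain '%' and repeated keys, so disable
    # interpolation and strict duplicate checking.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for opt in LISTEN_OPTS:
        raw = parser.get("DEFAULT", opt, fallback=None)
        if raw is None:
            # An unset option is the easy one to miss: the service
            # still starts, bound to the assumed wildcard default.
            findings.append((opt, "0.0.0.0", "unset, default is the wildcard"))
            continue
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings.append((opt, raw.strip(), "not an IP literal"))
            continue
        if addr.is_unspecified:
            findings.append((opt, str(addr), "binds every interface"))
        elif addr not in mgmt_net:
            findings.append((opt, str(addr), "outside management network"))
    return findings


if __name__ == "__main__":
    for opt, addr, reason in audit_listen_addresses(SAMPLE_NOVA_CONF, "10.0.0.0/24"):
        print(f"{opt} = {addr}: {reason}")
```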

Nova Security Considerations

• Only enable API extensions your users need

• Only enable scheduler filters your users need

• Customize policy for administrative actions

• Use HTTPS in front of API services

• Consider disabling instance migration

Questions?

Thank you.