Embed Size (px)
Citation preview
CONTENTSINTRODUCTION
WHOTHISBOOKISFOR
WHATTHISBOOKCOVERS
HOWTHISBOOKISSTRUCTURED
WHATYOUNEEDTOUSETHISBOOK
CONVENTIONS
SOURCECODE
ERRATA
P2P.WROX.COM
PARTIOPENSTACKOVERVIEW
1INTRODUCINGOPENSTACK
WHATISCLOUDCOMPUTING?
WHYSHOULDICARE?
UNDERSTANDINGTHEARCHITECTURE
SUMMARY
2UNDERSTANDINGTHEOPENSTACKECOSYSTEM:COREPROJECTS
IDENTITY
COMPUTE
STORAGE
IMAGING
DASHBOARD
NETWORKING
BRINGINGITALLTOGETHER
SUMMARY
3UNDERSTANDINGTHEOPENSTACKECOSYSTEM:ADDITIONALPROJECTS
OPENSTACKHEAT
OPENSTACKDATABASEASASERVICE:TROVE
DESIGNATE:DNSASASERVICE
MAGNUM
MURANO:APPLICATIONASASERVICE
CEILOMETER:TELEMETRYASASERVICE
SUMMARY
PARTIIDEVELOPINGANDDEPLOYINGAPPLICATIONSWITH
OPENSTACK
4APPLICATIONDEVELOPMENT
CONVERTINGALEGACYAPPTOANOPENSTACKAPP
BUILDINGAPPSFROMSCRATCH
OPENSTACKAPPDESCRIPTIONANDDEPLOYMENTSTRATEGIES
SUMMARY
5IMPROVINGONTHEAPPLICATION
FAILURESCENARIOS
HOSTNAMEANDIPADDRESSING
SCALING
IMPROVINGOURAPPLICATION
SUMMARY
6DEPLOYINGTHEAPPLICATION
BAREMETAL,VIRTUALMACHINES,ANDCONTAINERS
ORCHESTRATIONANDCONFIGURATIONMANAGEMENT
MONITORINGANDMETERING
ELASTICITY
UPDATINGANDPATCHING
SUMMARY
BOOKWRAPUP
TITLEPAGE
COPYRIGHT
ABOUTTHEAUTHOR
ABOUTTHETECHNICALEDITORS
CREDITS
ACKNOWLEDGMENTS
EULA
ListofIllustrationsChapter1
Figure1.1
Figure1.2
Figure1.3
Figure1.4
Figure1.5
Figure1.6
Chapter2
Figure2.1
Figure2.2
Figure2.3
Figure2.4
Figure2.5
Figure2.6
Figure2.7
Figure2.8
Figure2.9
Figure2.10
Figure2.11
Figure2.12
Figure2.13
Chapter3
Figure3.1
Figure3.2
Figure3.3
Figure3.4
Figure3.5
Figure3.6
Figure3.7
Figure3.8
Figure3.9
Figure3.10
Figure3.11
Figure3.12
Figure3.13
Chapter4
Figure4.1
Figure4.2
Figure4.3
Figure4.4
Figure4.5
Figure4.6
Chapter5
Figure5.1
Figure5.2
Figure5.3
Figure5.4
Figure5.5
Figure5.6
Figure5.7
Figure5.8
Figure5.9
Figure5.10
Chapter6
Figure6.1
Figure6.2
Figure6.3
Figure6.4
Figure6.5
INTRODUCTIONOpenStackisasetofsoftwarepackagesthatmanagevirtualizedresources,includingcomputing,networking,andstorage.Itenablesyoutocreateanddestroyvirtualmachines,connectthemtogetherwithprivatenetworks,providenetwork-basedstorage,andmakethemavailabletotherestofyournetworkandtheworld.OpenStackprovidesconsistent,uniformAPIservicesforallofthis,hidinghypervisorandvendorspecificdetailsfromtheapplicationsthatareusingtheAPIs.Italsoprovidesauserinterface,builtontopofthesameAPIs,thatallowsuserstoseeandmanagetheirvirtualresources.
WHOTHISBOOKISFORThisbookisforapplicationdevelopersthatareinterestedinlearningmoreaboutOpenStackandhowitwilltransformtheapplicationdesignanddevelopmentprocess.Itisforsomeonewhoisnewtothecloudenvironment,whowantsabroadunderstandingofthatenvironment,aswellasadeepenoughknowledgetomakepracticaluseofOpenStack.
WHATTHISBOOKCOVERSThisbookwillprovideabroadunderstandingofcloudconceptsandhowtheyfitintothelifeofanapplicationdeveloper.ItwilldrillindeeplytotheOpenStackservicesthataremostimportanttoanapplicationdeveloper,andshowyouhowtheseserviceswillchangenotonlyhowyoudeployapplications,butalsohowyoudesignthem.Itwillprovidedetailedinformationoneachservice,andprovideexamplesofhoweachservicemaybeusedbyanapplicationdeveloper.
HOWTHISBOOKISSTRUCTUREDThisbookwaswrittenintwoparts.Part1providesanoverviewofOpenStack.Thepurposeofthispartistolaythegroundwork,coveringalloftheOpenStacktechnologiesandwhatismostimportant.
Part2takesthereaderthroughdevelopinganddeployingapplicationswithOpenStack.InthispartyouwillbuildanexampleontopofOpenStackthatdrillsdownmuchdeeperonthetechnologies,providestips,andhelpsyoulearnaboutOpenStackthroughthelensofthesesametechnologies.
Hereisalistofthechapters:
PartI:OpenStackOverview
Chapter1:IntroductiontoOpenStack
Chapter2:UnderstandingtheOpenStackEcosystem:CoreProjects
Chapter3:UnderstandingtheOpenStackEcosystem:AdditionalProjects
PartII:DevelopingandDeployingApplicationswithOpenStack
Chapter4:ApplicationDevelopment
Chapter5:ImprovingontheApplication
Chapter6:DeployingtheApplication
WHATYOUNEEDTOUSETHISBOOKYoushouldunderstandthebasicsofapplicationdevelopment-howapplicationsarecomposedofmultipleserverslikewebservers,applicationservers,anddatabaseservers.Youdonotneedanycloud-specificknowledge,thoughyoushouldbeawareofwhatvirtualizationandvirtualmachinesare,andhaveabasicunderstandingofnetworks.
CONVENTIONSTohelpyougetthemostfromthetextandkeeptrackofwhat’shappening,we’veusedanumberofconventionsthroughoutthebook.
Examplesthatyoucandownloadandtryoutforyourselfgenerallyappearinaboxlikethis:
EXAMPLETITLEThissectiongivesabriefoverviewoftheexample.
Source
Thissectionincludesthesourcecode.
Sourcecode
Sourcecode
Sourcecode
Output
Thissectionliststheoutput:
Exampleoutput
Exampleoutput
Exampleoutput
NOTENotesindicatesnotes,tips,hints,tricks,orandasidestothecurrentdiscussion.
Asforstylesinthetext:
Wehighlightnewtermsandimportantwordswhenweintroducethem.
Weshowcodewithinthetextlikeso:persistence.properties.
SOURCECODEAsyouworkthroughtheexamplesinthisbook,youmaychooseeithertotypeinallthecodemanually,ortousethesourcecodefilesthataccompanythebook.Allthesourcecodeusedinthisbookisavailablefordownloadatwww.wrox.com.Specificallyforthisbook,thecodedownloadisontheDownloadCodetabat:
www.wrox.com/go/openstackcloudappdev
andat:
https://github.com/johnbelamaric/openstack-appdev-book
Youcanalsosearchforthebookatwww.wrox.combyISBN(theISBNforthisbookis978-1-119-19431-6)tofindthecode.AndacompletelistofcodedownloadsforallcurrentWroxbooksisavailableatwww.wrox.com/dynamic/books/download.aspx.
NoteBecausemanybookshavesimilartitles,youmayfinditeasiesttosearchbyISBN;thisbook’sISBNis978-1-119-19431-6.
Onceyoudownloadthecode,justdecompressitwithyourfavoritecompressiontool.Alternately,youcangotothemainWroxcodedownloadpageatwww.wrox.com/dynamic/books/download.aspxtoseethecodeavailableforthisbookandallotherWroxbooks.
ERRATAWemakeeveryefforttoensurethattherearenoerrorsinthetextorinthecode.However,nooneisperfect,andmistakesdooccur.Ifyoufindanerrorinoneofourbooks,likeaspellingmistakeorfaultypieceofcode,wewouldbeverygratefulforyourfeedback.Bysendinginerrata,youmaysaveanotherreaderhoursoffrustration,andatthesametime,youwillbehelpingusprovideevenhigherqualityinformation.
Tofindtheerratapageforthisbook,goto
www.wrox.com/go/openstackcloudappdev
AndclicktheErratalink.OnthispageyoucanviewallerratathathasbeensubmittedforthisbookandpostedbyWroxeditors.
Ifyoudon’tspot“your”errorontheBookErratapage,gotowww.wrox.com/contact/techsupport.shtmlandcompletetheformtheretosendustheerroryouhavefound.We’llchecktheinformationand,ifappropriate,postamessagetothebook’serratapageandfixtheprobleminsubsequenteditionsofthebook.
P2P.WROX.COMForauthorandpeerdiscussion,jointheP2Pforumsathttp://p2p.wrox.com.TheforumsareaWeb-basedsystemforyoutopostmessagesrelatingtoWroxbooksandrelatedtechnologiesandinteractwithotherreadersandtechnologyusers.Theforumsofferasubscriptionfeaturetoe-mailyoutopicsofinterestofyourchoosingwhennewpostsaremadetotheforums.Wroxauthors,editors,otherindustryexperts,andyourfellowreadersarepresentontheseforums.
Athttp://p2p.wrox.com,youwillfindanumberofdifferentforumsthatwillhelpyou,notonlyasyoureadthisbook,butalsoasyoudevelopyourownapplications.Tojointheforums,justfollowthesesteps:
1. Gotohttp://p2p.wrox.comandclicktheRegisterlink.
2. ReadthetermsofuseandclickAgree.
3. Completetherequiredinformationtojoin,aswellasanyoptionalinformationyouwishtoprovide,andclickSubmit.
4. Youwillreceiveane-mailwithinformationdescribinghowtoverifyyouraccountandcompletethejoiningprocess.
NOTEYoucanreadmessagesintheforumswithoutjoiningP2P,butinordertopostyourownmessages,youmustjoin.
Onceyoujoin,youcanpostnewmessagesandrespondtomessagesotheruserspost.YoucanreadmessagesatanytimeontheWeb.Ifyouwouldliketohavenewmessagesfromaparticularforume-mailedtoyou,clicktheSubscribetothisForumiconbytheforumnameintheforumlisting.
FormoreinformationabouthowtousetheWroxP2P,besuretoreadtheP2PFAQsforanswerstoquestionsabouthowtheforumsoftwareworks,aswellasmanycommonquestionsspecifictoP2PandWroxbooks.ToreadtheFAQs,clicktheFAQlinkonanyP2Ppage.
PARTIOpenStackOverview
CHAPTER1:INTRODUCINGOPENSTACK
CHAPTER2:UNDERSTANDINGTHEOPENSTACKECOSYSTEM:COREPROJECTS
CHAPTER3:UNDERSTANDINGTHEOPENSTACKECOSYSTEM:ADDITIONALPROJECTS
1IntroducingOpenStackWHAT’SINTHISCHAPTER?
Modelsofcloudcomputing
Relevanceofcloudcomputingtoapplicationdevelopers
WhyOpenStackisagoodcloudplatformchoice
HowOpenStackisputtogether
WHATISCLOUDCOMPUTING?Thereissomuchhypearoundcloudcomputingthatitisoftendifficulttogetaclearsenseofwhatanyonemeansbythosewords.Isitjustvirtualization?IsitSoftware-as-a-Service(SaaS),suchasMicrosoft’sOffice365andSalesforce.com?OrisittheabilitytogetavirtualmachineinstantlyfromAmazonWebServices(AWS)orAzure?AndwhataboutonlinestoragesuchasDropbox?
TypesofCloudComputingTherealityisthatcloudcomputingreferstoallofthesethingsjustdescribedandmore.TheNationalInstituteofStandardsandTechnology(NIST)hascomeupwithan“official”definitionbaseduponfivekeycomponents:on-demandself-service,broadnetworkaccess,pooledresources,elasticity,andmeteredservice.Ingeneral,thesecharacteristicsmaybeprovidedinseveraldifferentmodels.Thesemodelshelpsortouttheconfusionandhype.Infact,thesecanbethoughtofaslayersinastack,witheachlayerbeingbuiltontopofthepreviousone(seeFigure1.1).
Figure1.1
InFigure1.1,“ManuallyProvisionedInfrastructure”representsthetraditionalmethodofbuildingyourinformationtechnologyinfrastructure—thisisnotcloudcomputing.Inthisenvironment,physicalmachinesareracked,connected,andconfiguredonaone-by-onebasis.Thisprovidescompletecontrol,butrequiressubstantialtimeandefforttobuildout,ortochangewhennecessary.Ofcourse,allcloudsneedtorunonphysicalgearatsomepoint,sothisprovidesthebasicfoundationforeverythingelse.Oneofthekeystomakingcloudcomputingsuccessful,however,istomovethecomplexityoutofthislayeranduphigherinthestack.
Infrastructure-as-a-Service(IaaS)isthemostbasiclayerinthecloudcomputing
stack.ThisisOpenStack’sprimaryfocus,aswellastheprimaryfocusforAWS.Itenablesautomatedorself-serviceprovisioningofcompute,networking,andstorage.Typically,theseresourcesareprovidedasVirtualMachines(VMs),butyoucouldalsouseittospinupbaremetalservers(i.e.physicalhosts).Thisisknownas“Metal-as-a-Service,”andOpenStackprovidesaprojectformanagingthisserviceaswell.Alternatively,youcanalsospinupcontainersratherthanVMsorbaremetalservers.Theessentialpointisthatitenablestheprovisioningofcomputeinstances,with(optionally)attachednetworkingandstorage.
Platform-as-a-Service(PaaS)buildsontopofIaaStoenabletheprovisioningofapplications,ratherthansimplytheinfrastructurethatmightbeusedtoruntheapplication.So,aPaaSprovidescorecommonservicesneededbyapplications,alongwiththemachinerytoconfigureanddeployapplicationstousethoseservices.APaaStypicallywillprovideacompleteapplicationstack(webserver,applicationserver,databaseserver,etc.)intowhichyoucaneasilydeployyourapplication.Heroku(https://www.heroku.com)isanexampleofapopularPaaSforapplicationsbuiltwithavarietyofstandardframeworks,suchasRuby-on-Rails.WithHerokuyoucandeployyourapplicationtotheInternetwithasimplegitpush.Astheapplicationauthoranddeployer,youdon’tneedtoworryaboutconfiguringanddeployingthedifferenttiers,orevenworryabouthowtoscalethem.IfyoufollowtheHerokuconventions,everythingishandledbythePaaS.
Software-as-a-Service(SaaS)isthelayerfarthestfromtheunderlyingphysicalinfrastructure.ItmaybebuiltonIaaSoraPaaS,butneednotbe—thepointistheuserneverreallyknows.Thisisthesimplestformofcloudcomputingfromthepointofviewoftheuserbecausetheyhavenoinsightintotheactualmechanicsorsystemsbehindtheservice.It’sjustaservicetheyuse.Oftenthisisprovidedintheformofawebsite,suchasSalesforce.com.Butyoucanalsogetlower-levelservicessuchasDatabase-as-a-Service,whereyousimplyrequestviaanAPI(orwebsite)foradatabasewithcertainparameters,andaregivenanIPandporttoconnectto.Asauseroftheservice,youdon’tneedtoworryabouthowtoscalethatservice—thoughyouwillneedtopaymoreasyouruseoftheserviceincreases.
Putsuccinctly,IaaSprovidesthetoolsto“build”yoursystemsfromthegroundup.PaaSallowsyouto“deploy”yourapplications,withoutneedingtoworryabouttheunderlyinginfrastructure.SaaSallowsyouto“buy”yourapplications—youdonotevenneedtodeployormanagethematall.Thisisasteadyprogressionofdecreasingcontrolandcomplexity,whileincreasingdirectbusinessvalue.
Whilethesearegeneralmodelsforcloudcomputing,inrealitythedistinctionsbetweenthemarenotalwayscrystalclear.TherelationshipofSaaStoPaaSinparticularcanbecomplicated.Aspecific,complexSoftware-as-a-ServicemayusePaaSorevenothermoregranularSoftware-as-a-Service.EvenaPaaSmayassemblelower-levelpiecesasacollectionofsoftwareservices.Forexample,mostserviceswillrequireanidentitymanagement(authentication,authorization,andaccounting)service.ThisidentityserviceisoneofthekeyfeaturesaPaaSprovides
toapplications.However,thereisnoreasonthatservicecannotbe,inturn,providedbysomeexternalSaaS!Inthiscase,akeyfunctionofthePaaSisprovidedviaalow-levelSaaS.
CloudInfrastructureDeploymentModelsInadditiontothefunctionalityprovidedbyacloud,thereareseveraldifferentdeploymentmodelsforclouds.Publiccloudsaretheonesfamiliartomostdevelopers.Thesecloudservicesaremadeavailabletothegeneralpublicforafee.Thefeeisgenerallyonausagebasis,enablingorganizationstoutilizetheiroperatingbudgetsratherthantheircapitalbudgets.Thecustomershavenoneedtomaintainoroperatethehardwareorcloudinfrastructure,leavingthatresponsibilitycompletelytothecloudoperator.
AmazonWebServices(AWS)iscurrentlythelargestpubliccloudanddominatestheindustry.MicrosoftandVMwarealsooperatepublicclouds,andanumberofserviceprovidersdoaswell.Rackspace,inparticular,providesanOpenStack-basedpubliccloud,andisoneoftheprimarycontributorstotheOpenStackproject.
Privateclouds,ontheotherhand,areinternaltoanorganization.Theyrepresenttheevolutionofthetraditionalcorporatedatacenter.Onlyinternalcustomerswithintheenterprise,andperhapsclosepartners,useprivateclouds.ThecorporateITdepartmentoracontractorwillpurchase,setup,andmaintainthehardwareandsoftwareforthecloud.Thecloudinfrastructuremayusechargebacktodistributecostsamongthebusinessunits,buttheclouditselfisstilldedicatedtothesingleenterprise.
Organizationsmayoperateprivatecloudsforanumberofreasons.Thecostofaprivatecloud,ifwellrun,maybelessthanutilizingthepublicclouds.Additionally,manyindustrieshavesecurityorregulatoryreasonsthatdisallowtheuseofapubliccloudformanyworkloads.Theseorganizationsarerequiredtorunthoseworkloadsinaprivatecloud.SeeFigure1.2foralookatthestructureofpublic,private,andhybridclouds.
Figure1.2
Hybridcloudscombinebothprivateandpublicclouds.Thegoalwithhybridcloudsistokeepgeneraloperatingcostslowbyusingtheprivatecloudformostoftheworkloads,buttoenablespilloverintothepubliccloudwhennecessary.Thespillovercouldhappenduetocapacityreasons—perhapsduringtheholidayseasonyourprivateclouddoesn’thaveenoughcapacity—orfordisasterrecovery.Thismodelavoidsthecapacityconstraintsofaprivatecloudwhilestillkeepingcostsundercontrol.
WHYSHOULDICARE?Asanapplicationdeveloperorarchitect,youmaywonder—whydoesallofthismattertome?Allofthisdiscussioncoveredsofarfocusesonthereasonabusinessmaywanttomovetothecloud.Butwhyshouldthataffecttheapplicationdeveloper?Theanswerliesinacoupleofdifferentareas:theeffectonthedevelopmentprocess,andtheeffectonyourapplicationarchitecture.
Cloudservicesenablemuchmoreefficientprocessesformanagingdevelopment,test,andproductionenvironments.Theseupdatedprocessesandmethodsrepresentthe“DevOps”mentality—applyingstandardsoftwaredevelopmentpractices,suchassourcecodeversioncontrol,totheoperationalaspectsoftheapplication.Thismeanscapturingalloftheconfigurationanddeploymentinformationinscriptsandtemplates,andcontrollingtheirchangesjustasyouwouldapplicationcode.
Scriptsandtemplatescanbebuiltthatproduceacompleteapplicationenvironment.Thesecanbeusedtoautomaticallydeploynotonlytheapplication,butalsoinfrastructurerequiredfortheapplication,includingvirtualmachines,networking,firewalls,loadbalancers,domainnameservices—younameit,andsomeoneisworkingonmakingitavailable“as-a-Service.”Byautomatingthecreationanddestructionoftheseenvironments,youcanensureconsistencybetweendevelopment,test,andproductionenvironments.Forcomplexapplicationswithmanydifferentservicesrunningondifferentmachines,thiscanbeadramatictimesaver.
OpenStack,and“as-a-Service”thinkinginparticular,willalsoendupchangingthesoftwareanddeploymentarchitecturesofyourapplication.Byrelegatingthecommonandroutinefunctionstothecloudinfrastructure,youfreeyourtimeandthoughttofocusonthemostimportantthing—yourapplication’sfunctionality.Forexample,atraditionalapplicationthatallowslargefileuploadswillneedtodesignatetemporaryandpermanentstoragelocationsforthosefiles,andmanagethestorageresourcestoensurethatthediskdoesn’tfill.Thesystemadministratorordeployerwillneedtodeviseastrategytobackupthatdataorreplicateittootherdatacenters.Butwiththerightcloudplatform,youcansimplydelegatethatfunctiontotheinfrastructure,andgetallofthebenefitswithoutdevotingspecialeffort.
Designingyourapplicationtoworkwiththecloudservicesalsodramaticallysimplifiesscalingtheapplication.Thescalabilityoftheindividualservicesbecomestheresponsibilityofthecloudoperator,nottheapplicationdeveloperoradministrator.Aslongastheapplicationmakeseffectiveuseofthoseservices,itwillscaleasneededwithlittletonoworkfromthedevelopersthemselves.
Beingabletoutilize“as-a-Service”functionsisonewayyourdesignwillshift.Anotheristoplanforhorizontalscalingratherthanverticalscaling.Thatis,scalingbyaddingmoremachines(horizontally)ratherthancreatingbigger
machines(vertically).Withmostapplicationstoday,itiseasiesttoscalebygettingabigger,fastermachine.Thislocksyouintoplanningforpeakcapacityofeachapplicationindividually.Foreachapplicationyouneedtoprovisionthelargestmachineyoumayneedatpeakload.Butwithapplicationsbuiltforthecloud,youinsteadscalebyaddingmoremachines.Thesemachinescanbesmaller,andwithcloudautomation,canbeadded,removed,orresizedasneeded.Thisabilitytoscaleupanddownasneedediscalledelasticscaling,andisoneofthekeyfeaturesofcloudcomputing.
Afrequentlyusedanalogyisthattraditionalserversarelike“pets,”whilecloud-basedserversare“cattle.”Thisdescribesanecessaryshiftinmentalityforatraditionalapplicationarchitect.Theideaisthatapetisuniqueandspecial,withitsownuniquename.Alotofresourcesarespenttoraiseandnurtureone,andifitissick,itwillbenursedbacktohealth.Cattle,ontheotherhand,arenottreatedspeciallyorcarefullyraised.Theyaretreatedenmasse—theyaregivennumbers,notnames—andasickoneisculledtopreventanyspreadofdiseasethroughtheherd.
Theimplicationhereisthatcloud-basedserversshouldbedisposableandeasilyre-deployed,andnotrequirecarefulhandconfiguration.Thatway,ifthereisaproblemwithone,youdonotspendtimetryingtofigureitoutandfixit—yousimplyreplaceitwithanewone.Thisisthelogicalextensionoftheabilitytoscaleelastically.Whytakethetimetofigureoutwhat’swrongwithamachinewhenit’sbehavingbadly?Justpullitoutoftheapplicationandreplaceitwithanewonewhileyoudebugtheproblem(nottofixthatmachine,buttopreventtheissueinthefuture).
WhatIsOpenStack?OpenStackbillsitselfasa“cloudoperatingsystem.”Fundamentally,itsolvestheIaaSproblem.Itprovidestheabilitytoabstractthephysicalcompute,storage,andnetworkingresourcesintopools.Thoseresourcescanthenbedivviedupamongusersinasecureway.Usersonlyneedtopayforwhattheyareusing,ratherthanhavingtoprovisiontheirapplicationsforpeakload.
OpenStackisacollectionofopensourcesoftwareprojects,backedbyanon-profitorganization,theOpenStackFoundation.TheseprojectsworktogethertoprovideaconsistentAPIlayer,whileenablingtheactualservicestobeprovidedbyavarietyofdifferentvendororopensourceimplementations.Atthecore,theseservicesincludethefunctionalityyouneedtorunacloud,thatis,theabilitytospinupvirtualmachines,theabilitytoallocate,manage,andsharestorageamongthosemachines,andtheabilityenablethesemachinestocommunicatewithoneanothersecurelyoverthenetwork.
KEEPINGTRACKOFRELEASESOpenStackhasofficialreleaseseverysixmonths.Inordertomakeiteasiertokeeptrackofallthesereleases,theyaregivennamesinalphabeticalorder.Belowisthenameofeachrelease,anditsreleasedate,throughtheLibertyrelease.
Austin:October2010
Bexar:February2011
Cactus:April2011
Diablo:September2011
Essex:April2012
Folsom:September2012
Grizzly:April2013
Havana:October2013
Icehouse:April2014
Juno:October2014
Kilo:April2015
Liberty:October2015
Inadditiontothereleasename,eachreleaseisidentifiedbytheyearandreleaseduringthatyear—<year>.<release>.<patch>.Forexample,Kiloisalsoknownas2015.1,asthefirstreleasein2015.PatchreleasesforKiloare2015.1.1,2015.1.2,etc.Thesecondmajorreleaseof2015isLiberty,whichisalsoknownas2015.2.
AlloftheseservicesareaccessibleviaRESTfulAPIs,aswellascommand-lineinterfacesandaweb-baseduserinterfacecalledHorizon.Horizonisconvenientforsettingupthingsonanad-hocbasis,butdoesn’tofferthefullcapabilitiesoftheAPIs—andofcoursetheAPIsandCLItoolscanbeeasilyscripted(seeFigure1.3).
Figure1.3
ThenexttableshowsthemajorservicesprovidedbyOpenStack,alongwiththeirnames.OpenStackcommunitymemberswillusuallyrefertoeachservicebyitsname,soit’shelpfultoseethemallinoneplaceandgetahandleonwhateachonedoes.Infact,therearemanymoreservices,butthesearethemostcommononesyouwillfind.
Name Service Description
Horizon Dashboard Agraphicaluserinterfaceformanagingyourcloud
Keystone Identity Authentication,authorization,andOpenStackserviceinformation
Nova Compute Spinup,manage,andterminatevirtualmachines
Cinder BlockStorage Diskvolumes(thatoutliveaninstance)andsnapshotsofinstances
Swift ObjectStorage
Shared,replicated,redundantstorageforimages,files,andothermediaaccessibleviaHypertextTransferProtocol(HTTP)
Neutron Network Providesecuretenantnetworking
Glance Image ProvidestorageandaccesstoVMimagesandsnapshots
Heat Orchestration Spinupgroupsofmachines,networks,andotherresourcesviatemplates
Designate DNS CreatedomainsandrecordsintheDNSinfrastructure
Ceilometer Telemetry Monitorresourcesusageacrossthecloud
Trove Database Provideaccesstoprivatetenantdatabases
Ironic BareMetal Spinupinstancesonphysicalhardware
Magnum Containers Managecontainerswithininstances
Murano Application Deploypackagedapplicationsacrossmultipleinstances
Sahara DataProcessingCluster
ProvidesaHadooporSparkclusterasaservice
AdefaultinstallationofOpenStackwillinclude“reference”versionsofeachservice.Forexample,bydefaultanOpenStackcloudwillusetheKernel-basedVirtualMachine(KVM)hypervisortomanagevirtualmachines.OneofthemostimportantaspectsoftheOpenStackarchitecture,however,isthedriverorplugin-basednatureofeachservice.Withthisdesign,youcanuseanimplementationotherthanthereferenceone.Inyourcloud,youcanswapoutKVMwithESXi,Xen,orotherhypervisors.TheAPIsusedtolaunchandmanageVMsremainthesame,regardlessoftheunderlyinghypervisor.ThissameconceptextendsacrossOpenStackservices,enablingthesameAPIswithdifferentserviceimplementations.
Thislevelofflexibilitybehindthescenes,whileprovidingaconsistentAPI,isoneofthekeystothesuccessofOpenStack.UserscanbuildtheirapplicationsandautomationontopofOpenStack,withouthavingtoworrythattheyarelocking
themselvesintoasinglebackendproviderofcomputer,networking,orstorage.TheAPIswon’tchangeeveniftheyswapoutthebackend.
OpenStackisfrequentlyusedinenterprisesforprivateclouds,thoughtherearesomepubliccloudservicesthatarebasedonit.TherearealsocompaniesthatwillcreateandoperateaprivateOpenStackcloudforyouwithintheirdatacenters.Inthiscase,thehardwareisnotsharedwithothercustomers,soyouhavethepredictabilityandsecurityoftheprivatecloudbutdonothavetofindandhiretheexpertstomaintainit.
Eveninprivatecloudenvironments,OpenStackisamulti-tenantcloudplatform.Thismeansthatmultipleusersorgroupsofusers—tenants—canutilizethephysicalresourcesofthecloud,whilekeepingalloftheirvirtualizedresourcesprivate.Foratenant,theOpenStackenvironmentappears,forthemostpart,tobetheirsandtheirsalone.Butfortheoperator,theunderlyingphysicalresourcesandsoftwaresystemsareshared.InOpenStack,tenantsarealsosometimesreferredtoasprojects.
Inamulti-tenantOpenStackcloud,eachtenantisallocatedaquotaforthevarioustypesofresourcesthatmaybeused.Thequotaprovidesamaximumlimitforthattenantforthatparticularresource.YouwillhaveaquotaforCPUs,memory,storage,networks,subnets,andfloatingIPs,amongotherresources.Thispreventsanysingletenantfromconsumingalloftheresources.
WhyOpenStack?Thereareanumberofcloudmanagementplatformoptionsoutthere.ThemostobviousanddominantplayerisVMwarewiththeirvRealizesuiteofsoftware.So,whyshouldyoutakeyourtimetolearnaboutOpenStackratherthanvRealize,AWS,Azure,CloudStack,oranyoftheothersolutions?
About15yearsago,ITprofessionalsfacedaverysimilarsetofquestionsaboutLinuxandproprietaryUNIXsystems.Solaris,HP-UX,AIXandtheircompetitorsweresolid,wellknown,andwidelydeployedproducts,whereasLinuxwasagraduatestudent’sprojectthatwasdifficulttoinstallandoperateandwasfairlyimmature,withdriverandothercompatibilityissues.ItwasnotclearatallatthetimethatspendingeffortlearningandunderstandingLinuxwasworthit.Historythough,hasproventhatsuchachoicewouldhavebeentherightone.Allofthoseexpensive,proprietaryUNIXimplementationshavelosttheirvalueproposition—theyreallydon’thavemuchthatisuniquetoofferanymore.Linuxhascontinuedtogrowandhastakenovermostoftheenvironmentswherethosesystemsoncethrived.
Thisisn’tjustasimpleanalogy.Thereisarelentlesspressureinthisindustrytoreducecosts,andtoincreasethevelocityoffeaturedelivery—delivermore,faster,andcheaper.Thewaytoachieve“more,faster”isstandardization.Thisisthesamebasicprincipleasbuildinglibrariesandframeworksinprogramming.Astandardarchitecturebehavesinapredicablemanner,providingcoreservicesonwhichyou
canrelyandbuild.Thereisnoneedtorepeattheprocessofdevelopingthatarchitectureoverandover,allowingyoutofocusonthenewfunctionality.
Thewayyouachieve“cheaper”istomakethosestandardsopenandfree.Thiscombinationofopenandstandardleadstocommoditization—essentiallythedevelopmentofinterchangeablecomponentsthatarethesameregardlessofthemanufacturerorvendor.Commoditiesimplyalotofcompetition,andthereislittleornoproductdifferentiationforwhichtochargeextra.Thisdrivesdownthecostsdramatically.
Linuxhasbothofthesecharacteristics—openandstandard—inUNIX-likeoperatingsystems,andthatiswhyitwon.Notbecauseitwasbetter,butbecauseitwascheaperandfastertouseasabaseforbuildingnewfunctionality.Linuxisjustoneexample,ofcourse.Thisstoryhasrepeatedoverandoverinthetechnologyindustry.Withmachinearchitectureswehavethex86platform,andstandardarchitecturesformemory,disks,andserialbus-basedperipherals.
Infact,ifyoutakethebroaderview,youcanseethatthecommoditizationhascontinuouslymovedupthevaluechain.Itstartedwithhardware,movedtooperatingsystems,andthesedaysevensophisticateddatabasesanddistributedsystemcomponentsarebeingcommoditized.Indatabases,weusedtohaveInformix,DB2,Oracle,Sybase,andothers.ButMySQLandPostgresSQLareopenandstandard,andtheyhavecompletelydominatedthelow-endofthedatabasemarket.Oraclestillleadsinthehigh-end,andisabletoprovidevalueinthosemorespecializedenvironments,butastheopensourceproductsimprove,thespacefortheproprietaryvendorsconstricts.
Insomeway,cloudcomputingistheculminationofthiscommoditizationprocessintheindustry.Broadly,youcanthinkoftherevolutionhappeninginthecomputingindustryasarefocusingoftheindustryonthecorefunctionsofcomputing.Theabstractionofthecomputinginfrastructureintosimplycompute,storage,andnetworkingcomponents,andbreakingoftheseoutfrombeingverticallyintegrated,tohorizontallyintegrated,istrulytransformative.Itbringsfullcommoditizationtotheseelements,whicharethebasicfoundationoftheindustry.
Cloudplatformmanagementwillfollowthesamepattern.TheproprietaryplatformslikevRealizewillthriveforatime,butinthelongruntheopenandstandardsystemswillwin.Whiletheremayalwaysbeaplacefortheproprietarysolutionsinmorespecializedenvironments,themostcommonplatformswillbeopensource.Youcanseethisalreadyhappening:theZenoss2014StateoftheOpenSourceCloudSurvey(http://www.zenoss.com/resource-center/white-papers)foundthat30percentofrespondentswerealreadyusinganopensourcecloud,up72percentfrom17.2percentin2012.Another34percentoftherespondentsplannedtoimplementanopensourcecloudinthefuture.Understandingthisgivesyouanadvantagetofocusontheeventualwinner,insteadofchasingwhatwillultimatelybeasettingstar.
Thereareseveralopen,standardcloudmanagementplatforms.Soevenifyoubelievethatthebetonopenandstandardisthewaytogo,whyshouldyoubetonOpenStack?Theanswerhereissimple—momentum.OpenStackisbyfarthemostwidelyusedandsupportedopensourcecloudmanagementplatform,andithasthelargestcommunityofdevelopersandvendorspushitforward.Thesamesurveymentionedabovefoundthat69percentofrespondentswithanopensourcecloudwereusingOpenStackin2014,upfrom51percentin2012.Anamazing86percentofthoseconsideringanopensourceclouddeploymentarelookingatOpenStack.
TheOpenStackdeveloperandusercommunitieshavegrowndramaticallyaswell.TheOpenStackFoundation2014AnnualReport(https://www.openstack.org/assets/reports/osf-annual-report-2014.pdf)providesdetailedinsightintothisgrowth.In2013,thebestquarterformeanmonthlyactivedevelopershad391developers—in2014thismeasurewasup45percentto569developers.LargeinvestmentsfromHP,Cisco,RedHat,IBM,Dell,Mirantis,Rackspace,andmanyothervendorshavedriventhissurge.Theincrediblegrowthinthenumberofusers,developers,andotherinterestedpartiescanbeseenfromtheattendanceatthetwiceannualOpenStackSummits,seeninFigure1.4(source:openstack.org).
Figure1.4
ClearlyOpenStackhasthemomentumtosucceed.
UNDERSTANDINGTHEARCHITECTUREOpenStackisbuiltonalooselycoupledarchitecture.Eachcomponentisbuiltindependentlyandrunsitsownservices.Theseservicesmaybedistributedamonganumberofdifferentmachineswithdifferentresponsibilities.Thisenablesscalingofparticularfunctions,byaddingmachineswithparticularroles.Italsoenablesredundancy;ahighlyavailabledeploymentwillcontainseveralofeachtypeofmachine.
SoftwareArchitectureIndividualcomponentsinteractwithoneanotherviawell-definedapplicationprogramminginterfaces(APIs)—typicallybasedonrepresentationalstatetransfer(REST)conventions,thoughinsomecasesusingremoteprocedurecalls(RPC)ornotificationsoveramessagebus.Typically,theseserviceswillmaintaindatainarelationaldatabase—usuallyMySQLorPostgreSQL.Themessagebusanddatabasearesharedacrossservices,buttheinteractionsbetweenthoseservicesremainclearlydelineated.Thisenablesdifferentservicestogrowandchangeindependentlyfromtheothers,solongastheyprovidebackward-compatibilityintheAPIs.
Eachofthemajorservices—compute(Nova),networking(Neutron),blockstorage(Cinder),etc.—haveseveralinternalprocessesandcomponents.Generally,theywilleachhaveanAPIservicethatprovidesanHTTP-basedRESTfulAPI.ThisAPIservicewillcommunicatewiththeothercomponentsviathemessagebus.
TheHorizonserviceisaweb-basedUIthatinteractswiththevariousservices.Similarly,therearecommand-linetoolstointeractwitheachservice.Thesetoolsareoptional;youcanbuildyourowninterfacedirectlytotheserviceAPIsifyouwish.HorizonandtheofficialCLIclientsdonothaveanyspecialaccess;everyoneusesthesameAPIs.EachclientreallyonlyneedstobeinformedofthelocationofKeystone,theidentityservice.ThisservicecontainsacatalogofallservicesandAPIendpointsavailableintheOpenStackplatform(seeFigure1.5).
Figure1.5
InFigure1.5,whatyouseeisasimplifieddepictionofhowtheservicesinteract.EachservicehasanAPIcomponent,whichcommunicateswithKeystone’sAPIviaHTTPStoprovideauthenticationandauthorizationinformation.EachAPIserviceusesthemessagebustocommunicatewithseveralotherprocessesforthatservice(justcalled“Services”inthediagram).Asneeded,thesedownstreamserviceprocesseswillcalltheAPIsofotherservices.Forexample,NovawillcalltheNeutronAPItoacquireaportonaparticularnetwork.
DeploymentArchitectureHowareallofthesedifferentpiecesofsoftwaredeployedonthehardware?Thisisactuallyprettyflexible.Fordevelopmentorjustexperimentation,youcanevenruneverythingonasinglemachine.However,amoretypicaldeploymentwillhaveseveralcontrollernodes(forhighavailabilitypurposes),alongwithadditionalnetwork,compute,andcontrollernodes.
Eachhigh-levelservice(compute,networking,storage,andothers)consistsofmultipledaemons(backgroundprocesses).Thesedaemonsarespreadoutacrossthevarioustypesofnodes.Thatis,youdonotrunindividualservicesonindividualnodes,butratherspreadeachserviceoutacrossdifferenttypesofnodes.
Forexample,alloftheservicessharethedatabaseandmessagingcomponents(typicallyMySQLandRabbitMQ,respectively).Youmayruntheseeachon
separateclusters,witheachclusterspreadoverdifferentfailuredomains.Additionally,youmayhaveseveralphysicalnodesthatprovidetheAPIendpoints,behindaphysicalloadbalancer.DifferentdaemonsforNovaandNeutronwillbespreadacrossthenetworkandcomputenodes.Figure1.6showsasimplifieddiagramofthislayout.
Figure1.6
NoticethedifferenttypesofnodesinFigure1.6.ComputenodesrunthehypervisorandthereforetheactualVMinstances,aswellasprovidetheephemeralstorageforinstances.TheywillalsorunNeutronnetworkingagentstomanagetheconnectivitybetweenVMs(calledeast-westtraffic).
ThenetworknodesusuallyprovidetheconnectivitybetweenVMsandoutsidethecloud(callednorth-southtraffic),aswellastheadvancednetworkserviceslikeloadbalancingandVPNaccess.Dependingonthechoicesmadebytheadministratorsandusers,theremaybeagentsprovidingnetworkroutingservicesonthenetworknodes,directlyonthecomputenodes,orboth.
Theblockstoragenodesprovidevolumeservicestotheinstances—thatis,theyprovideaccesstopersistentstoragefordiskvolumesthatcanbeattachedand
detachedtoinstances.Cloudsthatofferobjectstoragewillalsohaveseparateclustersforthat.Objectstorageprovidesshared,replicated,redundantstorageforimages,files,andothermediaaccessibleviaHTTP.
Varioussegregatednetworksconnectallofthesenodes.Everynodeisaccessibleviathemanagementnetwork,whichisusedfordifferentpartsofOpenStacktocommunicatewithoneanother.Allofthemessagebus,database,andcross-projectAPItrafficgooverthemanagementnetwork.Thedatanetworkconnectsallofthecomputenodes,networknodes,andblockstoragenodes.Theinternalcloudtenanttrafficiscarriedonthisnetwork,whereastheexternalnetworkprovidesaccesstotheoutsideworld.Sincethecomputenodesdonotcommunicatewiththeoutsideworld,butonlywithothernodesinthecloudinfrastructure,theyneednothaveconnectivitytotheexternalnetwork,butonlyneedaccesstothedatanetwork.Onlythenetworknodesneedtoconnecttotheexternalnetwork.Finally,someinstallationswilluseanAPInetwork,whichprovidesaccessbetweentheoutsideworldandtheOpenStackendpoints(APIandHorizon),separatefromtheexternalnetworkusedbytenants.
ProsandConsThisarchitectureprovidesagreatdealofflexibility.Thisenablesthescalabilitybylettingthecloudoperatordeployadditionalnodestoscaletheinfrastructure.Italsoallowstheabilitytocreatehighlyavailableservices,sinceyoucanspliteachserviceoutandmakethemredundantacrossfailuredomains.However,itisverycomplex,andcanbequitedifficulttosetupandmaintain.
Asauserofthecloud,thiswillbetransparenttoyou.Butaproperlyruncloudwillhaveenoughredundancybuiltinthatyoucanexpectahigh-levelofreliabilityfromtheOpenStackinfrastructure.
Anothersubstantialbenefittothisarchitectureisavoidingvendorlock-in.Eachserviceprovidesapluginordriver-basedarchitecture.Thisenableseachservicetoworkwithanynumberofvendorplatformstoprovidetheactualservice.Forcompute,youcanusethedefaultKVMhypervisor,ESXi,Xen,oroneofmanyotherhypervisorchoices.ThenetworkingservicedefaultstousingOpenvSwitchtoprovideLayer2(thedatalinkorMACaddresslayer)connectivity,andtheLinuxnetworkingstack(iptables,routing,andnamespaces)toimplementLayer3(IPlayer)functionality.However,therearemorethan20differentvendorpluginstoswapallorpartofthatdefaultimplementation.Infact,thesevendorimplementationscanbeusedatthesametime,inthesamecloud.
Byavoidingvendorlock-in,OpenStackenablesmorecompetitionbetweenthevendors,pushingdownpricesinthemarket.Theabilitytousemultiplevendorsatoncemakestransitioningfromonevendortoanothermorefeasible,andalsoallowsthechoiceofvendorforsolvingspecificusecases.
AninterestingfeatureintroducedwiththeKiloreleaseofOpenStackisfederatedidentity.ThistakesthedistributednatureofOpenStackandallowsittospan
acrossmultipleclouds,evenfromdifferentproviders.Twocloudproviderscansetupatrustrelationship,enablingusersofoneprovidertousethesamecredentialswithanother,trustedprovider.Thusthesameworkloadmanagementtoolsyouuseforasinglecloudcantheoreticallybeusedtomanageworkloadsacrossmultipleclouds.Forcapacityburstusecases,thisisapowerfulfeature.
OpenStackDistributionsWiththecomplexityofthearchitecture,anumberofcompanieshavesteppedintohelpwithinstallationandmanagementofanOpenStackplatforminaprivatecloud.TheseincludenamesfamiliarfromtheLinuxdistributionworld,suchasRedHat,SUSE,andCanonical(Ubuntu),aswellasnewplayersthatarefocusedonlyonOpenStack,suchasMirantis.
INDUSTRYCONSOLIDATIONInfacttheOpenStackindustryhasseenagreatdealofconsolidationin2014and2015.Severalpure-playOpenStackcompanieshavebeengobbledupbythebiggerplayers.
ManylargeintegratorsandenterprisesoftwarevendorsarealsojumpingintotheOpenStackdistributiongame,withthelikesofIBM,HP,andOraclejoiningthefray.
Ifyoudon’thaveanOpenStackcloudavailablealready,oryouwanttolearnmoreaboutthearchitectureandhowallofthepiecesfittogether,youcansetupyourownOpenStackplayground.Youcanuseoneofthesedistributionstosetupyourownsmallcloud.EachofthedistributionvendorsprovidestheirowntoolsforsetupofOpenStack.Theyareprimarilytargetedatproductionenvironments,andassuchcanbeprettyhardtogetstartedwithonyourown.Forexample,Canonical’sofferingrequiresaminimumofsevenphysicalnodesjusttobringuptheenvironment.
Ifyouaresettingsomethingupsmall,yourbestoptionsareprobablyRedHat’sopensourcedistribution(asopposedtotheirsupportedversionrunningonRedHatEnterpriseLinux),calledRDO(www.rdoproject.org).Thenicethingaboutthisdistributionisthatitoffersasimple“allinone”optiontodeploytheentireenvironmentonasinglenode.
IfyouwouldliketotinkerwiththeactualcodeofthevariousOpenStackservices,youcouldalsosetupadevstackenvironment.Devstack(www.devstack.org)isapowerfulsetofscriptstocreateandconfigureanOpenStackdevelopmentenvironment.
Whilethedetailedinstructionsonlinearequitegood,hereareafewhintstomakeyourdevstacksetupgosmoothly.You’llwantafreshUbuntu(http://www.ubuntu.com)orFedora(www.fedoraproject.org)installation.Don’t
trytorundevstackonyourregularmachine—you’llwantadedicatedmachine(virtualorphysical).IfyouhaveavirtualizationproductlikeVMwareWorkstationorFusion,orthefreeVirtualBoxforyourlaptopordesktop,thebestthingtodoiscreateabaseserverinstallationofyourOSofchoice(enablingalloftheextrarepositories),andthensnapshotit.Thiswillmakeiteasytostartoverifyoutrashyourenvironment.
Theinstructionswillhaveyoucreatealocal.conffile,whichthedevstackscriptsusetocaptureallofthespecificsofyourinstallation.Thereareonlyafewitemsyouneedtosetinyourlocal.conf.
[[local|localrc]]
ADMIN_PASSWORD=stack
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
SERVICE_TOKEN=some-random-string
FIXED_RANGE=10.0.0.0/24
FLOATING_RANGE=192.168.20.0/25
PUBLIC_NETWORK_GATEWAY=192.168.20.1
LOGFILE=/opt/stack/logs/stack.log
disable_servicen-net
enable_serviceneutronq-svcq-agtq-dhcpq-l3q-meta
Thefirstsectionheresetsupthenetworking.YoushouldpickaFIXED_RANGEthatdoesnotoverlapyourexistingnetwork.YourFLOATING_RANGEcancorrespondtoanexistingunusedsubnetonyournetwork,withthePUBLIC_NETWORK_GATEWAYbeingthelocaldefaultgatewayonyoursubnet.
TheLOGFILEsettingsimplyhelpsyoudebugifyourdevstackdoesnotcomeupproperly,whereastheremainderofthefiledisablesNovanetworkingandenablesNeutronnetworking.
YouwillneedaccesstoeitherdevstackoranotherOpenStackinstancetofollowtheexamplesthroughoutthisbook.
GETTINGTHEOPENSTACKCLICLIENTSTofollowalongwiththeexamples,you’llneedaccesstoamachinewiththeOpenStackclientsinstalled.Youcanlearnhowtoinstalltheclientsathttp://docs.openstack.org/cli-reference/content/,whichwillincludeinstructionsforavarietyofoperatingsystems.TheexamplesinthisbookwilluseLinux.
Theeasiestwaytousetheseclientsistosetthenecessaryauthenticationinformationinenvironmentvariables:
$exportOS_USERNAME=usernameOS_PASSWORD=password
OS_TENANT_NAME=tenant-name
$exportOS_AUTH_URL=http://keystone-ip:keystone-port/v2.0
Thisallowsyoutocalltheclientswithoutpassingthoseparameters:
$openstackflavorlist
+----+-----------+-------+------+-----------+-------+-----------+
|ID|Name|RAM|Disk|Ephemeral|VCPUs|IsPublic|
+----+-----------+-------+------+-----------+-------+-----------+
|1|m1.tiny|512|1|0|1|True|
|2|m1.small|2048|20|0|1|True|
|3|m1.medium|4096|40|0|2|True|
|4|m1.large|8192|80|0|4|True|
|42|m1.nano|64|0|0|1|True|
|5|m1.xlarge|16384|160|0|8|True|
|84|m1.micro|128|0|0|1|True|
+----+-----------+-------+------+-----------+-------+-----------+
IfyourservicesendpointsareusingHTTPS,you’llneedtochangetheOS_AUTH_URLtoreflectthat.Ifyouareusingself-signedcertificates,youalsoneedtopassinthe–insecureoption.
SUMMARYInthischapter,youhavelearnedaboutthevarioustypesofcloudcomputing—IaaS,PaaS,andSaaS—andhowtheyrelatedtooneanother.OpenStackfillstheIaaS,andperhapsinthefuturethePaaSfunctions,intheclouds.Moreimportantlyyoulearnedthatdrivingcostslowerwhiledeliveringmorefeatures,morequicklyisthedrivingforcebehindthecloudcomputingrevolution.Finally,youlearnedaboutthemajorcomponentsofOpenStack—Nova,Neutron,Glance,andKeystone,andhowtosetupaplaygroundforexperimentingwithOpenStack.
2UnderstandingtheOpenStackEcosystem:CoreProjectsWHAT’SINTHISCHAPTER?
HowthedifferentOpenStackcomponentsworktogetherandhowauthenticationworkswithintheinfrastructure
AlookathowacomputeinstanceiscomposedandthedifferenthypervisorssupportedinOpenStack
HowdataisstoredintheinfrastructureandunderstandingthedifferencesbetweenBlockStorageandObjectStorage
Howinstancetemplatesandsnapshotsarecreatedandwheretheyarestored
ThedifferentwaystomanageyourOpenStackresources:GUIversusCLIversusAPIs
HowthenetworkisdesignedinOpenStackandthedifferentnetworkcomponentsavailableandexposedthroughtheAPIs
Atthispoint,youhaveanunderstandingofwhycloudcomputingisimportanttoapplicationdevelopers,andageneraloverviewofOpenStack.Inthischapter,youwilllearnthecoreservicesinmoredetail.Thesearetheservicesmostcriticaltorunninganapplication—compute,network,andstorage.Youwillalsolearnaboutthemanagementservicestomakethosepossible,suchastheidentityservice,whichallowsyoutoauthenticateinordertocreateyourapplications.
Sometimes,itmayseemthatthedescriptionsinthischaptergointomoredetailthanyouneedtorunanapplication.However,youcanthinkofthesefeaturesastoolsandbuildingblocks.Youneedtohaveasolidunderstandingofwhatispossible,soyoucanseenewwaystobuildflexible,scalable,androbustapplications(seeFigure2.1).
Figure2.1
IDENTITYTheidentityservicewithinOpenStack,namedKeystone,isresponsibleforauthentication,authorizationandaccounting(AAA)andcurrentlyimplementsandprovidestheOpenStackIdentityAPI.
Themaingoalofthisidentityserviceistoprocessandvalidateauthenticationandauthorizationrequests,thenreturnan“authenticationtoken,”whichisusedtoauthenticatetheuseragainsttheAPIsandcanbeusedtocontacttheotherservicesofanOpenStackinfrastructure.Theseservicescanbediscoveredusingthecatalogreturnedintheauthenticationresponse(detailedlaterinthischapter).
KeystonecurrentlyimplementstwoversionsoftheIdentityAPI(v2,v3).ThesecondversionhasbeenusedforyearsandisstillmainlyusedtodayinthedifferentlibrariesandclientssupportingOpenStack.Thethirdversionisquiterecentandprovidesamorepluggableandflexibledesign,allowingusingmultipleauthenticationmechanisms(theoriginal“password”method,butmoreoverwell-knownandusedmechanisms,suchasOAuthorSAML2),andtheabilitytocombinethesemethodsinasinglerequest.
ThislastIdentityAPIhasamulti-tenantdesignandhassimpleresources:
Region:anOpenStackinfrastructurethatoptionallymayhavesub-regions
ServicewithEndpoints:anOpenStackregisteredserviceinKeystonethatcanhavezero,one,ormultipleendpointstoreachthisone(e.g.public,internal,admin)
Domain:acontainerfortheusers,groups,andprojects
Project(knownas“Tenant”inthesecondversionoftheAPI):owningasetofOpenStackresources
User:asingleAPIconsumer,whichshouldhavereallyrestrictedauthorizationsinyourapplication
Group:acollectionofdifferentusersofthesamedomain
Role:anauthorizationthatauseroragroupofuserscanobtainonaprojectoradomain
AlloftheseresourcescanbemanagedusingtheIdentityAdminAPI,whichisavailableasacreate,read,update,anddelete(CRUD)RESTfulAPI.
UsingTokensandRe-AuthenticationTheauthenticationagainstthedifferentOpenStackservicesisbasedontokensprovidedbytheidentityservice(Keystone)orconfiguredintheserviceitself(e.g.admintokens).
AtokenprovidedbyanidentityserviceisanarbitrarystringthatcontainstheUseridentityandoptionallyanauthorizationcalledscope.Theauthorization
attachedtothistokengrantsaccesstoaProjectoraDomain,allowingyoutoaccessProjectorDomain-relatedresources.
YoucaneasilycreateatokenusingtheIdentityAPIwiththemethodPOST/auth/tokenswithauseridentityandthewantedscope:
{
"auth":{
"identity":{...},
"scope":{...}
}
}
TokenIdentitiesWhenrequestinganewtoken,theidentityparameterwillcontaintheusedauthenticationmechanisms.Hereisanexampleusingpassword.Theuniqueidentifieroftheuserisusedhere,howeveritispossibletousetheusernameifthedomainisexplicitlyspecified.
{
"auth":{
"identity":{
"methods":[
"password"
],
"password":{
"user":{
"id":"042042",
"password":"secret-password"
}
}
}
}
}
ScopedandNon-ScopedTokensIfspecifiedintherequest,theauthorizationscopemustcontaintheprojectidentifierorthedomainidentifier.
{
"auth":{
"scope":{
"project":{
"id":"123456"
}
}
}
}
Ifascopehasbeenprovidedinthetokencreationrequest,theIdentityAPIwillreturnacatalogcontainingthedifferentOpenStackservicesthatcanbeusedbytheuserwiththetokenandtherolesgrantedtothisuser.
X-Subject-Token:ff00ff84
{
"token":{
"catalog":[
{
"endpoints":[
{
"id":"c3ac301342a381b895743659d0956de1",
"interface":"public",
"region":"RegionOne",
"url":"http://my.identity.service:5000"
}
],
"id":"9192d6fb0f120a188133cb569b8db832",
"type":"identity",
"name":"keystone"
}
],
"expires_at":"2015-07-14T13:37:00.000000Z",
"issued_at":"2015-07-15T13:37:00.000000Z",
"methods":[
"password"
],
"user":{
"id":"042042"
}
}
}
Ifnoscopeisspecifiedinthetokencreationrequest,theIdentityAPIwillreturnanon-scopedtokenthatcanbeusedtoidentifytheuserinanextIdentityAPIrequest.Oneexamplewouldbetocreateascopedtokenusingthetokenauthenticationmechanism.
Ascopedtokencanbere-scopedusingthetokenauthenticationmechanismwithasmallerscope,forexamplethisisextremelyusefultoprovidealimitedauthorizedtokentoanapplicationsub-componentoranotherAPIclientthatdoesn’tneedthefullauthorizationoftheoriginaltokentooperate.
UsinganAuthenticationTokenTheobtainedauthenticationtokenscanbepassedinalloftheHTTPrequestsagainstthedifferentRESTAPIsasaX-Auth-TokenHTTPheader.ThesetokenswillbecheckedbytherequestedOpenStackservicetoensuretheirvalidity(i.e.expiration,revocation,etc.)andiftheauthorizationofthistokenallowsaccesstotherequestedresourcewiththepolicyoftheserviceappliedtotheuserrole.
HowVariousPiecesofOpenStackCommunicatewithEachOtherOpenStackhasamodulararchitecturewhereallofthedifferentcomponentsareseparateservicesthatcommunicatetogetherusingstandardizedRESTAPIs(seeFigure2.2).ThisprincipleisfundamentalandrequiredintheOpenStackproject
lifebecausedifferentteamsledbydifferentpeoplearedevelopingeachcomponent.AlloftheOpenStackcomponents’featuresandupdatesstartbyanAPIdesigndiscussion.AlloftheseAPIsshouldbesimple,standard,re-usableandre-implementablebyanydeveloperwhowouldwanttousethemandhavecustomservicesthatwouldimplementtheAPIopen-specifications.Moreover,thesestandardRESTAPIshavefeaturesthatuseamessagingqueuetointernallyprocessthedifferentactionsandevents.
Figure2.2
TherequestsprocessedbetweenthedifferentOpenStackservicesareauthenticatedwiththetokensoftheoriginalrequest(seetheearliersectionaboutauthenticationtokengeneration)andtheauthorizationoftheserequestsbetweentheOpenStackservicesarecheckedasadirectrequesttotheend-service.
Forexample,whenausercreatesasnapshotofacomputeinstance,thecomputeserviceprocessesarequestagainsttheimageservicetostorethissnapshot.Whencreatingthisrequest,theoriginalauthenticationtokenispassedintheRESTAPIrequestbetweenthetwoservices.Ifthisimageserviceusestheobjectstorageserviceasastoragebackend,anauthenticatedrequestisgeneratedbetweenthese
twoservicesusingtheoriginalauthenticationtoken(seeFigure2.2).
CanApplicationsUseKeystone?WhencreatinganapplicationthatusesOpenStack,theusageofKeystoneisrequiredtoensureappropriateauthorizationsandstructureofthedifferentservicesorpartsoftheapplication.
Let’staketheexampleofanapplicationthatwouldhavedocuments(e.g.pictures)uploadedbyaguestuser.So,weneedaservicetoconvertorresizethesepictures.Wealsoneedtostorethepictures(thatwecallobjects)usinganOpenStackobjectstorageservice.Wethenneedtoautomaticallyprovisionandmanagetheinstancesusingthecomputeinstances.We’llhavetwodifferentrolesorprojectsandtwodifferentusersbecausewedon’twantthepublicaccessibleapplicationtomanageourinstancesforsecurityreasons.
DEMOAPPLICATIONSOURCECODEYoucanaccessthesourcecodefromourdemoapplicationviaGitHub:https://github.com/johnbelamaric/openstack-appdev-book.
COMPUTETheComputeprojectinOpenStack,namedNova,includesalloftheAPIsandtoolstoprovisionandmanagetheinstances(thevirtualmachinesprovisionedonphysicalcomputenodes)acrossmultiplephysicalhostsatscale.Thisprojectprovidesanabstractionoftheconfigurationofthemainusedhypervisorsintheworld,allowingyoutoeasilyprovisionvirtualmachineswithastandardAPI,independentofaspecifichypervisortechnology.
Inthispart,you’lldiscoverthedifferentpiecesthatcomposeaninstanceonOpenStack,howtheinstancesmodelsaremanaged(calledflavors),howtheinstancesarescheduledinacomputeinfrastructureandthemainhypervisorssupportedbytheproject(SeeFigure2.3).
Figure2.3
PiecesofanInstanceInOpenStack,aninstancehasthetraditionalcomponentsofavirtualizedserverprovidedbyahypervisor.Thesecharacteristicsaredefinedbytheflavorsinthecomputeservice:
OneormultipleallocateddedicatedorvirtualCPUs(vCPUs)
Someallocatedmemory(RAM)
Arootdiskthatcanbeanydeviceattachedtothehostserver(virtualornotvirtual,local,remote,ordistributed)
Theinstanceshaveusuallyoneormultiplenetworksconfigured.Thesenetworkscanbeconfiguredusingthenetworkservice(Neutron),andthenetworkdevices
canbeprovisionedbytheNovaserviceinthehostusingtheNetworkAPIandconfiguredintheinstancebythehypervisor.
Theinstancescanhavepersistentblockstoragesattachedtothem(i.e.avirtualharddriveintheinstance),whichcanbeprovisionedandmanagedusingthevolumeserviceandattachedbythehypervisortotheinstance.
Theconsole(screen)ofaninstancecanbeviewedusingtheVNCserviceinNova,whichcanbecomparedtoaphysicalkeyboard,videoandmouse(KVM)foraphysicalserver.KVMwastraditionallyusedtosharethesedeviceswithmultiplecomputers(https://en.wikipedia.org/wiki/KVM_switch).Todaythesametermisusedtodescribethevirtualaccesstotheseinput/outputsofanOpenStackinstance.ThisNovaserviceispresentedasagoodwaytoabstractthewaytoaccessallofthegraphicalinterfacesandconsolesofalltheinstances,regardlessoftheusedvirtualizationtechnologyandtheinstances’operativesystems.Therearedifferentprotocolstoaccessaninstance’sinterfaceandNovaprovidesaunifiedandtransparentwaytoaccessthem.Forexample,thisservicecanalsoproxyaRDP(RemoteDesktopProtocol)fortheinstancesthatrunMicrosoftWindows.
UnderstandingFlavorsAflavorinOpenStackrepresentsamodelofaninstance:asetofallocatedresourcesforavirtualmachineanditsspecificities.Inpubliccloudserviceswherehostserversaresharedacrossmultipleprojectsortenants(customers),theflavorscanbecomparedtocommercialoffers,wherethebilledresourcesarecalculatedusingthetotaltimetheinstancesofaspecificflavorrunduringamonth.ThisinformationiscalculatedusingtheOpenStackTelemetryService(Ceilometer,seesection3.6).
Acomputeflavorcontainssomeofthefollowingresourcedetails:
Thenameofauniqueidentifier
Theamountofcores(vCPUs)andtheweightiftheyaresharedwithmultipleinstances
Thememory(RAM)andtheswapsize
Therootdiskandephemeraldiskspace
Aflavormaycontainextraspecificationsthatareusefultomakedecisionsduringtheschedulingofaninstanceinacomputeinfrastructure,andtoallocatetherequiredresourcetoruntheinstance(e.g.processorarchitecture,over-provisioning,PCIdevicesrequiredetc.).TheflavorsmaybepublicorlinkedtosomespecificOpenStackprojects.Sincewecanassociatethistoacommercialofferoracomputeinstancemodel,aspecificmodel(orcomputeinstance)canbelimitedtoasimpleprojectorcanbepublicandusedbyanyprojectinanOpenStackinfrastructure.Forexample,whenyoulaunchanewprocessormodelforcustomersinapubliccloud,youcouldcreatededicatedflavorstoallowthem
tousethesenewphysicalservermodelstocreatenewinstances.
SchedulingFiltersWhenaninstanceisprovisionedonanOpenStackcomputeinfrastructure,onetaskofNova,andespeciallyofitsscheduler,istochoosethecomputenode(physicalhost)wheretheinstancewillbecreatedormoved.Youcanfindanoverviewofthescheduleroperations(FilteringandWeighting)inFigure2.4.
Figure2.4
FilteringThistaskisprocessedusingasimpleconcept:thecomputeschedulertakesasetofnodesavailabletouseandappliesasetoffilterstothislisttoeliminatetheonesthatdon’tmatchthedifferentcriteriaoftherequiredconfiguration(refertoFigure2.4).
Herearesomeexamplesofschedulingfilters:
Skipthehoststhatarefull(noCPU,Memoryordiskavailable)
Matchonlyahostthathastheexactamountofresourcesavailable
Usethesamehostofanotherinstance
UseaphysicalhostwheresomespecificPCIdevicesareavailable
Thephysicalhostscanbeaddedinaggregationgroupsthatareusuallyusedtomatchoneormultiplespecificflavorsorprojectsusingaschedulingfilter.Herearetwocommonusecasesofthisfeature:
Anaggregationgroupcanbecreatedforacustomerwithsomededicatedhostsandhardware.Usingextraspecificationsinadedicatedflavor(privateforadomain,aproject,ormultipleprojects),whentheuserwillcreateaninstanceusingthisspecificflavortheschedulerwillfilteronlythehostscontainedinthisspecificaggregationgroup.
Somehostswithspecifichardware(e.g.SSDharddrives,specificCPUarchitecture,etc.)orallocationrules(e.g.dedicatedresources,over-provisionedresources)canbesetinanaggregationgroupandthematchingflavorscreated.Herethehostsmaybesharedwithalloftheprojects(customers)ofthecomputeinfrastructureandtheflavorwillactasapubliccommercialofferwherethehostsaresharedwithsomespecifies.
WeightsOncethehostsarefiltered,theschedulerappliessomeweightsoneachresourceofthehostorinstancetodeterminethebesthosttochoosetoallocateandinstalltheinstance.Forexample,wecouldaddahigherweighttofillanalmostfullphysicalserverwithaninstancethatexactlymatchestheremainingamountofreservedandallocableresources,orconverselytosethigherweighttotheless-usedserversandgettheonethatiscurrentlythelessloaded.
TypesofHypervisorsThecompaniesorcontributorsofhypervisorproductsorprojectsareusuallythemaincontributorofcomputevirtualizationdrivers.Itiseasytoaddacustomdriverthatimplementsonepartorallofthefeaturesabstractedbythecomputeservice,whichisavailableviathecomputeAPI.
LibvirtThelibvirtinLinuxisanabstractionlibrarytoaccessandmanagethevirtualmachinesandcontainersinaLinuxserverandtheirnetworkandstorageconfiguration.Itsupportsmultipletechnologies:KVM/QEMU,Xen,VirtualBox,VMwareESX,Hyper-V,OpenVZ,LXC,etc.
ThisisthedefaultdriverusedbyOpenStackandthemostpopularoneforthekernel-basedvirtualmachine/quickemulator(KVM/QEMU)virtualization.Oneoftheproargumentsismanagingthevirtualmachinesregardlessofthevirtualizationtechnology.ButusingthelibvirtanditsOpenStackdriverhassome
weaknesses,especiallygivenhowitismainlydesignedforKVM/QEMU,andsomefeaturesprovidedbyothervirtualizationtechnologiesmightbehiddenbythisabstractionlayer.HopefullyothervirtualizationtechnologiesaredirectlysupportedusingtheirownNovadrivers.
VMwareUsingVMwareinOpenStackallowsyoutoenjoytheadvantagesofbothtechnologies:virtualizationfeaturesforVMwareandmanagement/standardAPIsforOpenStack.
VMwareprovidesagreatvirtualizationtechnologythatprovidesthefollowing:
HighAvailability(HA);theabilitytoautomaticallyrebootaninstanceonafullworkinghardwarewhenanissueisdetectedbythehypervisor.InthemarketedworldofVMware,the“HA”ismorebrandedas“faulttolerance.”
Faulttolerance(thelivemigrationwithoutrestartofaninstanceonaworkinghostwhenahostisdown).
DistributedResourceScheduler(DRS),thesmartdispatchingoftherunninginstancesdependingoftheresourcesusageinrealtime.
ForstorageyoucandirectlyusetheVMwaredatastoretechnologyinCinderandGlance,allowingyoutomanageallofyourblocksusingthestandardblockstorageAPIs.
STORAGETheconceptofobjectstorage(namedSwiftinOpenStack)canbequitecomplicatedtounderstandforanapplicationdeveloperwhenyouareusingalocalfilesystemtostoreallofthestaticmedias(e.g.images,videos,music,etc.)anddocumentscreatedandusedbyyourapplication.Butthisisoftenoneofthemainstepstohorizontallyscaleanapplicationthatusesthesemedias.
Goodexamplesarethetraditionalcontentmanagementsystems(CMS)andblogenginesthatbydefaultstorelocallyallofthemediasuploadedusingthewebapplication.Thistransitiontoanobjectstorageinfrastructureforanyapplicationisnotalwayseasytorealizesincethecodeoftenneedstobepartiallyrewrittentosupportthisnewstoragesystem.Itneedstobere-writtenbecauseanapplicationneedstochangethewayitaccessesfiles(objects),forinstanceaccessinglocalfilesinaharddriveisnotthesameasaccessingobjectsusingaRESTAPI.
Thereareadvantagesforswitchingtoobjectstorage:
Youdon’thavetoworryaboutthetotalspacesize;thisisthejoboftheinfrastructureprovider,andanobjectstorageservicelikeSwifteasilyscaleshorizontally.
Youcansplitobjectsintomultiplesmallblocksandthesizeofanobjectcanalmostbeunlimited.
Youcanstoreanunlimitednumberofobjectsinasinglecontainerorbucketofobjects.
Thereplicationoftheobjectsisdoneattheinfrastructurelevel;itcanevenbedoneacrossmultipleinfrastructureregions.
Herearesomepotentialblockingdesignandimplementationpointswhenyouwanttoswitchanapplicationusingalocalfilesystemtoanobjectstorageservice:
YoucanaccessyourobjectsonlyusingHTTP(s),butthiscanbegreatwhentheclientsofyourapplicationarealreadyusingtheHTTPprotocol:youcanprovideaccesstoanobjectwithouthavingtodownloaditinyourapplicationserver.
Objectstorageisnotafilesystemandshouldnotbeusedlikeone.Oneoftheworstexamplesistotrytomatchanexistingfilesystemhierarchywhendevelopinganapplicationusinganapplication.Inmanyusecases,thehierarchylogicshouldbeontheapplication-sideandtheobjectstorageshouldonlycontaintheobjectdata(blobs).Thebestexampleofthisbadusageisrenaming(moving)objectsinOpenStackSwift.Sincethedispatchingoftheobjectsacrossthestorageinfrastructureisbasedonahashoftheobjectname,theobjectwillbecopiedbetweentwoserversanddeletedfromthesourceserver.Moreoverrenamingavirtualdirectory(infactanobjectwithamime-typespecifictoadirectory)meansrenamingeachobjectofthedirectory.
IntroducingOpenStackSwiftTheSwiftservice(OpenStack’sobjectstorage)providesalloftheOpenStackprojectswithaHTTPRESTAPI,allowingtheprocessingofallthecommonoperationsonastoredobjectusingthestandardHTTPdesignandfeaturestomanagetheresources(seeFigure2.5).
Figure2.5
Thisprojectishorizontallyscalable,distributedandhighlyavailablebydesignwithdifferentmaincomponents:
Swiftproxyserver:thisservicedispatchestheHTTPrequestsaccessingthedifferentobjectstoallthebackendnodes.Thiscomponentcanbeeasilyscaledsincethepositionsofanobjectinaninfrastructurearedeterminedbyhashingitsnameandfindingitspositionusingaringalgorithm.
Swiftaccountserver:thisserviceisresponsibleforstoringthelistingofthecontainersinthedifferentexistingaccounts.
Swiftcontainerserver:thisissimilartotheaccountserver,butresponsibleforlistingtheobjectsinacontainer.
Swiftobjectserver:thisisastoragebackendinstallableonaphysicalhostthatprovidesaninternalobjectstorageAPItomanagetheobjectsstoredonthelocalserver.
Allofthesecomponentsmustbereplicatedandcanbehorizontallyreplicatedtoinfinity(seeFigure2.6).
Figure2.6
EventualConsistencyOpenStackSwiftiseventuallyconsistent.Forexample,ifacontainerserverisunderaheavyloadandanobjectisPUT,theobjectwillbeavailabletoGETassoonastheobjectisstoredindifferentobjectservers,andassoonastheSwiftproxyserverhandlingtheHTTPrequestrespondstotheclientwithsuccess.Inotherwords,theproxystorestheobjectinseveralobjects’servers,andthenrespondstothePUTwithasuccessfulHTTPresponse.However,theadditionoftheobjectinthelistingbythecontainerservermaybequeuedanddelayed,andaGETrequestonthecontainermaynotlistthisnewobject.Anotherexampleisthatbydeletinganobject(DELETE),anemptyobjectiscreatedwithamorerecentmodificationtimestamptoensurethatthefilecan’tbesynchronizedagainifobjectserverreplica,wheretheobjectisstored,isdown.Dependinguponthesynchronizationdelaybetweenthedifferentobjectserversstoringtheobject,thismightbeavailableforamomentaftertheDELETEoperation.
StoringYourFirstObjectInSwiftThefirststeptostoreanobjectinyourSwiftaccountistocreateacontainerforit.Containersregroupmultipleobjectswiththesamepurposeusingaspecificsetofsettings.Thegranttopubliclyreaditorlistitisanexample.YoucaneasilycreateitusingtheAPIwithcurlastheHTTPclient:
$curl–I-XPUT$swift/my-container-H"X-Auth-Token:$token"
HTTP/1.1202Accepted
Content-Length:76
Content-Type:text/html;charset=UTF-8
X-Trans-Id:5B44C388:EB0D_05C4F7D0:01BB_55AEDF79_18A38C8:4451
Date:Mon,27Jul201522:25:40GMT
Connection:close
Asmentionedearlier,theauthenticationisdoneusingatokencreatedusingtheidentityserviceandspecifiedasaX-Auth-TokenHTTPheader.
Oncethecontaineriscreated,itisnowpossibletostoretheobjectsinsideofit.Torealizethisaction,anotherPUTrequestcanbeprocessedagainstthenewstoredresourcepath:
$curl-I-XPUT-T$object$swift/my-container/my-object
HTTP/1.1201Created
Last-Modified:Mon,27Jul201522:25:43GMT
Content-Length:0
Etag:168e1afe97b471eb8948a1b612283d04
Content-Type:text/html;charset=UTF-8
X-Trans-Id:5B44C388:35C8_05C4F7D0:01BB_55B6AFE5_2125569:444C
Date:Mon,27Jul201522:25:42GMT
Connection:close
That’sall!YourfirstobjectisstoredinyourOpenStackobjectstorageserviceandisnowprivatelyaccessibleusingtheHTTPAPI:
$curl-XGET-i$swift/my-container/my-object.json\
-H"X-Auth-Token:$ktoken"
HTTP/1.1200OK
Content-Length:42
Accept-Ranges:bytes
Last-Modified:Mon,27Jul201522:25:43GMT
Etag:168e1afe97b471eb8948a1b612283d04
X-Timestamp:1438035942-04822
Content-Type:application/json
X-Trans-Id:5B44C388:CCFA_05C4F7C0:01BB_55B6B352_1039A1B:637A
Date:Mon,27Jul201522:40:18GMT
Connection:close
[…]
AlloftheserequestscanbeexecutedusingthecommandlinefromthePythonSwiftClient(https://github.com/openstack/python-swiftclient).Thisprovidesasimplewaytobrowseyouraccounts,containers,andobjects:
#Uploadanobject
$swiftupload<container><file_or_directory>
#Downloadanobject
$swiftdownload<container><object>
TemporarySwiftURLsAnyrequestprocessedagainsttheOpenStackSwiftAPIcanbepre-authenticatedwithacryptographicsignature.ThismechanismallowsthesharingofanauthorizationtoaccessasingleresourcewithasingleHTTPmethod(e.g.POSTswift/my-container/my-object)thatcanbeusedbythird-partysoftware,orabrowser.Thismechanismisreallyconvenientifyourapplicationismulti-tenant
andsharesasingleSwiftAccountformultipleusers.
Let’staketheexampleofanapplicationthatwillstoresomePDFbillsinanobjectcontainerandwillreturntoacustomerofthisapplicationatemporarylinktodownloadoneofthem.TheapplicationwillbeabletoreturntothebrowserasignedURLtoonlyGETtheobjectforalimitedtime.
Thesignaturewillbeverifiedusingasecretkeysetinyouraccount.
#Setthekeyasaaccountmetadata"X-Account-Meta-Temp-Url-Key"
$swiftpost-m"Temp-URL-Key:92cfceb39d57d914ed8b14d0e37643de0797ae56"
#Displaytheaccountinformation(returnedasHTTPheaderswhen
#processinga'GET/v1/AUTH_account'request)
$swiftstat
Account:AUTH_account
Containers:1
Objects:42
Bytes:4200
MetaTemp-Url-Key:92cfceb39d57d914ed8b14d0e37643de0797ae56
Connection:close
X-Timestamp:1365615113.11739
X-Trans-Id:5B44C388:D669_5CDEF184:01BB_55C72581_2160:50A3
Content-Type:text/plain;charset=utf-8
Accept-Ranges:bytes
HereisanexampleofatemporaryURLthatcontainstwoadditionalquerystrings:thetimestamprepresentingthelinkexpirationdate(temp_url_expires)andthecryptographicsignatureitself(temp_url_sign):
/v1/AUTH_acount/c/o?temp_url_sig=9da40a8a7e288027809129d03ea2e5b09be70
d57&temp_url_expires=1439116248
Fortestingpurposesandwhenusingaterminal,youcaneasilycreatetemporarylinksbyusingtheswift-temp-url(https://github.com/openstack/swift/blob/master/bin/swift-temp-url)toolfromtheOpenStackSwiftproject.Here,though,isaprogrammaticexampleinPythonthatcouldbeusedinyourapplication:
#!/usr/bin/envpython
importhmac
fromhashlibimportsha1
fromtimeimporttime
#Expirationtimestampforthelink,herethisoneisin1h
expires=int(time()+60*60)
#MethodauthorizedbythesignedURL
method='GET'
#Relativepathoftheobjectfromtheserverorigin
path='/v1/AUTH_account/c/o'
#The'X-Account-Meta-Temp-URL-Key'metaofyourSwiftaccount
key='92cfceb39d57d914ed8b14d0e37643de0797ae56'
#Signaturecalculation
hmac_body='%s\n%s\n%s'%(method,expires,path)
signature=hmac.new(key,hmac_body,sha1).hexdigest()
#FormattemporaryURL
u='https://{host}/{path}?temp_url_sig={sig}&temp_url_expires={expires}'
url=u.format(
host='swift.example.com',path=path,
sig=signature,expires=expires
)
PublicContainersandAccessControlList(ACLs)Ifyourapplicationwillonlystorepublicdocumentsinacontainer,youcanmarkthisoneaspublicbyusingOpenStackSwiftACLs.
InasimilarfashionthetemporaryURLkeycanbestoredasanaccountmetadata.TheseACLsarestoredatthecontainerlevelascontainermetadataX-Container-Readtoallowpublicaccessorlistingofthecontainer,orattheaccountlevelX-Account-Access-Controltoallowotheraccountsoftheinfrastructuretoaccesstotheaccount.
Let’sfocusonthecontainer-levelACLs.Theyhavethefollowingformat:[item[,item…]]andthuscanbecombined.Twoconceptsareusable:thereferraltogrant(.referrer:example.com,or.r:example.comtoreducethelengthofthelist)andtheabilitytolistthecontainerobject(.rlistings).
Hereishowyoucanallowanyonetoaccessyourpublicdocumentsinyourcontainerandlistthem.
#SetthenewACL
$swiftpost-r'.r:*,.rlistings'os-book
#Listthecontainer"os-book"metadatas
$swiftstatos-book
Account:AUTH_account
Container:os-book
Objects:42
Bytes:0
ReadACL:.r:*,.rlistings
WriteACL:
SyncTo:
SyncKey:
Accept-Ranges:bytes
X-Trans-Id:5B44C388:D847_5CDEF18E:01BB_55C72C0D_155E:1586
X-Storage-Policy:Policy-0
Connection:close
X-Timestamp:1439116292-30845
Content-Type:text/plain;charset=utf-8
UnderstandingBlockStorageSometimeswhenyouuseanOpenStackcomputeinstance,youmayneedadditionalstoragethatcanbemountedasvolumeintheinstance.Thistypeof
storageiscalled“block”or“blockstorage.”
Eachblockactsandisavailableinasingleinstanceasanindividualvolume.AblockisprovisionedbytheOpenStackblockstorageservice(Cinder),whichprovidesatargettoaccessandmountthevolumeinthehostandmakeitaccessibleinaninstance.
Multiplestoragebackenddriversareavailablethatallowyoutohavealmostanystorageinfrastructurebehindastandardabstractionlayer.HerearethemainstoragebackendtechnologiesthatcanbeusedwithCinder.
CephCephisadistributedascalablestoragesolutionthatreplicatesitsdataacrossmultiplestorageservers.Cephcanbeusedasobjectstorage(RADOS),blockstorage(RBD,RADOSblockdevice),andasharedfilesystem(CephFS).Cephblockdevices(RBD)areresizable,thin-provisioned,storethedatainRADOS,andarestripedacrossmultiplestoragedaemons(OSD).
GlusterGlusterisadistributedandsharedfilesystemthatcanbeusedbothasablockstoragebackendandobjectstoragebackend.InOpenStack,Glusterisexposedinasimilarwayasnetworkfilestorage(NFS).
ZFSZFS(orZettabyteFileSystem)isahugeevolutioncomparedtoalloftheexistingfilesystems.Asitsnamesuggests,thisonesupportsanalmostunlimitedstoragesizeandsimplifiestheadministrationandthesecurityofthefilessystems.
Toachievethisgoal,anextraabstractionlevelexistsbetweentheharddrivesandthefilesystemitself:thevolumemanagerthatallowsvirtualizingmultipleharddrivesasasinglevolume.
Onthetopofthisabstractionlayer,ZFSprovidesasystemofpools,whichisareallypowerfulsystemofsnapshotting(aread-onlyversionofafilesystemstoredonthesamevolume).ThespaceusedbytheZFSsnapshotsisthedeltabetweenthesnapshottedversionandthecurrentversionofthefilesystem(similartoanincrementalbackup),thatallowsreallysmallbackupsofthewholefilesystem.
Oneofthemethodsusedtoensuretheintegrityofthedataisthechecksumsinthefilesystem.Eachblockofdatahasachecksumthatisstoredinitsparentblockpointerthatisstoredintheblockitself.Anothermethodistousethecopyonwritemethodtolimitthepossibilityofcreatingerrorswhenwritingdata.
ZFSprovidesscrub,whichreplacesthetraditionalfsck(filesystemcheck)tochecktheintegrityofthedata.Ithasmultipleadvantages,forexample,theabilitytorunitwithouthavingtounmountthefilesystemandcheckthemetadataandthedata,unlikefsckthatonlychecksthemetadata.
LVMLVM(orLogicalVolumeManagement)allowsyoutomanagemultiplelocalharddrivesasasinglevolume,inasimilarwayasZFS,butonasingleserver.ThistechnologyissupportedasaNovadriver,allowingyoutoprovisionlocalharddrivesofNovahostsininstancesofthishost.
IMAGINGTheOpenStackcomputeservice(Nova)storesandaccessestwotypesofinstancesimages:thetemplatesusedtocreatetheinstancesandthesnapshotsyoucantakeofaninstance.
Thecomputeserviceactuallyusestheimagingservice(Glance)togetandstorethedataandthedetailsoftheseimages.Theimagedetailsincludethefollowinginformation:
Thedisplayablenameoftheimage(e.g.DebianJessie)
Thediskformat(e.g.QCOW2,RAW)
Thesizeoftheimageandtheminimumresourcesrequiredtorun
Thestatusoftheimageindicatingapotentialoperationanditsavailability(e.g.queued,saving,active)
Achecksumoftheimage
Theimagescanbeusedtocreatenewinstancesfromexistingdata,andthethreemainusecasesare:
Thebaseimagesofyourinfrastructureusedtocreateanewinstanceandconfigureitfromscratch,usingforexampleaprovisioningtooloraconfigurationmanagementtool(seesection6).
Thesnapshotyoutakefromanexistinginstanceyoucanreusetocreateaninstancewiththesameconfiguration,torestoreabackupofaninstance,ormoreoveritcanbeawaytoresizeaninstance(i.e.changingflavor).
Migrateyourinstancebetweeninfrastructures,regions,providers,andevenbetweenhypervisorsusingstandardimagesformats.
WhereIsItStored?Thedetailsoftheimagesarestoredinarelationaldatabase(bydefaultMySQL,whichisthedefaultforallOpenStackprojects).
Thedataoftheimagescanbestoredindifferentways:alocalfilesystem(thedefaultstoragesolution),blockstorage,andobjectsstorage,orVMwaredatastores.Infact,theimagesdatacanbestoredanywhere;theonlyrequirementistohaveabackendstoragedriverimplementedtosupporttheoperationsonthestoreddata.
Themostcommonwaytostorethedifferentimagesoftheinstancesistousetheinfrastructureitselftostorethem:byflatteningthemassinglefiles(QCOW2,RAW,etc.)andstoringthemintheobjectstorageservice(seeFigure2.7),ortokeepthemstoredasblocksbyusingtheblockstorageservice(Cinder).
Figure2.7
Storingimagesasblockscanbegreatifyouwanttousethesamestorageinfrastructureastheoneusedbytheblockstorageserviceandhavetheabilitytodirectlyattachanimagewithouthavingtodownloadit.Inthiscasetheblockdatawillbetheexactsameoneastheoriginalblockortheoriginaldevicedata.
IfyouareusingaCephinfrastructurebehindyourblockstorageserviceorbesideyourOpenStackinfrastructure,youmaywanttodirectlyusetheCephRBD(RADOSBlockDevice)driverinGlance.By“behind,”wemeanthattheCephinfrastructureisabstractedbytheCinderAPIandusedwiththeCinderdriver.By“beside,”wemeanthattheCephinfrastructureisnotusedinOpenStack,butasablockstorageservicebutcanstillbeusedtostoretheimageswithGlance.ThiswillavoidyouhavinganextraAPIbetweenyourimagingserviceandyourfinalstoragebackendoftheimages,andpotentiallyitcanaddtheabilitytoseparateyourproductionstoragebackendusedtorunyourblockstorageservicefromyourimagingservicethatwillcontainyourtemplateandsnapshot.Thiscouldbe,forexample,differentCephinfrastructures,differentCephOSD(objectstoragenodes),ordifferentCephstoragepoolswithdifferentresourcesallocatedinsideofthesameinfrastructure.
Conversely,youmaywanttostoreflattenversionsofyourimagesinanobjectstorageservice.Forexample,whenusingmainlytheimagingservicetostorealotofsnapshotsasbackups,theimagewillbesimplystoreasfiles,allowingyoutoeasilyuploadanddownloadthemwithouthavingtocreateablockdeviceorreadingallofthedatafromablockdevicetoreturnitovertheimageserviceHTTPAPI.Moreover,youcanstoreimagesinaformatthatusesanoptimizationstrategy,whichcanbegreatifyougeneratealotofdownloadrequestsontheImagingAPI.
IfyouwanttostoretheimagesinanexternalobjectstorageserviceofyourOpenStackinfrastructure,youcanusetheS3storagedriverinGlancetoputyourimages(templatesandsnapshots)intotheAWSS3(AmazonWebServicesSimpleStorageService).Thiscanbeaninterestingsolutiontostoresomebackupsofyourinfrastructureinanexternalsecureservice,allowingyoutopotentiallyhaveadisasterrecoveryplanonAWSEC2(ElasticCloudComputing,theComputeServicefromAWS)usingthedatafromyourOpenStackinfrastructure.
DifferentImageFormatsStoredimagesontheimagingservicecanhavedifferentformats,dependingupontheonesthataresupportedbyyourhypervisorandthefeaturesyouwanttouse.
Thenotionofimageformatincludestwodifferentnotions:thediskformat,whichcorrespondstotherealdataofthediskimageandthecontainerformatthatcontainsthemetadatainformationofadiskimage.
Herearethemostuseddiskformats:
Raw:themostsimpleformatpossible–anunstructuredandexactcopyofadevicedata.Thisoneisusuallyhugesinceitneedstoallocatethewholeimagespaceinasinglefile,sosomepartsareunusedandempty.
QCOW2:standsforQEMUCopyonWrite.Thisformatusesastrategytocompressthedatacontainedintheimage.Theallocationofthestoragesizeisdelayeduntilthespaceisactuallyrequiredtostorethedata.Thusthisformatisflexiblesincethisonecanbeexpandedifsomedataisadded,unliketherawimageofadevice.Moreover,itispossibletostoretheadditionalchangesinanotherfilethatwillcontainthedifferencefromtheoriginalbaseQCOW2image,usingtheCopyonWritefeatureprovidedbythisformat.
VHD:standsforVirtualHardDisk,whichisalmoststandardfortheMicrosofttechnologies(WindowsandHyper-V).Forexample,itispossibletoeasilyattachaVHDimagetoaWindowssystemwithouthavingavirtualizationenginebecausetheOperatingSystemnativelysupportsthisformat.AVHDimagecanbemodifieddirectly,thuschangingsomefiles,andmakingabackuporarecoveryinsidetheimage.
VMDK:thedefaultVMwareimageformat,whichissupportedbyothervirtualizationsolutionslikeQEMUorVirtualBox.Thissupportsmultipleprovisioningstrategiesincludingthethinprovisioning,andallowingprovisioningtheblockonlywhentheseonesarewrittenintheimage.
Theadditionalinformationoftheimages,suchasthemetadatainformation,canbestoredinexternalcontainersiftheyarenotintheimagefile.Inthesamewayastheimagesdataformat,themultiplecontainerformatexistsandaresupportedbyOpenStackandthevirtualizationdrivers.ThemostusedistheOVF(OpenVirtualizationFormat),anopenstandardbasedonanXMLdescriptorfiledetailingthepackagedvirtualmachine.
DASHBOARDOpenStackincludesadashboardprojectnamedHorizon,whichisawebinterfacebuiltwiththeDjangoframeworkandthedifferentOpenStackAPIsfromtheOpenStackservices.
TheGraphicalUserInterface(GUI)providedbytheHorizondashboardisagreatwaytogetstartedwithOpenStackanditsdifferentcomponents.Itallowsbootingyourfirstinstancewithasimplesetupassistant,andthencreatesyourfirstSwiftcontainer,thusmanagingafewresources(seeFigure2.8).
Figure2.8
UsingthisGUIcansimplifyyoureverydaylifeifyourOpenStackprojectsaresmalloruseonlythemainfeatures.Itdoesn’tscalewell,however,whenyoustarttohavehundredsorthousandsofinstancesandnetworks,andwanttousefeaturesthatarenotconsideredbasic.Forexample,creatinganewnetworkportwithaspecificconfigurationandattachingittoanexistinginstancewouldnotbebasic.
Thenextstepisthentousethecommandline(CLI)orthedifferentOpenStackAPIstoadministrateyouraccountorinfrastructureandstarttoautomatethedeployment,managementandtheuseofyourOpenStackresources.
BecausethecommandlineimplementsalloftheAPIs,thisisagoodwaytotestallofthefeatures,anddiscovertheAPImethods,theirrequests,andresponseformatsbeforestartingtodevelopanduseitinanapplication.Otherwisethisonecanbeeasilyscriptedtosimplyautomateandrepeatyoureverydayadministrative
tasksusingOpenStack.
NETWORKINGThenetworkingservicewithinOpenStackisresponsibleforprovidingnetworkconnectivitywithinthecloudaswellasbetweeninstancesinthecloudandtheoutsideworld.OpenStackprovidestwodifferentnetworkingservices.ThelegacysolutionispartoftheNovacomputemodule,andisreferredtoasnova-networkor“Novanetworking.”TheNeutronprojectprovidesthenewnetworkingsolution,andincludesmuchmorefunctionalityandflexibility.
BothsolutionsprovidetwodifferenttypesofIPaddresses:privateIPaddressesandfloatingIPaddresses.TheprivateaddressesaretheonesthattheVMsinstancesthemselvessee.Thatis,runningipaddronaLinuxVMinstancewillshowyoutheprivateaddress.Instancescommunicatewithinthecloudusingtheirprivateaddresses.InOpenStack,eachVMwillhaveatleastoneprivateIPaddress,butitdoesn’tneedafloatingIPaddress.
Thefloatingaddressesarethoseavailablefromoutsidethecloud(andoftenthepublicInternet),andaredirectedtoaspecificVMinstanceusingtheNetworkAddressTranslation(NAT).FloatingIPaddressesmaybeassociatedwithaVMatthetimeofitscreation,oranytimethereafter.TheymayalsobemovedtoadifferentVM–thisiswhatmakesthem“floating”IPaddresses.TheyarenotfixedtoaspecificVMoreventenant,andmaybefreelymovedfromonetoanother.
AnotherimportantconceptinOpenStacknetworkingisthedistinctionbetweenprovidernetworksandtenantnetworks.ProvidernetworksareobjectsdefinedinOpenStackthatprovideinformationaboutapartofthephysicalnetworkinfrastructure,andcanonlybecreatedbyadministrators.ThecloudadministratorcreatesprovidernetworkswithinOpenStackthatcorrespondtothephysicalnetworksconfiguredwithintheinfrastructure.ThisallowsOpenStacktomanagetheconnectivitybetweenthecloudandthephysicalnetwork.ThesenetworkscanbeusedtoprovideexternalaccessviafloatingIPaddresses,ortheycanprovideVMswithIPaddressesonthephysicalinfrastructuresubnets(thusavoidingtheuseoffloatingIPsforthoseVMs).
Incontrast,ordinaryuserscreatetenantnetworks.Thesenetworksareisolatedfromothertenants,andareunderthecontroloftheowner.Theymayormaynotmapdirectlytotheunderlyingphysicalnetworks,dependinguponthesegmentationstrategysetupbythecloudadministrator.Thatstrategyisdefinedbythecloudoperatorandhiddenfromthetenant.Fromanapplicationdeveloper’spointofview,theparticularsegmentationstrategyisnotimportant.Whatisimportantistounderstandthatthetenantnetworksareaccessibleonlytothetenantthatcreatesthem,exceptthroughfloatingIPaddresses.
NovaNetworkingNovanetworkingisdeprecatedinfavorofNeutronnetworking,butsomeexistingcloudsstilluseit,sohavingsomefamiliaritywithitcanbeuseful.
Novanetworkingprovidesasimplenetworkingsolutionwithlimitedflexibilityinthetopologyandconfiguration.Inparticular,tenantshavelittlecontroloverthetopologyandcannotcreatecomplexnetworkingenvironments.
Inmostinstallations,Novanetworkingwillbeconfiguredwitheitherasingle“flat”networksharedbyalltenants,orwithaVLANpertenant(SeeFigure2.9).
Figure2.9
InNovanetworking,asanapplicationdeveloper,youhavelittlecontroloverbuildingoutthetopology.
NeutronNetworkingNeutronnetworkingisthenew,standalonenetworkingservicewithinOpenStack.Asasoftware-definednetworkingsolution,itprovidestheabilitytocreatecomplextenanttopologies,anditintegrateswithawidevarietyofvendorSDNproducts.Theideaistobeabletoreproducephysicalnetworktopologiesinacompletelyvirtualenvironment.JustlikeNovaCompute,whichletsyouvirtualizemachineinstances,NeutronNetworkingletsyouvirtualizenetworkingcomponentssuchasrouters,firewalls,andloadbalancers,asshowninFigure2-10.
InNeutron,thereareseparateNetworknodes(showninFigure2.10),asopposedtoNovaNetworking,whichreliessolelyonthecomputenodes.TheNetwork
nodeshandletheadvancedservicessuchasLoadBalancer-as-a-Service,Firewall-as-a-Service,andVirtualPrivateNetwork-as-a-Service.Additionally,theyprovidetheconnectivitytotheexternalworldoutsidethecloud.InearlyversionsofNeutron(priortoJuno),allLayer3trafficbetweendifferentsubnetswentthroughthenetworknode,evenifitwasbetweenVMsonthesamecomputenode.OnlyLayer2trafficcouldtransitfromdirectlybetweenthecomputenodes,orevenwithinacomputenode.InJuno,theDistributedVirtualRouter(DVR)functionalitywasaddedtoprovidelocalroutingonthecomputenode.However,trafficstillgoesthroughthenetworknodestoleavethecloud,ortoaccessadvancedservices.
Figure2.10
HowNeutronHelpsApplicationsConsiderdeployingathree-tierapplicationinatraditionalenvironment.Youneedtobuyservers,switches,routers,firewalls,loadbalancers,andSSLoffloadloadbalancers–andyou’llneedtheminpairsforredundancy.Eachofthemneedstoberacked,connectedintheexactmannerneededfortheapplication,andmanuallyconfigured.You’llneedtoplanoutthespace,power,andcoolingneedscreatedbythenewapplication.Evenifyouvirtualizetheservers,youstillneedtosetupallofthenetworkinggear.Thisrequiresalotofexpenseincapitalequipmentaswellasalotoftimeforsetup.
APracticalNoteInpractice,youwouldn’tuseallofthisequipment.Modernnetworkdevicescanserveseveralofthesepurposes,eitherdirectlyorthroughservicemodules.InthatcaseyoucanuseVLANtaggingtocreateisolatedsegments,sofromasecurityperspectiveitisequivalent.However,eveninthatcase,Figure2.11illustratesthecomplexityofthisdeployment,aseachoftheseservicesstillneedsmanualconfiguration.
Figure2.11
Inasoftware-definedworld,allofthatcomplexitymovestothesoftwarelayer.Atthehardwarelayer,wehaveuniformracksofservers,withtop-of-rackswitches,typicallyconnectedtoaspine-and-leafnetworkingfabric(seeFigure2.12).
Figure2.12
Theserversherearethecompute,network,storageandotherphysicalnodesinyourcloud.Theleavesarethetop-of-rackswitchesthatallofthesepluginto.Thespinesaggregateallofthetrafficfromtheleaves,andeveryleafcanreacheveryotherleafwithjusttwohops,sinceeveryleafconnectstoeveryspine.Additionally,inter-leaftrafficcanbespreadacrossthespineswithouttakingalongerpath.Thishelpsreducebottlenecks.Inthislayout,youstillhavefullredundancyaseachserverisduallyconnectedtotwoleaves.
Noneofthehardwarelayerchangesarebaseduponapplicationdeployments,aslongasthereiscapacity.Andwhenthereisachange,youcanaddaserversorracksinasimpleandconsistentway,withouthavingtoknowanythingabouttheapplicationsthatwillberunningonthem.
Asnewapplicationsareprovisionedanddecommissioned,thereisnolongeraneedtorack,cableandconfigurespecifichardwaredevicesforthoseapplications.Networksareoverlaidontopoftheconsistenthardwareviaautomationandpuresoftware-basednetworkdevices.Youcreatevirtualrouters,loadbalancers,andfirewallsinsoftware,andconnectthemviaAPIcalls.Thiscandramaticallycutdownonthetimeittakestodeployanapplication,aswellasenablerepeatable,template-baseddeployment.
Ofcourse,softwaremaynotperformaswellasspecializedhardware.Additionally,therearemanyfeaturesthatthestandardOpenStackreferenceimplementationdoesn’tsupport.Neutronprovidesarichsetofpluggableinterfacestoaddresstheseconcerns.Thesepluginsenablethird-partyvendorstointegratedirectlyinto
theNeutronservice,extendingitsfunctionality.PluginscaninteractwithexternalSDNcontrollersorexistingphysicalnetworkinggear,provideadvancedservicessuchasVPN-as-a-Service,orintegratewithexternalIPAddressManagementplatforms.Thedifferencebetweenthisandsettingupatraditionalnetworkforanapplication,though,isthatitisstillalldonewiththesame,simpleAPIs,ratherthanthroughvendor-specificproprietaryconfigurationprotocols.
UnderstandingCoreNeutronObjectsTheNeutronobjectmodelconsistsofsomefamiliaranalogswiththephysicalworld,suchasports,subnets,androuters.TherearealsosomelogicalconceptsthatreallyonlyexistinOpenStack,suchassubnetpoolsandaddressscopes.
ANeutronnetworkcorrespondstoaLayer2broadcastdomain.Ifyou’renotthatfamiliarwithnetworking,inthephysicalworldyoucanthinkofthisasessentiallyasingle“wire”fornodestotalkover.Layer2dealsexclusivelywithMACaddresses–thereisnoneedforIPaddressesinthislayer.Switchesprovideoptimizationsontopofthe“singlewire”modelbyforwardingEthernetframesdownonlythenecessarylinks.TheyalsoprovideVLANs–orVirtualLocalAreaNetworks–whichallowyoutodivideasingleswitchintomultiplebroadcastdomains.Essentially,yougettosaywhichports“gotogether”.InNeutron,thenetworkmodelcapturesthisconcept.
ANeutronsubnetprovidestheLayer3connectivity.Thatis,itprovidestheIPaddressingandenablesNeutronrouterstopasstrafficbetweenNeutronnetworks.Thisisverysimilartothestandardnetworkingmodel.AsubnetisassociatedwithaparticularLayer2network,andaNeutronrouterisusedtointerconnectsubnets,justlikeinthephysicalworld.
InNeutron,whencreatingarouteryoucanadditionallyspecifythatitprovidehighavailability(HA),orthatitbeadistributedvirtualrouter,whichasmentionedaboveisspreadoutacrossallofthecomputenodes.DVRisamorerecentimplementationthanthestandardrouter,andassuchhassomelimitations.AsoftheKilorelease,DVRdoesnotworkwithFWaaSforeast-west(betweenVM)traffic.Also,itrequirescomputenodestohaveapublicIPtohandledistributedfloatingIPaddresses.
ANeutronportisassociatedwithanetwork.ItsanalogintherealworldisanactualswitchportwhereyouwouldpluginanEthernetcable.Itisthepointofattachmenttoanetwork.NeutronwillprovideNovawithaportto“plugin”theinstanceinterface.OnedistinctionthoughbetweentherealworldandNeutronisthatinNeutronaportisalsoautomaticallyassociatedwithoneormoreIPaddresses(oneforeachsubnetonthenetwork).ThisisablurringoftheLayer2andLayer3semantics,andmayberesolvedinalaterreleaseofNeutron.
ANeutronsecuritygroupprovidessimple,firewall-likefunctionality.Rulesmaybedefinedforingressandegresstraffic,andthoseruleswillbeappliedattheNeutronport.Thereisadefaultsecuritygroupthatwillallowtrafficbetween
instancesinthatgroup,andtrafficoutboundfrominstancesinthegroup(egresstraffic),butitrestrictsallinboundtraffic.YoucanutilizetheFirewall-as-a-Serviceprojectformoresophisticatedfeatures.
TheKiloreleaseofNeutronaddedanotherconceptthatismoreabstractthanthosedescribedpreviously–thesubnetpool.AsubnetpoolisacollectionofIPnetworkprefixesfromwhichatenantmayallocatesubnets.Thatis,inJunoandearlier,thetenanthadtospecifyaspecificsubnet–like10.10.10.0/24–toallocate.InKilo,thecloudadministratorcancreateasubnetpool–say10.10.0.0/16–fromwhichthetenantcanaskfor“anysubnet”ofaparticularsize.Thisway,thetenantreallydoesnotneedtofigureoutaheadoftimewhatthesubnetshouldbe–theycanjustaskthesubnetpooltofigureitout.Forexample,withoutsubnetpools,youwouldusethisAPIcalltocreateanewsubnet:
neutronsubnet-createprivate-network10.1.0.0/24
Thisrequiresthecallertoknowthat10.1.0.0/24isavalid,availablesubnetthatcanbeused.Withsubnetpools,theadministratorcancreateapoolforspecificuses–say,forwebservers.Thispoolcontainsawiderangeofaddressesfromwhichtoallocatesubnets,aswellasadefaultprefixlength(the“/24”above,whichcorrespondstothesubnetmask).So,insteadoftheabove,youcanexecuteasimplercommand:
neutronsubnet-createprivate-network–subnetpoolweb-pool
ThiscompletelyseparatesthedecisionsaboutIPaddressandsubnetallocationfromthesubnetcreationprocess.This,alongwiththePluggableIPAddressManagementfeatureaddedinLiberty,iscriticaltousingcloudsinlargerorganizationsthathavedifferentgroupsmanagingIPspaceandapplications.
InLiberty,onemoreconceptisadded,calledanaddressscope.ThisrepresentsauniqueLayer3addressspace.InNeutron,youcancreatethesamesubnetCIDR(forexample,10.0.0.0/24)ontwodifferentnetworks.ThiscanleadtooverlappingIPaddresses.ThisisperfectlyvalidinNeutron,exceptthatyoucannotconnectthosetwonetworkstothesamerouter.Ifyoudid,thenNeutronwouldnotbeabletodistinguishbetweenthesameIPaddressoneachnetwork.Theaddressscopegeneralizesthis,providinganobjectwithinNeutrontorepresenttheaddressspacetowhichasubnetbelongs.Bydoingthis,Neutronenablesbettercontroloverrouting,andpreventsmultipleusersfromaccidentallycreatingoverlappingspace.ItalsoletsNeutronknowwhenNetworkAddressTranslation(NAT)maybeneededevenbetweennon-overlappingsubnets–thiscanpreventaccidentaloverlapbetweenothersubnetsontherouter.
UnderstandingOverlayNetworksOneofthekeyfeaturesprovidedbyNeutronistheconceptofoverlaynetworks.Anoverlaynetworkisjustasegmentation,orsegregation,ofthenetworktrafficthatridesonthephysicalnetwork.Thekeypartisthatfromthepointofviewof
theVM,thereisasingle,ordinarynetwork.Butinfact,thisisanillusioncreatedbyNeutron,sincethedataisactuallymovingacrossvariousphysicalboundariesinthedatacenter.Forexample,whenaVMsendsoutaLayer2broadcastsuchasanARPrequest,thatrequestmaybepackagedupandsentacrossthephysicalnetworktoseveraldifferentcomputenodes.Then,itisunwrappedonthosenodesanddeliveredtoeachVMonthesameoverlaynetwork.Itisoverlaynetworksthatprovidetheabilitytoseparatetenanttraffic,enablingustosharetheunderlyingphysicalinfrastructureandthusmakefulluseofit(SeeFigure2.13).
Figure2.13
ThesimplestandmostfamiliarformofanoverlaynetworkistheVLAN.AVLANtagsEthernetframeswitha12-bitnumber,andthisenablesthephysicalnetworkinggeartodifferentiatebetweenthetrafficthatbelongswithindividualVLANs.WhenausercreatesatenantnetworkinNeutron,itcanbeassignedaparticularVLANtag,andNeutroncanthenkeepallofthattrafficsegregatedfromothertrafficwithinthenetwork.
Abigdrawback,however,isthata12-bittagprovidesatmost4096VLANs.Inalargemulti-tenantcloud,theremaybemanymoreseparatenetworksrequired.Othertechnologieshavebeendevelopedtoaddressthisgap.ThetwoyouwillseeinOpenStack’sreferenceimplementationareVirtualExtensibleLocalAreaNetwork(VXLAN)andGenericRoutingEncapsulation(GRE).WhileVLANsarebasedonLayer2technology–theytagEthernetframes–thesetwotechnologiesarebaseduponLayer3technology.Thatis,theyworkbyencapsulatingthedatainIPpacketsratherthanbytaggingEthernetframes.Thiscanallowtheoverlaynetworkstostretchacrosslargernetworks.Additionally,theVXLANprotocolprovidesa24-bitnumbertodifferentiatenetworks,allowingover16milliondistinctoverlaynetworks.
BRINGINGITALLTOGETHERTohelpunderstandhowthesedifferentpiecesinteract,let’sstepthroughwhathappenswhenyoulaunchaVMandseehowallofthepiecesfittogether.ThisisasimplifiedworkflowthattheuserandthevariousserviceswillgothroughinatypicalcaseoflaunchingaVMwithephemeralstorageonly(i.e.,thestorageandalldiskcontentsgoawaywhentheVMisterminated).Manyinternalstepsareglossedoverhere,sincethefocusisontheinteractionbetweentheservices.
InordertobootanyVM,you’llneedtoprepareafewthingsfirst.Forthisexample,wewillusetheindividualserviceCLIclients.Thereisalsoageneralopenstackclientbutitdoesnotofferallofthefeaturesoftheseparateserviceclients.
First,youneedtodecideontheflavoroftheVMyouwant.TheflavorrepresentsthecombinationofCPUs,memory,andstoragefortheVM.TheflavorscanberetrievedfromNova(somecolumnsomittedforbrevity):
$novaflavor-list
+----+-----------+-----------+------+-----------+------+-------+
|ID|Name|Memory_MB|Disk|Ephemeral|Swap|VCPUs|
+----+-----------+-----------+------+-----------+------+-------+
|1|m1.tiny|512|1|0||1|
|2|m1.small|2048|20|0||1|
|3|m1.medium|4096|40|0||2|
|4|m1.large|8192|80|0||4|
|42|m1.nano|64|0|0||1|
|5|m1.xlarge|16384|160|0||8|
|84|m1.micro|128|0|0||1|
+----+-----------+-----------+------+-----------+------+-------+
$
Wewillusem1.tiny.
Next,youneedtoknowwhatimagetouse.TheimagecontainsthebootableoperatingsystemfortheVM.Untilweneedtoactuallybuildanapplication,examplesinthisbookwillgenerallyuseCirrOS(https://launchpad.net/cirros),whichisaverysmall,minimalOSthatisusefulfortestingofthecloudplatform.Ifyouarefollowingalong,thenotherimagesmaybeavailableonyourOpenStackinstance.Chooseasmalloneforexperimentation.
$glanceimage-list
+---------+---------------------------------+...+----------+--------+
|ID|Name|...|Size|Status|
+---------+---------------------------------+...|----------+--------+
|6d…e0|cirros-0.3.4-x86_64-uec|...|25165824|active|
|5f…92|cirros-0.3.4-x86_64-uec-kernel|...|4979632|active|
|06…c6|cirros-0.3.4-x86_64-uec-ramdisk|...|3740163|active|
+---------+---------------------------------+...+----------+--------+
$
Sincewewanttobeabletoaccessourinstanceoverthenetwork,ratherthanjust
viatheconsole,youneedtoattachittoanetwork.So,calltheNeutronservicetofindouttheavailablenetworks.
$neutronnet-list
+---------+---------+------------------------------------------------------
----+
|id|name|subnets
|
+-------------------+------------------------------------------------------
----+
|50…56|public|09c872aa-02fa-4e81-9cb1-846399938c642001:db8::/64
|
||b9d882f3-8378-42cc-b5fa-4cb2576c7fb4192-168.20.0/25
|
|fa…ea|private|5bd94138-3a4a-4966-b216-b4530a0f489d
fddc:b6e3:ede0::/64|
||ece9ba64-cf28-424c-8187-8df763301a5610.0.0.0/24
|
+---------+---------+------------------------------------------------------
----+
NowwehaveeverythingNovaneedstoknowatboottime,sowesimplyrunthenovabootcommand(outputhasbeenabbreviated).
$novaboot–flavorm1.tiny–imagecirros-0.3.4-x86_64-uec\
–nicnet-id=fa3282e4-64ba-44fa-9644-46da784234eai-1
+--------------------------------------+-----------------------------------
---+
|Property|Value
|
+--------------------------------------+-----------------------------------
---+
|
|OS-EXT-STS:power_state|0
|
|OS-EXT-STS:task_state|scheduling
|
|OS-EXT-STS:vm_state|building
|
|OS-SRV-USG:launched_at|-
|
|OS-SRV-USG:terminated_at|-
|
|created|2015-07-24T05:52:20Z
|
|flavor|m1.tiny(1)
|
|id|a9d9e891-e85a-471b-9844-
cd3eda0659a0|
|image|cirros-0.3.4-x86_64-uec(6d…e0)
|
|key_name|-
|
|metadata|{}
|
|name|i-1
|
|progress|0
|
|security_groups|default
|
|status|BUILD
|
|tenant_id|56082fc3830e43d4af307bed5d1d5f90
|
|updated|2015-07-24T05:52:20Z
|
|user_id|e749c12a525d4b259e0e291fd91ca53a
|
+--------------------------------------+-----------------------------------
---+
$
SowhatdoesNovadowhenweinitiatethebootcommand?First,itvalidatesourcredentialswithKeystone,tomakesurewehavetheauthoritytolaunchtheVM.Afterthat,thebootprocessisastatemachinethattakestheinstancestatefromBUILDtoACTIVEundernormalcircumstances.NovafirststorestheinstanceinthedatabasewithStatusBUILDandTaskStatescheduling.TheprimaryStatusremainsBUILD,sotoseetheprogressofthebootweneedtolookatthesecondaryTaskStatus.BothstatusesaretrackedintheNovadatabase.
$novalist
+---------+------+--------+------------+-------------+--------------+
|ID|Name|Status|TaskState|PowerState|Networks|
+---------+------+--------+------------+-------------+--------------+
|a9…a0|i-1|BUILD|scheduling|NOSTATE||
+---------+------+--------+------------+-------------+--------------+
Next,novasendsarequesttotheNovascheduler(runningonthecontrollernode)viathemessagequeue.Itisthescheduler’sjobtofigureoutthephysicalcomputenodeonwhichtoruntheinstance.ItwillselectanodebaseduponthecharacteristicsoftheVM–howmuchCPUandmemoryitneeds,forexample–andtheavailablecapacityofeachhost.Itwillthenpostarequestbacktothemessagequeuethatincludestheselectedhost.Thecommandresultsaboveshowtheschedulingstate,however,inpracticeschedulingwilllikelybefastenoughthatyouwon’tcatchitinthatstate.
Novapicksthescheduledinstancerequestoffthequeueandupdatesthedatabase,thensendsamessageacrossthequeueagain–thistimetothenova-computeprocessthatsitsontheselectedcomputehost.ThenovacomputeagentmakesaRESTfulAPIcalltotheGlanceimageservicetoretrievetheimage.
Eachtimeoneservicetalkstoanother,Keystonemaybeinvokedtovalidatethetoken(thedetailsdependonthetypeoftoken).Inthiscase,Glancewouldverifythattheuserhaspermissiontotheselectedimage.Ifso,Novadownloadstheimagetoitsimagecache.
Nowthehostisselectedandtheimageisavailableonthathost.ButNovastillneedstoknowhowtoconnecttheinstancetoanetwork.Itsetsthetaskstatustonetworking,andthencallstheNeutronnetworkingservicetocreateaport.Theportcanbethoughtofjustlikeareal,physicalswitchport.Itprovidesaplaceto“plugin”theinstancenetworkinterfacetothevirtualswitchingfabric.Again,thisbetween-serviceinteractionisdoneviathesameRESTfulAPIsthatotherclientsuse.Infact,wecouldhavecreatedtheportaheadoftime,andprovidedaport_idtoNovainsteadofanetwork_id.
NeutroncreatestheportandallocatesandIPaddressonasubnetassociatedwiththesuppliednetwork_id.LikeNova,Neutronhasagentsrunningoneachcomputenode.Itisonthatnodethatitwillcreatethevirtualport.
FinallyNovatakesallofthisinformation,setsthetaskstatustospawning,andcallsthehypervisor(KVMbydefault)toactuallyspinuptheinstance.
SUMMARYInthischapteryoulearnedindetailaboutthecorecomponentsofOpenStackandhowtheyworktogethertocreateacloud.Finally,youputitalltogethertounderstandthedetailsofhowNovainteractswithKeystone,Neutron,Glance,andCindertospinupvirtualmachines.ThesearethebasicservicesyouwillfindinmostOpenStackclouds,butthereareahostofotherservices.Inthenextchapter,wewilllookatsomeofthelesscore–butstillimportant–servicesofferedinsomeOpenStackclouds.
3UnderstandingtheOpenStackEcosystem:AdditionalProjectsWHAT’SINTHISCHAPTER?
UnderstandingCloudOrchestration
OrchestrationcapabilitiesinOpenStack
OpenStackHeatindetails
Software-defined-storage(SDS)
ClouddatabasesasausecaseofSDS
Clouddatabases:maintainorconsume
OpenStackDatabaseasaService:Trove
AlookatMagnumandContainersasaService
CoverageofMuranoandCeilometer
ThecorecomponentsdiscussedinChapter2coverthebasicIaaSfunctionalityofOpenStack.Justusingthosefeatures,OpenStackenablesyoutosetupandrunapplications.However,thereismoretobuilding,deploying,andsupportinganapplicationthaniscoveredinthosecomponents.ThischapterwilldiscussadditionalOpenStackprojectsthatenableyoutodefinerepeatableapplicationdeploymentsonVMsorcontainers,makethoseapplicationsavailableviaDNS,andmonitorthevirtualinfrastructureonwhichthoseapplicationsarehosted.Althoughthesearen’tlabeledasorchestration,suchapplicationsalsorequiremanualconfigurationanddeploymentinsomemanner.ThischapterwillcoverhowtouseOpenStacktomanagecontainer-basedapplications,howtopackageapplicationsforusebyothers,andhowtotakeadvantageoftheDatabase-as-a-Servicefeaturetoshiftmorecomplexityfromyourapplicationtothecloudinfrastructure.
DEMOAPPLICATIONSOURCECODEYoucanaccessthesourcecodefromourdemoapplicationviaGitHub:https://github.com/johnbelamaric/openstack-appdev-book.
OPENSTACKHEATIncloudcomputingtheory,itiswellknownthatthereismorethanonetypeofservice.Oneofthemostpopularandinteresting(intermsofflexibility)servicesisthePlatform-as-a-Service(PaaS),whichallowsyoutotapintocloudcapabilitiesindifferentways,suchaswithacloudorchestrationservice.Let’stakealookatthescientificdefinitionofcloudorchestration:
Itprovidesyouwiththeabilitytocontrolandarrangeasetofunderlyingtechnologyinfrastructures(hardwareandhypervisor).Youcanmatchtheintendedcommandsinputtedbytheuserstocreateasetofautomatedeventsthatdelivertherequestwiththemaximumefficiency(source:http://howtobuildacloud.com/cloud-enablement/cloud-orchestration-starts-to-play-its-tune/)
Itprovidesyouwiththeabilitytomanage,coordinate,andprovisionallpartsofacustomersolutionautomatically,withnoadministrativeintervention,ideallyfromaself-serviceinterface.Thisismuchlikeaconductorwhoconductsanorchestramakingsurethatalloftheinstruments/performersareintuneandintime(source:https://www.flexiant.com/).
Puttingdefinitionsaside,themostimportantpointofcloudorchestrationservicesisnotwhattheyare,butwhattheydo.Asacloudconsumer,aprovider,oraresellerofcloudservices,allthatmattersisthatcloudorchestrationmakesyourcloudconsumptionexperiencebetter.Ifyouarelookingforsomeserviceorcapabilitythatwillmakeyourcloudapplicationresourcesmorescalable,instantlydeployable,efficient,simplertouse,andeasiertobillandmanage,youarelookingatcloudorchestrationservicecapabilities.
Youmayquestiontheideathatanorchestrationserviceisaplatformservice,butcloudorchestratorswerethefirstservicesthatgaveusanabilitytoconsume/operatecloudresourcesinapre-definedway(specificDSL)withinasingleAPIspecification(justrememberolddays,whenyouhadtolearntonsofAPIspecstoaccomplishyourbusinessneeds).
OrchestrationCapabilitiesinOpenStackSo,cloudorchestrationissomethingthatyoucan’tlivewithout,butwhataboutOpenStack?Canyousaythesamething?Let’sexaminetheOpenStackorchestrationservice,calledHeat.
HeatisthemainprojectintheOpenStackorchestrationprogram.Itimplementsanorchestrationenginetolaunchmultiplecompositecloudapplicationsbasedupontemplatesintheformoftextfilesthatcanbetreatedlikecode.AnativeHeattemplateformatisevolving,butHeatalsoprovidesthecompatibilitywiththeAWSCloudFormationtemplateformat.ThisallowsmanyexistingCloudFormationtemplatestobelaunchedonOpenStack.HeatprovidesbothanOpenStack-nativeRESTAPIandaCloudFormation-compatibleQueryAPI
(source:https://wiki.openstack.org/wiki/Heat).
OpenStackHeatinDetailsLet’sexaminewhatHeatcandoforyou.BelowyoucanseealistoftemplatetypesthatHeatsupports:
HOT:(HeatOrchestrationTemplate).HOTtemplatesareanewgenerationoftemplatesthataren’tbackwards-compatiblewithAWSCloudFormationtemplates,andcanonlybeusedwithOpenStack(DSLforHOT—YAML).
CFN:ShortforAWSCloudFormation.ThistypewasinitiallysupportedsinceHeat’sfirstreleases(DSLforCFN-JSON).
Eachtemplatedefinesinfrastructureresourcerequirements,therelationshipbetweeneachoftheresources,andanysoftwareconfigurationnecessaryinordertomanageacompleteapplicationresourcelifecycle.
Beforelookingatatemplateitisnecessarytounderstandafewterms:stack,resource,parameter,andoutput.
Stack:acollectionofobjectsdescribedbyatemplatewithitsrelationships/dependenciesthatwillbedeployedinthecloud.stackincludesinstances(VMs),networking,blockstorage,objectstoragebuckets,andauto-scalingrules.
Resource:anelementofstack.Forexample,VM,securitygroup,subnet,andblockstoragearetheresourcesofstack.
Parameters:thesearetidbitsofinformation,likeaspecificimageID,flavor,volumesize,oraparticularnetworkIDthatispassedtotheHeattemplatebytheuser.Ingeneralcases,templatesareparameterizedtoallowsomeflavorofflexibility,yetincommoncasesitisuptotheuser.Thegeneralapplicationofparameterslaysinconfiguringresources.Forexample,ifyouneedtodeployavirtualmachine(VM)resource,youhavetoexplicitlydefinetheflavorandtheimageID.Theseareparametersforresourcesandinthetemplateitispossibletohaveahugesectionforparametersinreallife.Parametersarenotamandatorything,however,butitispossiblethattheresourcedefinitionputssomedefaultvaluesinresourceconfiguration.
Outputs:thisisinteresting,sinceincommoncasesitoutputsafullycustomdatastructurethatisbeingdefinedattheendofasuccessfuldeployment.Let’sjustreviewasmallexample.Let’ssayyouhavethreeresources:VM,securitygroupwithrules,andsoftwaredeployment.TheideahereistodeployaVMwithsoftwareinit(Nodecellar,Wordpress,MySqlorwhatever)andweneedtorestricttheaccesstothatdeployedapplication.Thisdeploymentconfigurationassumesthatwe’redeployingaPaaSapplicationandusersareabletoaccessitwithinspecificconnectionstrings.Herearethetemplateoutputs:oncedeploymentisready,Heatwilltrytogetoutputsaccordingtoitsdefinition
fromthetemplateusingbuilt-intemplateDSLfunctions.
Nowit’stimetotakealookatareal-lifeexampleofaHeattemplate:
heat_template_version:2013-05-23
description:>
AHOTtemplatethatholdsaVMinstancewithanattached
Cindervolume.TheVMdoesnothing,itisonlycreated.
parameters:
key_name:
type:string
description:Nameofanexistingkeypairtousefortheinstance
constraints:
-custom_constraint:nova.keypair
description:Mustnameapublickey(pair)knowntoNova
flavor:
type:string
description:Flavorfortheinstancetobecreated
default:m1.small
constraints:
-custom_constraint:nova.flavor
description:MustbeaflavorknowntoNova
image:
type:string
description:>
NameorIDoftheimagetousefortheinstance.
Youcangetthedefaultfrom
http://cloud.fedoraproject.org/fedora-20.x86_64.qcow2
Thereisalso
http://cloud.fedoraproject.org/fedora-20.i386.qcow2
Anyimageshouldworksincethistemplate
doesnotasktheVMtodoanything.
constraints:
-custom_constraint:glance.image
description:MustidentifyanimageknowntoGlance
network:
type:string
description:ThenetworkfortheVM
default:private
vol_size:
type:number
description:ThesizeoftheCindervolume
default:1
resources:
my_instance:
type:OS::Nova::Server
properties:
key_name:{get_param:key_name}
image:{get_param:image}
flavor:{get_param:flavor}
networks:[{network:{get_param:network}}]
my_vol:
type:OS::Cinder::Volume
properties:
size:{get_param:vol_size}
vol_att:
type:OS::Cinder::VolumeAttachment
properties:
instance_uuid:{get_resource:my_instance}
volume_id:{get_resource:my_vol}
mountpoint:/dev/vdb
outputs:
instance_networks:
description:TheIPaddressesofthedeployedinstance
value:{get_attr:[my_instance,networks]}
Asyoucansee,thistemplatewaswrittenusingHOTDSL,andhereisthelistofparameters:
key_name
flavor
image
network
vol_size
Andhereisthelistofresources:
my_instance
my_vol
vol_attr
Herearethestackoutputs(asyoucanseenow,HOTDSLprovidesasetoffunctionstoretrievespecificresourceattributesorgetdeploymentparameters):
instance_networks
Let’sfigureoutwhatthistemplatedoes.ItdeploysaVM,provisionsablockstorage(datavolume),attachesvolumetotheVM,andaspartoftheoutput,itreturnsanIPaddressoftheVM.AsforOpenStackoperators,let’sexaminethearchitectureofHeat(seeFigure3.1):
heat-apiisanOpenStack-nativeRESTfulAPI.ThiscomponentprocessesAPIrequestsbysendingthemtotheHeatengineserviceviaAMQP.
heat-api-cfnissimilartotheCloudFormation-compatibleRESTfulAPI.
heat-engineprovidesthemainorchestrationfunctionality.
Figure3.1
Thischapterisnotaboutthehands-onbestpracticesfordeployingHeatintoyourOpenStackenvironment.You’veseenwhatHeatcando,though,andhowitcandoit.IfyouareinterestedindevelopingorconsumingHeat,itisnecessarytolearnitsAPIandtechnologystack.
Let’ssumupwhatwe’velearnedaboutorchestrationinOpenStack.Ithasarichecosystemofmodulesavailabletofacilitateautomationthroughoutallstagesofthestack’sresourcesandtheirlifecycle,resultingingreatlyreducedtime-to-marketformanyITdemands/projects.HeatistheleadingorchestrationtoolforOpenStack-basedclouds,anditisanofficialpartoftheOpenStackdistribution.Withstrongenterprisesupportandsubstantialon-goingcontribution,HeatisfastbecomingthegreattoolofchoiceforOpenStackprivateandpublicclouds.
OPENSTACKDATABASEASASERVICE:TROVEWehavecoveredorchestrationinthecloudandhowitcanhelpyourbusiness.Let’sspendsometimecoveringthedifferencesbetweencreatingapplicationsinandoutofacloud.Asasoftwarearchitectyouneedtogiveeveryonethebasicideaofhowyourapplicationshouldbedeployedandhowitshouldwork,especiallyinacloudinfrastructure.Ingeneral,youneedapersistentstorageforyourapp—youneedadatabase.So,whatcloudcangivethattoyou?WouldthatbeaclouddatabaseorjustInfrastructure-as-a-Service(IaaS)?
CloudDatabaseAsUseCaseofSoftware-Defined-Storage(SDS)YoumaywonderifHeatisabletobethesoftwarethatdefinesstoragewiththehelpofitsDSL.Thisistrue,butitisnecessarytohaveanabilitytomanagestorageinaveryspecificway.Forexample,giventhatsoftwareshouldenableasoftware-definedstorageenvironment,itmayalsoprovidepolicymanagementforfeatureoptionssuchasdeduplication,replication,clustering,fault-tolerance,thinprovisioning,snapshots,andbackup.
InthecaseofHeat,itisprettycomplicatedtoprovideallofthesecapabilities,sinceitwouldmakecloudorchestrationverycomplicatedandhardlymaintainable.ThatiswhyyoushoulduseHeatorimplementyourownorchestration,sinceacustomengineforserviceswilldothestorageprovisioning.WithinOpenStack,youcanfindabigvarietyofservicesthatdostorageprovisioning:Cinder,Swift,andManila.
Speakingofpersistentstorage,asadeveloperyouneedtohavethecapabilityofdeliveringadatabaseasaspecificusecaseofsoftware-definedstorage.ThisisgreathavingaservicethatusesdatabasedeliveryusingconceptsofSDS,andtakingalldeploymentsandmaintainingthembehindthescene.
Aclouddatabaseisadatabasethattypicallyrunsonacloudcomputingplatform,inourcasethatisOpenStack,andprovideslimitedaccess,allowinguserstointeractwiththedatabasethroughitsnativeAPI.Foralongperiodoftimetherewerenoclouddatabases,sodatabaseconsumerstriedtodealwithitintheirownway.Therearetwocommondeploymentmodels:userscanrundatabasesonthecloudindependently,usingapre-configuredvirtualmachineimage,ortheycanpurchaseaccessproprietarysolutionsthatareworkingabovedifferentcloudplatforms.Sowhat’stheproblemwiththelastapproach?
OpenStackandTroveThereareproblemswithusingproprietarysolutionsthatareworkingondifferentcloudplatforms.Itisnotenoughtobuyaproduct,sincewithinsomeperiodoftimetheproductmustbesupported.Andifyouareawareofsoftwareservicesandsoftwareproductbusinessmodels,youwoulddefinitelychooseaservicethatprovidesdatabasesinsteadofdevelopingandsupportingyourowncustom
solution.Thisisbecauseitseemsthatproductsalwayscostlessbecauseofaone-timepurchaseandnosupport,yeteveryproblemisyourpersonalheadache,andsupportforproductsingeneralbecomesmoreexpensivethanthecostoftheproduct.Ontheotherhand,purchasingaservicesubscriptiontakeslessmoneyduetoitstimeaccessrestrictions,butinthecaseofsoftwareservicessupport,itisbeinghandledbytheserviceprovider.
NotethatthefirstclouddatabaseservicewasprovidedbyAmazonAWS,calledAmazonRDBS.Itisonlyrelational,NoSQLnotevenonce,butwhenRDBSwasreleased,NoSQLwasnotwidelyavailable,soAmazonAWScustomerswerecompletelysatisfiedbySQLdatabases.Currently,RDBSisstillaliveandpopular,andnothingmuchhaschanged(newflavorsofdatabaseswereadded,whichareareplicationforMySQL).
Enterprisesneedclustersanddatacentersfullofclusters,andtheyneedthemasquicklyaspossible.So,hereareourdemands:weneednewSQL/NoSQLsolutions,weneedclusters,andweneedautomatedmanagementoperations(seeSDScapabilities),andfinally,weneeditallinOpenStackbytheendoftoday.So,OpenStackdefinitelymissedsuchabilities,primarilythewaytodeclarestorageasadatabaseusingaspecificlanguage.ThereareacoupleofpossiblewaystoaccomplishdatabaseinstallationwithinOpenStack:
Firstboot.dorcloud-init
Chef
Puppet
Ansible
Post-provisioningscriptsexecutionwithfabric
Itiseasytodeployadatabase.Butwhataboutthecostofyourtimetoautomatemanagementtasks?Ifyouchoosethispath,eventuallyyouwouldendupspendingtime/moneytoupdateyourscriptstoadoptthemtonewrequirements.
Obviously,enterprisecustomerswouldlovetoconsumeservicesandresourcesinsteadofmaintainingthem.CustomandveryspecificsolutionsmaynotworkintermsofSDS,however,sinceSDSDSLshouldbeflexible.So,weneedaservicefordatabasesthatmeettheconceptsofSDS.Let’sgobackto2012.RackspaceandHPdecidedtocollaborateandimplementsuchaserviceforOpenStack:OpenStackdatabaseservice,Trove.
BeforedescribingtheconceptsofTroveitself,pleasekeepinmindthatTroveisnotadatabase.Evenifitwasdefinedasadatabaseasaservice,Troveisnotadatabase.Troveisatoolthatdeliversandmanagesdatabaseinstancesinacloudenvironment.OpenStack’sDatabaseasaService(DBaaS)projectisinactivedevelopmentbutholdsarealtreasure.ThisserviceisdesignedtoprovideallofthegoodsofbothSQLandNoSQLdatabaseswithoutthehassleofhavingtohandlecomplexadministrativetasks.Itisnecessarytohaveadedicatedservicethat
completelyimplementsallSDSmanagementoperations.Theideawastoprovideascalableandreliableclouddatabaseasaserviceprovisioningfunctionalityforbothrelationalandnon-relationaldatabaseengines,andtocontinuetoimproveitsfully-featuredandextensibleopensourceframework(includingreplication,clustering,backup,restore,user/databasesCRUDoperations).
So,whatarethosedifferencesbetweenTroveandAmazonRDBS?TrovedoesNoSQLbootstrapping,however,startingwiththeJunoreleaseTrovedoesreplicationforMySQLandPercona5.5,aswellasshardedclusteringforMongoDB2.x.x.
OpenStackDBaaSInDetailLet’sdefinewhatTroveis.Incloudcomputingtherearetwodefinitionsforclouddatabases:adatasourceAPIserviceandadataplaneAPIservice.Let’stakeacloselookatthecloudpioneer,Amazon.AmazonAWSprovidestwodifferenttypesofdatabaseservices:AmazonRDBSandAmazonDynamoDB(andSimpleDB,thecheapversionofDynamoDB).Bothoftheseservicesaredatabaseservices,andbothdealwithdatabases,butincompletelydifferentways:
AmazonRDBS:adataplaneAPIservicethatdeploysdatabaseswithinasingleaccount.Thisisbestfordeploymentondemand.
AmazonDynamoDB:adatasourceAPIservicethatcreatesschemaentitiesoverpre-deployedNoSQLdatabaseclusters.
FromthisperspectiveTroveisnotadatabase.Troveisinsteadadatabaseinstancedeliveryservice.Trovedoesinstantdatabasedeploymentondemand.
BeforelookingatTrove’sAPI,youneedtounderstandafewtermsthatTroveuses.
Datastore:adatastructurethatdescribesasetofdatastoreversions,whichconsistsof:
ID:simpleauto-generatedUUID
Name:user-definedattribute;actualnameofadatastore
DefaultdatastoreVersionsID
Example:Mysql,Cassandra,Redis,etc.
DatastoreVersion:adatastructurethatdescribesaversionofaspecificdatabasepinnedtodatastore,whichconsistsof:
ID:simpleauto-generatedUUID
DatastoreID:referencetodatastore
Name:user-definedattribute;actualnameofadatabaseversion
Datastoremanager:trove-guestagentmanagerthatisusedfordatastoremanagement
ImageID:referencetoaspecificGlanceimageID
Packages:databasedistributionpackagesthatwouldbedeployedontoadatastoreVM
Active:booleanflagthatdefinesifaversioncanbeusedforinstancedeploymentornot
Example:Name-5.6
Packages:mysql-server=5.5,percona-xtrabackup=2.1
So,bothofthesetermsaredescribingwhichdatabaseflavorversionshouldbedeployed.
Alsoitisnecessarytounderstandwhichimagesshouldbeused.Unfortunately,Troveisnotabletoworkwithpurecloud-readyimagesduetoitsarchitecturalspecialties—eachGlanceimageshouldcontainTrove’sguestagent(anRPCservicethatmanagesadatabaseinstancewhereitwasinstalled).FormoreinformationonhowtocreateimagesforTrove,pleasetakealookatthisdocument:https://github.com/openstack/trove/blob/master/doc/source/dev/building_guest_images.rst
NowitistimetoproceedtoTrove’sAPIandwhatitcando:
Databaseinstancemanagement(withinsupporteddatastores)
Databasebackup/restore(forMySQLandPerconaitisalsosupportedtocreateanincrementalbackup)
Post-provisioningconfigurationmanagement
Clustering(startingwiththeJunoreleaseforMongoDB2.x.x,VerticaDB)
Replication(fromMySQLandPercona)
Users/databaseCRUDoperations(note,whenthisbookwaswrittennotallsupporteddata-storedriversinTrovewereabletoprovidesuchability)
Let’stakeapreciselookatTrove’sworkflowandwhichOpenStackservicesareinvolvedwithinstanceprovisioning.InFigure3.2youcanseeimportantTroveelements.
Figure3.2
ItisnecessarytoexplainwhathappenswhenausersubmitsaninstanceprovisioningtasktoTrove.Firstofall,wehavetodealwithhoweachnewinstanceisanewVMwithanattachedblockstorage.So,thereisnobaremetal(saygoodbyetoOracleanditslicense),andnocontainers.Secondly,forprovisioning,Troverequiresspecialimageswithadditionalsoftware,whichwillbedescribedlaterinthischapter.
So,eachtimeausercreatesaninstance,Trovedoesthefollowing:
NovaVMbootstrap
Cinderblockstorageprovisioning
OncetheVMisreadyandthevolumeprovisioned,TrovesendsoveranAMQPRPCmessagetotheTroveagentthatisbeingdeployedattheVMtosetupthedatabase.So,ifit’snotinstalled,installit,doadditionalconfiguration,andreportthatthedatabaseisready.YouprobablynotedthatTrovedoesitsownorchestration,sothisisacommunitydecision.FornowTrovedoesn’tsupportfullyHeat-basedprovisioning.InFigure3.3youcanseeCLIcallstoTroveforinstancecreationusingpython-troveclient.
Figure3.3
DatabaseBackupNowlet’stakealookathowtheinstancebackupprocedureisimplemented.Onceausersubmitsabackuprequest,itasksitsagenttoperformabackup.Dependinguponitsimplementationbackup,itcanbeonlineoroff-line.So,theagentusesnativedatabasetoolstoperformbackups(xtrabackupforMySQLflavors,nodetoolforCassandra,etc.).Oncebackupisready,theagentpackagesitintoanarchiveandthensendsittoremotebucketstorage:Swift.IntermsofsecurityconcernstheagentencryptsthebackupusinganAESblockcipher.Butthere’saproblem.AllinstancesareusingthesameAESkeywithinanydeployment.InFigure3.4youcanseeCLIcallsforbackinguptoTroveusingpython-troveclient(https://pypi.python.org/pypi/python-troveclient/1.2.0).
Figure3.4
TroveInstanceRestoreActuallytheTroveinstancerestoreisaninterestingoperation.YoushouldtakeintoaccountthatyoucanrestoredataonlyintoanewTroveinstance.So,inthiskey,therestorediffersfrominstanceprovisioningonlybyapplyingapulledbackupfromSwift.InFigure3.5youcanseeCLIcallstoTroveforrestoringanewinstanceusingpython-troveclient.
Figure3.5
TroveInstanceConfigurationManagementTakingintoaccountthatTroveisapurePaaS,there’snoaccesstoanyotherservicesonaninstanceinsteadofadatabase,andthere’sonlyonewaytomanageyourinstance—throughTrove’sAPI.OneoftheavailableAPIendpointsisconfigurationmanagementthatisbeingdeployed.FordifferenttypesofdatabasesTroveprovidesanabilitytomodifydifferenttypesofconfigurations.Forexample,inMySQLflavorsitispossibletomodifydynamicsystemvariablesthatarenotrequiredtoputthedatabaseintomaintenancemode,buttherearealsooptionsthatrequirethedatabaseservicetobeshutdown(datadir,logging,etc.).InFigure3.6youcanseeanexampleofachangingdatabaseconfigurationrightafteritsdeployment.
Figure3.6
So,youmaythinkthatwiththehelpofconfigurationmanagementyoucaneasilycreateareplicationgroupforMySQLflavors.Actually,Trovedevelopersdidthatforyou,asshowninFigure3.7—youcanseehowTroveaddressesreplicationwithinitsAPI.
Figure3.7
Speakingofreplication,aspartofitsreplicationcapabilities,Troveprovidesanabilitytopromoteslavetomasterandviceversa(i.e.,thedemotion).Forthesakeofstabilityandpredictabilityitwasdecidedtoimplementthisfeatureformanualmodeonlytoletusersdecidewhethertheywantordon’twanttodothat.Also,startingwiththeKiloreleaseTroveisabletoperformreplicationintwodifferentways(forMySQLflavors):regularbinlogreplication(binlogsarebeingtransferredthroughremotestorage,bythedefault—Swiftbuckets)andanewtypeofreplicationthatissupportedbyMySQL5.6andgreater—GTIDreplication(seemoreinfoathttps://dev.mysql.com/doc/refman/5.6/en/replication-gtids-concepts.html).
There’snothingmuchtosayaboutTroveclusterprovisioning.Basically,Trovecreatesasetofsingleinstancesofaspecificdatastoreanditsversion.Oncetheyareready,Trovestartstoexecuteoperationsforeachinstancetojointhemintoacluster.Thesetofoperationsalwaysfollowstheindustrybestpracticesforclusterbootstrapping(specifictoeachdatastore).
TroveArchitectureLikemostOpenStackservicesTroveitselfisdividedintomultipleservices:
trove-api:AservicethatprovidesaRESTfulAPIthatsupportsJSONtoprovisionandmanagesTroveinstances.
trove-taskmanage:Aservicethatdoestheheavyliftingasfarasprovisioninginstances,managingthelifecycleofinstances,andperformingoperationsonthedatabaseinstance.
trove-conductor:AservicethatismiddlewarebetweentheguestagentandTrove’sbackend.
trove-guestagent:AVM-siteservicethatmanagesdatabaseinstanceswithinitslifecycle.
InFigure3.8youcanseehowTrove’sarchitectureisorganized.
Figure3.8
Inthedatabaseworld,outsideofclouds,itisnecessarytoautomatetaskssuchasadailybackup,butitdoesseemthatTrovemissessuchabilityduetoheavydecisionsonwhichtechnologytopickorcreatingfromscratch.Implementingaschedulerisintheroadmap,butitisnotclearwhenitwillhappen.So,steppingasideofthecommunityplans,itisobviousthatsomedayTrove’sarchitecturewillbeextendedbythatscheduler.Sohereisthefutureofitsarchitecture—Figure3.9explicitlydescribeshowaschedulerwillbeintegrated.
Figure3.9
HerearesomelastwordsaboutTrove.TheideaforTrovewastocreateacompetitive(againstAmazonAWSorotherproprietarysolution)servicethatispartoftheOpenStackecosystem.Yes,itdoessupporttheprovisioningofmultipledatabaseflavorsandtheirversions(datastoreswithdatastoreversionsinTrove
terms).Andyes,itdoesbackup/restoreforsupporteddatabases.ItcandoclusteringforMongoDBandVerticaDB.Butareallofthesefeaturesneededbytheenterprise?Theanswerisyes.Andarethosesupporteddatabasesbeingrequestedandwantedbytheenterprise?Unfortunatelyno.Troveonlypartiallymeetscustomerneeds(atleasttheupstreamversion).SoOpenStackmustsupportwidelyuseddatabasessuchasOracle12c,MySQLandothers.
DESIGNATE:DNSASASERVICEBeingabletoquicklydeployvirtualmachinesandapplicationsisthepromiseofOpenStackandcloudcomputingingeneral.However,ifitstilltakesaphonecallorservicetickettocreateaDomainNameService(DNS)entryfortheapplication,alotoftheeffectivenessofautomationislost.That’swhereDNS-as-a-Servicecomesintoplay.ItenablesapplicationdeploymentsscriptstocreateDNSzonesandrecordsasneeded.DesignateistheprojectinOpenStackthatmakesthispossible.
UnderstandingtheDesignateArchitectureLikeotherOpenStackservices,Designatecontainsseveralcomponents:anAPIendpoint(designate-api),acentralizedlogicalcontroller(designate-central),aninternalDNSserver(MiniDNSordesignate-mdns),andamanager(designate-pool-manager)toconfiguredownstream,outward-facingDNSservers.Thereisalsoanoptionaldesignate-sinkservicethatwatchesthemessagequeueandcantakeotheractionsasneededbaseduponfiredevents(seeFigure3.10).
Figure3.10
DesignatecanbebackedbyavarietyofopensourceandcommercialDNSservers,suchasBIND,Infoblox,orPowerDNS.Thisisnotvisibletothetenant—thetenantsimplyhasaccesstoAPIstocreateandmanagedomains(zones)andtherecordsinthosezones.Eachoftheseservicesisaccessedviaa“backend”plugin,whichcontainsthespecificlogicforinteractingwiththatDNSserver.
WhenausermakesarequestviaHorizon,theCLIclient,ortheAPIdirectly,therequestwillgotothedesignate-apiservice.ThisservicemanagestheinboundHTTPconnections,servinguptheRESTfulAPI.Itcommunicateswithdesignate-centraloverthemessagebus.
Thedesignate-centralserviceisthehubofactivity,coordinatingtheactionsrequiredtocarryouttheAPIrequests,andmanagingthepersistentstoragefortheDesignatedata.WhenanAPIcallrequiresaconfigurationchangeononeofthebackendDNSservers,designate-centralwillsendanRPCrequesttodesignate-pool-manager,whichmodifiestheDNSserverconfigurations.Thespecificsofwhatactionsittakeswilldependonthebackendplugin.
Whendomainsorrecordsarecreatedormodified,designate-centralwillalsoupdatethedesignate-mdnsservice.ThisisasmallDNSserverthatworksasa“hiddenmaster”serverforallDesignatemanageddomains.Thatmeansthatitisauthoritativeforthedomain,butitdoesnotshowupasanNSrecordforthedomain—inotherwords,itishiddenfromview.Clientscannotfindittodirectlyaccessit(it’salsonotaccessibleexternally)—onlyothernameserverscanaccessit.ThebackendDNSservers,whichactuallyserverequestsfromclients,areconfiguredtoseedesignate-mdnsastheprimaryserver,andacceptzonetransfersfromit.DNSzonetransfersareastandardDNSmethodforsharingzonedataamongservers.
UsingDesignateAsanapplicationdeveloper,yourinteractionwithDesignatewillprimarilybetocreate,modify,anddeletezonesandrecords.Let’slookatthedesignateCLIclientandhowtouseit.Likeotherservices,theclientnameissimplytheservicename,designate.Itusesthesame,consistentauthenticationmeansasotherCLIclients.Italsoprovidesquotasonthenumberofentitiesyoucancreate.
$designatequota-gettenant-id
+-------------------+-------+
|Field|Value|
+-------------------+-------+
|domains|10|
|domain_recordsets|500|
|recordset_records|20|
|domain_records|500|
+-------------------+-------+
$
Thedomainsentryisjustwhatyoumightexpect—itreferstodomainnamessuch
asexample.com.Mostlikely,youwillberestrictedtocreatingsub-domainsofyourorganization’sdomain(e.g.,foo.example.comorfoobar.example.com).Tounderstandtheentriesinthisquotalist,youneedtoknowalittlemoreaboutDNS.
FULLYQUALIFIEDDOMAINNAMESDesignaterequiresyoutousefullyqualifieddomainnames—thisincludesthetrailing“.”.Strictlyspeaking,anameisnotaFQDNwithoutthat,andDesignatewillenforcethis.
Foreachdomain,theDNSserverholdsrecords.Eachrecordhasatype,aname,atime-to-liveandanyassociateddata.Whiletherearemanyrecordtypes,DesignatesupportsninecommontypesasoftheKilorelease,showninthefollowingtable.Remember,eachrecordalsohasaname—theexampledatashownhereistheresultofaqueryforthatname.
RecordType
ExampleData Description
A 10.0.0.1 AnIPv4Addressrecord.
AAAA 2001:DB8::1 AnIPv6Addressrecord.
CNAME foo.example.com. Acanonicalname—thisisanentryusedtomaponenametoanother.Forexample,ifthereisaDNSArecordnamedbar.example.com,referringto10.0.0.1,thenyoucancreateaCNAMErecordnamedfoo.example.com.referringtobar.example.com.(thetrue,orcanonical,nameoftheresource).
MX 10mail.example.com.
Amailexchangeserverforthedomain.Thisisusedbymailagentstodecidehowtosendmailtoemailaddressesinthisdomain.
NS ns1.example.com. Anameserverrecord.TheNSrecordsonadomainspecifywhichnameserversareauthoritativeforthedomain.
SSHFP 12a4b1a288…8821ab33ef
ApublicSSHhostkeyfingerprint.Thiscanbeusedtohelpverifyhostsarewhotheysaywhenusingssh.
SPF v=spf1ip4:192.0.2.0/24a–all
ASenderPolicyFrameworkrecord,usedtohelppreventemailspoofing.Itenablesyoutospecifyrulestofilteroutincomingemail.TXTrecordsareoftenusedforthisinstead.
SRV 2055060sip.example.com.
Ageneralservicelocatorrecord.Thisisusedtolocatenewerservicesratherthanusingaservice-specifictypelikeMX.SeeRFC2782.
TXT Someexampletext.
Arbitrarytext,eitherforhumanormachineconsumption.
Mostoften,youwillusetheA,AAAA,CNAMEandperhapsMXrecords.FordeployingsomeapplicationsyoumayalsotakeadvantageofSRVrecordstoadvertisetheavailabilityoftheapplicationservicetotherestoftheorganization.Theremainderareprimarilyusedbytheadministratororforspecialpurposes.
Recordsetsaregroupsofrecordswiththesametype,name,andTTL,butwithdifferentdata.So,youcandefineanArecordsetwithmultipleIPaddressesasdata.Thenameiswhatyouareactuallyusingwhenyoulookuparesource.Forexample,tolookuptheaddress(A)recordnameblue.foobar.example.comfromtheDNSserverat172.16.98.136,youcanusethehostutilityinLinux:
$host-tAblue.foobar.example.com.172.16.98.136
Usingdomainserver:
Name:172.16.98.136
Address:172.16.98.136#53
Aliases:
blue.foobar.example.comhasaddress10.1.0.100
$
Inthequotalist,thedomain_recordsetsentryindicatesthemaximumnumberofrecordsets(ie,uniquetype/namecombinations)youmayhaveinasingledomain.Therecordset_recordsindicatesthemaximumnumberofrecordsinasinglerecordset.Andfinallythedomain_recordsentryputsanadditionalconstraintontotalrecordsinadomain.
CreatingadomainusingtheCLIisstraightforward—youusethedomain-createcommand.
$designatedomain-create--ttl3600--namefoobar.example.com.
+-------------+--------------------------------------+
|Field|Value|
+-------------+--------------------------------------+
|description|None|
|created_at|2015-08-10T19:11:22.000000|
|updated_at|None|
|email|[email protected]|
|ttl|3600|
|serial|1439233882|
|id|7254c2b3-187c-428e-974d-03bac08cb2af|
|name|foobar.example.com.|
+-------------+--------------------------------------+
$
Youwillnoticethatyoumustspecifyanemailaddressasthecontactforthedomain.YoualsomayspecifytheTTLvalue.Thisvalueisusedbydownstreamcachingnameserverstoknowhowlongtoholdontothedatabeforerefreshingtheircache.Thevalueisinseconds;thelongeryouspecify,themoretimeitwilltakeforchangestogointoeffectacrosstheentireInternet.However,specifyingtoolowofavalueforafrequentlylookedupdomaincanoverburdenyourDNSservers.ThedefaultvalueinDesignateis3600,oronehour.
Onceyouhavecreatedadomain,youcanstartcreatingrecords.WhenyouspinupanewVM,youcancreateaDNSentryforitsothatotherVMswithinthecloudcanaccessitbyname,ratherthanbyIPaddress.Tocreatetherecordweusedintheexamplelookupearlier,usethiscommand.
$designaterecord-create--typeA--nameblue.foobar.example.com.\
--data10.1.0.100foobar.example.com.
+-------------+--------------------------------------+
|Field|Value|
+-------------+--------------------------------------+
|description|None|
|type|A|
|created_at|2015-08-10T19:18:59.000000|
|updated_at|None|
|domain_id|7254c2b3-187c-428e-974d-03bac08cb2af|
|priority|None|
|ttl|None|
|data|10.1.0.100|
|id|fc83692a-f484-41fa-81c8-25300a908f7b|
|name|blue.foobar.example.com.|
+-------------+--------------------------------------+
$
Youwillnoticethatthestatementabovesays“withinthecloud.”TheVMIPaddressatspinupistypicallyaprivateaddress,somachinesexternaltothecloudwillnotbeabletoaccesstheaddressdirectly.ToenableexternalsystemstoaccesstheVMviathenamelookup,youneedtoassociateaDNSentrywiththefloatingIPaddress,nottheprivateIPaddress.
Oneoptiontohandlethiscleanlyistousetwodifferentdomainnamesforinternalandexternalreferences.Forexample,ifyouwantothersinyourorganizationtoaccessyourapplicationfromoutsidethecloud,youcouldcreateadomaincloud.example.comandanothercloud-local.example.com.WhenyouprovisionaVM(oraportinNeutron),youcreateanentryinthecloud-local.example.comdomain.WhenyouassociateafloatingIPaddresswiththatVM,youcreateaseparateentryforthefloatingIPincloud.example.com.Yourinternalcloudapplicationscanrefertothecloud-local.example.comdomainandtheexternalclientstothecloud.example.comdomain.
Thisworks,butit’saprettycumbersomesolution.ThealternativetypicallyusedinDNSiscalledsplit-horizonDNS.Inthisconfiguration,theDNSservercanlookatinformationabouttheinboundrequest,suchastheDNSserverIPaddressitcameinthrough,orthesourceIPaddressofthequery.ItusesthisinformationtochoosetheDNSviewinwhichtoevaluatethequeryresponse.DNSviewsenableyoutodefineadifferentresponseforthesamequery—oneineachview.So,youcandefineanArecordforwww.cloud.example.com.Intheinternalviewthatresolvesto10.1.0.100,andanArecordforwww.cloud.example.comintheexternalviewthatresolvestothefloatingIPaddress.
Unfortunately,asoftheKilorelease,Designatedoesnotyetsupportsplit-horizonDNS.However,itisontheroadmapsowecanlookforwardtoitinafuturerelease.
Designateisapowerfulandimportantpartinautomatingyourdeployments.TheabilitytomakeyourapplicationimmediatelyaccessibleviaaDNSentryiscriticaltotherapidspinupofapplications.WithoutthecapabilitiesofDesignate,applicationdeploymentsinOpenStackwouldbelimitedbytheoftenmanualDNSentrycreationprocess.
MAGNUMOneofthenewestandmostinterestingcomponentsintheOpenStackecosystemisacontainerfocusedprojectcalledMagnum.Ifyouareunfamiliarwiththem,containersareavirtualizationtechnologysimilartovirtualmachines,onlytheyworkwithoutahypervisor.Amoredetailedconversationaboutexactlywhatcontainersare,howtheycomparetovirtualmachines,andthechallenges/solutionstheyprovidecanbefoundatthebeginningofChapter6.Intruth,whenusedinanOpenStackenvironment,containersactuallyhavetoliveontopofclassicallyprovisionedinstances.However,forthepurposesofunderstandingwhatMagnumisandwhyitisimportant,containerscansimplybelookedatasanothertypeofvirtualmachinethatcannotbemanagedviaNovaorNeutron.
ContainersAsAServiceMagnumisgenerallydefinedasaservicethatprovidescontainersandcontainermanagementwithinOpenStack.Itallowsyoutoprogrammaticallyprovision,delete,andnetworkcontainerswithouthavingtorelyonaspecificvendor,anddoessoinamulti-tenantcapablemanner.
Therearecurrentlyanumberofthesevendorspecificcontainerorchestrationsystems.Google’sKubernetes,andDocker’sSwarmarethemostwellknown,andarebothsupportedbyMagnum.MorerecentofferingslikeMesosandothersarenotyetsupported,butarelikelytobeimplementedatsomepointinthenearfuture.OneofthemajorconceptsbehindMangumthough,isthatyoudon’thavetorelyonanyspecificvendor.Instead,OpenStackprovidesasetofagnosticAPIsandinterfacesthatallowyoutochooseyourowncontainertypeandorchestrationsystem.Thispreventsvendorlock-inandallowsyoutomoreeasilyadoptnewtechnologyasitcomesalong.
Itsabilitytomanagecontainersinamulti-tenancyfashionmeansthatMagnum’sfunctionalitycanbeextendedtoconsumerswithinanOpenStack-backedpubliccloud.Untilnow,inadditiontobeingvendorspecific,alloftheprevailingsolutionsforcontainermanagementwouldprovideanyonewithaccesstotheorchestrationlayer,accesstoeverycontainerwithinit.WithMagnum,containersareisolatedbytenant,andtheiraccessisbackedbyKeystone.
BuiltUsingFlannel,Kubernetes,andDocker?Magnumiscreatedfromofanumberofdifferentcomponents,butyouwilloftenhearthatitisbuiltuponthreeratherenigmatictechnologies:flannel,Kubernetes,andDocker.Itishelpfultoknowwhateachofthesethingsare,butasyouwillsee,it’sabitofamisnomertoconsiderMagnumassimplyacombinationofthesethings.
Thefirstofthesetechnologies,flannel(yesit’salowercasef),wascreatedbythepeopleatCoreOSInc.Itisavirtualnetworkthatgivesasubnettoeachhostfor
usewithcontainerruntimes.Itprovidesanetworkbindingbetweentheclassicallyprovisionedhostserverandthemultiplecontainersthatexistontopofit,allowingtraffictoberoutedtoandfromspecificcontainers.flannelistransparentinMagnum.TherearenoflannelAPIstospeakto,noristhereanyspecificflannelfunctionalitythathasbeenexposed.Rather,flannelsimplyprovidesthenetworkingtocontainersthatNeutroncouldnot.
Thenextone,Kubernetes,isaGoogle-backedopensourceprojectthatprovidesMagnumwithadriverfortheorchestrationofDockercontainers.Likeflannel,youdon’tinteractdirectlywithKubernetes.Instead,youinteractwiththeMagnumAPI,whichcanthenuseKubernetestoprovision,alter,orremovecontainers,podsandbays.Unlikeflannel,byusingalternatedriverssuchasSwarmorMesos,itispossibletoactuallyuseMagnumwithoutKubernetesatall.
Lastly,thereisDocker.Dockeristhetechnologyyouhavemostlikelyheardof,butitcanalsobethemostconfusingsinceitisanumberofdifferentthings.WhenpeoplerefertoDocker,theycanbereferringtoitasacompany.DockeractuallyoffersanumberofproductscenteredaroundcontainersincludingDockerHub(ahostedregistryservice)andDockerSwarm(mentionedearlierasanalternativetoKubernetes).TheDockerEngineisalsooftenreferredtoasjustDocker.TheDockerEngineisaruntimeaswellasanumberoftoolsthatallowyoutobuildandrunDockercontainers.
InthecaseofOpenStackMagnum,DockerisbasicallyacontainerformatorsoftwaretorunthisformatofcontainersonahostwhenusingSwarm,whichisanorchestrationdriverfortheseDockerformattedcontainers.Whilenotsupportedcurrently,itisalsopossiblethatothercontainerformatslikeRocketcouldallowyoutouseMagnumwithoutDockeratall.
ThereferencetothesetechnologiesasthebasisforMagnumisnotdeceptive.It’smeanttoexplainMagnuminitsmostcommonusecase.AnyreferenceonhowtouseMagnumwilllikelydemonstratehowtodeployDockercontainersusingKubernetesandflannelwillbackthenetworkingbehindthescenes.Intruththough,theyaresimplymoretechnologyinanarrayoftechnicaloptionsthatOpenStackandMagnumprovideinasimplifiedwaytouse.
BuiltUsingOpenStackInadditiontousingKeystoneforauthenticationandpermissions,MagnumisactuallybuiltusinganumberoftheotherOpenStackprojectsthathavealreadybeendiscussed.ItemploysHeatforcreatingpodsandbayswherecontainerscanlive,Novaasitscomputebackbone,andNeutrontohandlenetworkingoutsideofthecontainersthemselves.Thiscanprovideyouwithalotofflexibilityonexactlyhowcontainersareimplementedinyourenvironment.
Forexample,thecomputationalunitthatrunsaclusterofcontainers(ornode)canbeanythingthatNovacansupplyasaserver.Thismeanscontainerscanbeprovisionedontopofbaremetalseversorvirtualmachines.Sonotonlydoes
Magnumprovidevendoragnosticcontainers,butitcanbebackedbyvendoragnosticcomputing.Thesamecanbesaidforitsnetworkingandevenstoragecomponents.Thisisintentional,andisagreatillustrationofhowOpenStackallowsyoutoworkwithwhateverassetsyouhaveavailable.
BuildingontopoftheexistingtoolswithinOpenStackprovidesfamiliarinterfaces,butthatisnottosaythatusingMagnumisnodifferentthanprovisioningaVMandthrowingitonaprivatenetwork.ThespecificneedsofcontainersthatmadethemapoorfitforNova,alsomaketheirorchestrationandconfigurationaslightlydifferentprocess.
Bay,Pods,Nodes,andContainersAsmentionedbefore,allcontainersthatarepartofMagnumrunontopofNovaprovisionedservers.Whatwasn’tmentioned,wasthatthesecontainersactuallyrunontopofsomethingcalledBaysthatactuallyprovidesthecontainerorchestrationitself.Dependingonthedriver/vendor,containersorpodsarethencreatedontopofthesebaysingroupscallednodes.Figure3.11maymakethisalittleclearer.
Figure3.11
Toprovisionacontainer,youmustfirstselectandprovisionabaytype.Thiswillnormallybedoneusingoneofseveralbaymodelsthatcanbeself-defined,butwillmostlikelybeprovidedbythesystemnatively.BaymodelsaresimilartoFlavorswhendealingwithvirtualmachines.Therewilllikelybeonebaymodelavailableforeachvendor/driverthathasbeenconfiguredinthesystem,andlikemostassetswithinOpenStackthebaymodelscanbelistedwithacommand.However,fornow,selectingabaymodelessentiallymeanschoosingbetweenKubernetesandSwarm.
Whateverthechoice,thebaymodelisspecifiedwithinaheattemplateandtheactualbayiscreatedthroughHeat.BaysarethenavailableasstackswithintheheatAPIorintheHorizoninterface.
Fromthispoint,theMagnumAPItakesover.WithinabayyoucancallthemagnumAPItocreatecontainers(orpods),stop,startandrebootthemlikeyoucanwithVM’sinNova.Thiscoversthebasics,soyoushouldhavesomeideaofwhatMagnumisandhowitworks.
MagnumastheFutureofOpenStackTherehavebeenalotofquestionsinthecontainercommunitylatelyastotheneedforOpenStackinthefaceofprojectssuchasKubernetes.Afterall,KubernetesandDockerbothprovidenearlycompleteorchestrationsolutions.
AfewreasonshavealreadybeenmentionedastowhyyoumightlooktowardOpenStackasasolution.Multi-tenancyandvendoragnosticAPIsarebothhighlydesirablequalities.Nothavingtoacquirein-depthknowledgeofsomeofthemoreesoterictechnologiessuchasflannelcanalsobeabigplus.
ThebigwinherethoughisthatOpenStackistryingtobuildamorefuture-proofplatformandMagnumislikelytobeabigpartofOpenStack’sfuture.Containersareexcellenttechnology,buttheyareoneofthefastestchangingsolutionsoutthere.Likeanynewtechnologytheinitialwinnersareoftenlongtermlosers,soit’sriskytogetindeepwithanysinglecontainervendor/format/platformjustyet.Becauseitislargelyprovideragnostic,placingabetonMagnumisthusamuchlessriskyventure.Forexample,theabilitytoshiftgearsfromKubernetestoSwarmwithouthavingtomodifyyourdeploymentsystemcouldbeahugewin,andwhilevirtualmachinesarelikelytobeabigpartofthelandscapeformanyyearstocome,containersareheretostay.
MURANO:APPLICATIONASASERVICEFromaclouduserperspectivesinceOpenStackgotitsownorchestratoritmadeuserexperiencemoresolid.Itgavelotsofimprovements,butfromcloudappstheintegrationprocesswastoocomplicatedduetospecificlimitationsregardingthewayHeatallowsyoutodescribetheinfrastructurethatneedstobedeployed.So,evenusingthelatestHeatHOTDSLcloud,consumersstillcancreateaspecificconfiguration,butwritingatemplatewouldbecomeanightmare.
So,toimproveuserexperienceandprovidemoreflexiblecapabilitiesforclouduserstodeployandmaintaintheirowncloud-readyapplicationitwasdecidedtoimplementanewtypeofOpenStackservicethatwoulduseHeatasthedeploymenttoolthatprovidesanAPIthatwillallowyoutodefineapplicationsusingthesameenvironmenttemplates.
ApplicationCatalogMuranowasdesignedtoprovideawaytomakethird-partyapplicationsandservicesrunningonVMsorevenexternalservicesavailableasself-serviceforOpenStack.Theseapplicationsmaybeasimplemulti-tierapplicationwithauto-scalingandself-healing(withinHeatcapabilities).Fromthethird-partytooldeveloper’sperspective,theapplicationcatalogwillprovideawaytopublishapplications,includingdeploymentrulesandrequirements,suggestedconfigurations,outputparametersandbillingrules.Fromtheuser’sperspective,theapplicationcatalogwillbeaplacetofindandself-provisionthird-partyapplicationsandservices,andintegratethemintotheirenvironment,includingbillingcosts.
TheApplicationCatalogservicewasprovidedtosimplifytheprocessofcreatingapplicationsand/orservicesonOpenStack.Installingthird-partyservicesandapplicationscanbedifficultinanyenvironment,butthedynamicnatureofanOpenStackenvironmentcanmakethisproblemworse.MuranoisdesignedtosolvethisproblembyprovidinganadditionalintegrationlayerbetweenthirdpartycomponentsandtheOpenStackinfrastructure.ThisintegrationlayermakesitpossibletoprovidebothInfrastructure-as-a-ServiceandPlatform-as-a-Servicefromasinglecontrolplane.Forusers,thiscontrolplanisasingleinterfacefromwhichyoucanprovisionanentirefully-functionalcloud-basedapplicationenvironment.TheApplicationCatalogservicewasintegratedtoallOpenStackcomponentsdirectlyandindirectlyviaorchestrator(OpenStackHeat).TheCeilometerservicecollectsusageinformation,whichtheMurano-APIusesduringbillingrulesprocessingtocalculatebillinginformation.TheMuranoAPIwillexposeAPIcallstomanage(CRUD)servicesavailablefordeployment.ThisAPIwillbeusedbytheServiceadministratoruserinterfacetosimplifyservicemanagement.
ApplicationPublisher
TheprocessbeginswhenanApplicationPublishercreatesanewapplicationdescriptionandpublishestotheApplicationcatalog.Oncetheapplicationisuploadedthenit’llbeavailablewithinanyapplicationcataloginstances,dependingonthepoliciesforthatinstance.ApplicationPublishersshouldbeabletocreatenewapplicationsbydefiningservicemetadata,describingpropertiesandspecifyingallofthestepsnecessaryfordeployingtheapplicationanditsdependencies.Thedevelopercancreatethisdefinitionfromscratchoruseanexistingdefinitionbyextendingit,similartoinheritanceintheobject-orientedparadigm.TheApplicationPublishercandefinetheexternaldependenciesofanapplication.Thislistofdependenciesdefinestheotherservices(specifiedbytheirtype)thatmustbepresentintheenvironmentwhenanapplicationisbeingdeployed.
TheApplicationPublishermaydefineadditionaltermsofuseforanapplication.Forexample,thedevelopermaylimititsusageandextensibility(viainheritanceorreferencingfromanotherapplication)orspecifybillingrules.AnotherimportantsetofparametersthattheApplicationPublishermayspecifyintheServiceDefinitionaretheusagemetrics.TheseusagemetricsdefinewhichaspectsoftheserviceshouldbemonitoredbyCeilometerorothermonitoringtoolssupportedbyMuranowhenitsinstancesarerunning.TheApplicationPublishercanthenspecifythebillingrulesusedwiththosemetrics,essentiallydefininghowmuchserviceusagewillcosttheuser.AservicedefinitionisnotboundtoanyparticularOpenStackdeploymentorinstanceofMurano.Thedevelopermaycreateaservicedefinitionandthenpublishthatdefinitioninseveralservicecataloginstances.
ApplicationCatalogAdministratorApublishedservice/applicationdefinitionismanagedbythecatalogadministrator.Catalogadministratorsarethemaintainersoftheapplicationservicecatalog.Theyhavetheabilitytomanuallyaddorremoveservicedefinitionsinacatalog,oractasmoderatorsallowingordisallowingotherApplicationPublisherstopublishtheirservicedefinitions.Thiscontrolcanbegranularornot,astheadministratorchooses.Forexample,theadministratormayspecifythatanynewsubmissionsmustbeapprovedbeforebeingavailabletoanyendusers,ortheadministratormayinsteadchoosetomakeservicesavailableonlytotheOpenStacktenantassociatedwiththeapplicationpublisheruntilaserviceisapproved.
Administratorsmaydefinetheirownbillingrules,whichwillbeinadditiontothebillingrulesspecifiedbytheapplicationpublisher(iftheyweredefined).Thisenablescatalogadministratorstocoverthecostsinvolvedinrunningandmaintainingthecloud.
CatalogadministratorsconfiguresRole-BasedAccessControlrules(RBAC),whichdefineswhichusers(whichareassociatedwithtenants)ofthecloudhaveaccessto
whichservicesinthecatalog,andwhethertheymaybedirectlydeployedormustbeapproved.
ApplicationCatalogEndUsersOpenStackusersshouldbeabletocreateenvironmentscomposedofoneormoreavailableservices.Applicationcatalogconsumptionsbyendusersfollows:
Theuserbrowsesalistofavailableservices/applicationsandselectsoneormorefordeployment.Ifaselectedservicehasdependenciesthatrequireotherservicestobedeployedinthesameenvironment,theusermayeitherselectaninstanceofthenecessaryservicefrominstancesofthattypethatarealreadypresentintheenvironment,oraddanewinstanceofthattypeinstead.Dependenciesmayincludeotherservices,ortheymayincluderesourcessuchasafloatingIPaddressorlicensekey.Eachserviceaddedtotheenvironmentmustbeproperlyconfigured;theuserispromptedtoprovideallrequiredproperties,andtheinputisvalidatedaccordingtotherulesdefinedineachservicedefinition.Whentheuserhasfinishedconfiguringtheenvironment,heorshecandeploytheenvironment—ifheorshehastheappropriatepermissions.Deploymentoftheenvironmentmeansthatinstancesarecreated,servicesaredeployed,andallrequiredconfigurationactionstakeplaceandareaccomplishedproperly.
Insomeenvironments,itwillbemoreappropriateforenduserstosubmittheirdeploymentstoITasaticket.TheITdepartmentcanthensanity-checkthedefinitions,determinewhethertheyareappropriate,andapprove,modify,orrejectthedeployment.Iftherequestisapprovedormodified,theITdepartmentcantheninitiatethedeployment,ratherthantheuser.
Userscanbrowseanydeployedenvironmentsforwhichtheyhavepermissions,andinspecttheirstate.Inspectionincludestheabilitytodeterminewhichservicesarerunningonwhichnodes,howtheservicesareconfigured,andsoon.Userscanmodifyservicesettings,addnewservicesorremoveexistingones,validatethechanges(i.e.checkthatalltherequiredpropertiesaresettovalidvalues,alltheservicedependenciesexistandsoon),andredeploytheenvironmentbypropagatingthesechangesintotheCloud.Theusercanalsoinspecttheusagemetricsoftheservicesrunninginhisorherenvironments,andseebillableactivitiesandthetotalamountofmoneyspentforaparticularservice.
Itsoundsgoodwhenwe’resaying“anapplication”or“service,”butwehaven’tdefinedwhatanapplicationorserviceis,soitwouldbeveryusefultomentionafewexamplesofanapplicationthatmaybedeploywithinMurano:
RDBSandNoSQLdatabasesprovidedbyTrove
HadoopClusterprovidedbySahara
OpenShiftPaaSClusterprovisionedthroughHeat
MSSQLCluster
ChefServerorPuppetMasternodeinstalledmyMuranoworkflows
NagiosorZabbixmonitoringmanagedbyMuranoworkflows
MuranoArchitectureFollowingbestpracticesinOpenStack,Muranowasdesignedthatwaytohaveitscomponentsdecoupled(seeFigure3.12),anditdoesconsistof:
murano-api,aRESTfulservicethatfacestousers
murano-conductor,anactualenginethatdoesmostofheavyworkforcreatingdeployments
murano-agent,aVM-sideservicethatdoessoftwaredeploymentandconfigurationaccordingtoagivenapplicationdescription
backingservice(MySQL)
deploymentengine(Heat)
Figure3.12
MuranoUsageExampleMuranoasanApplicationcatalogintendstosupportapplications,definedindifferentformats.OnesuchexampleisHeatHOTDSLtemplatessupport.ItmeansthatanyHeattemplatecouldbeaddedasaseparateapplicationintotheApplicationCatalog.
Beforeuploadinganapplicationintothecatalog,itshouldbepreparedandpackagedappropriately.TheMuranocommandlinewilldoallofthatpreparationforyou.JustchoosethedesiredHeatOrchestrationTemplateandperformthefollowingcommand:
muranopackage-create–templateWordPress_2_Instances.yaml
NotethattheMuranoRESTclientallowsyoutospecifyadditionalparametersduringpackagecreation:
applicationname
applicationlogo(usedatUI)
applicationdescription
applicationauthor(s)
output(localstoragepathtosavecreatedpackage)
fullname
ButunderthehoodMuranodoesmorethancanbeseen;itcreatesamanifestaccordingtoagivendescription,soinourcasethemanifestforgiventemplatewouldlooksomethinglikethis:
Format:Heat.HOT/1.0
Type:Application
FullName:io.murano.apps.linux.Wordpress
Name:Wordpress
Description:|
WordPressiswebsoftwareyoucanusetocreateabeautifulwebsiteor
blog.
Thistemplateinstallsasingle-instanceWordPressdeploymentusinga
local
MySQLdatabasetostorethedata.
Author:'Openstack,Inc'
Tags:[Linux,connection]
Logo:logo.png
Oncethemanifesthasbeencreated,theuserwouldneedtopackagetheapplicationpackagebeforeuploadingittoMurano.Usersmustnamethetemplatefileastemplate.yaml,andthenameforthemanifestfileshouldbemanifest.yaml.Theuserthenneedstopackageanarchive*.ziportar.gzorwhatever.Youcandoapplicationimporting:
muranopackage-import–categoryWeb–templatewordpress.tar.gz
ThisisonlyabasicexampleofhowuserscanconsumeMuranoanditscapabilitiesasanApplicationcatalogforOpenStack.Forotherusecasesandusageexamplespleasetakealookathttp://murano.readthedocs.org/.
FromacloudusersperspectiveMuranoisveryuseful.OutsideoftheOpenStackecosystemyoushouldlookatRedHatOpenShift,whichisaPaaSplatformforapplicationdeploymentandmanagement.YoumightalsolookatGigaspacesCloudify,whichisaPaaSsolutionthataimstobeacompletesubstitutionforHeat,Murano,andSolumforOpenStackenterprisecustomers/consumers.ButMuranoisanofficialpartofOpenStack,soitmeansthatMuranoisfreeandcomesoutoftheboxforanyOpenStackdistributions.
CEILOMETER:TELEMETRYASASERVICEApplicationsandsystemsrequiremonitoring.Inordertoensurecontinuousservicedelivery,youneedtoknowwhetheryourapplicationsorinfrastructurerunningthoseapplicationshaveencounteredanyfaults,andwhethertheyareexperiencingheavyutilization.Ceilometerisprimarilyfocusedonthelatterfunction—monitoringresourceutilizationacrossthecloud,althoughitdoesprovidesomealarmingandnotificationfunctionalityaswell.Ceilometermonitoringmaybeusedforcapacityplanning,billingandchargeback,aswellaselasticscaling.
CeilometerArchitectureThemajorcomponentsoftheCeilometerarchitectureincludetheAPI,thepollingagents,collectorsforstoringagentresults,alarmevaluators,alarmnotifiers,andpossiblyseveraldifferentbackenddatabases(seeFigure3.13).
Figure3.13
TherearetwobasictypesofCeilometeragents:notificationreceiversandpollers.
Thepollingagentsperiodicallyrequestvariousmetricsfromotherservices.Forexample,theceilometer-agent-computewillrunonacomputenodeandgatherguestCPUstatisticsfromthehypervisoronthatcomputenode.Thenotificationreceiveragentssimplylistenonthemessagebus,andgatherinformationabouttheinnerworkingsofotherOpenStacksystemsbasedontheirnotificationoutputs.
Allofthisdatacollectedbytheagentsissentbacktotheceilometer-collector,whichisadaemon(ormanyinstancesofthedaemon)thattransformsandstoresthedataintothebackenddatabases.Theremaybeseveraldifferentdatabasesused,baseduponthedifferenttypesofdata.
Theceilometer-alarm-evaluatorprocessisconfiguredtolookatthedatainthesystemandevaluatewhetheralarmingcriteriaaremet.Thesecriteriaareuser-definedandconfigurable.Oncethecriteriaaremet,thenceilometer-alarm-notifierwilltakeanactionbasedupontheraisedalarm.ThiscouldbecallingaspecificURL,oranotheruser-specifiedaction.
ElasticScalingwithCeilometerInChapter6,youwillseeindetailhowyourapplicationscanscaleelasticallybycombiningthetelemetrydatafromCeilometerwiththeorchestrationcapabilitiesofHeat.Inshort,youconfigureHeatandCeilometertomonitortheCeilometermetricsforagroupofresources(say,VMsandyouaremonitoringCPUutilization).Whenathresholdisreached,analarmfires,whichinturncallsouttoHeattoscaleup(ordown)thenumberofinstances.Thisisapowerfulwaytomeetunevendemand,whileoptimizingthecostsassociatedwithanapplication.
SUMMARYThereisalottobesaidaboutusingOpenStackassimplyaplatformforprovisioningserversandnetworks.Indoingso,itwouldbeeasytodiscountmanyoftheprojectsdiscussedinthischapter.Afterall,mostofushavemadeitthisfarwithoutapplicationpackaging,containers,oranysortoforchestrationsystem.However,theexpandedecosystemoftechnologypresentedherehintsatalargergoalforOpenStack.ItistryingtobemorethanjustanIAASprovider.Infact,manyoftheseprojectsoffersolutionstothefundamentalneedsofwebdevelopment.It’salmostuncommonthesedaysforanapplicationnottoinvolveadatabase(Trove),DNSentries(Designate),andalerts(Ceilometer).Eventhoughitisn’tscriptedandlabeledasorchestration,suchapplicationsalsorequiremanualconfigurationanddeploymentinsomemanner.
Inthissense,OpenStackisattemptingtomaketheprocessofdevelopinganddeployingcloudbasedapplicationsnotjustpossible,buteasierandmoreformalized.It’salsotryingtoprovidescriptableself-servicesolutionsforsomeofthemorecommontasksinwebdevelopmentingeneral.Forthatreasonalone,thesesecondarycomponentsareworthlearningaboutandexperimentingwith.Sobeforewemoveonandstartlookingatwhatacloudapplicationlookslike,takeanotherlookatthischapterandaskyourselfiftheseprojectsprovidesolutionsforproblemsyoufrequentlyencounter.Inalllikelihood,theydo,andutilizingthemcanmakeyoumoreproductive,andyourapplicationslessproprietary.
PARTIIDevelopingandDeployingApplicationswithOpenStack
CHAPTER4:APPLICATIONDEVELOPMENT
CHAPTER5:IMPROVINGONTHEAPPLICATION
CHAPTER6:DEPLOYINGTHEAPPLICATION
4ApplicationDevelopmentWHAT’SINTHISCHAPTER?
Legacyapplications
Whydoyouneedmigrationtoclouds?
Migrate-to-cloudmethodology
ConvertyourapplicationintoanOpenStackapp
Buildingapplicationsfromscratch
Developmentstack
Applicationnetworkconnectivity
Applicationsecurity
Hands-onapplicationdeployment
Inthischapteryouwillbeexplicitlyshownhowtoperformalegacyapplicationmigrationfromaself-maintainedproprietaryenvironmenttoanOpenStackenvironment.Butbeforedivingin,let’smakesureweunderstandthefullmeaningoftheterm“legacyapplication.”Incomputerscience,legacyapplicationsarethosethatcomefromplatformsandtechniquesthatexistearlierthanthecurrenttechnologystack,andingeneraltheseareapplicationsthatareservingcriticalbusinessneedsinanorganization.Okay,let’sgetstarted.
CONVERTINGALEGACYAPPTOANOPENSTACKAPPWhentheword“legacy”appearswithinanycontext,thefirstthoughtisthatwe’retalkingaboutsomethingveryoldthatcan’tbeadjustedtothecurrentstateofthings.Butifwe’retalkingaboutsoftware,alegacyapplicationisnotnecessarilydefinedbyage.Legacymayrefertothelackofvendorsupportorasystem’sincapacitytomeetorganizationalrequirements.Legacyconditionsrefertoasystem’sdifficulty(orinability)tobemaintained,supportedorimproved.Alegacyapplicationisusuallyincompatiblewithnewlypurchasedsystems.Anorganizationmightcontinuetouselegacyapplicationsforawiderangeofreasons,suchasthefollowing:
Itworks,sowhyshouldweinvestmore?
Thelegacysystemiscomplex,anddocumentationispoor.Simplyitsdefiningscopecanbedifficult.
Aredesigniscostly,duetocomplexityoramonolithicarchitecture.
WhyMigratetoClouds?Inmostcases,itisreallycomplicatedtokeepappsrunningduringupdateswithoutamaintenancewindow.Inthecaseoflegacyapplications,“update”evenmeansthatthewholeapplicationwasre-writtenusingnewprogramminglanguages,andinvolvingnewtypesofservices(forexample,switchingfromself-maintaineddatabasestoclouddatabases).Thisshouldmakelegacyapplicationseasiertomaintaininthefuture,giventhatyoucanupdateapplicationswithouthavingtoentirelyrewritethem,whichallowsacompanytousetheirapplicationsonanyenvironmentsoroperatingsystems.
Yet,fortheenterpriseandtheirlegacyapplications,asystemredesignwouldtakealotofeffort(money,time,andanunclearvalue-add).
EnterpriseITorganizationsarefacingcriticalchallengesmaintaininglegacyapplications:
Costofproprietaryhardwareandsoftware
Attritioninpeoplewithqualifiedskillsandexperience
Inabilitytosupportthemoderncomputingdemandsofmobileandbigfastdata
CloudcomputingcanhelpwithlegacyapplicationsintermsofmaintenancefortheITdepartment.Unfortunately,manyITorganizationsseetheprospectofmodernizinglegacyapplicationsasa“missionimpossible”withthepathforward“toocloudy”andthecostsandriskstoogreat.Theyhaveapoint,buttherearesomefactorsthatcanhelpdetermineifourlegacyapplicationscanmigratetothecloud:
Structure:Alarge,single-tiered,monolithiclegacyapplicationisn’tagoodfitforclouds.Efficienciesaregainedwhentheapplicationismodularortheloadcanbespreadoutoverseveralapplicationinstancestoallowhighavailability(HA)andscalability.
Softwareandhardwaredependencies:Aparticularchipsetoranexternaldevicesuchasaneyescannermightnotbeagoodfitforthecloud.Thesamethingcanapplytosoftware,sincealegacyapplicationmayrequiretheuseofaspecificoperatingsystemorsetoflibrariesthatcan’tbeusedinacloudnorbevirtualized.Ifthisisthecase,thendefinitelyanapplikethisisnotagoodfitforthecloud.
Durabilityandfault-tolerance:DespiteapplicationServiceLevelAgreements(SLA),we’relivinginaworldwhereeverythingbreaks:networksaredisrupted,serversfail,andthemulti-tenantusageofanapplicationlookslikeaDistributedDenial-of-Serviceattack(DDoS)insteadofshowingregularbehavior.Applicationsmustsurviveorbesturdyenoughtocontendwithanygivenissues.
Asaresult,manyenterprisecompaniesareresigningthemselvestolivewithlegacyapplicationsbecausemovingtothecloudisnotastepforwardduetotheamountofeffortthatisrequired.Eventually,thebusinesslosesconfidenceinIT’sabilitytodeliver,andthecostscontinuetorisewithoutcorrespondingvalueoranyvisiblebenefit.Let’sexaminesomespecificadvantagesformovingfromalegacyapptoacloudapp.
First,movingyourlegacyapptothecloudlowersthetotalcostofownership.Maintainingmainframelicenseleasingcostsisoneareatolookat.Sincethecloudfurthercommoditizestheinfrastructure,modernizingmainframeappstothecloudshoulddecreasethetotalcostduetotheabsenceofneedingtomaintaintheenvironmentbyitself.
Inclouds,flexibilitydefinestherateatwhichlegacyapplicationneedscanbesuccessfullyadjustedtomeettheever-changingneedsofthebusiness.Inthecaseofenvironmentdelivery,cloudscomeoutontopcomparedtoself-managedhardware.Thisisduetotheflexibilityofthecloudenvironmentdefinitionandthepaceofprovisioningaswell.
Fromabusinessperspectiveit’salwaysbettertospendlessandachievemore.Inthecaseofclouds,hardwarecostslessbecausecloudconsumersdon’tneedtomanagetheirhardwarethemselves,sotheycanavoidspendingmoneyforelectricityandhardwareupgrades.
Inthecaseofproprietaryhardware,toscaleupyouneedtobuynewhardware,setitup,andmanageit.Atthepointwhenyoumustscaledown,theorganizationwillendupwithunusedhardware.Withacloudsolutionyoucanscaleyouroperationandyoudon’tneedtobuyhardware,allofwhichsavestime.
Developersofcoursecreatethecodethatmustbetestedintheenvironmentthat
isclosetoproduction.Inthecaseofproprietaryhardwareitisnecessarytohaveadedicateddevelopment/testingenvironmentmaintainedbytheITdepartment,probablyononeserver.Developinginthecloud,however,onlyrequiresdeveloperstohaveaseparateaccounttoworkwithanditiseasytocreateproduction-likeenvironmentstorunnewcodeand/orreproducebugs.
Theseareallgreatreasonswhyyoushouldconsidermovingfromalegacyenvironmenttoacloudenvironment,andtheclouddoesvirtualizeandorchestratealotofthemanualjobsthatarebeingperformedbyanITdepartment.Theseincludeprocessessuchasnetworking,softwareinstallation,VMhardwarecustomization,scaling,andmore.Anddon’tforgetupdatingtoacloud-readyapplicationcanbetherightbusinessmodelforenterprisecustomers.
Migrate-To-CloudsMethodologySo,ifyourapplicationisluckyenoughtobeacloud-readyapplication,anditseemslikeyouhaveconvincedyourcompanytomovefromself-maintainedhardwaretothecloud,itisimportanttounderstandthewidely-appliedstrategiesthatyoucanusetoswitchtothecloud:
Liftandshift:Ifyourapplicationenvironmentcaneasilymigratefromalegacyenvironmenttothecloudthenyoujustneedtoliftitandshiftittothecloudenvironment.
GreenFieldapproach(http://www.thegreenfieldorganisation.com/approach2.html):Fromthedefinition,youcanseethatthisisrisky.Thisapproachofrewritinganentirelegacyapplicationisthemostexpensiveandcriticalmodernizationapproach.However,automatedcodeanalysis,codeconversion,testing,andclouddeploymenttoolscangreatlyreducetherisksandcostsassociatedwiththis.So,inthiscaseitisstronglyrecommendedthatyoufigureoutthetrueriskratebeforeimplementingthisapproach.
Incrementalreplacement:Thisapproachrequiresyoutoreplacethesingleunitofanapplicationatatime.Thishasproventobecost-effectiveandlessrisky.Unfortunately,therearenoguidelinesthatcanreallyhelpyousincemosteveryapplicationisunique.
Consideralloftheintegrationsbetweenthelegacyapplicationinfrastructureandotherapplications—integratingapplicationswillneedtobeupdatedandtestedtakingintoaccountthecloudcapabilities.Thisisaveryimportantstepsinceit’snecessarytoimplementdeploymentarchitecture.Oncecomplete,youshoulddefinethehardwareconfigurationforeachapplication’scomponent(cloudsoffervarioustypesofbusinessmodels:payingforresourcesondemandorpayingforayear/monthsubscription).
Younextthingtoconsiderisaccessibility.Thisstepdefinesthenetworkingconfiguration,exposingwhichcomponentsofanapplicationshouldbeaccessible
tootherservices.Itisimportanttoleaveanapplicationnetworkingconfigurationinthesameconfigurationthatwasappliedbefore,soyouendupwiththeexpectedbehaviorthatwasobservedwiththelegacyapplicationhardware.
Forsoftwareconfigurationoncloudinstancestherearetwosteps:softwareinstallation(canbedoneonpre-provisioningorpost-provisioning)andpost-installation(post-provisioning)configuration.Cloudprovidersareofferingbaseimageswithoperatingsystems,butthisisnotwhatshouldbeused,becauseoftheavailabilityofmoreadvancedwaysofsoftwareinstallationatthepre-provisioningstage.ItismorethanrecommendedtocreatecustomimagesforVMprovisioning,andforthistaskpleasetakealookathttp://docs.openstack.org/developer/diskimage-builder/.Atthispointwe’rereadytodeploythecloud-readyapplicationanddopost-provisioningsoftwareconfigurationtostarttheapplication.
Thelaststepistoapplymonitoringsystemstotracktheenvironmentstateduringitswork.Here’stheshortlistofwhatshouldbetakenintoaccountforthis:
Hardwareconfigurationforapplicationcomponents
Applicationcomponentsdeploymentstrategy
Networkingconfiguration
Customimagecomposing
Environmentdeployment
Post-provisioningsoftwareconfiguration
Applyingmonitoring
Testinganapplication
Itdoesn’tseemlikethislistiscomplete,butifyoucombineitwiththealreadypre-definedlistofapplicationdependenciesyoushouldbeabletoobservethefulllistofapplicationneeds.Onceyouhavethisfulllist,thenyoushouldbegintheactualconverting(inthiscaseconvertingmeansapplyingamigrationstrategytoanapplicationanddoingtheactualdeployment)ofthelegacyapplicationtoafull-gearOpenStackapplication.
BUILDINGAPPSFROMSCRATCHNoteveryapplicationintheworldisalegacyapplicationbecausemanyofthemweredevelopedwhencloudsbecamepopularandapplicationsthemselveswerealreadyhardware-agnostic,butnotbuiltforcloudsatall.Soitispossiblethatmigratingtothecloudmaynotgivethenecessaryvalueaddexpectedbyacloud-orientedbusinessmodel.Andthismeansthatcreatinganewapplicationfromscratchmaygivethatbenefit,butinalongerperiodoftime.
ApplicationDesignGuidelinesforOpenStackDevelopinganewapplicationthatwillgotothecloudrequiresspecificguidelineswhendevelopingandintegratingapplicationsspecificallytoOpenStack:
Beapessimisticaspossible.Everythingbreaksso,“loveyourchaosmonkey”(achaosmonkeyisaservicethatidentifiesgroupsofsystemsandrandomlyterminatesoneofthesystemsinagroup).
Putyoureggsintomultiplebaskets.Leveragemultipleregions,availabilityzones,andcomputehosts.Designportability(rememberliftandshift).
Thinkofscalability.
WhenintegratingintoOpenStackdon’tforgettobeparanoid—designsecuritywisely.
Manageyourdatawisely.Dataisalwaysacriticalresource,sodon’thesitatetoenabledatareplication/clustering,anddoaregularbackup.
Bedynamic.Letyourapplicationbesmartbyenablingauto-scaling.
Handsoff—automateallbusinessprocessestoincreaseconsistency.
Notallapplicationsrequirethesamehighlevelofsecurity.
Predictabilityandelasticity—withincreasing/decreasingamountofresourcestheapplicationshouldactinapredictableway.
Divideandconquer.Makeyourapplicationgranularasmuchaspossible,especiallywhenintegratingHAsolutions.
Duetonetworkinglatencyitisnecessarytokeepyourdatapartitionsclosetoeachotherbutnotonthesamecomputehostorregion.
Loosecoupling,serviceinterfaces,separationofconcerns,abstractionandwelldefinedAPIsdeliverflexibility.
Becostaware:autoscaling,datatransmission,virtualsoftwarelicenses,reservedinstances,andsooncanrapidlyincreasemonthlyusagecharges.Monitorusageclosely.
BestPracticesinCloud-ReadyAppDevelopment
IfyourapplicationisdividedintoaserverandclientsideyouneedtoconsiderifitisnecessarytoconsumetheOpenStackAPI(managingcloudresources).YoumustdecideifyouwanttouseexistingclientbindingsforOpenStackservicesorimplementyourown.Forexample,ifyouarereusingexistingones,itisrecommendedthatyouusePython,becausetheOpenStackcommunitydoesdevelopmentanddeliveryforclientbindingsforyou.Ifyoudon’tusePython,youwillhavetoresearchiftherearesupportedup-to-dateclientbindingsoryoumustimplementyourown.Soitisuptoyourdevelopmentteamtodecidewhichlanguageshouldbeusedfordevelopment,includingallgivenpoints(abilitytocodefast,workonvirtualizedhosts,etc.).
Onceyouhavemadeadecisionregardingbasedevelopmenttechnologies(includingcodinglanguage,additionalsoftware,SDKs,etc.)itistimetofigureoutyourbestpracticesforapplicationdevelopment.
ManageYourCodeAppropriatelyApplicationsthatarebeingdevelopedshouldbeversion-controlledusinganysoftwaresuchasGIT,Mercurial,orSVN.Itisveryimportantiftheapplicationisdistributedthateachofitscomponentsshouldbetreatedasseparatecloudapplications.Notethatmultipleapplicationsthataresharingthesamecodebaseisaviolationofthismethodology.So,basically,keepyourapplicationsseparate.Goingbacktotheversioncontrolsystem,itismorethanobvioustousethembecausetherewouldbeaneedtohave,forexample,astableproductionversionorstagingthatisbeingrecentlydeveloped.
DependencyManagementForanycloud-readyapplicationsitisnecessarythatyouexplicitlydefinetheirdependenciesinamannerthatisunderstandabletothepackagingsystemofthedistribution.Agoldenruleistoneverrelyonadeploymentenvironment,sinceitispossiblethatfromversiontoversiontherearesomepackagesthatmightnotbepresented,whichmeansexplicitisbetterthanimplicit.AsimpleexampleishowUbuntu12.04hasPostgreSQL9.1initssourcerepositories,butUbuntu14.XXdoesn’t.
ConfigurationManagementMakeyourapplicationconfigurable.Itispossiblethatthedeploymentenvironmentmayvary(deploymenthostname,credentials,IPaddressesincaseofSwitches,NATs,etc.).Therearealsoapplicationconfigurationparametersthatareremainingthesameacrossdeployments,soitdoesn’tmeantheyshouldnotbeconfigurable,butusesomesortofdefaultvalues.Anotherimportantitemtotakeadvantageofisconfigurationparametergrouping.Forexample,ifanapplicationusesadatabaseandanAMQPserviceforitsinternalneeds,pleaseputthoseoptionsintodifferentsectionssuchas[database],[messaging],andfordifferenttypesofdeploymentsitwouldbenicetohavesectionslike[production],
[staging],ifnecessary.
Build,Release,andHaveFunTherearefourmainstagesbeforeallowingaccesstoanapplication:
Build:Simple,right?Makeadistributionofyoursourcecode,anditdoesn’tmatterwhatitwillbe:DEB,RPM,PythonEGG,GitHubTag,orwhatever.
Staging:Oftentakesacoupleiterations.Intherealworld,astagingenvironmentwithaninstalledbuildisbeingexaminedusingpost-deploymentverifications.Bysaying“post-deployment”verificationwemeanthattheQAteamrunsasetofscenariosthatmimicuserbehavior.Duringstagingitispossibletodiscovercertainbugsorunexpectedapplicationbehavior.InthiscasetheQAteampreparesanadditionalsetoftestscenariosfornewstagingdeployment.
Release:TheKraken!Oftenthereleasestageinvolvesnewversionpublishing,soprepareversionreleasedocumentation,anddoanyannouncementswithinanyavailablecommunicationchannels.Beforedoingareleaseitisnecessarytoprepareamechanismfortheuserreports(JIRA,Slackchannel,oramailinglist).
Havefun:Yes,havefunwithuserreports,issues,andnewrequestedversionfeatures.
PrepareYourApptoWorkatScaleorDieMostdistributedapplicationsaredistributedbecausekeepingasingleinstanceofanapplicationgivesazerofault-tolerance.Butlet’sfigureouthowanapplicationcanscalewithoutconsumingmoreVMs.Almostalldevelopmentframeworkshavemultithreaded,processedlibrariesforcreatingaserviceslikeRESTfulservicesorapplicationenginesthatcanhandlemultiplerequestsatthesametime.Theterm“worker”isanentitythatisbeingmanagedbyataskbroker.Here’sasimpleexample:thePythonlibraryFlasksupportsprocessesandthreads,butbecauseofitsimplementationitisnotrecommendedtouseitasauseraccessibleservice.InproductionitisrecommendedtouseNginx+PythonGunicorn+Flask,butlet’sunderstandwhy.Nginxworksasaproxyanditdoesagoodjob,butPythonGunicornworksasalocalRESTfulservicewrapperandallowsyoutorunanapplicationwithinmultipleworkersthatarebeingexecutedasseparateprocesseswithacommontaskdistributor.TheFlaskapplicationholdsanimplementationoftheRESTfulapplication.
Speakingofthenumberofworkers,takeintoaccountthatit’sstronglysuggestedtorunonlyonetypeservicesperVMinstance.So,yourapplicationshouldrunanumberofworkersequaltothenumberofvCPU.However,wearestilltalkingaboutasingleVMwithmultipleworkersinit,andwestillatthepointwhereweare,anapplicationshouldsurviveandbeavailableforitsusers.Andherecomesloadbalancingandhighavailability—cloud-readyapplicationsshouldbereadyto
workcorrectlywithinmultipleinstancesbehindaloadbalancer(eachapplicationdoesn’tstoredatalocally,butdoespersistintoabackingservice)withinanHAmode.
Whyishighavailabilityandloadbalancingneeded?Firstofall,HAmodegivesyoutheabilitytoaccessapplicationswithinitsmultipleinstances(example,Galeramaster-2-musterreplication),soyouhaveaninstanceforanAtoZuserwhocangetthesamedatafromanyofthem.ThisishowHAmodeworks.Butindevelopinganapplicationthatisconsumingacloudapplication,itisnotveryusefultorememberasetofIPaddressesordomainnamesforeachapplicationinstance.LoadbalancingprovidesyouwiththeabilitytohidethecloudapplicationbehindoneIPaddressorDNSname.Thisisbeneficialbecausetheloadbalancerdistributesrequestsbetweencloudapplicationinstances.Becauseofthis,yourapplicationshouldnothavetoworryaboutaccessibilityofaspecificinstance.
MaximizeRobustnesswithFastBootstrappingandGracefulShutdownOpenStackapplicationsshouldstrivetominimizebootstraptime.Inanidealworld,anapplicationtakesafewsecondsfromthebootstrapexecutionuntiltheprocessisupandreadytoreceivetasks.Ashortstartuptimeprovidesmoreagilityforthereleaseprocessandscalingup;andithelpstoimproverobustness,becausetheapplicationinstancemanagercanmoreeasilymoveittonewphysicalmachines(byauto-scalingevents).ApplicationsshutdowngracefullywhentheyreceiveaSIGTERMsignalfromtheirmanager.Unfortunatelymostapplicationdevelopersareputtingworriesaboutagracefulshutdowntothebacklog.
KeepDevelopment,Staging,Pre-ProductionandProductionAsCloseAsPossibleAsdevelopersyouneedtokeepinmindthefollowing:
Makeyourtimegapsmallbetweenwritingcodeandputtingitintostaging/pre-production/production.
Makethepersonnelgapsmall.Youarethecommitterofnewcode,soyouareresponsiblefordeploymentwithinanyenvironment.
Makethetoolsgapsmall.Eachdevelopershouldkeeptheirenvironmentalmostsimilartoaproductionenvironment.
Keepthisinmindwhentestingyourcode.Asadeveloperyoushouldresisttheurgetousedifferentbackingservicesbetweendevelopmentandproduction,evenwhenadapterstheoreticallyabstractawayanydifferencesinbackingservices.Differencesbetweenbackingservicesmeansthattinyincompatibilitiescropup,causingcodethatworkedandpassedanytypesoftestsindevelopmentorstagingtofailinproduction.
TestAsMuchAsPossible
Inapplicationdevelopmentthatinvolvestheuseofattachedresourcesitisnecessarytowritethenexttypesoftesting:
Fake-modeintegrationtests:Thistypeoftestingallowsyoutoexamineyourcodenotinvolvingattachedresources(foron-demandservicesthatcostyoumoney)butuseinsteadtheirfakeimplementationstubs.
Real-modetests:HandleanyAPIbackingservices.
Post-deploymentchecks:Thistypeexaminesuserstories,scenariosagainstdeployedapplication,andoftentakespartatstagingandpre-production.
ContinuousIntegration/ContinuousDeliveryContinuousIntegration(CI)isthepracticeoftestingeachchangedonetoyourcodebaseautomaticallyandasearlyaspossible.So,forthesakeofstabilityinsurance,yourprojectshoulduseCIvotesaspartofcodereview,becauseCIwouldpreventyoufrommergingcodethatdoesn’tworkcorrectly.ContinuousDelivery(CD)followsyourtestsresultstopushyourchangestoeitherastagingorpre-production(pushingintoproductionmaycauseproblems).Inanycase,CDmakessureaversionofyourcodeisalwaysaccessible.ItispossiblethatyouneedtokeepyourownCI/CDduetospecificreasons.Butifyourorganizationissmallandyoudon’thaveenoughresourcestoinvestintobuildingyourownenvironment,youcanuseanyCI-as-a-Service.Therearetwowell-knownservices:TravisCI(https://travis-ci.org/)andCircleCI(https://circleci.com/).Feelfreetopicktheoneyoulike.
So,youhaveSDKs,andyouhaveguidelinesonhowtodothis,andhownotto.YouhaveCIandCD.Itisnowtimetodosometrickymagic—deployanapplication,arealcloudapplication.
OPENSTACKAPPDESCRIPTIONANDDEPLOYMENTSTRATEGIESSo,thisisagoodtimetotalkabitaboutlegacyapplicationdescription.
Comingbacktothemethodologyofmigratinganapplicationtothecloud,youneedtohaveallofthestepsimplementedthatwehavecoveredinthischapterforyourapplicationtobecomecloud-ready.Let’sassumethatyouhavetheseinputs:
Applicationconsistsofthesecomponents:WebUI,RESTfulservice,back-endservice,andabackingservice.
WebUIandRESTfulservicearefacingtousers.
Back-endserviceisaccessibleonlybyaRESTfulservice.
Backingservicecanbeanattachedserviceoritcanbethepartofanapplication.Onlyapplicationback-endservicestalktothebackingservice.
So,whatwouldbethebestsolutiontomakethisapplicationcloud-ready?
DEMOAPPLICATIONSOURCECODEYoucanaccessthesourcecodefromourdemoapplicationviaGitHub:https://github.com/johnbelamaric/openstack-appdev-book.
Cloud-ReadyAppDescriptionFollowingthemigrationsteps,youneedtodecoupleyourlegacyapplicationintomultiplenodes.Let’sassumethatyourapplicationconsistsofthesenodes(seeFigure4.1):
WebUInode
RESTfulservicenode
Back-endservicenode
Backingservice(MySQL)
Figure4.1
Youneedtodefinethehardwarerequirements,i.e.intermsofOpenStack–definespecificinstanceflavorsthatdescribethenumberofvCPUs,RAM,ephemeralandrootdisk.Forthesakeofsimplicitylet’sassumethatyouareokwithonlyoneflavor,butmostreal-worldcasesmustdefineflavorparametersforeachapplicationservice,becauseoftheworkflows.Inmostcases,someinstanceswouldrequirealotofvCPUstodocalculations,andotherinstanceswouldrequiretonsofRAMandarootdisktododataprocessing(HadoopanditsHDFSwithmap-reducewouldbeagoodexamplehere).
Forthecursoryglanceitlooksfine.UsersareabletoaccesstheapplicationwithintheWebUIorRESTfulservice.Suchanapplicationwouldbeagoodexampleofhowtointegrateintothecloudsincethatgivenappismulti-tiered.
Whenwe’retalkingaboutMySQLandbackingservicesingeneralwehavetoconsiderthatthistypeofserviceshouldbedurable,andavailablenomatterwhathappens.So,basedongiveninputsweneedtofigureoutwhichoperatingsystemisneeded,howmuchresources(RAM,vCPUareneeded),anddowewanttokeepMySQLdataasanattachedblockstorageprovidedbyGlance(thesestepsanddecisionsareveryimportant,becauseallofthisaffectsthelifecycleoftheservice).So,relyingonbackgroundknowledgewestronglyrecommendyouuseaflavor
thatdoeshaveatleast4vCPUsandattheveryleast8GBRAM.Regardingstorage,werecommendyouuseablockstoragevolumetoallowforquickfailrecoveryandconsistency.
TheapplicationcomponentsaretheWebUI,RESTfulservice,andback-endservicenodes.ByitselftheRESTfulservicenodeisnotastandaloneapplicationthatisbeingdeployedaspartofapplicationdelivery.Accordingtobestpracticesofapplicationdevelopment,itshouldbetreatedasaseparateapplication.Comingbacktowhatwe’vediscussedforMySQL,weneedtofigureoutwhatwouldbethebestoptionsfordeployingthisapplication.Byitself,theRESTfulserviceisastatelessapplication,butithastoworkfasttoservemultipleusersatthesametime.ItisrecommendedthatyouuseaflavorthathaslotsofRAM,avCPUquestionisnotcriticalfornow,andwedon’tneedblockstoragefornowbecausethere’snothingtostore,becausewejustprocesstherequests.Speakingofanapplicationback-endservice,thispartoftheapplicationistough,sinceitdoesalmostalloftheheavywork.Sothisnodeshouldbeverypowerful,andithastohavelotsofvCPUs,RAM,anddiskspacethatarerequiredbyanapplication’sworkflowdefinition(notblockstorage,butflavorrootdisk).ThereisnothingdifferentabouttheWebUInode—itshouldbefast,andtherearenootherdemands.
OncetheRESTfulserviceandWebUInodesgetdeployed,userswillbeabletoaccesstheRESTfulservicewithintheRESTfulservicenodebyitsIPaddressandWebUIindependently(accordingtoagivenschema,UIcanworkwithsingleinstanceofaRESTfulserviceatthesametime).Pleasekeepinmindthatintherealworld,eachservicethatisfacingtoauserneedsmustbesolidandreadytobestress-tested,becauseinsomecasesusersareactinglikeDDoSattackers.
Aftercompletingthissectionwehaveacloud-basedapplicationthathasbeendeployed,takingintoaccountallbestpracticesandapplicationdemands.
NetworkDeploymentStrategyLet’sgobackanddescribetheapplicationdeploymentschema.Wehavethreetypesofservices,inotherwordsthreedifferentcloudapplications,andeachapplicationdeservesitsownaccesslevelfromtheoutside.Forexample,thecurrentschemadescribesanapplicationdeploymentwithinasinglenetworkthatseemsokforanexample,butsuchSLAdoesn’tlookgoodforothercases.WebUIandRESTfulservicesarefacingtouserswithinapublicnetwork,sotheusercanaccessbothofthemandsuchthingsbreaktheconceptsofasecureSLA.
PublicandPrivate(Management)NetworkYoumightsuggestthateachcomponentuseitsownnetwork,butitwilladdanoverheadsinceyou’dneedtodoroutingandmighteventuallyendupwithcomplex,hardlymaintainablesolution.Ofcourseyouarenottryingtolinkmultipledatacentersintoasinglenetworkforthissolution.Inthiscaseitwould
beenoughtodefinetwonetworks—public(withInternet,andaccessiblefromtheoutside)andprivate(noInternet,andaccessiblefromapublicnetwork).Firstofall,itisnecessarytofigureoutwhichnetworkeachservicebelongsto.It’seasywithourexample:networkplacementisdescribedinFigure4.2;WebUIaspublicNICinFigure4.3;RESTfulservicesasprivateNICinFigure4.4;applicationback-endserviceasprivateNICsinFigure4.5;andMySQLnodeasprivateNICinFigure4.6.
Figure4.2
Figure4.3
Figure4.4
Figure4.5
Figure4.6
Asyoucansee,baseduponthedescriptiongivenabove,applicationtiersmayhaveacoupleofnetworksattachedtopreventunwantedaccess.Now,let’stakealookateachcomponent,startingwiththeWebUI.SincethistypeofapplicationtierneedstobeavailabletousersitshouldhaveapublicIPaddressanditdoesn’thaveinternalnetworkaccesstopreventsecurityrisks.So,thegreencolorwirecorrespondstothepublicnetworkshowninFigure4.3.
TheRESTfulservicetierissimilartotheWebUItierforthisapplication,sincethecomponentshouldbeaccessiblewithinthepublicIPaddress.But,sincethesecomponentsaretiedtothebackendservice,ithastohaveaccesstotheprivatenetwork(seeFigure4.4).Theredlinewirecorrespondstotheprivatenetworkaccess.
Goingforward,let’sexaminetheapplicationback-endservicetieranditsnetworking,showninFigure4.5.Thispartoftheapplicationisonlyaccessiblewithintheprivatenetwork.
Takealookatthelastcomponentofourapplication—MySQL(seeFigure4.6).Thispartoftheapplicationfollowsasimilarnetworkingstrategyastheback-endservice.Theprivatenetworkandthiscomponentareaccessibleonlybytheback-endservice.
KeepinmindthattheaccessibilityoftheapplicationcomponentandthenetworkstrategyrequiresanSLAsetupforanapplicationwithingivennetworks.InthecaseofOpenStackitisrecommendedthatyouusesecuritygroups(availableinNova-networkandNeutron):
FortheWebUIinstance:SupposeweuseNginxforhostingtheUIcodeanddefaultportsforHTTPandHTTPS.Itwouldbenecessarytocloseanyportsexcept80and443forinboundconnectionsandopentheportfortheloadbalancerforoutboundconnections.
ForRESTfulservicenodes:Securitygroupsforinboundconnectionsrequirealoadbalancerportonly.SecuritygroupsforoutboundconnectionsrequireAMQPbrokerportsordirectaccessportstotheapplicationback-endservice.
Fortheapplicationback-endservice:SecuritygroupsforinboundconnectionsrequireaRESTfulservicefornodesportsfromtheirIPsonlyornorules(inthecaseofAMQPtransport,therewouldbeonlyoutboundconnectionstotheAMQPbroker).SecuritygroupsforoutboundconnectionsrequireMySQLportswithaMySQLmasterinstanceIPasCIDR,andinthecaseofAMQP,brokerinstance(s)port(s).
ForMySQLnode:Securitygroupsforinboundconnectionsrequireanapplicationback-endserviceport,andMySQLslaveportswiththeirIPsasCIDRs.SecuritygroupsforoutboundconnectionsrequireamasternodeportandanIPasCIDR.
SUMMARYInthischapterwecoveredhowtodoamigration,includinglimitationsandcriticalpoints,butitwasn’tjustasimpleliftandshift.Wetriedtoexplicitlyexplainhowtodecoupleapplicationservices,andhowtoimplementadeploymentstrategy,includingnetworkingandSLA.We’veamendedstepslikeapplicationtestingandsoftwareconfiguration,duetothevarietyoftechniquesapplicableforsuchcases,andalsowe’veskippedmonitoringbecauseofthecomplexityoftryingtodescribethegenericusecaseforcloudapplicationmonitoring.Buteveryothercaseandtechniquedescribedinthischapterareapplicableforanytypesofcloud-readyapplications,regardlessiftheyarealegacyapplicationinthepastoracompletelynewapplicationthatisunderdesignrightnow.
5ImprovingontheApplicationWHAT’SINTHISCHAPTER?
Understandingthetypesoffailurescenariosthatcanaffectapplicationsrunninginthecloud
ProvidingaccessintotheapplicationandunderstandinghowhostnameandIPaddressesplayanimportantrole
Methodsforscalinganapplicationtomultipleinstancesandregionsandadaptingtoeventsintheenvironment
Improvingthebasicapplication
Itiscommonforapplicationstobeinitiallydevelopedforthecloudinaverysimplemanner.Thedevelopermaystartwithdeployingtheapplicationasasingleinstanceinthecloud.Iftheapplicationhasdifferenttypesoffunctions,suchasawebfront-endandadatabaseback-end,thesefunctionscanbebrokenintoacoupledifferentinstances.
Thischapterdiscusseswhatyouasthedeveloperneedtodonext.Youneedtoknowwhatkindoffailuresoccurinthecloudandhowthosefailurescouldaffecttheapplication.Youalsoneedtounderstandtheapplicationcomponentsandhowtheyrelatetofailuresinordertobuildamorerobustandreliableapplication.
Differenttechniquesareexaminedonhowtoscaletheapplicationinthecloud.Thechapteralsotakesalookatperformanceandwhyitisimportanttoknowwhenandwhereperformanceissuesoccur.Often,scalingtheapplicationintherightplacescanmitigateperformanceissueswhentheyoccur.
Thechapteralsotakesalookatdataprotection.Howimportantisthedatatotheapplication?Isitimportantthatdataisneverlost?Cansomedatabelostandrecreatedorreplacedlater?Howimportantisthedata?Theanswerstothesequestionscanaffectdecisionsonhowdataisprotectedinthecloud.
Highavailabilitymeansthattheapplicationisalwaysavailableandminimizesdowntime.Italsomeansthattheapplicationshouldrunreliablyandbeperformant.Thischaptertakesalookatwhatitmeanstobuildahighlyavailableapplicationandsomeofthechallengesdevelopersmayrunintoalongtheway.
Finally,wetakeabasicapplicationandimproveuponittodemonstratetheconceptsinthischapter.Threedifferentcomponentsareexaminedastheyaretakentothenextlevelinprovidinghighavailability.
DEMOAPPLICATIONSOURCECODEYoucanaccessthesourcecodefromourdemoapplicationviaGitHub:https://github.com/johnbelamaric/openstack-appdev-book.
FAILURESCENARIOSOperatorsoftheOpenStackcloudunderstandthatitisdifficulttokeepthecloudrunningproblem-free.Thelargeracloudenvironmentis,themorelikelyproblemswilloccur.Developersneedtounderstandwhattypesofproblemscanaffecttheapplicationandhowtodealwiththem.Applicationsthattakethesefailurescenariosintoaccountwillsufferlessdowntimeandcontinuetorun,evenwhenproblemsdooccur.
HardwareFailureAtypicalOpenStackenvironmentcontainsafewadministrativeserverstohelprunthecloud,aswellasabunchofotherservers,calledcomputenodes,thatprovidethemeansforapplicationstobedeployedtothecloud.Thebiggertheenvironment,themorehardwarethatwillberequiredtorunit.
Eventually,aserver’shardwareisgoingtofail.Themostcommontypesofhardwarefailureincludediskdrives,memory,CPU,powersupplies,andnetworkinterfaces.Somehardwarefailurescanbringtheserverdownentirely.Somehardwarefailuresmayresultinareducedserverperformance.Otherfailuresmaynotaffecttheserveratall,suchasoneofthepowersuppliesfailing.
Ifanapplicationisbuiltwithouthighavailabilityinmind,itislikelythattheapplicationhasmanysinglepointsoffailurebuiltintoit.Ifaserverfailsandanyoneofthosesinglepointsoffailuresisonthatserver,theapplicationwillfailaswell.
NetworkFailureThereareseveraldifferentwaysthatanetworkcanbesetupandoperatedwithinanOpenStackenvironment.However,fromtheperspectiveoftheinstancerunninginthecloud,ithasanetworkinterfacecardwithanactivenetworklinkandanassignedIPaddress.Allthatmatterstotheinstancesisthatitisconnectedtothenetworkandthatitcanaccessotherinstancesordevicesonthenetworkreliably.
OnewaythatinstancesexperiencenetworkfailuresiswhensomethingbreaksintheOpenStacknetworkstack.TheinstancestillseesanetworkandstillhasanIPaddress,butitisunabletoconnecttoanyotherdevicesonthenetworkandotherdevicesareunabletoconnecttotheinstance.Therootcauseofthenetworkissuewillaffecthownetworkconnectivityisrestoredintheinstance.Forexample,issueswithNeutronorOVSonthecomputenodewheretheinstanceexistsmayrequiretheinstancetoberebootedinordertorestoreconnectivity.
AnotherwaythatinstancesexperiencenetworkfailuresisthroughthelossoftheIPaddressonitsnetworkinterfacecard.TheIPaddressisprovidedtotheinstancebyaDHCPservicethatrunsonthenetworknode.ItisrarefortheDHCPserviceitselftogodown,butissuesintheOpenStacknetworkstackmaydisrupt
theabilityfortheDHCPservicetocommunicatetotheinstance.DefaultconfigurationsofOpenStacktendtoexpireDHCPleasesveryquickly,whichresultsintheinstancerenewingitsDHCPleaseoften.Networkcommunicationissuescandisrupttherenewalprocess,whichresultsintheIPaddressbeingreleasedfromtheinstanceandultimatelytakingitsnetworkdown.
Theoperatingsysteminstalledontheinstancecanmakeadifferenceonhowitrespondstonetworkissuesaswell.Forexample,whenaninstancelosesaDHCPaddress,UbuntutypicallycontinuestoretryrenewingtheDHCPaddress.Whenthenetworkissuesareresolved,therenewalprocesssucceedsandtheIPaddressisrestored.However,RedHatandCentOSarecommonlyconfiguredbydefaulttogiveupaftertherenewalprocessfails,whichmeansthatevenifthenetworkissuesareresolved,theinstanceisnolongerattemptingtorenewtheDHCPleaseandpermanentlystaysoffthenetwork.Theeasiestwaytoresolvethenetworkconnectivityissuewiththeinstanceistoreboottheinstance.AbettersolutionwouldbetoadjusttheDHCPclientforRedHatandCentOSinstancestoalwaysretryDHCPrenewalsinsteadofgivingup.
Externalnetworkissuescanalsooccur.AtypicalOpenStackenvironmentwillbesetupwithasetofadministrativenodes,numerouscomputenodes,oneormoreswitchestoconnectallthenodestogether,andarouterfortheswitchestoconnecttofortrafficcominginorleavingtheOpenStackenvironment.Theswitchesarecriticaltotheoperationoftheenvironment,asthatisthelifelinebetweenthecomputenodeandthenetworknode.Aswitchproblemcandisruptcommunicationbetweenthenodes.Anissueattheroutermaynotdisruptcommunicationbetweennodes,butitmaypreventaccesstootherthingsonthenetwork,suchasDNSlookups,accesstoauthenticationservers,andanyothernetworkservicestheinstancesmaydependon.
StorageFailureAnOpenStackinstancemakesuseofeitherephemeralstorageorpersistentstorage,orevenacombinationofboth.Ephemeralstorageisdefinedasstoragethatmaynotbepermanent.Forexample,thestorageassociatedwiththeinstancecouldbedeletediftheinstanceitselfisterminated.Persistentstorageisdefinedasstoragethatispermanent.Ifaninstanceisterminated,thepersistentstorageassociatedwiththeinstanceistypicallynotdeleted,butmaybedetachedandmadeavailabletobeattachedtoanotherinstance.
Persistentstorageistypicallyimplementedasobjectstorageorblockstorage.ObjectstorageisoftenimplementedusingSwiftorsomeotherproductthatimplementstheSwiftAPI,suchasCeph.Whenusingobjectstorage,containersarecreatedandbinaryobjectsarestoredinsidethecontainers.InstancescanretrievethestoredobjectsusingtheAPIimplementedbytheobjectstoragesystem.Blockstorageshowsuptoinstancesasblockdevicesintheoperatingsystem,whichcanthenbemountedonadirectoryorusedasarawdevice.
Ephemeralstorageissimilartoblockstorageinthewaythatitappearstotheinstanceasblockdevices.Thismeansthatinstancescanmounttheblockdeviceonadirectoryoruseitasarawdevice.EphemeralisconfiguredbydefaultinOpenStacktousethestoragefromthedisksinthecomputenodes.Itispossibletoconfigureephemeralstorageusingotherarchitecturestoo,butusingcomputenodedisksforephemeralstorageisthemostcommonusage.Unlessaninstanceislaunchedusinga“bootfromvolume”method,theinstancewillbecreatedusingthecomputenodeephemeralstorage.
OneofthemostcommonhardwarefailuresencounteredinanOpenStackenvironmentisdiskfailure.Diskfailurescanhaveawideeffectoninstances,dependingonhowOpenStackisconfiguredandhowthediskfailureaffectsthedeviceitisinstalledin.Ephemeralstoragewilllikelyhaveagreatereffectoninstancesthanpersistentstorage.Withephemeralstorage,dataisveryunlikelytobereplicatedandthechancefordatalosswillbehigher.Forpersistentstorage,dataisoftenreplicatedandcanbeaccessedinmultipleways.Ifasinglediskfailsinapersistentstoragecluster,theinstancemaynotevennotice,sincethedataremainsavailableandconsistent.
Let’slookatthecasewheretheinstanceisrunningonephemeralstorage.Theoperatingsystemisonanephemeralrootdiskthatlivesonacomputenode.ThecomputenodecouldbeconfiguredwithsomekindofRAIDthatreplicatesdatabehindthescenes.Asinglediskfailuremaynotaffecttheinstanceatall,muchlikeasinglediskfailureinpersistentstorage.However,itisnotuncommontoseeaRAIDdeviceexperienceadiskfailurethatresultsintheblockdevicegoingintoread-onlymodeinsidetheinstance.Eventhoughthedataisstillavailableandcanbereadbytheinstance,writesareblocked.Read-onlymodeusuallyoccursatthecomputenodelevel,whichaffectsalltheinstancesrunningonthatnode.Rebootingthecomputenodeisoftenneededtofixtheissue.
IfthecomputenodeisnotconfiguredwithRAIDorsomekindofdatareplicationforephemeralstorage,thenalossofadiskisusuallycatastrophictotheinstance.Ifthefaileddiskiswherethatinstance’sstoragewaslocated,thenthatdataispermanentlylost.Theinstancewillneedtobeterminatedandrebuilt.
Forblockstorage,instancesmayexperienceproblemswiththemountedvolume.Ifthereareseriousissuesinthepersistentstoragecluster,avolumemaybecomeunavailabletotheinstance.Ifthevolumeismounted,anyreadsandwritesmayhang,waitingforaresponse.Ifthevolumeisnotmounted,itmayrefusetomountorbedetectedasavaliddisk.Thisisseenmoreoftenwhenaninstanceisbeinglaunchedorrebooted.Ifthevolumeisunavailableforsomereason,theinstancemayfailtolaunchorneedadministratorinteractiontogettheinstancetoboottherestoftheway.
MostvolumeissuesoccurbecauseofissueswithintheOpenStackenvironmentandnotnecessarilywiththepersistentstoragecluster.TheremaybeanissuewithCinderoranissuewiththecommunicationbetweenNovaandCinder.Manyof
theseissuesmaynotaffectavolumethatisalreadymountedinaninstanceandcurrentlybeingused.However,theseissueswilllikelyaffectthelaunchingorrebootingofinstances.Thisalsoaffectstheabilitytodetachvolumesfromoneinstancesothattheycanbeattachedtoanotherinstance.Inmostcases,thisonlyaffectstheabilitytoaccessthedataanddoesnotresultindataloss.
Objectstorageisaccessedinadifferentmannerthanforblockstorage.Objectsarepushedintostorageorfetchedfromstorage.Ifthereareanyissuesintheobjectstoragesystem,itusuallymanifestsasobjectedbeingunavailableoroperationstimingout.
Persistentstorageismostoftenconfiguredwithsomekindofreplication.Replicationfactorsof2or3arecommon,buttheremaybecaseswherereplicationisdisabledforsomereason.Itisimportanttoasktheadministratorsabouthowreplicationisconfiguredinordertobetterunderstandhowfailurescouldaffectaccesstodataandthepotentialfordataloss.
Instanceshaveadifficulttimedealingwithstoragedevicesbecomingunavailable.Iftheapplicationdependsondataalwaysbeingavailable,itisimportantthatmonitoringisconfiguredtomonitorstorageavailableandintegrity.Forephemeralstorage,mostfailuresresultsintheinstancegoingdownaswell.However,instancesshouldmonitorforwhenfilesystemsgointoaread-onlystate.Instancesmayoperatefinewitharead-onlyfilesystem,especiallyiftheapplicationonlyreadsdataanddoesn’twritedata.Monitoringmaynotseetheissueeither,norwilltheissuebeseeninanyofthelogs.Sincearead-onlyfilesystemisanindicationthatthereisanunderlyingproblemwiththecomputenode,catchingitearlysotheapplicationcanadaptarounditisagoodidea.
SoftwareFailureAnothertypeoffailurescenarioispurelysoftwarespecific.Forexample,akernelbugwithintheoperatingsystemofthecomputenodemaycauseittocrashorhang.Thiswillresultintheinstancebecomingunavailable.Sometimes,itmaybebecauseofakernelbugintheinstance’soperatingsystem.Theinstanceitselfwillcrashorhang,requiringareboottoputitbackintooperation.
IssuesintheOpenStacksoftwaresuitemayalsocauseproblems.Mostproblemsofthisnaturedon’taffectaninstance,unlessitisanissuethatwillaffecttheinstance’snetworkorabilitytoaccessitsstorage.CommonOpenStacksoftwareissuesincludeproblemswithRabbitMQ,CinderandCeilometer.Theseissuesmaynotaffectcurrentinstances,buttheycouldverylikelyaffecttheuser’sabilitytolaunchnewinstances,terminateinstances,ordoanyotherOpenStackrelatedmanagement.Forapplicationsthatmakeuseoftheelasticnatureofthecloudtodynamicallygrowandshrinkinstancesbasedondemand,softwareproblemscanreducecloudelasticitysignificantly.
Anotherissuethatcouldoccurisalackofresourceavailability.Ifaninstanceisrunninganapplicationthatisleakingmemory,thatinstancewilleventuallyrun
outofmemoryandfail.Ifanapplicationislaunchinglotsofprocessesanddoesnotproperlycleanupafteritself,theinstancecanrunoutofprocessslotsandbeunabletolaunchnewprocesses.Ifanapplicationfailstoclosefilesthatitopensandisnolongerusedandopensalotoffilesovertime,theapplicationmayuseupalltheavailablefiledescriptors.Thiscancausetheapplicationtofailorevenpossiblytheinstance.Whenaninstancerunsoutofresources,itmayresultintheinstancecrashing,butitmoreoftenresultsintheinstancebecomingunavailable.Monitoringmaydetectmultiplealarmsandattemptstologinmaybeunsuccessful.Rebootingtheinstanceoftenfixestheproblem.However,iftheproblemoccursrepeatedly,theapplicationneedstobeexaminedforbugsandpotentialconfigurationtweaks.Itisbettertofixtheproblemwiththeapplicationthantotrysolvingtheproblembylaunchinglargerinstanceswithmoreresources.
ExternalFailuresInstancesmayexperienceDNSlookupissuesduetosomeexternalissue.ThiscouldbetheresultofanetworkoutagebetweentheOpenStackenvironmentandtheDNSservers.ItcouldalsobeanissuewiththeDNSserversthemselves.DNSissuescanlooklikeageneralnetworkissuefromtheperspectiveoftheinstance.NearlyeverythinganinstancedoesonthenetworkrequiresaDNSlookup.WhenaDNSissueexists,lookupsgenerallydonotjustfail,rathertheytimeout.Iftheinstanceisconfiguredtodolookupsonmultipleservers,thetimeoutscanstackupforeachrequest,compoundingproblemsforapplicationstryingtoconnecttoservicesonthenetwork.
InstancescanreducetheeffectthatDNSissueshavebytuningtimeoutsettingsinthe/etc/resolv.conffileandbydoingsomekindofDNScachinginsidetheinstanceitself.Ifcachingisused,onceahostnameisresolvedtoanIPaddress,itwillbekeptinthecacheforaperiodoftimesofutureDNSlookupsforthathostnamecanbeskipped.Manyinstancesareconfiguredwithoutcachingenabled.Dependingontheoperatingsysteminstalledintheinstance,NSCDordnsmasqmayneedtobetweakedinordertoenableDNScaching.
Anothercommonissuethatcanoccurtoinstancesisitsinabilitytotalktoimportantservicesonthenetwork.Agoodexampleofacommonserviceisanauthenticationservice.ActiveDirectory,LDAP,KerberosandRadiusareallexamplesofauthenticationservicesthatcouldbeused.Networkissuesandissueswiththeauthenticationserviceitselfcancauseanapplicationtomisbehaveorfail.Distributedapplicationsmayseeperiodicfailuresifonlyaportionoftheinstancesexperienceauthenticationissues.Forexample,usersmayseeaperiodicwebpagefailureiftheirclickresultedinanactionthattalksaninstancesthatisunabletodoauthentication.
Authenticationserviceissuesaredifficulttoovercomeintheinstance.Thebestwaytodealwithauthenticationserviceissuesistodetectthemwhentheyoccur,understandwhetherornotitistransientoriftheissueistrendingfrombadto
worse,andreacttotheissue.Adistributedapplicationcoulddetectauthenticationissuesinaportionoftheinstancesandchoosetoremovethoseinstancesfromthepool,workingaroundtheproblemuntilauthenticationservicehasbeenrestored.Attheveryleast,thereshouldbemonitoringthatalertstheapplicationownerstotheissuesothattherootcausecanbeinvestigatedandthenecessaryadministratorsinvolved.
Instancescanalsoexperienceissueswithtimeskew.Thisisasubtleproblemthatmaynotbenoticedwithoutpropermonitoring.Manyapplicationsmaynotevencareabouttimeskew,especiallyforinstancesthatarerunningportionsofanapplicationthatdoesnotrequirestate.However,authenticationcommonlydoesrequiretheinstance’stimetobeveryclosetothetimetheauthenticationserversees.Someauthenticationmethodsareverystrict,resultinginfailedauthenticationattemptsiftheinstance’stimeismorethanaminuteortwooff.Someapplications,suchasfinancialapplications,requireaccuratetimeaswell.
RunningNTPinsidetheinstancescanhelpkeeptheinstance’sclocksynchronizedtothecorrecttime.However,NTPisnotfullyreliable,becauseitdependsontheperformanceofthecomputenodetheinstancerunsonanditdependsonthenetworkperformancebetweentheinstanceandtheNTPservers.IfthecomputenodebecomesCPUbound,theinstance’stimemaystayoutofsync,evenwithNTPrunning.BythetimeNTPadjuststhetimefortheinstance,theadjustedtimecouldbewrong.Networkissuescandisrupttimeupdates.TheNTPservicecouldalsobehavinganissue.Forexample,oneoftheNTPserverscouldbeoutoftimesyncitselfandreportingthewrongtime.SomeoftheseissuescanbesolvedbyconfiguringtheinstancetopointtoseveralreliableNTPservers.Iftimesynchronizationisimportanttotheapplication’soperation,itisessentialthatmonitoringisconfiguredtocatchtheseissuessothatappropriateactionscanbetaken.
HOSTNAMEANDIPADDRESSINGApplicationstendtobeverycomplex,andcomprisedofmanyfunctionalunits,withoneunittalkingtoanother.Usersalsoneedawaytousetheapplication.ThisisaccomplishedbyassigninghostnamesandIPaddressestoallofthedifferencepiecesofanapplicationthatneedit.Anexampleforasimpleapplicationmightbeawebserverthattalkstoaback-enddatabase.ThewebserverhasanIPaddressthatusersconnectto,andthedatabasehasanIPaddressthatthewebservertalksto.
Whathappenswhenthewebserviceisactuallyawholebunchofinstances?Whathappensifthedatabaseback-endisactuallyadatabaseclusterrunningseveralservers?ItwouldcertainlybepossibletoassignpublicIPstoallinstancessothateverysingleinstanceisaccessible.However,ifauserisconnectingtothewebinterfaceofanapplication,itwouldbebadpracticetoprovidealltheIPstotheuserandforcetheusertoselectwhichonetouse.
SinglePointofEntryNormally,anapplicationhasasinglepointofentryfortheusers.Ifitisawebapplication,itisaURLtheyenterinthewebbrowser.Ifitisaclient/servertypeapplicationtheclientisconfiguredtohitaparticularserveraddress.Whathappenswhenawebapplicationisnowabunchofinstances?Ifthedatabaseback-endisseveralserversrunninginacluster,howisthewebfront-endconfiguredtotalktothedatabaseback-end?Thereareacoupletechniquesthatcanbeusedtodealwithapplicationconnectivityandthecommunicationbetweenthefunctionalunitswithintheapplication.
Mostapplicationsshouldhavejustasinglepointofentryforconnectionstocomeinto,whichisusuallyahostname.Whenaconnectiontotheapplicationismadeusingahostname,thehostnameisconvertedintoanIPaddressthroughtheuseofDNSservice,whichisaservicethatprovideshostnameandIPaddressmappings.TheDNSlookupoccursbehindthescenesandistransparenttotheuserorserviceconnectingtotheapplication.TheDNSservicemayreturnasingleIPaddressoralistofIPaddressesforthathostname.AnIPaddressisthenchosenandtheconnectionmadetotheapplication.
RoundRobinDNSWhenitcomestoassigningmorethanoneIPaddresstoasinglehostname,thereareacoupletechniquesthatcanbeemployed.ThefirsttechniqueistouseDNStoassignmultiple“Arecords”tothehostname.AnArecordinDNSisessentiallyanIPaddressassignment.WhenaDNSlookupoccursandtherearemultipleArecordsassignedtothename,theDNSserverreturnsalloftheIPaddressesassignedtothatname.However,eachtimetheDNSserverisqueried,thelistisrotatedbyonesothatthefirstIPaddressinthelistisalwaysdifferent.Thisisknownas“roundrobin.”
Forexample,thenamemywebhasthreeArecordsassignedtoit,1.1.1.1,2.2.2.2and3.3.3.3.ThefirsttimeDNSisqueried,theserverrespondswith1.1.1.1,2.2.2.2,3.3.3.3.ThesecondtimeDNSisqueried,theserverrespondswith2.2.2.2,3.3.3.3,1.1.1.1.ThethirdtimeDNSisqueried,theserverrespondswith3.3.3.3,1.1.1.1,2.2.2.2.ThefourthtimeDNSisqueried,theserverrespondswith1.1.1.1,2.2.2.2,3.3.3.3again.
TheclientthatisdoingtheDNSquerywillgetbackalistofIPaddressesandthenhastochoosewhichIPaddressitwilluse.Generally,clientsalwayspickthefirstIPaddressinthelist,whichiswhytheDNSserverrotatesthelisteverytimethelistisreturned.However,thereisadownsidetodoingroundrobininDNS.IfanyoftheserversintheIPaddresslistisnotresponding,theclientwillnotknowthatandwillattempttheconnectionanyways.ClientsveryrarelyhaveextralogicintheircodethattriestoconnecttothefirstIPandwhenthatfails,triesthenextIPinthelist.
Itmaybedifficultfortheadministratortoreactquicklytoserverunavailabilityorperformanceissues.Ifaserverisgoingtobedownforanextendedtimeperiod,thebadIPaddresscanbepulledoutofthelist.However,DNSserversareoftenconfiguredtocacheIPaddressinformationforaperiodoftime.ItiscommonforDNSentriestobecachedfor24hoursormore.Ifthatisthecase,removinganIPaddressfromthelistcouldtakeuptoadayormoretobereflectedintheDNSqueriesmadebytheclient.
IfaserverisgoingtobedownforplannedmaintenanceandtheadministratorknowsthatanIPaddresswillneedtocomeoutofthelist,acommontechniqueistoreducethecachetimetoashortperiodoftime,suchas1minute,wellaheadofthescheduledmaintenancetime.Whenmaintenanceisabouttobegin,theIPcanberemoved,whichclientswillseewithinaminuteoftheupdate.MaintenancecanoccurandtheIPaddressre-addedbacktothelist.Ifmaintenanceissuccessful,thecachetimecanbeadjustedbackuptoitsoriginalsetting.
GlobalServerLoadBalancing(GSLB)RoundRobinDNSisacheapandeasymeanstoallowaccesstomultipleinstancesthatprovideanimportantpieceoffunctionalitytoanapplication.Itwasalreadymentionedthatifoneoftheinstancesisdown,clientsmaystilltrytoconnecttotheinstance,beingunawareofthatissue.However,thereareotherlimitationstoRoundRobinDNSthatcanalsoaffecttheapplication.Forexample,theremightbenoabilitytoguidetheclientinselectinganappropriateIPaddressoutofthelistbasedonperformanceorpossiblyhowcloseaninstanceistotheclient.
GlobalServerLoadBalancing(GSLB)isaservicethatprovidesacombinationofDNSandloadbalancingfunctionality.GSLB’sareoftensetupinasimilarfashionasRoundRobinDNS.AhostnamemaybeassignedtomultipleIPaddresses.However,insteadoftheGSLBreturningarotatinglistofIPstotheclient,theGSLBwillreturnthelistofIPsinanorderthatmakesthemostsensefortheclient
thatisdoingtheDNSquery.IfaninstanceisdownintheIPlist,theGSLBwillremovetheIPentirelyfromthelistuntiltheinstanceisbackup.IPsareoftenorderedbygeographiclocationsothatthefirstIPaddressisphysicallyclosesttotheclientdoingthelookup.IPsmayalsobeorderedbasedonperformanceornumberofconnectionsgoingtothoseIPs.
EnterprisesmayalsocombineGSLBswithRoundRobinDNSandusebothtechniques.Thisisusefulwhenanapplicationishostedatmultiplesites.Forexample,anapplicationhostedintheUnitedStatesandinEuropecouldhavetheGSLBprovideonlythelistofIPsassociatedwiththeUnitedStateswhenclientfromNorthAmericaqueriesDNS.Furthermore,thetrimmeddownlistcouldberotatedinthesamefashionasstandardRoundRobinDNS.SincetheGSLBisawareofserveruptimeandperformance,IPscanstillberemovedwhenaserverisdown.
GSLBcanbeaffectedbysomeofthesameissuesasRoundRobinDNS.SinceGSLBisessentiallyprovidingIPsbacktotheclientviaDNSrequests,makingchangestothelistofIPaddressescanbeaffectedbycachetime.ForGSLBsdesignedforfailoverwhenanissueoccurs,cachetimesmaybesettosmalltimesalready.However,clientsoftencacheDNSlookupsaswell.ThismeansthatwhenanIPaddressisremovedfromthelistbytheGSLB,aclientmaynotnoticethatuntilitsinternalcachehasexpiredforthatlist.
GSLBprovidesanotherlevelofservicebeyondwhatDNSprovidesbyitself.However,GSLBoftencomeswithextracost,soitmaynotbefeasibletotakeadvantageofit.IfGSLBisavailable,itisthebestwaytorunportionsoftheapplicationacrossmultiplesitesinareliableway.
FixedandFloatingIPAddressesOpenStackmakesuseoftwotypesofIPaddressesforitsinstances.AfixedIPaddressisautomaticallyassignedbyOpenStackwhenaninstanceisfirstlaunched.ThefixedIPaddresscanbeeitherapublicoraprivateaddress,dependingonhowtheenvironmentisconfigured.Publicaddressesallowconnectionsfromoutsidetheenvironmenttoconnectdirectlytotheinstances.Privateaddressesdonotallowoutsideconnections,butoftendoallowconnectionstootherinstanceswithinthesameenvironmenttobemade.
TheothertypeofIPaddressOpenStacksupportsisafloatingIPaddress.FloatingIPaddressesarenotautomaticallyassignedtoaninstancewhentheyarefirstlaunched.WhenOpenStackisconfiguredtousefloatingIPs,aglobalfloatingIPpoolissetupwithalloftheIPaddressespermittedtobeusedasafloatingIP.UserswillthenpullIPaddressesoutoftheglobalpoolandintotheirtenantpool,markingthoseIPsasonlyuseablebythatspecifictenant.UserscanthenassignIPaddressesfromtheirtenantpooltospecificinstancesrunninginthetenant.FloatingIPaddressesaremostoftenpublicIPaddresseswhichallowsoutsideconnectionstobemadetothatIPaddress.OpenStackenvironmentsthatmake
useoffloatingIPaddresseswilloftenconfigurefixedIPaddressestobeprivateaddressesandfloatingIPaddressestobepublicaddresses.
OneadvantagethatfloatingIPaddresseshaveoverfixedIPaddressesisthattheusercanassignandunassignthematanytime.TheusercanmoveafloatingIPaddressfromoneinstancetoanotherwithouthavingtoterminateandrelaunchaninstance.ItisalsopossibletohavemorethanonefloatingIPaddressassignedtoaninstance.Thisgivestheuseralotofflexibilityinhowaconnectioncomesintotheapplication.Ifaninstanceishavingproblemsorcrashes,thefloatingIPaddresscanbemovedtoaworkinginstance.Itisalsousefulinmaintenance.Forexample,apatchcanbeappliedtoallinstances.AninstancecanbepatchedandthenhavethefloatingIPmovedtoitsothattheotherinstancecanbepatchedwithoutaffectingserviceavailability.
AnotheradvantagethatfloatingIPshaveisthattheycanbeusedasameanstoconserveIPaddressusageinanetwork.ThefixedIPnetworkisoftenbigger,sizedtobelargerthanthenumberofinstanceslikelytoeverbelaunchedinthatenvironment.ThefloatingIPnetworkmaynotbeasbigandmaybeafinitevaluableresource.Ifthatisthecase,userscouldassignfloatingIPstoonlytheinstancesthatneedoutsideconnectivityandrelyonlyonfixedIPsforinstancesthatonlyrelyonconnectionsinsidetheenvironment.
Forexample,aparticularOpenStacksetuphasapublicnetworkassignedtothefloatingIPaddressesandaprivateinternallyroutednetworkassignedtothefixedIPaddresses.ThedevelopersetsupaninstancerunningHAProxyandassignsafloatingIPaddresstoit.Thedeveloperalsosetsupabunchofwebinstancesprovidingthewebfront-endfortheapplication.ThewebinstancesareconfiguredwithfixedIPaddressesonlyandarenotaccessiblefromtheoutsideworld.ThefixedIPsareaddedtotheHAProxysetupandanytimesomebodyconnectstothefloatingIP’softheHAProxyinstance,HAProxyconnectstooneofthewebinstancesandproxiesthetrafficbetweenthem.Ifoneofthewebinstancesgoesdown,HAProxysendstraffictoanotherwebinstance.Ifthedeveloperneedstologintoanyofthewebinstances,thiscanbedonebyfirstloggingintotheHAProxyinstanceandthenfromthere,byloggingintothedesiredwebinstance.
NeutronPortReservationNeutronassignsIPaddressestoinstancesusingtheconceptofportassignments.Aportisessentiallyavirtualswitchportthattheinstanceconnectsto.AportisassignedaMACaddressandafixedIPaddress.Whenaninstanceconnectstoaport,theinstance’snetworkinterfaceinheritstheMACaddressandIPassignmentaswell.
Bydefault,whenaninstanceislaunched,aportiscreatedwithaMACaddressandafixedIPaddressandthenassignedtothatinstance.Whentheinstanceisterminated,theportisdestroyed,whichfreesthefixedIPaddressupforfutureuse.IffloatingIPsarenotused,thereisnowaytopredictwhatIPaddressthe
instancewillget.NorisitpossibletoguaranteethatifaninstanceisrebuiltbybeingterminatedandthenrelaunchedthatitwillgetthesameIPaddressitoriginallyhad.
Neutronprovidesamechanismtoallowtheusertocreateaportaheadoftimeandassignthatporttoaninstanceasitisbeinglaunched.Whentheportiscreated,theuserhastheoptionofspecifyinganIPaddressorletOpenStackchosetheIPaddressinstead.Tocreateaport,usethe“neutronport-create”command.Whentheinstanceislaunched,theportIDofthenewlycreatedportcanbeassignedusingnovaboot––nicport-id=PORT_ID.Whentheinstancecomeup,itshouldhaveanetworkinterfaceconfiguredusingtheMACaddressandfixedIPaddressassociatedwiththeuser-createdport.
However,beawarethatiftheinstanceisterminated,OpenStackwillhappilydestroyboththeinstanceandanyassociatedport.IftheuserwantstopreservetheIPaddressassociatedwiththeinstance,theportmustbedetachedfromtheinstancefirstbeforetheinstanceisterminated.Thiscanbedonebyusingneutronport-updatePORT_ID––device_id''––device_owner''.Thisshouldworkonanyport,includingaportthatwascreatedatthetimetheinstancewaslaunched.Aftertheportisdetached,itcanbeusedagainwhenlaunchinganotherinstance.
InolderversionsofOpenStack,Neutronportreservationwasn’tveryreliable.Portscouldbedetachedfrominstances,buttheysometimesmaynotworkproperlywhenattachedtoanewlylaunchedinstance,especiallyiftheinstancetheportwasoriginallyattachedtoisstillrunning.Also,portscouldonlybeattachedtoinstanceswhentheywerelaunched.Itmaybepossibletoattachaporttoanexistinginstancebyusingneutronport-update.ConsulttheOpenStackdocumentationandtestvigorouslybeforeusingportreservationsforproductionwork.
PermanentIPAddressesUsersareaccustomedtohavingasingleknownIPaddressassociatedwiththeirapplication.AhostnameisusuallyassignedtothatIPaddress,buttheIPaddressrarelychanges.OncetheyhaveanIPaddress,firewallportsareopenedupspecificallyforthatIPaddressandthataddressmaypotentiallybeembeddedinapplicationcode.Ofcourse,ifthatIPaddresseverchanges,itcanbeanightmaretoupdatetheapplicationtosupportthatchange,asfirewallshavetobeupdatedandsourcecodescouredtofindallthehardcodedentries.
Whenusersaredevelopingapplicationsforthecloud,itishardforthemtoletgooftheconceptthatalltheirinstancesshouldhaveapermanentIPaddressassigned.Evenifanapplicationisbuiltwithmultipleinstancesandregionsinmind,usersmaystillhavetoopenfirewallportsforalltheIPaddressesassociatedwiththeirinstances.
IftheOpenStackenvironmentsupportsfloatingIPaddresses,thenhavingapermanentIPmaystillbepossible.Ifaninstanceneedstobedestroyedand
rebuilt,theusercanmovethefloatingIPaddressfromthedoomedinstancetoanewone.ThefirewallrulesassociatedwiththatIPaddresscontinuestowork.ThesamethingcanbeaccomplishedbycreatingandassigningNeutronportstonewinstances.However,itiscriticaltomakesurethatportisdetachedfromtheinstancebeforetheinstanceisterminated,otherwisetheportwillbedestroyedandtheIPaddressputbackintotheglobalIPpool.
AnotherthingusersshouldbecautiousofisifanIPaddressislostandfirewallrulesareassociatedwiththataddress,someotheruserandapplicationmaygetthatIPaddressandalltheassociatedfirewallruleswithit.Theotherapplicationwillhavenoideawhatportshavebeenopenedupinthefirewall.Thismaynotbeanissueifthesecuritygroupsareproperlysetupandrestrictinboundtraffic.However,itiscommonfordeveloperstosavenetworksecurityforlastornotaddressitatallandnotbeawareoftheadditionalexposuresthatIPaddressreusemaybringtotheirapplication.
SCALINGOnceabasicapplicationhasbeenbuiltforthecloud,itneedstoevolvesothatitcansurvivefailuresinthecloud,aswellastogrowsothatitcancontinuetomeetuserdemandandperformancerequirements.Scalinganapplicationverticallymayaddressperformanceissues,butitrarelyimprovesonitsabilitytodealwithcloudfailures.Scalingtheapplicationhorizontallycanaddressbothperformanceandresiliencytocloudfailures.
Whatdoesitmeantoscaleanapplicationhorizontally?Itmeansthattheapplicationisscaledbyaddingmoreinstancestoit.Thisisdifferentfromverticalscalingwheretheinstancesthemselvesaremadebigger.Horizontalscalingdoesn’tmeanmakingadditionalcopiesoftheapplicationandrunningthosecopiesinthecloud.Itmeanstakingasingleapplicationandspreadingitouttoruninmoreinstances.
Howcananapplicationbespreadacrossmultipleinstances?Thefirststepistounderstandallthedifferentpiecesthatmakeupanapplicationandthentakeeachpieceandruneachofthemintheirowninstance.Theneachpieceisexpandedtoruninmultipleinstances.Somepiecesmaybeeasiertoruninmultipleinstancesthanothers.Onceanapplicationcanscalesuccessfullyinasingleregion,thenstepscanbetakentoscaletheapplicationtootherregions.Anapplicationrunninginmultipleregionscanincreaseperformancebyhavinguserscommunicatewithinstancesphysicallyclosertothemandincreasesitsresiliencyindealingwithpotentialregion-wideoutages.
ApplicationAnatomyApplicationsaretypicallyverycomplex,oftencontainingmultipleprogramsworkinginconcerttoprovideasetofservicestotheend-user.Itisraretofindanapplicationthatisasingleprogramthatdoeseverything,suchasprovidingawebinterfaceandadatabaseserviceallinone.Understandingallofthedifferentpiecesofanapplicationisimportantwhentryingtobuildanddeployittothecloud.
Mostapplicationsprovidesomekindofuserinterface.Userinterfacescantakemanyforms,suchasaclientinterfacethatrunsontheuser’sdesktop,awebinterfaceaccessedfromabrowser,acommand-lineprogramtheuserrunsfromanoperatingsystemprompt,ormaybeanAPIthattheuserusesfromwithinascriptorprogram.
Userinterfacesprovideamechanismforaccessingandmanipulatingthedatatheapplicationmanages.Thisdataisoftenstoredinadatabase.Manyapplicationsuserelationaldatabasesthatprovidebetterorganizationandfasteraccesstothedata,suchaswithOracleandMySQL.Someapplicationsalsomakeuseofdocumentstoredatabases,suchaswithMongoDB.Documentstoredatabasesprovideameansofstoringunstructureddataandobjects.Applicationsmayalso
makeuseofmultipledatabasesanddatabasetypes,furtheraddingtothecomplexityoftheapplication.
Someapplicationsalsomakeuseofanapplicationlayercalledmiddleware.Middlewarecontainssoftwarethattypicallyisusedtoconnectapplicationcomponentstootherapplicationcomponents.Middlewareprovidesaconsistentmeansofconnectingdifferentpiecesoftheapplicationtoeachother,makingiteasiertoswitchcomponentsoutforothercomponentsinthefuture.
Applicationsmayhaveothercomponentstoo.Forexample,theremaybeanetworkorsecuritycomponentthatmonitorstrafficinsomeway.Theremaybealoggingcomponentthataggregatesthelogsofalltheothercomponentsintoasinglesearchablelocation.Theremaybeamonitoringcomponentthatchecksapplicationfunctionalityandperformance.
Eachcomponentneedstoaddresspotentialfailurescenariosasappropriate.Aweb-baseduserinterfacecandealwithfailurescenariosbysimplyscalingout.Sincemostweb-baseduserinterfacescanbestatelesswithrespecttodata,instancescanbelostwithlittleimpacttotheapplication,aslongasthereareenoughinstancestohandletheincomingload.Databasesoftendealwithfailurescenariosbyhavinganumberofinstancesparticipatinginacluster.Aslongasthemajorityoftheinstancesintheclusterremainavailable,thedatabaseislikelytoremainupandavailable.
Eachcomponentcanalsodealwithproblemsindependentlyofeachother.Forexample,ifaperformanceissueisfoundinthemiddlewarecomponent,thatcomponentcanbescaledoutmoretoaddresstheperformanceissue.Thereisn’taneedtoscaleoutthewebcomponentorthedatabasecomponent,sincetheproblemwasisolatedonlytothemiddlewarecomponent.Adjustingcomponentsindependentlywhenneededgivestheapplicationtremendousflexibilityindealingwithfailurescenariosandperformanceissues.
MultipleInstancesAnapplicationthatrunsinasingleinstanceorinjustafewinstancesismorelikelytobeaffectedbysimplefailurescenarios,suchashardwarefailureormaintenance.Asinglecomputenodefailurecouldrobtheapplicationofanimportantpieceoffunctionality,resultinginusersnotbeingabletoreachtheapplicationorimportantdatabeingavailabletothem.
Thebestwaytodealwithmostfailurescenariosistohavetheapplicationruninasmanyinstancesaspossible.Ifoneinstanceinagroupgoesdown,theotherinstancesinthatgroupcontinuetoprovidethesamefunctionalitysotheapplicationremainsoperational.
Mostapplicationscanbebrokendownintosmallerpiecesbasedonfunctionsthatcanbeisolatedfromotherfunctions.Forexample,aweb-baseduserinterfacecanoftenbeseparatedfromadatabaseback-endsinceusersdonotneeddirectaccess
tothedatabaseandthedatabasedoesn’tcareabouthowtheusersseeormakeuseofthatdata.Breakinganapplicationintosmallerfunctionalunitsisthefirststepinrunninganapplicationinmultipleinstances.Thewebinterfacecanruninoneinstanceandthedatabasecanruninanotherinstance.
Oncetheapplicationhasbeenbrokenintosmallerfunctionalunitsandeachfunctionalunitseparatedintomultipleinstances,theinstancescanthenbescaledoutsothateachfunctionalunitalsorunsinmultipleinstances.Forexample,theweb-baseduserinterfacecanruninseveralinstancesinsteadofjustasingleinstance.
Runningtheapplicationacrossmanyinstancesaddsaconsiderableamountofcomplexitytotheapplication.However,italsoprovidestwokeyimprovementstotheapplication.Thefirstkeyimprovementisthatitshouldmaketheapplicationmoreresilienttofailuresoccurringinthecloud.Acomputenodefailureisnotlikelytotakeoutalltheinstancesofthatfunctionalunit.Theotherkeyimprovementisthatitiseasiertoscaletheapplicationhorizontally.Forexample,ifuserdemandincreasestothepointaparticularfunctionalunitisbecomingperformance-boundorrunningintoresourcealimit,thenumberofinstancesforthatfunctionalunitcouldbeincreasedtohandletheuserdemand.Thisnotonlyspreadsperformanceacrossmoreinstances,butifaninstancecanonlyhandleacertainnumberofusers,multipleinstancescanincreasethetotalnumberofusersthatcanbehandled.
Statelessapplicationsaremucheasiertoruninamultipleinstancesetup.Datakeptinaninstanceisnotimportantenoughtoprotectagainstlossifthereisafailureinthecloud.Furthermore,oneinstancedoesn’tdependondatainanotherinstance.Ifaninstancegoesaway,ausercanberoutedthroughanotherinstanceseamlesslywithouthavingtoknowwhatthatuserwasdoingintheotherinstancebeforethat.
Statefulapplicationsaremoredifficulttoruninamultipleinstancesetup.Dataneedstobekeptaboutwhatishappeningandwhathasalreadyoccurredsothatwhathappensnextcanbedetermined.Forexample,youcanhaveamulti-requesttransactionthatisoccurringintheapplication.Ifalloftherequestsgothroughasingleinstance,theinstancehasallofthedataaboutthetransactionandcanhandlethetransactionend-to-endwithoutdifficulty.However,ifonerequestgoesthroughoneinstanceandanotherrequestgoesthroughotherinstances,howdoesoneinstanceknowabouttherequeststhatwentthroughtheotherinstances?Astatefulapplicationneedstotrackalltherequestsofatransaction,nomatterhowmanyinstancestherequestswentthrough.
MultipleLocationsJustasanapplicationneedstoruninmultipleinstancesinordertoscaleandbemoreresilienttofailuresinthecloud,theapplicationalsoneedstobedeployedinmultiplelocations.Asdiscussedpreviously,thereareallkindsoffailuresthatcan
occurinthecloud,orevenoutsidethecloud,thatcanaffectacloudapplication.Forexample,anoutageinthedatacentercantakeoutanentirelocationorregion.Eveniftheapplicationrunsinmanyinstances,ifallofthoseinstancesraninthesamelocation,theapplicationisstillunavailable.
ItisimportanttounderstandtheOpenStackenvironmentthattheapplicationisgoingtobedeployedto.Iftherearemultipleregionsavailable,findoutwheretheregionsarephysicallylocated.Theapplicationshouldbedeployedtogeographicallydiverselocations,suchasontheeastcoastandonthewestcoast.Ifapowerornetworkoutagetakesoutallofthedatacentersinaparticularregion,otherregionscanpickuptheloadandallowtheapplicationtocontinueoperating.
Itisalsoimportanttounderstandhowregionsmaydifferfromeachotherwithrespecttospeed,redundancyandreliability,andlocationwithrespecttotheusersthatmayneedtousetheapplication.AnOpenStackregioncanbeinstalledinareallynicedatacenterthatoffershighspeednetwork,lotsofbandwidth,powerandnetworkredundancy.Itcanalsobeinstalledinalowertierfacilitywheretheremaynotbeasmuchbandwidthorredundancy,whichmeansthatfailurescouldhappenmoreoftenandhaveagreatereffectonapplicationsdeployedthere.However,thoseregionsmaybeclosertotheend-userorprovidelowerlatencyconnectionsandultimatelyprovidemoreplussesthanminusesforbeinginthoseregions.Knowinghowregionsdiffermayresultinanapplicationbeingdeployedwithfewerinstancesinoneregionversusanother,ormaybecertainfunctionsofanapplicationmaybedeployedtoahigherriskregion.
Managinganapplicationthatrunsinmultipleregionsisevenmorecomplexthanjustmanaginganapplicationthatrunsinmultipleinstances.Someofthechallengescanbereducedifalltherequestsofatransactionorallthetransactionsforausercanbekepttothesameregion.Dataaccessandintegritycanalsobechallenging.Ifadatabaseisgoingtoruninmultipleregions,dataneedstobereplicatedandsynced.Iftheapplicationrequiresreal-timedataaccess,ensuringthedataiscurrentinalllocationsatalltimescanbedifficult,especiallyiftheregionsareseparatedgeographicallybyalargedistance.
LoadBalancingLoadbalancingprovidesameanstodirecttrafficflowtothoseinstancesthatshouldreceiveit.Inthemostbasicform,incomingtrafficcanbesplitequallytoalloftheinstances,whichspreadsloadevenlyandallowsforbetterscaling.Inmoreadvancedforms,instancescanbemonitoredsothattrafficissplitbasedonavailability,performanceandlevelofactivity.Inparticular,ifaninstancegoesdown,itcanbeexcludedfromreceivingadditionaltrafficuntilthatinstanceisrestoredbacktoservice.
Loadbalancerstypicallyprovideaneasymeanstoconfigurehowtrafficshouldflowinsideanapplication.Apooliscreatedtomonitoraparticularserviceandserverscanbeaddedandremovedfromthepoolonthefly.Loadbalancers
monitortheservicesofeachserveranddeterminewhattrafficshouldgotoit,ifany.ApooloftenhasanIPaddressandportassignedtoit.Aslongasatleastoneserverinthepoolisabletoreceivetraffic,thepool’sIPaddressandportisactive.
Loadbalancersmonitortheservicesinapoolbyconnectingtotheservice.Monitoringcanbeassimpleasjustconnectingsuccessfullytotheservice,oritcanbeascomplexasconnectingtotheserviceandexpectingaspecificbannerorstringtobereturned.Someloadbalancersprovideameansofattachingcustomscriptstothecheckssothatcomplexcheckscanbeperformed,suchasauthenticatingtotheserviceandperformingsomekindofaction.Loadbalancerscanalsomonitorperformanceinaway,bylookingathowlongitschecksaretakingandbasingdecisionsonthat.Successfulchecksmarktheserviceasavailableandunsuccessfulchecksmarktheserviceasunavailable.
Oncetheloadbalancerhascollectedallofthedatafromthechecksperformedontheservice,itneedstodecidehowtodistributetheincomingtraffic.Apoolsetuptousearoundrobinalgorithmwillsendtraffictoeachservice,oneaftertheotherinsequentialrotatingfashion.Apoolsetuptousealeastconnectionsalgorithmwillsendtraffictotheservicethathasthefewestactiveconnections.Apoolcouldalsobesetuptosendtraffictotheservicewiththeleastnetworklatency.Morecomplexalgorithmscanalsobesupported,combiningsimplealgorithms,orsettingupapriorityofservicesthatshouldgettrafficbeforeotherservicesgettraffic.
Therearemanytypesofloadbalancersavailable.Hardwareloadbalancersusuallyprovidethemostcapabilities,reliabilityandabilitytohandlelargeamountsoftraffic.However,theyarealsomoreexpensivethananyothertypeofloadbalancer.Also,hardwareloadbalancersmanagedbyanotherteammayaddadditionalcomplexitytoitsuse.Nonetheless,ifhardwareloadbalancersareavailable,itisrecommendedtotakeadvantageofthem.
Softwareloadbalancersarecheaperandcanbemoreflexiblethanhardwareloadbalancers.Youcanbuildandincorporatesoftwareloadbalancersintotheapplication,tightlycouplinghowloadbalancingisdonewiththeneedsoftheapplication.Therearemanytypesofsoftwareloadbalancers.OneofthemorepopularchoicesisHAProxy.ThereareanumberofloadbalancersavailableusingApacheandJavaaswell.
OpenStackalsoprovidesaLoad-Balancing-as-a-Service(LBaaS),whichisimplementedusingNeutron.Itsupportsmanyofthesamefeaturesthatregularloadbalancerssupport,suchasservicemonitoring,managementoftheservicesinthepool,managingconnectionlimits,andprovidingsessionpersistence.CheckwiththeOpenStackcloudadministratorstoseeifLBaaSisavailableandhowitcanbeused.
Oneofthethingsthatneedtobeconsideredwhensettinguploadbalancingforanapplicationiswhatkindoftrafficwillbegoingthroughit.Notallnetworkprotocolsmaybesupportedbyloadbalancers.Ifsessiontrackingisused,either
theapplicationneedstosharesessioninformationacrossalloftheneededservers,ortheloadbalancerneedstobeconfiguredtosendasinglesession’straffictothesameback-endserveruntilthatsessionisterminated.
Anotherthingtobeconsideredisthatloadbalancingwillincreaseloggingquiteabitontheserversinthepool.Generally,loadbalancersliketocheckserviceseveryfewsecondstomakesuretheyareup.Inanenterpriseenvironment,theremaybetwoormoreloadbalancersconfiguredidentically,allofthemcheckingeveryfewsecondsonthosesameservices.Unlesstheapplicationisconfiguredtonotlogthoseconnections,logscangrowquiteabit.
Ultimately,loadbalancingprovidesavaluablewaytoimproveanapplication.Itprovidesameanstomonitortheservicesandremoveserversfromapoolthatarenolongerworking.Italsoprovidesameanstoaddandremoveserversonthefly,whichisanimportantpartofapplicationscalability.
PerformanceWhenanapplicationisarchitectedsothatitsvariouspiecescanscaletomultipleinstancesandthosedifferenttypesofinstancescanscaleindependentlyofeachother,thecomplexityoftheapplicationincreasesdramatically.Whenproblemsoccurwithintheapplication,itbecomesmoredifficulttoidentifywheretheproblemisactuallyoccurring.Sometimes,problemsmanifestasbrokenfunctionalitywithintheapplication.However,moreoftenthannot,problemsmanifestasperformanceissues.
Whatkindofperformanceissuescouldanapplicationexperience?Performanceissuescantakemanyforms.Forexample,abackupsystemhastobackupallthedataofanapplicationeverynightandhastobecompletedbeforethenextbusinessday.However,overtime,backupsaretakinglongerandeventuallyrisknotfinishingintime.Anotherexamplemaybeanapplicationthatacceptsfileuploadsandithastoviruschecktheapplicationbeforeconfirmingtotheuseritwassuccessful.Itmaybethatviruscheckingistakinglongerandlongeranduploadsarefailingbecausetheyaretimingoutortheuserdoesn’twaitaroundlongenoughforittocomplete.
Applicationperformanceisoftencharacterizedastheamountoftimetoperformspecificactions.Forexample,awebuserclickingonalinkwithinawebpagewillexpecttheclicktoimmediatelyrespondwithanewpageandexpecttoseethenewpagecompletelyloadedwithinashortperiodoftime.Perceivedslownesscansometimesbeattributedtotheaccumulationofallthedifferentthingsthathastohappenbehindthescenes.Ifasingle-userclickresultsintwentydifferentactionsoccurring,eachactionmaybequick,butthetotaltimetoprocessalltwentyactionsmaybetoolong.
Itisincrediblyimportanttomonitoreveryaspectofanapplication.Datacanbecollectedonhowlongdatabasetransactionstake.Datacanbecollectedonhowlongdataistransferredoverthenetworkorwrittentodisk.Datacanbecollected
onthenumberofsuccessfulorfailedevents.Datacanbecollectedonnumberofconnectionsandlogins.Allofthisdatashouldbecollectedovertimesothatitcanbeanalyzedforpotentialissuesandunderstoodincontextwithotherevents,suchasholidays,specialeventsorabnormallyhighusage.
Whenperformanceissuesarediscovered,anumberofthingscanbedone.Someperformanceissuesmayberelatedtohigheractivityandcanbesolvedbysimplyaddingmoreinstancestothepooltohandleit.Otherperformanceissuesmayberelatedtoachangeintheusagepattern.Forexample,usersmaybesearchingonsomethinginadifferentway,andtheSQLquerycreatedtodothatsearchissomehowsearchinginefficientlyinthedatabase.Finetuningthesearchcapabilityorcreatinganewindexinthedatabaseorfinetuningdatabasesettingsmaybethemoreappropriatewaytofixtheperformanceissuethansimplyaddingmoreinstancestothedatabaseservice.
Operatingsystemperformanceshouldalsobeheavilymonitored.ForLinuxservers,itisagoodideatorunSARandcollectdataonCPU,memoryanddiskperformance.AgoodmetrictomonitoristheCPUstealtime,whichcanbeseenintheSARdataas%steal.Ifthisvalueisconsistentlynon-zero,itusuallymeansCPUcyclesarebeingstolenfromthatinstanceandgiventoanother.Lookingatthatmetricincombinationwiththe%idlemetricandlookingatthesevaluesacrossalltheinstancescollectivelycanprovidecluesastowhetherthehypervisorisoverloadedorthatmaybetheinstanceisundersized.
OpenStackprovidessomemetricsdataforapplicationdeveloperstotakeadvantageof.CeilometercollectsinformationaboutCPUandRAMusage,diskactivity,networkbandwidthandotherdata.ItispossiblethatMonascaisbeingusedaswell,whichprovidesmanyofthesamemetricsasCeilometer.BesuretotalkwiththeOpenStackcloudadministratorstoseeifmetricsarebeingcollectedinthecloudandhowtheycanbeusedbytheapplication.
DataStorageInOpenStackthereareanumberofdifferentwaysthatdatacanbestored.Bydefault,whenaninstanceislaunched,itusesephemeralstorage.Ephemeralstorageisusuallystorageassociatedwiththecomputenodeswheretheinstanceruns.Iftheinstanceisterminated,alltheephemeralstorageassociatedwiththatinstanceisalsodeleted.EphemeralstorageistheleastprotecteddatawithinOpenStack.Thestorageislikelynotbackeduporreplicated.Alostdiskorcomputenodecouldleadtodataloss.
BlockstorageisprovidedbyCinderinOpenStackandpresentsthatstorageasvolumesthatcanbeattachedtotheinstances.Volumesshowupasblockdevicesinsidetheinstancesandcanbemountedasdisksorfilesystems.Volumescanbeattached,unattachedandmovedtodifferentinstances.Whenaninstanceisterminated,thevolumesaredetachedfromtheinstanceandisnotdeleted.Thevolumecanthenbeattachedtoanewinstanceifneedbe.Blockstorageis
implementedinCinderthroughtheuseofdrivers,manyofwhicharevendorspecific.Veryoften,blockstorageissetuptobeperformantandtoreplicatedatatopreventissuesresultingindataloss.
ObjectstorageisprovidedbyOpenStackthroughtheSwiftAPI.Dataisstoredinacompletelydifferentwaythanwithblockstorage.Theapplicationcreatescontainersandthenuploadsfilesintothosecontainers.Accesstothefilesrequiresthemtobedownloadedfromthecontainerandintotheinstance.Containersandtheirassociatedfileshavenoconceptofinstances.Ifaninstancethatusesacontaineristerminated,nothinghappenstothecontainersoritsfiles,remainingaccessiblebyotherinstancesinthecloud.Infact,oneoftheadvantagesSwifthasoverCinderisthatcontainerscanbeaccessedbymanyinstances,butablockstoragevolumecanonlybeattachedandaccessedbyonlyoneinstanceatatime.Objectstorageisalsooftensetuptobeperformantandtoreplicatedatatoprotectagainstdataloss.
Whenbuildinganapplicationthatneedstostoredatapermanently,selectingtheappropriatedatastorageback-endisextremelyimportant.Howimportantisthedata?Isitokayforthedatatobelostifaninstancedies?Canthedatabereplacedorrebuiltifanewinstanceiscreated?Howlongisthedataneeded?Doesthedataneedtobealwaysimmediatelyavailable?Howmuchdataneedstobestored?Thesequestionscanplayabigroleindecidingwhatisusedtostoredataandhowitisstored.Besuretotalktothestorageadministratorstobetterunderstandtheavailableoptions.Inparticular,discusswiththemabouttheirdatareplicationsettings,howmuchstoragetheyhaveandwhatyourapplication’slongtermneedsaresotheycanplanaccordingly.
Ifdataisstoredinanenvironmentthatreplicatesdata,theapplicationshouldtakecarenottodoitsowndatareplication.Ifthestorageclusterreplicatesdatathreetimesandtheapplicationisalsoreplicatingdatathreetimes,thisreallymeansthatthedataisbeingstoredatotalofninetimesinthecluster!Thiscanaffectapplicationperformanceduetounnecessaryreplication,aswellasconsumewaymorediskspacethanisreallyneeded.
Applicationscantakeadvantageofmultiplestorageoptionsatthesametime.Sinceephemeralstorageisoftenfasterthanusingblockorobjectstorage,aninstancecankeepitsmoreoftenuseddataonephemeralstorageandthelessuseddataonblockstorage.Datathatisrarelyusedcouldbeputintoobjectstorageforlongtermstorage.Besuretoconsideralloptionswhenbuildinganapplicationthatrequiresstoringdata.
HighAvailabilityTobuildanapplicationforhighavailabilityinmindmeansthattheapplicationhastobeavailableasmuchaspossibleandthatitneedstorunproperlyandperformantatalltimes.Ahighlyavailableapplicationoftenrunseverywhereandisabletoadapttothechangesintheenvironmentwhereitruns.Buildingan
applicationishardenough,butbuildingahighlyavailableapplicationisevenharder.
Whataresomeofthetechniquesinvolvedinrunningahighlyavailableapplication?Oneofthemostimportanttechniquesistoensuretheapplicationandallofitspiecescanruninmanyinstances,andthatthoseinstancescanalsoruninmultipleenvironments.Themoreplacestheapplicationrunsin,themoreresilienttohardwareorevendatacenterfailures.Multipleinstancesalsoallowstheapplicationtoscaleappropriatelyasneeded.
Anothertechniqueistoputservicesbehindloadbalancerssothattrafficcanbeappropriatelydistributed.Furthermore,ifanyinstancesbecomeunavailable,theloadbalancerswillautomaticallyremovethoseservicesfromthepoolandredistributetraffictotheremainingservices.UsingGSLBcanalsofurtherincreasehighavailabilitybyredirectingtraffictodifferentdatacentersbasedonwereconnectionsarecomingfrom.Ifadatacentergoesoffline,GLSBscanautomaticallyredirectalltraffictoanotherdatacenteruntiltheissueisresolved.
Itisalsowisetounderstandapplicationusageandhowthattiesinwiththebiggerpicture.Externaleventscancausesignificantincreasesintrafficusage.Holidayscanresultinincreasesforholidayshopping,especiallyondayslikeBlackFridayandCyberMonday.Sportingevents,liketheSuperBowl,canincreasewebsiteactivityforviewingon-demanddata.Universitiescanseeincreasedactivityassociatedwiththebeginningoftheschoolyearorchangesinquartersandsemesters.Majornewseventscoulddriveupstockactivity.Alloftheseneedtobeconsideredwhenbuildinganapplicationforhighavailability.Ideally,ifaneventcanbeanticipatedaheadoftime,theapplicationcanbescaledupwardsaccordinglyaheadofthateventtodealwithexpecteddemandandthenscaledbackdownafterthateventhaspassed.
Howcantheapplicationscaletomeetdemand?Onewayisforsomebodytoactivelymonitortheservicesandmanuallyaddinstancesasneededuntiltheapplicationcanhandlethatneed.Thiscanbeanexpensivewaytoaddresstheproblemandintroducesahumanelementandrisktotheoverallprocess.Anotherandbetterwayistomonitortheapplicationsforproblemsandperformanceandauto-scaletheapplicationinapragmaticway.OpenStackprovidesmanyAPIsformanaginginstancesandservicesinthecloud.TheapplicationcandetectwhenitneedstogrowaparticularserviceandusetheAPItodothat.Whendemandsubsides,theapplicationcanreducethenumberofinstancesrunninginanautomaticway.
Anotherimportantthingtoconsiderisbuildinginextracapacityintheapplicationaheadoftime.Insteadofexpectingeachinstancetobe100percentbusyandonlydeploythenumberofinstancesneededtohandlealloftheload,buildeachinstancetobe60percentbusyandrunmoreinstances.Oneadvantagetothisstrategyisthatbriefspikesincapacitycanoccurthatmightnottriggerauto-scaling.Withextraheadroombuiltintotheinstancesthemselves,spikescan
behandledwithoutcausinganyissueswithperformanceintheapplication.Thekeyistoover-provisionandunder-utilize.
Highavailabilitydoespresentotherchallengesthough.Takingalookatacasewhereaparticularservicerunsinmultipleinstanceswithoneinstanceactingasamasterandtheotherinstancesactinginapassiverole.Veryoften,theinstancesaretalkingtoeachotherallthetime,ensuringthemasterisaliveandwell.Whathappensifsomethingbreaksthecommunicationbetweenthemasterandpassiveinstances?Themastermaynotbeawareofthisissueandcontinuestooperatenormally.Thepassiveinstanceseesthemastergoawayandimmediatelyputsitselfintomastermode.Whatiftheotherpassiveinstancedoesthesameexactthing?Therecouldbethreemasterserversallatthesametime.Thisiscommonlyknownassplit-brainsyndromeandcanbeahardproblemtoavoidincertainfailurescenarios.Thisproblemcanbeevenmorepronouncedbetweenregionswhennetworkcommunicationisdisrupted.
Now,we’regoingtoseehowwecanimplementwhatwe’vediscussedinthischaptertoimproveoursampleapplication.
IMPROVINGOURAPPLICATIONStartingwiththesimpleapplicationconceptintroducedinthepreviouschapter,wewanttobuildonthatandshowhowitcanbeimprovedupon.Conceptually,theprocessisn’tthatdifficult.However,notallofitiseasyeither.Forexample,anapplicationthatrequirespersistentsessionsneedstoworkinamulti-instanceenvironment.Inanycase,iftheapplicationcanbebrokenintoitsbasiccomponents,eachcomponentcanbeimproveduponindependentlyandinawaythatmakesthemostsenseforthatcomponent.
SimpleApplicationLet’staketheapplicationthatwasstartedinthepreviouschapter.Theapplicationhasthreecomponentstoit:aweb-basedfront-endthatuserswillaccess,anAPIlayerthatthefront-endtalksto,andadatabaseback-end.TheapplicationmaylooksomethinglikeFigure5.1.
Figure5.1
Initially,theapplicationmayhavebeenkeptsimpleinordertoprovideaproofofconceptsotheapplicationisviableinthecloudandtoseekapprovalforcontinuingitsdevelopment.Eachcomponentmayexistasasingleinstance.Fortheaboveexample,theapplicationwouldexistinthreeinstances,oneforeachofthedifferentcomponents.
ComplexApplicationTheaboveexamplecouldbeconsideredoverlysimplistic.MorecomplexapplicationsmayuseanAPIlayertoabstractaccesstomultipletypesofback-ends.TheAPIprovidesaconsistentmeanstoaccessdifferenttypesofdata,makingiteasiertoextendfunctionalityoreventoallowback-endstobeswappedoutwithouthavingtorecodeanyofthefront-ends.TheAPIcouldalsotakeinputfrommorethanjustawebfront-end.UserscouldaccesstheAPIusingcommandlinetoolsoraclientprogram.ThisapplicationmaylooklikeFigure5.2.
Figure5.2
Whenlookingatthecomponentstobuildthisapplication,itturnsoutthatitreallyisn’tthatcomplex.TheAPIlayerisstilljustasingleinstance.Thewebfront-endandthedatabasearealsoeachtheirowninstance.Theclientprogramandcommandlinetoolsdon’tneedtheirowninstances.TheyarejustabstractmethodsfortheusertoaccesstheAPIdirectly.TheAPIcanalsoaccessfilestoragedirectlyandcommunicatetootherapplicationsintheenvironment.Theendresultisthatthisapplicationisstillonlythreeinstances,evenwithmore“stuff”goingonwithit.
ImprovingtheWebUIComponentInordertoimproveonthewebfront-end,theapplicationneedstobescaledouttomultipleinstances.Thenumberofusersexpectedtousetheapplicationcanbeusedasaguidelinetodeterminethenumberofinstancesthatlikelywillbeneededtorunthewebfront-end.Also,usersneedaconsistentmeansofaccessingthewebservicewithouthavingtoworryaboutwhichinstancetheyareconnectingto.Thisisaccomplishedbyputtingthewebinstancesbehindaloadbalancer(seeFigure5.3).
Figure5.3
Onechallengethatmayneedtobeaddressedwhenputtingawebservicebehindaloadbalanceriswhenthewebservicedoessessionmanagementinordertotrackuseractivityduringthelifetimeofthesession.AsessionstartswiththeuserloggingintothewebserviceandgetsassignedaSessionID.Theuser’sSessionIDmaybetrackedbyembeddingitintheURLsorahiddenform,ormaybeeventhroughtheuseofwebbrowsercookies.Thewebservicemaintainsinformationaboutthesessionwhiletheuserisloggedin.Thesessionendswhentheuserlogsoutorthereisnoactivityfromtheuseraftersometime.
Thedifficultywithsessionmanagementisofteninitsimplementation.Whathappensifauserlogsinusingoneinstance,butthenextclickonawebpagesendstheusertoadifferentinstance.Howissessioninformationsharedbetweeninstances?Ifsessioninformationisstoredlocallywithinaninstance,otherinstancesmaynotevenhavethatuser’sinformation.
Mostloadbalancershaveawayofdealingwiththisissue,implementingafeaturecalledsessionaffinity,persistentsessions,orstickysessions.OnemethodusedinthefeatureassignsthesourceIPoftheusertoaspecificinstanceandalltrafficcomingfromthatsourceIPwillalwaysgotothatinstance.Anothermethodusesatrackingcookietheloadbalancercreatesandassignsalltrafficcontainingthatcookietoaspecificinstance.Onedrawbackbyusingsessionpersistenceinaloadbalanceristhatpinningtraffictospecificinstancessignificantlyreducestheloadbalancer’sabilitytobalancetrafficinmeaningfulways.Overtime,someinstancesmaybesignificantlybusierthanotherinstancessimplybecauseofhowusersareusingtheapplication.Ifaninstancebecomesoverloaded,addingmoreinstancestotheWebUIlayermaynothelpbecausethoseusersarepermanentlypinnedtotheoverloadedinstance.
Thebestwaytodealwithsessionmanagementusingmultipleinstancesistoabstractsessionmanagementtoashareddatabasethatallinstancescanaccess.Ifsessioninformationisnotkeptlocallywithinaninstance,itnolongermatterswhichinstancetheuserhitsoreveniftheusershitsmultipleinstancesinthesamesession.Thisalsoavoidstheproblemthatloadbalancershavewithpersistentsessions,sinceusertrafficisnotpinnedtospecificinstances.Thedrawback,however,isthatthedatabaseusedtostoresessioninformationneedstoalsobeimplementedinahighlyavailablemanner.Thispreventsasingledatabaseinstancefrombreakingthewebinterfacecompletely.
ImprovingtheAPIComponentInordertoimproveontheAPIlayer,italsoneedstobescaledouttomultipleinstances.ThenumberofinstancescanbechosenbasedonhowperformanttheAPIinstanceisindealingwithincomingconnections,communicatingwithitsvariousback-ends,andpassingthatdatabacktotherequestingsources.SincetheAPIlayerisoftenimplementedusingsimilartechnologiesemployedbythewebfront-end,themethodforrunningtheAPIusingmultipleinstancesissimilartothatusedbythewebfront-end.ThisisaccomplishedbyputtingtheAPIlayerbehindaloadbalancer(seeFigure5.4).
Figure5.4
OneadvantagethattheAPIlayeroftenhasoverthewebfront-endisthatitdoesn’thavetokeeptrackofusersessions.Thismakesiteasiertorunmultipleinstancesbehindtheloadbalancer,sinceitdoesn’tmatterwhichAPIinstanceisbeinghitatanyparticulartime.
However,APIsmayimplementtheirownformofsessionmanagementthroughtheuseofanauthenticationtoken.TheuserreceivestheauthenticationtokenwhentheyauthenticatesuccessfullywiththeAPI.Theusercanthenusethattokenineachfollow-upcalltotheAPIwithouthavingtoauthenticateeachrequest.Afteraperiodoftime,thetokenmayexpireandforcetheusertore-authenticate,whicheitherrenewsthetokenorgivestheuseranewtoken.
TheAPIlayeroftenmanagesauthenticationtokensusingaback-enddatabase.Thismeansthatifadatabaseisbeingused,thedatabaseneedstobehighlyavailableinordertopreventasingledatabaseinstancefromdisruptingAPIfunctionality.IftheAPIisonlymakinguseofthedatabasefortokenmanagement,theAPIcouldcontinuetofunctionwithouttokens,forcinguserstoauthenticateeachAPIrequest.
ImprovingtheDatabaseComponentForthedatabaselayer,scalingthedatabaseouttomoreinstancesisnotassimplesasjustrunningmultiplecopiesofthedatabaseinstance.ForthewebandAPIlayers,theinstancesreallydonotneedtoknowanythingabouttheotherinstancesinthatlayer.Therecouldbeasingle,severalormanywebandAPIinstancesandtheapplicationwouldrunthesameway.
So,howcanthedatabaselayerbeimproved?Thedatabaselayerisscaledout,butitisscaledonamuchsmallerlevel.WherethewebandAPIlayersmayhavehundredsofinstances,thedatabaselayermayonlyhaveafewinstances.Thedatabaseinstancesoftenreplicatedatasothateachinstanceisidenticaltotheother.Itishowthedataisreplicatedthatmakesthedatabaselayermorecomplex.Thereareacoupledifferentwaysthatthedatabaselayercanbeputtogethertoprovideredundancyandincreasedperformance.
OneofthemorepopularmethodsforscalingthedatabaselayeristorunaGaleraClusterforMySQL.AGaleraClusterallowsmultipleMySQLinstancestocommunicatetoeachotherandreplicatedata.Itrunsinmultimastermode,whichmeansthatread/writecommunicationcanoccurwithanyinstanceinthecluster.Whenatransactioniscommitted,thedataisreplicatedtoallinstancesandreturnssuccessfullyonlywhenthatdatawaswrittentoallofthedatabasessuccessfully(seeFigure5.5).
Figure5.5
AnothermethodforscalingthedatabaselayeristorunaMySQLCluster.Generally,MySQLClustersaresetupintwodifferentsetsofnodes,theSQLnodesandthedatanodes.TheAPIlayertalkstotheSQLnodes,whichdetermineswherethedataisstoredandthenmakesthenecessaryqueriestotheappropriatedatanodes.Thedatacanbesplitintosmallerchunks,calledpartitions,andstoredonasubsetofthedatanodes.Replicationoccurswithinpairsofdatanodeswithinthecluster.Themoredatanodesthereare,themorepartitionsthereare,spreadingthedataacrosstheentirecluster(seeFigure5.6).
Figure5.6
OneadvantageofrunningaMySQLClusteristhatitcanscaletomoreinstances.Themoreinstancesthatareadded,themorethedatacanbespreadacrossthatcluster.However,MySQLClusterismoresensitivetolatenciesandrequiresmoreCPUandnetworkresourcestorunefficiently.Theapplicationmayalsoneedtobereworkedtotakeadvantageofthepartitioningofdata,otherwise,asinglequerycouldhiteverydatanodeandresultinapotentiallyworseperformance.
ForGaleraMySQLCluster,itrequiresverylittlechangefromtheapplicationpointofview.Thereisnodatapartitioning,soeveryinstancehasacompletecopyofthedata.Thiscanalsobeadrawback,however,sincethemoreinstancesthereareinthecluster,themoredatathathastobereplicatedtoeveryotherinstance.ThisisgenerallywhyGaleraClustersaresmall,usuallyatleastthreeinstances,butnotmuchlarger.AnotherconsiderationwhenrunningaGaleraClusteristhattherealwayshastobeatleast50percentoftheinstancesrunningintheclusteratanypointintime.Iftheclusterdropsbelow50percent,theentireclusterstopsandthedatabasegoesoffline.Itcansometimesbedifficulttobringtheclusterbackonlinewithoutmakingchangestotheclusterconfigurationfiles.Thisiswhyaclusterneedstohaveatleastthreeinstancesinit.Ifoneinstanceislost,thereis
stillmajorityintheclustertokeepitoperational.
Yetanothermethodcombinestheconceptofaclusterabovewithmultipleread-onlydatabasesontheback-end.Thisistypicallycalledawrite-master/read-slavesetup.Iftheapplicationneedstowritedata,thewritesalwaysgotothewrite-masterdatabase.Iftheapplicationneedstoreaddata,thenthereadsarefarmedouttoanynumberofavailableread-slaves.Thewrite-mastercouldbesetupasaGaleraClusterorMySQLCluster,whichtheread-slavescouldbesetupasstandaloneMySQLserversinanon-clusteredsetup.Itisnotuncommontoseetheread-slavesusecachingsoftware,suchaswithMemcached,tofurtherspeedupreads.Aloadbalancercouldbeusedtoevenlydistributereadsacrossalltheread-slaves.Whenaread-slaveisinitiallylaunched,itcanpulldownwhateverdatafromthewrite-masteritneedstohaveandonceallthedataisloadedandverified,itcanadditselftotheread-slavecollectiveandtakeontraffic.Thismodelismorecomplicated,butitdoesprovidemoreflexibilityinregardstoscaling(seeFigure5.7).
Figure5.7
TheaboveexamplesuseMySQLastheexampledatabase.OtherdatabasescanalsobeputintotheOpenStackcloudaswell,andwithsimilartypesof
configurations.Forexample,MongoDBandPostgreSQLsupportnativeclusteringandreplication.Somedatabasesevenhavenativesupportforthemaster-write/read-slavemodel.Ingeneral,youshouldresearchwhattypesofcapabilitiesthechosendatabasesolutionhasandtakeadvantageofwhateverhighavailabilityoptionsitprovides.
Finally,itwouldberemisstopointoutanotherpotentialdatabaselayerimprovement,whichistotakeadvantageofDatabase-as-a-Service(DBaaS).InOpenStack,thisisTrove,whichwasdiscussedpreviouslyinChapter2.IfthereisaDBaaSsolutionavailablefortheOpenStackcloud,takealookatwhatfeaturesitprovidesandhowitcanbeleveragedintheapplication.Offloadingthedatabasepiecetoanotherservicesimplifiestheapplicationtremendouslyandprovidestheadditionalhighavailabilityanddataprotectionneededwithouthavingtoreinventthewheel.
PuttingItAllTogetherNowthateachofthelayershasbeenexamined,itistimetoputthemalltogether.Userscomeintotheapplicationviaasinglelocation,theloadbalancer,whichisthenroutedtooneofseveralWebUIinstances.TheWebUIlayertalkstotheAPIinstancesthroughaloadbalanceraswell,eachAPIrequestdistributedamongstalltheAPIinstances.TheAPIlayertalkstothedatabasethroughaloadbalancertoaback-endcluster(seeFigure5.8).Theclusterissetupasmultimaster,allowinganydatabaseinstancetobehitbytheAPIinstances.
Figure5.8
Multi-RegionInstancesManyoftheimprovementslistedabovearetypicallyappliedataregionlevel,wherealltheinstancesareinthesameregion.Itispossiblethatpartsoftheapplicationexistinmultipleregions.Forexample,theWebUIandAPIlayersmayexistinoneregion,butthedatabaselayerisinanotherregion.However,ideally,allofthelayersneedtoruninmultipleregions.
Themaintricktorunninganylayerinmultipleregionsisloadbalancing.Eachlayerineachregionstillhasitsownloadbalancer,butthenthereisagloballoadbalancerthatroutestraffictoeachoftheregionalloadbalancers.IfaGSLBisabletobeused,itisaperfectusecaseforspreadinganapplicationacrossmultipleregions,sincetrafficcanberedirectedtothenearestgeographicallylocatedregiontotheuser.Figure5.9showsanexampleofhowtheWebUIorAPIlayercanbeorganizedtoworkinamulti-regionOpenStackcloud.
Figure5.9
Forthedatabaselayer,itsimilarlyusestheGSLBtoredirecttraffictothenearestgeographicallylocateddatabase.Insteadofabstractingeachoftheregionstotheirownsetofloadbalancersanddatabaseclusters,however,itcanbesimplifiedbytreatingtheGSLBasthemainloadbalancerandalltheregionaldatabasesasdatabaseinstanceswithinthesamecluster.Anothersimplificationthatcomesfromthissetupisthatonlytwodatabaseinstancesareneededforeachregion,sinceevenifasingleinstancegoesdown,thereareplentyofinstancesacrossalltheregionstoensuremorethan50percentoftheclusterisup.Figure5.10showsanexampleofamulti-regiondatabasesetup.
Figure5.10
SUMMARYWehavenowpulledtogetherourexampleappcreatedfortheOpenStackcloud.Itisagoodidea,however,toassumethatthecloudisahostileenvironment,presentingrisktotheapplication’suptimeandtheintegrityofitsdata.Knowingwhatkindsofthingscanhappentotheapplicationandwhatkindsoffailuresthatcanoccurinthecloudopensthedoortoimprovingtheapplicationtobeabletosurvivewhenthingsdohappen.
Oneofthebasicimprovementsthatapplicationsundergointhecloudistoenabletheapplicationtoscalewhenitneedsto.Theapplicationneedstoscalehorizontallywithinaregionanditneedstoscaleouttomultipleregions.Thisgivesmoreresiliencetotheapplicationsothatpiecesofitshuttingdowndon’ttakeoutthewholeapplication.Usingloadbalancersaspartofthescalingalsogivestheapplicationatypeofself-healingcapability,allowingpiecesoftheapplicationthatarenolongeraccessibleorfunctioningproperlytoberemovedfromthepoolssothatusersdon’tinadvertentlytrytousethem.
Whenlookingattheindividualcomponentsofanapplication,somepiecesoftheapplicationneedtobeimprovedindifferentwaysthanotherpieces.Forexample,webcomponentscanbescaledoutwithoutmucheffort.However,databasecomponentstypicallycan’tbescaledoutasmuch,sincescalingcanmakeitmoredifficulttomanagethedatabehinditandaffectperformance.Databasescanbescaledout,buttheyarescaledoutdifferentlythanhowthewebcomponentisscaledout.Databasesarebestmanagedasaclusterofinstancesandthischapterpresentedseveralwaysthatdatabasescanberuninthecloud.
Thesuggestionspresentedinthischapterarejustthetipoftheiceberg.Thereareanumberofdifferentwaysanapplicationcanbeimproved,anddevelopersareencouragedtoreachouttotheOpenStackcommunityandresearchtechniquesthatotherdevelopersareusingwhenbuildingapplicationsforthecloud.Thenext,andfinal,chaptertakesthecloudapplicationtothenextlevel,sincesimplybuildinganapplicationforthecloudisnotenoughtojustrunitthere.Deployingtheapplicationtothecloudinanautomated,dynamicwayalsobringschallengestothedeveloper.
6DeployingtheApplicationWHAT’SINTHISCHAPTER?
Anoverviewofthedifferentvirtualizationtechnologiesandhowdeploymentvariesbetweenthem
AlookattheorchestrationtoolsavailableinOpenStack
Adiscussionontheroleofconfigurationmanagement
Theminimumroleofmonitoringinaclouddeployment
Adiveintoapplicationscalingandelasticity
AnexampleofhowtoputallofthistogetheranddeployamodernappinanOpenStack-drivensystem
Considerationsforupdatingandpatching
Devopsisatermyouhaveprobablyheardofrecently.It’sadescriptionofsomeone(orateamofpeople)whotacklestheissuesofbothdevelopinganapplicationandconfiguring/maintainingtheenvironmentforthatapplication.
Foryears,theroleofaserveradministratorhasbeenquitedifferentfromthatofanapplicationprogrammer.Eachroletakesaprettyspecificskillset,andalotcanbesaidaboutdevopsbeingadifficultcompromise.Thetermhowever,couldnotbebettersuitedtowhatit’sliketodeployapplicationsinanOpenStack-drivenenvironment.
Whenwetalkaboutdeployinganapplicationtothecloud,ithasaslightlydifferentdefinitionthanwhatithastraditionallymeant.Traditionaldeploymentsareoftenfocusedondeployingchangestoanapplication,orontheinitialdeploymentofapieceofsoftware.OpenStackandothercloud-basedtechnologies,however,makeitpossibletoprogrammaticallydeploysoftwarealongwithalloftheservers,storage,andnetworkingnecessarytorunthatapplication.
Asyouwillsee,thishasanumberofadvantagesandcanbeaccomplishedinanumberofdifferentways.Thischapterwilltakealookatthesetechnologies,howtochoosebetweenthem,andhowtousethemtoquicklydeployanelasticapplication—somethingnearlyimpossibletodoinahardware-basedworld.Wewillthenconcludewithashortdiscussionabouthowthisnewdefinitionofdeploymentaffectsthetraditionalprocessofpatchingandupdatingsoftware.
BAREMETAL,VIRTUALMACHINES,ANDCONTAINERSBeforeyoucandeterminehowyou’regoingtodeploy,youfirsthavetodeterminewhatyou’regoingtodeploy.LookingatthedemoapplicationdevelopedinChapters4and5,thefirstthingthatneedstobedeployedisanumberofservers.Whatwasn’tdiscussedmuchinthosechapters,though,waswhattypeofvirtualizationthoseserverswoulduse.
InthesamewayOpenStackallowsthosewhoimplementittochoosetheirownhypervisor,storagedevices,andnetworkingequipment,italsoallowsdeveloperstodetermineforthemselveswhattypeofvirtualizationtheywanttouseforanygivenproject/application.Instances,orservers,canbelaunchedasacompletelyphysicalcomputer,asavirtualmachine(VM)runninginahypervisor,orasacontainer—anisolatedprocessingspacethatcanexistontopofavirtualmachineorontopofactualhardware.
Thechoiceyoumakebetweenthesethreetechnologieswillbethebiggestdeterminantofhowyoudeployyourapplication.Youwillfindstaunchdefendersofeach,butthechoiceisoftenasubtleexerciseincompromiseandpersonalpreference.Thus,it’simportanttounderstandtheirdifferencesbeforemovingforward.
BareMetalBaremetalprovisioningisexactlywhatitsoundslike:thecreationofaserveronphysicalhardware.AsoftheJunoreleaseofOpenStack,baremetalprovisioninghasbeenmovedfromtheNovadrivertoitsownservicecalledIronic.HardwareisregisteredthroughtheIronicAPI,butonceproperlyconfigured,serversarestilldeployedinthesamemannerasvirtualmachinesthoughtheNovaAPIorHorizon(seeFigure6.1).
Figure6.1
Baremetalserversareprimarilyusedwhenyouneedtheabsolutehighestperformanceandstabilitypossible.Whiletheoverheadofvirtualmachinesandcontainershasdroppedovertheyears,thereisnosuchthingassoftwarethatdoesn’tconsumememoryandprocessortime.DiskIO,andCPUpriorityareallguaranteedinabaremetalscenario.BaremetalserversarealsoagoodoptionifGPUsorotherhardwaredevicesthatcan’tbeeasilyvirtualizedarepartofyourapplication.
Additionally,evenifperformanceisn’tofthehighestconcern,therearetimesforregulatorypurposes,whenyoumightfinditnecessarytodeploybaremetalserversanyway.HardwareisolationprovidestheabsolutemaximumamountofserversecurityinanyOpenStack-drivenenvironment.
Thatbeingsaid,ifperformanceandisolationaretheupside,thenefficiencyandflexibilityareitsmaindownsides.Baremetalserverscannotbesubdividedbeyondtheirhardwiredcomponents.Thiseithertendstoleavealotofunderutilizedhardwareoutthere,orresultsindeveloperspiggybackingmultipleapplicationsontoeachphysicalserver.
Toupgradeanapplicationrunningonbaremetaltobiggerhardwareoftenmeanstakingitdownwhilephysicalchangesaremade,orhavingalargevarietyofhardwareonhand.Thiscomeswithitsownsetofheadaches,andremovesmanyofthebenefitsprovidedbyasystemlikeOpenStack.Theabilitytostartsmall,growinstantly,andoffernumerousisolatedenvironments,areallgreatreasonstolookatothervirtualizationoptions.
VirtualMachinesFromtheperspectiveofdeployingaserverinOpenStack,virtualmachinesarestilltheindustrystandardatthemoment.Multiplevirtualmachinesrunontopofasinglehypervisorthatitselfrunsontopofasingleoperatingsystemresidingonasinglepieceofphysicalhardware(seeFigure6.2).
Figure6.2
Thebiggestadvantagestovirtualmachineswerealreadytouchedonearlierinthischapter.Virtualmachinesallowyoutosplitonelargephysicalserverintomanysmallerisolatedservers.Thesecaneachhaveauniqueconfigurationandrunningapplication.Thisavoidspiggybackingandhelpspreventoneapplicationfrom
takingdownanotherthatrunsonthesameserver.
UpgradingordowngradingavirtualserverisalsoasimplematterofaskingOpenStackforadifferentflavor.Thisisnotonlyhandyfortestingandtuningapplicationperformance,butcandrasticallyreducetheamountofhardwarerequiredforanygivenenvironment.Afterall,thereisnoneedtoplanfortheworstwhenyoucaninstantlydeployanewserverwithmoreresources.
Ofcoursetherearetrade-offswhenitcomestothiskindofvirtualization.WhileOpenStackcanbeconfiguredtoallowforover-subscriptionofresources,generallyspeaking,onceeitherallofthememory,CPU,ordrive-spacehasbeenallottedfromagivenpieceofhardware,theremainingassetscannotbeassignedtoanotherinstanceandessentiallygotowaste.Itisalsopossiblefortheschedulertofailtofindasinglepieceofhardwarethatmeetsalloftherequestedcriteria.Forexample,evenifaclusterhashundredsoffreegigabytes(GBs)ofRAMtotal,ifnosingleboxhasmorethan15GBfreeanda16GBserverisrequested,thenthecreationwillfail.Thisisagoodreasontoalwaysdeploythesmallestcomputingunitpossible.
Someefficiencyisalsolostduetothehypervisor.Whiletherehavebeengreatimprovementsinthistechnologyovertheyears,routingcallstoandfromthehostOSanddevicesisn’tfree.TheoverheadhereisdifficulttocalculateandcanvarybasedontheOS,device,andthesoftwareinvolved,butcaneasilyreachashighas15percent.Forsmallerenvironments,thisdoesn’tamounttomuch,butforlargerinstallations,thiscanbecomeadealbreaker.Entercontainers.
ContainersContainersarethenewbelleoftheball.Whiletheyarebasedonoldtechnology(variousformsofcontainershavebeenaroundforyears),theintroductionafewyearsagooftheDockertoolsettoeasilycreatenewcontainers,spurredthebigplayers(Google,Amazon,andMicrosoft)tobeginadoptingthetechnology.
ThereareseveraltypesofcontainerincludingLXC,BSDJails,andOpenVZ.LXChasgainedthemosttractionandcanbepackagedinseveralformats—DockerandRocketbeingthemostcommon.Therearesomegrowingdifferencesbetweenthesecontainertypes,formatsandpackagingtechnologies,butgenerallyspeakingtheyalldothesamething.Theyeachoffersoftwarethatcreatesvirtualenvironmentsmimickingafullvirtualmachine.ThetrickisthateachcontainerismissingthemainOSkernel.Callstothekernelareinsteadsentfromeachcontainertoasingledaemon,whichrunsonasingleinstanceofthehostOSoneachphysicalserver.ThismeanstheoverheadofhavingmultiplekernelsinaVMscenarioisgone(SeeFigure6.3).
Figure6.3
Thereisnodenyingthatcontainershavemanyadvantagesovervirtualmachinesorbaremetaldeployments.Containersallowforthecodeofanapplicationtobedeployedsimultaneouslywithitsserverconfigurationasthecontainerimagecancontainboth.TheydeploymuchfasterthanafullOSimage,astheyareonlyafractionofthesize(assmallasafewMBs),andtheycanprovideanexactcopyofanapplication(anditsconfiguration)fordevelopmentortesting(thiscanbeapositiveoranegativeintruth).
Dependingonwhomyouask,andthespecificsofyourapplication,containerscanalsobemuchfasterthantheirhypervisor-drivencounterparts.ThenativehostOSkernelandschedulerdecidewhichprocessesgetCPUtimeinsteadofhavingtogothroughoneschedulerperVMandthenanotherschedulerwherethehostOSdetermineswhichVMprocessgetsCPUtime.Greaterdensitycanalsobeachievedthroughtheuseofcontainers.Smallerimagesandfewerkernelsinmemorymeansmallercomputingunitsandgreatcostsavingsatscale.
Generallyspeaking,therenewedexcitementsurroundingcontainersiswelldeserved,butit’simportanttoacknowledgethattheyarenotasilverbulletforOpenStackDeployments.
Containersonamachine(orpod)mustsharetheexactsamekernel/operatingsystem.Thishasrepercussionsifanapplicationneedstomodifythekernel,orifthereisadesiretohostvariousoperatingsystems(orversions)onasinglepieceofhardware.
Therearealsosomesecurityconcernswhendeployingcontainersifanyofthemaretobegiventoanuntrustedsource.Exploitswhereauserescapestheircontainerandbreaksintoanotherhavebeenrecentlydemonstratedandreinforcethefactthatcontainersarenotaone-size-fits-allsolution,atleastnotyet.
Thebiggesthurdlewithcontainers,however,isthattheyaren’tyetavailableas
firstorderobjectswithinOpenStack.Fornow,containershavetobedeployedandconfiguredontopofvirtualmachinesthatarethemselvesmanagedbyOpenStack.Thediagramforthislooksalittledifferent(SeeFigure6.4).
Figure6.4
Thiscanprovidethesamelevelofisolation/securityasVMsifeachcustomerisgiventheirownVMtoruntheircontainerson,butOpenStackisessentiallyunawareofcontainersinthisscenario.ResizingandprovisioningcontainershastobedoneoutsideofNova.AdditionalconfigurationoutsideofNeutronisneededtocreateprivatenetworksandhandleinboundaccess.Containerscan’tbemanagedorvisualizedwithinHorizon,andtheperformancepenaltyofahypervisorinadditiontothecontainerdaemonactuallymakesthemlessperformantthanvirtualmachinesalone.
Therearesomeimpressivethird-partyoptionslikeCloudshiftandCloudifythatcanprovidecontainermanagementinthisconfiguration.However,thisstillhappensoutsideofOpenStack,anditremainstobeseenwhatplacethesetoolswillhaveoncecontainersonbaremetalbecomesavailable.
ContainersonBareMetalWhenpeoplespeakaboutcontainersonbaremetalinanOpenStack-drivenenvironment,theyaregenerallynotjustreferringtotheconceptofrunningcontainersdirectlyonthehostOS.
Thiscouldtheoreticallybeachievedbyprovisioningabaremetalserver,loadingonastandardLinuxdistribution(oramorededicatedoneforcontainerssuchasCoreOSorRancherOS),andrunningDockeroranothercontainersystemontopofthat.Thisideahassomeadvantagesoverbaremetalalone,likebeingabletosubdividehardware.Unfortunately,itstilllackstheorchestrationandmanagementcapabilitiesprovidedbyOpenStack.
Moreoften,whensomeonespeaksaboutcontainersonbaremetal,theyarereferringtoseveralnewprojectsthatattempttoprovideboththeefficiencyofeliminatingthehypervisoraswellasenablingOpenStacktomanagethesecontainersasfirstorderobjects.
Oneoftheseprojects,Magnum,wasdiscussedearlierinChapter3.IthasbeenavailablesinceKilo-2andmakesorchestrationengineslikeGoogle’sKubernetesandDocker’sSwarmavailableforcontainermanagement.Theparadigmisslightlydifferentandinvolvesthingslike“pods”and“bays,”butgenerallyspeaking,itprovidesvirtualmachine–stylemanagementforcontainersthatrundirectlyonhostoperatingsystems.
Intheory,containersonbaremetalprovidethebestofallworlds.Yougettheefficiency/densityofcontainers,thenativemanagementofVMs,and(accordingtosomeearlybenchmarks)nearlybaremetalperformance.
Unfortunately,aswithalotofrevolutionarytechnology,Magnumisn’talwaysavailable,andsupportedorchestrationengineslikeswarm,Mesos,andKubernetescouldstillusesometimetomatureandstabilize.Therearealsosomethird-partyoptionsoutsideofMangum/OpenStacklikeCloudifythatprovideinterestingsolutionsandsupport,but,youwilllikelyfindyourselfchoosingbetweenbaremetal,virtualmachines,andclassicallymanagedcontainersforquitesometime.
ChoosingtheRightTechnologyfortheProblemFromadeploymentperspective,virtualmachinesareusuallytheeasiestwaytogo.Unlikebaremetal,theyareefficient,andcanbescaledupwithacommand.UnliketraditionalcontainerstheycanbemanagednativelythroughOpenStack’sHorizonandthevariousAPIs.Unlikebaremetalcontainers,thetechnologyismature,andNova/Compute(asopposedtoMagnum)isdefinitelyavailable.
Inourdemoapplication,therearenospecificrequirementsforcustomhardwareorGPUutilizationineithertheweborresttiers.Neitheroftheseseemtorequirehardwarelevelperformance,nordotheyneedhardwarelevelisolation,sobaremetalisn’treallynecessary.Iflocaldrivesareused,itssometimespopulartouse
baremetalinMySQLservers(forperformancereasons),butgenerallyspeakingthisisn’tanissueaslongastheyareprovisionedwithenoughmemorytokeepthemfromaccessingthedisktoofrequently.Wealsowon’tbedeployingenoughserversinanyofthesetiersthatthesmalleroverheadofContainerswillreallycomeintoplay.Thisleavesuslittlereasontochooseanythingotherthantodeploystandardvirtualmachinesinallcaseshere.
Ifthiswerearealproductionproject,youwouldwanttoconsiderafewotherthingsbeforemakingthedecision:Whatkindofexpertiseisavailableonyourteam?WhatoptionsareavailableinyourOpenStackenvironment?Areyougoingtodistributethisapplicationinternallyorelsewhere?Theanswertothesequestionsshouldimpactyourdecision.Mostofthetime,asinglechoicewillmakethingseasier,butamixedenvironmentisalsoareasonableresponse.Certainsystems(Hadoop,MySql,etc.)maybenefitfromthemaximizedperformanceandstabilityofbaremetalprovisioning,whileyoumaywanttodeploypreconfiguredcontainersoremptyvirtualmachinesforothercomponents.
Whateveryouchoose,considerhowthiswillaffectyourdeployment.Forexample,sometoolslikeHeatareonlyavailabletofirstorderobjectslikevirtualmachinesandnotcontainers(fornow).Alternativelychoosingbaremetalmayrequireyoutopiggybacksomeofyourapplicationontoasingleserver.Regardless,theremainingsubjectsinthischapter:orchestration,configuration,andscalingarebuiltonthefoundationofthisinitialchoice,sochoosewisely.
ORCHESTRATIONANDCONFIGURATIONMANAGEMENTNowthatavirtualizationtechnologyhasbeenchosenforeachofourservertypes,theyactuallyneedtobeprovisionedandconfigured.Thenetworkfortheapplicationalsoneedstobesetupandappropriatesecuritygroupsandrestrictionsputinplace.ThiswasalldonemanuallyintheexamplesinChapters4and5,butinpracticeit’simportanttolookatdeployingacloudapplicationasmorethanjustusingOpenStackasaself-serviceportalforserverprovisioning(IAAS)and/oraseriesofavailableservices(PAAS).Embracingtheabilitytoscripttheconstructionofyourenvironmenthashugeadvantages.Meanwhile,treatingyourapplicationasifitliveswithinaclassicenvironment(deployingandconfiguringitthesameway)canresultinabsolutedisaster.
Inaclassicallyprovisionedenvironment,youmightbegivenaccesstoapowerfulserver,spendseveralhours/days/weeksmanuallyconfiguringit,andthendeployyourapplicationtothatserver.Thisworksmoderatelywell.Modernserversarebuiltwithharddrivearrays,multiplepowersupplies,andhavefaulttolerantram.Intheeventofafailure,thehopeisthattheredundantcomponentscantakeoveranddowntimecanbeavoided.
AswasdiscussedearlierinChapter5,resilienceinacloud-basedapplicationdoesn’trelyonredundanthardware.Instead,commodityhardwareisoftenused,andmultipleserversandisolatedapplicationtierscreatesresiliency.Expectinganygivenservertolockup,stoptakingrequests,orjustdisappearisallpartoftheplan.Evenifmorerobusthardwarewereused,whenitjusttakesthepushofabuttontopermanentlydeleteallofyourcarefullyconfiguredservers,itisimportanttobeabletorecreatethemquickly.
Thisiswhyscriptingtheorchestrationandconfigurationofyourenvironmentisavitalpartofdeployinganycloud-basedapplication.Doingthisnotonlyprovidesthepreviouslydescribedbenefits,butitalsoensuresconsistencybetweenservers,self-documents,andisaperfectopportunitytoworkonyourdevopsskills.Itisalsothebasisforaddingelasticitytoourdemoapplication,asyouwillseeshortly.
OrchestrationTools:Heat,Murano,Cloudify,andMoreMuchlikeweneededtolookatallofthevirtualizationoptionsbeforedeterminingwhatwasgoingtobedeployed,it’simportanttolookatalloftheorchestrationoptionsbeforemakingadecisiononhowthesethingsaregoingtobedeployed.Withrespecttothis,thereareanumberofoptionsthatarecommonlyemployedthatareallreferredtoasorchestrationtechniquesortools.
Thefirstoftheseisjusttocreateyourownscriptfromscratch.Thereisnothingtostopyoufromdoingthisinthelanguageofyourchoice.Thecompute,networking,andplatformAPIsprovideallofthebasicsyouneed.Aslongasa1:1ratioiskeptbetweenapplicationsandKeystoneprojects,Horizonwillevenprovideyouwitha
prettyclearvisualization/inspectionofyourenvironment.Thisisaperfectlyviableoption,andthoughitrequiresalotofinitialeffortupfront,itisacommonorchestrationsolution.ItisespeciallyusefulwhendealingwithcomponentsorservicesthatexistoutsideofOpenStack.
Asfarasintegratedsolutionsgo,Heat(beingthemainorchestrationcomponentofOpenStack)istheobviouschoice.Itstemplatefilesallowyoutodescribeyourenvironmentinawell-documentedmanner.UsingHeateliminatessomeofthegruntworkofmanualscripting,suchashavingtoprovidedetailedoutputanderrorhandling.Heatalsosupportsseveraldifferentconfigurationmanagementoptions,makingthenextstepinthedeploymentprocesseasierstill.
Muranoisanotheroptionforsomewhatprogrammaticorchestration.Asdiscussedearlier,itprovidesbothanapplicationcatalog,aswellasawaytozipupapplicationsforthird-partyconsumption.PackaginganapplicationforMuranoalongwithallthewizardsandscriptedorchestrationisgenerallyoverkillthough,unlessyouareplanningondistributingtousersinotherOpenStackenvironments.Ultimately,Muranoismoreaboutdistributionthanitisaboutorchestration,andsoitisnotgenerallyarecommendeddeploymentmechanismforcustomapplications.
Ofcourse,noconceptinOpenStackwouldbecompletewithoutahealthydoseofthird-partyapplicationsthatprovidealternatesolutions.CloudFoundryandCloudifybothofferorchestration.IftheseareavailablewithinyourOpenStackinstallationtheyaredefinitelyworthalook.TheirsuccessisdueinparttotheirfriendlierUIandtheirabilitytosimplifytheorchestrationprocess.However,becausetheycommunicatetoOpenStackviathesamenativeAPIsyouhaveaccessto,thereislittletheycanaccomplishthatyoucan’taccomplishyourselfwithalittlemanualscriptingworkorthroughHeat.
Lastly,therearenewcompanies,suchasRancherLabsandprojectslikeKubernetesandMesos,thatarestartingtoprovidecontainer-focusedorchestrationsolutionsthatliveontopof,orworkwith,OpenStack.Thesearethebleedingedgeofvirtualizationtechnologyandassucharelikelytoseehugechangesbeforemainstreamadoption.Theyare,however,worthmentioningincaseyouarelookingforacontainer-focusedsolution,needtospanmultipleclouds,and/orhaveexperienceusingRocket,Dockerorsimilartechnology.
Sincewehavechosentousevirtualmachinesovercontainersforourdemoapplication,andtheapplicationisn’tmeantforwidedistribution,thatleavestwogoodchoicesfororchestration:manualscriptingandHeat.IfthedemowasamorecomplexapplicationoriftherewerecomponentsthatsimplycouldnotbemanagedwithinHeat,thenrawscriptingwouldbethego-tosolution.ItisalsopossibletouseHeatasacomponentofalargerscript,asitisessentiallyanAPIaswell.Asisthough,HeatisreasonablywelldocumentedandprovidesasinglesimplifiedsystemforcommunicatingtoallofthedifferentOpenStackcomponentsthedemoapplicationisgoingtouse.Thismakesitthebestchoicefor
nowandtheremainderofthisbookwillfocusontheuseofHeattemplatesfordeployment.
ConfigurationManagementandCloudInitIforchestrationisanythingthatoccursabovetheserverlevel,configurationmanagementcangenerallybeconsideredtobeanythingthatneedstobemodifiedattheserverlevelorbelowinordertogetyourapplicationupandrunning.Addingspecificsoftware,updatingconfigurationfiles,orevenpullingdownanapplicationfromGitoccursundertheumbrellaofconfigurationmanagement.Inthecaseofthedemoapplication,thiscouldmeanApacheforthewebtierorNode.js/PythonfortheRestlayerandMySQLforthedatabase(s)alongwithalloftheirrespectiveconfigurationfiles.
BeforewegetintotoolslikePuppetandChef,whichreallyarethestandardforconfigurationmanagementthesedays,thereisanotheroptioncalledCloud-Initthatiswellworthyourtimetoexplore.Technicallyspeaking,itisjustaLinuxpackagethathandlesearlyinitializationofacloudinstance.Fromadeveloper(ordevops)perspective,itisalsooneofthesimplestwaystorunscriptsafteraserverhasbeenprovisioned.
Whatyouchoosetodointhesescriptsand/orwhatlanguageyouwanttoemployisuptoyou.Cloud-Initsimplyrunswhatyoutellittoeitherbyincludingthescriptunderuser_dataaspartofyourAPIcalltoNova,orthoughHeatasfollows:
heat_template_version:2014-10-16
description:Simpletemplatetodeployasinglecomputeinstance
parameters:
image_id:
type:string
label:ImageID
description:Imagetobeusedforcomputeinstance
resources:
web_server:
type:OS::Nova::Server
properties:
image:{get_param:image_id}
flavor:m1.small
user_data_format:RAW
user_data:
#!/bin/bash
echo"Youjustranthiscommand!"
Inthisexampletheserverwouldfirstbeprovisioned,andthenthecommandinuser_datawouldbeexecutedand“Youjustranthiscommand,”wouldbeoutputtothecommandline.Thiscanactuallybeviewedthoughthespice-consoleonceitisavailableinHorizonaspartofthebootsequence.
Itshouldbeprettyeasytoseehowyoucouldexpandonthisconcepttoconfigureaservertomeetyourneeds.InsteadofmanuallyinstallingXYZafterprovisioningit,youcouldsimplywriteascripttoinstallXYZandincludeitaspartofyourHeat
template.Aslightlymoreusefulexamplemightlooklikethefollowing:
heat_template_version:2014-10-16
description:Simpletemplatetodeployasinglecomputeinstance
parameters:
image_id:
type:string
label:ImageID
description:Imagetobeusedforcomputeinstance
resources:
web_server:
type:OS::Nova::Server
properties:
image:{get_param:image_id}
flavor:m1.small
user_data_format:RAW
user_data:
#!/bin/bash
yuminstall–qygit
yuminstall–qynpm
gitclonehttps:/github.com/folder/package.git/var/usr/share/app
node/usr/share/app/server.js
echo"Youjustinstalledandstartedanodeapp!"
Creatingastackwiththistemplatewouldprovisionasinglesmallserverwiththespecifiedimage.ItwouldthenbeconfiguredwithGitandNPM(Node.js),soyoucandownloadaprojectfromGitHubandstartit.Forourdemoapplication,differentinstallationandconfigurationscriptswouldbeinsertedforeachoftheservertypes.
DependingonyourOpenStackconfigurationandyourbaseimage,Cloud-Init’sCloudconfigYamlformatmayalsobeavailable.Itprovidessomeexcellentfunctionalitywithouthavingtowritealotofcode.Convertingourearlierexamplewouldresultinsomethinglike:
heat_template_version:2014-10-16
description:Simpletemplatetodeployasinglecomputeinstance
parameters:
image_id:
type:string
label:ImageID
description:Imagetobeusedforcomputeinstance
resources:
web_server:
type:OS::Nova::Server
properties:
image:{get_param:image_id}
flavor:m1.small
user_data_format:RAW
user_data:
runcmd:
-yuminstall–qygit
-yuminstall–qynpm
-gitclonehttps:/github.com/folder/package.git/var/usr/share/app
-node/usr/share/app/server.js
-echo"Youjustinstalledandstartedanodeapp!"
Thisisaprettysimpleexample,butitisafairlycomplexandpowerfulsystem.ForfurtherreadingonCloud-InitandsomegreatexamplesofhowtoconfigureaserverwiththeCloudconfigformattakealookathttp://cloudinit.readthedocs.org/en/latest/topics/examples.html.
Puppet,Chef,Salt,andAnsibleWhileCloud-Initisageneralsystemforrunningscriptsforwhateverpurposeyoulike,therearenumeroustoolsdedicatedsolelytoconfigurationmanagement.Puppet,Chef,Salt,andAnsiblearen’ttheonlyoptionsinthisrealm,buttheyaredefinitelythebiggestplayers,andtheyhavesomeimportantsimilaritiesanddifferencestoconsideriftheyaretobeusedaspartofanOpenStack-backeddeployment.
Firstoff,alloftheseapplicationssharetheideaofplugandplaymodules(calledrecipesinChef,andplaybooksinAnsible).TheseprebuiltblocksarethebiggestthingthatdifferentiatesthemfromconfiguringaserverwithBashorotherscriptingtoolslikeCloud-Init.Modulesareavailablefrompublicrepositoriesthatanyonecansubmittoorretrievefrom,similartoPIPinPythonorNPMinNode.js.Additionally,theyhaveallattemptedtocomeupwithasimplelanguage/structurefordescribingaserver’sconfiguration,handleinstallationerrors,andprovidedifferentconfigurationsforserversindifferentroles.Theformatsarefamiliar—JSON,YAML,etc.,buttheactualsyntaxandmethodologyareproprietaryandnotportableacrosssolutions.
Thelanguagetheywerebuiltupon,theirneedtohaveinstalledclients(Ansible,forexample,doesn’tneedone),andthebreadthanddepthoftheirmodulelibraries,arereallywhatdifferentiatesthesetoolsfromeachother.Aswithmosttechnologies,youwillfindenthusiasticsupportersanddissentersofeach,butformostpurposestheyareequivalent.Infact,theirsimilarity,andtheabilitytodevelopagenericsyntaxfortheiruse,isabigreasonwhythereisgrowingsupportforallofthesetoolswithinOpenStack.
Let’slookatwhatasimplePuppetManifestmightlookliketoconfigureaservertorunApacheandPHP:
#installapache
package{'apache2':
ensure=>installed
}
#startapacheandensureitsrunning
service{'apache2':,
require=>Package['apache2'],
ensure=>running
}
#installphp
package{'php5':
require=>Package['apache2'],
ensure=>installed
}
#createaninfo.phpfiletoshowthatthisallworked
file{'/var/www/html/info.php':
ensure=>file,
content=>'<?phpphpinfo();?>',
mode=>0444,
require=>Package['php5']
}
WiththePuppetclientcorrectlyinstalledandtheprecedingfilesavedasmanifest.pp,youcouldthenexecutethistemplateasfollows:
$sudopuppetapply./manifest.pp
Puppetdealswithanyerrorhandling,determinestheorderthingshavetohappeninbasedupontherequirestatements,andhandlesallofthedifferencesinOStypes.Forexample,usingthesetools,youdon’thavetowriteonescriptforCentOSthatinstallssoftwareviaYum,andanotherversionthatsupportsapt-getinstallationonDebianorUbuntu.
Aswasmentionedbefore,HeatactuallyprovideshooksforallofthesetoolsintheformofaSofwareConfigresource.IfyourconfigurationsupportsChef,thenaHeattemplatetosetupWordpressmightlooklikethis:
resources:
wordpress_config:
type:OS::Heat::SoftwareConfig::Chef
properties:
cookbook:http://www.mycompanycom/hot/chef/wordpress.zip
role:wordpress
#inputparametersthatthechefrole(s)need
inputs:
wp_admin_user:
type:string
mapping:wordpress/admin_user
wp_admin_pw:
type:string
mapping:wordpress/admin_password
db_endpoint_url:
type:string
mapping:wordpress/db_url
#variousotherinputparameters…
#Havechefoutputthefinalwordpressurl
outputs:
wp_url:
type:string
mapping:wordpress/url
FromtheOpenStackdocumentationathttps://wiki.openstack.org/wiki/Heat/Blueprints/hot-software-config-spec:
TheresourcetypeOS::Heat::SoftwareConfig::ChefindicatesthatthisisaChef-specificSoftwareConfigdefinition.ThecookbookpropertypointstotheusedChefcookbook,andtherolepropertypointstotheroletobesetupviathisSoftwareConfig.TheinputssectioncontainsthedefinitionofinputparametersthathavetobepassedtoChefforconfiguringtherole.Inputparametersaredefinedintermsofnameandtype.Inaddition,amappingspecifiestowhichroleattributetherespectiveinputparametersneedstobeassigned(i.e.Chef-specificmetadata).
Ifthisseemsconfusing,don’tworry.ThisexampleissimplymeanttoshowthedevelopersbehindOpenStackareawareofthesetools,andthatifyouarefamiliarwiththem,thereareanumberofwaystotightlyintegratethemintoyourdeployment.Again,exactlyhowyouchoosetoconfigureyourserversandyourapplicationisentirelyuptoyou.Yourcompanyand/oryouroperationsteammayhavealottosayonthesubject,orthechoicemightbeyoursalone.What’simportantistohaveageneralunderstatingoftheoptionsavailableandformagameplan.
Withthatinmind,let’stogoovertwootherimportantpiecesoffunctionalitythatalloftheseconfigurationmanagementsolutionsprovide.Firstoff,theyoffercentralizedmanagementofservers.Oncetheclientisinstalled,andtheserverhasbeenregisteredintothemaster,youcanuseawebinterfacetodothingslikesearchforaserver,seewhatsoftwareisinstalled,orevenpush/scheduleapatchforit(seeFigure6.5).
Figure6.5
Thisconfigurationisn’trequiredthough,andthesetoolscanallbeusedinmasterlessmodewherethiscentralauthorityisentirelyabsent.ThereisalotofcrossoverbetweenwhatthesecentralizedsystemsandwhatOpenStack/Horizoncanoffer,soit’snotunusualtousetheminthismasterlessmanner.
Theotherpieceoffunctionalitytheyallofferistheabilitytoexecutearbitrarycommandsonremoteservers.Thisisanaspectofthesamemechanismthatallowsthemasterserverstopatchremotecomputers.Ansibleinparticularcanbeanindispensibletoolwhenusedforthispurpose.
UnlikePuppet,Chef,andSalt(tosomeextent),Ansibledoesn’trequiretheinstallationofaspecializedclienttosupportremotecommandexecution.ItusesSSHandprivate/publickeystoachieveasimilarresult.ItisalsoeasytoconfigureAnsiblewithalocalfiletopushthesecommandstomanyserversatonce(asopposedtosequentially).ThismakesremoteexecutionquickandeasyfromanycomputerwithAnsibleinstalled.AconfigurationfileforAnsiblelookslikethis:
[devservers]
dev.cloud.mycompany.com
[prodservers]
prod01.cloud.mycompany.com
prod02.cloud.mycompany.com
prod03.cloud.mycompany.com
[otherservers]
server1.cloud.mycompany.com
server2.cloud.mycompany.com
Thisfiledefinesthreegroupsofservers(devservers,prodservers,andotherservers).Commandscanberunonanindividualbox,agroup,orallgroupsatonce.Youcanalsodeterminehowmanyserverstorunthecommandonsimultaneously.Soif,forexample,youwanttoupdateGitonallofyourproductionserversatonceyoucouldrun:
$ansibleprodservers-a"yumupdate-yqgit"-f3-umyusername
––sudo––ask-sudo-pass-i/myuser/ansible_hosts
SinceYumoftenrequiressudoaccess,theask-sudo-passvaluehasbeeninvoked,and-f3indicatesthatyouwanttorunitonthreeserversatonce.Iftherewere6serversdefinedintheprodserversgroup,thenitwouldrunthisintwoseparatebatches.Thisisoftenusefultoavoidthingslikecacheslammingortoavoidrebootingallofyourserversatonce,makingyourapplicationtemporarilyunavailable.
Ansibleishighlyrecommendedasaneasywaytoexecuteremotecommands,butthisdoesnotmakeitashoe-infortheconfigurationsolutionforourdemoapplication.Infact,thereisonedrasticallydifferentoptiontoconsider.
WhereDoSnapshotsFitIn?OrShouldThey?Withalloftheseconfigurationoptionsit’svalidtoaskwhereimagesfitintoadeployment.Ratherthanscripttheconfigurationofaserverorseveralserverswithdifferentroles,itisdefinitelypossibletotakeasnapshotofaserveronceit’sconfiguredandsimplydeployitinthisconfiguredstate.Whilethereareafewcaveatstothatand/orbuildingacustomimage,thiswillusuallywork.ImagescanbeuploadedthroughHorizonorthroughtheGlanceAPI,andanumberofpre-configuredimagesareavailablefromcompanieslikeBitnamitomakethiseveneasier.Generallyspeakingthough,thisisn’tagreatsolution.
Imagesarebulkyandcumbersome.Ifyouwanttomodifyasinglevalueinasinglefile,youcanenduphavingtore-createanentireimagealloveragain.ThisisactuallyoneofthemainproblemsthatDockerisattemptingtosolvewiththeDockerFilecontainersystem.Testingchanges,debugging,andevenstoringalltheseimagescanbeatimeandspaceconsumingprocess.Configurationscriptsontheotherhand,actliketinyzipfilesthatexpandonaservertocreatefullyconfiguredboxes.Theyareeasytoedit,store,andversion.Dependingonthesoftwareinvolved,it’sevenpossibletousethesamescripttoconfigurewindows
andLinuxboxes.
Thereareatleastafewsituations,though,wherecreatingcustomimagescanbeanextremelyeffectivesolution.Ifyouarenotusingcontainers,yourconfigurationscriptstakealongtimetorun,andyouaredeployingthemfrequently,thenusingimagesorsnapshotscanbeamuchfasteroption.Thisisoftenthecasewithlargewindowsbuilds..NETcomponentsandenterpriseclasswindowssoftwarecantakehourstocompletelyinstallandgetrunning.Imagescanalsobeusefulwaytodistributesoftware.EnsuringsoftwaresuchasPuppet,orGitisalreadyinstalledcanpreventanynumberofteamsfromhavingtoinstallandconfiguretheseitemsthemselves.Inthisscenario,acombinationofpre-configuredimagesandpostprovisioningconfigurationscriptsareusedeffectively.
Becausetheneedsofourdemoapplicationarerelativelysimple,andthetoolsarenativetoOpenStack,therestofthischapterwillfocusonusingCloud-Initanduser_datawithinHeattohandleserverconfiguration.Thiswillkeepthingslight,andwon’trequireadeepknowledgeofanyoftheconfigurationmanagementtools.Whenitcomestoyourownapplicationthough,weencourageyoutoexperimentandchoosewhatworksbestforyou,yourteam,andyourapplication.
MONITORINGANDMETERINGItmightseemoddatthispointtobeginadiscussiononmonitoring.Wehaveyettoevenlookatacompletedeploymentsolution.However,monitoringisapre-requisiteofelasticityandrequiredtosomeextenttomakescalinguseful.Afterall,withoutknowingtheloadonasystem,it’shardtoknowifyouneedtoincreasetheserverorstacksize.Thisholdstrueevenifsuchchangesaredonemanuallyorprogrammatically.
YoumayalsofindifPAASorexternalcomponentsaren’tused,thatyourdeploymentactuallyincludesitsownmonitoringsystem.ThismayseemalittleInception-like,butit’snotverycomplicatedinpractice.Monitoringserverscanbedeployedandconfiguredinasecondproject,stack,orevenseriallybeforetheapplicationserverswithinthesameproject.Itisalsolikely,ifyouworkwithinalargercompany,thatsomesortofcentralizedmonitoringisavailableforyoutouse.
OpenStackdoeshaveacoupleofbuilt-inmonitoringoptionsthatcanbeusefulfordeployments.MonascaisaPAAScomponentthatoffersmonitoringasaservice.Itconsistsofanumberofsub-components:anagentthatrunsoneachserver,aCLItospeaktotheMonascaRESTAPI,astoragesystemformetrics,analertsystem,andananalysisenginethatenablesthealertsandanumberofotherfeatures.
TheresultofcollaborationbetweenHPandRackspace,Monasca,canbeacapable,butstunninglycomplexmonitoringsolution.Forafullexplanationandsomeinterestingreading,visithttps://wiki.openstack.org/wiki/Monasca.
Theotherfirst-partysystemthatofferssomelevelofmonitoringisCeilometer.CeilometerisdiscussedinChapter3.Itwasprimarilybuiltasatelemetryservicetomeasureutilizationandtostorethatdataforlateranalysis.LikeMonasca,Ceilometercanmeasurethingslikeload,andtriggeralertswhencertainthresholdsaremet.UnlikeMonasca,itcanalsoreportdetailedinformationonthingslikehowmuchprocessortimewasusedbyagivenvirtualmachineorproject.Themoststraightforwarduseofthisistoenableusagebasedbillingormetering.Youmayfinditusefulforthingslikecomparingtheefficiencyofserverconfigurationsordeterminingwhichapplicationsareoverprovisioned.FurtherdocumentationonCeilometercanbefoundathttps://wiki.openstack.org/wiki/Ceilometer.
Ifyouarelookingforanofftheshelfsolutionthatisn’tintegratedwithOpensStack(or,asisoftenthecase,theseservicesarenotavailable),thenbothNagiosandSensuareworthalook.ThesesolutionsbothfunctionbyaddingaclienttoeachserverthatyouwanttomonitoranddeployingacentralizedmonitoringserverthatcollatesthisdataanddisplaysitwithinawebbasedGUI.SimilartoPuppetandChef,therearecommunitysubmittedchecksthatcanberunontheclientservers.ThesecommonlywatchthingslikeCPUuseandavailablememoryandsendresultsoralertstohandlersonthecentralhub.There
arealsoanumberofcommunity-builthandlersavailabletosendthingslikeSMSoremailmessages,orlogresultstoadatabaseforlateranalysis.
Nagiosiscurrentlyfreeforuptosevenmonitoredservers,whileSensu(beingthenewkidontheblock)isfreeforthenon-enterpriseversion.Bothofthesesystemsarecompletelyscriptableandcanthusprovideanylevelofmonitoringnecessary,aswellasanyfunctionalityrequiredtotriggerelasticchangeswithintheapplication.
Generallyspeaking,it’shardtorecommendanyoftheseasgreatsolutions.Monascashouldbeaslamdunk,butit’sratherenigmaticandCeilometerdoesn’tprovidealotofflexibilitywhencomparedtosystemslikeSensuandNagios.Meanwhile,theexternalsolutionsbothoffergoodusability,butaren’tnativelyintegratedwithOpenStack.Addingthesetoourdemoapplicationforexample,wouldmeandeployingandconfiguringthecentralserversandclientsaswell.
Ceilometeralerts,though,arefairlywelldocumentedandcanbeconfiguredandusedwithinHeattemplatestoenablesomelevelofelasticity.Forthatreasonaloneit’sthebestchoiceforthedemoapplication.Inarealworldscenarioyouwouldwanttoseeperformancegraphs,andbeabletologandalertyourteammemberstospecificapprelatedmetrics(suchasthenumberofconnectionsorsessioncounts).Asafreesolution,Sensuisprobablyagreatplacetostartifyouneedtopushbeyondwhatwillbedemonstratedhere.
ELASTICITYAsmentionedinChapter5,elasticityistheideathatapplicationscanprogrammaticallyshrinkandgrowtomatchload.Inanon-cloudscenario,thesizeand/ornumberofserversdeployedaregenerallydeterminedbythemaximumcapacityyouwanttoaccommodate.Inanelasticcloudapp,thesizeand/ornumberofserversshouldideallybetheminimumrequiredtoaccommodatethecurrentload,andgrowtothemaximumthatcanbeaffordedasloadincreases.Thisisslightlydifferentthanscalability,whichissimplyanapplicationscapacitytogrow.
Theprimarymotivationbehindelasticityisthatusingtheabsoluteminimumcomputingunitsneededatanypointintimecanleadtogreatsavingsatscale.Evenifyouaren’tpayingbytheserveratahostedsolution,beingabletoscaleuponlytheapplicationsthatneeditatanytimecanleadtodrasticallysmallerserverrooms.
Thereareotherbenefitsaswell,though,beyondcostsavings.Elasticityandresiliencyareveryintertwined.Insteadofdealingwithdowntimeonanapplicationthatisgettingtoomuchtraffic,elasticapplicationsautomaticallygrowtomeetdemandandstayalive.Theycanalsobeforcedscaleupinorderhandlehardwareandnetworkfailuresevenintimesoflow/moderatetraffic.Usingconceptslikeanti-affinity(basicallyusingserversindifferentracks)anelasticappisalsoeasiertokeeprunningwhileapplyingpatches,orwhenservicinghardware.Additionalsetsofserverscanbemadeavailabletousewhilesetsofthemaretakendownformaintenance.
Ofcourse,noteverythingneedstobeelastic.
MakingSureYouNeedScaling/ElasticitySomethingyouwon’thearmuchofisthatnotallapplicationsneedtoscale.Notscalingisn’tinteresting.Notscalingisn’tcool.Notscalingwon’twinyouanyawards.However,ifyoucanavoidscaling,thenyoucanfocusyoureffortselsewhereandgreatlysimplifyyourdeployment.Someexamplesofapplicationsorenvironmentsthatmaynotneedtoscale:
Intranetwebsites:Theseseelimitedtrafficanddowntimedoesn’taffectcustomers.
Postprocessingsystems:Systemsthatanalyzedataorcrunchnumberscanbenefitfromscalingupandgoingfaster,butifit’snotmissioncriticalandyoucanwaitfortheresult,thenfasterresultsaren’talwaysworththeeffort.
Single/FixedServerApplications:Generallyspeaking,thereisstillplentyofsoftwareonlyrunswellonbig,fast,stablehardwareandcanprovidespeedbenefitswhenextramemory/processorispresent.Iftherequirementsofyourapplicationwon’tallowfordistributedcomputingacrossmultipleservers,and
itcansoakupasmanyresourcesasyoucangiveit,thengoasbigasyoucanonasingleinstanceandmoveon.
Evenifyourapplication,oragiventierofyourapplication,doesnotfitintooneofthesecategoriesandyouwantittoscale,thisdoesnotmeanitneedstobeelastic.Elasticityisgreatforcostsavingsandcanallowyourapplicationtogrowrapidlywithoutyourintervention,butthatisnotalwaysdesirableornecessary.Elasticityaddsyetanotherlayertoanalreadycomplicatedlistoftechnologiesandtakestimeandenergytoimplementandperfect.Somesituationsthatmaynotbeappropriateforelasticityinclude:
Anythingthatreceivesmanictrafficpatterns:Spinningupnewserversisfast,butevenwhenusingcontainersthereissomelatency.Thesamecanbesaidaboutspinningthemdown.Loadbalancingchangesandconfigurationupdatescanalsotaketimetocomplete.Ifyouhavetodealwithquick,massivefluctuationsintraffic,it’sbesttosimplyplanformaximumcapacityandletitrun24/7.
Whenworkingwithnobudget:Ifyou’reluckyenoughtohavenobudgetthenit’sonelessthingonthetodolist.Simplyscaleupbeyondanythingreasonableandaddmorecomputeifthingsevergetclosetomaxcapacityandrunwithabigmarginoferroratalltimes.
Whenworkingwithfixedbudgets:It’sunnecessarytogrowanapplicationifthereisnobudgettopayforadditionalservers.It’salsounfortunatelycommontoloosebudgetiflessserversareusedforagivenperiodoftime.Ifyouabsolutelyneedfixedcostsforfixedperiodsoftime,thenascalablebutnon-elasticapplicationisareasonablewaytogo.Youcanjustscalethingsmanuallyeachquarterorwhenthebudgetchanges.
Whenathereisanon-elasticbottleneck:Thereisnopointinquicklyscalingyourappupanddowntohandletrafficifanexternalfactorlimitstheutilityinthis.Ifyourapplicationhasanon-elasticthrottlethenconsiderscalingmanuallytomatchthis.
Intheend,ifit’spossibletoscaleyourapplication,it’sworthconsideringdoingso,anddoingsoprogrammaticallyinanelasticfashionaspartofyourdeployment.Ifyouwanttoseeallthebenefitsfromaclouddeployment,thenthisisallbutmandatory.Bothyourcustomapplications,aswellasmanyofftheshelfsystemscangainspeed,resilience,andcostsavingsifyoudo.
Lookingonceagainatourdemoapplication,it’seasytoseethattheuserfacingwebtieraswellastheResttiercouldbothbenefitfromelasticscaling.Thedatabaselayerthoughisn’tquiteasscalableandwouldnotimmediatelybenefitinperformancefromadditionalservers.It’salsonotatrivialprocesstoaddaservertoanexistingGalreaclusterasthereplicationcantakealongtimetocatchup.Sothisisgoodexampleofanapplicationthatisentirelyscalable,butonlybenefitsfromelasticityonseveralofthecomponents.
ScriptingVerticalVersusHorizontalScalingBeforeyoucanaddelasticitytoanapplication,itmustfirstbescalable.Beforeyoucanscale,youmustfirstdeterminethetypeofscalingyouwanttouse.Thesimplestformofthisisjusttoincreasethesizeoftheserversinvolved,addingmoreCPU,Ram,orDisk(dependingontheapplication).Thisiscalledverticalscaling,andcanbeappliedtoalmostanyapplicationrightoutofthebox.
BylettingyoudefinetheFlavor(size)ofanygiveninstancewhenyouprovisiontheserver,OpensStackmakesverticalscalingrathereasy.It’sworthnotingthatnotallOpenStacksetupswillletyouincreasethesizeofanexistingserver,anditisalmostalwaysnecessarytocreateanewinstanceifthedesiredsizeissmaller.Aslongasyourdeploymentisscriptedthough,itshouldn’tbehardtocreateandconfigureanewserver.
Imagineyouwereusingthefollowingheattemplate:
heat_template_version:2014-10-16
description:Simpletemplatetodeployasinglecomputeinstance
parameters:
flavor_size:
type:string
label:FlavorSize
description:Thesizefotheflavortobeused
resources:
web_server:
type:OS::Nova::Server
properties:
image:CentOS6_64
flavor:{get_param:flavor_size}
Savingthefiletotest.yamlandrunningthefollowingcommandwouldcreatethesmallestserverpossible:
$heatstack-createtest_stack-ftest.yaml-P"flavor_size=m1.tiny"
Toscalethisverticallytoalargerinstanceyoucouldsimplycall:
$heatstack-updatetest_stack-ftest.yaml-P"flavor_size=m1.large"
HeatwouldthenhandlethecallintoNovatoincreasethesizeofthisinstanceandyourapplicationwouldhavethatmuchmorehorsepowertorunwith.Horizontalscalingisalittlemorecomplicated.
Horizontalscalinginvolvesaddingextraserverstoanapplication,usuallybehindaloadbalancerthathandlestheinitialrequestandroutesittoanindividualinstance.Thiscanaddthecomplexityofprovisioningandconfiguringtheloadbalanceraspartofyourdeployment,butscalinganapplicationhorizontallyusuallyprovidesmuchgreatercapacity.It’snotuncommontorunhundredsofserversdedicatedtoaspecificpurposeinahorizontallyscaledapplication.Thelimitofaverticallyscaledapplicationmeanwhileisthemaximumsizeofasingle
instance/flavor.Verticallyscaledapplicationsalsomissoutontheresiliencyandmaintainabilityaddedbytheextraserversinvolved.
InChapter5wedeterminedthatboththewebtier,aswellastheAPItier,shouldbothusehorizontalscaling.Itwillprovidemuchgreatercapacity,andtheapplicationwillbenefitfromtheaddedresiliencythattheseparateserversprovide.Thatbeingsaid,it’sworthnotingthatmostofthetechniquesthatfollowcanalsobeappliedtoscalinginalimitedverticalfashion.Afterall,throwinghardwareattheproblemissometimesthefastestsolution.
LoadBalancingRevisitedChapter5discussesloadbalancingindepth.HardwaresolutionssuchasA10,softwaresolutionssuchasHAProxy,andloadbalancingasaservice(LBAAS)thoughNeutronarealloptions.Yourchoicehereaswellwillgreatlyaffectyourdeploymentsolution.
MostofthesesolutionshaveAPIsthatcanbetappedintobyeithertheorchestrationorconfigurationmanagementsolutions.Aswhenusingthirdpartysolutionsformonitoring,itmayalsobenecessarytoincludetheprovisioningandconfigurationofyourloadbalanceraspartofyourdeployment.HAProxysolutionsoftenlooklikethis,astheproxyservercansimplybeanotherVMwithinanOpenStackproject.
IfLBAASisavailableandfunctioningcorrectlyinyourOpenStackinstallation,itisagreatoption.ItiseasilyconfigurableviaHeat,and/orcanbetappeddirectlyviatheNeutronAPI.Thisisstillrelativelyimmaturetechnologythough,andformanypeople,hardwareorsoftwaresolutionsaretheonlyoption.
ThedeploymentofourdemoapplicationwillfocusonLBAASandNeutron.Astimegoeson,thissolutionisonlygoingtogetbetterandbemorewidelyavailable.Inthemeantime,ifforanyreasonyouneedtocreateyourownsolution,HAProxyisadecentchoice.Itdoesexposeasinglepointoffailure,asitgenerallyexistsonsinglemachine,butitisavailabletoeveryoneforfree,anditmakestheautomaticadditionorremovalofserversrelativelyeasy.
AnearlyinfiniteamountofinformationonhowtoinstallandconfigureHAProxyisavailableathttp://www.haproxy.org/.Assumingthatitisalreadydeployedandconfigured,thefollowingNode.jsscriptdemonstratesabasicauto-updateconceptthatcouldeliminatetheneedtoupdateyourloadbalanceraspartofyourdeployment:
#!/usr/bin/envnode
varHAProxy=require("haproxy");
varOSWrap=require("openstack-wrapper");
varFS=require("fs");
varuser='my_username';
varpass='my_password';
varpid='my_project_id';
varkurl='keystone_url';
varproxy_cfg='/etc/haproxy/haproxy.cfg';
varhaproxy=newHAProxy('optional/socket/path.sock',{});
OSWrap.getSimpleProject(user,pass,pid,kurl,function(error,project){
if(error){console.error(error);return;}
project.nova.listServers(error,server_array){
if(error){console.error(error);return;}
FS.writeFileSync('/etc/haproxy/haproxy.cfg','
listenapp*:80\n
modehttp\n
balanceroundrobin\n
optionhttpclose\n','utf8');
varip='';
for(vari=0;i<server_array.length;i++)
{
//assumingonlyonenetworkandafixedip
foreach(networkinserver_array[i].addresses)
{ip=network[0].addr;break;}
FS.appendFileSync(proxy_cfg,'server'+i+''+ip+':80\n','utf8');
}
haproxy.reload(function(error){
if(error){console.log(error);return;}
});
});
});
InstallingthisasacronjobontheproxyserverwouldcauseittocontactyourOpenStackinstallationeveryXminutes,retrievealistofservers,writethemtotheconfigurationfile,andhotreloadtheproxywiththenewconfigurationfile.
Withthedecisiononloadbalancingoutoftheway,andeitherhandledviaLBAAS/NeutronorautomaticallyviaHAProxy,wecanmoveforwardandlookmorecloselyatsomeoptionsforprogrammaticallyscalingourapplication.
ScalingwithHeatandResourceGroupsAsopposedtodefiningeveryserverasanindividualentry,HeattemplatesallowyoutospecifyaResourceGroupandthenumberofduplicatesthatyouwouldlikeofthatresource.ReworkingourHeattemplatefromearlier,weget:
heat_template_version:2014-10-16
description:Templatetomulitpleserversofthesamekind
parameters:
server_count:
type:number
label:ServerCount
description:Thenumberofserversdodeploy
resources:
tiny_cluster:
type:OS::Heat::ResourceGroup
properties:
count:{get_param:server_count}
resource_def:
type:OS::Nova::Server
properties:
image:CentOS6_64
flavor:m1.tiny
user_data_format:RAW
user_data:
runcmd:
-yuminstall–qygit
-yuminstall–qynpm
-gitclonehttps:/github.com/folder/package.git/var/usr/share/app
-node/usr/share/app/server.js
-echo"Youjustinstalledandstartedanodeapp!"
Savingthefiletogroup.yamlandrunningthefollowingcommandwouldcreatethesmallestserverpossible:
$heatstack-creategroup_stack-fgroup.yaml-P"server_count=2"
Toincreasethenumberofserversinthisstacktofouryoucouldcall:
$heatstack-updategroup_stack-fgroup.yaml-P"server_count=4"
Usingthistechnique,differenttypesofResourceGroupscanbedefinedforeachtierofthedemoapplicationandeachResourceGroupcanbescaledindependently.Thisconceptprovidesadeploymentsolutionthatcoverseverythingexceptloadbalancing,monitoring,andelasticity.ThesethingshavebeenleftoutbecauseitisquitepossibleoneormoreoftheminyourapplicationwillhavetobehandledoutsidetherealmofOpenStack.Thegoodnewsisthatifyoufindyourselfinthissituation,HeatandResourceGroupscanstillbeusedinthisfashionaspartofabroaderdeploymentscript.Theothertechnologiesdiscussedinthischapter,suchasanexternalA10,canthenbeincludedinthatscripttofilloutthedeploymentsolution.
Ifyouareluckythough,andLBAASthroughNeutronisavailablealongwithCeilometeralerts,youhaveacompletedeploymentsolutionforelasticscalingthatfitsneatlywithinaHeattemplate.
PuttingItAllTogetherwithHeat,Ceilometer,andAutoScalingGroupsBeforewegointothefinalexampleanddemonstrateacompletesolutionfordeployinganelasticapplication,let’sreviewthechoicesthathavebeenmadeinthischapterregardinghowthedemoapplicationwillbedeployed.
Virtualization—VirtualMachinesforallthreetiers
Orchestration—Heat
ConfigurationManagement—Cloud-Init/user_data
Monitoring—Ceilometer
Scaling—Horizontalforallthreetiers
Elasticity—ViableforthewebandAPItiers
LoadBalancing—Neutron/LBAAS
Withthatinmindlet’slookatanotherexample.Thisonewillconsistoftwodifferentfiles.Thefirst,willdescribeasingleserverasaresource.Forthesecond,aparentfilewillusethisresourceaspartofanauto-scalinggroup:
heat_template_version:2014-10-16
description:SimpleWebServer+LoadBalancerMember
parameters:
network:
type:string
description:thenetworkalloftheserverswilluse
pool_id:
type:string
description:theloadbalancerpool
parent_stack_id:
type:string
description:theIDofthecallingstack
resources:
server:
type:OS::Nova::Server
properties:
flavor:m1.tiny
image:cirros-0.3.4-x86_64-uec
metadata:{"metering.stack":{get_param:parent_stack_id}}
networks:[{network:{get_param:network}}]
user_data_format:RAW
user_data:|
#!/bin/sh
#AtinyHTTPserverthatrespondswiththeIPaddressoftheserver.
IP='ip-finetaddr|grepinet|grep-v127.0.0.1|awk'{print$2}'
|cut-d/-f1'
LENGTH='echox$IP|wc-c'
cat>/tmp/http-response<<EOF
HTTP/1.0200OK
Content-Type:text/plain
Content-Length:$LENGTH
$IP
EOF
unix2dos/tmp/http-response
nohupnc-p80-s$IP-n-lk-ecat/tmp/http-response&
#now,let'saddsomeloadtotriggerCPUalarms
#findanumberofsecondstoburnbaseduponIPaddress
#thiswaydifferentoneswillburnCPUatdifferenttimes
#60,180,300,420secondsatatime
#thensleep120s
SECONDS='echo$IP|awk-F.'{print60+$4%4*120}''
cat>/tmp/load.sh<<EOF
#!/bin/sh
while[1]
do
if["0"-eq\'echo|awk'{printsystime()%$SECONDS}'\'];then
sleep120
fi
done
EOF
chmod777/tmp/load.sh
#cirrosdoessomethingweirdto/bin/shsoweneedsomethingelseto
runus
#later-andthereisno"at"
nohupwatch-t/tmp/load.sh&
member:
type:OS::Neutron::PoolMember
properties:
pool_id:{get_param:pool_id}
address:{get_attr:[server,first_address]}
protocol_port:80
Let’scallthisfileweb-server.yaml.Lookingatitbriefly,ittakesparametersthatdescribewhichnetworkandloadbalancingpooltouseaswellasaparametertodefinetheparentstackthisserverwillexiston.Alloftheseparameterswillactuallybesuppliedbytheparenttemplate,whichwewilllookatmomentarily.Firstthough,it’simportanttogooverwhat’sbeingconfiguredinuser_data.AspartoftheCloud-Init,thisserverwillbeconfiguredtorunalittleHTTPservicethatjustreturnstheprivateIPoftheinstance.So,whenyoucallfromtheloadbalancerVIP,youcanseewhichinstancehandledtherequest.EachinstancealsorunsabackgroundprocessthatalternatelyburnsCPUforanywherefrom60-480seconds,dependingonitsIPaddress,andthensleepsfor120seconds.Thissimulatesloadandtriggerstheelasticscalingupanddown.
Asforthemain/parentheattemplate,thatwouldlooksomethinglikethis:
heat_template_version:2014-10-16
description:AutoScalingWebApplication
parameters:
network:
type:string
description:thenetworkalloftheserverswilluse
subnet_id:
type:string
description:theloadbalancersubnet
external_network_id:
type:string
description:theUUIDoftheexternalNeutronnetwork
resources:
web_server_group:
type:OS::Heat::AutoScalingGroup
properties:
min_size:2
max_size:5
resource:
type:web-server.yaml
properties:
pool_id:{get_resource:pool}
network:{get_param:network}
parent_stack_id:{get_param:"OS::stack_id"}
scaleup_policy:
type:OS::Heat::ScalingPolicy
properties:
adjustment_type:change_in_capacity
auto_scaling_group_id:{get_resource:web_server_group}
cooldown:30
scaling_adjustment:1
scaledown_policy:
type:OS::Heat::ScalingPolicy
properties:
adjustment_type:change_in_capacity
auto_scaling_group_id:{get_resource:web_server_group}
cooldown:30
scaling_adjustment:-1
cpu_alarm_high:
type:OS::Ceilometer::Alarm
properties:
description:IftheavgCPU>40%for30secondsthenscaleup
meter_name:cpu_util
statistic:avg
period:30
evaluation_periods:1
threshold:40
alarm_actions:
-{get_attr:[scaleup_policy,alarm_url]}
matching_metadata:{'metadata.user_metadata.stack':{get_param:
"OS::stack_id"}}
comparison_operator:gt
cpu_alarm_low:
type:OS::Ceilometer::Alarm
properties:
description:IftheavgCPU<15%for90secondsthenscaledown
meter_name:cpu_util
statistic:avg
period:90
evaluation_periods:1
threshold:15
alarm_actions:
-{get_attr:[scaledown_policy,alarm_url]}
matching_metadata:{'metadata.user_metadata.stack':{get_param:
"OS::stack_id"}}
comparison_operator:lt
monitor:
type:OS::Neutron::HealthMonitor
properties:
type:TCP
delay:5
max_retries:5
timeout:5
pool:
type:OS::Neutron::Pool
properties:
protocol:HTTP
monitors:[{get_resource:monitor}]
subnet_id:{get_param:subnet_id}
lb_method:ROUND_ROBIN
vip:
protocol_port:80
lb:
type:OS::Neutron::LoadBalancer
properties:
protocol_port:80
pool_id:{get_resource:pool}
lb_floating:
type:OS::Neutron::FloatingIP
properties:
floating_network_id:{get_param:external_network_id}
port_id:{get_attr:[pool,vip,port_id]}
outputs:
scale_up_url:
description:>
Invokethescale-upoperationbydoinganHTTPPOSTtothis
URL;
value:{get_attr:[scaleup_policy,alarm_url]}
scale_dn_url:
description:>
Invokethescale-downoperationbydoinganHTTPPOSTto
thisURL;
value:{get_attr:[scaledown_policy,alarm_url]}
pool_ip_address:
value:{get_attr:[pool,vip,address]}
description:TheIPaddressoftheloadbalancingpool
website_url:
value:
str_replace:
template:http://host/
params:
host:{get_attr:[lb_floating,floating_ip_address]}
description:>
ThisURListhe"external"loadbalancedurl
Let’scallthisfilefinal.yaml.Itcontainsallofthenecessaryinstructionstocreatemultipleserversasdefinedbytheweb-server.yamlfile.Itwillmaintainaminimumoftwooftheseservers,andscaleuptoamaximumoffiveasdefinedbytheminandmaxsizeoftheauto-scalinggroup.ItalsoimplementstheCeilometeralarmsthattriggerscalingupwhenaCPUaveragegoesabove40percentfor30seconds,triggerscalingdownwhenCPUaveragegoesbelow15percentfor90seconds,andappliesthesealarmstothesevergroupaspolicies.
Tocreate/updateastackwiththistemplateyouwouldfirstneedtomanuallycreateanetwork,subnet,androuterfortheservers/loadbalancer.Youwouldthenpassthesevaluesinasparameterslikethis:
$heatstack-create-ffinal.yaml-P"network=web-net;subnet_id=$subnet_id;
external_network_id=$public_net_id"autoscale;
Thatshouldoutputanumberofthingsincludingthewebaddressoftheloadbalancerthatwillroundrobintothetwowebservers.HittingthatURLrepeatedlyshoulddisplaythevariousIPaddressesoftheprovisionedserversinroundrobinfashion.Afterashortperiodoftime,newserversshouldbeaddedandnewaddresseswillappear,thenasloaddecreasestheyshoulddisappear.Ifyouwanttotrythisforyourself,thesetemplatesalongwithascripttocreatethenecessarynetworksareavailableinthefinal_deploymentfolderoftheGitHubrepoforthisbookat:https://github.com/johnbelamaric/openstack-appdev-book.
Tousethismethodtodeployourdemoapplication,wewoulduseacombinationoftwoAutoScalingGroups(oneforthewebandonefortheAPItier),andaResourceGroupfortheMySQLtier.Theuser_dataportionofeachgroupwouldthencontaintheconfigurationcommandsforthatservertypeandeachgroupcouldbescaledindependently.Scriptslikethisgenerallytakealotlongertocreatethanitwouldtomanuallyprovisionandconfigureanenvironmentonetime.Hopefullythough,youcannowseetheadvantagehereofbeingabletoprogrammaticallyrecreateeverythinganapplicationneedsatthepushofabutton.Ifaprojectwastobewipedout,oradev/testareaneeded,anotherenvironmentcouldbeinstantlycreatedandputtowork.
Thisisnotaonesizefitsallsolution.Thechoicesmadewereallbasedonpersonalpreference,easeofuse,andtherequirementsofthedemoapplicationandenvironment.Therearemanyotheroptions,andwhendeployingyourowncloudapplication,yourfinalsolutionwilllikelyinvolvedifferentchoicesandlookvastlydifferent.Thisistobeexpected.Hopefullythough,younowhavethebasicknowledgeandskillstomakethosechoices,andscriptthedeploymentofyourowncloudbasedapplication.
UPDATINGANDPATCHINGTherearetimeswhenyouwilldeployanapplicationandyourworkisessentiallydone.Applicationswilloftenkeepthemselvesuptodateviaautomaticupdate.Modernbrowsersareagoodexampleofthis.Manyofthemsimplycheckforanupdateonstartup,downloadthepatchandapplyitbeforestarting.Oftenthough,applicationshaveanumberofcomponentsthatneedtobemanuallyupdatedquitefrequently.ThejQuerylibrarywithinmanywebbasedapplicationisagoodexampleofthis.Theserversthemselvesmayalsoneedtobepatched.Securityupdatesforexploits,andfixesthatimproveperformancearebothcommonplaceinanycompany.
Atfirst,itmayseemlikethetraditionalmethodsshouldsimplybeemployedhere,andtheycanbe.Manuallyupdating,andrebootingserverswilldefinitelypatchthem.Anystandardmethodologyforpromotingcodechangeswillalsowork.Oncedeployed,anOpenStackbackedapplicationiscomparableforthemostparttoonelivinginahardwareonlyworld.
Theminimalcostofdeployingnewservers,though,andtheabilitytoprogrammaticallyscriptnetworkingallowsforsomeuniquewayshandleon-goingmaintenance.
PatchingOptionsIfyouworkwithinalargercorporatestructure,it’slikelythatsomekindofpatchingmechanismalreadyexistsforyou.Allowingevenafewmachinesonanetworktobecompromisedduetomissingsecurityupdatesisarealworldproblem.Evenifyouareinthissituationhowever,it’sunlikelythatallofyourpatchingwillbetakencareofbythismeans.Patchesforspecializedsoftwareforyourapplicationandupdatesthatdon’taddressaperformanceorsecurityissueareoftenstilltheresponsibilityofdevops.
Oneoptionforpatchingdependsonyourconfigurationmanagementchoice.IfyouoptedtousethirdpartytoolslikePuppetorChef,theircentralizedadministrativefeaturescanmakepatchingabreeze.Theybothallowforscheduledupdates,andaswasmentionedearlier,remoteexecution.Ifyoudesignedyourapplicationwithmultipleregionsormultipleload-balancedclustersasdiscussedinChapter5,itshouldbeasimplemattertopatch/rebootoneregion/clusteratatimeandavoidanydowntime.
Ansible’sremoteexecutionabilitycanbeasolidsolutionhereaswell.Yourapplicationwilllikelycontainmanysmallservers.YoucangrouptheseintoarbitrarysetsinanAnsibleconfigurationfileandthenexecuteupdatecommandsononegroupatatime.Thisisagoodwaytoavoidbothdowntimeandtheneedtore-provisionalltogether.
OpenStackdoesn’tprovideanyspecificfirstpartytoolsforpatching.Instead,thecomponentswehavealreadydiscussedcanbeusedandGlance/Imagesare
anothercommonavenueforpatching.Thoughstillnotrecommendedasacompletesolution,updatedimagesarefrequentlyavailableandcanbeusedtohandlebasicOSupdates.Tobringasystemtocompliance,anapplicationcansimplybere-deployedinpartorintotalwiththesenewimages.
ThiswouldbeagreatreasontoincludetheimageasaparameterinyourHeattemplate.Runningthefollowingcommandcouldthenupdatealloftheserverswiththisnewimage:
$heatstack-updatetest_stack-ftest.yaml-P"image=CentOS64-Update2"
Ofcoursethismayre-provisionallofyourserversatonce,soevenifyoudon’thavemultiplelogicalclusters,itmightbeusefultosplityourserversintodifferentResourceGroupssolelyforpatchingpurposes.Thiswayit’spossibletochangetheimageonjustonegroupatatime:
$heatstack-updatetest_stack-ftest.yaml-P"group1_image=CentOS
64-Update2;group2_image=CentOS64-Update3"
CI/CDinanOpenStackWorldNomoderntextfordevelopers(ordevops)wouldbecompletewithoutatleastsomementionofagilemethodology.Itstenantsarepervasiveinthemodernworkplaceandtechnicalcommunity.Theneedtofrequentlyreleaseupdates,toA/Btest,andtoprogrammaticallytestthecodebaseofanapplicationaspartofadeploymentareallchallengingaspectsofCI/CD(ContinuousIntegration/ContinuousDelivery)andagilephilosophyinanytypeofenvironment.Fortunately,withOpenStack,yourdeploymentsolutioncanactuallyprovidesomeuniquesolutionstothesechallenges.Let’slookattheseoneatatime.
Thefirstrequirementhereisforfrequentreleases.Ifyouaremigratinganapplicationtothecloud,theninalllikelihoodyourcurrentmechanismforupdatingproductioncodewillcontinuetowork.Thiscanbehandledinallofthesamemannersdiscussedpreviouslyforpatching.Onceanapplicationhaspassedallofitstests,itisajustamatterofcontactinganyofOpenStack’sAPIssuchasHeatorNovatoprovisionnewserversandteardowntheoldones.Ifcontainersareyourvirtualizationtechnologyofchoice,youwillalmostcertainlybedeployingallofyourchangesinthismanner.Ifnot,thenAnsibleorsimilartechnologycanalsobeusedremotelyexecutecommandsonbatchesofserverstoupdatecodefromacentralrepository.
OpenStackpresentsthenextchallengewithmoreintriguingsolutions.TheneedtoA/Btestcanbeintegraltomakinginformedchoicesinanapplication’sevolution.Traditionalmethodsofhandlingthisincludebuckets,whereanapplicationrunsseveraldifferentversionsonthesamemachine,orcodebasedsolutionsthatprogrammaticallypresentdifferentoptionstodifferentusers.Theabilitytoactuallyduplicateportionsofyourproductionenvironment,however,
canallowyoutoquicklydeploymultipleversionsoftheapplicationsimultaneously.ThisprovidesacompleteseparationofthecodebaseAfromcodebaseB,allowingperformancecomparisonsandpreventingonecodebasefromcrashingtheother.Oncethetestisconcluded,AorBcanthenbetorndownandthoseresourcesdedicatedtootherprojects.
Thelastitem,applicationtesting,whichusuallyincludesunitaswellasfunctionaltests,alsohassomeuniquesolutionsinacloud-basedworld.Unittestscanberunjustaboutanywhere,butfunctionaltestsoftenrequireafullyfunctionalenvironment.Thisisanotheropportunitytouseyourdeploymentscripttocreateanotherworkingenvironmenttorunthesetestsin.It’sreasonabletopictureasystemwhereacommithooksetsoffacalltocreateanenvironment,testsarerun,resultsarepublished,andtheenvironmentisthentorndown.Usingyourdeploymentscript,template,orwhatevertechnologychosen,ensuresthatthistestenvironmentcanperfectlymimictheproductionenvironmentandisneveraffectedbyprevioustests.It’sevenpossibleinthisscenarioformultipletestenvironmentstoberunningmultipleversionsoftheapplicationanditstests,asopposedtowaitinginaqueueforasinglededicatedtestenvironment.
Ingeneral,OpenStackshouldmakebothCI/CDandpatchingmucheasier,oratleastpresentawholehostofsolutionsthatwereunavailablebefore.Manyofthesesolutionsaren’tspecifictoOpenStackandareavailablewithinanycloudenvironment.However,yourdeploymentsolutionwilllikelybeveryOpenStackspecific,andwillimpacthowyougoaboutpatchingandupdatingyourapplication/environment.Itisforthatreasonthatthischapterisconcludedwiththisdiscussiononmaintenance.Itisonelastthingtoconsiderbeforesettlingonafinaldeploymentsolution.
SUMMARYIfyouhavebeenintheroleofadeveloperorasystemadministrator,makingallofthenecessarychoicesandscriptingthemcanbeabigshift.Bridgingthesetwoworldscomeswithalotofbenefitthough,anditislikelytobethewaythingsmovegoingforward,sincethesebenefitsoftenariseintheformofhugecostsavings.Thereiscurrentdemandfordevopsexpertiseforthisreason.Whilethedeploymentofcontainersandthird-partydevelopmentwillcontinuetoevolve,thefundamentalconceptofprovisioningyourhardwareandnetworking,alongwithyoursoftware,isheretostayinoneformoranother.ThefactthatOpenStacktriestoprovideanopen-endedplatformfortheseconceptstoflourish,makesitagreatchoiceregardlessofwhichtechnologiesendupwinningintheend.
BOOKWRAPUPInthisbookwehavediscussedexactlywhatOpenStackisandwhatitprovides.ThevariouscomponentsandprojectsthatcomprisethebulkofOpenStackhavebeendescribed.Examplesofhowtocreateandimproveapplicationsusingsomeoftheuniqueaspectsofthecloudhavebeencovered.Wehavealsoprovidedoptionsfordeployingandmaintainingtheseapplications,allofwhichwillhelpyougetstartedusingOpenStack.
OneofthegreatjoysofworkingwithinanOpenStackbackedenvironmentistheabilitytoexperimentwithoutconsequence.Youcanlockupaserverandrebootitfromawebsitewithoutcallingdowntotheserverroom.Youcanallocateandde-allocateassetslikedrivespace,IPaddressesanddatabaseswithoutthefrustrationofservicetickets.Evenmisconfiguringaservertothepointwhereitisunusable,canbefixedbydeletingandre-provisioningitinseconds.Thiskindofself-serviceinfrastructureisattheheartofthedevopsmovementandmakeslearningOpenStackfunandexciting.Itcanalsomakeitalittleoverwhelming.
ThesheerbreadthofwhatcanbeaccomplishedusingOpenStackisabitdaunting.It’smorethanjustanotherprogramtouseoranotherlanguagewithyetanotherwayofwritingifthenstatements.OpenStackandothercloud-basedsolutionsrepresentafundamentalshiftinhowthewebiscreated,andhowmodernweb-basedapplicationsaredesigned.Itrequiresacompletelynewskillsetaswellastheabilitytothinkofpreviouslyphysicalobjectslikeservers,andnetworkingequipmentasobjectsinasoftwareprogram.Eventhenamesofthesethingsthemselvescangetoverwhelming.SortingouttheNova’s,Neutrons,Kilos,andKubernetestakesbothtimeanddedicationaswellassomeinterestinthesubject.
Forsome,thismaycomenaturally,butformostofusittakesalotofexperimentation,failure,andwell…morefailure.Masterycomeswithitsownrewards,andinthecaseofOpenStack,itcanallowyoutodothingsthatyouhavewantedtodoforyearsandgiveyoucontroloveryourenvironmentinawaythatyouhaveneverhadbefore.
Inadditiontothisbook,thereareanumberofresourcestohelpyougainthismastery.Firstandforemost,thewebisfulloftutorials,blogs,andAPIdocumentationforOpenStack.Somesitesyoumightfindusefulinyourjourney:
https://www.openstack.org/:ThecentralhubforallthingsOpenStack,andworthexploringevenifyou’renotlookingforananswertoaspecificquestion.
http://developer.openstack.org/api-ref.html:OneofseveralAPIreferencesavailable.Italwaysseemstobemissingafewthings,butisupdatedfrequentlyandisprobablyyourbestbetforAPIdocumentationandexamples.
https://developer.rackspace.com/blog/:RackspacecontinuestoprovidegreatuptodatetutorialsandinterestingdiscussionsonalltopicsOpenStack.
https://wiki.openstack.org:Coversgreatdescriptionsofallofthemajor
projects,andisagoodplacetostartifyouwanttodigdeeperintoanyindividualcomponent.
Ifyouwanttogobeyondtheweb,moreandmoreclassesandphysicalworldresourcesarebecomingavailableasOpenStackadoptionincreases.AnothermajoravenuetoincreaseyourOpenStackknowledgeandexpertisemightbeoneofthesemi-annualconferencesheldallovertheworld.Youcanseewherethesearebeingheldat:https://www.openstack.org/summit/.
SharingyourexperienceswithOpenStackandparticipatinginthecommunityisalsoagreatgatewayofactuallycontributingtoOpenStack.Thiscanbeassimpleasprovidingdocumentationonamissingmethodorvalue,orascomplexasprovidingapatchforthenextmajorrelease.Exactlyhowmuchyouwanttogetinvolvedisuptoyou,butdoingsocanberewardingandisanexcitingpartofwhatitmeanstoutilizeopensourcesoftware.
Intheend,OpenStackisaboutchoice:thechoiceofhowtoimplementit,thechoiceofhowtouseit,andthechoiceofhowtoparticipateinitslifecycle.This,morethananythingelse,iswhatmakesOpenStackauniqueofferinginasurprisinglycrowdedfield.NowgoanduseOpenStacktobuildthenextgreatsuccessstory!
OpenStack®CloudApplicationDevelopment
ScottAdkinsJohnBelamaricVincentGierschDenysMakogonJasonRobinson
OpenStack®CloudApplicationDevelopment
PublishedbyJohnWiley&Sons,Inc.10475CrosspointBoulevardIndianapolis,IN46256www.wiley.com
Copyright©2016byJohnWiley&Sons,Inc.,Indianapolis,Indiana
PublishedsimultaneouslyinCanada
ISBN:978-1-119-19431-6
ISBN:978-1-119-23964-2(ebk)
ISBN:978-1-119-19434-7(ebk)
Nopartofthispublicationmaybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,electronic,mechanical,photocopying,recording,scanningorotherwise,exceptaspermittedunderSections107or108ofthe1976UnitedStatesCopyrightAct,withouteitherthepriorwrittenpermissionofthePublisher,orauthorizationthroughpaymentoftheappropriateper-copyfeetotheCopyrightClearanceCenter,222RosewoodDrive,Danvers,MA01923,(978)750-8400,fax(978)646-8600.RequeststothePublisherforpermissionshouldbeaddressedtothePermissionsDepartment,JohnWiley&Sons,Inc.,111RiverStreet,Hoboken,NJ07030,(201)748-6011,fax(201)748-6008,oronlineathttp://www.wiley.com/go/permissions.
LimitofLiability/DisclaimerofWarranty:Thepublisherandtheauthormakenorepresentationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisworkandspecificallydisclaimallwarranties,includingwithoutlimitationwarrantiesoffitnessforaparticularpurpose.Nowarrantymaybecreatedorextendedbysalesorpromotionalmaterials.Theadviceandstrategiescontainedhereinmaynotbesuitableforeverysituation.Thisworkissoldwiththeunderstandingthatthepublisherisnotengagedinrenderinglegal,accounting,orotherprofessionalservices.Ifprofessionalassistanceisrequired,theservicesofacompetentprofessionalpersonshouldbesought.Neitherthepublishernortheauthorshallbeliablefordamagesarisingherefrom.ThefactthatanorganizationorWebsiteisreferredtointhisworkasacitationand/orapotentialsourceoffurtherinformationdoesnotmeanthattheauthororthepublisherendorsestheinformationtheorganizationorWebsitemayprovideorrecommendationsitmaymake.Further,readersshouldbeawarethatInternetWebsiteslistedinthisworkmayhavechangedordisappearedbetweenwhenthisworkwaswrittenandwhenitisread.
ForgeneralinformationonourotherproductsandservicespleasecontactourCustomerCareDepartmentwithintheUnitedStatesat(877)762-2974,outsidetheUnitedStatesat(317)572-3993orfax(317)572-4002.
Wileypublishesinavarietyofprintandelectronicformatsandbyprint-on-demand.Somematerialincludedwithstandardprintversionsofthisbookmaynotbeincludedine-booksorinprint-on-demand.IfthisbookreferstomediasuchasaCDorDVDthatisnotincludedintheversionyoupurchased,youmaydownloadthismaterialathttp://booksupport.wiley.com.FormoreinformationaboutWileyproducts,visitwww.wiley.com.
LibraryofCongressControlNumber:2015953113
Trademarks:Wiley,theWileylogo,Wrox,theWroxlogo,ProgrammertoProgrammer,andrelatedtradedressaretrademarksorregisteredtrademarksofJohnWiley&Sons,Inc.and/oritsaffiliates,intheUnitedStatesandothercountries,andmaynotbeusedwithoutwrittenpermission.OpenStackisaregisteredtrademarkofOpenStackFoundation.Allothertrademarksarethepropertyoftheirrespectiveowners.JohnWiley&Sons,Inc.,isnotassociatedwithanyproductorvendormentionedinthisbook.
ABOUTTHEAUTHORS
SCOTTADKINSisatechnicalleadfortheCloudOperationsteamatComcast.HehelpstheteamdeploynewinternalOpenStackenvironments,aswellashelpingonboardotherteamsintothecloud.Inparticular,ScotthelpsnewcomerstothecloudunderstandthepetversuscattlemodelandhowtheirapplicationscanbeadjustedtorunmoreeffectivelyintheOpenStackcloudenvironment.ScotthasbeenaUNIXandLinuxSystemsAdministratorformorethan30years.PriortohisworkatComcast,hewasatechnicalleadatSavvisCommunicationsfortheUNIXteam.ScottlivesinLeesburg,Virginiawithhiswifeandfourchildren.
JOHNBELAMARICisasoftwareandsystemsarchitectwithnearly20yearsofsoftwaredesignanddevelopmentexperience.Hiscurrentfocusisoncloudnetworkautomation.HeisakeyarchitectoftheInfobloxCloudproducts,concentratingonOpenStackintegrationanddevelopment.HebringstothishisexperienceastheleadarchitectfortheInfobloxNetworkAutomationproductline,alongwithawealthofnetworking,networkmanagement,software,andproductdesignknowledge.HeisacontributortoboththeOpenStackNeutronandDesignateprojects.HelivesinBethesda,MarylandwithhiswifeRobinandtwochildren,OwenandAudrey.
VINCENTGIERSCHistheco-founderandCTOofFlat.io,wherehemainlyworksontheautomationofdeploymentandscalingoftheSaaSapplication.Priortothat,attheUniversityofKentandinpartnershipwithJANET,hedesignedandimplementedthesupportoftheIETFABFAB(ApplicationBridgingforFederatedAccessBeyondWeb)inOpenStackKeystonetoprovideanon-webfederatedauthentication.RecentlyheworkedasanR&DPlatformEngineeratOVH.com,developingaDockerhostingplatformbasedonOpenStack.HeisfromNantes,France.
DENYSMAKOGONisadeveloperandsoftwarearchitectofcloudplatforms,mainlyfocusedondevelopinganddesigningplatformandSoftware-as-a-ServiceapplicationsforOpenStack.HeisaleadsoftwaredeveloperforGigaspaces,concentratingonCloudifyproductdevelopmentalongwithbringingwell-designedandproduction-readyintegrationwithVMwarecloudplatforms,includingvCloudAir.HeisacontributortotheOpenStackDBaaSplatformandOpenStackCloudValidationopensourceframework.HelivesinKharkiv,Ukraine.
JASONROBINSONisaseniorplatformdeveloperatGoDaddy.HehelpsteamstransitiontraditionalapplicationstotheirinternalOpenStackcloudwithafocusonorchestrationandresiliency.PriortohisworkwithOpenStack,hewasanarchitectonGoDaddy'scloudstorageproductandaprincipaldeveloperoftheirwebmailoffering.Jasonhasbeenworkingasaprofessionalwebdeveloperfor18years,andinadditiontoservingasaleadengineerfortech-centeredcompanieslikeGoDaddy,Verizon,andGTE,hehasdoneextensiveworkinthefieldsofe-commerce,telemedicine,andstreamingmedia.Whennotpursuingtheperfectlyscalableapplication,Jasonisanavidrunner,maker,amateurphilosopher,andmostrecentlyafather.
ABOUTTHETECHNICALEDITORSCHRISDENT,SeniorSoftwareEngineeratRedHat,primarilyfocusesonimproving,integrating,andtestingOpenStack.PriortoRedHatheworkedasafreelanceconsultantdesigninganddevelopingHTTPAPIsforcollaborativedocumentsystems.
LARSBUTLERisacoreengineerforZeroVMandledtheproject'sminidesignsummitatOpenStackSummitAtlanta.HispreviousF/OSSworkincludesOpenQuakeEngine,ascalabledistributedcalculationengineforcomputingglobalearthquakehazardandrisk,developedincollaborationwiththeSwissSeismologicalService.
JOETALERICO,PerformanceEngineeratRedHat,isaseasonedSeniorComputerEngineerexperiencedinintegratingleadingedgetechnologiesintoexistinginfrastructures.HehasdevelopedsolutionsandautomationframeworksaroundtechnologiesrangingfromCloud,Virtualization,Storage,EndUserComputing,UnifiedCommunications,Datacenter,IPTV,andAndroid.
CREDITSPROJECTEDITORCharlotteKughen
TECHNICALEDITORSChrisDent,LarsButler,JoeTalerico
PRODUCTIONEDITORChristineO'Connor
COPYEDITORChristinaRudloff
MANAGEROFCONTENTDEVELOPMENT&ASSEMBLYMaryBethWakefield
PRODUCTIONMANAGERKathleenWisor
MARKETINGDIRECTORDavidMayhew
PROFESSIONALTECHNOLOGY&STRATEGYDIRECTORBarryPruett
BUSINESSMANAGERAmyKnies
ASSOCIATEPUBLISHERJimMinatel
PROJECTCOORDINATOR,COVERBrentSavage
PROOFREADERChristinaRudloff
INDEXERRobertSwanson
COVERDESIGNERWiley
COVERIMAGEAlexandraLande/Shutterstock
ACKNOWLEDGMENTSIwouldliketothankmywifeandchildrenfortheirpatienceandsupportwhileIworkedonthisproject.IwouldliketoalsothanktheOpenStackcommunityforeverythingtheydotobuilduponandsupporttheopensourcecloud.WithouttheOpenStackcommunity,wewouldnothavethecloudplatformwehavetoday!
—SCOTTADKINS
Iwouldliketothankmywifeandchildrenfortheirsupportandencouragementthroughoutthisproject.
—JOHNBELAMARIC
Iwouldliketothanktheentireteam,whohelpedmetocompletethisprojectandgavetheappropriatelevelofsupport,andmyfamily,whohelpedmetostayfocusedonthisbook.
—DENYSMAKOGON
IwouldliketothankmywifeTarawhotookcareofallofuswhileIwasworkingonthisbook,mybrotherforgivingmemyfirstcomputerand,ofcourse,myparents,whosupportedmeevenwhenIdecidedtopursueaphilosophydegree(everyparent'sworstnightmare).
—JASONROBINSON
WILEYENDUSERLICENSEAGREEMENTGotowww.wiley.com/go/eulatoaccessWiley’sebookEULA.
