Enhancing OpenStack* with Intel® Technologies for Public, Private and Hybrid Cloud

Girish Gopal – Strategic Planning, Intel Corporation
Malini Bhandaru – Security Architect, Intel Corporation

EDCS003

Enhancing OpenStack with Intel Technologies


DESCRIPTION

This document presents the latest enhancements made to OpenStack and shows how certain Intel technologies boost the performance and security of the cloud environment. Some examples:

- How to create pools of secured VMs with optional geo-tagging (Intel technologies present in HP, DELL, IBM… servers + Folsom, Nova, Horizon, Open Attestation)
- How to strengthen the security of OpenStack's new key management module (Intel technologies + Barbican)
- How to benchmark Swift object storage with COSBench (which now supports Ceph, S3 and Amplidata)

Authors: Girish Gopal - Strategic Planning, Intel Corporation; Malini Bhandaru - Security Architect, Intel Corporation


Agenda

• Intel and OpenStack*
• Enhancing OpenStack Compute
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps


Intel Enables OpenStack* Cloud Deployments

Contributions
• Across OpenStack projects plus tools released to Open Source
• Top 10 contributor to Grizzly and Havana releases (1)
• Optimizations, validation and patches

Intel IT Open Cloud
• Intel IT Open Cloud with OpenStack
• Deliver Consumable Services
• Automated Management of Cloud

Intel® Cloud Builders
• Collection of best practices
• Intel IT Open Cloud Reference Arch
• Share best practices with IT and CSPs

(1) Source: stackalytics.com


OpenStack* Architecture

• Identity (Keystone): Authentication and authorization for services
• Object Storage (Swift): Allows you to store or retrieve files
• Image (Glance): Catalog and repository for virtual disk images
• Dashboard (Horizon): Modular web-based user interface for all services
• Compute (Nova): Provides virtual servers upon demand
• Networking (Neutron): Provides "network connectivity as a service"
• Block Storage (Cinder): Provides persistent block storage to guest VMs
• Heat: Orchestrate multiple composite cloud applications
• Ceilometer: Collect measurements for metering and monitoring

New Components in Havana


Agenda

• Intel and OpenStack*
• Enhancing OpenStack Compute
  – Trust
  – Security
  – Enhanced Platform Awareness (EPA)
• Enhancing OpenStack Storage
• Enhancing OpenStack Networking
• Enhancing OpenStack Data Collection
• Intel IT Open Cloud
• Summary and Next Steps


Trusted Compute Pools (TCP)

Enhance visibility, control and compliance
- Key IT concerns (61%, 55% and 57% respectively (1))

• TCP Solution
  - Place workloads & VMs in trusted pools of virtualized servers
  - Trusted Computing Group Compliant Platform (TPM)
  - Intel® Xeon® processor initiates a trusted boot
  - OpenStack* Folsom release or later
  - Policy Engine / Console
  - Trust level of VM specified as Trusted
    Compute (Nova) – Trust Filter
    Dashboard (Horizon) – Trust Filter UI
  - Open Attestation (OAT) SDK: https://github.com/OpenAttestation/OpenAttestation

• Core technologies
  - Intel® Trusted Execution Technology
  - Intel® Virtualization Technology FlexMigration

(1) Source: McCann, "What's holding the cloud back?", cloud security global IT survey, sponsored by Intel, May 2012

Trust

TCP is enabled in OpenStack (Folsom release)
• Vendors: Bundle OAT into your OpenStack offering
• Providers/IT: Implement TCP in your OpenStack Cloud
• Users: Request and deploy VMs on Trusted nodes


Trusted Compute Pools with Geo-Tagging

Use asset descriptor information to control virtual workloads
- E.g., enforce policies to control migration or bursting to trusted systems in specific geographical locations

• Enhance OpenStack* services
  - Dashboard – display VM/storage geo
  - Flavor – Geo for VM Instances and Storage
  - Aggregate filter
  - Geo attestation service
  - Configure geo attestation service
  - Provision geo certificate for trusted machines

Provide feedback, use cases

Trust
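The placement decision described on the Trusted Compute Pools and Geo-Tagging slides, as an added example that is not from the original deck and is not Nova or OAT code. `trust:trusted_host` is the flavor key Nova's trusted filter reads; the `trust:geo` key, the report fields, the freshness window and the host names are assumptions constructed for illustration.

```python
"""Trust- and geo-aware host filtering, simplified (illustrative, not Nova's filter)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: an attestation verdict older than this is treated as unknown.
MAX_REPORT_AGE = timedelta(minutes=10)


@dataclass(frozen=True)
class AttestationReport:
    """Verdict an attestation service returned for one host (constructed model)."""
    host: str
    trust_lvl: str           # "trusted", "untrusted" or "unknown"
    geo_tag: Optional[str]   # asset descriptor; None if no geo certificate provisioned
    verified_at: datetime


def host_passes(report, extra_specs, now):
    """Return (passed, reason) for one host against a flavor's extra specs."""
    want_trust = extra_specs.get("trust:trusted_host")
    want_geo = extra_specs.get("trust:geo")  # hypothetical key for the geo policy
    if want_trust is None and want_geo is None:
        return True, "no trust policy requested"
    # Fail closed: a host without a fresh verdict never joins the trusted pool.
    if report is None:
        return False, "no attestation report"
    if now - report.verified_at > MAX_REPORT_AGE:
        return False, "attestation report is stale"
    if want_trust is not None and report.trust_lvl != want_trust:
        return False, f"trust level is {report.trust_lvl!r}, flavor requires {want_trust!r}"
    if want_geo is not None:
        # A location claim is only believed when it comes from an attested platform.
        if report.trust_lvl != "trusted":
            return False, "geo tag from a host that is not attested as trusted"
        if report.geo_tag != want_geo:
            return False, f"geo tag {report.geo_tag!r} does not match required {want_geo!r}"
    return True, "ok"


def filter_hosts(hosts, reports, extra_specs, now):
    """Split candidate hosts into accepted names and {rejected name: reason}."""
    by_host = {r.host: r for r in reports}
    accepted, rejected = [], {}
    for host in hosts:
        ok, reason = host_passes(by_host.get(host), extra_specs, now)
        if ok:
            accepted.append(host)
        else:
            rejected[host] = reason
    return accepted, rejected


# Constructed sample data: five compute nodes and the verdicts held for four of them.
NOW = datetime(2013, 9, 10, 12, 0, tzinfo=timezone.utc)
HOSTS = ["node-a", "node-b", "node-c", "node-d", "node-e"]
REPORTS = [
    AttestationReport("node-a", "trusted", "DE", NOW - timedelta(minutes=2)),
    AttestationReport("node-b", "trusted", "US", NOW - timedelta(minutes=1)),
    AttestationReport("node-c", "untrusted", "DE", NOW - timedelta(minutes=3)),
    AttestationReport("node-d", "trusted", "DE", NOW - timedelta(minutes=45)),
]
FLAVOR_SPECS = {"trust:trusted_host": "trusted", "trust:geo": "DE"}


def demo():
    """Run the filter over the constructed sample data."""
    return filter_hosts(HOSTS, REPORTS, FLAVOR_SPECS, NOW)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for host, reason in rejected.items():
        print(f"rejected {host}: {reason}")
```

The rejection reasons are the part worth logging in a real deployment: they show whether a workload missed the trusted pool because of a failed measurement, an expired verdict or a location mismatch.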


Key Management

Facilitates server-side encryption; data-at-rest security
Enables new use cases and users, e.g., compliance

• Random Key generation
  - Intel® Secure Key: true randomness important
• Secure Storage – keys encrypted with a master key
• Access controlled
  - Identity - Keystone and access policies
• Audit logging - create/delete/use
• High availability
• Pluggable backend – HSM, TPM

Security

Encryption Keys: Create, Store, Protect, and Ready Access


OpenStack* Key Manager

Key management as separate service; prototype in Havana, incubation in Icehouse release of OpenStack*

Secure OpenStack Clouds
• Encrypt volumes, objects and communications

Status and Next Steps
• Barbican Key Manager: https://github.com/cloudkeep/barbican
• Integration with OpenStack authentication and authorization system
• Immediate: Provide volume/block encryption

Future
• Creation and certification of public-private key pairs
• Software support for periodic background tasks
• Client component that can work against HSM
• Examine KMIP
• Leverage AES-XTS to enhance performance

Building Blocks
• Trusted Platform Module
• Intel® Secure Key
• Intel® AES-NI
• New instructions and wider registers

Security

Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions


OpenStack* Security Guide

http://docs.openstack.org/sec/

• OpenStack* services
• Public and Private clouds
• Security domains and bridges
• Layered security
• Secure node bootstrapping and hardening
• Secure intra-service communication
• Database security
• Hypervisor selection
• Trusted machine images
• VM Migration
• Logging
• Identity management
• Access control
• Compliance & Audit

Help update the Security Guide

Security


CPU Features Exposure

Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms

• Expose CPU features to OpenStack Nova scheduler
• Use ComputeCapabilities filter to select hosts with required features
  - Security workload could run faster & more securely with Intel® AES-NI
• Enables premium flavors
  - Enhanced capabilities for cloud customers
  - Enhanced revenue for cloud providers

Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions

• Image (Glance): Import host capabilities request via VM metadata
• Dashboard (Horizon): Expose
• Compute (Nova): Host capabilities discovery, reporting and filter enhancements

Targeted for Havana and future OpenStack releases

EPA


PCI Express* (PCIe*) Accelerator Exposure

• OpenStack* updates to enable PCI Express* (PCIe*) Accelerators
  – Solution based on libvirt and KVM
  – Add PCIe device info to the libvirt driver
  – Extend Nova Scheduler to handle PCIe device allocation
  – Configure the VM for Deployment

• Status
  – Code released to the community
  – Not yet integrated into the Havana release mainline
  – NIC SR-IOV Virtual Function allocation to a VM possible
    Not a recommended use case
    Additional OpenStack updates necessary for a robust solution

Leverage PCI Express Accelerators to gain performance
• Crypto speed-up, hardware-based trust, faster I/O

SR-IOV = Single Root I/O Virtualization

EPA


Agenda

• Intel and OpenStack*

• Enhancing OpenStack Compute

• Enhancing OpenStack Storage
  – Intelligent Volume Scheduling
  – Erasure Code
  – COSBench

• Enhancing OpenStack Networking

• Enhancing OpenStack Data Collection

• Intel IT Open Cloud

• Summary and Next Steps


Intelligent Volume Scheduling - OpenStack* Cinder

Maximize block storage efficiency by intelligently allocating volume based on workload and type of service required

Example: Differentiated Service with Different Storage Backends
• CSP: 3 different storage systems, offers 4 levels of volume services
• Volume service criteria dictate which storage system can be used
• Filter scheduler allows CSP to name storage services and allocate correct volume

Intelligent Volume Scheduling is enabled in OpenStack* (Grizzly release)


Erasure Code for OpenStack* Swift

[Diagram labels: Clients; Access Tier (Concurrency); Capacity Tier (Storage); Tri-replication path; Erasure code path]

Saves disk space, does not impact QoS for hot objects
• Swift uses tri-replication today (3x storage)
• Add daemon on storage node
• Scans all existing objects offline
• Selects cold objects of large enough size
• Replaces tri-replication algorithm with erasure code

Collaborate on Erasure Code
• CLDS007: "OpenStack Swift Erasure Code: A Smart Cloud Storage Solution", Wednesday, 5PM, Rm 2005
• https://blueprints.launchpad.net/swift/+spec/swift-ec


Introducing COSBench

An open source, Intel-developed benchmarking tool to measure Cloud Object Storage (e.g., OpenStack* Swift) performance

• Compare performance of cloud object stores

• Evaluate internal options for software stacks

• Identify bottlenecks and tune performance

• Pluggable adaptors for different storage systems

• Web-based UI

• Real-time performance monitoring

[Chart panels: Throughput, Response Time, Bandwidth, Success Ratio]

Download, Evaluate, Contribute: https://github.com/intel-cloud/cosbench


Agenda

• Intel and OpenStack*

• Enhancing OpenStack Compute

• Enhancing OpenStack Storage

• Enhancing OpenStack Networking
  – Intel® Open Network Platform

• Enhancing OpenStack Data Collection

• Intel® IT Open Cloud

• Summary and Next Steps


Intel® Open Network Platform (ONP), OpenStack* and SDN/NFV Framework

[Diagram labels: OpenStack (Orchestrator) with Neutron; Network Applications; Northbound API; Controllers; Southbound API, e.g., OpenFlow*, Open vSwitch; Nodes: Network Appliance, TOR Switch, Cloud Server, Virtual Switch, EPC, Media Gateway; Intel® ONP Switch Reference Design; Intel ONP Server Reference Design]

SDN/NFV = Software Defined Networking/Network Functions Virtualization

Learn more about Intel ONP
• CLDS006: "Extending Open Networking Platform (ONP) for the Next Generation Server Architectures", Wednesday, 3:45PM, Rm 2005


Agenda

• Intel and OpenStack*

• Enhancing OpenStack Compute

• Enhancing OpenStack Storage

• Enhancing OpenStack Networking

• Enhancing OpenStack Data Collection
  – Multiple Publisher Support
  – Intelligent Workload Scheduling

• Intel® IT Open Cloud

• Summary and Next Steps


Data Collection for Monitoring: Multiple Publisher (Ceilometer)

[Diagram labels: Data Collector; Pipeline Manager; Transformers; Publishers; Metering; Monitoring]

Facilitates transformation and publishing of metered data for consumption by various targets

• Send/publish collected measurements to different endpoints/utilities through different conduits with different formats
• Provides ability to store collected data in different data stores

Targeted for OpenStack* Havana release
• Create/add plug-ins to store data in your own data stores


Data Collection for Efficiency: Intelligent Workload Scheduling

Enhanced usage statistics allow advanced scheduling decisions

• Pluggable metric data collecting framework
  - Collects data via plug-ins
  - Sends data to notification bus for use by other OpenStack* components
• Compute (Nova)
  - New filters / weighers for utilization-based scheduling

Targeted for OpenStack* Havana release
• Utilize pluggable framework to create/add your own plug-ins to monitor network


Intel IT Open Cloud

Today: Large Private Cloud, Limited Public Cloud
• 77% Virtualized
• 80% of new servers in the Cloud
• Under 1 hour to deploy Infrastructure
• Small number of SaaS apps in usage
• Savings realized to date: $21M

Tomorrow: Hybrid Cloud
• Land Applications in minutes
• Automation: lower cost w/ less resources
• Open Cloud for bursting capacity
• SaaS for non-differentiated apps (e.g. email)

Learn more on Intel IT Open Cloud
• CLDS004: "Intel IT Open Cloud – What's Under the Hood, and How Do We Drive It?", Wednesday, 5PM, Rm 2001


Summary: Intel® Technologies & Solutions for OpenStack*

Trusted Compute Pools (TCP), TCP With Geotagging (Release: Folsom / Icehouse)
• Place workloads and VMs in trusted pools of virtualized servers
• Determine and control location of sensitive data in the cloud
• Intel® TXT, Intel® VT FlexMigration

Key Manager (Release: Havana / Icehouse)
• Manager for symmetric and public/private keys, certificates
• Intel® AES-NI, Intel® Secure Key

Enhanced Platform Awareness (Release: Havana)
• Leveraging PCIe accelerator devices in cloud infrastructure, and enabling access to Intel® 64 instruction set extensions
• Intel® QuickAssist, Intel AES-NI, Intel® AVX, AVX2, Intel® SSE4, Intel Secure Key

Erasure Code (Release: Havana)
• Replacing tri-replication algorithm in Swift

Intelligent Volume Scheduling (Release: Grizzly)
• Allocate block storage by type of service required

Multiple Publisher (Release: Havana)
• Transformation & publishing of metered data

Data Collection for Efficiency (Release: Havana)
• Usage statistics for scheduling decisions

Open Network Platform
• Framework for SDN/NFV
• Intel® VT-d, Intel® DPDK, Intel® DDIO

Open Attestation SDK (Open Source)
• Remote attestation service for TCP

COSBench (Open Source)
• Object store performance characterization tool

Intel® TXT = Intel® Trusted Execution Technology; Intel® VT = Intel® Virtualization Technology; Intel® AES-NI = Intel® Advanced Encryption Standard – New Instructions; Intel® AVX = Intel® Advanced Vector Extensions; Intel® VT-d = Intel® Virtualization for Directed I/O; Intel® DPDK = Intel® Data Plane Development Kit; Intel® DDIO = Intel® Data Direct I/O


Read, Download, Get Involved

• Compute
  - Open Attestation SDK: https://github.com/OpenAttestation/OpenAttestation
  - OpenStack* on Intel® TXT (Fedora*): https://fedoraproject.org/wiki/OpenStackOnTXT
  - Mechanisms to Protect Data in the Open Cloud: http://download-software.intel.com/sites/default/files/Intel_TXT_Open_Cloud_Security_Final_Web.pdf

• Storage
  - COSBench: https://github.com/intel-cloud/cosbench

• Networking
  - Intel® Open Network Platform: http://www.intel.com/content/www/us/en/switch-silicon/open-network-platform.html

• Intel IT use of OpenStack
  - Accelerating Deployment of Cloud Services Using Open Source Software: http://www.intel.com/content/dam/www/public/us/en/documents/best-practices/accelerating-deployment-of-cloud-services-using-open-source-software.pdf

Intel® TXT = Intel® Trusted Execution Technology


*Other names and brands may be claimed as the property of others. Copyright ©2013 Intel Corporation.


Backup


Trusted Geolocation Preview

• Determine and control location of server with sensitive information in the cloud
• Server location information added to server root of trust
• Three main phases:
  1. Platform Attestation and Safe Hypervisor launch
  2. Trust-based Secure Migration
  3. Trust- and Geolocation-based Secure Migration


Key-Manager

[Diagram labels: OpenStack Service (Swift/Cinder/Glance/Keystone); Key-Manager holding Cinder Keys, Glance Keys, Keystone Keys, Swift Keys; TPM; Formatter KMIP]

Key Creation and Storage
• Random Number Generator (keys random)
• Storage (master keys)

Interface, over (encrypted) communication
• put(key-id, enc-key-str) returns success
• get(key-id) returns enc_key_str
• Stored record: <key-id, enc-key-str, descriptors>
• Descriptors: Creation-time, Expire-time, Num-uses, Type: public/private/symmetric/unknown
• Swift authentication token, access Swift keys


Implementation Example

[Diagram labels: Controller; ONP Switch; three ONP Servers, each with OS / Hypervisor and DPDK Accelerated Open vSwitch, hosting (vEPC, CDN, CDN, Billing), (vEPC, vEPC, vEPC, Forecast) and (vEPC, vEPC, CDN, Analytics)]