Enterprise Private Cloud
Fast and Secure App Deployment with OpenStack (Part 2)
Introduction
Welcome to this Oracle Open World lab – thanks for joining us.
This lab will take you through the basics of using OpenStack on Oracle Solaris 11 and install applications into newly created VM instances. OpenStack is a popular open source cloud infrastructure that has been integrated into Oracle Solaris 11.2. OpenStack includes a number of services that help you manage the compute, storage and network resources in your data center through a central web based dashboard.
These services can be summarized as the following:
Service Name Description
Nova Compute virtualization
Cinder Block storage
Neutron Software Defined Networking (SDN)
Keystone Authentication between cloud services
Glance Image management and deployment
Horizon Web based dashboard
For this lab and the time allocated to us, we will deploy a new VM instance using OpenStack and install the Oracle Database 12c into it. After successfully installing the database and ensuring that it runs correctly, we will create a golden image from which to rapidly clone this environment across the cloud. In the second half of this lab, we will explore some of the compliance and security features included in Oracle Solaris 11, demonstrate a typical compliance lifecycle used in the cloud, and show how we can help lock VMs down against external attack.
Lab Setup
This lab has the following setup:
• Oracle Solaris 11.2 (root password is solaris11)
• Hostname of solaris, IP address range of 10.158.56.0/21
• IPS repository clone at /repository/publishers/solaris
• Oracle Database 12c installation files located in /root/ and an Oracle Database 12c installation response file located at /root/db_install.rsp
To start with, open up a Terminal window in the host OS and start an SSH connection with root/solaris11 as the user/password combination (using the 10.158.56.x address provided to you):
# ssh root@10.158.56.x
Password:
Oracle Corporation      SunOS 5.11      11.2    June 2014
1. Provision a VM instance
Before we install the Oracle Database, we will need to create a VM instance to install it into. To do this, log into the OpenStack Horizon dashboard located at http://10.158.56.x/horizon (matching the IP address provided to you) and launch an instance. Use dba/oracledba as the user/password combination to log in.
Once you have successfully logged in, we will need to do a number of different things. Firstly, let’s navigate to the Access and Security menu to associate a new SSH keypair:
There are no keypairs currently defined. Let’s go ahead by clicking the Import Keypair button. In our case let’s use the SSH public key of our global zone:
root@solaris:~# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0Khp4Th5VcKQW4LttqzKAR8O60gj43cB0CbdpiizEhXEbVgjI7IlnZlo9iSEFpJlnZrFQC8MU2L7Hn+CD5nXLT/uK90eAEVXVqwc4Y7IVbEjrABQyB74sGnJy+SHsCGgetjwVrifR9fkxFHgjxXkOunXrPMe86hDJRpZLJFGYZZezJRtd1eRwVNSHhJdZmUac7cILFJen/wSsM8TOSAkh+ZWEhwY3o08nZg2IWdMImPbwPwtRohJSH3W7XkDE85d7UZebNJpD9kDAw6OmXsY5CLgV6gEoUExZ/J4k29WOrr1XKR3jiRqQlf3Kw4YuK9JUi/gPhg2lTOhISgJoelorQ== root@solaris
Having successfully imported the SSH keypair, let’s now create a network for this instance. Choose the Networks menu entry to get the following screen:
There are no networks currently defined. Let’s create a network by clicking on the Create Network button. Let’s create a network called mynetwork with a subnet called mysubnet using the 192.168.x.0/24 address range, where x is the unique number assigned to your laptop (the x in 10.158.56.x). This means that instances that choose this network will be created within this range, starting at 192.168.x.3.
Once we create our network, we should see it successfully created in the following screen:
Now we are ready to launch a new instance. Choose the Instances menu entry to get the following screen:
Let’s launch a new instance by clicking on the Launch Instance button. We will call our instance myinstance. We will give it an Oracle Solaris non-global zone – medium flavor. Flavors represent the size of the resources that we should give this instance. We can see here that we will get a root disk of 10GB and 2,048MB RAM. We will choose to boot this instance from the image stored in Glance that we uploaded, called Base Zone.
Once we are happy with the Details tab, we can move on to the Access & Security tab. We can see that our keypair has been pre-selected, so we can immediately move on to the Networking tab. Here we will need to select mynetwork as our network. Once we have finished this, we can click on the Launch button.
After a little bit of time we can see that our instance has launched successfully. Depending on what you chose for your subnet address space, your instance may have a slightly different IP.
We are now ready to log into this instance. In this lab we took the simple path of just setting up an internal network topology. In a typical cloud environment we would set up an external network that VMs could communicate through to the outside world. To access these VMs, we will need to access them through the global zone.
root@solaris:~# ssh root@192.168.66.3
The authenticity of host '192.168.66.3 (192.168.66.3)' can't be established.
RSA key fingerprint is 89:64:96:91:67:ab:6b:35:58:37:35:b8:ab:f3:e5:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.3' (RSA) to the list of known hosts.
Last login: Thu Sep 11 00:33:57 2014
Oracle Corporation      SunOS 5.11      11.2    June 2014
root@host-192-168-66-3:~# ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/dhcp      inherited  ok           --         192.168.66.3/24
2. Setting up an environment for the Oracle Database
Now that we have successfully provisioned an instance, let’s go ahead and start to install the Oracle Database. There are a number of prerequisites that we need to meet first in order to install the database. In this lab, we will meet the minimum requirements and install the database silently using a response file (as opposed to a graphical installation).
Let’s start by adding a new user called oracle, and assigning them to two groups, oinstall and dba.
# useradd -m oracle
80 blocks
# groupadd oinstall
# groupadd dba
# usermod -g oinstall -G dba oracle
Next, we will need to set up appropriate resource controls by creating a new project called user.oracle. In our case, we need to increase the default maximum number of file descriptors a given process can use, and raise the project’s shared memory limit.
# projadd user.oracle
# projmod -U oracle -sK "process.max-file-descriptor=(basic,65536,deny)" user.oracle
# projmod -U oracle -sK "project.max-shm-memory=(priv,8589934592,deny)" user.oracle
Let’s also ensure that the correct software dependencies are installed. In Oracle Solaris 11.2 a new package called oracle-rdbms-server-12-1-preinstall was added that provides all the dependent packages that you will need for an Oracle Database installation. Let’s go ahead and install this.
# pkg install oracle-rdbms-server-12-1-preinstall
           Packages to install: 11
            Services to change:  2
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                              11/11       254/254      5.0/5.0    0B/s

PHASE                                          ITEMS
Installing new actions                       644/644
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           1/1
Our next step will be to create a location where we will install the Oracle Database. For convenience we will install to the existing ZFS root pool, but we will create a new dataset for this.
# zfs create rpool/apps
# zfs list rpool/apps
NAME         USED  AVAIL  REFER  MOUNTPOINT
rpool/apps    31K  31.4G    31K  /apps
Also, let’s initially create an oracle subdirectory and ensure that the oracle user has the appropriate privileges.
# mkdir /apps/oracle
# chown -R oracle:dba /apps
Finally, let’s set the password of the oracle user to solaris11 and log into the account.
# passwd oracle
# su - oracle
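Before handing the account over to the installer it is worth verifying that the resource controls actually landed in /etc/project, because a project limit that is missing or too low only shows up later as a failed prerequisite check. The shell functions below are an added example written for this lab (they are not part of the original lab material or of Oracle Solaris): they parse the /etc/project format (name:projid:comment:users:groups:attributes), which is the format projmod -K writes, and check the two controls set above against a constructed sample file. On a live system pass /etc/project instead of the sample.

```shell
#!/bin/sh
# Added example: check the user.oracle project resource controls.
# SAMPLE_PROJECT_FILE is a constructed /etc/project as it would look after the
# projadd/projmod commands in this lab.
SAMPLE_PROJECT_FILE='system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
user.oracle:100::oracle::process.max-file-descriptor=(basic,65536,deny);project.max-shm-memory=(priv,8589934592,deny)'

# project_rctl FILE PROJECT RCTL
# Print the value of resource control RCTL on project PROJECT (the first value
# if several are set), or nothing when the project or the control is absent.
# /etc/project fields: name:projid:comment:users:groups:attributes
project_rctl() {
    awk -F: -v proj="$2" -v rctl="$3" '
        $1 == proj {
            n = split($6, attrs, ";")
            for (i = 1; i <= n; i++) {
                if (index(attrs[i], rctl "=") == 1) {
                    # attribute looks like name=(priv,value,action)[,(...)]
                    sub(/^[^=]*=\(/, "", attrs[i])
                    split(attrs[i], f, ",")
                    print f[2]
                    exit
                }
            }
        }' "$1"
}

# check_oracle_project FILE
# Succeed only when user.oracle carries both controls at or above the values
# used in this lab; otherwise say which one is short and return 1.
check_oracle_project() {
    fd=$(project_rctl "$1" user.oracle process.max-file-descriptor)
    shm=$(project_rctl "$1" user.oracle project.max-shm-memory)
    if [ -z "$fd" ] || [ "$fd" -lt 65536 ]; then
        echo "process.max-file-descriptor is ${fd:-unset}, need >= 65536" >&2
        return 1
    fi
    if [ -z "$shm" ] || [ "$shm" -lt 8589934592 ]; then
        echo "project.max-shm-memory is ${shm:-unset}, need >= 8589934592" >&2
        return 1
    fi
    echo "user.oracle resource controls OK (fd=$fd shm=$shm)"
}

# write_sample_project FILE: write the constructed sample so it can be checked.
write_sample_project() {
    printf '%s\n' "$SAMPLE_PROJECT_FILE" > "$1"
}

# Stand-alone demonstration against the constructed sample: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=${TMPDIR:-/tmp}/project.sample.$$
    write_sample_project "$f"
    check_oracle_project "$f"
    rm -f "$f"
fi
```

The file check tells you what the next login will get; to see what an already running process under the project is actually limited to, query the kernel with prctl -n process.max-file-descriptor -i project user.oracle.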
3. Installing the Oracle Database
The first thing we will need to do is copy over the Oracle Database installer files. For convenience we have provided them in the Global Zone, which can be reached at 192.168.x.2 (this may change depending on the subnet value you chose). Once these are copied over, we will unpack the zip files.
$ scp root@192.168.x.2:/files/* .
$ unzip '*.zip'
$ cd database
We will use a response file to silently install the database. For this installation we will be installing the Enterprise Edition with a database only installation (as opposed to a database installation and configuration). For convenience we have provided db_install.rsp with the following contents:
oracle.install.responseFileVersion=/oracle/install/rspfmt_dbinstall_response_schema_v12.1.0
oracle.install.option=INSTALL_DB_SWONLY
ORACLE_HOSTNAME=solaris
UNIX_GROUP_NAME=oinstall
INVENTORY_LOCATION=/apps/oraInventory
SELECTED_LANGUAGES=en
ORACLE_HOME=/apps/oracle/oracledb12c
ORACLE_BASE=/apps/oracle
oracle.install.db.InstallEdition=EE
oracle.install.db.DBA_GROUP=dba
oracle.install.db.BACKUPDBA_GROUP=dba
oracle.install.db.DGDBA_GROUP=dba
oracle.install.db.KMDBA_GROUP=dba
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false
DECLINE_SECURITY_UPDATES=true
oracle.installer.autoupdates.option=SKIP_UPDATES
This response file can obviously be tailored for your own environment as required. Now we are ready to run the Oracle Database installer.
$ ./runInstaller -silent -responseFile /export/home/oracle/db_install.rsp
Starting Oracle Universal Installer...
Checking Temp space: must be greater than 180 MB.   Actual 796 MB    Passed
Checking swap space: must be greater than 150 MB.   Actual 1749 MB    Passed
[WARNING] [INS-13014] Target environment does not meet some optional requirements.
   CAUSE: Some of the optional prerequisites are not met. See logs for details. /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log
   ACTION: Identify the list of failed prerequisite checks from the log: /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log. Then either from the log file or from installation manual find the appropriate configuration to meet the prerequisites and fix it manually.
You can find the log of this install session at:
 /apps/oraInventory/logs/installActions2014-09-28_02-25-07PM.log
The install will run through a long list of checks to ensure the environment meets the requirements before installing itself. Some of the optional requirements may fail – do not worry about this; if left for a few minutes the database installation should succeed ok. You can always check the contents of /apps/oraInventory/logs/installActions*.log to ensure that it has been successfully installed:
The installation of Oracle Database 12c was successful.
Please check '/apps/oraInventory/logs/silentInstall2014-09-28_02-25-07PM.log' for more details.
As a root user, execute the following script(s):
        1. /apps/oraInventory/orainstRoot.sh
        2. /apps/oracle/oracledb12c/root.sh
Successfully Setup Software.
Once the installation has finished, we will need to quickly run a few scripts as the root account, as suggested by the installer, and then log back into the oracle account again.
$ logout
# /apps/oracle/oraInventory/orainstRoot.sh
Changing permissions of /apps/oracle/oraInventory.
Adding read,write permissions for group.
Removing read,write,execute permissions for world.
Changing groupname of /apps/oracle/oraInventory to oinstall.
The execution of the script is complete.
# /apps/oracle/oracledb12c/root.sh
Check /apps/oracle/oracledb12c/install/root_solaris_2014-09-28_14-51-55.log for the output of root script
# su - oracle
4. Running the Oracle Database
Let’s check to see that the Oracle Database has been installed ok by testing it, and set up a default environment that we can use for this database. Set up the following environment variables:
$ export ORACLE_BASE=/apps/oracle
$ export ORACLE_HOME=/apps/oracle/oracledb12c
$ export ORACLE_SID=orcl
$ export LD_LIBRARY_PATH=/apps/oracle/oracledb12c/lib
$ export PATH=/apps/oracle/oracledb12c/bin:$PATH
Let’s also associate the system identifier (ORACLE_SID) with the database home (ORACLE_HOME) by updating the /var/opt/oracle/oratab file with the addition of the following line:
orcl:/apps/oracle/oracledb12c:Y
Let’s also create an initialization parameter file for the ORACLE_SID by creating it at /apps/oracle/oracledb12c/dbs/initorcl.ora with the following contents:
db_name='orcl'
Now we can check to see if our Oracle Database instance is working by starting it and running a few SQL*Plus commands:
$ dbstart /apps/oracle/oracledb12c
Processing Database instance "orcl": log file /apps/oracle/oracledb12c/startup.log
$ sqlplus /nolog
SQL*Plus: Release 12.1.0.2.0 Production on Sun Sep 28 16:43:38 2014
Copyright (c) 1982, 2014, Oracle.  All rights reserved.
SQL> connect / as sysdba
Connected.
SQL> create database orcl;
Database created.
SQL> connect orcl as sysdba;
Enter password: solaris11
Connected.
SQL> create table participants(
  2  first_name varchar2(25) not null,
  3  last_name varchar2(25) not null);
Table created.
SQL> describe participants;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 FIRST_NAME                                NOT NULL VARCHAR2(25)
 LAST_NAME                                 NOT NULL VARCHAR2(25)
SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
Now that we have seen that it works ok, let’s stop the database instance.
$ dbshut /apps/oracle/oracledb12c
5. Automatic restart of Oracle Database with SMF
It would be nice if our golden image that we’re creating for OpenStack could automatically start the Oracle Database on first boot. To achieve this we will integrate it with the Service Management Framework (SMF). SMF manages system services on Oracle Solaris 11, and provides high availability in the event of software or hardware failure.
The first thing we’ll do is to create an SMF manifest. This is a description of the service, and how it should be started or stopped. Oracle Solaris 11 provides a convenient way to create this manifest in its simplest form using the svcbundle command. Let’s run it and provide start and stop methods as follows:
# svcbundle -s service-name=site/oracledb12c \
    -s start-method="dbstart /apps/oracle/oracledb12c" \
    -s stop-method="dbshut /apps/oracle/oracledb12c" -o oracledb12c.xml
This will output a file oracledb12c.xml with a basic template that we can add to manually if desired. In our case, we do want to modify it slightly to ensure that the oracle user runs the database, and to set the appropriate environment variables. To do this, we need to add a method context to each exec_method for start and stop.
Edit oracledb12c.xml and find the <exec_method/> XML tags that svcbundle generated for start and stop. Modify them to use the following instead:
<exec_method timeout_seconds="60" type="method" name="start" exec="dbstart /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_BASE" value="/apps/oracle"/>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
      <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
      <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/>
    </method_environment>
  </method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_BASE" value="/apps/oracle"/>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
      <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
      <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/>
    </method_environment>
  </method_context>
</exec_method>
We now need to validate the file to make sure that we haven’t made any errors.
# svccfg validate oracledb12c.xml
Finally, let’s copy this file over to the site SMF manifest location and restart the manifest-import service:
# mv oracledb12c.xml /lib/svc/manifest/site
# svcadm restart manifest-import
We can check to see if the Oracle Database is running:
# svcs oracledb12c
STATE          STIME    FMRI
online          6:55:38 svc:/site/oracledb12c:default
and a listing of the running processes confirms it.
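The method context is the part of the manifest that decides which identity and environment the database starts with, so it pays to generate it mechanically rather than edit it by hand, and then to confirm that every method in the resulting file carries a credential. The script below is an added example for this lab; it is not output of svcbundle or any Oracle tool. write_manifest emits a complete manifest whose skeleton (dependency on the multi-user milestone, transient duration, a default instance) is modelled on what svcbundle produces and is an assumption, with the method context from this section applied to both methods; manifest_check confirms that each exec_method is paired with a method_credential; manifest_validate runs svccfg validate where it exists and falls back to xmllint or a skip elsewhere. The generated PATH keeps /usr/bin and /usr/sbin because dbstart and dbshut call standard utilities as well as the tools under ORACLE_HOME/bin; the service name, paths and timeouts are this lab's values.

```shell
#!/bin/sh
# Added example: generate and check the SMF manifest for the Oracle Database
# service. Values are this lab's; the manifest skeleton is modelled on
# svcbundle output and is an assumption, not an Oracle-supplied template.
SERVICE_NAME=site/oracledb12c
ORACLE_HOME=/apps/oracle/oracledb12c
RUN_USER=oracle
RUN_GROUP=dba

# method_context: the credential and environment shared by start and stop.
# PATH keeps the system directories because dbstart/dbshut call standard
# utilities (cat, ps, grep) as well as $ORACLE_HOME/bin tools.
method_context() {
    cat <<EOF
      <method_context>
        <method_credential user="$RUN_USER" group="$RUN_GROUP"/>
        <method_environment>
          <envvar name="ORACLE_BASE" value="/apps/oracle"/>
          <envvar name="ORACLE_HOME" value="$ORACLE_HOME"/>
          <envvar name="ORACLE_SID" value="orcl"/>
          <envvar name="LD_LIBRARY_PATH" value="$ORACLE_HOME/lib"/>
          <envvar name="PATH" value="$ORACLE_HOME/bin:/usr/bin:/usr/sbin"/>
        </method_environment>
      </method_context>
EOF
}

# write_manifest FILE: write the complete service manifest to FILE.
write_manifest() {
    cat > "$1" <<EOF
<?xml version="1.0" ?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="$SERVICE_NAME">
  <service version="1" type="service" name="$SERVICE_NAME">
    <dependency restart_on="none" type="service" name="multi_user_dependency" grouping="require_all">
      <service_fmri value="svc:/milestone/multi-user"/>
    </dependency>
    <exec_method timeout_seconds="60" type="method" name="start" exec="dbstart $ORACLE_HOME">
$(method_context)
    </exec_method>
    <exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut $ORACLE_HOME">
$(method_context)
    </exec_method>
    <property_group type="framework" name="startd">
      <propval type="astring" name="duration" value="transient"/>
    </property_group>
    <instance enabled="true" name="default"/>
    <template>
      <common_name>
        <loctext xml:lang="C">Oracle Database 12c</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
EOF
}

# manifest_check FILE: succeed only when every exec_method carries a
# method_credential for RUN_USER, i.e. no method falls back to running as root.
manifest_check() {
    methods=$(grep -c '<exec_method ' "$1" || true)
    creds=$(grep -c '<method_credential user="'"$RUN_USER"'"' "$1" || true)
    if [ "$methods" -gt 0 ] && [ "$methods" -eq "$creds" ]; then
        echo "$1: $methods methods, all run as $RUN_USER"
    else
        echo "$1: $methods methods but only $creds run as $RUN_USER" >&2
        return 1
    fi
}

# manifest_validate FILE: syntax check with svccfg on Solaris, xmllint elsewhere.
manifest_validate() {
    if command -v svccfg >/dev/null 2>&1; then
        svccfg validate "$1"
    elif command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1"
    else
        echo "no validator available, skipping syntax check of $1" >&2
    fi
}

# Stand-alone use: sh manifest.sh --demo, then copy the file as in the lab.
if [ "${1:-}" = "--demo" ]; then
    write_manifest oracledb12c.xml
    manifest_check oracledb12c.xml && manifest_validate oracledb12c.xml
fi
```

manifest_check is deliberately strict about the count rather than just the presence of one credential: a stop method left without a method_context would run dbshut as root, which is exactly the kind of drift a copy-and-paste edit of the XML produces.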
6. Compliance with Oracle Solaris 11.2
We delivered the OpenSCAP security-reporting framework in Solaris 11.1. SCAP (Security Content Automation Protocol) is an open standard for configuration management and reporting originally built for the US Dept of Defense and US National Institute of Standards and Technology. While development was seeded by the public sector, the SCAP ecosystem is rapidly being adopted by most major vendors as a standard way to represent system configuration and security controls. In Solaris 11.2 we wrap OpenSCAP in a convenient new command called compliance(1M). This new compliance command currently has 3 major options:
1) Guide – Create a “step by step” guide that describes how to meet a compliance standard (sometimes called a benchmark).
2) Assess – Assess the system against a series of security checks contained in a standard. The assess subcommand outputs an XML file that can be imported into compliance management tools.
3) Report – Convert the XML assessment into a human-readable HTML file. This XML-to-HTML conversion is an XML transformation and can be modified by your organization.
Starting with Solaris 11.2 we deliver 3 important security/compliance standards:
1) PCI-DSS – Our mapping of PCI-DSS to system configuration and security controls. This reporting profile was co-created by Solaris engineering and a leading PCI-DSS QSA (auditor). There are around 200 controls in this standard.
2) 'Solaris Baseline' – This maps to our “secure by default” security profile, which is an “out of the box” security posture that should meet most customers’ risk profiles. A freshly installed system should pass this profile.
3) 'Solaris Recommended' – The recommended policy is close to the security posture of the “CIS Security Benchmark”, which was developed by Oracle for CIS. This recommended benchmark can take longer to run, but either provides more stringent checks or addresses risks not in the baseline standard.
Let’s start by running a compliance report on our existing Oracle Database VM instance. We can generate an assessment for the Solaris Baseline:
# compliance assess
Assessment will be named 'solaris.Baseline.2014-09-29,14:52'
Package integrity is verified
Test_1.1    fail
The OS version is current
Test_1.2    fail
Package signature checking is globally activated
Test_1.3    pass
All local filesystems are ZFS
Test_2.1    pass
…
Address Space Layout Randomization (ASLR) is enabled
Test_6.6    pass
Check all default audit properties
Test_7.1    pass
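Reading pass/fail lines by eye is fine for a lab, but for a golden-image pipeline you want the assessment to act as a gate: no archive gets captured while a check is failing. The functions below are an added example for this lab and are not part of the compliance(1M) tooling. They parse the text listing in the shape shown above (a description line followed by a Test_x.y pass/fail line), which is reproduced here as a constructed sample, and return a non-zero status when any check failed so that a build step can stop. The XML assessment that compliance assess writes under /var/share/compliance remains the authoritative artifact for compliance tools; this works on the console listing.

```shell
#!/bin/sh
# Added example: turn the text output of 'compliance assess' into a gate.
# SAMPLE_ASSESS is a constructed listing in the shape printed above; on a
# live system feed the real output:  compliance assess 2>&1 | assess_gate
SAMPLE_ASSESS="Assessment will be named 'solaris.Baseline.2014-09-29,14:52'
Package integrity is verified
Test_1.1 fail
The OS version is current
Test_1.2 fail
Package signature checking is globally activated
Test_1.3 pass
All local filesystems are ZFS
Test_2.1 pass
Address Space Layout Randomization (ASLR) is enabled
Test_6.6 pass
Check all default audit properties
Test_7.1 pass"

# assess_results < listing
# Normalise the listing to one tab-separated line per check:
#   test-id <TAB> result <TAB> description
# The description is the non-result line that precedes each Test_ line.
assess_results() {
    awk '
        /^Test_[0-9.]+[ \t]+(pass|fail)[ \t]*$/ {
            printf "%s\t%s\t%s\n", $1, $2, desc
            next
        }
        { desc = $0 }'
}

# assess_count RESULT < listing: number of checks with that result (pass|fail)
assess_count() {
    assess_results | awk -F'\t' -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# assess_failures < listing: the failing checks as "id <TAB> description"
assess_failures() {
    assess_results | awk -F'\t' '$2 == "fail" { printf "%s\t%s\n", $1, $3 }'
}

# assess_gate < listing: print a summary; return 1 when anything failed,
# listing the failures on stderr so the build log shows what to fix.
assess_gate() {
    tmp=${TMPDIR:-/tmp}/assess.$$
    cat > "$tmp"
    passed=$(assess_count pass < "$tmp")
    failed=$(assess_count fail < "$tmp")
    echo "compliance: $passed passed, $failed failed"
    if [ "$failed" -gt 0 ]; then
        assess_failures < "$tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Stand-alone demonstration on the constructed sample: sh gate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ASSESS" | assess_gate
fi
```

Run against the sample, the gate reports 4 passed and 2 failed, prints Test_1.1 and Test_1.2 with their descriptions, and exits non-zero, which is the behaviour you want in front of the archiveadm create step later in this lab.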
Let’s take a look at what the compliance command reports:
# compliance list
Benchmarks:
    pci-dss
    solaris
Assessments:
    solaris.Baseline.2014-09-29,14:52
Now we are ready to generate a report on this assessment.
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2014-09-29,14:52/report.html
Let’s copy this compliance report into the document root of Apache and view it through the web browser:
# cp /var/share/compliance/assessments/solaris*/report.html /var/apache2/2.2/htdocs/
Now open up a web browser and navigate to http://10.158.56.x/report.html
Now instead of the Solaris Baseline benchmark, we’ll run it against the PCI-DSS benchmark:
# compliance assess -b pci-dss
Assessment will be named 'pci-dss.Solaris_PCI-DSS.2014-09-29,15:14'
…
Once the initial report has been completed, we can also create a PCI-DSS compliance guide, which is a document that describes Oracle Solaris security controls mapped to PCI-DSS security standards. This document is useful in determining how to configure an Oracle Solaris system or as an artifact for security auditors.
# compliance guide -b pci-dss
/var/share/compliance/guides/pci-dss.html
7. Create an Oracle Database Unified Archive
Unified Archives are a new feature added in Oracle Solaris 11.2 that provide system cloning and disaster recovery capabilities. They are the foundation of what is installed when deploying a new VM instance in OpenStack, and integrated into the Glance image management service.
Let’s start by capturing a Unified Archive of our existing instance. These can be
# archiveadm create myinstance.uar
Now that we have done this, we’ll need to set some environment variables so that we can upload this archive to Glance.
# export OS_AUTH_URL=http://localhost:5000/v2.0/
# export OS_PASSWORD=glance
# export OS_USERNAME=glance
# export OS_TENANT_NAME=service
Once we have set these environment variables, we can import the Unified Archive into Glance.
# glance image-create --container-format bare --disk-format raw --is-public true --name "DB Zone" --property architecture=sparc64 --property hypervisor_type=solariszones --property vm_mode=solariszones < myinstance.uar
+----------------------------+--------------------------------------+
| Property                   | Value                                |
+----------------------------+--------------------------------------+
| Property 'architecture'    | sparc64                              |
| Property 'hypervisor_type' | solariszones                         |
| Property 'vm_mode'         | solariszones                         |
| checksum                   | 336bdfe5f76876fe24907e35479101e7     |
| container_format           | bare                                 |
| created_at                 | 2014-09-11T00:52:14.269232           |
| deleted                    | False                                |
| deleted_at                 | None                                 |
| disk_format                | raw                                  |
| id                         | b42e47ee-d8dc-e50c-d6e0-9206d761ce41 |
| is_public                  | True                                 |
| min_disk                   | 0                                    |
| min_ram                    | 0                                    |
| name                       | DB Zone                              |
| owner                      | f17341f0a2a24ec9ec5f9ca497e8c0cc     |
| protected                  | False                                |
| size                       | 1277245440                           |
| status                     | active                               |
| updated_at                 | 2014-09-11T00:52:42.352947           |
+----------------------------+--------------------------------------+
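Glance reports the MD5 checksum and byte size it computed for the uploaded archive. Comparing them with the local archive is a cheap way to catch a truncated or corrupted upload before the image is cloned across the cloud. The functions below are an added example for this lab, not part of the glance client: glance_field pulls a value out of the client's table output (a constructed copy of the table above is embedded), local_md5 uses digest(1) on Solaris or md5sum elsewhere, and verify_upload compares size first and checksum second.

```shell
#!/bin/sh
# Added example: compare the archive Glance stored with the local file.
# SAMPLE_GLANCE is a constructed copy of the 'glance image-create' table
# above; in practice capture the real one:  glance image-create ... | tee image.txt
SAMPLE_GLANCE='+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | 336bdfe5f76876fe24907e35479101e7     |
| container_format | bare                                 |
| disk_format      | raw                                  |
| id               | b42e47ee-d8dc-e50c-d6e0-9206d761ce41 |
| name             | DB Zone                              |
| size             | 1277245440                           |
| status           | active                               |
+------------------+--------------------------------------+'

# glance_field FIELD < table: print the Value column of the row named FIELD.
# Border rows have a single field and are skipped by the NF test.
glance_field() {
    awk -F'|' -v key="$1" '
        NF >= 3 {
            name = $2; val = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) print val
        }'
}

# local_md5 FILE: hex MD5 of FILE with whichever tool the host provides
# (digest(1) on Oracle Solaris, md5sum on most other systems).
local_md5() {
    if command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        echo "no MD5 tool found" >&2
        return 2
    fi
}

# verify_upload ARCHIVE TABLE_FILE: succeed only when the size and checksum
# Glance reported match the local archive; size is compared first because it
# is free and already catches a truncated upload.
verify_upload() {
    want_sum=$(glance_field checksum < "$2")
    want_size=$(glance_field size < "$2")
    have_size=$(wc -c < "$1" | tr -d ' ')
    if [ "$want_size" != "$have_size" ]; then
        echo "size mismatch: glance $want_size, local $have_size" >&2
        return 1
    fi
    have_sum=$(local_md5 "$1") || return 2
    if [ "$want_sum" != "$have_sum" ]; then
        echo "checksum mismatch: glance $want_sum, local $have_sum" >&2
        return 1
    fi
    echo "$1 matches the image Glance stored ($have_size bytes, md5 $have_sum)"
}

# Stand-alone use: sh verify.sh myinstance.uar image.txt
if [ $# -eq 2 ]; then
    verify_upload "$1" "$2"
fi
```

MD5 is what the Glance API of this release reports, so it is what can be compared here; it detects accidental corruption, not deliberate substitution. For the latter, keep the archive's digest from a stronger hash alongside the image id in your own records.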
Having uploaded our new image to Glance, we can now go ahead and deploy it to newly created VM instances. Navigate to the Instances menu in Horizon again, and launch a new instance. Choose “DB Zone” as the Image instead of “Base Zone” as we did previously.
8. Securing our Virtual Environment
Let’s assume that we’ve now run our compliance checks, that we’ve got to an environment that has been approved by our auditors, and that we have captured it and uploaded it to OpenStack. In Oracle Solaris 11 we added the ability to create read-only environments through Immutable Non-Global and Global Zones. This feature provides a tamper-proof environment that can only be changed with the appropriate security privileges.
There are a number of different options in terms of read-only – we can lock down everything, we can fix only the configuration of a particular system, or have a flexible configuration with some constraints.
To create an Immutable Zone we need to create a new Flavor in Horizon. Log out of the dba user and log in as admin/secrete. From the OpenStack Dashboard (Horizon) navigate to the Admin -> Flavor page. We can either update one of the existing Solaris flavors or create a new one. Let’s do this by creating a new one called 'Immutable Solaris non global Zone'.
Make sure you set the 'Flavor Access' to include the projects you want to use this. Then from the 'More' menu on the entry in the table select 'View Extra Specs'.
This will bring up a window like this one. Since we are creating a new entry from scratch, we also have to set up the type of zone this will be.
Select Create and fill in the following to set a non-global zone:
Then do the same again and create a key/value pair for zonecfg:file-mac-profile with the value being one of flexible-configuration, fixed-configuration, or strict.
Now, creating a new VM instance using this flavor, we can look at the configuration of the non-global zone that has been created as follows:
# zonecfg -z instance-0000000f info
zonename: instance-0000000f
zonepath: /system/zones/instance-0000000f
brand: solaris
autoboot: false
autoshutdown: shutdown
bootargs:
file-mac-profile: fixed-configuration
...
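Asking for an immutable zone through a flavor extra spec is not the same as getting one: a mistyped value in the spec, or an instance launched from a flavor without the key, silently produces an ordinary writable zone. The functions below are an added example for this lab, not part of zonecfg or Nova: valid_mac_profile rejects anything that is not one of the file-mac-profile values zonecfg accepts, zone_mac_profile reads the profile back from zonecfg info output (a constructed copy of the listing above is embedded; that an unset profile shows as an empty file-mac-profile line is an assumption), and require_mac_profile fails when the zone is not locked down as intended so that a post-provisioning check can stop.

```shell
#!/bin/sh
# Added example: confirm an instance really got the requested file-mac-profile.
# SAMPLE_ZONECFG is a constructed copy of the 'zonecfg info' listing above;
# on a live system use:  zonecfg -z instance-0000000f info | require_mac_profile fixed-configuration
SAMPLE_ZONECFG='zonename: instance-0000000f
zonepath: /system/zones/instance-0000000f
brand: solaris
autoboot: false
autoshutdown: shutdown
bootargs:
file-mac-profile: fixed-configuration'

# valid_mac_profile VALUE: succeed only for a profile zonecfg accepts
# (none = writable; the other three are the immutable variants from this section)
valid_mac_profile() {
    case "$1" in
        none|flexible-configuration|fixed-configuration|strict) return 0 ;;
        *) return 1 ;;
    esac
}

# zone_mac_profile < zonecfg-info: print the profile, "none" when unset
# (assumption: an unset profile shows as an empty 'file-mac-profile:' line)
zone_mac_profile() {
    awk -F': *' '
        $1 == "file-mac-profile" { v = $2 }
        END { print (v == "" ? "none" : v) }'
}

# require_mac_profile EXPECTED < zonecfg-info: succeed when the zone runs with
# EXPECTED; return 1 on a mismatch and 2 when EXPECTED is not a known profile,
# so a misspelled expectation is not mistaken for a passing check.
require_mac_profile() {
    if ! valid_mac_profile "$1"; then
        echo "unknown file-mac-profile '$1'" >&2
        return 2
    fi
    actual=$(zone_mac_profile)
    if [ "$actual" = "$1" ]; then
        echo "zone profile $actual as requested"
    else
        echo "zone profile is '$actual', expected '$1'" >&2
        return 1
    fi
}

# Stand-alone demonstration on the constructed sample: sh zonecheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ZONECFG" | require_mac_profile fixed-configuration
fi
```

The same valid_mac_profile check is worth running on the value you type into the flavor's extra spec before launching anything, since the spec is free text in Horizon and nothing there validates it for you.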
Congratulations on making it this far and finishing the lab. If you have the time and interest to continue, try taking on the additional exercises below. Thanks again for joining us!
11. More Information
• Download Oracle Solaris 11
  http://www.oracle.com/technetwork/server-storage/solaris11/downloads/
• Download OpenStack Unified Archive
  http://www.oracle.com/technetwork/server-storage/solaris11/downloads/unified-archives-2245488.html
• Oracle OpenStack on Oracle Solaris Technology Page
  http://www.oracle.com/technetwork/server-storage/solaris11/technologies/openstack-2135773.html
• Getting Started with OpenStack on Oracle Solaris
  http://www.oracle.com/technetwork/articles/servers-storage-admin/getting-started-openstack-os11-2-2195380.html