What’s New in OpenStack Havana
Nick Chase | Technical Product Marketing
With 20+ years' experience as a developer and author, Nick has written several books and hundreds of articles as an IBM developerWorks Certified Master Author. He also founded NoTooMi.com and has done Web application development for companies such as Lucent Technologies, Sun Microsystems, Oracle, and the Tampa Bay Buccaneers.
Oleg Gelbukh | Principal Engineer
Oleg is Principal Engineer at Mirantis, where he has been working on the Mirantis OpenStack Initiative for the past 3 years. He has been actively involved with multiple OpenStack projects, including Swift, OpenStack-CI (Continuous Integration) and
Viewing this webinar
● You’ll see a window like this; it’s a little different on a Mac. You can see a list of participants.
● Please submit questions in the bottom window:
○ If we can answer during the webcast, we’ll do so
○ Questions of broader interest will be saved and curated for the end
● We’ll provide a link where you can download the slides at the end of the webcast.
○ If you ask about slides during the webcast, you will get the same answer: “A link will be provided
What we’re going to cover:
● Organizational changes
● Core projects
● Integrated projects
● Looking ahead to Icehouse
● Programs
○ Proposal
○ Incubation
○ Graduation to integrated/core
● New programs for Havana
○ OpenStack Orchestration (Heat)
○ OpenStack Metering (Ceilometer)
● Quantum -> Neutron
OpenStack Compute
Nova
Lifecycle
● Boot from image/volume/snapshot
● Clone from image/snapshot
● Shelve instance
Nova
Live migration
● Only within a single cell
● Requires shared storage
nova live-migration <instance_id> <host_id>
Complete instructions at http://bit.ly/live-migration-openstack
Nova
Quotas
● Edit default quota
● Set quotas per user, rather than per tenant/project
nova-manage project quota \
  --project <project name> \
  --user <user name> \
Nova
Cells and availability zones
● No longer chosen at random
● Scheduled the same way hosts are
● Uses scheduler_filter_classes and scheduler_weight_classes
Nova
Docker
● Create and package an application, then run in any Docker container
● Implemented as both a hypervisor type and a container type for Glance
Nova
VMware
● Cinder support
● Ability to control clone strategy
Nova
KVM
● QEMU guest agent (qemu-guest-agent)
nova image-meta <image_id> set hw_qemu_guest_agent=yes
● Cinder QoS and rate limiting
● PCI passthrough (libvirt only)
● New virtual interface (VIF) drivers (IO Visor, Indigo Virtual Switch, Mellanox)
Nova
Hyper-V
● Support for Windows Server / Hyper-V Server 2012 R2
● Drive resizing with VHDX
● Memory oversubscription with dynamic memory
● Ephemeral storage
Nova
XenServer
● Get around VHD 2000GB limit by splitting large ephemeral disks into 1024GB or 2000GB chunks
● Logging of a server console
● Ability to boot VMs into a state where they are running a Linux distribution installer, to help users build their own custom images
Nova
Storage
● Encryption of Cinder volumes
● Native GlusterFS support
● iSER support for iSCSI over TCP when using RDMA
OpenStack
Networking
Neutron
Firewall as a Service
● Perimeter firewall -- one per tenant (for now)
● Reference implementation via Open vSwitch and iptables
Neutron
Firewall as a Service (cont’d)
● Available via Horizon and CLI
neutron firewall-rule-create \
  --protocol <tcp|udp|icmp|any> \
  --destination-port <port-range> \
  --action <allow|deny>
neutron firewall-policy-create --firewall-rules \
  "<firewall-rule ids or names separated by space>" \
  myfirewallpolicy
Neutron
Migrate L3-router service from mix-in to plug-in
● Previously baked into the core
● Server side moved out into a plug-in
● Now possible to replace with alternate implementation
Neutron
New Modular L2 (ML2) plug-in
● Currently monolithic plug-ins for each L2 agent (OVS, LinuxBridge, etc.)
● Single plug-in for all agents
● Works with existing agents
● Easier to add new L2 agents
Neutron
Interface driver support for Indigo Virtual Switch (IVS)
● IVS is a pure OpenFlow virtual switch
● Virtual interface (VIF) can be used to connect to both virtual and physical hardware switches (i.e., BigSwitch)
● Node must have IVS installed
OpenStack
Block Storage
Cinder
Volume migration
● Admin API to migrate a volume to a different Cinder back-end
cinder migrate <volume_id> <target os-vol-host-attr:host>
Cinder
Transfer a volume from one tenant/project to another
cinder transfer-create <volume_id> # Tenant A
Cinder
● Ceph driver to backup service
● Differential backups from Ceph to Ceph
● Enabled in cinder.conf
Cinder
Improved drivers/support
● Backup from any iSCSI device without internal optimizations
● New Windows Storage Server driver features
● Optimized volume migration for IBM Storwize driver
Cinder
Improved drivers/support (cont’d)
● Added Fibre Channel drivers for Huawei storage systems (improved)
● Added an NFS volume driver to support Nexenta storage in Cinder (improved)
● Dell EqualLogic volume driver (new)
OpenStack
Object Storage
Swift
Global clusters
● Replication across the world
● Local reads/writes for performance
Swift
Cluster-side crossdomain.xml file
● Useful for Flash, cross-domain JavaScript
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.mirantis.net" />
  <allow-access-from domain="*.mirantis.com" />
</cross-domain-policy>
Swift
Optimizations
● Memcache optimization
● Threadpool
● Faster handoff to new volume in case of
OpenStack
Image Service
Glance
Storage options
● Cinder
● GridFS
Glance
New Registry API
● RPC over HTTP
● Legacy deployments are supported
Glance
Multiple image locations
● Direct URL access
● Download from multiple locations
OpenStack
Identity Service
Keystone
Role-based Access Control (RBAC)
● More granular policies
● Can be based on aspects of the request such as API request parameters
"identity:delete_user": [["role:admin", "domain_id:%(target.user.domain_id)s"]]
Keystone
Role handling
● Assign roles via OAuth 1.0a
● Domain roles can be inherited from project
Keystone
Separate projects etc. from authentication
● Projects, roles, etc. follow “assignments” driver
● Users, groups, etc. follow “identity” driver
● Credentials follow “credentials” driver
[identity]
Keystone
Token generation
● Currently PKI or UUID
● Can now be pluggable
● keystone.token.provider.Provider interface can
Keystone
Remote handling of authentication through REMOTE_USER
● Sent by the web server as an environment variable
● Can be disabled (remove "external" from plug-ins list)
OpenStack
Dashboard
Horizon
Nova
● Editable default quotas.
● Reset the password of a server/instance.
● Availability zone support.
● Improved region support.
Horizon
Nova
Improved boot-from-volume support.
Horizon
Neutron
● VPN as a Service (VPNaaS)
● Firewall as a Service (FWaaS)