bwCloud: cross-site server virtualization

O. V. Dulov

Steinbuch Centre for Computing, Karlsruhe Institute of Technology
Hermann-von-Helmholtz-Platz 1, Building 441 / 236, 76344 Eggenstein-Leopoldshafen, Germany
E-mail: oleg.dulov@kit.edu

This paper presents the project status, system architecture, and future work of bwCloud. The purpose of the bwCloud project is to build a prototype of a cross-site Infrastructure as a Service (IaaS) system spanning a set of universities in Baden-Württemberg (Germany). This differentiates it from typical IaaS systems, whose sites are located in a single data center or within a single service provider's organization. The federative approach is the core concept of the project: it starts with the system architecture and carries through to resource sharing and user management for the scientific community in the region. A concept for a production-ready cross-site IaaS is another output of the project. This concept can be used by other universities or research centers to connect to bwCloud or to set up their own cross-site IaaS platform. Several design ideas are introduced and several technology stacks are analyzed.

Keywords: University Cloud, Cloud computing, Virtualization, Infrastructure as a Service, cross-site IaaS, multi-region OpenStack.

© 2016 Oleg V. Dulov

1. Introduction

Cloud computing is a powerful paradigm in IT and represents a shift towards providing IT as a service. In general, the main idea behind cloud computing is to abstract the hardware infrastructure away from the users. Cloud platforms provide their resources over the Internet or an intranet with a self-service approach, where a user can interact with the infrastructure or with preconfigured hosts according to his specific requirements. Computer centers use cloud computing to provide their services based on different models.
Traditionally, there are clearly separated service models for delivering cloud-based services [NIST]: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Sometimes these concepts are considered a layered structure: PaaS extends IaaS and can provide SaaS. In general this is not necessary, and all three concepts can be based on completely different platforms. Currently, there are more than sixty extensions [Sharma] in the as-a-Service family, such as Database as a Service (DBaaS) or HPC as a Service (HPCaaS).

Figure 1. Three basic Cloud Service Models

IaaS gives users the highest level of flexibility by providing highly scalable resources that can be adjusted on demand. This makes IaaS well-suited for temporary, experimental, or unexpectedly changing workloads. Other characteristics of IaaS environments include the automation of administrative tasks, dynamic scaling, desktop virtualization, and policy-based services. IaaS functionality can include a framework for installing additional packages during virtual resource maintenance. Such an extended IaaS is sometimes called IaaS+, because it is not quite PaaS, but no longer "classical" IaaS either.

Users should monitor their virtual resources closely to avoid being charged for unauthorized services. Because IaaS providers own the infrastructure, systems management and monitoring may become more difficult for the users, and if an IaaS provider experiences downtime, users' workloads may be affected.

Four cloud deployment models [NIST] are considered: private, public, community, and hybrid. A private cloud is a cloud infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted either internally or externally. Often, the private cloud is accessed through an intranet. The private cloud is very often called the Enterprise Cloud, but this is not necessarily accurate.
A cloud is called a "public cloud" when its services are rendered over a network that is open for public use, i.e. the Internet.

Figure 2. Cloud deployment Models

A community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party, and hosted either internally or externally. A hybrid cloud is a composition of two or more clouds (private, community, or public) that remain distinct entities but are bound together, offering the benefits of multiple deployment models.

Cloud architecture is the systems architecture of the software systems involved in the delivery of cloud computing; it typically involves multiple cloud components communicating with each other over a loose-coupling mechanism such as a message queue. Elastic provisioning implies intelligence in the use of tight or loose coupling as applied to such mechanisms.

Universities provide their IT services to students, researchers, and employees. Like any service provider, they need to optimize infrastructure costs and improve scalability, usability, and flexibility for the users. Usually, universities install an IaaS platform based on their own computing resources, at a single site, as a private cloud. The local system administration team typically provides the service to users from the same university.

The idea behind the bwCloud project is to share IaaS resources among a set of universities in Baden-Württemberg. These requirements point to a cross-site IaaS platform with the community cloud deployment model. The project started in December 2014 for two years with the following two aims: a prototypical implementation and the concept development for a "university cloud". The project partners are the Universities of Mannheim1, Freiburg2, Ulm3, and Stuttgart4, the Karlsruhe Institute of Technology5, and BelWü6.
Additional information about the bwCloud project is available on the project's website: http://www.bw-cloud.org.

1 https://www.uni-mannheim.de
2 https://www.uni-freiburg.de
3 https://www.uni-ulm.de
4 http://www.uni-stuttgart.de
5 https://www.kit.edu
6 https://www.belwue.de

2. Cross-site IaaS

The main challenge in constructing an IaaS infrastructure is to build the site: a computing cluster with a cloud platform on top, providing the functionality to users. In the case of bwCloud, there is more than one site, and users come from a set of universities. Hence, the deployment model for the project is the community cloud, where the user community comprises all projects and people from the institutes in the region.

There are two logical ways to construct a cross-site IaaS: by setting up hybrid or non-hybrid systems. A hybrid system distinguishes between the cloud (virtualization, containerization) platforms at every site and an integrated cloud management platform (CMP) for cross-site interconnection and management. The cloud platform and the CMP can be completely different software stacks. In such an architecture, the cloud management platform communicates with the cloud or virtualization platforms and assigns them management tasks for virtual resources. The functionality is split as follows:

1. The cloud management platform is independent of the virtualization environment and not responsible for the actual maintenance of virtual resources.
2. The virtualization platform is not responsible for managing cloud users' rights, constructing workflows, templating, and so on.

There are some potential problems with a CMP-based IaaS architecture, such as incompatibility of virtual resource formats across sites and the currently insufficient quality and limitations of cloud management software.
This technology is more promising for use cases where, for example, the virtualization or cloud platform at a site cannot be changed for one reason or another but should nevertheless be included in the bwCloud infrastructure.

Figure 3. Hybrid and non-hybrid cloud architecture

In the case of a non-hybrid architecture, every site uses the same software platform. Interconnection and management are provided by the same software and distributed in some way among the site locations. Some components provide centralized management functionality.

As we can see, there are no big differences in the general architectural sketches: there are two subsystems, a centralized cloud management subsystem and a distributed cloud platform. In one case the role of centralized management is played by a special tool, the CMP; in the other, the same part of the cloud platform software runs at every site. The hybrid model offers more flexibility in choosing the cloud platform (it can be a virtualization or containerization platform) and in coupling the managerial tasks, user workflows, and management, but the price can be higher complexity and (as of today) low-quality software.

There is a list of software platforms that can be used to construct an IaaS with or without a CMP, but currently the de-facto standard is the OpenStack project7. The OpenStack project hosts many activities, which are organized as independent projects8 and can be grouped into the following types:

1. Core - official projects with full access to the OpenStack brand and assets.
2. Incubated or optional - projects on an official track to become core projects; partial access to the OpenStack brand and assets.
3. Library - projects directly or indirectly consumed by core projects.
4. Gating - projects used as part of the continuous-integration gate mechanism that protects the core projects' branches from regressive changes.
5. Supporting - additional projects deemed necessary for producing the other official projects.
6. Related - unofficial projects with no rights to use the OpenStack brand, assets, or project resources.

3. The system architecture

In general, the cloud system architecture can be seen as a three-layered structure: a physical layer, a virtual resources layer, and a service layer. Between the physical and the virtual resources there can be an additional allocation sublayer for interconnecting physical and virtual resources. A set of software stacks and technologies is available for every layer.

The physical layer of bwCloud is not prescribed: every site can use its own hardware and networking components. The service layer is fixed by IaaS, hence only virtual resources will be provided, without any Platform- or Software-as-a-Service components. The allocation and virtual layers are the main challenges for cross-site virtualization.

During the evaluation phase of the bwCloud project, two architectures were set up: a non-hybrid one based on OpenStack and a hybrid one with the CMP ManageIQ9. Software containerization technologies are often outside the IaaS context and were excluded from the evaluation for constructing the IaaS, but (as we will see later) they were considered as the underlying technology for deploying the IaaS itself.

The ManageIQ project integrates different types of middleware: cloud, virtualization, and container platforms. The interconnection between the CMP and the cloud/virtualization platform is made by a user with an administrative role. The current state of the project does not allow migrating or converting virtual resources between different underlying formats; for example, a VMware-based VM cannot easily be migrated to OpenStack, or the other way around.

To avoid virtual infrastructure complexity, bwCloud decided to construct the system without mixing virtualization, containerization, and hybrid technologies and to concentrate on a cloud platform based on an OpenStack multi-region setup.
There are currently six core projects in OpenStack: Nova for computing tasks, Neutron for networking, Cinder as the block storage service, Swift as the object storage service, Glance as the image service, and Keystone as the identity service. All OpenStack core projects except Swift are included in the bwCloud prototype, forming a compute cluster without object storage. The supported optional OpenStack Telemetry10 services (Ceilometer, Gnocchi, and Aodh) and the Horizon Dashboard were added with some customizations to provide the dashboard and the system monitoring functionality.

7 http://www.openstack.org/
8 https://wiki.openstack.org/wiki/ProjectTypes
9 http://manageiq.org/
10 https://wiki.openstack.org/wiki/Telemetry

Figure 4. bwCloud OpenStack multi-region setup

All participating sites represent themselves as regions and provide the OpenStack application programming interface (API) for inter-service communication. As we can see in Figure 4, the services are separated into two groups: those installed at every site and the central services. Thus, Nova, Neutron, and Cinder, together with their APIs, are installed at every site. The two other core services (Glance and Keystone) and the optional Horizon and monitoring stack are central bwCloud components.

Typically, an OpenStack installation is based on commodity hardware: relatively inexpensive, widely available devices. bwCloud does not restrict the sites' hardware configuration: every site can choose which servers and networking components to use. It can be a commodity server or a blade center with an attached storage area network (SAN) cluster.

Stable APIs make cross-site communication inside the distributed environment possible. Fortunately, the OpenStack API does not change much between releases, hence it is possible to have a situation where different sites run different versions of the OpenStack services.
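In a multi-region setup of this kind, a client selects the site simply by naming a region when resolving endpoints from the central Keystone catalog. The sketch below illustrates that lookup with a hypothetical catalog; the region names, hostnames, and URLs are invented for illustration and are not the project's actual configuration:

```python
# Minimal sketch: resolve a service endpoint by region from a
# Keystone-style service catalog. All entries here are hypothetical.

CATALOG = [
    {"type": "compute", "endpoints": [
        {"region": "Mannheim",  "interface": "public", "url": "https://nova.ma.bw-cloud.example:8774/v2.1"},
        {"region": "Karlsruhe", "interface": "public", "url": "https://nova.ka.bw-cloud.example:8774/v2.1"},
    ]},
    {"type": "image", "endpoints": [
        # Glance is a central service, so a single endpoint serves every region.
        {"region": "Central", "interface": "public", "url": "https://glance.bw-cloud.example:9292"},
    ]},
]

def endpoint_for(catalog, service_type, region, interface="public"):
    """Return the endpoint URL for a service in a given region."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and ep["region"] == region:
                return ep["url"]
    raise LookupError(f"no {interface} {service_type} endpoint in {region}")
```

Calling `endpoint_for(CATALOG, "compute", "Mannheim")` yields the Mannheim Nova URL; on the client side, "switching regions" amounts to nothing more than changing that region argument.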
Practically speaking, an OpenStack multi-region setup is not much different from a single-region setup, except that it allows switching between regions. The central OpenStack components cannot mix resources between sites: every site is independent but accessible via its API. This makes it difficult to migrate virtual resources between sites. Such a migration task can be of interest for migrating a single virtual machine or a whole site (e.g. before site downtime).

In order to increase site reliability, all Compute Nodes are based on the Ceph11 distributed object store. Ceph is an open-source, freely available distributed object store and file system designed to provide good performance, reliability, and scalability.

During the bwCloud project, some extensions to the Horizon-based dashboard were implemented to give the user the ability to migrate between two sites, to retrieve monitoring information, and some other add-ons. Migration between the regions is coupled with the user quota management: the resource policy for every user.

4. User management and use cases

Before users can start with bwCloud, they should register. User registration is done by connecting to bwIDM12, the federated identity management platform for universities in Baden-Württemberg. The core of the bwIDM system is the identity provider based on Shibboleth single sign-on. In this structure, bwCloud is a Shibboleth service provider with permission to communicate with the identity provider and query the user attributes.

11 http://ceph.com/
12 https://www.bwidm.de/

Figure 5. bwCloud user capabilities

After registration and approval, the user should set up a password for bwCloud. The registration portal cannot store the user's credentials from the identity provider, but it provides the possibility to set a service password in OpenStack Keystone. In this setup, any participant of bwIDM can register and obtain login credentials for bwCloud.
If users no longer want to use the system, they can deregister themselves. Currently, no automatic deregistration procedure is implemented, but one could be built by updating the user status from the identity provider. The problem with using a special registration portal is the complexity not only of registering the user but also of the deregistration process: the portal itself has no information about how the system is used by the user, only about which Shibboleth attributes arrive for him. The registration process could be simplified by providing Shibboleth authorization directly through Horizon. This option was also considered, but the general workflow has been approved.

The ticket system is a major part of the user support process. Currently, the bw-support portal13, based on the xGUS14 platform, is used for this purpose. The xGUS framework is developed by the Karlsruhe Institute of Technology and provides the Global Grid User Support ticketing system for the Large Hadron Collider (LHC) experiments and some other helpdesk portals.

Accounting for the user is currently not provided; it has only been evaluated and prototypically implemented. The basis for the accounting metrics is the data from the Nova database. This data is collected, and a price function is applied to the used resources. The price model is simple and consists of a weighted sum of the virtual CPU, disk, and RAM usage. The price estimate is calculated during instance creation based on the flavor. In OpenStack, a flavor defines the compute, memory, and storage capacity of a virtual server, also known as an instance.

The recommended way to implement the accounting is to set up the CloudKitty15 rating-as-a-service project. This can be combined with the telemetry measurements; it provides a dashboard for customizing the weights of the price function and for selecting the attributes to include in the price model.

Three use cases were identified for the project: "Student VM", "Institute/Scientist VM", and "Site operation/administration".
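The weighted-sum price model described above can be sketched as a small function. The weights and the example flavor below are invented for illustration; in practice the weights would be configured by the operators, e.g. through CloudKitty:

```python
# Sketch of the flavor-based price estimate: a weighted sum of vCPU,
# RAM, and disk capacity. Weights and flavor values are hypothetical.

WEIGHTS = {"vcpus": 0.02, "ram_gb": 0.01, "disk_gb": 0.001}  # price units per hour

def price_per_hour(flavor, weights=WEIGHTS):
    """Estimate the hourly price of an instance from its flavor."""
    return (weights["vcpus"] * flavor["vcpus"]
            + weights["ram_gb"] * flavor["ram_gb"]
            + weights["disk_gb"] * flavor["disk_gb"])

# A flavor fixes the capacity of an instance, so the estimate can be
# shown to the user already at creation time.
m1_medium = {"vcpus": 2, "ram_gb": 4, "disk_gb": 40}
```

With these invented weights, `price_per_hour(m1_medium)` comes to about 0.12 price units per hour.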
Students require virtual resources during their studies. Here the resources are minimal, and billing statistics are collected for the appropriate project manager or scientific employee. A scientist needs resources for scientific projects, with higher resource and storage requirements and API access.

13 https://bw-support.scc.kit.edu/index.php?mode=index
14 http://xgus.scc.kit.edu/
15 https://wiki.openstack.org/wiki/CloudKitty

The defined use cases are very general and do not specify, for example, whether GPU hardware is supported. Providing cloud functionality for special hardware is out of the project's scope. It can be done by one or more sites in the future if appropriate software (a connector) becomes available. Nearly the same holds for supporting software containers: it can be done inside a virtual machine, but not as part of the bwCloud infrastructure.

5. Operation

Every bwCloud site is operated by a local administrator, with the requirements to control and allocate the resources and to implement resource migration between sites. There are many operational aspects of a cloud computing platform: one group of them is the administration of the cloud infrastructure, another is the cloud users' operational tasks. At the same time, there are many software stacks to achieve these goals: some of them can combine these two groups of interests, others serve only one group.

Historically, system administration can be done by scripting the tasks, by using configuration management tools, by using software containers, or by a combination of them. In the case of cloud provisioning, there is one more option: to use a special provisioning system that can deploy and manage the maintenance specifically for the cloud platform. For example, OpenStack has the TripleO16 project to address this kind of question.

The project evaluated the Ansible17 configuration management tool for provisioning, with playbooks written for bwCloud.
The RDO packages were deployed on a CentOS-based Linux cluster with a Ceph storage backend; the OpenStack services use the Ceph cluster as their storage backend. Currently, there is no need to use special bare-metal provisioning (or Metal-as-a-Service) projects such as TripleO, but they could be used as well.

There is an alternative way: not using the RDO packages but the source code from the official repositories. This was also evaluated during bwCloud, indirectly, by using the Docker-based containers from the OpenStack Kolla18 project. Such a setup is relatively uncommon today, but the technology is very promising for dynamically allocating the resources for the cloud platform, with the possibility to separate development and production environments.

Figure 6. Systems for Deployment and Release management

Considering the release deployment cycle, TripleO, Ansible, Docker, or systems like Foreman19 provide the opportunity for transparently migrating the system from a test or development environment into the production environment. Because of the specifics of the OpenStack software today, not all tools provide the same level of support for these tasks. In most cases, it depends on the method by which the cluster was installed. The current OpenStack architecture in some cases has interdependent services, which is problematic during the update process. In the case of Docker containers, this question disappears, because all services are separated into their own containers from the beginning.

16 https://wiki.openstack.org/wiki/TripleO
17 https://www.ansible.com/
18 https://wiki.openstack.org/wiki/Kolla
19 https://theforeman.org/

Cloud users can actually use any provisioning and deployment tools they want inside their virtual machines. Currently, one operational interface should be provided from the cloud platform to the user: virtual resource monitoring.
In general, cloud monitoring is a big challenge because of its complexity and its integration into the cloud platform. Many different types of events flow into the monitoring system, and API access must be provided by the monitoring server not only to the operational team but also to the cloud users.

Usually, availability and performance monitoring are considered, and the monitoring system consists of at least three subsystems: check handling, notifications and alarming, and a dashboard. If the monitoring system treats the system under monitoring as a "black box", we call it a black-box monitoring system; otherwise it is a white-box monitoring system.

The bwCloud benchmark is a part of black-box monitoring, together with the availability checks. It is done centrally, based on the OpenStack Rally20 project: the internal functionality of every site is benchmarked, and the results are regularly published as reports for every bwCloud region. Availability checks are not centralized and are done by a site's local monitoring system (e.g. Nagios, Icinga, Zabbix, etc.).

Figure 7. The bwCloud monitoring, logging and benchmarking

Three white-box monitoring models were evaluated. The first centralizes the dashboard and leaves performance checks and notification to the site. System statistics are collected by the collectd21 tool and stored in the InfluxDB22 time-series database. Notification is done by collectd or by any site monitoring platform (e.g. Nagios, Icinga, Zabbix, etc.). A Grafana23-based dashboard connects to InfluxDB and publishes the statistics for every site. The cloud user can be pointed to an appropriate scripted Grafana dashboard for his virtual resources. In the case of a Docker-based deployment, existing container-monitoring tools can be used.

The second model centralizes not only the monitoring dashboard but also the notification.
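The collectd-to-InfluxDB path in the first model boils down to writing time-series points. As an illustration, a sample can be formatted in InfluxDB's line protocol (measurement, tags, fields, timestamp); the measurement, tag names, and values below are invented for illustration:

```python
# Sketch: format one metric sample as an InfluxDB line-protocol point
# ("measurement,tags fields timestamp"). Names and values are hypothetical.

def to_line_protocol(measurement, tags, fields, ts_ns):
    """Build one line-protocol point from a measurement, tags, and fields."""
    tag_str = ",".join(f"{k}={v}" for k, v in sorted(tags.items()))
    field_str = ",".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return f"{measurement},{tag_str} {field_str} {ts_ns}"

point = to_line_protocol(
    "cpu_load",
    {"site": "karlsruhe", "host": "compute01"},  # hypothetical site/host tags
    {"value": 0.42},
    1476086400000000000,  # nanosecond timestamp
)
# point == "cpu_load,host=compute01,site=karlsruhe value=0.42 1476086400000000000"
```

A real deployment would let collectd's InfluxDB-compatible output handle this; the sketch only shows what one stored point carries.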
It assumes that statistics are delivered to a central monitoring message queue and handled by a central monitoring server. The concept includes the interconnection between collectd and the Sensu24 monitoring project on the site hosts and a central Sensu server. Sensu components can be combined with the open-source automation platform StackStorm25 for automation purposes. Unfortunately, the Sensu handler in the open-source version does not work stably under high load, and this scenario would have to be combined with other monitoring solutions, which makes little sense.

20 https://wiki.openstack.org/wiki/Rally
21 https://collectd.org/
22 https://www.influxdata.com/
23 http://grafana.org/
24 https://sensuapp.org/

The previous two models provide cloud monitoring at the system level and without OpenStack monitoring projects. The third is about constructing OpenStack-based monitoring as a service for every cloud user. Monitoring-as-a-service solutions such as Amazon's CloudWatch26 are not open source. There is the Monasca27 project, which addresses an open-source solution for OpenStack and can be integrated into Horizon. The metrics can also be accessed via OpenStack Telemetry. Additionally, the dashboard should be integrated for the user's virtual resources.

As a prototype, a Horizon dashboard was implemented that generates the list of virtual machines per user and creates the link to the Grafana server. The dashboards are generated on the Grafana side for the appropriate virtual resource ID. These dashboards can be not only linked but also integrated into Horizon directly (with an HTML iframe tag, or directly into Horizon via Python or JavaScript code).

The question of centralizing logging for bwCloud splits into two models: a central log server located at every site, or a log server located centrally for all sites.
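The per-VM dashboard links from the Horizon prototype amount to simple URL construction keyed on the virtual resource ID. A minimal sketch, where the Grafana base URL, dashboard path, and query variable are assumptions rather than the project's actual configuration:

```python
# Sketch: build per-instance Grafana dashboard links, as the Horizon
# prototype does. Base URL, path, and query parameter are hypothetical.
from urllib.parse import urlencode

GRAFANA_BASE = "https://grafana.bw-cloud.example/dashboard/db/instance"

def dashboard_links(instances, base=GRAFANA_BASE):
    """Map each VM (id, name) to a Grafana dashboard URL for its metrics."""
    links = {}
    for vm in instances:
        query = urlencode({"var-instance_id": vm["id"]})
        links[vm["name"]] = f"{base}?{query}"
    return links
```

Given a Nova instance list, the result can be rendered as links in a Horizon panel, or each URL can be embedded via an iframe as the text describes.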
In both cases, the log messages are processed by the ELK stack: logs are processed by Logstash28 and stored in the Elasticsearch29 database. Kibana30 provides a dashboard with a search option. The same Grafana monitoring dashboard connects to Elasticsearch and publishes log information together with the performance monitoring data.

There are many other operational questions to be answered: bwCloud security, the release deployment process, checking VM image functionality before publishing, delisting user resources, and some others. Unfortunately, the OpenStack architecture changes considerably between releases, and it is currently very difficult to outline a way to unify all these activities. A very well-constructed monitoring system for the cloud can solve not only a big part of this but also the user accounting questions.

6. Conclusions and future work

The bwCloud project achieved its goals of creating a prototype and describing the concept of a "university cloud" for a set of universities in the region. In this article, the current state was presented and the major architectural components were outlined. Of course, not all project activities were described, for example the complex and time-consuming evaluation process for deciding which technology to use. During this process, several relevant companies (Red Hat, IBM, Mirantis, etc.) were consulted and various webinars attended.

In particular, the hard questions concern the hybrid platforms: the benefit is clear in general - the level of flexibility for the sites would be much higher - but choosing a stable technology with clear advantages over OpenStack remains an open question. Another point is commercial versus open-source, free versus non-free software, and product support. Because of the mixing of different types of virtualization platforms, hybrid cloud functionality on top of OpenStack can be an overhead.

One more hybrid aspect is the underlying hardware infrastructure, which can be heterogeneous or homogeneous.
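As an illustration of the Logstash step, an OpenStack-style log line can be split into structured fields before being indexed in Elasticsearch. The regular expression below assumes the common OpenStack log layout (timestamp, PID, level, module, message); the sample line itself is invented:

```python
# Sketch: parse an OpenStack-style log line into fields for indexing,
# roughly what Logstash does with a grok pattern. Sample is hypothetical.
import re

LOG_RE = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<pid>\d+) (?P<level>[A-Z]+) (?P<module>\S+) (?P<message>.*)"
)

def parse_log_line(line):
    """Return the structured fields of one log line, or None if it differs."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

sample = ("2016-10-10 12:00:01.123 4242 INFO nova.compute.manager "
          "[instance: vm-1234] VM started")
fields = parse_log_line(sample)
# fields["level"] == "INFO"; fields["module"] == "nova.compute.manager"
```

Once the fields are structured, both the Kibana search and the Grafana log panels described above can filter on level, module, or instance.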
Currently, the hybrid system configuration is considered, which means, in simple words: "every site makes its own decision about the hardware". This also means that sites can differ, for example with specialized hardware at one site, so that a VM with requirements for this hardware type can be allocated to that site. In order to unify and avoid complexity, homogeneous systems can be considered, where every site has the same hardware systems.

25 https://stackstorm.com/
26 https://aws.amazon.com/cloudwatch/?nc1=h_ls
27 https://wiki.openstack.org/wiki/Monasca
28 https://www.elastic.co/products/logstash
29 https://www.elastic.co/products/elasticsearch
30 https://www.elastic.co/products/kibana

While the bwCloud project is successful, the system will be improved by the next project, bwCloud SCOPE, which will start in 2017 and run for three years. During this time, the bwCloud prototype should be transformed into a production platform. This transformation will bring some changes to the architecture, for example adding object storage, long-term user data archiving services, and/or data analytics use cases. The major point of the bwCloud SCOPE project will be operational improvements to provide a production-ready service for the bwCloud users.

References

National Institute of Standards and Technology, U.S. (2011). The NIST Definition of Cloud Computing. [Electronic resource] (Last accessed on October 10, 2016) http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Sugam Sharma (2015). Evolution of as-a-Service Era in Cloud. [Electronic resource] (Last accessed on October 10, 2016) https://www.researchgate.net/publication/279784427_Evolution_of_as-a-Service_Era_in_Cloud