Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Federated Cloud Technology

From EGIWiki
Revision as of 09:57, 3 March 2016 by Enolfc (talk | contribs)
Jump to navigation Jump to search
Overview For users For resource providers Infrastructure status Site-specific configuration Architecture




EGI Federated Cloud provides the services and technologies to create federation of clouds (community, private or public clouds) that operate according to the preferences, choices and constraints set by its members and users. The EGI Cloud Federations are modeled around the concept of an abstract Cloud Management stack subsystem that is integrated with components of the EGI Core Infrastructure and that provides a set of agreed uniform interfaces within the community it provides services to. This page documents the technical solutions provided by EGI to create such federations. The Architecture page gives an overview of the federation model.

Integrated interfaces or user environments

Cloud systems must provide a set of interfaces through which users and user applications can interact with the services offered. In case of an IaaS cloud federation these interfaces offer compute, storage and network management capabilities. The interfaces can be harmonised across all participating cloud providers - in which case the providers are responsible for implementing the agreed standard - or can be native at the different sites. In this latter case, libraries or portals can hide heterogeneity from the users and can translate user requests to diverse native formats.

EGI Federated promotes the use of open standards for providing a uniform interface and behaviour across different providers: OCCI for management of compute resources and CDMI for management of storage. The Federated Cloud APIs and SDKs page describes from a user point of view how these interfaces can be used.

OCCI

The Open Cloud Computing Interface (OCCI) is a RESTful Protocol and API designed to facilitate interoperable access to, and query of, cloud-based resources across multiple resource providers and heterogeneous environments. The formal specification is maintained and actively worked on by OGF’s OCCI-WG.

The VM Management scenario page contains further details on the support for OCCI on different Cloud Management Stacks.

Implementations

rOCCI - A Ruby OCCI Framework
Provides OCCI support for various Cloud Management Frameworks, including OpenNebula
ooi
OCCI for OpenStack Interface, provides OCCI support for the most recent versions of OpenStack
OCCI-OS
OpenStack OCCI interface, now deprecated.


OpenStack Compute

OpenStack sites of the EGI Federated Cloud can provide access through the native OpenStack API. The OpenStack API documentation is available at OpenStack developer pages. EGI Federated Cloud supports the usage of the Compute (nova) v2.1 API. The Federated Cloud APIs and SDKs page describes how to use this API in the EGI resources.

CDMI

The SNIA Cloud Data Management Interface (CDMI) defines a RESTful open standard for operations on storage objects. Semantically the interface is very close to AWS S3 and MS Azure Blob, but is more open and flexible for implementation.

CDMI offers clients a way for operating both on a storage management system and single data items. The exact level of support depends on the concrete implementation and is exposed to the client as part of the protocol.The design of the protocol is aimed both at flexibility and efficiency. Certain heavyweight operations, e.g. blob download, can be performed also with a pure HTTP client to make use of the existing ecosystem of tools. CDMI is built around the concept of Objects, which vary in supported operations and metadata schema. Each Object has an ID, which is unique across all CDMI deployments.

There are 4 CDMI objects most relevant in the context of EGI’s Federated Cloud:

  • Data object: Abstraction for a file with rich metadata.
  • Container: Abstraction for a folder. Export to non-HTTP protocols is performed on the container level. Container might have other containers inside of them.
  • Capability: Exposes information about a feature set of a certain object. CDMI supports partial implementation of the standards by defining optional features and parameters. In order to discover what functionality is supported by a specific implementation, CDMI client can issue a GET request to a fixed url: /cdmi_capabilities.
  • Domain: Deployment specific information.

Attachment of the storage items to a VM can often be performed more efficiently using protocols like NFS or iSCSI. CDMI supports exposing of this information via container metadata. A client can make use of this information to attach a storage item to a VM over an OCCI protocol.

Implementations

snf-cdmi
CDMI implementation for Synnefo's object storage Pithos+
cdmi-spec
Skeleton for the implementation of CDMI, used by snf-cdmi
osaddon/cdmi
A CDMI implementation on top of OpenStack Swift. Not maintained

Virtual Machine Image Management

In a distributed, federated Cloud infrastructure, users will often face the situation of efficiently managing and distributing their VM Images across multiple resource providers. Users need a catalogue of Virtual Machine images (VMIs) that are usable on the IaaS cloud provider sites and encapsulate those software configurations that are useful and relevant for the given community. (Typically pre-configured scientific models and algorithms). To maximise usability of VMIs across cloud sites the images should be in a format that’s supported at every federation member site (Or at least can be converted to such formats). Users also need a system that automatically replicates VMIs from the VMI catalogue to the federation member sites, as well as removes them when needed. Automated replication can ensure consistency of capabilities across sites and is very often coupled with a VMI vetting process to ensure that only properly working, and relevant VMIs are replicated to the cloud sites of the community

AppDB Cloud MarketPlace

The EGI AppDB service has been extended to a Virtual Appliance Marketplace. This brings about a new category of software entries, called Virtual Appliances (VAs), which are, in all practical manners, clean-and mean virtual machine images designed to run on a virtualization platform, that provide a software solution out-of-the-box, ready to be used with minimal or no set-up needed within the EGI Federated Cloud infrastruture.

HEPiX image lists

AppDB's Virtual Appliance Marketplace provides the ground for managing and publishing versioned repositories of virtual appliances, using HEPiX image lists.

Research Communities ultimately create and update VM Images (or delegate this functionality). The Images themselves are stored in Appliance repositories that are provided and managed elsewhere, typically by the Research Community itself. A representative of the Research Community then generates a VM Image list (or updates an existing one) using AppDB. Federated Clouds Resource Provider then subscribe to changes in VM Image lists by regularly downloading the list from AppDB, and comparing it against local copies. New and updated VM Images are downloaded from the appliance repository referenced in the VM Image list into a local staging cache and, where required, made available for further examination and assessment.

Ultimately, Cloud resource Providers will make VM Images available for immediate instantiation by the Research Community.

Implementations

VMCaster / VMCatcher
VMCaster and VMCatcher allow creation and subscription of HEPiX image lists.
vmcatcher_eventHndlExpl_ON
OpenNebula hook for VMCatcher
OpenStack handler for VMCatcher and python-glancepush
OpenStack hooks for VMCatcher

Single Sign-On for users

SSO Ensures that users of the federation needs to register for access only once before they can use the federated services. Single sign-on is increasingly implemented in the form of identity federations in both industry and academia.

Virtual Organisation Management & AAI

Within EGI, research communities are generally identified and, for the purpose of using EGI resources, managed through “Virtual Organisations” (VOs). Users are identified with X.509 certificates which are extended with VO attributes (e.g. acknowledging that the user is member of the VO) in a so called VOMS proxy. This VOMS proxy certificate is used in subsequent calls to the cloud endpoints which map the certificate and VO information each cloud management framework authentication and authorisation mechanisms via the integration modules for VOMS authentication. Configuring these modules into a provider’s cloud installation will allow members of these VOs to access the cloud.

Generic information about how to configure VOMS support for the supported Cloud Management Frameworks is available at MAN10. Information to how to add the support for a new Virtual Organisation on the EGI Federated Cloud can be found at HOWTO16.

EGI expects every provider to support the following VOs:

  • ops VO, used for monitoring purposes;
  • dteam VO, used for testing purposes by site operators; and
  • fedcloud.egi.eu VO, a catch-all VO that provides resources to users for a limited period of time (6 months initially) for protopying and validation.

Resource Providers may support additional VOs in order to give access to other user communities.

Implementations

rOCCI - A Ruby OCCI Framework
Provides authentication for the OCCI interface. rOCCI-server maps the certificate and VO information to local users. Local users need to have been created in advance, which is triggered by regular synchronizations of the OpenNebula installation with [Perun].
Keystone-VOMS
Plugin for OpenStack Keystone to enable VOMS authentication. Allows users to get tokens which can be used to access any of the OpenStack services (including the OCCI interface). Users are generated on the fly in Keystone, it does not need regular synchronization with the VO Management server Perun.

Service Registry

The Service Registry contains general information about the providers participating to the infrastructure and their capabilities. The registry provides the ‘big picture view’ about the federation for both human users and online services (such as service monitors).

GOCDB

EGI’s central service catalogue is used to catalogue the static information of the production infrastructure topology. The service is provided using the GOCDB tool that is developed and deployed within EGI. To allow Resource Providers to expose Cloud resources to the production infrastructure, a number of service types are available:

  • eu.egi.cloud.accounting
  • eu.egi.cloud.storage-management.cdmi
  • eu.egi.cloud.vm-management.occi.
  • eu.egi.cloud.vm-metadata.marketplace
  • eu.egi.cloud.vm-metadata.vmcatcher
  • eu.egi.cloud.vm-metadata.appdb-vmcaster
  • org.openstack.nova

All providers must enter cloud service endpoints to GOCDB in order to enable integration with other operational tools.

Higher level broker services also have its own service types:

  • eu.egi.cloud.broker.compss
  • eu.egi.cloud.broker.proprietary.slipstream
  • eu.egi.cloud.broker.vmdirac

Further information about GOCDB can be find on the following page: GOCDB/Input System User Documentation.

Special rules apply for the following service types:

eu.egi.cloud.storage-management.cdmi

Endpoint URL field must contain the following info:

http[s]://hostname:port

eu.egi.cloud.vm-management.occi

Endpoint URL field must contain the following info:

https://hostname:port/?image=<image_name>&resource=<resource_name>

Both <image_name> and <resource_name> cannot contain spaces. These attributes map to os_tpl and resource_tpl respectively.

org.openstack.nova

Endpoint URL field must contain Keystone URL (https://hostname:port/url) with the following additional info:

https://hostname:port/url?image=<image_uuid>&resource=<flavor_name>

Both <image_name> and <flavour_name> cannot contain spaces.

Information system

The information system provides a real-time view about the actual capabilities and load of federation participants. The information system can be used by both human users and online services.

BDII and GlueSchema

Users and tools can discover the available resource in the infrastructure by querying EGI information discovery services. The common information system deployed at EGI is based on the Berkeley Database Information Index (BDII) with a hierarchical structure distributed over the whole infrastructure.

The information system is structured in three levels: the services publish their information (e.g. specific capabilities, total and available capacity or user community supported by the service) using an OGF recommended standard format, GLUE2. The information published by the services is collected by a Site-BDII, a service deployed in every site in EGI. The Site-BDIIs are queried by the Top-BDIIs - a national or regional located level of the hierarchy, which contain the information of all the site services available in the infrastructure and their services. NGIs usually provide an authoritative instance of Top-BDII, but every Top-BDII, if properly configured, should contain the same set of information.

Resource Providers must provide a Site-BDII endpoint that published information on the available resource following the GLUE2 schema. Even if the GLUE2 schema defines generic computing and storage entities, it was developed originally for Grid resources and can represent only partially the information needed by the Cloud users. Thus, the EGI Federated Cloud is working within the GLUE2 WG at OGF to profile and extend the schema to represent Cloud Computing, Storage and in the future Platform and Software services. The proposed extensions are currently under discussion at the WG. EGI provides an implementation for service-level information that generates information supporting OpenStack and OpenNebula, Synnefo support is currently being added. The information is published in a different subtree (Glue2GroupID=cloud) so it can coexist with grid information and is easily discoverable by users.

Information available for each provider:

  • Cloud computing resources
  • Service endpoint
  • Capabilities provided by the service, such as: virtual machine management or snapshot taking. The labels that identify the capabilities are agreed within the taskforce.
  • Interface, the type of interface – e.g. webservice or webportal – and the interface name and version, for example OCCI 1.2.0
  • User authentication and authorization profiles supported by the service, e.g. X.509 certificates
  • Virtual machines images made available by the cloud provider
  • Resource templates (number of cores and physical memory) allocable in a virtual machine.

Schema

Schema documentation TBC

Implementations

Cloud BDII provider
Generates Glue 2 information by querying the Cloud Management Framework.

Accounting

Federated Accounting provides an integrated view about resource/service usage: it pulls together usage information from the federated sites and services, integrates the data and presents them in such a way that both individual users as well as whole communities can monitor their own resource/service usage across the whole federation.

Usage Records, APEL and accounting portal

EGI Federated Cloud has agreed on a Cloud Usage Record -which inherits from the OGF Usage record- that defines the data that resource providers must send to EGI’s central Accounting repository. Once generated, records are delivered via the network of EGI message brokers to the central accounting repository using APEL SSM (Secure STOMP Messenger) provided by STFC. SSM client packages can be obtained at https://apel.github.io. A Cloud Accounting Summary Usage Record has also been defined and summaries created on a daily basis from all the accounting records received from the Resource Providers are sent to the EGI Accounting Portal. The EGI Accounting Portal also runs SSM to receive these summaries and provides a web page displaying different views of the Cloud Accounting data received from the Resource Providers.

Implementations

OpenNebula cloudacc
OpenNebula Accounting probe
cASO
OpenStack Accounting Probe

Shared Operational Practices

The participating service/resource providers may share certain operational tools and practices at the level of the federation, for example use a shared system to collect availability and reliability statistics about their site, or to share and respond to security alerts.

EGI A/R Monitoring

Services in the EGI infrastructure are monitored via ARGO. Specific probes to check functionality and availability of services must be provided by service developers, The current set of probes used for monitoring cloud resources consists of:

  • OCCI probes (eu.egi.cloud.OCCI-VM and eu.egi.cloud.OCCI-Context): OCCI-VM creates an instance of a given image by using OCCI, checks its status and deletes it afterwards. OCCI-Context checks that the OCCI interfaces correctly supports the standard and the FedCloud contextualization extension.
  • Accounting probe (eu.egi.cloud.APEL-Pub): Checks if the cloud resource is publishing data to the Accounting repository
  • TCP checks (org.nagios.Broker-TCP, org.nagios.CDMI-TCP, org.nagios.OCCI-TCP and org.nagios.CloudBDII-Check): Basic TCP checks for services.
  • VM Marketplace probe (eu.egi.cloud.AppDB-Update): gets a predetermined image list from AppDB and checks its update interval.
  • Perun probe (eu.egi.cloud.Perun-Check): connects to the server and checks the status by using internal Perun interface

Probes for CDMI and the image synchronization mechanism are currently under development. More information on cloud probes can be at Cloud SAM tests.

Currently a central instance specific to the activities of the EGI Federated Clouds Task has been deployed for monitoring test bed Results of cloud probes are visible on the central SAM interface under profile ch.cern.sam-CLOUD-MON and ch.cern.sam-CLOUD-MON_CRITICAL.