CGW’12, Cracow, October 22-24, 2012 1 12-Oct-12 Managing Cloud Resources for Medical Applications P. Nowakowski, T. Bartyński, T. Gubała, D. Harężlak, M. Kasztelnik, J. Meizner, M. Bubak ACC CYFRONET AGH, Krakow, Poland
Dec 23, 2015
CGW’12, Cracow, October 22-24, 2012 112-Oct-12
Managing Cloud Resources for Medical Applications
P. Nowakowski, T. Bartyński, T. Gubała, D. Harężlak, M. Kasztelnik, J. Meizner, M. Bubak
ACC CYFRONET AGH, Krakow, Poland
CGW’12, Cracow, October 22-24, 2012 212-Oct-12
• Install/configure each application service (which we call an Atomic Service) once – then use them multiple times in different workflows;
• Direct access to raw virtual machines is provided for developers, with multitudes of operating systems to choose from (IaaS solution);
• Install whatever you want (root access to Cloud Virtual Machines);
• The cloud platform takes over management and instantiation of Atomic Services;
• Many instances of Atomic Services can be spawned simultaneously;
• Large-scale computations can be delegated from the PC to the cloud/HPC via a dedicated interface;
• Smart deployment: computations can be executed close to data (or the other way round).
Core concept: a cloud platform for medical application services and data
Developer Application
Install any scientificapplication in the cloud
End userAccess available
applications and datain a secure manner
Administrator
Cloud infrastructurefor e-scienceManage cloud
computing and storageresources
Managed application
CGW’12, Cracow, October 22-24, 2012 312-Oct-12
Atomic service instance: A running instance of an atomic service, hosted in the Cloud and capable of being directly interfaced, e.g. by the workflow management tools or VPH-Share GUIs.
!
Virtual Machine: A self-contained operating system image, registered in the Cloud framework and capable of being managed by VPH-Share mechanisms.
!Atomic service: A VPH-Share application (or a component thereof) installed on a Virtual Machine and registered with the cloud management tools for deployment.
!
Raw OS
OS
VPH-Share app.(or component)
External APIs
OS
VPH-Share app.(or component)
External APIs
Cloud host
A brief glossary
CGW’12, Cracow, October 22-24, 2012 412-Oct-12
Platform for three user groups
The goal of of the platform is to manage cloud/HPC resources in support of VPH-Share applications by:• Providing a mechanism for application developers to install their applications/tools/services on the available
resources• Providing a mechanism for end users (domain scientists) to execute workflows and/or standalone
applications on the available resources with minimum fuss• Providing a mechanism for end users (domain scientists) to securely manage their binary data in a hybrid
cloud environment• Providing administrative tools facilitating configuration and monitoring of the platform
Cloud Platform Interface• Manage hardware resources• Heuristically deploy services• Ensure access to applications• Keep track of binary data• Enforce common security
Hybrid cloud environment (public and private resources)
ApplicationGeneric service
Application Application
DataData Data
Developer supportTools for deploying applications and registering datasets
End user supportEasy access to applications and binary data
Admin supportManagement of VPH-Share hardware resources
CGW’12, Cracow, October 22-24, 2012 512-Oct-12
Physicalresources
Atomic Service InstancesDeployed by AMS on available resources as required by WF mgmt or generic AS
invoker
Raw OS (Linux variant)
LOB Federated storage access
Web Service cmd. wrapper
Generic VNC server
VPH-Share Tool / App.
DRIService
Atmosphere persistence layer (internal registry)
VM templates
AS images
Available cloud
infrastructure
Manageddatasets
101101011010111011
101101011010111011
101101011010111011
AMService
LOB federatedstorage access
Cloud stackclients
HPC resourceclient/backend
Data and Compute Cloud Platform
VPH-Share Master UI
AS mgmt. interface
Generic AS invoker
ComputationUI extensions
Data mgmt. interface
Generic data retrieval
Data mgmt.UI extensions
Remote access toAtomic Svc. UIs
Custom AS client
Workflow description and execution
Developer Scientist
Admin
Security mgmt. interface
Securityframework
Web Service security agent
Cloud Platform Architecture
Modules available in first prototype
CGW’12, Cracow, October 22-24, 2012 612-Oct-12
End user’s view of the cloud platform – contd.
Log into Master Interface
Select Atomic Service
Instantiate Atomic Service
Access and use application
• Atomic Services can be instantiated on demand
• Once instantiated, the service can be accessed by the end user
• Unused instances can be shut down by Atmosphere
CGW’12, Cracow, October 22-24, 2012 712-Oct-12
AtmosphereCore component of the VPH-Share cloud platform, responsible for managing cloud resources and deploying Atomic Services accordingly.
The Atmosphere Management Service
• receives requests from the Workflow Execution stating that a set of atomic services is required to process/produce certain data;
• queries the Component Registry to determine the relevant AS and data characteristics;• collects infostructure metrics,• analyzes available data and prepares an optimal deployment plan.
AIRAlso called the Atmosphere Internal Registry; stores all data on cloud resources, Atomic Services and their instances.
Computing infrastructure(hybrid public/private cloud)
1. Application (or any other authorized entity)
requests access to an Atomic Service
2. Poll AIR for data regarding this AS and
the available computing resources3. Heuristically determine whether to recycle an
existing instance or spawn a new one. Also determine which computing resources to use when instantiating additional instances (based on cost information and performance metrics obtained from monitoring data)
Cloud middlewareSelection of low-level middleware libraries to manage specific types of cloud sites
[Asynchronous process] Collect monitoring data and analyze health of the cloud infrastructure to ensure optimal deployment of application services
4. Call cloud middleware services to enforce the deployment plan
5. Deploy Atomic Service Instances as directed by Atmosphere
Application
-- or --
Workflow environment
-- or --
End user
CGW’12, Cracow, October 22-24, 2012 812-Oct-12
Deployment planning
Applications are heuristically deployed on the available computing resources, with regard to the following considerations:• where to deploy atomic services (partner’s private cloud site, public cloud infrastructure
or hybrid installation),• whether the data should be transferred to the site where the atomic service is deployed
or the other way around,• how many instances should be started,• whether it is possible to reuse predeployed AS (instances shared among workflows)
The deployment plan bases on the analysis of:• workflow and atomic service resource demands,• volume and location of input and output data,• load of available resources,• cost of acquiring resources on private and public cloud sites,• cost of using cheaper instances (whenever possible and sufficient; e.g. EC2 Spot Instances
or S3 Reduced Redundancy Storage for some noncritical (temporary) data),• public cloud provider billing model
CGW’12, Cracow, October 22-24, 2012 912-Oct-12
High Performance Execution Environment
Provides virtualized access to high performance execution environments
Seamlessly provides access to high performance computing to workflows that require more computational power than clouds can provide
Deploys and extends the Application Hosting Environment – provides a set of web services to start and control applications on HPC resources
GridFTPAHE Web Services
(WSRF::Lite)
Grid resources running Local Resource Manager(PBS, SGE, Loadleveler etc.)
Application Hosting EnvironmentAuxiliary component of the cloud platform, responsible for managing access to traditional (grid-based) high performance computing environments. Provides a Web Service interface for clients.
Invoke the Web Service API of AHE to delegate computation to the grid
Application
-- or --
Workflow environment
-- or --
End user
Present security token (obtained from authentication service)
Tomcat containerWebDAV
User accesslayer
HARCJob Submission Service
(OGSA BES / Globus GRAM)
RealityGrid SWSResource
clientlayer
Delegate credentials, instantiate computing tasks, poll for execution status and retrieve results on behalf of the client
CGW’12, Cracow, October 22-24, 2012 1012-Oct-12
Service-based access to high-performance computational resources
AHE service host(ozone.chem.ucl.ac.uk)
AHE service backend
Provides credential delegation, data staging
and execution monitoring features
AHE service interface
Provides RESTful access to AHE applications,
enables data staging and delegation of security
credentials
The AHE service interface: • Simplifies Grid Security (end user does not have to handle grid security and MyProxy configurations and generation)• Simplifies application setup on the Grid(end user does not have to compile, optimize, install and configure
applications)• Simplifies basic Grid Workflow (AHE stages the data, runs and polls the job and fetches the results automatically)• Simplifies Grid access through RESTful web-services (AHE provides a RESTful interface allowing clients and other web
services to access the computational infrastructure and applications in a Software as a Service (SaaS) manner).
Accessing grid resources through the AHE service frontend:
1. prepare (The end-users selects a grid application for an appropriate computational resource registered with AHE, and starts an AHE Application Instance (job))
2. SetDataStaging (Sets up data staging information between the grid infrastructure and the user resource)
3. setProperty (Sets up job property)4. start (Initiates data transfer, executes job, checks job status
and fetches result once completed)5. status (Polls the underlying grid infrastructure for job status)
Developer Scientist
HPC resources (National Grid Service)
CGW’12, Cracow, October 22-24, 2012 1112-Oct-12
Data Access for Large Binary Objects
LOBCDER host(149.156.10.143)
LOBCDER service backend
Resource catalogue
WebDAV servlet
Resource factory
Storagedriver
Storagedriver
Storagedriver
(SWIFT)
SWIFTstoragebackend
Core component host(vph.cyfronet.pl) Data Manager
Portlet(VPH-Share
Master Interface component)
Atomic Service Instance(10.100.x.x) Service payload
(VPH-Share application
component)
External hostGeneric WebDAV client
GUI-based access
Mounted on local FS(e.g. via davfs2)
• LOBCDER (the VPH-Share federated data storage component) enables data sharing in the context of VPH-Share applications
• The system is capable of interfacing various types of storage resources and supports SWIFT cloud storage (support for Amazon S3 is under development)
• LOBCDER exposes a WebDAV interface and can be accessed by any DAV-compliant client. It can also be mounted as a component of the local client filesystem using any DAV-to-FS driver (such as davfs2).
CGW’12, Cracow, October 22-24, 2012 1212-Oct-12
Data Reliability and Integrity
• Provides a mechanism which will keep track of binary data stored in the Cloud infrastructure
• Monitors data availability• Advises the cloud platform when instantiating atomic services• Shifts/replicate data between cloud sites, as required
Binarydata
registry
AIR
Amazon S3 OpenStack Swift Cumulus
Register filesGet metadataMigrate LOBs
Get usage stats(etc.)
Distributed Cloud storage
Store and marshal data
End-user features(browsing, querying, direct access to data)
VPH Master Int.
Data management portlet (with DRI
management extensions)
DRI Service
A standalone application service, capable of autonomous operation. It periodically verifies access to any datasets submitted for validation and is capable of issuing alerts to dataset owners and system administrators in case of irregularities.Validation
policy
Configurable validation runtime(registry-driven)
Runtime layer
Extensibleresource
client layer
CGW’12, Cracow, October 22-24, 2012 1312-Oct-12
Security Framework
• Provides a policy-driven access system for the security framework.• Provides a solution for an open-source based access control system based on fine-
grained authorization policies. • Implements Policy Enforcement, Policy Decision and Policy Management• Ensures privacy and confidentiality of eHealthcare data• Capable of expressing eHealth requirements and constraints in security policies
(compliance)• Tailored to the requirements of public clouds
VPH Security Framework
Application Workflow managemen
t service
Developer End user Administrator
VPH clients
VPH Security Framework
VPH Atomic Service Instances
Public internet
(or any authorized user capable of presenting a valid security token)
CGW’12, Cracow, October 22-24, 2012 1412-Oct-12
Authentication and authorization
VPH-Share Master Int.
Authentication widget
Login feature
AdminDeveloper Scientist
Portlet
Portlet
Portlet
Portlet
BiomedTown Identity Provider
Authentication service2. Open login window
and delegate credentials
VPH-Share Atomic Service Instance
SecurityProxy
1. User selects „Log in with BiomedTown”
Users androles
SecurityPolicy
Service payload
(VPH-Shareapplication
component)
3. Validate credentials and spawn session cookie containing user token
(created by the Master Interface)
5. Parse user token, retrieve roles and allow/deny access to the ASI according to the security policy
6’. Relay requestif authorized
6’. Report error (HTTP/401)
if not authorized
4. When invoking AS, pass user token along with request header
• Developers, admins and scientists obtain access to the cloud platform via the Master Interface UI• The OpenID architecture enables the Master Interace to delegate authentication to any public identity
provider (e.g. BiomedTown).• Following authentication the MI obtains a secure user token containing the current user’s roles. This
token is then used to authorize access to Atomic Service Instances, in accordance with their security policies.
CGW’12, Cracow, October 22-24, 2012 1512-Oct-12
Handling security on the ASI level
VPH-Share Atomic Service Instance
SecurityProxy
SecurityPolicy
Service payload
(VPH-Shareapplication
component)
Public AS API(SOAP/REST)
1. Incomingrequest
Actual application API (localhost access only)
Exposed externally bylocal web server
(apache2/tomcat)
2. Interceptrequest
a6b72bfb5f2466512ab2700cd27ed5f84f991422rdiaz!developer!
rdiaz,Rodrigo Diaz,[email protected],,SPAIN,
08018
User token
digital signaturetimestamp
unique usernameassigned role(s)additional info
3. Decrypt and validate the digital signature with the Master Interface’s secret key.
4. If the digital signature checks out, consult the security policy to determine whether the user should be granted access on the basis of
his/her assigned roles.
6. Intercept service response
7. Relayresponse
• The application API is only exposed to localhost clients
• Calls to Atomic Services are intercepted by the Security Proxy
• Each call carries a user token (passed in the request header)
• The user token is digitally signed to prevent forgery. This signature is validated by the Security Proxy
• The Security Proxy decides whether to allow or disallow the request on the basis of its internal security policy
• Cleared requests are forwarded to the local service instance
3’, 4’ Report error
3’, 4’. If the digital signature is invalid or if the security policy prevents access given the
user’s existing roles, the Security Proxy throws a HTTP/401 (Forbidden) exception to
the client.
5. Relay original request (if cleared)
5. Otherwise, relay the original request to the service payload. Include the user token
for potential use by the service itself.
6-7. The service response is relayed to the original client. This mechanism is entirely transparent from the point of view of the person/application invoking the Atomic
Service.
CGW’12, Cracow, October 22-24, 2012 1612-Oct-12
WP2 Component/Module Technologies applied
Cloud Resource Allocation Management
Java application with Web Service (REST) interfaces, OSGi bundle hosted in a Karaf container, Camel integration framework
Cloud Execution Environment Java application with Web Service (REST) interfaces, OSGi bundle hosted in a Karaf container, Nagios monitoring framework, OpenStack and Amazon EC2 cloud platforms
High Performance Execution Environment
Application Hosting Environment with Web Service (REST/SOAP) interfaces
Data Access for Large Binary Objects
Standalone application preinstalled on VPH-Share Virtual Machines; connectors for OpenStack ObjectStore and Amazon S3; GridFTP for file transfer
Data Reliability and Integrity Standalone application wrapped as a VPH-Share Atomic Service, with Web Service (REST) interfaces; uses LOB tools for access to binary data
Security Framework Uniform security mechanism for SOAP/REST services; Master Interface SSO enabling shell access to virtual machines
Platform Modules and Technologies
CGW’12, Cracow, October 22-24, 2012 1712-Oct-12
Behind the scenes: Instantiating an Atomic Service Template (1/2)
Developer
VPH-Share Master Int.
Cloud Manager
Development Mode
Start Atomic Service
Core Component Host(149.156.10.143)
Cloud Facade (API)
Atmosphere AMS
Atmosphere Internal Registry
MongoDB
Comp. model
Storage model
Nova Head Node(149.156.10.131)
OpenStack(API)
Nova management interface
Glance image store
AS Images
1. Start AS
2. Request instantiation of Atomic Service
3. Get AS VM details
4. Call Nova to instantiate selected VM
OpenStack WN(10.100.x.x)
WN hypervisor (KVM)
Mounted network storage
Per-WN storage
6. Upload VM imageto WN storage
5. Stage AS image on WN
AtomicService
Instance
Assignedlocal storage
7. Boot VM7.
• The Cloud Manager portlet enables developers to create, deploy, save and instantiate Atomic Service Instances on cloud resources.
CGW’12, Cracow, October 22-24, 2012 1812-Oct-12
Behind the scenes: Instantiating an Atomic Service Template (2/2)
Developer
VPH-Share Master Int.
Cloud Manager
Development Mode
Core Component Host(149.156.10.143)
Cloud Facade (API)
Atmosphere AMS
Atmosphere Internal Registry
MongoDB
Comp. model
Storage model
Nova Head Node(149.156.10.131)
OpenStack(API)
Nova management interface
16. Retrieve ASI status, port mappings and access credentials
12. Register ASI as booting/running
10. Poll Nova for VM status
OpenStack WN(10.100.x.x)
AtomicService
Instance
Assignedlocal storage
WN hypervisor
8. Report VM is booting
11. Delegate query and relay reply
IP Wrangler host(149.156.10.131)
IP Wrangler
Port mappingtable
13. Configure IP Wrangler to enable port forwarding
15. Pollfor ASI statusand update
view
ASI details
• Atmosphere takes care of interpreting user requests and managing the underlying cloud platform.
• CYFRONET contributes a private cloud site for development purposes.
14. Register port mappings for this ASI
9. Report VM is running
CGW’12, Cracow, October 22-24, 2012 1912-Oct-12
Behind the scenes: Communicating with Atomic Service Instance
Developer
VPH-Share Master Int.
Cloud Manager
Development Mode
OpenStack WN(10.100.x.x)
AtomicService
Instance
Assignedlocal storage
IP Wrangler host(149.156.10.131)
IP Wrangler
Port mappingtable
ASI metadata
Standard IP stack
(accessible via public IP)
1. Look up ASI details (including IP Wrangler IP, port mappings and
access credentials, if needed)
2. Initiate interaction 3. Relay 4. Call ASI
• Note: Atomic Service Instances typically do not have public IPs• The role of the IP Wrangler is to facilitate user interaction on
arbitrary ports (e.g. SSH, VNC etc.) with VMs deployed on a computing cluster (such as is the case at CYFRONET)
• The IP Wrangler bridges communication on predetermined ports, according to the ASI configuration which is stored in AIR
• Web Service calls do not require nonstandard ports and are instead handled by appending data to the endpoint path
CGW’12, Cracow, October 22-24, 2012 2012-Oct-12
Behind the scenes: Saving the Instance as a new Atomic Service
Developer
VPH-Share Master Int.
Cloud Manager
Development Mode
Save Atomic Service
Core Component Host(149.156.10.143)
Cloud Facade (API)
Atmosphere AMS
Atmosphere Internal Registry
MongoDB
Comp. model
Storage model
Nova Head Node(149.156.10.131)
OpenStack(API)
Nova management interface
Glance image store
AS Images
1. Create AS from ASI
2. Request storage of Atomic Service
8. Register AS as available.
3. Call Nova to persist ASI
OpenStack WN(10.100.x.x)
WN hypervisor (KVM)
Mounted network storage
Per-WN storage
6. Upload VM imageto Glance
4. Store VM image in Glance
AtomicService
Instance
Assignedlocal storage
5. Image selected VM (incl. user
space)
5.
7. Report success
AS metadata
• Developers are able to save existing instances as new Atomic Services.• Once saved, an Atomic Service can be instantiated by clients.
3’. Register ASas being saved.
CGW’12, Cracow, October 22-24, 2012 2112-Oct-12
More information on accessing the VPH-Share Infrastructure
• The Master Interface is deployed at new.physiomespace.com– Provides access to all VPH-Share cloud platform features– Tailored for domain experts (no in-depth technical knowledge necessary)– Uses OpenID authentication provided by BiomedTown– Contact Piotr Nowakowski (CYF) for details regarding access and account provisioning
• Further information about the project can be found at www.vph-share.eu
• Make sure to check out the DICE team website at CYF (dice.cyfronet.pl/projects/VPH-Share) for further information regarding the cloud platform and practical usage examples