OpenNebulaConf 2016 - Security, Federation & Hybrid Hands-on Workshop by Carlos Martin, OpenNebula

Jan 07, 2017

Page 1: OpenNebulaConf 2016 - Security, Federation & Hybrid Hands-on Workshop by Carlos Martin, OpenNebula

Carlos Martín, OpenNebula Software Engineer

linkedin.com/in/carlosmartinsanchez

Security, Federation & Hybrid Workshop

OpenNebulaConf 2016, 4th edition

Page 2

Agenda for the Workshop

● Infrastructure integration levels

○ Federation

○ Hybrid: OpenNebula - OpenNebula

○ Hybrid: OpenNebula - other technologies

● Security & Authentication

Page 3

Federation

Page 4

Data Center Federation Overview

What is OpenNebula Federation?

● Tightly coupled integration of 2 or more OpenNebula instances

● Each instance of the Federation is called a Zone

● One master and several slaves.

● Zones share the user accounts, groups, and permissions configuration

● A vDC is a group of users with part of the physical resources, generally one or more clusters belonging to one or several zones, assigned to them

● Seamless for Cloud users: ability to switch the active Zone in Sunstone

Page 5

Data Center Federation

Let’s see a demo!

Page 6

Under the Hood: Inner Workings of Federation

● Master and slaves share DB tables: users, groups, ACL rules, zones
● Only the master writes to the shared tables
● Slaves keep a read-only local copy and proxy write operations to the master
● Sync is achieved by configuring MySQL to replicate only those tables
● Performs well over long-distance/bad-quality connections
● If the master zone fails, slaves continue to work, except for writes to the shared tables such as new user creation or password updates
● Slaves can be added at any moment (import or new)
● Support of different OpenNebula versions
● The Sunstone server is connected to all the oned daemons in the Federation
● One Sunstone for the entire Federation, or one Sunstone per Zone

Page 7

Architecture

Page 8

Configuration

● Enable federation mode on the master: MODE = "MASTER" in the FEDERATION section of the master's oned.conf
● Define the master's XML-RPC endpoint: onezone update 0
● Create a zone for every slave (name and endpoint)
● Importing from an existing slave: onedb import-slave
● Select the merging policy. User tables before the import (left) and the result of each policy (right):

+----------+-------------+    +------------+---------------+
| Master   | Slave       |    | With merge | Without merge |
+----------+-------------+    +------------+---------------+
| 5, alice | 2, alice    |    | 5, alice   | 5, alice      |
| 6, bob   | 5, bob      |    | 6, bob     | 6, bob        |
|          |             |    |            | 7, alice-1    |
|          |             |    |            | 8, bob-1      |
+----------+-------------+    +------------+---------------+

  With merge, a slave user whose name already exists on the master is folded into the master's user and keeps the master's ID. Without merge, every slave user is imported as a new user with a fresh ID, and a name collision is resolved by renaming the imported user. Merging is an identity decision: only merge when the same-named accounts really belong to the same person, because afterwards the master's credentials govern the slave's resources.
● Configure MySQL replication between the master and each slave
● Copy the auth directory from the master to the slaves: /var/lib/one/.one (it holds the oneadmin credentials in one_auth, so keep it readable by oneadmin only)
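The two merging policies from the table above, as an added example written for this page and not taken from onedb (the importer's real code is not reproduced here). It assumes users are (ID, name) pairs, that a merged slave user takes the master's ID, that an unmerged slave user gets the next free ID above the master's highest, and that a colliding name gets a "-1" suffix as the table shows; the suffix counter increments if that name is taken too, which generalises beyond the slide's two-user case. The returned id_map is the part that matters for security: it is what the slave's VMs, images and ACL rules must be re-owned with after the import.

```ruby
# Added example (not OpenNebula project code): the two user-merging policies
# of "onedb import-slave" as described on the slide.
# Assumptions: users are (id, name) pairs; with merging a slave user whose name
# exists on the master is folded into the master user and keeps the master ID;
# without merging every slave user gets a fresh ID above the master's highest
# and a colliding name gets a "-N" suffix (N starts at 1, as the slide shows,
# and is bumped if that name is taken as well).

User = Struct.new(:id, :name)

# Returns [merged_users, id_map] where id_map is slave_id => new_id, the
# translation an importer needs to re-own the slave's resources and ACL rules.
def import_slave_users(master, slave, merge:)
  merged  = master.map { |u| User.new(u.id, u.name) }
  by_name = merged.each_with_object({}) { |u, h| h[u.name] = u }
  next_id = (merged.map(&:id).max || -1) + 1
  id_map  = {}

  slave.each do |su|
    if merge && by_name.key?(su.name)
      # Same account on both sides: the master wins, the slave ID is remapped.
      id_map[su.id] = by_name[su.name].id
      next
    end

    name = su.name
    unless merge
      # Keep the identities separate: rename on collision.
      n = 1
      while by_name.key?(name)
        name = "#{su.name}-#{n}"
        n += 1
      end
    end

    nu = User.new(next_id, name)
    merged << nu
    by_name[name] = nu
    id_map[su.id] = next_id
    next_id += 1
  end

  [merged, id_map]
end

# Constructed input reproducing the slide's table.
MASTER = [User.new(5, 'alice'), User.new(6, 'bob')].freeze
SLAVE  = [User.new(2, 'alice'), User.new(5, 'bob')].freeze

def render(users)
  users.map { |u| "#{u.id}, #{u.name}" }
end

if __FILE__ == $PROGRAM_NAME
  with, with_map       = import_slave_users(MASTER, SLAVE, merge: true)
  without, without_map = import_slave_users(MASTER, SLAVE, merge: false)
  puts "With merge:    #{render(with).join(' | ')}   id_map=#{with_map}"
  puts "Without merge: #{render(without).join(' | ')}   id_map=#{without_map}"
end
```

Run without arguments to print both outcomes for the slide's data; the "without merge" path shows that the slave's alice (ID 2) becomes a different principal (7, alice-1), so nothing the master's alice could do before the import reaches those resources.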

Page 9

Hybrid

OpenNebula - OpenNebula

Page 10

Hybrid Cloud Computing (Cloud Bursting)

● VMs can be local or remote
● VM connectivity has to be configured, usually with VPNs
● External clouds are handled like any other host
● Placement constraints
● Hybrid cloud drivers

Page 11

Hybrid Drivers

NEW!

Page 12

Installation

● New drivers are available as an addon:

https://github.com/OpenNebula/addon-opennebula-hybrid

● Install and enable drivers in oned.conf

● Configure remote user credentials

● Add hybrid Host

● Fully supported in Sunstone!

Page 13

Hybrid: OpenNebula - OpenNebula

Let’s see a demo!

Page 14

Configuration

● Several hybrid OpenNebula instances are supported
● Limit CPU and MEMORY with quotas
● Admin can define:
  ○ access to physical infrastructure
  ○ access to VM Templates

Page 15

Hybrid

OpenNebula - vCloud

Jordi Guijarro, Cloud & Security Manager, CSUC

Page 16

Security & Authentication

Page 17

Authentication Drivers: User Authentication Drivers

● Can be used to:
  ○ Allow/deny access
  ○ Automatically create OpenNebula users (there is no need to import and sync LDAP users, for example)
● Each user can have a different authentication driver
● The oned XML-RPC protocol remains untouched: seamless integration with the CLI, OCA, Sunstone...
● Even with external authentication, OpenNebula user objects are needed to keep track of resource ownership, usage, and quota limits
● OpenNebula caches successful authentication tokens for a while to reduce the driver workload. This can be adjusted or disabled in oned.conf (SESSION_EXPIRATION_TIME). While a token is cached, a password change or account lockout in the external directory is not seen until the cache entry expires, so size the expiration time accordingly.
● A default driver can be configured for unknown usernames (DEFAULT_AUTH in oned.conf)

Page 18

Authentication Drivers: Authentication driver scripts

● authenticate
  ○ From the session string "username:secret", returns 0 or -1 to grant or deny access (a -1 exit is reported by the OS as status 255)
  ○ New usernames will be added as OpenNebula users if the driver prints to stdout 'drivername username password'
  ○ New in 5.2! The driver can return a list of groups that the user belongs to, and the OpenNebula user's group list is updated. You can manage group membership in your LDAP and OpenNebula will mirror the changes
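The driver contract above, as an added example that is not OpenNebula's own driver code (the shipped ldap and x509 drivers are not reproduced here). It assumes the session string "username:secret" arrives as the first argument, that exit 0 grants and exit -1 denies (reported by the OS as 255), and that the 5.2 group list is appended as a comma-separated fourth field; the separator and the in-process user directory (constructed data, standing in for an LDAP lookup) are assumptions. It adds the checks a practitioner wants in such a script: a colon-safe parse of the session string, a constant-time password comparison, a dummy key derivation for unknown users so timing does not reveal which accounts exist, and a stored value that is not the user's secret.

```ruby
#!/usr/bin/env ruby
# Added example (not OpenNebula project code): a minimal "authenticate"
# driver following the contract on the slide.
# Assumptions: ARGV[0] is "username:secret"; exit 0 grants, exit -1 (255 to
# the OS) denies; on success stdout gets "drivername username password" plus,
# as in 5.2, a comma-separated group list as a fourth field. DIRECTORY is
# constructed stand-in data; a real driver would query LDAP/SSO here.
require 'openssl'
require 'securerandom'

DRIVER_NAME = 'example'
KDF_ITERATIONS = 10_000

# Store salted PBKDF2-HMAC-SHA256 digests, never the secrets themselves.
def make_record(password, groups, salt = SecureRandom.hex(8))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, KDF_ITERATIONS, 32,
                                      OpenSSL::Digest.new('SHA256'))
  { salt: salt, digest: digest, groups: groups }
end

DIRECTORY = {
  'alice' => make_record('correct horse', %w[users production]),
  'bob'   => make_record('battery staple', %w[users development])
}.freeze
# Used for unknown users so the KDF costs the same time either way.
DUMMY = make_record(SecureRandom.hex(16), []).freeze

# Split at the first ':' only, so a secret containing ':' survives intact.
# Returns [user, secret], or nil for malformed input.
def parse_session(session)
  return nil unless session.is_a?(String)
  user, secret = session.split(':', 2)
  return nil if user.nil? || user.empty? || secret.nil? || secret.empty?
  [user, secret]
end

# Byte-wise comparison with no early exit on the first mismatching byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_ok?(record, secret)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(secret, record[:salt], KDF_ITERATIONS,
                                         32, OpenSSL::Digest.new('SHA256'))
  secure_equal?(candidate, record[:digest])
end

# Returns [exit_status, stdout_line_or_nil, reason].
def authenticate(session)
  user, secret = parse_session(session)
  return [-1, nil, 'malformed session string'] if user.nil?

  record = DIRECTORY[user]
  ok = password_ok?(record || DUMMY, secret)   # KDF runs even for unknown users
  return [-1, nil, 'bad credentials'] unless record && ok

  # Third field: the value oned stores as the user's password. An opaque
  # per-user token is printed instead of the secret so the real credential
  # never reaches oned's database or logs (our choice, not a requirement).
  token = OpenSSL::Digest.new('SHA256').hexdigest("#{DRIVER_NAME}:#{user}:#{record[:salt]}")
  [0, "#{DRIVER_NAME} #{user} #{token} #{record[:groups].join(',')}", 'ok']
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    warn "usage: #{$PROGRAM_NAME} 'username:secret'"
  else
    status, line, reason = authenticate(ARGV[0])
    if status.zero?
      puts line
    else
      warn "authentication failed: #{reason}"   # stderr only, no secret echoed
    end
    exit status
  end
end
```

Run it as `ruby authenticate.rb 'alice:correct horse'`: it prints `example alice <token> users,production` and exits 0; a wrong secret, an unknown user or a string without a colon exits 255 with only a generic reason on stderr. Note that the stdout line is all oned will ever see, so whatever you put in the third field is what a password change or token revocation later has to invalidate.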

Page 19

Admins have many hats! Tell OpenNebula the one that's on your head

Login Tokens

What is it?
● A temporary password with an expiration date
● New in 5.2! A token can have an effective group

Effective group
● Filters all resources to show the ones in the defined group. For instance: focus your work on group 'production' or 'development'

Page 20

Authentication in Sunstone

● Basic user / password
● x509 certificates, managed by the browser

● Remote auth: Do not miss the user workshop on Wednesday

OpenNebula Sunstone integration with FreeIPA using Single Sign On

Álvaro Simón, Ghent University

Page 21

OpenNebulaConf 2016, 4th edition

Platinum

Gold

Silver

Community

THANKS!

Page 22

Some Colored Text Boxes

Virtual Network Definition

Sample Colored Text Box: Address Space (multiple, disjoint ranges)
● IPv4
● IPv6 (Global & ULA)
● Ethernet - MAC addresses

Security Groups
● Managed as a separate entity
● Inbound & Outbound, TCP/UDP/ICMP

Custom Tags

Configuration & Physical Attributes
● Network specific (e.g. BRIDGE, VLAN_ID)
● VM Context (e.g. DNS, GATEWAY)

Page 23

Sample Text Boxes

Virtual Machine Configuration (L3 - L4 - L5)
● Context CD-ROM ISO with network information
● Stock guest packages include support for IP, GATEWAY, DNS, NETWORK_MASK but are easily extensible
● NFV not imposed nor required (e.g. DHCP server per net) but supported

Require as little as possible, accommodate any topology