Copyright © 2016 Mirantis, Inc. All rights reserved
www.mirantis.com
What's new in OpenStack Newton
OpenStack's 14th release
Speakers
Alexey Stupnikov OPENSTACK MAINTENANCE ENGINEER
Alexey Stupnikov is an OpenStack Maintenance Engineer at Mirantis. Prior to joining Mirantis, he was a Systems & Network Administrator at Megalabs, in the R&D lab of the second largest mobile phone operator and the third largest telecom operator in Russia. Previously he served as a Senior Network Engineer/Projects Team Lead at MTO, a mid-size systems integrator providing solutions for mid-size enterprise and large government customers.
Mike Tillman SR. SYSTEM ARCHITECT
Mike Tillman is a Sr. System Architect in the OpenStack Services team at Mirantis. Previously he was a software engineer at American Express involved with DevOps.
Nick Chase HEAD OF TECHNICAL AND MARKETING CONTENT
Nick Chase serves as editor-in-chief of the popular OpenStack:Unlocked newsletter, which he created. With 20+ years' experience as a developer and author, Nick has written several books and hundreds of articles as an IBM developerWorks Certified Master Author. He also founded NoTooMi.com and has done Web application development for companies such as Alcatel-Lucent, Sun Microsystems, Oracle, and the Tampa Bay Buccaneers.
A Little Housekeeping
● Please submit questions in the Questions pane.
● We'll provide a link where you can download the slides at the end of the webcast.
Agenda
● Impact of the Big Tent
● Compute
● Network
● Storage
● Auxiliary "core" services
● Additional projects
● Q&A
Some sample projects
● OpenStackSalt
● Watcher
● Vitrage
● Fuel
● Searchlight
● Tacker
● CloudKitty
● DragonFlow
Nova: OpenStack Compute Service
To implement services and associated libraries to provide massively scalable, on demand, self service access to compute resources, including bare metal, virtual machines, and containers.
Nova
● Scheduler
● Get me a network
● Cinder v2
● Glance v2
● Policy defaults
● Cells v2
● Worth mentioning
Nova: Scheduler
● New /placement API
● Resource providers
● Inventories
● Allocations
● Usage records
● Placement runs as its own WSGI service with its own Keystone endpoint; nova-compute reaches it with the credentials configured in the [placement] section of nova.conf
Nova: Get me a network
● Previously you had to roll your own network before booting
● Builds on Neutron's auto-allocated-topology API (added in Mitaka)
● Microversion 2.37: pass networks: auto in the server create request
● Requires Newton on all nodes
Nova: Cinder v2 and Glance v2
● The v2 APIs have existed in Cinder and Glance for some time; Nova now uses them
● v1 support is being dropped, so the v2 endpoints must be in the service catalog
Nova: Policy defaults
● What can this cloud do?● Overridable policy defaultsoslopolicy-list-redundant –namespace nova
oslopolicy-policy-generator –namespace nova –output-file policy-merged.yaml
nova-policy (under development)
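The two oslopolicy commands above only tell you which overrides are redundant; the question a security reviewer actually asks is which overrides loosen an admin-only default. The following is an added example, not code from the deck or from Nova/oslo.policy: it reimplements the redundancy check over a policy.json override file and adds the loosening check. The default rule strings, the override file and the rule names are constructed samples (Nova-style names, but assumed values).

```python
"""Audit a Nova policy.json override file against the in-code defaults.

Added example, not code from the Mirantis deck or from Nova/oslo.policy.
Everything below is a constructed sample: the default rule strings are
assumptions chosen for illustration, not Nova's actual defaults.
"""
import json

# Constructed subset of in-code defaults (assumed strings).
NOVA_DEFAULTS_SAMPLE = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
    "os_compute_api:os-services": "rule:admin_api",
}

# Constructed operator override file in policy.json format.
OPERATOR_POLICY_JSON = """
{
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:os-migrate-server:migrate": "",
    "os_compute_api:os-services": "rule:admin_or_owner",
    "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
    "os_compute_api:os-made-up-extension": "rule:admin_api"
}
"""

# Default rule strings this audit treats as admin-only.
ADMIN_ONLY = {"rule:admin_api", "is_admin:True"}
# In oslo.policy "" and "@" allow everyone; "!" denies everyone.
DENY_ALL = "!"


def audit_policy(defaults, override_json):
    """Return redundant, loosened and unknown rule names, each sorted."""
    overrides = json.loads(override_json)
    redundant, loosened, unknown = [], [], []
    for name, rule in overrides.items():
        rule = rule.strip()
        if name not in defaults:
            unknown.append(name)        # typo or removed API: dead weight
        elif rule == defaults[name].strip():
            redundant.append(name)      # what oslopolicy-list-redundant reports
        elif defaults[name] in ADMIN_ONLY and rule not in ADMIN_ONLY and rule != DENY_ALL:
            loosened.append(name)       # admin-only default now reachable by non-admins
    return {"redundant": sorted(redundant),
            "loosened": sorted(loosened),
            "unknown": sorted(unknown)}


if __name__ == "__main__":
    for kind, names in audit_policy(NOVA_DEFAULTS_SAMPLE, OPERATOR_POLICY_JSON).items():
        print(kind, names)
```

Run it against the merged YAML from oslopolicy-policy-generator (converted to a dict) and your override file to catch an empty-string rule on a migrate or reset_state action before it reaches production.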
Nova: Cells v2
● Now the main code path: every deployment must be set up with cell0 and one cell
● Single-cell support is complete; multiple cells are still in progress
● New nova-manage commands:
nova-manage cell_v2 simple_cell_setup --transport-url <url>
nova-manage cell_v2 discover_hosts
nova-manage cell_v2 map_cell0
Nova: Ironic
● Multiple nova-compute services with the Ironic driver
● Can produce duplicate compute_node entries
● Always enabled; use with caution when running multiple compute hosts
● Multitenant networking
Nova: Other
● Spec freeze
● nova-network deprecated (again)
● Mutable config: these options can be reloaded with SIGHUP, without a restart
DEFAULT.debug
libvirt.live_migration_completion_timeout
libvirt.live_migration_progress_timeout
● nova-manage command to refresh the quota usages for a project or user
● Virtual device role tagging
● os-vif plugin
Nova: Worth mentioning
● Service proxies (Nova endpoints that forward to Neutron, Glance, Cinder and Ironic) deprecated
● Return 404 on microversion 2.36 or higher
● Use the native API of the owning service instead; the affected endpoints are:
/images
/os-networks
/os-fixed-ips
/os-floating-ips
/os-floating-ips-bulk
/os-floating-ip-pools
/os-floating-ip-dns
/os-security-groups
/os-security-group-rules
/os-security-group-default-rules
/os-volumes
/os-snapshots
/os-baremetal-nodes
/os-fping
Neutron: OpenStack Networking Service
To implement services and associated libraries to provide on-demand, scalable, and technology-agnostic network abstraction.
OpenStack Neutron
● 802.1Q tagged VM connections (VLANs)
● L3 service plugin flavors
● OSProfiler support
● QoS enhancements
● Worth mentioning
Neutron: 802.1Q
● 802.1Q tagged VM connections (VLAN-aware VMs)
● New trunk resource
■ The parent port carries untagged traffic
■ Subports carry tagged frames; each subport is mapped to a VLAN ID on the trunk
Neutron: L3
● L3 service plugin flavors
■ Every flavor is linked with a unique service profile
■ The service profile selects the service provider (driver)
■ 1:1 flavor-to-service-profile association
■ The user can choose the flavor that fits, or leave it unspecified to get the default
Neutron: OSProfiler
● OSProfiler support:
■ Find bottlenecks
■ Troubleshoot interoperability issues
■ Tracing is requested per call and authenticated with the HMAC key in [profiler] hmac_keys, so keep that key private and the profiler disabled where it is not needed
Neutron: QoS
● QoS-related improvements
● DSCP marking: mark outgoing packets with a DSCP code
■ Enforce end-to-end QoS policies
■ Simplify network administration
● Minimum egress bandwidth rule
■ A VM always gets its guaranteed egress bandwidth
Neutron: Worth mentioning
● VMs without an IP address
■ Run VMs with complex networking configurations (port created with no fixed IP)
● Specific pools of external IP addresses (subnet service types)
■ Optimize IP allocation
● Timestamps on Neutron extension resources
■ Filter with created_at and updated_at
Cinder: OpenStack Block Storage Service
To implement services and libraries to provide on-demand, self-service access to Block Storage resources via abstraction and automation on top of other block storage devices.
OpenStack Cinder
● Microversions
● Rolling upgrades
● Replication
● Active-Active High Availability
Cinder: Microversions
● Requested in a header (the value shown is illustrative; Cinder microversions are numbered from 3.0 upward):
X-OpenStack-Cinder-API-Version: 2.114
● Echoed in the response, with Vary so that caches keep responses for different versions apart:
X-OpenStack-Cinder-API-Version: 2.114
Vary: X-OpenStack-Cinder-API-Version
● Available only on the /v3 endpoint
Cinder: Rolling upgrades
● Backward compatibility between Mitaka and Newton services
● Upgrade services one by one: cinder-api first, then cinder-scheduler, then cinder-volume and cinder-backup
● Restart every service once more at the end so the RPC and object version pins are dropped
● Tech preview ONLY
Cinder: Replication
● Available but not universally adopted by drivers
● Expansion on hold
● Waiting for user feedback
● Dell SC driver
Cinder: Active-Active HA
● Not production-ready yet
● Grouping hosts into clusters
● Cluster lifecycle
● Cluster API
Cinder: Worth mentioning
● scheduler_weight_handler config option
● StochasticHostWeightHandler
● Group type and group specs APIs
● Volumes summary API
● Keystone v3 support for the Swift backup driver in single-user mode
● List manageable volumes and snapshots:
/v2/<project_id>/os-volume-manage
/v2/<project_id>/os-snapshot-manage
Cinder: Worth mentioning
● Configuring a volume backend in the [DEFAULT] stanza is deprecated
● Use the enabled_backends config option with a section per backend instead
● Bye bye XML API
Glance: OpenStack Image Service
To provide services and associated libraries to store, browse, share, distribute and manage bootable disk images, other data closely associated with initializing compute resources, and metadata definitions.
OpenStack Glance
● Improved Import (upload) API for users
● Move Nova to Glance v2 so v1 can be deprecated
● GLARE
● Trust concept for long-lived snapshots
Glance: Deprecate v1
● The v2 API has been complete in Glance since Mitaka
● Nova's conversion to Glance v2 is now complete, which clears the way to deprecate v1
Glance: GLARE
● Glance Artifact Repository
● Images plus metadata
● Other types of objects
● Beyond Glance's usual role
● Backend for the Community App Catalog
Glance: Trust
● Keystone trusts for long-lived snapshots, so an upload no longer fails when the user's token expires part-way through
● Complete in Glance, may not be complete in Nova
Glance: Worth mentioning
● More restrictive default policy
● New vhdx disk_format config option
● Image signature verification now signs the image data itself ("sign-the-data"); the earlier "sign-the-hash" scheme, which only signed the MD5 checksum, was deprecated in Mitaka and is gone
● No more database downgrades
● S3 store support removed
Swift: Object versioning
● Keep all copies of an object in a separate versions container
● X-History-Location keeps every version and writes a delete marker on DELETE; the older X-Versions-Location mode restores the previous version on DELETE
■ The versions container holds every old copy, so its ACLs must be at least as strict as the source container's
curl -i -XPUT -H "X-Auth-Token: <token>" -H "X-Versions-Location: versions" \
  http://<storage_url>/container
curl -i -XPUT -H "X-Auth-Token: <token>" http://<storage_url>/versions
curl -i -XPUT --data-binary 1 -H "X-Auth-Token: <token>" \
  http://<storage_url>/container/myobject
curl -i -XPUT --data-binary 2 -H "X-Auth-Token: <token>" \
  http://<storage_url>/container/myobject
curl -i -H "X-Auth-Token: <token>" "http://<storage_url>/versions?prefix=008myobject/"
● Versions are named <3-digit hex length of the object name><object name>/<timestamp>, which is why the prefix for myobject is 008myobject/
● More information
Swift: Object encryption
● At-rest encryption
● Implemented as middleware (keymaster plus encrypter/decrypter) in the proxy server WSGI pipeline
● Object data, user metadata and the ETag are encrypted
● Account, container and object names, object size and timestamps are not
● Confidentiality, not security: it protects against a disk leaving the cluster, not against anyone who can reach the proxy or the root secret
● More information
Swift: Worth mentioning
● Concurrent bulk deletes (delete_concurrency, default 2)
● TempURL responses now carry an Expires header derived from the expiry time in the URL
● staticweb now only handles unauthenticated requests
● rsync ignores its own temp files
● Recommended object/container/account server ports are now 6200-6202 (6000-6002 collided with X11)
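A TempURL is only as good as the checks the proxy runs on it: the expiry time is part of the URL, and the signature binds method, expiry and path together. The following is an added example, not code from the deck or from Swift: it reproduces the documented TempURL signing scheme (HMAC-SHA1 over "METHOD\nexpires\npath") with a constructed key, storage URL and object path, and shows why a changed method, a changed path or a lapsed expiry is refused.

```python
"""Generate and validate Swift TempURLs offline.

Added example, not code from the Mirantis deck or from Swift. Key, storage
URL and object path below are constructed sample values.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse


def tempurl_sig(key, method, path, expires):
    """HMAC-SHA1 hex digest over method, expiry and object path."""
    msg = "{}\n{}\n{}".format(method.upper(), expires, path).encode()
    return hmac.new(key.encode(), msg, hashlib.sha1).hexdigest()


def make_tempurl(key, method, storage_url, path, lifetime, now):
    """Build a TempURL valid for `lifetime` seconds from `now` (epoch seconds)."""
    expires = int(now) + int(lifetime)
    sig = tempurl_sig(key, method, path, expires)
    return "{}{}?temp_url_sig={}&temp_url_expires={}".format(
        storage_url, path, sig, expires)


def validate_tempurl(key, method, url, now):
    """Return (ok, reason), deciding the way a proxy-side check would."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed temp_url parameters"
    if expires <= int(now):  # expired links are refused before any crypto runs
        return False, "expired"
    expected = tempurl_sig(key, method, parsed.path, expires)
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "bad signature"
    return True, "ok"


# Constructed sample values.
KEY = "s3cr3t-account-temp-url-key"
STORAGE_URL = "https://swift.example.com"
OBJECT_PATH = "/v1/AUTH_demo/container/report.pdf"
NOW = 1_480_000_000  # fixed clock so the results are reproducible

if __name__ == "__main__":
    url = make_tempurl(KEY, "GET", STORAGE_URL, OBJECT_PATH, 600, NOW)
    print(url)
    print(validate_tempurl(KEY, "GET", url, NOW + 10))
    print(validate_tempurl(KEY, "PUT", url, NOW + 10))   # method is signed too
    print(validate_tempurl(KEY, "GET", url, NOW + 601))  # past expiry
```

The expiry check runs before the HMAC so that expired links never cost a signature computation, and hmac.compare_digest keeps the signature compare free of timing leaks; both are the properties you want to confirm on any service that mints signed URLs.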
Keystone: OpenStack Identity Service
To facilitate API client authentication, service discovery, distributed multi-tenant authorization, and auditing.
OpenStack Keystone
● Federated identity
● Simplified configuration setup
● Python 3 compatibility
● PCI-DSS-oriented password policy options (the [security_compliance] section)
Keystone: New features
● Rolling upgrades using new options for keystone-manage db_sync:
--expand
--migrate
--contract
● password_expires_at attribute on users
● Self-service change_password() (POST /v3/users/{user_id}/password)
● Credentials encrypted at rest (keystone-manage credential_setup creates the key repository, credential_migrate encrypts existing rows)
● Encrypt before contracting the database!!! Run credential_migrate after --expand and before --contract, because the contract phase removes the unencrypted credential column
Keystone: Performance
● Token caching: cache_on_issue in the [token] section adds newly issued tokens to the validation cache
● LDAP ID mapping: pre-populate the mapping table with keystone-manage mapping_populate
● Run it on setup or after keystone-manage mapping_purge
Horizon: OpenStack Dashboard
To provide an extensible unified web based user interface for all OpenStack services.
OpenStack Horizon
● Specify a fixed IP or subnet when creating a port
● IMAGES_ALLOW_LOCATION (off by default; lets users point an image at an external URL, so leave it off unless you trust every image creator)
● TOKEN_DELETE_DISABLED (keeps the Keystone token alive after logout; a leaked token then outlives the session)
● LBaaS v2 as a plugin
● Swift-only deployment
OpenStack Horizon
● LAUNCH_INSTANCE_DEFAULTS (disable_image, disable_instance_snapshot, disable_volume, disable_volume_snapshot)
● Restrict the CIDR range for user private networks
● Keystone tokens available to JavaScript (ENABLE_CLIENT_TOKEN = False to disable); a token readable by page scripts is reachable by any XSS in the dashboard, so disable it unless a client-side plugin needs it
OpenStack Horizon
● Consistency Groups
● Network IP availability
● L3 agent hosts/routers
● Scheduler hints on launching an instance
Heat: OpenStack Orchestration Service
To create a human- and machine-accessible service for managing the entire lifecycle of infrastructure and applications within OpenStack clouds.
Heat
● Cinder Quality of Service and quota resources
● Conditions section in templates
● DNS resolution and integration with external DNS (dns_name and dns_domain)
● external_id attribute for (read-only) external resources
● YAQL eval function
● template_dir (default is /etc/heat/templates)
Ceilometer: OpenStack Telemetry Service
To reliably collect measurements of the utilization of the physical and virtual resources comprising deployed clouds, persist these data for subsequent retrieval and analysis, and trigger actions when defined criteria are met.
OpenStack Ceilometer
● Publish to a REST API (such as Gnocchi) rather than just a database
● Batching by default; tune pipeline_processing_queues and batch_size
● Magnum support
● New meters:
■ perf.cpu.cycles
■ perf.instructions
■ perf.cache_references
■ perf.cache_misses
■ memory.bandwidth.total
■ memory.bandwidth.local
Fuel: Deployment Service
To streamline and accelerate the process of deploying, testing and maintaining various configurations of OpenStack at scale.
Fuel
● ISO-less BVT
● Improved LCM UX including IaC (using a git repository as the source for cluster configuration)
● Container-based deployment possibilities
Murano: Application Catalog Service
To provide an application catalog service so that users can compose and deploy composite environments on an application abstraction level while managing the application lifecycle.
Murano
● Application Development Framework
● Multi-region apps
● Dependency driven resource deallocation
Ironic: Bare Metal Service
To produce an OpenStack service and associated libraries capable of managing and provisioning physical machines, and to do this in a security-aware and fault-tolerant manner.
Ironic
● Dynamic allocation of nodes in OneView (dynamic_allocation=True)
● Access restrictions to the REST API
● Network interfaces:
■ flat (default when using Neutron for DHCP)
■ noop (default when not using Neutron for DHCP)
■ neutron (keeps the provisioning network separate from tenant networks)
Magnum: Container Infrastructure Management Service
To provide a set of services for provisioning, scaling, and managing container orchestration engines.
Magnum
● Not so much containers as container orchestration engines (COEs)
● Docker Swarm overlay networks
● Mesos cluster flags
● Docker Swarm Fedora Atomic driver integrated with Cinder via the rexray volume driver
● SSL for the API service
Community App Catalog
To build and maintain the OpenStack Community App Catalog in order to benefit all OpenStack clouds by giving users a central location from which to find and retrieve applications and other OpenStack components that can be immediately deployed into their OpenStack clouds, and by giving application developers a highly visible place to share their work with the OpenStack community.
OpenStack Community App Catalog
● Glare as the backend
● Exposed as a v2 API
● Users can add and manage assets directly (programmatically or via the web site)
Designate: DNS Service
To provide scalable, on demand, self service access to authoritative DNS services, in a technology-agnostic manner.
Designate
● Better scaling
● Bind to multiple host:port pairs via the new "listen" configuration option for each service
● Get information on user recordsets
● Heartbeat
● designate-agent default port changed from 53 to 5358
Mistral: Workflow Service
To provide a simple YAML-based language for writing workflows (tasks and transition rules) and a service that allows users to upload, modify and run them at scale and in a highly available manner, and to manage and monitor the execution state of workflows and of individual tasks.
Mistral
● safe-rerun
● SSL for API
● Murano, Magnum, Tacker actions
● RBAC
● Ad-hoc actions
● Custom messages
● Workflow sharing