OpenStack Newton What's new in - Mirantis · OpenStack Newton OpenStack's 14th release. ... Alexey Stupnikov is an OpenStack Maintenance Engineer at Mirantis. ... New features Rolling

Copyright © 2016 Mirantis, Inc. All rights reserved

www.mirantis.com

What's new in OpenStack Newton

OpenStack's 14th release


Speakers

Alexey Stupnikov OPENSTACK MAINTENANCE ENGINEER

Alexey Stupnikov is an OpenStack Maintenance Engineer at Mirantis. Prior to joining Mirantis, he was a Systems & Network Administrator at Megalabs, in the R&D lab of the second largest mobile phone operator and the third largest telecom operator in Russia. Previously he served as a Senior Network Engineer/Projects Team Lead at MTO, a mid-size systems integrator providing solutions for mid-size enterprise and large government customers.

Mike Tillman SR. SYSTEM ARCHITECT

Mike Tillman is a Sr. System Architect in the OpenStack Services team at Mirantis. Previously he was a software engineer at American Express involved with DevOps.

Nick Chase HEAD OF TECHNICAL AND MARKETING CONTENT

Nick Chase serves as editor-in-chief of the popular OpenStack:Unlocked newsletter, which he created. With 20+ years' experience as a developer and author, Nick has written several books and hundreds of articles as an IBM developerWorks Certified Master Author. He also founded NoTooMi.com and has done Web application development for companies such as Alcatel-Lucent, Sun Microsystems, Oracle, and the Tampa Bay Buccaneers.


● Please submit questions in the Questions pane.

● We’ll provide a link where you can download the slides at the end of the webcast.

A Little Housekeeping


Agenda

● Impact of the Big Tent● Compute● Network● Storage● Auxiliary "core" services● Additional projects● Q&A


Impact of the Big Tent


What is the "Big Tent"?


Some sample projects

● OpenStackSalt● Watcher● Vitrage● Fuel● Searchlight● Tacker● CloudKitty● DragonFlow



Compute


NovaOpenStack Compute Service

To implement services and associated libraries to provide massively scalable, on demand, self service access to compute resources, including bare metal, virtual

machines, and containers.


Nova

● Scheduler● Get me a network● Cinder v2● Glance v2● Policy defaults● Cells v2● Worth mentioning


Nova: Scheduler

● New /placement API● Resource providers● Inventories● Allocations● Usage records

● Configurable● [placement] section of nova.conf


Nova: Get me a network

● Previously roll your own● Neutron in Mitaka● Microversion 2.37

networks: auto

auto-allocated-topology API

● Newton on all nodes


Nova: Cinder v2 and Glance v2

● Previously in Cinder and Glance● Dropping v1


Nova: Policy defaults

● What can this cloud do?● Overridable policy defaultsoslopolicy-list-redundant –namespace nova

oslopolicy-policy-generator –namespace nova –output-file policy-merged.yaml

nova-policy (under development)


Nova: Cells v2

● Main code path● Feature complete● New commands

nova-manage cell_v2 simple_cell_setup –transport_url <url>

nova-manage cell_v2 discover_hosts

nova-manage cell_v2 map_cell0


Nova: Ironic

● Multiple nova-compute services● Duplicate compute_node entries● Always enabled● Used with caution for multiple compute hosts● Multitenant networking


Nova: Other

● Spec freeze● Nova network deprecated (again)● Mutable config

DEFAULT.debug

libvirt.live_migration_completion_timeout

Libvirt.live_migration_progress_timeout

● nova-manage command to refresh the quota usages for a project or user● Virtual device role tagging ● os-vif plugin


Nova: Worth mentioning

● Service proxies deprecated● Return 404 on microversion 2.36 or higher● Use the native API instead

/images

/os-networks

/os-fixed-ips

/os-floating-ips

/os-floating-ips-bulk

/os-floating-ip-pools

/os-floating-ip-dns

/os-security-groups

/os-security-group-rules

/os-security-group-default-rules

/os-volumes

/os-snapshots

/os-baremetal-nodes

/os-fping


Network


OpenStack Neutron

NeutronOpenStack Networking Service

To implement services and associated libraries to provide on-demand, scalable, and technology-agnostic network abstraction.


OpenStack Neutron

● 802.1Q tagged VM connections (VLANs)● L3 Service Plugin flavors● OSProfiler support● QoS enhancements● Worth mentioning


Neutron: 802.1Q

● 802.1Q tagged VM connections (VLAN aware VMs)● New TRUNK resource is added

■ Primary port passes untagged traffic■ Subports are used to transfer tagged frames


Neutron: L3

● L3 Service Plugin flavors● Flavors:

■ Every flavor is linked with unique service profile■ Service profile is used to select unique service provider■ 1-1 flavor to service profile association■ User can choose the optimal flavor, or leave it unspecified


Neutron: OSProfiler

● OSProfiler support:● Find bottlenecks● Troubleshoot interoperability issues


Neutron: QoS

● QoS-related improvements● Mark outgoing packets with a DSCP code

■ Enforce end-to-end QoS policies■ Simplify network administration

● QoS minimum egress bandwidth■ VM will always get essential egress BW


Neutron: Worth mentioning

● VMs without IP Address● Run VMs with complex networking configurations

● Specific pools of external IP addresses● Optimize IP allocation

● Neutron extension resources with timestamps● Use “created_at” and “updated_at” filters


Storage


Storage

● Cinder● Glance● Swift


CinderOpenStack Block Storage Service

To implement services and libraries to provide on-demand, self-service access to Block Storage resources via abstraction and automation on top of

other block storage devices.


OpenStack Cinder

● Microversions● Rolling upgrades● Replication● Active-Active High Availability


Cinder: Microversions

● In the header:

X-OpenStack-Cinder-API-Version: 2.114

● In the response:

X-OpenStack-Cinder-API-Version: 2.114

Vary: X-OpenStack-Cinder-API-Version

● /v3 endpoint


Cinder: Rolling upgrades

● Backward compatibility● Upgrade 1 by 1● Restart● Tech preview ONLY


Cinder: Replication

● Available but not universally adopted● Expansion on hold● User feedback● Dell SC driver


Cinder: Active-Active HA

● Not production yet● Grouping hosts● Cluster lifecycle● Cluster API


Cinder: Worth mentioning

● Scheduler_weight_handler

● StochasticHostWeightHandler

● Group type and group specs APIs.

● Volumes summary API

● Keystone v3 support for Swift backup driver in single user mode.

● List manageable volumes and snapshots

● /v2/<project_id>/os-volume-manage

● /v2/<project_id>/os-snapshot-manage


Cinder: Worth mentioning

● DEFAULT config stanza volumes

● enabled_backends config option

● Bye bye XML API


GlanceOpenStack Image Service

To provide services and associated libraries to store, browse, share, distribute and manage bootable disk images, other data closely associated

with initializing compute resources, and metadata definitions.


OpenStack Glance

● Improved Import (upload) API for users● Move Nova to Glance v2 so v1 can be deprecated● GLARE● Trust concept for long-lived snapshots


Glance: Deprecate v1

● V2 API Complete in Glance since Mitaka● Completed Nova conversion to Glance v2


Glance: GLARE

● Glance Artifact Repository● Images plus metadata● Other types of objects● Beyond Glance's usual role● Backend for Community App Catalog


Glance: Trust

● Trust concept for long-lived snapshots● Complete in Glance, may not be complete in Nova


Glance: Worth mentioning

● Restrictive default policy● New vhdx disk_format config option● Image signature verification: "Sign-the-data" rather than

"sign-the-hash"● No more downgrades● S3 support removed


Auxiliary "core" services


SwiftOpenStack Object Storage Service


Swift: Object versioning

● Keep all copies● X-History-Location vs X-Versions-Locationcurl -i -XPUT -H "X-Auth-Token: <token>" -H "X-Versions-Location: versions" \ http://<storage_url>/containercurl -i -XPUT -H "X-Auth-Token: <token>" http://<storage_url>/versions

curl -i -XPUT --data-binary 1 -H "X-Auth-Token: <token>" \ http://<storage_url>/container/myobjectcurl -i -XPUT --data-binary 2 -H "X-Auth-Token: <token>" \ http://<storage_url>/container/myobject

curl -i -H "X-Auth-Token: <token>" http://<storage_url>/versions?prefix=008myobject/

● More information

http://docs.openstack.org/developer/swift/overview_object_versioning.html




Swift: Object encryption

● At-rest encryption● Middleware in the proxy server WSGI pipeline● Object itself, user metadata, etc. encrypted● Account, size, etc. not encrypted● Confidentiality, not security● More information

http://docs.openstack.org/developer/swift/overview_encryption.html

http://docs.openstack.org/developer/swift/overview_encryption.html


Swift: Worth mentioning

● Concurrent bulk-deletes (delete_concurrency default = 2)● TempURL includes `Expires` header, time in URL● staticweb unauthenticated requests● rsync ignores own temp files● Recommended ports now 6200-6202


KeystoneOpenStack Identity Service

To facilitate API client authentication, service discovery, distributed multi-tenant authorization, and auditing.


OpenStack Keystone

● Federated identity● Simplified configuration setup● Python 3 compatibility● PCI support of password configuration options


Keystone: New features

● Rolling upgrades using new options for keystone_manage db_sync● --expand

● --migrate

● --contract

● password_expires_at attribute● change_password()

● Credentials encrypted at rest● Encrypt before contracting the database!!!


Keystone: Performance

● Cache tokens ● Cache_on_issue to [token] section● Adds to validation cache

● LDAP mapping● keystone-manage mapping_populate

● On setup or after keystone-manage mapping_purge


HorizonOpenStack Dashboard

To provide an extensible unified web based user interface for all

OpenStack services.


OpenStack Horizon

● Specify a fixed IP or subnet when creating a port

● IMAGES_ALLOW_LOCATION

● TOKEN_DELETE_DISABLED

● LBaaS v2 as a plugin

● Swift-only deployment

http://git.openstack.org/cgit/openstack/neutron-lbaas-dashboard/


OpenStack Horizon

● LAUNCH_INSTANCE_DEFAULTS (disable_image,

disable_instance_snapshot,

disable_volume, disable_volume_snapshot)

● Restrict CIDR range for user private network

● Keystone Tokens available to JavaScript

(ENABLE_CLIENT_TOKEN = False to disable)


OpenStack Horizon

● Consistency Groups

● Network IP availability

● L3 agent hosts/routers

● Scheduler hints on launching an instance


Other projects


HeatOpenStack Orchestration Service

To create a human- and machine-accessible service for managing the entire lifecycle of infrastructure and applications within OpenStack clouds


Heat

● Cinder Quality of Service, Quota

● Conditions

● DNS resolution and integration with external DNS

(dns_name and dns_domain)

● external_id attribute for (read only) external resource

● YAQL eval

● template_dir (Default is /etc/heat/templates)


CeilometerOpenStack Telemetry Service

To reliably collect measurements of the utilization of the physical and virtual resources comprising deployed clouds, persist these data for subsequent retrieval

and analysis, and trigger actions when defined criteria are met.


OpenStack Ceilometer

● REST API (such as Gnocchi) rather than just database

● Batching by default

● Adjust pipeline_processing_queues and batch_size

● Magnum support

● New meters:

● Perf.cpu.cycles

● Perf.instructions

● Perf.cache_references

● Cache_misses

● Memory.bandwidth.total

● Memory.bandwidth.local


FuelDeployment Service

To streamline and accelerate the process of deploying, testing and maintaining various configurations of OpenStack at scale.


Fuel

● ISOless BVT

● Improved LCM UX including IaC (using git repository as a

source for cluster configuration)

● Container-based deployment possibilities


MuranoApplication Catalog Service

To provide an application catalog service so that users can compose and deploy composite environments on an application abstraction level

while managing the application lifecycle.


Murano

● Application Development Framework

● Multi-region apps

● Dependency driven resource deallocation


Ironic

IronicBare Metal Service

To produce an OpenStack service and associated libraries capable of managing and provisioning physical machines, and to do this in a

security-aware and fault-tolerant manner.


Ironic

● Dynamic allocation of nodes in OneView

(dynamic_allocation=True)

● Access restrictions to REST API

● Network interfaces

● Flat (default when using neutron for DHCP)

● Noop (default when not using neutron for DHCP)

● Neutron (separates networks)

http://docs.openstack.org/developer/ironic/drivers/oneview.html


MagnumContainer Infrastructure Management Service

To provide a set of services for provisioning, scaling, and managing container orchestration engines.


Magnum

● Not so much containers, but container orchestration

engines (COEs)

● Docker swarm overlay networks

● Mesos cluster flags

● Docker Swarm Fedora Atomic driver integrated with

Cinder, rexray volume driver

● SSL for API service


Community App Catalog

To build and maintain the OpenStack Community App Catalog in order to benefit all OpenStack clouds by giving users a central location from which to find and

retrieve applications and other OpenStack components that can be immediately deployed into their OpenStack clouds, and by giving application developers a

highly visible place to share their work with the OpenStack community.


OpenStack Community App Catalog

● Glare as backend

● Exposed as a v2 API

● Users can add and manage assets directly

(programmatically or via the web site)


DesignateDNS Service

To provide scalable, on demand, self service access to authoritative DNS services, in technology-agnostic manner.


Designate

● Better scaling

● Bind to multiple host:port pairs via the new “listen”

configuration arguments for each service

● Get information on user recordsets

● Heartbeat

● Designate-agent service default port 53 -> 5358


MistralWorkflow Service

Provide a simple YAML-based language to write workflows (tasks and transition rules) and a service that allows to upload them, modify, run them at scale and in a highly available manner, manage and monitor workflow execution state and state

of individual tasks.


Mistral

● safe-rerun

● SSL for API

● Murano, Magnum, Tacker actions

● RBAC

● Ad-hoc actions

● Custom messages

● Workflow sharing


Thank You!

Q&A

Section subheader

OpenStack Newton What's new in - Mirantis · OpenStack Newton OpenStack's 14th release. ... Alexey Stupnikov is an OpenStack Maintenance Engineer at Mirantis. ... New features Rolling

Documents