Intel Confidential — Do Not Forward
Single Control Plane all the Way! Intel IT OpenStack Journey
Sridhar Mahankali, Cloud Architect, Intel Corporation
Greg Bunce, Automation & Integration Lead, Intel Corporation
Legal Disclaimers
Copyright © 2014 Intel Corporation. All rights reserved
Intel, the Intel logo, Xeon, Atom, and QuickAssist are trademarks of Intel Corporation in the U.S.
and/or other countries.
*Other names and brands may be claimed as the property of others.
All products, computer systems, dates and figures specified are preliminary based on current expectations, and are subject to change without notice. Intel® Advanced Vector Extensions (Intel® AVX)* are designed to achieve higher throughput to certain integer and floating point operations. Due to varying processor power characteristics, utilizing AVX instructions may cause a) some parts to operate at less than the rated frequency and b) some parts with Intel® Turbo Boost Technology 2.0 to not achieve any or maximum turbo frequencies. Performance varies depending on hardware, software, and system configuration and you should consult your system manufacturer for more information. *Intel® Advanced Vector Extensions refers to Intel® AVX, Intel® AVX2 or Intel® AVX-512. For more information on Intel® Turbo Boost Technology 2.0, visit http://www.intel.com/go/turbo
No computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware and/or software optimized to use the technologies. Consult your system manufacturer and/or software vendor for more information.
No computer system can provide absolute security. Requires an Intel® Identity Protection Technology-enabled system, including an enabled Intel® processor, enabled chipset, firmware, software, and Intel integrated graphics (in some cases) and participating website/service. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com/. Consult your system manufacturer and/or software vendor for more information.
No computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware, software and may require a subscription with a capable service provider (may not be available in all countries). Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. Consult your system or service provider for availability and functionality.
No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Xeon® processor E7-8800/4800/2800 v2 product families or Intel® Itanium® 9500 series-based system (or follow-on generations of either.) Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details.
For systems also featuring Resilient System Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel processor and enabled technology(ies). Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details.
For systems also featuring Resilient Memory Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel® processor and enabled technology(ies). Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details.
The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
Requires a system with Intel® Turbo Boost Technology. Intel Turbo Boost Technology and Intel Turbo Boost Technology 2.0 are only available on select Intel® processors. Consult your system manufacturer. Performance varies depending on hardware, software, and system configuration. For more information, visit http://www.intel.com/go/turbo
Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit http://www.intel.com/go/virtualization
Agenda
• Intel IT’s Cloud Transformation & Journey
• Why Intel IT selected OpenStack for its Control Plane strategy
• Intel IT OpenStack Control Plane Status & Plans
• Automation Framework, Workforce Transformation and Call to Action
• Summary
• Q&A
IT’s Cloud Transformation (timeline figure, reconstructed by era)

2000-2009 – Traditional Hosting
• 12% Virtualized
• 90+ Day Provisioning
• Silos of Capacity
• Manual Ticketed Service Request
• Varying Server Reliability

2010 – Mainstream Virtualization
• 42% Virtualized
• 10 day Provisioning
• Pooled Capacity
• Manual Ticketed Service Request
• 99.7% VM Reliability

2012 – Intel Cloud 1.0 Hybrid
• 75% Virtualized
• On Demand Compute
• Segmented Clouds
• Some on demand Request fulfillment
• 99.7-99.9% Availability

2014+ – Cloud 2.0 Converged Cloud
• >75%+ Virtualized
• On Demand Compute, Network, Storage
• Converged Clouds, burst capacity @ 3rd Party
• Full Self Service Request fulfillment
• 99.99% Availability Capable

Environment labels from the figure: Design, Office/Enterprise, Public Physical Hosting, Office Cloud, Public, Office/Enterprise/Services

Intel IT Cloud Environment
Significant changes over past 12-24 months
SaaS
• Very small: limited to specific portfolios
• Big wins in HR apps & activity in CRM and ERP
• Established plan for holistic adoption
• Hosted restricted secret data
• Published SaaS Playbook
PaaS
• Implemented PaaS for Java, .NET + more (CloudFoundry)
• Streamlined app landing process from weeks to days
• New demand from 5-Star
• Open databases gained traction (MySQL, MongoDB)
• Ran “code-a-thons” to train developers to write cloud-aware apps
IaaS
• Evolved from proprietary to open (OpenStack)
• Exceeded 75% virtualized
• Delivered self service compute, storage, network
• Demonstrated burst to public cloud
• Limited consumption of public cloud
• Pioneered DevOps
Approach: Build private cloud & extend to public
Hosting Business Goals
Increase Velocity, Zero Downtime, Grow with Flat Budget
Velocity: <1hr for VMs
Reduce Incidents: Scheduled Downtimes the norm
Sustain Operations
Velocity: Idea to Production in <1 day
Zero Downtime: “Always On” for Apps/Services
Grow with Flat Budget: Increase in Engineer:Server and TB Ratio
Intel IT Cloud History & Future Strategy
2009-2014 – Proprietary Hypervisor + Custom Automation Framework to enable IT’s virtualization & self-service objectives
2014-2016 - OpenCloud transitions to the single Control Plane for both Open (OpenStack), Proprietary, & External Provider Hosting Environments
Strategy:
• Architectural Strategy – We will position Open Cloud as the single orchestration platform controlling and abstracting a heterogeneous infrastructure, thereby simplifying our hosting service and increasing IT’s agility and customer TTM
• Grow OpenCloud – Organically as incremental hosting capacity is brought online, through infrastructure refresh, or customer capability requirements; as OpenStack matures we will seek to evaluate and adopt an enterprise-class distribution
(Figure: timeline from Current to Future)
Why Intel IT selected OpenStack for its Control Plane Strategy
Why Intel IT Selected OpenStack for its IaaS Control Plane
Velocity:
Yields direct control over the capabilities that business demands and is forward-leaning in terms of application / service development, delivery, and operations
Geared toward Agile Methodologies, DevOps, and Continuous Integration / Continuous Delivery (CI/CD) & Deployment
Capability:
OpenStack is an automation platform defined by its APIs
Provide granular on-demand services which seed innovation by satisfying simple-to-complex use cases to deliver at the pace business demands
Efficiency & Quality:
We leverage the same tool-chain used by the OpenStack community for developing, building, validating, and deploying our data center operating system
Single Control Plane Represents Up-Leveling of Consumer Capability
All new VMs are provisioned via common control plane
• Self service Networking, Compute, and Storage
Self-service management of newly provisioned instances
• Stop / Start / Delete VMs
• Snapshot
• Creation / attachment / deletion of volumes
• VM Resizing
• Network Creation & Security Group management
Existing (already provisioned VMs) are also managed via common control plane
• Metadata imported into control plane
• Self service Compute and Storage
Intel IT Control Plane Current Status & Plans
Virtual Hosting Environment Overview (~2011)
(Figure columns: Internet Facing | Internal Facing)

Non Enclave
• Compute: Proprietary Hypervisor, Custom Automation, Proprietary Virtual Switch
• Proprietary Storage
• Physical Network: Shared Networks
• Network Services (LB)

Enclave(s)
• Compute: Proprietary Hypervisor, Manual Provisioning, Proprietary Virtual Switch
• Proprietary Storage
• Physical Network: Network Segmentation
• Network Services (LB, FW)

Enclave (Segmented Compute)
• Compute: Proprietary Hypervisor, Manual Provisioning, Proprietary Virtual Switch
• Proprietary Storage
• Physical Network: Network Segmentation
• Network Services (LB, FW, Web App FW)

Application tiers in the figure: Internet Facing Applications, Internal Facing Applications

OpenStack Based Cloud

Non Enclave
• Compute: KVM, OpenStack Control Plane, OVS
• Open Source Storage
• Physical Network: Shared Networks
• Network Services (LB)

DMZ Enclave
• Compute: KVM, OpenStack Control Plane, OVS + Proprietary Plugin
• Open Source Storage
• Physical Network: Coarse Segmentation
• Network Services (LB, FW, Web App FW)

Control plane APIs in the figure: Nova API (compute), Neutron API (network), Cinder and Swift APIs (storage), Proprietary LB API, Glance API (Image Repository)
Application tiers in the figure: Internet Facing Applications, Internal Facing Applications
Where we are headed in 2014

Non Enclave & Enclave
• Compute: Multiple Hypervisors, OpenStack Control Plane, OVS + Proprietary Plugin, Trusted Compute
• Multiple Storage Solutions
• Physical Network: Coarse Segmentation
• Network Services (LB)

DMZ Enclave
• Compute: Multiple Hypervisors, OpenStack Control Plane, OVS + Proprietary Plugin, Trusted Compute
• Multiple Storage Solutions
• Physical Network: Coarse Segmentation
• Network Services (LB, FW, Web App FW)

Control plane APIs in the figure: Nova API, Neutron API, Cinder and Swift APIs, Proprietary LB API, Glance API (Image Repository), Heat API, Murano API

Abstract Infrastructure and Simplify User Experience
Changing Security Model: Layered Perimeters
Hosting/Datacenter Perimeter
• Control access between DMZ and Public Internet/Private Intranet
• Provides Secure connectivity for internal and external networks
• Terminate “Control plane” Connectivity for off-premise/external hosting
Tenant/Zone Perimeter
• Controls what goes in and out of each zone or tenant
• Administration and manageability
• Network services/Authentication and Authorization
Intra-Zone Segmentation
• Fine/granular segmentation within Zone or Tenant
• Web/App/Database/Cache/Internal load balancing
Design principles: Defense in Depth, Diversity of Enforcement Points, Scale-Out architecture
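On the OpenStack side, the tenant/zone perimeter and the intra-zone segmentation described above are expressed through Neutron security groups, which the earlier slide lists as a self-service operation on the common control plane. The Python script below is an added example, not code from this deck, from Intel IT or from OpenStack: it audits security-group rules, shaped like the records the Neutron security-group-rules API returns, against a tier policy in which the Internet may reach only the web tier on 443 and each inner tier accepts traffic only from the security group of the tier in front of it. The tier names, the policy and the sample rules are constructed for illustration.

```python
"""Audit Neutron-style security group rules against a layered segmentation policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allowed:
    """One permitted ingress flow into a tier: source is a CIDR string or 'sg:<group name>'."""
    source: str
    protocol: str
    port: int


# Hypothetical intra-zone policy: web is the only tier reachable from the Internet (443 only);
# app accepts only from the web group on 8080; db accepts only from the app group on 3306.
POLICY: dict[str, list[Allowed]] = {
    "web": [Allowed("0.0.0.0/0", "tcp", 443)],
    "app": [Allowed("sg:web", "tcp", 8080)],
    "db": [Allowed("sg:app", "tcp", 3306)],
}

# Constructed sample rules, in the field layout of Neutron security-group-rule records.
# 'security_group' holds the group name instead of an id to keep the sample readable.
SAMPLE_RULES: list[dict] = [
    {"security_group": "web", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"security_group": "app", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 8080, "port_range_max": 8080,
     "remote_ip_prefix": None, "remote_group_id": "web"},
    # Violation: database opened to the whole enterprise /8 instead of only the app group.
    {"security_group": "db", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 3306, "port_range_max": 3306,
     "remote_ip_prefix": "10.0.0.0/8", "remote_group_id": None},
    # Violation: "allow all" rule (protocol None means every protocol and port) on the web tier.
    {"security_group": "web", "direction": "ingress", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    # Egress rules are outside this policy and are skipped by the audit.
    {"security_group": "db", "direction": "egress", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]


def _source_covered(rule: dict, allowed: Allowed) -> bool:
    """True if the rule's remote (CIDR or security group) lies within the allowed source."""
    if allowed.source.startswith("sg:"):
        return rule["remote_group_id"] == allowed.source[3:]
    if rule["remote_ip_prefix"] is None:
        return False  # a remote-group rule is never covered by a CIDR allowance
    remote = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    permitted = ipaddress.ip_network(allowed.source, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return remote.version == permitted.version and remote.subnet_of(permitted)


def _ports_covered(rule: dict, allowed: Allowed) -> bool:
    """True if the rule is confined to exactly the allowed protocol and single port."""
    if rule["protocol"] is None or rule["port_range_min"] is None:
        return False  # wildcard protocol or port is never covered by a single-port allowance
    return (rule["protocol"].lower() == allowed.protocol
            and rule["port_range_min"] == rule["port_range_max"] == allowed.port)


def audit(rules: list[dict], policy: dict[str, list[Allowed]]) -> list[str]:
    """Return one finding per ingress rule that no policy entry for its tier covers."""
    findings: list[str] = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue
        tier = rule["security_group"]
        allowances = policy.get(tier)
        if allowances is None:
            findings.append(f"{tier}: no policy defined for this security group")
            continue
        if any(_source_covered(rule, a) and _ports_covered(rule, a) for a in allowances):
            continue
        remote = rule["remote_ip_prefix"] or f"sg:{rule['remote_group_id']}"
        proto = rule["protocol"] or "any"
        ports = ("any" if rule["port_range_min"] is None
                 else f"{rule['port_range_min']}-{rule['port_range_max']}")
        findings.append(f"{tier}: ingress {proto}/{ports} from {remote} not permitted by policy")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, POLICY):
        print(finding)
```

Run against the constructed rules, the audit reports the two rules that break the tiering (the /8 into the database tier and the wildcard on the web tier) and accepts the two that match the policy. Feeding it a real export is a matter of mapping group ids to names before calling audit(); the check itself stays the same.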
Layered Segmentation Design (figure): the Datacenter Perimeter separates the Internet and the Private Enterprise Network from the hosting zones; Dedicated Tenants, a Shared Platform and Shared Infra/Hosting Services each run apps and hosting services as VMs on VMMs, behind a WAF, the Tenant/Zone Perimeter and Intra Zone Segmentation, with Security Services and Infra Services alongside.
Hybrid Cloud Strategy
Smart orchestration layer
• Move apps/data among clouds via policies
• Deliver security, capacity and cost optimization
Two Proof-of-Concepts Underway: Orchestration, Burst
(Figure labels: Public Clouds, Firewall, On Premise, Internal Network Exclave, IaaS, PaaS & DBaaS, App Owner/Developer)
Automation Framework and Workforce Transformation
OpenStack is an Inflection Point for Driving Cultural, Workforce, & Business Transformation
Acknowledge and act upon these dimensions:
• Team Structure / Composition: T-shaped resources, unicorns
• Software Engineering Processes: Waterfall → Agile
• Workforce Transformation: Process, tool-centric → Software Engineering, large scale systems administration
• Support Models: L1, L2, L3 → DevOps (where applicable)
• Metrics scorecard: RED is good!
• Release & Quality Assurance: Human → Automation
(Figure – Frameworks: Tools, Methods, & Support: Release Engineering, Test Automation, Continuous Delivery, Continuous Integration; Teams: Scrum / SoS, WFT, Service Management, DevOps, UX)
Actually Automating Deployment
Source: http://docs.openstack.org/
Our cloud architecture is a complex set of interdependent components that would normally all require manual setup to create a new cloud or modify an existing one.
How do we avoid that to…
… allow continuous improvement of the system?
… instantly create clouds for new demands?
Automating Infrastructure Deployment
Continuous Integration and Delivery Require Automated Infrastructure Deployment
We utilize a set of deployment tools to automatically deploy and configure OpenStack-based clouds.
• Facilitates a repeatable deployment of all infrastructure components.
• Reduces the amount of time it takes to deploy a new cloud from weeks to hours.
• Produces mirrored environments that guarantee QA & Integration environments faithfully represent the potential future state of production.
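The third point, that QA and Integration faithfully mirror production, is only a guarantee if something fails when the environments drift apart. The Python script below is an added example, not code from this deck or from any deployment tool it uses: it flattens two deployment manifests into dotted paths and reports every value that differs, except for paths declared as legitimate per-environment overrides (hostnames, management addresses, node counts). The manifest layout, the override list and both sample manifests are constructed assumptions.

```python
"""Parity check between a reference (production) and a candidate (QA) deployment manifest (added example)."""
from __future__ import annotations

import json

# Constructed manifests in a hypothetical layout; real tooling would export its own.
PROD = {
    "openstack": {"release": "icehouse"},
    "controller": {"hostname": "ctl-prod-01", "mgmt_ip": "10.10.0.5"},
    "compute": {"hypervisor": "kvm", "node_count": 200},
    "network": {"plugin": "ml2", "mechanism_drivers": ["openvswitch"], "ovs_version": "2.1.3"},
    "storage": {"cinder_backend": "ceph", "swift": True},
}
QA = {
    "openstack": {"release": "icehouse"},
    "controller": {"hostname": "ctl-qa-01", "mgmt_ip": "10.20.0.5"},
    "compute": {"hypervisor": "kvm", "node_count": 4},
    "network": {"plugin": "ml2", "mechanism_drivers": ["openvswitch"], "ovs_version": "2.1.2"},
    "storage": {"cinder_backend": "lvm"},
}

# Dotted paths that are expected to differ between environments and are therefore not drift.
ALLOWED_OVERRIDES = {"controller.hostname", "controller.mgmt_ip", "compute.node_count"}


def flatten(tree: dict, prefix: str = "") -> dict[str, str]:
    """Flatten nested dicts into dotted paths; leaves are JSON-encoded so lists compare by content."""
    flat: dict[str, str] = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = json.dumps(value, sort_keys=True)
    return flat


def drift(reference: dict, candidate: dict, allowed_overrides: set[str]) -> list[str]:
    """Return one finding per path that differs or is missing on either side, sorted by path."""
    ref, cand = flatten(reference), flatten(candidate)
    findings: list[str] = []
    for path in sorted(set(ref) | set(cand)):
        if path in allowed_overrides:
            continue
        if path not in cand:
            findings.append(f"{path}: present in reference, missing in candidate")
        elif path not in ref:
            findings.append(f"{path}: present in candidate, missing in reference")
        elif ref[path] != cand[path]:
            findings.append(f"{path}: reference={ref[path]} candidate={cand[path]}")
    return findings


if __name__ == "__main__":
    problems = drift(PROD, QA, ALLOWED_OVERRIDES)
    for problem in problems:
        print(problem)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

With the constructed manifests the check flags the Open vSwitch version mismatch, the different Cinder backend and the missing Swift service, while the hostname, address and node-count differences pass as declared overrides. Wired into the CI stage before the QA sign-off, a non-zero exit stops a release from being validated on an environment that no longer represents production.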
(Figure: continuous delivery pipeline with a CI stage and a “QA Team signs off!” gate. Source: http://puppetlabs.com/blog/continuous-delivery-vs-continuous-deployment-whats-diff)
Infrastructure CI is ultimately MaaS++
We have three primary infrastructure use-cases for MaaS:
1. Provision and manage IT infrastructure (cloud infrastructure initially, more later)
2. On-demand self-service consumer provisioning and management of IT hosted infrastructure (end-user is able to provision physical devices just as they would provision virtual) for workloads which demand it
3. Management and provisioning of non-IT managed infrastructure in hardware and software lab settings (we provide the capability, they run their business)
(Figure: Current State to Future State)
Intel Information Technology
Intel Confidential – for internal use only
Wrap Up & QA
2014 Focus Areas
Rolling Upgrades – no tenant downtime for resources or services
Connection into ALL existing infrastructure – Single Control Plane
Disaster Recovery between sites for VM tenants
Restart of VM when host fails
Hybrid Cloud enabled through Horizon
Use OpenStack to do traditional work – BaR, Bare Metal Provisioning, LB, FW, and more
Use OpenStack to replace internal code – DBaaS, LBaaS
Summary
Our Direction = Federated, Interoperable and Open Cloud
Strong success with our Enterprise Private Cloud (Gen1)
Open Cloud (Gen2) in production
Single Control Plane simplifies our hosting environment
OpenStack Control Plane provides a compelling ‘glide path’ to our end-state vision
Changes required to run cloud at scale
Culture
Skills
Business processes
Technology