Build an Open Source PaaS with Red Hat's OpenShift and OpenStack Dan McPherson @danmcp Red Hat 10.15.12


Page 1: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Dan McPherson @danmcp

Red Hat 10.15.12

Page 2: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenStack – Build your own Cloud w/ Open Source

● Nova – Compute

● Glance – Image Storage

● Swift – Storage

● Keystone – Identity

● Dashboard (Horizon) – User Interface

● Quantum – Networking

Page 3: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenStack Releases

● Diablo - First 'production' release (v1.0)

● Essex – I can actually install it (v2.0)

● Folsom - Just released (v3.0)

● Grizzly - April 2013

Page 4: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenStack Essex and Fedora 17

● http://fedoraproject.org/wiki/Getting_started_with_OpenStack_on_Fedora_17

# Initialise the Nova and Glance databases, then start the message bus and libvirt
sudo openstack-db --service nova --init
sudo openstack-db --service glance --init
sudo systemctl start qpidd.service && sudo systemctl enable qpidd.service
sudo systemctl start libvirtd.service && sudo systemctl enable libvirtd.service
for svc in api registry; do sudo systemctl start openstack-glance-$svc.service; done
for svc in api registry; do sudo systemctl enable openstack-glance-$svc.service; done

# Sparse 20 GB backing file for the nova-volumes LVM volume group
sudo dd if=/dev/zero of=/var/lib/nova/nova-volumes.img bs=1M seek=20k count=0
sudo vgcreate nova-volumes $(sudo losetup --show -f /var/lib/nova/nova-volumes.img)
sudo openstack-config --set /etc/nova/nova.conf DEFAULT libvirt_type qemu
sudo setsebool -P virt_use_execmem on
for svc in api objectstore compute network volume scheduler cert; do sudo systemctl start openstack-nova-$svc.service; done
for svc in api objectstore compute network volume scheduler cert; do sudo systemctl enable openstack-nova-$svc.service; done

# Keystone: random admin token, credentials file, service start and sample data
sudo openstack-db --service keystone --init
TOKEN=$(openssl rand -hex 10)
cat > ~/keystonerc <<EOF
export ADMIN_TOKEN=$TOKEN
export OS_USERNAME=admin
export OS_PASSWORD=verybadpass
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
export SERVICE_TOKEN=$TOKEN
EOF
source ~/keystonerc
sudo openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
sudo systemctl start openstack-keystone.service && sudo systemctl enable openstack-keystone.service
sudo ADMIN_PASSWORD=$OS_PASSWORD SERVICE_PASSWORD=servicepass openstack-keystone-sample-data
keystone user-list

# Point Nova at Keystone for authentication
sudo openstack-config --set /etc/nova/api-paste.ini filter:authtoken admin_tenant_name service
sudo openstack-config --set /etc/nova/api-paste.ini filter:authtoken admin_user nova
sudo openstack-config --set /etc/nova/api-paste.ini filter:authtoken admin_password servicepass
sudo openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
for svc in api compute; do sudo systemctl restart openstack-nova-$svc.service; done

# Point Glance (API and registry) at Keystone
sudo openstack-config --set /etc/glance/glance-api.conf paste_deploy flavor keystone
sudo openstack-config --set /etc/glance/glance-registry.conf paste_deploy flavor keystone
sudo openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_tenant_name service
sudo openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_user glance
sudo openstack-config --set /etc/glance/glance-api-paste.ini filter:authtoken admin_password servicepass
sudo openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_tenant_name service
sudo openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_user glance
sudo openstack-config --set /etc/glance/glance-registry-paste.ini filter:authtoken admin_password servicepass
sudo systemctl restart openstack-glance-api.service
sudo systemctl restart openstack-glance-registry.service

# Network, SSH keypair, dashboard, then upload an image and boot a server
sudo nova-manage network create demonet 10.0.0.0/24 1 256 --bridge=demonetbr0
sudo modprobe nbd
nova keypair-add mykey > oskey.priv
chmod 600 oskey.priv
sudo systemctl restart httpd.service
sudo systemctl enable httpd.service
sudo setsebool -P httpd_can_network_connect=on
curl -O http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2
glance add name=f16-jeos is_public=true disk_format=qcow2 container_format=bare < f16-x86_64-openstack-sda.qcow2
nova boot myserver --flavor 2 --key_name mykey --image $(glance index | grep f16-jeos | awk '{print $1}')

Page 5: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Building an Image with OpenShift Origin

● http://www.krishnaraman.net/openshift-origin-on-openstack/

● yum install -y --enablerepo=updates-testing oz

● Create your tdl (example in the link above)

● sudo oz-install -d4 -u openshift.tdl

● qemu-img convert -O qcow2 /var/lib/libvirt/images/openshift_origin.dsk origin-base.qcow

● glance add name="origin-base" is_public=true container_format=bare disk_format=qcow2 < origin-base.qcow

Page 6: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Fedora 18 – OpenShift Origin and OpenStack

● http://fedoraproject.org/wiki/Features/OpenShift_Origin

● http://fedoraproject.org/wiki/Features/OpenStack

Page 7: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenStack – What's Missing/Weaknesses

● Load Balancing

● Billing/Metering

● Monitoring

● Account Maintenance

● Orchestration

● DNS

● ...

Page 8: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenStack – What Matters

● Yes OpenStack has been and is still a little rough around the edges.

● But that's not what really matters

● Open Source and Mind Share

● http://www.openstack.org/community/

● http://www.openstack.org/foundation/companies/

Page 9: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 10: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenShift Origin

Page 11: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Time to level set

Page 12: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Rule #1: IaaS != PaaS

IaaS focus is on VM's

PaaS focus is on Applications

Page 13: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Rule #2: PaaS is not a

Page 14: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Self-service environments

Varied, volatile workloads

Polyglot environments

Standard deployments

Page 15: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Rule #3: PaaS is about developers

AND OPERATIONS!!

Page 16: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 17: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Rule #4: Be ready to learn

Page 18: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

{
  summary : "What Developers Expect",
  language : ['ruby', 'python', 'java', 'node.js', 'perl'],
  scaling : 'automagic',
  extensible : true,
  continuous_integration : true
}

Page 19: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Name: ops-expectations
Summary: What Operations Expects
Require: Multi-tenancy
Require: Familiar installation

%post
echo "configuration=sane" > /etc/my.conf

Page 20: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Multi-tenancy?

Page 21: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 22: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 23: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

SHOW ME MORE!

Page 24: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Define an Application

Runtime Requirements (Cartridges)

Code

Page 25: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Creating an App

$ rhc domain create -n mydomain -l mylogin
$ rhc app create -a myapp -t ruby-1.9
$ curl https://myapp-mydomain.rhcloud.com
$ rhc app cartridge add -a myapp -c mysql-5.1

Page 26: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

What do you get?

A slice of a server

Shell access

DNS name

Private GIT repository

Continuous Integration

Page 27: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

How does this all work?

Page 28: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Anatomy of a PaaS

Broker

Nodes

Page 29: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 30: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

SELinux

Kernel Namespaces

Linux Control Groups

Bind Mounts

The Container Model

Page 31: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Multiple Instances of Cartridges

Communication Between Gears

Load Balancing

Code Deployments

Scaling with Gears

Page 32: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Community Cartridges

Quick-starts

Custom DNS Plugins

Security Policies

Custom Auth Plugins

Extending OpenShift

Page 33: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

LXC

Page 34: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

SELinux

Page 35: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 36: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

The Present...

Page 37: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack
Page 38: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

PaaS Demands a New Security Model

The traditional discretionary access control (DAC) model is too complicated in a PaaS environment. Whitelisting the expected function and blocking everything else is much safer. This is Mandatory Access Control (MAC). This is SELinux!

Page 39: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Baby Steps

Page 40: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Step 1 - Unlearn this

$ setenforce 0

You know who you are...

Page 41: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Step 2 - Learn the 'Z'

$ ls -lZ
drwxr-xr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 about_me
-rwxrwxr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 config.ru
drwxr-xr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 experimental
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 Gemfile
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 Gemfile.lock
drwxrwxr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 public
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 README.md
drwxrwxr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 running_paas
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 script.js
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 showoff.json
-rw-rw-r--. danmcp danmcp unconfined_u:object_r:user_home_t:s0 styles.css
drwxr-xr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 title
drwxrwxr-x. danmcp danmcp unconfined_u:object_r:user_home_t:s0 tmp

Page 42: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Step 2 - Learn the 'Z' (cont.)

$ ps -eZ
LABEL                                                 PID TTY      TIME     CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9542 pts/2   00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9609 pts/2   00:00:00 ps -eZ

Page 43: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

SELinux Contexts

unconfined_u:object_r:user_home_t:s0 => user:role:type:level

User: Identity known to the policy authorized to a specific set of roles and a specific MCS (Multi Category Security) level range

Role: Determines what domains can be entered which ultimately determine which object types can be accessed

Type: Type determines a domain for processes and a type for files. Policies determine how domains can access each other: either a domain accessing a type or a domain accessing another domain.

Level: Written in long form as sensitivity:category-set. Ex: s0-s0:c0.c1023 (gives access to all 1024 categories within sensitivity 0). This is the key to dynamic multi-tenancy!

Page 44: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Mapping User to MCS Levels

$ id -u user1
500

$ ls -lZ
drwxr-xr-x. root user1 system_u:object_r:libra_var_lib_t:s0:c0,c500 app-root
drwxr-xr-x. root root  system_u:object_r:libra_var_lib_t:s0:c0,c500 git
drwxr-xr-x. root root  system_u:object_r:libra_var_lib_t:s0:c0,c500 jbossas-7

$ ps -eZ
system_u:system_r:libra_t:s0:c0,c500 28656 ? 00:00:00 standalone.sh
system_u:system_r:libra_t:s0:c0,c500 28703 ? 00:00:16 java

Page 45: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Having trouble?

$ grep -r "denied" /var/log/audit/audit.log

See results? If so, SELinux is blocking something...
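The context fields and MCS level rule from the previous slides, together with the audit.log check above, as an added Python example (not from the deck and not OpenShift's code): it parses contexts, expands category sets such as c0.c1023 and c0,c500, applies the dominance rule, and uses it to tell a cross-gear category mismatch from an ordinary type-enforcement denial in constructed AVC lines. The uid-to-label pairing mirrors only the slide's uid 500 example and is an assumption, not OpenShift's real mapping.

```python
import re

# A context is user:role:type:level; the level is sensitivity[-sensitivity][:categories],
# with categories written as a range (c0.c1023) or a list (c0,c500).
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")
AVC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\}.*?scontext=(\S+)\s+tcontext=(\S+)")

def parse_context(ctx):
    """'unconfined_u:object_r:user_home_t:s0' -> dict of the four fields."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def categories(level):
    """'s0-s0:c0.c1023' -> {0..1023}; 's0:c0,c500' -> {0, 500}; 's0' -> set()."""
    high = level.split("-")[-1]          # high end of a low-high range
    cats = set()
    if ":" in high:
        for lo, hi in CAT_RE.findall(high.split(":", 1)[1]):
            cats.update(range(int(lo), int(hi or lo) + 1))
    return cats

def dominates(subject_level, object_level):
    """MCS rule: the subject's category set must be a superset of the object's."""
    return categories(subject_level) >= categories(object_level)

def gear_label(uid):
    # Assumption: mirrors the slide's uid 500 -> s0:c0,c500 pairing only, not OpenShift's algorithm.
    return "s0:c0,c%d" % uid

def classify_denial(line):
    """'mcs' when the subject's categories do not cover the target's (one gear
    reaching into another), 'type-enforcement' otherwise, None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    subj, targ = parse_context(m.group(1)), parse_context(m.group(2))
    return "mcs" if not dominates(subj["level"], targ["level"]) else "type-enforcement"

# Constructed sample audit.log lines (not captured from a real system).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1350000000.123:45): avc:  denied  { read } for  pid=28703 '
    'comm="java" name="git" scontext=system_u:system_r:libra_t:s0:c0,c500 '
    'tcontext=system_u:object_r:libra_var_lib_t:s0:c0,c501 tclass=dir',
    'type=AVC msg=audit(1350000000.456:46): avc:  denied  { write } for  pid=28703 '
    'comm="java" name="shadow" scontext=system_u:system_r:libra_t:s0:c0,c500 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]
```

Running `classify_denial` over each line of SAMPLE_AUDIT labels the first denial "mcs" (gear 500 touching gear 501's directory) and the second "type-enforcement" (libra_t is simply not allowed to write shadow_t).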

Page 46: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Still Stuck?

http://fedoraproject.org/wiki/SELinux

Page 47: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Building and Hosting OpenShift Origin

● https://openshift.redhat.com/community/wiki/build-multi-node-paas-from-scratch

Page 48: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

OpenShift Origin

Demo!!!

Page 49: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Lessons Learned

● You can install OpenStack on your laptop, but I can't think of why you would.

● OpenStack inside a VM running instances doesn't demo very well. Nothing to do with OpenStack of course.

● Demoing something running on OpenStack doesn't make OpenStack look all that interesting.

● No one wants to watch an image be created.

● Requires lots of pausing in a pre-recorded video to make it appear seamless

Page 50: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Next Steps...

Download the LiveCD

https://openshift.redhat.com/community/open-source/download-origin

Join the Forums

https://openshift.redhat.com/community/open-source

Join the Mailing Lists

http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Find us on IRC Freenode #openshift-dev

Page 51: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

Attributions

Page 52: Build an Open Source PaaS with Red Hat's OpenShift and OpenStack

● Silver Bullet (http://bit.ly/IKkt2y)

● Old Car (http://bit.ly/JFZfpx)

● Fancy Car (http://bit.ly/IyfWxz)

● Japanese Walls (http://tinyurl.com/3ucrjjn)

● Norad (http://tinyurl.com/3ozcnyk)

● Happy Cloud (http://tinyurl.com/cobq2k)

● Mess of Wires (http://bit.ly/JNGXAQ)

● Napping worker (http://bit.ly/KifDbx)

● Toolbelt (http://bit.ly/JsVsdG)

● All images found using Creative Commons Search