jinho-shin
Nova
OpenStack Study 3rd
Cloud Development Team, Jinho Shin
Installations
On Controller Node
# yum install nova-api nova-cert nova-conductor nova-consoleauth nova-novncproxy nova-scheduler python-novaclient
On Compute Node
# yum install nova-compute
Where is nova-network!!!? What is cert? novncproxy?
OpenStack Icehouse
Components
[Diagram, shown in several builds: nova-novncproxy, nova-cert, nova-consoleauth, nova-network, nova-api-metadata, nova-api, nova-conductor, nova-scheduler, nova-compute, queue, database. One build adds Neutron next to nova-network and nova-api-metadata; the last build keeps only nova-api, nova-conductor, nova-scheduler, nova-compute, queue and database.]
Components > nova-api
HTTP Web Service!
Accepts & responds to user’s Compute API calls.
Supports OpenStack Compute API, Amazon EC2 API, Admin API.
Initiates orchestration activities.
POST /v2/{tenant_id}/servers/{server_id}/action
Components > nova-api
POST /v2/{tenant_id}/servers
Request Body
{
    "server": {
        "name": "server-test-1",
        "imageRef": "b5660a6e-4b46-4be3-9707-6b47221b454f",
        "flavorRef": "2",
        "max_count": 1,
        "min_count": 1,
        "networks": [
            {
                "uuid": "d32019d3-bc6e-4319-9c1d-6722fc136a22"
            }
        ],
        "security_groups": [
            {
                "name": "default"
            },
            {
                "name": "another-secgroup-name"
            }
        ]
    }
}
202 Accepted
Response Body
{
Components > nova-conductor
Database Proxy!
Acts as an intermediary between the compute nodes and the database.
Components > nova-conductor
Why?
Auditing database operations, revoking access privileges.
That’s Difficult!
They host tenant instances.
Compute nodes are the least trusted of the services in OpenStack.
Components > nova-conductor
They strongly recommend:
• Be isolated to a management network.
• Use SSL.
• Create unique user accounts per service endpoint.
• Restrict services to executing with parameters, …
• Prevent directly accessing or modifying.
Unfortunately, it complicates fine-grained access control and auditing of data access.
Because it focuses on improving security, effectively modifying.
Components > nova-conductor
-> Compute nodes are the least trusted of the services in OpenStack, because they host tenant instances.
-> Do not deploy it on Compute Nodes.
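One way to check a compute node against the two points above, as an added example that is not part of the original slides. It assumes the Icehouse-era nova.conf options `[database] connection` and `[conductor] use_local`; the function name, the sample configs and the caller-supplied service list are hypothetical.

```python
import configparser

# Constructed sample: nova.conf from a hypothetical compute node.
SAMPLE_COMPUTE_CONF = """
[DEFAULT]
rpc_backend = rabbit

[database]
connection = mysql://nova:NOVA_DBPASS@controller/nova

[conductor]
use_local = true
"""

# Constructed sample: the same node with database access removed.
SAMPLE_HARDENED_CONF = """
[DEFAULT]
rpc_backend = rabbit

[conductor]
use_local = false
"""


def audit_compute_node(conf_text, running_services):
    """Return findings showing that a compute node can bypass nova-conductor."""
    # interpolation=None so '%' characters in passwords do not break parsing.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    findings = []
    # Database credentials on a compute node give a compromised host
    # direct access to the database, without going through the proxy.
    if cfg.get("database", "connection", fallback="").strip():
        findings.append("database connection string present in nova.conf")
    # use_local = true makes nova-compute do the conductor's database work
    # in-process instead of sending it over the queue.
    if cfg.getboolean("conductor", "use_local", fallback=False):
        findings.append("[conductor] use_local is enabled")
    # nova-conductor must not be co-located with tenant instances.
    if "nova-conductor" in running_services:
        findings.append("nova-conductor is running on a compute node")
    return findings
```
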
Components > nova-conductor
[Diagram: nova-api, nova-conductor, nova-scheduler, nova-compute, queue, database; arrows labeled push and pop.]
Components > nova-scheduler
Scheduler!
Takes VM requests from the queue.
Determines on which compute node host each one runs.
Components > nova-scheduler
[Diagram: Create Instance. nova-scheduler takes the request from the queue and determines which of nova-compute1, nova-compute2 and nova-compute3 gets the NEW Instance; Instance B is also shown. Other boxes: nova-api, nova-conductor, mysql.]
Components > nova-compute
Worker Daemon!
Creates and terminates VMs through hypervisor APIs, such as Xen, QEMU, KVM, VMware, ….
It supports multiple hypervisors because it has an abstraction layer, the driver.
Components > nova-compute
[Diagram: nova-compute as Compute Agent (KVM) on top of libvirt and KVM, running VMs; nova-compute as Compute Agent (Hyper-V) on top of Hyper-V, running VMs; nova-scheduler in front of nova-compute, whose abstraction layer (driver) sits on any hypervisor running VMs.]
Components > nova-compute
[Diagram: VM launch. Boxes: nova-api, nova-conductor, nova-scheduler, nova-compute, queue, database, hypervisor, VM; arrows labeled takes and determines.]
Components > nova-compute
[Diagram: numbered request flow between Horizon or CLI, keystone, Glance, Neutron and Cinder.]
In more detail…
Provisioning Instance
Links
• Deprecation of Nova Network
  – http://docs.openstack.org/openstack-ops/content/nova-network-deprecation.html
• Compute service
  – http://docs.openstack.org/icehouse/install-guide/install/apt/content/compute-service.html
• Chapter 33. Database access control
  – http://docs.openstack.org/security-guide/content/ch042_database-overview.html
• VNC console proxy
  – http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html
• EC2 compatibility API
  – http://docs.openstack.org/admin-guide-cloud/content/instance-mgmt-ec2compat.html
• nova-cert
  – http://docs.openstack.org/developer/nova/man/nova-cert.html
• Laurent Luce's Blog > OpenStack Nova internals of instance launching
  – http://www.laurentluce.com/posts/openstack-nova-internals-of-instance-launching/
• Request Flow for Provisioning Instance in Openstack
  – http://ilearnstack.com/2013/04/26/request-flow-for-provisioning-instance-in-openstack/
Next Week…
• nova-compute
  – driver
  – hypervisor support matrix
  – …
• nova-scheduler
  – filters
  – host aggregates
  – …
• availability zone
• initialization of a cloud instance
  – cloud-init
  – file injection
• migration
  – migrate instances
EOF