A Scalable Approach to Deploying and Managing Appliances

A Scalable Approach to Deploying and Managing Appliances

Kate Keahey

Rick Bradshaw, Narayan Desai, Tim Freeman

Argonne National Lab, University of Chicago

06/05/07, TeraGrid 2007 http://workspace.globus.org

Environmental Problem

• Complexity

• Consistency

?


Providers and Consumers

Resource provider Resource consumers

Has a limited number of resourcesWant the resources when they

need them & as much as they need

Has to balance the softwareneeds of multiple users

Want to use specificsoftware packages

Has to provide a limited executionenvironment for security reasons

Wants as much controlas possible over resources


Changing the Question

Let’s see what’s availableand adapt my problem

to use it

Here is the environment I need to solve my problem-- deploy it on the Grid

Can we provide the middleware that will enable this change of approach?


Virtual Workspaces Dynamically overlay a required environment over

resources in the Grid Configuration and Information

Configuration management, e.g., Bcfg2, Pacman Issues: How do I express what I want? How long will it take to

install? How reliably will it provide the required environment?

Virtual Machines Xen, VMware, etc. Develop and test locally, deploy globally Short deployment times

Paper: “Quality of Service and Quality of Life in the Grid”


Virtual Machines: The Good News Quality of Life

A user can provision a pre-configured customized and consistent environment across the Grid

The site does not need to understand user’s environment needs in detail

The site can provision environments in a cost-effective manner

And many other fine properties… Quality of Service

Fine-grained enforcement Performance isolation

Convenient serialization Suspend/resume For more see http://workspace.globus.org


Virtual Machines: The Bad News

In order to run in the Grid a user now has to provide an image…

A site administrator now has to maintain potentially many more platforms than before…

How will the management of all these images scale?

If a user-provided image were to be deployed, how can it be integrated with its deployment context?


To Have a Cake and Eat It Too…

Get someone else to configure the image for me…Someone I could trust…Hopefully they can also manage it for me…Assuming I find such a person, how can I adaptthis image to actually work with my site?

provider


To Have a Cake and Eat It Too…

Get someone else to configure the image for me…Someone I could trust…Hopefully they can also manage it for me…

Assuming I find such a person, will I be able to login to those image?

client


Overview

Virtual Appliances Configuring for contextualization

Example Appliance Configuration and Management Appliance Deployment Conclusions


Virtual Appliances Environment to support a specific set of applications Can be automatically adapted to many different

deployment contexts Examples of contextualization:

IP address IP adresses of critical services Ssh keys Security certificates

VM Image

ContextIP addressSSH keys

etc.


Overall Approach

Appliance Producer

ApplianceDeployment

build an appliance

update an appliance

manage appliance deployment

Appliance Management

A

A’


Applicance Contextualization(Preparation)

contextualization agent

Contextualization template

IP address

signed by provider to have properties XYZ

certificate


Appliance Contextualization(Deployment)

delivery method

Contextualization template

IP address: 192.168.7.1

etc.

Validate signature: do we have properties XYZ ?


Example: Virtual Cluster Torque cluster

Assign IP addresses Create accounts Name resolution ssh/scp keys for the

nodes Torque configuration

files The configuration

template is consumed by self-contained Bcfg2 agent inside the VM

<Parameters> <Param name='DNSServer'> <List> <Item value='192.168.1.2'/> <Item value='192.168.1.3'/> </List> </Param> <Param name='nodenames'> <List> <Item value='192.168.7.1'/> <Item value='192.168.7.2'/> <Item value='192.168.7.3'/> <Item value='192.168.7.4'/> </List> </Param>

<Param name='users'> <List> <Item name='user1' value='sad8hgewjnb'/> <Item name='user2' value='saasd2sjnb'/> </List> </Param></Parameters>


Appliance Provider Software

Incremental construction Versioning Describe capabilities

Xen? Vmware?

Testing of appliances Maintenance

Security RSS feed Bugtraq, US-CERT Security

Advisories

Attestation and signing Automation is important!

SL3

OSG TeraGrid

STAR CCSM… …

SL4 …


Appliance Provider Software Bcfg2

Incrementally constructed configuration profiles E.g., OS, security services, application

Node analysis capabilities Supplied with many Linux distributions http://trac.mcs.anl.gov/projects/bcfg2

rPath Recipe-style configuration

Create a project, choose packages, “cook”, build the software appliance

Freely available online Many appliances available, integrated with EC2 http://www.rpath.com/rbuilder/


Appliance Deployment Matching appliances to resources

What VMM? What kernels? Etc. Secure admission of appliances

Validate signature Admission policies and workspace assertions

E.g., no root access, configuration and versioning assertions

SC05 Poster: “Making your workspace secure: establishing trust with VMs in the Grid”

Contextualization Providing contextualization information Secure delivery Host certificates, virtual clusters, etc.


The Workspace Service

Poolnode

Poolnode

Poolnode

Poolnode

Poolnode

Poolnode

Poolnode

Poolnode

(1) The workspace service allows users to dynamically deploy and manage VMs on a pool of nodes

(2) A Workspace is deployed based on (a) image + meta-data and (b) resource allocation

(3) Access is determined based on attribute authorization, image validation work in progress

(4) Contextualization:- Multiple methods of IP address assignment- Host certificates- Personalization work in progress

VWSService


Contextualization and Delivery The deployment software will rely on a range of services

Certificate authorities, IP management, etc. Existing contextualization agents

DHCP Workspace DHCP delivery method

Ad hoc methods E.g., current workspace tools, configuring certificates, etc.

Configuration tools Needed for application-specific tools

Delivery methods Kernel parameters Secure communication over the network Files


Appliance Layers Layered Appliance

A set of interdependent layers

Appliance layers Less data needs to travel More flexible Faster deployment Trust management

Collaborative aspects of configuration

System Layer

Customization Layer

Application Layer

VO Layer


New Roles

Appliance Producer

(Virtual Organization)

ApplianceDeployer

(Resource Providers)

build an appliance

update an appliance

manage appliance deployment


Conclusions Virtualization has the potential to allow providers

to reach more users Flexibility, fast turnaround, etc. Examples: EC2 and others

Configuration management is increasing in importance important Configuration for the masses… We have the methods, but they need to be adapted

The role of VOs will grow VO administrators trusted by the sites VO security procedures


Credits

Workspace team Tim Freeman, Borja Sotomayor

Bcfg2 Rick Bradshaw, Narayan Desai

Thanks to Brett Adam, Ian Foster, Frank Siebenlist,

Ravi Subramaniam, Marty Wesley

Technology

A Scalable Approach to Deploying and Managing Appliances