HEPiX Virtualisation working group, Andrea Chierici, INFN-CNAF, Workshop CCR 2010

Outline
- Introduction
- Working assumptions
- Sub-tasks description
- References and links
Andrea Chierici, CCR Workshop

Introduction
The objective is to enable virtual machine images created at one site to be used at other HEPiX (and WLCG) sites. Agreement is required on how images
- are generated securely and with traceability
- are transmitted securely and efficiently
- can be expired/revoked if necessary
- can be customised to meet individual site requirements (contextualisation)
- can be used with different hypervisors

Working assumptions
- Images are generated by some authorized or trusted process
  - Some sites may accept “random” user-generated images, but most won’t
  - No root access by the end user during image generation
- Images are “contextualized” to connect to the local site workload management system
  - But at least one site (other than CERN…) is interested in seeing images connect directly to the experiment workload management system
  - The recipient site controls how the “payload” ends up in the image

Generation (1)
The security-related policy requirements for the generation and endorsement of trusted virtual machine (VM) images for use on the Grid have already been defined. The aim is to enable Grid Sites to trust and instantiate endorsed VM images that have been generated elsewhere.

Generation (2)
Endorser:
- Confirms that a particular complete VM image has been produced according to the requirements of the policy
- States that the image can be trusted
An Endorser should be one of a limited number of authorised and trusted individuals appointed either by a VO or a Site.
- The appointing VO or Site must assume responsibility for the actions of the Endorser and must ensure that he/she is aware of the requirements of the policy.

Virtual Machine Image Catalogue
The VMIC records details of virtual machine images distributed to the sites to be run on the site’s local hardware.
- Gives sites a central point of control over the images run at their site
- Provides a mechanism to control (trust) who may subscribe images to the site, and to block images that are deprecated for some reason

Endorsed vs approved
Endorsed (endorser decision):
- Role defined in the policy document
- Scope: VMI production & maintenance
Approved (site decision):
- Marks the VMI “valid for use” by the site
- Scope: operating the VMI
For a VMI to run, it must be both:
- Endorsed by an endorser (i.e. part of the endorsed VMIC)
- Approved by the local site

Transmission
Recommendation for basic transport protocol(s) to be supported
- Prescriptive for sites wishing to generate images
Current model is “tagged images” distributed in a manner akin to the mechanism used for VO software today
Proposal for optional protocols to improve transmission efficiency
- E.g. transmission of only the differences w.r.t. a reference image
- Interested in protocols such as BitTorrent
Will not comment on intra-site image transmission

Expiry & Revocation
Status a little unclear
“Image Revocation List” à la CRL?
- Technical proposal required
Image endorsers are required to revoke images in case of security issues and the like
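The decision rule spread over the Generation (2), VMIC, Endorsed vs approved and Expiry & Revocation slides, as an added example (not code from the working group): an image may be instantiated only if its VMIC record comes from a trusted endorser, the image bytes match the endorsed digest, it is neither revoked nor expired, and the local site has approved it. The catalogue schema, digest pinning, endorser names and dates are constructed assumptions.

```python
import hashlib
from datetime import date


def _digest(data: bytes) -> str:
    """SHA-256 of the image bytes; assumed here as the way a VMIC record pins the endorsed image."""
    return hashlib.sha256(data).hexdigest()


# Constructed VMIC entries (assumed schema): image id -> endorsement record.
VMIC = {
    "sl5-wn-1.2": {"endorser": "alice@vo-a", "sha256": _digest(b"image 1.2"), "expires": date(2011, 6, 30)},
    "sl5-wn-1.1": {"endorser": "alice@vo-a", "sha256": _digest(b"image 1.1"), "expires": date(2011, 6, 30)},
    "sl5-wn-2.0": {"endorser": "bob@site-x", "sha256": _digest(b"image 2.0"), "expires": date(2011, 6, 30)},
    "user-img": {"endorser": "mallory@nowhere", "sha256": _digest(b"user"), "expires": date(2011, 6, 30)},
}
TRUSTED_ENDORSERS = {"alice@vo-a", "bob@site-x"}  # endorsers appointed by a VO or a site (endorser decision)
SITE_APPROVED = {"sl5-wn-1.2", "sl5-wn-1.1"}      # this site's "valid for use" list (site decision)
REVOKED = {"sl5-wn-1.1"}                          # CRL-like image revocation list


def may_instantiate(image_id: str, image_bytes: bytes, today: date) -> tuple:
    """Return (allowed, reason). Every check must pass; the first failing one is reported."""
    rec = VMIC.get(image_id)
    if rec is None:
        return False, "not in VMIC"
    if rec["endorser"] not in TRUSTED_ENDORSERS:
        return False, "endorser not trusted"
    if _digest(image_bytes) != rec["sha256"]:
        return False, "digest mismatch"          # image differs from the one that was endorsed
    if image_id in REVOKED:
        return False, "revoked"
    if today > rec["expires"]:
        return False, "expired"
    if image_id not in SITE_APPROVED:
        return False, "not approved by site"     # endorsed, but this site has not marked it valid for use
    return True, "endorsed and approved"


if __name__ == "__main__":
    samples = [("sl5-wn-1.2", b"image 1.2"), ("sl5-wn-1.1", b"image 1.1"), ("sl5-wn-2.0", b"image 2.0"),
               ("user-img", b"user"), ("sl5-wn-1.2", b"tampered")]
    for img, data in samples:
        print(img, may_instantiate(img, data, date(2010, 6, 1)))
```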

Contextualization
Proposal for a mechanism allowing the site to configure the image
- A file system mounted at image instantiation, with automated invocation of scripts on that file system during initialization
- The final job/payload will not execute as root
Restrictions on the aspects sites are allowed to configure
- No changes to the C compiler, Perl, Python, … to be allowed
Contentious issue is kernel patching (not allowed)

Support for multiple hypervisors
Recommendations/recipe(s) to enable sites to generate images that can be used with a range of hypervisors
- Only KVM and Xen (both para- and full virtualisation)
- Limited to SL5 for both host and guest
Already tested extensively
- KVM integration in SL5.4 helpful

Summary
A year ago, sites were rejecting any possibility of running remotely generated virtual machine images. Today, we have the skeleton of a scheme that will enable sites to treat trusted VM images exactly as normal worker nodes.
- This enables VOs to be 100% sure of the worker node environment
- (Potentially) inclusion in the VM image of the pilot job framework, enabling “cloud like” submission of work to sites
Active involvement of VOs is now highly desirable as we move towards delivering a proof-of-concept system.
Nothing in what is being done
- prevents sites that wish to do so from implementing Amazon EC2-style instantiation of user-generated images, or
- precludes use of CernVM.

References and links
- VM generation policy draft
- Virtualisation workshop upcoming