Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.

Slides:

Advertisements

Similar presentations

Security Daniel Mallmann MWSG meeting Amsterdam December 2005.

Advertisements

ANTHONY TIRADANI AND THE GLIDEINWMS TEAM glideinWMS in the Cloud.

Communicating Machine Features to Batch Jobs GDB, April 6 th 2011 Originally to WLCG MB, March 8 th 2011 June 13 th 2012.

HEPiX Virtualisation Working Group Status, July 9 th 2010

Polish Infrastructure for Supporting Computational Science in the European Research Space EUROPEAN UNION Services and Operations in Polish NGI M. Radecki,

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Technology on the NGS Pete Oliver NGS Operations Manager.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

EMI INFSO-RI Cloud Task Force Eric Yen and Simon Lin 22 Nov

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

Dynamic Firewalls and Service Deployment Models for Grid Environments Gian Luca Volpato, Christian Grimm RRZN – Leibniz Universität Hannover Cracow Grid.

FESR Consorzio COMETA Grid Introduction and gLite Overview Corso di formazione sul Calcolo Parallelo ad Alte Prestazioni (edizione.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

The Grid System Design Liu Xiangrui Beijing Institute of Technology.

Advanced Topics StratusLab Tutorial (Orsay, France) 28 November 2012.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

Virtual Workspaces Kate Keahey Argonne National Laboratory.

June 24-25, 2008 Regional Grid Training, University of Belgrade, Serbia Introduction to gLite gLite Basic Services Antun Balaž SCL, Institute of Physics.

Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.

Ruth Pordes November 2004TeraGrid GIG Site Review1 TeraGrid and Open Science Grid Ruth Pordes, Fermilab representing the Open Science.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

GLIDEINWMS - PARAG MHASHILKAR Department Meeting, August 07, 2013.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Module 10: Windows Firewall and Caching Fundamentals.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

The SEE-GRID-SCI initiative is co-funded by the European Commission under the FP7 Research Infrastructures contract no Workflow repository, user.

Workload management, virtualisation, clouds & multicore Andrew Lahiff.

DIRAC Pilot Jobs A. Casajus, R. Graciani, A. Tsaregorodtsev for the LHCb DIRAC team Pilot Framework and the DIRAC WMS DIRAC Workload Management System.

OSG Area Coordinator’s Report: Workload Management Maxim Potekhin BNL May 8 th, 2008.

HEPiX Virtualisation Working Group Status, February 10 th 2010 April 21 st 2010.

A.O.F. Internal Confidential Communication Project REVIEW PROTOCOL for SMART-HEALTH-COMPUTER STATIONS For Churches.

1 Cloud Services Requirements and Challenges of Large International User Groups Laurence Field IT/SDC 2/12/2014.

HEPiX Virtualisation Working Group Status, February 10 th 2010 April 21 st 2010 May 12 th 2010.

Basic Security Cor Loef Philips Medical Systems Co-Chair IHE Radiology Technical Committee.

Why a Commercial Provider should Join the Academic Cloud Federation David Blundell Managing Director 100 Percent IT Ltd Simple, Flexible, Reliable.

Ian Collier, STFC, Romain Wartel, CERN Maintaining Traceability in an Evolving Distributed Computing Environment Introduction Security.

EGI-InSPIRE RI SPG Tasks for Year 2011 Jan 2011 Kelsey/Security Policy Group1.

Claudio Grandi INFN Bologna Virtual Pools for Interactive Analysis and Software Development through an Integrated Cloud Environment Claudio Grandi (INFN.

INFN/IGI contributions Federated Clouds Task Force F2F meeting November 24, 2011, Amsterdam.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC,

Trusted Virtual Machine Images the HEPiX Point of View Tony Cass October 21 st 2011.

Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –

Grid Deployment Technical Working Groups: Middleware selection AAA,security Resource scheduling Operations User Support GDB Grid Deployment Resource planning,

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.

The HEPiX Virtualisation Working Group Towards a Grid of Clouds Tony Cass CHEP 2012 May 24 th 2012.

Virtual Machines on BiG Grid INFN Annual Meeting May 2010 Sander Klous, Nikhef.

HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010.

Ian Bird, CERN WLCG Project Leader Amsterdam, 24 th January 2012.

Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.

Bob Jones EGEE Technical Director

Regional Operations Centres Core infrastructure Centres

OGF PGI – EDGI Security Use Case and Requirements

Cloud Challenges C. Loomis (CNRS/LAL) EGI-TF (Amsterdam)

HEPiX Virtualisation working group

ATLAS Cloud Operations

StratusLab Tutorial (Bordeaux, France)

THE STEPS TO MANAGE THE GRID

WLCG Collaboration Workshop;

VMDIRAC status Vanessa HAMAR CC-IN2P3.

Resource and Service Management on the Grid

Preventing Privilege Escalation

Presentation transcript:

Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010

CERN.ch Motivation for the Working Group  Virtualisation is attractive! –For sites: ease operational procedures –For VOs: guarantee execution environment »Although VOs remain worried about virtualisation penalty  The EC2 model not acceptable for many sites –if infrastructure is not able to provide adequate isolation for images where user has root access »e.g. where NFS (or other protection systems based on uid/gid identification) is used to provide access to shared resources.  HEPiX working group established to enable exchange of trusted virtual machine images between sites –Assumes that not all users will need to generate VM images. This is reasonable as not all users need to install software at sites in today’s Grid environment. 2

CERN.ch Approach  Establish a policy for generation of trusted images  Document method for sites to contextualise images to meet local policies  Enable exchange of trusted images between sites. 3

CERN.ch Policy for Trusted Image Generation  You recognise that VM base images, VO environments and VM complete images, must be generated according to current best practice, the details of which may be documented elsewhere by the Grid. These include but are not limited to: –any image generation tool used must be fully patched and up to date; –all operating system security patches must be applied to all images and be up to date; –images are assumed to be world-readable and as such must not contain any confidential information; –there should be no installed accounts, host/service certificates, ssh keys or user credentials of any form in an image; –images must be configured such that they do not prevent Sites from meeting the fine-grained monitoring and control requirements defined in the Grid Security Traceability and Logging policy to allow for security incident response; –the image must not prevent Sites from implementing local authorisation and/or policy decisions, e.g. blocking the running of Grid work for a particular user.  4

CERN.ch Image Contextualisation  Contextualisation is needed so that sites can configure images to interface to local infrastructure – e.g. for syslog, monitoring & batch scheduler.  Contextualisation is limited to these needs! Sites may not alter the image contents in any way. –Any site are concerned about security aspects of an image should refuse to instantiate it and notify the endorser.  Contextualisation mechanism –Images should attempt to mount a CDROM image provided by the sites and, if successful, invoke two scripts from the CDROM image: »prolog.sh before network initialisation »epilog.sh after network initialisation 5

Image Cataloguing and Exchange 6

CERN.ch A step towards Cloud Computing?  Most (all?) current implementations of virtualised cpu servers integrate virtual machines with local workload management systems –requests to the local WMS lead to instantiation of virtual machines –locally provided machines have WMS client installed; contextualisation allows WMS client installation for remotely provided images.  There is an alternative! –Sites can instantiate VM images that connect directly to a VOs pilot job infrastructure. –This decouples completely »Site role to allocate resources according to funding »VO interest in managing priorities between different users and tasks. –Dynamic instantiation of VM images according to demand patterns leads to changing “virtual batch system” for the VOs. 7

CERN.ch Summary  The HEPiX Virtualisation Working Group has established a framework which should enable the free interchange of virtual machine images between HEP sites –a policy governing how images should be generated, to enable trust between sites and endorsers, and –a mechanism for contextualising images to be compliant with local policies at the instantiating site, and –a mechanism for cataloguing endorsed images and to track images approved for instantiation at a given site  VO supplied images could connect to pilot job infrastructure directly, not the local workload management system –allowing sites to instantiate images dynamically according to workload patterns, a step towards Cloud Computing for HEP.  Interestingly, the StratusLab project has very similar ideas (see 16:30). Collaboration looks to be a possibility, especially in the Image Catalogue area. 8