HEPiX Virtualisation Working Group Status, February 10 th 2010 April 21 st 2010 May 12 th 2010.

Slides:



Advertisements
Similar presentations
Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Advertisements

CERN LCG Overview & Scaling challenges David Smith For LCG Deployment Group CERN HEPiX 2003, Vancouver.
Communicating Machine Features to Batch Jobs GDB, April 6 th 2011 Originally to WLCG MB, March 8 th 2011 June 13 th 2012.
HEPiX Virtualisation Working Group Status, July 9 th 2010
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
24 Sept 2007 ADASS XVII : London, UK1 Cloudspace: virtual environments in the VO Matthew J. Graham (Caltech) Roy Williams (Caltech) T HE US N ATIONAL V.
INFSO-RI An On-Demand Dynamic Virtualization Manager Øyvind Valen-Sendstad CERN – IT/GD, ETICS Virtual Node bootstrapper.
Useful Tools for Testing
1 Bridging Clouds with CernVM: ATLAS/PanDA example Wenjing Wu
DIRAC API DIRAC Project. Overview  DIRAC API  Why APIs are important?  Why advanced users prefer APIs?  How it is done?  What is local mode what.
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
MPEG-4 Design Team Report. 2 Proposals draft-ietf-avt-rtp-mpeg4-02.txt draft-guillemot-genrtp-01.txt draft-jnb-mpeg4av-rtp-00.txt FlexMux packetization.
Event Management & ITIL V3
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
4061 Session 27 (4/23). Today Virtual Machines and Emulation.
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
1 Resource Provisioning Overview Laurence Field 12 April 2015.
Cryptography and Network Security (CS435) Part One (Introduction)
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
Virtual Workspaces Kate Keahey Argonne National Laboratory.
02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.
Pilot Jobs John Gordon Management Board 23/10/2007.
LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 November 2007.
Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.
US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.
Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.
Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Tools and techniques for managing virtual machine images Andreas.
Workload management, virtualisation, clouds & multicore Andrew Lahiff.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
LCG Pilot Jobs and glexec John Gordon.
HEPiX Virtualisation Working Group Status, February 10 th 2010 April 21 st 2010.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VM Management Chair: Alexander Papaspyrou 2/25/
Predrag Buncic (CERN/PH-SFT) Software Packaging: Can Virtualization help?
1 Cloud Services Requirements and Challenges of Large International User Groups Laurence Field IT/SDC 2/12/2014.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Draft Security Virtualisation Policy (for Romain Wartel – CERN) EGI Technical.
Ian Collier, STFC, Romain Wartel, CERN Maintaining Traceability in an Evolving Distributed Computing Environment Introduction Security.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
LHCb 2009-Q4 report Q4 report LHCb 2009-Q4 report, PhC2 Activities in 2009-Q4 m Core Software o Stable versions of Gaudi and LCG-AA m Applications.
Geant4 GRID production Sangwan Kim, Vu Trong Hieu, AD At KISTI.
Trusted Virtual Machine Images the HEPiX Point of View Tony Cass October 21 st 2011.
Building on virtualization capabilities for ExTENCI Carol Song and Preston Smith Rosen Center for Advanced Computing Purdue University ExTENCI Kickoff.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.
Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.
The HEPiX Virtualisation Working Group Towards a Grid of Clouds Tony Cass CHEP 2012 May 24 th 2012.
Virtual Machines on BiG Grid INFN Annual Meeting May 2010 Sander Klous, Nikhef.
HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010.
CERN IT Department CH-1211 Genève 23 Switzerland The CERN internal Cloud Sebastien Goasguen, Belmiro Rodrigues Moreira, Ewan Roche, Ulrich.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI SVG F2F Virtual Machines VM images, software run on VMS. 3 rd March 2015.
Andrea Chierici Virtualization tutorial Catania 1-3 dicember 2010
Update on revised HEPiX Contextualization
Multi User Pilot Jobs update
HEPiX Virtualisation working group
Virtualisation for NA49/NA61
Blueprint of Persistent Infrastructure as a Service
Dag Toppe Larsen UiB/CERN CERN,
Progress on NA61/NA49 software virtualisation Dag Toppe Larsen Wrocław
Dag Toppe Larsen UiB/CERN CERN,
Software Security II Karl Lieberherr.
Virtualisation for NA49/NA61
WLCG Collaboration Workshop;
VMDIRAC status Vanessa HAMAR CC-IN2P3.
Presentation transcript:

HEPiX Virtualisation Working Group Status, February 10 th 2010 April 21 st 2010 May 12 th 2010

CERN.ch Objective  Enable virtual machine images created at one site to be used at other HEPiX (and WLGC) sites.  Working assumptions –images are generated by some authorised or trusted process »Some sites may accept “random” user generated images, but most won’t –images are “contextualised” to connect to local site workload management system »But at least one site (other than CERN…) is interested in seeing images connect directly to experiment workload management system. 2 No root access by end user during image generation. Recipient site controls how “payload” ends up in the image

CERN.ch Working group areas & Status  Generation  Transmission  Expiry & Revocation  Contextualisation  Support for multiple Hypervisors 3 Image endorser required to revoke images in case of security issues and the like.

CERN.ch Working group areas & Status  Generation –Led by Dave Kelsey & Keith Chadwick –Likely to produce »Policy proposal for image generation process. If sites can demonstrate they meet the requirements of the policy then their images should be trusted for execution at remote sites »Recommendations for hypervisor configuration to ensure maximum security.  Transmission  Expiry & Revocation  Contextualisation  Support for multiple Hypervisors 4 Sites anyway expected to follow best practices. Current discussion is around roles and endorsers for the different components (“base” operating system and VO software) and about who can be trusted. Draft Policy Document:

CERN.ch 5

Working group areas & Status  Generation  Transmission –Led by Owen Synge –Likely to produce »Recommendation for basic transport protocol(s) to be supported  Prescriptive for sites wishing to generate images »Proposal for optional protocols to improve transmission efficiency  E.g. transmission of only differences w.r.t. a reference image  Status of “interesting” protocols such as bitTorrent likely to be an issue. –Unlikely to comment on intra-site image transmission  Expiry & Revocation  Contextualisation  Support for multiple Hypervisors 6 Will not Current model is tagged images distributed in manner akin to mechanism used for VO software today.

CERN.ch 7

Working group areas & Status  Generation  Transmission  Expiry & Revocation –Status a little unclear »a mix of standalone area and generation policy? –“Image Revocation List” a la CRL? »Technical proposal required  Contextualisation  Support for multiple Hypervisors 8 Image endorser required to revoke images in case of security issues and the like.

CERN.ch Working group areas & Status  Generation  Transmission  Expiry & Revocation  Contextualisation –Led by Sebastien Goasguen –Likely to produce »Proposal for mechanism allowing site to configure image  File system mounted at image instantiation and automated invocation of scripts on the file system during the initialisation.  Final job/payload will not execute as root »Restrictions on aspects sites are allowed to configure  No changes to C compiler, perl, python, … to be allowed  Support for multiple Hypervisors 9 Only basic discussions so far. Contentious issue is kernel patching. Group conclusion is that this is not allowed; sites who have security concerns with an image must refuse to run this and must notify the endorser to allow wider revocation. This ensures that all sites are protected.

CERN.ch Working group areas & Status  Generation  Transmission  Expiry & Revocation  Contextualisation  Support for multiple Hypervisors –Led by Andrea Chierici –Produce, if possible, »Recommendations/recipe(s) to enable sites to generate images that can be used with a range of hypervisors  Perhaps a limited set of all possible, however,…  Poll underway to identify most popular hypervisors 10 Little discussion in the group so far. We have identified the hypervisors of interest (kvm and both Xen modes). Andrea is testing extensively at present.

CERN.ch Summary  A year ago, sites were rejecting any possibility of running remotely generated virtual machine images.  Today, we have the skeleton of a scheme that will enable sites to treat trusted VM images exactly as normal worker nodes. –This enables »VOs to be 100% sure of the worker node environment »(potentially) inclusion in the VM image of the pilot job framework enabling “cloud like” submission of work to sites.  Active involvement of VOs is now highly desirable as we move towards delivering a proof-of-concept system.  Nothing in what is being done –prevents sites that wish to do so from implementing Amazon EC2-style instantiation of user generated images, or –precludes use of CERNvm. 11

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.