Presentation is loading. Please wait.

Presentation is loading. Please wait.

HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010.

Published byLambert Peters Modified over 8 years ago

Similar presentations

Presentation on theme: "HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010."— Presentation transcript:

1 HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010

2 Outline Introduction Working assumptions Sub-tasks description References and links Andrea Chierici CCR Workshop 2010 2

3 Introduction The objective is to enable virtual machine images created at one site to be used at other HEPiX (and WLGC) sites. Agreement required on how images  are generated securely and with traceability  are transmitted securely and efficiently  can be expired/revoked if necessary  can be customised to meet individual site requirements (contextualisation)  can be used with different hypervisors Andrea Chierici CCR Workshop 2010 3

4 Working assumptions Images are generated by some authorized or trusted process  Some sites may accept “random” user generated images, but most won’t  No root access by end user during image generation Images are “contextualized” to connect to local site workload management system  But at least one site (other than CERN…) is interested in seeing images connect directly to experiment workload management system.  Recipient site controls how “payload” ends up in the image Andrea Chierici CCR Workshop 2010 4

5 Generation (1) The security-related policy requirements for the generation and endorsement of trusted virtual machine (VM) images for use on the Grid has already been defined The aim is to enable Grid Sites to trust and instantiate endorsed VM images that have been generated elsewhere. Andrea Chierici CCR Workshop 2010 5

6 Generation (2) Endorser:  Confirms that a particular VM complete image has been produced according to the requirements of the policy  States that the image can be trusted. An Endorser should be one of a limited number of authorised and trusted individuals appointed either by a VO or a Site.  The appointing VO or Site must assume responsibility for the actions of the Endorser and must ensure that he/she is aware of the requirements of the policy. Andrea Chierici CCR Workshop 2010 6

7 Virtual Machine Image Catalogue VMIC records details of virtual machine images distributed to the sites to be run on the site’s local hardware.  Gives sites a central point of control over the images run at their site  Provides a mechanism to control (trust) who may subscribe images to the site, and to block images that are deprecated for some reason. Andrea Chierici CCR Workshop 2010 7

8 Endorsed vs approved Endorsed (endorser decision):  Role defined in the policy document  Scope: VMI production & maintenance Approved (site decision)  Marks the VMI “valid for use” by the site  Scope: operating the VMI For a VMI to run, it must be both:  Endorsed by an endorser (i.e. part of the VMIC endorsed)  Approved by the local site Andrea Chierici CCR Workshop 2010 8

9 Transmission Recommendation for basic transport protocol(s) to be supported  Prescriptive for sites wishing to generate images Current model is “tagged images” distributed in manner akin to mechanism used for VO software today Proposal for optional protocols to improve transmission efficiency  E.g. transmission of only differences w.r.t. a reference image  Interested in protocols such as bitTorrent Will not comment on intra-site image transmission Andrea Chierici CCR Workshop 2010 9

10 Expiry & Revocation Status a little unclear “Image Revocation List” à la CRL?  Technical proposal required Image endorses required to revoke images in case of security issues and the like Andrea Chierici CCR Workshop 2010 10

11 Contextualization Proposal for mechanism allowing site to configure image  File system mounted at image instantiation and automated invocation of scripts on the file system during the initialization.  Final job/payload will not execute as root Restrictions on aspects sites are allowed to configure  No changes to C compiler, Perl, Python, … to be allowed Contentious issue is kernel patching (not allowed) Andrea Chierici CCR Workshop 2010 11

12 Support for multiple hypervisors Recommendations/recipe(s) to enable sites to generate images that can be used with a range of hypervisors  Only KVM and XEN (both para and full)  Limited to sl5 for both host and guest Already tested extensively  KVM integration in sl5.4 helpful Andrea Chierici CCR Workshop 2010 12

13 Summary A year ago, sites were rejecting any possibility of running remotely generated virtual machine images. Today, we have the skeleton of a scheme that will enable sites to treat trusted VM images exactly as normal worker nodes.  This enables VOs to be 100% sure of the worker node environment (potentially) inclusion in the VM image of the pilot job framework enabling “cloud like” submission of work to sites. Active involvement of VOs is now highly desirable as we move towards delivering a proof-of-concept system. Nothing in what is being done  prevents sites that wish to do so from implementing Amazon EC2-style instantiation of user generated images, or  precludes use of CERNvm. Andrea Chierici CCR Workshop 2010 13

14 References and links Hepix-virtualisation@cern.ch VM generation policy draft  http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines Virtualisation workshop upcoming Andrea Chierici CCR Workshop 2010 14

Download ppt "HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010."

Similar presentations

HEPiX Virtualisation Working Group Status, July 9 th 2010

HEPiX Virtualisation Working Group Status, July 9 th 2010
 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.

 Max Planck Institute for Software Systems Towards trusted cloud computing Nuno Santos, Krishna P. Gummadi, and Rodrigo Rodrigues MPI-SWS.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
INFSO-RI-223782 An On-Demand Dynamic Virtualization Manager Øyvind Valen-Sendstad CERN – IT/GD, ETICS Virtual Node bootstrapper.

INFSO-RI An On-Demand Dynamic Virtualization Manager Øyvind Valen-Sendstad CERN – IT/GD, ETICS Virtual Node bootstrapper.
A comparison between xen and kvm Andrea Chierici Riccardo Veraldi INFN-CNAF.

A comparison between xen and kvm Andrea Chierici Riccardo Veraldi INFN-CNAF.
Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.

Presented by Sujit Tilak. Evolution of Client/Server Architecture Clients & Server on different computer systems Local Area Network for Server and Client.
1 Bridging Clouds with CernVM: ATLAS/PanDA example Wenjing Wu 2010-8-27.

1 Bridging Clouds with CernVM: ATLAS/PanDA example Wenjing Wu
Release & Deployment ITIL Version 3

Release & Deployment ITIL Version 3
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.

Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Objectives Functionalities and services Architecture and software technologies Potential Applications –Link to research problems.

Objectives Functionalities and services Architecture and software technologies Potential Applications –Link to research problems.
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.

02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.
OSG Tier 3 support Marco Mambelli - OSG Tier 3 Dan Fraser - OSG Tier 3 liaison Tanya Levshina - OSG.

OSG Tier 3 support Marco Mambelli - OSG Tier 3 Dan Fraser - OSG Tier 3 liaison Tanya Levshina - OSG.
Virtualised Worker Nodes Where are we? What next? Tony Cass GDB 2012 12/12/12.

Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.
Systems Development Life Cycle

Systems Development Life Cycle
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Conference name Company name INFSOM-RI-1234567 Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.

Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.

Similar presentations

Ads by Google