Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.

Published byMatthew Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010."— Presentation transcript:

1 Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010

2 Tony.Cass@ CERN.ch Motivation for the Working Group  Virtualisation is attractive! –For sites: ease operational procedures –For VOs: guarantee execution environment »Although VOs remain worried about virtualisation penalty  The EC2 model not acceptable for many sites –if infrastructure is not able to provide adequate isolation for images where user has root access »e.g. where NFS (or other protection systems based on uid/gid identification) is used to provide access to shared resources.  HEPiX working group established to enable exchange of trusted virtual machine images between sites –Assumes that not all users will need to generate VM images. This is reasonable as not all users need to install software at sites in today’s Grid environment. 2

3 Tony.Cass@ CERN.ch Approach  Establish a policy for generation of trusted images  Document method for sites to contextualise images to meet local policies  Enable exchange of trusted images between sites. 3

4 Tony.Cass@ CERN.ch Policy for Trusted Image Generation  You recognise that VM base images, VO environments and VM complete images, must be generated according to current best practice, the details of which may be documented elsewhere by the Grid. These include but are not limited to: –any image generation tool used must be fully patched and up to date; –all operating system security patches must be applied to all images and be up to date; –images are assumed to be world-readable and as such must not contain any confidential information; –there should be no installed accounts, host/service certificates, ssh keys or user credentials of any form in an image; –images must be configured such that they do not prevent Sites from meeting the fine-grained monitoring and control requirements defined in the Grid Security Traceability and Logging policy to allow for security incident response; –the image must not prevent Sites from implementing local authorisation and/or policy decisions, e.g. blocking the running of Grid work for a particular user.  http://www.jspg.org/wiki/Policy_Trusted_Virtual_Machines 4

5 Tony.Cass@ CERN.ch Image Contextualisation  Contextualisation is needed so that sites can configure images to interface to local infrastructure – e.g. for syslog, monitoring & batch scheduler.  Contextualisation is limited to these needs! Sites may not alter the image contents in any way. –Any site are concerned about security aspects of an image should refuse to instantiate it and notify the endorser.  Contextualisation mechanism –Images should attempt to mount a CDROM image provided by the sites and, if successful, invoke two scripts from the CDROM image: »prolog.sh before network initialisation »epilog.sh after network initialisation 5

6 Image Cataloguing and Exchange 6

7 Tony.Cass@ CERN.ch A step towards Cloud Computing?  Most (all?) current implementations of virtualised cpu servers integrate virtual machines with local workload management systems –requests to the local WMS lead to instantiation of virtual machines –locally provided machines have WMS client installed; contextualisation allows WMS client installation for remotely provided images.  There is an alternative! –Sites can instantiate VM images that connect directly to a VOs pilot job infrastructure. –This decouples completely »Site role to allocate resources according to funding »VO interest in managing priorities between different users and tasks. –Dynamic instantiation of VM images according to demand patterns leads to changing “virtual batch system” for the VOs. 7

8 Tony.Cass@ CERN.ch Summary  The HEPiX Virtualisation Working Group has established a framework which should enable the free interchange of virtual machine images between HEP sites –a policy governing how images should be generated, to enable trust between sites and endorsers, and –a mechanism for contextualising images to be compliant with local policies at the instantiating site, and –a mechanism for cataloguing endorsed images and to track images approved for instantiation at a given site  VO supplied images could connect to pilot job infrastructure directly, not the local workload management system –allowing sites to instantiate images dynamically according to workload patterns, a step towards Cloud Computing for HEP.  Interestingly, the StratusLab project has very similar ideas (see PS50 @ 16:30). Collaboration looks to be a possibility, especially in the Image Catalogue area. 8

9

Download ppt "Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010."

Similar presentations

Security Daniel Mallmann MWSG meeting Amsterdam 14-15 December 2005.

Security Daniel Mallmann MWSG meeting Amsterdam December 2005.
ANTHONY TIRADANI AND THE GLIDEINWMS TEAM glideinWMS in the Cloud.

ANTHONY TIRADANI AND THE GLIDEINWMS TEAM glideinWMS in the Cloud.
Communicating Machine Features to Batch Jobs GDB, April 6 th 2011 Originally to WLCG MB, March 8 th 2011 June 13 th 2012.

Communicating Machine Features to Batch Jobs GDB, April 6 th 2011 Originally to WLCG MB, March 8 th 2011 June 13 th 2012.
HEPiX Virtualisation Working Group Status, July 9 th 2010

HEPiX Virtualisation Working Group Status, July 9 th 2010
Polish Infrastructure for Supporting Computational Science in the European Research Space EUROPEAN UNION Services and Operations in Polish NGI M. Radecki,

Polish Infrastructure for Supporting Computational Science in the European Research Space EUROPEAN UNION Services and Operations in Polish NGI M. Radecki,
Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.
Technology on the NGS Pete Oliver NGS Operations Manager.

Technology on the NGS Pete Oliver NGS Operations Manager.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
EMI INFSO-RI-261611 Cloud Task Force Eric Yen and Simon Lin 22 Nov. 2010.

EMI INFSO-RI Cloud Task Force Eric Yen and Simon Lin 22 Nov
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
Dynamic Firewalls and Service Deployment Models for Grid Environments Gian Luca Volpato, Christian Grimm RRZN – Leibniz Universität Hannover Cracow Grid.

Dynamic Firewalls and Service Deployment Models for Grid Environments Gian Luca Volpato, Christian Grimm RRZN – Leibniz Universität Hannover Cracow Grid.
Www.consorzio-cometa.it FESR Consorzio COMETA Grid Introduction and gLite Overview Corso di formazione sul Calcolo Parallelo ad Alte Prestazioni (edizione.

FESR Consorzio COMETA Grid Introduction and gLite Overview Corso di formazione sul Calcolo Parallelo ad Alte Prestazioni (edizione.
| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
The Grid System Design Liu Xiangrui Beijing Institute of Technology.

The Grid System Design Liu Xiangrui Beijing Institute of Technology.
Advanced Topics StratusLab Tutorial (Orsay, France) 28 November 2012.

Advanced Topics StratusLab Tutorial (Orsay, France) 28 November 2012.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Similar presentations

Ads by Google