Lecture Openstack v1

The Certified OpenStack Administrator (COA) Study Guide by Trainocate aims to provide foundational knowledge and preparation for the COA exam through various chapters covering OpenStack components and functionalities. It includes topics such as cloud computing, identity management, networking, storage, and troubleshooting. The document also outlines the importance of virtualization and containerization in cloud environments, emphasizing the shift from traditional workloads to cloud-native architectures.


Certified OpenStack Administrator (COA) Study Guide

Trainocate 5/2022

Trainocate.com
Objectives
Objective 1: Provide basic knowledge
Objective 2: Guide for further study
Objective 3: Prepare for the COA exam

Agenda

Chapter 1: Getting to Know OpenStack
Chapter 2: How to Build Your Own Virtual Test Environment
Chapter 3: Identity Management
Chapter 4: OpenStack Dashboard
Chapter 5: Image Management
Chapter 6: OpenStack Compute
Chapter 7: OpenStack Networking
Chapter 8: OpenStack Object Storage
Chapter 9: OpenStack Block Storage
Chapter 10: Troubleshooting OpenStack
Test 1
Test 2

Schedule (sessions 1 to 10)
Chapter 1: Getting to Know OpenStack
Chapter 2: How to Build Your Own Virtual Test Environment
Chapter 3: Identity Management
Chapter 4: OpenStack Dashboard
Chapter 5: Image Management
Chapter 6: OpenStack Compute
Chapter 7: OpenStack Networking
Chapter 8: OpenStack Object Storage
Chapter 9: OpenStack Block Storage
Test 1
Test 2
Chapter 10: Troubleshooting OpenStack
4 Trainocate.com April 19, 2022

Information
Date of Birth: May 21, 1986
Gender: Male
Mobile phone: (+084) 932.210.586
Company: SVTechnologies JSC
E-mail: [email protected]
• Red Hat Certified Engineer (RHCE)
• Red Hat Certified System Administrator in Red Hat Enterprise Linux
• Red Hat Certified System Administrator in Red Hat OpenStack
• Red Hat Certified Specialist in Virtualization
• Red Hat Certified Ceph Administrator
• Certified OpenStack Administrator

Chapter 1: Getting to Know OpenStack

❑ Cloud Computing Introduction
❑ OpenStack Introduction
❑ COA Exam Introduction
❑ Hands-On: Lab Environment

Cloud Computing

What is cloud computing?

❑ Cloud computing is a model for ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources, such as servers, storage, networks, applications, and services.
❑ Resources can be rapidly provisioned with minimal management or service provider interaction. Self-service users launch instances as virtual machines when needed, without requiring assistance from the service provider.
❑ The cloud consumer decides the computing resources needed for their instances.

Cloud characteristics

❑ Self-service: allows cloud consumers to provision instances with computing resources.
❑ Multitenancy: allows multiple cloud consumers to share underlying hardware and resources.
❑ Elasticity: dynamically increases or decreases the resources used according to demand.
❑ Telemetry: resources can be monitored and metered by the service provider and by the consumer.

Cloud Types/Deployment

❑ Public: originally started as application hosting services, but has evolved into applications, infrastructure, and data storage served by a third-party vendor.
❑ Private: on-premises data centers that include virtualization, software, and automation to build and manage infrastructure matching the features of the public cloud, providing greater control over security, data privacy, and compliance, plus the flexibility of public cloud tools and capabilities.
❑ Hybrid: configuring both public and private cloud resources to be orchestrated together. Use cases include client-facing apps on the public cloud connected to data storage in private cloud datacenters, or building apps that run on identical software infrastructure on both private and public clouds while responding to changes in demand by distributing capacity. Hybrid designs using OpenStack are proving to offer the highest flexibility and adaptability.

Cloud Models

❑ Infrastructure as a Service (IaaS) allows the cloud consumer to provision computing resources and software (operating system and applications). The cloud consumer manages the instance images, storage, networking, and computing resources (vCPUs and vRAM).
❑ Platform as a Service (PaaS) provides the operating system (i.e., libraries, programming languages) for the cloud consumer. The cloud consumer provides the application(s) to be deployed on the instances. The provider manages the underlying cloud infrastructure.
❑ Software as a Service (SaaS) provides the operating system and all software for the cloud consumer. The provider manages the underlying cloud infrastructure and the application(s) deployed for use as live services.

Cloud Models Example

❑ IaaS is there to provide you with maximum flexibility when it comes to hosting custom-built apps, as well as providing a general data center for data storage.
❑ PaaS is most often built on top of an IaaS platform to reduce the need for system administration. It allows you to focus on app development instead of infrastructure management.
❑ SaaS offers ready-to-use, out-of-the-box solutions that meet a particular business need (such as a website or email). Most modern SaaS platforms are built on IaaS or PaaS platforms.

Workloads Scale

(figure: Autoscaling)


Workloads: Monolithic and Microservices
❑ The monolithic architecture is considered to be a traditional way of building applications. A monolithic application is built as a single and indivisible unit. Usually, such a solution comprises a client-side user interface, a server-side application, and a database.
❑ It is unified and all the functions are managed and served in one place. Normally, monolithic applications have one large code base and lack modularity. If developers want to update or change something, they access the same code base, so they make changes in the whole stack at once.
❑ Scalability: you cannot scale components independently, only the whole application.

Workloads: Monolithic and Microservices
❑ While a monolithic application is a single unified unit, a microservices architecture breaks it down into a collection of smaller independent units.
❑ These units carry out every application process as a separate service, so each service has its own logic and database and performs a specific function.
❑ Independent components: firstly, all the services can be deployed and updated independently, which gives more flexibility. Secondly, a bug in one microservice affects only that particular service and does not influence the entire application. Also, it is much easier to add new features to a microservice application than to a monolithic one.

Workloads: Pets vs Cattle

❑ What are pets? Think about how much coddling you give your pets. This is analogous to big proprietary traditional data centers with their big, scale-up storage servers that consume a lot of resources, require a lot of administrative time and effort, and need constant coddling, much as you do with a pet.
❑ What are cattle? Hyperscale companies (Google, Apple, Facebook, and so on) couldn't scale that way, so they fundamentally altered the way data centers work so that they function like cattle. While traditional data centers offer custom treatment, as you do with pets, these organizations expect individual nodes to fail, making them, much like cattle, replaceable.

Traditional Workloads
❑ Traditional workloads, including SOA, are defined as monolithic, meaning that each service or component is discrete, handling higher loads by being programmed to grow larger. This is why traditional workloads are described as scaling up, being moved to larger and larger systems as the applications or their respective components evolved.
❑ Enterprise virtualization is also an example of traditional workloads, adding more RAM, CPUs, and storage as workloads increase. However, even the largest systems have upper limits.
❑ Traditional enterprise applications can be made resilient and scalable, but such features must be implemented through additional high availability management tools, and with the programmatic cooperation of the applications themselves. Complex applications have unique needs, such that each enterprise application usually requires custom programming to implement scaling.

Cloud Workloads
❑ Cloud applications, like SOA, are designed as a stack of service or microservice components, each deployed and managed as a separate component. Service components deploy as VMs or containers and scale by starting numerous instances of each service.
❑ Cloud applications are designed differently from enterprise applications. For example, enterprise applications were programmatically taught how to scale and process work as they grew larger, with hardware limitations and bottlenecks driving program solutions and design. Cloud applications scale, but the application or service component contains no scaling logic and no awareness that it is being scaled. Service components are replicated and managed by load-balanced networking; scaling occurs by starting as many copies of a service as are required to handle the current load. However, in order to be scaled, a service must follow standard cloud design rules.

Virtual Machines and Containers

❑ Virtualization allows a single physical computer to host and support multiple operating systems or application environments, each as a software emulation of a complete computer system, known as a virtual machine.
❑ Each virtual machine runs its own operating system, which can be different from the one on the host computer.
❑ The host system runs specialized software known as a hypervisor to emulate BIOS, CPUs, memory, network devices, and other physical resources for each virtual machine.

Virtual Machines and Containers
❑ A container is an isolated emulation environment similar to a virtual machine. Like a virtual machine, it behaves as a separate computer system, using hardware emulated in software by the host system.
❑ The difference is that a container is designed to share the host's operating system, and provide only the additional libraries and configuration files required to support the application that it contains.
❑ Because containers normally do not contain a full operating system, they are much smaller and faster to start and scale.

Virtual Machine and Container Use Cases

Virtual Machine Use Cases
❑ Consolidation: multiple physical servers converted into virtual machines require fewer physical hosts. Modern data centers are reaching limits that make expansion challenging. Acquiring sufficient physical resources is expensive, and more servers require more power and cooling.
❑ Compartmentalization: virtualization is used to divide existing physical machines into separate virtual machines without additional hardware expenditures.
❑ Development and Testing: virtualization offers advantages for software and network service development and testing. On a single machine, a developer could run several different test environments. If a test environment crashes, it does not corrupt the developer's main working environment.
❑ Virtual Appliances: virtual appliances are preconfigured virtual machines running useful applications in an easily deployed manner. Software vendors consider this valuable, since it is easier to ship a preinstalled system with a known configuration, versioning, and environment tuning than software packages to be installed and configured onsite.

Container Use Cases
❑ Faster Delivery: containers facilitate faster delivery of applications. Developers can write applications on local containers, then publish to image registries for consumption by other teams, such as quality control or production.
❑ Easier Deployment and Scaling of Applications: containers allow for easier deployment, are more portable, and scale better. Containers can be created on a developer's local host and can run without modification on another physical machine or as a virtual guest. They can run in the office, in the data center, or in a cloud.
❑ Higher Density: containers achieve higher density. They are lightweight, fast, and a cost-effective alternative to hypervisor-based systems, especially useful in high-density computing environments.

Cloud and Virtualization

❑ Virtualization is a technology, whereas cloud is an environment.
❑ Cloud infrastructure can include a variety of bare-metal, virtualization, or container software that can be used to abstract, pool, and share scalable resources across a network to create a cloud.
❑ An automation layer is added to replace or reduce human interaction with repeatable instructions and processes, which provides the self-service component of the cloud.
❑ You've created a cloud if you've set up an IT system that:
▪ Can be accessed by other computers through a network.
▪ Contains a repository of IT resources.
▪ Can be provisioned and scaled quickly.

Cloud and Virtualization

If you already have a virtual infrastructure, you can create a cloud by pooling virtual resources together, orchestrating them using management and automation software, and creating a self-service portal for users, or you can let something like OpenStack.

Self-service Example

(figure: Legacy IT Infrastructure, sites HN and HCM. Labels: Tasks are divided into Departments; Need Time to Process; Network, Server and Storage Departments; Resources.)

Self-service Example

(figure: Virtualization IT Infrastructure, sites HN and HCM. Labels: Divide into Departments; Need Time to Process; Virtualization Department; Resources; Virtualization Software.)

Self-service Example

(figure: Cloud IT Infrastructure, sites HN and HCM. Labels: Divide into Departments; Need Time to Process; Cloud Department; Resources; Cloud Software - API.)

Cloud and Kubernetes

❑ Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation.
❑ It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.

Cloud and Containers

(figure: VMware, Red Hat)


Demo

❑ Describe self-service
❑ Describe automation


Flexera 2021 State of the Cloud Report

Summary
▪ Cloud adoption was expanding rapidly even before COVID-19. After the pandemic took hold, cloud plans and adoption increased even faster.
▪ The report explores the thinking of 750 global cloud decision-makers and users about the public, private and multi-cloud market.
(figure: Respondents by organization size)


Flexera 2021 State of the Cloud Report

Almost all organizations are using at least one cloud
▪ 99 percent of respondents are using at least one public or private cloud.
▪ 97% of respondents utilize at least one public cloud, 80% have at least one private cloud.
▪ 78% of respondents are using hybrid cloud.
(figure: Breakdown of cloud types)


Flexera 2021 State of the Cloud Report

(figure: Public cloud provider adoption rates for all organizations, current use/experimenting/planned)


Flexera 2021 State of the Cloud Report

Private cloud plays an important role
▪ Most organizations are taking a multi-cloud, hybrid approach in which private cloud plays an important role. As mentioned earlier in this report, about 80 percent of survey respondents are running at least one private cloud.


Flexera 2021 State of the Cloud Report

Migrating to cloud is the top initiative (figures)


Viet Nam market

❑ The Vietnamese cloud computing market is worth about USD 133 million (roughly VND 3,200 billion).
❑ As of 2020, Vietnam had about 27 data centers (IDCs) invested in by 11 domestic companies, with 270,000 servers across the country.
❑ However, Vietnamese companies hold only 20% of the market; the remaining 80% belongs to foreign companies.
❑ The main service providers in the market are VNPT, Viettel, FPT and VNG.
❑ In 2020, the COVID-19 pandemic gave a push that raised the growth rate of Vietnam's cloud computing market to 40%, according to Mr. Nguyễn Khắc Lịch, Deputy Director of the Authority of Information Security.

OpenStack

WHAT IS OPENSTACK?

❑ OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a datacenter, all managed and provisioned through APIs with common authentication mechanisms.
❑ A dashboard is also available, giving administrators control while empowering their users to provision resources through a web interface.
❑ Beyond standard infrastructure-as-a-service functionality, additional components provide orchestration, fault management and service management amongst other services to ensure high availability of user applications.
❑ OpenStack is still one of the top three most active open source projects in the world.

The four opens
The OpenStack Foundation is committed to ensuring that OpenStack follows "the four opens":
❑ Open source: The OpenStack source code is licensed under the Apache License Version 2.0 (APLv2). OpenStack is committed to creating truly open source software that is usable and scalable.
❑ Open design: OpenStack is also committed to an open design process. Every six months, the development community meets for a Project Team Gathering (PTG) to create the roadmap for the next release. This includes brainstorming ideas, gathering requirements, and writing blueprints for upcoming releases. The PTGs are always open to the public.
❑ Open development: OpenStack keeps its source code publicly available through the entire development process (https://github.com/openstack). Everything is open, including code reviews, release roadmaps, and technical discussions.
❑ Open community: All processes are documented, open, and transparent. The technical governance of the project is democratic, with a community of contributors electing technical leads and members of technical committees. Project meetings are held in public IRC channels, and technical communication is primarily done through public mailing lists.

Benefits of OpenStack

Standardization in Its Foundation
The promise of the cloud has greatly eliminated the days when large technology providers tried to lock in customers with monolithic closed systems. But that promise is dependent upon standardization. Thus, more than 700 companies supporting OpenStack are striving toward a flexible, standardized platform that works interchangeably with any infrastructure. This is extremely important, especially since many companies have spent years investing large sums of money in IT.

Less Cost and More Innovation
Most IT departments are focused on running and managing the infrastructure and not providing innovative solutions. The flexibility and low cost of OpenStack helps alleviate this by freeing up IT to focus on new applications, solutions, and service delivery rather than inflexible, underlying infrastructure. This allows for faster delivery of new features and products, such as online tools to help customers better manage their portfolios, and can help attract customers and increase retention.

Industry-wide Support
OpenStack receives widespread support from some of the most important corporations in the technology industry, all of which have come together to help companies break away from being locked in to a particular cloud vendor. While some of these players offer their own flavor of OpenStack, they still commit to the ideals of an open, standardized cloud. The major concern is not choosing the right technology, but selecting the vendor with the richest ecosystem and support, knowing that support extends to virtually an entire industry.

Enables Portability to Other Clouds
Investments in open cloud development like OpenStack must be portable to other clouds. Portability takes a variety of forms, including programming languages and frameworks, data, and applications. If developing an application for one cloud, it should not need to be rewritten in a different language or use different APIs to move it somewhere else.

THE OPENSTACK LANDSCAPE

(figure)

THE OPENSTACK CORE

(figure)

OpenStack Foundation

❑ The OpenStack Foundation was created in 2012 with the simple mission to protect, empower, and promote OpenStack software and the community around it.
❑ Since the Foundation's initial formation, there have been more than fifteen OpenStack Summits. The OpenStack Summit is an incredible gathering of more than 5,000 software developers, CIOs, systems engineers, and technical writers from all over the world.
❑ Membership of the foundation is free and accessible to anyone; everyone from individual contributors to large enterprises are members, including companies like AT&T, Red Hat, Rackspace, Ubuntu, SUSE, Google, and IBM.

The OpenStack Marketplace

❑ Consulting and Integrators: Red Hat, IBM, Ubuntu, Rackspace, ...

Some Milestones

❑ Initial release: 21 October 2010. OpenStack began as a joint project of Rackspace Hosting and NASA.
❑ Havana (2013): Red Hat introduced commercial support for OpenStack with the "Grizzly" release. The OpenStack organization has grown rapidly and is supported by more than 540 companies.
❑ Train: 16 October 2019; 44 services.
❑ Xena: 06 October 2021; 38 services.

Open Infrastructure Foundation

❑ The OpenStack Foundation announced that it is changing its name to "Open Infrastructure Foundation", starting in 2021.
❑ The Foundation now covers a wide variety of open-source cloud and container technologies as the Open Infrastructure Foundation.
❑ Open Infrastructure vs. Cloud Native: differentiate from The Linux Foundation's Cloud Native Computing Foundation (CNCF) and its flagship project Kubernetes.

OpenInfra Foundation

(figure: logos of Platinum Members, Gold Members and Silver Members)

Certified OpenStack Administrator (COA)
The OpenStack Foundation has developed the Certified OpenStack Administrator exam, which offers a career-path based certification for OpenStack professionals. The exam is performance-based and tests the baseline skills of an OpenStack Administrator: a person with at least 6 months of OpenStack experience who provides day-to-day operation and management of an OpenStack cloud.

Description
❑ Exam Code: COA
❑ Question types: hands-on with a real OpenStack environment
❑ Time Limit: 180 minutes
❑ Price: USD $400
❑ Delivery Method: live virtual instructor-led

Benefits
❑ Recognition in the industry
❑ Increased customer confidence
❑ Proof of knowledge and skills
❑ Certification verification for employers and customers
❑ New career opportunities

Requirements
❑ A basic understanding of Ubuntu Linux process management is assumed.
❑ Below are the specific content areas (knowledge domains) and the specific tasks on which candidates may be expected to demonstrate their knowledge:
Identity management - 15%
Compute - 35%
Object Storage - 5%
Block Storage - 10%
Networking - 30%
Image management - 5%
https://www.openstack.org/coa/requirements

Questionnaire

Question 1
Within the accounting project, create a new tenant network called tenantnetwork1. It should have a subnet called tenant-subnet1 with the following details:
CIDR: 192.168.5.0/24
DHCP: Enabled
Allocation range: 192.168.5.50 to 192.168.5.60
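As an added example (not part of the study guide), the following Python helper prepares the OpenStackClient commands for Question 1 and checks the allocation pool against the rules Neutron applies before accepting a subnet; the `openstack network create` and `openstack subnet create` flags are the real OSC ones, the function names are mine, and nothing here connects to a cloud.

```python
"""Prepare and sanity-check the OSC commands for the sample COA task:
a tenant network plus a DHCP-enabled subnet with a restricted allocation pool.
Added example; it builds the command strings, it does not run them."""
import ipaddress
import shlex
from typing import List, Optional


def check_allocation_pool(cidr: str, start: str, end: str,
                          gateway: Optional[str] = None) -> List[str]:
    """Return a list of problems (empty when Neutron would accept the pool).

    Neutron rejects a pool that lies outside the subnet range, that includes
    the network or broadcast address, or that contains the gateway IP.  With
    no --gateway given, Neutron uses the first usable address of the CIDR.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    gw = ipaddress.ip_address(gateway) if gateway else net.network_address + 1
    if {first.version, last.version, gw.version} != {net.version}:
        return [f"pool/gateway addresses and subnet range {net} differ in IP version"]
    problems = []
    if first > last:
        problems.append(f"pool start {first} is after pool end {last}")
    for label, ip in (("start", first), ("end", last)):
        if ip not in net:
            problems.append(f"pool {label} {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {ip} is the network/broadcast address")
    if first <= gw <= last:
        problems.append(f"gateway {gw} conflicts with allocation pool {first}-{last}")
    return problems


def pool_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive allocation range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def build_commands(project: str, network: str, subnet: str, cidr: str,
                   start: str, end: str, dhcp: bool = True) -> List[str]:
    """Return the two OSC commands for the task, or raise ValueError when the
    pool would be rejected anyway (cheaper than finding out from the API)."""
    problems = check_allocation_pool(cidr, start, end)
    if problems:
        raise ValueError("; ".join(problems))
    q = shlex.quote  # names come from the exam text, but quote them regardless
    return [
        f"openstack network create --project {q(project)} {q(network)}",
        " ".join([
            "openstack subnet create",
            f"--project {q(project)}",
            f"--network {q(network)}",
            f"--subnet-range {q(cidr)}",
            "--dhcp" if dhcp else "--no-dhcp",
            f"--allocation-pool start={q(start)},end={q(end)}",
            q(subnet),
        ]),
    ]


if __name__ == "__main__":
    # Values taken from Question 1 above.
    for cmd in build_commands("accounting", "tenantnetwork1", "tenant-subnet1",
                              "192.168.5.0/24", "192.168.5.50", "192.168.5.60"):
        print(cmd)
    # With the default of one DHCP agent per network, the subnet's DHCP port
    # takes one address out of the pool, so a pool of 11 leaves 10 for instances.
    print("pool size:", pool_size("192.168.5.50", "192.168.5.60"))
```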


Lab Environment

❑ CPU: 2 CPUs (hardware-assisted)
❑ Storage: 25 GB
❑ Memory: 16 GB
❑ IP: 172.
❑ User: root/admin123

Pre-installed Lab

(figure)

Chapter 2: How to Build Your Own Virtual Test Environment

❑ OpenStack Components
❑ Deployment methods
❑ Diagram & Samples
❑ Hands-On: Installation

OpenStack Components

Service
❑ Horizon
❑ Keystone
❑ Nova
❑ Glance
❑ Cinder
❑ Neutron

Shared
❑ Placement
❑ OpenStack Client

Environment
❑ NTP
❑ SQL Database
❑ Message queue
❑ Memcached

Code Name and Service

Keystone (Identity Service)
❑ A centralized identity service that provides authentication and authorization for other services.
❑ The identity service also provides a central catalog of services running in a particular OpenStack cloud.
❑ It supports multiple forms of authentication, including username and password credentials, token-based systems, and Amazon Web Services (AWS) logins.
❑ The identity service acts as a single sign-on (SSO) authentication service for users and components.

Horizon (Dashboard)
❑ A web-based interface for managing OpenStack services. It provides a graphical user interface for operations such as launching instances, managing networking, and setting access controls.


Code Name and Service

Nova (Compute)
❑ The compute service manages instances (virtual machines) running on nodes, providing virtual machines on demand.
❑ It is a distributed service and interacts with the identity service for authentication, the image service for images, and the dashboard as a web-based user interface.
❑ The compute service is designed to scale out horizontally on standard hardware, downloading images to launch instances as required.
❑ The compute service uses libvirtd, qemu, and kvm for the hypervisor.

Neutron (Networking)
❑ The OpenStack networking service is a software-defined networking (SDN) service that helps to create networks, subnets, routers, and floating IP addresses. Users can create and attach interface devices to instances and routers. Administrators can define a gateway for a router to allow external access.
❑ OpenStack networking ships with plug-ins and agents for Cisco virtual and physical switches, Open vSwitch, OVN, and others. The common agents are L3 and DHCP (which provides DHCP IP addresses to instances). OpenStack networking enables projects to create advanced virtual network topologies including entities such as firewalls, load balancers, and virtual private networks (VPNs).

Image service (Glance)
❑ A service that acts as a registry for virtual machine images, allowing users to copy server images for immediate storage.
❑ These images can be used as templates when setting up new instances.


Code Name and Service

Cinder (Block Storage)
❑ The block storage service manages storage volumes for virtual machines. This can be both ephemeral and persistent block storage for instances running in the compute service.
❑ Snapshots can be taken for backing up data, either for restoring data or to be used to create new block storage volumes.

Swift (Object Storage)
❑ A service providing object storage that allows users to store and retrieve files.
❑ The object store architecture is distributed to allow for horizontal scaling and to provide redundancy as failure proofing.
❑ Data replication is managed by software, allowing greater scalability and redundancy than dedicated hardware.


Code Name and Service

Placement (Scheduling)
❑ Placement is an OpenStack service that provides an HTTP API for tracking cloud resource inventories and usages to help other services effectively manage and allocate their resources.

OpenStack client
❑ OpenStackClient (aka OSC) is a command-line client for OpenStack that brings the command set for the Compute, Identity, Image, Object Storage and Block Storage APIs together in a single shell with a uniform command structure.


Environment Services

Network Time Protocol (NTP)
❑ Chrony is recommended; configure the controller node to reference more accurate (lower stratum) servers and the other nodes to reference the controller node.

SQL Database
❑ Most OpenStack services use an SQL database to store information. The database typically runs on the controller node. The procedures in this guide use MariaDB or MySQL depending on the distribution. OpenStack services also support other SQL databases including PostgreSQL.


Environment Services

Message queue
❑ The message queue service typically runs on the controller node.
❑ OpenStack supports several message queue services including RabbitMQ, Qpid, and ZeroMQ. However, most distributions that package OpenStack support a particular message queue service. This guide implements the RabbitMQ message queue service because most distributions support it.

Memcached
❑ The Identity service authentication mechanism for services uses Memcached to cache tokens. The memcached service typically runs on the controller node.


OpenStack Architecture

(figure)

Trainocate.com
Before we begin

❑ OpenStack software provides a collection of services covering all the functionality associated with a private cloud solution.
❑ Those services are composed internally of different components, allowing a flexible and scalable configuration. OpenStack services base their back end on two shared services: a database for persistence and a message broker for communication among the components of each service.
❑ Each service is a web application with a REST API server as its front end.

RESTful API
❑ Representational State Transfer (REST) is an architectural style: a set of constraints that a web service follows, just as a building follows an architectural style.
❑ RESTful APIs provide the interface to the OpenStack services. Using the constraints defined by REST, a programmer can create a web service that consumers use to connect with OpenStack.
❑ In addition, the different components of OpenStack interact and are integrated with each other using these same RESTful interfaces.

AMQP

❑ Advanced Message Queuing Protocol (AMQP). Just like a middleman in business, an AMQP broker acts as the message broker; an analogy can be drawn to your office mail system.
❑ AMQP gives your applications a common platform to send and receive messages, and gives your messages a safe place to live until they are received.
❑ Any message broker solution supporting AMQP can be used as the message broker back end.
❑ RabbitMQ is the message broker used in this OpenStack architecture, since it provides enterprise-level features useful for setting up advanced configurations.

RabbitMQ

Term: Description
Exchange: retrieves published messages from the producer and distributes them to queues
Publisher/Producer: applications that publish the message
Consumer: applications that process the message
Queues: store the message
Routing Key: used by the exchange to determine how to route the message
Binding: the link between a queue and an exchange

RPC

❑ Remote Procedure Call. An IPC (Inter-Process Communication) mechanism by which a program (or OpenStack component) can request a service from a program located on another computer in a network without having to understand network details.
❑ The main idea is to make a remote service work like a local function call.

Sample: a Google web service; the client just waits for the result from Google before doing anything else.
RPC over AMQP
❑ There are two main RPC primitives used in OpenStack. The first is rpc.cast, which means: send the message and do not wait for a result. The second is rpc.call, which means: send the message, wait, and report the result (or an error in case of failure).
❑ Oslo (the OpenStack common library) produces a set of Python libraries containing code shared by OpenStack projects.
❑ oslo.messaging is used to create an RPC interface that includes the RPCClient and RPCServer classes.

Nova Examples

❑ For instance, in the Nova service, when nova-scheduler wants to talk with nova-compute, it calls an RPCClient defined in oslo.messaging.
❑ That RPCClient issues rpc.call() or rpc.cast() and sends the message into a queue that is responsible for transferring the message to, and receiving the response from, the RPCServer.
❑ The RPCServer side is implemented in the other components of Nova, such as nova-conductor, nova-compute, etc.

Nova Examples

❑ Exchanges and queues are created in RabbitMQ to route the message.
❑ Messages are delivered in a load-balanced fashion: when several consumers share a queue, each message is handed to one of them.

AMQP Benefits

❑ Decoupling between client and server (for example, the client does not need to know the server's address).
❑ Full asynchrony between client and server (for example, the client does not need the server to be running at the time of the remote call; the message waits in the queue).
❑ Balancing of remote calls (for example, if several servers are up and running, one-way calls are transparently dispatched to the first available server).
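The rpc.cast/rpc.call flow, the RabbitMQ vocabulary (exchange, queue, binding, routing key) and the load-balanced topic queues of the Nova slides, as an added Python example. This is not code from the study guide or from oslo.messaging: Broker, RpcServer, RpcClient and ComputeManager are this example's own in-process stand-ins for RabbitMQ and for nova-compute, so the flow runs without a broker.

```python
"""In-process model of OpenStack RPC over AMQP (rpc.cast / rpc.call).

Added example, not code from the study guide or from oslo.messaging.  A toy
broker stands in for RabbitMQ so the flow runs without a server; names such as
Broker, RpcServer, RpcClient and ComputeManager are this example's own.
"""
import itertools
import uuid
from collections import deque


class Broker:
    """One direct exchange: routing key -> bound queues -> consumers."""

    def __init__(self):
        self.queues = {}      # queue name -> deque of pending messages
        self.bindings = {}    # routing key -> names of bound queues
        self.consumers = {}   # queue name -> consumer callbacks
        self._rr = {}         # queue name -> round-robin iterator over consumers

    def declare_queue(self, name, routing_key):
        self.queues.setdefault(name, deque())
        bound = self.bindings.setdefault(routing_key, [])
        if name not in bound:
            bound.append(name)            # the binding

    def consume(self, queue, callback):
        self.consumers.setdefault(queue, []).append(callback)
        self._rr[queue] = itertools.cycle(self.consumers[queue])

    def publish(self, routing_key, message):
        """The exchange copies the message to every queue bound to the key."""
        for q in self.bindings.get(routing_key, []):
            self.queues[q].append(message)
            self._deliver(q)

    def _deliver(self, q):
        # A queued message goes to exactly one of the queue's consumers
        # (round robin), which is the load balancing the slides describe.
        while self.queues[q] and self.consumers.get(q):
            next(self._rr[q])(self.queues[q].popleft())


class RpcServer:
    """Like oslo.messaging's RPCServer: dispatch messages to endpoint methods."""

    def __init__(self, broker, topic, host, endpoint):
        self.broker, self.host, self.endpoint = broker, host, endpoint
        # Nova-style queues: one shared per topic ("compute") and one per
        # host ("compute.<host>"), each bound to the exchange under its name.
        for key in (topic, f"{topic}.{host}"):
            broker.declare_queue(key, key)
            broker.consume(key, self._on_message)

    def _on_message(self, msg):
        result = getattr(self.endpoint, msg["method"])(**msg["args"])
        if msg.get("reply_to"):    # only rpc.call carries a reply queue
            self.broker.publish(msg["reply_to"],
                                {"msg_id": msg["msg_id"], "result": result, "host": self.host})


class RpcClient:
    """Like oslo.messaging's RPCClient: cast() is fire-and-forget, call() waits."""

    def __init__(self, broker, topic):
        self.broker, self.topic = broker, topic
        self.reply_q = "reply_" + uuid.uuid4().hex
        self.replies = {}
        broker.declare_queue(self.reply_q, self.reply_q)
        broker.consume(self.reply_q, lambda m: self.replies.__setitem__(m["msg_id"], m))

    def _key(self, server):
        return f"{self.topic}.{server}" if server else self.topic

    def cast(self, method, server=None, **args):
        self.broker.publish(self._key(server),
                            {"msg_id": uuid.uuid4().hex, "method": method, "args": args})

    def call(self, method, server=None, **args):
        msg_id = uuid.uuid4().hex
        self.broker.publish(self._key(server), {"msg_id": msg_id, "method": method,
                                                 "args": args, "reply_to": self.reply_q})
        reply = self.replies.pop(msg_id)   # delivery is synchronous in this model
        return reply["result"], reply["host"]


class ComputeManager:
    """Stand-in for the nova-compute manager that serves the RPC endpoint."""

    def __init__(self):
        self.instances = {}

    def build_instance(self, instance_id, flavor):
        self.instances[instance_id] = flavor
        return f"built {instance_id} ({flavor})"


def demo():
    broker = Broker()
    managers = {h: ComputeManager() for h in ("compute1", "compute2")}
    for host, mgr in managers.items():
        RpcServer(broker, "compute", host, mgr)
    scheduler = RpcClient(broker, "compute")
    # Two casts on the shared topic: the queue balances them, one per host.
    scheduler.cast("build_instance", instance_id="vm-1", flavor="m1.small")
    scheduler.cast("build_instance", instance_id="vm-2", flavor="m1.small")
    # A call addressed to one host blocks until that host answers.
    result, host = scheduler.call("build_instance", server="compute2",
                                  instance_id="vm-3", flavor="m1.large")
    counts = {h: len(m.instances) for h, m in managers.items()}
    return counts, result, host
```

Note what the model makes visible: there is no authorization step anywhere on the RPC path. Any client that can publish to the compute topic can invoke build_instance on every host, so the RabbitMQ credentials in transport_url and TLS on the broker port are the only thing standing between a compromised service node and the whole control plane.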

Service Catalog

❑ APIs are needed to bring applications together in order to perform a designed function built around sharing data and executing pre-defined processes.
❑ They work as the middleman, allowing developers to build new programmatic interactions between the various applications people and businesses use on a daily basis.
❑ A REST API is reached by URL (address, port and path), so the services need a catalog that records where each service's API lives.

Open Source License

❑ In contrast to proprietary software, open source software licenses govern how others, besides the originator, can use, modify, or distribute software code. They grant other users the permission and rights to use or repurpose the code for new applications or to include the code in other projects.
❑ One of the main advantages of open source code is its visibility, which makes it easier to troubleshoot problems and to understand better how something works when the documentation is either lacking or incorrect.
❑ Depending on the type of open source license, you may even be allowed to modify the original source code to tailor it to your needs or fix any issues you find. The license will determine whether this is possible, and under what terms. For example, you may be required to make any modifications publicly available.
❑ OpenStack uses the Apache License 2.0. Some of its terms and conditions:
  • Grants rights to users that can be applied to both copyrights and patents.
  • The Apache License doesn't require you to release the modified code under the same license; you can choose to add specific license terms and conditions that govern how others use, reproduce, or distribute your modified code.

Challenges for Open Source Software

❑ The difficulty of use - Some open source applications may be tricky to set up and use. Others may lack
user-friendly interfaces or features that your staff may be familiar with. This can affect productivity and
prevent your staff from adopting or using programs with ease.
❑ Compatibility issues - Many types of proprietary hardware need specialised drivers to run open source
programs, which are often only available from the equipment manufacturer. This can potentially add to
the cost of your project. Even if an open source driver exists, it may not work with your software as well as
the proprietary driver.
❑ Liabilities and warranties - With proprietary software, the developer usually provides indemnification and
warranty as part of a standard licence agreement. This is because they fully control and copyright the
product and its underlying code. Open source software licences typically contain only limited warranty
and no liability or infringement indemnity protection.
❑ Hidden costs - Software that is free up-front but later costs money to run can be a major burden,
especially if you haven't considered hidden costs from the outset.

IDC: Value of Red Hat solutions compared to free open source software

Numerous IDC studies found that subscription-based infrastructure software from Red Hat offers a 3-year return on investment (ROI) of 368% and 32% lower infrastructure costs. This is achieved by:
❑ Reducing the overall cost of running equivalent workloads by optimizing infrastructure requirements and saving staff time
❑ Enhancing security to minimize operational risk and enable teams responsible for security
❑ Creating more agile IT environments that allow for more timely and effective development efforts
❑ Improved business results via a more scalable, high-performing IT infrastructure foundation

https://www.redhat.com/en/resources/idc-business-value-red-hat-solutions-executive-summary
Hypervisor Distro

❑ KVM (x86) running on CentOS, Red Hat or Ubuntu is the best-supported choice.
❑ OpenStack also supports commercial hypervisors such as VMware ESXi and Microsoft Hyper-V.

Source: https://whitestack.com/products/whitecloud/
Alternatives to CentOS

In December 2020, Red Hat, the sponsor of CentOS, announced that it is shifting its focus from CentOS Linux to CentOS Stream, which is an upstream development platform for ecosystem developers.

❑ AlmaLinux
❑ Rocky Linux
❑ Ubuntu Server
❑ OpenSUSE
❑ Oracle Linux
❑ Debian
❑ Fedora Server

Openstack Distro

Top-ranked distros:
▪ VMware Integrated OpenStack
▪ Canonical's Charmed OpenStack
▪ Red Hat OpenStack

https://www.openstack.org/marketplace/distros/

OpenStack Deployments Methods

Method:
❑ Manual Deployment
❑ Automated Deployment
  ▪ Packstack (RDO)
  ▪ TripleO (RDO)
  ▪ Kolla-Ansible
  ▪ OpenStack-Ansible

Source:
❑ Official: openstack.org, redhat.com
❑ Unofficial: blogs, GitHub

Model:
❑ AIO: all-in-one
❑ Multinode

OpenStack Deployments: RDO Distro

❑ Not to be confused with the Debian distribution of OpenStack.
❑ This freely-available, community-supported distribution of OpenStack runs on Red Hat Enterprise Linux, CentOS, Fedora, and their derivatives.
❑ RDO is easy to install, contains the latest OpenStack bits and is supported by a large community that is always there when you need help. RDO is facilitated by Red Hat and available at https://www.rdoproject.org/
❑ RDO OpenStack deployment methods:
  ▪ Manual: install and configure each service by hand
  ▪ RDO-Manager: an OpenStack deployment and management tool for RDO. It is based on the OpenStack TripleO project and its philosophy is inspired by the SpinalStack project.
  ▪ Packstack: install and configure RDO with Puppet

Manual Deployment

❑ Install and configure each service manually. This requires a lot of time and effort from an administrative point of view.
❑ Details of how each OpenStack service can be installed and configured manually are provided in the following documentation:
  http://docs.openstack.org/latest/installguide/install/yum/content/
  http://server-world.info/en

Automated Deployment

Devstack/Packstack

▪ Packstack is mainly suitable for Red Hat family distributions such as CentOS and Fedora. It uses Puppet modules to deploy the various OpenStack components over SSH.
▪ DevStack is a script written to create an environment with a minimal OpenStack setup, which can be used to set up OpenStack on a laptop as well. It is a development tool, not a production installer.

Lifecycle management

Automated Deployment

Kolla-Ansible / OpenStack-Ansible

▪ Services run in containers: Docker (Kolla-Ansible) / LXC (OpenStack-Ansible)

TripleO / RHOSP

Architect Overview

Node roles: Control, Compute, Network, Storage
Included services: Keystone, Nova, Glance, Cinder, Neutron

Node Role

Controller

❑ The controller node runs the Identity service, Image service, Placement service, management portions of Compute, management portion of Networking, various Networking agents, and the Dashboard. It also includes supporting services such as an SQL database, message queue, and NTP.
❑ Optionally, the controller node runs portions of the Block Storage, Object Storage, Orchestration, and Telemetry services.
❑ The controller node requires a minimum of two network interfaces.

Compute

❑ The compute node runs the hypervisor portion of Compute that operates instances. By default, Compute uses the KVM hypervisor. The compute node also runs a Networking service agent that connects instances to virtual networks and provides firewalling services to instances via security groups.
❑ You can deploy more than one compute node. Each node requires a minimum of two network interfaces.

Block Storage

❑ The optional Block Storage node contains the disks that the Block Storage and Shared File System services provision for instances.
❑ For simplicity, service traffic between compute nodes and this node uses the management network. Production environments should implement a separate storage network to increase performance and security.
❑ You can deploy more than one block storage node. Each node requires a minimum of one network interface.

Role

Object Storage

❑ The optional Object Storage node contains the disks that the Object Storage service uses for storing accounts, containers, and objects.

Network

❑ An optional dedicated network node runs the Networking agents (L3, DHCP, metadata) and the virtual routers they manage, so that tenant routing traffic does not pass through the controller.

HCI Compute

❑ A compute node with a storage module (hyper-converged infrastructure).
❑ Better for scaling out systems such as clouds.

Network
❑ Guest or tenant network: hosts traffic among the virtual machines (VMs) in the OpenStack cloud.
❑ Storage network: hosts traffic between the VMs and their application datasets that are on external storage systems.
❑ Management or API network: hosts traffic among the OpenStack components that manage the entire operation of the cloud infrastructure, including administrator-generated traffic. This network carries the database, message queue and internal API endpoints and must not be reachable from the guest networks.
❑ External network: hosts traffic between the virtual entities such as the VMs and their private networks in the OpenStack cloud and the wider network, which consists of both the corporate network and the Internet.

High Availability (HA) Controller Cluster

❑ High availability systems seek to minimize the following issues:
  ▪ System downtime: occurs when a user-facing service is unavailable beyond a specified maximum amount of time.
  ▪ Data loss: accidental deletion or destruction of data.
❑ OpenStack controller high availability can be achieved with software components that contribute to system-level availability:
  ▪ HAProxy
  ▪ Keepalived
  ▪ Pacemaker
  ▪ MariaDB cluster
  ▪ RabbitMQ cluster

https://docs.openstack.org/ha-guide/intro-ha-common-tech.html#hardware

Split brain in Cluster
❑ Imagine that you have a 10-node cluster and for some reason the network is divided in two in a way that 4 servers cannot see the other 6. As a result you end up with two separate clusters: a 4-node cluster and a 6-node cluster. Members of each sub-cluster think that the other nodes are dead even though they are not. This situation is called network partitioning (aka split-brain syndrome).
❑ Since it is a network failure, there is no way to avoid it programmatically and your application will run as two separate, independent clusters, but we should be able to answer the following questions: "What will happen after the network failure is fixed and connectivity is restored between these two clusters? Will these two clusters merge into one again? If they do, how are the data conflicts resolved, because you might end up having two different values for the same key in the same map?"
❑ The usual answer is quorum: only the partition that still holds a majority of the nodes (the 6-node side here) keeps serving writes, which is why clusters such as Galera and RabbitMQ are deployed with an odd number of members.

haproxy
❑ HAProxy provides load balancing services and SSL/TLS termination for the API endpoints.
❑ For a successful installation, you require a load balancer. You may prefer to make use of hardware load balancers instead of HAProxy. If hardware load balancers are in use, then implement the load balancing configuration for services prior to executing the deployment.

Keepalived and Pacemaker

❑ Keepalived: provides the virtual IP (VIP) using VRRP
❑ Pacemaker: cluster resource manager with resource failover (IP addresses, services)

RabbitMQ cluster

❑ A RabbitMQ cluster is a logical grouping of one or several nodes, each sharing users, virtual hosts, queues, exchanges, bindings, runtime parameters and other distributed state.
❑ The composition of a cluster can be altered dynamically. All RabbitMQ brokers start out as running on a single node. These nodes can be joined into clusters, and subsequently turned back into individual brokers again.
❑ OpenStack services are pointed at every member of the cluster with a multi-host transport_url, for example:

transport_url = rabbit://openstack:[email protected]:5672,openstack:password@10.1.17.62:5672,openstack:password@10.1.17.63:5672/

❑ The broker credentials are embedded in this URL, so restrict read access to the service configuration files that contain it, and enable TLS to the broker (ssl = true in the [oslo_messaging_rabbit] section) so that neither the password nor the RPC traffic crosses the management network in clear text.

Galera Cluster

❑ MariaDB Galera Cluster is a virtually synchronous multi-primary cluster for MariaDB. It is available on Linux only, and only supports the InnoDB storage engine (although there is experimental support for MyISAM and, from MariaDB 10.6, Aria).
❑ MariaDB Galera Cluster is powered by:
  • MariaDB Server.
  • The Galera wsrep provider library.
❑ The functionality of MariaDB Galera Cluster can be obtained by installing the standard MariaDB Server packages and the Galera wsrep provider library package.

Memcached

❑ Memcached is a high-performance, distributed caching system. Although application-neutral, it is most commonly used to speed up dynamic web applications by alleviating database load.
❑ In Python applications, caching is important. Using a cache to avoid recomputing data or accessing a slow database can provide you with a great performance boost.

All-in-One (AIO) Model

❑ Minimal install: you need a system with a fresh install of Linux. You can download the Minimal CD for Ubuntu releases, since DevStack will download and install all the additional dependencies. The netinstall ISO is available for Fedora and CentOS/RHEL. You may be tempted to use a desktop distro on a laptop; it will probably work, but you may need to tell NetworkManager to keep its fingers off the interface(s) that OpenStack uses for bridging.
❑ Network configuration: determine the network configuration on the interface used to integrate your OpenStack cloud with your existing network. For example, if the IPs given out on your network by DHCP are 192.168.1.X, where X is between 100 and 200, you will be able to use IPs 201-254 for floating IPs.

Multinode Model
Multinode model without HA

https://github.com/hocchudong/openstack-tools/blob/master/docs/openstack-victoria-CentOS8-install.md
Installation Guide
Lab model

Hands-On: Installation
❑ Perform an OpenStack AIO installation with Packstack
❑ Reference: https://www.rdoproject.org/install/packstack/
❑ Verify the installation

Chapter 3: Identity Management

❑Identity
❑Token
❑Manage keystone
❑Hand-Ons: Keystone

Keystone (Identity Service)
❑ The OpenStack Identity Service (code named Keystone) provides:
  ▪ Authentication and role-based authorization
  ▪ Policy management
  ▪ Token handling
❑ Internal service functions are categorized as:
  ▪ Identity
  ▪ Resource
  ▪ Token
  ▪ Policy
  ▪ Role assignment
  ▪ Catalog
❑ The Identity Service API is available at configurable endpoints segregated by public and internal traffic. The API can be provided redundantly by multiple controller nodes using Pacemaker/Keepalived with a virtual IP (VIP) address.

Keystone Architecture

Main functions
❑ Runs on WSGI
❑ Multiple services and back ends

Keystone and WSGI

https://github.com/openstack/keystone/blob/master/httpd/wsgi-keystone.conf
Identity
Identity encompasses authentication and authorization functions.
❑ Users are a digital representation of a person, system, or service using
other OpenStack services.
▪ Users must be assigned a role to participate in a project.
▪ Users may be managed using groups, introduced in Identity Service
v3, which can be assigned roles and attached to projects in the
same way as individual users.
❑ Projects (previously known as tenants) are collections of owned
resources such as networks, images, servers, and security groups.
These are structured according to the development needs of an
organization.
▪ A project can represent a customer, account, or any organizational
unit.
▪ With Identity Service v3, projects can contain subprojects, which
inherit project role assignments and quotas from parent projects

Identity Authentication and Authorization

❑ Authentication is the act of confirming the identity of a specific user; in other words, proving that a user is who she or he claims to be.
❑ Authorization is the function of determining access rights for that specific user. Keystone has a variety of functions, but first and foremost, it provides authentication.
❑ All OpenStack users are required to authenticate to Keystone via the Horizon dashboard, command-line interface (CLI), SDK, or directly to the API before requesting services from OpenStack components.
❑ Once a user is authenticated, Keystone is not involved in determining the user's access rights. Access rights include things such as whether a user can create a Neutron virtual router or create Glance images that are publicly accessible. This authorization is handled by each service's policy file (policy.json, or policy.yaml in recent releases), which lives in that service's configuration directory; the service evaluates it against the roles carried in the user's token.

Resource
❑ Resource functions manage domains, which are an Identity Service
v3 entity for creating segregated collections of users, groups, and
projects.
❑ Domains allow multiple organizations to share a single OpenStack
installation. Users, projects, and resources created in one domain
cannot be transferred to another domain; by design, they must be
recreated.
❑ OpenStack creates a single domain named default for a new
installation.
❑ In Identity Service v2, multiple domains are not recognized and all
activities use the default domain.

Token

❑ Token functions create, manage, and validate time-limited tokens, which users pass to
other OpenStack components to request a service.
❑ A token is a structured enumeration of user access rights designed to simplify the
requirement that each individual OpenStack service request be verified for sufficient
user privilege.

Policy

❑ Policy functions provide a rule-based authorization engine and an associated rule management interface.
❑ Policy rules define the capabilities of roles. Default roles include admin, _member_, swiftoperator, and heat_stack_user. You can build policies to create custom roles.
❑ A Role-Based Access Control (RBAC) policy is enforced on each public API endpoint.

Access Control in oslo.policy

A user has a role to execute an action on a target object. Example: Kirsti is an admin and can create users.

In oslo.policy terms:
Credentials: contains the user information (user, project, domain and roles)
Rule: is the name of the action
Target: is the target object (what object is it? what user does it belong to? what project does it belong to?)

Oslo.policy Language
❑ Use oslopolicy-policy-generator to generate the effective policy file (policy.json or policy.yaml)
❑ Each entry has the form "<target>": "<rule>"
Targets
• aliases: "admin_or_creator": "role:admin or role:creator"
• actions: "identity:list_user_projects", "identity:create_project"
Rules
• always true ("@") or always false ("!")
• a special check (for a role, another rule, or an external target): "compute:get_all": "role:lister"
• a comparison of two values, e.g. "user_id:%(user_id)s" compares the caller's user ID with the target's
• Boolean expressions (and, or, not) built from simpler rules
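The rule language above, as an added Python model that is not oslo.policy itself: SAMPLE_POLICY is a constructed policy in the "<target>": "<rule>" shape (the identity: and compute: names only mirror the Keystone and Nova style), and Enforcer evaluates role:, rule:, generic comparisons such as user_id:%(user_id)s, the literal checks, and and/or/not with "and" binding tighter than "or", as in oslo.policy. Parentheses are not supported.

```python
"""Tiny evaluator for oslo.policy-style rules ("<target>": "<rule>").

Added example; not oslo.policy.  Supports role:<name>, rule:<alias>,
<cred_field>:%(target_field)s and <cred_field>:<literal> comparisons,
the literals True/False/@/!, and "and" / "or" / "not" without parentheses.
"""

# Constructed sample policy; the rule names mirror the Keystone/Nova style.
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "compute:get_all": "role:lister or rule:admin_required",
    "identity:list_user_projects": "rule:admin_or_owner",
    "identity:create_project": "rule:admin_required",
    "identity:delete_domain": "rule:admin_required and not domain_id:default",
}


class Enforcer:
    def __init__(self, policy):
        self.policy = policy

    def enforce(self, rule_name, target, creds):
        """True if creds (user_id, roles, domain_id...) may run rule_name on target."""
        expr = self.policy.get(rule_name)
        if expr is None:
            return False            # unknown rule: deny by default
        return self._eval_or(expr, target, creds)

    def _eval_or(self, expr, target, creds):
        # "or" has the lowest precedence, then "and", then "not".
        return any(self._eval_and(t, target, creds) for t in expr.split(" or "))

    def _eval_and(self, expr, target, creds):
        return all(self._eval_atom(a.strip(), target, creds) for a in expr.split(" and "))

    def _eval_atom(self, atom, target, creds):
        if atom.startswith("not "):
            return not self._eval_atom(atom[4:].strip(), target, creds)
        if atom in ("True", "@", ""):
            return True
        if atom in ("False", "!"):
            return False
        kind, _, value = atom.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":           # alias: recurse into the named rule
            return self._eval_or(self.policy.get(value, "False"), target, creds)
        # Generic check: a credential field against a target field or a literal.
        if value.startswith("%(") and value.endswith(")s"):
            expected = target.get(value[2:-2])
            if expected is None:     # missing target field: the check fails
                return False
        else:
            expected = value
        return str(creds.get(kind)) == str(expected)
```

To run the same kind of check against a real policy file, oslo.policy ships oslopolicy-checker, which takes --policy <file> and --access <token-response.json> and reports which rules that token satisfies; run it against each service's policy whenever a custom role is added, because a rule that nobody can satisfy, or that everyone can, stays silent until it is tested.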

https://www.youtube.com/watch?v=O25jVBo4ubg&t=135s
https://jaosorior.dev/2018/oslo-policy-deep-dive-p2/
Role Assignment

❑ Role assignment functions are used to assign users to projects. Users do not belong to projects; instead they have a role in a project. Users may be assigned multiple roles for the same project, and may also be ass
igned different roles in multiple projects.
❑ Roles define a set of user privileges to perform specific operations on OpenStack services, defined by policy definitions. The most commonly recognized roles are _member_, which can perform all normal activities within a project, and admin, which adds additional permissions to create users, projects, and other restricted resource objects.

Access Management and Authorization
❑ A user has at least one role in a project

Admin Issue
❑ _member_ role: users can create, read, update, and delete resources, as long as they own that resource
❑ admin role: has access to all projects in the domain. The admin role is defined in all policy.json files as having full admin access to all projects within all domains.
❑ We would never give the admin role to a customer in an environment with customers in each domain. To work around this, OpenStack administrators create domain_admin roles. This is outside the scope of COA prep, but for more information on this, visit https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow

Keystone Service Catalog

❑ Catalog functions store connection information about every other OpenStack service component, in the form of endpoints.
❑ An endpoint is a URL that an API client uses to access a service in OpenStack. Every service has one or more endpoints.
❑ The catalog contains multiple endpoint entries for each service, to allow service traffic to be segregated by public, internal, and administration tasks for traffic management and security reasons.
❑ Because OpenStack services may be redundantly installed on multiple controller and compute nodes, the catalog contains endpoints for each. When users authenticate and obtain a token to use when accessing services, they are, at the same time, being given the current URL of the requested service.
Service Backends
Each listed Identity Service function supports multiple choices of back ends, defined through plug-ins, which can be one of the following types (not all functions support all back-end types):
• Key Value Store: a file-based or in-memory dictionary using primary key lookups.
• Memcached: a distributed-memory shared caching structure.
• Structured Query Language: OpenStack uses SQLAlchemy as the default persistent data store for most components. SQLAlchemy is a Python-based SQL toolkit.
• Pluggable Authentication Module: using the Linux PAM authentication service.
• Lightweight Directory Access Protocol: uses the LDAP protocol to connect to an existing back-end directory, such as IdM or AD, for user authentication and role information.

Federated Authentication

❑ As of the Icehouse release, Keystone is able to consume federated authentication via Apache modules for multiple trusted identity providers.
❑ These users are not stored in Keystone and are treated as ephemeral.
❑ The federated users have their attributes mapped into group-based role assignments.

Authentication

Authentication methods: password or token
Authentication Token

❑ The Identity Service confirms a user's identity through an authentication process specified through plug-in configuration, and then provides that user with a token that represents the user's identity.
❑ A typical user token is scoped, meaning that it lists the resources and access for which it may be used. A scoped token lists the user's rights and privileges, as defined in roles relevant to the current project.
❑ When a user makes a request to an OpenStack service, the service verifies the requested resource access against the user's provided roles and then either allows or denies the requested service.

Token Scope

Unscoped: Unscoped tokens are authentication-only tokens that do not contain a project, role, or service information payload. For example, an unscoped token may be used when authentication is provided by an identity provider other than the Identity Service, such as an LDAP, RADIUS, or AD server. The token is used to authenticate with the Identity Service, which then exchanges the unscoped token for the authenticated user's appropriate scoped token. An unscoped token may also be referred to as an Identity Service default token, which is not associated with a project or domain and may be exchanged for a scoped token.

Project-scoped: Project-scoped tokens provide authorization to perform operations on a service endpoint using the resources of a single project, allowing activities specified by the user's role in that project. These tokens contain the relevant service catalog, roles, and project information as payload and are considered to be associated to a specific project.

Domain-scoped: Domain-scoped tokens apply to services that occur at the domain level, rather than at the project or user level. This type of token has a payload containing the domain's service catalog, and is limited to services that do not require per-project endpoints. The token payload also contains the project and role information for the user within the specified domain.
Token Providers

❑ Historically there were four types of token provider: UUID, PKI, PKIZ, and the newest, Fernet. Fernet has been the default since the Ocata release; PKI and PKIZ were removed in Ocata and UUID in Rocky, and a JWS provider was added in Stein.
❑ Tokens are generated by Keystone and have an expiry date. Tokens have a limited lifespan, allowing the user to perform service requests without further authentication until the token expires or is revoked.
❑ The staged key is not used to generate tokens but can be used to validate them, because the staged key may already be the new primary key on the node where rotation ran first while the keys have not yet been synchronised across all the units.

Fernet Tokens

❑ Fernet tokens are an implementation of a symmetric-key cryptographic authentication method, which uses the same key to both encrypt and decrypt, designed specifically to process service API request tokens.
❑ Fernet supports using multiple keys, always using the first key in the list (the primary key) to encrypt, and then attempting the other keys (the secondary keys and the staged key that is scheduled to become primary) to decrypt.

• Fernet key file: 32 bytes (256 bits), stored base64url-encoded; the first 16 bytes are the HMAC-SHA256 signing key and the last 16 bytes the AES-128 encryption key.
  83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE=
  (raw bytes: \xf3v\xf8\xb0!tC\x8a[\xdd\xa3V%\x8bRv\xd7Z\x1f\xc3\xcc\x03\xfe]\x94\xde\xce\xb3\x05\xcan\xf1)

Key Rotation

❑ Fernet key file names are integers starting from 0:
  ls /etc/keystone/fernet-keys => 0 1 2 3 4
❑ Type 1: primary key
  ▪ Encrypts and decrypts
  ▪ The key file with the highest index
❑ Type 2: secondary keys
  ▪ Decrypt only
  ▪ Lowest index < secondary key file name < highest index
❑ Type 3: staged key
  ▪ Decrypts, and is next in line to become the primary key
  ▪ The key file with the lowest index (0)
Token Generation Workflow

Fernet token = Version | Current Timestamp | IV | Cipher Text | HMAC
  • The HMAC is computed over the version, timestamp, IV and cipher text using the signing key (HMAC-SHA256).
  • The cipher text is the token payload encrypted using the encryption key (AES-128-CBC).

Token payload (before encryption): Version, User ID, Methods, Project ID, Expiry Time, Audit ID, plus padding

Figure: Fernet – Token Generation Workflow
Token Validation Workflow

Validate the token with GET v3/auth/tokens, using the headers X-Subject-Token (the token being validated) and X-Auth-Token.
1. Restore padding: re-inflate the token with "=" and return the token with correct padding.
2. Decrypt using the Fernet keys to retrieve the token payload.
3. Determine the version from the token payload. Fixed versioning by Keystone:
• Unscoped payload: 0
• Domain scoped payload: 1
• Project scoped payload: 2
4. Disassemble the payload to determine the validation fields. For a project scoped token: User ID, Project ID, Methods, Token Expiry, Audit ID.
5. Check if the token is expired: is Current Time < Expiry Time? The current time is calculated in UTC. If no: Token Not Found.
6. Check if the token matches any revocation events: is the token revoked? If yes: Token Not Found.
7. Otherwise: HTTP/1.1 200 OK
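The key roles from the Key Rotation slide and the padding, version, expiry and revocation checks from the validation workflow above, as an added example that is not part of the slides or of keystone's own code. The key repository is an in-memory dict standing in for /etc/keystone/fernet-keys, the payload is a plain dict rather than keystone's packed format, and revocation is modelled on audit IDs only.

```python
import base64
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Payload versions as listed on the validation slide.
PAYLOAD_VERSIONS = {0: "unscoped", 1: "domain-scoped", 2: "project-scoped"}


def new_fernet_key() -> str:
    """256-bit key in the urlsafe-base64 form keystone writes to fernet-keys/<index>."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def classify_keys(repo: Dict[int, str]) -> Dict[str, List[int]]:
    """Map index -> key onto the three roles from the Key Rotation slide:
    index 0 is the staged key, the highest index is the primary key and
    the indexes in between are secondary (decrypt-only) keys."""
    if 0 not in repo or len(repo) < 2:
        raise ValueError("repository needs a staged key (0) and a primary key")
    primary = max(repo)
    return {"primary": [primary],
            "secondary": sorted(i for i in repo if 0 < i < primary),
            "staged": [0]}


def decryption_key_order(repo: Dict[int, str]) -> List[int]:
    """Order in which a validator tries keys: the current (primary) key first,
    then the earlier keys newest to oldest, then the staged key."""
    roles = classify_keys(repo)
    return roles["primary"] + roles["secondary"][::-1] + roles["staged"]


def rotate(repo: Dict[int, str], max_active_keys: int = 3) -> Dict[int, str]:
    """One rotation: the staged key is promoted to primary under a new highest
    index, a fresh staged key is written as 0, and the oldest secondary keys
    are pruned until at most max_active_keys remain (staged and primary always stay)."""
    roles = classify_keys(repo)
    new_repo = dict(repo)
    new_repo[roles["primary"][0] + 1] = new_repo.pop(0)   # promote staged key
    new_repo[0] = new_fernet_key()                          # new staged key
    while len(new_repo) > max(max_active_keys, 2):
        del new_repo[min(i for i in new_repo if i != 0)]   # drop oldest secondary
    return new_repo


def restore_padding(token: str) -> str:
    """Keystone strips the trailing '=' from tokens it returns; re-inflate to a
    multiple of four characters before base64-decoding (workflow step 1)."""
    return token + "=" * (-len(token) % 4)


def urlsafe_decode(token: str) -> bytes:
    return base64.urlsafe_b64decode(restore_padding(token))


def make_payload(version: int, audit_id: str, ttl_seconds: int,
                 user_id: str = "u1", project_id: str = "p1") -> dict:
    """Constructed payload carrying the fields the validation slide lists."""
    return {"version": version, "user_id": user_id, "methods": ["password"],
            "project_id": project_id, "audit_id": audit_id,
            "expires_at": datetime.now(timezone.utc) + timedelta(seconds=ttl_seconds)}


def validate_payload(payload: dict, revoked_audit_ids: Set[str],
                     now: Optional[datetime] = None) -> str:
    """Workflow steps 3, 5 and 6: known version, not expired (compared in UTC),
    not matched by a revocation event. Any failure is reported as Token Not Found."""
    now = now or datetime.now(timezone.utc)
    if payload.get("version") not in PAYLOAD_VERSIONS:
        return "Token Not Found"
    if not now < payload["expires_at"]:
        return "Token Not Found"
    if payload["audit_id"] in revoked_audit_ids:
        return "Token Not Found"
    return "HTTP/1.1 200 OK"
```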


Keystone Service Catalog

❑ Services find other services through the catalog.
❑ Each service is associated with a service user.

Catalog Service Endpoints

❑ Service -> Endpoint -> API URL.

Workflow & Token Scoping

Because domains are a new feature supported in Identity Service v3, earlier documentation may refer only to scoped and unscoped tokens, in which the scope is project based.
❑ Step 1: Obtain an unscoped token from Keystone
❑ Step 2: Discover tenants/projects you have access to
❑ Step 3: Obtain a scoped token
❑ Step 4: Invoke the target endpoint service API
❑ Step 5: Validate role metadata (policy.json)
❑ Step 6: Service API request
❑ Step 7: Return response

http://bodenr.blogspot.com/2014/03/openstack-keystone-workflow-token.html
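Steps 1 to 5 of this workflow, together with the Service -> Endpoint -> API URL lookup from the catalog slides, as an added example that is not from the slides or from Keystone itself. The auth URL is the one shown on the OpenStack CLI slide; the catalog, project listing and policy rules are constructed sample data, and the policy evaluator handles only the role: and rule: subset of the policy.json syntax.

```python
from typing import Dict, List, Optional

KEYSTONE = "http://192.168.56.56:5000/v3"   # auth URL from the CLI slide (sample host)


def unscoped_auth_body(username: str, password: str, user_domain: str = "default") -> dict:
    """Step 1: body for POST {KEYSTONE}/auth/tokens with no scope; the token is
    returned in the X-Subject-Token response header."""
    return {"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"name": username, "domain": {"name": user_domain}, "password": password}}}}}


def projects_from_listing(listing: dict) -> Dict[str, str]:
    """Step 2: GET {KEYSTONE}/auth/projects with the unscoped token lists the
    projects the user may scope to; only enabled projects are offered."""
    return {p["name"]: p["id"] for p in listing["projects"] if p.get("enabled", True)}


def scoped_auth_body(unscoped_token: str, project_id: str) -> dict:
    """Step 3: exchange the unscoped token for a project-scoped token."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": unscoped_token}},
                     "scope": {"project": {"id": project_id}}}}


def request_headers(scoped_token: str) -> Dict[str, str]:
    """Headers carried on every later service API request (step 6)."""
    return {"X-Auth-Token": scoped_token, "Content-Type": "application/json"}


def find_endpoint(catalog: List[dict], service_type: str,
                  interface: str = "public", region: Optional[str] = None) -> Optional[str]:
    """Step 4: Service -> Endpoint -> API URL, resolved from the catalog that
    comes back with the scoped token."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and (region is None or ep.get("region") == region):
                return ep["url"]
    return None


def role_allowed(policy: Dict[str, str], rule_name: str, roles: List[str]) -> bool:
    """Step 5: evaluate a policy.json rule against the roles in the scoped token.
    Supports 'role:x', 'rule:y', ' and ', ' or ' and the empty (always allow) rule;
    an undefined rule is denied here (real oslo.policy falls back to its 'default' rule)."""
    rule = policy.get(rule_name)
    if rule is None:
        return False
    if rule == "":
        return True
    for alternative in rule.split(" or "):
        if all(_term(policy, t.strip(), roles) for t in alternative.split(" and ")):
            return True
    return False


def _term(policy: Dict[str, str], term: str, roles: List[str]) -> bool:
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return role_allowed(policy, value, roles)
    return False


# Constructed catalog, shaped like the "catalog" list of a scoped token response.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": KEYSTONE}]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://192.168.56.56:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne", "url": "http://10.0.0.11:8774/v2.1"}]},
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://192.168.56.56:9292"}]},
]

# Constructed policy.json-style rules (names are samples, not a service's real defaults).
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "compute:create": "role:admin or role:member",
    "compute:delete": "rule:admin_required",
    "compute:list": "",
}
```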


Workflow & Token Scoping

❑ To create a VM, the requests carrying the token are verified between the projects involved: nova, glance, neutron (formerly quantum).
❑ The service user name and project are declared in each project's configuration.

Openstack Client

❑ Use the OpenStack Python API libraries, extending or replacing them as required
❑ Use a consistent naming and structure for commands and arguments
❑ Provide consistent output formats with optional machine parseable formats
❑ Use a single-binary approach that also contains an embedded shell that can execute multiple commands on a single authentication (see libvirt's virsh for an example)
❑ Independence from the OpenStack project names; only API names are referenced (to the extent possible)

Openstack CLI

$ openstack --os-auth-url http://192.168.56.56:5000/v3 --os-user-domain-name default

$ source openrc
$ openstack user list

CLI vs Dashboard

Exam Objective
❑ Create domain, user, projects, role

Use keystone
❑ Show token
❑ Set token environment
❑ Show projects

$ OS_TOKEN=2511aaa898ff42158addea8c90ba2622
$ curl -s -H "X-Auth-Token: $OS_TOKEN" \
    http://localhost:5000/v3/projects | python -mjson.tool
$ openstack project list

Chapter 4: OpenStack Dashboard

❑Components
❑Manage Horizon
❑Hands-On: Horizon

Horizon

❑ Horizon is the web console and provides the frontend for the user. It invokes the APIs of the various OpenStack services such as Glance, Nova, and so on.
❑ The output returned by the APIs is processed and displayed appropriately by the Horizon Dashboard Service.
❑ Horizon is a Django-based application deployed as an Apache WSGI application.

Horizon Apache settings

❑ mod_wsgi is an Apache module which can host any Python WSGI application, including Django. Django will work with any version of Apache which supports mod_wsgi.
❑ Once you've got mod_wsgi installed and activated, edit your Apache server's httpd.conf file and add the following.

https://docs.djangoproject.com/en/4.0/howto/deployment/wsgi/modwsgi/
Horizon Settings
❑Horizon’s settings broadly fall into four categories:
▪ General Settings: this includes visual settings like the modal backdrop style, bug url and theme configuration, as well
as settings that affect every service, such as page sizes on API requests.
▪ Service-specific Settings: Many services that Horizon consumes, such as Nova and Neutron, don’t advertise their
capabilities via APIs, so Horizon carries configuration for operators to enable or disable many items.
▪ Django Settings, which are common to all Django applications. The only ones documented here are those that
Horizon alters by default; however, you should read the Django settings documentation to see the other options
available to you.
▪ Other Settings: settings which do not fall into any of the above categories.
❑To modify your settings, you have two options:
▪ Preferred: Add .py settings snippets to the openstack_dashboard/local/local_settings.d/ directory. Several example
files (appended with .example) can be found there. These must start with an underscore, and are evaluated
alphabetically, after local_settings.py.
▪ Modify your openstack_dashboard/local/local_settings.py. An example file can be found at openstack_dashboard/local/local_settings.py.example.

https://docs.openstack.org/horizon/latest/configuration/settings.html#django-settings
Horizon Django Architecture

❑ Horizon provides a flexible framework for creating Dashboards and Panels
❑ Panels are grouped into PanelGroups
❑ PanelGroups into Dashboards

Sample Dashboards and Panels

❑Dashboard: LA Django
❑Panel Group: Overview

Dashboard Module

Dashboard Sample: ladjango

❑ Dashboards are created as Django Applications
❑ Dashboard modules partitioned into:
– static/: Static media (css, js, img)
– templates/: Django templates
– python modules: dashboard.py module which includes the class used by Horizon

Panel Module

Panel sample: Hypervisor

❑ Panels are created as Python Modules
❑ Panel modules partitioned into:
– static/: Static media (css, js, img)
– templates/: Django templates
– python modules: urls.py, views.py, panel.py, tables.py, forms.py, tabs.py, tests.py

View Module

❑View module ties together everything
– Tables
– Templates
– API Calls
❑Horizon base views:
– APIView, LoginView, MultiTableView, DataTableView, MixedDataTableView, TabView, TabbedTableView, WorkflowView

Authentication
❑ Keystone manages all Authentication for OpenStack
❑ To access an OpenStack service:
– authenticate with Keystone
– Obtain a TOKEN
– Use TOKEN for transactions with OpenStack
service
❑ Horizon passes all Auth requests to Keystone via
CUSTOM_BACKENDS

https://docs.openstack.org/horizon/latest/_modules/openstack_auth/backend.html

Horizon Navigation

❑ OpenStack services

User in Keystone
❑ A user has at least one role in a project

Horizon Dashboard

Horizon User View

admin _member_


User/Group

❑ Identity > Users

Project quota
Identity>Projects>Modify quotas


Resources

❑ Later chapter
▪ Compute: Nova
▪ Network: Neutron

Exam objective

Chapter 5: Image Management

❑Architecture
❑Components
❑Hands-On: Glance

Glance

❑ Glance is the OpenStack image service and it provides the registration, storage, and delivery of cloud images.
❑ Glance has a RESTful API that allows querying of VM image metadata as well as retrieval of the actual image.

Glance Architecture

❑ glance-api: Accepts Image API calls for image discovery, retrieval, and storage.
❑ glance-registry: Stores, processes, and retrieves metadata about images. Metadata includes items such as size and type.
❑ glance database: Stores image metadata and you can choose your database depending on your preference. Most deployments use MySQL or SQLite.

Cloud Image

❑ It's important to understand that in the elastic cloud world, agility is the priority and we rarely waste
time with installers!
❑ Unlike a typical ISO, cloud images that exist in Glance are typically snapshots of a disk's contents.
These images have been previously configured by a person or script that has gone through the
initial installation procedure and has installed specific programs and configuration files to ensure it
is cloud aware.
❑ Glance can store these images in a variety of backends called data stores. Glance supports a
variety of data stores, including the local filesystem, NFS, or an OpenStack Swift container

Image Status
status Description

queued In the Glance registry, an image identifier is reserved for an image. The image
data has not been uploaded or transferred to the glance. Once the image is
created the image size is not set directly to zero.
saving Saving indicates that the raw data of an image is at present being transferred
or uploaded to the Glance. An image will likely to be never in the saving status
if that image is stored with a call to POST /images and also if there is an x-
image-meta-location header present.
active Active status indicates that an image is completely accessible in a glance, at
the time when the image data is transferred or uploaded or once the image
gets created the image size is directly set to zero.
deactivated This indicates that any user other than admin is not allowed to access image
data. If the downloading of an image is restricted then it will also restrict the
processes like image exporting and cloning of image which may need the
image data.
killed This indicates that during the uploading or transferring of the image data an
error occurred and due to which it is not possible to read the image.
deleted It denotes that the data about an image has been retained by the glance but
still it is not available for use. At a later date, the image in this deleted state
will be removed or deleted automatically.
Image Visibility

❑ One of the most-used settings for an image is its visibility.
❑ By default, during an image's creation, its visibility is set to shared, allowing the image to be accessible by the owner, as well as other users within the same project.

Image Visibility Description
Public Images that are public are available to all projects, across all domains in the OpenStack environment. The default Glance policy.json file only allows a user with the admin role to set an image as public. Public images cannot be modified or deleted unless you are scoped to the project that owns the image.
Private Private visibility limits image access to the owner while public visibility allows access to all users.
Shared with Project If a user has the admin role, they have the ability to share an image with one specific project. If a user explicitly shares an image with your project, it will show as Shared with Project. You cannot modify or delete images shared with your project unless you are scoped to the project that owns the image.
Community A community image is an image uploaded by a project that wants other projects to use it.

Image Protect

❑ To prevent users from accidentally deleting the image.
❑ To delete the image, the protected flag must be removed by any user scoped to the image owner project.

State Description
protected Prevent image from being deleted
unprotected Allow image to be deleted (default)

Container Format

❑ The container format refers to whether the virtual machine image is in a file format that also contains metadata about
the actual virtual machine.
❑ Note that the container format string is not currently used by Glance or other OpenStack components, so it is safe to
simply specify bare as the container format if you are unsure.

Container Description
Format
bare No metadata
ovf OVF/OVA format
aki/ami/ari Amazon kernel, machine image, ramdisk

File Format

❑ OpenStack supports many virtual disk image formats, including RAW, QCOW2, AMI, VHD, and VMDK.

Format Description
raw An unstructured disk image format.
vhd A common disk format used by virtual machine monitors from VMware, Xen, Microsoft, VirtualBox, and others.
vmdk Another common disk format supported by many common virtual machine monitors.
vdi A disk format supported by VirtualBox virtual machine monitor and the QEMU emulator.
iso An archive format for the data contents of an optical disc (for example, CD-ROM).
qcow2 A disk format supported by the QEMU emulator that can expand dynamically and supports the copy-on-write feature.
aki An Amazon kernel image, supported by Amazon EC2.
ari An Amazon ramdisk image, supported by Amazon EC2.
ami An Amazon machine image, supported by Amazon EC2.
ploop A disk format supported by the QEMU emulator. It can expand dynamically and supports Copy on Write.
ova An OVF package in a tarfile.
docker A docker container format.

Raw vs QCOW2

❑ The RAW format is a bootable, uncompressed virtual disk image, whereas the QCOW2 format is more complex and supports many features.
❑ File systems that support sparse files allow RAW images to be only the size of the used data.
❑ This means that a RAW image of a 20 GiB disk may only be 3 GiB in size. The attributes of both are compared in the following table.
❑ When choosing between improved VM performance and reduced storage consumption, reduced storage consumption is usually preferred.
❑ The performance difference between RAW and QCOW2 images is not great enough to outweigh the cost of allocated but underused storage.

Attribute RAW / QCOW2
Image Size
RAW: A RAW image will take up the same amount of disk space as the data it contains as long as it is sparse. Unused space in the source does not consume space in the image.
QCOW2: QCOW2 is a sparse representation of the virtual disk image. Consequently, it is smaller than a RAW image of the same source. It also supports compression using zlib.
Performance
RAW: Considered better than QCOW2 because disk space is all allocated on VM creation. This avoids the latencies introduced by allocating space as required.
QCOW2: Considered not as good as RAW due to the latency of performing disk allocation as space is required.
Encryption
RAW: Not applicable.
QCOW2: Optional. Uses 128-bit AES.
Snapshots
RAW: Not applicable.
QCOW2: Supports multiple snapshots, which are a read-only record of the image at a particular point in time.
Copy-on-write
RAW: Not applicable.
QCOW2: Reduces storage consumption by writing changes back to a copy of the data to be modified. The original is left unchanged.

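As an added example tied to the format list and the table above (not Glance's own code): it identifies an image's real format from its header bytes, compares that with the disk_format declared at upload, and reads the QCOW2 header fields behind the table's rows (virtual size, encryption method, snapshot count). The sample headers are constructed inside the block; the check for a backing file is a general defensive check, not something the slides describe.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Fixed QCOW2 header fields, big-endian: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size, crypt_method, l1_size, l1_table_offset,
# refcount_table_offset, refcount_table_clusters, nb_snapshots, snapshots_offset.
QCOW2_HEADER_FMT = ">4sIQIIQIIQQIIQ"
CRYPT_METHODS = {0: "none", 1: "aes", 2: "luks"}


def detect_format(data: bytes) -> str:
    """Name the format implied by the leading bytes. A raw image has no
    signature, so 'raw' is only ever the fallback, never a positive match."""
    if data.startswith(QCOW2_MAGIC):
        return "qcow2"
    if data.startswith(b"KDMV") or data.startswith(b"# Disk DescriptorFile"):
        return "vmdk"                     # sparse extent header or text descriptor
    if data.startswith(b"conectix"):      # dynamic/differencing VHD (fixed VHDs only carry this in the footer)
        return "vhd"
    if data.startswith(b"<<<"):           # VirtualBox VDI text banner
        return "vdi"
    if data[0x8001:0x8006] == b"CD001":   # ISO 9660 primary volume descriptor
        return "iso"
    return "raw"


def qcow2_header(data: bytes) -> dict:
    """Decode the fixed QCOW2 header; the fields map onto the Raw vs QCOW2 table."""
    if not data.startswith(QCOW2_MAGIC) or len(data) < struct.calcsize(QCOW2_HEADER_FMT):
        raise ValueError("not a qcow2 header")
    (_magic, version, backing_off, backing_len, cluster_bits, size, crypt,
     _l1_size, _l1_off, _rc_off, _rc_clusters, nb_snapshots, _snap_off) = \
        struct.unpack_from(QCOW2_HEADER_FMT, data, 0)
    backing = data[backing_off:backing_off + backing_len] if backing_off else b""
    return {"version": version, "virtual_size": size, "cluster_size": 1 << cluster_bits,
            "encryption": CRYPT_METHODS.get(crypt, "unknown"),
            "snapshots": nb_snapshots, "backing_file": backing.decode("utf-8", "replace")}


def check_upload(declared_format: str, data: bytes) -> list:
    """Findings an operator would want before an uploaded image becomes active:
    the declared disk_format must match the bytes, and a qcow2 stored as a
    self-contained image should not point at an external backing file."""
    findings = []
    actual = detect_format(data)
    if actual != declared_format:
        findings.append(f"declared disk_format {declared_format!r} but bytes look like {actual!r}")
    if actual == "qcow2" and qcow2_header(data)["backing_file"]:
        findings.append("qcow2 references an external backing file")
    return findings


def make_qcow2_header(virtual_size: int, crypt_method: int = 0,
                      nb_snapshots: int = 0, backing_file: bytes = b"") -> bytes:
    """Constructed version-3 header (104 bytes, tables zeroed) for testing; the
    backing file name, if any, is placed directly after the header."""
    backing_off = 104 if backing_file else 0
    fixed = struct.pack(QCOW2_HEADER_FMT, QCOW2_MAGIC, 3, backing_off, len(backing_file),
                        16, virtual_size, crypt_method, 0, 0, 0, 0, nb_snapshots, 0)
    return fixed + b"\0" * (104 - len(fixed)) + backing_file
```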
Image Properties and Metadata

Glance image properties Image properties are native to Glance images.

Glance metadata definitions Glance metadata definitions, on the other hand, are properties that can be set on OpenStack resources.

The default Glance policy.json file only allows users with the admin role to manage the metadata definitions, while all other users with any other role can apply those definitions to all allowed resources in OpenStack.

Image Properties and Metadata

Glance image properties Glance metadata definitions

Image Properties
Property Description
kernel_id The ID of image stored in Glance that should be used as the kernel when booting an AMI-style image.

ramdisk_id The ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image.

instance_uuid Metadata which can be used to record which instance this image is associated with. (Informational only, does not
create an instance snapshot.)
architecture Operating system architecture as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html
os_distro The common name of the operating system distribution as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html
os_version The operating system version as specified by the distributor.
description A brief human-readable string, suitable for display in a user interface, describing the image.
cinder_encryption_key_id Identifier in the OpenStack Key Management Service for the encryption key for the Block Storage Service to use when mounting a volume created from this image.
cinder_encryption_key_deletion_policy States the condition under which the Image Service will delete the object associated with the 'cinder_encryption_key_id' image property. If this property is missing, the Image Service will take no action.

https://docs.openstack.org/glance/rocky/admin/useful-image-properties.html#using-image-properties
Metadata Definition Catalogue
❑ A challenge we’ve experienced with using OpenStack is discovering,
sharing, and correlating metadata across services and different types
of resources. We believe this affects both end users and
administrators.
❑ The metadata definition service was added to Glance in the Juno
release of OpenStack.
❑ It provides a common API for vendors, admins, services, and users to
meaningfully define available key / value pair metadata that can be
used on different types of resources (images, artifacts, volumes,
flavors, aggregates, and other resources). A definition includes a
property’s key, its description, its constraints, and the resource types to
which it can be associated.

https://docs.openstack.org/glance/latest/user/metadefs-concepts.html
https://specs.openstack.org/openstack/glance-specs/specs/juno/metadata-schema-catalog.html
Metadata definitions
Sample: Nova Flavor + Host Aggregate
This example configures the Compute service to enable
users to request nodes that have solid-state drives (SSDs).
You create a fast-io host aggregate in the nova availability
zone and you add the ssd=true key-value pair to the
aggregate. Then, you add the node1, and node2 compute
nodes to it.

Metadata definitions
Sample: Nova + Glance
Consider a multihypervisor OpenStack environment
consisting of KVM, Hyper-V, and XEN hypervisors. If a user
creates a Glance image, they could set metadata on that
image to only allow booting it on a hypervisor compatible
with the image file format.
To apply this metadata to an image, a user uploads their
image and can then click on Update Metadata in the
Actions dropdown. You can now select the
hypervisor_type property from the left-hand Available
Metadata pane and add it to the image.

Image Limit
❑ An instance uses both an image as the template for its
virtual system disk, and a flavor that defines the
hardware resources used to deploy that instance.
❑ If an image includes minimum requirements for disk and
memory size, those requirements must be met by the
flavor settings, else the deployment request is rejected.
❑ If an image does not include minimum requirement settings, it can be deployed using almost any flavor, but if the flavor sizing is insufficient for the image to successfully boot, the deployment will fail.
❑ Similarly, the flavor used must specify disk and memory
sizes that are equal to or larger than specified by the
image.

Image Backends

Backends
file File system
Swift Object storage
S3 Amazon S3
RBD Ceph RADOS Block Device (RBD)
HTTP Read images from web server (no writing)
Cinder Block storage
vSphere VMware datastores

Image Cache

❑ Transferring large images from the controller node to compute nodes can impact controller node performance. For this reason, production installations either configure the compute node image cache as shared storage across all compute nodes, or configure Red Hat Ceph Storage, a scalable and distributed storage system, as the default image store.
❑ By default, image caching is disabled.
❑ The Glance API server may be configured to have an optional local image cache. A local image cache stores a copy of image files, essentially enabling multiple API servers to serve the same image file, resulting in an increase in scalability due to an increased number of endpoints serving an image file.

Build Image

❑ Install cloud-init, /etc/rc.local
❑ Fetch metadata, public key
❑ Customize console in Grub, remove MAC, route

https://docs.openstack.org/image-guide/centos-image.html

Exam objectives

❑ Create image
❑ Download image
❑ Sharing Image with specific projects
❑ Setting glance images metadata

Chapter 6: OpenStack Compute

❑Compute Concepts
❑Architecture
❑Components
❑Instance
❑Hand-On: Manage Instance

Virtualization

❑ A VMM or hypervisor is a piece of software that is responsible for monitoring and controlling virtual machines or guest operating systems.
❑ The physical system that runs the virtualization software (hypervisor or Virtual Machine Monitor) is called a host and the virtual machines installed on top of the hypervisor are called guests.

Hypervisor types
Name - Hypervisor Type
Description

QEMU (Quick Emulator) - Full Virtualization
Released in 2003, QEMU is an open source hypervisor that provides full system emulation. It can emulate one or several processors without assistance from the CPU, although it does have the tendency to be a bit slow.

XEN - Para Virtualization
Released in 2003 and originally a project at the University of Cambridge, Xen is open source and implements a technique called paravirtualization (PV). PV does not require processors with virtualization extensions, and instead relies on drivers inside the VM guests. Xen has been used by many popular public cloud offerings, including Slice Host, Rackspace, and Amazon Web Services.

QEMU-KVM (Quick Emulator-Kernel-based Virtual Machine) - Hardware-assisted virtualization
Released in 2006, QEMU-KVM is a fork of QEMU that continues to use QEMU to virtualize a guest's peripherals, but also takes advantage of processors with hardware-virtualization extensions. QEMU-KVM is fast because of its ability to virtualize guests at near-native speeds! This is often referred to as hardware-assisted virtualization or HVM.

Hypervisor Architecture

❑ XEN uses drivers inside the VM guests
❑ QEMU-KVM (Quick Emulator-Kernel-based Virtual Machine)
❑ QEMU (Quick Emulator): takes advantage of processors with hardware-virtualization extensions

Libvirt

❑ Libvirt is an open source API daemon that is often used for managing any of the aforementioned hypervisors. In an OpenStack environment, nova-compute will utilize the libvirt daemon, libvirtd, to manage virtual machines.
❑ In addition to these open source hypervisors, nova-compute is also compatible with Microsoft's Hyper-V hypervisor, VMware vCenter, and XenServer (a commercially supported virtualization product built on Xen)

Nova

❑ Nova is the OpenStack compute service and it is the core of the OpenStack cloud.
❑ It is designed to manage and automate pools of compute resources and work with a variety of existing virtualization
technologies
❑ Nova works with a variety of existing hypervisor technologies, including QEMU-KVM, QEMU, Hyper-V, VMware ESXi, Xen, and XenServer. It also supports the ability to leverage existing Linux container technologies such as LXC and Docker.
❑ When one boots an instance, Nova leverages available CPU, memory, and disk resources on compute nodes

Nova architecture
Components Description
nova-api The primary gateway to Nova. One must interact with nova-api to
create, list, delete, and manage instances
nova-scheduler Evaluates and filters all available compute hosts to determine the best
compute node for an instance you'd like to boot. The behavior of nova-
scheduler can be modified based on specific characteristics,
such as CPU architecture or a specific location in the data center.
nova-conductor A "database broker" that directly connects to the OpenStack
environment's relational database. Because the compute node (or
hypervisor) is the least trusted component of a multi-tenant virtualized
environment, all database communication goes through nova-
conductor.
nova-novncproxy Provides serial console access to Nova instances via a VNC client or web browser
nova-consoleauth Receives requests from nova-novncproxy to authorize a user's token and maps the private host and port of an instance's VNC server
nova-compute Manages virtual machines on the hypervisor.

Launching the Instances

Launch Instance in cloud
Traditional virtualization environment
• Virtual hardware needs to be defined.
• Storage for the VM needs to be defined.
• An operating system needs to be installed.
These steps take time and physical resources.

OpenStack environment
• An instance is booted from a copy of an original image containing a preinstalled operating system.
• The compute node copies the original image and boots the instance from the copy (called the base image).
• Live changes made to the instance are stored in an overlay file so as to leave the base image unaffected during use.
• When the instance is deleted, memory and vCPU resources are released. The original state is reclaimed by deleting the overlay file which contained all the runtime changes.
• When the instance is deleted, any persistent volumes and the base image are retained and remain unchanged, and are available for reuse.
This mechanism allows for a flexible and rapid deployment of virtual instances.

Instance Launch Process

The launch process uses a combination of REST API calls to OpenStack services, and message broker RPC calls for coordination between service components.

Instance Launch Process

1. Dashboard or CLI gets the user credential and does a REST call to Keystone for authentication.
2. Keystone authenticates the credentials and generates and sends back an auth-token, which will be used for sending requests to other components through REST calls.
3. Dashboard or CLI converts the new instance request specified in the 'launch instance' or 'nova boot' form to a REST API request and sends it to nova-api.
4. nova-api receives the request and sends the request for validation of the auth-token and access permission to keystone.
5. Keystone validates the token and sends updated auth headers with roles and permissions.
6. nova-api interacts with nova-database.
7. Creates an initial DB entry for the new instance.
8. nova-api sends the rpc.call request to nova-scheduler, expecting to get an updated instance entry with the host ID specified.
9. nova-scheduler picks the request from the queue.
10. nova-scheduler interacts with nova-database to find an appropriate host via filtering and weighing.
11. Returns the updated instance entry with the appropriate host ID after filtering and weighing.
12. nova-scheduler sends the rpc.cast request to nova-compute for 'launching instance' on the appropriate host.
13. nova-compute picks the request from the queue.
14. nova-compute sends the rpc.call request to nova-conductor to fetch the instance information such as host ID and flavor (RAM, CPU, Disk).

Instance Launch Process

15. nova-conductor picks the request from the queue.
16. nova-conductor interacts with nova-database.
17. Returns the instance information.
18. nova-compute picks the instance information from the queue.
19. nova-compute does the REST call by passing the auth-token to glance-api to get the Image URI by Image ID from glance and upload the image from image storage.
20. glance-api validates the auth-token with keystone.
21. nova-compute gets the image metadata.
22. nova-compute does the REST call by passing the auth-token to the Network API to allocate and configure the network so that the instance gets an IP address.
23. quantum-server validates the auth-token with keystone.
24. nova-compute gets the network info.
25. nova-compute does the REST call by passing the auth-token to the Volume API to attach volumes to the instance.
26. cinder-api validates the auth-token with keystone.
27. nova-compute gets the block storage info.
28. nova-compute generates data for the hypervisor driver and executes the request on the hypervisor (via libvirt or API).

Flavors

❑ Flavors are hardware specification profiles for deploying instances. These specifications include the disk and memory
size, and number of cores to be used for each instance deployed.
❑ Flavors can also specify sizes for additional ephemeral storage or a swap disk, plus metadata to restrict usage or to
provide special project access.
❑ Administrators can customize flavors for specific environments and use cases. The extra_specs flavor element is
used to define free-form characteristics, providing flexibility beyond specifying memory, CPU, and disk specifications.
The element uses key-value pairs that assist in scheduling the compute nodes for an instance deploy. Key-value
flavor settings must match corresponding key-value settings on compute nodes.

Flavor Disk

Root The root disk contains the operating system for the instance, created using an image as a template. If
Disk flavor's root disk size is smaller than the image's minimum disk requirement the instance deployment will
not be attempted. The compute service also supports using persistent volumes as the root disk source
Ephem The ephemeral disk in a flavor defines an additional disk to be attached to the deployed instance. Like the
eral root disk, the ephemeral disk is created as a disk device in the instance at the size set in the flavor. This
Disk disk is a raw device, requiring partitioning, formatting, filesystem creation, and mounting to a directory
before it can be used. By default, the size of an ephemeral disk in a flavor is 0 GB, meaning that no disk is
created. The cloud-init utility, discussed later in this course, automates these tasks during instance
deployment.
Swap A swap disk defines additional storage that can be enabled as swap in the instance. Similar to the
Disk ephemeral disk, swap space is presented as a raw device in the instance. To use this device as swap, it
needs to be declared and enabled as swap space.

Nova Cellv2 Method
❑ As more of the Cells v2 implementation is finished, all operators are
required to make changes to their deployment.
❑ For all deployments (even those that only intend to have one cell),
these changes are configuration-related, both in the main nova
configuration file and as extra records in the databases.
❑ All nova deployments must now have the following databases
available and configured:
1. The "API" database (nova_api)
2. One special "cell" database called "cell0" (nova_cell0), which holds the records of instances that failed scheduling and were therefore never placed in a real cell
3. One (or eventually more) "cell" databases
❑ Thus, a small nova deployment has an API database, a cell0
database, and what we will call here a "cell1" database.

Nova Cellv2 Benefits
❑ There is a clear boundary between the API level and the cells. At the API level only the database is required; no message queue is needed there. nova-api depends on two databases, nova_api and nova_cell0.
❑ The nova-scheduler service only needs to run at the API level; a cell does no scheduling of its own. A single scheduling pass determines on which host of which cell the instance will start. This relies on the placement service, described later in this chapter.
❑ A cell only needs nova-compute and nova-conductor, plus the database and message queue they depend on.
❑ All cells form a flat architecture, which is much simpler than the previous multi-level parent/child architecture.
❑ Services at the API level connect directly to the message queue and database of each cell, so no additional service such as the old nova-cells is needed. This also brings a large performance improvement.
Nova Cell

https://docs.openstack.org/nova/queens/user/cells.html#overview
Nova Availability Zones
and Host Aggregates

An OpenStack cloud can be partitioned, from the top level down, into Regions, Availability Zones and Host Aggregates.
❑ Region: Each Region has its own full OpenStack deployment, including its own API endpoints, networks and
compute resources. Different Regions share one set of Keystone and Horizon to provide access control and the
web portal.
❑ Availability Zone: Inside a Region, compute nodes can be logically grouped into Availability Zones. When
launching a new VM instance, the user can specify an AZ, or even a specific node within an AZ, on which to run
the instance.
❑ Host Aggregate: Besides AZs, compute nodes can also be logically grouped into Host Aggregates. An aggregate
carries administrator-defined metadata (key-value pairs) that the scheduler matches against flavor extra_specs;
an Availability Zone is itself a host aggregate exposed to users through the availability_zone metadata key.

Nova Scheduling

❑ The scheduler receives a request from the conductor. The request contains the resource requirements, which are
sent to the placement service.
❑ The placement service runs a query that returns all available compute nodes able to satisfy the resource
requirements. It creates a summary for each matching compute node and sends the summaries to the scheduler.

Nova Scheduling

❑ The scheduler runs the candidates through filters to refine the search, then ranks (weighs) the remaining
compute nodes and chooses the one at the top of the list. The scheduler then sends a request to the placement
service to claim the resources.
❑ The claim can fail if, in the meantime, the resources have been claimed by another request. In that case the
scheduler selects the next compute node in the ranked list. If the claim succeeds, the scheduler contacts the
conductor.
❑ The conductor attempts to build the instance on the selected host. If the build fails for any reason, the
conductor ensures that the placement allocation made for the instance is released.

Placement

❑ The placement data model is used to find resource providers, for example compute nodes, storage pools, or an IP
allocation pool. The resources of each provider are tracked by the placement service.
• Resources on compute nodes are RAM, CPU and local disk.
• Resources on storage nodes are disks.
❑ Resources are tracked as resource classes (for example VCPU, MEMORY_MB and DISK_GB); an allocation records how
much of each class a consumer (an instance) has taken from a provider.
❑ The placement API allows the scheduler and other services to query and manage resource providers, inventories, and
allocation records. These generic resource pools solve the problem of incorrect capacity and usage information.
❑ Before the placement service was introduced, its tasks were carried out by the compute service itself. This caused
issues with resource tracking: usage and capacity values were calculated inaccurately.

Nova Filter Scheduler
Compute uses the nova-scheduler service to determine how to dispatch compute requests.
By default, the scheduler driver is configured as a filter scheduler, with the active
filters listed in nova.conf:

[filter_scheduler]
enabled_filters = RetryFilter, AvailabilityZoneFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter

Nova Filter Scheduler

❑ One common use case for host aggregates is when you want to support scheduling
instances to a subset of compute hosts because they have a specific capability.
❑ For example, you may want to allow users to request compute hosts that have SSD
drives if they need access to faster disk I/O, or access to compute hosts that have
GPU cards to take advantage of GPU-accelerated code.
❑ The scheduler combines flavor extra_specs and host aggregates through the
AggregateInstanceExtraSpecsFilter: an aggregate is created with metadata such as
ssd=true, and a flavor carries the extra spec aggregate_instance_extra_specs:ssd=true,
so only hosts in a matching aggregate pass the filter for that flavor.

https://docs.openstack.org/nova/latest/admin/aggregates.html
Nova Weigh Scheduler

❑ When placing instances, the filter scheduler first filters and then
weighs each host in the list of acceptable hosts.
❑ Each time the scheduler selects a host, it virtually consumes
resources on it, and subsequent selections are adjusted accordingly.
This matters when a user requests many instances at once, because
the weight is recomputed for each requested instance.
❑ All weights are normalized before being summed up; the host with the
largest total weight is given the highest priority.
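The three preceding slides (flavor disk checks, filters combined with host aggregate metadata, and weighing with virtual resource consumption) describe one pipeline. The following is an added example, written for this guide and not Nova's own code, that models that pipeline over a constructed set of hosts: the filter names follow Nova's, but the host records, flavor, image min_disk and the RAM-only weigher are assumptions made here.

```python
"""Added example (not Nova's code): filter -> weigh -> claim over constructed hosts."""
from dataclasses import dataclass, field


@dataclass
class Flavor:
    name: str
    vcpus: int
    ram_mb: int
    root_gb: int
    extra_specs: dict = field(default_factory=dict)


@dataclass
class Host:
    name: str
    az: str
    free_vcpus: int
    free_ram_mb: int
    free_disk_gb: int
    aggregate_metadata: dict = field(default_factory=dict)


def availability_zone_filter(host, req):
    """AvailabilityZoneFilter: no AZ requested, or the host's AZ matches."""
    return req.get("az") is None or host.az == req["az"]


def root_disk_filter(host, req):
    """A flavor whose root disk is below the image's min_disk is rejected outright;
    otherwise the host must have room for the root disk."""
    flavor, image = req["flavor"], req["image"]
    if flavor.root_gb < image["min_disk"]:
        raise ValueError("flavor root disk is smaller than the image's min_disk")
    return host.free_disk_gb >= flavor.root_gb


def aggregate_extra_specs_filter(host, req):
    """AggregateInstanceExtraSpecsFilter: every aggregate_instance_extra_specs:<key>
    in the flavor must equal <key> in the host's aggregate metadata."""
    prefix = "aggregate_instance_extra_specs:"
    for key, value in req["flavor"].extra_specs.items():
        if key.startswith(prefix) and host.aggregate_metadata.get(key[len(prefix):]) != value:
            return False
    return True


def resource_filter(host, req):
    """Coarse stand-in for the capacity check placement does before filtering."""
    f = req["flavor"]
    return host.free_vcpus >= f.vcpus and host.free_ram_mb >= f.ram_mb


FILTERS = [availability_zone_filter, root_disk_filter,
           aggregate_extra_specs_filter, resource_filter]


def weigh(hosts):
    """RAM weigher: normalise free RAM into [0, 1]; emptiest host ranks first.
    sorted() is stable, so equally weighted hosts keep their input order."""
    if not hosts:
        return []
    lo = min(h.free_ram_mb for h in hosts)
    span = (max(h.free_ram_mb for h in hosts) - lo) or 1
    return sorted(hosts, key=lambda h: (h.free_ram_mb - lo) / span, reverse=True)


def claim(host, flavor):
    """Consume the flavor's resources on the host. Fails when a concurrent
    request already took them, which is the race the scheduler must handle."""
    if (host.free_vcpus < flavor.vcpus or host.free_ram_mb < flavor.ram_mb
            or host.free_disk_gb < flavor.root_gb):
        return False
    host.free_vcpus -= flavor.vcpus
    host.free_ram_mb -= flavor.ram_mb
    host.free_disk_gb -= flavor.root_gb
    return True


def schedule(hosts, req, num_instances=1):
    """Return the host chosen for each instance. Because claim() consumes the
    resources, the ranking is recomputed for every instance of the request."""
    chosen = []
    for _ in range(num_instances):
        candidates = [h for h in hosts if all(f(h, req) for f in FILTERS)]
        placed = None
        for host in weigh(candidates):
            if claim(host, req["flavor"]):   # fall through to the next host if the claim was lost
                placed = host.name
                break
        if placed is None:
            raise RuntimeError("No valid host was found")
        chosen.append(placed)
    return chosen
```

Running `schedule` for three instances of an SSD flavor against four hosts (one outside the requested AZ, one without the ssd aggregate key) shows the two effects the slides describe: the hosts that fail a filter never appear in the ranking, and because each claim reduces the winner's free RAM, the second instance can land on a different host than the first.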

Cloud-Init
Cloud-init
❑ cloud-init is a Python utility, distributed as a package, that aims to be the de facto
multi-distribution package handling early initialization of a cloud instance (as described
in its documentation). It runs during several boot stages to make sure that the necessary
configuration is applied.
❑ cloud-init is a multi-cloud solution thanks to its ability to retrieve the necessary
metadata and configuration from various data sources.
Nova Metadata Service
❑ Metadata server: metadata is exposed to the instance via a URL, by default
http://169.254.169.254
❑ Config drive: instances without network connectivity can still consume metadata from a
CD-ROM-like device (the config drive). When the config drive is enabled, Nova attaches a
small ISO 9660 (or vfat) image containing the same metadata to the instance; for bare-metal
nodes the Bare Metal service instead writes the config drive image to a partition on the
node's disk. The config drive must be mounted before use, which is done automatically by
tools such as cloud-init and cloudbase-init.
Metadata

❑ The metadata service provides a way for instances to retrieve
instance-specific data. Instances access the metadata service
at http://169.254.169.254
❑ The metadata service can be run globally, as part of the nova-api
application, or on a per-cell basis, as part of the standalone
nova-api-metadata application

Metadata Flow

❑ The instance sends an HTTP request for metadata to 169.254.169.254.
❑ Depending on the route in the instance, this request reaches either the
router namespace or the DHCP namespace on the network node.
❑ The metadata proxy running in that namespace adds the following headers
to the request:
• Instance IP (X-Forwarded-For)
• Network ID or router ID (X-Neutron-Network-Id or X-Neutron-Router-Id)
❑ The metadata proxy sends the request to the metadata agent (outside the
namespace) over a UNIX domain socket.
❑ The neutron-metadata-agent resolves the source IP and network/router to a
Neutron port, then forwards the request to the Nova metadata API with new
headers: the instance ID (X-Instance-ID), the project ID (X-Tenant-ID) and an
HMAC-SHA256 signature of the instance ID (X-Instance-ID-Signature) computed
with the shared metadata_proxy_shared_secret. Nova only trusts the instance
ID when the signature verifies, which is what stops an instance from obtaining
another instance's metadata (including its SSH public key) by forging headers.
https://github.com/meditechopen/meditech-ghichep-openstack/blob/master/docs/100.Advanced/metadata.md
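The flow above is easier to reason about with both sides written out. The following is an added example, not Neutron or Nova code, that reproduces the header handling of the proxy, the agent and the Nova metadata API: the header names are those of the reference implementation, while the shared secret, the port table and the instance IDs are constructed for the example.

```python
"""Added example (not Neutron/Nova code): the headers on the metadata path and the
HMAC check that makes X-Instance-ID trustworthy. Secret and port table are constructed."""
import hashlib
import hmac

# Shared between neutron-metadata-agent and nova-api (metadata_proxy_shared_secret).
SHARED_SECRET = b"constructed-shared-secret"

# Constructed view of Neutron's port table: (network id, fixed IP) -> owner.
PORTS = {
    ("net-a", "10.0.0.5"): {"instance_id": "inst-1", "project_id": "proj-1"},
    ("net-a", "10.0.0.6"): {"instance_id": "inst-2", "project_id": "proj-1"},
}


def proxy_headers(src_ip, network_id):
    """Headers added by the metadata proxy inside the DHCP/router namespace."""
    return {"X-Forwarded-For": src_ip, "X-Neutron-Network-Id": network_id}


def sign_instance_id(instance_id, secret=SHARED_SECRET):
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def agent_headers(headers):
    """neutron-metadata-agent: resolve IP + network to a port, then add and sign
    the instance ID. Returns None when no port owns that IP (agent answers 404)."""
    port = PORTS.get((headers["X-Neutron-Network-Id"], headers["X-Forwarded-For"]))
    if port is None:
        return None
    out = dict(headers)
    out["X-Instance-ID"] = port["instance_id"]
    out["X-Tenant-ID"] = port["project_id"]
    out["X-Instance-ID-Signature"] = sign_instance_id(port["instance_id"])
    return out


def nova_metadata_lookup(headers, secret=SHARED_SECRET):
    """nova-api-metadata: trust X-Instance-ID only if the signature verifies.
    Constant-time comparison so the check itself does not leak the MAC."""
    instance_id = headers.get("X-Instance-ID", "")
    expected = sign_instance_id(instance_id, secret)
    if not hmac.compare_digest(expected, headers.get("X-Instance-ID-Signature", "")):
        return 403, None
    return 200, {"uuid": instance_id, "project_id": headers.get("X-Tenant-ID")}


def fetch(src_ip, network_id):
    """End-to-end path of one GET http://169.254.169.254/... from an instance."""
    headers = agent_headers(proxy_headers(src_ip, network_id))
    if headers is None:
        return 404, None
    return nova_metadata_lookup(headers)
```

The forged-header case is the one worth checking: a client that reaches the Nova metadata API directly and sets X-Instance-ID to another instance's ID gets a 403, because it cannot produce the matching X-Instance-ID-Signature without the shared secret. This is also why the secret must be identical on the agent and on nova-api, and why the Nova metadata port should not be reachable from project networks except through the Neutron proxy path.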
Public key

❑ The user generates an asymmetric key pair (private and public key).
❑ The public key is uploaded to Nova as a keypair; the private key stays with
the user and is used to SSH into the instance.
❑ The public key is injected into the instance during initialization by
cloud-init, which fetches it from the metadata service.

Launching Instance

To launch an instance, prepare the following:
• Upload images
• Define flavors
• Manage private networks

Instance State

The following diagram shows the sequence of VM states, task states, and
power states when a new VM instance is created.

Manage Action
Action: Description
Associate Floating IP: Maps a floating IP (external IP) to the instance, if one is available.
Attach/Detach Interface: Attaches or removes another (or the same) network to the instance. This is comparable to plugging an additional virtual NIC (port) into the instance.
Edit Instance: Rename the instance or add/remove security groups. If you completely remove all security groups from an instance's port, all ingress and egress traffic will be blocked.
Console: Another way to gain console access.
Resize: Specify another flavor to resize the instance.
View Log: Another way to view the console log.
Pause Instance: Stores the state of the VM in memory.
Terminate Instance: Completely deletes the instance.

Manage Action (continued)
Suspend: Stores the state of the VM on the compute node's hard disk.
Shelve: The instance is stopped and snapshotted, then removed from the compute node, but it still appears in the list of instances with status Shelved. All associated data and resources are kept, although the running state is gone. It can then be unshelved and used again.
Lock: In the locked state, an instance cannot be modified or terminated by non-admin users.
Unlock: Unlocks an instance, allowing users within the project to modify or terminate it.
Soft Reboot: Triggers a graceful reboot of the instance with an ACPI event.
Hard Reboot: Powers the instance off and turns it back on. Also known as a cold reboot.
Shut Off Instance: Triggers a graceful shutdown of the instance with an ACPI event.
Rebuild Instance: Recreates the instance from a fresh image while maintaining the same fixed and floating IP addresses, among other metadata.

Manage Instance
VM State: Commands
Paused: unpause
Suspended: resume
Active: set admin password, suspend, pause, rescue, rebuild, soft delete, delete, backup, snapshot, stop, reboot, resize, revert resize, confirm resize
Shutoff: suspend, pause, rescue, rebuild, soft delete, delete, backup, start, snapshot, stop, reboot, resize, revert resize, confirm resize
Rescued: unrescue, pause
Stopped: rescue, delete, start
Soft Deleted: force delete, restore
Error: soft delete, delete
Building: delete
Rescued: delete, stop, reboot

Nova Console
1. A user opens, from the browser, a VNC client connected to the virtual machine.
2. The browser sends a request to nova-api, asking for the URL to access the VNC console.
3. nova-api calls nova-compute's get_vnc_console method, asking for the information
needed to connect to VNC.
4. nova-compute calls libvirt's get_vnc_console function.
5. libvirt obtains the VNC server information by parsing the domain definition of the
running virtual machine, e.g. /etc/libvirt/qemu/instance-0000000c.xml.
6. libvirt returns host, port and other information to nova-compute in JSON format.
7. nova-compute randomly generates a UUID to use as the token.
8. nova-compute combines the information returned by libvirt with the information in
its configuration file into connect_info and returns it to nova-api.

Nova Console
9. nova-api calls the authorize_console function of nova-consoleauth.
10. nova-consoleauth caches the mappings instance -> token and token -> connect_info.
11. nova-api returns the access URL from connect_info to the browser, for example:
http://172.24.1.1:6080/vnc_auto.html?token=7efaee3f-eada-4731-a87c-e173cbd25e98&title=helloworld%289169fdb2-5b74-46b1-9803-60d2926bd97c%29
12. The browser opens this link.
13. The link sends the request to nova-novncproxy.
14. nova-novncproxy calls the check_token function of nova-consoleauth.
15. nova-consoleauth verifies the token and returns the connect_info for the instance to
nova-novncproxy.
16. nova-novncproxy connects to the VNC server on the compute node using the host, port
and other information in connect_info, and starts proxying.
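The security property of steps 7 to 16 is that the browser only ever sees an opaque, short-lived token; the compute host and VNC port stay inside connect_info on the server side. The following is an added example written for this guide, not Nova's code, that models the token issue and check with expiry and revocation. The token lifetime (TOKEN_TTL), the proxy address and the clock injection are assumptions made for the example.

```python
"""Added example (not Nova's code): the token hand-off between nova-api,
nova-consoleauth and nova-novncproxy described above, with expiry. TOKEN_TTL
and the proxy address are assumptions."""
import time
import uuid

TOKEN_TTL = 600   # assumption for this example; Nova exposes the lifetime as the token_ttl option


class ConsoleAuth:
    """Stand-in for nova-consoleauth: token -> connect_info and instance -> tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._tokens = {}            # token -> (expires_at, connect_info)
        self._by_instance = {}       # instance uuid -> set of tokens

    def authorize_console(self, instance_uuid, connect_info, ttl=TOKEN_TTL):
        token = str(uuid.uuid4())    # step 7: a random UUID is the bearer token
        self._tokens[token] = (self._clock() + ttl, connect_info)
        self._by_instance.setdefault(instance_uuid, set()).add(token)
        return token

    def check_token(self, token):
        """Step 15: connect_info for a live token, None for unknown or expired ones."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        expires_at, connect_info = entry
        if self._clock() > expires_at:
            del self._tokens[token]
            return None
        return connect_info

    def delete_tokens_for_instance(self, instance_uuid):
        """Revoke every token of an instance, e.g. when it is deleted."""
        for token in self._by_instance.pop(instance_uuid, set()):
            self._tokens.pop(token, None)


def get_vnc_console(auth, instance_uuid, host, port, proxy_base="http://172.24.1.1:6080"):
    """nova-api side (steps 2-11): connect_info is stored server-side; only the
    opaque token goes back to the browser, never the compute host or VNC port."""
    connect_info = {"host": host, "port": port, "instance_uuid": instance_uuid}
    token = auth.authorize_console(instance_uuid, connect_info)
    return f"{proxy_base}/vnc_auto.html?token={token}"


def novncproxy_connect(auth, token):
    """nova-novncproxy side (steps 13-16): proxy to (host, port) only for a valid token."""
    info = auth.check_token(token)
    if info is None:
        return None
    return info["host"], info["port"]
```

Two checks a practitioner should expect from the real components are shown: a token stops working after its TTL, and deleting an instance revokes the tokens issued for it, so a console URL captured earlier cannot be replayed against whatever later occupies that VNC port.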

Exam Objective

Chapter 7: OpenStack Networking

❑ Network Concepts
❑ Architecture
❑ Components
❑ Diagram
❑ Hands-On: Manage Network

Network Concepts

❑ SDN/VNF
❑ VLAN/VXLAN
❑ IPTABLES/NAMESPACE
❑ OPENVSWITCH

Software Defined Networking (SDN )

❑ Software-defined networking (SDN) is a networking model that allows
network administrators to manage network services through the
abstraction of several networking layers.
❑ SDN decouples the software that decides how traffic is handled, called
the control plane, from the underlying mechanisms that forward the
traffic, called the data plane. SDN defines the communication between
the control plane and the data plane (for example through OpenFlow).

SDN Benefits

❑ The decoupling of the control plane and data plane enables both planes to evolve
independently, which results in several advantages such as high flexibility, vendor-agnostic
operation, open programmability, and a centralized network view.
❑ Security features that allow administrators to route traffic through a single, centrally
located firewall. One advantage of this is the ability to apply intrusion detection to
real-time captures of network traffic.
❑ Automated load balancing in SDNs improves server load-balancing performance and reduces
the complexity of implementation.
❑ Network scalability allows data centers to use features of software-defined networking
along with virtualized servers and storage to implement dynamic environments where computing
resources are added and removed as needed.
❑ Reduced operational costs by minimizing the need to deploy, maintain, and replace expensive
hardware such as many of the servers and network switches within a data center.

NETWORK FUNCTION VIRTUALIZATION (NFV)
❑ Network Function Virtualization (NFV) remains a fast-evolving set of solutions. In
general, dedicated physical network hardware is replaced with virtual network appliances
running on resilient, scalable commodity hardware.
❑ Current proposals and standards are found on the European Telecommunication Standards
Institute (ETSI) website. NFV is the application layer running on top of OpenStack and is
beyond the scope of this course.
❑ Before NFV, telco infrastructure included many thousands of rack-mounted hardware
appliances. Dedicated, specialized services, such as firewall, video optimization, or access
policies, were implemented in each appliance's firmware and internal storage. Each hardware
piece had to be cabled in sequence and configured with unique, proprietary commands. By
replacing each appliance with an identical software-only network function in an OpenStack
virtual machine or container, and all physical cabling and configuration with a network
service chain definition that sequences each function to the next as a requestable service,
the telco industry swapped its largest CapEx and OpEx outlays for instantaneously scalable
and replaceable software.

Relationship between SDN, NFV

NFV Architecture
NFV: Network Function Virtualization. The move from custom hardware performing network functions to a software solution.
VNF: Virtual Network Function. Software, typically running on a virtual machine, that performs a specific network function, such as routing.
NFVI: Network Function Virtualization Infrastructure. The hardware and software hosting the NFV components. Typically, the NFVI is Red Hat OpenStack Platform.
VIM: Virtual Infrastructure Manager. This component controls the NFVI. When RHOSP is the NFVI, it is also the VIM.
SDN: Software Defined Networking. This technology creates and manages virtual network components through an API, and is complementary to NFV. SDN separates control and data plane components, permitting the dynamic changes needed for virtualization environments.
NFV-MANO: NFV Management and Orchestration. Defines the management of an NFV platform, including an NFV Orchestrator, a VNF Manager, and a VIM.
EMS: Element Management System. Responsible for function management of one or more VNFs using the VNF Manager.

Virtual Network Function (VNF)
❑ A Virtual Network Function (VNF) is the fundamental building block in the NFV architecture. A VNF represents virtual
network elements implemented on Commercial Off The Shelf (COTS) equipment available from vendors such as Dell, HP, IBM, and Cisco.
❑ VNF examples include virtualized routers, switches, firewalls, load balancers, content delivery and optimizers.
❑ VNFs help telecommunication providers use low-cost generic hardware and scale these network elements on demand. A VNF can
map one-to-one to a particular network function that was provided by a legacy network appliance.
❑ Multiple VNFs can be chained together to provide an end-to-end service, or service chain. The Evolved Packet Core (EPC)
is an example of a service used by telcos.

VXLAN Tunnels
❑ Virtual eXtensible LAN (VXLAN) is a network
virtualization technology which solves the
scalability problems associated with large cloud
computing deployments. Its 24-bit VXLAN Network
Identifier (VNI) allows up to about 16 million
logical networks (versus 4094 VLANs), and it
extends layer 2 adjacency across IP networks.
❑ The VXLAN protocol encapsulates layer 2 frames in
UDP (destination port 4789) and tunnels them over
layer 3 networks between VXLAN tunnel endpoints (VTEPs).

iptables

❑ iptables is a firewall management tool for the Linux kernel's netfilter framework.
❑ It lets you configure the packet-filtering tables (filter, nat, mangle, raw) using
chains of rules.
❑ A rule in a chain can cause a jump to another chain, which in turn can jump to
another chain, and so on. This can be nested to whatever depth is desired.
❑ If the traffic does not match the rules of a subchain, the system remembers the
point at which the jump occurred and returns to that point for further processing.
❑ When iptables is enabled, every network packet arriving at or leaving an interface
traverses at least one chain.

Packet Flow
Step | Table | Chain | Comment
1 | | | On the wire (e.g. the Internet)
2 | | | Comes in on an interface (e.g. eth0)
3 | raw | PREROUTING | Handle packets before connection tracking takes place
4 | | | Connection tracking takes place
5 | mangle | PREROUTING | Mangle packets, e.g. change header flags such as TOS
6 | nat | PREROUTING | DNAT
7 | | | Routing decision: is the packet destined for the local host, or to be forwarded?
8 | mangle | INPUT | Mangle packets after they have been routed, but before they are delivered to the process on the machine
9 | filter | INPUT | Filter all incoming traffic destined for the local host
10 | | | Local process or application
Chains and Rules

❑ A chain contains an ordered list of rules; the first matching rule with a
terminating target decides the packet's fate.
❑ OpenStack's iptables firewall driver defines its own custom chains (for
example a per-port chain holding that port's security group rules) and jumps
to them from the built-in chains.
❑ A custom chain ends with a RETURN to the rule after the jump in the calling chain.
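The jump/RETURN semantics described above (a subchain that decides nothing hands control back to the rule after the jump) are what make a per-port security-group chain composable. The following is an added example written for this guide, not iptables or Neutron code: a small evaluator for ordered chains with jumps, RETURN and built-in chain policies, run over constructed chains shaped like the ones the iptables firewall driver builds. Chain names, the port name tap1 and the packets are constructed.

```python
"""Added example (not iptables itself): first-match chain traversal with jumps and
RETURN, run over constructed chains shaped like the security-group chains OpenStack's
iptables firewall driver builds. Chain names and packets are constructed."""


class Rule:
    def __init__(self, target, **match):
        self.target = target      # ACCEPT, DROP, RETURN, or the name of a chain to jump to
        self.match = match        # packet fields that must all be equal for the rule to match

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class Table:
    def __init__(self, chains, policy):
        self.chains = chains      # chain name -> ordered list of Rule
        self.policy = policy      # built-in chain -> verdict when nothing decides

    def traverse(self, chain, pkt, depth=0):
        """Walk one chain. Returns ACCEPT/DROP, or None when the chain RETURNs or
        runs out of rules, in which case the caller resumes after its jump rule."""
        if depth > 32:
            raise RecursionError("jump loop between chains")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self.traverse(rule.target, pkt, depth + 1)   # jump to a subchain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin, pkt):
        decided = self.traverse(builtin, pkt)
        return decided if decided is not None else self.policy[builtin]


# Constructed filter table: FORWARD hands off to a dispatch chain that picks the
# per-port ingress chain for tap1; the port chain ends by jumping to a fallback
# chain that drops, so traffic no security group rule allowed is dropped.
FILTER = Table(
    chains={
        "FORWARD": [Rule("sg-chain")],
        "sg-chain": [Rule("i-tap1", out_iface="tap1"),
                     Rule("ACCEPT")],                 # traffic for ports with no per-port chain
        "i-tap1": [Rule("conntrack"),
                   Rule("ACCEPT", proto="tcp", dport=22),   # SG rule: allow SSH
                   Rule("ACCEPT", proto="icmp"),            # SG rule: allow ping
                   Rule("sg-fallback")],
        "conntrack": [Rule("ACCEPT", state="ESTABLISHED"),
                      Rule("DROP", state="INVALID"),
                      Rule("RETURN")],                # new flows: back to i-tap1
        "sg-fallback": [Rule("DROP")],
        "INPUT": [Rule("ACCEPT", proto="tcp", dport=22)],
    },
    policy={"FORWARD": "ACCEPT", "INPUT": "DROP"},
)
```

The interesting paths are the ones the slide describes in prose: a new SSH flow to tap1 goes FORWARD, sg-chain, i-tap1, conntrack (which RETURNs because the state is NEW), back into i-tap1 where the SSH rule accepts it; a new HTTP flow takes the same path but nothing accepts it, so the final jump to sg-fallback drops it. Removing every security group from a port, as the Edit Instance action warns, is equivalent to a per-port chain that contains only the fallback jump.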

Illustrated introduction to Linux iptables (iximiuz.com)
Iptables Sample

❑ Outgoing packet from an instance
❑ Custom chains are created to hold the rules

Network namespace

❑ A namespace is an abstract kernel environment allowing unconflicted use
and restriction of resource identifiers.
❑ Each namespace contains uniquely named processes and resources that
cannot be seen or reached by processes from other namespaces.
❑ A primary characteristic of namespaces is that no coordination is
required between namespaces when resource identifiers are created; the
use of identical names in different namespaces is never a conflict.
❑ A network namespace is a logical copy of the network stack with its own
routes, firewall rules, and network interfaces.
https://github.com/hocchudong/thuctap032016/blob/65152921dfffa01808d69a9c9c02c9a2b446e50a/ThaiPH/ThaiPH_linux_network_namespaces.md

Open vSwitch
Open vSwitch

❑ The Open vSwitch project, which supports multiple network
protocols and standards, provides extra features designed
for software-defined networks (SDN).
❑ Open vSwitch supports network protocols such as VLAN,
VXLAN, the OpenFlow standard, the sFlow protocol, as well
as the Cisco RSPAN protocol.
❑ Open vSwitch can operate in a distributed configuration,
with centralized controllers that provision the network
bridges. Linux bridges and Open vSwitch bridges can coexist
on a system.

OpenFlow

❑ Switches and routers maintain forwarding information about the flows of
packets passing through them. This information is organized in flow
tables, which are created and stored in the network hardware.
Traditionally, access to these tables was only available to the local
software running on the device. The OpenFlow standard was established to
allow the flow tables to be programmed from remote systems.
❑ OpenFlow requires a centralized controller to handle the network flows.
A controller can be used for basic operations, such as monitoring
broadcast traffic and building a MAC table, as well as advanced
software-driven operations, such as reacting to the creation of virtual
machines and provisioning the network flows instantly across the network.

Open vSwitch Architecture

❑ Kernel module: the openvswitch kernel module is the equivalent of the
ASICs in a hardware switch. It is the data plane of the switch, where
all packet processing takes place.
❑ vSwitch daemon: the ovs-vswitchd daemon is a Linux process that runs in
user space on every physical host and dictates how the kernel module is
programmed.
❑ Database server: an OpenStack/Open vSwitch implementation uses a local
database on every physical host, the Open vSwitch Database Server (OVSDB),
which maintains the configuration of the virtual switches.

Open vSwitch virtual device

❑ Tap devices
❑ Linux bridges, on which iptables rules can be applied
❑ Virtual Ethernet (veth) cables, used to connect network namespaces and
Linux bridges
❑ OVS bridges
❑ OVS patch ports

Virtual device interfaces
For an Ethernet frame to travel from the virtual machine instance to the physical network, it passes through many different interfaces, including the following:

Interface Type | Network Type | Interface Name
tap | all | tapN
bridge | all | qbrXXXX (only used with the iptables firewall driver)
veth | all | qvbXXXX, qvoXXXX (only used with the iptables firewall driver)
vSwitch | all | br-int
vSwitch | flat, vlan | br-ex (user-configurable)
vSwitch | vxlan, gre | br-tun
patch | flat, vlan | int-br-ethX, phy-br-ethX
patch | vxlan, gre | patch-tun, patch-int
physical | flat, vlan | ethX (where X is the interface)
Open vSwitch Bridge
❑ Open vSwitch can act as a software-based switch running on a virtual machine's hypervisor, and as a control stack for
dedicated switching hardware. As a result, it has been ported to multiple virtualization platforms and switching chipsets.
❑ In OpenStack, OVS bridges are used instead of Linux bridges to provide the extra processing functionality required to
interface with Neutron and other components, which normal Linux bridges are not capable of handling:
• Support for the NetFlow, sFlow, IPFIX, SPAN, and RSPAN network protocols
• Support for Link Aggregation Control Protocol (LACP)
• Support for the IEEE 802.1Q standard (VLAN), for network partitioning and trunking
• Support for Spanning Tree Protocol (STP)
• Control of Quality of Service (QoS) for applications, users, and data flows
• Bonding of network interfaces with load balancing
• Full IPv6 support
• Remote configuration via C and Python bindings
• Implementation of packet forwarding in either kernel space or user space

Open vSwitch Flow Mode
❑ Open vSwitch can operate like a legacy network switch (by maintaining a MAC table) or it can
operate in flow mode.
❑ In flow mode, rules created from packet-matching criteria determine the correct ports for
outgoing traffic. Rules are created and injected into Open vSwitch bridges.
❑ Flow mode is similar to how switch and router network processors manage traffic. Rules can be
created to match almost any layer 2, layer 3, and layer 4 packet header field. When a rule
matches, the packet is forwarded to a physical or virtual port, dropped, or rewritten for further
processing by other rule sets. Rules are sorted by priority, and every frame is checked against
the rules starting with the highest priority. If a frame matches a rule's criteria, no further
rules in that table are processed.
❑ All frames are first processed by table 0, before being optionally redirected (resubmitted) to
other tables. If no rule matches, the default policy is to drop the frame.
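To make the flow-mode rules concrete (priority ordering, first match per table, resubmit to another table, and table-miss drop), the following is an added example written for this guide, not Open vSwitch or Neutron code. The flows are constructed to resemble what an anti-spoofing setup on br-int looks like: only the port's own MAC may enter from its tap, known destinations are delivered or sent towards the tunnel bridge, and everything else falls back to NORMAL (MAC learning). Port names, MACs and VLAN IDs are assumptions.

```python
"""Added example (not Open vSwitch code): priority-ordered flow tables with resubmit
and table-miss drop, with constructed flows shaped like a br-int anti-spoofing setup."""


class Flow:
    def __init__(self, table, priority, match, actions):
        self.table, self.priority = table, priority
        self.match, self.actions = match, actions   # match: field -> value; actions: tuples

    def matches(self, frame):
        return all(frame.get(k) == v for k, v in self.match.items())


class FlowSwitch:
    def __init__(self, flows):
        self.tables = {}
        for f in flows:
            self.tables.setdefault(f.table, []).append(f)
        for rules in self.tables.values():
            # Highest priority first. OVS leaves the order of equal-priority overlapping
            # flows undefined; list.sort() is stable, so insertion order wins here.
            rules.sort(key=lambda f: -f.priority)

    def process(self, frame, table=0):
        """Return (actions applied, frame as it leaves the pipeline)."""
        frame = dict(frame)
        return self._run(frame, table, 0), frame

    def _run(self, frame, table, hops):
        if hops > 16:
            raise RuntimeError("resubmit loop")
        for flow in self.tables.get(table, []):
            if not flow.matches(frame):
                continue
            applied = []
            for act in flow.actions:
                if act[0] == "resubmit":
                    applied += self._run(frame, act[1], hops + 1)
                elif act[0] == "mod_vlan_vid":
                    frame["vlan"] = act[1]
                    applied.append(act)
                elif act[0] == "strip_vlan":
                    frame.pop("vlan", None)
                    applied.append(act)
                else:                       # output:<port>, NORMAL, drop
                    applied.append(act)
            return applied                  # first match in a table is final
        return [("drop",)]                  # table-miss: OVS drops by default


MY_MAC, REMOTE_MAC = "fa:16:3e:00:00:01", "fa:16:3e:00:00:02"

FLOWS = [
    # table 0: only the port's own MAC may enter from tap1; anything else is spoofed
    Flow(0, 20, {"in_port": "tap1", "dl_src": MY_MAC}, [("resubmit", 2)]),
    Flow(0, 15, {"in_port": "tap1"}, [("drop",)]),
    Flow(0, 10, {"in_port": "patch-tun"}, [("resubmit", 2)]),
    # table 2: deliver locally, send towards the tunnel bridge, or fall back to MAC learning
    Flow(2, 10, {"dl_dst": MY_MAC}, [("strip_vlan",), ("output", "tap1")]),
    Flow(2, 10, {"dl_dst": REMOTE_MAC}, [("mod_vlan_vid", 1), ("output", "patch-tun")]),
    Flow(2, 0, {}, [("output", "NORMAL")]),
]
```

The two table 0 entries for tap1 show why priority matters: the priority-15 drop would swallow everything from the port if the priority-20 allow rule did not sort ahead of it. A frame arriving on an in_port no flow mentions is dropped by the table-miss rule, which is the safe default the slide mentions.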

Layer 2 and layer 3

Virtual devices sample

Tap devices, veth devices and OVS patch pair devices (see https://www.opencloudblog.com/?p=66)

[root@lab-1 ~]# ip -c link show type veth
15: qvo1246f044-39@qvb1246f044-39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 46:54:61:11:52:f6 brd ff:ff:ff:ff:ff:ff
16: qvb1246f044-39@qvo1246f044-39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr1246f044-39 state UP mode DEFAULT group default qlen 1000
    link/ether 3e:23:b9:59:92:f0 brd ff:ff:ff:ff:ff:ff

The two ends of the veth pair belong to different masters: qvo1246f044-39 is plugged into Open vSwitch (master ovs-system, i.e. br-int), while qvb1246f044-39 is plugged into the Linux bridge qbr1246f044-39. This detour through a Linux bridge is what lets the iptables security group rules be applied to the port's traffic.

OpenStack Neutron
Neutron
❑ The Networking service, code-named neutron,
provides an API that lets you define network
connectivity and addressing in the cloud. The
Networking service enables operators to leverage
different networking technologies to power their cloud
networking.
❑ The Networking service also provides an API to
configure and manage a variety of network services
ranging from L3 forwarding and Network Address
Translation (NAT) to load balancing, perimeter
firewalls, and virtual private networks.

Neutron Architecture

❑ The Neutron server takes API requests from users and services and
communicates with agents via a message queue.
❑ In a typical environment, network agents are scattered across
controller and compute nodes and perform duties on their respective node:
• A Layer 2 agent that uses Open vSwitch, Linux Bridge or other
vendor-specific technology to provide network segmentation and isolation
for project networks. The L2 agent should run on every node responsible
for wiring and securing virtual interfaces (usually both compute and
network nodes).
• A Layer 3 agent that runs on the network node and provides east-west and
north-south routing plus some advanced services such as FWaaS or VPNaaS.

Neutron Components
Component: Description
API server: The OpenStack Networking API includes support for Layer 2 networking and IP Address Management (IPAM), as well as an extension for a Layer 3 router construct that enables routing between Layer 2 networks and gateways to external networks. OpenStack Networking includes a growing list of plug-ins that enable interoperability with various commercial and open source network technologies, including routers, switches, virtual switches and software-defined networking (SDN) controllers.
OpenStack Networking plug-in and agents: Plugs and unplugs ports, creates networks or subnets, and provides IP addressing. The chosen plug-in and agents differ depending on the vendor and technologies used in the particular cloud. It is important to mention that only one core plug-in can be used at a time.
Messaging queue: Accepts and routes RPC requests between agents to complete API operations. The message queue is used in the ML2 plug-in for RPC between the neutron server and the neutron agents that run on each hypervisor, in the ML2 mechanism drivers for Open vSwitch and Linux bridge.
Neutron API plugins

The OpenStack Networking project provides reference plugins and drivers that
are developed and supported by the OpenStack community, and also supports
third-party plugins and drivers that extend network functionality and
implementation of the Neutron API.
❑ A core plugin implements the core Neutron API, and is responsible for
adapting the logical network described by networks, ports, and subnets
into something that can be implemented by the L2 agent and the IP address
management system running on the host.
❑ A service plugin provides additional network services such as routing,
load balancing, firewalling, and more.
❑ The ML2 plugin is extensible by design and supports heterogeneous
network architectures that can leverage multiple technologies simultaneously.
Neutron ML2 Plugins
❑ An ML2 type driver maintains type-specific network state, validates
provider network attributes, and describes network segments using provider
attributes. Provider attributes include network interface labels,
segmentation IDs, and network types. Supported network types include
local, flat, vlan, gre, vxlan, and geneve.
❑ An ML2 mechanism driver is responsible for taking the information
established by the type driver and ensuring that it is properly
implemented. Multiple mechanism drivers can be configured to operate
simultaneously, and they fall into three models:
• Agent-based: includes Linux bridge, Open vSwitch, SR-IOV, and others
• Controller-based: includes Juniper Contrail, Tungsten Fabric, OVN,
Cisco ACI, VMware NSX, and others
• Top-of-Rack: includes Cisco Nexus, Arista, Mellanox, and others
Drivers

❑ The Linux bridge mechanism driver supports the flat, VLAN and VXLAN type drivers; the
Open vSwitch driver supports all of those as well as the GRE network type. L2 population
applies only to the overlay (tunnel) types.

Mechanism driver \ Type driver | Flat | VLAN | VXLAN | GRE
Open vSwitch | yes | yes | yes | yes
L2 population | no | no | yes | yes

ML2 L2 Population MechanismDriver

❑ The L2 population driver is used to limit the amount of broadcast traffic that is forwarded across the overlay
network fabric when VXLAN networks are used.
❑ Under normal circumstances, unknown unicast, multicast, and broadcast traffic may be flooded out from all tunnels
to other compute nodes. This behavior can have a negative impact on the overlay network fabric, especially as the
number of hosts in the cloud scales out.
❑ As an authority on what instances and other network resources exist in the cloud, Neutron can pre-populate
forwarding databases on all hosts to avoid a costly learning operation.
❑ ARP proxy, a feature of the L2 population driver, enables Neutron to pre-populate the ARP table on all hosts in a
similar manner to avoid ARP traffic from being broadcast across the overlay fabric.
Before ML2 L2 Population MechanismDriver

“VM A” wants to talk to “VM G.” “VM A” sends a broadcast packet, which is replicated to the entire tunnel mesh.
[Figure: Host 1, Host 2, Host 3 and Host 4 joined in a full tunnel mesh, hosting VM A through VM I; the broadcast from VM A on Host 1 is replicated over every tunnel]

With ML2 L2 Population MechanismDriver

The ARP request from “VM A” for “VM G” is intercepted and answered using a pre-populated neighbor entry.
Traffic from “VM A” to “VM G” is encapsulated and sent to “Host 4” according to the bridge forwarding table entry.
[Figure: the same four hosts; Host 1 answers the ARP request locally (proxy ARP) and the VM A to VM G traffic follows a single tunnel to Host 4]
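The two figures above can be reproduced in a small model. The following is an added example written for this guide (not Neutron's own code); hosts, VTEP addresses, MACs and VNI values are constructed. It builds the per-host forwarding database and ARP responder table that L2 population pre-populates and shows that the same frame is flooded without them and unicast to a single tunnel with them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    mac: str
    ip: str
    host: str
    vni: int  # VXLAN segmentation ID of the tenant network


# Constructed sample inventory (hosts, VTEP addresses and VMs are made up).
HOSTS = ("host1", "host2", "host3", "host4")
VTEP = {"host1": "192.168.1.1", "host2": "192.168.1.2",
        "host3": "192.168.1.3", "host4": "192.168.1.4"}
PORTS = [
    Port("VM A", "fa:16:3e:00:00:0a", "10.0.0.10", "host1", 100),
    Port("VM E", "fa:16:3e:00:00:05", "10.0.0.15", "host3", 100),
    Port("VM G", "fa:16:3e:00:00:07", "10.0.0.17", "host4", 100),
]


def build_fdb(ports, hosts):
    """Per-host forwarding database: (vni, mac) -> remote VTEP IP.

    Neutron pushes an entry for every port that lives on another host, so a
    bridge never has to learn the MAC from traffic flooded over the mesh.
    """
    fdb = {h: {} for h in hosts}
    for p in ports:
        for h in hosts:
            if h != p.host:
                fdb[h][(p.vni, p.mac)] = VTEP[p.host]
    return fdb


def build_arp_table(ports, hosts):
    """Per-host ARP responder table: (vni, ip) -> mac (the ARP proxy feature)."""
    return {h: {(p.vni, p.ip): p.mac for p in ports if p.host != h}
            for h in hosts}


def forward(src_host, vni, dst_ip, fdb=None, arp=None):
    """Simulate a frame from a VM on src_host to dst_ip on segment vni.

    Returns ("unicast", vtep) when a pre-populated ARP entry answers the
    request locally and an FDB entry selects the tunnel; otherwise returns
    ("flood", peers) to model the broadcast replicated to every tunnel.
    """
    peers = [VTEP[h] for h in HOSTS if h != src_host]
    if fdb is None or arp is None:
        return ("flood", peers)          # no L2 population: flood-and-learn
    mac = arp[src_host].get((vni, dst_ip))
    if mac is None:
        return ("flood", peers)          # unknown destination, ARP is broadcast
    vtep = fdb[src_host].get((vni, mac))
    if vtep is None:
        return ("flood", peers)          # MAC known but no FDB entry
    return ("unicast", vtep)


if __name__ == "__main__":
    fdb, arp = build_fdb(PORTS, HOSTS), build_arp_table(PORTS, HOSTS)
    print("without L2pop:", forward("host1", 100, "10.0.0.17"))
    print("with L2pop:   ", forward("host1", 100, "10.0.0.17", fdb, arp))
```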
Neutron Network Namespace
❑ OpenStack was designed with multi-tenancy in mind, and provides users with the
ability to create and manage their own compute and network resources. Neutron
supports each tenant having multiple private networks, routers, firewalls, load
balancers, and other networking resources, and is able to isolate many of these
objects through the use of network namespaces.
❑ When using the open source reference plugins and drivers, every DHCP server,
router, and load balancer that is created by a user is implemented in a network
namespace. By using network namespaces, Neutron is able to provide isolated
DHCP and routing services to each network, allowing users to create overlapping
networks with other users in other projects and even other networks in the same
project.
Neutron Network Namespace
❑ A qdhcp namespace contains a DHCP service that provides IP addresses to instances using the DHCP protocol.
In a reference implementation, dnsmasq is the process that services DHCP requests. The qdhcp namespace has
an interface plugged into the virtual switch and is able to communicate with instances and other devices in the
same network. A qdhcp namespace is created for every network where the associated subnet(s) have DHCP
enabled.

❑ A qrouter namespace represents a virtual router, and is responsible for routing traffic to and from instances in
subnets it is connected to. Like the qdhcp namespace, the qrouter namespace is connected to one or more
virtual switches depending on the configuration. In some cases, multiple namespaces may be used to plumb
the virtual router infrastructure. These additional namespaces, known as fip and snat, are used for distributed
virtual routers (DVR) and will be discussed later in this book.
DHCP and Router Namespaces

❑ DHCP namespace: qdhcp-<network UUID>
❑ Router namespace: qrouter-<router UUID>
Neutron Open vSwitch (OVS)
❑ Within OpenStack Networking, Open vSwitch operates as a software switch that uses virtual network bridges and flow
rules to forward packets between hosts.
❑ Although it is capable of supporting many technologies and protocols, only a subset of Open vSwitch features are
leveraged by OpenStack Networking.
❑ Open vSwitch plug-in components:
Plug-in loaded at runtime by the Neutron service:
• Processes API calls
• Stores the resulting logical network data and mappings in the database back end
Agent running on each compute node:
• Gathers configuration and mappings from the central database
• Communicates with the local Open vSwitch instance to configure flows and implement the network
OVS Bridge Architecture

❑ The Open vSwitch bridge br-int is known as the integration bridge. The integration bridge is the central virtual switch that most virtual devices are connected to, including instances, DHCP servers, and routers.
❑ The tunnel bridge br-tun is a virtual switch, similar to the integration and provider bridges, and is used to connect GRE and VXLAN tunnel endpoints. Flow rules exist on this bridge that are responsible for properly encapsulating and decapsulating tenant traffic as it traverses the bridge.
❑ Provider bridges such as br-ex and br-eth1 are used for bridge mappings.
Bridge mappings

❑ The Open vSwitch driver uses a single virtual switch containing a single physical interface and uses flow rules to tag traffic if necessary.
❑ When networks are created, they are associated with an interface label, such as physnet1. The label physnet1 is then mapped to a bridge, such as br-eth1, which contains the physical interface eth1. The mapping of the label to the bridge interface is handled by the bridge_mappings option.
❑ This mapping can be observed as follows:
bridge_mappings = physnet1:br-eth1
❑ Multiple bridge mappings are allowed and can be added using a comma-separated list:
bridge_mappings = physnet1:br-eth1,physnet2:br-eth2
Open vSwitch - Provider Networks

https://docs.openstack.org/neutron/pike/admin/deploy-ovs.html

Open vSwitch - Provider Networks

https://docs.openstack.org/neutron/pike/admin/deploy-ovs-provider.html#deploy-ovs-provider
Open vSwitch - Self Service Networks

Prerequisites:
❑ Add one network node with the following components:
• Three network interfaces: management, provider, and overlay.
• OpenStack Networking Open vSwitch (OVS) layer-2 agent, layer-3 agent, and any dependencies, including OVS.
Open vSwitch - Self Service Networks
Packet Flow

Use Case 1: VM to VM in single network on single compute node
Use Case 2: VM to VM in single network on two compute nodes
Use Case 3: North-South with Floating IP
Use Case 4: East-West routing – VM on different computes / networks
Use Case 5: North-South routing with SNAT
Neutron Logical Device
Neutron Components

Component: Description

Network: A network is analogous to a logical slice of the physical network. There are two primary types of networks in Neutron: tenant networks and provider networks.
Tenant network: Created by OpenStack users wishing to boot an instance on their very own virtual layer-2 broadcast domain. Tenant networks are always owned by the project to which the user is scoped during the network creation request.
Provider network: Typically managed by someone with an admin-level role. Provider networks are used to provide network access to resources outside the OpenStack environment. This resource could be something like the internet, or even a bare-metal database server that exists on a specific VLAN or VXLAN in your datacenter.
Subnet: A subnet is an IPv4 or IPv6 address block associated with a specific network. A subnet allows the assignment of IP addresses to virtual machine instances or other network resources. A subnet must be associated with a network in order to boot an instance on it. Upon subnet creation, one always supplies a network CIDR. Subnets attached to tenant networks are typically DHCP enabled.
Port: A port is analogous to a virtual network interface card. It represents entry and exit points for data traffic. There is always a MAC address and UUID associated with a port. A port is automatically created when one boots an instance on a network, or one can reserve a port if they prefer a specific IP address.
Security groups and rules: Security groups control the traffic to and from a port. By default, all traffic is allowed out of an instance and nothing is allowed in—except from another instance that contains the default security group.
Routers: Routers are devices generated by the neutron-l3-agent daemon and allow one to connect different broadcast domains together. Neutron routers are commonly used to connect traffic from different tenant networks together (east/west traffic) as well as connecting a tenant network to a provider network in order to access something outside the environment such as the internet (north/south traffic).
Floating IP: (described on a later slide)
Manage Networks
Security Groups

Operators can use security groups to:
• Define which services consumers can access, and prevent unauthorized access.
• Restrict the remote networks that are authorized to access the instances. This can be useful for staging environments.
• Further filter access between projects or instances in the same network by specifying per-group filtering.
Security Groups

The following figure illustrates using security groups to restrict traffic between project VMs to only the protocols necessary for application functions.
Public users access the application only by connecting to the web front end. Unauthorized access to the application and database servers is denied.
Each security group allows full access by other members in the same security group, but limits other security groups to only the protocols required for VMs to function properly.
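The three-tier policy in the figure can be checked against Neutron's matching rules. This is an added example written for this guide, not OpenStack's implementation: group names, instance IPs and rules are constructed, and it models that ingress is denied unless a rule matches, that a remote_group rule matches by the source port's group membership, and that each group admits its own members.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security group rule (a subset of Neutron's fields)."""
    direction: str                      # "ingress" or "egress"
    protocol: Optional[str] = None      # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None   # remote_ip_prefix
    remote_group: Optional[str] = None  # remote_group_id


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset   # security groups bound to the instance's port


def three_tier_policy():
    """Constructed policy matching the figure: the public reaches only the web
    tier on 443, web may reach app on 8080, app may reach db on 5432, and
    every group admits its own members (Neutron's default intra-group rule)."""
    rules = {
        "web": [Rule("ingress", "tcp", 443, 443, remote_cidr="0.0.0.0/0")],
        "app": [Rule("ingress", "tcp", 8080, 8080, remote_group="web")],
        "db":  [Rule("ingress", "tcp", 5432, 5432, remote_group="app")],
    }
    for group, group_rules in rules.items():
        group_rules.append(Rule("ingress", remote_group=group))
        group_rules.append(Rule("egress"))     # default: all egress allowed
    return rules


INSTANCES = [   # constructed sample VMs, one per tier
    Instance("web1", "10.0.0.11", frozenset({"web"})),
    Instance("app1", "10.0.0.21", frozenset({"app"})),
    Instance("db1", "10.0.0.31", frozenset({"db"})),
]


def _matches(rule, src_ip, src_groups, protocol, port):
    if rule.direction != "ingress":
        return False
    if rule.protocol not in (None, protocol):
        return False
    if rule.port_min is not None and not rule.port_min <= port <= rule.port_max:
        return False
    if rule.remote_cidr and ip_address(src_ip) not in ip_network(rule.remote_cidr):
        return False
    if rule.remote_group and rule.remote_group not in src_groups:
        return False
    return True


def ingress_allowed(rules, instances, dst, src_ip, protocol, port):
    """Ingress is denied unless some rule on one of the destination's groups
    matches. A remote_group rule matches only when the source IP belongs to
    a port that is itself a member of that group."""
    src_groups = set()
    for inst in instances:
        if inst.ip == src_ip:
            src_groups |= inst.groups
    return any(_matches(r, src_ip, src_groups, protocol, port)
               for g in dst.groups for r in rules.get(g, ()))


if __name__ == "__main__":
    rules = three_tier_policy()
    web1, app1, db1 = INSTANCES
    print("public -> web:443 ", ingress_allowed(rules, INSTANCES, web1, "203.0.113.5", "tcp", 443))
    print("public -> db:5432 ", ingress_allowed(rules, INSTANCES, db1, "203.0.113.5", "tcp", 5432))
    print("app1   -> db:5432 ", ingress_allowed(rules, INSTANCES, db1, app1.ip, "tcp", 5432))
```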
Floating IP

❑ In OpenStack terminology, a floating IP is an IP address allocated from a pool for a network marked as external. A floating IP is a routable IP address which is publicly reachable.
❑ Floating IPs enable communication from the external network to the instance. Administrators can associate a floating IP with an instance after it is launched.
FIP Namespace

❑ With a legacy-mode router, the floating IP resides on the network node.
❑ With a DVR-mode router, the FIP namespace resides on the compute node.
Chapter 8: OpenStack Object Storage

❑Architecture
❑Components
❑Hands-On: Manage Object
Object Storage

❑ Object storage is designed for unstructured data and is highly scalable and resilient for the world of cloud computing. Unstructured data has no fixed format and consists of files of varying sizes. It is storage that is accessible over the network via simple S3-compatible HTTP REST API calls.
❑ S3 (Simple Storage Service) was developed by Amazon Web Services and has become the de-facto standard for many of the leading object storage providers today. The reasons: AWS was first to market, and the interface is well documented.
Object Storage Characteristics

❑ Data is stored as objects rather than traditional blocks
❑ Objects can include backups, archives, videos, images, logs, HTML files, and more
❑ It is unstructured by nature because there is no format to the way data is stored.
❑ Unlike the directory structure found in traditional file systems, it utilizes a flat list of objects stored in “Objects”
❑ Objects are stored using unique IDs rather than filenames, which drastically reduces the overhead required to store data.
❑ Objects are stored with user-defined metadata, making it easier to find objects at scale
❑ Objects can be terabytes or even a few kilobytes in size, and a single bucket can hold billions of objects.
❑ Application developers can easily access objects using simple S3-compatible API calls through “GET” and “PUT” requests, without complex directory structures.
Swift Architecture

❑ Swift is a fully distributed storage solution, where both static data and binary objects are stored.
❑ It is neither a file system nor a real-time data storage system. It can easily scale to multiple petabytes or billions of objects.
Swift Components

❑ The Swift components listed in the following table are all required for the architecture to work properly.
❑ The proxy server interacts with the appropriate ring to route requests and locate objects. The ring stores a mapping between stored entities and their physical location.
❑ By default, each partition of the ring is replicated three times to ensure a fully distributed solution. Data is evenly distributed across the capacity of the cluster. Zones ensure that data is isolated. Because data is replicated across zones, failure in one zone does not impact the rest of the cluster.

Component: Description
Proxy Server: Processes all API calls and locates the requested object. Encodes and decodes data if Erasure Code is being used.
Ring: Maps the names of entities to their stored location on disk. Accounts, containers, and object servers each have their own ring.
Account Server: Holds a list of all containers.
Container Server: Holds a list of all objects.
Object Server: Stores, retrieves, and deletes objects.
Consistent Hashing

❑ “Consistent Hashing” is a term used to describe a process where data is distributed using a hashing algorithm to determine its location.
❑ Using only the hash of the id of the data you can determine exactly where that data should be. This mapping of hashes to locations is usually termed a “ring”.
❑ References:
https://www.toptal.com/big-data/consistent-hashing#:~:text=according%20to%20Wikipedia).-,Consistent%20Hashing%20is%20a%20distributed%20hashing%20scheme%20that%20operates%20independently,without%20affecting%20the%20overall%20system.
https://online.grokking.org/articles/28/phan-chia-du-lieu-cache-tren-cum-server-voi-consistent-hashing
Consistent Hashing
The idea of Consistent Hashing was proposed in 1997 by Martin Karger and colleagues. It was only put into practice in 2007 (DynamoDB, Cassandra, etc.).
We will still use the 3 servers from before, and "connect" these 3 servers with a "ring".
Imagine that each point on this "ring" corresponds to a value in the integer range 0, 1, 2, … 2^32 - 1.
The IP addresses of these 3 servers are hashed into 3 values, guaranteed to lie in the range 0 to 2^32 - 1.
Next, we have the set of URLs, which have been hashed to values in the range 0 to 2^32 - 1.
Placing each hashed URL value on the ring in turn, two cases can occur:
The hashed URL value coincides with the hash value of some server's IP.
The hashed URL value differs from all of the servers' IP hash values.
When the hashed value of the URL, h(X) = z, coincides with the IP hash value of some cache server, its value is stored on that server.
When the hashed value of the URL, h(X) = z, differs from all of the hash values of the cache servers' IPs, we find the server that will store this value by moving point z clockwise until z coincides with one of the hash values of the cache servers' IPs.
Consistent Hashing

For example, the URLs are hashed to different values on the "ring". The hashed IP values of the 3 servers are 26, 212 and 224 respectively.
As shown in the figure, the URLs abcde.com/products/phone/iphoneX and abcde.com/products/bike/airblade have hash values coinciding with Server 1 and Server 2 (26 and 212), and are stored on Server 1 and Server 2 respectively. The hash values of the remaining URLs are scattered around the ring.
The URL abcde.com/products/tv/Samsung-30-inch is stored on Server 1 because, going clockwise from value 217 - 11, the value 224 is met first. In the same way, the hash value of each remaining URL can be placed.
Consistent Hashing

❑ When a server ki is added to the cache server cluster (an element is added to the set K), the new server takes over caching the data between the two neighbouring points.
❑ When a server ki is removed from the cache server cluster (an element is removed from the set K), the data cached on that server is stored on the adjacent server ki+1. As in the figure, server 1 is removed, and its hash values (in pink/red) are stored on server 2.
❑ Thus, Consistent Hashing solves the problem of cache data being shuffled when the system is scaled horizontally, ensuring that the cache shuffle only affects one server.
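The ring described on the three slides above can be implemented in a few dozen lines. This is an added example written for this guide (not code from the referenced articles); the server IPs and URLs are constructed. It places servers at hash(ip), walks clockwise from hash(key) with wrap-around, and shows that removing a server moves only that server's keys, all to its clockwise successor.

```python
import bisect
import hashlib

RING_SIZE = 2 ** 32   # ring points are the integers 0 .. 2^32 - 1


def md5_point(key: str) -> int:
    """Hash a server IP or a URL to a point on the ring."""
    return int(hashlib.md5(key.encode()).hexdigest(), 16) % RING_SIZE


class ConsistentHashRing:
    """Servers sit at hash(ip) on the ring; a key is stored on the first
    server found walking clockwise from hash(key), wrapping past 2^32 - 1.
    hash_fn can be swapped (e.g. for the slide's small example numbers)."""

    def __init__(self, servers=(), hash_fn=md5_point):
        self._hash = hash_fn
        self._points = []   # sorted server positions
        self._owner = {}    # position -> server
        for s in servers:
            self.add(s)

    def add(self, server):
        point = self._hash(server)
        bisect.insort(self._points, point)
        self._owner[point] = server

    def remove(self, server):
        point = self._hash(server)
        self._points.remove(point)
        del self._owner[point]

    def lookup(self, key):
        z = self._hash(key)
        i = bisect.bisect_left(self._points, z)  # an exact hit lands on that server
        if i == len(self._points):               # past the last server: wrap around
            i = 0
        return self._owner[self._points[i]]


def placement(ring, keys):
    """Map every key to the server currently responsible for it."""
    return {k: ring.lookup(k) for k in keys}


def keys_moved_on_removal(servers, removed, keys, hash_fn=md5_point):
    """Return (moved_keys, set_of_new_owners) after removing one server.
    Only the removed server's keys move, and all of them land on its
    clockwise successor, so the owner set has at most one element."""
    ring = ConsistentHashRing(servers, hash_fn)
    before = placement(ring, keys)
    ring.remove(removed)
    after = placement(ring, keys)
    moved = [k for k in keys if before[k] != after[k]]
    return moved, {after[k] for k in moved}


if __name__ == "__main__":
    servers = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]          # constructed
    urls = [f"abcde.com/products/item{i}" for i in range(2000)]
    moved, owners = keys_moved_on_removal(servers, "10.0.0.2", urls)
    print(f"{len(moved)} of {len(urls)} keys moved, new owner(s): {owners}")
```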
Removing and Rebalancing Zones

❑ It is important to understand the concepts behind a storage system, to comprehend the policies, and to design and plan carefully before production. Zones are created to ensure that failure is not an option. Each data replica should reside within a different zone.
❑ Zone configuration ensures that should one zone fail there are still two up and running that can either accept new objects or retrieve stored objects. The recommended number of zones is five, on five separate nodes.
❑ As mentioned previously, Swift, by default, writes three replicas. If there are only three zones and one becomes unavailable, Swift cannot hand off the replica to another node. With five nodes, Swift has options and can automatically write the replica to another node, ensuring that eventually there will be three replicas.
❑ After Swift is set up and configured, it is possible to rectify or alter the storage policy. Extra devices can be added at any time.
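The three-zone versus five-zone argument above can be made concrete. The following is an added example for this guide, not Swift's ring builder: it uses Swift's partition-from-md5 idea but a deliberately simplified rotation placement, and the device names and zones are constructed. It places three replicas in distinct zones and then shows that a failed zone can be handed off with five zones but not with three.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str   # e.g. "node1/sdb" (constructed)
    zone: int


REPLICAS = 3


def partition_of(path: str, part_power: int) -> int:
    """Swift-style partition lookup: the top part_power bits of
    md5(object path) select one of 2**part_power partitions."""
    digest = int(hashlib.md5(path.encode()).hexdigest(), 16)
    return digest >> (128 - part_power)


def primaries(devices, partition, replicas=REPLICAS):
    """Pick the primary devices for a partition, one per distinct zone.
    Simplified rotation placement (not Swift's real ring builder): start
    at partition mod len(devices) and skip devices in zones already used."""
    chosen, zones = [], set()
    n = len(devices)
    for i in range(n):
        d = devices[(partition + i) % n]
        if d.zone not in zones:
            chosen.append(d)
            zones.add(d.zone)
        if len(chosen) == replicas:
            break
    return chosen


def place_with_failed_zones(devices, partition, failed_zones, replicas=REPLICAS):
    """Devices that actually hold replicas while failed_zones are down.
    A replica whose primary zone is down is handed off to a healthy device
    in a zone that holds no copy yet; if no such zone exists, fewer than
    `replicas` copies can be written, which is the three-zone problem."""
    chosen = [d for d in primaries(devices, partition, replicas)
              if d.zone not in failed_zones]
    used = {d.zone for d in chosen}
    for d in devices:                       # handoff candidates, in ring order
        if len(chosen) == replicas:
            break
        if d.zone not in failed_zones and d.zone not in used:
            chosen.append(d)
            used.add(d.zone)
    return chosen


def distinct_zones(devs):
    """True when no two chosen devices share a zone."""
    return len({d.zone for d in devs}) == len(devs)


# Constructed clusters: one device per zone, five zones versus three zones.
FIVE_ZONES = [Device(f"node{z}/sdb", z) for z in range(1, 6)]
THREE_ZONES = [Device(f"node{z}/sdb", z) for z in range(1, 4)]


if __name__ == "__main__":
    part = partition_of("AUTH_demo/photos/cat.jpg", 10)   # constructed object path
    for label, cluster in (("five zones", FIVE_ZONES), ("three zones", THREE_ZONES)):
        down = primaries(cluster, part)[0].zone
        held = place_with_failed_zones(cluster, part, {down})
        print(f"{label}, zone {down} down: {len(held)} replicas on",
              [d.name for d in held])
```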
Swift concepts

Component: Description

Account: Swift uses the term "account" to refer to an OpenStack project. Remember: in the OpenStack world, accounts, tenants, and projects all mean the same thing.
Container: A "bucket" for static files (also known as objects). A user must create a container to upload an object into a Swift account. All containers are owned by the account (or project) to which the user was scoped when they created them. By default, all objects uploaded into a container are private.
Objects: Objects are files that one uploads into a container. These are usually static files, such as pictures, movies, documents, or logs.
Swift concepts

Component: Description

Object expiration: One can set an object to expire at a specific time. Once an object is expired, it will no longer be accessible and is deleted from the Swift cluster. One great use case for object expiration is temporary registration codes or keys that are valid for a short time.
ACL (access control list): By default, a Swift container is private and not accessible to other users or projects. By default, a user with the admin or swiftoperator role can set ACLs at the container level and support lists for read and write access.
Static website hosting: Rather than using a traditional web server such as Apache or Nginx to host a website, Swift can host static website files, such as HTML, CSS, and client-side JavaScript. By setting the web-index header on a container to the public URL of the container, it will navigate to a specified file, such as an index.html. One can then update their DNS to point to the URL of the publicly accessible Swift container.
Object versioning: Versioning allows a user to upload multiple versions of a specific file. The user simply creates an alternate container for storing the versions. As the user uploads a file with the same name to a Swift container, the previous version gets posted to the alternate container. One can easily retrieve and restore to a previous version. If a DELETE request is sent to the object, the latest version gets deleted, and the previous version restored in its place.
Compare Ceph

❑ Both Swift and Ceph are open source object storage systems. They both use standard hardware, allow scale-out storage, and are easy to deploy in enterprises of all sizes. This is perhaps where the similarities end. Ceph lends itself to block access storage and transactional storage, and is recommended for single sites. Swift uses object API access to storage, and is recommended for unstructured data and geographical distribution.
❑ Applications that mostly use block access storage are built in a different way from those that use object access storage. The decision might come down to which applications need object storage and how they access it. Swift protects written data first and can therefore take additional time to update the entire cluster.
❑ Ceph does not do this, which makes it a better candidate for databases and real-time data. Swift would be a better choice for large-scale, geographically dispersed, unstructured data. This means that you might need or want both Ceph and Swift.
Exam Objective
Chapter 9: Openstack Block Storage

❑Architecture
❑Components
❑Hands-On: Manage Block Storage
Storage Concepts
Storage - Software LVM

[Figure: LVM layering; only the label “Physical volume” survives from the diagram]
Storage: Hardware
❑ Physical Disk
❑ Pool/RAID Group
❑ Volume/LUN
SAN Concepts

❑ A SAN is block-based storage, leveraging a high-speed architecture that connects servers to their logical disk units (LUNs).
❑ A LUN is a range of blocks provisioned from a pool of shared storage and presented to the server as a logical disk.
❑ The server partitions and formats those blocks—typically with a file system—so that it can store data on the LUN just as it would on local disk storage.
SAN: iSCSI protocols

iSCSI is an IP-based standard for transferring data that supports host access by carrying SCSI commands over IP networks.
SAN: FC protocols

❑ A Fibre Channel storage area network (FC SAN) is a system that enables multiple servers to access network storage devices. A storage area network enables high-performance data transmission between multiple storage devices and servers.
❑ FC technology is essential for SAN implementation and establishes connectivity according to requirements.
SAN: FC Fabric

❑ The SAN fabric is an area of the network that contains routers and switches.
❑ A Storage Area Network (SAN) is configured into a number of zones. A device that uses the SAN can communicate only with devices that are included in the same zones that it is in.
SAN: FC Zoning

❑ Zoning in a SAN is used to segment traffic between targets and initiators, or less formally, workstations and storage. Zoning is generally used for security or performance benefits.
❑ Zoning can be set up through software, referred to as soft zoning, or through hardware, referred to as hard zoning.
❑ Soft zoning can be used if you want zones to be able to overlap, as in 'Workstation X' should be in Zone 1 and Zone 2. This flexibility can be nice depending on the application, and is often based on the World Wide Name (WWN) of the Host Bus Adapter (HBA), which is the PCIe interface for Fibre Channel connectivity.
❑ Hard zoning does not allow zones to overlap. So in the example above, 'Workstation X' would need to be in Zone 1 or Zone 2, but could not be in both.
Cinder
Cinder

❑ Cinder is an OpenStack project that provides “block storage as a service”. It is designed to present storage resources, from either the reference implementation or a vendor driver, to end users, where they can be consumed by the OpenStack Compute project.
❑ It virtualizes pools of block storage devices and provides end users with a self-service API to request and consume those resources without requiring any knowledge of where their storage is actually deployed or on what type of device.
Cinder Architecture

❑ cinder-api is a WSGI application that accepts and validates REST (JSON or XML) requests from clients and routes them to other Cinder processes as appropriate over AMQP.
❑ cinder-scheduler determines which backend should serve as the destination for a volume creation or movement request. It maintains non-persistent state for backends (e.g. available capacity, capabilities, and supported extra specs) that can be leveraged when making placement decisions. The algorithm utilized by the scheduler can be changed through Cinder configuration.
❑ cinder-volume accepts requests from other Cinder processes and serves as the operational container for Cinder drivers. This process is multi-threaded and typically has one thread of execution per Cinder backend as defined in the Cinder configuration file.
❑ cinder-backup handles the interaction with potential backup targets (e.g. a file store exported via NFS or an OpenStack Object Storage Service (Swift)) when a client requests a volume backup or restore operation.
Cinder Drivers

- Volume Drivers
- Backup Drivers
- FC Zone Manager Drivers

Note: “Supported” drivers and Unsupported Drivers

Cinder Drivers

https://docs.openstack.org/cinder/rocky/reference/support-matrix.html
Cinder Hardware Drivers

❑ IBM Storwize family and SVC volume driver: The volume management driver for Storwize family and SAN Volume
Controller (SVC) provides OpenStack Compute instances with access to IBM Storwize family or SVC storage systems.
❑ Storwize/SVC driver supports the following Block Storage service volume operations:
Cinder Software Drivers

❑ The Linux-based Logical Volume Manager (LVM) exposes local physical disks as logical volumes to the operating system. The LVM back end implements block storage as LVM logical partitions.
❑ Each compute host that implements LVM must have a volume group dedicated to the Block Storage service.
❑ Remote LVM devices are typically transported using the iSCSI networking protocol. Although network connectivity can be achieved at a lower cost compared to other storage back-end technologies, since iSCSI does not require host bus adaptors (HBAs) or storage-specific network devices, using iSCSI is not recommended for production environments.
Cinder Backends

❑ A Cinder backend is the configuration object that represents a single provider of block storage upon which provisioning requests may be fulfilled.
❑ A Cinder backend communicates with the storage system through a Cinder driver. Cinder supports multiple backends being simultaneously configured and managed (even with the same Cinder driver) as of the Grizzly release.
Cinder Process

❑ Consider a user creating a Cinder block volume.
❑ The user sends an API request to cinder-api via the Horizon dashboard or CLI. Once cinder-api receives the request, it updates the Cinder database with details about the volume and places it on the message bus. cinder-scheduler determines the best Cinder storage node to provision the requested volume.
❑ Once selected, cinder-volume is responsible for generating the LVM commands to create the logical volume from a predefined volume group.
❑ The user then sends an API call to nova-api to attach the volume to the instance of their choice. This connection process is actually an iSCSI connection between the instance's compute node (the initiator) and the Cinder storage node (the target).
FC Zone Manager

❑ Zoning is a fabric-based service in SANs that groups host and storage nodes
that need to communicate. Zoning creates a situation in which nodes (for
example, host or initiators and storage array or targets) can communicate with
each other only if they are members of the same zone.
❑ Prior to FCZM, FC SANs were either pre-zoned or open-zoned when block
storage was provisioned in OpenStack.
❑ Pre-zoning introduces management complexity in cloud orchestration since this
involves considerable manual effort to determine the initiator-target pairs prior
to volume operations and to configure the zones ahead of time. Also, this
method is manual and can be error prone.
❑ Using no zoning is not recommended, because this allows devices to have
unrestricted access on the fabric and can cause Registered State Change
Notification (RSCN) storms, as well as other security vulnerabilities.
https://manuals.directutor.com/3COM/104AA5-9485ENW/index.html?page=3
Cinder Components
❑ Volume
❑ Volume Type
Storage Options
There are two types of storage.
❑ Ephemeral storage includes block disk devices and swap space used in a deployed instance. By definition, ephemeral storage resources are discarded when their instance is terminated.
❑ Ephemeral storage uses the local storage available in the compute nodes on which instances run. Because of this, ephemeral storage is usually the best option for storing elements that require the best performance, such as the operating system or swap disks.
To scale an instance's storage, provision additional virtual disks using the block storage service, object store service, or the file share service. Storage resources provided by these services are persistent; they remain after the instance is terminated.
Volume

❑ Volume: A raw unformatted block device that can be attached to a Nova virtual machine instance. It can then be used as a traditional hard drive by the instance's operating system.
❑ Snapshot: A read-only, point-in-time copy of a volume's contents. A snapshot can be created from a volume that is currently in use or in an available state. The snapshot can then be used to create a new volume.
Volume Operation

❑ Volumes and snapshots are used in volume operations.
Bootable Volume

❑ A volume can be set to bootable to boot an instance from it.

Task | Information | openstack server create parameter(s)
Boot instance from image and attach non-bootable volume | Boot an instance from an image and attach a non-bootable volume. | --block-device
Boot instance from volume | Create a volume from an image and boot an instance from that volume. | --boot-from-volume and --image; --block-device
Boot instance from volume | Boot from an existing source image, volume, or snapshot. | --volume or --snapshot; --block-device
Attach swap or ephemeral disk to an instance | Attach a swap disk to an instance. | --swap
Attach swap or ephemeral disk to an instance | Attach an ephemeral disk to an instance. | --ephemeral
Volume Type

❑ An abstract collection of criteria used to describe a particular service level
❑ Defined by cloud administrators as a list of key/value pairs
❑ Utilized by end users when volumes are created
❑ Volumes can be retyped after creation
❑ Used in provisioning by cinder-scheduler
Volume Creation

[Figure: volume creation sequence diagram; only its legend survives]
❑ blue arrow: represents an HTTP request;
❑ pink arrow: indicates that the code is running in the process address space of the corresponding service;
❑ green arrow: represents an RPC call, a request sent through the message queue;
❑ black arrow: how the corresponding request is executed depends on the specific storage system;

Cinder Scheduler

Configuring the Block Storage scheduler for multiple back ends: you must enable the filter_scheduler option to use multiple storage back ends. The filter scheduler:
❑ Filters the available back ends. By default, AvailabilityZoneFilter, CapacityFilter and CapabilitiesFilter are enabled.
❑ Weighs the previously filtered back ends. By default, the CapacityWeigher option is enabled. When this option is enabled, the filter scheduler assigns the highest weight to back ends with the most available capacity.
The scheduler uses filters and weights to pick the best back end to handle the request. The scheduler uses volume types to explicitly create volumes on specific back ends.

Cinder Filter

AvailabilityZoneFilter: Filters back ends by availability zone.
CapabilitiesFilter: Back-end filter that works with resource (instance and volume) type records.
CapacityFilter: Capacity filter based on the volume back end's capacity utilization.
DifferentBackendFilter: Schedules a volume on a different back end from a given set of volumes.
DriverFilter: Filters back ends based on a 'filter function' and metrics.

Cinder Weighing

Type | Description
CapacityWeigher | Capacity Weigher weighs hosts by their virtual or actual free capacity. For thin provisioning, weigh hosts by their virtual free capacity, calculated as the total capacity multiplied by the max over-subscription ratio minus the provisioned capacity; otherwise, weigh hosts by their actual free capacity, taking into account the reserved space. The default is to spread volumes across all hosts evenly. If you prefer stacking, you can set the capacity_weight_multiplier option to a negative number and the weighing has the opposite effect of the default.
ChanceWeigher | Chance Weigher assigns random weights to hosts. Used to spread volumes randomly across a list of equally suitable hosts.
GoodnessWeigher | Goodness Weigher. Assigns weights based on a host's goodness function.
VolumeNumberWeigher | Weigher that weighs hosts by the number of volumes on each back end.
AllocatedCapacityWeigher | Allocated Capacity Weigher weighs hosts by their allocated capacity. The default behavior is to place a new volume on the host with the least allocated space. This weigher is intended to simulate the behavior of SimpleScheduler. If you prefer to place volumes on the host with the most allocated space, you can set the allocated_capacity_weight_multiplier option to a positive number and the weighing has the opposite effect of the default.


Cinder Weighing

Goodness Weigher. Assigns weights based on a host's goodness function.
❑ If a requested volume is of size 10 GB then lvm-1 is rated as 50 and lvm-2 is rated as 100. In this case lvm-2 wins.
❑ If a requested volume is of size 3 GB then lvm-1 is rated 100 and lvm-2 is rated 25. In this case lvm-1 would win.

https://docs.openstack.org/cinder/latest/admin/driver-filter-weighing.html#extra-specs-for-the-requested-volume-type
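To make the filter-then-weigh flow of the Cinder Scheduler and Cinder Weighing slides concrete, here is an added example (not from the study guide and not Cinder's own code) that models AvailabilityZoneFilter, CapacityFilter, CapacityWeigher (with the thin-provisioning formula and the capacity_weight_multiplier stacking behaviour) and GoodnessWeigher over constructed back-end stats. The back-end names, sizes and goodness functions are assumptions chosen so that the lvm-1/lvm-2 ratings above are reproduced.

```python
# Added example, not code from the study guide or from Cinder itself: a small
# model of the filter-then-weigh decision described above, run over constructed
# back-end stats. Back-end names, sizes and goodness functions are assumptions.
from dataclasses import dataclass
@dataclass
class Backend:
    name: str
    zone: str
    total_gb: float
    free_gb: float                 # actual free space reported by the driver
    provisioned_gb: float = 0.0
    reserved_pct: float = 0.0      # reserved percentage held back from actual free
    thin: bool = False             # thin provisioning support
    max_over_subscription_ratio: float = 1.0
    goodness: object = None        # callable request -> 0..100 rating, or None

def virtual_free_gb(b):
    """Free space as CapacityFilter/CapacityWeigher see it (per the slide text)."""
    if b.thin:  # thin: total * over-subscription ratio, minus provisioned space
        return b.total_gb * b.max_over_subscription_ratio - b.provisioned_gb
    return b.free_gb - b.total_gb * b.reserved_pct / 100.0  # honour reserved space

def availability_zone_filter(bs, r):
    return [b for b in bs if b.zone == r["zone"]]
def capacity_filter(bs, r):
    return [b for b in bs if virtual_free_gb(b) >= r["size"]]

def capacity_weigher(multiplier=1.0):
    # Default spreads volumes (most free wins); a negative multiplier stacks them.
    return lambda b, r: multiplier * virtual_free_gb(b)
def goodness_weigher(multiplier=1.0):
    return lambda b, r: multiplier * (b.goodness(r) if b.goodness else 0.0)

def schedule(bs, r, filters, weighers):
    """Apply the filters in order, then return the highest-weighted candidate's name."""
    for f in filters:
        bs = f(bs, r)
    if not bs:
        return None  # no back end can host this volume
    return max(bs, key=lambda b: sum(w(b, r) for w in weighers)).name

# Constructed back ends; the goodness functions reproduce the slide's example
# (10 GB: lvm-1 rates 50, lvm-2 rates 100; 3 GB: lvm-1 rates 100, lvm-2 rates 25).
BACKENDS = [
    Backend("lvm-1", "nova", 100, 60, provisioned_gb=40, reserved_pct=10,
            goodness=lambda r: 100 if r["size"] < 5 else 50),
    Backend("lvm-2", "nova", 200, 50, provisioned_gb=150, thin=True,
            max_over_subscription_ratio=2.0, goodness=lambda r: 100 if r["size"] >= 5 else 25),
    Backend("nfs-1", "east", 500, 500),
]
```

Calling `schedule(BACKENDS, {"zone": "nova", "size": 10}, [availability_zone_filter, capacity_filter], [capacity_weigher()])` picks lvm-2 (largest virtual free space), while the same request with `capacity_weigher(-1.0)` stacks onto lvm-1, and a 300 GB request returns None because no back end passes CapacityFilter.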

Exam Objective

❑ Volume type
❑ Volume
❑ Attach to Instance
❑ Mount on instance

Chapter 10: Troubleshooting OpenStack

❑ Troubleshooting Strategy
❑ Hands-On: Troubleshooting

Troubleshooting Strategy

In general, we can troubleshoot by following one of two approaches:
❑ Architecture approach
❑ Flow approach

Thank you
Thanks for your attention.

Trainocate
Dieulinh Nguyen <[email protected]
