IMPLEMENTING SECURITY GROUPS IN OPENSTACK
submitted to
Noida Institute of Engineering & Technology, Greater Noida
Project Report
submitted by
Rishabh Agarwal, Arzoo Singh, Raj Shekhar, Jyoti Yadav
under the supervision of
Mr. Hitesh Sharma
Mr. Rahul Singh
Department of Computer Science and Engineering
DECLARATION
WE, STUDENTS OF BACHELOR OF TECHNOLOGY, COMPUTER
SCIENCE AND ENGINEERING, NIET GREATER NOIDA, HEREBY
DECLARE THAT THE WORK PRESENTED IN THIS THESIS IS OUTCOME
OF OUR OWN WORK, IS BONAFIDE, CORRECT TO THE BEST OF OUR
KNOWLEDGE. THIS WORK HAS BEEN CARRIED OUT TAKING CARE OF
ENGINEERING ETHICS AND KEEPING INDIAN IP LAWS INTO
CONSIDERATION.
RISHABH AGARWAL (1313310118), ARZOO SINGH (1313310036)
RAJ SHEKHAR (1313310114), JYOTI YADAV (1313310070)
DATE: 16-06-2016
ACKNOWLEDGEMENT
WE WOULD LIKE TO TAKE THIS OPPORTUNITY TO EXPRESS OUR
DEEP SENSE OF GRATITUDE AND PROFOUND FEELING OF
ADMIRATION TO OUR PROJECT SUPERVISOR/MENTOR MR HITESH
SHARMA AND MR RAHUL SINGH, FOR PROVIDING US INVALUABLE
GUIDANCE FOR THE TECHNICAL SEMINAR.
WE ACKNOWLEDGE HERE OUR DEBT TO ALL THOSE WHO HELPED
SIGNIFICANTLY IN ONE OR MORE STEPS.
ABSTRACT
The use of cloud computing has grown rapidly across organizations. It offers low cost and easy
access to data, but securing it is a major concern: users store sensitive information with cloud
storage providers, and those providers may not be fully trusted.
Relying on a single cloud provider is expected to become less attractive to customers because of
the risk of service unavailability and of malicious insiders at that provider. A movement towards
"multi-clouds", also called "interclouds" or "cloud-of-clouds", has emerged in response.
OpenStack itself can be deployed in two modes: single node and multi node. A single node
installation places all components (Nova, Keystone, Cinder, etc.) on one machine and is used
mainly for testing. A multi node installation spreads the components across several machines.
In a single node installation the failure of that one machine, or of any component on it, takes
the entire system down. A multi node installation is more reliable because the components run on
separate nodes, and it can be made more reliable still by running redundant copies of a component
on several nodes. This report describes both deployment modes and how network access to
instances is controlled with security groups.
CONTENTS
Chapter Title Page No.
Declaration i
Acknowledgement ii
Abstract iii
1 Introduction 1
1.1 Overview 1
1.2 Types of Cloud 2
1.3 Classification on the basis of Services 4
1.4 Advantages 5
2 Security 6
2.1 Security issues associated with cloud 6
2.2 Single node and Multi node 7
2.3 Security single node and multi node 9
3 Installation Guide 12
3.1 Installation 12
3.1.1 Add User 12
3.1.2 Download 12
3.1.3 Run DevStack 13
3.1.4 Using OpenStack 14
3.2 Container Setup 14
3.2.1 Configuration 14
3.2.2 Create Container 15
3.2.3 Start Container 15
3.2.4 Run DevStack 16
3.2.5 Cleanup 16
3.3 Configure Compute Nodes 17
4 Conclusion 20
5 References 21
LIST OF FIGURES
Figure Name Figure No Page No
Layered Model of Cloud 1 2
Architecture of Cloud Data Storage 2 4
Services of the Cloud 3 5
Multi Node Architecture 4 8
Chapter 1
INTRODUCTION
1.1 Overview
The term 'Cloud Computing' is made up of two terms, Cloud and Computing.
Cloud can be thought of as synonymous with the Internet, where various resources are
interlinked over a network, and a user reaches the resource they want through a simple
client-server architecture. The term 'computing' refers to processing. Cloud computing is
therefore computing on resources reached over the network. In cloud computing, Infrastructure,
Platform and Application/Software are delivered as services over the network. The cloud concept
has changed the IT market: organizations need not invest in resources up front; they rent the
required resources on demand or take services from the cloud, which has cut infrastructure costs
many times over. The cloud is used in three models, namely SaaS (Software as a Service), PaaS
(Platform as a Service) and IaaS (Infrastructure as a Service).
The SaaS model serves end users, who store their critical, important and real-time information in
the hosted application. The PaaS model is used mostly by application developers, who consume the
platform as a service to develop, test, debug and deploy their applications; it is essentially
middleware for developers. The IaaS model is used by infrastructure and network engineers; here
compute, storage, networking and database management are offered as raw services, generally on a
pay-per-use basis. The end user is usually interested only in SaaS. Data is both consumed and
produced in the cloud, and it is used by the cloud computing systems and by the client systems
alike.
Fig 1: Layered Model of Cloud
There is no single agreed definition of cloud computing, but one widely accepted definition
describes the cloud as "A large-scale distributed computing paradigm that is driven by economies
of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing
power, storage, platforms, and services are delivered on demand to external customers over the
Internet."
1.2 Types of Cloud
Cloud computing is typically classified in the following ways:
Public cloud: The computing infrastructure is hosted by the cloud vendor at the vendor's
premises. The customer has no visibility into or control over where the infrastructure is
hosted, and the infrastructure is shared among many organizations (tenants).
Private cloud: The computing infrastructure is dedicated to one organization and not shared
with others. Private clouds are generally more expensive than public clouds and give the
organization more control over security. They come in two forms: on-premise private clouds
and externally hosted private clouds. An externally hosted private cloud is still used
exclusively by one organization, but it is run by a third party that specializes in cloud
infrastructure; it is cheaper than an on-premise private cloud.
Hybrid cloud: Organizations may host critical applications on private clouds and applications
with fewer security concerns on the public cloud. The use of private and public clouds together
is called a hybrid cloud. A related term is cloud bursting: an organization uses its own
computing infrastructure for normal load but draws on the public cloud for peak load, so that a
sudden increase in computing demand is handled gracefully.
Community cloud: It involves sharing computing infrastructure between organizations of the same
community. For example, all government organizations within the state of California may share
cloud infrastructure to manage data about citizens residing in California.
Fig 2: Architecture of Cloud Data Storage
1.3 Classification on the basis of services
The three key cloud delivery models are –
Software-as-a-Service (SaaS) enables a software deployment model in which one or more
applications and the computing resources that run them are provided for use on demand as a
turnkey service. It can reduce the total cost of hardware and software development,
maintenance, and operations.
Platform-as-a-Service (PaaS) enables a software deployment model in which the computing
platform is provided as an on-demand service upon which applications can be developed and
deployed. It can reduce the cost and complexity of buying, housing, and managing the hardware
and software components of the platform.
Infrastructure-as-a-Service (IaaS) enables a software deployment model in which the basic
computing infrastructure of servers, software, and network equipment is provided as an
on-demand service upon which a platform to develop and execute applications can be founded. It
can be used to avoid buying, housing, and managing the basic hardware and software
infrastructure components.
Fig 3: Services of the Cloud
1.4 Advantages of Cloud Computing
Flexibility
Disaster recovery
Automatic software updates
Capital-expenditure Free
Increased collaboration
Work from anywhere
Document control
Security
Competitiveness
Environmentally Friendly
Chapter 2
SECURITY
2.1 Security issues associated with the cloud
Cloud computing and storage solutions provide users and enterprises with various
capabilities to store and process their data in third-party data centers.
Organizations use the Cloud in a variety of different service models (SaaS, PaaS
and IaaS) and deployment models (Private, Public, Hybrid
and Community). There are a number of security concerns associated with cloud computing. These
issues fall into two broad categories: security issues faced by cloud providers (organizations
providing software, platform or infrastructure as a service via the cloud) and security issues
faced by their customers (companies or organizations that host applications or store data on the
cloud). The responsibility is shared, however: the provider must ensure that its infrastructure
is secure and that its clients' data and applications are protected, while the customer must
harden their own applications and use strong passwords and authentication measures.
When an organization elects to store data or host applications on the public cloud,
it loses its ability to have physical access to the servers hosting its information. As
a result, potentially sensitive data is at risk from insider attacks. According to a
recent Cloud Security Alliance Report, insider attacks are the third biggest threat
in cloud computing. Therefore, Cloud Service providers must ensure that thorough
background checks are conducted for employees who have physical access to the
servers in the data center. Additionally, data centers must be frequently monitored
for suspicious activity.
To conserve resources, cut costs and maintain efficiency, cloud service providers often store
more than one customer's data on the same server. As a result there is a chance that one
tenant's private data can be viewed by another tenant (possibly even a competitor). To handle
this, cloud service providers must ensure proper data isolation and logical storage segregation.
The extensive use of virtualization in cloud infrastructure brings its own security concerns for
the tenants of a public cloud. Virtualization changes the relationship between the operating
system and the underlying hardware, whether compute, storage or networking, and introduces an
additional layer, the hypervisor, that must itself be configured, managed and secured. A
specific concern is compromise of the hypervisor itself: such attacks are rare, but they have
been publicly demonstrated and are not merely theoretical.
For example, a breach of the administrator workstation that runs the virtualization management
software can take the whole data center down or let an attacker reconfigure it as they like.
2.2 Single node and Multi node in OpenStack
A single node installation installs all components (Nova, Keystone, Cinder, etc.) on one
machine and is used mainly for testing. A multi node installation distributes the components
across several machines: for example, Keystone and Cinder on one node, Neutron on another, and
two Nova compute services on two further servers. You can tell the two apart by checking
whether more than one node in the environment runs different components.
Generally speaking, a single node setup of OpenStack (for example DevStack,
http://docs.openstack.org/developer/devstack/) is used for testing purposes. It is not designed
for production, and most people would strongly discourage using it that way. From a personal
perspective, I've used it to test certain OpenStack components that aren't fully available yet
(e.g. Sahara), and for that purpose it is a fantastic environment.
A multi-node setup, on the other hand, is what most production environments run. Given the
number of OpenStack components, putting all of them on one node can significantly affect
performance, because everything is limited to the resources of that one machine. Multi-node
not only solves this but is also highly scalable: if you need more compute power you add more
compute nodes (likewise Swift nodes for storage, and so on). Additionally, running different
components on different nodes can provide failover if one node suffers downtime.
A quick and simple way to check whether the current OpenStack deployment is single or multi
node is to run the following command on the controller node:
nova host-list
With the unified command-line client the equivalent is openstack compute service list. If more
than one host is listed for the nova-compute service, the deployment is multi node.
Fig 4: Multi Node Architecture
2.3 Security in Single node and Multi node
A security group is a named set of firewall rules applied to the network ports of the instances
that belong to it. It works the same way in a single node and a multi node deployment: the
rules are enforced on the compute node that hosts each instance, so adding compute nodes does
not change how the rules are written.
2.3.1 How to create a Security Group?
1- In the dashboard (Horizon), click on Access & Security.
2- Click on Create Security Group.
3- Enter the name of the security group and click Create Security Group.
After creating the security group you add rules to allow the traffic you need; any traffic that
no rule matches is dropped. Every project starts with a group called default: it allows all
outbound traffic, and inbound traffic only from instances that are themselves members of the
default group. Inbound traffic from anywhere else is blocked until a rule permits it.
2.3.2 How to add rules to a Security Group?
1- Click on Manage Rules next to the security group to open Manage Security Group Rules.
2- Click on Add Rule.
3- Choose the rule type. Here we allow All TCP ports; the same can be done for the other
protocols (UDP, ICMP, etc.). Each rule also has a direction (ingress or egress) and a remote,
which is either a CIDR (the default, 0.0.0.0/0, means every address) or another security group.
Here, I have allowed All TCP, All UDP and All ICMP.
Note that a rule such as All TCP with remote 0.0.0.0/0 exposes every listening port on the
instance to the whole Internet, which defeats the purpose of the security group. For anything
other than a throwaway test, open only the ports the application needs (for example TCP 443),
restrict administrative ports such as SSH to the addresses of the administrators, and use a
remote security group rather than a CIDR for traffic between your own instances.
After creating the rules, click on Access & Security and you will see the security group you
have created together with its rules.
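As an added example, not part of this report and not OpenStack's own code, the Python below models how Neutron evaluates the rules described in 2.3.1 and 2.3.2: the default group's two rules, default deny for anything no rule matches, and matching on direction, protocol, port range and remote CIDR or remote group. It also audits a group for the "All TCP, All UDP, All ICMP from 0.0.0.0/0" recipe above. The group names, instance addresses, the admin network 203.0.113.0/24 and the list of administrative ports are constructed for illustration; IPv6 ethertype rules are left out.

```python
"""Model of OpenStack security-group evaluation (added example, not from the
report or from Neutron). Names, addresses and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    protocol: Optional[str] = None       # None = any protocol
    port_min: Optional[int] = None       # None = all ports
    port_max: Optional[int] = None
    remote_ip: Optional[str] = None      # CIDR; None without remote_group = any source
    remote_group: Optional[str] = None   # match peers that belong to this group


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def default_group() -> SecurityGroup:
    """The IPv4 rules Neutron gives every project's 'default' group:
    all egress, and ingress only from members of the same group."""
    return SecurityGroup("default", [Rule("egress"),
                                     Rule("ingress", remote_group="default")])


@dataclass
class Instance:
    name: str
    ip: str
    groups: List[SecurityGroup]

    def group_names(self) -> Set[str]:
        return {g.name for g in self.groups}


def _matches(rule: Rule, direction: str, proto: str, port: Optional[int],
             peer_ip: str, peer_groups: Set[str]) -> bool:
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != proto:
        return False
    if rule.port_min is not None:
        if port is None or not rule.port_min <= port <= rule.port_max:
            return False
    if rule.remote_group is not None:
        return rule.remote_group in peer_groups
    return ip_address(peer_ip) in ip_network(rule.remote_ip or "0.0.0.0/0")


def allowed(inst: Instance, direction: str, proto: str, port: Optional[int],
            peer_ip: str, peer_groups=()) -> bool:
    """Default deny: a flow passes only if a rule on one of the groups
    attached to the instance's port matches it."""
    peers = set(peer_groups)
    return any(_matches(r, direction, proto, port, peer_ip, peers)
               for g in inst.groups for r in g.rules)


ADMIN_PORTS = (22, 3389)   # assumed list of ports never to expose to 0.0.0.0/0


def audit(group: SecurityGroup) -> List[str]:
    """Flag ingress rules open to every source that expose all ports or an
    administrative port. The 'All TCP/UDP/ICMP' recipe trips this three times."""
    findings = []
    for r in group.rules:
        if r.direction != "ingress" or r.remote_group is not None:
            continue
        if ip_network(r.remote_ip or "0.0.0.0/0").prefixlen != 0:
            continue
        proto = r.protocol or "any protocol"
        if r.port_min is None:
            findings.append(f"{group.name}: {proto}, all ports, open to 0.0.0.0/0")
        elif any(r.port_min <= p <= r.port_max for p in ADMIN_PORTS):
            findings.append(f"{group.name}: {proto} {r.port_min}-{r.port_max} "
                            f"open to 0.0.0.0/0")
    return findings


# The report's recipe: All TCP, All UDP and All ICMP, remote left at 0.0.0.0/0.
wide_open = SecurityGroup("wide-open", [Rule("ingress", "tcp"),
                                        Rule("ingress", "udp"),
                                        Rule("ingress", "icmp")])

# Least-privilege alternative: HTTPS from anywhere, SSH only from the admin net.
web_group = SecurityGroup("web", [
    Rule("ingress", "tcp", 443, 443),
    Rule("ingress", "tcp", 22, 22, remote_ip="203.0.113.0/24"),
])

web = Instance("web01", "10.11.12.5", [default_group(), web_group])
db = Instance("db01", "10.11.12.9", [default_group()])

if __name__ == "__main__":
    # db accepts 3306 from web (both in 'default') but not from outside.
    print(allowed(db, "ingress", "tcp", 3306, web.ip, web.group_names()))
    print(allowed(db, "ingress", "tcp", 3306, "198.51.100.7"))
    for finding in audit(wide_open) + audit(web_group):
        print("FINDING:", finding)
```

The db instance, which carries only the default group, reaches MySQL from web01 because both are members of default, while the same connection from an outside address is dropped; the web group passes HTTPS from anywhere but SSH only from the admin network, and the audit reports nothing for it, whereas the All TCP/UDP/ICMP group produces three findings.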
Chapter 3
INSTALLATION GUIDE
3.1 Installation
3.1.1 Add your user
We need a user to install DevStack (if you created a user during install you can skip this step
and just give that user sudo privileges as below):
adduser stack
Since this user will be making many changes to your system, it needs sudo privileges:
apt-get install sudo -y || yum install -y sudo
echo "stack ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/stack
chmod 0440 /etc/sudoers.d/stack
Note that NOPASSWD: ALL makes the stack user equivalent to root without a password. That is
acceptable on a disposable test machine, but not on a host that is shared or reachable from
untrusted networks. From here on use the user you created: log out and log in as that user.
3.1.2 Download DevStack
We'll grab the latest version of DevStack via https:
sudo apt-get install git -y || sudo yum install -y git
git clone https://git.openstack.org/openstack-dev/devstack
cd devstack
3.1.3 Run DevStack
Now configure stack.sh. DevStack includes a sample in devstack/samples/local.conf. Create
local.conf as shown below to do the following:
Set FLOATING_RANGE to a range not used on the local network, e.g. 192.168.1.224/27. This
configures IP addresses ending in 225-254 to be used as floating IPs.
Set FIXED_RANGE and FIXED_NETWORK_SIZE to configure the internal address space used by the
instances. FIXED_NETWORK_SIZE must match the size of FIXED_RANGE (256 for a /24).
Set FLAT_INTERFACE to the Ethernet interface that connects the host to your local network. This
is the interface that carries the host's static IP address (192.168.1.201 in this example).
Set the administrative password. This password is used for the admin and demo accounts set up
as OpenStack users.
Set the MySQL administrative password. The default is a random hex string, which is
inconvenient if you need to look at the database directly.
Set the RabbitMQ password.
Set the service password. This is used by the OpenStack services (Nova, Glance, etc.) to
authenticate with Keystone.
local.conf should look something like this:
[[local|localrc]]
FLOATING_RANGE=192.168.1.224/27
FIXED_RANGE=10.11.12.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=eth0
ADMIN_PASSWORD=supersecret
DATABASE_PASSWORD=iheartdatabases
RABBIT_PASSWORD=flopsymopsy
SERVICE_PASSWORD=iheartksl
The four passwords above are the placeholders from the DevStack documentation. Replace them with
your own values before running stack.sh, since the dashboard and the API endpoints will be
reachable from other machines on the local network.
3.1.4 Using OpenStack
At this point you should be able to access the dashboard from other computers on the local network. In
this example that would be http://192.168.1.201/ for the dashboard (aka Horizon). Launch VMs and if
you give them floating IPs and security group access those VMs will be accessible from other machines
on your network.
Some examples of using the OpenStack command-line clients nova and glance are in the shakedown
scripts in devstack/exercises. exercise.sh will run all of those scripts and report on the results.
3.2 Container Setup
3.2.1 Configuration
For a successful run of stack.sh and to permit use of KVM to run the VMs you launch inside
your container, we need to use the following additional configuration options. Place the
following in a file called devstack-lxc.conf
# Permit access to /dev/loop*
lxc.cgroup.devices.allow = b 7:* rwm
# Setup access to /dev/net/tun and /dev/kvm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
# Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
3.2.2 Create Container
The configuration and rootfs for LXC containers are created using the lxc-create command. We
will name our container devstack and use the ubuntu template, which uses debootstrap to build
an Ubuntu rootfs. It defaults to the same release and architecture as the host system. We also
install the additional packages bsdmainutils and git, as we'll need them to run DevStack:
sudo lxc-create -n devstack -t ubuntu -f devstack-lxc.conf -- --packages=bsdmainutils,git
The first time it builds the rootfs will take a few minutes to download, unpack, and configure all
the necessary packages for a minimal installation of Ubuntu. LXC will cache this and subsequent
containers will only take seconds to create.
3.2.3 Start Container
To start the container, run: sudo lxc-start -n devstack
A moment later you should be presented with the login prompt for your container. You can log in
using the username ubuntu and password ubuntu; these are the well-known defaults of the ubuntu
template, so change the password if the container will be reachable from other machines.
You can also ssh into your container. On your host, run sudo lxc-info -n devstack to get the IP
address (e.g. ssh ubuntu@$(sudo lxc-info -n devstack | awk '/IP/ { print $2 }')).
3.2.4 Run DevStack
You should now be logged into your container and almost ready to run DevStack. The commands in
this section should all be run inside your container.
1. Download DevStack
git clone https://git.openstack.org/openstack-dev/devstack
2. Configure
Refer to the minimal configuration in section 3.1.3 if you wish to configure the behaviour of
DevStack.
3. Start the install
cd devstack
./stack.sh
3.2.5 Cleanup
To stop the container:
lxc-stop -n devstack
To delete the container:
lxc-destroy -n devstack
3.3 Configure Compute Nodes
The compute nodes only run the OpenStack worker services (nova-compute and the agents it
needs); the API services, database and message queue stay on the controller. For each
additional machine, create a local.conf with:
[[local|localrc]]
HOST_IP=192.168.42.12 # change this per compute node
FLAT_INTERFACE=eth0
FIXED_RANGE=10.4.128.0/20
FIXED_NETWORK_SIZE=4096
FLOATING_RANGE=192.168.42.128/25
MULTI_HOST=1
LOGFILE=/opt/stack/logs/stack.sh.log
ADMIN_PASSWORD=labstack
DATABASE_PASSWORD=supersecret
RABBIT_PASSWORD=supersecret
SERVICE_PASSWORD=supersecret
SERVICE_HOST=192.168.42.11 # address of the controller node (adjust to yours)
MYSQL_HOST=$SERVICE_HOST
RABBIT_HOST=$SERVICE_HOST
GLANCE_HOSTPORT=$SERVICE_HOST:9292
ENABLED_SERVICES=n-cpu,n-net,n-api-meta,c-vol
The passwords must be identical to those on the controller, because the compute node uses them
to authenticate to the controller's database, message queue and Keystone; use the same
non-placeholder values on every node. SERVICE_HOST is the controller's address (192.168.42.11
here is an assumed value), and ENABLED_SERVICES limits this node to the compute, network,
metadata and volume workers so that it does not start a second copy of the control-plane
services.
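As an added example, not part of this report or of DevStack, the Python below lints the [[local|localrc]] section of a local.conf for the settings explained in 3.1.3 and 3.3: placeholder passwords, overlap between FIXED_RANGE and FLOATING_RANGE, a FIXED_NETWORK_SIZE that does not match FIXED_RANGE, a HOST_IP that falls inside the floating range, and a compute node without SERVICE_HOST. The two embedded configurations are copies of the samples in this chapter; the hardened one, the 12-character minimum, the SAMPLE_PASSWORDS set and the controller address 192.168.42.11 are constructed assumptions.

```python
"""Lint a DevStack local.conf (added example, not from the report or DevStack).
The password policy and SAMPLE_PASSWORDS set are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Placeholder passwords that appear in DevStack documentation samples (assumed list).
SAMPLE_PASSWORDS = {"supersecret", "iheartdatabases", "flopsymopsy",
                    "iheartksl", "labstack", "secret", "password"}
PASSWORD_KEYS = ("ADMIN_PASSWORD", "DATABASE_PASSWORD",
                 "RABBIT_PASSWORD", "SERVICE_PASSWORD")
MIN_PASSWORD_LEN = 12  # assumed local policy


def parse_localrc(text: str) -> Dict[str, str]:
    """Return KEY=VALUE pairs from the [[local|localrc]] section only."""
    settings, in_localrc = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("[["):              # start of a local.conf section
            in_localrc = line == "[[local|localrc]]"
            continue
        if in_localrc and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def lint(text: str, role: str = "controller") -> List[str]:
    """role is 'controller' or 'compute' (the nodes of section 3.3)."""
    cfg = parse_localrc(text)
    findings = []
    for key in PASSWORD_KEYS:
        value = cfg.get(key)
        if not value:
            findings.append(f"{key} not set; stack.sh will prompt for it")
        elif value in SAMPLE_PASSWORDS or len(value) < MIN_PASSWORD_LEN:
            findings.append(f"{key} is a documentation sample or too short")
    fixed = ip_network(cfg["FIXED_RANGE"]) if "FIXED_RANGE" in cfg else None
    floating = ip_network(cfg["FLOATING_RANGE"]) if "FLOATING_RANGE" in cfg else None
    if fixed and floating and fixed.overlaps(floating):
        findings.append("FIXED_RANGE overlaps FLOATING_RANGE")
    if fixed and "FIXED_NETWORK_SIZE" in cfg and \
            int(cfg["FIXED_NETWORK_SIZE"]) != fixed.num_addresses:
        findings.append(f"FIXED_NETWORK_SIZE should be {fixed.num_addresses} for {fixed}")
    host = cfg.get("HOST_IP")
    if host and floating and ip_address(host) in floating:
        findings.append("HOST_IP lies inside FLOATING_RANGE")
    if role == "compute" and "SERVICE_HOST" not in cfg:
        findings.append("compute node needs SERVICE_HOST pointing at the controller")
    return findings


# Constructed inputs: the two samples from this chapter and a hardened variant.
SINGLE_NODE = """[[local|localrc]]
FLOATING_RANGE=192.168.1.224/27
FIXED_RANGE=10.11.12.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=eth0
ADMIN_PASSWORD=supersecret
DATABASE_PASSWORD=iheartdatabases
RABBIT_PASSWORD=flopsymopsy
SERVICE_PASSWORD=iheartksl
"""

COMPUTE_NODE = """[[local|localrc]]
HOST_IP=192.168.42.12 # change this per compute node
FLAT_INTERFACE=eth0
FIXED_RANGE=10.4.128.0/20
FIXED_NETWORK_SIZE=4096
FLOATING_RANGE=192.168.42.128/25
MULTI_HOST=1
ADMIN_PASSWORD=labstack
DATABASE_PASSWORD=supersecret
RABBIT_PASSWORD=supersecret
"""

HARDENED_COMPUTE = COMPUTE_NODE.replace("labstack", "Vq7mR2xZp9LtW4nK") \
    .replace("supersecret", "Hb3kQ8sD1fYc6JeN") + \
    "SERVICE_PASSWORD=Xr5tP0wL2cMa9ZbF\nSERVICE_HOST=192.168.42.11  # assumed controller\n"

if __name__ == "__main__":
    for name, text, role in (("single", SINGLE_NODE, "controller"),
                             ("compute", COMPUTE_NODE, "compute"),
                             ("hardened", HARDENED_COMPUTE, "compute")):
        print(name, lint(text, role) or "OK")
```

Run against the chapter's single-node sample the linter reports the four placeholder passwords; against the compute-node sample it reports three placeholders, the missing SERVICE_PASSWORD and the missing SERVICE_HOST; the hardened variant passes cleanly.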
3.3.1 Cleaning Up After DevStack
Shutting down OpenStack is now as simple as running the included unstack.sh script:
./unstack.sh
A more aggressive cleanup can be performed using clean.sh. It removes certain troublesome
packages and attempts to leave the system in a state where changing the database or queue
manager can be reliably performed.
./clean.sh
Sometimes running instances are not cleaned up. DevStack attempts to do this when it runs, but
there are times it still needs to be done by hand. Destroy the running domains first, then
remove their definitions:
sudo virsh list | grep inst | awk '{print $1}' | xargs -n1 sudo virsh destroy
sudo rm -rf /etc/libvirt/qemu/inst*
Chapter 4
CONCLUSION
In a single node installation all components run on one machine, so the failure of that machine,
or of any component on it, brings down the entire system. A multi node installation provides
more reliable service because the components are spread over several nodes, and it can be made
more reliable still by running redundant copies of a component on several nodes. In both cases
the security groups described in Chapter 2 control which traffic reaches each instance, and
they should be written to allow only the ports and sources the workload actually needs.