
Rackspace Reference Architecture for OpenStack

Version 11.07.11

Summary
This reference architecture guide was developed by Rackspace Cloud Builders based on the company's experiences deploying and supporting OpenStack clouds in production. In the spirit of open source, it is meant to share best practices and provide detailed technical information about the logical and physical architecture of a reproducible OpenStack deployment. OpenStack is a collection of open source technologies that provides a massively scalable open source cloud computing platform. Currently OpenStack focuses on two key components: OpenStack Compute, which offers computing power through virtual machine and network management, and OpenStack Object Storage, which is software for redundant, scalable object storage capacity. This guide includes network topology and the deployment and installation processes that are tested to work in data centers around the globe. With this document in hand you can determine next steps for building an OpenStack cloud.

Intended Audience
This document is intended for Rackspace Certified Deployment and Technology partners, cloud service providers, hosting companies and enterprise IT departments wanting to deploy an OpenStack-powered cloud that can be supported by Rackspace in any data center. This document provides the information required to acquire hardware that is the basis for an OpenStack cloud and work with solution partners to provision and configure an OpenStack solution. In order to make use of it, you should have some prior knowledge of cloud computing, private cloud management, hardware configuration, network topology, and data center management.

Purpose of Reference Architecture
A reference architecture contains an identified set of hardware and network configuration that provides a tested reference for implementing a cloud computing solution. It gives a tested template solution for architecting a particular cloud solution, in this case the open source OpenStack cloud computing software. It also provides a common set of definitions for terms and vocabulary so the discussion about a template can be focused on implementation details, in order to provide a common working point from which to start. This Rackspace Reference Architecture for OpenStack is a deployment guide with verified, tested and designed software, hardware and network architecture to help build OpenStack deployments that can be supported and run by Rackspace on an ongoing basis as the Rackspace Cloud: Private Edition.

OpenStack the Project
OpenStack, originally sponsored by Rackspace and NASA, is a free, open source project that allows organizations to build massively scalable public and private clouds. OpenStack is a global collaboration of developers and cloud computing technologists producing the ubiquitous open source cloud computing platform for public and private clouds. The project aims to deliver solutions for all types of clouds by being simple to implement, massively scalable, and feature rich. The technology consists of a series of interrelated projects delivering various components for a cloud infrastructure solution.

About Rackspace Cloud Builders
Rackspace is the leader in the hosting and cloud computing industry, managing more than 65,000 servers worldwide with the value proposition of exceptional customer service, branded Fanatical Support. The group that provides specialized knowledge in deploying and managing OpenStack clouds in any data center is Rackspace Cloud Builders. The people working on the Rackspace Cloud Builders team include the founders of the Rackspace Cloud, as well as the team from Anso Labs, the people involved in building NASA's Nebula Cloud. The Rackspace Cloud Builders are actively writing OpenStack software, ready to deploy and support your cloud.

Next Actions
After you become familiar with the details in the reference architecture, you can find out how to deploy a Rackspace Cloud: Private Edition based on the reference architecture through Rackspace Cloud Builders' deployment team or Certified Deployment Partners by contacting cloudbuilders@rackspace.com. If you are interested in becoming a Certified Deployment or Technology partner for reference implementations, contact Scott Sanchez at scott.sanchez@rackspace.com.

Terminology, Acronyms, and External References
In an effort to standardize on definitions for terms, define acronyms, and offer further reading through external references, this document contains standard definitions that you may want to review prior to reading this document. Please refer to the Appendix for a list of terminology and further references.

OpenStack Logical Architecture

OpenStack serves both cloud users and cloud administrators through a Dashboard interface that provides a control panel; under the covers, the Dashboard issues its commands through the API. The architecture diagram offers a high-level overview of OpenStack and the components it contains.
The OpenStack architecture consists of three major components: Compute, Storage and Images. Here is a walkthrough of each component in the logical architecture.

OpenStack Compute (Nova)
OpenStack Compute (codename Nova) is open source software designed to provision and manage large networks of virtual machines, creating a redundant and scalable cloud computing platform. It provides the software, control panels, and APIs required to orchestrate a cloud, including running instances, managing networks, and controlling access through users and projects. OpenStack Compute strives to be both hardware and hypervisor agnostic, currently supporting a variety of standard hardware configurations and major hypervisors.

OpenStack Object Storage (Swift)
OpenStack Object Storage (codenamed Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence.
Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes.

OpenStack Image Service (Glance)
OpenStack Image Service (codenamed Glance) provides discovery, registration, and delivery services for virtual disk images. The Image Service API server provides a standard REST interface for querying information about virtual disk images stored in a variety of backend stores, including OpenStack Object Storage. Clients can register new virtual disk images with the Image Service, query for information on publicly available disk images, and use the Image Service's client library for streaming virtual disk images.
A multi-format image registry, OpenStack Image Service allows uploads of private and public images in a variety of formats, including Raw, Machine (kernel/ramdisk outside of image, also known as AMI), VHD (Hyper-V), VDI (VirtualBox), and qcow2 (Qemu/KVM).
All these services are available through a self-service GUI as a web-based dashboard.

Key Features and Capabilities
The OpenStack cloud software provides many features and offers strong capabilities. This listing focuses on the enterprise use cases that work well for this reference architecture.

Feature: Description

REST-based OpenStack API: Allows web services integration and automation.

Brandable Self-Service Dashboard: Provides the ability to administer the cloud and provision instances on demand, with an option to rebrand your site.

Tenants (Projects): Ability to create multiple accounts/projects under a master account/project. Tenants are isolated resource containers forming the principal organizational structure within OpenStack Compute (Nova).

Multi-role support: Role-based access controls for the user interface and API are supported out of the box, e.g. Tenant Admin/Cloud Operator: can administer the entire cloud; Tenant User: can only manage allocated resources.

Snapshots: Allows preserving the disk state of a running instance.

Quotas: Ability to assign quotas per tenant/project. There are currently quotas for the number of instances which may be launched, total number of processor cores which may be allocated, number of volumes which may be created, total size of all volumes within a project as measured in GB, total number of gigabytes, and number of publicly accessible floating IPs.

Keypairs: Provides secure authentication to your instances.

Floating IPs: Floating IPs are IP addresses that can be dynamically associated with an instance. This address can be disassociated and associated with another instance at any time. A user can reserve a floating IP for their project.

Fixed IPs: Fixed IPs are assigned to an instance on creation and stay the same until the instance is explicitly terminated.

Security Groups: Security groups contain a named collection of network access rules, like firewall policies. These access rules specify which incoming network traffic should be delivered to all VM instances in the group, all other incoming traffic being discarded. When launching VM instances, the project manager specifies which security groups it wants to join. It will become a member of these specified security groups when it is launched.

Custom Images: Ability to upload custom images (raw disk format support); upload support via API only.

VNC Access: VNC client using HTML5 (WebSockets, Canvas) with encryption (wss://) support.

Image Templates: Allows creating new instances on demand from a golden image.

Flavors: Instance types, or flavors, are resources granted to virtual machines ("instances") in the cloud. Each flavor has a unique combination of disk space, memory and CPU capacity.

Integrated Monitoring & Metering: Uses Ganglia and Nagios, open source monitoring tools that survey all your cloud resources and present all the information graphically.

Integrated Image Service: Service for discovering, registering, and retrieving virtual machine images. It has a RESTful API that allows querying of VM image metadata as well as retrieval of the actual image. VM images made available through this service can be stored on local filesystems only. Future option to include object storage systems like OpenStack Object Storage and other external disk storage systems.

Users and Projects/Tenants Access: Access to images is limited by project (or tenant), access/secret are per user, keypairs are per user, and quotas are per project (or tenant).

Planning
Because you have options for on-premise or off-premise hosting with the OpenStack reference architecture, your planning process should fit into your normal business operations. However, building a private cloud may offer some surprising juxtapositions from your normal operations. Let's explore these comparisons between traditional infrastructure management and planning and private cloud planning and management.

Building a Private Cloud
Building a private cloud presents a shift from a model where everything is customized to one of standardization, achieving higher levels of scalability and elasticity with your existing on-premise systems. Planning is paramount to the success of this build process.
Traditional management of information technology conjures images of static bindings between processes, applications, and infrastructure, a brittle set of links where breakage occurs often enough to be expected. Change is carefully planned, even with its own change management systems and processes, because introducing change is risky, manual, and slow. You also see heterogeneous elements and processes across silos in business units, divisions, and other organizational structures. Management software executes to the lowest common denominator, which is neither strategic nor elastic, and it's certainly not scalable.
With an opposing set of plans, we can examine private cloud management. You can easily envision dynamic relationships across all layers of the technology stack with a cloud in place. Change is constant, expected, and automated with massive standardization and high-level abstraction layers. Your day-to-day is automated; management tools should focus on higher-order tasks, not the mundane.

Hardware Specifications
The deployment model in this reference architecture describes the hardware needed for each of the three references: multi-node Compute, private Object Storage, and public Object Storage.

OpenStack Cloud System Requirements
This section describes the system requirements for the reference architecture. These requirements are for building production-ready clouds, able to be supported by Rackspace Cloud Builders.
In this reference architecture, we offer guidance for three deployments: a high-availability Compute deployment, a compact Object Storage deployment offering redundant storage, and an Object Storage deployment with an eye towards adding nodes for additional compute and storage in the future.
- Compute multi-node deployment that's elastic and scalable to enable many compute nodes for hundreds or thousands of guest VMs to run concurrently with high availability.
- Object Storage private deployment (or archiving use case) that offers a known amount of storage that is replicated redundantly, with the proxy/object/container/account services on all machines.
- Object Storage public deployment that offers optional build-out for storage providers who want to improve cost effectiveness in splitting out a proxy layer, and installing account and container servers separately from object servers.
Multi-node Compute Requirements
POC/Production-ready Cloud

Type: Controller Node(s)
Description: Compute (Nova) controller software
Recommendation: Dell R415 or Dell R515; single-socket CPU (min. needed); 8 GB RAM; Qty: 2, 2.5" 15K RPM 300 GB SAS; R1, LSI RAID controller; Ubuntu 11.04, 11.10; Intel NICs: 2 or more NICs of 1G or greater, based on intended workload

Type: Compute Node(s)
Description: Hosts virtual instances
Recommendation: Dell C6105; dual hex-core CPU; 96 GB RAM; Qty: 12, 2.5" 15K RPM 300 GB SAS drives; 2 sleds (4U); R10, LSI RAID controller; Ubuntu 11.04, 11.10; Intel NICs: 2 or more NICs of 1G or greater, based on intended workload

Type: L2 Switch
Description: Cabinet switches
Recommendation: Cisco 3500 or 2960G

Type: L3 Switch
Description: Aggregate switch(es)
Recommendation: Cisco 4948E or 4948S

Type: iSCSI Storage
Description: External iSCSI storage for Controller Node HA (storage amount dependent on the amount required for storing images in the Image Service)
Recommendation: MD3200i
Private Object Storage Requirements
Archiving {Private, Write-Heavy, Up to 2 Cabinets (~30 Nodes)}

Type: Object Storage Node
Description: Object Storage account, container, object servers plus proxy
Recommendation: Dell C2100; single quad-core CPU; 8 or 12 GB RAM; Qty: 12, SATA 3.5" 2 TB drives; Qty: 2, SAS 2.5" 300 GB drives (internal); no RAID; Ubuntu 10.04; Intel 1Gb NICs: 2 or more NICs of 1G or greater, based on intended workload

Type: L2 Switch
Description: Cabinet switch(es)
Recommendation: Cisco 2960G

Type: L3 Switch
Description: Aggregate switch(es)
Recommendation: Cisco 4948

Public Object Storage Requirements

Storage as a Service {Public, Read/Write-Heavy, Min 5 Cabinets (~75 Nodes)}

Type: Object Storage Node
Description: Object Storage account, container, object servers
Recommendation: Dell C2100; single quad-core CPU; 8 or 12 GB RAM; Qty: 12, SATA 3.5" 2 TB drives; Qty: 2, SAS 2.5" 300 GB drives (internal); no RAID; Ubuntu 10.04; Intel 1Gb NICs: 2 or more NICs of 1G or greater, based on intended workload

Type: Object Proxy Node
Description: Object Storage proxy server
Recommendation: Dell R415 or Dell R515; single-socket CPU (min. needed); 8 GB RAM; Qty: 2, 3.5" 15K RPM 300 GB SAS; Ubuntu 11.04, 11.10; R1, LSI RAID controller; Intel NICs

Type: L2 Switch
Description: Cabinet switch(es)
Recommendation: Cisco 2960G

Type: L3 Switch
Description: Aggregate switch(es)
Recommendation: Arista 75xx (preferred), Cisco Nexus

Type: Bastion Server (BMC Station)
Description: Server to securely access the internal cloud; SSH service
Recommendation: Dell R415 or Dell R515; single-socket CPU (min. needed); 8 GB RAM; Qty: 2, 3.5" 15K RPM 300 GB SAS; Ubuntu 11.04, 11.10; Intel NICs: 2 or more NICs of 1G or greater, based on intended workload

Note: You can estimate the power and cooling usage by using the Dell Data Center Capacity Planner, available at http://www.dell.com/content/topics/topic.aspx/global/products/pedge/topics/en/config_calculator?c=us&cs=5%2055&l=en&s=biz . We recommend using this tool to plan the appropriate PDU and provide adequate cooling.

SAN as Storage Option
Not available at this time.

Server Preparation for OpenStack Deployment
The server preparation involves racking, stacking, and cabling the servers and network devices according to the deployment guide. Your hardware deployment partner performs this function.

Network Design
OpenStack Network Model
OpenStack provides a number of network models to choose from when designing a deployment; all are described below. However, for this reference architecture, the High Availability DHCP model is described in more detail than the full list.
- Flat Network Model: A network administrator specifies a subnet from which all the virtual machines pull IP addresses from a pool of available fixed addresses.
- Flat DHCP Network Model: The server that runs nova-network is a gateway to the compute nodes running virtual machines.
- VLAN Model: The server running virtual machines (a compute node) creates a VLAN and a bridge for each project or tenant, and users access their VMs through a special VPN that must be created.
- High Availability Flat DHCP Model (the Rackspace Cloud Builders default): Each compute host does Network Address Translation (NAT), DHCP, and acts as a gateway for all of its own virtual machines.
Rackspace Cloud Builders deploy a High Availability FlatDHCP networking model provided by OpenStack. This network model requires that the nova-network software is installed and configured on each server that is running nova-compute. The purpose of spreading the network service across multiple servers is to localize the failure domain to each nova-compute node. In a scenario where a nova-compute server is taken offline for any reason, including maintenance, only the virtual instances on that server will be affected. All other instances in the private cloud will continue to serve traffic through their own network service. This is depicted in the example below.

Figure 3: High Availability DHCP Networking Model

IP Addressing and NAT for OpenStack Deployment
This section describes the types of networks you need to configure to work with an OpenStack deployment. These contain best practices for both conserving network resources and ensuring that network administrators understand the needs for networks and public IP addresses for accessing the APIs and VMs as necessary. It offers recommendations and required minimum sizes.
Management Network (RFC 1918 IP range, not publicly routable)
This network is utilized for all inter-server communications within the cloud infrastructure.
Recommended size: 255 IPs (CIDR /24)
Public Network (publicly routable IP range)
This network is utilized for providing public IP accessibility to the API endpoints within the cloud infrastructure.
Minimum size: 8 IPs (CIDR /29)
VM Network (RFC 1918 IP range, not publicly routable)
This network is utilized for providing primary IP addresses to the cloud instances.
Recommended size: 1024 IPs (CIDR /22)
Storage Network (RFC 1918 IP range, not publicly routable)
This network is utilized for all inter-server communications within the Object Storage infrastructure.
Recommended size: 255 IPs (CIDR /24)
Floating IP Network (publicly routable IP range)
This network is utilized for providing public IP accessibility to selected cloud instances.
Minimum size: 16 IPs (CIDR /28)

OpenStack Software Specifications & Deployment
This section describes the software versions and combinations that work for the feature set included with this reference architecture.

Physical Deployment
Note: A bastion host, installed behind appropriate site-specific security systems, will be used to access the solution to perform ongoing OpenStack software installation, ongoing operations support and troubleshooting.

Deployment Diagrams
This section provides diagrams of logical and physical deployment descriptions.

Compute Logical Architecture Diagram

Figure 4: Compute Logical Architecture
Controller Nodes HA:
- Option 1 (Recommended): Cluster setup with iSCSI DAS (Dell MD3200i) and Corosync.
- Option 2: Cluster setup with DRBD.
Networking Options:
- Option 1 (Recommended): Pair of bonded NICs (for redundancy) that would support Corp. and Mgmt. networks via VLAN tagging. Another pair of bonded NICs to support Public and VM net via VLAN tagging. Total 4 physical NIC cards.
- Option 2: Take Corp. and Mgmt. networks and combine them into one network. Still need 2 NICs, bonded. 1 VLAN instead of separate VLANs.
- Option 3: Every single network gets 2 bonded physical NICs. Total 8 NICs.
L3 Switch: 4948E or 4948S switch (depending on what's available)
L2 Switch: 3500 or 2960G (depending on what's available)
Server Configurations:
- Compute Nodes (Rule of Thumb): 4 to 8 GB RAM and 1 spindle per core
- Compute Node: Dell C6105, 2 sleds, Qty: 12 2.5" 300 GB SAS hard drives, 96 GB RAM, dual hex-core proc. Total 4U space for 2 sleds.
- Controller Node: Dell R415 or R515, 8 to 12 GB RAM, single socket, Qty: 2 SAS 300 GB hard drives

Compute Physical Architecture Diagram (2-cabinet layout)

Figure 5: Compute Physical Architecture (Two Cabinets)
The Image Service, Glance, stores the initial image; for reference, the image size is displayed in MB for Linux-based images, and the sizes of Windows images are displayed in GB.
For true high availability (HA) and more Image Service storage, use external storage such as DAS as referenced above.

Compute Physical Architecture Diagram (multi-cabinet layout)

Figure 6: Compute Logical Architecture (Multiple Cabinets)

- All nodes in each cabinet connect to respective cabinet switches.
- Only two controller nodes and one storage array are required for the entire configuration.
- Use DRBD for the no-DAS configuration.

Object Storage Logical Architecture Diagram

Figure 7: Object Storage Logical Architecture

Object Storage Private Storage (or Archiving Use Case) Two-Cabinet Physical Architecture

Figure 8: Object Storage Physical Architecture (Two Cabinets)
Link speeds are for illustration purposes only; actual network links vary based on application-specific needs.
- All storage nodes connect to respective L2 switches in the cabinet.
- MLAG: multi-chassis link aggregation.
- All services (Object, Storage, Account and proxy) run on the Storage node in this implementation.

Object Storage Public Storage Multiple-Cabinet Physical Architecture

Figure 9: Object Storage for Public Use (Multiple Cabinets)
Link speeds are for illustration purposes only; actual network links vary based on application-specific needs.
- All storage nodes connect to respective L2 switches in the cabinet.
- MLAG: multi-chassis link aggregation.
- Note that Proxy nodes are set up as a separate entity from the storage node to allow for better scalability in this architecture. This implementation allows for maximum scalability of the environment and optimum performance.
- Object, Storage and Account services run on the Storage node in this implementation, with the Proxy service running on the proxy node.

OpenStack Software Specifications and Deployment
This section lists the specific software required and the packages built for installing the software.

OpenStack Software Packages
Here is a list of the software packages expected for this implementation.
Type: Nova compute
Description: Compute node
Version: Current Essex Milestone
Comments: KVM hypervisor driver

Type: Nova network
Description: Network services
Version: Current Essex Milestone
Comments: Multi-node FlatDHCP or Multi-node VLAN preferred

Type: Glance
Description: Image Registry and Delivery service
Version: Current Essex Milestone
Comments: With Keystone integration for authentication and private and public images

Type: Keystone
Description: Authentication Service

Type: OpenStack dashboard
Description: Django/mod_wsgi dashboard
Version: Version compatible with current Essex milestone
Comments: With authentication

Type: Python novaclient
Description: nova command-line tool
Version: Version compatible with current Essex Milestone
Comments: Offers scripting support

Type: Django-OpenStack
Description: Dashboard Django support
Version: Current Essex Milestone

Type: Nova scheduler
Description: Compute scheduling service
Version: Current Essex Milestone
Comments: Simple and Random schedulers provided

Type: Nova novnc
Description: NoVNC Dashboard Component
Version: From a branch at github.com/sleepsonthefloor/novanovnc
Comments: For Keystone token-based authentication

Type: OpenStack compute
Description: Base nova client library
Version: Version compatible with current Essex milestone

Type: OpenStackx
Description: Nova extensions
Version: Frozen Version Compatibility
Comments: Will be frozen at compatibility version until official release

Type: Keystone API
Description: Bundled extensions to the base API to enable Dashboard feature set

Deployment Tools & Methodology
Deployment of initial configuration is based on individual customer questionnaires filled out after initial contact. These questionnaires collect information such as VLAN ordering, network interface bonding configuration, and IP address ranges. Rackspace Cloud Builders then uses this configuration information to pre-seed data for a deployment using the Crowbar installation tool.
Crowbar is an open source cloud deployment framework originally developed by Dell to support OpenStack- and Hadoop-powered solutions. The Crowbar tool provides many deployment services, including device discovery, PXE bootstrap services, DHCP, DNS, NTP, Nagios, Ganglia, and ongoing configuration management using a standalone Opscode Chef server.

Once information about network topology is added to Dell Crowbar, services can be configured from the integrated web front end.

Software Installation & Configuration Options
Software installation and configuration will be implemented using Dell Crowbar. Crowbar is a powerful deployment tool that bundles Opscode's Chef configuration management software, OpenStack software packages provided by Rackspace Cloud Builders, and open source monitoring provided by Nagios and Ganglia. Once initial network data has been pre-seeded, network proposals can be generated and accepted from the Dell Crowbar web management tool. These proposals should be generated in accordance with the information gathered as part of the pre-engagement questionnaire.

Implementation Verification
To complete the building of a reference cloud, the implementation is tested with a test harness.

Hardware Installation Checklist
Refer to the OpenStack Hardware Installation Guide for a detailed step-by-step installation process. The Guide is available to qualified solution partners. The following list offers the items you must complete in order to help ensure hardware installation is completed correctly.
- All cables are tested and performing properly.
- Equipment placement is accurate to the final floor plan.
- Cables are laid in accordance with the physical cable diagram.
- Network devices are configured for proper routing and VLAN access according to the deployment guide.
- All vendor-defined standalone diagnostics are run and the results are documented.
- All documents relating to the installation are collected and categorized, including original hardware orders, bills of lading, receipts, receiving inventory, and installation and test certifications.
- Proper installation cleanup is performed.

OpenStack Implementation Checklist
Refer to the OpenStack Software Installation Guide for a detailed step-by-step installation process. The Guide is available to qualified solution partners.

Monitoring OpenStack
Specific monitoring is available through the reference architecture. The major areas of focus for monitoring are to help ensure availability according to the Service Level Agreements in your organization. Capacity monitoring also offers alerts when capacity is about to be reached. Network availability and throughput are monitored, as is any network breach through the perimeter security already planned.
Rackspace Cloud Builders employ Nagios and Ganglia to provide additional status monitoring, performance data gathering and alerting. Nagios is the primary agent for alerting and node status monitoring. Ganglia has performance monitoring add-ins that tie directly in with the OpenStack integration. Configure Nagios to create alerts from Ganglia. If you sign up for Rackspace Cloud Operations support, a Rackspace specialist for OpenStack deployment will help you configure your system for appropriate monitoring.

Securing OpenStack
An OpenStack cloud uses perimeter security on networks and traffic, as well as controlling access by assigning security groups.

Perimeter Security
By default, there are several networks set up as part of an OpenStack installation. These networks include:
- A private management network for monitoring, PXE boot, and Compute intercommunications
- A private network for exposing API endpoints
- A VM network for private VM IPs
- A public network for VM floating IPs
Typically, the private and management networks are isolated from the Internet. Should it be desirable to connect these networks to the Internet or to internal enterprise networks, network administrators should set up VLANs and layer 3 ACLs. In addition, it is possible to set up routing and/or public NAT to the API endpoints per the security policy of the organization.
By default, no services are listening on the public network or on the VM network (with the exception of dnsmasq in the case of a FlatDHCP configuration). Ideally, VM-net traffic is configured on the firewall to allow outbound Internet access through a NAT pool, but firewall rules can be put in place at the firewall as necessary.
Inbound traffic is designed to be unfiltered, with access controls via API using floating IP addresses and security groups. Floating IP addresses are implemented (in the multi-node configuration) by static 1:1 NAT from the public IP to the private VM-net IP on the hypervisor running the instance. This allows the ability to apply a public IP to a VM through API interaction. Security groups, detailed in the next section, control your firewalls on inbound traffic.
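The network list above and the sizing guidance in the IP Addressing section (Management /24, Public /29, VM /22, Storage /24, Floating IP /28, with management, VM and storage in RFC 1918 space) can be checked mechanically before a deployment questionnaire is accepted. The following is an added example, not code from the Rackspace document or from OpenStack; the two sample plans are constructed for illustration.

```python
"""Check a proposed OpenStack network plan against the IP addressing guidance
in this reference architecture (Management /24, Public /29, VM /22,
Storage /24, Floating IP /28; management, VM and storage in RFC 1918 space).

Added example; not part of the Rackspace document or of OpenStack.
The sample plans below are constructed for illustration."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# network -> (must be RFC 1918 space?, longest prefix the guide accepts)
REQUIREMENTS = {
    "management": (True, 24),   # recommended 255 IPs
    "public":     (False, 29),  # minimum 8 IPs
    "vm":         (True, 22),   # recommended 1024 IPs
    "storage":    (True, 24),   # recommended 255 IPs
    "floating":   (False, 28),  # minimum 16 IPs
}


def is_rfc1918(net):
    """True when the whole block sits inside one of the RFC 1918 ranges."""
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def check_plan(plan):
    """Return a list of findings for a plan mapping network name -> CIDR.

    An empty list means the plan meets the guidance. Checks: every network is
    present and well-formed, is no smaller than the guide's prefix, sits on the
    right side of the RFC 1918 boundary, and does not overlap another network."""
    findings = []
    nets = {}
    for name, (private, max_prefix) in REQUIREMENTS.items():
        cidr = plan.get(name)
        if cidr is None:
            findings.append(f"{name}: network not defined")
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        nets[name] = net
        if net.prefixlen > max_prefix:
            findings.append(
                f"{name}: {cidr} is smaller than the /{max_prefix} the guide calls for")
        if private and not is_rfc1918(net):
            findings.append(f"{name}: {cidr} must be an RFC 1918 range")
        if not private and is_rfc1918(net):
            findings.append(f"{name}: {cidr} must be publicly routable, not RFC 1918")
    # Overlapping ranges would let VM-net hosts reach management or storage
    # addresses that the design keeps isolated.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return findings


# Constructed plans: one that follows the guidance, one with typical mistakes.
GOOD_PLAN = {
    "management": "10.10.0.0/24",
    "public": "198.51.100.0/29",
    "vm": "10.20.0.0/22",
    "storage": "10.30.0.0/24",
    "floating": "203.0.113.0/28",
}
BAD_PLAN = {
    "management": "10.10.0.0/26",    # too small
    "public": "192.168.1.0/29",      # private space on the API network
    "vm": "10.10.0.0/22",            # overlaps management
    "storage": "10.30.0.1/24",       # host bits set: not a network address
    "floating": "203.0.113.0/28",
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{label}: {check_plan(plan) or ['ok']}")
```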

Security Groups
Security groups are used to programmatically apply iptables rules to interfaces that are exposed to the public Internet via floating IPs. By default, no traffic is allowed to IP addresses made publicly accessible via the floating IP API. To allow access to public services, simple iptables rules can be saved as a set, and later referenced to apply rules to virtual machines. These sets are called security groups.

For example, a "mysql-server" security group could be created to allow traffic from 0.0.0.0/0 to port 3306/tcp. By associating a new VM instance with this security group, global Internet access to the mysql service would be allowed. A VM instance can belong to zero or more security groups, with the rules applying cumulatively.
Security groups can allow incoming port ranges from specific CIDR ranges over both TCP and UDP. In addition to TCP and UDP, ICMP can be enabled or disabled on a CIDR basis, although without the ability to specify subtype.
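The behaviour described in this section, default deny with cumulative per-group ACCEPT rules and ICMP allowed only per CIDR, is modelled below together with a review check that flags the kind of world-open rule the "mysql-server" example creates. This is an added example, not Nova's code or the Rackspace document's; the chain name, group names, ports and addresses are constructed.

```python
"""Model the security-group behaviour described in this section and audit it.

Added example; this is not Nova's code nor the Rackspace document's. It composes
an instance's security groups into a default-deny inbound iptables rule set
(applied to the private VM-net address, since floating IPs are static 1:1 NAT)
and flags rules that expose a sensitive service to 0.0.0.0/0. The chain name,
group names, ports and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

CHAIN = "nova-inst"  # hypothetical per-instance chain name, not Nova's real one


@dataclass(frozen=True)
class Rule:
    protocol: str       # "tcp", "udp" or "icmp"
    cidr: str           # source range allowed in
    from_port: int = 0  # port range; ignored for icmp, which has no sub-type here
    to_port: int = 0


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    rules: tuple


def iptables_rules(private_ip, groups):
    """Return iptables commands for one instance: ACCEPTs from every group it
    belongs to (cumulative, de-duplicated) followed by the implicit DROP."""
    ipaddress.ip_address(private_ip)  # raises on a malformed address
    cmds = []
    for group in groups:
        for rule in group.rules:
            ipaddress.ip_network(rule.cidr)  # validate before emitting
            base = f"iptables -A {CHAIN} -d {private_ip} -s {rule.cidr}"
            if rule.protocol == "icmp":
                # The document notes ICMP is allowed or denied per CIDR only,
                # so no --icmp-type is emitted.
                cmd = f"{base} -p icmp -j ACCEPT"
            elif rule.protocol in ("tcp", "udp"):
                if not 1 <= rule.from_port <= rule.to_port <= 65535:
                    raise ValueError(f"bad port range in {group.name}: {rule}")
                ports = (str(rule.from_port) if rule.from_port == rule.to_port
                         else f"{rule.from_port}:{rule.to_port}")
                cmd = f"{base} -p {rule.protocol} --dport {ports} -j ACCEPT"
            else:
                raise ValueError(f"unknown protocol {rule.protocol!r}")
            if cmd not in cmds:
                cmds.append(cmd)
    # No matching rule means the traffic is discarded: no groups, no access.
    cmds.append(f"iptables -A {CHAIN} -d {private_ip} -j DROP")
    return cmds


# Ports a reviewer would not expect to see open to the whole Internet
# (constructed list; extend it for your environment).
SENSITIVE_TCP = {22: "ssh", 3306: "mysql", 5432: "postgresql", 6379: "redis"}


def audit(groups):
    """Flag TCP rules that open a sensitive service to 0.0.0.0/0 (prefix length 0)."""
    findings = []
    for group in groups:
        for rule in group.rules:
            if rule.protocol != "tcp":
                continue
            if ipaddress.ip_network(rule.cidr).prefixlen != 0:
                continue
            for port, service in SENSITIVE_TCP.items():
                if rule.from_port <= port <= rule.to_port:
                    findings.append(
                        f"{group.name}: {service} ({port}/tcp) open to {rule.cidr}")
    return findings


# Constructed sample groups, including the document's "mysql-server" example.
MYSQL_SERVER = SecurityGroup("mysql-server", (Rule("tcp", "0.0.0.0/0", 3306, 3306),))
WEB = SecurityGroup("web", (Rule("tcp", "0.0.0.0/0", 80, 80),
                            Rule("tcp", "0.0.0.0/0", 443, 443),
                            Rule("icmp", "10.20.0.0/22")))
ADMIN_SSH = SecurityGroup("admin-ssh", (Rule("tcp", "198.51.100.0/29", 22, 22),))

if __name__ == "__main__":
    for cmd in iptables_rules("10.20.1.5", [WEB, ADMIN_SSH]):
        print(cmd)
    for finding in audit([MYSQL_SERVER, WEB, ADMIN_SSH]):
        print("FINDING:", finding)
```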

Maintenance & Upgrades
The following table describes the maintenance and change management available from Rackspace Cloud Builders. Here are the corresponding support models on a spectrum of Rackspace involvement in day-to-day maintenance and support.

Type of Change / Change Control Board Members / Testing Required / Advance Notice

1. Major architectural modifications. Examples include: system architecture; interfaces with other systems; services provided by the system.
Change Control Board Members: Lead, Customer Service Lead, Security Representative, Chief Architect, Development Lead
Testing Required: Required
Advance Notice: 20 business days

2. Engineering changes. Examples include: system upgrades; physical relocation; logical (network) relocation; hardware upgrades; changes to security controls.
Change Control Board Members: Lead, Customer Service Lead, Security Representative, Development Lead
Testing Required: Discretion of change control board
Advance Notice: Minimum 10 business days, 15 business days preferable

3. Minor changes. Examples include: vulnerability patches; security fixes; minor configuration changes for service restoration; replacement of failed/failing components with spares.
Change Control Board Members: Lead, Customer Service Lead
Testing Required: Unit testing unless required by security or need for service restoration
Advance Notice: Minimum 3 business days, 5 days preferable

Appendix
Terminology
Compute

OpenStack Compute is a compute service that provides server capacity in the cloud. Compute Servers come in different flavors of memory, disk space, and CPU, and can be provisioned in minutes. Interactions with Compute Servers can occur programmatically via the OpenStack Compute API or the Dashboard.
Nova
Project name for the Compute service that provisions and manages large networks of virtual machines, creating a redundant and scalable cloud computing platform.
Swift
Project name for the Object Storage software that creates redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. Swift is used as an inexpensive bulk storage system for programmatic object storage.
Glance
Project name for the Image Service software, which is the main image repository piece of OpenStack. It is the place where you will be uploading your images, as well as the place from which they will be consumed by the rest of the OpenStack system.
Keystone
Project name for the Identity service software, which offers an integrated identity management system for OpenStack. Initially using token-based authentication, but eventually supporting plugin modules for identity storage (LDAP, DB, file, PAM, Active Directory, etc.) and protocols (SAML, OAuth, OpenID, etc.).
Server
A server is a virtual machine instance in the compute system. Flavor and image are requisite elements when creating a server.
Flavor
Flavor is an available hardware configuration for a server. Each flavor has a unique combination of disk space, memory capacity and priority for CPU time.
Image
Images are your templates for creating new VMs. The project under OpenStack that stores the available images is called Glance.
RabbitMQ
Provides robust messaging for applications. It is completely open source and based on open standard protocols.
MySQL
Data store that stores build-time and run-time state for a cloud infrastructure.
Swift Storage Node
The node that runs Account, Container, and Object services.
Swift Proxy Node
The Swift node that runs Proxy services and accepts incoming API requests.
Swift Ring
The Swift Ring is a set of mappings of OpenStack Object Storage data to physical devices.
Keypairs
These are simple ssh keys and are your credentials for accessing any running instances. Keypairs are added and managed using the Keypairs section of the user dashboard.
Security Groups
Security groups at this time exist mostly as tags for the servers and can be consumed via the metadata API via a simple curl command. Security groups can be specified as part of the "personality" of an instance.

External References
- http://openstack.org/
- http://docs.openstack.org/
- https://github.com/dellcloudedge/crowbar
- http://ganglia.info/
- http://www.nagios.com/
- http://www.drbd.org/
- http://www.corosync.org/
DISCLAIMER
This document is for informational purposes only and is provided AS IS. The information set forth in the document is intended as a guide and not as a step-by-step process, and does not represent an assessment of any specific compliance with laws or regulations or constitute advice. We strongly recommend that you engage additional expertise in order to further evaluate applicable requirements for your specific environment.
RACKSPACE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS DOCUMENT AND RESERVES THE RIGHT TO MAKE CHANGES TO SPECIFICATIONS AND PRODUCT/SERVICES DESCRIPTION AT ANY TIME WITHOUT NOTICE. RACKSPACE RESERVES THE RIGHT TO DISCONTINUE OR MAKE CHANGES TO ITS SERVICES OFFERINGS AT ANY TIME WITHOUT NOTICE. USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN. EXCEPT AS SET FORTH IN A SEPARATE WRITTEN AGREEMENT SIGNED BY AUTHORIZED SIGNATORIES OF BOTH PARTIES, RACKSPACE ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO ITS SERVICES INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
ALTHOUGH PART OF THIS DOCUMENTATION EXPLAINS HOW RACKSPACE SERVICES MAY WORK WITH THIRD PARTY PRODUCTS, THE INFORMATION CONTAINED IN THIS DOCUMENT IS NOT DESIGNED TO WORK WITH ALL SCENARIOS. ANY USE OR CHANGES TO THIRD PARTY PRODUCTS AND/OR CONFIGURATIONS SHOULD BE MADE AT THE DISCRETION OF YOUR ADMINISTRATORS AND SUBJECT TO THE APPLICABLE TERMS AND CONDITIONS OF SUCH THIRD PARTY. RACKSPACE DOES NOT PROVIDE TECHNICAL SUPPORT FOR THIRD PARTY PRODUCTS, OTHER THAN SPECIFIED IN A SEPARATE WRITTEN AGREEMENT SIGNED BY AUTHORIZED SIGNATORIES OF BOTH PARTIES, AND RACKSPACE ACCEPTS NO RESPONSIBILITY FOR THIRD PARTY PRODUCTS.
Except as expressly provided in any written license agreement from Rackspace, the furnishing of this document does not give you any license to patents, trademarks, copyrights, or other intellectual property.
Rackspace, Rackspace logo, Fanatical Support, and other Rackspace marks mentioned in this document are either registered service marks or service marks of Rackspace US, Inc. in the United States and/or other countries. OpenStack and OpenStack logo are either registered trademarks or trademarks of OpenStack, LLC in the United States and/or other countries.
All other product names and trademarks used in this document are for identification purposes only to refer to either the entities claiming the marks and names or their products, and are property of their respective owners. We do not intend our use or display of other companies' trade names, trademarks, or service marks to imply a relationship with, or endorsement or sponsorship of us by, these other companies.
The Use of the Word PARTNER
The use of the word "partner" does not imply a partnership relationship between Rackspace and any other company.
© 2011 Rackspace US, Inc. All rights reserved.
