Presentation is loading. Please wait.

Presentation is loading. Please wait.

HEPiX Virtualisation working group

Published bySharlene Floyd Modified over 6 years ago

Similar presentations

Presentation on theme: "HEPiX Virtualisation working group"— Presentation transcript:

1 HEPiX Virtualisation working group
Andrea Chierici Virtualization tutorial Catania 1-3 dicember 2010

2 Outline Introduction Working assumptions Sub-tasks description
References and links CCR Workshop 2010 Andrea Chierici

3 Introduction The objective is to enable virtual machine images created at one site to be used at other HEPiX (and WLGC) sites. 66 people on mailing list; core of ~10 regular participants, but many more join meetings on occasion. CCR Workshop 2010 Andrea Chierici

4 Organisation Group identified 5 work areas Image Generation Policy
Dave Kelsey & Keith Chadwick Image Exchange Owen Synge Image Expiry/Revocation Later agreed to be part of policy & exchange area Image Contextualisation Sebastien Goasguen Multiple Hypervisor Support Andrea Chierici CCR Workshop 2010 Andrea Chierici

5 Working assumptions Images are generated by some authorized or trusted process Some sites may accept “random” user generated images, but most won’t No root access by end user during image generation Images are “contextualized” to connect to local site workload management system But at least one site (other than CERN…) is interested in seeing images connect directly to experiment workload management system. Recipient site controls how “payload” ends up in the image CCR Workshop 2010 Andrea Chierici

6 Generation (1) You recognise that VM base images, VO environments and VM complete images, must be generated according to current best practice, the details of which may be documented elsewhere by the Grid. These include but are not limited to: any image generation tool used must be fully patched and up to date; all operating system security patches must be applied to all images and be up to date; images are assumed to be world-readable and as such must not contain any confidential information; there should be no installed accounts, host/service certificates, ssh keys or user credentials of any form in an image; images must be configured such that they do not prevent Sites from meeting the fine-grained monitoring and control requirements defined in the Grid Security Traceability and Logging policy to allow for security incident response; the image must not prevent Sites from implementing local authorisation and/or policy decisions, e.g. blocking the running of Grid work for a particular user. CCR Workshop 2010 Andrea Chierici

7 Generation (2) Endorser:
Confirms that a particular VM complete image has been produced according to the requirements of the policy States that the image can be trusted. An Endorser should be one of a limited number of authorised and trusted individuals appointed either by a VO or a Site. The appointing VO or Site must assume responsibility for the actions of the Endorser and must ensure that he/she is aware of the requirements of the policy. CCR Workshop 2010 Andrea Chierici

8 Image Cataloguing and Exchange

9 Virtual Machine Image Catalogue
VMIC records details of virtual machine images distributed to the sites to be run on the site’s local hardware. Gives sites a central point of control over the images run at their site Provides a mechanism to control (trust) who may subscribe images to the site, and to block images that are deprecated for some reason. CCR Workshop 2010 Andrea Chierici

10 Endorsed vs approved Endorsed (endorser decision):
Role defined in the policy document Scope: VMI production & maintenance Approved (site decision) Marks the VMI “valid for use” by the site Scope: operating the VMI For a VMI to run, it must be both: Endorsed by an endorser (i.e. part of the VMIC endorsed) Approved by the local site CCR Workshop 2010 Andrea Chierici

11 Transmission Recommendation for basic transport protocol(s) to be supported Prescriptive for sites wishing to generate images Current model is “tagged images” distributed in manner akin to mechanism used for VO software today Proposal for optional protocols to improve transmission efficiency E.g. transmission of only differences w.r.t. a reference image Interested in protocols such as bitTorrent Will not comment on intra-site image transmission CCR Workshop 2010 Andrea Chierici

12 Expiry & Revocation Status a little unclear
“Image Revocation List” à la CRL? Technical proposal required Image endorses required to revoke images in case of security issues and the like CCR Workshop 2010 Andrea Chierici

13 Contextualization Contextualisation is needed so that sites can configure images to interface to local infrastructure e.g. for syslog, monitoring & batch scheduler. Contextualisation is limited to these needs! Sites may not alter the image contents in any way. Any site are concerned about security aspects of an image should refuse to instantiate it and notify the endorser. Contextualisation mechanism Images should attempt to mount a CDROM image provided by the sites and, if successful, invoke two scripts from the CDROM image: prolog.sh before network initialisation epilog.sh after network initialisation CCR Workshop 2010 Andrea Chierici

14 Support for multiple hypervisors
Recommendations/recipe(s) to enable sites to generate images that can be used with a range of hypervisors Only KVM and XEN (both para and full) Limited to sl5 for both host and guest Already tested extensively KVM integration in sl5.4 helpful Documented method to produce VM image that can be used with both kvm and Xen CCR Workshop 2010 Andrea Chierici

15 Other toughts The CernVM filesystem offers an attractive way to ensure sites have the correct VO software, reducing the need for VM images as a mechanism for this. See Ian Collier’s presentation shortly. CVMFS team have asked Romain Wartel to lead security audit This should allay any fears from sites about using CVMFS. Virtualisation is an area with much scope for communication failures! We must be clear that “image endorsement” is a very rapid process The person creating endorses an image which is then immediately available for instantiation by all sites who trust the endorser; there is no need for a lengthy process of verification at sites. Some sites talk about restricting instantiated VM images but the actual impact for end-users is likely small e.g. VM images would have no need to connect to a NFS-based shared storage area, so it would not matter if “isolated from the rest of the network” just means “no access to our NFS servers”. This appears to be the likely situation at NIKHEF, one of the sites the most reluctant to enable instantiation of remotely generated images. CCR Workshop 2010 Andrea Chierici

16 Summary A year ago, sites were rejecting any possibility of running remotely generated virtual machine images. Today, we have the skeleton of a scheme that will enable sites to treat trusted VM images exactly as normal worker nodes. This enables VOs to be 100% sure of the worker node environment (potentially) inclusion in the VM image of the pilot job framework enabling “cloud like” submission of work to sites. CVMFS is probably the neatest solution to the problem of VO software distribution… … but VM exchange remains interesting Nothing in what is being done prevents sites that wish to do so from implementing Amazon EC2-style instantiation of user generated images, or precludes use of CERNvm. CCR Workshop 2010 Andrea Chierici

17 References and links Hepix-virtualisation@cern.ch
VM generation policy draft CCR Workshop 2010 Andrea Chierici

Download ppt "HEPiX Virtualisation working group"

Similar presentations

HEPiX Virtualisation Working Group Status, July 9 th 2010

HEPiX Virtualisation Working Group Status, July 9 th 2010
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 14 Upgrading to Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 14 Upgrading to Exchange Server 2003.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
INFSO-RI-223782 An On-Demand Dynamic Virtualization Manager Øyvind Valen-Sendstad CERN – IT/GD, ETICS Virtual Node bootstrapper.

INFSO-RI An On-Demand Dynamic Virtualization Manager Øyvind Valen-Sendstad CERN – IT/GD, ETICS Virtual Node bootstrapper.
1 Bridging Clouds with CernVM: ATLAS/PanDA example Wenjing Wu 2010-8-27.

1 Bridging Clouds with CernVM: ATLAS/PanDA example Wenjing Wu
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
EMI INFSO-RI-261611 Cloud Task Force Eric Yen and Simon Lin 22 Nov. 2010.

EMI INFSO-RI Cloud Task Force Eric Yen and Simon Lin 22 Nov
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
OSG Tier 3 support Marco Mambelli - OSG Tier 3 Dan Fraser - OSG Tier 3 liaison Tanya Levshina - OSG.

OSG Tier 3 support Marco Mambelli - OSG Tier 3 Dan Fraser - OSG Tier 3 liaison Tanya Levshina - OSG.
Virtualised Worker Nodes Where are we? What next? Tony Cass GDB 2012 12/12/12.

Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.

Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Similar presentations

Ads by Google