Szkolenie z OpenStack Security

Introduction to OpenStack

• History of the cloud and OpenStack
• Cloud features
• Cloud models
• private, public, hybrid
• on-premise, IaaS, PaaS, SaaS
• Public and private cloud deployments based on OpenStack
• Open source and commercial OpenStack distributions
• OpenStack deployment models
• OpenStack ecosystem
• Modules
• Underlying tools
• Integrations
• OpenStack lifecycle
• OpenStack certification
• OpenStack lab (VM) for this course

Getting to know OpenStack

• OpenStack components (Keystone, Glance, Nova, Neutron, Cinder, Swift, Heat) ○ Interaction with OpenStack cloud
• OpenStack daemons and API communication flow

Keystone – Identity management service

• Keystone architecture
• Authentication and available backends
• Token types and token management
• Authorization in OpenStack – roles and oslo.policy
• Keystone resources – domains, projects, users
• Openrc and clouds.yaml – CLI clients configuration
• OpenStack service catalog
• Adding new OpenStack service
• Quota system in OpenStack

Glance – Image service

• Images adjusted to the cloud
• Image features (properties, metadata, format, container)
• Uploading and downloading image
• Sharing images
• Glance image stores
• Protected images
• Manage quotas for image service
• Verification of Glance services

Neutron – Networking

• Architecture and Neutron services
• The ML2 plugin
• Networking in compute node – analysis
• Networking concepts and tools used by Neutron
• Basic Neutron network resource types
• Manage tenant networks, subnets,
• Manage security groups and rules
• East-West routing
• Network namespaces
• Manage external/provider networks
• North-South routing
• Floating IPs management
• Manage network quotas
• Basic network troubleshooting (namespaces, tcpdump, etc.)
• Networking quotas
• Verification of Neutron services

Nova – Compute service

• Interfaces to hypervisors
• Keypair management
• Flavour management
• Flavors and CPU topology
• Instance parameters
• Creating an instance
• Verification of spawned instances
• Snapshotting
• Instance management
• Resizing instances
• Assigning floating IPs
• Interactive console and console log
• Security groups assignment
• Internals of security groups and port-security features (iptables)
• Internals of L3 routers
• Compute quotas
• Getting statistics from Nova
• Placement API and Nova Cells v2
• Placement API and instance scheduling
• Placement API client commands
• Verification of Nova services

Cinder – Block Storage

• Volume parameters
• Creating volume
• Manage volume
• Attaching volume to Nova instance
• Managing volume snapshots
• Managing volume backups
• Internals of snapshots and backups in Cinder
• Transferring volumes between projects
• Restoring backups
• Managing volume quotas
• Adding new storage backend
• QoS in Cinder
• LVM, storage array and Ceph storage backends
• Ceph in OpenStack
• Integrating Ceph and Cinder
• Good practices for Ceph deployments
• Verification of Cinder services

Barbican – Key Management Service

• Barbican architecture
• Storing passphrases
• Generating and storing symmetric encryption keys
• Volume encryption mechanisms
• Configuring Cinder storage type for volume encryption
• Limitations of volume encryption
• Storing X.509 certificate bundles

Swift – Object Storage

• Swift components and processes
• Managing containers and objects
• Managing access control lists
• Setting up object expiration
• The Ring and storage policies
• Monitoring available storage space
• Setting up quotas
• Verification of Swift services

Heat – Orchestration

• Heat Orchestration Template and its components
• Creating Heat stack
• Verification of Heat stack
• Updating Heat stack
• Verification of Heat services

Basic troubleshooting

• Analyzing log files
• Centralized logging
• Debugging OpenStack client queries
• Managing OpenStack database
• Backing up OpenStack
• Analyzing compute node status
• Analyzing instance status
• Analyzing AMQP broker (RabbitMQ)
• Metadata services
• General way of diagnosing OpenStack issues
• Troubleshooting network problems
• Troubleshooting network performance
• Instance backup and recovery

Octavia – Load Balancing-as-a-service

• Architecture
• Objects and request flow
• Octavia flavors
• Octavia Availability Zones
• Creating the HTTP load balancer
• Creating the TCP load balancer
• Creating HTTPS passthrough load balancer
• Listeners, Pools and Health Monitors
• Layer 7 load balancing in Octavia
• Building Amphora image
• LB Failover
• Networking and Monitoring details
• Troubleshooting Octavia

Hardware considerations and capacity planning

• Compute hardware
• Network design
• Storage design
• Flavour sizing
• Resource overcommitment

Highly Available control plane

• HA in OpenStack services
• HA in OpenStack services
• HA message queue

Cloud partitioning and scheduler filters

• Why and how implement cloud partitions (host-aggregates)
• Nova scheduler filters

Workload migration

• Cold and live migration
• Live migration tweaking
• Watcher project

In-depth OpenStack networking (SDN) (2-3h)

• Types of network (local, flat, vlan, vxlan, gre)
• Neutron plugins
• Linux Bridge
• Open vSwitch
• Distributed Virtual Routers
• LBaaS + Octavia project
• VPNaaS

OpenStack monitoring and telemetry

• Ceilometer service
• External monitoring

Advances cloud/hypervisor features

• CPU pinning / NUMA architecture
• SR-IOV

Cloud-init and image customization

• Metadata Service

Block storage backends

• LVM
• Ceph RBD
• Physical appliances
• Storage network considerations

Upgrading OpenStack

• Upgrade strategies and procedures
• Zero-downtime upgrade

Bare-metal provisioning with OpenStack

• Ironic module
• Undercloud and overcloud concepts

Future of OpenStack