

What’s New in OpenStack Havana Webcast Q&A

When we gave the What’s New in OpenStack Havana webcast this week, we had many more questions than we could answer, so we’ve gathered them all up, along with their answers, and published them here for you.

Q: What are tiered zones?

Nick Chase: Tiered zones basically means that Swift is going to make your storage zones as unique as possible. That means that if you're running on a single machine, it'll try to put each of your zones on different disks in that machine. If you're on a small cluster, it'll try to put them on different hosts. If you're on a big cluster, it'll try to put them on different racks. Basically, tiered zones means that Swift is going to try to adjust to whatever environment you're in to make it as unique as possible.
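As an added illustration of the placement preference Nick describes (this is my toy code, not Swift's ring builder): each replica goes to the device that shares the fewest tiers, zone first and then host, with the replicas already placed, so a single host spreads replicas across its disks, a small cluster across hosts, and a multi-zone cluster across zones. The real ring builder also weights devices and rebalances partitions, which is left out here, and the device lists are constructed.

```python
"""Toy as-unique-as-possible replica placement, added as an illustration.
Not Swift's code: no device weights, no partition rebalancing."""
from typing import Dict, List, Sequence, Tuple

Device = Tuple[str, str, str]   # (zone, host, disk), e.g. ("z1", "host-a", "sdb")

# Constructed device inventories for the three situations in the answer.
SINGLE_HOST: List[Device] = [("z1", "h1", "sdb"), ("z1", "h1", "sdc"), ("z1", "h1", "sdd")]
SMALL_CLUSTER: List[Device] = [("z1", "h1", "sdb"), ("z1", "h1", "sdc"),
                               ("z1", "h2", "sdb"), ("z1", "h2", "sdc")]
MULTI_ZONE: List[Device] = [("z1", "h1", "sdb"), ("z1", "h1", "sdc"),
                            ("z2", "h2", "sdb"), ("z3", "h3", "sdb")]


def place_replicas(devices: Sequence[Device], replicas: int = 3) -> List[Device]:
    """Greedy placement of one partition's replicas: for every replica pick the
    unused device that shares the fewest (zone, host) tiers with the replicas
    already chosen. Ties keep the inventory order, so results are deterministic."""
    if replicas > len(devices):
        raise ValueError("fewer devices than replicas")
    chosen: List[Device] = []
    for _ in range(replicas):
        def score(d: Device) -> Tuple[int, int]:
            same_zone = sum(1 for c in chosen if c[0] == d[0])
            same_host = sum(1 for c in chosen if c[1] == d[1])
            return (same_zone, same_host)     # lower is more unique
        best = min((d for d in devices if d not in chosen), key=score)
        chosen.append(best)
    return chosen


def distinct_tiers(placement: Sequence[Device]) -> Dict[str, int]:
    """How many distinct zones, hosts and disks a placement actually spans."""
    return {
        "zones": len({d[0] for d in placement}),
        "hosts": len({d[1] for d in placement}),
        "devices": len(set(placement)),
    }


if __name__ == "__main__":
    for name, inv in (("single host", SINGLE_HOST), ("small cluster", SMALL_CLUSTER),
                      ("multi-zone", MULTI_ZONE)):
        print(name, place_replicas(inv), distinct_tiers(place_replicas(inv)))
```

The check a practitioner wants is the one `distinct_tiers` gives: after building a ring, confirm how many independent failure domains each partition's replicas really span, because on a single host "three replicas" still means three disks of one machine.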

Q: What are the status and limitations of the FWaaS component in the Havana release? Does it replace the Neutron Security Groups implementation?

Oleg Gelbukh: The status of firewall as a service is still experimental, and firewall as a service is not a replacement for Neutron security groups, at least not yet. Firewall as a service is intended to control the perimeter of the tenant's network. Firewall as a service essentially defines ingress and egress traffic filters on tenant routers, while security groups basically define the filters on interaction with the instance. There is also a kind of limitation for the firewall in Havana: the rules of the firewall are applied to all routers for the tenant. You can only have one firewall in the tenant.
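To make the layering in that answer concrete, here is an added toy model (my illustration, not Neutron code): one tenant-wide firewall policy that is evaluated only on traffic crossing the tenant router, and per-instance security groups evaluated on every packet. The addresses, the rules and the default-deny behaviour of both filters are constructed assumptions for the illustration.

```python
"""Toy model of where Havana's two Neutron filters sit, added as an illustration.
FWaaS: one policy per tenant, applied on the tenant router(s), so only
north/south traffic meets it. Security groups: applied on each instance port.
Nothing here talks to Neutron; addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TENANT_NET = ip_network("10.0.0.0/24")   # constructed tenant subnet behind the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"; security groups only use "allow"
    proto: Optional[str] = None  # None matches any protocol
    src_cidr: Optional[str] = None
    dst_cidr: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_cidr and ip_address(p.src) not in ip_network(self.src_cidr):
            return False
        if self.dst_cidr and ip_address(p.dst) not in ip_network(self.dst_cidr):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Tenant firewall policy: ordered, first match wins. Assumption: an unmatched
# packet is dropped, as a chain that ends in a drop rule would do.
FIREWALL_POLICY: List[Rule] = [
    Rule("allow", proto="tcp", dst_cidr=str(TENANT_NET), dport=80),
    Rule("deny"),
]

# Security groups keyed by instance address: an ingress allow-list, anything
# unmatched is dropped (assumption matching Neutron's default-deny ingress).
SECURITY_GROUPS: Dict[str, List[Rule]] = {
    "10.0.0.10": [Rule("allow", proto="tcp", src_cidr="0.0.0.0/0", dport=80),     # web
                  Rule("allow", proto="tcp", src_cidr="10.0.0.0/24", dport=22)],
    "10.0.0.20": [Rule("allow", proto="tcp", src_cidr="10.0.0.0/24", dport=3306)],  # db
}


def crosses_router(p: Packet) -> bool:
    """North/south traffic has exactly one end inside the tenant subnet."""
    return (ip_address(p.src) in TENANT_NET) != (ip_address(p.dst) in TENANT_NET)


def fwaas_verdict(p: Packet, policy: List[Rule]) -> str:
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def security_group_allows(p: Packet, groups: Dict[str, List[Rule]]) -> bool:
    return any(r.matches(p) for r in groups.get(p.dst, []))


def deliver(p: Packet) -> Tuple[str, str]:
    """Return (verdict, layer): which filter, if any, stopped the packet."""
    if crosses_router(p) and fwaas_verdict(p, FIREWALL_POLICY) == "deny":
        return ("dropped", "fwaas")
    if not security_group_allows(p, SECURITY_GROUPS):
        return ("dropped", "security-group")
    return ("delivered", "instance")


if __name__ == "__main__":
    cases = [
        Packet("203.0.113.5", "10.0.0.10", "tcp", 80),   # internet -> web: both layers allow
        Packet("203.0.113.5", "10.0.0.10", "tcp", 22),   # internet -> web ssh: firewall denies
        Packet("10.0.0.10", "10.0.0.20", "tcp", 3306),   # web -> db: never reaches the firewall
        Packet("10.0.0.10", "10.0.0.20", "tcp", 22),     # web -> db ssh: only the SG stops it
    ]
    for c in cases:
        print(c, "->", deliver(c))
```

The last two cases are the practical point: east-west traffic between two instances on the same tenant network never reaches the router, so the single tenant firewall gives it no protection at all; only the security groups do. For a packet to arrive it has to pass both the firewall (when it crosses the router) and the destination's security group.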

Q: Did you say that we can provision VPNs?

Nick Chase: Yes. VPN as a service is available in Havana. It's possible and it's available in Horizon, as I was saying, but I am going to put a caveat on that. VPN as a service is still definitely experimental. It does work. From what I understand, it works pretty well, but if you're going to put it in production, make sure that you test it and play with it and know what you are dealing with, especially if you're doing VPNs for security purposes.

Q:  If Glance allows multiple locations, can we limit the amount of space a single tenant can use in all of those locations?

Oleg Gelbukh:  I believe that you can set a sort of global quota for that, yes.

Q:  You didn’t mention Load Balancing as a Service.  Which vendors have implemented plugins for that?

Oleg Gelbukh:  LBaaS was experimental in Grizzly and now it’s full-on ready for production in Havana, so it’s definitely there, and you can provision from both the command line and from Horizon.  There have also been some basic improvements to the reference architecture.  As for vendor plugins, that’s not quite how it works.  There’s a single plugin, and then there’s a driver framework that vendors can write drivers for.  I don’t have the list of drivers off the top of my head, so we’ll have to include that in the resources when we put that up.

Q:  I’m confused about projects versus tenants.

Oleg Gelbukh: Yeah, in Grizzly, there was an official change that said that what we've been calling tenants should now be called projects, because that's really more what they are, but a lot of people are still calling them tenants. They're interchangeable, as confusing as that is.

Q:  What happens if the REMOTE_USER has an @ in the name?

Oleg Gelbukh: There's actually some discussion about that right now on the development lists. Right now it's split on the @, with the left part being the username and the right part being the domain.
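As an added illustration of the split Oleg describes (my code, not Keystone's external auth plugin): the helper below splits a REMOTE_USER value on its last '@', treats the right-hand part as the domain, and flags names that contain more than one '@', since those are the ambiguous case the list discussion is about. The default domain name, the choice of the last '@' and the rejection of empty parts are assumptions for the illustration.

```python
"""Mapping REMOTE_USER to (username, domain), added as an illustration.
Not Keystone's code; the split rule follows the answer above (left part is the
username, right part the domain) with the last '@' as the boundary."""
from typing import Tuple

DEFAULT_DOMAIN = "default"   # assumption: domain used when REMOTE_USER carries no '@'


def is_ambiguous(remote_user: str) -> bool:
    """More than one '@' means the value could be read in more than one way."""
    return remote_user.count("@") > 1


def split_remote_user(remote_user: str) -> Tuple[str, str]:
    """Return (username, domain) for a REMOTE_USER value.

    'alice'                  -> ('alice', DEFAULT_DOMAIN)
    'alice@corp'             -> ('alice', 'corp')
    'jane@example.org@corp'  -> ('jane@example.org', 'corp')   # last '@' wins
    Empty username or domain is rejected rather than guessed.
    """
    if not remote_user or remote_user != remote_user.strip() or "\x00" in remote_user:
        raise ValueError("empty or malformed REMOTE_USER")
    if "@" not in remote_user:
        return remote_user, DEFAULT_DOMAIN
    username, _, domain = remote_user.rpartition("@")
    if not username or not domain:
        raise ValueError("REMOTE_USER %r has an empty username or domain" % remote_user)
    return username, domain


if __name__ == "__main__":
    for value in ("alice", "alice@corp", "jane@example.org@corp"):
        print(value, "->", split_remote_user(value), "ambiguous:", is_ambiguous(value))
```

The check matters because the web server in front of Keystone, not Keystone, decides what ends up in REMOTE_USER: with this rule a name such as jane@example.org@corp lands in domain corp, and a name that happens to end in another domain's name would be looked up there, so it is worth constraining which '@'-bearing names the front-end authenticator forwards.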

Q: What is the status of API v3 in Keystone?

Oleg Gelbukh: API v3 is fully supported by Keystone and the keystone client, but most other services and clients don't recognize or work with API v3. Inter-service communication is still pure API v2.

Q: On Nova, can you use shared and local storage at the same time?

Oleg Gelbukh: Basically, you can combine local and shared storage using the multiple-backend capability of Cinder, but for the cache – the instance cache – I don't think it's supported, because you basically have to keep your instance cache in a single directory. You can use shared storage and local storage for different sets of compute nodes, but obviously you won't have the option to migrate between nodes with local storage and nodes on shared storage. In order to migrate – they won't migrate between the two, so that's not possible.

Q: Does Heat replace or encapsulate tools like Puppet, Chef, Ansible, etc.?

Oleg Gelbukh: Well, as far as I know, in Havana Heat does not have software components in templates that could replace configuration management tools or something like that, but there is a blueprint to implement that kind of – it's actually causing discussion right now in the community about how to integrate configuration management with Heat, because basically what Heat doesn't want to do is to ___ with all possible kinds of software products, so they want to have hooks or triggers in their templates which will trigger the external service that will provide the management of configuration. The general idea right now is that it will be an emerging workflow as a service – a workflow service for OpenStack, but it's possible that it will be integrated with other projects that are aimed at application management like Murano or ___ maybe.

Q: Please explain the differences between Cinder, Swift and Glance, i.e., juxtapose use cases so I understand when I use one versus the other two. There seems to be tremendous overlap between these.

Nick Chase: Yeah, okay. There is kind of some overlap in that Glance can use Swift and Cinder for back ends, and all of that. Here's what they're all about. Cinder is block-level storage. It's basically like the drive that's on your computer, and you can take a Cinder volume and attach it to an instance and use that as a hard drive, basically, that you can go ahead and add files to and deal with. Swift is what they call object storage. It's not really the same – they try to conceptualize it so that you can sort of use it the same way. You see what you think are files. There is what looks like a file structure, so you might have, you know, slash my presentation slash presentation.ppx or whatever, but really, what these are is containers or buckets or however you want to call them, but they're containers of data that you can then extract and sort of recombine into an actual file. So Swift would be object storage in that way. And then Glance is more of a repository for images that you can then use to boot up your instances. So now I want to create a new virtual machine, well, what is that virtual machine? Well, it's a virtual machine that has, you know, a Tomcat web server and a Solr search engine or whatever, and that's all put together as sort of a nicely wrapped-up package, and that nicely wrapped-up package sits in Glance waiting for me to say okay, give me that. And so then it takes it and puts it on a volume and starts it up. And Glance, of course, has to store those files somewhere. So Glance can store those files on a local machine. It can store them off on a Cinder volume, or it can store them in a Swift container. So you can kind of think of Glance as a sort of registry for where to find stuff that you need to start up a machine. I hope that answers the question.

Q: Can you give us some real-world examples of what Heat can do at this point? Use cases.

Oleg Gelbukh: Well, we do have a couple of cases for Heat in our customer environments. The most interesting application of Heat, just like Nick said, is autoscaling, and we have a couple of customers who are actually running basic autoscaling using Heat, actually on Grizzly. So our experience is with combined environments, where we use the master version of Heat with the Grizzly version of OpenStack, and the primary interest is in autoscaling, and also the ___ starter capability of Heat resources also gets much direction. That capability allows Heat to rebuild the virtual machine in case it detects it is down. It can rebuild it on the same host or on another host in case the original host is down. So those are examples of how our customers are using Heat and how we help them to use Heat.

Q: In general, is any proprietary Neutron plugin needed to support basic operations of OpenStack Neutron networking using VXLAN or GRE tunneling modes?

Oleg Gelbukh: Well, this stuff is supported – both VXLAN and GRE tunnels are supported by Open vSwitch, which is open source and which is actually the reference plugin for Neutron, so you don't need any proprietary plugins to support those two modes. You can work in those two modes with just the Open vSwitch driver – Open vSwitch plugin, I'm sorry.

Q: Upgrade path from Grizzly?

Oleg Gelbukh: Well, this question is actually tricky. There are basically three options you can take when you're upgrading from Grizzly to Havana. You can do it the way that the Grizzly OpenStack infrastructure does it for testing: you shut down everything, run upgrades on your components, run updates to your database and then bring everything back up as a single action. You can also try to create a new cloud next to your existing cloud, if you can afford it, and basically move your workload from the old cloud running on Grizzly to the new cloud running on Havana, and that's the second option for the upgrade path. And the third option that we have for the upgrade path is to combine those two approaches. You still need to create a set of controllers running next to the controllers running on Grizzly, and you can ___ upgrades to your compute nodes. You can upgrade one by one by moving virtual machines out from a compute node, stopping the services on the ___, upgrading it and connecting it to the new set of controllers. So that's basically the third option that you have for upgrade.

Q: Is autoscaling supported with multi-tier app deployment using Heat?

Nick Chase: Yeah. I mean, Heat is really – that's almost what it's designed for, really. I wouldn't claim to speak authoritatively on the multi-tier issue, but Heat does really give you a lot of control over the different components that you want and so on. So I don't see why you should not be able to migrate a multi-tier deployment. Now, you just need to be really careful in creating your templates.

Q: Speaking about volume migration, how close to vMotion is it? Is it manually migrated or can you set up some kind of fail-over or HA?

Nick Chase: You know what, I'm not that familiar with how vMotion works, but I will say that, from what it looks like to me, it looks as though it could be used in an HA capacity. Oleg, would you agree with that?

Oleg Gelbukh: Well, the one thing about volume migration in Cinder right now that makes a difference from vMotion is that Cinder volume migration is not automated. I think it's still mostly manual, so you can have it automated from some scheduler, for example, so that's the limitation.

Q: For the VMware support in the past version, we could only work with one host in one cluster. Now Nova supports multiple clusters; does Nova support working with multiple hosts in a cluster?

Oleg Gelbukh: For the VMware cluster, Havana Nova supports vCenter with multiple clusters attached to the vCenter. I believe that you can control the placement inside the vCenter cluster using the VMware API, so the answer is probably yes, you can work with multiple hosts in the vCenter cluster.

Q: How about image migration? If my image (VM) is in one cluster, can I migrate that to a new cluster that does not share the storage?

Oleg Gelbukh: There is a script in Glance which provides this function: glance-replicator. It only supports full replication of images from master to slave Glance server in Havana.

Q: Is Havana in Fuel 3.2?

Oleg Gelbukh: No, Havana support starts from version 4.0 (preview) of Fuel.

Q: Are you guys coming to the HK summit? 🙂

Oleg Gelbukh: Yes, we had a strong presence at the summit. About 40 Mirantis people, both technical and marketing, were attending the summit and did great work there 🙂 Look for updates in our blog.

Q: How do you encrypt a noVNC session with a password?

Oleg Gelbukh: Though some progress was made in Havana to support secure VNC traffic, the actual implementation of SSL is still not there.

Q: So Cinder is for performance, Swift is for convenience, and Glance packages storage … for further convenience?

Nick Chase:  Actually, it’s not so much that one’s for performance and one’s for convenience.  They all serve different purposes; Block storage (Cinder) is good when you have many writes to an existing file, or when you have an app that’s not built to be able to handle the Swift API.  Object storage (Swift) is good when you have requirements for replication and other features, but it does require you to work through the API.  Glance is just a registry of images to be used by Nova.

Q: In VMware there is a concept of vApps. Do we have something similar in OpenStack?

Oleg Gelbukh: Not yet. However, there are projects Murano and Solum which aim to manage application lifecycle.

Q: Can you provide a bit more detail on live migration: limitations, caveats and requirements? Thanks.

Oleg Gelbukh: Live migration in Havana is still tricky. However, a couple of improvements landed there, for example a new feature which leverages the Nova scheduler to determine where to migrate an instance in case an end user just doesn't care.

The main limitation of live migration is a soft requirement to have shared storage. Migration without shared storage is also possible (aka block migration), but that can be very slow and doesn't suit production use cases.

Q:  How big can a cell be?

Oleg Gelbukh: A cell could be as big as a standalone OpenStack cluster. However, the recommendation from our experience and benchmarks is that cell size should not exceed about 100 compute nodes. That is the biggest size 'vanilla' OpenStack scales to without any significant performance impact. The main idea of cells is segmentation of the failure domain and removal of bottlenecks. So it's practical to keep them relatively small to avoid in-cell scalability issues.

Q: https://www.mirantis.com/blog/tutorial-openstack-live-migration-with-kvm-hypervisor-and-nfs-shared-storage/ talks about shared-storage-based live VM migration, but what about VMs using local hypervisor storage? What about when such VMs might be using Cinder volumes (for data only)?

Oleg Gelbukh: For locally stored VMs, there is the option of block migration in libvirt, which first moves the disk image to the destination host, then the diff piled up during that migration, and then just does the RAM transition, just like live migration. However, depending on the size and IO load of the instance, this process might take an indefinite time. This makes block migration probably unsuitable for the majority of production use cases.

Q:  Indigo Virtual Switch or OVS ? Which is recommended to be used in Havana?

Oleg Gelbukh: It's truly difficult to recommend anything without knowing the particular use case. I can just point out that Mirantis OpenStack uses OVS as its virtual switching technology of choice.

Q:  Will Heat work with Docker?

Oleg Gelbukh: Heat generally is not aware of the back-end used by Nova to run instances. So this should be possible with Docker as well as other hypervisor drivers.

Q: When will Havana be integrated into Fuel? I know 3.2 just came out, but that is still with Grizzly.

Nick Chase:  Mirantis OpenStack 4.0, which is available as a technical preview from http://software.mirantis.com, supports most of Havana.  Support for Ceilometer and Heat will come later this year.

Thanks to everyone who attended and asked questions!
