OpenStack Clustering & Services
In OpenStack clustering, two or more servers are combined into a high-availability (HA) cluster. Clustering serves HA, and it also spreads read/write load across databases, file servers and other systems. Two clustering modes are used:
Active/Passive: the standby server becomes active only when the primary server goes down or one of its services fails.
Active/Active: all nodes are active and handle requests. When a node fails it is removed from the cluster and the remaining nodes take over its requests, so this mode also acts as a load-balancing cluster.
The cloud controller is the central management server of an OpenStack deployment. It hosts the API services and handles the messaging (RPC) transactions between components.
The cloud controller's functions are:
- It runs the API services through which the OpenStack components talk to each other.
- It provides the service interface for end users and tenants.
- It provides HA and load-balancing services.
- It provides infrastructure services such as the database and the message queue.
- It exposes persistent storage.
Keystone is the identity service; it also provides the service catalog. Keystone authenticates users and authorizes them using role-based access control. Every OpenStack service registers with Keystone together with its API endpoints, so that services and clients can locate and call one another.
Keystone is composed of several providers (pluggable back ends):
Identity provider: creates and authenticates users and groups and their credentials. It can be backed by an external identity store such as LDAP. A deployment typically distinguishes the following user types:
- Service users: the accounts the OpenStack services themselves use when calling other services.
- End users: the external users and tenants who consume the cloud.
- Admin users: operators who manage services and resources, on-board customers and provide support.
Resource provider: implements domains and projects. A domain is a container for users, groups and projects; it typically corresponds to a company or a service provider.
Assignment provider: maps users and groups to roles on a project or domain. A role assignment determines which operations the user may perform there.
Role provider: defines the roles that can be assigned to users or groups.
Token provider: a user who wants to use a service first authenticates against the identity provider. The token provider then issues a token that authorizes the user to call OpenStack services. Tokens are valid only for a limited period and are presented (in the X-Auth-Token header) on every request to a service, which validates them with Keystone.
Catalog provider: to make services available to users, every OpenStack service must be registered with Keystone. The catalog provider holds these registrations together with the endpoints (public, internal and admin URLs) of each service running in the cloud.
Policy provider: stores the rules that govern access to Keystone resources. A rule states which users, or which roles, may perform which operation; it can apply to a single user or to a group of users.
Keystone Advanced Features:
Keystone provides the following advanced features:
- Federated Keystone
- Fernet tokens
With Federated Keystone, an external identity provider authenticates users, who can then use the resources OpenStack offers, such as storage, network and compute.
Federated Keystone has the following features and advantages:
- It integrates existing identity sources such as LDAP or Active Directory (fronted by a SAML or OpenID Connect identity provider), so users authenticate to OpenStack with their existing accounts.
- It can also federate different clouds with each other (Keystone-to-Keystone federation).
- Its single sign-on means Keystone never sees or stores user passwords, which improves security for OpenStack users.
How Federated Keystone works:
- A user tries to access a resource in OpenStack.
- OpenStack checks whether the user is already authenticated or has an existing session. If not, the user is redirected to the identity provider's URL to authenticate.
- The user authenticates at the identity provider (for example with a username and password). The provider's assertion is handed back to Keystone, which maps it onto local groups and issues an unscoped token that carries, among other things, the list of groups the user belongs to.
- The user presents the unscoped token to discover the domains and projects available to them.
- The user exchanges the unscoped token for a token scoped to one of those projects or domains, and uses the scoped token to consume OpenStack resources.
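The steps above, simulated end to end as an added example (this is not code from the page or from Keystone itself). The `FakeKeystone` class, the group mapping and the role assignments are constructed stand-ins for Keystone's federation mapping and assignment back ends; what is faithful to Keystone is the shape of the exchange: an unscoped token carries the user's groups but no project or roles, `GET /v3/auth/projects` lists the projects the holder may scope to, and the body produced by `build_scope_request` is the real v3 `POST /v3/auth/tokens` payload (authentication method `token`, scope `project`). Scoping to a project on which the user holds no role assignment is refused, as Keystone refuses it with HTTP 401.

```python
"""Simulated federated login against Keystone's v3 token API:
unscoped token -> project discovery -> project-scoped token."""
import secrets
import time

# Constructed sample back ends (assumed ids, not real OpenStack identifiers).
# Identity-provider group name -> local Keystone group id. Real Keystone does
# this with its federation mapping rules; a plain dict stands in for them here.
GROUP_MAP = {"cloud-admins": "grp-cloud-admins"}
# Assignment back end: (user or group id, project id) -> roles held there.
ASSIGNMENTS = {
    ("grp-cloud-admins", "proj-web"): ["member"],
    ("grp-cloud-admins", "proj-db"): ["reader"],
    ("user-alice", "proj-web"): ["admin"],
    ("user-bob", "proj-hr"): ["member"],
}
TOKEN_TTL = 3600  # seconds; Keystone's [token] expiration default


class AuthError(Exception):
    """Stands in for an HTTP 401 from POST /v3/auth/tokens."""


class FakeKeystone:
    """Token and assignment providers in miniature. Tokens are opaque random ids
    looked up in an in-memory table, the way pre-Fernet tokens were persisted."""

    def __init__(self, now=time.time):
        self._tokens = {}
        self._now = now  # injectable clock so expiry can be exercised

    def _issue(self, claims):
        token_id = secrets.token_hex(16)
        claims["expires_at"] = self._now() + TOKEN_TTL
        self._tokens[token_id] = claims
        return token_id, claims

    def _validate(self, token_id):
        claims = self._tokens.get(token_id)
        if claims is None or claims["expires_at"] <= self._now():
            raise AuthError("token unknown or expired")
        return claims

    def _roles_on(self, claims, project_id):
        actors = {claims["user_id"], *claims["groups"]}
        return sorted({r for (actor, proj), roles in ASSIGNMENTS.items()
                       if actor in actors and proj == project_id for r in roles})

    def federated_auth(self, assertion):
        """The IdP has authenticated the user; Keystone maps the assertion's groups
        onto local groups and issues an UNSCOPED token (no project, no roles)."""
        groups = [GROUP_MAP[g] for g in assertion["groups"] if g in GROUP_MAP]
        if not groups:
            raise AuthError("assertion maps to no local group")
        return self._issue({"user_id": assertion["user"], "groups": groups,
                            "project_id": None, "roles": []})

    def auth_projects(self, token_id):
        """GET /v3/auth/projects: the projects the token holder may scope to."""
        claims = self._validate(token_id)
        actors = {claims["user_id"], *claims["groups"]}
        return sorted({proj for (actor, proj) in ASSIGNMENTS if actor in actors})

    def scope(self, request):
        """POST /v3/auth/tokens with methods=["token"] plus a project scope."""
        auth = request["auth"]
        claims = self._validate(auth["identity"]["token"]["id"])
        project_id = auth["scope"]["project"]["id"]
        roles = self._roles_on(claims, project_id)
        if not roles:  # real Keystone answers 401 here
            raise AuthError(f"no role assignment on {project_id}")
        return self._issue({"user_id": claims["user_id"], "groups": claims["groups"],
                            "project_id": project_id, "roles": roles})


def build_scope_request(unscoped_token_id, project_id):
    """The real v3 request body that exchanges an unscoped token for a scoped one."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": unscoped_token_id}},
        "scope": {"project": {"id": project_id}},
    }}


def federated_login(keystone, assertion, project_id):
    """Steps 3-5 of the flow: unscoped token -> discover projects -> scoped token."""
    unscoped_id, unscoped = keystone.federated_auth(assertion)
    projects = keystone.auth_projects(unscoped_id)
    scoped_id, scoped = keystone.scope(build_scope_request(unscoped_id, project_id))
    return {"unscoped": unscoped, "projects": projects,
            "scoped": scoped, "scoped_token_id": scoped_id}


if __name__ == "__main__":
    # Constructed assertion, as it might arrive from a SAML or OIDC identity provider.
    result = federated_login(FakeKeystone(),
                             {"user": "user-alice", "groups": ["cloud-admins", "payroll"]},
                             "proj-web")
    print(result["projects"], result["scoped"]["roles"])
```

Note that the group `payroll` is dropped because no mapping rule claims it, and that the roles on the scoped token are the union of the user's direct assignment and the assignment inherited through the mapped group.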
Keystone formerly issued PKI-based tokens to give users access to resources. A PKI token encapsulates the user's identity and authorization context, including the service catalog, as a signed JSON blob. That makes the token very large, and because every token was also persisted in the Keystone database, the token table grew quickly. PKI tokens were removed from Keystone in the Ocata release.
Fernet tokens overcome this shortcoming. A Fernet token is an encrypted and authenticated payload (AES-CBC plus HMAC-SHA256 under keys held in Keystone's key repository) containing the user identity, the authorization scope (project or domain) and the expiry time. Because the token is self-contained and is validated by decrypting it rather than looking it up, nothing has to be stored in the database, and the tokens stay small (a few hundred characters).
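An added example (not code from the page or from Keystone) of what makes a Fernet-style token stateless: the claims travel inside the token, a key repository with a staged key (index 0), a primary key (highest index) and secondary keys validates it, and `max_active_keys` bounds how many rotations a token survives. `KeyRepository` mirrors the layout and rotation rules of `/etc/keystone/fernet-keys/` as `keystone-manage fernet_setup` and `fernet_rotate` maintain them. The token format is an assumption made for the standard library: version byte, JSON claims, HMAC-SHA256, base64 with the padding stripped as Keystone does. Real Fernet additionally encrypts the payload with AES-128-CBC, so this MAC-only stand-in leaks its claims to anyone holding the token and must not be used as an actual token format.

```python
"""Self-contained tokens validated against a rotating key repository,
modelled on Keystone's Fernet key repository semantics (MAC-only stand-in)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

MAX_ACTIVE_KEYS = 3   # keystone.conf [fernet_tokens] max_active_keys (default 3)
TOKEN_TTL = 3600      # keystone.conf [token] expiration, seconds (default 3600)
VERSION = b"\x80"     # Fernet's version byte


class InvalidToken(Exception):
    pass


class KeyRepository:
    """Keys are indexed like the files in the fernet-keys directory: 0 is the
    staged key (the next primary), the highest index is the primary key used to
    issue tokens, and everything in between is a secondary key that only validates."""

    def __init__(self):
        # keystone-manage fernet_setup creates staged key 0 and primary key 1
        self.keys = {0: secrets.token_bytes(32), 1: secrets.token_bytes(32)}

    @property
    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        """keystone-manage fernet_rotate: promote the staged key to primary, create a
        new staged key, and purge the oldest secondaries once the repository holds
        more than MAX_ACTIVE_KEYS keys (staged + primary + secondaries). Tokens
        issued under a purged key stop validating, so rotate no more often than
        once per token lifetime with the default of three keys."""
        self.keys[self.primary_index + 1] = self.keys.pop(0)
        self.keys[0] = secrets.token_bytes(32)
        while len(self.keys) > MAX_ACTIVE_KEYS:
            del self.keys[min(i for i in self.keys if i != 0)]


class TokenProvider:
    def __init__(self, repo, now=time.time):
        self.repo = repo
        self.now = now  # injectable clock so expiry can be exercised

    def issue(self, user_id, project_id, roles):
        """Issue a token under the current primary key. Nothing is stored server-side."""
        claims = {"user_id": user_id, "project_id": project_id, "roles": roles,
                  "expires_at": int(self.now()) + TOKEN_TTL}
        body = VERSION + json.dumps(claims, separators=(",", ":")).encode()
        tag = hmac.new(self.repo.keys[self.repo.primary_index], body, hashlib.sha256).digest()
        # Keystone strips the base64 padding to keep tokens short; validate() re-adds it.
        return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")

    def validate(self, token):
        """Try every active key, primary first; reject bad MACs, then check expiry."""
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            raise InvalidToken("token is not valid base64")
        if len(raw) < 33 or raw[:1] != VERSION:
            raise InvalidToken("bad length or version byte")
        body, tag = raw[:-32], raw[-32:]
        for index in sorted(self.repo.keys, reverse=True):
            expected = hmac.new(self.repo.keys[index], body, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                break
        else:
            raise InvalidToken("no active key validates this token")
        claims = json.loads(body[1:])
        if claims["expires_at"] <= self.now():
            raise InvalidToken("token expired")
        return claims


if __name__ == "__main__":
    repo = KeyRepository()
    provider = TokenProvider(repo)
    token = provider.issue("user-alice", "proj-web", ["member"])
    print(len(token), provider.validate(token)["project_id"])
    repo.rotate()
    print("still valid after one rotation:", provider.validate(token)["user_id"])
```

Revocation is the price of statelessness: since nothing is stored, a Fernet-style token cannot be deleted; Keystone handles this with separate revocation events that validation consults, and with key rotation, which is also why a leaked key repository means every token is forgeable until the keys are rotated out.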
To enable Fernet tokens in Keystone, use the following commands:
Horizon Dashboard:
Horizon is the OpenStack dashboard, a Python Django web application served by the Apache web server. It usually runs on the OpenStack controller, or on a separate node to offload the controller.
Infrastructure Message Queue:
The message queue carries the RPC calls and notifications that OpenStack services exchange with one another (through the oslo.messaging library). It must be deployed as a cluster: if the message queue fails, the services can no longer communicate and the whole cloud effectively halts.
Several message-queue back ends are supported; the most commonly deployed is RabbitMQ.
RabbitMQ: RabbitMQ provides a highly available message queue by running several brokers as a cluster. For more robust messaging, queues can be mirrored across the cluster nodes. With a mirrored queue, clients may connect to any node, but publishes and consumes are routed to the queue's master node; the mirror nodes replicate the messages and keep them only until the master reports that a consumer has acknowledged them. Classic mirrored queues are deprecated in recent RabbitMQ releases in favour of quorum queues.
Active/active messaging therefore comes from RabbitMQ's own clustering. An active/passive alternative is to run a single broker under a cluster manager such as Pacemaker, with its data directory replicated by DRBD.
RabbitMQ protects messages in transit with TLS (Transport Layer Security). TLS uses X.509 certificates, either self-signed or issued by a CA, to authenticate the broker and to encrypt the connection; with self-signed certificates, every client must be configured to trust that certificate explicitly. RabbitMQ also authenticates and authorizes clients, by default with a username and password and per-vhost permissions.
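An added example (not from the page or from RabbitMQ's own tooling) that audits a `rabbitmq.conf` for the TLS and authentication points above. It parses RabbitMQ's new-style `key = value` format and flags a plaintext AMQP listener left open beside the TLS one, a missing CA file, peer verification disabled, no TLS version pin, and `loopback_users = none`, which lets the built-in `guest` account log in from the network. Both sample configurations are constructed; the option names are RabbitMQ's real ones. The baseline it enforces, mutual TLS with `verify_peer` and `fail_if_no_peer_cert = true`, is an assumption; a deployment that authenticates clients only by username and password over TLS would relax those two checks.

```python
"""Audit rabbitmq.conf (new-style key = value format) for transport security."""

# Constructed sample: a broker that "has TLS" but still accepts plaintext
# connections and never checks the peer.
WEAK_CONF = """
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.certfile   = /etc/rabbitmq/server.pem
ssl_options.keyfile    = /etc/rabbitmq/server-key.pem
ssl_options.verify     = verify_none
loopback_users = none
"""

# Constructed sample: TLS only, mutual authentication, modern TLS versions.
HARDENED_CONF = """
# no plaintext AMQP listener at all
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.pem
ssl_options.certfile   = /etc/rabbitmq/server.pem
ssl_options.keyfile    = /etc/rabbitmq/server-key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
# default: the built-in guest account may only log in from localhost
loopback_users.guest = true
"""

MODERN_TLS = {"tlsv1.2", "tlsv1.3"}


def parse_conf(text):
    """Parse new-style rabbitmq.conf into a dict; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if not any(k.startswith("listeners.ssl") for k in settings):
        findings.append("no TLS listener (listeners.ssl.*) configured")
    # RabbitMQ still opens the default TCP listener on 5672 unless told otherwise.
    if settings.get("listeners.tcp") != "none":
        findings.append("plaintext AMQP listener still enabled; set listeners.tcp = none")
    for opt in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        if opt not in settings:
            findings.append(f"{opt} not set")
    if settings.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer; client certificates are not checked")
    if settings.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("ssl_options.fail_if_no_peer_cert is not true; clients without a certificate are accepted")
    versions = {v for k, v in settings.items() if k.startswith("ssl_options.versions.")}
    if not versions:
        findings.append("no ssl_options.versions.* pin; legacy TLS versions may be negotiated")
    elif versions - MODERN_TLS:
        findings.append("legacy TLS version enabled: " + ", ".join(sorted(versions - MODERN_TLS)))
    if settings.get("loopback_users") == "none":
        findings.append("loopback_users = none lets the built-in guest account log in remotely")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(conf)))
```

On the OpenStack side the matching client settings live in each service's configuration: a `transport_url` of the form `rabbit://USER:PASSWORD@HOST:5671/` and, in `[oslo_messaging_rabbit]`, `ssl = true` with `ssl_ca_file` pointing at the CA certificate (plus `ssl_cert_file` and `ssl_key_file` when the broker requires client certificates).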