210 likes | 441 Views
GENI Software. Marshall Brinn, GPO Architect January 7, 2013. Outline. GENI Principles GENI Software Categories GENI Software Details GENI Software Requirements. GENI Principles.
E N D
GENI Software Marshall Brinn, GPO Architect January 7, 2013
Outline • GENI Principles • GENI Software Categories • GENI Software Details • GENI Software Requirements
GENI Principles • The GENI Architecture Team has recently worked to define and publish a set of concise statements that define the GENI project and architecture efforts: • Differentiators: What makes GENI different from other cloud infrastructures or distributed test-beds? • Principles: What are GENI’s essential motivating values and goals? • Requirements: What are the top level system requirements that drive the architecture and implementation? While still a work-in-progress, we hope they convey a good sense of the “what” and “why” of GENI.
GENI Differentiators • GENI provides open access to resources to the American academic and research community • GENI provides custom, segregated and programmable computation, network and storage topologies • GENI provides low-level metrics on hardware substrate to facilitate repeatable experimentation in virtual environments • GENI provides access to uncommon or expensive resources to researchers • GENI provides resources with broad geographic diversity, spanning the United States and providing access to international federation resources • GENI provides the ability for users to 'opt-in' their internet traffic to experimental services or networks
GENI Principles • GENI is dedicated to supporting science and network experimentation and researchers • GENI is a federation of autonomous test-beds and resources • GENI establishes a common trust fabric to allow disparate resources to interoperate reliably • GENI establishes and enforces policies that provide assurances to resource owners that their resources will not be misused. • GENI federation members agree to abide by these policies in exchange for these assurances. • GENI supports interoperability among disparate resources and control frameworks
GENI Requirements • GENI will provide custom, segregated and programmable computation, network and storage topologies • GENI will provide common authentication and authorization services to support federated aggregates in validating experimenter resource requests • GENI will provide support for protecting federated aggregates from misuse by, at least, forensics and slice shutdown services
GENI Software Context Review Federation: A collection of people and institutions who agree to share resources and abide by common procedures in order to share resources in a reliable, mutually beneficial manner. Operations Center: Processes and tools monitoring activity on GENI resources for adherence to policies. Clearinghouse: Set of services establishing federation-level authentication, authorization and accountability of experimenter use of federation resources. Tools: Software capabilities that interact with federation resources on behalf of experimenters Aggregates: Software entities that represent federated resources in transactions with experimenter tools. Resources: Physical resources (compute, network, storage) made available to the federation by means of a participating aggregate. Experimenter: A researcher seeking to perform network experiments on customized data plane. Grey boxes are real-world entities, represented in software by Purple boxes.
GENI Software Suite • Aggregate Managers: Allows the owner of a set of resources to share these resources with the GENI federation by means of the GENI Aggregate Manager (AM) API • Experimenter Tools: Allows an experimenter to express and implement their needs for resources and topologies and experiment configurations • Clearinghouse: Establish federation-level trust, identity, policy • GMOC: Support forensics and high-level oversight, monitoring and management of GENI operations
GENI Software Suite: Aggregate Manager Think of the Aggregate Manager as providing Control Plane and Management Plane operations on customized Data Planes • Control Plane: Creates custom Data Plane topologies • Slicing Services: HyperVisors (OpenStack, KVM, Xen) • Programmability Services: OpenFlow • Stitching Services: Intra-Aggregate and Inter-Aggregate services for stitching cross-aggregate topologies • Management Plane: Monitoring Aggregate behavior, taking protective action if necessary • GMOC Monitoring/Reporting/Control Interface
GENI Software Suite: Aggregate Manager [2] Any service that presents resources in accordance with the GENI AM API is an Aggregate Manager. There are several implementations that are deployed and interoperate within the GENI federation • ProtoGENI / InstaGENI: Developed and maintained by University of UTAH, partnered with HP and Princeton, derived from Emulab capability • ORCA / ExoGENI: Developed and maintained at RENCI in North Carolina • FOAM/FlowVisor : Maintained by Open Network Labs, presents OpenFlow “flow space” as an virtual resource
GENI Software Suite: Experimenter Tools • Resource Management Tools: Allow experimenters to express and build custom topologies • GENI Portal: Web-based access to Clearinghouse services and Aggregate resources • Emphasis on making “Simple things simple, Difficult things possible” • Omni: Command-line interface to Aggregate resources • FLACK: Graphical interface to building and viewing custom topologies
GENI Software Suite: Experimenter Tools [2] • Experiment Management Tools: Support configuring and running experiments on the GENI-provided data plane, and reviewing/analyzing results • Orchestration: OMF, GUSH • Instrumentation/Monitoring: GEMINI and GIMI projects esp. GEMINI Portal, LabWIKI • Archiving/Analysis: iRODS, UNIS
GENI Software Suite: Clearinghouse • Series of federation-level services to establish broad common trusted sense of identity and policy • Introduces “Project” level of management of activity on slices/slivers • Establishes privileges of experimenters based on their roles on “projects” • Establishes accountability (“one neck to wring”) for all activity on a project to that project’s PI • Establishes federation-level certificates and trust roots to enable all tools and aggregates to interoperate reliably • Establishes a common directory of federation-level services for other services to discover one another
GENI Federation Software Architecture Schematic GMOC GENI Clearinghouse Identity Provider Service Authority Logging Service Credential Store AuthZ Service Project Authority Slice Authority Member Authority Aggregate Experimenter Tool
GENI Software Suite: GMOC The GENI Meta-Operations Center (GMOC) provides top-level oversight and management services to protect resources against misuse (intentional or not) • Forensics: Detailed logging of operations and metrics on resources for real-time monitoring and post-analysis of experiments, failures, misbehavior • What operations were taken by whom when? • What level of network or compute activity was taking place on which resources? • What slivers belong to which slices, projects, PI’s? • Management: Ability to determine a misbehaving experiment (intentionally or not) and shut it down on all participating aggregates without impacting other co-located experiments
Aggregate Manager: Managing Campus Boundaries for Experiments Policy and trust inputs allow the campus to control which requests flow over the control plane, including which resources are connected to the data plane. • Control/Management Plane (IP) • AM API Requests/Responses • GENI CH Credentialing • GMOC Control Messages • GMOC Monitoring • Data Plane (L2) • Trans-Aggregate Experiment Traffic Aggregate Manager • Shibboleth AuthN • InCommon AuthN • PKI-based Credentials • VLAN-based segregation • Signed, Authenticated Requests • Slice/Sliver Expiration • FOAM ‘FlowSpace’ Authorization • ABAC-based AuthZ (Future) OUTSIDE CAMPUS FW INSIDE CAMPUS FW RESOURCE RESOURCE GENI and Campus Resources
GENI Aggregate Authentication • GENI Authentication is based on: • InCommon Identity Provider (IDP) of users signing into GENI tools • Shibboleth provides single sign-on sessions based on this identity • GENI participating campuses should be members of the OCI-sponsored InCommon Federation, which provides trusted and validated user credentials • Organizations should provide “Research and Scholarship” InCommon category IDP’s • https://spaces.internet2.edu/display/InCCollaborate/Research+and+Scholarship+Category • Provides information such as Affiliation, Email, Name [First, Last], EPPN • GPO provides a default IDP for campuses that do not yet provide such an IDP
GENI Policy Management • GENI Aggregates use policy to control its responses to critical questions such as: • Which experimenters do I trust? • With which other aggregates am I willing to collaborate? • How many resources should I allocate to which experimenters or experiments? • Currently, the GENI Clearinghouse presents a bundle of ‘trusted roots’ that federated aggregates accept and thereby trust any credential signed by someone trusted by GENI. • In the future, GENI expects to use the far more expressive ABAC language to capture and police policy statements Note that the expressing and policing of policy statements can and is done in software. But the establishment of these policies and trust are human and inter-organizational (out-of-band) actions.
Deployment Requirements: Software This list is not complete and may vary by the type of rack, but provides a sense of the kinds of requirements to deploy a GENI rack • Hardware Configuration • Encoding hardware configuration details such as switch configurations, compute node MAC’s and switch ports, dedicated VLAN’s, capacities/constraints of H/W, QoS budgets • Integration with Campus Infrastructure • Integration with site health/reporting tools (is rack up?) • Rack power-down/reboot integration with site management tools • GENI Federation • Installation of GENI trust roots • Creation/distribution of GENI-signed credentials
Summary • The GENI Federation is a collaborative effort among people: experimenters, resource owners and network managers • The GENI project provides a broad range of software tools that represent the interests of these people to allow them to share resources in a trusted, efficient manner