IMPLEMENTING SECURITY GROUPS IN
OPENSTACK
submitted to
Noida Institute of Engineering & Technology, Greater Noida
Project Report
submitted by
Rishabh Agarwal Arzoo Singh
Raj Shekhar Jyoti Yadav
under the supervision of
Mr. Hitesh Sharma
Mr. Rahul Singh
Department of Computer Science and Engineering
DECLARATION
WE, STUDENTS OF BACHELOR OF TECHNOLOGY, COMPUTER
SCIENCE AND ENGINEERING, NIET GREATER NOIDA, HEREBY
DECLARE THAT THE WORK PRESENTED IN THIS THESIS IS OUTCOME
OF OUR OWN WORK, IS BONAFIDE, CORRECT TO THE BEST OF OUR
KNOWLEDGE. THIS WORK HAS BEEN CARRIED OUT TAKING CARE OF
ENGINEERING ETHICS AND KEEPING INDIAN IP LAWS INTO
CONSIDERATION.
RISHABH AGARWAL ARZOO SINGH
1313310118 1313310036
RAJ SHEKHAR JYOTI YADAV
1313310114 1313310070
DATE: 16-06-2016
ACKNOWLEDGEMENT
WE WOULD LIKE TO TAKE THIS OPPORTUNITY TO EXPRESS OUR
DEEP SENSE OF GRATITUDE AND PROFOUND FEELING OF
ADMIRATION TO OUR PROJECT SUPERVISOR/MENTOR MR HITESH
SHARMA AND MR RAHUL SINGH, FOR PROVIDING US INVALUABLE
GUIDANCE FOR THE TECHNICAL SEMINAR.
WE ACKNOWLEDGE HERE OUR DEBT TO ALL THOSE WHO HELPED
SIGNIFICANTLY IN ONE OR MORE STEPS.
ABSTRACT
The use of Cloud Computing has increased rapidly in many organizations. Cloud
computing provides many benefits in terms of low cost and accessibility of data.
Ensuring the security of cloud computing is a major factor in the cloud computing
environment, as users often store sensitive information with cloud storage
providers but these providers may be untrusted.
Dealing with “single cloud” providers is predicted to become less popular with
customers due to risks of service availability failure and the possibility of
malicious insiders in the single cloud. A movement towards “multi-clouds”, or in
other words, “interclouds” or “cloud-of-clouds” has emerged recently.
Cloud can be implemented in 2 installation modes, namely Single Node
Installation and Multi Node Installation. A single node installation installs all
components like Nova, Keystone, Cinder, etc. on one single node (used basically for
testing). A multi node installation installs different components across various nodes.
In a single node installation, since all components are installed on a single node,
failure of that one node may lead to the failure of the entire system. A multi node
installation ensures more reliable service since it deploys components across
multiple nodes. A multi node installation can also be implemented by having multiple
copies of components on various nodes, thus ensuring more reliability.
CONTENT
Chapter Title Page No.
Declaration i
Acknowledgement ii
Abstract iii
1 Introduction 1
1.1 Overview 1
1.2 Types of Cloud 2
1.3 Classification on the basis of Services 4
1.4 Advantages 5
2 Security 6
2.1 Security issues associated with cloud 6
2.2 Single node and Multi node 7
2.3 Security single node and multi node 9
3 Installation Guide 12
3.1 Installation 12
3.1.1 Add User 12
3.1.2 Download 12
3.1.3 Run DevStack 13
3.1.4 Using OpenStack 14
3.2 Container Setup 14
3.2.1 Configuration 14
3.2.2 Create Container 15
3.2.3 Start Container 15
3.2.4 Run DevStack 16
3.2.5 Cleanup 16
3.3 Configure Compute Nodes 17
4 Conclusion 20
5 References 21
LIST OF FIGURES
Figure Name Figure No Page No
Layered Model of Cloud 1 2
Architecture of Cloud Data Storage 2 4
Services of the Cloud 3 5
Multi Node Architecture 4 8
Chapter 1
INTRODUCTION
1.1 Overview
The term 'Cloud Computing' is made up of two terms, Cloud and Computing.
Cloud can be thought of as synonymous with the Internet, where various
resources are interlinked over the network. One can use the resources they
want through a simple client-server architecture. The term 'computing'
refers to processing. Cloud computing is therefore computing on various resources
over the network. In cloud computing, Infrastructure, Platform and
Application/Software are delivered as services over the network. The cloud concept
has changed the IT market: organizations need not invest in resources; they instead
rent the required resources on an on-demand basis or take services from the cloud,
which has reduced infrastructure costs manifold. Cloud is basically used in three
models, namely SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS
(Infrastructure as a Service).
The SaaS model of cloud computing lies with end users, who store their critical,
important and real-time information there. The PaaS model of cloud computing is used
mostly by application developers, who use the platform from the cloud as a service to
develop, test, debug and deploy their applications; it is basically middleware for
developers. The IaaS model is used by network analysts. Here services like storage,
networking and database management are also offered. In general a pay-per-use
payment model is followed. The end user is generally interested only in SaaS.
Data is consumed as well as produced by the cloud, and is used by cloud
computing systems and client computing systems alike.
Fig 1: Layered Model of Cloud
Cloud computing has no single definition as such. However, one widely accepted
definition more or less captures it. It states cloud
to be “A large-scale distributed computing paradigm that is driven by economies
of scale, in which a pool of abstracted, virtualized, dynamically-scalable,
managed computing power, storage, platforms, and services are delivered on
demand to external customers over the Internet.”
1.2 Types of Cloud
Cloud computing is typically classified in the following ways:
• Public cloud: In a public cloud the computing infrastructure is hosted by
the cloud vendor at the vendor's premises. The customer has no visibility
and control over where the computing infrastructure is hosted. The
computing infrastructure is shared among organizations.
• Private cloud: The computing infrastructure is dedicated to a particular
organization and not shared with other organizations. Private clouds are
more expensive and more secure when compared to public clouds.
Private clouds are of two types: on-premise private clouds and
externally hosted private clouds. Externally hosted private clouds are
also exclusively used by one organization, but are hosted by a third party
specializing in cloud infrastructure. Externally hosted private clouds are
cheaper than on-premise private clouds.
• Hybrid cloud: Organizations may host critical applications on private
clouds and applications with relatively fewer security concerns on the
public cloud. The usage of both private and public clouds together is
called hybrid cloud. A related term is Cloud Bursting. In cloud bursting,
organizations use their own computing infrastructure for normal usage,
but access the cloud for high/peak load requirements. This ensures that a
sudden increase in computing requirement is handled gracefully.
• Community cloud: It involves sharing of computing infrastructure among
organizations of the same community. For example, all
Government organizations within the state of California may share
computing infrastructure on the cloud to manage data related to citizens
residing in California.
Fig 2: Architecture of Cloud Data Storage
1.3 Classification on the basis of services
The three key cloud delivery models are:
• Software-as-a-Service (SaaS) enables a software deployment model in
which one or more applications and the computing resources that run them
are provided for use on demand as a turnkey service. It can reduce the total
cost of hardware and software development, maintenance, and operations.
• Platform-as-a-Service (PaaS) enables a software deployment model in
which the computing platform is provided as an on-demand service upon which
applications can be developed and deployed. It can reduce the cost and
complexity of buying, housing, and managing the hardware and software
components of the platform.
• Infrastructure-as-a-Service (IaaS) enables a software deployment model in
which the basic computing infrastructure of servers, software, and network
equipment is provided as an on-demand service upon which a platform to develop
and execute applications can be founded. It can be used to avoid buying, housing,
and managing the basic hardware and software infrastructure components.
Fig 3: Services of the Cloud
1.4 Advantages of Cloud Computing
• Flexibility
• Disaster recovery
• Automatic software updates
• Capital-expenditure free
• Increased collaboration
• Work from anywhere
• Document control
• Security
• Competitiveness
• Environmentally friendly
Chapter 2
SECURITY
2.1 Security issues associated with the cloud
Cloud computing and storage solutions provide users and enterprises with various
capabilities to store and process their data in third-party data centers.
Organizations use the cloud in a variety of service models (SaaS, PaaS
and IaaS) and deployment models (Private, Public, Hybrid and Community).
There are a number of security concerns associated with cloud
computing. These issues fall into two broad categories: security issues faced by
cloud providers (organizations providing software-, platform- or infrastructure-as-
a-service via the cloud) and security issues faced by their customers (companies or
organizations who host applications or store data on the cloud). The responsibility
is shared, however. The provider must ensure that their infrastructure is secure and
that their clients' data and applications are protected, while the user must take
measures to fortify their application and use strong passwords and authentication
measures.
When an organization elects to store data or host applications on the public cloud,
it loses its ability to have physical access to the servers hosting its information. As
a result, potentially sensitive data is at risk from insider attacks. According to a
recent Cloud Security Alliance Report, insider attacks are the third biggest threat
in cloud computing. Therefore, Cloud Service providers must ensure that thorough
background checks are conducted for employees who have physical access to the
servers in the data center. Additionally, data centers must be frequently monitored
for suspicious activity.
In order to conserve resources, cut costs, and maintain efficiency, Cloud Service
Providers often store more than one customer's data on the same server. As a
result, there is a chance that one user's private data can be viewed by other users
(possibly even competitors). To handle such sensitive situations, cloud service
providers should ensure proper data isolation and logical storage segregation. The
extensive use of virtualization in implementing cloud infrastructure brings unique
security concerns for customers or tenants of a public cloud service. Virtualization
alters the relationship between the OS and underlying hardware - be it computing,
storage or even networking. This introduces an additional layer – virtualization
that itself must be properly configured, managed and secured. Specific concerns
include the potential to compromise the virtualization software, or "hypervisor".
While these concerns are largely theoretical, they do exist.
For example, a breach of the administrator workstation that runs the management
software for the virtualization layer can cause the whole datacenter to go down
or be reconfigured to an attacker's liking.
2.2 Single node and Multi node in OpenStack
A single node installation installs all components like Nova, Keystone, Cinder,
etc. on one single node (used basically for testing). A multi node installation
installs different components across various nodes, for example Keystone and
Cinder on one node, Neutron on another and two Nova instances on two different
servers. You can tell these two types of installation apart by checking whether
there is more than one node with different components in your environment.
Generally speaking a single node setup of OpenStack
(i.e. DevStack, http://docs.openstack.org/developer/devstack/) is used for testing
purposes. It is not designed for production and thus most would strongly
discourage such an implementation. From a personal perspective, I've used it to test
certain OpenStack components that aren't fully available yet (i.e. Sahara). For those
purposes it is a fantastic environment.
A multi-node setup on the other hand is what most production environments run
on. Given the various components of OpenStack, having all components on one
node can significantly affect performance, as you are limited to whatever resources
that one node has. Multi-node not only provides a solution for this, but it is
also highly scalable in the sense that if you require more compute power all you
have to do is add more compute nodes (the same goes for Swift for storage, etc.).
Additionally, having separate nodes for separate components can offer failover in
case one of your nodes suffers downtime.
A quick and simple way to check whether the current OpenStack deployment is
single-node or multi-node is to run the following command on your controller node:
nova host-list
Fig 4: Multi Node Architecture
2.3 Security in Single node and Multi node
2.3.1 How to create a Security Group
1. Click on Access & Security
2. Click on Create Security Group
3. Enter the name of the Security Group and click Create Security Group
After creating the security group, you need to allow or deny networks/protocols as per
your requirement. This is the default rule set in OpenStack for every
tenant/group/project/user.
2.3.2 How to add rules to a Security Group
1. Click on Add Rule
2. Manage rules by clicking on Manage Security Group Rules
3. Here we are allowing all TCP ports. We can do the same for all protocols
(TCP, UDP, ICMP etc.)
Here, I have allowed All TCP, All UDP and All ICMP.
After creating the rules, click on Access & Security and you will be able to see the
security group which you have created.
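The click-through above creates the group in Horizon and then opens all TCP, UDP and ICMP to every source. The Python below is an added example, not code from the report and not OpenStack's own implementation: it models how OpenStack security group rules are evaluated (rules are allow-only, a packet that matches no rule is dropped, and the default group starts with all egress allowed and ingress allowed only from instances in the same group) and compares the report's "All TCP" rule with a least-privilege rule. The Rule and Packet classes, the allowed and world_reachable_port_count functions, the management network 10.0.0.0/24 and the sample packets are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    """One OpenStack-style security group rule. Rules only ever allow traffic."""
    direction: str                         # "ingress" or "egress"
    protocol: Optional[str] = None         # None means any protocol
    port_min: Optional[int] = None         # None means any port
    port_max: Optional[int] = None
    remote_prefix: Optional[str] = None    # CIDR the remote end must fall in
    remote_group: Optional[str] = None     # or: a group the remote instance must be in


@dataclass(frozen=True)
class Packet:
    """A simplified packet as seen from the protected instance (constructed model)."""
    direction: str
    protocol: str
    port: Optional[int]
    remote_ip: str
    remote_groups: FrozenSet[str] = frozenset()   # security groups of the remote instance


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        if pkt.port is None or not (rule.port_min <= pkt.port <= rule.port_max):
            return False
    if rule.remote_prefix is not None:
        if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.remote_prefix):
            return False
    if rule.remote_group is not None and rule.remote_group not in pkt.remote_groups:
        return False
    return True


def allowed(rules, pkt: Packet) -> bool:
    """Security groups are default-deny: a packet passes only if some rule allows it."""
    return any(rule_matches(r, pkt) for r in rules)


def world_reachable_port_count(rules, protocol: str = "tcp") -> int:
    """How many ports of `protocol` can be reached from any address (0.0.0.0/0)."""
    ports = set()
    for r in rules:
        if r.direction != "ingress" or r.remote_prefix != "0.0.0.0/0":
            continue
        if r.protocol not in (None, protocol):
            continue
        lo, hi = (1, 65535) if r.port_min is None else (r.port_min, r.port_max)
        ports.update(range(lo, hi + 1))
    return len(ports)


# IPv4 rules of the `default` group as created for every project (IPv6 twins omitted).
DEFAULT_GROUP_RULES = (
    Rule("egress", remote_prefix="0.0.0.0/0"),
    Rule("ingress", remote_group="default"),
)

# What section 2.3.2 of the report adds: "All TCP" from everywhere.
REPORT_RULES = DEFAULT_GROUP_RULES + (
    Rule("ingress", "tcp", 1, 65535, remote_prefix="0.0.0.0/0"),
)

# Least-privilege alternative: SSH only, and only from a (constructed) management network.
HARDENED_RULES = DEFAULT_GROUP_RULES + (
    Rule("ingress", "tcp", 22, 22, remote_prefix="10.0.0.0/24"),
)

# Constructed sample traffic.
SSH_FROM_INTERNET = Packet("ingress", "tcp", 22, "203.0.113.5")
MYSQL_FROM_INTERNET = Packet("ingress", "tcp", 3306, "203.0.113.5")
SSH_FROM_MGMT = Packet("ingress", "tcp", 22, "10.0.0.7")
SSH_FROM_SIBLING = Packet("ingress", "tcp", 22, "10.11.12.9", frozenset({"default"}))
HTTPS_OUT = Packet("egress", "tcp", 443, "203.0.113.5")


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_GROUP_RULES), ("report", REPORT_RULES),
                        ("hardened", HARDENED_RULES)):
        print(f"{name:9} mysql-from-internet={allowed(rules, MYSQL_FROM_INTERNET)} "
              f"ssh-from-mgmt={allowed(rules, SSH_FROM_MGMT)} "
              f"tcp-ports-open-to-world={world_reachable_port_count(rules)}")
```

Running the block shows that the report's rule set leaves every TCP port reachable from the whole Internet, whereas a rule scoped to one port and one remote CIDR (or a remote security group) still lets the management network in and leaves nothing world-reachable; that is the check worth making before clicking "All TCP" in Horizon.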
Chapter 3
INSTALLATION GUIDE
3.1 Installation
3.1.1 Add your user
We need to add a user to install DevStack. (if you created a user during install you can skip this
step and just give the user sudo privileges below)
adduser stack
Since this user will be making many changes to your system, it will need to have sudo privileges:
apt-get install sudo -y || yum install -y sudo
echo "stack ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
From here on you should use the user you created. Logout and login as that user.
3.1.2 Download DevStack
We'll grab the latest version of DevStack via https:
sudo apt-get install git -y || sudo yum install -y git
git clone https://git.openstack.org/openstack-dev/devstack
cd devstack
3.1.3 Run DevStack
Now to configure stack.sh. DevStack includes a sample in devstack/samples/local.conf.
Create local.conf as shown below to do the following:
• Set FLOATING_RANGE to a range not used on the local network, e.g. 192.168.1.224/27. This
configures IP addresses ending in 225-254 to be used as floating IPs.
• Set FIXED_RANGE and FIXED_NETWORK_SIZE to configure the internal address space
used by the instances.
• Set FLAT_INTERFACE to the Ethernet interface that connects the host to your local network.
This is the interface that should be configured with the static IP address mentioned above.
• Set the administrative password. This password is used for the admin and demo accounts set up
as OpenStack users.
• Set the MySQL administrative password. The default here is a random hex string which is
inconvenient if you need to look at the database directly for anything.
• Set the RabbitMQ password.
• Set the service password. This is used by the OpenStack services (Nova, Glance, etc.) to
authenticate with Keystone.
local.conf should look something like this:
[[local|localrc]]
FLOATING_RANGE=192.168.1.224/27
FIXED_RANGE=10.11.12.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=eth0
ADMIN_PASSWORD=supersecret
DATABASE_PASSWORD=iheartdatabases
RABBIT_PASSWORD=flopsymopsy
SERVICE_PASSWORD=iheartksl
3.1.4 Using OpenStack
At this point you should be able to access the dashboard from other computers on the local network. In
this example that would be http://192.168.1.201/ for the dashboard (aka Horizon). Launch VMs and if
you give them floating IPs and security group access those VMs will be accessible from other machines
on your network.
Some examples of using the OpenStack command-line clients nova and glance are in the shakedown
scripts in devstack/exercises. exercise.sh will run all of those scripts and report on the results.
3.2 Container Setup
3.2.1 Configuration
For a successful run of stack.sh and to permit use of KVM to run the VMs you launch inside
your container, we need to use the following additional configuration options. Place the
following in a file called devstack-lxc.conf
# Permit access to /dev/loop*
lxc.cgroup.devices.allow = b 7:* rwm
# Setup access to /dev/net/tun and /dev/kvm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
# Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
3.2.2 Create Container
The configuration and rootfs for LXC containers are created using the lxc-create command. We
will name our container devstack and use the ubuntu template which will use debootstrap to
build a Ubuntu rootfs. It will default to the same release and architecture as the host system. We
also install the additional packages bsdmainutils and git as we'll need them to run devstack:
sudo lxc-create -n devstack -t ubuntu -f devstack-lxc.conf -- --packages=bsdmainutils,git
The first time it builds the rootfs will take a few minutes to download, unpack, and configure all
the necessary packages for a minimal installation of Ubuntu. LXC will cache this and subsequent
containers will only take seconds to create.
3.2.3 Start Container
To start the container, run: sudo lxc-start -n devstack
A moment later you should be presented with the login prompt for your container. You can login using
the username ubuntu and password ubuntu.
You can also ssh into your container. On your host, run sudo lxc-info -n devstack to get the IP address
(e.g. ssh ubuntu@$(sudo lxc-info -n devstack | awk '/IP/ { print $2 }')).
3.2.4 Run DevStack
You should now be logged into your container and almost ready to run devstack. The commands in this
section should all be run inside your container.
1. Download DevStack
git clone https://git.openstack.org/openstack-dev/devstack
2. Configure
Refer to Minimal Configuration if you wish to configure the behaviour of devstack.
3. Start the install
cd devstack
./stack.sh
3.2.5 Cleanup
To stop the container:
lxc-stop -n devstack
To delete the container:
lxc-destroy -n devstack
3.3 Configure Compute Nodes
The compute nodes only run the OpenStack worker services. For additional machines, create
a local.conf with:
[[local|localrc]]
HOST_IP=192.168.42.12 # change this per compute node
FLAT_INTERFACE=eth0
FIXED_RANGE=10.4.128.0/20
FIXED_NETWORK_SIZE=4096
FLOATING_RANGE=192.168.42.128/25
MULTI_HOST=1
LOGFILE=/opt/stack/logs/stack.sh.log
ADMIN_PASSWORD=labstack
DATABASE_PASSWORD=supersecret
RABBIT_PASSWORD=supersecret
SERVICE_PASSWORD=supersecret
DATABASE_TYPE=mysql
SERVICE_HOST=192.168.42.11
MYSQL_HOST=$SERVICE_HOST
RABBIT_HOST=$SERVICE_HOST
GLANCE_HOSTPORT=$SERVICE_HOST:9292
ENABLED_SERVICES=n-cpu,n-net,n-api-meta,c-vol
NOVA_VNC_ENABLED=True
NOVNCPROXY_URL="http://$SERVICE_HOST:6080/vnc_auto.html"
VNCSERVER_LISTEN=$HOST_IP
VNCSERVER_PROXYCLIENT_ADDRESS=$VNCSERVER_LISTEN
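Both the controller local.conf of section 3.1.3 and the compute-node local.conf above are hand-edited before stack.sh reads them, and the bullets in 3.1.3 spell out the constraints they must satisfy (FIXED_NETWORK_SIZE matching FIXED_RANGE, a FLOATING_RANGE that is not in use on the local network, and real passwords instead of placeholders). The Python below is an added example, not part of the report and not DevStack's own tooling: it parses the [[local|localrc]] section the way the shell would (comments, quotes and $VAR references) and runs those checks over the report's two files plus a constructed misconfiguration. The parse_localrc and check_localrc functions, the 12-character minimum and the PLACEHOLDER_PASSWORDS list are assumptions made for this illustration.

```python
import ipaddress
import re

PASSWORD_KEYS = ("ADMIN_PASSWORD", "DATABASE_PASSWORD", "RABBIT_PASSWORD", "SERVICE_PASSWORD")
# Constructed list of values that are obviously placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = {"supersecret", "labstack", "password", "secret", "changeme"}


def parse_localrc(text: str) -> dict:
    """Return the KEY=value pairs of the [[local|localrc]] section as a dict.
    Trailing '# comments' are dropped, surrounding quotes removed and $VAR
    references expanded from keys seen earlier, as the shell does when sourcing."""
    values = {}
    in_localrc = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[["):                      # section header
            in_localrc = line == "[[local|localrc]]"
            continue
        if not in_localrc or not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()           # assumes '#' never appears inside a value
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip().strip('"').strip("'")
        value = re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), ""), value)
        values[key.strip()] = value
    return values


def check_localrc(conf: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    fixed = ipaddress.ip_network(conf["FIXED_RANGE"], strict=False) if "FIXED_RANGE" in conf else None
    floating = ipaddress.ip_network(conf["FLOATING_RANGE"], strict=False) if "FLOATING_RANGE" in conf else None
    size = conf.get("FIXED_NETWORK_SIZE")
    if fixed and size and int(size) != fixed.num_addresses:
        findings.append(f"FIXED_NETWORK_SIZE={size} does not match FIXED_RANGE {fixed} "
                        f"({fixed.num_addresses} addresses)")
    if fixed and floating and fixed.overlaps(floating):
        findings.append(f"FIXED_RANGE {fixed} overlaps FLOATING_RANGE {floating}")
    host_ip = conf.get("HOST_IP")
    if host_ip and floating and ipaddress.ip_address(host_ip) in floating:
        findings.append(f"HOST_IP {host_ip} lies inside FLOATING_RANGE {floating}: floating IPs "
                        "would collide with the host")
    for key in PASSWORD_KEYS:
        value = conf.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif value.lower() in PLACEHOLDER_PASSWORDS or len(value) < 12:
            findings.append(f"{key} is a placeholder or shorter than 12 characters")
    return findings


# The controller local.conf from section 3.1.3 of the report.
CONTROLLER_LOCAL_CONF = """\
[[local|localrc]]
FLOATING_RANGE=192.168.1.224/27
FIXED_RANGE=10.11.12.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=eth0
ADMIN_PASSWORD=supersecret
DATABASE_PASSWORD=iheartdatabases
RABBIT_PASSWORD=flopsymopsy
SERVICE_PASSWORD=iheartksl
"""

# The compute-node local.conf from section 3.3 (only the lines the checks use).
COMPUTE_LOCAL_CONF = """\
[[local|localrc]]
HOST_IP=192.168.42.12 # change this per compute node
FIXED_RANGE=10.4.128.0/20
FIXED_NETWORK_SIZE=4096
FLOATING_RANGE=192.168.42.128/25
ADMIN_PASSWORD=labstack
DATABASE_PASSWORD=supersecret
RABBIT_PASSWORD=supersecret
SERVICE_PASSWORD=supersecret
SERVICE_HOST=192.168.42.11
MYSQL_HOST=$SERVICE_HOST
NOVNCPROXY_URL="http://$SERVICE_HOST:6080/vnc_auto.html"
VNCSERVER_LISTEN=$HOST_IP
VNCSERVER_PROXYCLIENT_ADDRESS=$VNCSERVER_LISTEN
"""

# Constructed misconfiguration: size/prefix mismatch, overlapping ranges, host inside floating range.
BAD_LOCAL_CONF = """\
[[local|localrc]]
HOST_IP=10.4.130.5
FIXED_RANGE=10.4.128.0/20
FIXED_NETWORK_SIZE=256
FLOATING_RANGE=10.4.130.0/24
ADMIN_PASSWORD=Q8v2LmZp7TwRk4Nd
DATABASE_PASSWORD=Hx5cVb9RnTy2Wq4L
RABBIT_PASSWORD=Zp3kMd7FsWj8Qn6B
SERVICE_PASSWORD=Tr4yHv8NcLm2Kp9X
"""

if __name__ == "__main__":
    for name, text in (("controller", CONTROLLER_LOCAL_CONF), ("compute", COMPUTE_LOCAL_CONF),
                       ("bad", BAD_LOCAL_CONF)):
        print(name)
        for finding in check_localrc(parse_localrc(text)) or ["ok"]:
            print("  -", finding)
```

On the report's own files the address checks pass and only the password lines are flagged, which is the point: the passwords in both sections are placeholders, and the service password in particular is what every OpenStack service presents to Keystone, so it is the first thing to change before exposing a multi-node deployment beyond the lab.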
Fire up OpenStack:
./stack.sh
A stream of activity ensues. When complete you will see a summary of stack.sh's work,
including the relevant URLs, accounts and passwords to poke at your shiny new OpenStack. The
most recent log file is available in stack.sh.log.
3.3.1 Cleaning Up After DevStack
Shutting down OpenStack is now as simple as running the included unstack.sh script:
./unstack.sh
A more aggressive cleanup can be performed using clean.sh. It removes certain troublesome
packages and attempts to leave the system in a state where changing the database or queue
manager can be reliably performed.
./clean.sh
Sometimes running instances are not cleaned up. DevStack attempts to do this when it runs but
there are times it needs to still be done by hand:
sudo rm -rf /etc/libvirt/qemu/inst*
sudo virsh list | grep inst | awk '{print $1}' | xargs -n1 virsh destroy
CONCLUSION
In a single node installation, since all components are installed on a single node,
failure of that one node may lead to the failure of the entire system. A multi node
installation ensures more reliable service since it deploys components across
multiple nodes. A multi node installation can also be implemented by having multiple
copies of components on various nodes, thus ensuring more reliability.
REFERENCES
• https://ask.openstack.org/en/question/59516/what-is-the-difference-between-single-node-and-multi-node-installation-in-openstack/
• http://blog.flux7.com/blogs/openstack/tutorial-how-to-install-multi-nodes-in-openstack
• http://blog.flux7.com/blogs/openstack/tutorial-install-single-node-openstack
• www.wikipedia.com

More Related Content

PDF
Cloud Computing Security
PDF
Cloud computing security and privacy
PDF
Cloud Computing Use Cases Whitepaper 3 0
PDF
Iaetsd cloud computing and security challenges
PDF
Cloud Computing - Introduction
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
PPTX
Cloud computing security issues and challenges
PPTX
Cloud computing security & forensics (manu)
Cloud Computing Security
Cloud computing security and privacy
Cloud Computing Use Cases Whitepaper 3 0
Iaetsd cloud computing and security challenges
Cloud Computing - Introduction
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
Cloud computing security issues and challenges
Cloud computing security & forensics (manu)

What's hot (20)

PDF
Rp059 Icect2012 E694
PDF
Cloud computing security from single to multi clouds
PDF
An efficient and secure data storage in cloud computing using modified RSA pu...
PDF
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
PDF
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
PPT
Cloud Computing Security Issues
PDF
CLOUD COMPUTING_proposal
PDF
Cloud Computing- Proposal (Autosaved)
PPTX
Smart cloud - single to multi cloud
PDF
Cloud computing security issues and challenges
DOC
Cloud Computing Security From Sngle to multi Clouds Full Documentaion
PPTX
Cloud computing and its security issues
PPTX
Authentication cloud
PDF
IRJET- An Effective Protection on Content based Retrieval in Cloud Storehouse
PPTX
Understanding Cloud Computing
PPTX
Lecture01: Introduction to Security and Privacy in Cloud Computing
PDF
Cloud computing security through symmetric cipher model
PPTX
Data Confidentiality in Cloud Computing
DOC
Cloud security
PDF
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
Rp059 Icect2012 E694
Cloud computing security from single to multi clouds
An efficient and secure data storage in cloud computing using modified RSA pu...
Presentation on cloud computing security issues using HADOOP and HDFS ARCHITE...
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
Cloud Computing Security Issues
CLOUD COMPUTING_proposal
Cloud Computing- Proposal (Autosaved)
Smart cloud - single to multi cloud
Cloud computing security issues and challenges
Cloud Computing Security From Sngle to multi Clouds Full Documentaion
Cloud computing and its security issues
Authentication cloud
IRJET- An Effective Protection on Content based Retrieval in Cloud Storehouse
Understanding Cloud Computing
Lecture01: Introduction to Security and Privacy in Cloud Computing
Cloud computing security through symmetric cipher model
Data Confidentiality in Cloud Computing
Cloud security
SOME SECURITY CHALLENGES IN CLOUD COMPUTING
Ad

Viewers also liked (12)

PPTX
Celulares
PDF
Innate Response - 1A
PDF
Innate Response - 1B
PPTX
Android lollipop
PPTX
Sociology
PPT
Prezentacja
PPT
PDF
Captcha seminar report
PDF
Employee Performance Review
DOCX
SYNOPSIS
PDF
The Complement System
PPT
Immunology in a Nutshell
Celulares
Innate Response - 1A
Innate Response - 1B
Android lollipop
Sociology
Prezentacja
Captcha seminar report
Employee Performance Review
SYNOPSIS
The Complement System
Immunology in a Nutshell
Ad

Similar to Implementing security groups in open stack (20)

PDF
An Overview To Cloud Computing
PDF
Cc unit 3 updated version
PDF
G0314043
PDF
Module-1 introductaion cloud computing.pdf
PPT
Cloud computing
PDF
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
PDF
A017620123
PDF
Data Security Model Enhancement In Cloud Environment
DOCX
Cloud Computing Security Issues in Infrastructure as a Service” report
PDF
Introduction to aneka cloud
PPT
An introduction to the cloud 11 v1
PDF
cloud computing
PDF
A REVIEW ON RESOURCE ALLOCATION MECHANISM IN CLOUD ENVIORNMENT
PPTX
Cloud computing
PDF
Methodologies for Enhancing Data Integrity and Security in Distributed Cloud ...
PDF
An Overview on Security Issues in Cloud Computing
PDF
Ijetcas14 424
DOCX
Cloud Computing
DOCX
Private Cloud With System Center Project
PPTX
Introduction to Cloud Computing(UNIT 1).pptx
An Overview To Cloud Computing
Cc unit 3 updated version
G0314043
Module-1 introductaion cloud computing.pdf
Cloud computing
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
A017620123
Data Security Model Enhancement In Cloud Environment
Cloud Computing Security Issues in Infrastructure as a Service” report
Introduction to aneka cloud
An introduction to the cloud 11 v1
cloud computing
A REVIEW ON RESOURCE ALLOCATION MECHANISM IN CLOUD ENVIORNMENT
Cloud computing
Methodologies for Enhancing Data Integrity and Security in Distributed Cloud ...
An Overview on Security Issues in Cloud Computing
Ijetcas14 424
Cloud Computing
Private Cloud With System Center Project
Introduction to Cloud Computing(UNIT 1).pptx

Recently uploaded (20)

PPTX
Lesson 3_Tessellation.pptx finite Mathematics
PPTX
OOP with Java - Java Introduction (Basics)
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
PPTX
UNIT 4 Total Quality Management .pptx
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
PPTX
additive manufacturing of ss316l using mig welding
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
PDF
PPT on Performance Review to get promotions
PPTX
CH1 Production IntroductoryConcepts.pptx
PPT
Mechanical Engineering MATERIALS Selection
PPTX
web development for engineering and engineering
PPTX
Foundation to blockchain - A guide to Blockchain Tech
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PDF
Well-logging-methods_new................
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Lesson 3_Tessellation.pptx finite Mathematics
OOP with Java - Java Introduction (Basics)
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
UNIT 4 Total Quality Management .pptx
Model Code of Practice - Construction Work - 21102022 .pdf
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
additive manufacturing of ss316l using mig welding
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
PPT on Performance Review to get promotions
CH1 Production IntroductoryConcepts.pptx
Mechanical Engineering MATERIALS Selection
web development for engineering and engineering
Foundation to blockchain - A guide to Blockchain Tech
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Well-logging-methods_new................
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
UNIT-1 - COAL BASED THERMAL POWER PLANTS

Implementing security groups in open stack

  • 1. IMPLEMENTING SECURITY GROUPS IN OPENSTACK submitted to Noida Institute of Engineering & Technology, Greater Noida Project Report submitted by Rishabh Agarwal Arzoo Singh Raj Shekhar Jyoti Yadav under the supervision of Mr. Hitesh Sharma Mr. Rahul Singh Department of Computer Science and Engineering
  • 2. DECLARATION WE, STUDENTS OF BACHELOR OF TECHNOLOGY, COMPUTER SCIENCE AND ENGINEERING, NIET GREATER NOIDA, HEREBY DECLARE THAT THE WORK PRESENTED IN THIS THESIS IS OUTCOME OF OUR OWN WORK, IS BONAFIDE, CORRECT TO THE BEST OF OUR KNOWLEDGE. THIS WORK HAS BEEN CARRIED OUT TAKING CARE OF ENGINEERING ETHICS AND KEEPING INDIAN IP LAWS INTO CONSIDERATION. RISHABH AGARWAL ARZOO SINGH 1313310118 1313310036 RAJ SHEKHAR JYOTI YADAV 1313310114 1313310070 DATE: 16-06-2016 i
  • 3. ACKNOWLEDGEMENT WE WOULD LIKE TO TAKE THIS OPPORTUNITY TO EXPRESS OUR DEEP SENSE OF GRATITUDE AND PROFOUND FEELING OF ADMIRATION TO OUR PROJECT SUPERVISOR/MENTOR MR HITESH SHARMA AND MR RAHUL SINGH, FOR PROVIDING US INVALUABLE GUIDANCE FOR THE TECHNICAL SEMINAR. WE ACKNOWLEDGE HERE OUT DEPT TO ALL THOSE WHO HELPED SIGNIFICANTLY IN ONE OR MORE STEPS. ii
  • 4. ABSTRACT The use of Cloud Computing has increased rapidly in many organizations. Cloud computing provides many benefits in terms of low cost and accessibility of data. Ensuring the security of cloud computing is a major factor in the cloud computing environment, as users often store sensitive information with cloud storage providers but these providers may be untrusted. Dealing with “single cloud” providers is predicted to become less popular with customers due to risks of service availability failure and the possibility of malicious insiders in the single cloud. A movement towards “multi-clouds”, or in other words, “interclouds” or “cloud-of-clouds” has emerged recently. Cloud can be implemented in 2 installation modes namely – Single Node Installation and Multi Node Installation. A single node installation installs all components like nova, keystone, cinder, etc. in one single node(used basically for testing). Multi node installation installs different components along various nodes. In Single Node installation, since all components are installed on a single node failure of any one node may lead to the failure of entire system. Multi node installation ensures reliable service since it deploys multiple components on multiple nodes. Multi Node installation can also implemented by having multiple copies of components on various nodes thus ensuring more reliability. iii
  • 5. CONTENT Chapter Title Page No. Declaration i Acknowledgement ii Abstract iii 1 Introduction 1 1.1 Overview 1 1.2 Types of Cloud 2 1.3 Classification on the basis of Services 4 1.4 Advantages 5 2 Security 6 2.1 Security issues associated with cloud 6 2.2 Single node and Multi node 7 2.3 Security single node and multi node 9 3 Installation Guide 12 3.1 Installation 12 3.1.1 Add User 12 3.1.2 Download 12 3.1.3 Run DevStack 13 3.1.4 Using OpenStack 14 3.2 Container Setup 14 3.2.1 Configuration 14 3.2.2 Create Container 15 3.2.3 Start Container 15 3.2.4 Run DevStack 16 3.2.5 Cleanup 16 3.3 Configure Compute Nodes 17 4 Conclusion 20 5 References 21
  • 6. LIST OF FIGURES Figure Name Figure No Page No Layered Model of Cloud 1 2 Architecture of Cloud Data Storage 2 4 Services of the Cloud 3 5 Multi Node Architecture 4 8
  • 7. Chapter 1 INTRODUCTION 1.1 Overview The term „Cloud Computing‟ is made up of two terms, Cloud and Computing. Cloud could be thought to be synonymous with the Internet where various resources are interlinked with the use of network. One can use the resource they want with the help of simple client-server architecture. The term „computing‟ refers to processing. Cloud computing is computing on various resources over the network. In cloud computing Infrastructure, Platform and Application/Software are delivered as service over the network. The cloud concept has changed the IT market wherein organizations need not invest on resources; they rather rent the required resource on on-demand basis or take services from the cloud which has reduced the infrastructure costs in manifold. Cloud is basically used in three models namely, Saas (Software as a Service), PaaS (Platform as a service), IaaS (Infrastructure as a service). SaaS model of cloud computing lies with end users, where they store their critical, important and real time information. PaaS model of cloud computing is used mostly by Application developers, who use the platform from cloud as a service to develop, test, debug and deploy their applications. It is basically a middleware for developers. IaaS model is used by network analysts. Here services like storage, networking, and database management are also offered. In general pay per use payment model is followed here. The end user is generally interested only in SaaS. The data is consumed as well as produced by the cloud. This data is used by cloud computing systems and client computing systems as well. 1
Fig 1: Layered Model of Cloud

Cloud computing has no specific definition as such. However, one widely accepted definition more or less defines it. It states cloud to be "A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet."

1.2 Types of Cloud

Cloud computing is typically classified in the following ways:

• Public cloud: In a public cloud the computing infrastructure is hosted by the cloud vendor at the vendor's premises. The customer has no visibility and control over where the computing infrastructure is hosted. The computing infrastructure is shared between multiple organizations.

• Private cloud: The computing infrastructure is dedicated to a particular organization and not shared with other organizations. Private clouds are more expensive and more secure when compared to public clouds. Private clouds are of two types: on-premise private clouds and externally hosted private clouds. Externally hosted private clouds are also exclusively used by one organization, but are hosted by a third party specializing in cloud infrastructure. Externally hosted private clouds are cheaper than on-premise private clouds.

• Hybrid cloud: Organizations may host critical applications on private clouds and applications with relatively fewer security concerns on the public cloud. The usage of both private and public clouds together is called hybrid cloud. A related term is Cloud Bursting. In cloud bursting, organizations use their own computing infrastructure for normal usage, but access the cloud for high/peak load requirements. This ensures that a sudden increase in computing requirement is handled gracefully.

• Community cloud: It involves sharing of computing infrastructure between organizations of the same community. For example, all government organizations within the state of California may share computing infrastructure on the cloud to manage data related to citizens residing in California.
Fig 2: Architecture of Cloud Data Storage

1.3 Classification on the basis of services

The three key cloud delivery models are:

• Software-as-a-Service (SaaS) enables a software deployment model in which one or more applications and the computing resources that run them are provided for use on demand as a turnkey service. It can reduce the total cost of hardware and software development, maintenance, and operations.

• Platform-as-a-Service (PaaS) enables a software deployment model in which the computing platform is provided as an on-demand service upon which applications can be developed and deployed. It can reduce the cost and complexity of buying, housing, and managing the hardware and software components of the platform.

• Infrastructure-as-a-Service (IaaS) enables a software deployment model in which the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications can be founded. It can be used to avoid buying, housing, and managing the basic hardware and software infrastructure components.

Fig 3: Services of the Cloud

1.4 Advantages of Cloud Computing

• Flexibility
• Disaster recovery
• Automatic software updates
• Capital-expenditure free
• Increased collaboration
• Work from anywhere
• Document control
• Security
• Competitiveness
• Environmentally friendly
Chapter 2
SECURITY

2.1 Security issues associated with the cloud

Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in third-party data centers. Organizations use the cloud in a variety of different service models (SaaS, PaaS and IaaS) and deployment models (Private, Public, Hybrid and Community).

There are a number of security concerns associated with cloud computing. These issues fall into two broad categories: security issues faced by cloud providers (organizations providing Software-, Platform-, or Infrastructure-as-a-Service via the cloud) and security issues faced by their customers (companies or organizations who host applications or store data on the cloud). The responsibility is shared, however. The provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.

When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a recent Cloud Security Alliance report, insider attacks are the third biggest threat in cloud computing. Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, data centers must be frequently monitored for suspicious activity.

In order to conserve resources, cut costs, and maintain efficiency, cloud service providers often store more than one customer's data on the same server. As a result, there is a chance that one user's private data can be viewed by other users (possibly even competitors). To handle such sensitive situations, cloud service providers should ensure proper data isolation and logical storage segregation.

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and the underlying hardware, be it computing, storage or even networking. This introduces an additional layer, virtualization, that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist. For example, a breach of the administrator workstation holding the management software of the virtualization layer can cause the whole datacenter to go down or be reconfigured to an attacker's liking.

2.2 Single node and Multi node in OpenStack

A single node installation installs all components like Nova, Keystone, Cinder, etc. in one single node (used basically for testing). A multi node installation installs different components on various nodes. For example, Keystone and Cinder in one node, Neutron in another and two Novas on two different servers. You can differentiate these two types of installation by seeing whether there is more than one node with different components in your environment.

Generally speaking, a single node setup of OpenStack (i.e. DevStack, http://docs.openstack.org/developer/devstack/) is used for testing purposes. It is not designed for production and thus most would strongly discourage such an implementation. From a personal perspective, I've used it to test certain OpenStack components that aren't fully available yet (i.e. Sahara). For those purposes it is a fantastic environment.

A multi-node setup, on the other hand, is what most production environments run on. Given the various components of OpenStack, having all components on one node can significantly affect performance, as you are limited to whatever resources that one node may have. Multi-node not only provides a solution for this, but it is also highly scalable in the sense that if you require more compute power all you have to do is add more compute nodes (same with Swift for storage, etc.). Additionally, having various nodes for various components can offer failover in case one of your nodes suffers downtime.

As for how to check whether an installation is single node or multi node, a quick and simple way to check if the current OpenStack deployment is single or multi node is to run the following command on your controller node:

    nova host-list

Fig 4: Multi Node Architecture
2.3 Security in Single node and Multi node

2.3.1 How to create a Security Group?

1- Click on Access & Security
2- Click on Create Security Group
3- Enter the name of the Security Group and click Create Security Group

After creating the security group, you need to allow/deny networks/protocols as per your requirement. This is the default rule in OpenStack for all tenants/groups/projects/users.

2.3.2 How to add rules to a Security Group?

1- Click on Add Rule
2- Manage rules by clicking on Manage Security Group Rules
3- Here we are allowing all TCP ports. We can do the same for all protocols (TCP, UDP, ICMP etc.). Here, I have allowed All TCP, All UDP and All ICMP.

After creating the rules, click on Access & Security and you will be able to see the security group which you have created.
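Added example, not from the report and not OpenStack's own code: a small Python model of how a security group decides on ingress traffic, using the rule fields OpenStack exposes (protocol, port range, remote IP prefix). It shows that the group built in 2.3.2 admits every sample packet, and that because rules only add permissions, a scoped rule placed beside an "All TCP" rule changes nothing; the scoped group and the sample packets are constructed for the illustration.

```python
"""Model of OpenStack security-group ingress filtering (constructed illustration,
not OpenStack code). A group is an additive allow-list: an ingress packet passes
only if at least one rule matches it; otherwise it is dropped (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: Optional[str]               # "tcp", "udp", "icmp"; None matches any protocol
    port_min: Optional[int] = None        # None means every port (ICMP has no ports)
    port_max: Optional[int] = None
    remote_ip_prefix: str = "0.0.0.0/0"   # source addresses the rule admits

    def matches(self, proto: str, port: Optional[int], src: str) -> bool:
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.port_min is not None:
            if port is None or not (self.port_min <= port <= self.port_max):
                return False
        return ip_address(src) in ip_network(self.remote_ip_prefix)


def ingress_allowed(rules: List[Rule], proto: str, port: Optional[int], src: str) -> bool:
    """Default deny: True only if some rule in the group admits the packet."""
    return any(r.matches(proto, port, src) for r in rules)


# The group built in section 2.3.2: all TCP, all UDP and all ICMP from anywhere.
ALL_OPEN = [Rule("tcp"), Rule("udp"), Rule("icmp")]

# Constructed alternative: SSH only from a management subnet, HTTPS from anywhere.
SCOPED = [
    Rule("tcp", 22, 22, "192.168.1.0/24"),
    Rule("tcp", 443, 443),
]

# Constructed sample packets: (protocol, destination port, source address).
PACKETS = [
    ("tcp", 22, "192.168.1.10"),    # SSH from the management subnet
    ("tcp", 22, "203.0.113.5"),     # SSH from an outside address
    ("tcp", 3306, "203.0.113.5"),   # MySQL from outside
    ("udp", 53, "203.0.113.5"),     # DNS from outside
    ("icmp", None, "203.0.113.5"),  # ping from outside
]


def decisions(rules: List[Rule]) -> List[bool]:
    """Verdict for each sample packet under the given group, in PACKETS order."""
    return [ingress_allowed(rules, *pkt) for pkt in PACKETS]
```

Comparing decisions(ALL_OPEN) with decisions(ALL_OPEN + SCOPED) gives identical verdicts: once an all-ports rule is present, narrower rules in the same group are redundant.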
Chapter 3
INSTALLATION GUIDE

3.1 Installation

3.1.1 Add your user

We need to add a user to install DevStack (if you created a user during install you can skip this step and just give the user sudo privileges below):

    adduser stack

Since this user will be making many changes to your system, it will need to have sudo privileges:

    apt-get install sudo -y || yum install -y sudo
    echo "stack ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

From here on you should use the user you created. Log out and log in as that user.

3.1.2 Download DevStack

We'll grab the latest version of DevStack via https:

    sudo apt-get install git -y || sudo yum install -y git
    git clone https://git.openstack.org/openstack-dev/devstack
    cd devstack
3.1.3 Run DevStack

Now to configure stack.sh. DevStack includes a sample in devstack/samples/local.conf. Create local.conf as shown below to do the following:

• Set FLOATING_RANGE to a range not used on the local network, e.g. 192.168.1.224/27. This configures IP addresses ending in 225-254 to be used as floating IPs.
• Set FIXED_RANGE and FIXED_NETWORK_SIZE to configure the internal address space used by the instances.
• Set FLAT_INTERFACE to the Ethernet interface that connects the host to your local network. This is the interface that should be configured with the static IP address mentioned above.
• Set the administrative password. This password is used for the admin and demo accounts set up as OpenStack users.
• Set the MySQL administrative password. The default here is a random hex string, which is inconvenient if you need to look at the database directly for anything.
• Set the RabbitMQ password.
• Set the service password. This is used by the OpenStack services (Nova, Glance, etc.) to authenticate with Keystone.

local.conf should look something like this:

    [[local|localrc]]
    FLOATING_RANGE=192.168.1.224/27
    FIXED_RANGE=10.11.12.0/24
    FIXED_NETWORK_SIZE=256
    FLAT_INTERFACE=eth0
    ADMIN_PASSWORD=supersecret
    DATABASE_PASSWORD=iheartdatabases
    RABBIT_PASSWORD=flopsymopsy
    SERVICE_PASSWORD=iheartksl

3.1.4 Using OpenStack

At this point you should be able to access the dashboard from other computers on the local network. In this example that would be http://192.168.1.201/ for the dashboard (aka Horizon). Launch VMs, and if you give them floating IPs and security group access, those VMs will be accessible from other machines on your network.

Some examples of using the OpenStack command-line clients nova and glance are in the shakedown scripts in devstack/exercises. exercise.sh will run all of those scripts and report on the results.

3.2 Container Setup

3.2.1 Configuration

For a successful run of stack.sh, and to permit use of KVM to run the VMs you launch inside your container, we need to use the following additional configuration options. Place the following in a file called devstack-lxc.conf:

    # Permit access to /dev/loop*
    lxc.cgroup.devices.allow = b 7:* rwm

    # Setup access to /dev/net/tun and /dev/kvm
    lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
    lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0

    # Networking
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = lxcbr0

3.2.2 Create Container

The configuration and rootfs for LXC containers are created using the lxc-create command. We will name our container devstack and use the ubuntu template, which will use debootstrap to build an Ubuntu rootfs. It will default to the same release and architecture as the host system. We also install the additional packages bsdmainutils and git, as we'll need them to run DevStack:

    sudo lxc-create -n devstack -t ubuntu -f devstack-lxc.conf -- --packages=bsdmainutils,git

The first time it builds the rootfs it will take a few minutes to download, unpack, and configure all the necessary packages for a minimal installation of Ubuntu. LXC will cache this, and subsequent containers will only take seconds to create.

3.2.3 Start Container

To start the container, run:

    sudo lxc-start -n devstack

A moment later you should be presented with the login prompt for your container. You can log in using the username ubuntu and password ubuntu.

You can also ssh into your container. On your host, run sudo lxc-info -n devstack to get the IP address (e.g. ssh ubuntu@$(sudo lxc-info -n devstack | awk '/IP/ { print $2 }')).

3.2.4 Run DevStack

You should now be logged into your container and almost ready to run DevStack. The commands in this section should all be run inside your container.

1. Download DevStack

    git clone https://git.openstack.org/openstack-dev/devstack

2. Configure

Refer to Minimal Configuration if you wish to configure the behaviour of DevStack.

3. Start the install

    cd devstack
    ./stack.sh

3.2.5 Cleanup

To stop the container:

    lxc-stop -n devstack

To delete the container:

    lxc-destroy -n devstack

3.3 Configure Compute Nodes

The compute nodes only run the OpenStack worker services. For additional machines, create a local.conf with:

    [[local|localrc]]
    HOST_IP=192.168.42.12 # change this per compute node
    FLAT_INTERFACE=eth0
    FIXED_RANGE=10.4.128.0/20
    FIXED_NETWORK_SIZE=4096
    FLOATING_RANGE=192.168.42.128/25
    MULTI_HOST=1
    LOGFILE=/opt/stack/logs/stack.sh.log
    ADMIN_PASSWORD=labstack
    DATABASE_PASSWORD=supersecret
    RABBIT_PASSWORD=supersecret
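An added check for the local.conf files in 3.1.3 and 3.3 (constructed here, not part of DevStack): it parses the localrc KEY=VALUE lines, derives the usable floating IPs from FLOATING_RANGE (for 192.168.1.224/27 these are .225 to .254, as the bullet list states), confirms FIXED_NETWORK_SIZE matches FIXED_RANGE, and flags the sample passwords so they are replaced before stack.sh runs. The SAMPLE_PASSWORDS set and LOCAL_CONF string are copied from the samples above.

```python
# Sanity-check a DevStack local.conf before running stack.sh.
# Constructed helper, not part of DevStack: reads the KEY=VALUE lines of the
# [[local|localrc]] section, lists the floating IPs FLOATING_RANGE yields,
# checks FIXED_NETWORK_SIZE against FIXED_RANGE and reports placeholder passwords.
from ipaddress import ip_network

# Placeholder passwords from the sample configs in sections 3.1.3 and 3.3.
SAMPLE_PASSWORDS = {"supersecret", "iheartdatabases", "flopsymopsy", "iheartksl", "labstack"}
PASSWORD_KEYS = ("ADMIN_PASSWORD", "DATABASE_PASSWORD", "RABBIT_PASSWORD", "SERVICE_PASSWORD")

def parse_localrc(text):
    """Return KEY -> VALUE, ignoring blank lines, [[section]] headers and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops "# change this per compute node"
        if not line or line.startswith("[["):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def floating_ips(conf):
    """Addresses usable as floating IPs: FLOATING_RANGE minus network and broadcast."""
    return [str(h) for h in ip_network(conf["FLOATING_RANGE"]).hosts()]

def check_localrc(conf):
    """Return the problems found; an empty list means the file is consistent."""
    problems = []
    fixed = ip_network(conf["FIXED_RANGE"])
    floating = ip_network(conf["FLOATING_RANGE"])
    size = int(conf.get("FIXED_NETWORK_SIZE", fixed.num_addresses))
    if size != fixed.num_addresses:
        problems.append(f"FIXED_NETWORK_SIZE={size} but {fixed} has {fixed.num_addresses} addresses")
    if fixed.overlaps(floating):
        problems.append(f"FIXED_RANGE {fixed} overlaps FLOATING_RANGE {floating}")
    for key in PASSWORD_KEYS:
        if conf.get(key, "") in SAMPLE_PASSWORDS:
            problems.append(f"{key} still holds a sample value; generate a unique one")
    return problems

# Constructed copy of the single-node local.conf from section 3.1.3.
LOCAL_CONF = """\
[[local|localrc]]
FLOATING_RANGE=192.168.1.224/27
FIXED_RANGE=10.11.12.0/24
FIXED_NETWORK_SIZE=256
FLAT_INTERFACE=eth0
ADMIN_PASSWORD=supersecret
DATABASE_PASSWORD=iheartdatabases
RABBIT_PASSWORD=flopsymopsy
SERVICE_PASSWORD=iheartksl
"""
```

Running check_localrc(parse_localrc(LOCAL_CONF)) reports the four sample passwords and nothing else; the same function applied to the compute-node file in 3.3 accepts FIXED_NETWORK_SIZE=4096 for 10.4.128.0/20.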
3.3.1 Cleaning Up After DevStack

Shutting down OpenStack is now as simple as running the included unstack.sh script:

    ./unstack.sh

A more aggressive cleanup can be performed using clean.sh. It removes certain troublesome packages and attempts to leave the system in a state where changing the database or queue manager can be reliably performed.

    ./clean.sh

Sometimes running instances are not cleaned up. DevStack attempts to do this when it runs, but there are times it still needs to be done by hand:

    sudo rm -rf /etc/libvirt/qemu/inst*
    sudo virsh list | grep inst | awk '{print $1}' | xargs -n1 virsh destroy
Chapter 4
CONCLUSION

In a single node installation, since all components are installed on a single node, failure of that node may lead to the failure of the entire system. A multi node installation ensures reliable service since it deploys multiple components on multiple nodes. A multi node installation can also be implemented by having multiple copies of components on various nodes, thus ensuring more reliability.