Rackspace Private Cloud v12.2: Hardening OpenStack

Last week, we made generally available the latest release of Rackspace Private Cloud powered by OpenStack.

Version 12.2 is a fast follow to versions 12.0 and 12.1, released in April, and a product of many hours of engineering work and rigorous testing. The Rackspace Private Cloud team focused heavily on addressing requirements from our enterprise customers around stability and security.

As OpenStack gains a further foothold, not only among tech startups but within more traditional companies such as financial institutions and retail firms, requirements like stability and security become ever more critical.

Testing for Enterprise Readiness

Central to creating an enterprise-ready OpenStack cloud is our commitment to rigorous testing. Rackspace, of course, has more experience with this than any other OpenStack provider. The lessons learned from continually testing the world’s largest OpenStack public cloud inform our private cloud testing process. Our testing process is also refined by years of operating some of the world’s largest OpenStack private clouds.

Some details on how we tested RPC v12.2 may be illustrative.

The process began with RPC Engineering taking the upstream OpenStack code and working with the community to test and to fix bugs to get to a stable release. We continue testing with the stable release, filing and tracking bugs and submitting bug fixes. As part of our testing process, we leverage OpenStack projects like Rally and Tempest to execute 1,000+ test cases against RPC v12.2 release candidates. Only when a release candidate has satisfactorily passed that testing process are we then ready to make it generally available to our customers.

Because our testing process is so rigorous, and because we must ensure any release of RPC is fully operational as a managed service, Rackspace will at times take a bit longer to roll out a release after the community has made the latest stable release available. This ensures our customers are successful when we deploy and run the latest version of Rackspace Private Cloud on their behalf.

Liberty Support

Liberty was the 12th release of OpenStack by the community and was made available last October. Having completed the testing process outlined above, Rackspace has now made this release available for customers in RPC v12.2. This means RPC customers receive the benefits of important bug fixes in Liberty, along with improved management and scalability. And it’s all backed by Rackspace Managed Services Support.

Invariably, any new OpenStack and RPC release brings up questions regarding upgradability. Upgrading from one major OpenStack release to another has always been a challenge. In the early days, “upgrading” OpenStack meant deploying a new cloud and migrating all instances and workloads.

Understanding that this is unacceptable for most customers, Rackspace has developed an architecture that upgrades our customers non-disruptively from one release to another, including upgrading from RPC v11.x based on Kilo to RPC v12.2 based on Liberty.

As part of this upgrade process, the Rackspace Engineering team performs multiple upgrade tests from one RPC release to another. When we upgrade a customer’s specific RPC implementation, our Operations team executes a regression test suite at the start of a scheduled upgrade window. Then our team of OpenStack experts upgrades the customer’s cloud to v12.2 and executes our regression testing again. The final step is to compare our pre- and post-regression test results and validate that the upgrade was successful.

Security Hardening

It should be no surprise that security is at or near the top of the list of requirements for any enterprise. Security testing has always been part of what Rackspace does to make RPC enterprise ready. We’ve taken this further in v12.2 by encapsulating the recommended practices for hardening an OpenStack cloud and automating the process of applying these practices to a Rackspace Private Cloud.

This is done by extending the work Rackspace has been doing in the OpenStack-Ansible project and creating a new openstack-ansible-security role that can be applied to any OpenStack cloud deployed using OpenStack-Ansible. Since RPC leverages OpenStack-Ansible, our customers immediately have access to this new capability.

This new role applies a number of security hardening configurations to the Ubuntu operating system RPC runs on, and locks down some common services that previously might have created security gaps. The security role conforms to the federal Security Technical Implementation Guide and is useful for customers who need to meet compliance standards, such as the Payment Card Industry Data Security Standard.

Load Balancer as a Service

One of the most requested OpenStack services has been Load Balancer as a Service, which allows tenants to provision their own software load balancers. Rackspace is making LBaaS available to our customers in RPC v12.2 as a technical preview. This means LBaaS is enabled for customers and they are free to use it.

However, for a number of reasons, including the lack of high availability and certain scalability limits, we do not advise our customers to use LBaaS for workloads that require the load balancer to be highly available and/or that need to scale.

Since high availability and scale are typical requirements for production workloads, we advise customers to use the hardware load balancers that come with every RPC implementation for that purpose. We believe, however, there is value for customers to have access to LBaaS as a technical preview in certain test/dev environments, and so that they can become familiar with the LBaaS APIs. In a future release, we will provide full support for LBaaS, when it is ready, using the same APIs that are available as part of the technical preview.

Rackspace Private Cloud v12.2 is an important release for customers because of the stability and security hardening we provide to OpenStack. V12.2 also gives customers an opportunity to begin mapping out how they may use application-enabling features such as LBaaS, Heat orchestration, and auto-scaling. Throughout July, we will be publishing content to help users better understand RPC and how to use it to enable their businesses.

To read more about RPC v12.2, please go to our Rackspace Document site.

Kenneth Hui was a Senior Technical Marketing Engineer and Cloud Solutions Architect at Rackspace. Ken has 20+ years of experience in the IT industry and is passionate about helping customers with their cloud computing journey. He lives in New York City where he can indulge in his love of great food from all around the world. You can follow Ken on Twitter @kenhuiny.

