With OpenStack Icehouse, CERN Is Closer To Cloud Federation

Federated and interoperable OpenStack clouds are on the horizon, as code development work, led by a CERN research fellow sponsored by Rackspace as part of a CERN openlab project, has been included in the latest OpenStack release, Icehouse.

Since July 2013, Rackspace and CERN openlab have worked together on a joint research and development project to federate OpenStack clouds and get them to work better together. Like Rackspace Cloud Architect Troy Toman noted in his OpenStack Summit Atlanta keynote presentation, the community is working diligently toward cloud federation and it is imperative for the future of OpenStack. The inclusion of code in Icehouse to federate identity in multi-cloud environments is a major milestone and can eliminate isolation among cloud resources.

As CERN IT Infrastructure Manager Tim Bell said: “Federation for CERN is a critical requirement looking forward. By enabling a cloud environment to have federation, then it allows people to take advantage of compute resources in many different centres.”

From here, Rackspace will continue to work with CERN openlab to further enhance federation capabilities. Future work streams include security validation of the identity federation code with help of graduate students from the University of Texas at San Antonio (UTSA) who are conducting important research around open cloud computing in academic environments; and the development of clients to leverage the federation code in Icehouse, which is based on the SAML identity standard. Additionally, work is planned within the image management service, Glance, to also leverage federation to allow images built in one OpenStack cloud to be imported into another. The goal for this project is to showcase cloud bursting between OpenStack private and public clouds at an upcoming OpenStack Summit.

With identity federation, which was developed by CERN openlab fellow Marek Denis as well as other members of the OpenStack community, a private cloud user can manage a multi-cloud environment using only their private cloud sign-in credentials. This capability, along with the planned enhancements to the image service, will enable a user of the CERN OpenStack cloud to spin up an image on its own private cloud and import that image into the Rackspace public cloud and spin it up there using only their CERN credentials – Rackspace will already know their identity credentials due to the federation capabilities built in to OpenStack.

We announced this project at the OpenStack Summit Hong Kong in November, and have continued to make great progress. The inclusion of this federation code into Icehouse enables OpenStack service providers to consume the code and build federated services on the OpenStack platform. It’s also the first step in creating a federated, connected cloud of clouds.

For Rackspace, this has the potential to create an environment where our Rackspace Private Cloud can automatically burst into our public cloud, enabling a true hybrid cloud environment.

Creating the code to federate identity is just a first step. Soon, it will expand in scope to enable the use of resources, authorization models and service catalogs while providing seamless multi-cloud environments across public and private clouds. This will empower CERN to exploit the maximum amount of computing resources and make them available to researchers.

Working with CERN openlab and the OpenStack community, we’re solving the hard problems in OpenStack together. Federation is critical for OpenStack to continue its momentum.

Federated identity is just one accomplishment to come out of our yearlong relationship with CERN openlab. We’re currently examining other areas where Rackspace and CERN openlab can work together, one of which is data analysis and management.

This work reaffirms the importance of federated cloud in academic and research communities, initiatives that Rackspace is working closely with the community to develop and enhance.