Single Control Plane all the Way! Intel IT OpenStack Journey

Intel Confidential — Do Not Forward Single Control Plane all the Way! Intel IT OpenStack Journey Sridhar Mahankali, Cloud Architect, Intel Corporation Greg Bunce, Automation & Integration Lead, Intel Corporation


Post on 31-May-2020


Page 1: Single Control Plane all the Way! Intel IT OpenStack Journey · Geared toward Agile Methodologies, DevOps, and Continuous Integration / Continuous Delivery (CI/CD) & Deployment Capability:

Intel Confidential — Do Not Forward

Single Control Plane all the Way! Intel IT OpenStack Journey

Sridhar Mahankali, Cloud Architect, Intel Corporation

Greg Bunce, Automation & Integration Lead, Intel Corporation

Page 2

Legal Disclaimers

Copyright © 2014 Intel Corporation. All rights reserved

Intel, the Intel logo, Xeon, Atom, and QuickAssist are trademarks of Intel Corporation in the U.S. and/or other countries.

*Other names and brands may be claimed as the property of others.

All products, computer systems, dates and figures specified are preliminary based on current expectations, and are subject to change without notice. Intel® Advanced Vector Extensions (Intel® AVX)* are designed to achieve higher throughput to certain integer and floating point operations. Due to varying processor power characteristics, utilizing AVX instructions may cause a) some parts to operate at less than the rated frequency and b) some parts with Intel® Turbo Boost Technology 2.0 to not achieve any or maximum turbo frequencies. Performance varies depending on hardware, software, and system configuration and you should consult your system manufacturer for more information. *Intel® Advanced Vector Extensions refers to Intel® AVX, Intel® AVX2 or Intel® AVX-512. For more information on Intel® Turbo Boost Technology 2.0, visit http://www.intel.com/go/turbo No computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware and/or software optimized to use the technologies. Consult your system manufacturer and/or software vendor for more information. No computer system can provide absolute security. Requires an Intel® Identity Protection Technology-enabled system, including an enabled Intel® processor, enabled chipset, firmware, software, and Intel integrated graphics (in some cases) and participating website/service. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit http://ipt.intel.com/. Consult your system manufacturer and/or software vendor for more information. No computer system can provide absolute security. Requires an enabled Intel® processor, enabled chipset, firmware, software and may require a subscription with a capable service provider (may not be available in all countries). Intel assumes no liability for lost or stolen data and/or systems or any other damages resulting thereof. 
Consult your system or service provider for availability and functionality. No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Xeon® processor E7-8800/4800/2800 v2 product families or Intel® Itanium® 9500 series-based system (or follow-on generations of either.) Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. For systems also featuring Resilient System Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel processor and enabled technology(ies). Built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. For systems also featuring Resilient Memory Technologies: No computer system can provide absolute reliability, availability or serviceability. Requires an Intel® Run Sure Technology-enabled system, including an enabled Intel® processor and enabled technology(ies). built-in reliability features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries. Requires a system with Intel® Turbo Boost Technology. Intel Turbo Boost Technology and Intel Turbo Boost Technology 2.0 are only available on select Intel® processors. Consult your system manufacturer. 
Performance varies depending on hardware, software, and system configuration. For more information, visit http://www.intel.com/go/turbo Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit http://www.intel.com/go/virtualization

Page 3

Agenda

• Intel IT’s Cloud Transformation & Journey

• Why Intel IT selected OpenStack for its Control Plane strategy

• Intel IT OpenStack Control Plane Status & Plans

• Automation Framework, Workforce Transformation and Call to Action

• Summary

• Q&A

Page 4

2014+ 2012

IT’s Cloud Transformation

2010 2000-2009

Design

Office/Enterprise

Traditional Hosting Mainstream Virtualization

Intel Cloud 1.0 Hybrid Cloud 2.0 Converged Cloud

12% Virtualized 42% Virtualized 75% Virtualized >75%+ Virtualized

90+ Day Provisioning

10 day Provisioning On Demand Compute

On Demand Compute, Network, Storage

Silos of Capacity Pooled Capacity Segmented Clouds Converged Clouds, burst capacity @ 3rd Party

Manual Ticketed Service Request

Manual Ticketed Service Request

Some on demand Request fulfillment

Full Self Service Request fulfillment

Varying Server Reliability

99.7% VM Reliability 99.7-99.9% Availability 99.99% Availability Capable

Public Physical Hosting

Office Cloud

Public

Office/Enterprise /Services

Office/Enterprise /Services

Page 5

Intel IT Cloud Environment Significant changes over past 12-24 months


SaaS

• Very small: limited to specific portfolios

• Big wins in HR apps & activity in CRM and ERP

• Established plan for holistic adoption

• Hosted restricted secret data

• Published SaaS Playbook

PaaS

• Implemented PaaS for Java, .NET + more (CloudFoundry)

• Streamlined app landing process from weeks to days

• New demand from 5-Star

• Open databases gained traction (MySQL, MongoDB)

• Ran “code-a-thons” to train developers to write cloud-aware apps

IaaS

• Evolved from proprietary to open (OpenStack)

• Exceeded 75% virtualized

• Delivered self service compute, storage, network

• Demonstrated burst to public cloud

• Limited consumption of public cloud

• Pioneered DevOps

Approach: Build private cloud & extend to public

Page 6

Hosting Business Goals

Increase Velocity, Zero Downtime, Grow with Flat Budget

Velocity <1hr for VMs

Reduce Incidents Scheduled Downtimes the norm

Sustain Operations

Velocity Idea to Production in <1 day

Zero Downtime “Always On” for Apps/Services

Grow with Flat Budget Increase in Engineer:Server and TB Ratio

Page 7

Intel IT Cloud History & Future Strategy

2009-2014 – Proprietary Hypervisor + Custom Automation Framework to enable IT’s virtualization & self-service objectives

2014-2016 - OpenCloud transitions to the single Control Plane for both Open (OpenStack), Proprietary, & External Provider Hosting Environments

Strategy:

• Architectural Strategy – We will position Open Cloud as the single orchestration platform controlling and abstracting a heterogeneous infrastructure, thereby simplifying our hosting service and increasing IT’s agility and customer TTM

• Grow OpenCloud – Organically as incremental hosting capacity is brought online, through infrastructure refresh, or customer capability requirements; as OpenStack matures we will seek to evaluate and adopt an enterprise-class distribution

Current Future

Page 8

Why Intel IT selected OpenStack for its Control Plane Strategy

Page 9

Why Intel IT Selected OpenStack for its IaaS Control Plane

Velocity:

Yields direct control over the capabilities that business demands and is forward-leaning in terms of application / service development, delivery, and operations

Geared toward Agile Methodologies, DevOps, and Continuous Integration / Continuous Delivery (CI/CD) & Deployment

Capability:

OpenStack automation platform which is defined by its APIs

Provide granular on-demand services which seed innovation by satisfying simple-to-complex use cases to deliver at the pace business demands

Efficiency & Quality:

We leverage the same tool-chain used by the OpenStack community for developing, building, validating, and deploying our data center operating system

Page 10

Single Control Plane Represents Up-Leveling of Consumer Capability

All new VMs are provisioned via common control plane

• Self service Networking, Compute, and Storage

Self-service management of newly provisioned instances

• Stop / Start / Delete VMs

• Snapshot

• Creation / attachment / deletion of volumes

• VM Resizing

• Network Creation & Security Group management

Existing (already provisioned) VMs are also managed via common control plane

• Metadata imported into control plane

• Self service Compute and Storage

Page 11

Intel IT Control Plane Current Status & Plans

Page 12

Internet Facing Internal Facing

Virtual Hosting Environment Overview (~2011)

Non Enclave

Compute

Proprietary Hypervisor

Custom Automation

Proprietary Virtual Switch

Proprietary Storage

Physical Network

Shared Networks

Network Services (LB)

Enclave(s)

Compute

Proprietary Hypervisor

Manual Provisioning

Proprietary Virtual Switch

Proprietary Storage

Physical Network

Network Segmentation

Network Services (LB, FW)

Enclave

Segmented Compute

Proprietary Hypervisor

Manual Provisioning

Proprietary Virtual Switch

Proprietary Storage

Physical Network

Network Segmentation

Network Services (LB, FW, Web App FW)

Page 13

Internet Facing Applications

Internal Facing Applications

OpenStack Based Cloud

Non Enclave

Compute

KVM

OpenStack Control Plane

OVS

Open Source Storage

Physical Network

Shared Networks

Network Services (LB)

DMZ Enclave

Compute

KVM

OpenStack Control Plane

OVS + Proprietary Plugin

Open Source Storage

Physical Network

Coarse Segmentation

Network Services (LB, FW, Web App FW)

Neutron API

Cinder, Swift APIs

Nova API

Proprietary LB API

Image Repository Image Repository Glance API

Page 14

Internet Facing Applications

Internal Facing Applications

Where we are headed in 2014

Non Enclave & Enclave

Compute

Multiple Hypervisors

OpenStack Control Plane

OVS + Proprietary Plugin

Multiple Storage Solutions

Physical Network

Coarse Segmentation

Network Services (LB)

DMZ Enclave

Compute

Multiple Hypervisors

OpenStack Control Plane

OVS + Proprietary Plugin

Multiple Storage Solutions

Physical Network

Coarse Segmentation

Network Services (LB, FW, Web App FW)

Neutron API

Cinder, Swift APIs

Nova API

Proprietary LB API

Image Repository Image Repository Glance API

Murano API

Heat API

Abstract Infrastructure and Simplify User Experience

Trusted Compute Trusted Compute

Page 15

Changing Security Model: Layered Perimeters

Hosting/Datacenter Perimeter

• Control access between DMZ and Public Internet/Private Intranet

• Provides Secure connectivity for internal and external networks

• Terminate “Control plane” Connectivity for off-premise/external hosting

Tenant/Zone Perimeter

• Controls what goes in and out of each zone or tenant

• Administration and manageability

• Network services/Authentication and Authorization

Intra-Zone Segmentation

• Fine/granular segmentation within Zone or Tenant

• Web/App/Database/Cache/Internal load balancing

Defense in Depth

Diversity of Enforcement Points

Scale Out architecture

Page 16

Layered Segmentation Design

[Diagram labels: Internet; Private Enterprise Network; Datacenter Perimeter; Tenant/Zone Perimeter; Intra Zone Segmentation; Dedicated Tenant (apps on VMs over a VMM); Shared Platform (apps on VMs over a VMM); Shared Infra/Hosting Services (hosting services on VMs over a VMM); Infra Services; Security Services; WAF]

Page 17

Hybrid Cloud Strategy

Public Clouds

Internal Network Exclave

IaaS

Smart orchestration layer

• Move apps/data among clouds via policies

• Deliver security, capacity and cost optimization

Two Proof-of-Concepts Underway

Orchestration

Burst

Firewall

On Premise

App Owner/ Developer

PaaS & DBaaS

Page 18

Automation Framework and Workforce Transformation

Page 19

OpenStack is an Inflection Point for Driving Cultural, Workforce, & Business Transformation


Acknowledge and act upon these dimensions:

• Team Structure / Composition

• T-shaped resources, unicorns

• Software Engineering Processes

• Waterfall → Agile

• Workforce Transformation

• Process, tool-centric → Software Engineering, large scale systems administration

• Support Models

• L1, L2, L3 → DevOps (where applicable)

• Metrics scorecard, RED is good!

• Release & Quality Assurance

• Human → Automation

Release Engineering

Test Automation

Continuous Delivery

Continuous Integration

Frameworks: Tools, Methods, & Support

Teams

Scrum / SoS

WFT

Service Management

DevOps

UX

Page 20

Actually Automating Deployment


Source: http://docs.openstack.org/

Our cloud architecture is a complex set of interdependent components that would normally all require manual setup to create a new cloud or modify an existing one.

How do we avoid that to…

… allow continuous improvement of the system?

… instantly create clouds for new demands?

Page 21

Automating Infrastructure Deployment

Continuous Integration and Delivery Require Automated Infrastructure Deployment

We utilize a set of deployment tools to automatically deploy and configure OpenStack-based clouds.

• Facilitates a repeatable deployment of all infrastructure components.

• Reduces the amount of time it takes to deploy a new cloud from weeks to hours.

• Produces mirrored environments that guarantee QA & Integration environments faithfully represent the potential future state of production.


CI

QA Team signs off!

Source: http://puppetlabs.com/blog/continuous-delivery-vs-continuous-deployment-whats-diff

Page 22

Infrastructure CI is ultimately MaaS++

We have three primary infrastructure use-cases for MaaS:

1. Provision and manage IT infrastructure (cloud infrastructure initially, more later)

2. On-demand self-service consumer provisioning and management of IT hosted infrastructure (end-user is able to provision physical devices just as they would provision virtual) for workloads which demand it

3. Management and provisioning of non-IT managed infrastructure in hardware and software lab settings (we provide the capability, they run their business)

Current State Future State

Page 23

Intel Information Technology

Intel Confidential – for internal use only


Wrap Up & QA

Page 24

2014 Focus Areas

Rolling Upgrades – no tenant downtime for resources or services

Connection into ALL existing infrastructure – Single Control Plane

Disaster Recovery between sites for VM tenants

Restart of VM when host fails

Hybrid Cloud enabled through Horizon

Use OpenStack to do traditional work – BaR, Bare Metal Provisioning, LB, FW, and more

Use OpenStack to replace internal code – DBaaS, LBaaS

Page 25

Summary

Our Direction = Federated, Interoperable and Open Cloud

Strong success with our Enterprise Private Cloud (Gen1)

Open Cloud (Gen2) in production

Single Control Plane simplifies our hosting environment

OpenStack Control Plane provides a compelling ‘glide path’ to our end-state vision

Changes required to run cloud at scale

Culture

Skills

Business processes

Technology

Page 26

Intel Confidential — Do Not Forward