Kougyoku
Tuesday, October 27
 

11:15am JST

Paradigm Shift - Leveraging Private Cloud to Encourage Scale and Resiliency at the App Layer
Moving from an era of vertical scaling and infrastructure resiliency to a world where reliability in the infrastructure is not assumed, and application owners must start thinking about horizontal scaling and fault tolerance at higher layers, can be challenging. A deep dive into the best practices for deploying distributed, scalable applications on cloud, where the challenges are, and what solutions scale well.

Hear real world examples of how Comcast stood up an internal private cloud service leveraging OpenStack and Ceph. In less than 3 years the cloud is supporting over 500 internal customers including large scale, high performance applications such as our X1 platform and Residential Email.

A review of what architectures, tools and services work well for large scale stateless applications as well as how smaller apps tackle their deployments. Answers to where and how our apps securely manage state, store data, and plan for failure.

Speakers

Sri Basam

Distinguished Architect, Walmart
Sri is an infrastructure architect at Walmart.

Rick Melick

Walmart Cloud Computing Platform (WC²P), Walmart Stores, Inc.
Accountable for building one of the world’s largest, private, OpenStack, production clouds at this Fortune #1 retailer -- 200,000+ cores. Software Engineering Manager for the team implementing Infrastructure as a Service (Elastic CaaS, STaaS, SDN) on OpenStack for Walmart. Associates...

Andrew Mitry

Sr. Distinguished Engineer, Walmart
Andrew Mitry, senior distinguished engineer at Walmart, currently leads architecture for a team that builds and operates one of the largest private clouds run on OpenStack and Ceph. Mitry coordinates among Walmart's development, engineering and operations teams as well as the OpenStack...


Tuesday October 27, 2015 11:15am - 11:55am JST
Kougyoku

12:05pm JST

Manila and Sahara: Crossing the Desert to the Big Data Oasis
Manila, at its core, provides basic provisioning and management of file shares to users of an OpenStack cloud. The Sahara project provides a framework to expose Big Data services such as Spark and Hadoop. Together these two projects create a solution that is greater than the sum of its parts.

Natural synergy and popular demand led these three teams to develop a joint solution to expose Manila file shares within the Sahara construct to solve real Big Data challenges.
  
This talk serves as a brief introduction to what these two projects encompass as well as a detailed look at the joint integration work that was created involving:

 o      Sahara Data sources
 o      Manila File Shares
 o      Horizon Integration
 o      Sample Workflows
     
 Some administrative enhancements to Manila will also be covered including:

 o   Manila snapshots
 o   NFS Connector for Hadoop
 o   HDFS driver for Manila
 
Finally, a demo will be presented showing a Sahara data processing job running with binaries, data sets, and results hosted in Manila file shares mounted on a Sahara cluster.

Attendees will leave this session with an understanding of Manila and Sahara integrations and tangible use cases where it can be leveraged as a key component of a Big Data application deployment.

Speakers

Jeff Applewhite

Technical Marketing Engineer, NetApp
Jeff Applewhite is a Technical Marketing Engineer with NetApp’s Cloud Solutions Group. Jeff has an extensive background in operations, storage, high availability, and hosting large, distributed applications requiring the strictest Service Level Agreements. Jeff focuses on helping...

Ethan Gafford

Senior Software Engineer, Red Hat, Inc., Red Hat
I'm a lifelong programming hobbyist and open source enthusiast who found my way back to software after starting my career as a Registered Nurse (I originally hoped to segue back into medical software, but fell in love with pure tech.) My background is overwhelmingly centered around...


Tuesday October 27, 2015 12:05pm - 12:45pm JST
Kougyoku

2:00pm JST

OpenStackClient and OpenStack Python SDK
Learn about the newer features of OpenStackClient:

* simplify the experience of communicating with multiple clouds
* operate as a long-running process to eliminate repeated loads/forks as a subprocess
* explore the plugin interface and capabilities exposed
* what changes with the adoption of the Python SDK?

Speakers

Dean Troyer

Senior Cloud Software Engineer
Dean has been working on and around OpenStack from the beginning and before with the original Nova deployment at NASA. He began the OpenStackClient project to provide a consistent command-line interface for the OpenStack APIs. He is currently a Senior Cloud Software Engineer...


Tuesday October 27, 2015 2:00pm - 2:40pm JST
Kougyoku

2:50pm JST

Managing Medical and Health Data With OpenStack, a Wearable Sensor, and Smart Apps
Let's talk about the application workloads and scenarios you can envision on a truly open cloud. What do you think about owning your health data or fitness data? How about running the infrastructure on an OpenStack cloud?

After learning that her eleven-year-old son was diagnosed with Type I diabetes in 2014, Anne began investigating technology to help with the daunting task of living with the day-to-day management of the condition. True story, she found a way to use OpenStack resources to monitor data from his continuous glucose monitor (CGM) to gather not just five data points a day but nearly 300 data points in a 24-hour period.

Hear the story of finding Nightscout, a collection of open source projects that can run real-time monitoring applications on OpenStack clouds.  While the project's original approach to collect the data required an Android phone attached to the CGM receiver, the project now has a REST API for collecting and displaying data. Justin has a family member with Type I diabetes also, and we can compare and contrast the proprietary approach with the open source approach. We can demonstrate the Nightscout web application and iOS app running on a Rackspace Cloud server with node.js connected to a MongoDB database.

While the CGM use cases are medical devices with medical data, we also want to explore consumer data collection such as fitness trackers. Let's discuss the full spectrum of open source and open data in an open cloud.

Speakers

Anne Gentle

Principal Engineer, Rackspace
Anne Gentle works in open source projects with the OpenStack project at Rackspace, using open source techniques for API design and documentation. She ensures the docs.openstack.org site contains relevant and accurate documentation for 20 projects written in Python across 130 git repositories...

Justin Shepherd

Distinguished Architect
As the distinguished architect for Rackspace Private Cloud powered by OpenStack, Justin Shepherd is an ambassador of openness. He is often traveling the globe talking about the powers of OpenStack and private cloud, and has trained numerous companies on deploying and operating OpenStack...


Tuesday October 27, 2015 2:50pm - 3:30pm JST
Kougyoku

3:40pm JST

Building Applications With Swift: Developer On-Ramp
In this session, we will talk about stuff that's going to make developing with Swift easy by offloading the hard problems of storage. OpenStack Swift makes your application better. We can find dozens of storage systems that can do read, write and delete, but the fact that you can use Swift for these advanced features means that you're able to focus on making your app awesome rather than worrying about the hard problems in storage.

We will cover how application developers can take advantage of some of the more advanced features in Swift, including... TempURL, StaticWeb, FormPost, and Static or Dynamic Large Objects among others.
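As an added example (not code from this session, from SwiftStack, or from Swift itself), here is how the TempURL and FormPost signatures listed above are built and checked, using the HMAC-SHA1 scheme Swift's middleware used at the time (newer Swift also accepts sha256/sha512 digests, prefixed with the algorithm name). The key, account and object path are constructed placeholders; on a real cluster the key is whatever was set with the X-Account-Meta-Temp-URL-Key header. The security-relevant details it makes visible: the HTTP method and the exact object path are bound into the signature, expiry is checked before the HMAC is compared, and the comparison is constant-time.

```python
"""Swift TempURL / FormPost signing and verification (added example).

Key, account and path below are constructed sample values, not real ones.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed sample values. A real key is whatever the account or container
# owner set via X-Account-Meta-Temp-URL-Key / X-Container-Meta-Temp-URL-Key.
TEMP_URL_KEY = b"constructed-example-key"
OBJECT_PATH = "/v1/AUTH_demo/reports/q3.pdf"


def temp_url_signature(key: bytes, method: str, expires: int, path: str) -> str:
    """TempURL signature: hex HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH".

    Because the method is inside the message, a GET signature cannot be
    replayed as a PUT or DELETE, and a signature for one object does not
    open any other object.
    """
    message = f"{method.upper()}\n{expires}\n{path}".encode()
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def make_temp_url(key: bytes, method: str, path: str, lifetime_s: int,
                  now: Optional[int] = None) -> str:
    """Return PATH?temp_url_sig=...&temp_url_expires=... valid for lifetime_s."""
    expires = int(time.time() if now is None else now) + lifetime_s
    sig = temp_url_signature(key, method, expires, path)
    return path + "?" + urlencode({"temp_url_sig": sig, "temp_url_expires": expires})


def verify_temp_url(key: bytes, method: str, path: str, sig: str,
                    expires: int, now: int) -> bool:
    """The check the receiving side performs: reject expired links first,
    then recompute the HMAC for *this* method and path and compare in
    constant time so the key cannot be recovered through timing."""
    if expires < now:
        return False
    expected = temp_url_signature(key, method, expires, path)
    return hmac.compare_digest(expected, sig)


def formpost_signature(key: bytes, path: str, redirect: str, max_file_size: int,
                       max_file_count: int, expires: int) -> str:
    """FormPost signature: hex HMAC-SHA1 over the five hidden form fields
    (path, redirect, max_file_size, max_file_count, expires) joined by
    newlines. Browsers can then upload directly to Swift within those
    limits without ever holding the account credentials."""
    message = f"{path}\n{redirect}\n{max_file_size}\n{max_file_count}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha1).hexdigest()


if __name__ == "__main__":
    # A ten-minute download link for the sample object.
    print(make_temp_url(TEMP_URL_KEY, "GET", OBJECT_PATH, 600))
```

The expiry is an absolute Unix timestamp, so the clock on the signing host matters; keep lifetimes short, and remember that anyone holding the URL can use it until then, since Swift has no per-URL revocation short of rotating the key (which invalidates every outstanding link signed with it).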

Speakers

Clay Gerrard

Sr. Software Engineer
Clay Gerrard is a Sr. Software Engineer at SwiftStack. SwiftStack is a technology innovator of private cloud storage for today’s applications, powered by OpenStack Swift. Clay was part of the original development team at Rackspace that created Rackspace Files, which became the Swift...

Doug Soltesz

Senior Product Manager
Doug is currently a Senior Product Manager at SwiftStack and has over 15 years of experience working in Information Technology. Prior to joining SwiftStack, Doug was VP of IT at Budd Van Lines. Doug has been recognized and received innovation awards in the areas of green initiatives...


Tuesday October 27, 2015 3:40pm - 4:20pm JST
Kougyoku

4:40pm JST

Effective IoT system on OpenStack
IoT is one of the biggest topics in IT system today.  In this session, we will discuss how we can achieve an effective IoT system on OpenStack.

Firstly we'll describe IoT use cases, and summarize some generic requirements for IoT backend.  Secondly, we'll present our reference design of IoT backend on OpenStack IaaS.  Finally, we'll discuss the result of fit and gap analysis of OpenStack itself as a platform for IoT backend.

This session includes the following items.

What kind of components we need to enable IoT backend
How to design and create network model to gather up all data from distributed sources
How to support flexible data gathering, storing and processing of massive data
How to achieve the multi-tenancy required for an IoT platform

Speakers

Takashi Kajinami

Platform engineer, NTT DATA
Takashi Kajinami is a platform engineer at NTT Data since 2012, who has worked on the private cloud storage construction, with OpenStack Swift and Sheepdog. He is recently interested in IoT system, container technologies and the automation of system operation.

Hiroshi Miura

Manager, NTT DATA Corporation
Mr. Hiroshi Miura is an experienced speaker in the areas of Linux, Python, OSS education and OpenStreetMap. He has given presentations and panel sessions including LinuxCon 2010, PyConJP 2011, LinuxCon 2012, Enterprise User Meeting 2013. He is now providing professional services to customers...


Tuesday October 27, 2015 4:40pm - 5:20pm JST
Kougyoku

5:30pm JST

The Real Slim Shade
I'm slim shade yes I'm the slim shade all you other slim shades are just imita ... ok, so the joke only makes it so far before the rhyming breaks horribly.

The OpenStack Infra project is one of the largest and most active OpenStack End Users in existence. As a result, we've learned just about everything about how OpenStack operates for consumers, the ways it can fail and the way different clouds diverge. We've encoded all of that learning in a library called 'shade' which wraps the OpenStack clients in the business logic needed to get your work done. shade is currently at the heart of Infra's nodepool project, which is the program that provides a pool of nodes across multiple public clouds so that everyone's OpenStack test jobs can run, as well as the new OpenStack modules that are in the Ansible 2.0 release.

In this talk, we'll talk briefly about the motivation for and challenges of writing shade - but we'll mostly talk about how to use it to get stuff done. In the process, there may be some ranting about things which could work better but don't.

I do not promise to not rap.

Speakers
Monty Taylor


Tuesday October 27, 2015 5:30pm - 6:10pm JST
Kougyoku
 
Wednesday, October 28
 

11:15am JST

Could You Please Pass Me the PaaS?
You have got your IaaS cloud up and running, but are your developers happy? Has your IaaS forced your developers to also become agile sysadmins? At Symantec, we want our cloud developers to remain developers, and this means abstracting away the complexities of compute, storage and networking details so they can instead focus on actual software development.

After we built our OpenStack cloud at Symantec, our next logical step was to build a Platform as a Service to provide even more automation and streamlining of our customers’ experience. In this talk, we will share our experience and lessons learned in building a unified customer-facing PaaS solution around our OpenStack cloud.

Some of the topics we will cover are:

  • The results of our evaluation of different PaaS platforms that are out there like Cloudfoundry, Openshift and Deis

  • Potential design architectures to use when building your own PaaS from scratch

  • Adding multi-tenancy to your PaaS

  • Benefits of running on both containers and VMs


Speakers

Miguel Zuniga

Director of Engineering, Mirantis
Experienced technical lead, who during his past 10 years in the field has worked with physical, virtual and cloud technologies. He is a supporter of all open source projects and an evangelist of using open source tools. He is now a member of Symantec's Cloud Platform Engineering, leading...


Wednesday October 28, 2015 11:15am - 11:55am JST
Kougyoku

12:05pm JST

Your First C# App on OpenStack
Do you know C#? Want to learn how to write a scalable cloud application using an OpenStack SDK? Come to this presentation!

We will discuss how you can use OpenStack.NET to
*    Create and destroy compute resources.
*    Scale available resources up and down.
*    Use Object and Block storage for file and database persistence.
*    Make cloud-related architecture decisions such as turning functions into micro-services and modularizing them.

Speakers

Tom Fifield

OpenStack community manager
After working on scalability in computing at particle physics experiments like ATLAS at the Large Hadron Collider, Tom led the creation of a cloud designed for the publicly-funded research sector in Australia. It currently serves thousands of researchers directly, using many datacentres...

Bo Liang

Product Manager
Liangbo is a Product Manager in the 99cloud OpenStack Infrastructure group. He has been working with OpenStack as a cloud platform for more than three years.


Wednesday October 28, 2015 12:05pm - 12:45pm JST
Kougyoku

2:00pm JST

The Good, The Bad, and The Ugly of the OpenStack APIs: An Application Developer's View
On one hand, OpenStack is quite promising with open APIs, open-source reference implementation with extensible plug-in architecture to support different implementations. On the other hand, it is a nightmare for software developers building enterprise-grade distributed applications on-top-of OpenStack i.e., using only APIs available to users/tenants.  Such applications need to be elastic (scale-out and scale-in as loads fluctuate), highly-available (several 9's of availability), and support high throughput (several Gbps of traffic). Unfortunately, many of the primitives available in the physical infrastructure to be able to build such services are either non-existent or available via ad-hoc extension APIs at the virtual infrastructure layer in OpenStack implementations.


The Good (examples):

  • Nova's CRUD API for VMs: The basic VM creation and deletion with several options are pretty solid APIs in OpenStack, and this allows an application orchestration engine to easily scale-out and scale-in the app VMs as needed. The placement options exist, albeit a bit restricted.

  • Neutron's CRUD API for networks, ports, routers, subnets: Neutron's abstractions of networks, ports, routers, and subnets make it easy for an application orchestration engine to connect VMs to the right networks for creating multiple app tiers with proper isolation.

The Bad (examples):

  • No notification APIs from OpenStack services such as Nova, Neutron, Glance, and Keystone: There is no way for the application orchestrator process to detect rebooted/deleted/dead application VMs or ports in a timely manner. The only option is to check periodically.

  • Security groups API mess: Depending on whether Nova or Neutron is implementing the security groups, the semantics of the APIs are different!!

  • Network performance: The reference implementation's stack is too complex (layers of different bridges connected by veth pairs, iptables with resource-intensive nf_conntrack) with multiple bottleneck locations. And different vendors' plugins have a myriad of other limitations.

The Ugly (examples):

  • Too much restriction on network connectivity without exposing proper APIs to customize: For example, source IP address spoofing is not allowed even in a local network, whereas that is an essential primitive for building highly available services. Ad-hoc Neutron extension APIs such as allowed-address-pairs and port-security alleviate this, but not being part of the core APIs means there is no guarantee that they are available everywhere.

  • Semantics of APIs left to the interpretation of plugins: For example, in the physical world, all servers connected to a switch can communicate at L2 without any restriction. However, with all of the Neutron plugins, there is one restriction or another imposed that is not explicitly indicated (for example, can't have multiple fixed IPs on a port, can't have the same IP on two ports, etc.)


Speakers

Praveen Yalagandula

OpenStack Architect, Avi Networks
Praveen Yalagandula is the OpenStack Architect at Avi Networks, responsible for designing and developing the integration of Avi Networks’ Cloud Application Delivery Platform with OpenStack infrastructure services. At Avi, Praveen also leads the application performance visibility...


Wednesday October 28, 2015 2:00pm - 2:40pm JST
Kougyoku

2:50pm JST

Using Terraform With OpenStack
Terraform is an open source tool that enables users to declaratively design infrastructure and have those designs materialize into working components. It is useful for developers who want to create or manage IT architectures across multiple clouds.

OpenStack support was added to Terraform earlier this year, enabling users to deploy cloud-based infrastructure inside the OpenStack clouds.

This session will cover the following topics:

  • What Terraform is

  • How to write a Terraform configuration

  • Using Terraform with OpenStack

  • Terraform and OpenStack internals


No prior knowledge of Terraform is required to attend. By the end of the session, you'll be ready to start deploying cloud infrastructure inside OpenStack using Terraform.
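The configuration below is an added example for this session (it is not material from the talk, from Cybera, or from Terraform's own documentation): a minimal OpenStack deployment written in the Terraform 0.6 syntax that was current in 2015. It also picks up the allowed-address-pairs point from the earlier "Good, Bad, Ugly" session on this track: a Neutron port that is permitted to answer for a shared VIP, which is what keepalived-style failover needs under Neutron's anti-spoofing rules. Assumptions: the auth URL, network id, VIP, admin CIDR, image and flavor names are placeholders; the password is supplied through the OS_PASSWORD environment variable rather than written into the file; and the provider build is one that supports allowed_address_pairs on openstack_networking_port_v2. Since that extension is not core Neutron (the earlier talk's complaint), a cloud without it will reject the port resource at apply time.

```hcl
# Added example, not from the session. Placeholders: auth_url, network_id,
# vip, admin_cidr, image and flavor names. Password is read from OS_PASSWORD.

provider "openstack" {
  auth_url    = "https://keystone.example.com:5000/v2.0"
  tenant_name = "demo"
  user_name   = "demo"
  # No "password" argument on purpose: the provider reads OS_PASSWORD from the
  # environment, so the secret never lands in version control.
}

variable "network_id" {}                              # tenant network for the nodes
variable "vip"        { default = "10.0.0.100" }      # shared address for failover
variable "admin_cidr" { default = "203.0.113.0/24" }  # where SSH may come from

resource "openstack_compute_keypair_v2" "ops" {
  name       = "ops-key"
  public_key = "${file("ops-key.pub")}"
}

# SSH only from the admin network, HTTPS from anywhere. Never 0.0.0.0/0 on 22.
resource "openstack_networking_secgroup_v2" "web" {
  name        = "web"
  description = "web tier"
}

resource "openstack_networking_secgroup_rule_v2" "ssh" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "${var.admin_cidr}"
  security_group_id = "${openstack_networking_secgroup_v2.web.id}"
}

resource "openstack_networking_secgroup_rule_v2" "https" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = "${openstack_networking_secgroup_v2.web.id}"
}

# Two nodes, each on an explicit Neutron port. allowed_address_pairs tells
# Neutron that traffic from the VIP is legitimate on this port; without it,
# port-security drops the VIP's packets as spoofed and the failover pair
# silently never works.
resource "openstack_networking_port_v2" "web" {
  count              = 2
  name               = "web-${count.index}"
  network_id         = "${var.network_id}"
  admin_state_up     = "true"
  security_group_ids = ["${openstack_networking_secgroup_v2.web.id}"]

  allowed_address_pairs {
    ip_address = "${var.vip}"
  }
}

resource "openstack_compute_instance_v2" "web" {
  count       = 2
  name        = "web-${count.index}"
  image_name  = "ubuntu-14.04"
  flavor_name = "m1.small"
  key_pair    = "${openstack_compute_keypair_v2.ops.name}"

  network {
    port = "${element(openstack_networking_port_v2.web.*.id, count.index)}"
  }
}
```

Run `terraform plan` before `terraform apply` and read the plan for the two secgroup rules: the plan is the place to catch an accidental 0.0.0.0/0 on port 22 before it exists. Keeping the port as its own resource, rather than letting Nova create it implicitly, is what makes the allowed-address-pairs setting and the security group assignment explicit and reviewable.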

Speakers

Joe Topjian

Vice President, Technology, Cybera
Joe currently lives in Alberta, Canada, building and automating clouds for Cybera. Joe is also a co-author of the OpenStack Operations Guide and is an active member of the OpenStack Operators community.


Wednesday October 28, 2015 2:50pm - 3:30pm JST
Kougyoku

3:40pm JST

Securing the Fortress With Barbican at Symantec
TLS keys, disk encryption keys, and service passwords are examples of sensitive data that needs to be kept away from prying eyes, yet still needs to be readily available to automated processes. Storing passwords and secrets in config files in your version control system potentially exposes that data to actors who shouldn’t have it. Barbican provides a secure repository to store such data and the controls to ensure only authorized users can get to that data.

As part of Symantec’s enterprise cloud initiative, we are deploying Barbican to handle not only our own OpenStack Key Management needs, but also as a Key Management as a Service option for our product groups. Our journey with Barbican has been fraught with challenges and in this talk, we will share our experience and lessons learned along the way.

Some of the topics to be covered:

  • Our use cases for Barbican

  • How we’ve deployed Barbican

  • Operationalizing Barbican

  • Our practices and lessons learned


Speakers

Jason Fritcher

Principal Infrastructure Engineer, Symantec
Jason Fritcher is an Infrastructure Engineer in Symantec's Cloud Platform Engineering group who works on using Barbican to bring improved security to their OpenStack cloud. He has nearly 20 years of experience working in operations, development and security roles, building and running...



Wednesday October 28, 2015 3:40pm - 4:20pm JST
Kougyoku

4:40pm JST

Secure Your OpenStack Infrastructure
Balancing needs of security and scale for an elastic cloud is tricky if not downright impossible. How do you roll out agile, self service Platform as a Service (PaaS) application clouds while in parallel ensuring protection for OpenStack API end points from DDoS attacks, separation of tenant and provider networks, perimeter endpoint security plus satisfy compliance requirements such as encryption in-flight and at rest?

This session will cover security at scale without dependence on existing technologies and tools like 5-tuple matching and iptables. Come learn:

  • How you can achieve regulatory compliance on a per-tenant basis

  • How separation of tenant and provider networks can be done while simultaneously satisfying both parties' security requirements

  • How to leverage next generation firewalls for intrusion detection and host quarantine

  • How to protect OpenStack API endpoints - for example Nova and Swift - from DDoS attacks that overrun the database

Speakers

Rick Kundiger

Rick Kundiger is a former U.S. Government data center architect with 15 years of experience. While there Rick designed and deployed various IT systems throughout the world and travelled throughout Asia, Europe, Africa and the Middle East. Rick began working with OpenStack and Software...

Pere Monclus

CTO
Before co-founding PLUMgrid, Pere was a Distinguished Engineer at Cisco Systems in the Research and Advanced Development team, where he led innovation in the areas of cloud, security and converged infrastructure. Prior to that, he was responsible for the architecture and technology...


Wednesday October 28, 2015 4:40pm - 5:20pm JST
Kougyoku

5:30pm JST

OpenStack Federation: Past, Present, and Future (Panel)
Allowing implementors to “trust but verify” OpenStack clouds makes federation work.  This is done through SAML & Keystone's federation support for multiple OpenStack clouds. But what about audit data? How can you verify that the events emitted from a cloud service provider are true? And what about keys & secrets? How can you verify that the keys you have in your private cloud are being used by a cloud service provider correctly & securely?

This session looks at what federation use cases have been delivered in previous releases, what is currently being worked on, and the use cases left to help ease the experience of cross-cloud operations. We provide a brief overview of the standards-based CADF (Cloud Auditing Data Federation) audit format that has been adopted by the OpenStack community. We then discuss enhancements that are being added across OpenStack projects beyond Keystone to support federation and audit capabilities. Finally, we discuss future enhancements that are needed to maximize the consumability of OpenStack federated cloud support.

Speakers

Steve Martinelli

Senior Software Developer, IBM, IBM Canada Ltd.
Steve Martinelli is an OpenStack Active Technical Contributor and a Keystone Core Contributor. He primarily focuses on enabling Keystone, which is OpenStack's Identity Manager, to better integrate into enterprise environments. Steve was responsible for adding Federated Identity and...

Douglas Mendizábal

PTL Barbican, Rackspace
Douglas is a Racker, and the current PTL for the Key Management (Barbican) project. Before being involved in OpenStack, Douglas was a software development consultant specializing in secure development of mobile and web applications. Douglas also helps organize the Alamo City Python...

Joe Savak

Senior Product Manager, Rackspace
Joe Savak is a Senior Product Manager over Integration Services at Rackspace. In his current role, he oversees products designed to connect all-the-things and deliver optimal and secure user-experiences for customers. 

Brad Topol

Distinguished Engineer, IBM
Dr. Brad Topol is an IBM Distinguished Engineer leading efforts focused on Open Technologies and Developer Advocacy. In his current role, Brad leads a development team focused on contributing to and improving Kubernetes and several other cloud native open source projects. Brad is...


Wednesday October 28, 2015 5:30pm - 6:10pm JST
Kougyoku
 
Thursday, October 29
 

9:00am JST

Make Keystone The Center Of Universe - How eBay Uses it in Multi-security Zones
We will share our experience with global Keystone here at eBay, addressed through real questions:

The instances running in the production environment have a different security level than the ones running in the development environment. Projects located in highly secured zones require 2FA (two-factor authentication) to authenticate, while others use password credentials. We also introduced a more secure authentication method for service access, API Key, which restricts not only which project it is granted access to but also where the key can be used. The dynamic project-based policy makes that happen and is easy to use and configure. We will take a deep look at it as well.

We also isolate the controlling services from the production services into the secured control plane. We enhanced Keystone into a fully armed IAM (Identity & Access Management) and integrated all the control plane services with it.

We will also share our experience on how to reduce the PKIZ token size, since for a global Keystone the token size grows per region.

  • eBay multi-environment security model

  • Filling the gap between Keystone and a generic IAM

  • The answer to more secure service access - API Key

  • Dynamic Project Based Policy for API Key authentication & management

  • eBay global Keystone journey

  • Make the token smaller!

Speakers

Subbu Allamaraju

Vice President, Expedia Inc.
Subbu is the Chief Engineer of cloud at eBay Inc. His team builds and operates a multi-tenant geographically distributed OpenStack based private cloud. This cloud now serves 100% of PayPal web and mid tier workloads, significant parts of eBay front end and services, and thousands...

Xiaogang Xin

Cloud Engineering Manager 云工程师经理, eBay
Xiaogang Xin is the manager of the eBay Cloud team. He has worked in the infrastructure cloud area for many years, with deep understanding of Kubernetes and its enterprise-level transformation. He is currently responsible for large scale Kubernetes cluster DevOps at eBay which host complex...


Thursday October 29, 2015 9:00am - 9:40am JST
Kougyoku

9:50am JST

Enhancing OpenStack FWaaS to Address Real World Business Needs
Firewall as a Service in OpenStack requires several improvements for real-world deployment. In this talk we will share ideas that improve Performance of firewalls and enhance OpenStack FWaaS by supporting capabilities like Scheduling and Logging.

This session will include a Demo of the work in progress.

Blueprints


Performance
The current version of FWaaS configures iptables rules in a sub-optimal way. The proposed solution aims at segregating the rules dynamically and pushing only the relevant rules to iptables.

Scheduling
One of the value-added features of firewalls, used by most network admins, is the ability to schedule policies with a specific periodicity and time interval. The proposed solution aims at enhancing the FWaaS Horizon UI and Neutron plugin to enable tenants to schedule firewall policies.

Logging
The current proposal aims at enhancing the FWaaS and enable logging on the firewall policies. The logs generated can be redirected to a Syslog server and can be analyzed by tools like Splunk.

Speakers

Chandan Dutta Chowdhury

Tech Lead - Juniper Networks

Sarath Chandra Mekala

Tech Lead - Juniper Networks

Sriram Subramanian

Director - Software Engineering, Juniper Networks
Author - OpenStack Networking Cookbook


Thursday October 29, 2015 9:50am - 10:30am JST
Kougyoku

11:00am JST

Sentinel: A Platform for Fine-grained Application Security on OpenStack
In this talk, we present Sentinel, a platform providing fine-grained security to applications running on OpenStack. Sentinel is currently being used at web-scale within eBay to secure applications across multiple OpenStack clusters.

Sentinel provides a robust policy-declaration model to represent applications and inter-application dependencies, a highly-scalable policy engine to translate the policies into enforcement rules, a policy agent that applies the rules on endpoints automatically, and monitoring & auditing capabilities. The highly-scalable design of the policy engine enables rapid deployment of rules on hundreds of thousands of VMs deployed on multiple OpenStack clusters.

The talk will be organized as follows:

  • Overview of the cloud architecture at eBay

  • Architecture of Sentinel

  • Policy declaration model

  • Policy enforcement methodology, optimizations 

  • Integration with OpenStack

  • Automatic service-dependency discovery

  • Monitoring, auditing and real-time visualization

  • Comparison with OpenStack congress and OpenStack Firewall-as-a-Service (FWaaS) 

  • Challenges


About eBay Inc.: eBay Inc. enables commerce by delivering flexible and scalable solutions that foster merchant growth. eBay Inc. properties include eBay Market Places, eBay Enterprise and StubHub. eBay Marketplaces delivers one of the world's largest online Marketplaces to customers. With more than 149 million active users globally, eBay is one of the world's largest online Marketplaces with more than 700 million items listed on its site.


Thursday October 29, 2015 11:00am - 11:40am JST
Kougyoku

11:50am JST

Real World DevOps Experience and Demo Delivering a Trusted and Secure OpenStack Cloud
Trusted Platform Module / Trusted Execution Technology (TPM/TXT) provides advanced hardware-based security, a root of trust, geo-tag location, and helps deliver compliance reporting. However, integrating TPM/TXT into OpenStack is not for the faint of heart and requires changes to your cloud DevOps.

This session will review our experience, tips and tricks, and provide a live demo on how to accomplish this and reap the benefits of secure cloud. The demo will cover the geo location feature and hardware based trust feature that ensures your workloads are operating within boundary controls and on integrity measured trusted hosts. 

This session is for IT Operations, Sys-Admins, Architects and anyone interested in learning about the IT industry’s advanced hardware security root of trust delivered in OpenStack policy better for the future. This talk is strictly about what is available today, utilities to make operators’ jobs better and what you can do about it.

Speakers

Raghu Yeluri

Sr. Principal Engineer, Intel
Raghu Yeluri is a Sr. Principal Engineer and lead Security Architect in the Data Center Group at Intel Corporation with focus on confidential compute in cloud native, containerized deployments leveraging hardware-based security. In this role, he drives security solution architecture...


Thursday October 29, 2015 11:50am - 12:30pm JST
Kougyoku

1:50pm JST

Unraveling Docker Security: Lessons From a Production Cloud
Whether you are integrating Docker containers into an existing cloud or building out a multi-tenant cloud implementation using Docker, it can be a significant challenge to ensure proper security is in place. In this session, we will unravel the various threads of security topics that all come together to provide properly configured security and isolation for Docker containers. Many of our findings are based on our experience in building and securing the IBM Container service, based on Docker technology on top of an OpenStack IaaS. Topics include:
  • Usage and threat model
  • Implications of sharing the kernel with the host
  • How user namespaces provide isolation from the root user on the host
  • Docker engine configuration for security, and its limitations for preventing fork bombs, file bombs and DoS
  • Security features and issues for the Docker registry
  • The Docker API and its lack of multi-tenancy capabilities

Speakers
Salman Baset

Research Staff Member
Salman Baset is working as a Research Staff Member at IBM T. J. Watson Research Center. He received a PhD in Computer Science from Columbia University. His recent work at IBM has been focused on Docker security and designing, building, and securing IBM Containers. Presently, he also...
Stefan Berger

Senior Technical Staff Member, IBM Corporation
Stefan Berger works at IBM Research. His focus is on cloud security, virtualization security, trusted computing and more recently on security for containers. He is actively involved in several open source projects related to Linux virtualization, Linux containers, as well as the Linux...
Phil Estes

Principal Engineer, AWS
Phil is a Principal Engineer for Amazon Web Services (AWS), focused on core container technologies that power AWS container offerings like Fargate, EKS, and ECS. Phil is currently an active contributor and maintainer for the CNCF containerd runtime project, and participates in the...


Thursday October 29, 2015 1:50pm - 2:30pm JST
Kougyoku

2:40pm JST

Finally FDE - OpenStack Full Disk Encryption and Missing Pieces
Let's encrypt all the things!

Well, let's not, that's silly - but there are a lot of smart things we can encrypt; some of them require shiny hardware, but quite a lot can be done through the clever application of existing software.

In this talk Robert proposes a two tiered encryption model to be applied to an OpenStack deployment.

Foundational - Full Disk Encryption. Encrypting everything on disk is non-trivial when managing large datacentres full of gear. In fact, the complexity of this task normally makes it prohibitive unless using hardware-based solutions. At HP we have developed a new way to approach this problem. It makes Linux Full Disk Encryption pretty painless, scales beautifully and finally does away with retroactive "log in and type the key" systems that are just plain horrible. We will peek beneath the covers of this solution and share the code with the community so that we can all deploy full disk encryption at scale in a reliable and safe way.

OpenStack Native - Cinder, Nova and Swift all have native encryption capabilities in the pipeline. During this section of the talk we review their progress and discuss when they can be integrated into running production clouds to create a multi-layered encrypted cloud.

Combining these technologies protects everything on disk from accidental loss or compromise while also cryptographically separating tenant data on disk - both have been strong asks for OpenStack for a long time.

In addition, we will introduce Project Marshal.

Project Marshal is an open source implementation of an agent that provides the missing piece of the puzzle for volume encryption. Using the Barbican client API, it allows running virtual machines to access secrets stored in Barbican to use encrypted volumes with tenant-managed keys.

We'll cover:
- What is project “Marshal”?
- What are its features, claims, and roadmap?
- Where can I get the code?
- How can I help set priorities and contribute to Marshal?

Speakers
Robert Clark

Lead Security Architect, HP
Robert is an HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and...
Dave McCowan

Technical Leader, OpenStack@Cisco, Cisco Systems
Dave McCowan leads security initiatives of the OpenStack team at Cisco. He is an OpenStack contributor to the Barbican project.
Arvind Tiwari

Technical Leader, Engineering, Cisco
Arvind Tiwari is a Technical Leader in the CTO Group of Cisco Intercloud Services. In his current role, Arvind is responsible for helping Cisco Intercloud teams on Identity, Security, Access Management, and Federation efforts. He is also involved in multiple initiatives to make...


Thursday October 29, 2015 2:40pm - 3:20pm JST
Kougyoku

3:30pm JST

OpenStack Neutron FWaaS Roadmap
The FWaaS project has been present since the Havana release. There was serious discussion at Vancouver on what its trajectory should be and on feature priorities. As a community, we have been gathering input from operators and users to see what they would like to see happen, and prioritizing in order to present the next steps and direction. We are also looking at the intersection with Security Groups. We will present the use cases, models and plan, and welcome feedback.

Speakers
Susanne Balle

Cloud Architect, Intel
Susanne is a Senior Principal Engineer at Intel in the SDI/Cloud Architecture and Pathfinding group. She has been involved in OpenStack in various projects since the Essex OpenStack summit. Her current interests are Networking and Networking Advanced Services such as LBaaS, Octavia...
German Eichberger

Principal Cloud Software Engineer, HP
German Eichberger is a Principal Software Engineer with HP and Co-PTL of OpenStack Octavia. He earned a Master's degree in Computer Science from the University of Karlsruhe. His interests are Cloud, SDN, and Microservices.
Vishwanath Jayaraman

Software engineer, Self employed
Sridar Kandaswamy

Technical Leader, Cisco Systems
Sridar Kandaswamy is a Technical Leader in the OpenStack team at Cisco Systems Inc. In his past life, he used to work on Switching & L4 - L7 services (the physical kind). He has primarily been working with FWaaS in OpenStack from its inception in Havana.
Sameer Satyam

Product Manager, Cloud Networks, Rackspace


Thursday October 29, 2015 3:30pm - 4:10pm JST
Kougyoku

4:30pm JST

Inserting Advanced Network Security in OpenStack Clouds
OpenStack-based private cloud environments deliver a variety of benefits to users with respect to flexibility, automation, and cost. The volume of traffic generated within OpenStack clouds, especially intra-VM (east/west) traffic, is enormous, continues to increase, and is not inspected or secured by current perimeter-focused security appliances and solutions. Visibility into this network traffic, and the ability to apply security controls including deep packet inspection where needed within the private cloud, is of high importance to organizations considering next-generation cloud architectures including OpenStack. As high-profile security breaches continue to make headlines and elevate data center security to a board-level concern for organizations, implementing proper network security within OpenStack will become vital to the continued success of the OpenStack project.

Companies, including both small startups and larger established security players, have begun to tackle this challenge by introducing concepts and products related to the micro-segmentation of networks that rely heavily on network virtualization platforms, in some cases in proprietary infrastructure contexts. In the OpenStack world, Neutron security groups and ACL controls provide a form of some of the micro-segmentation functionality available on other virtualization infrastructure platforms. Through its openness, OpenStack and its APIs have paved the way for the integration of third-party software-defined networking (SDN) controllers such as Midokura MidoNet that provide more complete micro-segmentation capabilities and enable the dynamic insertion of distributed virtual advanced network security services such as network IPS or next-generation firewall.

This presentation will introduce the motivation for, challenges in, and concepts involved in securing OpenStack private cloud network environments. We will start with a description of the problem space, namely east/west or intra-VM traffic within the data center. We will then discuss how to think about developing a solution to this problem, including high-level requirements. This will touch on topics including virtual security function orchestration, service insertion, and policy mapping. Finally, we will discuss a partnership and technology integration between Intel Security and Midokura that brings advanced network security service insertion to OpenStack environments.

Time permitting, a demonstration may be provided showing the joint solution deploying an open source Snort appliance (IPS) and seamlessly inserting it into a MidoNet-controlled network to protect workload VMs from being attacked by neighboring VMs on the same network.

Speakers
Pino de Candia

CTO, Chief Architect, Midokura
As CTO, Pino is responsible for Midokura's technical innovation and the evolution of its flagship technology MidoNet. Pino de Candia joined Midokura as a Software Engineer in 2010. He built the early versions of MidoNet, led the Network Controller team as engineering lead and the Architecture...
Jacob Sendowski

Product Manager, Intel Security Group
Jacob Sendowski is a Product Manager in the Intel Security group focusing on security solutions for the Software Defined Data Center and private clouds. At Intel, he has held positions as a researcher within Intel Labs and an associate at Intel Capital. Jacob holds a Ph.D. in Electrical...


Thursday October 29, 2015 4:30pm - 5:10pm JST
Kougyoku

5:20pm JST

Protecting Hybrid Cloud Environments From Being Breached
Every week we hear about more organizations being breached. Whether it is healthcare organizations like Anthem, financial institutions like JP Morgan Chase, content providers like Sony Pictures Entertainment, or government institutions like the US Office of Personnel Management, it seems no one is invulnerable. Adjacent to this frustrating trend is a total upheaval of the enterprise technology stack in the datacenter. The datacenter has now evolved into a private cloud, and enterprises are interested in offloading some of those workloads to the public cloud for cost-efficiency purposes. Hence the emergence of the hybrid cloud.

The hybrid cloud presents unique security challenges that haven't existed before. With workloads moving between public and private clouds, across OpenStack environments and potentially in containers, how is an enterprise IT team supposed to protect their data and their company, from being breached? Is it even possible?

FlawCheck believes data protection is not an insurmountable problem. But as technology changes and threats change, protection strategies and solutions also need to change. In this presentation, we'll cover the risks associated with hybrid cloud environments, with a particular emphasis on malware, vulnerabilities, remediation management of hybrid cloud environments, and breach avoidance.

Speakers
Anthony Bettini

Founder & CEO
Anthony Bettini is the Founder & CEO of FlawCheck, the leader in container security. Anthony was most recently the founding CEO of Appthority, the leader in mobile app security, SINET 16 award winner, and winner of the "Most Innovative Company of the Year" award at RSA Conference...
Sasan Padidar

CTO, FlawCheck
Sasan Padidar is the founder & CTO of FlawCheck, the leading container security company. His academic and professional experience has been focused on security and scalability. Most recently, Sasan served as the Chief Architect at Appthority, where he was responsible for leading the...


Thursday October 29, 2015 5:20pm - 6:00pm JST
Kougyoku