Getting to OpenStack


In the industry, OpenStack is seen as very hard to implement. Considering this, I began to think that most people who deploy OpenStack try to bite off too a large chunk of OpenStack at one go, to implement it all instead of just what they need. OpenStack is a cloud management platform, not the hypervisor, so perhaps we can take some lessons from how we installed VMware products when we just started out. We still implement things using the same patterns for vSphere. We should revisit OpenStack with this history in mind.

Most administrators I know, and companies for which I have done work involving VMware products, started very simply. They installed VMware ESX or ESXi and then installed vCenter and all its necessary components. This was enough to get virtual machines running, perhaps not with all the bells and whistles required in the end, but they had a running environment. Today, this basically equates to installing vSphere ESXi, logging in to the vSphere web interface, and deploying the vCenter Appliance, which includes SSO (or deploying vCenter and SSO within either a single Windows VM or multiple).

Hypervisor Plus Management Is Not Yet OpenStack

So, what is the equivalent of the getting-started bits for OpenStack? I think this is the part that gets overlooked—why OpenStack gets relegated to a science experiment by many, who think it requires a huge knowledge base just to get running. When I talked this over with Alastair Cooke, a fellow analyst, we concluded that it likely has more to do with misunderstood use cases than with a lack of knowledge, or perhaps a lack of explanation. Those who develop OpenStack come from the cloud service provider world, where they need many components to make their cloud work. But a private cloud does not need everything a cloud service provider needs, at least not at the beginning.

Let me see if we can map the minimum requirements to VMware vSphere as well as the rest of the arena of hypervisor and cloud management tools.

VMware vSphere OpenStack Hyper-V Red Hat
Hypervisor ESXi KVM/Xen1 Hyper-V KVM
Initial Management vCenter and SSO Nova and Keystone System Center and AD RHEV and LDAP

1 You can also run VMware vSphere and Hyper-V as the hypervisors for OpenStack; it just takes more management to make that happen efficiently.

Now, we have just enough management and hypervisor to start deploying virtual machines. Can all these run within the same set of hypervisors? Yes, but most suggest these items be a management cluster to manage the actual virtual environment used for non-management workloads. Even so, we should consider that each hypervisor contains, minimally, three to four network connections for various critical components. So, physical segregation is more about politics than reality.

I have been told that OpenStack today may not work without Glance, but in the past it did. Glance is an image store. Any number of image stores are available. However, Nova currently makes best use of Glance.

VMware vSphere OpenStack Hyper-V Red Hat
Image Store Templates datastore Glance CIFS RHEV

What else is there in OpenStack, and why would we want to use it? Now, if we use just Nova and Keystone, we do not have what is often considered OpenStack. We need to add a few more things to make it official. However, most can stop here, as they really just want to manage a virtual environment and not necessarily a true cloud. The above set of tools uses the underlying hypervisor’s virtual networking, storage presentation, and image catalog. However, access to those items is controlled by the administrator and not presented to the user as an IT as a Service play.

So now, for OpenStack, we have management plus hypervisor to control our virtual environment and to have a way to present certain workloads to end users for use via Nova (ITaaS). The other stacks at this stage have no IT as a Service options, and all underlying networking and storage are handled by the hypervisor directly.


We also want monitoring, as we need to monitor our systems and we would like to respond to that monitoring in some useful way.

VMware vSphere OpenStack Hyper-V Red Hat
Monitoring vRealize Operations Ceilometer System Center RHEV
Log Analysis
  • Log Insight
  • Elasticsearch
  • Splunk
  • Elasticsearch
  • Splunk
  • Elasticsearch
  • Splunk
  • Elasticsearch
  • Splunk
Orchestration vRealize Orchestrator Heat PowerShell
  • Puppet
  • Chef

Now we have the beginnings of IT operations analytics and response to those analytics using the tools that are necessary. Do we need these tools immediately? Not really. Many virtual environments have none of these tools in place. Even now, some are using just the monitoring tools within the base management tools, third-party tools, open source, or even roll-your-own tools.

IT Automation/ITaaS

The goal of OpenStack is to get to true IT automation and present IT as a Service with operations orchestration. To that end, we need to add a few more components.

VMware vSphere OpenStack Hyper-V Red Hat
Network NSX Neutron 5nine Software RHEV
Storage Storage Profiles Cinder


Now all that is missing is security. This should be considered up front, actually, not at the end. However, for OpenStack, nothing outside of Keystone is used to control the security of the resultant stack of products. To do this, you need to apply the appropriate hardening guides to each element, and perhaps use Congress.

For VMware vSphere, there is a well-known hardening guide and configuration guide, and these elements can be measured via various tools (even vRealize Operations). We still need to build tools and guides to cover the entire mixed bag of tools that currently make up OpenStack.

VMware vSphere OpenStack Hyper-V Red Hat
Network Security NSX NFV Neutron NFV via Open vSwitch 5nine Software Open vSwitch
  • vCNS
  • NSX Edge
5nine Software
Identity SSO Keystone AD LDAP
Encryption VMCrypt2  Cinder? BitLocker
Attestation vRealize Operations3

2 Announced, not yet released    3 For hypervisor attestation

The real issue around security is not all the bells and whistles, but how you can attest that the hypervisor and management stack is actually secure. Each individual VM has a number of hardening guides around it, as does vSphere, KVM, and Xen, but I have seen nothing that is management-specific, or even OpenStack-specific. I’ve seen lots of tools for policies, but not much that pulls it all together. This is why the governing rule of virtualization and  cloud security is to isolate the management components using firewalls and proxy services.

Share this Article:

The following two tabs change content below.
Edward Haletky
Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. [All Papers/Publications...]
Edward Haletky

Latest posts by Edward Haletky (see all)

Related Posts:

Leave a Reply

1 Comment on "Getting to OpenStack"

Sort by:   newest | oldest | most voted
5 months 21 days ago

A fantastic article, along those lines Mirantis’ OpenStack with the Apcera Platform lets you not only deploy and manage multiple workloads it adds the level of governance and security we need in today’s environments