On lip 19, Damiano Venturin wrote: I haven't had a chance to play with OpenStack yet, but I know roughly what it is and what it does. I'm nore interested in OpenNebula[1] as the hypervisor/virtualization layer due to less complexity between the two solutions and more focused OpenNebula development[2]. The article linked is a bit old so take that into account. OpenNebula seems to be more focused on smaller-scale deployments which DebOps excels in at the moment. In both cases the installations require a bunch of different underlying services to function (MariaDB, RabbitMQ, etc.), management roles for these either are already in DebOps, or can be implemented as needed. Then there are packages with the software implemented for the OpenStack or OpenNebula specifically which could also be added in the project. I imagine that a separate set of playbooks could be developed to aid deployment of a production infrastructure in each case, with different types of hosts (compute, storage, cpu) instead of the default set of playbooks focused on a per-service general-purpose deployment. The debops scripts can be updated to acommodate multiple sets of playbooks for that purpose. There's already the openstack-ansible[3] project that allows deployment of OpenStack unsing Ansible; we could see what components are still missing in DebOps for it to function and implement them over time. In the end, I think that DebOps as a solid base to deploy OpenStack, OpenNebula or Kubernetes in production environment is a good target to aim for. Many of the underlying components are shared, which should make things a bit easier. Cheers, Maciej [1]: https://opennebula.io/ [2]: https://opennebula.io/opennebula-vs-openstack-user-needs-vs-vendor-driven/ [3]: https://github.com/openstack/openstack-ansible

Having (briefly) scanned the emails on this topic, my couple of ZAR 0.20 (20 ZAR cents == ~ EUR0.01 ~ 1 cent EUR ;) ) When you look at the hypervisor arena, the use cases I'll summarise as follows given my experiences: In the sharing environment: - You have a Desktop - you’ll use Parallels/VMWare/VirtualBox (vagrant for headless vbox) (Okay, you can and could use libvirt + KVM, but you are already on a GUI and want GUI interaction/etc.) - You have a LINUX/debops server with spare capacity and need to run VMs: libvirt with KVM (freeBSD: bhyv something in the place of kvm) Now for dedicated hypervisor(s) on physical baremetals: - Simple GUI, only a single servers: ProxMox / ESXi (free edition, and it doesn’t do clustering afaik) - fun “niche” SmartOS - a few clustered servers with GUI no auto-allocations: ProxMox + clustering / VMWare - medium size, auto allocations: ganeti / VMWare - medium massive scale, auto allocations, USers with own rights and billing: OpenStack / OpenNebula / VMWare The “fun” with the OpenStack/Nebula/VMWare/etc. is that you might be installing some of the controllers with a Debian type OS, the actual storage and compute physicals are not necessarily a “distro” installation, but their own “thing” to talk to the master(s). I might be wrong with these, but that was the information I saw last time I investigated them. it’s an auto allocations based on the controllers etc. controlling what/where etc. and you typically only have block storage you write to… the challenge here: BIG FAT back end network links, as every disk io goes out on the network Looking at the Enough project “quickly” you might be stuck with an OVH solution as it seems they cater/work-inside OVH’s tweaks of the stack.. and yes, there are some (I’m using OVH so I know the “funs” too ;( ) Perhaps also ‘cause OVH provides the best bang for buck (compared to AWS/Azure/etc.) for a public cloud setup!!! I don’t think it was chosed for the OpenStack, I belive they chose it and just build/used the OpenStack credentials to fast track the VM creation/etc. I’ll not be surprised that you’ll have to be compiling lots of the stuff yourself too … no need yet to investigate myself ;( You most probably could, but BEFORE you consider a OpenStack/OpenNebula deployment, ask yourself these questions: 1) do I need allocation across hypervisors? 2) Do I have the network bandwidth from the compute nodes to the storages nodes? 3) do I have very-very fast storage nodes? Those are the single factors that’ll make or break your OpenStack/Nebula deployment Okay: *I* don’t have the ZARs to buy those equipment priced in EUR/USD, neither am I working for such a company (I’m just a free lance consultant) so I am biased towards solutions that is not breaking my bank nor clients I do not disagree, I would rather advise that this be a tad sideline project, instead of a full blown DebOps path, unless there are real needs and people having the budgets for those equipment “sponsoring” this part of the project ;) PS: Ansible have ProxMox VM creation stuff lately, and ProxMox does have API etc. to control it ;)

On 21/07/2020 17:17, Maciej Delmanowski wrote: <cut> I thought of something more exotic but turns out it's just splitting responsabilities among machines specialized for a specific task. Correct? very interesting. Definitely a discussion that has to happen because I see a nice picture when I connect the dots. <cut> agreed

On 21/07/2020 15:50, hvjunk wrote: <cut> Sounds about right. This might explain why Enough is based on OpenStack. I'll ask the authors. aha <cut> I think there are 9 components in OpenStack. Some are optional. Am I wrong if I visualize them as "containers with a special task" next to any "normal vms" I might add? Lets take an example: say I want to run a simple webserver serving static websites inside openstack. I might have a debian vm running Nginx which uses the Storage openstack component as webroot. The real storage is defined and managed by openstack outside of the vm. Close? If it's like that, what would be a use case for the Nova component? <cut> I've looked at the OVH Public Openstack page: wow!! I've lost my socks. I can't even understand what I need. I'll ask in Enough forum but iyo what would be the monthly cost of the simplest OVH stack, roughly? Another matter here is: how much the OVH infrastructure can be considered "3 letters agencies"-resistant (both legally and technically) ? For delicate matters, one can't rely on 3rd party vps because it's too easy to dump its ram and this makes LUKS useless. Running bare-metal gives a bit more protection or at least some heads-up and control. Where is OVH standing in this regard? Why that? do you think it's faster/easier to deploy vms on openstack? uh? production + compiling = creeps good to know. I'm actually a step further. It's still rather hard to dimension the project itself meaning that some media agencies might need something "medium", most might need something "small" but one can even think to provide one huge architecture shared among all and chunked upon needs. Hard to list pros and cons for each solution. It could make sense to have the Enough project on openstack as it is and a mirror project based on Proxmox for smaller setups both providing the same tools. I'm with you here

On lip 21, Damiano Venturin wrote: Not really. In the final environment, your virtual machines deployed in OpenStack don't see the underlying components directly - you just get a virtual machine with a network interface connected to a gateway and some storage space. Your VM does not are where its disk space is stored, where the network gateway resides, how the network interfaces are connected, etc. OpenStack manages the whole machinery underneath, which can be one physical host or a hundred commodity PCs in a cluster. No. Your VM will just see "a bunch of block storage" which you will partition into filesystems and mount at specific filesystem directory. Nginx sees normal files, it doesn't care what is underneath. Your VM will not have direct access to the OpenStack components at all. Nova is the hypervisor management service in OpenStack. It manages the creation and lifecycle of virtual machines and/or containers on the hosts, usually using KVM hypervisor underneath. If you used virtual machines before, for example with VirtualBox, you probably had to start a VM manually to bring it up. In OpenStack you use the Horizon web server to tell Nova that you want a VM started, and Nova finds an available hypervisor host with enough resources to run it and starts the VM there. It's not a question of what you need... What you actually want to do? If it's just a simple website, you don't need to play with all that OpenStack ecosystem - a normal virtual machine with nginx, mariadb database and SSH access should be enough. OpenStack gets interesting in cases where you want to deploy multiple applications with total separation of their environments, or provide hosting services to multiple third-party tenants which might not even know about each other. Are we talking a data center scale? A quick Google search gave me this article[1] which talks about costs of operating a data center, might be of some use for you. At my workplace I handle the IT side of things, I'm not really sure about our costs, but I can ask for some details. [1]: https://perspectives.mvdirona.com/2010/09/overall-data-center-costs/ Each time we talk about security you need to consider the attack vector. If your adversary is "3 letter agencies" then we are talking government level attacks which OVH or any other provider will not protect you against - they will be compelled by the law enforcement to give up your hardware, nothing they can do about it. In such case you need to start from scratch with your own building, security personnel, access to energy and cooling... Hypervisor management comes much, much later. The answer is much simplier - that's what the VPS provider "provided" to them to manage their servers. This gives an inherent bias to the tools you build to manage your infrastructure - they have to work with whatever is available. Cheers, Maciej

hvjunk wrote: Enough is based on OpenStack and relies on its API which is not proprietary. Unlike AWS, you're not stuck with a single provider by using their proprietary API. If OVH becomes less hospitable, an organization using Enough could migrate to another OpenStack provider[0]. This is in theory but, as you observed, Enough has a few OVH specific elements. I'm hoping we'll get rid of them over time but we're not there yet. Right. People running Enough don't need any of this. Enough does not require nor help anyone willing to deploy an OpenStack cluster: it assumes there is one available. Enough depends on OpenStack for: * Provisionning machines (although one could also manually add in the list of Ansible hosts the IP to a machine provided by any means as long as there is an ssh access) * Firewall * Performing backups (VMs and/or volume snapshots) * Restoring backups * Destroying machines [0] https://www.openstack.org/marketplace/public-clouds/

Hi, On 21/07/2020 15:12, Damiano Venturin wrote: I posted a topic on Enough's forum [1] in order to understand why they rely on OpenStack. From my point of view, having several providers/communities for journalists, sources and human right defenders built on different technologies (OpenStack, Proxmox and others) is a good point. So please don't ditch what you have done. [1] https://forum.enough.community/t/openstack-choice/439 -- Nicolas Quiniou-Briand Messagerie instantanée (Jabber) : nqb(a)azyx.fr Tél : 06 75 84 56 74

I’d say Enough is less build on “openstack” but more on OVH’s publiccloud ;) Well, what you should also remember, you can deploy that stack in either: - Canada (Beauharnois) - Poland (Warsaw) - UK (London) - Germany (Frankfurt) - Taiwan (Singapore) - Australia (Sydney) oh, and two data centre in France :) (GRavelines & Strasbourg) Thus for journalists, you are quite diverse placements