Hi, bonsoir. We want to talk with you about our experience with OpenStack and its installation in a financial institution. We are working for BBVA. This is a very big bank: a very high number of customers, a lot of people working with a lot of money. Well, really the money is not ours; it's our customers'. Why is it an interesting organization, and why a bank? A bank hasn't one billion customers; you know, there is no bank in the world which has one billion customers. However, Facebook or Apple or other digital companies have one billion customers, or 500 million or so. But banks don't. Why? Because we can't; it's a problem with infrastructure. The infrastructure which banks are using right now does not scale, not only in the sense of physical constraints, but the business model behind our business doesn't support that scale. In consequence, we have a mission from God, as you know; everybody knows the film The Blues Brothers, yes? Well, we have the same mission: we have to save our company, because there are a lot of digital companies taking our place, for example Apple or Google. We have to protect our developers, giving them better infrastructure, better means in order for them to develop applications. Applications are the means by which we are giving value to our customers. In our vision, we need a self-provisioned infrastructure.
We need an infinitely scalable infrastructure, with an active-active configuration, with a hybrid data model, distributed private and public data both between a hybrid infrastructure and public and private cloud, and having a programmable infrastructure. In that sense, the traditional setup is not able to do that. Here is the IBM mainframe; that infrastructure has a lot of physical constraints, but more important are the business model constraints, and we have to move our operation to a better infrastructure: a private cloud based on OpenStack, and also public cloud. With a programmable infrastructure we can build a better application development life cycle, including not only the code but also the infrastructure definition, using that life cycle to develop, test and go to production, or review and maintenance, for both the application code and the infrastructure code. You have the same life cycle for both things, but for this you need a programmable infrastructure. Our plan is to have first a private cloud using OpenStack. In fact, in a couple of weeks we will have that infrastructure in production with a real application, a real banking application, and next year we will have another instance of private cloud in Mexico. We have our operations, our corporate data centers, both in Madrid and in Mexico.

Well, hi. Good afternoon everyone.
Today I'm talking about how we designed and built our OpenStack private cloud. But first of all, I'd like to mention the goals we have with the project. The first of all is to provide the digital bank with a private cloud infrastructure similar to Amazon or Google, in order to work towards the cloud, to do the same thing we are doing with Amazon or Google but in our internal network, in our internal cloud. The second one is to promote a cultural change within the bank. We'd like to move from different groups, for example security, communications, networking, that work as silos separate from each other, with a lot of bureaucracy and lack of communication, to small projects managed by small or medium groups with different roles that start, evolve, finish and maintain the project. The third one is to automate everything: to automate the virtual machine life cycle, to automate application deployment, security, network, almost everything that you can automate. And finally, to have the possibility of deploying applications in a multi-cloud way. So we have some products in which we are using the services from Amazon or Google. And how do we use them? We use them via dashboard, via SDK, but mostly via API. We are also using continuous delivery tools like Jenkins or Atlassian Bamboo, and cross-cloud libraries like fog or jclouds. So why OpenStack? Because this is the product that gives us the possibility of realizing our goals. Also because of its huge community, not only members but also companies, its maturity and the innovation in parallel, the interoperability, and also the flexibility that it gives us to change different solutions within the same underlying technology. And why Red Hat?
Because, oh, I forgot to say that we are starting with the Icehouse release. We have tested some releases and we are starting with Icehouse. And why Red Hat? We are working with different providers, and they give us not only a simple OpenStack installation; they give us their expertise and also some other products to work with OpenStack and to make our life easier. And how are we planning to use it? Well, I'll mention three topics. The first of all is continuous delivery, the second one is agile methodology, and the third one is DevOps methodology, or SecDevOps in this case, because we want to mix people from security into the team, as I told earlier. We are planning to give each project or team a tenant, with the possibility to link the tenant with the continuous deployment tool, and also the possibility to link their tenant to other clouds. So the tenant will have a certain capacity, and therefore they can move to the cloud. So, OpenStack, there we go. We have a couple of environments here, pre-production and production. The idea is simple here: just to test everything in the first one before moving to the second one. About the hardware, we chose HP, and just to say that we have different nodes for different things. I mean, for example, the cloud controller or compute nodes or administration nodes have more gigabytes of RAM than, for example, Swift; however, Swift has obviously more disk. And what about Cinder and Glance? Well, here we had several options: to investigate new technologies such as GlusterFS or Ceph, to choose a well-known provider, or a mixture between both. We have decided to start with NetApp, because of our background with them, because they are in the community, they have some plugins for OpenStack, and also because we have found some features that we haven't found in other cases. For example, they have a very good cloning solution and a very good snapshotting solution.
They have deduplication, where you can deploy for example 20 virtual machines without having to copy 20 times the same image to the compute nodes, or storage tiering, in which you can classify the storage in several parts, for example bronze, gold and silver types of storage. So, OpenStack, there we go. How do we deploy the infrastructure? We use for that Foreman plus Puppet, the Staypuft version, which is the OpenStack installer plugin for Foreman. Here in Foreman we have defined several host groups, one per OpenStack component, and in these host groups we can customize by adding some Puppet modules. So therefore we have all the OpenStack services with a Puppet module, and we can change their configuration in a centralized way. Here is an example of some Puppet modules and classes. Also, we have developed on our own other modules, not for OpenStack services but for other services that we are using in the installation, like security services and so on. People from Red Hat have helped us to do this task in a complete way. So, OpenStack technical details. Well, this is not very technical, right?
Yeah, I wouldn't know this. We want to open the access to our OpenStack to the Internet, not only Horizon but also the public APIs, so that's why we have here a couple of routers in HA with different Internet connections from different providers, as we usually do in the bank, and then the big blue cloud. So, the entry point of our OpenStack is the firewall on top, where there is a WAF and IPS to analyze traffic. The firewall has access to a DMZ subnet where public components will be placed, and also to a router whose function will be explained later, and then the router has access to the OpenStack management network, which is the main network here, and I will explain it also. And here there are two other networks. This one, the service subnet, is where we have placed DNS and NTP; it's used to install the OpenStack components. Here at the bottom we have the BBVA internal management subnet. And why? Because here we can connect our OpenStack platform to the BBVA, to our data center, via this firewall, and here some management components and security components will be placed. For example, here we follow a color code: the green one belongs to security, people from the security group wanting to collect logs from the entire infrastructure and also to collect network traffic. Then they have also another component with security stuff that they are researching right now in order to make the infrastructure more secure. Then we have the yellow one, which belongs to management, mostly to the system administrator group. Here we have a couple of nodes with Red Hat Enterprise Virtualization, from which we manage the entire infrastructure. This is connected to the NFS storage via this other network. As you can see, there are also a Nagios virtual machine and a Foreman, as I will explain later. Here, almost every component is virtualized.
There's no physical node now. And about the question why to put DNS and NTP here in a service subnet and not here in the BBVA internal network: because we don't want to have traffic from the OpenStack management subnet to the BBVA internal subnet. We only want, from here, to access here to collect logs or traffic or whatever, and no more. It's kind of for security reasons. Then here we have switched the color code: the green one belongs to the OpenStack components. Swift uses another subnet in order to perform the triple object copy, and this is the first node we have on bare metal, not virtualized. About Glance and Cinder, as I told you before, here we have the NFS storage cabinet, which is connected, apart from the Red Hat Enterprise Virtualization node, to the OpenStack management network. So here is the way. Okay, let's see the DMZ. Here, when a request comes to our private cloud, it passes through the firewall and reaches the load balancer. The load balancer just does load balancing, it's okay, and then passes the request to the WAF, and if it's okay passes the request to Horizon. And what happens when there is an API call? The WAF passes the request directly to the load balancer of the cloud controller. Obviously, when the request in the previous example reaches Horizon, then it goes to the load balancer. So as we open our private cloud to the Internet, we have to take into account some security risks. We don't want to have attacks; we want to prevent attackers from reaching our internal network. So that's why we have the WAF here, the IPS, and so on.
About the cloud controller: okay, I forgot to mention that Horizon is isolated, it is not within the cloud controller, for the same reason. If someone can attack Horizon, maybe then they cannot reach the internal network. And the APIs are within the cloud controller. We have installed it in three nodes, because this was a Red Hat recommendation for HA, and also because some components of OpenStack need an odd number of services, and we thought that three is a good number. We also have MySQL and RabbitMQ isolated. We could have put these services within the cloud controller, but we'd like to manage them in a different way. They are installed in cluster mode with Pacemaker in a couple of virtual machines. And here appear the Nova compute nodes; they are also physical, and here is where we are going to deploy the virtual machines. The virtual machines we are deploying, copying the Amazon EC2 format, will have an ephemeral disk of 8 gigabytes. This disk is placed in the same physical node as the Nova compute, because this is cheaper and also faster. If the people that manage the virtual machines want more disk, they have to ask for it from the NFS storage. And hey, what about Neutron? Here is something missing.
So I leave the floor to my colleague Danny, who will explain the SDN.

Thank you. Yeah, hi everyone. My name is Danny. I'm going to talk about the integration of Nuage VSP in our OpenStack deployment at BBVA. I will be fast, because we haven't too much time, but anyway I have something very interesting and useful for you. Go with the first point: the reason that we chose to use an SDN solution different than the standard Neutron approach. Well, from the innovation team, as my colleagues explained before, we were working with automation tools, a fast way to deploy, and it's a requirement for the future to do it that way. But remember we are a bank, and our security team used to apply strong security policies to the traditional IT, and now with the cloud environment they feel some fear, for they feel that everything is ephemeral, everything is dynamic. In the deployment way that we started to work, sometimes it starts to be outside the security business flows, and they requested from us some kind of solution to take control over the deployment. By the business request, we need to have a solution that is possible to scale without too much headache and geographically distributed between remote data centers. In the innovation team we have in our roadmap of technologies to introduce in the organization the SDN solution. We felt that the project of deploying OpenStack in the organization is a good point to start with this technology. When we decided to go with an SDN solution, we were testing some solutions, and we decided to use Nuage VSP. Well, why Nuage?
Nuage is an SDN solution. One of the most powerful features for us is the abstraction that they call domain templates, which allows our security team to define the network security topologies, and by this the request I explained will be solved. It has a user role system that allows isolating the administration tasks; inside the organization there are different technical teams, and we need to isolate the tasks in the same tool. Moreover, automation: when a VM is started with Nuage, it is automatically assigned to a subnet, and the security policies defined before by the security team are automatically applied to this VM. It has a RESTful northbound API. It has distributed routing and switching; it's very powerful. It eliminates the single point of failure of the Neutron network node, and brings us the possibility to grow up with layer 3 communication. And it's hypervisor agnostic; that's important. The integration is so easy, via Neutron plugin. We start to explain in more detail in the next slides the Nuage integration with OpenStack. Okay, to explain the Nuage VSP integration in our OpenStack, I need to explain the components of the Nuage solution. The main components are the Virtualized Services Directory, the Virtualized Services Controller and the Virtual Routing and Switching; also an additional component is the Virtualized Services Gateway, that we needed to communicate the VMs with the Internet. Here you can see the Nuage components in blue and the rest of the OpenStack components in gray. We start by talking about the VSD. The VSD is where we define the policies and the network. It has a REST API and a web interface where I can define all this, and XMPP is used to exchange the information with the VSC and the VSG. The VSC, the Virtualized Services Controller, plays the role of SDN controller and sends the configuration to the compute nodes via OpenFlow entries, and uses MP-BGP to exchange information with the rest of the VSCs and the VSG. The VRS is the software agent that is installed in the hypervisor and creates the overlay data plane with the VXLAN protocol, and it keeps working without the VSC running; that is what I said before, that is a good point. And the VSG is a physical element that understands VXLAN and translates it to VLAN, and in our configuration we use a floating IP approach to connect the VMs with the Internet. Well, these are the components of Nuage, and the integration, as I said before, is via Neutron plugin. It is installed in our cloud controllers and it talks only with the VSD and the VRS via API. Well, more about the integration. Nuage has some kind of abstraction that we need to map with the OpenStack abstraction. There are a lot of options, and by the business need we decided to map the domain with a project in OpenStack, and we made a customization of Horizon so that, at the time that we create a new project inside Horizon, OpenStack directly instantiates our domain template, as you can see here.
We add a new tab in the Horizon menu when you create a new project, and here is a scroll list where you can see the domain templates that the end user could instantiate. The next screenshot is from the VSD dashboard, where you can see the domain template definition. As you can see, here is a domain template definition, and from Horizon we can instantiate it at the same time that we create a new project. Okay, this all is about the integration of Nuage with OpenStack. We would like to talk about a couple of features that for us are important for our decision and for the use of OpenStack with SDN. One of these is the domain templates. As you can see in the picture, a screenshot of the VSD dashboard, you can see a domain instantiated, and here is a green check that tells us that the ACLs are enforced from the domain templates. When the end user instantiates a new project, the ACLs, as you can see here, are enforced from the security team, and this is so important a feature for our security team, because this way they have the control at deployment time. And it's very easy to define the domain templates, as you can see in the screenshot. There are objects to define the flow, and inside its flow you can define the allowed ports. For example, here you can see that we allow HTTP and HTTPS from any to a zone; a zone is another level of abstraction where you can create subnets. And at the bottom you can see the OpenFlow-style ACLs that are applied. Another good feature that Nuage brings us is service chaining. Service chaining allows us, when we publish some TCP port, to redirect the traffic through a different path; that is an easy way to insert a new element for analytics or IDS or some kind of stuff for security. That's all for the integration, and I pass the floor to Gemma to continue. Thank you.
Well, I want to share with you some experiences, takeaways from our project. You can see that the takeaways are more related with cultural change and organizational change, because in fact technical or architectural questions have a very good solution in collaboration with different companies, Red Hat or Nuage Networks or other companies intervening in this project. First: you have to organize your development in order to consume infrastructure in a different way, because you can program that infrastructure, which is completely different from the current approach in companies. Normally in companies you have people working in infrastructure, building storage or systems, etc., taking more than a week or two weeks to have a server or virtual machine in order to do some tests. First you have to change your organization, your way to consume infrastructure. And the second is the organization of the project itself. Our organization is very complicated. Well, I think your companies are more simple, isn't it? Not really. Big companies are complicated because they are big and there are a lot of people, a lot of politics. It's fundamental in that kind of project, in OpenStack projects, to have one team working together, physically together if it is possible, taking people from security, networking, our systems, and focusing them on the final result of the project. Our goal was to have an infrastructure working in six months from scratch, and we won; it is fantastic because the team is one team. We work very well with this approach. Well, next steps. Well, we are thinking the same things you are thinking about OpenStack: next versions, how to roll up to the next version. We are right now in the Icehouse version; I don't know if we are going to Juno or we are going to Kilo, but our goal is to change the version one time per year.
It's a good and a very different goal from the other infrastructure, where probably the same version is running for years. Docker, Ceph and other approaches to the storage, compute, different compute nodes, different hardware; we have a lot of things in our roadmap. This is our team, and I want to pay tribute to the people who came here. Well, there are people here, like Philip or Jonas; it's a fantastic team. We built up a fantastic group of people working together. And at the end, I think it's the best question related with this project: we are looking for people who know about OpenStack. If you want to send me a resume, well, I am open; you can find me. Okay. Finally, remember we have a mission from God. Okay, questions?

Yeah, yes, it's a very good question. Starting the project, we made a business case analyzing every cost intervening in the project, and discovered that our cost over time is converging with the Amazon cost, more or less, the cost we see, of course. This validates our project from a cost perspective, but the most important thing for us is to integrate agility and give developers new tools in order to develop applications in a more agile way, with more speed. The most important thing is that the cultural change is so important. We want to introduce, we are, at the end, an innovation team. We want to introduce not only the technology but the cultural change, to change the minds of people who are working in traditional IT. We have around 6,000 people working in IT, mostly in Spain and other countries. If every single person in that organization changes his mind, it will be fantastic, because the power will be virtually infinite. This is our vision.

Yeah. Our installation is right now small, because we have around 30 servers from HP. The question is, at the end, we want to check the feasibility of doing that thing inside, and growing that infrastructure is very easy. We dimensioned our private cloud for a set of projects inside the innovation area, but we are planning to extend that offering to other areas. We will measure the consumption, making trends and plans, and grow the infrastructure when it is needed. And yeah, we start with one data center, but next year we will have another instance of that cloud in Mexico. We have two couples of big data centers, two in Madrid and two near Mexico City.

Not right now, we are integrating... Ceilometer? Are you referring to Ceilometer or other? Well, we have different reporting capabilities, some related with security. We have a powerful platform of security taking data from the WAF, the web application firewall. We are introducing a self-learning web application firewall in order to feed back the front end of the API, taking every piece of information about the logs of the different components, analyzing it in a fraud platform, and using Ceilometer we can have information about the different components of our installation.

The load balancer is a virtual machine, and it's used only for high availability of the OpenStack components. Is that the question?
No, they are physical appliances, but those firewalls have rules defined; it is not dynamic. Dynamic rules are applied by Neutron, by the Nuage network solution.

Not now, because our installation is so small. We only need authentication for DevOps people, and DevOps people are a very small amount of people, so it is not necessary right now. Probably when the platform grows up we will need some authentication system integrated with our LDAP or something like that.

Both. We want to, well, for us it's so important to have a platform in production with a real application and to demonstrate that the concept of using OpenStack in a big company is feasible. The first intention is to provide developers some platform where they can set up virtual machines immediately, but in second hand we want to put production projects. In fact, I think in December, maybe in January, it depends on the production calendar schedule, we will have an application from our Internet online banking service in Spain running in our infrastructure, one part of that project. I think it's very good because we demonstrate that OpenStack is so powerful.

Yeah. Well, I think our vision is to separate providing infrastructure from applications. Right now in classical companies they are mixed: you have silos, and you have the application, and you have specific people running infrastructure services, storage, operations, etc. for that application. Our vision is to separate infrastructure: have a common work with specialized services but a common infrastructure, a programmatic infrastructure, and all those people can't be such an amount as we have right now; we have a lot of people doing this. The other people will be DevOps people working in applications. I don't know.
I think it is a very good approach to have people integrated, because normally they are more engaged with the projects. It's our particular vision.

Can you repeat? To external developers? Yeah, yes, absolutely. Yes, we want to offer it in different ways. Let's say official projects, where people are devoted to that project with a specific planning, and to give developers some new tools in order to check new technologies. I don't know, for example a new version of MQ: the developer wants to check it, and to have the ability to set up a new virtual machine in seconds and test that new thing is very convenient for us. Okay, I understand. Yes.

When we started the project we were thinking in the full stack, but at the end we preferred to concentrate on the first thing, that is infrastructure as a service. Probably we will have Cloud Foundry or some PaaS in place; I don't know if next year, it depends on the necessity. For example, in the big data area we are testing Cloud Foundry right now over other infrastructure; if it's successful we will put it in place, but I don't know right now. Yes.

Yeah. No more questions? Thank you. Thank you very much.