I will touch on several of these in an effort to help you avoid some common mistakes.
Governance, and Why This is Important
With open source software, the rules are different. For some open source software, the product management function is still contained inside a single software company. For OpenStack (as in the case of Linux), the product management function lies with the OpenStack Foundation, an independent non-profit organization which has its own by-laws, procedures and governance. Its board members are elected by the community, which minimizes dominance by any single vendor. This changes the dynamic completely, because market requirements take a different path to becoming product functionality. Any developer can submit a code change for consideration. Companies can employ (at their own cost) any number of developers, thereby vying for influence by sheer number of heads. Enterprise software companies like VMware, HP, IBM and others are embracing OpenStack, but they also have significant software license revenue that is complementary to and/or competitive with OpenStack. This is not a bad thing, but it is an important nuance to understand for anyone considering a long-term commitment to OpenStack, because some product features may have genuine market pull, while others may be influenced by enterprise software vendors. There are advantages to this as well. For example, VMware Integrated OpenStack (VIO) has strong integration with vSphere, vCloud Director and the entire vCloud Automation suite (recently renamed to vRealize Suite). HP Helion OpenStack has strong integration with their cloud automation suite, including the Cloud Service Automation (CSA) and Operations Orchestration (OO) products.
The code development and management process is also a major consideration for any software user. In the enterprise software world, the entire development process is owned by a single vendor, from code, build, test and QA to packaging and distribution. It is assumed that any enterprise software company has safeguards and processes that ensure code quality and security. With OpenStack, the development community is very large. For the latest release (Kilo), some 1,500 developers contributed, merging over 19,500 patches and dispatching nearly 14,000 tickets, all in a six-month period. The coding, QA and security processes have to be automated and very disciplined in order to support this volume and this size of developer community. The OpenStack community has adopted modern DevOps and automation practices. Code checks covering code quality and security are more stringent than most software companies have internally. This is by necessity and is a very good thing for the user base, because the structure applied represents a lower risk for users.
OpenStack Distributions: What Are They and Why Does it Matter?
Open Source Software Licensing Models & Agreements
- Degree of vendor lock-in
- Product management, and how much input you will have
- Availability of skills in the marketplace for that software
Open core - Base functionality is open source, but additional features are license-based. The vendor sells support contracts for the open source portion and licenses/support for the additional functionality.
Open source - All code is completely open and available. The vendor sells support contracts only. OpenStack follows this model, but there is a rich vendor ecosystem of technology companies that add complementary solutions, such as cloud management, software-defined networking (SDN), virtualization and much more. Some of those are open source, others are proprietary.
Agreements and Terms
All open source software is released publicly under specific terms, in most cases referencing an existing open source license model. There are specific differences between these models, and it is important to be aware of which one is being used in order to minimize IP infringement risk and avoid unjustified charges. Read your open source license agreement carefully!
Here are some of the common licenses. Note that OpenStack is distributed under the Apache 2.0 license.
Risks in Adopting OpenStack and How to Mitigate Them
1. Security - this topic is top of mind for almost every IT leader. There are two main areas to consider separately with respect to OpenStack: coding/development, and operational. Coding and development covers the code checks and QA processes that both the OpenStack community and the distributors must adhere to in order to ensure that no malicious code is inserted into the core OpenStack code set. With 1,500 developers to keep track of, this is no small feat. Automation software and tightened procedures have greatly reduced the risk associated with the code, but questions should be asked of any distributor as to how they address this issue. On the operational side, a lot of work has been put in by the OpenStack development community over the last year to ensure that security is ready for the enterprise. This includes the identity management functionality of the Keystone project. There is a separate committee in the OpenStack Foundation dedicated to security for applications and data.
This is a real scenario, and it has happened. The Symantec case demonstrates how real this scenario is. If the claimant so chose, they could file suit against the entire OpenStack supply chain, starting with the Foundation, working through to the distributor and reseller, and finally the end customer. If the claimant wins in court, an injunction could be granted, forcing users to cease using the software. The latter scenario is unlikely but should be factored into a risk analysis before adopting OpenStack. One key step that all end customers can take to minimize the exposure is to ask your distributor for indemnification against third-party IP infringement. If a distributor provides indemnity, it shields the end user from liability and the cost of legal defense, which is definitely worth it! As of the writing of this newsletter, HP is the only distributor that has publicly come forward and offered unlimited indemnity to customers for this. Other distributors offer limited protection, some no protection. It is up to you as a customer and user to insist on it.
3. Implementation - OpenStack is no different from an implementation perspective than any other new technology. Implementation time, effort and cost are highly dependent upon how different the business requirements are from the out-of-box system, how many integration points there are, the level of expertise available, and the size/stability of scope. The best approach is to start small, implementing a limited scope, and building from there. Internal training of personnel is highly recommended, and you may look to outside consulting companies for assistance in getting started. Outside help can not only help you set strategy and direction, but also accelerate the learning of internal resources and cut implementation time and risk. Use a phased approach and build complexity with each subsequent phase. For example, you can start phase 1 with compute (Nova) and block/object storage (Cinder/Swift), which would provide you with provisioning and virtualization of OS and storage for apps running in your existing environment. Phase 2 might add networking (Neutron) and expansion of image storage (Glance).
As big as the advantages can be, it is critical to understand that OpenStack, as an open source component of your operation, is a different world than other proprietary enterprise software you might be used to. Those who grasp the differences and leverage them to their advantage will be successful with OpenStack.
Zefflin is focused exclusively on Data Center Automation and Cloud Management solutions implementation and integration. As a world-class, agile, center of excellence, our aim is to work with best of breed software, combined with the industry's best technical consulting and integration talent. We provide consulting services in data center strategy, DevOps Transformation, DevOps automation, OpenStack consulting and software implementation. We cut through the hype, identifying which tools can be implemented and integrated to effectively automate application development and IT operations. We offer high quality, cost effective solutions addressing the automation of the entire lifecycle of complex computing environments, from request/catalog management, automated provisioning (OS, application, database, storage, network), to policy governance and compliance. Our vision is to bring to market consulting/software solutions that enable the lights-out data center. This will allow our customers to implement fully automated private, public and hybrid cloud systems, delivering low cost, high quality services to their customers while minimizing personnel cost. Our current software resale and implementation portfolio includes Scalr and CloudForms for cloud management and Cloudify for cloud orchestration, as well as support for all major OpenStack distributions. www.zefflin.com