What is Nimbus? (#)

Nimbus is a set of open source tools that together provide an "Infrastructure-as-a-Service" (IaaS) cloud computing solution. Our mission is to evolve the infrastructure with emphasis on the needs of science, but many non-scientific use cases are supported as well.

Nimbus allows a client to lease remote resources by deploying virtual machines (VMs) on those resources and configuring them to represent an environment desired by the user.

It was formerly known as the "Virtual Workspace Service" (VWS) but the "workspace service" is technically just one the components in the software collection.

What is the main way to deploy Nimbus? (#)

Options aren't always a good thing, especially to start with. The main way to deploy Nimbus is the "cloudkit" configuration. This involves hosting a site manager service and creating an image repository for clients to have their own personal image directories (see the cloud guide for details). You direct your new users to use the cloud client which gets them up and running in just a few minutes if the credential situation is understood.

Overview of the cloud configuration:

Is Nimbus hard to install? (#)

Nimbus itself is not hard to install, it has a script driven install option that asks you questions (see the administrator guide for details).

Nimbus requires that some dependencies are installed first. On the service node: Java (1.5+) and bash. On the hypervisor nodes: Python (2.4+), bash, ebtables, DHCPd, libvirt and KVM or Xen (2 works but 3 is recommended).

All of these things are installable via the package management system of all the popular Linux distributions.

What are the main Nimbus components? (#)

The components are lightweight and self-contained so that they can be selected and composed in a variety of ways. For example, using the workspace service with the pilot will enable a different cluster integration strategy. You can mix and match protocol implementations with the "pure Java" resource management module.

Writing new components should be a matter of "dropping" them in. As explained in "What is the RM API?", the Java side of things is particularly LEGO® like. As of Nimbus 2.3 workspace-control (the VMM component) is modularized with around 10 plugin points. And we are working towards modularizing even more and providing better implementations for various components.

Any questions, suggestions, and requirements in this area are appreciated.

What is the Workspace Service? (#)

The Workspace service is a standalone site VM manager that different remote protocol frontends can invoke.

The current supported protocols are Web Services based or HTTP based. They all run in either an Apache Axis based Java container or Apache CXF. But there is only a certain level of necessity:

What is the WSRF frontend? (#)

This is the protocol implementation in longstanding use by previous workspace services and clients including the popular cloud-client. A full protocol guide enumerating differences is forthcoming.

What is the EC2 frontend?

This is an implementation of two of the Amazon Elastic Compute Cloud (EC2) interfaces that allow you to use clients developed for the real EC2 system against Nimbus based clouds.

There is support for both EC2 interfaces: SOAP and Query.

See What EC2 operations are supported?

What EC2 operations are supported? (#)

(See What is the EC2 frontend?)

Nimbus provides a partial protocol implementation of EC2's WSDL (namespace https://ec2.amazonaws.com/doc/2009-08-15/, a previous version supported 2008-05-05) and the Query API complement to that WSDL. The operations behind these EC2 commandline clients are currently provided:

What is the metadata server? (#)

The metadata server responds to HTTP queries from VMs, using the same path names as the EC2 metadata server

The URL for this is obtained by looking at '/var/nimbus-metadata-server-url' on the VM, which is an optional customization task injected by the Nimbus service on your behalf (we are considering trying to simulate Amazon's hardcoded IP address "169.254.169.254" on any subnet, feedback on this idea is appreciated).

Like on EC2, its responses are based on the source IP address from the TCP packet, giving the information specific to each VM instance. This also means there is an assumption that the immediately local network is non-spoofable. Administrators, you should also put in place a firewall rule that restricts this port to the VMs only, just in case.

The metadata server is disabled by default, consult your administrator (or try a query from inside your VM).

Administrators, see "services/etc/nimbus/workspace-service/metadata.conf" for the details.

What metadata server fields are supported? (#)

(See What is the metadata server?)

Nimbus provides a partial implementation of EC2's version of the metadata server (their full field listing). These fields are currently supported:

What is the cloud client? (#)

The cloud client aims to get users up and running in minutes with instance launches and one-click clusters, even from laptops, NATs, etc. See the cloud client quickstart and cluster quickstart to see what it can do.

What is the reference client? (#)

The reference client exposes all features of the WSRF frontend as a commandline client. It is relatively complex to use and thus typically wrapped by task-specific scripts.

Internally, it's implemented around a base Java client API suitable for portal integration or any programmatic usage. Docs on this API are forthcoming but if you are interested check out org.globus.workspace.client_core in the client source tree (contains Javadoc comments and also consult example usages in the org.globus.workspace.client.modes package).

What is the Workspace Pilot? (#)

The pilot is a program the service will submit to a local site resource manager (LRM) in order to obtain time on the VMM nodes. When not allocated to the workspace service, these nodes will be used for jobs as normal (the jobs run in normal system accounts in Xen domain 0 with no guest VMs running).

Several extra safeguards have been added to make sure the node is returned from VM hosting mode at the proper time, including support for:

Also included is a one-command "kill 9" facility for administrators as a "worst case scenario" contingency.

Using the pilot is optional. By default the service does not operate with it, the service instead directly manages the nodes it is configured to manage.

What is the RM API? (#)

Most things having to do with the Java server side components are very flexible, featuring an extensibility system that allows for customization and replacement at runtime of various behaviors. By employing the Spring framework's "Dependency Injection" system, the Java components are virtually like LEGO® blocks.

One of the very strong internal interfaces here is the site resource management module which allows the remote security and protocol implementations and semantics to be separate from one consistent set of management operations. The implementing module governs how and when callers get VMs, it assigns resources to use, and takes them away at the appropriate times, etc.

What is workspace-control? (#)

Program installed on each VMM node used to (1) to start, stop and pause VMs, (2) implement VM image reconstruction and management, (3) securely connect the VMs to the network, and (4) to deliver contextualization information (see Context Broker).

Currently, the workspace control tools work with Xen and KVM.

Implemented in Python in order to be portable and easy to install. Requires libvirt, sudo, ebtables, and a DHCP server library.

What is the Context Broker? (#)

This is a service that allows clients to coordinate large virtual cluster launches automatically and repeatably.

Used to deploy "one-click" virtual clusters that function right after launch as opposed to launching a set of "unconnected" virtual machines like most VM-on-demand services give you. It also provides a facility to "personalize" VMs (seed them with secrets, access policies, and just-in-time configurations). This requires that the VMs run a lightweight script at boot time called the Context Agent.

This is a user-oriented system that runs as an "overlay" on top of the normal VM-on-demand mechanics. It's been used on top of Nimbus clouds as well as with EC2 resources.

See the one-click clusters guide for more detail and the one-click cluster example to show just one of the many things this can be used to accomplish.

What is the Context Agent? (#)

A lightweight agent on each VM -- its only dependencies are Python and the ubiquitous curl program -- securely contacts the context broker using a secret key. This key was created on the fly and seeded inside the instance. This agent gets information concerning the cluster from the context broker and then causes last minute changes inside the image to adapt to the environment.

See What is the Context Broker? Download it from this one-click clusters guide section.

What is the "cloudkit"? (#)

See What is the main way to deploy Nimbus?

What is Nimbus Web? (#)

Nimbus Web is the rapidly evolving web interface for Nimbus. It provides administrative and user functions in a friendly interface. This module is targeted for many exciting features and enhancements over the coming months.

Nimbus Web is centered around a Python Django web application that is intended to be deployable completely separate from the Nimbus service. Instructions for configuring and starting the application are in this section of the administrator guide.

Existing features:

• User X509 certificate management and distribution

Forthcoming features:

• Query interface authentication token management
• Cloud configuration functionality
• Nimbus installation helper
• Visualization of cloud usage data

How is the software licensed? (#)

Nimbus is licensed under the terms of the Apache License version 2.