2.2 Virtualization
Xen, an open-source industry standard for virtualization, is a virtual-machine monitor that allows multiple computer operating systems to execute concurrently on the same computer hardware. Xen offers an efficient and secure feature set for virtualization of x86, x86_64, IA64, ARM, and other CPU architectures. The first versions were developed at the University of Cambridge Laboratory. Since 2010, the Xen community has developed and maintained Xen as free software, licensed under the GNU General Public License (GPLv2) [16][17].
2.2.2 Virtual Machine Image Catalogue
The European Organization for Nuclear Research (CERN) was founded in 1954. It is the world's largest physics laboratory and is located on the Swiss-French border. The World Wide Web was born at CERN. CERN IT is continually involved in different fields of computer science and develops a range of tools for bringing in cloud computing infrastructure. In 2009, CERN IT and the HEPiX Virtualization Working Group published a proposal on virtual machine image management at the HEPiX conference.
Simply speaking, VMIC is a catalogue of virtual machine images. It can subscribe to image lists from other sites and easily export an image list for other sites. Sites can choose to trust only specific endorsers, or even a single image. All virtual machine image files and their metadata are preserved for traceability. A trusted endorser maintains a set of valid virtual machine images; the set is kept current with security patches and is updated regularly. All trusted virtual machine images are managed via VMIC, and only trusted endorsers can publish and maintain images in VMICs [18]. Each site can set up its own personalized VMIC. Sites may decide to trust endorsers and all of their virtual machine images.
All endorsers and sites should comply with the security policies from the SPG.
Figure 2-5 VMIC architecture and concept [18].
The VMIC diagram in Figure 2-5 depicts several scenarios of image trust. Two endorsers, from RAL and CMS, have each published a VMIC. A site approved those VMICs as well as its local one from a local endorser. This populates a list of virtual machine images that can be used at the site. The local image distribution system can be hooked onto the local listing of approved VMIs to automatically pre-stage the images [18].
Academia Sinica Grid Center (ASGC) [19] applies VMIC as a component of its distributed cloud computing environment [20]. As shown in Figure 2-6, when a site approves a virtual machine image from an endorser, the virtual machine image information is imported into the site's VMIC database. The site can then actually subscribe to an approved image. Once approved images are stored at a site, the site publishes a new image list and can redistribute and re-endorse those on-site images. VMIC works with many replicas at different sites and over different transfer protocols such as GridFTP and BitTorrent peer-to-peer, so sites can always pick the access method that suits them best for subscribing to images.
Figure 2-6 VMIC image endorsing and trusting of distribution [20].
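As an added illustration (example code, not part of the thesis or of VMIC itself) of the trust scenario in Figures 2-5 and 2-6: a site subscribes to image lists from the RAL, CMS and local endorsers, applies its own trust policy (whole endorsers or single images), checks a fetched image against the endorsed digest before pre-staging, and re-endorses the approved images under its own name. The list format, endorser names, image ids and the `spoof` entry are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Image:
    """One entry of an endorser's image list (constructed format, not VMIC's)."""
    image_id: str
    endorser: str
    sha256: str  # digest of the image file, recorded by the endorser

@dataclass
class SitePolicy:
    """What a site chooses to trust: whole endorsers, or single images."""
    trusted_endorsers: set = field(default_factory=set)
    trusted_images: set = field(default_factory=set)  # (endorser, image_id) pairs

    def approves(self, img):
        return (img.endorser in self.trusted_endorsers
                or (img.endorser, img.image_id) in self.trusted_images)

def build_site_list(policy, subscribed_lists):
    """Populate the site's list of approved VMIs from the subscribed endorser lists."""
    approved = {}
    for list_owner, images in subscribed_lists.items():
        for img in images:
            # An entry that names another endorser must not inherit that endorser's trust.
            if img.endorser != list_owner:
                continue
            if policy.approves(img):
                approved[img.image_id] = img
    return approved

def verify_staged_image(img, data):
    """Before pre-staging, confirm the fetched bytes match the endorsed digest."""
    return hashlib.sha256(data).hexdigest() == img.sha256

def reendorse(approved, site_name):
    """Republish the on-site images under the site's own endorser name (Figure 2-6)."""
    return [Image(i.image_id, site_name, i.sha256) for i in approved.values()]

# Constructed sample: two remote endorsers (RAL, CMS) and a local one, as in Figure 2-5.
RAL_IMG, CMS_IMG, LOCAL_IMG = b"ral-worker-node", b"cms-analysis", b"local-test"
LISTS = {
    "RAL": [Image("ral-wn", "RAL", hashlib.sha256(RAL_IMG).hexdigest())],
    "CMS": [Image("cms-ana", "CMS", hashlib.sha256(CMS_IMG).hexdigest()),
            Image("cms-old", "CMS", "0" * 64),        # not in the site's trusted set
            Image("spoof", "RAL", "1" * 64)],         # claims RAL's name in CMS's list
    "local": [Image("local-test", "local", hashlib.sha256(LOCAL_IMG).hexdigest())],
}
POLICY = SitePolicy(trusted_endorsers={"RAL", "local"}, trusted_images={("CMS", "cms-ana")})
APPROVED = build_site_list(POLICY, LISTS)
```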
2.2.2.1 HEPiX Virtualization Working Group
The High Energy Physics Unix Information Exchange (HEPiX) forum brings together Information Technology staff from around the world, including system administrators, system engineers, and managers from High Energy Physics and Nuclear Physics laboratories and institutes, to foster learning and sharing between sites facing scientific computing and data challenges [21]. Its participating sites are located around the world, and the organization was formed in 1991. HEPiX holds a conference twice a year, in spring and fall.
The HEPiX Virtualization Working Group is a working group of HEPiX that was formed at the spring 2009 HEPiX meeting. It investigates the implications, use cases and requirements that sites were, at the time, expected to face from the relatively new technology of virtual machines. Its main focus is to give sites a way to control and manage virtual machine images provided by the experiments, and to run them in trusted environments within the existing computing environment provided under Grid computing. The working group has two objectives: one is to produce a framework to securely run virtual machine images across multiple sites supporting High Energy Physics; the other is that sites must retain control over virtual machine image selection [22]. VMIC was presented at the HEPiX conference in 2009 in cooperation with the HEPiX Virtualization Working Group. The applications of the HEPiX Virtualization Working Group are VMIC, StratusLab [23], and Repoman [24].
2.2.2.2 Image Trust
All images that are published or subscribed to must comply with the security policy; the VMIC security policy is based on that of the EGI Security Policy Group (SPG). The details of image trust are introduced below. EGI.eu is a not-for-profit foundation established under Dutch law to coordinate and manage the European Grid Infrastructure (EGI) federation on behalf of its participants: National Grid Initiatives (NGIs) and European International Research Organizations (EIROs) [25]. The purpose of EGI.eu is to promote collaborative work within the community and to integrate the computing resources provided by the different members of the EGI federation. The EGI Security Policy Group (SPG) supports the EGI infrastructure with the strategy and policy documents and papers that underpin its daily activities in grid operations, software quality, security and user communities. SPG also supports HEPiX with the security policy for the Endorsement and Operation of Virtual Machine Images [26].
SPG defines the following terms.
- Endorser: A role, held either by an individual or a team, who is responsible for confirming that a particular virtual machine image has been produced according to the requirements of this policy and states that the image can be trusted. An Endorser should be one of a limited number of authorized and trusted individuals appointed either by the Infrastructure Organization, a Virtualization Organization (VO) or a resource centre. The appointing body must assume responsibility for the actions of the Endorser and must ensure that he/she is aware of the requirements of this policy.
- Virtual Machine operator: A role, held either by an individual or a team, who is responsible for the security of the virtual machine during its operation phase, from the time it is instantiated, until it is terminated. Typically this addresses individuals with root access on the virtual machine.
- Third party: An external entity other than the resource centre where the virtual machine is operated [27].