CLOUD ORCHESTRATION

IP.com Disclosure Number: IPCOM000250394D
Publication Date: 2017-Jul-10
Document File: 5 page(s) / 63K

Publishing Venue

The IP.com Prior Art Database

Related People

Ian Wells: AUTHOR

Abstract

Cloud orchestration techniques are provided. Virtual machines (VMs) are granted a unique right to operate cloud orchestration functions, thereby delegating power to VMs specific to VM role and task in an application. A command channel that would normally control a physical network interface card (NIC) hardware or virtual NIC (vNIC) behavior may accept commands that have a wider effect in an orchestrated cloud or system.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 31% of the total text.

Copyright 2017 Cisco Systems, Inc. 1

CLOUD ORCHESTRATION

AUTHORS: Ian Wells

CISCO SYSTEMS, INC.

ABSTRACT

Cloud orchestration techniques are provided. Virtual machines (VMs) are granted a unique right to operate cloud orchestration functions, thereby delegating power to VMs specific to VM role and task in an application. A command channel that would normally control a physical network interface card (NIC) hardware or virtual NIC (vNIC) behavior may accept commands that have a wider effect in an orchestrated cloud or system.

DETAILED DESCRIPTION

In certain cloud operating systems, authority is given to users with secrets. These secrets can be provided to virtual machines (VMs) to enable the VMs to run applications. To modify a cloud (e.g., run a VM), a user usually supplies user credentials to a cloud control endpoint (e.g., a representational state transfer (REST) endpoint) when making the request. The request is then approved or denied based on the validity and scope of the credentials. For example, such credentials may be shared with the content of a VM also running on the cloud controller, allowing that VM to take action within the cloud to, among other things, run additional VMs.

When running a workload attached to a software defined networking (SDN) controller, the workload may wish to request actions of the SDN controller. Traditionally this is done by connecting to the SDN controller application programming interface (API), but this requires network connectivity between the workload and the administrative plane, and a credential in the workload, both of which can present security risks. When running a workload in a cloud, the cloud may be orchestrated by starting or stopping VMs. The cloud needs access to the API endpoint and a credential. Credential issuance is typically an administrative task, and credentials are not issued specifically to new workloads but reused across all workloads.

Described herein are techniques for identifying a VM as the source of a request to orchestrate, and techniques for the cloud user to delegate limited control to that VM to perform certain cloud-modifying tasks (e.g., running VMs) without creating a full user or a delegated key for the VM. A credential with no authority is automatically provided to a VM on startup, or a communications channel accessible only from that VM (e.g., a fake hardware device) is added to the VM so that the VM alone can be the source of commands over that channel. Alternatively, the Internet Protocol (IP) address of the VM that can reach the control endpoint is used as a unique source identifier. Certain techniques (e.g., anti-spoofing) may permit a command to be uniquely attributed to the VM issuing it.
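The following is an added example written for this page, not code from the disclosure or from Cisco; it models the delegation scheme described above, and the contrast with the earlier paragraphs in which one wide-ranging credential is reused across all workloads. A toy control endpoint issues each VM an identity (here a per-VM channel secret standing in for the fake-device channel or the anti-spoofed source address) that carries no authority by itself; the cloud user then delegates a narrow grant to that identity, and every orchestration request from the VM is authorised only against what was delegated. The class and function names, the `Grant` structure and `USER_SECRET` are hypothetical.

```python
# Added example, not code from the Cisco disclosure. A toy cloud control endpoint
# that implements the delegation model described above:
#   1. every VM is issued, at boot, an identity that carries no authority;
#   2. the cloud user (holding the real, wide-ranging credential) delegates a
#      narrow, VM-specific grant to that identity;
#   3. orchestration requests from the VM are authorised only against the grants
#      delegated to it, so a compromised VM can exercise nothing more.
# CloudController, Grant, USER_SECRET and the method names are hypothetical.
import secrets
from dataclasses import dataclass


USER_SECRET = "constructed-user-secret"   # stands in for the cloud user's credential


@dataclass(frozen=True)
class Grant:
    """One delegated right: launch at most `max_instances` VMs of `image`."""
    action: str
    image: str
    max_instances: int


class CloudController:
    def __init__(self):
        self.vms = {}          # vm_id -> image it runs
        self._identity = {}    # per-VM channel secret -> vm_id (no authority by itself)
        self._grants = {}      # vm_id -> list of Grant delegated to that VM
        self._launched = {}    # vm_id -> number of VMs it has launched so far
        self._next = 0

    def boot_vm(self, image):
        """Start a VM and hand it a unique channel secret that identifies it as a
        request source. Issuing it grants no rights; it only names the VM."""
        vm_id = f"vm-{self._next}"
        self._next += 1
        self.vms[vm_id] = image
        channel_secret = secrets.token_hex(16)
        self._identity[channel_secret] = vm_id
        return vm_id, channel_secret

    def delegate(self, user_credential, vm_id, grant):
        """The cloud user delegates one limited right to a specific VM."""
        if not secrets.compare_digest(user_credential, USER_SECRET):
            raise PermissionError("invalid user credential")
        if vm_id not in self.vms:
            raise KeyError(vm_id)
        self._grants.setdefault(vm_id, []).append(grant)

    def identify_source(self, channel_secret):
        """Map a request's channel to the VM that alone can use it."""
        vm_id = self._identity.get(channel_secret)
        if vm_id is None:
            raise PermissionError("request source is not a known VM")
        return vm_id

    def request_run_vm(self, channel_secret, image):
        """A VM asks the cloud to run another VM. Allowed only if the cloud user
        delegated a matching grant to this VM and its cap is not yet reached."""
        vm_id = self.identify_source(channel_secret)
        used = self._launched.get(vm_id, 0)
        for g in self._grants.get(vm_id, []):
            if g.action == "run_vm" and g.image == image and used < g.max_instances:
                self._launched[vm_id] = used + 1
                child_id, _ = self.boot_vm(image)
                return child_id
        raise PermissionError(f"{vm_id} has no delegated right to run {image}")


def demo():
    """Walk through the model and return what each step produced."""
    cloud = CloudController()
    app_vm, app_secret = cloud.boot_vm("app-image")
    other_vm, other_secret = cloud.boot_vm("other-image")

    # No authority at boot: the identity alone lets the VM do nothing.
    try:
        cloud.request_run_vm(app_secret, "worker-image")
        before = "allowed"
    except PermissionError:
        before = "denied"

    # The user delegates: app_vm may launch up to two worker VMs, nothing else.
    cloud.delegate(USER_SECRET, app_vm, Grant("run_vm", "worker-image", 2))
    children = [cloud.request_run_vm(app_secret, "worker-image") for _ in range(2)]

    # Bounded loss on compromise: app_vm cannot exceed its cap, launch another
    # image, or act as a different VM; only the delegated right is at stake.
    denied = []
    for secret, image in [(app_secret, "worker-image"),
                          (app_secret, "admin-image"),
                          (other_secret, "worker-image")]:
        try:
            cloud.request_run_vm(secret, image)
            denied.append(False)
        except PermissionError:
            denied.append(True)
    return {"before": before, "children": children, "denied": denied,
            "vm_count": len(cloud.vms)}


if __name__ == "__main__":
    print(demo())
```

The design point is that the identity handed out at boot and the authority granted later are separate objects: the controller never places a user credential inside the VM, the grant names exactly one action, one image and a cap, and the `denied` checks in `demo()` are what "only that authority is lost to the attacker" looks like in practice.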

This means that, should the VM be compromised, that authority, and only that authority, is lost to the attacker. The credentials in the first instance necessarily have wide-ranging power, and setting up a separate orchestration user for the VM is usu...