Publication Date: 2017-Jul-10
The IP.com Prior Art Database
Cloud orchestration techniques are provided. Virtual machines (VMs) are granted a unique right to operate cloud orchestration functions, thereby delegating power to VMs specific to VM role and task in an application. A command channel that would normally control a physical network interface card (NIC) hardware or virtual NIC (vNIC) behavior may accept commands that have a wider effect in an orchestrated cloud or system.
Copyright 2017 Cisco Systems, Inc. 1
AUTHORS: Ian Wells
CISCO SYSTEMS, INC.
In certain cloud operating systems, authority is given to users with secrets. These secrets can be provided to virtual machines (VMs) to enable the VMs to run applications. To modify a cloud (e.g., run a VM), a user usually supplies user credentials to a cloud control endpoint (e.g., a representational state transfer endpoint) when making the request. The request is then approved or denied based on the validity and scope of the credentials. For example, such credentials may be shared with the content of a VM also running on the cloud controller that allows it to take action with the cloud to, among other things, run
When running a workload attached to a software defined networking (SDN) controller, the workload may wish to request actions of the SDN controller. Traditionally this is done by connecting to the SDN controller application programming interface (API), but this requires network connectivity between the workload and the administrative plane, and a credential in the workload, both of which can present security risks. When running a workload in a cloud, the cloud may be orchestrated by starting or stopping VMs. The cloud needs access to the API endpoint and a credential. Credential issuance is typically an administrative task and credentials are not issued specifically to new workloads, but reused over all workloads.
Described herein are techniques for identifying a VM as a source of a request to orchestrate, and techniques for the cloud user to delegate limited control to that VM to perform certain cloud-modifying tasks (e.g., running VMs) without creating a full user or a delegated key for the VM. A credential with no authority is automatically provided to a VM on startup, or a communications channel accessible via only that VM (e.g., a fake hardware device) is added to the VM so that the VM alone can be the source of commands over that channel. Alternatively, the Internet Protocol (IP) address of the VM that can reach the control endpoint is used as a unique source identifier. Certain techniques (e.g., anti-spoofing) may permit a command to uniquely be identified to the VM issuing the
This means that, should the VM be compromised, that authority, and only that authority, is lost to the attacker. The credentials in the first instance necessarily have wide ranging power, and setting up a separate orchestration user for the VM is usu...