Contrail is an open source integrated approach to virtualization, which aims at offering Infrastructure as a Service (IaaS) services, services for federating IaaS clouds, and Contrail Platform as a Service (ConPaaS) services on top of federated clouds.
In Contrail, the user is relieved from managing access to individual cloud providers and can focus on specifying the service or application. The application is then deployed on a few clouds selected from a large set of heterogeneous cloud providers. These providers can implement different cloud technologies, have different hardware, or offer different types of guarantees.
Contrail implements a dependable cloud by guaranteeing the availability of the computational resources and by offering strict guarantees in terms of quality of service (QoS) and quality of protection (QoP), which customers can specify in the Service Level Agreement (SLA) when submitting their requests and monitor during the execution of the application. The Contrail Federation is the primary access point for customers. It is the entity entitled to select the best provider for serving the customers' requests, and to negotiate and enforce the SLAs even on unreliable providers. Thus, a customer of Contrail only needs to submit the distributed application along with its runtime configuration, and to specify the requirements, in an OVF document and an SLA document respectively. The Federation then ensures that the providers' resources are utilized as needed to offer an elastic, dependable, and trustworthy cloud service.
These qualities enable customers to rely on cloud computing as an external source for their data management and as processing facilities for creating their business on top.
The Contrail architecture is designed to be extensible, allowing some components to be reused in different layers and to be exploited independently. As such, it is organized in modular components separated by well-defined interfaces and structured in layers that address, from top to bottom, the federation, the provider, and the resources.
The federation layer is the entry point for users, who register and authenticate to use the Contrail services; users interact with this layer to negotiate SLAs and to submit and monitor their applications. The federation layer is then in charge of interacting with the different cloud providers, enabling seamless access to their resources.
The Contrail Federation implements federated identity management for authentication and authorization, and integrates security mechanisms to provide strict security guarantees expressed as quality of protection (QoP) terms. The SLA terms for security (QoP) and performance guarantees (QoS) are used to select the most suitable cloud providers for deploying the user's application, based on the resources available and the providers' reputation, so that the level of performance and trustworthiness matches what the application requires. The Federation then negotiates proper SLA terms with each provider, transparently for the users. In this phase, a high degree of interoperability is achieved thanks to the Virtual Execution Platform (VEP) service, which enables the Federation to manage the resources of public and private cloud providers regardless of the hardware and the technology they implement.
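The provider-selection step described above (hard QoS and QoP constraints from the SLA, then ranking by reputation) can be made concrete as follows. This is an added illustration, not code from the Contrail Federation; the term names (`latency_ms`, `availability_pct`, the QoP feature labels), the provider records and the reputation scores are constructed for the example.

```python
"""SLA-driven provider selection: filter offers on the QoS/QoP terms of a
request, then rank the feasible ones by reputation.
Added example, not Contrail Federation code; all names and values are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class ProviderOffer:
    name: str
    qos: Dict[str, float]          # QoS terms the provider guarantees (constructed units)
    qop: FrozenSet[str]            # QoP terms: protection features the provider offers
    reputation: float              # 0.0..1.0, assumed federation-maintained score
    available_vcpus: int           # capacity currently free at this provider


@dataclass
class SlaRequest:
    vcpus: int
    max_latency_ms: float
    min_availability_pct: float
    required_qop: FrozenSet[str]   # every listed term must be offered
    min_reputation: float          # trust floor the customer accepts


def satisfies(offer: ProviderOffer, req: SlaRequest) -> bool:
    """Hard constraints: capacity, QoS bounds, all required QoP terms, reputation floor."""
    if offer.available_vcpus < req.vcpus:
        return False
    if offer.qos.get("latency_ms", float("inf")) > req.max_latency_ms:
        return False
    if offer.qos.get("availability_pct", 0.0) < req.min_availability_pct:
        return False
    if not req.required_qop <= offer.qop:      # QoP is a superset check, never partial
        return False
    return offer.reputation >= req.min_reputation


def rank(offers: List[ProviderOffer], req: SlaRequest) -> List[ProviderOffer]:
    """Feasible offers, best first: higher reputation, then higher availability, then lower latency."""
    feasible = [o for o in offers if satisfies(o, req)]
    return sorted(
        feasible,
        key=lambda o: (-o.reputation, -o.qos["availability_pct"], o.qos["latency_ms"]),
    )


def select_provider(offers: List[ProviderOffer], req: SlaRequest) -> Optional[str]:
    """Name of the best feasible provider, or None when no offer meets the SLA."""
    ranked = rank(offers, req)
    return ranked[0].name if ranked else None


# Constructed sample offers and request.
OFFERS = [
    ProviderOffer("provider-a", {"latency_ms": 40, "availability_pct": 99.9},
                  frozenset({"tls_in_transit", "encrypted_storage"}), 0.92, 64),
    ProviderOffer("provider-b", {"latency_ms": 15, "availability_pct": 99.99},
                  frozenset({"tls_in_transit"}), 0.97, 128),
    ProviderOffer("provider-c", {"latency_ms": 30, "availability_pct": 99.95},
                  frozenset({"tls_in_transit", "encrypted_storage", "eu_location"}), 0.88, 16),
]

REQUEST = SlaRequest(
    vcpus=32,
    max_latency_ms=50,
    min_availability_pct=99.9,
    required_qop=frozenset({"tls_in_transit", "encrypted_storage"}),
    min_reputation=0.85,
)

if __name__ == "__main__":
    # provider-b has the best reputation but lacks a required QoP term;
    # provider-c lacks capacity; provider-a is the only feasible offer.
    print(select_provider(OFFERS, REQUEST))
```

The point the sample makes is that QoP terms are hard constraints: the most reputable provider is excluded because it cannot offer encrypted storage, and reputation only orders the offers that already satisfy every SLA term.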
The provider layer implements the business part of a cloud provider: it negotiates and enforces SLAs, monitors the application, and does the accounting of the resources. This layer is the only one interacting with the Contrail Federation. The resource layer manages the physical resources of a cloud provider. In Contrail, each cloud provider runs a copy of the VEP software, which in turn seamlessly integrates its resources with the Contrail Federation. The separation of the provider and resource layers has a twofold meaning: a cloud provider can have many data centers, and the cloud provider can use the management services of the provider layer to run its business independently of, or in addition to, the Contrail Federation.
A key objective of the Contrail project is to provide a reliable cloud platform. The gateway is the Contrail Federation, and three other important components are VEP, GAFS, and VIN. VEP is a reliable application deployment platform that is resilient to operational failures and supports secure management of user data with strong QoS guarantees. It is an open source technology implementing standards, and it deploys end-user applications independently of the underlying platform, providing the interoperability support the Contrail Federation needs. GAFS (Global Autonomous File System) is a reliable and highly available storage service implemented with XtreemFS. It is used both to store VM images and system logs, and as a scalable Storage as a Service for cloud users and applications. GAFS provides scalability and elasticity, and implements security mechanisms for data access control and encryption of data in transit. It also allows specifying the level of protection of the stored data and the location of the storage, to satisfy specific legal requirements or negotiated QoS terms, e.g., low latency and high throughput. VIN (Virtual Infrastructure Network) is responsible for managing all communication within a Contrail application and for maintaining a stable network when resources are added to or removed from an elastic application. It creates a dedicated private network per application, deployed in an isolated environment, and can provide different security levels for the communication.
Another key objective of Contrail is to provide elastic PaaS services on top of federated clouds. This is achieved thanks to the ConPaaS (Contrail PaaS) component, which directly interacts with the Federation to use services and features such as user management, SLA handling, and application deployment.
The tight integration with the Federation ensures that a ConPaaS service can be deployed over different cloud providers to guarantee elasticity within the constraints of the negotiated SLA, thus integrating security, availability, and performance guarantees for a reliable execution. As a standalone component, ConPaaS already ensures that services can deploy themselves on the cloud and be self-managed, elastic, and scalable. A ConPaaS service can monitor its own performance and increase or decrease its processing capacity by dynamically (de-)provisioning instances of itself in the cloud.
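The self-monitoring and (de-)provisioning loop described above can be sketched as a small scaling controller. This is an added example, not ConPaaS code; the latency thresholds, the evidence window, the instance bounds and the latency stream are constructed assumptions. It shows two details a practitioner would want: two thresholds (hysteresis) so the service does not oscillate around a single value, and SLA-derived bounds so scaling in never drops below the availability floor and scaling out never exceeds the agreed ceiling.

```python
"""Elastic (de-)provisioning decision with hysteresis and SLA bounds.
Added example, not ConPaaS code; thresholds, window and bounds are constructed."""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class ScalingPolicy:
    min_instances: int            # lower bound, assumed to come from the SLA availability floor
    max_instances: int            # upper bound, assumed to come from the SLA cost ceiling
    scale_out_latency_ms: float   # latency sustained above this -> add one instance
    scale_in_latency_ms: float    # latency sustained below this -> remove one instance
    window: int                   # consecutive samples that must agree before acting


def decide(current: int, samples: Sequence[float], policy: ScalingPolicy) -> int:
    """Return the new instance count given the latency samples observed so far.

    Acts only on a full window of agreeing samples; the gap between the two
    thresholds is the hysteresis band in which nothing happens."""
    if len(samples) < policy.window:
        return current                       # not enough evidence yet
    recent = samples[-policy.window:]
    if all(s > policy.scale_out_latency_ms for s in recent):
        return min(current + 1, policy.max_instances)
    if all(s < policy.scale_in_latency_ms for s in recent):
        return max(current - 1, policy.min_instances)
    return current


def simulate(start: int, stream: Sequence[float], policy: ScalingPolicy) -> List[int]:
    """Replay a latency stream one sample at a time; return the instance count after each.

    After every scaling action the evidence window is reset, so a fresh
    window of samples is required before the next action (a simple cooldown)."""
    count = start
    since_change: List[float] = []
    history: List[int] = []
    for sample in stream:
        since_change.append(sample)
        new_count = decide(count, since_change, policy)
        if new_count != count:
            since_change = []
            count = new_count
        history.append(count)
    return history


# Constructed policy and latency stream (milliseconds).
POLICY = ScalingPolicy(min_instances=1, max_instances=4,
                       scale_out_latency_ms=200, scale_in_latency_ms=50, window=3)
LATENCY_STREAM = [250, 260, 270, 240, 230, 220, 30, 20, 10, 100, 110, 120]

if __name__ == "__main__":
    # Two sustained high windows scale 2 -> 3 -> 4, one low window scales back to 3,
    # and the final in-band samples leave the count unchanged.
    print(simulate(2, LATENCY_STREAM, POLICY))
```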