
International Journal of Computer Engineering & Technology (IJCET)
ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 5, Issue 1, January (2014), pp. 118-127
IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI), www.jifactor.com

AN ENHANCED MONITORING MECHANISM FOR IAAS PLATFORMS


Mohammed Jameel Sadeeq Barwary
Assistant Lecturer, Department of Statistics, Faculty of Administration and Economics, University of Duhok (UoD), Kurdistan Region - Iraq

ABSTRACT

The monitoring mechanisms of the open-source IaaS software OpenNebula and the monitoring system Ganglia were analyzed. The overhead of retrieving resource usage information is reduced by deploying the Ganglia monitoring agent. To improve the robustness of the monitoring subsystem, we take measures in the privileged domain of the virtualization nodes to hide the agent, preventing regular or malicious users from checking, modifying, unloading or killing it, intentionally or unintentionally. The mechanism is very helpful in enhancing the effectiveness, reliability and sturdiness of the monitoring system of IaaS platforms.

KEYWORDS: IaaS, Monitoring, Consolidation, Agent.

I. INTRODUCTION

With its outstanding advantages of elasticity, economy and so on, cloud computing is embraced by many IT companies, universities and research institutes. According to the NIST (National Institute of Standards and Technology) definition of cloud computing, the cloud model has five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service [1]. Importantly, most of these attractive characteristics rely on the effectiveness and reliability of the resource monitoring system.

Currently, for IaaS (Infrastructure as a Service), there are many different monitoring systems for commercial or open-source IaaS platforms, with different merits and demerits regarding overhead or robustness [2]. Many researchers have proposed different solutions to performance or robustness problems. For example, G. Katsaros et al. designed a multi-level monitoring framework, which is more effective and scalable [3]. Javier Povedano-Molina et al. designed a highly adaptable and scalable monitoring architecture for clouds, which ensures accurate measurement of cloud resources while keeping overhead low [4]. D. Zou et al. designed a trusted monitoring framework to ensure the integrity of the monitoring environment through trusted computing technology [5].
Most previous work focused on efficiency or on the security of the monitoring environment, but lacked a protection mechanism for the components of the monitoring system. With the development of cloud computing and the expansion of datacenters, the monitoring system should consider both of these aspects. In this paper, we present an enhanced monitoring mechanism for IaaS platforms based on OpenNebula, detailing the monitoring agent used as the alternative to the native monitoring probes and the consolidation measures that protect the monitoring component of the monitoring infrastructure.

II. MONITORING MECHANISM OF OPENNEBULA AND GANGLIA

OpenNebula is an enterprise-ready open-source platform to manage cloud data centers and to build IaaS platforms. The architecture of OpenNebula is shown in Figure 1.
[Figure 1 diagram. Labels: CLI, GUI, Cloud Servers, Scheduler; OCA (Ruby, Java); XML-RPC API; OpenNebula Core; Monitoring, Virtualization, Storage, Images, Network, Auth; DB]

Figure 1. The architecture of OpenNebula

A. The monitoring mechanism of OpenNebula

The native built-in monitoring subsystem of OpenNebula relies on the Xen hypervisor tools and OpenNebula-defined probes. The architecture of the monitoring subsystem of OpenNebula is shown in Figure 2.

[Figure 2 diagram. Labels: OpenNebula Frontend (Monitoring Subsystem, Other); Monitoring probes; Password-less SSH; three Xen Nodes, each with Dom0 and two DomU]

Figure 2. OpenNebula Monitoring Subsystem

To retrieve the resource information successfully, the OpenNebula Frontend needs to do the following:

1) Every node needs to have an identical Unix account that the Frontend uses to connect and execute commands remotely, such as the monitoring probes and the virtual machine management procedures. By default, the account is named oneadmin.
2) Following the password-less SSH login principle, the oneadmin account on the Frontend is set up so that it can log in to every node without a password.

These two steps are critical to the monitoring subsystem of the Frontend, because whenever a node is added to the IaaS platform, the Frontend needs to copy the monitoring probes onto it remotely.

3) After the above operations have been performed successfully, the oneadmin account on the Frontend periodically logs in to every node remotely without a password and executes the probes to gather the resource information.

B. The monitoring mechanism of Ganglia

Analyzing the principle of this monitoring mechanism shows that the overhead of the monitoring subsystem is related to the number of nodes and increases as nodes are added. To avoid this problem, we adopt the open-source distributed cluster monitoring system Ganglia as the alternative; it was developed at Berkeley and has the advantages of scalability and low overhead. The architecture of Ganglia [6] is shown in Figure 3.
[Figure 3 diagram. Labels: client, connect, data; gmetad, poll, failover; XML over TCP; XDR over UDP; gmond nodes grouped into clusters]

Figure 3. Ganglia architecture

The Ganglia monitoring system contains three main components: the monitor daemon (gmond), the metadata daemon (gmetad) and the PHP web frontend. In particular, gmond runs on each node we wish to monitor; it collects its own monitoring data, announces its presence on the local network and receives the state of the other gmond nodes through multicast or unicast.

III. ENHANCED MONITORING MECHANISM IMPLEMENTATION

C. Integrating gmond of Ganglia

According to the principle of Ganglia, we employ gmond as the alternative to the probes for retrieving the resource information [7][8]. The monitoring subsystem can then retrieve the resource information of the whole IaaS platform by accessing any one gmond in the multicast system. The architecture of the new monitoring subsystem after integrating gmond is shown in Figure 4.
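Reading the whole platform's state from a single gmond, as described above, comes down to parsing that daemon's XML dump. The following is an added example, not code from the paper or from Ganglia: it parses a constructed dump and flags hosts whose agent has gone quiet. The sample data, the function names and the 4 x TMAX staleness threshold are assumptions.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a gmond XML dump (two hosts, trimmed).
SAMPLE = """<GANGLIA_XML VERSION="3.2.0" SOURCE="gmond">
<CLUSTER NAME="iaas-test" LOCALTIME="1388534400" OWNER="lab" LATLONG="" URL="">
<HOST NAME="node1" IP="10.0.0.11" REPORTED="1388534395" TN="5" TMAX="20" DMAX="0">
<METRIC NAME="mem_free" VAL="812340" TYPE="float" UNITS="KB" TN="12" TMAX="180"/>
<METRIC NAME="load_one" VAL="0.42" TYPE="float" UNITS="" TN="3" TMAX="70"/>
</HOST>
<HOST NAME="node2" IP="10.0.0.12" REPORTED="1388534100" TN="300" TMAX="20" DMAX="0">
<METRIC NAME="mem_free" VAL="102400" TYPE="float" UNITS="KB" TN="310" TMAX="180"/>
</HOST>
</CLUSTER>
</GANGLIA_XML>"""

def fetch_dump(host, port=8649, timeout=5.0):
    """Read one gmond's full XML dump; 8649 is gmond's default TCP port."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(65536)
            if not data:          # gmond closes the socket after the dump
                break
            chunks.append(data)
    return b"".join(chunks)      # bytes: let the XML parser honour the encoding

def cluster_view(xml_doc, stale_factor=4):
    """Map host name -> {"silent": bool, "metrics": {name: (value, units)}}."""
    view = {}
    for host in ET.fromstring(xml_doc).iter("HOST"):
        tn = int(host.get("TN", "0"))      # seconds since the last heartbeat
        tmax = int(host.get("TMAX", "0"))  # expected maximum heartbeat gap
        metrics = {}
        for m in host.iter("METRIC"):
            value = m.get("VAL")
            if m.get("TYPE") in ("float", "double"):
                value = float(value)
            metrics[m.get("NAME")] = (value, m.get("UNITS"))
        # Assumed rule: an agent is silent once TN exceeds stale_factor * TMAX.
        silent = tmax > 0 and tn > stale_factor * tmax
        view[host.get("NAME")] = {"silent": silent, "metrics": metrics}
    return view

def silent_agents(xml_doc):
    """Hosts whose gmond has stopped reporting (killed, unloaded or cut off)."""
    return sorted(h for h, v in cluster_view(xml_doc).items() if v["silent"])

if __name__ == "__main__":
    print(silent_agents(SAMPLE))
```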
[Figure 4 diagram. Labels: OpenNebula Frontend (Monitor subsystem, gmond, Other); Multicast channel; three Xen Nodes, each with Dom0 running gmond and a DomU]

Figure 4. Integrating Ganglia gmond

Adopting the new monitoring mechanism not only reduces the monitoring overhead in a large deployment, as the monitoring system doesn't rely on SSH connections to the nodes, but also makes it easy to extend the user-defined monitoring metrics, such as monitoring the currently running services or the load of a specific process.

D. Consolidation monitoring mechanism

Because most of the attractive characteristics of cloud computing rely on the effectiveness and reliability of the resource monitoring system, to improve the robustness of the monitoring agent we take measures on the Linux guest operating system to hide the agent in the privileged domain (the Dom0 operating system in the Xen [9][10] virtualization environment, as shown in Figure 4), preventing regular or malicious users from checking, modifying, unloading or killing it, intentionally or unintentionally. The basic principles of the consolidation are as follows.

1) When a user executes commands or calls APIs to view information about system processes, the unit for hiding the monitoring agent checks the identity of whoever performs the operation, that is, whether it is the authorized user or not;
2) If the user is authorized, the requested information, including the monitoring agent process, is returned successfully.

It should be emphasized that the authorized user is not the administrator or root account of the Linux operating system, but a custom-defined user account in the privileged domain operating system (Dom0). The purpose of this account is to modify or configure the monitoring agent as needed to satisfy the different resource management and scheduling requirements of IaaS platforms. The implementation is detailed below.

According to the principle of the process view in the Linux operating system, shown in Figure 5, it contains the following steps:

1) When an application launches a process view request, the application tool (such as ps, pstree, top, etc.) issues the sys_open system call to open the /proc directory. If successful, it returns a file descriptor;
2) Using the descriptor, the application goes on to call the sys_getdents function to traverse the directory entries of the /proc directory and return the set of process directory entries;
3) Finally, from the set of process directory entries, the application gets the process information.

[Figure 5 diagram. Labels: user space: ps, top, pstree, ls /proc, process list; kernel space: /proc, file descriptor, process directory entry set; system call: sys_call_table, ia32_sys_call_table, sys_open, sys_getdents]

Figure 5. The native process of process view

By intercepting and filtering the above native traversal, we can hide a specific process. To do so, we introduce a unit for hiding the monitoring agent. The new process of the process view in Linux is shown in Figure 6.

[Figure 6 diagram. Labels: user space: ps, top, pstree, ls /proc, process list; kernel space: /proc, file descriptor, process directory entry set; system call: sys_call_table, ia32_sys_call_table, sys_open, sys_getdents; unit for hiding monitoring agent: "Authorized user?", Y, Non-Filter, Filter operation; VFS Kernel Service]

Figure 6. The new process of process view

For the sys_getdents function, shown in Figure 7, we modify the readdir function to add a user identity inspection mechanism. The whole directory entry set is returned only to the authorized user; a regular user gets the information with the entries related to the monitoring agent excluded.

[Figure 7 diagram. Call chain: sys_getdents, vfs_readdir, file->f_op->readdir]

Figure 7. sys_getdents function

The flowchart of the whole process above is shown in Figure 8.

[Figure 8 flowchart. Labels: Start; Launch process view request; Application Tools; Open /proc; Call sys_open; File Descriptor FD; Call sys_getdents; Traverse directory; VFS Function APIs; Process directory entry set; Authorized user; N: Filter operation; Process1 ... ProcessN directory entry; The function of /proc file system; Process Info.; Retrieve process info.; Process list; Output process list; End]

Figure 8. The flowchart of consolidation
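The filter described above changes only what enumeration of /proc returns. As an added example (not code from the paper), the cross-view check below compares that listing with direct /proc/<pid> lookups to report PIDs missing from the listing; it assumes the hiding unit does not also filter path lookups, and the function names are hypothetical.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs returned by enumerating /proc (the getdents/readdir path)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def thread_group_id(pid, proc="/proc"):
    """Tgid read from /proc/<pid>/status by direct path lookup, else None."""
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:               # no such PID, or it exited while being read
        pass
    return None

def pid_limit(default=32768):
    """Upper bound of the PID space on this kernel."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return default

def unlisted_pids(list_fn=listed_pids, tgid_fn=thread_group_id, max_pid=None):
    """PIDs that resolve by direct lookup but are absent from the listing."""
    before = list_fn()
    suspects = set()
    for pid in range(1, (max_pid or pid_limit()) + 1):
        # /proc/<tid> resolves for every thread, yet only thread-group
        # leaders (Tgid == pid) are ever listed, so skip non-leader threads.
        if pid not in before and tgid_fn(pid) == pid:
            suspects.add(pid)
    # A process that started mid-scan shows up in a second listing; what
    # remains must still be alive and still missing to be reported.
    after = list_fn()
    return sorted(p for p in suspects - after if tgid_fn(p) == p)

if __name__ == "__main__":
    hidden = unlisted_pids()
    print("unlisted PIDs:", hidden if hidden else "none")
```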


After adding the consolidation mechanism, the enhanced monitoring architecture is as shown in Figure 9.
[Figure 9 diagram. Labels: OpenNebula Frontend (Monitor subsystem, gmond, hiding unit, Other); Multicast channel; three Xen Nodes, each with Dom0 running gmond and the hiding unit, and a DomU]

Figure 9. The enhanced monitoring architecture

IV. EXPERIMENTAL RESULTS

Based on the enhanced monitoring mechanism detailed in this paper, we ran experiments on our IaaS testing platform. Considering copyright, effectiveness and performance, we chose the open-source software OpenNebula [11], Xen [12] and the CentOS operating system [13] to build our IaaS platform. Xen is an open-source hypervisor, which makes it possible to run many instances of operating systems on a single machine. The platform architecture is shown in Figure 10.
[Figure 10 diagram. Labels: Internet; Frontend: OpenNebula, gmond, Hiding module; Nodes: Xen, gmond, Hiding module]

Figure 10. Minimal IaaS platform architecture

The related software parameters of the IaaS testing environment are shown in Table I; the physical CPU should be 64-bit capable.

TABLE I. RELATED SOFTWARE PARAMETERS

Name      Version
CentOS    5.8, x86_64
Xen       3.4.4
Ganglia   3.2.0
Using the new monitoring system, we can also get the resource usage information of hosts and virtual machines. The memory usage information of one virtual machine in our IaaS environment is shown in Figure 11.

Figure 11. Memory monitoring information

For the overhead and effectiveness of the monitoring system in our environment, we assume the number of nodes is $N_{Total}$. According to the principle of the native monitoring subsystem of OpenNebula, which needs to log in to every node remotely without a password and execute the probes to gather the resource information periodically, we also assume that every remote login operation consumes $R_{Every}$ units of resource, the number of hosts monitored in each interval is $N_{Interval}$, the time consumed by each interval operation is $T_{Interval}$ (assuming that every node in one interval finishes its data acquisition within $T_{Interval}$ through a parallel mechanism), and the total time and resource consumption of one traversal are $T_{Total}$ and $R_{Total}$. Here N, R and T are positive integers. We can deduce the following equations:

$$R_{Total} = N_{Total} \times R_{Every} \tag{1}$$

$$T_{Total} = (N_{Total} / N_{Interval}) \times T_{Interval} \tag{2}$$

First, according to (1), the total resource consumption of one traversal increases linearly with the number of nodes, and the whole overhead of data acquisition is borne by the Frontend, whereas according to Fig. 4 the alternative mechanism lets the nodes and the Frontend share the overhead of data acquisition. The overhead of the gmond agent on the Frontend over a period of time is shown in Figure 12.

Figure 12. The overload of monitoring agent


Second, according to (2), the waiting time for retrieving the latest resource information of one node in the IaaS platform satisfies $T_{Time} \in [T_{Interval}, (N_{Total}/N_{Interval}) \times T_{Every}]$. After adopting the gmond of Ganglia, this waiting time is a fixed value that depends only on the specific parameters of gmond, which makes it more effective and closer to real time.

For the robustness of the monitoring components of the monitoring system, the verification of the consolidation mechanism is detailed below. When an unauthorized user, including the root account, launches a process view request, the hiding unit filters the returned results to exclude the gmond monitoring agent, as shown in Figure 13, while the authorized user (the built-in admin account) can retrieve the whole process information, as shown in Figure 14.

Figure 13. Unauthorized user views monitoring agent process

Figure 14.

Figure 15. Authorized user views monitoring agent

V. CONCLUSION

We have presented an enhanced monitoring mechanism for IaaS platforms: 1) adopting the Ganglia monitoring agent as the alternative to the native probes to reduce overhead; 2) taking measures to hide the monitoring agent, consolidating it to prevent it from being killed. We construct a more efficient and robust monitoring subsystem for IaaS platforms. The mechanism also adapts to PaaS or SaaS environments and to regular cluster or grid environments.

ACKNOWLEDGMENT

This work has been supported by the project of cloud computing network security of the Research Institution of China Mobile.

REFERENCES

[1] Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, 2011.
[2] Giuseppe Aceto, et al., Cloud monitoring: A survey, Computer Networks 57 (2013), 2013, pp. 2093–2115.
[3] Gregory Katsaros, et al., An integrated monitoring infrastructure for cloud environments, Cloud Computing and Services Science, 2012, pp. 149-164.
[4] J. Povedano-Molina, et al., DARGOS: A highly adaptable and scalable monitoring architecture for multi-tenant Clouds, Future Generation Computer Systems (2013), 2013.
[5] D. Zou, et al., Design and implementation of a trusted monitoring framework for cloud platforms, Future Generation Computer Systems (2013), doi:10.1016/j.future.2012.12.
[6] Matthew L. Massie, Brent N. Chun, David E. Culler, The ganglia distributed monitoring system: design, implementation, and experience, Parallel Computing, vol. 30, 2004, pp. 817–840.
[7] C12G Labs S.L., Advanced Setups for your Cloud Infrastructure OpenNebula 3.8, C12G LABS, 2012.
[8] L. M. Llorente, et al., OpenNebula 3 Cloud Computing, Packt Publishing Ltd., 2012.
[9] Jeanna N. Matthews, et al., Running Xen: A Hands-on Guide to the Art of Virtualization, Prentice Hall, 2008.
[10] Chris Takemura and Luke S. Crawford, The book of Xen: A Practical Guide for the System Administrator, 2009.
[11] Barham P., Dragovic B., Fraser K., et al., Xen and the Art of Virtualization, Proceedings of the 19th ACM SOSP, 2003,10.
[12] Matt Massie, et al., Monitoring with Ganglia, O'Reilly, 2012.12.
[13] Xiang Guo-Fu, et al., Virtualization Based Security Monitoring, Journal of Software, 2012.
[14] OpenNebula.org, http://www.opennebula.org/.
[15] Xenproject.org, http://www.xenproject.org/.
[16] CentOS.org, http://www.centos.org.
[17] Vallard Benincosa, Ganglia and Nagios, IBM developerWorks, http://www.ibm.com/developerworks/library/l-ganglia-nagios-1/.
[18] UC Berkeley Grid Report, http://monitor.millennium.berkeley.edu/.
