1 High level architecture and general features
2 ============================================
7 The Doctor project circles around two distinct use cases: 1) management of
8 failures of virtualized resources and 2) planned maintenance, e.g. migration, of
9 virtualized resources. Both of them may affect a VNF/application and the network
10 service it provides, but there is a difference in frequency and how they can be
13 Failures are spontaneous events that may or may not have an impact on the
14 virtual resources. The Consumer should as soon as possible react to the failure,
15 e.g., by switching to the STBY node. The Consumer will then instruct the VIM on
16 how to clean up or repair the lost virtual resources, i.e. restore the VM, VLAN
17 or virtualized storage. How much the applications are affected varies.
18 Applications with built-in HA support might experience a short decrease in
19 retainability (e.g. an ongoing session might be lost) while keeping availability
20 (establishment or re-establishment of sessions are not affected), whereas the
21 impact on applications without built-in HA may be more serious. How much the
22 network service is impacted depends on how the service is implemented. With
23 sufficient network redundancy the service may be unaffected even when a specific
26 On the other hand, planned maintenance impacting virtualized resources are events
27 that are known in advance. This group includes e.g. migration due to software
28 upgrades of OS and hypervisor on a compute host. Some of these might have been
29 requested by the application or its management solution, but there is also a
30 need for coordination on the actual operations on the virtual resources. There
31 may be an impact on the applications and the service, but since they are not
32 spontaneous events there is room for planning and coordination between the
33 application management organization and the infrastructure management
34 organization, including performing whatever actions that would be required to
35 minimize the problems.
37 Failure prediction is the process of pro-actively identifying situations that
38 may lead to a failure in the future unless acted on by means of maintenance
39 activities. From applications' point of view, failure prediction may impact them
40 in two ways: either the warning time is so short that the application or its
41 management solution does not have time to react, in which case it is equal to
42 the failure scenario, or there is sufficient time to avoid the consequences by
43 means of maintenance activities, in which case it is similar to planned
49 NFV and the Cloud platform provide virtual resources and related control
50 functionality to users and administrators. :num:`Figure #figure3` shows the high
51 level architecture of NFV focusing on the NFVI, i.e., the virtualized
52 infrastructure. The NFVI provides virtual resources, such as virtual machines
53 (VM) and virtual networks. Those virtual resources are used to run applications,
54 i.e. VNFs, which could be components of a network service which is managed by
55 the consumer of the NFVI. The VIM provides functionalities of controlling and
56 viewing virtual resources on hardware (physical) resources to the consumers,
57 i.e., users and administrators. OpenStack is a prominent candidate for this VIM.
58 The administrator may also directly control the NFVI without using the VIM.
60 Although OpenStack is the target upstream project where the new functional
61 elements (Controller, Notifier, Monitor, and Inspector) are expected to be
62 implemented, a particular implementation method is not assumed. Some of these
63 elements may sit outside of OpenStack and offer a northbound interface to
66 General Features and Requirements
67 ---------------------------------
69 The following features are required for the VIM to achieve high availability of
70 applications (e.g., MME, S/P-GW) and the Network Services:
72 1. Monitoring: Monitor physical and virtual resources.
73 2. Detection: Detect unavailability of physical resources.
74 3. Correlation and Cognition: Correlate faults and identify affected virtual
76 4. Notification: Notify unavailable virtual resources to their Consumer(s).
77 5. Fencing: Shut down or isolate a faulty resource
78 6. Recovery action: Execute actions to process fault recovery and maintenance.
80 The time interval between the instant that an event is detected by the
81 monitoring system and the Consumer notification of unavailable resources shall
82 be < 1 second (e.g., Step 1 to Step 4 in :num:`Figure #figure4` and :num:`Figure
87 .. figure:: images/figure3.png
90 High level architecture
95 The VIM shall monitor physical and virtual resources for unavailability and
101 The VIM shall detect unavailability and failures of physical resources that
102 might cause errors/faults in virtual resources running on top of them.
103 Unavailability of physical resource is detected by various monitoring and
104 managing tools for hardware and software components. This may include also
105 predicting upcoming faults. Note, fault prediction is out of scope of this
106 project and is investigated in the OPNFV "Data Collection for Failure
107 Prediction" project [PRED]_.
109 The fault items/events to be detected shall be configurable.
111 The configuration shall enable Failure Selection and Aggregation. Failure
112 aggregation means the VIM determines unavailability of physical resource from
113 more than two non-critical failures related to the same resource.
115 There are two types of unavailability - immediate and future:
117 * Immediate unavailability can be detected by setting traps of raw failures on
118 hardware monitoring tools.
119 * Future unavailability can be found by receiving maintenance instructions
120 issued by the administrator of the NFVI or by failure prediction mechanisms.
122 Correlation and Cognition
123 ^^^^^^^^^^^^^^^^^^^^^^^^^
125 The VIM shall correlate each fault to the impacted virtual resource, i.e., the
126 VIM shall identify unavailability of virtualized resources that are or will be
127 affected by failures on the physical resources under them. Unavailability of a
128 virtualized resource is determined by referring to the mapping of physical and
129 virtualized resources.
131 VIM shall allow configuration of fault correlation between physical and
132 virtual resources. VIM shall support correlating faults:
134 * between a physical resource and another physical resource
135 * between a physical resource and a virtual resource
136 * between a virtual resource and another virtual resource
138 Failure aggregation is also required in this feature, e.g., a user may request
139 to be only notified if failures on more than two standby VMs in an (N+M)
140 deployment model occurred.
145 The VIM shall notify the alarm, i.e., unavailability of virtual resource(s), to
146 the Consumer owning it over the northbound interface, such that the Consumers
147 impacted by the failure can take appropriate actions to recover from the
150 The VIM shall also notify the unavailability of physical resources to its
153 All notifications shall be transferred immediately in order to minimize the
154 stalling time of the network service and to avoid over assignment caused by
155 delay of capability updates.
157 There may be multiple consumers, so the VIM has to find out the owner of a
158 faulty resource. Moreover, there may be a large number of virtual and physical
159 resources in a real deployment, so polling the state of all resources to the VIM
160 would lead to heavy signaling traffic. Thus, a publication/subscription
161 messaging model is better suited for these notifications, as notifications are
162 only sent to subscribed consumers.
164 Notifications will be send out along with the configuration by the consumer.
165 The configuration includes endpoint(s) in which the consumers can specify
166 multiple targets for the notification subscription, so that various and
167 multiple receiver functions can consume the notification message.
168 Also, the conditions for notifications shall be configurable, such that
169 the consumer can set according policies, e.g. whether it wants to receive
170 fault notifications or not.
172 Note: the VIM should only accept notification subscriptions for each resource
173 by its owner or administrator.
174 Notifications to the Consumer about the unavailability of virtualized
175 resources will include a description of the fault, preferably with sufficient
176 abstraction rather than detailed physical fault information.
182 Recovery actions, e.g. safe VM evacuation, have to be preceded by fencing the
183 failed host. Fencing hereby means to isolate or shut down a faulty resource.
184 Without fencing -- when the perceived disconnection is due to some transient
185 or partial failure -- the evacuation might lead into two identical instances
186 running together and having a dangerous conflict.
188 There is a cross-project effort in OpenStack ongoing to implement fencing. A
189 general description of fencing in OpenStack is available here:
190 https://wiki.openstack.org/wiki/Fencing_Instances_of_an_Unreachable_Host .
195 In the basic :ref:`uc-fault1` use case, no automatic actions will be taken by
196 the VIM, but all recovery actions executed by the VIM and the NFVI will be
197 instructed and coordinated by the Consumer.
199 In a more advanced use case, the VIM shall be able to recover the failed virtual
200 resources according to a pre-defined behavior for that resource. In principle
201 this means that the owner of the resource (i.e., its consumer or administrator)
202 can define which recovery actions shall be taken by the VIM. Examples are a
203 restart of the VM, migration/evacuation of the VM, or no action.
207 High level northbound interface specification
208 ---------------------------------------------
213 This interface allows the Consumer to subscribe to fault notification from the
214 VIM. Using a filter, the Consumer can narrow down which faults should be
215 notified. A fault notification may trigger the Consumer to switch from ACT to
216 STBY configuration and initiate fault recovery actions. A fault query
217 request/response message exchange allows the Consumer to find out about active
218 alarms at the VIM. A filter can be used to narrow down the alarms returned in
219 the response message.
223 .. figure:: images/figure4.png
226 High-level message flow for fault management
228 The high level message flow for the fault management use case is shown in
229 :num:`Figure #figure4`.
230 It consists of the following steps:
232 1. The VIM monitors the physical and virtual resources and the fault management
233 workflow is triggered by a monitored fault event.
234 2. Event correlation, fault detection and aggregation in VIM. Note: this may
235 also happen after Step 3.
236 3. Database lookup to find the virtual resources affected by the detected fault.
237 4. Fault notification to Consumer.
238 5. The Consumer switches to standby configuration (STBY)
239 6. Instructions to VIM requesting certain actions to be performed on the
240 affected resources, for example migrate/update/terminate specific
241 resource(s). After reception of such instructions, the VIM is executing the
242 requested action, e.g., it will migrate or terminate a virtual resource.
247 The NFVI maintenance interface allows the Administrator to notify the VIM about
248 a planned maintenance operation on the NFVI. A maintenance operation may for
249 example be an update of the server firmware or the hypervisor. The
250 MaintenanceRequest message contains instructions to change the state of the
251 resource from 'normal' to 'maintenance'. After receiving the MaintenanceRequest,
252 the VIM will notify the Consumer about the planned maintenance operation,
253 whereupon the Consumer will switch to standby (STBY) configuration to allow the
254 maintenance action to be executed. After the request was executed successfully
255 (i.e., the physical resources have been emptied) or the operation resulted in an
256 error state, the VIM sends a MaintenanceResponse message back to the
261 .. figure:: images/figure5.png
264 High-level message flow for NFVI maintenance
266 The high level message flow for the NFVI maintenance use case is shown in
267 :num:`Figure #figure5`.
268 It consists of the following steps:
270 1. Maintenance trigger received from administrator.
271 2. VIM switches the affected NFVI resources to "maintenance" state, i.e., the
272 NFVI resources are prepared for the maintenance operation. For example, the
273 virtual resources should not be used for further allocation/migration
274 requests and the VIM will coordinate with the Consumer on how to best empty
275 the physical resources.
276 3. Database lookup to find the virtual resources affected by the detected
277 maintenance operation.
278 4. StateChange notification to inform Consumer about planned maintenance
280 5. The Consumer switches to standby configuration (STBY)
281 6. Instructions from Consumer to VIM requesting certain actions to be performed
282 (step 6a). After receiving such instructions, the VIM executes the requested
283 action in order to empty the physical resources (step 6b) and informs the
284 Consumer is about the result of the actions. Note: this step is out of scope
286 7. Maintenance response from VIM to inform the Administrator that the physical
287 machines have been emptied (or the operation resulted in an error state).
288 8. The Administrator is coordinating and executing the maintenance
289 operation/work on the NFVI. Note: this step is out of scope of Doctor.
294 Faults in the listed elements need to be immediately notified to the Consumer in
295 order to perform an immediate action like live migration or switch to a hot
296 standby entity. In addition, the Administrator of the host should trigger a
297 maintenance action to, e.g., reboot the server or replace a defective hardware
300 Faults can be of different severity, i.e., critical, warning, or
301 info. Critical faults require immediate action as a severe degradation of the
302 system has happened or is expected. Warnings indicate that the system
303 performance is going down: related actions include closer (e.g. more frequent)
304 monitoring of that part of the system or preparation for a cold migration to a
305 backup VM. Info messages do not require any action. We also consider a type
306 "maintenance", which is no real fault, but may trigger maintenance actions
307 like a re-boot of the server or replacement of a faulty, but redundant HW.
309 Faults can be gathered by, e.g., enabling SNMP and installing some open source
310 tools to catch and poll SNMP. When using for example Zabbix one can also put an
311 agent running on the hosts to catch any other fault. In any case of failure, the
312 Administrator should be notified. Table 1 provides a list of high level faults
313 that are considered within the scope of the Doctor project requiring immediate
314 action by the Consumer.
317 +------------------+---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
318 | Service | Fault | Severity | How to detect? | Comment | Action to recover |
319 +------------------+---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
320 | Compute Hardware | Processor/CPU failure, CPU condition not ok | Critical | Zabbix | | Switch to hot standby |
321 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
322 | | Memory failure/Memory condition not ok | Critical | Zabbix (IPMI) | | Switch to hot standby |
323 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
324 | | Network card failure, e.g. network adapter connectivity lost | Critical | Zabbix/Ceilometer | | Switch to hot standby |
325 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
326 | | Disk crash | Info | RAID monitoring | Network storage is very redundant (e.g. RAID system) and can guarantee high availability | Inform OAM |
327 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
328 | | Storage controller | Critical | Zabbix (IPMI) | | Live migration if storage is still accessible; otherwise hot standby |
329 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
330 | | PDU/power failure, power off, server reset | Critical | Zabbix/Ceilometer | | Switch to hot standby |
331 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
332 | | Power degradation, power redundancy lost, power threshold exceeded | Warning | SNMP | | Live migration |
333 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
334 | | Chassis problem (.e.g fan degraded/failed, chassis power degraded), CPU fan problem, temperature/thermal condition not ok | Warning | SNMP | | Live migration |
335 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
336 | | Mainboard failure | Critical | Zabbix (IPMI) | | Switch to hot standby |
337 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
338 | | OS crash (e.g. kernel panic) | Critical | Zabbix | | Switch to hot standby |
339 +------------------+---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
340 | Hypervisor | System has restarted | Critical | Zabbix | | Switch to hot standby |
341 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
342 | | Hypervisor failure | Warning/Critical | Zabbix/Ceilometer | | Evacuation/switch to hot standby |
343 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
344 | | Zabbix/Ceilometer is unreachable | Warning | ? | | Live migration |
345 +------------------+---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
346 | Network | SDN/OpenFlow switch, controller degraded/failed | Critical | ? | | Switch to hot standby or reconfigure virtual network topology |
347 + +---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
348 | | Hardware failure of physical switch/router | Warning | SNMP | Redundancy of physical infrastructure is reduced or no longer available | Live migration if possible, otherwise evacuation |
349 +------------------+---------------------------------------------------------------------------------------------------------------------------+------------------+-------------------+------------------------------------------------------------------------------------------+----------------------------------------------------------------------+
352 vim: set tabstop=4 expandtab textwidth=80:
Code Review / doctor.git / blob