CloudStack 4.3 – a first review

The latest release of Apache CloudStack has arrived with a raft of exciting new features. In this early review, Giles Sirett, CEO of ShapeBlue looks at the significance of some of these features and why they help to continue to position CloudStack as the IaaS orchestration platform of choice for many service providers and enterprises alike.

Version 4.3 of CloudStack has been some time coming, the official release was earlier today. I count 10 headline new features, 12 improvements (not quite big enough to be called a feature) and over 160 existing issues resolved.

Hyper – V Support

The first, and the biggest headline new feature of CloudStack 4.3, is support for Microsoft’s Hyper- V hypervisor. CloudStack has always had support for Xen, VMware, KVM and OVM (and bare-metal) but Hyper-V had remained the “last hypervisor” for some time. When I first started working with CloudStack, I along with many in the industry, never really expected to see demand for people to orchestrate Hyper-V as it was, well, not really a serious contender in the datacentre space. However, with the trend for private enterprise clouds, we’ve been surprised at ShapeBlue by the increasing market share of Microsoft’s tech in that space. CloudStack is now able to orchestrate Hyper-V 2012 R2 hosts.

Hyper-V, CloudStack supports SMB3-based storage. There are some limitations for this first implementation of Hyper-V support, the following features of CloudStack will not be available in Hyper-V clusters (yet):

  • Network throttling
  • Security groups (Advanced Zone)
  • IPv6
  • Snapshot: VM and disk
  • VPC
  • HA of guest VMs
  • Redundant VR
  • Mixed hypervisor zone
  • NIC bonding

A number of these will be addressed in the next release (4.4).

Palo Alto Firewall integration

At the heart of CloudStack’s advanced networking concept is the use of its own virtual router technology. This gives great cloud-scale elasticity in the public cloud space but increasingly enterprises want their networking layer to be provided by a high-end “known quantity”. This integration work, which has been worked on jointly by Palo Alto and our friends at CloudOps allows the configuring of a Palo Alto firewall as a service provider to override services typically offered by the virtual routers, such as Firewall, NAT & Port forwarding.

Dynamic Compute offerings

To date, Cloudstack has insisted on pre-configured “compute offerings” on which users can then base virtual machines. These compute offerings are a combination of number of vCPU’s and memory. It was possible to create an infinite number of these, but it was always a clunky way for people who wanted to do a type of sliding scale offering of CPU and memory. Cloudstack can now accept custom values for CPU and RAM at the point of creating a virtual machine.

Ntier apps 2.0

nTier Apps was a new feature (or rather, collection of features) added in the previous release of CloudStack. nTier Apps allowed users to create a multi-tier App connected to a single instance of Virtual Router that supported inter-VLAN routing. With these features, users were also able to connect their multi-tier applications to a private Gateway or a Site-to-Site VPN tunnel and route certain traffic to those gateways.

The functionality has now been beefed up to allow site to site VPN’s to be created between virtual routers in different availability zones (whereas previously, you needed to have a “non cloud” VPN endpoint at one end). So, why is this significant ? Well, this feature is symptomatic of CloudStack’s common sense approach to dealing with the non-cloud legacy of many enterprises . We all know that , in the cloud era, apps should really handle scale and HA themselves. No more should that be the job of the infrastructure. However, in the real world, enterprises have 100’s of legacy apps that expect highly available infrastructure: traditional workloads. By allowing users to bridge between availability zones, we are allowing users to create a distributed infrastructure. Very “un cloud era” – but very sensible.

LDAP user provisioning

Another note towards the enterprise adoption of Cloudstack is the enhancement of the LDAP authentication in 4.3. CloudStack now supports multiple LDAP servers and also the ability to select and add users directly from the LDAP directory. You can filter by group name and import all the users within a group. After they have been imported to CloudStack, in contrast to manually adding them in previous releases, users are allowed to directly log in to CloudStack by using the LDAP credentials.

Migrating NFS Secondary Storage to Object Store

In an existing zone that is using NFS for secondary storage, you can now upgrade the zone to use a region-wide object storage without causing downtime. This will not move existing data, but help with the infrastructure migration.

VXLAN Plugin Support

The VXLAN plugin, developed by NTT/Verio, adds VXLAN as one of the guest network isolation methods in CloudStack. This plugin enables more than 4096 isolated guest networks in a Zone, with almost the same usability as VLAN isolation. This plugin provides no network services. Use virtual router for network services. This plugin is supported on KVM hypervisors.

OpenContrail Network Plugin Support

The Contrail virtual network controller is an open source project that provides an overlay implementation of network virtualization that is interoperable with network devices that support existing network virtualization standards. Support for the Contrail plugin has been added to CloudStack to provide NAT services to the XenServer hosts. The plugin supports isolated networks, Static NAT implemented by the VRouter dataplane, and Source NAT implemented by using a virtual appliance with full NAT functionality. This development has been undertaken by some of the guys over at Juniper.

Enhanced support for SolidFire Storage

Our friends over at SolidFire have extended their CloudStack plugin to support KVM and hypervisor snapshots for XenServer and ESX. SolidFire storage provides guaranteed Storage Quality of Service at the Virtual Machine level

Database High Availability

CloudStack can now control the failover from master to slave (and back) of its MySQL databases. This has been tested with MySQL 5.1 and 5.5. Database replication in CloudStack is provided using the MySQL replication capabilities. Many DBAs will be having palpations at the idea of an application switching master and slave roles, so good, frequent backups are going to be essential before switching this on. However if it becomes a proven reliable feature it will be the answer to many peoples prayers.

Enhanced Upgrade for Virtual Routers

Upgrading VRs is made flexible. The CloudStack administrators will be able to control the sequence of the VR upgrades. The sequencing is based on Infrastructure hierarchy, such as by Cluster, Pod, or Zone, and Administrative hierarchy, such as by Tenant or Domain. This gives admins much more granular control of virtual router updates making it easier to schedule upgrades to suit their customers.

Service Monitoring Tool for Virtual Router

Various services running on the CloudStack virtual routers can be monitored by using a Service Monitoring tool. The tool ensures that services are successfully running until CloudStack deliberately disables them. If a service goes down, the tool automatically performs a restart, and if that does not help bringing up the service, an alert as well as an event is generated indicating the failure.

Support for SSL Termination

Adding orchestration of Citrix’s NetScaler’s SSL offloading adds serious web front end credientals to the stack that CloudStack can not only support but leverage. This feature also contributed by CloudOps-  allows NetScalers to handle encryption and decryption of HTTP(s) traffic giving plain text HTTP to the back end servers freeing them from the resource intensive task of handling encryption and decryption, all configurable from within CloudStack.

Support for Pluggable VM Snapshots

CloudStack implements a plugin to integrate a third-party storage provider. Third party storage providers can integrate with CloudStack to provide either primary storage or secondary storage. The user enables a storage plugin through the UI.

Publishing Alert Using the Web ROOT Admin API

A new API has been introduced in 4.3, which can be used by services to generate and publish alerts.

The main advantage of this feature is that the third party systems integrating with CloudStack will be able to utilize the Alert notification system publish alerts.

Change in the way certificates are implemented

One change to CloudStack in this release that I feel I need to highlight is the dropping of the reliance (well, default reliance) on the centralised service for HTTPS certificate implementations. This gave a very simple way to establish HTTPS sessions with the console proxy VM and secondary storage VM, without the need for a user to have their own wildcard certificate. Most organisations chose to use their own certificate in any production environments anyway, but users should be aware that now, by default, comms to the console proxy VM are unencrypted.


So, a whole load of new exciting features in this latest version of Apache CloudStack. For me, however, there is a significance about this release greater than just the features themselves. That significance is looking at the wide range (and greatly growing) list of contributors to the Apache CloudStack project. Palo Alto, Solidfire, CloudOps, Juniper, NTT have all been able to contribute code directly this release. Some of those guys are vendors, some are people running clouds on CloudStack – that is a great sign of the diversity and strength of the CloudStack project.

About the author

Giles Sirett is CEO and founder of ShapeBlue. He is also a PMC member of the Apache CloudStack project.



Related Posts:

Apache CloudStack enables existing VMware users and gives an easy way for service providers to migrate to a fully open-source solution and eliminate vendor dependency.