Private Cloud Appliance (PCA) Tenant Groups
By Jsavit-Oracle on Feb 12, 2017
This blog article describes "tenant groups," a relatively new feature of the Oracle Private Cloud Appliance (PCA). The PCA is an engineered system for quickly deploying virtual machine environments. Integrating compute, network, and storage components in a "converged infrastructure" solution, PCA lets customers deploy VMs within a few hours of initial power-up.
PCA is deployed with a 'base rack' with up to 25 compute nodes (Oracle X5-2 or X6-2 servers) running Oracle VM Server. This can be combined with two expansion racks with up to 30 compute nodes each for a total of 85 servers. All server, network and storage resources are managed from a single Oracle VM Manager user interface, running on one of two management servers in an active/passive high availability pair. This may optionally be combined with Oracle Enterprise Manager for comprehensive management and cloud capability.
Servers are automatically discovered and added to the Oracle VM environment, with a server pool created in each rack. This arrangement works well for many customers: servers in a pool are a uniform resource for VMs, and a VM can be freely started or migrated between any of the servers. Most PCA configurations are based on a single PCA rack (Rack1) and a single server pool, named Rack1_ServerPool.
Some customers want to provide isolation for multiple 'tenants' (different customers, clients or departments) of their PCA, essentially dedicating a subset of the servers for a tenant. This may be for concerns of security, or chargeback ("those servers were paid for by the Sales department so should not run any other department's VMs"), or resource isolation to ensure that there's always capacity for the tenant's VMs regardless of what other tenants do.
This did not fit with the original PCA architecture, which had a single server pool and didn't provide this type of isolation. There are simple tricks to accomplish this anyway: you could assign a tenant's VMs to a unique storage repository for its VM definitions and disk images, and then only present that repository (and no others) to the tenant's compute nodes. Alternatively, you could have the tenant on its own VLAN (a good idea anyway), and only define that VLAN (and no others) on the tenant's servers. Both methods ensure that only the VMs belonging to the tenant run on the servers owned by that tenant, but add administrative complexity.
PCA 2.2.1 added a systematic and easy way to directly provide this capability, documented in the Private Cloud Appliance Administrator's Guide.
Instead of manually dividing an Oracle VM server pool as above, PCA adds the abstraction of a tenant group, composed of a subset of the PCA's servers. This is an Oracle VM server pool, with PCA automation to coordinate assignment of storage and network resources when a server is added to or removed from the group.
There can be up to 8 tenant groups, including the default Rack1_ServerPool. Each tenant group has servers, a server pool file system, and may have custom networks. When a server is added to a tenant group it is automatically associated with the appropriate resources.
Administering tenant groups is straightforward, and uses the PCA command line interface. To use it, log into the active PCA management server and enter commands to create the tenant group, and assign servers to it:
[root@ovcamn05r1 ~]# pca-admin
Welcome to PCA! Release: 2.2.1
PCA> list tenant-group

Name                 Default      State
----                 -------      -----
Rack1_ServerPool     True         ready
---------------
1 row displayed

Status: Success

PCA> create tenant-group Sales
PCA> add server ovcacn11r1 Sales
PCA> add server ovcacn13r1 Sales
PCA> show tenant-group Sales

----------------------------------------
Name                 Sales
Default              False
Tenant_Group_ID      0004fb00000200009f696260c5b2c884
Servers              ['ovcacn11r1', 'ovcacn13r1']
State                ready
Tenant_Group_VIP     192.168.140.125
Tenant_Networks      None
Pool_Filesystem_ID   3600144f094680c7c0000582aafad0009
----------------------------------------

Status: Success
This creates an Oracle VM server pool named 'Sales' with the two specified servers.
Only VMs assigned to this tenant group can run on those servers, providing isolation between different tenants.
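Because the isolation depends on which servers are in each tenant group, it is worth checking periodically that membership still matches the intended allocation. The following is an added example, not part of the original article or of Oracle's tooling: it parses the "show tenant-group" output shown above and compares it with an approved list. The function names, the intended-allocation map and the hostname ovcacn12r1 are assumptions made for illustration.

```python
import ast

# Output of "show tenant-group Sales" as shown in the article.
SALES_OUTPUT = """\
----------------------------------------
Name                 Sales
Default              False
Tenant_Group_ID      0004fb00000200009f696260c5b2c884
Servers              ['ovcacn11r1', 'ovcacn13r1']
State                ready
Tenant_Group_VIP     192.168.140.125
Tenant_Networks      None
Pool_Filesystem_ID   3600144f094680c7c0000582aafad0009
----------------------------------------
Status: Success
"""

def parse_tenant_group(text):
    """Parse the key/value body of 'show tenant-group' into a dict."""
    group = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        # Skip blank lines, dashed separators and the trailing status line.
        if len(parts) != 2 or parts[0].startswith("-") or parts[0] == "Status:":
            continue
        key, value = parts[0], parts[1].strip()
        if key == "Servers":  # assumed to be a list literal, or None when empty
            value = ast.literal_eval(value) or []
        group[key] = value
    return group

def audit(groups, intended):
    """Compare parsed groups with the intended {tenant: set(servers)} map."""
    findings, owner = [], {}
    for g in groups:
        name, servers = g["Name"], set(g["Servers"])
        if g["State"] != "ready":
            findings.append(f"{name}: state is {g['State']}")
        for s in sorted(servers - intended.get(name, set())):
            findings.append(f"{name}: unexpected server {s}")
        for s in sorted(intended.get(name, set()) - servers):
            findings.append(f"{name}: missing server {s}")
        for s in sorted(servers):
            if s in owner:  # same server reported by two tenant groups
                findings.append(f"{s}: listed in both {owner[s]} and {name}")
            owner[s] = name
    return findings

if __name__ == "__main__":  # constructed allocation that differs from the output
    print(audit([parse_tenant_group(SALES_OUTPUT)], {"Sales": {"ovcacn11r1", "ovcacn12r1"}}))
```

An empty result means every group is in the ready state and holds exactly the servers approved for it.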
Compute isolation isn't the entire story: Storage isolation is provided by a separate pool file system and repositories, and network isolation can be provided by VLANs and another new PCA feature, custom networks. Custom networks will be described in a later blog article.
The Private Cloud Appliance is an Oracle engineered system for deploying virtual machine environments for private clouds based on Oracle VM. The tenant group feature is a straightforward way to provide isolation between tenants that require dedicated compute resources. For further details, please see the Administrator's Guide.