

Fathom.io is an easy-to-run cloud that supports the OpenStack APIs - amirnathoo
http://fathom.io/

======
justinsb
Wow - wasn't quite ready for this to go public, but I guess the (Octo)cat is
out of the bag now. FathomCloud is an experiment in a really lightweight
cloud, supporting existing cloud APIs, starting with the OpenStack API. It
uses LXC so you can set it up on any Linux machine, even on EC2. It's also an
experiment in trying to figure out new functionality that may be missing from
OpenStack or other clouds.

Anyone that builds an XaaS (or even a complex website) ends up building a
management layer on top of their cloud; there's no point in everyone
rebuilding the same thing, and it should probably have a sane API. FathomCloud
can replace that management layer.

There are definitely lots of rough edges. If anyone wants to try it out,
please email me with any issues and I'll do my best. And I'm happy to answer
any questions!

------
dwwoelfel
The IPv6 looks interesting, but how do the containers talk to the rest of the
internet?

~~~
justinsb
Great question! Every container gets an IPv6 and an IPv4 address. The IPv4
address is private (behind NAT), the IPv6 address is routable. So outbound
traffic from the instance works to both IPv4 and IPv6.

For a simple instance, inbound traffic only works over IPv6. That's not really
practical today, so there's support for floating IPv4 addresses. You can
assign one IPv4 to an instance running a load balancer (haproxy, nginx), and
then that uses IPv6 to talk to the backend instances. That's going to be
documented within the week (I hope!)

Sadly, EC2 doesn't support IPv6, so we use protocol 41 (which wraps IPv6 in
IPv4 packets), giving each EC2 instance a 2002: address. They can then talk to
each other, or to other FathomCloud instances. They can talk to IPv6 servers
that have a 2002: address configured.

Finally, most end-users don't have IPv6 either. There's a trick using SSH and
tunnels to give you a quick-and-easy VPN, so you can get onto IPv6 from any
machine. I'm going to blog about this, as it's the easiest way to get IPv6 and
you get a VPN for free.

So it's a bit messy in the details, but with IPv4 floating IPs I think it all
works. Using a single floating IPv4 to a loadbalancer is "the right thing to
do" anyway in a cloud webserver setup. And I think it's totally worth it to
say goodbye to NAT forever!

------
nl
Is this using the OpenStack codebase or are the APIs reimplemented from
scratch?

~~~
justinsb
The APIs are re-implemented from scratch, from the OpenStack docs. The docs
are pretty good, and the OpenStack community has been pretty good about
improving them where there were gaps as well.

Part of the idea was not to use _any_ of the existing OpenStack code.
Otherwise the temptation to copy-and-paste from OpenStack would have been too
high, and copying and pasting defeats the whole purpose of doing a second
implementation.

Equally, while I think there are some concepts that I hope will make it into
the official OpenStack (such as a consistent Swift), there can be no copy and
paste 'upstream' either because of the language barrier, which means that
FathomCloud can be a true playground for experimentation.

~~~
nl
IMHO that's good. I've done some OpenStack work (a JS client), and I think it
could benefit from an alternate implementation - there was too much reverse
engineering involved.

~~~
justinsb
Sounds interesting - would love a link to your work if it's open source!

~~~
nl
I raised a bug on CORS support[1], and then switched over to doing it all
Serverside.

I was writing a cross-provider control console. Got a fair way along, but
haven't released it.

[1][https://bugs.launchpad.net/oslo/+bug/987044](https://bugs.launchpad.net/oslo/+bug/987044)

~~~
justinsb
Cool idea. I don't see any reason not to support CORS; all the OpenStack
requests require a custom Auth http header anyway, so I don't think there's
any danger in turning on CORS there. I didn't see anyone in the Launchpad bug
report that was against it.

The only call that I think _might_ be dangerous to expose is the login API,
but that should be rate-limited and / or have lockout anyway.

I've opened a bug to support CORS in FathomCloud. It's not a lot of work (I
already have the filter in the repo, it's just not configured in). I just want
to think it through to make sure it's safe:
[https://github.com/fathomdb/cloud/issues/50](https://github.com/fathomdb/cloud/issues/50)

~~~
nl
If you follow the bug links there was actually an attempt made to fix it, but
it was rejected as being incomplete.

I haven't chased it up, but I think it's an important use-case.

~~~
justinsb
Thanks for pointing out the patch - I'll review the discussion.

It's definitely an important use case - no argument here :-)

