The CYCLONE system architecture

CYCLONE provides an integrated software stack that enables a wealth of functionality, such as multi-cloud deployment and scaling of federated applications, secure access control using federated identities, as well as software-defined networking functions.

Our project deliverable 4.1 gives you a comprehensive overview about our architecture. You can also contact Mathias for more information in this matter.

Deliverable 4.1

Main components
The heart of the CYCLONE stack

Deploy, Scale, and manage your (multi-)cloud applications effortlessly

SixSq Sàrl, Apache 2, Source, Homepage

Slipstream provides many facilities to support multi-cloud application deployment, e.g., it can describe application topologies, connect to different IaaS platform APIs for multi-cloud deployment, and offers a web- and a RESTful interface. It allows end-users to use the OIDCACF for logging in and it can write its log messages to Logstash. Slipstream uses modules to break down application components and uses base images and deployment scripts as an internal application model. Slipstream deployment is highly flexible: any application module can be deployed any number of times to any supported cloud. When deploying applications Slipstream offers further coordination functions, for example, application servers querying Slipstream for the current set of database servers. Appliance and application descriptions can be published and shared between users, providing a “service catalog” that promotes reuse.

Slipstream is a commercial product of SixSq, offered for free through the Online Application Deployment Plattform. However, the core of SlipStream and all of the connectors for open source clouds are released under the Apache 2 license and are freely available. The combination of multi-cloud support, automated deployment, application element coordination, and a user-defined “service catalog” make Slipstream an ideal building block connecting the CYCLONE developments in the cloud layer and those at the application level.

Gain full control over your infrastructure using Software-defined Networking (SDN)

Fundació i2CAT, GPLv3, Source, Homepage

OpenNaaS is an open source platform for provisioning network resources. It allows the deployment and automated configuration of dynamic network infrastructures and defines a vendor-independent interface to access services provided by these resources. OpenNaaS provides support for a variety of resources such as optical switches, routers, IP networks and BoD-domains, but, more importantly, it is easy to add new resources and their capabilities as an extension. OpenNaaS is the outcome of a cooperation between several stakeholders and was born with the goal of creating an open source project fostered by a lively community of contributors, benefactors and beneficiaries. We invite you to join us!

See what other users are contributing to OpenNaaS

OpenNaaS Community, Apache 2, Source, Homepage

OpenNaaS is open source and driven by the needs of its community. Whether you are a service or an infrastructure provider, a user or a developer, make it the tool tailored to your requirements!

All OpenNaaS extensions are released under the Apache 2 License.

Integrate network services into your cloud applications using our ready-to-deploy modules in an automated way.

i2CAT, GPLv3, Source

OpenNaaS-CNSMO is a lightweight distributed platform responsible of deploying, configuring and running the networking services in Cyclone project by defining a basic service API and service lifecycle, together with an interservice communication mechanism implementing the actor model and supporting different communication protocols. The system is capable of deploying and running multiple services in both local and remote environments. CNSMO is composed by two components:

  • The CNSMO core
  • CNSMO agents running networking services

Use federated identities without the complexity

TU Berlin, Apache 2, Source

The Federation Provider implements the OpenID Connect Authentication Code Flow (OIDCACF) to issue uniform JSON Web Token (JWT) user claims to relying applications, e.g., user’s identifier, email addresses, or home organization. In the CYCLONE testbed it is integrated with eduGAIN, allowing easy use of those academic identities for authentication, authorization, and other purposes.

The Federation Provider contains two subcomponents:

  • The Identity Broker where end-users specify the identity they want to use for authentication, in our case one of the eduGAIN identity providers (e.g., TUB, CNRS, or UvA).
  • The Backend Modules implementing SAML to communicate with the Identity Providers in order to process authentication requests and responses.

Unify log messages from distributed applications

TU Berlin, Apache 2, Source

Logstash provides remote logging capabilities to unify log messages into a common format. These endpoints comprise of a simple TCP-based and a Syslog-compatible logger. Not shown in the diagram are a Kibana, the Logging Frontend allowing end-users to consume the logs, as well as Elasticsearch to persist the logs.

Get help chosing the right cloud service for your application

TU Berlin, Apache 2, Source

The Open Service Compendium is an information system that supports businesses in their discovery, assessment and cloud service selection by offering a simple dynamic service description language, business-pertinent vocabularies, as well as matchmaking functionality. Within CYCLONE we work on integrating the Open Service Compendium with the Slipstream Service Catalog to make it very easy for DevOps to find fitting cloud services for their multi-cloud deployment. This integration is detailed in Deliverable D6.2

Tools and libraries
Extend your solution with these helpers

Use federated identities for SSH login

TU Berlin, Apache 2, Source

The PAM Module allows the Linux operating system to authenticate users using their federated identities without the need for a modified SSH client or server. Instead, it provides URLs to the users through the SSH “keyboard-interactive mode”, which they open in their User Agents and carry out the regular OIDCACF. At the end, when the JSON web token is retrieved by the PAM module, it transforms the federated identities into existing or newly created local user accounts.

Self-registration of OpenID Connect Clients for federated clouds

TU Berlin, Apache 2, Source

Gain end-to-end security while using HTTPS proxies

TU Berlin, Apache 2, Source

The Trusted Cloud Transfer Protocol (TCTP) is an application layer encryption protocol for HTTP which provides true end-to-end security, i.e., from the user agent (e.g. browser) to the origin server (e.g. a single PaaS container), even if the communication is performed through intermediaries acting as TLS server connection ends, e.g., cloud load balancers. There are currently two implementations of TCTP, the distributed cloud proxy, and the TCTP Rack middleware for Ruby-based web applications, e.g., Ruby on Rails or Sinatra.

Read more about TCTP in this CloudCom 2013 paper.

A generic AAA toolkit library

Universiteit van Amsterdam, GNU LGPL, Source

High performance XACML PDP Engine

Universiteit van Amsterdam, GNU LGPL, Source

Use our scripts to automate network configuration


Create ephemeral VMs

CNRS LAL, GPLv3, Source

Demo applications
Learning material and blueprints

See how easy it is to use Wordpress with federated identities

TU Berlin, GPLv2, Source

Learn how to use federated identities with Django


Apache filter web access based on the federated identities

CNRS IFB, Apache 2, Source

See all our components in action

TU Berlin, -, Source

Demo videos

See CYCLONE in action