whats new in neutron for open stack havana
DESCRIPTION
The Havana release of OpenStack, came out in October 2013, contains several significant changes and new features in the networking component. OpenStack Networking has changed name from 'quantum' to 'neutron'. It lays the foundation for supporting heterogeneous network components with the introduction of the ML2 (modular layer 2) plugin. The first implementations of FireWall as a Service (FWaaS) and VPN as a Service (VPNaaS) are now included. These features were demonstrated by Cisco developers at the OpenStack meetup in Boston in Oct 2013.TRANSCRIPT
Neutron developers at Cisco Systems
Boxborough office
Brian Bowen, Henry Gessau, Dane LeBlanc,
Paul Michali, Abishek Subramanian, et. al.
What’s new in
Neutron
for Havana
• Modular Layer 2 plugin (ML2)
• ML2 demo with Cisco Nexus driver
• FireWall as a Service (FWaaS)
• FWaaS demo
• VPN as a Service (VPNaaS)
• VPNaaS demo
• Cisco plugin with N1000V
• Demo of Dashboard to control N1000V
Agenda
Modular Layer 2 in
OpenStack Neutron
Robert Kukura, Red Hat
Kyle Mestery, Cisco
Motivations For a
Modular Layer 2 Plugin
Before Modular Layer 2 ...
Neutron Server
Open vSwitch Plugin
OR
Neutron Server
Linuxbridge Plugin
OR ...
Before Modular Layer 2 ...
Neutron Server
Cisco Plugin
Open vSwitch
Sub-Plugin
Nexus
Sub-Plugin
Compute node
Open vSwitch agent
Cisco Nexus switch
ML2 Architecture Diagram
Neutron Server
ML2 Plugin
Type Manager Mechanism Manager
API Extensions
GR
E
Typ
eD
rive
r
Aris
ta
VL
AN
Typ
eD
rive
r
VX
LA
N
Typ
eD
rive
r
Cis
co
Ne
xu
s
Hyp
er-V
L2
Po
pu
latio
n
Lin
uxb
ridg
e
Open
vS
witc
h
Ta
il-F N
CS
TypeDrivers in Havana
The following are supported segmentation
types in ML2 for the Havana release:
● local
● flat
● VLAN
● GRE
● VXLAN
MechanismDrivers in Havana
The following ML2 MechanismDrivers exist in
Havana:
● Arista
● Cisco Nexus
● Hyper-V
● L2 Population
● Linuxbridge
● Open vSwitch
● Tail-f NCS
ML2 Futures: Deprecation Items
• The future of the Open vSwitch and
Linuxbridge plugins o These are planned for deprecation in Icehouse
o ML2 supports all their functionality
o ML2 works with the existing OVS and Linuxbrige
agents
ML2 With Current Agents
Neutron Server
ML2
Plugin
Host A
Linuxbridge
Agent
Host B
Linuxbridge
Agent
Host C
Open vSwitch
Agent
Host D
Open vSwitch
Agent
API Network
● ML2 Plugin works with existing
agents
● Separate agents for Linuxbridge
and Open vSwitch
● Can also use physical switches
from different vendors
ML2 demo, showing ...
● ML2 running with multiple MechanismDrivers ○ openvswitch
○ cisco_nexus
● Booting multiple VMs on multiple compute
hosts
● Configuration of VLANs across both virtual
and physical infrastructure
Cisco Nexus ML2
Mechanism Driver
Demonstration
Cisco Nexus ML2 Mechanism
Driver
• Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated
• Works with Open vSwitch (OVS) mechanism driver
OVS: virtual switching
Cisco Nexus: physical switching
• Ported from original Cisco Nexus OpenStack Plugin
• Available in Havana release
Topology
Controller /
Network Node Compute Host 1 Compute Host 2
VM 1 VM 4 VM 2 VM 3
VLAN 810
VLAN 812
Management Network
eth1/1 eth1/2 eth1/3
Nexus 3K
mgmt
External
Network Data
Network
DevStack Configuration
Add to localrc File:
Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,
cisco_nexus
Q_ML2_PLUGIN_TYPE_DRIVERS=vlan
Q_PLUGIN_EXTRA_CONF_PATH=(/home/leblancd/devstack)
Q_PLUGIN_EXTRA_CONF_FILES=(ml2_conf_cisco.ini)
ML2_VLAN_RANGES=physnet1:810:819
ENABLE_TENANT_VLANS=True
PHYSICAL_NETWORK=physnet1
OVS_PHYSICAL_BRIDGE=br-eth1
Cisco Mechanism Driver Config
• Create a file, e.g. “ml2_conf_cisco.ini”: o[ml2_mech_cisco_nexus:10.86.1.118]
oComputeHost-1=1/2
oComputeHost-2=1/3
ossh_port=22
ousername=admin
opassword=MyPassword
• File name and path are arbitrary, but these
configs in localrc must point to it: Q_PLUGIN_EXTRA_CONF_PATH
Q_PLUGIN_EXTRA_CONF_FILES
• Template in Neutron branch: o
/opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf
_cisco.ini
Neutron Server Startup Command
cd /opt/stack/neutron && pyth /usr/local/bin/neutron-
server --config-file /etc/neutron/neutron.conf --config-
file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file
//home/leblancd/devstack/ml2_conf_cisco.ini || echo
"q-svc failed to start" | tee "/opt/stack/status/stack/q-
svc.failure"
Demo
Resources
• README files:
o /opt/stack/neutron/neutron/plugins/ml2/README
o /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README
• Template .ini Files:
o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini
o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
• Wiki Pages:
o https://wiki.openstack.org/wiki/Neutron/ML2
o https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus
• Google Doc:
o https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHS
aFKUhEGNEuDo4
Virtual Private Networking as a Service
Havana Release
Paul Michali MAIL [email protected] IRC pcm_ (irc.freenode.net) TW @pmichali
Virtual Private Network as a Service
• Initial Release Goals
• Site to site VPN (~AWS).
• Considered “experimental” w/limited functionality.
• Only Pre-Shared Keys, no certificates.
• Future releases to address other use cases.
• SSL-VPN, MPLS/BGP
• Certificate support
• Service insertion/chaining
OpenSwan Driver
• OpenSwan: open source VPN process
• Supports several encryption/auth algorithms, modes of operation (Remote Access, Site2Site, Host2Host).
• Designed to support a single connection.
• Uses configuration files to control operation • /opt/stack/data/neutron/ipsec/<router-UUID>/…
Current Status
• Reference implementation released
• Horizon dashboard access released
• CLI and REST APIs available
• API reference documentation published • http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
• Feature documentation in progress
• Ongoing: bug fixes & enhancements (Icehouse)
Site to Site VPN
West Private: 10.2.0.0/24 Br-ex: 172.24.4.21
East Private: 10.1.0.0/24 Br-ex: 172.24.4.11
Router 10.2.0.1
172.24.4.21
10.1.0.5 10.1.0.4
10.1.0.1
172.24.4.11
VM VM VM
Router
10.2.0.4
VPN
172.24.4.0/24
Ubuntu 12.04 (VM) Ubuntu 12.04 (VM)
Site to Site VPN (physical)
Private: 10.2.0.0/24 Private: 10.1.0.0/24
Internal Network
Br-ex: 172.24.4.20
Admin Network
Public Network (172.24.4.222/28)
NAT/host
Br-ex: 172.24.4.10
eth1 eth1 eth0 eth0
Host
Reference Info
• How To:
https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
• Main page (API is in OS doc wiki):
http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
https://wiki.openstack.org/wiki/Neutron/VPNaaS
• OpenSwan & StrongSwan:
https://github.com/xelerance/Openswan/wiki
http://www.strongswan.org/ and http://wiki.strongswan.org/projects/strongswan
Blueprint
Backup Slides
Devstack-32 (UCS) Devstack-33 (UCS)
Site to Site VPN (physical)
Private: 10.2.0.0/24 Private: 10.1.0.0/24
C6500
172.24.4.225
Br-ex: 172.24.4.232
Admin Network (14.0.3.0/24)
14.0.3.32 14.0.3.33
Public Network (172.24.4.222/28)
Switch
Br-ex: 172.24.4.225
eth1 eth3 eth2 eth4
Multi-node DevStack
• To do site-to-site VPN, needed to share the public net.
• Solution: Config DevStack (localrc) GW IP to be specified. Also added naming for easier config.
devstack-33 enable_service q-vpn PUBLIC_SUBNET_NAME=yoursubnet PRIVATE_SUBNET_NAME=mysubnet PUBLIC_NETWORK_GATEWAY=172.24.4.232 Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238” Q_USE_SECGROUP=False FIXED_RANGE=10.2.0.0/24 NETWORK_GATEWAY=10.2.0.1
devstack-32 enable_service q-vpn PUBLIC_SUBNET_NAME=yoursubnet PRIVATE_SUBNET_NAME=mysubnet PUBLIC_NETWORK_GATEWAY=172.24.4.225 Q_FLOATING_ALLOCATION_POOL=“start=172.24.4.226,end=172.24.4.231” Q_USE_SECGROUP=False FIXED_RANGE=10.1.0.0/24 NETWORK_GATEWAY=10.1.0.1
Modifications for VPNaaS
• Make localrc modifications as shown on previous page. • Connect two systems with a switch (L2) for public net. • Manually bring up eth# used for public network link. • Add br-ex and add eth# to br-ex.
Object Diagram
Service
IPSec Policy
Router
IPSec Site Connection
IKE Policy
Subnet
1
1
1
1
1 N
N
1
N
1
used by used by
is associated with
is associated with
establishes
Note: all of these are associated with a single tenant
VPN Archtecture
IPSec VPN Extension
Rest API
IPSec VPN Adv Srv Plugin
Common API
Core
Schedulers (not implemented)
DB
IPSec VPN Agent BP2
strong-swan driver
NameSpaceDevice
VMDevice
HardWareDevice
RPC API (Create VPN
Service1/2)
create vpn service
Select driver using type
create vpn service
create Ike policy
Store policy
create ipsec policy
Store policy
create vpn connection
create vpn connection
Ensure Add interface to the router
Set status BUILDING
Noop (do nothing)
User Neutron Agent Namespace Device IpSecDriver
StrongSwan DeviceDriver
RPC API (Create VPN Service
2/2)
fetch router host of associated router
vpn-service-updated
sync
sync
vpn connection info with related infos
sync
ensure_conf_file
ensure_process_running
this sync will be done pediolically, and boot time also
compair local state
User Neutron Agent Namespace Device IpSecDriver
StrongSwan DeviceDriver
RPC API (Update VPN
Service)
Update VPN or Update Serivce/IKE policy/IPSec or CUD of vpn connections
Select driver using type
vpn-service-updated
vpn-service-updated
sync sync
User Neutron Agent Namespace Device IpSecDriver
StrongSwan DeviceDriver
RPC API (Update VPN
Service)
Update or DeleteVPN Serivce/IKE policy/IPSec or CRUD of vpn connections
Select driver using type
vpn-service-updated
vpn-service-updated
sync sync
Remove interface
User Neutron Agent Namespace Device IpSecDriver
StrongSwan DeviceDriver
RPC API (Update VPN
Service)
Update VPN or Update Serivce/IKE policy/IPSec or CUD of vpn connections
Select driver using type
vpn-service-updated
vpn-service-updated
sync sync
User Neutron Agent Namespace Device IpSecDriver
StrongSwan DeviceDriver
RPC API (Update VPN
Service) User Neutron Agent
Namespace Device IpSecDriver
StrongSwan DeviceDriver
Update or DeleteVPN Serivce/IKE policy/IPSec or CRUD of vpn connections
Select driver using type
vpn-service-updated
vpn-service-updated
sync sync
Remove interface
Proposed IP Sec Object
Model
Amazon Object Model
Cisco Object Model
FWaaS
in OpenStack Havana
Contributors
• BigSwitch Sumit N, KC Wang
• Cisco Sridar K
• Dell Rajesh M
• PayPal Ravi C
Initial reference implementation
How: Service Plugin + Agent + Driver
Where: L3 only -- iptables rules on routers
Why: Complements security groups
What next? Vendor drivers
Entity Relationships
Tenant A
Tenant C
Firewall A
Tenant B Firewall B
Firewall C
Firewall Policy
X
Firewall Policy
Y
Allow ICMP
...
Allow TCP 80
...
...
Firewall Rules
Ordered (Routers)
Command Line Interface (CRUD)
Rules
firewall-rule-create
firewall-rule-list
firewall-rule-show
firewall-rule-update
firewall-rule-delete
Policies
firewall-policy-create
firewall-policy-list
firewall-policy-show
firewall-policy-update
firewall-policy-insert-rule
firewall-policy-remove-rule
firewall-policy-delete
Firewalls
firewall-create
firewall-list
firewall-show
firewall-update
firewall-delete
Demo Dashboard Interface
and CLI