What's new in Neutron for OpenStack Havana

The Havana release of OpenStack, which came out in October 2013, contains several significant changes and new features in the networking component. OpenStack Networking has been renamed from 'quantum' to 'neutron'. Havana lays the foundation for supporting heterogeneous network components with the introduction of the ML2 (modular layer 2) plugin, and the first implementations of FireWall as a Service (FWaaS) and VPN as a Service (VPNaaS) are now included. These features were demonstrated by Cisco developers at the OpenStack meetup in Boston in October 2013.



  1. What’s new in Neutron for Havana. Neutron developers at the Cisco Systems Boxborough office: Brian Bowen, Henry Gessau, Dane LeBlanc, Paul Michali, Abishek Subramanian, et al.
  2. Agenda
     • Modular Layer 2 plugin (ML2)
     • ML2 demo with Cisco Nexus driver
     • FireWall as a Service (FWaaS)
     • FWaaS demo
     • VPN as a Service (VPNaaS)
     • VPNaaS demo
     • Cisco plugin with N1000V
     • Demo of Dashboard to control N1000V
  3. Modular Layer 2 in OpenStack Neutron. Robert Kukura, Red Hat; Kyle Mestery, Cisco.
  4. Motivations for a Modular Layer 2 Plugin
  5. Before Modular Layer 2 ... (diagram: a Neutron Server runs exactly one monolithic plugin, either the Open vSwitch Plugin OR the Linuxbridge Plugin OR ...)
  6. Before Modular Layer 2 ... (diagram: a Neutron Server runs the Cisco Plugin, which contains an Open vSwitch Sub-Plugin and a Nexus Sub-Plugin; the compute node runs the Open vSwitch agent, and the Nexus Sub-Plugin controls the Cisco Nexus switch)
  7. ML2 Architecture Diagram (Neutron Server with API Extensions and the ML2 Plugin; the ML2 Plugin holds a Type Manager with VLAN, GRE and VXLAN TypeDrivers, and a Mechanism Manager with Tail-F NCS, Open vSwitch, Linuxbridge, L2 Population, Hyper-V, Cisco Nexus and Arista drivers)
  8. TypeDrivers in Havana. The following are the supported segmentation types in ML2 for the Havana release:
     ● local
     ● flat
     ● VLAN
     ● GRE
     ● VXLAN
  9. MechanismDrivers in Havana. The following ML2 MechanismDrivers exist in Havana:
     ● Arista
     ● Cisco Nexus
     ● Hyper-V
     ● L2 Population
     ● Linuxbridge
     ● Open vSwitch
     ● Tail-f NCS
  10. ML2 Futures: Deprecation Items
      • The future of the Open vSwitch and Linuxbridge plugins
        ○ These are planned for deprecation in Icehouse
        ○ ML2 supports all their functionality
        ○ ML2 works with the existing OVS and Linuxbridge agents
  11. ML2 With Current Agents
      ● ML2 Plugin works with existing agents
      ● Separate agents for Linuxbridge and Open vSwitch
      ● Can also use physical switches from different vendors
      (diagram: Neutron Server with the ML2 Plugin and API, connected over the network to Host A and Host B running the Linuxbridge Agent and Host C and Host D running the Open vSwitch Agent)
  12. ML2 demo, showing ...
      ● ML2 running with multiple MechanismDrivers
        ○ openvswitch
        ○ cisco_nexus
      ● Booting multiple VMs on multiple compute hosts
      ● Configuration of VLANs across both virtual and physical infrastructure
  13. Cisco Nexus ML2 Mechanism Driver Demonstration
  14. Cisco Nexus ML2 Mechanism Driver
      • Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated
      • Works with the Open vSwitch (OVS) mechanism driver
        ○ OVS: virtual switching
        ○ Cisco Nexus: physical switching
      • Ported from the original Cisco Nexus OpenStack Plugin
      • Available in the Havana release
  15. Topology (diagram: a Controller / Network Node, Compute Host 1 with VM 1 and VM 2, and Compute Host 2 with VM 3 and VM 4 connect to a Nexus 3K on eth1/1, eth1/2 and eth1/3; other labels on the diagram: Management Network, Data Network, External Network, VLAN 810, mgmt, VLAN 812)
  16. DevStack Configuration. Add to the localrc file:

          Q_PLUGIN=ml2
          Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,cisco_nexus
          Q_ML2_PLUGIN_TYPE_DRIVERS=vlan
          Q_PLUGIN_EXTRA_CONF_PATH=(/home/leblancd/devstack)
          Q_PLUGIN_EXTRA_CONF_FILES=(ml2_conf_cisco.ini)
          ML2_VLAN_RANGES=physnet1:810:819
          ENABLE_TENANT_VLANS=True
          PHYSICAL_NETWORK=physnet1
          OVS_PHYSICAL_BRIDGE=br-eth1

  17. Cisco Mechanism Driver Config
      • Create a file, e.g. “ml2_conf_cisco.ini”:

            [ml2_mech_cisco_nexus:10.86.1.118]
            ComputeHost-1=1/2
            ComputeHost-2=1/3
            ssh_port=22
            username=admin
            password=MyPassword

      • File name and path are arbitrary, but these settings in localrc must point to it:
        ○ Q_PLUGIN_EXTRA_CONF_PATH
        ○ Q_PLUGIN_EXTRA_CONF_FILES
      • Template in Neutron branch:
  18. Neutron Server Startup Command

          cd /opt/stack/neutron && python /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /home/leblancd/devstack/ml2_conf_cisco.ini || echo "q-svc failed to start" | tee "/opt/stack/status/stack/q-svc.failure"

  19. Demo
  20. Resources
      • README files:
        ○ /opt/stack/neutron/neutron/plugins/ml2/README
        ○ /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README
      • Template .ini files:
        ○ /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini
        ○ /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
      • Wiki pages:
        ○ https://wiki.openstack.org/wiki/Neutron/ML2
        ○ https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus
      • Google Doc:
        ○ https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHSaFKUhEGNEuDo4
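The ml2_conf_cisco.ini file from slide 17 carries the switch's SSH username and password next to the compute-host-to-interface map, so it is worth checking before Q_PLUGIN_EXTRA_CONF_FILES points neutron-server at it. The following is an added example, not code from the deck or from the Neutron ML2 Cisco driver: it parses the `[ml2_mech_cisco_nexus:<switch-ip>]` section layout shown on the slide and reports what an operator would want to know first: a file readable by group or world, an empty or placeholder password, a non-default ssh_port, and one switch interface mapped to two compute hosts. The sample content is constructed to mirror the slide; the placeholder-password list and the checks themselves are this example's assumptions, not anything the driver enforces.

```python
import configparser
import os
import stat
from typing import Dict, List, Optional

SECTION_PREFIX = "ml2_mech_cisco_nexus:"
RESERVED_KEYS = {"ssh_port", "username", "password"}
# Assumed list of values that are clearly not a real switch password.
PLACEHOLDER_PASSWORDS = {"", "MyPassword", "password", "changeme"}

# Constructed sample with the same layout as slide 17; the switch address
# and password are the slide's placeholders, not real values.
SAMPLE_INI = """\
[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword
"""


def parse_nexus_config(text: str) -> Dict[str, dict]:
    """Parse every [ml2_mech_cisco_nexus:<switch-ip>] section.

    Returns {switch_ip: {"ssh_port": int, "username": str, "password": str,
    "hosts": {compute_host: switch_interface}}}.  Any key that is not one of
    the reserved credential/port keys is a compute-host-to-interface entry.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "ComputeHost-1" exactly as written
    parser.read_string(text)
    switches: Dict[str, dict] = {}
    for section in parser.sections():
        if not section.startswith(SECTION_PREFIX):
            continue
        switch_ip = section[len(SECTION_PREFIX):]
        items = dict(parser.items(section))
        switches[switch_ip] = {
            "ssh_port": int(items.get("ssh_port", "22")),
            "username": items.get("username", ""),
            "password": items.get("password", ""),
            "hosts": {k: v for k, v in items.items() if k not in RESERVED_KEYS},
        }
    return switches


def audit_nexus_config(switches: Dict[str, dict],
                       file_mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config file is group/world accessible but holds switch credentials")
    if not switches:
        findings.append("no [ml2_mech_cisco_nexus:<ip>] section found")
    for ip, cfg in switches.items():
        if cfg["password"] in PLACEHOLDER_PASSWORDS:
            findings.append(f"{ip}: password is empty or a placeholder")
        if not cfg["username"]:
            findings.append(f"{ip}: username missing")
        if cfg["ssh_port"] != 22:
            findings.append(f"{ip}: non-default ssh_port {cfg['ssh_port']}, confirm it is intended")
        if not cfg["hosts"]:
            findings.append(f"{ip}: no compute-host-to-interface mappings")
        seen: Dict[str, str] = {}
        for host, iface in cfg["hosts"].items():
            if iface in seen:
                findings.append(f"{ip}: interface {iface} mapped to both {seen[iface]} and {host}")
            seen[iface] = host
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real file: parse its contents and check its permission bits."""
    with open(path) as fh:
        switches = parse_nexus_config(fh.read())
    return audit_nexus_config(switches, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit_nexus_config(parse_nexus_config(SAMPLE_INI), file_mode=0o644):
        print("finding:", finding)
```

Run against the real file with `audit_file("/home/leblancd/devstack/ml2_conf_cisco.ini")`; a clean result is an empty list. The permission check is the one that matters most on a DevStack host, where the home directory the slide uses is typically world-readable.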
  21. Virtual Private Networking as a Service, Havana Release. Paul Michali. Mail: pcm@cisco.com; IRC: pcm_ (irc.freenode.net); Twitter: @pmichali.
  22. Virtual Private Network as a Service
      • Initial release goals
        • Site-to-site VPN (~AWS).
        • Considered “experimental” with limited functionality.
        • Only pre-shared keys, no certificates.
        • Future releases to address other use cases:
          • SSL-VPN, MPLS/BGP
          • Certificate support
          • Service insertion/chaining
  23. OpenSwan Driver
      • OpenSwan: open source VPN process
        • Supports several encryption/auth algorithms and modes of operation (Remote Access, Site2Site, Host2Host).
        • Designed to support a single connection.
        • Uses configuration files to control operation: /opt/stack/data/neutron/ipsec/<router-UUID>/…
  24. Current Status
      • Reference implementation released
      • Horizon dashboard access released
      • CLI and REST APIs available
      • API reference documentation published
        • http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
      • Feature documentation in progress
      • Ongoing: bug fixes & enhancements (Icehouse)
  25. Site to Site VPN (diagram: East site with Private 10.1.0.0/24, two VMs at 10.1.0.4 and 10.1.0.5, Router 10.1.0.1 and Br-ex 172.24.4.11; West site with Private 10.2.0.0/24, one VM at 10.2.0.4, Router 10.2.0.1 and Br-ex 172.24.4.21; the VPN runs between the two routers over 172.24.4.0/24)
  26. Site to Site VPN (physical) (diagram labels: Host; two Ubuntu 12.04 (VM); Private: 10.1.0.0/24; Private: 10.2.0.0/24; Br-ex: 172.24.4.10; Br-ex: 172.24.4.20; eth0 and eth1 on each VM; NAT/host Admin Network; Internal Network; Public Network (172.24.4.222/28))
  27. Reference Info
      • How To: https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
      • Main page (API is in the OpenStack doc wiki): https://wiki.openstack.org/wiki/Neutron/VPNaaS and http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
      • OpenSwan & StrongSwan: https://github.com/xelerance/Openswan/wiki, http://www.strongswan.org/ and http://wiki.strongswan.org/projects/strongswan
  28. Backup Slides
  29. Site to Site VPN (physical) (diagram labels: Devstack-32 (UCS) with Private: 10.1.0.0/24, Br-ex: 172.24.4.225 on eth1, and admin address 14.0.3.32; Devstack-33 (UCS) with Private: 10.2.0.0/24, Br-ex: 172.24.4.232 on eth2, and admin address 14.0.3.33; Admin Network (14.0.3.0/24) via a Switch; Public Network (172.24.4.222/28) via a C6500 on eth3/eth4, gateway 172.24.4.225)
  30. Multi-node DevStack
      • To do site-to-site VPN, the two nodes needed to share the public net.
      • Solution: changed DevStack (localrc) so the gateway IP can be specified; also added subnet naming for easier config.

      devstack-32:

          enable_service q-vpn
          PUBLIC_SUBNET_NAME=yoursubnet
          PRIVATE_SUBNET_NAME=mysubnet
          PUBLIC_NETWORK_GATEWAY=172.24.4.225
          Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226, end=172.24.4.231"
          Q_USE_SECGROUP=False
          FIXED_RANGE=10.1.0.0/24
          NETWORK_GATEWAY=10.1.0.1

      devstack-33:

          enable_service q-vpn
          PUBLIC_SUBNET_NAME=yoursubnet
          PRIVATE_SUBNET_NAME=mysubnet
          PUBLIC_NETWORK_GATEWAY=172.24.4.232
          Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233, end=172.24.4.238"
          Q_USE_SECGROUP=False
          FIXED_RANGE=10.2.0.0/24
          NETWORK_GATEWAY=10.2.0.1

  31. Modifications for VPNaaS
      • Make the localrc modifications shown on the previous page.
      • Connect the two systems with a switch (L2) for the public net.
      • Manually bring up the eth# used for the public network link.
      • Add br-ex and add that eth# to br-ex.
  32. Object Diagram: an IKE Policy (1) is used by N IPSec Site Connections; an IPSec Policy (1) is used by N IPSec Site Connections; a VPN Service (1) establishes N IPSec Site Connections; a VPN Service is associated with 1 Subnet and 1 Router. Note: all of these are associated with a single tenant.
  33. VPN Architecture (diagram: IPSec REST API → VPN Extension (Common API) → IPSec VPN Adv Srv Plugin, with Core DB and Schedulers (not implemented) → IPSec VPN Agent → strong-swan driver (BP2) → device layer: NameSpaceDevice, VMDevice, HardWareDevice)
  34. RPC API (Create VPN Service 1/2). Sequence between User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver and Namespace Device:
      • User: create vpn service → Neutron: select driver using type; set status BUILDING; ensure interface is added to the router → IpSecDriver: create vpn service
      • User: create IKE policy → Neutron: store policy → IpSecDriver: noop (do nothing)
      • User: create ipsec policy → Neutron: store policy
      • User: create vpn connection → IpSecDriver: create vpn connection
  35. RPC API (Create VPN Service 2/2). Continuing the sequence:
      • IpSecDriver: fetch router host of the associated router; send vpn-service-updated to the Agent
      • Agent: sync (this sync is also done periodically and at boot time); sync vpn connection info with related info
      • StrongSwan DeviceDriver: compare local state; ensure_conf_file; ensure_process_running on the Namespace Device
  36. RPC API (Update VPN Service). User: update VPN service, IKE policy or IPSec policy, or CUD of vpn connections → Neutron: select driver using type → IpSecDriver: vpn-service-updated → Agent: vpn-service-updated, sync → StrongSwan DeviceDriver: sync → Namespace Device.
  37. RPC API (Update VPN Service). User: update or delete VPN service, IKE policy or IPSec policy, or CRUD of vpn connections → Neutron: select driver using type; remove interface → IpSecDriver: vpn-service-updated → Agent: vpn-service-updated, sync → StrongSwan DeviceDriver: sync → Namespace Device.
  38. RPC API (Update VPN Service). (Repeat of slide 36.)
  39. RPC API (Update VPN Service). (Repeat of slide 37.)
  40. Proposed IPSec Object Model
  41. Amazon Object Model
  42. Cisco Object Model
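Slides 34 to 39 show the agent side of VPNaaS as a sync: the server sends vpn-service-updated (the agent also syncs periodically and at boot), the agent pulls the connection info, compares it with local state, and calls ensure_conf_file and ensure_process_running. The block below is an added example in that shape and is not the Neutron VPN agent's or the OpenSwan driver's own code. It reconciles the desired site connections for one router against what is on disk, rewrites the per-router files only when their content changed, keeps the PSK file owner-only, and returns the actions it took, so repeated syncs are idempotent. The connection records, the file formats and the simulated process state are constructed; the only value taken from the deck is the /opt/stack/data/neutron/ipsec/<router-UUID>/ base directory from slide 23, which the driver accepts as a parameter so it can be redirected to a temporary directory.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Set, Tuple

# Per-router config directory used by the OpenSwan driver (slide 23); the
# example's driver takes base_dir as a parameter so a test can redirect it.
BASE_DIR = "/opt/stack/data/neutron/ipsec"


@dataclass(frozen=True)
class SiteConnection:
    """The subset of an IPsec site connection this loop needs (constructed)."""
    id: str
    peer_address: str
    peer_cidrs: Tuple[str, ...]   # remote private subnets
    local_cidr: str               # this router's private subnet
    psk: str                      # Havana VPNaaS is PSK-only
    admin_state_up: bool = True


def render_conf(conns: List[SiteConnection]) -> str:
    """ipsec.conf-style text in a deterministic order, with no secrets in it."""
    lines = ["config setup", "conn %default", "    keyexchange=ike", "    authby=secret"]
    for c in sorted(conns, key=lambda c: c.id):
        lines += [f"conn {c.id}",
                  f"    leftsubnet={c.local_cidr}",
                  f"    right={c.peer_address}",
                  f"    rightsubnet={','.join(c.peer_cidrs)}",
                  "    auto=start"]
    return "\n".join(lines) + "\n"


def render_secrets(conns: List[SiteConnection]) -> str:
    """ipsec.secrets-style text: one PSK line per peer."""
    return "".join(f'%any {c.peer_address} : PSK "{c.psk}"\n'
                   for c in sorted(conns, key=lambda c: c.id))


def ensure_conf_file(path: str, content: str, mode: int = 0o644) -> bool:
    """Write only when the content differs; always enforce mode. True if written."""
    if os.path.exists(path):
        with open(path) as fh:
            unchanged = fh.read() == content
        if unchanged:
            os.chmod(path, mode)
            return False
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return True


class NamespaceDeviceDriver:
    """Stand-in for the per-router device driver; the process state is simulated."""

    def __init__(self, base_dir: str = BASE_DIR):
        self.base_dir = base_dir
        self.running: Set[str] = set()  # router ids whose IPsec process is "up"

    def ensure_process_running(self, router_id: str, restart: bool) -> str:
        if router_id not in self.running:
            self.running.add(router_id)
            return "start"
        return "reload" if restart else "noop"

    def read_file(self, router_id: str, name: str) -> str:
        with open(os.path.join(self.base_dir, router_id, name)) as fh:
            return fh.read()

    def sync(self, router_id: str, conns: List[SiteConnection]) -> List[str]:
        """One reconciliation pass (triggered by vpn-service-updated, boot, or
        the periodic timer). Returns the actions taken, in order."""
        active = [c for c in conns if c.admin_state_up]
        router_dir = os.path.join(self.base_dir, router_id)
        actions: List[str] = []
        if ensure_conf_file(os.path.join(router_dir, "ipsec.conf"), render_conf(active)):
            actions.append("write-conf")
        # The secrets file is owner-only because it holds the pre-shared keys.
        if ensure_conf_file(os.path.join(router_dir, "ipsec.secrets"),
                            render_secrets(active), mode=0o600):
            actions.append("write-secrets")
        if not active:
            if router_id in self.running:
                self.running.discard(router_id)
                actions.append("stop")
            return actions
        actions.append(self.ensure_process_running(router_id, restart=bool(actions)))
        return actions


def new_temp_driver() -> NamespaceDeviceDriver:
    """Driver rooted in a fresh temporary directory instead of BASE_DIR."""
    return NamespaceDeviceDriver(base_dir=tempfile.mkdtemp())


if __name__ == "__main__":
    driver = new_temp_driver()
    east_to_west = SiteConnection("east-west", "172.24.4.21", ("10.2.0.0/24",),
                                  "10.1.0.0/24", "constructed-psk")
    print(driver.sync("router-east", [east_to_west]))   # first pass starts the process
    print(driver.sync("router-east", [east_to_west]))   # second pass changes nothing
```

The addresses in the sample connection are the East/West values from slide 25. The design point is that every pass is safe to repeat: a periodic sync that finds nothing changed does not restart the IPsec process, and a connection set to admin down is removed from both files before the process is stopped.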
  43. FWaaS in OpenStack Havana
  44. Contributors
      • BigSwitch: Sumit N, KC Wang
      • Cisco: Sridar K
      • Dell: Rajesh M
      • PayPal: Ravi C
  45. Initial reference implementation
      • How: Service Plugin + Agent + Driver
      • Where: L3 only -- iptables rules on routers
      • Why: Complements security groups
      • What next? Vendor drivers
  46. Entity Relationships (diagram: Tenant A, Tenant B and Tenant C each own a firewall (Firewall A, Firewall B, Firewall C); a firewall applies a Firewall Policy (Policy X, Policy Y, ...); a policy is an ordered list of Firewall Rules such as "Allow ICMP" and "Allow TCP 80"; firewalls are applied to routers)
  47. Command Line Interface
      • Rules (CRUD): firewall-rule-create, firewall-rule-list, firewall-rule-show, firewall-rule-update, firewall-rule-delete
      • Policies: firewall-policy-create, firewall-policy-list, firewall-policy-show, firewall-policy-update, firewall-policy-insert-rule, firewall-policy-remove-rule, firewall-policy-delete
      • Firewalls: firewall-create, firewall-list, firewall-show, firewall-update, firewall-delete
  48. Demo: Dashboard Interface and CLI
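Slides 45 and 46 say the reference implementation renders a tenant's firewall as iptables rules on the router (L3 only) and that a firewall policy is an ordered list of rules. The block below is an added example, not the Neutron FWaaS iptables driver: it models rules with the fields firewall-rule-create takes, turns a policy into iptables command lines for a dedicated chain in policy order with an explicit DROP at the end, and carries a first-match evaluator so the effect of rule order (what firewall-policy-insert-rule changes) can be checked on a constructed packet before anything is applied. It also rejects a rule that names a port without tcp or udp, which iptables would refuse. The chain name, the `prefix` parameter and the sample policy are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FirewallRule:
    """Fields named after the firewall-rule-create options; None matches anything."""
    name: str
    action: str                           # "allow" or "deny"
    protocol: Optional[str] = None        # "tcp", "udp" or "icmp"
    source_ip: Optional[str] = None       # CIDR
    destination_ip: Optional[str] = None  # CIDR
    destination_port: Optional[int] = None
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    """A forwarded packet as the router sees it (constructed for the check)."""
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def validate_rule(rule: FirewallRule) -> None:
    if rule.action not in ("allow", "deny"):
        raise ValueError(f"{rule.name}: action must be allow or deny")
    if rule.destination_port is not None and rule.protocol not in ("tcp", "udp"):
        raise ValueError(f"{rule.name}: a port needs protocol tcp or udp")
    for cidr in (rule.source_ip, rule.destination_ip):
        if cidr is not None:
            ipaddress.ip_network(cidr, strict=False)  # raises on a bad CIDR


def _in_cidr(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: FirewallRule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.destination_port is not None and rule.destination_port != pkt.dport:
        return False
    return _in_cidr(rule.source_ip, pkt.src) and _in_cidr(rule.destination_ip, pkt.dst)


def evaluate_policy(rules: List[FirewallRule], pkt: Packet) -> str:
    """First enabled matching rule decides, as iptables chain traversal would;
    a packet that matches nothing falls through to the default deny."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, pkt):
            return rule.action
    return "deny"


def render_iptables(rules: List[FirewallRule], chain: str = "fwaas-demo",
                    prefix: str = "") -> List[str]:
    """Command lines that build a chain for the policy in policy order, end it
    with an explicit DROP, then hook it at the top of FORWARD.  `prefix` lets
    the caller prepend e.g. an 'ip netns exec <ns> ' wrapper (assumed)."""
    for rule in rules:
        validate_rule(rule)
    ipt = f"{prefix}iptables"
    cmds = [f"{ipt} -N {chain}", f"{ipt} -F {chain}"]
    for rule in rules:
        if not rule.enabled:
            continue
        parts = [f"{ipt} -A {chain}"]
        if rule.protocol:
            parts.append(f"-p {rule.protocol}")
        if rule.source_ip:
            parts.append(f"-s {rule.source_ip}")
        if rule.destination_ip:
            parts.append(f"-d {rule.destination_ip}")
        if rule.destination_port is not None:
            parts.append(f"--dport {rule.destination_port}")
        parts.append("-j ACCEPT" if rule.action == "allow" else "-j DROP")
        cmds.append(" ".join(parts))
    cmds.append(f"{ipt} -A {chain} -j DROP")
    cmds.append(f"{ipt} -I FORWARD 1 -j {chain}")
    return cmds


# Constructed policy in the spirit of slide 46: allow ICMP, allow TCP 80,
# then deny everything from a private range.  Order is the point.
DEMO_POLICY = [
    FirewallRule("allow-icmp", "allow", protocol="icmp"),
    FirewallRule("allow-web", "allow", protocol="tcp", destination_port=80),
    FirewallRule("deny-private", "deny", source_ip="10.0.0.0/8"),
]

if __name__ == "__main__":
    for cmd in render_iptables(DEMO_POLICY):
        print(cmd)
    print(evaluate_policy(DEMO_POLICY, Packet("tcp", "10.1.0.4", "10.2.0.4", 80)))
```

Moving deny-private ahead of allow-web changes the answer for web traffic from 10.1.0.4 from allow to deny, which is exactly what firewall-policy-insert-rule lets an operator do and why the evaluator is useful before applying a reordered policy to a live router.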
