1. How to develop new API extensions in OpenStack networking (Neutron)
2015 August 23
Fujitsu Vietnam Limited
PODC (Platform Offshore Development Center)
Cao Xuan Hoang (hoangcx@vn.fujitsu.com)
Copyright 2015 Fujitsu Vietnam Limited
2. Agenda
How does the OpenStack API work?
API extensions
Experiments
Example use case
Security group implementation sequence
Support logging feature/API for SG
Security group logging experiment
Firewall logging experiment
3. How does the OpenStack API work?
OpenStack includes several services that can be managed through the API.
There are two ways we can use OpenStack: API and SDK.
An application can either call the API itself, or use an SDK available for the application's programming language.
4. API extensions (1)
The OpenStack API extension mechanism makes it possible to
add functionality to OpenStack APIs in a manner that ensures
compatibility with existing clients.
The image below is an example of LBaaS API extensions that
come from operator/user use-case demand.
5. API extensions (2)
What can be extended and how:
New elements and attributes.
New resources.
New parameters.
New headers.
New verbs.
New media types.
New actions.
New states.
Other capabilities.
6. Experiment – example use case
What will happen when a bank is hacked by someone (a stranger)?
A number of the bank's accounts are lost.
An amount of money is lost.
Financial transfers may be stopped.
……
How long does it take to fix the problem?
As fast as possible or almost immediately.
How do we know exactly who hacked the bank's database?
We have to check records/history/... => from logs.
Does OpenStack networking support a log feature to get packet logs?
Not yet.
This means a NEW logging API extension comes from operator/user use-case
demand (it is necessary).
How do we develop/support a logging API extension?
See the next pages.
7. Security group implementation sequence
We are going to show an example of a logging feature that should be implemented in a NEW API.
[Sequence diagram: security group updated (created or deleted)
Participants: Host, OVSAgent, Neutron Server, Neutron Client, Firewall
Labels: create security group rule or delete rule; security_groups_rule_updated; security_group_rules_for_devices; retrieve security group rules from DB; update_port_filter; update iptables]
8. Support logging for SG (1)
We are going to show an example of a logging feature that should be implemented in a NEW API.
[Class diagram: Agent side and Server side
Classes: OVSRpcCallbacks, OVSBridgePluginV2, OVSPluginApi, OVSNeutronAgentRPC, SecurityGroupAgentRPC, SecurityGroupAgentRpcCallbackMixin, SecurityGroupAgentRpcApiMixin, SecurityGroupServerRpcApiMixin, SecurityGroupServerRpcCallbackMixin, SecurityGroupDbMixin, AgentNotifierApi, PacketLoggingDbMixin, PacketLoggingNotifier
Call labels: security_groups_logging_update or security_groups_rule_logging_update; security_group_info_for_devices; security_group_rules_for_devices
*A: security_groups_logging_updated or security_groups_rule_logging_updated
Legend: marked boxes are new classes; other boxes inherit from existing classes]