What's new in Neutron for OpenStack Havana
- 1. What's new in Neutron for Havana
Neutron developers at Cisco Systems, Boxborough office
Brian Bowen, Henry Gessau, Dane LeBlanc, Paul Michali, Abishek Subramanian, et al.
- 2. Agenda
• Modular Layer 2 plugin (ML2)
• ML2 demo with Cisco Nexus driver
• FireWall as a Service (FWaaS)
• FWaaS demo
• VPN as a Service (VPNaaS)
• VPNaaS demo
• Cisco plugin with N1000V
• Demo of Dashboard to control N1000V
- 3. Modular Layer 2 in OpenStack Neutron
Robert Kukura, Red Hat
Kyle Mestery, Cisco
- 5. Before Modular Layer 2 ...
Diagram: the Neutron Server loads one monolithic plugin, either the Open vSwitch Plugin OR the Linuxbridge Plugin OR ...
- 6. Before Modular Layer 2 ...
Diagram: the Neutron Server runs the Cisco Plugin, which contains an Open vSwitch Sub-Plugin (driving the Open vSwitch agent and Open vSwitch on the compute node) and a Nexus Sub-Plugin (driving the Cisco Nexus switch).
- 7. ML2 Architecture Diagram
Diagram: Neutron Server with API Extensions and the ML2 Plugin; the ML2 Plugin contains a Type Manager and a Mechanism Manager.
Type Manager: VLAN TypeDriver, GRE TypeDriver, VXLAN TypeDriver
Mechanism Manager: Arista, Cisco Nexus, Hyper-V, L2 Population, Linuxbridge, Open vSwitch, Tail-F NCS
- 8. TypeDrivers in Havana
The following are supported segmentation types in ML2 for the Havana release:
● local
● flat
● VLAN
● GRE
● VXLAN
- 9. MechanismDrivers in Havana
The following ML2 MechanismDrivers exist in Havana:
● Arista
● Cisco Nexus
● Hyper-V
● L2 Population
● Linuxbridge
● Open vSwitch
● Tail-f NCS
- 10. ML2 Futures: Deprecation Items
• The future of the Open vSwitch and Linuxbridge plugins
  o These are planned for deprecation in Icehouse
  o ML2 supports all their functionality
  o ML2 works with the existing OVS and Linuxbridge agents
- 11. ML2 With Current Agents
● ML2 Plugin works with existing agents
● Separate agents for Linuxbridge and Open vSwitch
● Can also use physical switches from different vendors
Diagram: Neutron Server (ML2 Plugin) connected over the API Network to Host A (Linuxbridge Agent), Host B (Linuxbridge Agent), Host C (Open vSwitch Agent) and Host D (Open vSwitch Agent).
- 12. ML2 demo, showing ...
● ML2 running with multiple MechanismDrivers
  ○ openvswitch
  ○ cisco_nexus
● Booting multiple VMs on multiple compute hosts
● Configuration of VLANs across both virtual and physical infrastructure
- 14. Cisco Nexus ML2 Mechanism Driver
• Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated
• Works with Open vSwitch (OVS) mechanism driver
  o OVS: virtual switching
  o Cisco Nexus: physical switching
• Ported from original Cisco Nexus OpenStack Plugin
• Available in Havana release
- 16. DevStack Configuration
Add to localrc File:
Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,cisco_nexus
Q_ML2_PLUGIN_TYPE_DRIVERS=vlan
Q_PLUGIN_EXTRA_CONF_PATH=(/home/leblancd/devstack)
Q_PLUGIN_EXTRA_CONF_FILES=(ml2_conf_cisco.ini)
ML2_VLAN_RANGES=physnet1:810:819
ENABLE_TENANT_VLANS=True
PHYSICAL_NETWORK=physnet1
OVS_PHYSICAL_BRIDGE=br-eth1
- 17. Cisco Mechanism Driver Config
• Create a file, e.g. "ml2_conf_cisco.ini":
  [ml2_mech_cisco_nexus:10.86.1.118]
  ComputeHost-1=1/2
  ComputeHost-2=1/3
  ssh_port=22
  username=admin
  password=MyPassword
• File name and path are arbitrary, but these configs in localrc must point to it:
  o Q_PLUGIN_EXTRA_CONF_PATH
  o Q_PLUGIN_EXTRA_CONF_FILES
• Template in Neutron branch:
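To sanity-check a driver config file in the format shown above before starting neutron-server, here is an added example (not part of the deck or of the Cisco driver itself) that parses the [ml2_mech_cisco_nexus:<switch-ip>] section layout from the slide, validates the compute-host-to-port entries, and warns when the plaintext switch password sits in a group- or world-readable file; the function names, defaults and the sample file are constructed.

```python
import configparser
import ipaddress
import os
import re
import tempfile

# Section header format from the slide: [ml2_mech_cisco_nexus:<switch-ip>]
SECTION_RE = re.compile(r"^ml2_mech_cisco_nexus:(?P<switch>.+)$")
PORT_RE = re.compile(r"^\d+/\d+$")  # Nexus interface written as slot/port

def parse_cisco_nexus_conf(path):
    """Parse an ml2_conf_cisco.ini; return ({switch_ip: settings}, [warnings])."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep "ComputeHost-1" as written (default lowercases keys)
    parser.read(path)
    mode = os.stat(path).st_mode & 0o777
    switches, warnings = {}, []
    for section in parser.sections():
        match = SECTION_RE.match(section)
        if not match:
            continue  # other ML2 sections are not this driver's business
        switch = str(ipaddress.ip_address(match.group("switch")))  # ValueError if malformed
        entry = {"hosts": {}, "ssh_port": 22}  # assumed default when ssh_port is omitted
        for key, value in parser.items(section):
            if key in ("ssh_port", "username", "password"):
                entry[key] = int(value) if key == "ssh_port" else value
            elif PORT_RE.match(value):
                entry["hosts"][key] = value  # compute host -> switch port it is cabled to
            else:
                raise ValueError("%s: %s=%r is not a slot/port" % (section, key, value))
        if "password" in entry and mode & 0o044:  # group- or world-readable
            warnings.append("%s: plaintext switch password in file with mode %o" % (switch, mode))
        switches[switch] = entry
    return switches, warnings
# Constructed sample mirroring the slide's layout; address and credentials are placeholders.
SAMPLE = """[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ml2_conf_cisco.ini")
        with open(path, "w") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately group/world-readable to trigger the warning
        return parse_cisco_nexus_conf(path)
```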
- 18. Neutron Server Startup Command
cd /opt/stack/neutron && python /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /home/leblancd/devstack/ml2_conf_cisco.ini || echo "q-svc failed to start" | tee "/opt/stack/status/stack/q-svc.failure"
- 20. Resources
• README files:
  o /opt/stack/neutron/neutron/plugins/ml2/README
  o /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README
• Template .ini Files:
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
• Wiki Pages:
  o https://wiki.openstack.org/wiki/Neutron/ML2
  o https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus
• Google Doc:
  o https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHSaFKUhEGNEuDo4
- 22. Virtual Private Network as a Service
• Initial Release Goals
  • Site to site VPN (~AWS).
  • Considered "experimental" w/limited functionality.
  • Only Pre-Shared Keys, no certificates.
  • Future releases to address other use cases.
    • SSL-VPN, MPLS/BGP
    • Certificate support
    • Service insertion/chaining
- 23. OpenSwan Driver
• OpenSwan: open source VPN process
  • Supports several encryption/auth algorithms, modes of operation (Remote Access, Site2Site, Host2Host).
  • Designed to support a single connection.
  • Uses configuration files to control operation
    • /opt/stack/data/neutron/ipsec/<router-UUID>/…
- 24. Current Status
• Reference implementation released
• Horizon dashboard access released
• CLI and REST APIs available
• API reference documentation published
  • http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
• Feature documentation in progress
• Ongoing: bug fixes & enhancements (Icehouse)
- 25. Site to Site VPN
Diagram: two sites joined by a VPN across the public network 172.24.4.0/24.
East: Private 10.1.0.0/24, Br-ex 172.24.4.11; Router 10.1.0.1; VMs 10.1.0.4 and 10.1.0.5
West: Private 10.2.0.0/24, Br-ex 172.24.4.21; Router 10.2.0.1; VM 10.2.0.4
- 26. Site to Site VPN (physical)
Diagram: one Host running two Ubuntu 12.04 VMs, one per site (Private 10.1.0.0/24 and 10.2.0.0/24; Br-ex 172.24.4.10 and 172.24.4.20). Each VM's eth0 is on the Admin Network (NAT/host) and eth1 on an Internal Network that carries the Public Network (172.24.4.222/28).
- 29. Site to Site VPN (physical)
Diagram: Devstack-32 (UCS): Private 10.1.0.0/24, Br-ex 172.24.4.225, admin address 14.0.3.32. Devstack-33 (UCS): Private 10.2.0.0/24, Br-ex 172.24.4.232, admin address 14.0.3.33. Both hosts connect through a C6500 Switch to the Admin Network (14.0.3.0/24) and the Public Network (172.24.4.222/28); the host interfaces eth1, eth2, eth3 and eth4 are labelled in the figure.
- 30. Multi-node DevStack
• To do site-to-site VPN, needed to share the public net.
• Solution: Config DevStack (localrc) GW IP to be specified. Also added naming for easier config.
devstack-32:
enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.225
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226,end=172.24.4.231"
Q_USE_SECGROUP=False
FIXED_RANGE=10.1.0.0/24
NETWORK_GATEWAY=10.1.0.1
devstack-33:
enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238"
Q_USE_SECGROUP=False
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
- 31. Modifications for VPNaaS
• Make localrc modifications as shown on previous page.
• Connect two systems with a switch (L2) for public net.
• Manually bring up eth# used for public network link.
• Add br-ex and add eth# to br-ex.
- 32. Object Diagram
Diagram (entities and their relationships):
• IKE Policy (1) is used by (N) IPSec Site Connection
• IPSec Policy (1) is used by (N) IPSec Site Connection
• Service (1) establishes (N) IPSec Site Connection
• Service (1) is associated with (1) Subnet
• Service (1) is associated with (1) Router
Note: all of these are associated with a single tenant
- 34. RPC API (Create VPN Service 1/2)
Sequence diagram; participants: User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver, Namespace Device.
• User → Neutron: create vpn service
  o Neutron: Select driver using type; Set status BUILDING; Ensure Add interface to the router
  o Neutron → IpSecDriver: create vpn service
• User → Neutron: create Ike policy
  o IpSecDriver: Noop (do nothing); Neutron: Store policy
• User → Neutron: create ipsec policy
  o Neutron: Store policy
• User → Neutron: create vpn connection
  o Neutron → IpSecDriver: create vpn connection
- 35. RPC API (Create VPN Service 2/2)
Sequence diagram continued; same participants.
• IpSecDriver: fetch router host of associated router
• IpSecDriver → Agent: vpn-service-updated
• Agent → StrongSwan DeviceDriver: sync (this sync is also done periodically, and at boot time)
• DeviceDriver ↔ IpSecDriver: sync, returning the vpn connection info with related infos
• DeviceDriver: compare local state; ensure_conf_file; ensure_process_running
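The sync step described on slides 34 and 35 (compare local state, ensure_conf_file, ensure_process_running), as an added, simplified Python model that is not Neutron's agent or driver code: the service dict layout, the digest comparison, the action names and the per-router state shape are assumptions, and the sample ids are placeholders.

```python
import hashlib
import json
import os

IPSEC_BASE = "/opt/stack/data/neutron/ipsec"  # per-router config root named on the OpenSwan slide

def conf_dir(router_id):
    return os.path.join(IPSEC_BASE, router_id)

def conf_digest(service):
    """Stable digest of the configuration that would be rendered for one VPN service."""
    return hashlib.sha256(json.dumps(service, sort_keys=True).encode()).hexdigest()

def sync(desired_services, local_state):
    """Reconcile the server's VPN services with the agent's local state.

    desired_services: list of dicts from the server (id, router_id, connections)
    local_state: dict router_id -> {"digest": str, "running": bool}
    Returns (ordered list of actions to take, new local state). Hypothetical model.
    """
    actions, new_state = [], {}
    for svc in desired_services:
        router = svc["router_id"]
        for conn in svc["connections"].values():
            if not conn.get("psk"):  # Havana VPNaaS supports pre-shared keys only
                raise ValueError("connection %s has no pre-shared key" % conn["id"])
        digest = conf_digest(svc)
        current = local_state.get(router)
        changed = current is None or current["digest"] != digest
        if changed:
            actions.append(("ensure_conf_file", conf_dir(router)))
        if changed or not current["running"]:
            actions.append(("ensure_process_running", router))
        new_state[router] = {"digest": digest, "running": True}
    for router in local_state:
        if router not in new_state:  # service deleted on the server: tear the process down
            actions.append(("stop_process", router))
    return actions, new_state

# Constructed sample; the ids are placeholders, the addresses come from the site-to-site diagram.
EAST = {"id": "svc-east", "router_id": "router-east",
        "connections": {"c1": {"id": "c1", "peer_address": "172.24.4.21",
                               "peer_cidrs": ["10.2.0.0/24"], "psk": "example-psk"}}}

def demo():
    first, state = sync([EAST], {})        # agent boot: nothing local yet
    second, state = sync([EAST], state)    # periodic sync, nothing changed
    third, _ = sync([], state)             # service deleted on the server
    return first, second, third
```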
- 36. RPC API (Update VPN Service)
Sequence diagram; participants: User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver, Namespace Device.
• User → Neutron: Update VPN Service / IKE policy / IPSec policy, or CUD of vpn connections
• Neutron: Select driver using type
• Neutron → IpSecDriver: vpn-service-updated
• IpSecDriver → Agent: vpn-service-updated
• Agent → StrongSwan DeviceDriver: sync
• DeviceDriver → Namespace Device: sync
- 37. RPC API (Update VPN Service)
Sequence diagram; same participants.
• User → Neutron: Update or Delete VPN Service / IKE policy / IPSec policy, or CRUD of vpn connections
• Neutron: Select driver using type; Remove interface
• Neutron → IpSecDriver: vpn-service-updated
• IpSecDriver → Agent: vpn-service-updated
• Agent → StrongSwan DeviceDriver: sync
• DeviceDriver → Namespace Device: sync