group based policy: open source policy in opendaylight and openstack neutron
DESCRIPTION
This is the talk I gave at LinuxCon/CloudOpen 2014 in Chicago around Group Based Policy, a new networking abstraction around policy groups.
TRANSCRIPT
Group Based Policy
Open Source Policy in OpenDaylight and OpenStack Neutron
Kyle Mestery, OpenStack Neutron PTL
Abstract
As computing has continued to evolve to a more utility or cloud-like environment, one area which has not evolved as much is networking. Concepts relevant 20 years ago such as switches, ports, networks, subnets and routers are today still very much the basic building blocks for operators and application deployers. Group Based Policy looks to extend this landscape by introducing the concepts of groups of endpoints and policy abstractions governing the communication between the groups. With Group Based Policy, application deployers can think in terms relevant to their applications when deploying networking for their applications. This talk will cover an introduction to Group Based Policy and explore its implementation in OpenStack Neutron and OpenDaylight. An overview of how the two work together to achieve harmony for application deployers will also be discussed.
Our hero … the application developer
Application Developer
But first, some history
What is a computer network?
A computer network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.
A typical computer network ...
Protocol Soup ...
What if this could be simplified?
Now, back to our hero
Application Developer
Our hero wants to deploy this
Diagram: Internet, Web/App Server, DB (Client Tier, Web/App Tier, DB Tier)
Currently she does this ...
Diagram: three network/subnet blocks, a router, and an external network
What if she could do this!
Policy groups: PGWeb, PGApplication, PGDB, PGExternal Network (Internet)
Contracts C1, C2, C3:
● Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
● Protocol: TCP, Port: 9080, Action: ALLOW
● Protocol: TCP, Port: 3306, Action: ALLOW
Introducing Group Based Policy
● APIs to allow the user to express intent
○ Separates intent from the actual underlying networking infrastructure
● Application policy abstracted from network specifics
● Open Standards, Open Source, Community Driven
○ OpenDaylight
○ OpenStack Neutron
Group Based Policy Terminology
● Existing constructs
○ Switches
○ Networks
○ Subnets
○ Ports
○ Routers
○ Load balancers
○ Firewalls
● GBP Constructs
○ Policy Point
○ Policy Group
Group Based Policy Elements
● Policy Repository
● Endpoint Repository
● Observer
● Policy Enforcer
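As an added illustration of the three-tier example from the earlier slide and of the four GBP elements listed here, the following Python models a Policy Repository (policy groups plus the contracts between them), an Endpoint Repository (which endpoint belongs to which group), a Policy Enforcer that decides what happens to a given flow, and a minimal renderer that expands group-level contracts into per-endpoint rules. This is example code written for this page, not code from the talk, OpenDaylight or Neutron; the contract directions (External to Web, Web to Application, Application to DB), the endpoint addresses, the "internet" pseudo-endpoint and the default-deny behaviour are assumptions made for the example.

```python
# Toy Group Based Policy model (constructed example, not Neutron or OpenDaylight
# code): group names, contract directions, endpoint addresses and the
# default-deny behaviour are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_ACTION = "DENY"  # assumption: a flow with no matching contract is dropped


@dataclass(frozen=True)
class Rule:
    protocol: str  # e.g. "TCP"
    port: int      # destination port on the providing group's side
    action: str    # "ALLOW" or "REDIRECT <service chain>"


@dataclass(frozen=True)
class Contract:
    """Policy for traffic from a consuming group to a providing group."""
    name: str
    consumer: str
    provider: str
    rules: Tuple[Rule, ...]


class PolicyRepository:
    """Holds the user's intent: policy groups and the contracts between them."""
    def __init__(self) -> None:
        self.groups: Set[str] = set()
        self.contracts: List[Contract] = []

    def add_group(self, name: str) -> None:
        self.groups.add(name)

    def add_contract(self, contract: Contract) -> None:
        unknown = {contract.consumer, contract.provider} - self.groups
        if unknown:  # refuse policy that points at groups nobody defined
            raise ValueError(f"contract {contract.name}: unknown groups {unknown}")
        self.contracts.append(contract)

    def contracts_between(self, consumer: str, provider: str) -> List[Contract]:
        return [c for c in self.contracts
                if c.consumer == consumer and c.provider == provider]


class EndpointRepository:
    """Maps concrete endpoints (here: addresses) to their policy group."""
    def __init__(self) -> None:
        self._group_of: Dict[str, str] = {}

    def register(self, endpoint: str, group: str) -> None:
        self._group_of[endpoint] = group

    def group_of(self, endpoint: str) -> Optional[str]:
        return self._group_of.get(endpoint)

    def members(self, group: str) -> List[str]:
        return [ep for ep, g in self._group_of.items() if g == group]


class PolicyEnforcer:
    """Answers what a switch or agent needs to know: what happens to this flow?"""
    def __init__(self, policy: PolicyRepository, endpoints: EndpointRepository) -> None:
        self.policy, self.endpoints = policy, endpoints

    def decide(self, src: str, dst: str, protocol: str, port: int) -> str:
        src_group, dst_group = self.endpoints.group_of(src), self.endpoints.group_of(dst)
        if src_group is None or dst_group is None:
            return DEFAULT_ACTION  # unknown endpoint: fail closed
        for contract in self.policy.contracts_between(src_group, dst_group):
            for rule in contract.rules:
                if rule.protocol == protocol.upper() and rule.port == port:
                    return rule.action
        return DEFAULT_ACTION


def render_endpoint_rules(policy: PolicyRepository, endpoints: EndpointRepository
                          ) -> List[Tuple[str, str, str, int, str]]:
    """Renderer step: expand group-level contracts into per-endpoint-pair rules.
    The intent stays small; the concrete rule count is consumers x providers x rules."""
    rendered = []
    for contract in policy.contracts:
        for src in endpoints.members(contract.consumer):
            for dst in endpoints.members(contract.provider):
                for rule in contract.rules:
                    rendered.append((src, dst, rule.protocol, rule.port, rule.action))
    return rendered


def build_demo() -> Tuple[PolicyRepository, EndpointRepository, PolicyEnforcer]:
    """The three-tier application from the slides, with constructed addresses."""
    policy = PolicyRepository()
    for group in ("PGExternal", "PGWeb", "PGApplication", "PGDB"):
        policy.add_group(group)
    policy.add_contract(Contract("C1", "PGExternal", "PGWeb",
                                 (Rule("TCP", 80, "REDIRECT FW_LB_CHAIN"),)))
    policy.add_contract(Contract("C2", "PGWeb", "PGApplication", (Rule("TCP", 9080, "ALLOW"),)))
    policy.add_contract(Contract("C3", "PGApplication", "PGDB", (Rule("TCP", 3306, "ALLOW"),)))
    endpoints = EndpointRepository()
    endpoints.register("internet", "PGExternal")  # the outside world as one endpoint
    for address, group in (("10.0.1.10", "PGWeb"), ("10.0.1.11", "PGWeb"),
                           ("10.0.2.10", "PGApplication"), ("10.0.3.10", "PGDB")):
        endpoints.register(address, group)
    return policy, endpoints, PolicyEnforcer(policy, endpoints)
```

Calling `build_demo()` and then `enforcer.decide("internet", "10.0.1.10", "tcp", 80)` yields the redirect action from C1, while `decide("internet", "10.0.3.10", "tcp", 3306)` is denied because no contract connects the external group to the DB group; the application deployer never had to express that denial, it follows from stating only the intended paths. Two limits of the toy are deliberate: contracts are one-directional and the enforcer is stateless, so reply traffic and connection tracking are left to the renderer, which is exactly where the talk says the complexity lives.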
The Benefits of Group Based Policy
● Easier application focused networking
● Improved automation
● Consistency
● Extensible policy model
● User defined policy is not dependent on specific networking technologies
Open Source Implementations
By utilizing OpenStack Neutron with OpenDaylight and GBP APIs, application developers and deployers get a fully open source networking policy system.
But first, back to our hero
Application Developer
I need some background information on OpenDaylight and OpenStack.
What is OpenDaylight?
Code: To create a robust, extensible, open source code base that covers the major common components required to build an SDN solution
Acceptance: To get broad industry acceptance amongst vendors and users
○ Using OpenDaylight code directly or through vendor products
○ Vendors using OpenDaylight code as part of commercial products
Community: To have a thriving and growing technical community contributing to the code base, using the code in commercial products, and adding value above, below and around.
OpenDaylight is an Open Source Software project under the Linux Foundation with the goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common industry supported platform
What is OpenDaylight Building?
OpenDaylight is an open community that is building:
● An evolvable SDN platform capable of handling diverse use cases and implementation approaches
● Common abstractions of capabilities NorthBound for people to program
● Intermediation of those capabilities to multiple Southbound implementations
● Programmable Network services
● Network Applications
● Whatever else we need to make it work
○ Including engineering systems
What Is OpenStack?
Self-service provisioning of virtual machines through a software API
Massively scalable, distributed object store
For tenant created, virtual isolated networks and subnets, and services
Your Application
OpenStack continues to build services which abstract infrastructure and provide highly scalable utilities through REST APIs, command tools and user portals
Compute(VM provisioning)
Networking(Virtual, Physical)
Storage(Object)
Identity/Authentication
VM Image Catalog
User/Admin Portal
Metering(Ceilometer)
Storage(Block)
Orchestration(HEAT)
Networking Services(LB, FW, VPN, IDS..)
How Does Group Based Policy Fit Into OpenDaylight and OpenStack?
Application Developer
GBP In OpenDaylight
● Active project targeting the Helium Release of OpenDaylight
● Initial code available:
○ https://git.opendaylight.org/gerrit/groupbasedpolicy
● More info on the wiki
○ https://wiki.opendaylight.org/view/Group_Policy:Main
OpenDaylight GBP Architecture
Group Based Policy Renderers
● GBP supports a variety of underlying technologies
○ Possible because the policy model is based on high level user intent
○ Complexity lies in the renderers
● Renderers being worked on include:
○ OVS Overlay
○ OpenFlow Renderer
○ OpFlex Renderer
Group Based Policy In OpenStack Neutron
● GBP sub-team focused on proof of concept during Icehouse cycle
● Code patches out for review during Juno
○ https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
○ Patches encompass neutron, CLI, Horizon and Heat
Diagram: CLI, Neutron, Heat, Horizon; Policy Manager; Legacy Policy Driver, ODL Policy Driver, others
OpenStack GBP Architecture
The Open Source Policy “Stack”
● OpFlex Policy Agent with northbound OpFlex protocol interface and southbound interface for device (OVS is the reference implementation).
● OpFlex protocol defined through IETF (OpFlex Control Protocol draft-smith-opflex-00)
● Group Policy as defined by OpenStack
● OpenDaylight provides northbound API for Group Policy and southbound interface for OpFlex protocol.
Diagram: Linux, OVS, libvirt, OpenFlow, OVSDB
Back to our hero
Application Developer
In Summary
● Group Based Policy goals:
○ Separate application intent from underlying implementation
○ Provide application oriented APIs for application developers and deployers
○ Uses and extends existing open standards and protocols
○ Simplify complex networking for application deployers!
Allows anyone to accomplish this!
Policy groups: PGWeb, PGApplication, PGDB, PGExternal Network (Internet), connected by contracts C1, C2, C3
More Information
● For more information on OpFlex and how it integrates with GBP, attend Scott Mann’s talk:
○ Open Source Policy: OpenDaylight and OpFlex
○ Thursday, 2:30-3:20PM
○ Room SB 3
Thank you!
Application Developer