OpenStack Group-Based Policy
TRANSCRIPT
1
OPENSTACK GROUP-BASED POLICY
The Group-based Policy (GBP) abstractions for OpenStack provide an intent-driven declarative policy model that presents simplified application-oriented interfaces to the user.
3
OpenStack
A free, open-source software platform for cloud computing, mostly deployed as IaaS
Started in 2010
At least two releases every year; current stable release is Liberty (2015), upcoming is Mitaka (April 2016)
Thousands of contributors in over 100 countries
4
OpenStack Architecture
[Architecture diagram. Labels: Users; Horizon GUI, CLI, REST API; OpenStack Shared Services: Swift, Cinder, Nova, Glance, Neutron; Storage, Hypervisors, Network]
8
Challenges
1 • Separating the Concerns
2 • Networking knowledge
3 • Need to manually maintain and refer to virtual infrastructure information for any deployment
4 • Introduces more complexity with new networking features such as firewalling, load balancing
10
Group-Based Policy
GBP is available from the OpenStack Juno release
Developed by a community of engineers from IBM, Cisco, Big Switch etc.
It was started around Sept 2014
It has the ability to separate the intent of the application developer from the requirement of the infrastructure operators
It runs on top of existing OpenStack services
Designed to offer policy-based abstractions to manage OpenStack infrastructure
11
Group-Based Policy
[Architecture diagram. Labels: Users; GBP GUI, Horizon GUI, CLI, REST API; Group Based Policy; OpenStack Shared Services: Swift, Cinder, Nova, Glance, Neutron; Storage, Hypervisors, Network]
12
Group-Based Policy Constructs
Groups
• Collection of network endpoints with their properties.
• Policy Target Group: Contains members [VMs]
• External Group: Contains the external connectivity defined by External Segment
Policy Rules
• These are reusable rules that define connectivity between members of the group
Policy Rule Set
• This is a collection of Policy Rules
Classifier
• It defines port, protocol and direction
Actions
• It can be of type ALLOW, REDIRECT (Service chaining)
13
Group-Based Policy Design
[Design diagram. Labels: Policy Target Group; Subnet; Layer 2 Policy; Policy Rule Set; Policy Rule; Classifier; Actions; Policy Tags. Classifier shown: Port: 22, Protocol: TCP, Direction: Bi. Action shown: ALLOW]
16
Agenda
OpenStack
Challenges
Group-Based Policy
Overcoming challenges
Under the hood
More Features
17
Overcoming Challenges
Non-GBP | GBP
Separating the Concerns | Separation of Concerns
Networking knowledge | No Need to have networking knowledge
Manually maintain and refer info | No Need to maintain any information
More complexity with new n/w features | Complexity removed with service chaining
19
Group-Based Policy Under the hood
[Diagram. Labels: Horizon GUI, CLI; Group-Based Policy; Neutron Driver; Neutron; ML2 Driver; ODL Driver; Vendor Driver; Network Infrastructure]
22
Service Chaining
[Diagram. Labels: Web Group, App Group, DB Group; Classifier: Port 80; Action: REDIRECT; Firewall, Load Balancer]
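The constructs above (groups, policy rule sets, policy rules, classifiers, actions) can be modelled in a few lines to show how a flow between groups is decided. This is an added example, not GBP's own code: the class names, the attachment of rule sets to group pairs, the sample policy and the implicit DENY for unmatched traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Classifier:
    protocol: str
    port: int
    direction: str  # "in", "out" or "bi"

    def matches(self, protocol, port, direction):
        # "bi" covers both directions; otherwise the direction must match exactly.
        return (self.protocol == protocol and self.port == port
                and self.direction in ("bi", direction))

@dataclass(frozen=True)
class Action:
    type: str          # "ALLOW" or "REDIRECT"
    chain: tuple = ()  # services traversed on REDIRECT (service chaining)

@dataclass(frozen=True)
class PolicyRule:
    classifier: Classifier
    action: Action

def evaluate(policy, src, dst, protocol, port):
    """Return (verdict, chain) for a flow between two groups.

    Assumption: a rule set attached to the pair (a, b) sees a->b traffic as
    "in" and b->a traffic as "out"; anything no rule matches is denied.
    """
    for key, direction in (((src, dst), "in"), ((dst, src), "out")):
        for rule in policy.get(key, []):
            if rule.classifier.matches(protocol, port, direction):
                return rule.action.type, rule.action.chain
    return "DENY", ()

# Constructed sample policy using the values shown on the slides.
SSH = PolicyRule(Classifier("tcp", 22, "bi"), Action("ALLOW"))
WEB = PolicyRule(Classifier("tcp", 80, "in"),
                 Action("REDIRECT", ("firewall", "load-balancer")))
POLICY = {
    ("web", "app"): [WEB, SSH],  # policy rule set between web and app groups
    ("app", "db"): [SSH],        # policy rule set between app and db groups
}

if __name__ == "__main__":
    for flow in [("web", "app", "tcp", 80), ("app", "web", "tcp", 22),
                 ("app", "web", "tcp", 80), ("web", "db", "tcp", 22)]:
        print(flow, "->", evaluate(POLICY, *flow))
```

The two denied flows show what a reviewer should check in a rule set: a one-directional classifier does not permit return-initiated traffic, and groups with no shared rule set cannot reach each other.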
24
Future Group Based Policy Experience
It will become easier and more flexible for vendors that are offering policy-based solutions to integrate with OpenStack
More focus on application deployment and delivery
Integrating SDN-based solutions will be easier