Group Based Policy: Open Source Policy in OpenDaylight and OpenStack Neutron
DESCRIPTION
This is the talk I gave at LinuxCon/CloudOpen 2014 in Chicago around Group Based Policy, a new networking abstraction around policy groups.
TRANSCRIPT
Page 1
Group Based Policy
Open Source Policy in OpenDaylight and OpenStack Neutron
Kyle Mestery, OpenStack Neutron PTL
Page 2
Abstract
As computing has continued to evolve to a more utility or cloud-like environment, one area which has not evolved as much is networking. Concepts relevant 20 years ago such as switches, ports, networks, subnets and routers are today still very much the basic building blocks for operators and application deployers. Group Based Policy looks to extend this landscape by introducing the concepts of groups of endpoints and policy abstractions governing the communication between the groups. With Group Based Policy, application deployers can think in terms relevant to their applications when deploying networking for their applications. This talk will cover an introduction to Group Based Policy and explore its implementation in OpenStack Neutron and OpenDaylight. An overview of how the two work together to achieve harmony for application deployers will also be discussed.
Page 3
Our hero … the application developer
Application Developer
Page 4
But first, some history
Page 5
What is a computer network?
A computer network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.
Page 6
A typical computer network ...
Page 7
Protocol Soup ...
Page 8
What if this could be simplified?
Page 9
Now, back to our hero
Application Developer
Page 10
Our hero wants to deploy this
(Diagram of a three-tier application) Client Tier: Internet; Web/App Tier: Web/App Server; DB Tier: DB
Page 11
Currently she does this ...
(Diagram of the Neutron objects she has to create) Network/subnet, Network/subnet, Network/subnet, Router, External Network
Page 12
What if she could do this!
Policy groups: PGWeb, PGApplication, PGDB, PGExternal Network (Internet)
Contracts between the groups: C1, C2, C3
Protocol: TCP, Port: 80, Action: Redirect to FW_LB_CHAIN
Protocol: TCP, Port: 9080, Action: ALLOW
Protocol: TCP, Port: 3306, Action: ALLOW
Page 13
Introducing Group Based Policy
● APIs to allow the user to express intent
○ Separates intent from the actual underlying networking infrastructure
● Application policy abstracted from network specifics
● Open Standards, Open Source, Community Driven
○ OpenDaylight
○ OpenStack Neutron
Page 14
Group Based Policy Terminology
● Existing constructs
○ Switches
○ Networks
○ Subnets
○ Ports
○ Routers
○ Load balancers
○ Firewalls
● GBP Constructs
○ Policy Point
○ Policy Group
Page 15
Group Based Policy Elements
● Policy Repository
● Endpoint Repository
● Observer
● Policy Enforcer
Page 16
The Benefits of Group Based Policy
● Easier application focused networking
● Improved automation
● Consistency
● Extensible policy model
● User defined policy is not dependent on specific networking technologies
Page 17
Open Source Implementations
By utilizing OpenStack Neutron with OpenDaylight and GBP APIs, application developers and deployers get a fully open source networking policy system.
Page 18
But first, back to our hero
Application Developer
I need some background information on OpenDaylight and OpenStack.
Page 19
What is OpenDaylight?
OpenDaylight is an Open Source Software project under the Linux Foundation with the goal of furthering the adoption and innovation of Software Defined Networking (SDN) through the creation of a common industry supported platform.
Code: To create a robust, extensible, open source code base that covers the major common components required to build an SDN solution
Acceptance: To get broad industry acceptance amongst vendors and users
• Using OpenDaylight code directly or through vendor products
• Vendors using OpenDaylight code as part of commercial products
Community: To have a thriving and growing technical community contributing to the code base, using the code in commercial products, and adding value above, below and around.
Page 20
What is OpenDaylight Building?
OpenDaylight is an open community that is building:
● An evolvable SDN platform capable of handling diverse use cases and implementation approaches
● Common abstractions of capabilities NorthBound for people to program
● Intermediation of those capabilities to multiple Southbound implementations
● Programmable Network services
● Network Applications
● Whatever else we need to make it work
○ Including engineering systems
Page 21
What Is OpenStack?
(Diagram of the core services underneath your application)
Compute: self-service provisioning of virtual machines through a software API
Storage: massively scalable, distributed object store
Networking: for tenant created, virtual isolated networks and subnets, and services
Your Application
Page 22
OpenStack continues to build services which abstract infrastructure and provide highly scalable utilities through REST APIs, command tools and user portals
Compute (VM provisioning)
Networking (Virtual, Physical)
Storage (Object)
Identity/Authentication
VM Image Catalog
User/Admin Portal
Metering (Ceilometer)
Storage (Block)
Orchestration (Heat)
Networking Services (LB, FW, VPN, IDS, ...)
Page 23
How Does Group Based Policy Fit Into OpenDaylight and OpenStack?
Application Developer
Page 24
GBP In OpenDaylight
● Active project targeting the Helium Release of OpenDaylight
● Initial code available:
○ https://git.opendaylight.org/gerrit/groupbasedpolicy
● More info on the wiki
○ https://wiki.opendaylight.org/view/Group_Policy:Main
Page 25
OpenDaylight GBP Architecture
Page 26
Group Based Policy Renderers
● GBP supports a variety of underlying technologies
○ Possible because the policy model is based on high level user intent
○ Complexity lies in the renderers
● Renderers being worked on include:
○ OVS Overlay
○ OpenFlow Renderer
○ OpFlex Renderer
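To make the policy-group picture from the "What if she could do this!" slide and the renderer split on this slide concrete, here is a small added Python example; it is constructed for this page and is not OpenDaylight or Neutron GBP code. It assumes contract C1 joins the external group to PGWeb on TCP 80 (redirected to FW_LB_CHAIN), C2 joins PGWeb to PGApplication on TCP 9080, and C3 joins PGApplication to PGDB on TCP 3306, which is how the three rules line up on the slide; the endpoint names, IPs and the flow-entry layout are made up. The policy enforcer answers "what happens to this flow?" with a default deny, and the toy renderer shows why the deck says the complexity lives in the renderers: three group-level contracts expand into one flow entry per endpoint pair.

```python
"""Toy Group Based Policy model, constructed for this page (not ODL/Neutron code).

Policy groups hold endpoints, contracts carry classifier/action rules from a
consumer group to a provider group, a policy enforcer decides per flow, and a
renderer expands the group-level intent into per-endpoint flow entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DENY = "DENY"


@dataclass(frozen=True)
class Rule:
    protocol: str  # classifier: L4 protocol, e.g. "tcp"
    port: int      # classifier: destination port
    action: str    # "ALLOW" or "REDIRECT:<service chain>"


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str            # policy group that initiates the traffic
    provider: str            # policy group that offers the service
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    group: str               # policy group membership


def resolve(contracts, endpoints, src, dst, protocol, port):
    """Policy enforcer for one flow: the action of the first matching rule in a
    contract from src's group to dst's group, otherwise DENY. Contracts are
    directional, so a reverse flow needs its own contract. Real GBP allows
    intra-group traffic by default; this toy model leaves that out."""
    s, d = endpoints[src], endpoints[dst]
    for c in contracts:
        if c.consumer != s.group or c.provider != d.group:
            continue
        for r in c.rules:
            if r.protocol == protocol and r.port == port:
                return r.action
    return DENY


def render_flows(contracts, endpoints):
    """Toy renderer: one flow entry per rule per (consumer endpoint, provider
    endpoint) pair, then a lowest-priority drop. Entries are plain dicts shaped
    loosely like OpenFlow matches (constructed, not ovs-ofctl syntax); a real
    OVS overlay, OpenFlow or OpFlex renderer emits its own format. The N x M
    expansion per rule is the complexity the user never sees."""
    by_group: Dict[str, List[Endpoint]] = {}
    for ep in endpoints.values():
        by_group.setdefault(ep.group, []).append(ep)
    flows = []
    for c in contracts:
        for r in c.rules:
            for s in by_group.get(c.consumer, []):
                for d in by_group.get(c.provider, []):
                    flows.append({"priority": 100, "contract": c.name,
                                  "match": {"nw_src": s.ip, "nw_dst": d.ip,
                                            "nw_proto": r.protocol, "tp_dst": r.port},
                                  "actions": r.action})
    flows.append({"priority": 0, "contract": None, "match": {}, "actions": "DROP"})
    return flows


def rendered_paths(flows, endpoints):
    """Audit helper: fold non-drop flow entries back into
    (consumer group, provider group, port) so the rendered state can be
    checked against the intended contracts before it reaches the devices."""
    group_of = {ep.ip: ep.group for ep in endpoints.values()}
    paths: Set[Tuple[str, str, int]] = set()
    for f in flows:
        if f["actions"] != "DROP":
            m = f["match"]
            paths.add((group_of[m["nw_src"]], group_of[m["nw_dst"]], m["tp_dst"]))
    return paths


# The deck's three-tier deployment. Assumed pairing: C1 = External -> Web on
# TCP 80 (redirected to the FW/LB chain), C2 = Web -> Application on TCP 9080,
# C3 = Application -> DB on TCP 3306. Endpoint names and IPs are constructed.
CONTRACTS = (
    Contract("C1", "PGExternal", "PGWeb", (Rule("tcp", 80, "REDIRECT:FW_LB_CHAIN"),)),
    Contract("C2", "PGWeb", "PGApplication", (Rule("tcp", 9080, "ALLOW"),)),
    Contract("C3", "PGApplication", "PGDB", (Rule("tcp", 3306, "ALLOW"),)),
)
ENDPOINTS = {ep.name: ep for ep in (
    Endpoint("client", "203.0.113.10", "PGExternal"),
    Endpoint("web1", "10.0.1.11", "PGWeb"),
    Endpoint("web2", "10.0.1.12", "PGWeb"),
    Endpoint("app1", "10.0.2.11", "PGApplication"),
    Endpoint("db1", "10.0.3.11", "PGDB"),
)}

if __name__ == "__main__":
    print(resolve(CONTRACTS, ENDPOINTS, "client", "web1", "tcp", 80))   # REDIRECT:FW_LB_CHAIN
    print(resolve(CONTRACTS, ENDPOINTS, "client", "db1", "tcp", 3306))  # DENY
    for flow in render_flows(CONTRACTS, ENDPOINTS):
        print(flow)
```

The `rendered_paths` pass is the check a deployer wants before trusting a renderer: the set it returns should equal exactly the (consumer, provider, port) triples the contracts express, with no extra path such as external-to-DB appearing once the groups are expanded to endpoints.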
Page 27
Group Based Policy In OpenStack Neutron
● GBP sub-team focused on proof of concept during Icehouse cycle
● Code patches out for review during Juno
○ https://blueprints.launchpad.net/neutron/+spec/group-based-policy-abstraction
○ Patches encompass neutron, CLI, Horizon and Heat
Page 28
OpenStack GBP Architecture
(Diagram) Clients: CLI, Heat, Horizon
Neutron
Policy Manager
Policy drivers: Legacy Policy Driver, ODL Policy Driver, others
Page 29
The Open Source Policy “Stack”
(Diagram, top to bottom)
Group Policy as defined by OpenStack
OpenDaylight provides a northbound API for Group Policy and a southbound interface for the OpFlex protocol.
OpFlex protocol defined through IETF (OpFlex Control Protocol draft-smith-opflex-00)
OpFlex Policy Agent with northbound OpFlex protocol interface and southbound interface for the device (OVS is the reference implementation).
Device layer: Linux, OVS, libvirt, OpenFlow, OVSDB
Page 30
Back to our hero
Application Developer
Page 31
In Summary
● Group Based Policy goals:
○ Separate application intent from underlying implementation
○ Provide application oriented APIs for application developers and deployers
○ Use and extend existing open standards and protocols
○ Simplify complex networking for application deployers!
Page 32
Allows anyone to accomplish this!
Policy groups: PGWeb, PGApplication, PGDB, PGExternal Network (Internet)
Contracts between the groups: C1, C2, C3
Page 33
More Information
● For more information on OpFlex and how it integrates with GBP, attend Scott Mann’s talk:
○ Open Source Policy: OpenDaylight and OpFlex
○ Thursday, 2:30-3:20PM
○ Room SB 3
Page 34
Thank you!
Application Developer