[openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?

Julio Carlos Barrera Juez juliocarlos.barrera at i2cat.net
Thu Apr 24 07:13:20 UTC 2014


OK, thank you guys, I understood that it was not possible to configure and
make work any VPNaaS plugin. I don't care, by now, because it works in
single-provider mode. I knew about the Cisco implementation, but I don't
know how to configure it, because I didn't find enough documentation about
that topic. I need some help on the basics of configuring a VPNaaS plugin in
single-provider mode, because I only found information about it in 3rd-party
blog posts, etc.

What are the basic steps?

Thank you again.


Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net


On 18 April 2014 10:50, Bo Lin <linb at vmware.com> wrote:

> Hi Julio,
> +1 for Paul's response. Multiple-provider VPNaaS support is delayed. But
> you can take https://review.openstack.org/#/c/74156/
> and https://review.openstack.org/#/c/74144/ as
> examples to write your own vpnaas driver without multi-provider support. If
> you have any questions, or problems in your code that keep it from working,
> just upload your code to the review board and we can find out how to solve it :).
>
> Thanks!
> ---Bo
>
>
> ------------------------------
> *From: *"Paul Michali (pcm)" <pcm at cisco.com>
>
> *To: *"OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> *Sent: *Friday, April 11, 2014 2:15:18 AM
>
> *Subject: *Re: [openstack-dev] How to implement and configure a new
> Neutron vpnaas driver from scratch?
>
> By not "working" do you mean you cannot get the plugin to work in a
> multi-provider environment? Multi-provider solutions have been tabled until
> Juno, where more discussion is occurring on what is the best way to support
> different service providers.
>
>  However, you should be able to get the plugin to work as the "sole" VPN
> service provider, which is what the Cisco solution does currently. You can
> look at how I've done that in the cisco_ipsec.py modules in the
> service_drivers and device_drivers directories, under neutron/services/vpn/.
>
>
>  Regards,
>
>   PCM (Paul Michali)
>
>  MAIL ......... pcm at cisco.com
> IRC ........... pcm_ (irc.freenode.com)
> TW ............ @pmichali
> GPG Key ... 4525ECC253E31A83
> Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83
>
>
>
>  On Apr 10, 2014, at 1:51 PM, Julio Carlos Barrera Juez <
> juliocarlos.barrera at i2cat.net> wrote:
>
>  Hi.
>
>  After 8 months of the patch creation and being abandoned weeks ago (
> https://review.openstack.org/#/c/41827/)
> I still don't know how we can develop a VPNaaS plugin following Bo Lin's
> instructions. Is there any other patch trying to solve the problem? Is
> there any way to work around the issue to get a VPNaaS plugin working?
>
>  Thank you!
>
>
>  Julio C. Barrera Juez
> Office phone: +34 93 357 99 27
> Distributed Applications and Networks Area (DANA)
> i2CAT Foundation, Barcelona, Spain
> http://dana.i2cat.net
>
>
> On 27 February 2014 10:51, Bo Lin <linb at vmware.com> wrote:
>
>>  Hi Julio,
>>  You can take https://review.openstack.org/#/c/74156/
>>  and https://review.openstack.org/#/c/74144/ as
>> examples to write your own vpnaas driver. For more info about the service type
>> framework, you can also refer to the neutron/services/loadbalancer code.
>>
>>  ------------------------------
>>  *From: *"Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
>>  *To: *"OpenStack Development Mailing List (not for usage questions)" <
>> openstack-dev at lists.openstack.org>
>> *Sent: *Thursday, February 27, 2014 5:26:32 PM
>> *Subject: *Re: [openstack-dev] How to implement and configure a new
>> Neutron vpnaas driver from scratch?
>>
>>
>>  I'm following the change you pointed to a week ago. It seems that it is
>> working now, and will eventually be approved soon. I will be happy when it
>> is approved.
>>
>>  Anyway, I need more information about how to develop a service driver
>> and a device driver for the VPN plugin. I realize from reverse-engineering
>> that I need an RPC agent and an RPC between them to communicate and use a
>> kind of callbacks to answer. Where can I find documentation about it and
>> some examples? Is there any best practice guide for the use of this
>> architecture?
>>
>>  Thank you again!
>>
>>  Julio C. Barrera Juez
>> Office phone: +34 93 357 99 27
>> Distributed Applications and Networks Area (DANA)
>> i2CAT Foundation, Barcelona, Spain
>> http://dana.i2cat.net
>>
>>
>>  On 19 February 2014 09:13, Julio Carlos Barrera Juez <
>> juliocarlos.barrera at i2cat.net> wrote:
>>
>>> Thank you very much Bo. I will try all your advice and check if it
>>> works!
>>>
>>>  Julio C. Barrera Juez
>>> Office phone: +34 93 357 99 27
>>> Distributed Applications and Networks Area (DANA)
>>> i2CAT Foundation, Barcelona, Spain
>>> http://dana.i2cat.net
>>>
>>>
>>>   On 18 February 2014 09:18, Bo Lin <linb at vmware.com> wrote:
>>>
>>>>   I wonder whether your neutron server code has added the "VPNaaS
>>>> integration with service type framework" change on
>>>> https://review.openstack.org/#/c/41827/21 ;
>>>> if not, the service_provider option is useless. You need to include the
>>>> change before developing your own driver.
>>>>
>>>>  Q&A (in my opinion, and something may be missing):
>>>>  - What is the difference between service drivers and device drivers?
>>>>     Service drivers are driven by the VPN service plugin and are
>>>> responsible for casting RPC requests (CRUD of vpnservices) to, and doing
>>>> callbacks from, the VPN agent.
>>>>     Device drivers are driven by the VPN agent and are responsible for
>>>> implementing specific VPN operations and reporting VPN running status.
>>>>
>>>>  - Could I implement only one of them?
>>>>     The device driver must be implemented based on your own device.
>>>> Unless the default ipsec service driver is definitely appropriate, I suggest
>>>> you implement both of them. After including "VPNaaS integration with
>>>> service type framework", the service driver work is simple.
>>>>
>>>>  - Where I need to put my Python implementation in my OpenStack
>>>> instance?
>>>>     Do you mean letting your instance run your new code? The default
>>>> source code dir is /opt/stack/neutron; you need to put your new changes
>>>> into that dir and restart the neutron server.
>>>>
>>>>  - How could I configure my OpenStack instance to use this
>>>> implementation?
>>>>     1. Add your new code into the source dir
>>>>     2. Add the appropriate vpnaas service_provider into neutron.conf and add
>>>> the appropriate "vpn_device_driver" option into vpn_agent.ini
>>>>     3. Restart n-svc and q-vpn
>>>>
>>>>  Hope this helps you.
>>>>
>>>>  ------------------------------
>>>>  *From: *"Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
>>>> *To: *"OpenStack Development Mailing List" <
>>>> openstack-dev at lists.openstack.org>
>>>> *Sent: *Monday, February 17, 2014 7:18:44 PM
>>>> *Subject: *[openstack-dev] How to implement and configure a new
>>>> Neutron vpnaas driver from scratch?
>>>>
>>>>
>>>>  Hi.
>>>>
>>>>  I have asked in the Q&A website without success (
>>>> https://ask.openstack.org/en/question/12072/how-to-implement-and-configure-a-new-vpnaas-driver-from-scratch/
>>>> ).
>>>>
>>>>  I want to develop a vpnaas implementation. It seems that since
>>>> Havana, there are plugins, services and device implementations. I like the
>>>> plugin and its current API, so I don't need to reimplement it. Now I want
>>>> to implement a vpnaas driver, and I see I have two main parts to take into
>>>> account: the service_drivers and the device_drivers. IPsec/OpenSwan
>>>> implementation is the unique sample I've found.
>>>>
>>>>  I'm using devstack to test my experiments.
>>>>
>>>>  I tried to implement a VpnDriver Python class extending the main API
>>>> methods like IPsecVPNDriver does. I placed basic implementation files at
>>>> the same level as IPsec/OpenSwan does and configured Neutron adding this
>>>> line to /etc/neutron/neutron.conf file:
>>>>
>>>>  service_provider = VPN:VPNaaS:neutron.services.vpn.service_drivers.our_python_filename.OurClassName:default
>>>>
>>>>  I restarted Neutron related services in my devstack instance, but it
>>>> seemed it didn't work.
>>>>
>>>>
>>>>
>>>>  - What is the difference between service drivers and device drivers?
>>>> - Could I implement only one of them?
>>>> - Where I need to put my Python implementation in my OpenStack
>>>> instance?
>>>> - How could I configure my OpenStack instance to use this
>>>> implementation?
>>>>
>>>>
>>>>
>>>>  I found almost no documentation about these topics.
>>>>
>>>>  Thank you very much.
>>>>
>>>>  _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>
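
An added example, not part of the original thread and not Neutron's own code: a stand-alone check for the situation described in the first message, where a `service_provider` line was added to neutron.conf but the driver did not take effect. It assumes the `service_type:name:driver_path[:default]` form shown in the thread; the function names `parse_service_provider` and `check_driver_path` are hypothetical, and the same import check can be run on the `vpn_device_driver` value from vpn_agent.ini.

```python
import importlib


def parse_service_provider(value):
    """Split 'service_type:name:driver_path[:default]' into its fields."""
    parts = [p.strip() for p in value.split(":")]
    if len(parts) not in (3, 4):
        raise ValueError("expected service_type:name:driver[:default], got %r" % value)
    if len(parts) == 4 and parts[3] != "default":
        raise ValueError("fourth field must be 'default', got %r" % parts[3])
    service_type, name, driver = parts[:3]
    if not (service_type and name and driver):
        raise ValueError("empty field in %r" % value)
    return {"service_type": service_type, "name": name,
            "driver": driver, "default": len(parts) == 4}


def check_driver_path(dotted_path):
    """Return (ok, reason) for a 'pkg.module.ClassName' driver path."""
    module_name, _, class_name = dotted_path.rpartition(".")
    if not module_name:
        return False, "not a dotted module.Class path"
    try:
        # Importing runs the module, so do this as the service user on the
        # host where the driver file was placed.
        module = importlib.import_module(module_name)
    except Exception as exc:  # ImportError, SyntaxError in the driver file, ...
        return False, "cannot import module %s: %s" % (module_name, exc)
    obj = getattr(module, class_name, None)
    if obj is None:
        return False, "module %s has no attribute %s" % (module_name, class_name)
    if not isinstance(obj, type):
        return False, "%s is not a class" % dotted_path
    return True, "ok"


if __name__ == "__main__":
    # The value quoted in the thread; the module and class names are the
    # poster's placeholders, so on most hosts this reports an import failure.
    line = ("VPN:VPNaaS:neutron.services.vpn.service_drivers."
            "our_python_filename.OurClassName:default")
    provider = parse_service_provider(line)
    print(provider)
    print(check_driver_path(provider["driver"]))
```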