[openstack-dev] [neutron][vpnaas] Need community guidance please...

Paul Michali pc at michali.net
Wed Aug 26 12:06:25 UTC 2015


See @PCM inline...


On Wed, Aug 26, 2015 at 4:44 AM Germy Lure <germy.lure at gmail.com> wrote:

> Hi,
>
> Maybe I missed some key points. But why did we introduce vpn-endpoint groups
> here?
>

@PCM For the multiple local subnet capability for IPSec, the existing API
would need to be changed so that we can specify 1+ local subnets as part
of the VPN connection. This would have been the simplest approach for
updating IPSec connections; however, it makes it a point solution.

Other VPN flavors would also have similar "endpoint" specifications in
their "connection" APIs.

The approach that I'm advocating is to extract out some of the commonality
between VPN flavors such that we can have some reuse.

Essentially, the idea is to break VPN into two parts. One is "what is
connected" and the other is "how the connection is made".

For the former, the idea of an endpoint group is introduced. It provides a
collection of endpoints that can be identified by a type (e.g. subnet,
CIDR, network, vlan, ...) and an ID.

The latter would be VPN flavor specific, having all of the details needed
for that type of VPN connection and would reference the needed endpoint
group(s) by ID.

This separates the "what" from the "how".



> "ipsec-site-connection" for IPSec VPN only, "gre-connection" for GRE VPN
> only, and "mpls-connection" for MPLS VPN only. You see, different
> connections for different VPN types. Indeed, we can't reuse the connection API.
>

@PCM Correct. The "how" is VPN type specific. But we can have a common API
for the "what".



>
> A piece of the ref document (https://review.openstack.org/#/c/191944/) reads
> like this:
> "allowing subnets (local) and CIDRs (peer) to be used for IPSec, but
> routers, networks, and VLANs to be used for other VPN types (BGP, L2,
> direct connection)"
>
> You see, different epg types for different vpn types. We can't reuse epg.
>

@PCM We're not reusing the endpoint group itself for different types of
VPN, we're reusing the API for different types of VPN. A common API that
holds a collection of endpoints of a specific type.

You can look at the code that is out for review to get a feel for the
implementation being worked on: https://review.openstack.org/#/c/212692/3



> So, how do we meet "The third goal, is to do this in a manner that the code
> can be reused for other flavors of VPN."?
>

@PCM The code for the endpoint group API could be used for other VPN types.
Instead of them creating table fields (and the corresponding db logic) for
the endpoints of their connection, they can refer to the ID(s) from the
endpoint groups table, and can add additional validation based on the VPN
type.

FYI, I pushed up version 7 of the dev ref document yesterday.

Regards,

PCM


> Thanks.
>
>
> On Tue, Aug 25, 2015 at 1:54 AM, Madhusudhan Kandadai <
> madhusudhan.openstack at gmail.com> wrote:
>
>> My two cents..
>>
>> On Mon, Aug 24, 2015 at 8:48 AM, Jay Pipes <jaypipes at gmail.com> wrote:
>>
>>> Hi Paul, comments inline...
>>>
>>> On 08/24/2015 07:02 AM, Paul Michali wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm working on the multiple local subnet feature for VPN (RFE
>>>> https://bugs.launchpad.net/neutron/+bug/1459423), with a developer
>>>> reference document detailing the proposed process
>>>> (https://review.openstack.org/#/c/191944/). The plan is to do this in
>>>> two steps. The first is to add new APIs and database support for
>>>> "endpoint groups" (see dev ref for details). The second is to modify the
>>>> IPSec/VPN APIs to make use of the new information (and no longer use
>>>> some older, but equivalent info that is being extended).
>>>>
>>>> I have a few process/procedural questions for the community...
>>>>
>>>> Q1) Should I do this all as one huge commit, as two commits (one for
>>>> endpoint groups and one for modification to support multiple local
>>>> subnets), or multiple (chained) commits (e.g. commit for each API for
>>>> the endpoint groups and for each part of the multiple subnet change)?
>>>>
>>>> My thought (now) is to do this as two commits, with the endpoint groups
>>>> as one, and multiple subnet groups as a second. I started with a commit
>>>> for create API of endpoint (212692), and then did a chained commit for
>>>> delete/show/list (215717), thinking they could be reviewed in pieces,
>>>> but they are not that large and could be easily merged.
>>>>
>>>
>>> My advice would be 2 commits, as you have split them out.
>>>
>>
>> I would prefer to have two commits with end-point groups as one and
>> modification to support multiple local subnets as another. This will be
>> easy to troubleshoot when in need.
>>
>>>
>>>> Q2) If the two parts are done separately, should the "endpoint group"
>>>> portion, which adds a table and API calls, be done as part of the
>>>> existing version (v2) of VPN, instead of introducing a new version at
>>>> that step?
>>>>
>>>
>>> Is the Neutron VPN API microversioned? If not, then I suppose your only
>>> option is to modify the existing v2 API. These seem to be additive changes,
>>> not modifications to existing API calls, in which case they are
>>> backwards-compatible (just not discoverable via an API microversion).
>>>
>> I suggest this be done as part of the existing v2 API. As the API
>> tests are in transition from the neutron to the neutron-vpnaas repo, we can modify
>> the tests and submit them as one patch.
>>
>>>
>>>> Q3) For the new API additions, do I create a new subclass for the
>>>> "interface" that includes all the existing APIs, introduce a new class
>>>> that is used together with the existing class, or do I add this to the
>>>> existing API?
>>>>
>>>
>>> Until microversioning is introduced to the Neutron VPN API, it should
>>> probably be a change to the existing v2 API.
>>>
>> +1
>>
>>>
>>>> Q4) With the final multiple local subnet changes, there will be changes
>>>> to the VPN service API (delete subnet_id arg) and IPSec connection API
>>>> (delete peer_cidrs arg, and add local_endpoints and peer_endpoints
>>>> args). Do we modify the URI so that it calls out v3 (versus v2)? Where
>>>> do we do that?
>>>>
>>>
>>> Hmm, with the backwards-incompatible API changes like the above, your
>>> only option is to increment the major version number. The alternative would
>>> be to add support for microversioning as a prerequisite to the patch that
>>> adds backwards-incompatible changes, and then use a microversion to
>>> introduce those changes.
>>>
>> Right now, we are beefing up scenario tests for VPN. Adding the
>> microversioning feature seems a better option to me, but I'm open to
>> reviews from the community.
>>
>>>
>>> Best,
>>> -jay
>>>
>>>> I'm unsure of the mechanism of increasing the version.
>>>>
>>>> Thanks in advance for any guidance here on how this should be rolled
>>>> out...
>>>>
>>>> Regards,
>>>>
>>>> Paul Michali (pc_m)
>>>>
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
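To make the "what" versus "how" split discussed in this thread concrete, here is an added Python sketch (not the neutron-vpnaas code under review): an endpoint-group store shared by every VPN flavor, and an IPsec-specific connection builder that references groups by ID and layers its own validation on top (local side must be subnets, peer side CIDRs, as described above). The class and function names, and the treatment of subnet endpoints as opaque IDs, are assumptions.

```python
import ipaddress
import uuid
from dataclasses import dataclass, field
from typing import Dict, List

# Endpoint types named in the thread; which ones a VPN flavor accepts is the flavor's call.
ENDPOINT_TYPES = {"subnet", "cidr", "network", "vlan"}


@dataclass
class EndpointGroup:
    """The 'what is connected': a collection of endpoints that share one type."""
    endpoint_type: str
    endpoints: List[str]
    id: str = field(default_factory=lambda: str(uuid.uuid4()))


class EndpointGroupStore:  # stand-in for the endpoint-groups table (illustrative only)
    def __init__(self) -> None:
        self._groups: Dict[str, EndpointGroup] = {}

    def create(self, endpoint_type: str, endpoints: List[str]) -> EndpointGroup:
        if endpoint_type not in ENDPOINT_TYPES:
            raise ValueError(f"unknown endpoint type {endpoint_type!r}")
        if not endpoints:
            raise ValueError("an endpoint group must hold at least one endpoint")
        if endpoint_type == "cidr":
            for ep in endpoints:  # common validation every VPN flavor can rely on
                ipaddress.ip_network(ep, strict=True)  # ValueError on a malformed CIDR
        group = EndpointGroup(endpoint_type, list(endpoints))
        self._groups[group.id] = group
        return group

    def get(self, group_id: str) -> EndpointGroup:
        if group_id not in self._groups:
            raise ValueError(f"endpoint group {group_id} not found")
        return self._groups[group_id]


# The 'how' for IPsec, as the thread states: local side uses subnets, peer side uses CIDRs.
IPSEC_ENDPOINT_RULES = {"local": {"subnet"}, "peer": {"cidr"}}


def build_ipsec_connection(store, local_epg_id, peer_epg_id):
    """Reference endpoint groups by ID and add IPsec-specific validation on top."""
    conn = {"vpn_type": "ipsec"}
    for side, group_id in (("local", local_epg_id), ("peer", peer_epg_id)):
        group = store.get(group_id)  # existence check comes from the shared store
        if group.endpoint_type not in IPSEC_ENDPOINT_RULES[side]:
            raise ValueError(f"{side} group must be one of {sorted(IPSEC_ENDPOINT_RULES[side])}, "
                             f"got {group.endpoint_type!r}")
        conn[f"{side}_endpoints"] = group.id
    return conn
```

Another flavor (GRE, BGP, L2) would keep the same store and group API but supply its own rules table and connection builder.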