<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1033963232;
mso-list-template-ids:65943456;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Stephen.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank you for reviewing this!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">See my comments bellow.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Sam.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Stephen Balukoff [mailto:sbalukoff@bluebox.net]
<br>
<b>Sent:</b> Wednesday, February 12, 2014 11:58 AM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron][LBaaS] Proposal for model change - Layer 7 support<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi Samuel!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Per your request, here's some feedback on the layer 7 proposal referenced below. Please let me know if by "comment is something missing there" you meant I should actually comment within the blueprint or wiki system instead of in this e-mail
thread.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
Are <span style="font-size:10.5pt;font-family:"Arial Unicode MS","sans-serif";color:#333333">L7Policy, L7Rule, and L7VipPolicyAssociation all new resources within the data model, or are any of these simply going to be implemented as additional fields to existing
objects? (I'll try to produce a new diagram for y'all illustrating how these fit in with the existing data model, unless one of you has this already.)</span><o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> Those are new resources within the data model. Please review the Wiki and the code for further details.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
<span style="font-size:10.5pt;font-family:"Arial Unicode MS","sans-serif";color:#333333">I see the intent is to support L7 rules of the following types: "</span><span style="font-size:10.0pt;font-family:Consolas;color:#333333;background:whitesmoke">Hostname,
Path, File Type, Header, Cookie" </span>Has there been discussion around supporting other types of L7 rules? (I ask mostly out of curiosity-- the list there actually covers the 90% use case for our customers just fine.)<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> We have reviewed this based on capabilities that we belive could be supported by HA proxy and all
commercial vendors.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> What is missing?<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
Since the L7Rule object contains a position indicator, I assume, therefore, that a given L7Rule object cannot exist in more than one L7Policy, correct? Also, I assume that the first L7Rule added to an L7Policy becomes the rule at position 0 and that subsequent
rules are added with incrementing positions. This is unless the position is specified, in which case, the rule is inserted into the policy list at the position specified, and all subsequent rule position indicators get incremented. Correct?<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> Correct.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
Shouldn't the L7Rule object also have a l7PolicyID attribute?<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> It does.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
It is unclear from the proposal whether a given VIP can have multiple <span style="font-size:10.0pt;font-family:Consolas;color:#333333;background:whitesmoke">L7VipPolicyAssociation
</span>objects associated with it. If not, then we've not really solved the problem of multiple back-end pools per VIP. If so, then the L7VipPolicyAssociation object is missing its own 'position' attribute (because order matters here, too!).<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> Correct the L7VIPPollicyassociation should have a “position” attribute. The way to implement is under
consideration.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt;mso-list:l0 level1 lfo1">
I assume any given pool can have multiple <span style="font-size:9.5pt;font-family:Consolas;color:#333333;background:whitesmoke">L7VipPolicyAssociations</span>. If this is not the case, then a given single pool can only be associated with one VIP.<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><Sam> nope this any to any. Pools can be associated with multiple VIPs<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
There is currently no way to set a 'default' back-end pool in this proposal. Perhaps this could be solved by:<o:p></o:p></li></ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo1">
Make 'DEFAULT' one of the actions possible for a L7VipPolicyAssociation<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo1">
Any L7VipPolicyAssociation with an action of 'DEFAULT' would have a null position and null L7PolicyId.<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level2 lfo1">
We would need to enforce having only one L7VipPolicyAssociation object with a 'DEFAULT' action per VIP.<o:p></o:p></li></ul>
</ul>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"><Sam> the “default” behavior is governed by the current VIP
</span><span style="font-family:Wingdings;color:#1F497D">à</span><span style="color:#1F497D"> Pool relationship. This is the canonical approach that could also be addressed by LBaaS drivers that do not support L7 content switching.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><Sam> We will fix the VIP</span><span style="font-family:Wingdings;color:#1F497D">ß</span><span style="font-family:Wingdings;color:#1F497D">à</span><span style="color:#1F497D">Pool limitation (for Juno) by removing
the Pool</span><span style="font-family:Wingdings;color:#1F497D">à</span><span style="color:#1F497D">VIP reference al only leaving the VIP
</span><span style="font-family:Wingdings;color:#1F497D">à</span><span style="color:#1F497D"> Pool reference thus allowing the Pool to be used by multiple VIPs. This was originally planned for icehouse but will be handle for Juno.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal">Other than the last three points above, the L7Policy, L7Rule, and L7VipPolicyAssociation do essentially the same thing as the 'ACL' object in my proposal, albeit with more granularity in the objects themselves. (In our BLBv2 implementation,
we have pretty loose rules around what can be specified in a given ACL, and allow haproxy to do syntax checking itself on the whole generated configuration file, returning an error and refusing to update a listener's in-production configuration until the error
is resolved in the case where the user made an error on any given ACL.) I like that in this proposal, the model seems to enforce compliance with certain rule formats, which, presumably, could be syntax checked against what haproxy will allow without having
to call haproxy directly.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The down-side of the above is that we start to enforce, at the model level, very haproxy-specific configuration terminology with this. This is fine, so long as load balancer vendors that want to write drivers for Neutron LBaaS are capable
of translating haproxy-specific ACL language into whatever rules make sense for their appliance.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"><Sam> It is not HA proxy specific as all commercial implementation can support this.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Having said the above, I don't see a way to expose a lot of L7 functionality and still be able to do syntax checking without choosing one particular configuration format in which rules can be specified (in our case, haproxy). I suppose
we could invent our own pseudo rule language-- but why bother when haproxy has already done this, eh?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'll take a look at the SSL stuff next, then the LoadBalancerInstance stuff...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Stephen<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Feb 11, 2014 at 5:26 AM, Samuel Bercovici <<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Cambria","serif"">Please review the current work in progress and comment is something is missing there.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Cambria","serif"">The logical load balancer API which is already addressed:</span><o:p></o:p></p>
<p style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-family:"Cambria","serif"">Multiple pools per VIP (ie. “layer 7” support) -
<a href="https://blueprints.launchpad.net/neutron/+spec/lbaas-l7-rules" target="_blank">
https://blueprints.launchpad.net/neutron/+spec/lbaas-l7-rules</a>. </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Stephen Balukoff <br>
Blue Box Group, LLC <br>
(800)613-4305 x807 <o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>