[openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
Bhandaru, Malini K
malini.k.bhandaru at intel.com
Fri Aug 9 09:22:27 UTC 2013
Srini – I am guessing this feature is not for the Havana release.
Please consider using key manager (https://github.com/cloudkeep/barbican) that is being built for OpenStack.
The key manager could generate the key-pair and obtain a certificate from the configured CA,
or your endpoint could create its own key-pair and register with the key manager and ask for certification.
A common key support service will reduce duplication of effort and code and down the line make for easier cloud provisioning because
each switch, compute node etc can be provided the essentials for secure communication.
Regards
Malini
From: Addepalli Srini-B22160 [mailto:B22160 at freescale.com]
Sent: Thursday, August 08, 2013 7:35 PM
To: Addepalli Srini-B22160; OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
We have put some more thought on “OVS getting hold of certificate & private key pair for each of its logical switches from Openstack Controller”.
Please see below. Please validate and let us know if there are any issues.
Reasoning:
- OF logical switches require their own certificate+private key pair to make an SSL connection with the OF controller. Automating the configuration of the certificate+private key pair helps reduce errors and also saves the time of manually configuring each logical switch. Note that if there are 1000 physical servers, each having two logical switches, that results in 2000 OF logical switches. Configuring 2000 logical switches with certificate+private key pairs would be very time consuming and error prone.
Enhancement to the Neutron OVS Plugin to act as a simple CA and generate certificates on behalf of logical switches.
- Initialization: the OVS plugin is configured with a CA certificate pair (public and private key pair) via the configuration file. If no external CA certificate pair is available from the configuration file, it generates a self-signed CA certificate based on configuration file parameters (subject name, certificate signing algorithm, key size etc.). It stores this pair in the database.
- Run time sequence:
  - OVS quantum agent sends a request to the plugin to get hold of the certificate pair for an OF logical switch (identified by DPID).
  - Plugin checks whether there is a certificate pair generated already for this DPID (current thought is to use the DPID as the subject name of the certificate).
    - If there is one, check its validity. If it is no longer valid, the plugin removes the certificate from its database.
    - Else:
      - Generate the certificate pair using the DPID as the subject name and the validity period from the configuration file.
      - Sign with the CA private key.
      - Store the certificate pair in the database.
      - To ensure that the database is not filled with certificates that are no longer required, an inactivity timeout can be maintained per certificate. If the certificate is not requested within that inactivity timeout, then the certificate can be removed.
    - Send the certificate pair to the requesting agent.
- Code: There is some code, openssl.py, in keystone. There is a mechanism provided to ensure that private keys are secured and not visible to unauthorized users. This can be used as the basis for the above implementation. We also need to ensure that the private key is not sent in the clear between OVS agents and the plugin. We will be putting some more thought on this.
Thanks
Srini
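The plugin-side run-time sequence described in the proposal above (look up by DPID, drop an expired pair, otherwise generate a key pair, sign it with the CA key using the DPID as subject name, store it, and evict pairs that no agent has requested within an inactivity timeout), written out as an added example. This is not Neutron or OVS plugin code; it assumes the `cryptography` package, and the CA name, DPIDs, validity and inactivity values are constructed for the demo. `DEMO_T0` and `days()` exist only to make the time-dependent behaviour reproducible.

```python
"""Plugin-side issuance of per-logical-switch certificates, keyed by DPID.

Added example (not Neutron/OVS plugin code). Assumes the `cryptography`
package; CA name, DPIDs and timeouts are constructed for the demo.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

KEY_SIZE = 2048  # in the proposal this comes from the plugin configuration file
DEMO_T0 = datetime.datetime(2013, 8, 9, 9, 0, 0)  # constructed reference time (naive UTC)


def days(n):
    return datetime.timedelta(days=n)


def _utcnow():
    # naive UTC datetime, which is what the x509 builder expects
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_self_signed_ca(subject_cn, validity_days, now=None):
    """Self-signed CA pair: the fallback when no external CA pair is configured."""
    now = now or _utcnow()
    key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_SIZE)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + days(validity_days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


class SwitchCertStore:
    """Stands in for the plugin's database table of per-DPID certificate pairs."""

    def __init__(self, ca_key, ca_cert, validity_days, inactivity_days):
        self._ca_key = ca_key
        self._ca_cert = ca_cert
        self._validity = days(validity_days)
        self._inactivity = days(inactivity_days)
        self._records = {}  # dpid -> {key, cert, not_after, last_requested}

    def _issue(self, dpid, now):
        # DPID as subject CN, validity from configuration, signed with the CA private key
        key = rsa.generate_private_key(public_exponent=65537, key_size=KEY_SIZE)
        not_after = now + self._validity
        cert = (
            x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dpid)]))
            .issuer_name(self._ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(self._ca_key, hashes.SHA256())
        )
        return {"key": key, "cert": cert, "not_after": not_after, "last_requested": now}

    def get_or_issue(self, dpid, now=None):
        """Return (cert_pem, key_pem) for a DPID, reissuing if the stored pair has expired."""
        now = now or _utcnow()
        rec = self._records.get(dpid)
        if rec is not None and rec["not_after"] <= now:
            del self._records[dpid]  # no longer valid: remove it and fall through to reissue
            rec = None
        if rec is None:
            rec = self._issue(dpid, now)
            self._records[dpid] = rec
        rec["last_requested"] = now
        cert_pem = rec["cert"].public_bytes(serialization.Encoding.PEM)
        key_pem = rec["key"].private_bytes(
            serialization.Encoding.PEM,
            serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption(),  # the agent<->plugin channel must protect this
        )
        return cert_pem, key_pem

    def expire_inactive(self, now=None):
        """Drop pairs not requested within the inactivity timeout; return evicted DPIDs."""
        now = now or _utcnow()
        stale = sorted(d for d, r in self._records.items()
                       if now - r["last_requested"] > self._inactivity)
        for d in stale:
            del self._records[d]
        return stale

    def stored_dpids(self):
        return sorted(self._records)


def verify_chain(cert_pem, ca_cert):
    """Check that a switch certificate was signed by the CA; returns the subject CN (DPID)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

`verify_chain` is the check the OF controller side performs with the CA certificate chain; it raises `InvalidSignature` for anything not issued by the plugin's CA. The private key is serialized unencrypted here only to show what the agent receives, which is exactly why the thread flags protecting the agent-to-plugin channel.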
From: Addepalli Srini-B22160
Sent: Wednesday, August 07, 2013 8:34 PM
To: 'OpenStack Development Mailing List'
Subject: RE: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
Thanks Ravi.
We will take this forward to ensure that the OVS based virtual switches in physical servers are automated using the Openstack controller:
- OVS getting hold of certificate & private key pair for each of its logical switches from Openstack controller.
- OVS getting hold of Openflow controller IP addresses for each of its logical switches from Openstack controller.
- OVS getting hold of CA certificate chain to validate Openflow controller during SSL connectivity.
Our current thinking is that assignment of OF controller to OVS switch is based on Zones and Cells. That is, the Openstack Quantum API (create API) may look like this.
- Create Openflow Cluster:
  - Openflow controller cluster name
  - Certificate chain used by OF controllers to create their own certificates.
  - Cluster type (EQUAL type, MASTER/SLAVE type)
  - Set of Openflow controllers - for each OF controller:
    - IP address or domain name
    - TCP port
    - Role of Openflow controller (MASTER or SLAVE) – valid only if cluster type is MASTER/SLAVE type (only one controller can be MASTER).
  - Virtual switch mapping
    - Applicable zone name
    - Applicable cell name
Essentially, there could be multiple clusters of Openflow controllers. Each cluster is associated with a zone and cell. When the OVS agent connects to the OVS plugin to get hold of Openflow controller information, the plugin gets the zone & cell classification of the compute node (from Nova) where OVS is present, then selects the matching OF cluster record and sends the information from that record to the agent. Any feedback is appreciated.
Thanks
Srini
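The cluster record sketched above, with its stated constraints (role only for MASTER/SLAVE clusters, exactly one MASTER), the (zone, cell) to cluster selection the plugin would do for a compute node, and the `ovs-vsctl` lines the agent would run to apply the result, as an added example. It is not Neutron or OVS plugin code; the class and function names, hosts, paths and bridge name are all made up for the illustration. It goes slightly beyond the text by validating the record on creation.

```python
"""Openflow cluster records, zone/cell selection and the resulting OVS settings.

Added example, not Neutron or OVS plugin code. Fields follow the "Create
Openflow Cluster" API in the thread; validation rules, the lookup and the
ovs-vsctl lines are this example's reading of it; hosts/paths are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EQUAL = "EQUAL"
MASTER_SLAVE = "MASTER/SLAVE"


@dataclass
class OFController:
    host: str                   # IP address or domain name
    port: int = 6633
    role: Optional[str] = None  # "MASTER"/"SLAVE"; only meaningful for MASTER/SLAVE clusters


@dataclass
class OFCluster:
    name: str
    cluster_type: str
    ca_chain_pem: bytes         # chain the OVS uses to validate the OF controllers
    controllers: List[OFController]
    zone: str                   # virtual switch mapping: applicable zone name
    cell: str                   # virtual switch mapping: applicable cell name

    def validate(self) -> bool:
        """Enforce the constraints stated for the create API; raises ValueError."""
        if self.cluster_type not in (EQUAL, MASTER_SLAVE):
            raise ValueError("unknown cluster type %r" % self.cluster_type)
        if not self.controllers:
            raise ValueError("cluster %s has no controllers" % self.name)
        if self.cluster_type == MASTER_SLAVE:
            roles = [c.role for c in self.controllers]
            if any(r not in ("MASTER", "SLAVE") for r in roles):
                raise ValueError("every controller needs a MASTER or SLAVE role")
            if roles.count("MASTER") != 1:
                raise ValueError("exactly one controller can be MASTER")
        elif any(c.role is not None for c in self.controllers):
            raise ValueError("role is only valid for MASTER/SLAVE clusters")
        return True


def is_valid(cluster: OFCluster) -> bool:
    try:
        return cluster.validate()
    except ValueError:
        return False


class ClusterRegistry:
    """Plugin-side table of clusters keyed by the (zone, cell) they serve."""

    def __init__(self):
        self._by_zone_cell: Dict[Tuple[str, str], OFCluster] = {}

    def create(self, cluster: OFCluster) -> OFCluster:
        cluster.validate()
        key = (cluster.zone, cluster.cell)
        if key in self._by_zone_cell:
            raise ValueError("zone/cell %s already mapped to cluster %s"
                             % (key, self._by_zone_cell[key].name))
        self._by_zone_cell[key] = cluster
        return cluster

    def select(self, zone: str, cell: str) -> Optional[OFCluster]:
        """Plugin step on an agent request: compute node's zone+cell -> cluster record."""
        return self._by_zone_cell.get((zone, cell))


def ovs_vsctl_commands(cluster: OFCluster, bridge: str,
                       key_path: str, cert_path: str, ca_path: str) -> List[str]:
    """Command lines the agent would run to point one logical switch at the cluster.

    set-ssl installs the switch's private key, its certificate and the CA chain
    used to validate the controllers; it applies to the whole ovs-vswitchd
    instance, not to a single bridge. set-controller lists every controller as
    an ssl: target. MASTER/SLAVE roles are not passed here: OVS learns them
    from the controllers over OpenFlow role messages.
    """
    targets = " ".join("ssl:%s:%d" % (c.host, c.port) for c in cluster.controllers)
    return [
        "ovs-vsctl set-ssl %s %s %s" % (key_path, cert_path, ca_path),
        "ovs-vsctl set-controller %s %s" % (bridge, targets),
    ]
```

The host-wide scope of `set-ssl` is worth noting against the per-logical-switch certificate idea in the thread: two bridges on one compute node share one OVS SSL configuration, so per-DPID key material needs either one OVS instance per logical switch or a change on the OVS side.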
From: Ravi Chunduru [mailto:ravivsn at gmail.com]
Sent: Wednesday, August 07, 2013 10:52 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
Right, Nicira controller needs manual OVS certificate addition.
From my earlier mail
"Nicira approach today is to add ovs certificates onto ovs controller manually."
Hence, I like Srini's proposal. I suggest to write extensions to your custom plugin. Once accepted it can be part of the core.
Thanks,
-Ravi.
On Wed, Aug 7, 2013 at 8:15 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
Hi Ravi-
We want to achieve the same from Quantum Client through Quantum OVS Agent.
Is there any such implementation available for the same with openstack?
I think the manual below mentions the manual configuration using ovs cli.
Thanking you.
--
Trinath Somanchi - B39208
trinath.somanchi at freescale.com | extn: 4048
From: Ravi Chunduru [mailto:ravivsn at gmail.com]
Sent: Wednesday, August 07, 2013 8:04 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
Hi Trinath,
I could get this information from Grizzly installation guide <https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/Nicira_SingleNode/OpenStack_Grizzly_Install_Guide.rst>
Register this Hypervisor Transport Node (Open vSwitch) with Nicira NVP:

# Set the open vswitch manager address
ovs-vsctl set-manager ssl:<IP Address of one of your Nicira NVP controllers>

# Get the client pki cert
cat /etc/openvswitch/ovsclient-cert.pem

# Copy the contents of the output including the BEGIN and END CERTIFICATE lines and be prepared to paste this into NVP manager
# In NVP Manager add a new Hypervisor, follow the prompts and paste the client certificate when prompted
# Please review the NVP User Guide for details on adding Hypervisor transport nodes to NVP for more information on this step
Thanks,
-Ravi.
On Wed, Aug 7, 2013 at 2:58 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
Hi Ravi-
With respect to the NICIRA NVP Plugin in Quantum, all the processing is done with respect to Nicira NVP.
Also, the controller cluster arguments are provided from the ini file.
Can you point me to where the OVS certificates are handled in the Nicira code base for quantum?
--
Trinath Somanchi - B39208
trinath.somanchi at freescale.com | extn: 4048
From: Ravi Chunduru [mailto:ravivsn at gmail.com]
Sent: Wednesday, August 07, 2013 11:32 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Neutron] Configuration of Openflow controller reachability information in OVS from Openstack
Look into the nicira neutron plugin.
I like the idea of ovs controller config driven through the neutron api. Nicira approach today is to add ovs certificates onto ovs controller manually.
On Aug 6, 2013 9:09 PM, "Addepalli Srini-B22160" <B22160 at freescale.com> wrote:
>
> Hi,
>
> Using OVS Quantum Plugin and agent, it is possible to configure OVS with
>
> Openflow logical switches.
> Tables
> Ports to the logical switches (VLAN, VXLAN, GRE etc..)
>
> OVS Agent in each compute node uses local ovs-vsctl command to configure above.
>
> But, there is no simple way for Openstack quantum to configure OVS in compute nodes with OF controller IP address, TCP Port, SSL Certificates etc..
> Also, there is no mechanism today to get hold of DPID of the OVS logical switches by Openstack controller.
>
> Do you think that it is good to enhance Openstack OVS Quantum Plugin and agent to pass above information?
>
> At very high level, we are thinking to introduce following:
>
>
> Configuration of OF Controller reachability information
> Quantum extension API through which the following is set:
> Set of Openflow controllers - For each OF controller
> IP address, Port
> SSL Enabled Yes/No.
> If SSL enabled
> CA certificate chain to validate OF controller identification by the OVS.
> Zone/Cell for which this OF controller is applicable for.
> Changes to QuantumClient to configure above.
> OVS Quantum Plugin to store above information in the database.
> OVS Quantum Agent to Plugin communication to get hold of OF controller information.
> OVS Quantum Agent to add the information in OVS using ovs-vsctl.
> Generation of logical switch certificates
> OVS Quantum agent requests the plugin to generate local certificate and private key for each one of the logical switches
> Agent to send DPID
> Plugin to generate certificate & private key pair and sending them as response.
> Plugin configuration file to have CA certificate to use to sign the logical switch certificates.
>
>
> Does that make sense? Is this work going on somewhere else?
>
> Thanks
> Srini
>
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
--
Ravi