[openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?

Paul Michali (pcm) pcm at cisco.com
Thu Apr 24 14:14:45 UTC 2014


Not sure I quite understand the question, but configuring VPNaaS in single provider mode, from a user’s perspective, is the same (see api.openstack.org).

To bring up a cloud that uses a different vendor’s service and device driver, you need to modify neutron.conf to select the vendor’s service driver (as the default driver), instead of the reference driver, and in vpn_agent.ini you select the vendor’s device driver (instead of or in addition to the reference implementation, doesn’t matter, as it pairs with the service driver).

HTHs,


PCM (Paul Michali)

MAIL …..…. pcm at cisco.com
IRC ……..… pcm_ (irc.freenode.com)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83



On Apr 24, 2014, at 3:13 AM, Julio Carlos Barrera Juez <juliocarlos.barrera at i2cat.net> wrote:

OK, thank you guys, I understood that it was not possible to configure and make work any VPNaaS plugin. I don't care, by now, because it works in single-provider mode. I knew about the Cisco implementation, but I don't know how to configure it, because I didn't find enough documentation about that topic. I need some help on the basics of configuring a VPNaaS plugin in single provider mode, because I only found information about it in 3rd party blog posts, etc.

What are the basic steps?

Thank you again.

Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net


On 18 April 2014 10:50, Bo Lin <linb at vmware.com> wrote:
Hi Julio,
+1 for Paul's response. Multiple-provider VPNaaS support is delayed. But you can take https://review.openstack.org/#/c/74156/ and https://review.openstack.org/#/c/74144/ as examples to write your own vpnaas driver without multi-provider support. If there are any questions or problems in your code that keep it from working, just upload your code to the review board and we can find how to solve it :).

Thanks!
---Bo


________________________________
From: "Paul Michali (pcm)" <pcm at cisco.com>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Sent: Friday, April 11, 2014 2:15:18 AM
Subject: Re: [openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?

By not “working” do you mean you cannot get the plugin to work in a multi-provider environment? Multi-provider solutions have been tabled until Juno, where more discussion is occurring on what is the best way to support different service providers.

However, you should be able to get the plugin to work as the “sole” VPN service provider, which is what the Cisco solution does currently. You can look at how I’ve done that in the cisco_ipsec.py modules in the service_drivers and device_drivers directories, under neutron/services/vpn/.


Regards,

PCM (Paul Michali)

MAIL …..…. pcm at cisco.com
IRC ……..… pcm_ (irc.freenode.com)
TW ………... @pmichali
GPG Key … 4525ECC253E31A83
Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83



On Apr 10, 2014, at 1:51 PM, Julio Carlos Barrera Juez <juliocarlos.barrera at i2cat.net> wrote:

Hi.

After 8 months of the patch creation and being abandoned weeks ago (https://review.openstack.org/#/c/41827/) I still don't know how we can develop a VPNaaS plugin following Bo Lin's instructions. Is there any other patch trying to solve the problem? Is there any way to work around the issue to get a VPNaaS plugin working?

Thank you!

Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net


On 27 February 2014 10:51, Bo Lin <linb at vmware.com> wrote:
Hi Julio,
You can take https://review.openstack.org/#/c/74156/ and https://review.openstack.org/#/c/74144/ as examples to write your own vpnaas driver. For more info about the service type framework, you can also refer to the neutron/services/loadbalancer code.

________________________________
From: "Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Sent: Thursday, February 27, 2014 5:26:32 PM
Subject: Re: [openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?


I'm following the change you pointed a week ago. It seems that it is working now, and will be eventually approved soon. I will be happy when it is approved.

Anyway, I need more information about how to develop a service driver and a device driver for the VPN plugin. I realize, doing reverse-engineering, that I need an RPC agent and an RPC between them to communicate and use a kind of callbacks to answer. Where can I find documentation about it and some examples? Is there any best practise guide for the use of this architecture?

Thank you again!

Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net


On 19 February 2014 09:13, Julio Carlos Barrera Juez <juliocarlos.barrera at i2cat.net> wrote:
Thank you very much Bo. I will try all your advice and check if it works!

Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net


On 18 February 2014 09:18, Bo Lin <linb at vmware.com> wrote:
I wonder whether your neutron server code has added the "VPNaaS integration with service type framework" change on https://review.openstack.org/#/c/41827/21; if not, the service_provider option is useless. You need to include the change before developing your own driver.

Q&A (in my opinion, and something may be missing):
- What is the difference between service drivers and device drivers?
    Service drivers are driven by the vpn service plugin and are responsible for casting rpc requests (CRUD of vpnservices) to, and doing callbacks from, the vpn agent.
    Device drivers are driven by the vpn agent and are responsible for implementing specific vpn operations and reporting vpn running status.

- Could I implement only one of them?
    The device driver must be implemented based on your own device. Unless the default ipsec service driver is definitely appropriate, I suggest you implement both of them. After including "VPNaaS integration with service type framework", the service driver work is simple.

- Where I need to put my Python implementation in my OpenStack instance?
    Do you mean letting your instance run your new code? The default source code dir is /opt/stack/neutron; you need to put your new changes into that dir and restart the neutron server.

- How could I configure my OpenStack instance to use this implementation?
    1. Add your new code into the source dir
    2. Add the appropriate vpnaas service_provider into neutron.conf and add the appropriate "vpn_device_driver" option into vpn_agent.ini
    3. Restart n-svc and q-vpn

Hope help you.
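
Added example, not part of the original thread and not Neutron's own code: a pre-restart check of the two settings from step 2, for single-provider mode with the VPN entry marked as default. The section names are those of the stock neutron.conf and vpn_agent.ini; the package allowlist and the OurDeviceClass name are assumptions for illustration, and the sample files are constructed.

```python
import re

# Constructed sample files. Dotted paths reuse the thread's placeholder names;
# "OurDeviceClass" is a hypothetical device-driver class.
NEUTRON_CONF = """[service_providers]
service_provider = VPN:VPNaaS:neutron.services.vpn.service_drivers.our_python_filename.OurClassName:default
"""
VPN_AGENT_INI = """[vpnagent]
vpn_device_driver = neutron.services.vpn.device_drivers.our_python_filename.OurDeviceClass
"""
# Assumed local policy: drivers may only be loaded from these packages.
SERVICE_PKG = "neutron.services.vpn.service_drivers."
DEVICE_PKG = "neutron.services.vpn.device_drivers."
DOTTED = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")


def values(text, section, key):
    """Return every value of a (possibly repeated) key inside one section."""
    found, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line and line[0] not in "#;":
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                found.append(value)
    return found


def check(neutron_conf, agent_ini):
    """Return a list of problems; an empty list means the pair looks sane."""
    problems = []
    providers = values(neutron_conf, "service_providers", "service_provider")
    vpn = [p.split(":") for p in providers if p.startswith("VPN:")]
    if len(vpn) != 1:  # single-provider mode: exactly one VPN entry
        problems.append("expected one VPN service_provider, found %d" % len(vpn))
    for parts in vpn:
        if len(parts) != 4 or parts[3] != "default":
            problems.append("not <type>:<name>:<driver>:default: " + ":".join(parts))
        elif not (DOTTED.match(parts[2]) and parts[2].startswith(SERVICE_PKG)):
            problems.append("service driver outside allowed package: " + parts[2])
    devices = values(agent_ini, "vpnagent", "vpn_device_driver")
    if not devices:
        problems.append("no vpn_device_driver in vpn_agent.ini")
    for path in devices:
        if not (DOTTED.match(path) and path.startswith(DEVICE_PKG)):
            problems.append("device driver outside allowed package: " + path)
    return problems
```

Both dotted paths are imported and executed by the neutron server and the VPN agent, so check() is meant to be run on the edited files before restarting n-svc and q-vpn.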

________________________________
From: "Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
Sent: Monday, February 17, 2014 7:18:44 PM
Subject: [openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?


Hi.

I have asked in the Q&A website without success (https://ask.openstack.org/en/question/12072/how-to-implement-and-configure-a-new-vpnaas-driver-from-scratch/).

I want to develop a vpnaas implementation. It seems that since Havana, there are plugins, services and device implementations. I like the plugin and its current API, so I don't need to reimplement it. Now I want to implement a vpnaas driver, and I see I have two main parts to take into account: the service_drivers and the device_drivers. The IPsec/OpenSwan implementation is the only sample I've found.

I'm using devstack to test my experiments.

I tried to implement a VpnDriver Python class extending the main API methods like IPsecVPNDriver does. I placed basic implementation files at the same level as IPsec/OpenSwan and configured Neutron by adding this line to the /etc/neutron/neutron.conf file:

service_provider = VPN:VPNaaS:neutron.services.vpn.service_drivers.our_python_filename.OurClassName:default

I restarted Neutron related services in my devstack instance, but it seemed it didn't work.



- What is the difference between service drivers and device drivers?
- Could I implement only one of them?
- Where I need to put my Python implementation in my OpenStack instance?
- How could I configure my OpenStack instance to use this implementation?



I found almost no documentation about these topics.

Thank you very much.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

