[openstack-dev] How to implement and configure a new Neutron vpnaas driver from scratch?

Julio Carlos Barrera Juez juliocarlos.barrera at i2cat.net
Sat Apr 26 11:39:24 UTC 2014


I'm trying to configure any VPNaaS plugin in single-provider mode. I'm not
able to achieve this goal. I'm using a devstack installation and I'm
editing */etc/neutron/neutron.conf* file, modifying this line:

...
service_provider=VPN:cisco_csr:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
...

and */etc/neutron/vpn_agent.ini* modifying this line:

...
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.IPsecDriver
...

I'm not sure if this configuration is OK. I have some doubts:

- Is this configuration a valid one, taking into account that the plugins are
available in the Python modules path?
- Where are the log files located to check valid neutron configuration?
- What services should I restart each time I change this configuration?

Thank you very much.


Julio C. Barrera Juez
Office phone: +34 93 357 99 27
Distributed Applications and Networks Area (DANA)
i2CAT Foundation, Barcelona, Spain
http://dana.i2cat.net
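
Added example (not part of the original message and not Neutron's own code): a pre-restart check for the two settings discussed in this thread. It parses each `service_provider` value as `<service_type>:<name>:<driver>[:default]` and tests whether the configured driver classes can be imported; the function names are illustrative, and the exactly-one-default rule is an assumption for the single-provider setup described here.

```python
import importlib

def read_option(text, key):
    """Return every value assigned to `key` in ini-style text (options may repeat)."""
    values = []
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        if sep and name.strip() == key:  # '# key = ...' comment lines never match
            values.append(value.strip())
    return values

def parse_service_provider(value):
    """Split '<service_type>:<name>:<driver>[:default]' into its fields."""
    parts = [p.strip() for p in value.split(":")]
    if len(parts) not in (3, 4) or not all(parts[:3]):
        raise ValueError("expected <service_type>:<name>:<driver>[:default]: %r" % value)
    if len(parts) == 4 and parts[3] != "default":
        raise ValueError("fourth field must be 'default': %r" % value)
    return {"service_type": parts[0], "name": parts[1],
            "driver": parts[2], "default": len(parts) == 4}

def class_importable(dotted_path):
    """True if the module imports and exposes the named class."""
    module_name, _, class_name = dotted_path.rpartition(".")
    try:
        # Importing runs the module's top-level code: use the same account
        # and Python environment as the Neutron services.
        module = importlib.import_module(module_name)
    except (ImportError, ValueError):  # ValueError: empty module name
        return False
    return hasattr(module, class_name)

def check_vpn_config(neutron_conf, vpn_agent_ini):
    """Return a list of problems found in the two config texts ([] means none)."""
    problems = []
    providers = map(parse_service_provider, read_option(neutron_conf, "service_provider"))
    vpn = [p for p in providers if p["service_type"] == "VPN"]
    defaults = sum(p["default"] for p in vpn)
    if defaults != 1:
        problems.append("expected exactly one default VPN provider, found %d" % defaults)
    for p in vpn:
        if not class_importable(p["driver"]):
            problems.append("service driver not importable: " + p["driver"])
    device_drivers = read_option(vpn_agent_ini, "vpn_device_driver")
    if not device_drivers:
        problems.append("no vpn_device_driver set")
    for d in device_drivers:
        if not class_importable(d):
            problems.append("device driver not importable: " + d)
    return problems

# Constructed sample: the two lines quoted in the message above.
NEUTRON_CONF = "service_provider=VPN:cisco_csr:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default\n"
VPN_AGENT_INI = "vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.IPsecDriver\n"

if __name__ == "__main__":
    print(check_vpn_config(NEUTRON_CONF, VPN_AGENT_INI))
```

On a host where the `neutron` package is not importable, both drivers are reported as not importable.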


On 24 April 2014 16:14, Paul Michali (pcm) <pcm at cisco.com> wrote:

>  Not sure I quite understand the question, but configuring VPNaaS in
> single provider mode is, from a user's perspective, the same (see
> api.openstack.org).
>
>  To bring up a cloud that uses a different vendor's service and device
> driver, you need to modify neutron.conf to select the vendor's service
> driver (as the default driver), instead of the reference driver, and in
> vpn_agent.ini you select the vendor's device driver (instead of or in
> addition to the reference implementation, doesn't matter, as it pairs with
> the service driver).
>
>  HTHs,
>
>
>  PCM (Paul Michali)
>
>  MAIL ......... pcm at cisco.com
> IRC ........... pcm_ (irc.freenode.com)
> TW ............ @pmichali
> GPG Key ... 4525ECC253E31A83
> Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83
>
>
>
>  On Apr 24, 2014, at 3:13 AM, Julio Carlos Barrera Juez <
> juliocarlos.barrera at i2cat.net> wrote:
>
>  OK, thank you guys, I understood that it was not possible to configure
> and make work any VPNaaS plugin. I don't care, by now, because it works in
> single-provider mode. I knew about the Cisco implementation, but I don't
> know how to configure it, because I didn't find enough documentation about
> that topic. I need some help on the basics of configuring a VPNaaS plugin in
> single provider mode, because I only found information about it in 3rd
> party blog posts, etc.
>
>  What are the basic steps?
>
>  Thank you again.
>
>
>  Julio C. Barrera Juez
> Office phone: +34 93 357 99 27
> Distributed Applications and Networks Area (DANA)
> i2CAT Foundation, Barcelona, Spain
> http://dana.i2cat.net
>
>
> On 18 April 2014 10:50, Bo Lin <linb at vmware.com> wrote:
>
>>  Hi Julio,
>> +1 for Paul's response. Multiple-provider VPNaaS support is delayed. But
>> you can take https://review.openstack.org/#/c/74156/
>> and https://review.openstack.org/#/c/74144/ as
>> examples to write your own vpnaas driver without multi-provider support. If
>> any questions or problems in your code lead to it not working, just upload
>> your code to the review board, and we can find how to solve it :).
>>
>>  Thanks!
>> ---Bo
>>
>>
>>  ------------------------------
>>  *From: *"Paul Michali (pcm)" <pcm at cisco.com>
>>
>> *To: *"OpenStack Development Mailing List (not for usage questions)" <
>> openstack-dev at lists.openstack.org>
>>  *Sent: *Friday, April 11, 2014 2:15:18 AM
>>
>> *Subject: *Re: [openstack-dev] How to implement and configure a new
>> Neutron vpnaas driver from scratch?
>>
>>  By not "working" do you mean you cannot get the plugin to work in a
>> multi-provider environment? Multi-provider solutions have been tabled until
>> Juno, where more discussion is occurring on what is the best way to support
>> different service providers.
>>
>>  However, you should be able to get the plugin to work as the "sole" VPN
>> service provider, which is what the Cisco solution does currently. You can
>> look at how I've done that in the cisco_ipsec.py modules in the
>> service_drivers and device_drivers directories, under neutron/services/vpn/.
>>
>>
>>  Regards,
>>
>>   PCM (Paul Michali)
>>
>>  MAIL ......... pcm at cisco.com
>> IRC ........... pcm_ (irc.freenode.com)
>> TW ............ @pmichali
>> GPG Key ... 4525ECC253E31A83
>> Fingerprint .. 307A 96BB 1A4C D2C7 931D 8D2D 4525 ECC2 53E3 1A83
>>
>>
>>
>>  On Apr 10, 2014, at 1:51 PM, Julio Carlos Barrera Juez <
>> juliocarlos.barrera at i2cat.net> wrote:
>>
>>  Hi.
>>
>>  After 8 months of the patch creation and being abandoned weeks ago (
>> https://review.openstack.org/#/c/41827/)
>> I still don't know how we can develop a VPNaaS plugin following Bo Lin's
>> instructions. Is there any other patch trying to solve the problem? Is
>> there any way to work around the issue to get a VPNaaS plugin working?
>>
>>  Thank you!
>>
>>
>>  Julio C. Barrera Juez
>> Office phone: +34 93 357 99 27
>> Distributed Applications and Networks Area (DANA)
>> i2CAT Foundation, Barcelona, Spain
>> http://dana.i2cat.net
>>
>>
>> On 27 February 2014 10:51, Bo Lin <linb at vmware.com> wrote:
>>
>>>  Hi Julio,
>>>  You can take https://review.openstack.org/#/c/74156/
>>>  and https://review.openstack.org/#/c/74144/ as
>>> examples to write your own vpnaas driver. For more info about the service type
>>> framework, you can also refer to the neutron/services/loadbalancer code.
>>>
>>>  ------------------------------
>>>  *From: *"Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
>>>  *To: *"OpenStack Development Mailing List (not for usage questions)" <
>>> openstack-dev at lists.openstack.org>
>>> *Sent: *Thursday, February 27, 2014 5:26:32 PM
>>> *Subject: *Re: [openstack-dev] How to implement and configure a new
>>> Neutron vpnaas driver from scratch?
>>>
>>>
>>>  I'm following the change you pointed to a week ago. It seems that it is
>>> working now, and will be eventually approved soon. I will be happy when it
>>> is approved.
>>>
>>>  Anyway, I need more information about how to develop a service driver
>>> and a device driver for VPN plugin. I realize, doing reverse-engineering,
>>> that I need an RPC agent and an RPC between them to communicate and use a
>>> kind of callbacks to answer. Where can I find documentation about it and
>>> some examples? Is there any best practice guide for the use of this
>>> architecture?
>>>
>>>  Thank you again!
>>>
>>>  Julio C. Barrera Juez
>>> Office phone: +34 93 357 99 27
>>> Distributed Applications and Networks Area (DANA)
>>> i2CAT Foundation, Barcelona, Spain
>>> http://dana.i2cat.net
>>>
>>>
>>>  On 19 February 2014 09:13, Julio Carlos Barrera Juez <
>>> juliocarlos.barrera at i2cat.net> wrote:
>>>
>>>> Thank you very much Bo. I will try all your advice and check if it
>>>> works!
>>>>
>>>>  Julio C. Barrera Juez
>>>> Office phone: +34 93 357 99 27
>>>> Distributed Applications and Networks Area (DANA)
>>>> i2CAT Foundation, Barcelona, Spain
>>>> http://dana.i2cat.net
>>>>
>>>>
>>>>   On 18 February 2014 09:18, Bo Lin <linb at vmware.com> wrote:
>>>>
>>>>>   I wonder whether your neutron server code has added the "VPNaaS
>>>>> integration with service type framework" change on
>>>>> https://review.openstack.org/#/c/41827/21 ,
>>>>> if not, the service_provider option is useless. You need to include the
>>>>> change before developing your own driver.
>>>>>
>>>>>  Q&A (in my opinion, and sth may be missing):
>>>>>  - What is the difference between service drivers and device drivers?
>>>>>      Service drivers are driven by the vpn service plugin and are
>>>>> responsible for casting rpc requests (CRUD of vpnservices) to and doing
>>>>> callbacks from the vpn agent.
>>>>>     Device drivers are driven by the vpn agent and are responsible for
>>>>> implementing specific vpn operations and reporting vpn running status.
>>>>>
>>>>>  - Could I implement only one of them?
>>>>>      The device driver must be implemented based on your own device.
>>>>> Unless the default ipsec service driver is definitely appropriate, I suggest
>>>>> you implement both of them. After including "VPNaaS integration with
>>>>> service type framework", the service driver work is simple.
>>>>>
>>>>>  - Where do I need to put my Python implementation in my OpenStack
>>>>> instance?
>>>>>     Do you mean letting your instance run your new code? The default
>>>>> source code dir is /opt/stack/neutron, you need to put your new changes
>>>>> into the dir and restart the neutron server.
>>>>>
>>>>>  - How could I configure my OpenStack instance to use this
>>>>> implementation?
>>>>>    1. Add your new code into the source dir
>>>>>    2. Add the appropriate vpnaas service_provider into neutron.conf and
>>>>> add the appropriate "vpn_device_driver" option into vpn_agent.ini
>>>>>    3. Restart n-svc and q-vpn
>>>>>
>>>>>  Hope this helps you.
>>>>>
>>>>>  ------------------------------
>>>>>  *From: *"Julio Carlos Barrera Juez" <juliocarlos.barrera at i2cat.net>
>>>>> *To: *"OpenStack Development Mailing List" <
>>>>> openstack-dev at lists.openstack.org>
>>>>> *Sent: *Monday, February 17, 2014 7:18:44 PM
>>>>> *Subject: *[openstack-dev] How to implement and configure a new
>>>>> Neutron vpnaas        driver from scratch?
>>>>>
>>>>>
>>>>>  Hi.
>>>>>
>>>>>  I have asked in the Q&A website without success (
>>>>> https://ask.openstack.org/en/question/12072/how-to-implement-and-configure-a-new-vpnaas-driver-from-scratch/
>>>>> ).
>>>>>
>>>>>  I want to develop a vpnaas implementation. It seems that since
>>>>> Havana, there are plugins, services and device implementations. I like the
>>>>> plugin and its current API, so I don't need to reimplement it. Now I want
>>>>> to implement a vpnaas driver, and I see I have two main parts to take into
>>>>> account: the service_drivers and the device_drivers. IPsec/OpenSwan
>>>>> implementation is the unique sample I've found.
>>>>>
>>>>>  I'm using devstack to test my experiments.
>>>>>
>>>>>  I tried to implement VpnDriver Python class extending the main API
>>>>> methods like IPsecVPNDriver does. I placed basic implementation files at
>>>>> the same level as IPsec/OpenSwan does and configured Neutron adding this
>>>>> line to /etc/neutron/neutron.conf file:
>>>>>
>>>>>  service_provider = VPN:VPNaaS:neutron.services.vpn.service_drivers.our_python_filename.OurClassName:default
>>>>>
>>>>>  I restarted Neutron related services in my devstack instance, but it
>>>>> seemed it didn't work.
>>>>>
>>>>>
>>>>>
>>>>>  - What is the difference between service drivers and device drivers?
>>>>> - Could I implement only one of them?
>>>>> - Where do I need to put my Python implementation in my OpenStack
>>>>> instance?
>>>>> - How could I configure my OpenStack instance to use this
>>>>> implementation?
>>>>>
>>>>>
>>>>>
>>>>>  I found almost no documentation about these topics.
>>>>>
>>>>>  Thank you very much.
>>>>>
>>>>>  _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>>
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev