[openstack-dev] [Neutron] Group Based Policy and the way forward
Robert Kukura
kukura at noironetworks.com
Tue Aug 5 17:46:10 UTC 2014
On 8/5/14, 1:23 PM, Gary Kotton wrote:
> Ok, thanks for the clarification. This means that it will not be done
> automagically as it is today -- the tenant will need to create a
> Neutron port and then pass that through.
Not quite. Using the group policy API, the port will be created
implicitly when the endpoint is created (unless an existing port_id is
passed explicitly). All the user will need to do is obtain the port_id
value from the endpoint and pass this to nova.
The goal is to make passing "--nic epg-id=<endpoint-group-id>" just as
automatic as passing "--nic net-id=<network-uuid>". Code in Nova's
Neutron integration would handle the epg-id by passing it to
create_endpoint, and then using the port_id that is returned in the result.
-Bob
> Thanks
> Gary
>
> From: Robert Kukura <kukura at noironetworks.com
> <mailto:kukura at noironetworks.com>>
> Reply-To: OpenStack List <openstack-dev at lists.openstack.org
> <mailto:openstack-dev at lists.openstack.org>>
> Date: Tuesday, August 5, 2014 at 8:13 PM
> To: OpenStack List <openstack-dev at lists.openstack.org
> <mailto:openstack-dev at lists.openstack.org>>
> Subject: Re: [openstack-dev] [Neutron] Group Based Policy and the way
> forward
>
>
> On 8/5/14, 11:04 AM, Gary Kotton wrote:
>> Hi,
>> Is there any description of how this will be consumed by Nova. My
>> concern is this code landing there.
> Hi Gary,
>
> Initially, an endpoint's port_id is passed to Nova using "nova boot
> ... --nic port-id=<port-uuid> ...", requiring no changes to Nova.
> Later, slight enhancements to Nova would allow using commands such as
> "nova boot ... --nic ep-id=<endpoint-uuid> ..." or "nova boot ...
> --nic epg-id=<endpoint-group-uuid> ...".
>
> -Bob
>> Thanks
>> Gary
>>
>> From: Robert Kukura <kukura at noironetworks.com
>> <mailto:kukura at noironetworks.com>>
>> Reply-To: OpenStack List <openstack-dev at lists.openstack.org
>> <mailto:openstack-dev at lists.openstack.org>>
>> Date: Tuesday, August 5, 2014 at 5:20 PM
>> To: OpenStack List <openstack-dev at lists.openstack.org
>> <mailto:openstack-dev at lists.openstack.org>>
>> Subject: Re: [openstack-dev] [Neutron] Group Based Policy and the way
>> forward
>>
>> On 8/4/14, 4:27 PM, Mark McClain wrote:
>>> All-
>>>
>>> tl;dr
>>>
>>> * Group Based Policy API is the kind of experimentation we be should
>>> attempting.
>>> * Experiments should be able to fail fast.
>>> * The master branch does not fail fast.
>>> * StackForge is the proper home to conduct this experiment.
>> The disconnect here is that the Neutron group-based policy sub-team
>> that has been implementing this feature for Juno does not see this
>> work as an experiment to gather data, but rather as an important
>> innovative feature to put in the hands of early adopters in Juno and
>> into widespread deployment with a stable API as early as Kilo.
>>
>> The group-based policy BP approved for Juno addresses the critical
>> need for a more usable, declarative, intent-based interface for cloud
>> application developers and deployers, that can co-exist with
>> Neutron's current networking-hardware-oriented API and work nicely
>> with all existing core plugins. Additionally, we believe that this
>> declarative approach is what is needed to properly integrate advanced
>> services into Neutron, and will go a long way towards resolving the
>> difficulties so far trying to integrate LBaaS, FWaaS, and VPNaaS APIs
>> into the current Neutron model.
>>
>> Like any new service API in Neutron, the initial group policy API
>> release will be subject to incompatible changes before being declared
>> "stable", and hence would be labeled "experimental" in Juno. This
>> does not mean that it is an experiment where to "fail fast" is an
>> acceptable outcome. The sub-team's goal is to stabilize the group
>> policy API as quickly as possible, making any needed changes based
>> on early user and operator experience.
>>
>> The L and M cycles that Mark suggests below to "revisit the status"
>> are a completely different time frame. By the L or M cycle, we should
>> be working on a new V3 Neutron API that pulls these APIs together
>> into a more cohesive core API. We will not be in a position to do
>> this properly without the experience of using the proposed group
>> policy extension with the V2 Neutron API in production.
>>
>> If we were failing miserably, or if serious technical issues were
>> being identified with the patches, some delay might make sense. But,
>> other than Mark's -2 blocking the initial patches from merging, we
>> are on track to complete the planned work in Juno.
>>
>> -Bob
>>>
>>>
>>> Why this email?
>>> ---------------
>>> Our community has been discussing and working on Group Based Policy
>>> (GBP) for many months. I think the discussion has reached a point
>>> where we need to openly discuss a few issues before moving forward.
>>> I recognize that this discussion could create frustration for those
>>> who have invested significant time and energy, but the reality is we
>>> need ensure we are making decisions that benefit all members of our
>>> community (users, operators, developers and vendors).
>>>
>>> Experimentation
>>> ----------------
>>> I like that as a community we are exploring alternate APIs. The
>>> process of exploring via real user experimentation can produce
>>> valuable results. A good experiment should be designed to fail fast
>>> to enable further trials via rapid iteration.
>>>
>>> Merging large changes into the master branch is the exact opposite
>>> of failing fast.
>>>
>>> The master branch deliberately favors small iterative changes over
>>> time. Releasing a new version of the proposed API every six months
>>> limits our ability to learn and make adjustments.
>>>
>>> In the past, we've released LBaaS, FWaaS, and VPNaaS as experimental
>>> APIs. The results have been very mixed as operators either shy away
>>> from testing/offering the API or embrace the API with the
>>> expectation that the community will provide full API support and
>>> migration. In both cases, the experiment fails because we either
>>> could not get the data we need or are unable to make significant
>>> changes without accepting a non-trivial amount of technical debt via
>>> migrations or draft API support.
>>>
>>> Next Steps
>>> ----------
>>> Previously, the GPB subteam used a Github account to host the
>>> development, but the workflows and tooling do not align with
>>> OpenStack's development model. I'd like to see us create a group
>>> based policy project in StackForge. StackForge will host the code
>>> and enable us to follow the same open review and QA processes we use
>>> in the main project while we are developing and testing the API. The
>>> infrastructure there will benefit us as we will have a separate
>>> review velocity and can frequently publish libraries to PyPI. From
>>> a technical perspective, the 13 new entities in GPB [1] do not
>>> require any changes to internal Neutron data structures. The
>>> docs[2] also suggest that an external plugin or service would work
>>> to make it easier to speed development.
>>>
>>> End State
>>> ---------
>>> APIs require time to fully bake and right now it is too early to
>>> know the final outcome. Using StackForge will allow the team to
>>> retain all of its options including: merging the code into Neutron,
>>> adopting the repository as sub-project of the Network Program,
>>> leaving the project in StackForge project or learning that users
>>> want something completely different. I would expect that we'll
>>> revisit the status of the repo during the L or M cycles since the
>>> Kilo development cycle does not leave enough time to experiment and
>>> iterate.
>>>
>>>
>>> mark
>>>
>>> [1]
>>> http://git.openstack.org/cgit/openstack/neutron-specs/tree/specs/juno/group-based-policy-abstraction.rst#n370
>>> [2]
>>> https://docs.google.com/presentation/d/1Nn1HjghAvk2RTPwvltSrnCUJkidWKWY2ckU7OYAVNpo/edit#slide=id.g12c5a79d7_4078
>>> <https://urldefense.proofpoint.com/v1/url?u=https://docs.google.com/presentation/d/1Nn1HjghAvk2RTPwvltSrnCUJkidWKWY2ckU7OYAVNpo/edit%23slide%3Did.g12c5a79d7_4078&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=eH0pxTUZo8NPZyF6hgoMQu%2BfDtysg45MkPhCZFxPEq8%3D%0A&m=cIUH5RoLkViWURawHObcnSgnma3z8rgd7F6cm454AZA%3D%0A&s=8159972efd976c5b98ebb1ab48249c7a32c90d4ff5d5c23a04d140dc241ab1ae>
>>>
>>> [3]
>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140805/449ca448/attachment-0001.html>
More information about the OpenStack-dev
mailing list