[openstack-dev] [neutron][policy] Using network services with network policies

Sumit Naiksatam sumitnaiksatam at gmail.com
Wed Feb 19 06:56:18 UTC 2014


Inline...


On Tue, Feb 18, 2014 at 10:33 AM, Mohammad Banikazemi <mb at us.ibm.com> wrote:

> Thanks Sumit and Stephen for information provided.
>
> It appears to me that we can (and should) use the notion of
> services/service chains within the group policy extension (and that has
> been always one of our options). If this is a reasonable approach, then we
> need to see how we can bring in these services to our group policy and if
> there are changes we may require.
>
Agreed. Our thinking was that the service instance, insertion context, and
the service chain are elemental abstractions on which the policy could be
layered.

> The first thing that comes to mind is to have a new service insertion
> context, namely policy (or should it be policy_rule?). If that is in place,
> then a service chain (we can start with a chain of one single service) gets
> created with its context set to a particular policy.
>

The notion of a service insertion context is being introduced in this
patch:
https://review.openstack.org/#/c/62599/16/neutron/db/service_context.py

Although the service insertion context need not necessarily be aware of the
policy, I think the mapping is probably the other way around. The rendering
of the policy would lead to a particular service insertion context for that
service/chain.

> While the service plugin is responsible for standing up the service, the
> connectivity is established through the implementation of the group policy
> extension, in particular the "redirect" action. Is this a reasonable
> approach?
>

Agreed.

> This approach requires some kind of coordination wrt how these operations
> are done by the service plugin and the group policy extension. Maybe a
> policy simply provides the insertion context for creation of the service
> chain (in isolation and by the appropriate service plugin) and policy rules
> are then used to make the service operational. This is different from how
> services are expected to be instantiated right now. Right? Thinking aloud
> here. Please comment.
>
Agreed. That said, the two models/workflows can very nicely coexist. The
first one is using the elemental abstractions (service instances, chains,
etc.) where the user needs to manage each of them individually to realize
the entire logical topology. The second option is where a group policy
plugin interprets the policy, and proceeds to render that policy using the
elemental abstractions (but might also perform the same directly on a
backend that supports the policy model).

> A lot of interesting things to work on. Maybe Juno is where all these
> efforts come to fruition together :)
>
Totally. We have been incubating some of these ideas for a while now, and
hopefully it's becoming more apparent as to why these constructs are
required in Neutron.



> Mohammad
>
> From: Sumit Naiksatam <sumitnaiksatam at gmail.com>
> To: Mohammad Banikazemi/Watson/IBM at IBMUS,
> Cc: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Date: 02/17/2014 02:12 AM
> Subject: Re: [openstack-dev] [neutron][policy] Using network services
> with network policies
> ------------------------------
>
>
>
> Thanks Mohammad for bringing this up. I responded in another thread:
>
> http://lists.openstack.org/pipermail/openstack-dev/2014-February/027306.html
>
> ~Sumit.
>
> On Sun, Feb 16, 2014 at 7:27 AM, Mohammad Banikazemi <mb at us.ibm.com>
> wrote:
> > During the last IRC call we started talking about network services and how
> > they can be integrated into the group Policy framework.
> >
> > In particular, with the "redirect" action we need to think how we can
> > specify the network services we want to redirect the traffic to/from. There
> > has been substantial work in the area of service chaining and service
> > insertion and in the last summit "advanced service" in VMs were discussed.
> > I think the first step for us is to find out the status of those efforts and
> > then see how we can use them. Here are a few questions that come to mind.
> > 1- What is the status of service chaining, service insertion and advanced
> > services work?
> > 2- How could we use a service chain? Would simply referring to it in the
> > action be enough? Are there considerations wrt creating a service chain
> > and/or a service VM for use with the Group Policy framework that need to be
> > taken into account?
> >
> > Let's start the discussion on the ML before taking it to the next call.
> >
> > Thanks,
> >
> > Mohammad
>
>
>