Open Stack

Excerpts from Chris Marino's message of 2016-02-01 06:08:34 -0800:
> Hello everyone, just wanted to let you know that today we opened up the
> repos for the new open source networking project we’ve been working on.
> It’s called Romana and the project site is romana.io.
> 
> Thought you would be interested because it enables multi-tenant networking
> without a virtual network overlay. It's targeted for use with applications
> that only need L3 networks so we’ve been able to eliminate and simplify
> many things to make the network faster, and easier to build and operate.
> 
> If you run these kind of Cloud Native apps on OpenStack (or even directly
> on bare metal with Docker or Kubernetes), we’d love to hear what you think.
> We’re still working on the container CNM/CNI integration. Any and all
> feedback is welcome.
> 
> The code is on Github at github.com/romana and you can see how it all works
> with a demo we’ve set up that lets you install and run OpenStack on EC2
> <http://romana.io/try_romana/openstack/>.
> 
> You can read about how Romana works on the project site, here
> <http://romana.io/how/romana_basics/>. In summary, it extends the physical
> network hierarchy of a layer 3 routed access design
> <http://romana.io/how/background/#routed-access-datacenter> from spine and
> leaf switches on to hosts, VMs and containers.
> 
> This enables a very simple and intuitive tenancy model: For every tenant
> (and each of their network segments) there is an actual physical network
> CIDR on each host, with all tenants sharing the host-specific address
> prefix.  The advantage of this is that route aggregation makes route
> distribution unnecessary and collapses the number of iptables rules
> required for segment isolation. In addition, traffic policies, such as
> security rules, can easily be applied to those tenant or segment specific
> CIDRs across all hosts.
> 
> Any/all comments welcome.

Really interesting, thanks Chris. For baremetal, which is a very real
thing for users of OpenStack right now, this presents some challenges.

The agents that sit on compute nodes in Romana are not going to be able
to enforce any isolation themselves, since baremetal nodes will end
up on the same L2. The agents would either have to get back into the
business Neutron ML2 is in, of configuring switches through a mechanism
driver, or servers would have to self-isolate, which may not be obvious
or acceptible for some. I wonder if you've thought through any other
solution to that particular problem.

I also think you should share this on openstack-dev, as the developers
may also be aware of other efforts that may conflict with or complement
Romana.