Re: [openstack-dev] [neutron][nova] New specs on routed networking

2014-10-28 Thread Harshad Nakil
L3 routed network can support
1. broadcast/multicast
2. VRRP virtual MAC like technology

For example OpenContrail does support both of these in fully L3 routed
networks.

Regards
-Harshad

On Tue, Oct 28, 2014 at 4:59 PM, Angus Lees g...@inodes.org wrote:

 On Tue, 28 Oct 2014 09:07:03 PM Rohit Agarwalla wrote:
  Agreed. The way I'm thinking about this is that tenants shouldn't care
 what
  the underlying implementation is - L2 or L3. As long as the connectivity
  requirements are met using the model/API, end users should be fine. The
  data center network design should be an administrators decision based on
  the implementation mechanism that has been configured for OpenStack.

 I don't know anything about Project Calico, but I have been involved with
 running a large cloud network previously that made heavy use of L3
 overlays.

 Just because these points weren't raised earlier in this thread:  In my
 experience, a move to L3 involves losing:

 - broadcast/multicast.  It's possible to do L3 multicast/IGMP/etc, but
 that's
 a whole can of worms - so perhaps best to just say up front that this is a
 non-broadcast network.

 - support for other IP protocols.

 - various L2 games like virtual MAC addresses, etc that NFV/etc people
 like.


 We gain:

 - the ability to have proper hierarchical addressing underneath (which is a
 big one for scaling a single network).  This itself is a tradeoff
 however -
 an efficient/strict hierarchical addressing scheme means VMs can't choose
 their
 own IP addresses, and VM migration is messy/limited/impossible.

 - hardware support for dynamic L3 routing is generally universal, through a
 small set of mostly-standard protocols (BGP, ISIS, etc).

 - can play various L3 games like BGP/anycast, which is super useful for
 geographically diverse services.


 It's certainly a useful tradeoff for many use cases.  Users lose some
 generality in return for more powerful cooperation with the provider around
 particular features, so I sort of think of it like a step halfway up the
 IaaS-
 PaaS stack - except for networking.

  - Gus

  Thanks
  Rohit
 
  From: Kevin Benton blak...@gmail.commailto:blak...@gmail.com
  Reply-To: OpenStack Development Mailing List (not for usage questions)
  openstack-dev@lists.openstack.orgmailto:
 openstack-dev@lists.openstack.org
   Date: Tuesday, October 28, 2014 1:01 PM
  To: OpenStack Development Mailing List (not for usage questions)
  openstack-dev@lists.openstack.orgmailto:
 openstack-dev@lists.openstack.org
   Subject: Re: [openstack-dev] [neutron][nova] New specs on routed
  networking
  1. Every packet L3 FIB Lookup : Radix Tree Search, instead of current L2
  Hash/Index Lookup ? 2. Will there be Hierarchical network ?  How
 much
  of the Routes will be imported from external world ? 3. Will there be
  Separate routing domain for overlay network  ? Or it will be mixed with
  external/underlay network ?
  These are all implementation specific details. Different deployments and
  network backends can implement them however they want. What we need to
  discuss now is how this model will look to the end-user and API.
  4. What will be the basic use case of this ? Thinking of L3 switching to
  support BGP-MPLS L3 VPN Scenario right from compute node ?
  I think the simplest use case is just that a provider doesn't want to
 deal
  with extending L2 domains all over their datacenter.
 
  On Tue, Oct 28, 2014 at 12:39 PM, A, Keshava
  keshav...@hp.commailto:keshav...@hp.com wrote: Hi Cory,
 
  Yes that is the basic question I have.
 
  OpenStack cloud  is ready to move away from Flat L2 network ?
 
  1. Every packet L3 FIB Lookup : Radix Tree Search, instead of current L2
  Hash/Index Lookup ? 2. Will there be Hierarchical network ?  How much
  of the Routes will be imported from external world ? 3. Will there be
  Separate routing domain for overlay network  ? Or it will be mixed with
  external/underlay network ? 4. What will be the basic use case of this ?
  Thinking of L3 switching to support BGP-MPLS L3 VPN Scenario right from
  compute node ?
 
  Others can give their opinion also.
 
  Thanks  Regards,
  keshava
 
  -Original Message-
  From: Cory Benfield
  [mailto:cory.benfi...@metaswitch.commailto:cory.benfi...@metaswitch.com
 ]
  Sent: Tuesday, October 28, 2014 10:35 PM
  To: OpenStack Development Mailing List (not for usage questions)
  Subject: Re: [openstack-dev] [neutron][nova] New specs on routed
 networking
 
  On Tue, Oct 28, 2014 at 07:44:48, A, Keshava wrote:
   Hi,
  
   Current Open-stack was built as flat network.
  
   With the introduction of the L3 lookup (by inserting the routing table
   in forwarding path) and separate 'VIF Route Type' interface:
  
   At what point of time in the packet processing  decision will be made
   to lookup FIB  during ? For each packet there will additional  FIB
   lookup ?
  
   How about the  impact on  'inter compute traffic', processed by  DVR  ?
   Here thinking  OpenStack 

Re: [openstack-dev] VPC Proposal

2014-02-18 Thread Harshad Nakil
1. Feature is giving AWS VPC api compatibility with existing openstack
structure
2. It does give full AWS compatibility (except for network ACL which was
differed). Shared networks, FIP within scope of VPC is not some thing AWS
provides. So it is not partial support.
3. IMO it would not be major change to go from what we are proposing to
what JC is proposing as far as AWS VPC API(s) are concerned.
4. I can understand developers not liking AWS API(s) but many users of
openstack will benefit
5. Multi tenant hierarchy and domains won't effect AWS API(s) in any way

IMO there no need to differ this blueprint.



On Tue, Feb 18, 2014 at 10:03 AM, Martin, JC jch.mar...@gmail.com wrote:

 There was a lot of emails on that thread, but I am not seeing the
 discussion converging. I would like to reiterate my concerns:

- We are trying to implement an API on a feature that is not supported
 by openstack
- As a result, the implementation is overloading existing construct
 without implementing full AWS capabilities and semantic (e.g. Shared
 network isolation from VPC, or Floating IP scoping to VPC).
- Dependent blueprints are not implemented and have been deferred,
 resulting in the broken implementation (e.g.
 https://blueprints.launchpad.net/neutron/+spec/policy-extensions-for-neutron
 )
- this feature is only available through EC2 API, which is likely
 going to result in another implementation for general use.
- users adopting the VPC model proposed through EC2 API will be stuck
 in an upgrade mess when the proper implementation comes along.
- There are new constructs in work that are better suited for
 implementing this concept properly (Multi tenant hierarchy and domains).

 As you can guess, I'm not really a fan, but it seems that only few
 individuals are concerned. I would think that this topic would create more
 interest, specially on the network side. Maybe because of the subject tags.
 I will therefore copy this email with the Neutron tag.

 JC

 On Feb 17, 2014, at 10:10 PM, Rudra Rugge rru...@juniper.net wrote:

  I am not sure on how to dig out the archives. There were a couple of
  emails exchanged with Salvatore on the thread pertaining to the
 extensions
  we were referring to as part of this blueprint.
 
  There are a few notes on the whiteboard of the blueprint as well.
 
  Regards,
  Rudra
 
 
  On 2/17/14, 1:28 PM, jc Martin jch.mar...@gmail.com wrote:
 
  Thanks,
 
  Do you have the links for the discussions ?
 
  Thanks,
 
  JC
 
  Sent from my iPhone
 
  On Feb 17, 2014, at 11:29 AM, Rudra Rugge rru...@juniper.net wrote:
 
  JC,
 
  BP has been updated with the correct links. I have removed the
 abandoned
  review #3.
  Please review #1 and #2.
 
  1. https://review.openstack.org/#/c/40071/
 
   This is the active review.
   There is one comment by Sean regarding
   adding a knob when Neutron is not used.
   That will be addressed with the next path.
  2. https://review.openstack.org/#/c/53171
   This is the active review for tempest
   test cases as requested by Joe Gordon.
   Currently abandoned until #1 goes through.
  3. https://review.openstack.org/#/c/53171
   This review is not active. It was accidentally submitted with a new
  change-id.
 
  Regards,
  Rudra
 
  On 2/16/14, 9:25 AM, Martin, JC jch.mar...@gmail.com wrote:
 
  Harshad,
 
  I tried to find some discussion around this blueprint.
  Could you provide us with some notes or threads  ?
 
  Also, about the code review you mention. which one are you talking
  about :
  https://review.openstack.org/#/c/40071/
  https://review.openstack.org/#/c/49470/
  https://review.openstack.org/#/c/53171
 
  because they are all abandoned.
 
  Could you point me to the code, and update the BP because it seems
 that
  the links are not correct.
 
  Thanks,
 
  JC
  On Feb 16, 2014, at 9:04 AM, Allamaraju, Subbu su...@subbu.org
  wrote:
 
  Harshad,
 
  Thanks for clarifying.
 
  We started looking at this as some our customers/partners were
  interested in get AWS API compatibility. We have this blueprint and
  code review pending for long time now. We will know based on this
  thread wether the community is interested. But I assumed that
  community
  was interested as the blueprint was approved and code review has no
  -1(s) for long time now.
 
  Makes sense. I would leave it to others on this list to chime in if
  there is sufficient interest or not.
 
  To clarify, a clear incremental path from an AWS compatible API to
 an
  OpenStack model is not clear.
 
  In my mind AWS compatible API does not need new openstack model. As
  more discussion happen on JC's proposal and implementation becomes
  clear we will know how incremental is the path. But at high level
  there
  two major differences
  1. New first class object will be introduced which effect all
  components
  2. more than one project can be supported within VPC.
  But it does not change AWS API(s). So even in JC(s) model if you
 want
  AWS API then we will 

Re: [openstack-dev] [keystone] role of Domain in VPC definition

2014-02-16 Thread Harshad Nakil
Yes, [1] can be done without [2] and [3].
As you are well aware [2] is now merged with group policy discussions.
IMHO all or nothing approach will not get us anywhere.
By the time we line up all our ducks in row. New features/ideas/blueprints
will keep Emerging.

Regards
-Harshad


On Feb 16, 2014, at 2:30 AM, Salvatore Orlando sorla...@nicira.com wrote:

It seems this work item is made of several blueprints, some of which are
not yet approved. This is true at least for the Neutron blueprint regarding
policy extensions.

Since I first looked at this spec I've been wondering why nova has been
selected as an endpoint for network operations rather than Neutron, but
this probably a design/implementation details whereas JC here is looking at
the general approach.

Nevertheless, my only point here is that is seems that features like this
need an all-or-none approval.
For instance, could the VPC feature be considered functional if blueprint
[1] is implemented, but not [2] and [3]?

Salvatore

[1] https://blueprints.launchpad.net/nova/+spec/aws-vpc-support
[2]
https://blueprints.launchpad.net/neutron/+spec/policy-extensions-for-neutron
[3]
https://blueprints.launchpad.net/keystone/+spec/hierarchical-multitenancy


On 11 February 2014 21:45, Martin, JC jch.mar...@gmail.com wrote:

 Ravi,

 It seems that the following Blueprint
 https://wiki.openstack.org/wiki/Blueprint-aws-vpc-support

 has been approved.

 However, I cannot find a discussion with regard to the merit of using
 project vs. domain, or other mechanism for the implementation.

 I have an issue with this approach as it prevents tenants within the same
 domain sharing the same VPC to have projects.

 As an example, if you are a large organization on AWS, it is likely that
 you have a large VPC that will be shred by multiple projects. With this
 proposal, we loose that capability, unless I missed something.

 JC

 On Dec 19, 2013, at 6:10 PM, Ravi Chunduru ravi...@gmail.com wrote:

  Hi,
We had some internal discussions on role of Domain and VPCs. I would
 like to expand and understand community thinking of Keystone domain and
 VPCs.
 
  Is VPC equivalent to Keystone Domain?
 
  If so, as a public cloud provider - I create a Keystone domain and give
 it to an organization which wants a virtual private cloud.
 
  Now the question is if that organization wants to have  departments wise
 allocation of resources it is becoming difficult to visualize with existing
 v3 keystone constructs.
 
  Currently, it looks like each department of an organization cannot have
 their own resource management with in the organization VPC ( LDAP based
 user management, network management or dedicating computes etc.,) For us,
 Openstack Project does not match the requirements of a department of an
 organization.
 
  I hope you guessed what we wanted - Domain must have VPCs and VPC to
 have projects.
 
  I would like to know how community see the VPC model in Openstack.
 
  Thanks,
  -Ravi.
 
 
  ___
  OpenStack-dev mailing list
  OpenStack-dev@lists.openstack.org
  http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] VPC Proposal

2014-02-16 Thread Harshad Nakil
Comments Inline

Regards
-Harshad


On Sat, Feb 15, 2014 at 11:39 PM, Allamaraju, Subbu su...@subbu.org wrote:

 Harshad,

 Curious to know if there is a broad interest in an AWS compatible API in
 the community?


We started looking at this as some our customers/partners were interested
in get AWS API compatibility. We have this blueprint and code review
pending for long time now. We will know based on this thread wether the
community is interested. But I assumed that community was interested as the
blueprint was approved and code review has no -1(s) for long time now.


 To clarify, a clear incremental path from an AWS compatible API to an
 OpenStack model is not clear.


In my mind AWS compatible API does not need new openstack model. As more
discussion happen on JC's proposal and implementation becomes clear we will
know how incremental is the path. But at high level there two major
differences
1. New first class object will be introduced which effect all components
2. more than one project can be supported within VPC.
But it does not change AWS API(s). So even in JC(s) model if you want AWS
API then we will have to keep VPC to project mapping 1:1, since the API
will not take both VPC ID and project ID.

As more users want to migrate from AWS or IaaS providers who want compete
with AWS should be interested in this compatibility.

There also seems to be terminology issue here Whats is definition of VPC
if we assume what AWS implements is VPC
then what JC is proposing VOS or VDC (virtual openstack or virtual DC)
as all or most of current openstack features are available to user in  this
new Abstraction. I actually like this new abstraction.


 Subbu

 On Feb 15, 2014, at 10:04 PM, Harshad Nakil hna...@contrailsystems.com
 wrote:

 
  I agree with problem as defined by you and will require more fundamental
 changes.
  Meanwhile many users will benefit from AWS VPC api compatibility.


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] VPC Proposal

2014-02-16 Thread Harshad Nakil
IMHO I don't see two implementations. Since right now we have only
one. As a community if we decide to add new abstractions then we will
have to change software in every component where the new abstraction
makes difference. That's normal software development process.
Regards
-Harshad


 On Feb 16, 2014, at 9:03 AM, Allamaraju, Subbu su...@subbu.org wrote:

 Harshad,

 Thanks for clarifying.

 We started looking at this as some our customers/partners were interested in 
 get AWS API compatibility. We have this blueprint and code review pending 
 for long time now. We will know based on this thread wether the community is 
 interested. But I assumed that community was interested as the blueprint was 
 approved and code review has no -1(s) for long time now.

 Makes sense. I would leave it to others on this list to chime in if there is 
 sufficient interest or not.

 To clarify, a clear incremental path from an AWS compatible API to an 
 OpenStack model is not clear.

 In my mind AWS compatible API does not need new openstack model. As more 
 discussion happen on JC's proposal and implementation becomes clear we will 
 know how incremental is the path. But at high level there two major 
 differences
 1. New first class object will be introduced which effect all components
 2. more than one project can be supported within VPC.
 But it does not change AWS API(s). So even in JC(s) model if you want AWS 
 API then we will have to keep VPC to project mapping 1:1, since the API will 
 not take both VPC ID and project ID.

 As more users want to migrate from AWS or IaaS providers who want compete 
 with AWS should be interested in this compatibility.

 IMHO that's a tough sell. Though an AWS compatible API does not need an 
 OpenStack abstraction, we would end up with two independent ways of doing 
 similar things. That would OpenStack repeating itself!

 Subbu



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] VPC Proposal

2014-02-15 Thread Harshad Nakil
Comments Inline

Regards
-Harshad


On Sat, Feb 15, 2014 at 3:18 PM, Martin, JC jch.mar...@gmail.com wrote:

 Harshad,

 Thanks, What happens when I create two VPC ? Beside the project private
 networks, what is isolated ?


Since VPC is mapped to project. All the isolation provided by the project
is available.


 What do you call DC admin ? I know two administrators :
- Cloud administrators
- VPC admnistrator


I mean cloud administrator


 Are you saying that VPCs cannot have their own external gateways and NAT
 pools  ?


Yes conceptually as far as AWS API compatibility is concerned.


 Also, maybe more importantly, why try to build an AWS API before the
 function is available in openstack ? Why not wait to do it properly before
 defining the API mapping ?

Actually  as fas as AWS API is concerned we have all the proper building
blocks in openstack.

I agree with problem as defined by you and will require more fundamental
changes.
Meanwhile many users will benefit from AWS VPC api compatibility.


 JC
 On Feb 15, 2014, at 8:47 AM, Harshad Nakil hna...@contrailsystems.com
 wrote:

  EIP will be allocated from public pools. So in effect public pools and
  shared networks are only DC admin functions. Not available to VPC
  users.
  There is a implicit external gateway. When one creates NAT instance or
  VPN instance, external interfaces of these interfaces come from the
  shared network which can be configured by the DC admin.
 
 
  Regards
  -Harshad
 
 
  On Feb 14, 2014, at 10:07 PM, Martin, JC jch.mar...@gmail.com
 wrote:
 
  Harshad,
 
  I'm not sure to understand what you mean by :
  However many of these concepts are not exposed to a AWS customers and
  the API work well.
 
  So for example in :
 
 
 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#VPC_EIP_EC2_Differences
 
  When it says :
  When you allocate an EIP, it's for use only in a VPC.
 
  Are you saying that the behavior of your API would be consistent
 without scoping the external networks to a VPC and using the public pool
 instead ?
 
  I believe that your api may work for basic features on a small
 deployments with only one VPC, but as soon as you have complex setups with
 external gateways that need to be isolated, I'm not sure that it will
 provide parity anyway with what EC2 provides.
 
 
  Maybe I missed something.
 
 
  JC
 
  On Feb 14, 2014, at 7:35 PM, Harshad Nakil hna...@contrailsystems.com
 wrote:
 
  Hi JC,
 
  You have put it aptly. Goal of the blueprint is to present facade for
  AWS VPC API as the name suggest.
  As per your definition of VPC, shared network will have issues.
  However many of these concepts are not exposed to a AWS customers and
  the API work well.
  While we work incrementally towards your definition of VPC we can
  maintain API compatibility to AWS API that we are proposing. As we are
  subset of your proposal and don't expose all features within VPC.
 
  Regards
  -Harshad
 
 
  On Feb 14, 2014, at 6:22 PM, Martin, JC jch.mar...@gmail.com
 wrote:
 
  Rudra,
 
  I do not agree that the current proposal provides the semantic of a
 VPC. If the goal is to only provide a facade through the EC2 API, it may
 address this, but unless you implement the basic features of a VPC, what
 good is it doing ?
 
  I do believe that the work can be done incrementally if we agree on
 the basic properties of a VPC, for example :
  - allowing projects to be created while using resources defined at
 the VPC level
  - preventing resources not explicitly defined at the VPC level to be
 used by a VPC.
 
  I do not see in the current proposal how resources are scoped to a
 VPC, and how, for example, you prevent shared network to be used within a
 VPC, or how you can define shared networks (or other shared resources) to
 only be scoped to a VPC.
 
  I think we already raised our concern to you several months ago, but
 it did not seem to have been addressed in the current proposal.
 
  thanks,
 
  JC
 
  On Feb 14, 2014, at 3:50 PM, Rudra Rugge rru...@juniper.net wrote:
 
  Hi JC,
 
  We agree with your proposed model of a VPC resource object. Proposal
 you are making makes sense to us and we would like to collaborate further
 on this. After reading your blueprint two things come to mind.
 
  1. VPC vision for Openstack? (Your blueprint is proposing this
 vision)
  2. Providing AWS VPC api compatibility with current constrains of
 openstack structure.
 
  The blueprint that we proposed targets #2.
  It gives a way to implement AWS VPC api compatible API. This helps
 subset of customers to migrate their workloads from AWS to openstack based
 clouds. In our implementation we tied VPC to project. That was easiest way
 to keep isolation with current structure. We agree that what you are
 proposing is more generic. One to way is to implement our current proposal
 to have one VPC to one project mapping. As your blueprint matures we will
  move VPC to multiple project mapping.
 
  We feel

Re: [openstack-dev] VPC Proposal

2014-02-14 Thread Harshad Nakil
Hi JC,

You have put it aptly. Goal of the blueprint is to present facade for
AWS VPC API as the name suggest.
As per your definition of VPC, shared network will have issues.
However many of these concepts are not exposed to a AWS customers and
the API work well.
While we work incrementally towards your definition of VPC we can
maintain API compatibility to AWS API that we are proposing. As we are
subset of your proposal and don't expose all features within VPC.

Regards
-Harshad


 On Feb 14, 2014, at 6:22 PM, Martin, JC jch.mar...@gmail.com wrote:

 Rudra,

 I do not agree that the current proposal provides the semantic of a VPC. If 
 the goal is to only provide a facade through the EC2 API, it may address 
 this, but unless you implement the basic features of a VPC, what good is it 
 doing ?

 I do believe that the work can be done incrementally if we agree on the basic 
 properties of a VPC, for example :
   - allowing projects to be created while using resources defined at the VPC 
 level
   - preventing resources not explicitly defined at the VPC level to be used 
 by a VPC.

 I do not see in the current proposal how resources are scoped to a VPC, and 
 how, for example, you prevent shared network to be used within a VPC, or how 
 you can define shared networks (or other shared resources) to only be scoped 
 to a VPC.

 I think we already raised our concern to you several months ago, but it did 
 not seem to have been addressed in the current proposal.

 thanks,

 JC

 On Feb 14, 2014, at 3:50 PM, Rudra Rugge rru...@juniper.net wrote:

 Hi JC,

 We agree with your proposed model of a VPC resource object. Proposal you are 
 making makes sense to us and we would like to collaborate further on this. 
 After reading your blueprint two things come to mind.

 1. VPC vision for Openstack? (Your blueprint is proposing this vision)
 2. Providing AWS VPC api compatibility with current constrains of openstack 
 structure.

 The blueprint that we proposed targets #2.
 It gives a way to implement AWS VPC api compatible API. This helps subset 
 of customers to migrate their workloads from AWS to openstack based clouds. 
 In our implementation we tied VPC to project. That was easiest way to keep 
 isolation with current structure. We agree that what you are proposing is 
 more generic. One to way is to implement our current proposal to have one 
 VPC to one project mapping. As your blueprint matures we will
 move VPC to multiple project mapping.

 We feel that instead of throwing away all the work done we can take an 
 incremental approach.

 Regards,
 Rudra


 On Feb 14, 2014, at 11:09 AM, Martin, JC jch.mar...@gmail.com wrote:


 There is a Blueprint targeted for Icehouse-3 that is aiming to implement 
 the AWS VPC api. I don't think that this blueprint is providing the 
 necessary constructs to really implement a VPC, and it is not taking into 
 account the domains, or proposed multi tenant hierarchy. In addition, I 
 could not find a discussion about this topic leading to the approval.

 For this reason, I wrote an 'umbrella' blueprint to hopefully start the 
 discussion on how to really implement VPC, and eventually split it into 
 multiple real blueprints for each area.

 Please, provide feedback on the following document, and on the best way to 
 move this forward.

 https://wiki.openstack.org/wiki/Blueprint-VPC

 Thanks,

 JC.
 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Openstack + OpenContrail

2013-11-16 Thread Harshad Nakil
Sean,
We have diff in three repositories.
Nova, Neutron and devstack. Each review is requiring other to happen first.
Do you have recommendation how do we deal with these dependencies?

Regards
-Harshad


 On Nov 16, 2013, at 9:11 AM, Sean Dague s...@dague.net wrote:

 For something to go in devstack, it has to be included in the base server 
 project. So first step is to work on getting your code upstream into the 
 relevant upstream.

 We don't preintegrate into devstack, because it's job is not to be a general 
 installer, it's to be an opinionated development setup tool for the existing 
 integrated projects, making it easier for people to develop and work with the 
 whole stack.

-Sean

 On 11/15/2013 07:35 PM, Deepinder Singh Setia wrote:
 I would like to add that the work in forked devstack is ongoing and not
 complete. I am trying to understand what would it take to push these
 changes upstream such as coding requirements, testing, code
 organization, documentation  etc.

 Thanks
 Deepinder

 From: Deepinder Setia dse...@juniper.net mailto:dse...@juniper.net
 Reply-To: OpenStack Development Mailing List (not for usage questions)
 openstack-dev@lists.openstack.org
 mailto:openstack-dev@lists.openstack.org
 Date: Friday, November 15, 2013 4:25 PM
 To: OpenStack Development Mailing List (not for usage questions)
 openstack-dev@lists.openstack.org
 mailto:openstack-dev@lists.openstack.org
 Subject: [openstack-dev] Openstack + OpenContrail

 I forked devstack a few weeks ago to integrate with OpenContrail at
 https://github.com/dsetia/devstack.  This installs and launches
 OpenContrail in addition to openstack components.  OpenContrail provides
 network virtualization components -  SDN controller, Virtual Router and
 analytics  - via neutron and nova plugins along with other modules built
 and launched when stack.sh is run. Please see

  * https://github.com/dsetia/devstack/blob/master/contrail/README -
  * 
 http://pedrormarques.wordpress.com/2013/11/14/using-devstack-plus-opencontrail/

  * http://opencontrail.org/

 Bulk of the work is done by new file lib/neutron_thirdparty/contrail
 such as cloning open contrail repo, building and launching contrail
 modules. I also have directory called contrail under devstack which
 includes:

 1. sample localrc files for setting up single or multi node openstack +
open contrail system
 2. Support files and scripts needed by  lib/neutron_thirdparty/contrail
functions
 3. Neutron and Nova patches needed by OpenStack. These plugins have
been submitted for review. Once approved, I will get rid of code to
patch them

 I would like to understand the procedure, requirements and logistics  to
 push these changes upstream to devstack repository.

 Thanks
 Deepinder



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


 --
 Sean Dague
 http://dague.net

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [nova] Blueprint for Juniper OpenContrail vrouter nova vif driver support

2013-11-12 Thread Harshad Nakil
Kyle,
These requirement should also be required for existing third plugins.
Will you allow new patches to existing plugins without this requirement?
I hope we don't end up creating multiple classes of citizens.

Regards
-Harshad


 On Nov 12, 2013, at 7:08 PM, Kyle Mestery (kmestery) kmest...@cisco.com 
 wrote:

 On Nov 12, 2013, at 5:26 PM, Prasad Miriyala pmiriy...@juniper.net wrote:

 Hi All,

 A blueprint has been registered to add Nova vif driver support for Juniper 
 vrouter.

 The Juniper OpenContrail Controller is a logically centralized but 
 physically distributed Software Defined Networking (SDN) controller that is 
 responsible for providing the management, control, and analytics functions 
 of the virtualized network.
 The Juniper OpenContrail vRouter is a forwarding plane (of a distributed 
 router) that runs in the hypervisor of a virtualized server. It extends the 
 network from the physical routers and switches in a data center into a 
 virtual overlay network hosted in the virtualized servers. The OpenContrail 
 vRouter is conceptually similar to existing commercial and open source 
 vSwitches such as for example the Open vSwitch (OVS) but it also provides 
 routing and higher layer services.
 The OpenContrail Controller provides the logically centralized control plane 
 and management plane of the system and orchestrates the vRouters.

 Blueprint
 https://blueprints.launchpad.net/nova/+spec/juniper-opencontrail-vrouter-nova-vif-driver

 Associated contrail neutron plugin blueprint
 https://blueprints.launchpad.net/neutron/+spec/juniper-plugin-with-extensions

 Please review blueprint, all comments are welcome.

 Regards,
 Prasad

 Hi Prasad:

 We have seen the BP and review. The problem that we Neutron core are currently
 looking at is something which was discussed at the Summit in Hong Kong last 
 week:
 The requirement of having Smokestack/Tempest tests for plugins. As a core 
 team, we
 haven't decided yet if new plugins will require these tests before being 
 added to the
 tree. All plugins will require these tests by Icehouse-2, so IMHO requiring 
 new plugins
 to have them before they are submitted makes sense. I suspect we will cover 
 this next
 week at the weekly Neutron IRC meeting, so stay tuned.

 Thanks,
 Kyle

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Bad review patterns

2013-11-06 Thread Harshad Nakil
+1

Regards
-Harshad


 On Nov 6, 2013, at 12:36 AM, Radomir Dopieralski openst...@sheep.art.pl 
 wrote:

 Hello,

 I'm quite new in the OpenStack project, but I love it already. What is
 especially nifty is the automated review system -- I'm really impressed.
 I'm coming from a project in which we also did reviews of every change
 -- although it was mostly manual, and just one review was enough to
 merge -- and at some point in that project I noticed that it is very
 easy to give reviews that are unhelpful, frustrating and just get in the
 way of the actual work. I started paying attention to how I am reviewing
 code, and I managed to come up with several patterns that are bad. Once
 I know the patterns, it's easier to recognize when I'm doing something
 wrong and rethink the review. I would like to share the patterns that I
 noticed.


 Not sure if that works...
 =

 You see some suspicious piece of code, and you are not sure if it is
 correct or not. So you point it out in the review and -1 it, demanding
 that the author rechecks it and/or prove that it indeed works.

 It's your job as a reviewer to check such things, don't put all the
 effort on the author. They probably already checked that this code
 works, and possibly have even written tests for it. If you are not
 familiar with the technology enough to tell whether it's good or not,
 and have no means of testig it yourself, you shouldn't be reviewing it.
 If you do have the means to test it or can find the piece of
 documentation that says that it shouldn't be done -- do it as a part of
 the review.


 You ain't gonna need it.
 

 The code contains some parts that are potentially reusable later or in
 different areas, so you -1 it and tell the author to move them into
 reusable functions.

 The fact that you think something is reusable doesn't necessarily mean
 it is, and overly general code is harder to maintain. Let something
 repeat a couple of times just to be sure it actually is reusable. Once
 you find a repeating pattern, you can refactor the code to use a
 generalized function in its place -- in a separate change.


 There is an old bug here.
 =

 While you review the submitted code, you notice something wrong in the
 code not immediately related to the change you are reviewing. You -1 the
 change and tell the author to fix that bug, or formatting issue, or
 typo, or whatever.

 That fix has nothing to do with the change you are reviewing. The
 correct thing to do is to make a mental note of it, and fix it in a
 separate change -- possibly even finding more instances of it or coming
 up with a much better fix after seeing more code.


 Guess what I mean.
 ==

 You notice a pep8 violation, or pep257 violation, or awkward wording of
 a comment or docstring, or a clumsy piece of code. You -1 the change and
 just tell author to fix it.

 It's not so easy to guess what you mean, and in case of a clumsy piece
 of code, not even that certain that better code can be used instead. So
 always provide an example of what you would rather want to see. So
 instead of pointing to indentation rules, just show properly indented
 code. Instead of talking about grammar or spelling, just type the
 corrected comment or docstring. Finally, instead of saying use list
 comprehension here or don't use has_key, just type your proposal of
 how the code should look like. Then we have something concrete to talk
 about. Of course, you can also say why you think this is better, but an
 example is very important. If you are not sure how the improved code
 would look like, just let it go, chances are it would look even worse.


 Not a complete fix.
 ===

 The code fixes some problems (for example, fixes formatting and enables
 some flake8 checks), but leaves some other, related problems still not
 fixed. You -1 it and demand that the author adds fixes for the related
 problem.

 Don't live your coding career through the authors. If their fix is good
 and correct and improves the code, let it in, even if you see more
 opportunities to improve it. You can add those additional fixes yourself
 in a separate change. Or, if you don't have time or skill to do that,
 report a bug about the remaining problems and someone else will do it,
 but don't hold the author hostage with your review because you think he
 didn't do enough.


 Leaving a mark.
 ===

 You review a change and see that it is mostly fine, but you feel that
 since you did so much work reviewing it, you should at least find
 *something* wrong. So you find some nitpick and -1 the change just so
 that they know you reviewed it.

 This is quite obvious. Just don't do it. It's OK to spend an hour
 reviewing something, and then leaving no comments on it, because it's
 simply fine, or because we had to means to test someting (see the first
 pattern).



 Those are the things I'm careful about myself. I'm 

Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases

2013-10-10 Thread Harshad Nakil
Won't it be simpler to keep service instance  as one or more VMs, rather
than 1VM being many service instances?
Usually a appliance is collectively (all it's functions) providing a
service. Like firewall or load balancer. A appliance is packaged as VM.
It will be easier to manage
it will be easier for the provider to charge.
It will be easier to control resource allocation.
Once a appliance is physical device than you have all of the above issues
and usually multi-tenancy implementation is weak in most of physical
appliances.

Regards
-Harshad


On Oct 10, 2013, at 12:44 AM, Bob Melander (bmelande) bmela...@cisco.com
wrote:

 Harshad,

 By service instance I referred to the logical entities that Neutron
creates (e.g. Neutron's router). I see a service VM as a (virtual) host
where one or several service instances can be placed.
The service VM (at least if managed through Nova) will belong to a tenant
and the service instances are owned by tenants.

 If the service VM tenant is different from service instance tenants (which
is a simple way to hide the service VM from the tenants owning the
service instances) then it is not clear to me how the existing access
control in openstack will support pinning the service VM to a particular
tenant owning a service instance.

 Thanks,
Bob

  From: Harshad Nakil hna...@contrailsystems.com
Reply-To: OpenStack Development Mailing List 
openstack-dev@lists.openstack.org
Date: onsdag 9 oktober 2013 18:56
To: OpenStack Development Mailing List openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases

  Admin creating service instance for a tenant could common use case. But
ownership of service can be controlled via already existing access control
mechanism in openstack. If the service instance belonged to a particular
project then other tenants should by definition should not be able to use
this instance.

On Tue, Oct 8, 2013 at 11:34 PM, Bob Melander (bmelande) bmela...@cisco.com
 wrote:

  For use case 2, ability to pin an admin/operator owned VM to a
 particular tenant can be useful.
 I.e., the service VMs are owned by the operator but a particular service
 VM will only allow service instances from a single tenant.

  Thanks,
 Bob

   From: Regnier, Greg J greg.j.regn...@intel.com
 Reply-To: OpenStack Development Mailing List 
 openstack-dev@lists.openstack.org
 Date: tisdag 8 oktober 2013 23:48
 To: openstack-dev@lists.openstack.org openstack-dev@lists.openstack.org
 
 Subject: [openstack-dev] [Neutron] Service VM discussion - Use Cases

   Hi,

 ** **

 Re: blueprint:
 https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms

 Before going into more detail on the mechanics, would like to nail down
 use cases.  

 Based on input and feedback, here is what I see so far.  

 ** **

 Assumptions:

  

 - a 'Service VM' hosts one or more 'Service Instances'

 - each Service Instance has one or more Data Ports that plug into Neutron
 networks

 - each Service Instance has a Service Management i/f for Service
 management (e.g. FW rules)

 - each Service Instance has a VM Management i/f for VM management (e.g.
 health monitor)

  

 Use case 1: Private Service VM 

 Owned by tenant

 VM hosts one or more service instances

 Ports of each service instance only plug into network(s) owned by tenant**
 **

  

 Use case 2: Shared Service VM

 Owned by admin/operator

 VM hosts multiple service instances

 The ports of each service instance plug into one tenants network(s)

 Service instance provides isolation from other service instances within VM
 

  

 Use case 3: Multi-Service VM

 Either Private or Shared Service VM

 Support multiple service types (e.g. FW, LB, …)

 ** **

 -  Greg

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


   ___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Neutron] Common requirements for services' discussion

2013-10-10 Thread Harshad Nakil
Agree,
I like what AWS had done. Have a concept of NAT instance. 90 % use cases
are solved by just specifying
Inside and outside networks for the NAT instance.

If one wants fancier NAT config they can always use NATaas API(s)
To configure this instance.

There is a blueprint for bringing Amazon VPC API compatibility to nova and
related extensions to quantum already propose concept of NAT instance.

How the NAT instance is implemented is left to the plugin.

Regards
-Harshad


On Oct 10, 2013, at 1:47 AM, Salvatore Orlando sorla...@nicira.com wrote:

Can I just ask you to not call it NATaas... if you want to pick a name for
it, go for Natasha :)

By the way, the idea of a NAT service plugin was first introduced at the
Grizzly summit in San Diego.
One hurdle, not a big one however, would be that the external gateway and
floating IP features of the L3 extension already implicitly implements NAT.
It will be important to find a solution to ensure NAT can be configured
explicitly as well while allowing for configuring external gateway and
floating IPs through the API in the same way that we do today.

Apart from this, another interesting aspect would be to be see if we can
come up with an approach which will result in an API which abstracts as
much as possible networking aspects. In other words, I would like to avoid
an API which ends up being iptables over rest, if possible.

Regards,
Salvatore


On 10 October 2013 09:55, Bob Melander (bmelande) bmela...@cisco.comwrote:

  Hi Edgar,

  I'm also interested in a broadening of NAT capability in Neutron using
 the evolving service framework.

  Thanks,
 Bob

   From: Edgar Magana emag...@plumgrid.com
 Reply-To: OpenStack Development Mailing List 
 openstack-dev@lists.openstack.org
 Date: onsdag 9 oktober 2013 21:38
 To: OpenStack List openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] [Neutron] Common requirements for services'
 discussion

   Hello all,

  Is anyone working on NATaaS?
 I know we have some developer working on Router as a Service and they
 probably want to include NAT functionality but I have some interest in
 having NAT as a Service.

  Please, response is somebody is interested in having some discussions
 about it.

  Thanks,

  Edgar

   From: Sumit Naiksatam sumitnaiksa...@gmail.com
 Reply-To: OpenStack List openstack-dev@lists.openstack.org
 Date: Tuesday, October 8, 2013 8:30 PM
 To: OpenStack List openstack-dev@lists.openstack.org
 Subject: [openstack-dev] [Neutron] Common requirements for services'
 discussion

  Hi All,

  We had a VPNaaS meeting yesterday and it was felt that we should have a
 separate meeting to discuss the topics common to all services. So, in
 preparation for the Icehouse summit, I am proposing an IRC meeting on Oct
 14th 22:00 UTC (immediately after the Neutron meeting) to discuss common
 aspects related to the FWaaS, LBaaS, and VPNaaS.

  We will begin with service insertion and chaining discussion, and I hope
 we can collect requirements for other common aspects such as service
 agents, services instances, etc. as well.

  Etherpad for service insertion  chaining can be found here:

 https://etherpad.openstack.org/icehouse-neutron-service-insertion-chaining

  Hope you all can join.

  Thanks,
 ~Sumit.


  ___ OpenStack-dev mailing
 list OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases

2013-10-08 Thread Harshad Nakil
Hello Greg,

Blueprint you have put together is very much in line what we have done in
openContrail virtual services implementation.

One thing that we have done is Service instance is a single type of
service provided by virtual appliance.
e.g. firewall or load-balancer etc
Service instance itself can be made up one or more virtual machines. This
will usually be case when you need to scale out services for performance
reasons

Another thing that we have done is introduced a concept of service
template. Service template describes how the service can be deployed. Image
specified in the template can also be snapshot of VM with cookie cutter
configuration.

service templates can be created by admins.Service instances are created by
tenants (if allowed) using a service templates.

So a a single firewall instance from vendor can be packaged as transparent
L2 firewall in one template and in network L3 firewall in another template.

Regards
-Harshad



On Tue, Oct 8, 2013 at 2:48 PM, Regnier, Greg J greg.j.regn...@intel.comwrote:

  Hi,

 ** **

 Re: blueprint:
 https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms

 Before going into more detail on the mechanics, would like to nail down
 use cases.  

 Based on input and feedback, here is what I see so far.  

 ** **

 Assumptions:

  

 - a 'Service VM' hosts one or more 'Service Instances'

 - each Service Instance has one or more Data Ports that plug into Neutron
 networks

 - each Service Instance has a Service Management i/f for Service
 management (e.g. FW rules)

 - each Service Instance has a VM Management i/f for VM management (e.g.
 health monitor)

  

 Use case 1: Private Service VM 

 Owned by tenant

 VM hosts one or more service instances

 Ports of each service instance only plug into network(s) owned by tenant**
 **

  

 Use case 2: Shared Service VM

 Owned by admin/operator

 VM hosts multiple service instances

 The ports of each service instance plug into one tenants network(s)

 Service instance provides isolation from other service instances within VM
 

  

 Use case 3: Multi-Service VM

 Either Private or Shared Service VM

 Support multiple service types (e.g. FW, LB, …)

 ** **

 **-  **Greg

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev