17:31:28 #startmeeting Networking Advanced Services 17:31:29 Meeting started Wed Apr 9 17:31:28 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:31:30 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:31:32 The meeting name has been set to 'networking_advanced_services' 17:31:49 #topic Flavors Framework 17:31:58 #link: https://review.openstack.org/#/c/83055/ 17:32:06 also #link https://wiki.openstack.org/wiki/Neutron/FlavorFramework 17:32:21 enikanorov: i think there was some activity on the PoC patch 17:32:24 hi 17:32:34 Swami: hi, thanks for joining 17:32:39 SumitNaiksatam: yes, but i think people reviewed it as regular one 17:32:51 while i think it make sense to focus on shceduling part of it 17:32:56 enikanorov: i know, more on syntax than semantics :-) 17:33:21 enikanorov: yeah the scheduling part was not very clear to me 17:33:39 enikanorov: for the benefit of everyone here, can you quickly walk through the workflow 17:33:46 so the idea of scheduling is that it is falling into two parts 17:33:47 enikanorov: if it can be done briefly 17:34:02 1. choose the provider that generally supports all requested capabilities 17:34:17 2. if provider manages some backends - try to chose particular backend 17:34:48 #2 is totally driver-dependent operation, it can be omitted, e.g. scheduling on the driver side can be just empty 17:34:59 so, for lbaas #2 could be agent scheduling 17:35:08 so #1 will chose haproxy provider 17:35:15 enikanorov: the “provider” definition here is per the service type framework? 17:35:18 #2 will chose particular lbaas agent 17:35:21 SumitNaiksatam: yes 17:35:31 provider/driver 17:36:00 enikanorov: for #2, do you mean to choose different verdor's AGENT driver? 17:36:05 if some driver manages hw/sw appliances, then #2 could be scheduling on them 17:36:26 garyduan: no, scheduling is done on the plugin-driver side 17:36:33 e.g. it chooses plugin-driver first 17:36:48 enikanorov: I see. so #2 is to talk to the device 17:37:03 not exactly, i'd say 17:37:22 driver evaluates available backends and choses matching backend 17:37:31 enikanorov: moreover, the vendor name could be a “tag” value as well? 17:37:33 it's not necessary to ommunicate with backends 17:37:50 enikanorov: understand now 17:37:51 SumitNaiksatam: yes, i believe that was one of the unit tests showing such example 17:37:54 enikanorov: What do you mean by backend here. 17:37:55 enikanorov: to provide a hint to the scheduler 17:38:05 enikanorov: ok 17:38:20 Swami: backend is an entity actually implementing the service 17:38:35 enikanorov: thanks 17:40:05 that's it from my side... 17:40:10 enikanorov: probably, provider should do the validation to make sure the flavor can be scheduled to the backend 17:40:22 garyduan: that's the step #2 17:40:37 it can internally match flavor with capabilities of managed backends 17:41:20 and if no backend is found, then scheduler may try to use another provider/driver 17:41:35 Is the plugin doing this match? 17:41:46 enikanorov: yes. that's what I am thinking now 17:43:13 songole: basically, yes 17:43:21 enikanorov: the “schedule” method is not defined in any base class in the current patch 17:43:49 SumitNaiksatam: it's defined in class SchedulingProvidersPlugin 17:43:58 it's in the test_flavors.py 17:43:59 can you post the link to the BP if handy 17:44:24 banix: #link https://wiki.openstack.org/wiki/Neutron/FlavorFramework 17:44:26 banix: https://blueprints.launchpad.net/neutron/+spec/neutron-flavor-framework 17:44:29 thanks 17:44:31 enikanorov: thanks. what is the flavor framework doing in the process? 17:44:36 yep, and the description is on the wiki 17:44:48 songole: what do you mean? 17:45:27 SumitNaiksatam: most of the meaningful code is in test_flavors, i intentionally didn't separate it to different files 17:45:50 enikanorov: does the capability have anything to do with extensions? 17:45:54 enikanorov: ok 17:46:15 garyduan: flavors are API extension itself 17:46:53 enikanorov: so on the flavors API side 17:46:54 API lands on the plugin first. Is there an interface between plugin & flavor? 17:47:38 songole: the plugin for the flavors API is FlavorManager, it's a class instance similar to plugins 17:47:52 enikanorov: the API lets you programatically create flavors 17:47:58 i think it makes sense to implement it like provider framework 17:48:02 SumitNaiksatam: yes 17:48:23 enikanorov: what about the “service types" 17:48:41 this may have been mentioned earlier but the provider knows how to schedule the backend? that is the idea behind having a two step approach here? 17:48:43 right now patch assumes serviec types are constant 17:48:50 LOADBALANCER, FIREWALL, etc 17:49:05 enikanorov: ok 17:49:40 enikanorov: ok, that is fine for individual services 17:50:08 enikanorov: there was a feeling that one should be able to dyncamically create and publish chains as well 17:50:15 for combinations/types - i don't know yet. i think there should be API to define such types first 17:50:59 will there be any validation to check if those chains are valid chains before deploying the service. 17:51:02 enikanorov: in that case, you would need more dynamic flavor - not constants service_type 17:51:05 banix: provider/driver may need or need not scheduling at all, that's why it's delegated to the driver 17:51:31 s3wong: right, instead of a string, that will be a foreign key to service-types 17:51:47 but right now i'm not sure how flexible such construct can be 17:52:16 i mean that a chain should have a driver, i don't think it can be arbitratry, can it? 17:52:28 enikanorov: yes, still undefined today 17:52:54 enikanorov: i think we had this discussion earlier, the feeling is that there could potentially be a generic driver which might be able to handle such cases 17:52:59 enikanorov: there are two camps on that. We want to have fixed template for chains, or some of us also want to have dynamically defined chains 17:53:26 SumitNaiksatam: i don't think it will be a major change even if service types will be dynamic 17:53:32 enikanorov: at this point, if possible, it might be good to not close that possiblity 17:53:46 enikanorov: ok good 17:53:54 any more questions for enikanorov 17:54:03 enikanorov: what is the plan forward 17:54:08 enikanorov: s3wong does it make sense to have one or more driver of srvice type "chain" that may be able to instantiate certain chains? 17:54:11 enikanorov: when does this come out of WIP? 17:54:28 well... I filed a design track for that 17:54:30 banix: i believe that is the current plan 17:54:37 on the summit, i mean 17:54:49 enikanorov: so this will be WIP until/after the summit? 17:54:50 so i hope to gather more attention of the core team 17:54:57 banix: yes, I believe that is what SumitNaiksatam said above. Having a driver to render the chain definition 17:55:16 enikanorov: shall we work on getting a more detailed design before then? 17:55:30 SumitNaiksatam: considering the state of lbaas (where I was planning to apply it at first) i'm not sure i'm able to proceed with some non-wip code 17:56:04 garyduan: would you be interested in trying this on FWaaS? 17:56:18 banix: to me the design is quite straightforward, if you see some issues - feel free to email me or reach out to IRC, i'll update the wiki and the code 17:56:30 enikanorov: can you ellaborate what you mean by state of lbaas; 17:56:38 sorry for being ignorant on that front 17:57:04 banix: np. we're thinking of some API redesign, and basically flavor framework is not a top priority there 17:57:17 enikanorov: i see. thx. 17:57:31 btu i may try to apply the patch to some other adv service 17:58:21 enikanorov: are you offering to apply the patch to some other adv service or are you suggesting that some one else can apply? 17:58:34 btw, sorry for interrupting 17:58:52 my patch assumes that service already employs provider framework 17:59:09 and that is something that we had not agreement with some core team members 17:59:12 so... 17:59:16 enikanorov: ok, that is a bit of catch 22 17:59:25 Is it possible to invent a simple service just for experimentation? or the calue is in picking an existing service and see how it can use this framework? 17:59:35 value 17:59:39 enikanorov: since the STF is not approved for FWaaS or VPNaaS 17:59:39 banix: it's implemented in my patch :_) 17:59:52 enikanorov: right 18:00:11 STF not hard to add though... 18:00:26 SumitNaiksatam: so the value that i see in STF is dispatching mechanism, but STF is blamed for bad user experieence 18:00:26 pcm: that is correct, the patches are already there 18:00:55 pcm: yeah, per enikanorov ^^^ the STF future itself is uncertain 18:01:00 pcm: Why was the STF patch not approved. 18:01:19 Swami: see enikanorov’s comment ^^^ 18:01:25 Swami: I think the discussion of flavors put a hold on it. 18:01:31 ok all, we have other topics 18:01:33 SumitNaiksatam: Apologies for my ignorance. What is STF? 18:01:42 service type framework 18:01:48 SumitNaiksatam,pcm: thanks 18:01:50 oh. thanks 18:01:50 or provider framework 18:02:06 lets think about what’s a good way to make progress, and if you have suggestions, please send to the mailer, we can revisit next week as to where we are 18:02:14 songole: STF - service type framewrok 18:02:22 moving on 18:02:40 cgoncalves: wanted some time last week, and we could not accommodate that 18:02:50 #topic Port chaining proposal 18:02:57 SumitNaiksatam: thanks 18:03:02 #link https://docs.google.com/document/d/1Bk1e8-diE1VnzlbM8l479Mjx2vKliqdqC_3l5S56ITU/edit?pli=1# 18:03:16 cgoncalves: i believe you sent an email to the mailer? 18:03:21 so, I don't know if any of you read that doc 18:03:37 cgoncalves: i had a quick run through it 18:03:40 SumitNaiksatam: I did send an email to -dev ml some time ago 18:03:45 hope others had a chance to look 18:03:54 btw, enikanorov: thanks for the earlier update! :-) 18:04:07 np! 18:04:44 cgoncalves: does anyone have thoughts on cgoncalves’s proposal? 18:05:27 cgoncalves: perhaps people need a little more time to read through 18:05:36 cgoncalves: you want to quickly summarize? 18:05:43 cgoncalves: are you following the work being done on services in VMs? are these related? 18:05:49 in a nutshell: if I'm not mistaken, every Neutron network service is attached to a Neutron port. the currently work regarding network service chain only adresses those Neutron network services 18:06:25 cgoncalves: ignore my question and carry on pls 18:06:27 what I'm proposing is not restrict to those supported services but anything that is reached via a Neutron port 18:06:28 cgoncalves: that is somewhat true (regarding each service attaching to a port) 18:06:34 SumitNaiksatam: cgoncalves: what are we really adding with port-based chaining over service-context based one? 18:07:05 banix: service VM discussion coming up, hang in there :-) 18:07:34 SumitNaiksatam: sure. thanks. 18:07:36 s3wong: it is supposed to be a more flexible approach 18:07:50 s3wong: in the service-context based one you can only attach Neutron services (vpn, lb, fw) to the chain. I'm proposing augumenting it to something more broad and hence a port-based approach 18:08:01 s3wong: as banix hinted, this might have more relevance when services are in a VM 18:08:25 s3wong: so that you can mix in a chain VMs and Neutron services 18:08:45 cgoncalves: so my take on this is that this could be potential approach to chaining 18:09:06 the group policy BP could also benefit from this approach rather than also be limited to the service-based approach 18:09:07 SumitNaiksatam: cgoncalves: yes, I can see more relevancy in case a service has multiple ports 18:09:17 cgoncalves: however it requires the user to actually understand everything about how a service is realized 18:09:39 cgoncalves: we were trying to hide that to some extent by making services available as *aaS 18:10:04 cgoncalves: for GBP, I don't know if tenants would even "see" a port to a service 18:10:21 SumitNaiksatam: yes, but as argued in the proposal Neutron can't keep up with all network services providing them as *aaS 18:11:07 cgoncalves: OK - you are thinking if the tenants themselves are bringing in their own services 18:11:10 cgoncalves: that is true, but in that case that service is not a service, its just a VM as far as Neutron/OpenStack is concerned 18:11:33 s3wong: yeah, mean to say the same thing 18:11:36 s3wong: yes. you can see use case #2 for instance (the DPI one) 18:11:42 SumitNaiksatam: but you can't chain that service then, right? 18:11:46 SumitNaiksatam: that's right. 18:11:47 Network Service as a Sevice? NSaaS 18:11:57 banix: :-) 18:12:02 banix: ha ha :-) 18:12:07 recursive defintion like GNU 18:12:12 :) 18:12:25 SumitNaiksatam: the whole propose is to be agnostic to what's running in those ports, either a VM running some kind of service or a Neutron provided network service 18:12:53 cgoncalves: essentially you want a way to be able to specify that traffic be steered between certain ports 18:13:43 btw, IETF folks have been recently working on the definition and such on this matter http://datatracker.ietf.org/wg/sfc/ 18:13:55 SumitNaiksatam: yes. 18:13:59 cgoncalves: in case of GBP, in case of having service represented by a group, having to specify a "port" seems to be limiting 18:14:20 s3wong: i dont see this being directly consumed at the policy abstraction level 18:14:36 s3wong: however the “renderer” could potentially make use of this 18:14:37 cgoncalves: what about define a "GenericServiceaaS" with service context? then undefined services can be inserted or chained with serviceContext. 18:14:53 SumitNaiksatam: given this approach, the work you've been working on Neutron network service chaining could use this work 18:15:06 cgoncalves: yeah, i was trying to say that 18:15:39 kanzhe: i see, that could be another way of doing it 18:15:57 s3wong: that could be hidden from the user, I guess 18:16:04 SumitNaiksatam: how so? The chain itself is "rendered" by GBP in our thinking so far, right (contract scope chains)? 18:16:16 or service object 18:16:25 kanzhe: that's another way, yes 18:16:38 s3wong: still not completely sure, there are differing opinions :-) 18:16:56 cgoncalves: ok thanks, good start, lets think about it a little more 18:17:08 kanzhe: but I think in that particular case you would say that VMs could be initiated and configured by Neutron just like other services (fw, lb, vpn) 18:17:09 cgoncalves: this all sounds very interesting; will read through more carefully and get back to you. 18:17:18 banix: thanks 18:17:19 cgoncalves: and lets give others a chance to think through this as well 18:17:36 SumitNaiksatam: ok. thank you the time slot to briefly present it here 18:17:49 cgoncalves: very welcome and we will circle back 18:17:59 #tpoic Service VM progress update 18:18:08 we've been working on models and API. next week I think I can present something to you all 18:18:08 #topic Service VM progress update 18:18:16 cgoncalves: great thanks 18:18:29 cgoncalves: great. Looking forward to seeing that 18:18:36 so yamahata cannot make it to this meeting 18:18:52 s3wong: voluteered to provide update from the service VM meeting 18:18:59 s3wong: over to you 18:19:09 s3wong: that's nice. thanks. 18:19:15 SumitNaiksatam: I see yamahata online, but I guess he is really sleeping now :-) 18:19:22 cgoncalves: I think this group is working on many enhancement around XaaS to address resource scheduling, insertion, chaining, and other issues. The port-based proposal won't be able to leverage all the improvement. 18:19:28 yamahata: there? 18:19:35 So yamahata has done pretty much all the work so far 18:19:39 kanzhe: that is good point 18:19:46 the API and DB model is here: 18:19:48 s3wong: yes please go on 18:20:06 #link https://review.openstack.org/#/c/72068/ 18:20:53 The basic architecture consists of a management interface driver and a device manager/driver 18:21:12 management manager/driver is for management interface on the VM 18:21:27 device manager/driver is for managing the actual service VM 18:21:50 kanzhe: if you could elaborate more on that thought next week or mailing list I would appreciate :-) 18:22:18 at this point, the reference implementation we are aiming for is LBaaS haproxy driver on a VM 18:22:29 some preliminary diff can be found here: 18:22:42 cgoncalves: sure. 18:22:52 #link https://review.openstack.org/#/c/72068/ 18:23:01 that is not working yet, BTW 18:23:39 the API patch is here #link https://review.openstack.org/#/c/56892 18:23:39 yamahata is also working with the community on defining a message proxy server 18:24:18 SumitNaiksatam: sorry, cut and paste error :-) 18:24:25 s3wong: np 18:24:44 currently the suggestion is to use Marconi 18:24:45 s3wong: perhaps let people dwell on these links a little more 18:24:56 s3wong: ok, sounds logical 18:25:07 which I have no idea what Marconi really does, so I will refrain from commenting too much :-) 18:25:36 yamahata would like our comment on the API and DB model, especially 18:25:38 s3wong: i believe they had applied for incubation 18:25:43 s3wong: sure 18:26:02 all, please respond to the review patches in Gerrit 18:26:06 s3wong: thanks 18:26:10 Swami: there? 18:26:27 SumitNaiksatam: Thanks for letting me proxy yamahata for couple minutes :-) 18:26:27 yes here 18:26:47 s3wong: we will circle back next week, thanks! 18:26:48 s3wong: thanks 18:26:57 #topic Service Insertion for distributed service implementation 18:27:25 Swami: you want to quicly brief the team about the issues you were facing? 18:27:38 SumitNaiksatam: Yes 18:27:48 Swami: please go ahead 18:28:12 For the Distributed routed module, some of the services can be distributed and there are certain services that need to be centralized. 18:28:27 Say for example FWaaS and LBaaS can be distributed. 18:28:47 VPNaaS should be a singleton service and should be centralized. 18:29:18 Swami: dictributed as in a cluster 18:29:29 Is there any way that we can identify the services and assign it to the right routers. 18:30:16 banix: Distributed across your compute Nodes. For the Distributed Virtual Router, all tenant routers will be distributed and will be available in each and every compute node were the Tenant routed vm resides. 18:30:29 Swami: distributed LBaaS as in elastic load balancing? 18:30:32 swami: got it; thx. 18:30:36 Swami: how useful do you think the “service_context” be in this case? 18:31:04 s3wong: For LBaaS today it is not tied to the router, so it might not be a problem. 18:31:08 BTW, we are the end of the meeting but we can go on longer, since i have the next meeting slot as well on this channel 18:31:15 Swami: go ahead, take your time 18:31:27 SumitNaiksatam: Thanks 18:31:47 SridarK: apologies for the delay on FWaaS but i believe you are equally interested here :-) 18:32:05 So here in this case we are proposing the chain is created and then we apply the chain to a router. 18:32:15 Yes no worries at all interested too SumitNaiksatam: 18:32:56 How do we distinguish between the services and apply those service chains to the respective routers is my question. 18:33:10 If this has not been addressed, then we should take it into consideration. 18:33:34 Swami: we have discussed before, but we have not addressed it 18:33:48 SumitNaiksatam: Yes I do agree. 18:33:59 Swami: agree 18:34:00 Swami: since currently even the single service/centralized insertion is kind of fuzzy :-) 18:34:11 SumitNaiksatam: yeah :) 18:34:18 SumitNaiksatam: Yes I agree . 18:34:34 Swami: but this is a good time to bring this up, since we dont want to paint ourselves in a corner 18:34:50 Swami: my earlier question, will sevice_context help in this case? 18:34:56 Swami: This is the same issue with NAT service, which DVR proposal has a solution. Are you proposing a more generic way to tackle the problem? 18:34:56 Even with today's model we might be able to include it into our discussion and see where we end up, rather than modifying our stuff later. 18:34:59 Swami: or we need to think through it again? 18:35:20 kanzhe: sorry go ahead 18:35:29 Swami: kanzhe’s question ^^^ 18:35:33 SumitNaiksatam: yes we need to think through it again and probably walk through a use case. 18:35:59 Hi, sorry, I was in a meeting 18:36:14 garyduan: np, we are still in the previous meeting too :-) 18:36:16 kanzhe: yes DVR is proposing that NAT being done at the Service Node. That's where we are also thinking that the VPNaaS should be running. 18:36:35 Swami: so NAT is still centralized? 18:37:03 SumitNaiksatam: Yes SNAT is centralized, but for any floating ip it is still distributed. 18:37:32 Swami: thanks, sorry for being slow, you had explained this before during the meeting 18:38:17 SumitNaiksatam: What we can do is take the existing services and come up with a Use case on how it will be handled with the centralized and distribtued mode. 18:38:19 Swami kanzhe: so in the distributed case, can we expect the service backend be expected to figure out how the distribution occurs 18:38:35 Then we can discuss how the Framework will help deploy those services. 18:38:47 Swami kanzhe: based on the service_context? 18:39:10 SumitNaiksatam: yes the service_context. 18:40:13 SumitNaiksatam: For next week we can plan on walking through the use-case. 18:40:49 SumitNaiksatam: this is a good use case for service insertion. Swami: agree. 18:40:49 Swami: sounds good 18:41:12 Swami kanzhe: can you guys set something up before the next week’s meeting? 18:41:33 and whoever else is interested 18:41:34 SumitNaiksatam: Yes I will work on that Use case with either You are kanzhe. 18:41:41 Swami: thanks! 18:42:03 SumitNaiksatam: Also one other information. 18:42:06 Swami: and for bringing this up…sorry it took us two weeks to get this 18:42:20 Swami: although you requested that this be discussed three weeks back 18:42:25 for the record! :-) 18:42:27 SumitNaiksatam: what is the venue? An IRC meeting before the next week's meeting? 18:42:29 Swami: go ahead 18:42:46 For the Certificate handling for all the services, should this be discussed in this meeting or is there another team for that. 18:42:47 kanzhe: lets decide offline, i think we need a higher bandwidth channel 18:43:06 SumitNaiksatam: sounds good. 18:43:07 Swami: ah, you had asked that before as well 18:43:25 Swami: i dont have any objections to discusisng it in this meeting 18:43:43 I also discussed briefly about this with enikanorov. 18:44:02 Swami: we are probably out of time this week, but lets circle back on this for the next week’s meeting 18:44:11 everyone just one more topic 18:44:17 Right now both LBaaS and VPNaaS needs some framework within the Neutron to support Certificates. 18:44:26 Swami: sure 18:44:38 #topic Adv Services logistics 18:44:43 hope everyone is still around 18:44:46 enikanorov: ? 18:44:47 SumitNaiksatam: Thanks we can take this next week, I don't want to block your FWaaS meeting. 18:44:57 so this thought just occured to me 18:45:00 SumitNaiksatam: this meeting needs to be at least 90 minutes long :-) 18:45:05 based on Swami’s request 18:45:09 s3wong: :-) 18:45:09 i'm here still 18:45:18 enikanorov: good 18:45:29 so we have lots of things to discuss here 18:45:40 under the advance services requirements agenda 18:45:52 what's 'logistics' is about? 18:45:54 we need a way to channelize this feedback and prioritize it 18:46:19 enikanorov: probably bad choice of words, i meant process for channelizing feedback 18:46:31 #undo 18:46:32 Removing item from minutes: 18:46:35 ok 18:46:54 #topic Advanced Services common requirements process and prioritization 18:47:12 i think at this point we are not having enough core participation in this meeting 18:47:42 and hence i am concerned that what we are discussing here does not have enough of a representation on the core team side 18:48:05 does anyone have thoughts on this? 18:48:49 One thing i can think off is having a standing item on this topic “Advanced Services common requirements” in the neutron IRC 18:49:21 +1 18:49:24 SumitNaiksatam: +1 i think this is a good way to get more attention 18:49:25 currently there is hardly any time given to advanced services in the neutron IRC 18:49:25 SumitNaiksatam: agree with the premise. 18:49:27 SumitNaiksatam: Yes that would work out. 18:49:29 +1 18:49:31 SumitNaiksatam: That would be a good start. 18:49:35 ok 18:49:39 enikanorov: what do you think? 18:49:39 SumitNaiksatam: sure +1 18:50:10 we should check with nachi as well 18:50:20 enikanorov: there? 18:50:23 i'll support this idea 18:50:28 enikanorov: ok 18:50:29 and the API group? 18:50:44 we should not expect to get too much time 18:50:58 but just enough to highlight our high priority items 18:51:12 that way we can get on the radar 18:51:32 ok, enikanorov, lets try to reach out to nachi, and try to work through this 18:51:48 #topic Open Discussion 18:51:51 sure 18:51:55 anythin more for today? 18:51:58 enikanorov: thanks 18:52:34 okay i think its been a fairly long meeting 18:52:44 thanks all for joining and hanging in there 18:52:47 bye 18:52:52 bye all! 18:52:58 bye! 18:53:01 #endmeeting