17:32:57 #startmeeting Networking Advanced Services 17:32:58 Meeting started Wed Apr 23 17:32:57 2014 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:33:00 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:33:02 The meeting name has been set to 'networking_advanced_services' 17:34:02 #info the advanced services common requirements session is accepted for the summit #link http://summit.openstack.org/cfp/details/19 17:34:43 we have our task cut out in terms of prioritzing what we want to discuss in that slot 17:34:50 lets bring that up again in the open discussion 17:35:05 #topic Flavors Framework 17:35:13 our standing agenda item 17:35:27 enikanorov_: any plans to submit the blueprint spec? 17:35:44 SumitNaiksatam: working on it right now. 17:35:52 enikanorov_: great 17:36:05 btw, the current PoC patch: #link https://review.openstack.org/#/c/83055 17:36:07 not really. it seems that i hate the new process! :) 17:36:24 enikanorov_: ouch! :-) 17:36:42 unfortunately undo will not work on that! 17:36:49 so, on the patch and on the FW in general 17:36:54 enikanorov_: yes please 17:37:01 i heard many complaints about the term 'flavor' 17:37:11 so let's may be discuss the name again? 17:37:21 i don't remember we have finalized this 17:37:28 enikanorov_: really? I thought flavor was favored due to its name being in tune with Nova 17:37:29 or we can leave it to ML 17:37:34 i've started the thread 17:37:35 enikanorov_: no we havent 17:37:40 enikanorov_: sure 17:37:58 enikanorov_: i thought the main change over the STF was the name :-P 17:37:59 s3wong: nope... actually didn't head of a positive feedback on the name 17:38:06 haha 17:38:08 STF -> flavor 17:38:12 kidding! :-) 17:38:30 enikanorov_: you obviously deserve more credit than that 17:38:34 can we reuse service type or it will be confusing 17:38:45 yep, it's confusing 17:38:53 banix: well, the flavor object contains service type, so a bit confusing 17:39:11 and rename service type :) 17:39:12 i don't have strong opinion on name though 17:39:13 enikanorov_: what are the current candidates for the name? 17:39:17 noy really 17:39:38 per ML there is a suggestion to actually split the resource name into service-specific resource names 17:39:47 like FirewallType, LoadbalancerType 17:39:48 etc 17:40:00 it somewhat makes sense to me 17:40:05 enikanorov_: hmmm 17:40:15 enikanorov_: what would you call the framework, though 17:40:17 ? 17:40:26 but I'd prefer single name and single resource 17:40:32 enikanorov_: agree 17:40:55 framework is mostly around scheduling, capability matching, etc... 17:40:55 folks, banix: if you have thoughts, perhaps a good idea to send to the ML 17:41:13 internally we may have one model exposed through different resources 17:41:23 enikanorov_: ok 17:41:30 enikanorov_: which is good 17:41:45 enikanorov_: regarding the PoC patch 17:41:58 i noticed that nachi put some comments 17:42:12 enikanorov_: i dont think there is anything major suggested there 17:42:13 yeah, but those are code style nits 17:42:17 yep 17:42:22 yeah, mostly cosmetics 17:42:49 enikanorov_: i guess not as many people are looking at the patch, they expect the BP spec first 17:42:56 *expect to see 17:43:06 i guess so. plan to push it tomorrow 17:43:16 enikanorov_: nice 17:43:31 any more questions for enikanorov_? 17:44:10 #topic Service context with Service Interfaces 17:44:21 #link https://docs.google.com/document/d/1AlEockwk0Ir267U9uFDc-Q6vYsWiAcAoKtCJM0Jc5UI/edit 17:44:24 Kanzhe: there? 17:44:33 SumitNaiksatam: yes 17:45:04 so there was some discussion on this through the week 17:45:09 people have provided comments 17:45:31 the above is an evolution over the original bp spec 17:45:42 Kanzhe: you want to summarize the discussions till this point? 17:46:23 There have been some feedbacks on the difficulties in using the current serviceContext API. 17:46:40 SumitNaiksatam: which original bp? 17:46:59 banix: #link https://docs.google.com/document/d/1fmCWpCxAN4g5txmCJVmBDt02GYew2kvyRsh0Wl3YF2U/edit 17:47:07 SumitNaiksatam: thanks 17:47:35 Kanzhe: go ahead 17:47:43 An alternative API was proposed, and defines a provider workflow and tenant workflow. 17:48:13 On the provider side, ServiceContext is a list of serviceInterface. 17:49:08 When a provider makes a service available, it defines a list of available serviceInterfaces, which may capture the physical location, mac address, etc. 17:49:38 Then tenant uses the XaaS API to create a logic service. 17:50:11 Kanzhe: serviceInterface is per the definition in your document, but not a resource, right? 17:50:27 We will introduce add/delete interface API for tenant to define the serviceContext for the logic services. 17:50:47 It will be a resource. 17:50:59 isnt it already a resource in the doc? 17:51:00 and has UUID. 17:51:23 Kanzhe: do you consider that a serviceInterface can be created by regular OpenStack tenant? 17:52:10 jsoares: whoever is responsible to stand up the actual service instance defines the serviceInterface. 17:52:19 Kanzhe: hmmm…if its a purely provider artifact, perhaps not required to make this a resource 17:52:49 Kanzhe: the tenant only needs to see the port side of this interface 17:53:06 My understanding of provider is admin user that creates serviceInterface. 17:54:02 SumitNaiksatam: yes, serviceInterface is a resource not visible to tenant. If that makes sense. 17:54:09 Kanzhe: my questions is that whether that orchestration happens internal to the provider implementation 17:54:22 *question 17:54:48 Kanzhe: but the admin user "owns" OpenStack right? What if, a tenant wants to introduce himself a function that he owns? 17:55:07 btw, to put this in context for anyone not following this discussion - we are discussing the insertion of a single service 17:55:41 jsoares: how would that function be configured? 17:55:44 SumitNaiksatam: Don't quite understand the question. 17:56:00 SumitNaiksatam: the admin user would still need to get a handle of the serviceInterface (add/delete, plug), so it needs to be a resource, right? 17:56:27 Kanzhe: by “that” i meant creation of the service interface (but you answered my question, I think) 17:56:47 SumitNaiksatam: that function would be configured by the tenant itself, which could be an external system 17:56:49 s3wong: isnt that an implementation detail? 17:57:13 jsoares: good, as far as OpenStack is concerned, its just a VM, right? 17:57:46 SumitNaiksatam: but the admin user would still need to GET/POST on that interface, right? 17:57:57 s3wong: to do what? 17:58:05 SumitNaiksatam: right! just a VM, but we have seen that the notion of "port" is not enough for Service Function, therefore it would need something like a Service Interface 17:58:43 SumitNaiksatam: add, delete, connect/plug? 17:59:18 s3wong: can those operations can be performed on the service resource? 18:00:02 SumitNaiksatam: yeah, I see what you are saying 18:00:07 jsoares: Tenant should only consume Neutron port. There are discussion to extend the Neutron port to support L1 interfaces. 18:01:03 jsoares: yeah, to add to what Kanzhe said, we are thinking if the service interface part can be hidden inside the implementation, the tenant only sees the port counterpart of that service interface 18:01:34 i dont think this is in the document yet 18:01:44 Kanzhe: but then, a Neutron port would evolve and be able to be what we are referring as Service Interface? I mean, it can be just L1, L1+L2, L1+L2+L3? 18:01:54 perhaps might make things a little clearer with a diagram in the document 18:02:24 jsoares: exactly. I believe that came up with our discussion earlier. We need to evolve neutron port 18:02:37 jsoares: yes. SumitNaiksatam : I finally see where you question is from? 18:03:15 s3wong, Kanzhe: then it's clear for me now! 18:04:34 Kanzhe: plans to update the document? 18:04:43 SumitNaiksatam: However, provider needs to be able to define serviceInterfaces (add/delete). If SI is not a resource, how are the config tracked? 18:05:09 Kanzhe: can it not be just internal objects? 18:06:23 SumitNaiksatam: I am thinking there needs to be a DB table for serviceInterface, hence a resource. 18:06:44 Kanzhe: DB table yes, but that does not necessarily translate to a resource 18:07:23 ok, Kanzhe perhaps updating the document will help others to come up to speed with the discussion 18:07:30 SumitNaiksatam: so it is just a list of things attached to a Service resource 18:07:31 SumitNaiksatam: Ok, DB table is what I meant. 18:07:43 Kanzhe: i guessed as much :-) 18:08:02 s3wong: kind of 18:08:14 s3wong: as long as the provider can make sense of it 18:08:26 SumitNaiksatam: cool 18:08:31 s3wong: but then its the provider’s implementation, so it should be possible 18:08:45 Kanzhe: i believe there was also a suggestion to define a southbound interface 18:09:17 SumitNaiksatam: Yes, we just covered the provider workflow. 18:09:39 Kanzhe: perhaps we can add to the document 18:09:42 There is a tenant workflow, where tenant can instantiate a logic resource. 18:09:57 SumitNaiksatam: yes, I will update the doc. 18:09:59 SumitNaiksatam: I think the SB interfaces are for a generic service plugin to send API calls to service drivers 18:10:03 Kanzhe: thanks 18:10:11 s3wong: yes 18:10:31 s3wong: its more than the just the provider workflow 18:10:37 Once the logic service is created, user can add an interface to the service. 18:10:46 lets wait for Kanzhe’s update to the document 18:11:18 The tenant workflow mirros well with the existing router interface workflow. 18:11:29 Kanzhe: ok 18:11:33 ok moving on 18:11:41 #topic Port Chaining Proposal 18:11:43 Kanzhe: agreed. It is a clean model 18:11:52 #link https://docs.google.com/document/d/1Bk1e8-diE1VnzlbM8l479Mjx2vKliqdqC_3l5S56ITU/edit 18:12:05 cgoncalves jsoares: there? 18:12:12 SumitNaiksatam: we are :) 18:12:31 cgoncalves: thanks for updating the proposal 18:12:52 cgoncalves: nicely documented, including the use cases 18:12:53 since last meeting we had 1,5 days of public holidays so not much of work on this :) 18:13:00 cgoncalves: no worries 18:13:02 SumitNaiksatam: thanks 18:13:46 I've already start writting some API and DB code but it's still early to share 18:13:52 cgoncalves: so as we discussed before, i think we can potentially leverage this work as a traffic steering building block 18:14:03 what do others think about this? 18:14:09 hoping that way we can gather more input from the community 18:14:41 as a side note, we have also been looking how to enforce this via ODL (OpenDaylight)...we've been doing some tests 18:14:46 SumitNaiksatam: agreed. there are enough overlaps that we should merge the two efforts - unify the way we will do traffic steering 18:14:51 jsoares: nice 18:14:58 SumitNaiksatam: it sounds good! :) 18:15:26 s3wong: i am thinking that there are three pieces that we are dealing with here 18:15:36 SumitNaiksatam: agree with the steering building block. 18:15:42 (1) service insertion (the part we just discussed with Kanzhe’s proposal) 18:16:15 (2) trafffic steering (including classifier) as being discussed in cgoncalves and jsoares’ proposal 18:16:42 (3) service chain (which includes addressing neutron services) 18:17:05 (3) would rely on (1) and (2) 18:17:40 SumitNaiksatam: yes, agreed. 18:18:09 SumitNaiksatam: in that case, both (2) and (3) should depend on (1) 18:18:28 SumitNaiksatam: our proposal addresses (2) traffic chaining as a dependency for (3) service chain which is our ultimate goal 18:19:05 3 leverages 2, which leverages 1. 18:19:05 SumitNaiksatam: but do you see (2) exposed like the proposal presents it now? I mean, something like "Traffic Steering Chain" 18:19:36 Kanzhe: so we are all relying on you to get (1)'s proposal out :-) 18:19:44 jsoares: should not be exposed in my opinion 18:19:54 jsoares: we need to think through, but it does seem like it is a candidate for a lower level traffic steering API 18:20:23 where would t be used beyond service chains? 18:20:41 s3wong: end of the day, it is a team effort to the serviceChaining holy grail. :-) 18:20:42 banix: i agree that it would be very difficult to consume for the tenant to consume 18:20:47 jsoares: traffic steering framework should be lower level in that you are creating classifers/rules to move traffic flow off of its natural flow 18:20:51 difficult -> complex 18:21:12 jsoares: but service chain would be a composition of tenant addressable neutron service objects 18:21:25 s3wong: agree 18:21:47 SumitNaiksatam, s3wong: That would suit Neutron services, but what if the tenant itself want to build a Service Function Chain himself? 18:22:06 banix s3wong: i think where jsoares is coming from is to be able to make service VMs to be part of the chain 18:22:15 with its own Functions, or other functions that are not within Neutron today 18:22:28 jsoares: yes, i get that, see ^^^ :-) 18:22:32 s3wong: we will need a generic service object for other services that not yet defined in Neutron. 18:22:44 jsoares: it sounds like for BYOS, we need to have a service object able to reference to a VM 18:22:46 Kanzhe: good point 18:22:53 SumitNaiksatam: Yes, we highlight that in the introduction of our proposal 18:23:02 s3wong: BYOS, nice!! :-) 18:23:09 SumitNaiksatam: shouldnt that be through the "service in VM" work? 18:23:10 Kanzhe: absolutely 18:23:10 s3wong: copyright it! :-) 18:23:32 banix: service VM is now being moved out of Neutron 18:23:51 s3wong: i know but there should be something higher level 18:24:14 banix: we can have generic service object able to point to a VM designated by a tenant 18:24:19 cgoncalves jsoares: i see in your document that you had plans to update it 18:24:39 cgoncalves jsoares: we will need to normalize on some of the terminology 18:24:49 endpoints in being used int he GP proposal 18:24:50 banix: but lifecycle management of the service in VM should not be Neutron's job 18:25:06 s3wong: that's great and desirable but the question is how that gets done and through what APIs .... 18:25:07 SumitNaiksatam: sure! 18:25:10 also, i would propose a traffic sterring terminlogy, rather than chain 18:25:28 SumitNaiksatam: gp_endpoint, sf_endpoint; gp_classifier, sf_classifier :) kidding 18:25:33 banix: the service VM effort is still going :-) just not a Neutron project 18:25:35 s3wong banix: lets have the service VM discussion next week 18:25:47 cgoncalves: :-) 18:26:10 #topic Certificate Management 18:26:16 Swami: there? 18:26:23 yes 18:26:29 I am here. 18:26:42 the issue is that there is a requirement across services to be able to deal with certificates 18:26:50 and we dont have a way to do that today 18:26:54 Swami: over to you 18:27:07 There was some concerns and discussions about storing the certificates for the services in neutron. 18:27:27 Both Lbaas and VPNaaS had an issue with the Icehouse. 18:27:27 Swami: is there a ML thread on this? 18:27:55 My question is, does this Advanced Services team need to own this as part of addressing the advanced services. 18:28:21 Swami: okay, lets first bring this up with the PTL 18:28:51 lets get initial thoughts, and we can accordingly start discussing this (either here, or as a separate thread) 18:28:52 SumitNaiksatam: Recently the ssl VPN work and the Lbaas ssl offload work was stopped, since there was no infrastructure to support secure certificates. 18:29:16 SumitNaiksatam: Yes that makes sense. 18:29:20 #action SumitNaiksatam Swami to follow up with PTL regarding certificate management 18:29:23 Swami: thanks 18:29:40 #Atlanta Summit Discussion 18:29:49 there is some progress with barbican which has incubated 18:30:03 #topic Atlanta Summit Discussion 18:30:17 enikanorov_: thanks, we can check that 18:30:46 at this point, i have collected the following prirorities from the previous discussion: 18:31:02 * flavors framework 18:31:03 * base service definition 18:31:04 * service insertion framework 18:31:05 * service chaining framework 18:31:06 * certificate management 18:31:12 this is just a laundry list 18:31:26 SumitNaiksatam: that is very ambitious for one 40 minutes session 18:31:29 putting it out there early so that we can think through 18:31:35 s3wong: i know 18:31:46 if we converge on some topics, we can knock them off this list 18:32:12 also, we have made it clear to the PTL that a shared 40 min slot is pretty short time for this discussions 18:32:30 what we can do is, if there is enough interest, have follow up break up sessions 18:32:48 or even prior to this session 18:33:03 i believe our session will be on thursday 18:33:24 any thoughts/comments on this or in general? 18:33:42 SumitNaiksatam , others: are ypou planning on having specs for review? 18:33:51 banix: yes definitely 18:34:04 banix: so we need to have some basic level of convergence on the design 18:34:22 banix: based on that we can go to the neutron core team/PTL and request prioritization 18:34:31 SumitNaiksatam: we definitely need to work on getting base service object definition nailed down 18:34:33 banix: and accordingly out the specs in 18:34:44 s3wong: definitely agree 18:34:53 s3wong: agree 18:34:59 SumitNaiksatam: should we also outline the impacts to the current reference implementations 18:35:46 SridarK: yes, that will be a part of the feasibility discussion when choosing a particular approach 18:36:05 ok got it 18:36:22 SridarK: i agree, changes to the base service definition might need changes to existing service implementations 18:36:34 ok folks, we are over time 18:36:40 any parting thoughts/comments? 18:37:18 alright thanks all! 18:37:24 see you next week 18:37:25 thanks! 18:37:25 bye 18:37:25 bye 18:37:31 #endmeeting