OpenStack approach to SDN by way of NFV
Advanced Network Service Framework
Isaku Yamahata [email protected]
CloudOpen Japan May 22, 2014
Legal Disclaimers
Copyright © 2014 Intel Corporation. All rights reserved.
Intel, the Intel logo, Xeon, Atom, and QuickAssist are trademarks of Intel Corporation in the U.S. and/or other countries.
Agenda
Introduction: SDN, NFV and OpenStack
Advanced Network Service Framework (ANSF)
Status summary and future work
Questions
Introduction: SDN, NFV and OpenStack
SDN: Software Defined Networking
• Making the network programmable
• Not a new idea
• This time with openness and requirement
[Figure: traditional vs. SDN; labels: packet forwarder, OS, feature, feature]
NFV: Network Function Virtualization
• Virtualizing the network appliance
[Figure: hardware appliance vs. virtual appliance]
OpenStack Neutron
• Neutron networking
• Core service
• L2/L3 connectivity
• Advanced services
• Load balancer (LBaaS)
• Firewall (FWaaS)
• VPN (VPNaaS)
SDN and NFV
[Figure: SDN and NFV; labels: Open Innovation, OSS, OpenStack]
NFV: VNF manager/orchestrator
• VNF: virtualized network function
• VNF manager/orchestrator: life cycle management
• There are missing building blocks for NFV in OpenStack
• One of the building blocks (see gs_NFV002v010101p.pdf)
Appliance provider: defining its own service
• Allow the appliance provider to define its own service
• The service will be provided to the user via the OpenStack API
[Figure: cloud provider, service provider (virtual appliance), user; arrows: register service, provide service via OpenStack API]
Advanced Network Service Framework (ANSF)
How to add services to OpenStack
Goal of Advanced Network Service Framework
• Make it easy to define a new service
• Provide a unified interface to manage the life cycle of VMs/services
• Thus lower the bar for appliance providers to integrate their appliance with OpenStack
• Life cycle management
• Side communication channel between VM/service and OpenStack
• Configuration of VMs and services
Block diagram
[Figure: Horizon, Nova, Heat, Neutron; Advanced Network Service Framework with service chaining and services (FWaaS, LBaaS, VPNaaS, ...); REST APIs; vendor A firewall, vendor B firewall, vendor X firewall, iptables firewall; cloud deployment with management network, tenant X/Y/Z networks, VMs, FWaaS, LBaaS; create, configure, manage services and networks]
• Configure and manage
• Common network services
• Plugin architecture
• Multi-vendor solutions
• REST API
Architecture overview
[Figure: tenant networks with tenant VM (app), service VM with agent (service X), service VM with agent (service Y); OpenStack mgmt. network with Neutron server, DB, service X (vendor A) agent, service Y (vendor B) agent; RPC relayed over the side communication channel; nova and nova driver, device/service manager, boot service VM, vendor A driver (service X), vendor B driver (service Y), new service VM, horizon (GUI), ANSF, DB]
• OpenStack mgmt. network is isolated from tenant networks
• Communicating between service and OpenStack: oslo.messaging proxy
[Figure: Neutron server, driver, agent; service VM with service agent; RPC over the side communication channel across the security boundary]
Requirements and other solutions
• The service VM can't be trusted
• A connection to the public network can't be assumed
https://docs.google.com/presentation/d/1LTGm4msu-QadYdsRZM-Vp3_t_3-0l0iNRE_Tm_xsf-A/edit#slide=id.g339369fce_13
RPC with Marconi
• Marconi: MQ (message queue) service via REST API
• HTTP proxy between the OpenStack mgmt. network and the tenant network
• Inject contact points into the VM
• Other use cases
• TripleO (OpenStack on OpenStack)
• Trove (Database as a Service)
RPC with Marconi
[Figure: compute node with VM and guest agent; network node with agents and netns; controller node with Neutron server, service X and Marconi server; data network, management network, AMQP, Unix socket, REST API]
Security with guest agent
[Figure: service VMs with guest agent X and guest agent Y on the data network; management network with containment proxy, Neutron server for agent X, Neutron server for agent Y, Marconi, DB, REST API on the controller node; an attack path from a guest agent is marked at the containment proxy]
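An added example, not ANSF or Tacker code, of the containment proxy idea on this slide: each service VM gets a contact point (its own queue name plus a token) at boot, and the proxy relays a guest agent's RPC only to the queue bound to that VM, rejecting and logging anything else. The secret, queue naming scheme and message shape are assumptions made for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Per-deployment secret known only to the proxy (constructed demo value).
PROXY_SECRET = b"constructed-demo-secret"

def contact_point(vm_id: str) -> dict:
    """Contact point injected into a service VM at boot: its own queue
    name plus an HMAC token proving which VM a message comes from."""
    token = hmac.new(PROXY_SECRET, vm_id.encode(), hashlib.sha256).hexdigest()
    return {"vm_id": vm_id, "queue": f"neutron.agent.{vm_id}", "token": token}

class ContainmentProxy:
    """Sits on the security boundary between the tenant networks and the
    OpenStack management network: relays a guest agent's RPC only to the
    queue bound to that agent's VM and records everything it blocks."""
    def __init__(self):
        self.delivered = defaultdict(list)  # queue name -> delivered bodies
        self.rejected = []                  # audit trail of blocked messages

    def relay(self, raw: str) -> bool:
        msg = json.loads(raw)
        vm_id = str(msg.get("vm_id", ""))
        expected = hmac.new(PROXY_SECRET, vm_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("token", ""))):
            self.rejected.append(("bad-token", vm_id))
            return False
        allowed = contact_point(vm_id)["queue"]
        if msg.get("queue") != allowed:
            # A VM addressing another agent's server is contained, not relayed.
            self.rejected.append(("cross-agent", vm_id, msg.get("queue")))
            return False
        self.delivered[allowed].append(msg["body"])
        return True

def demo() -> tuple:
    """Constructed exchange: one legitimate report, then two messages a
    compromised service VM might emit, both stopped at the proxy."""
    proxy = ContainmentProxy()
    cp_x = contact_point("vm-x")
    body = {"method": "report_state"}
    ok = proxy.relay(json.dumps({**cp_x, "body": body}))
    wrong_queue = proxy.relay(json.dumps({**cp_x, "queue": "neutron.agent.vm-y", "body": body}))
    forged = proxy.relay(json.dumps({**cp_x, "token": "0" * 64, "body": body}))
    return ok, wrong_queue, forged, dict(proxy.delivered), proxy.rejected
```

The rejected list is what a deployment would ship to its logging pipeline: a message for another agent's queue from a valid VM is the signal that a service VM has been compromised.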
Status summary and future work
Moving out of Neutron
Status summary
Component                              Status                  Comment
VM/service mgmt                        Under patch review
Driver for device mgmt                 Patch for nova driver   To be posted for patch review
Driver for side communication channel  Patch for RPC proxy     Discussing in the community with a blueprint
Guest agent                            Work in progress        Patch for LBaaS with haproxy; to be posted for patch review as reference implementation
GUI (horizon)                          Work in progress
Tacker: Service VM/Device Manager Project
• https://wiki.openstack.org/wiki/ServiceVM
• Provides a unified interface to Neutron and other OpenStack projects
• Becoming a project independent of Neutron
• Not specific to networking
• Moving out of Neutron
• Many TODOs, as this project has just started
• Design discussions, terminology, API/data model, etc.
Incubation Process Starting
Call to Action
• Just started
• Lots of opportunities for innovation
• Share your use cases
• Define Terminology
• Define API/data model
• Design discussion
• Contribute code
Join the project!
Thank you
Questions?
Resources
https://wiki.openstack.org/wiki/Meetings/ServiceVM
https://wiki.openstack.org/wiki/Oslo/blueprints/message-proxy-server