How to develop new API extensions
in OpenStack networking (Neutron)
2015 August 23
Fujitsu Vietnam Limited
PODC (Platform Offshore Development Center)
Cao Xuan Hoang ([email protected])
Copyright 2015 Fujitsu Vietnam Limited
Agenda
How does the OpenStack API work?
API extensions
Experiments
  Example use case
  Security group implementation sequence
  Support logging feature/API for SG
  Security group logging experiment
  Firewall logging experiment
How does the OpenStack API work?
OpenStack includes several services that can be managed through the API.
There are two ways we can use OpenStack: API and SDK.
An application can either call the API itself, or use an SDK available for the application's programming language.
API extensions (1)
The OpenStack API extension mechanism makes it possible to add functionality to OpenStack APIs in a manner that ensures compatibility with existing clients.
The image below is an example of LBaaS API extensions that came from operator/user use-case demand.
API extensions (2)
What can be extended and how:
  New elements and attributes.
  New resources.
  New parameters.
  New headers.
  New verbs.
  New media types.
  New actions.
  New states.
  Other capabilities.
Experiment – example use case
What happens when a bank is hacked by someone else (strangers)?
  A number of the bank's accounts are lost.
  An amount of money is lost.
  Financial transfers may stop.
  ……
How long does it take to fix the problem? As fast as possible, or almost immediately.
How do we know exactly who hacked the bank's database? We have to check records/history/…. => from logs.
Does OpenStack networking support a logging feature to get packet logs? Not yet.
This means a NEW logging API extension is needed, and it comes from operator/user use-case demand.
How to develop/support a logging API extension? See the next pages.
Security group implementation sequence
We are going to show an example of a logging feature that should be implemented in the NEW API.
[Sequence diagram: security group updated (created or deleted). Participants: Host, OVSAgent, Neutron Server, Neutron Client, Firewall. Labels shown: create security group rule or delete rule; security_groups_rule_updated; security_group_rules_for_devices; retrieve security group rules from DB; update_port_filter; update iptables.]
Support logging for SG (1)
We are going to show an example of a logging feature that should be implemented in the NEW API.
[Class diagram, Agent side and Server side. Classes shown: OVSRpcCallbacks, OVSBridgePluginV2, OVSPluginApi, OVSNeutronAgentRPC, SecurityGroupAgentRPC, SecurityGroupAgentRpcCallbackMixin, SecurityGroupServerRpcApiMixin, SecurityGroupServerRpcCallbackMixin, SecurityGroupDbMixin, AgentNotifierApi, PacketLoggingDbMixin, PacketLoggingNotifier, SecurityGroupAgentRpcApiMixin. Calls shown: security_groups_logging_update or security_groups_rule_logging_update; security_group_info_for_devices, security_group_rules_for_devices. *A: security_groups_logging_updated or security_groups_rule_logging_updated. Legend: new classes are marked; other boxes inherit from existing classes.]
Support logging for SG (2)
Main steps in source code implementation:

Create resource:
  Class name: class Packetlogging(extensions.ExtensionDescriptor)
  Resource name: packet_loggings
  Interface API:
    get_packet_loggings (list cmd)
    get_packet_logging (show cmd)
    create_packet_logging (create cmd)
    delete_packet_logging (delete cmd)

Create database to store resource:
  Class name: class PacketLogging(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant)
  Database name: packet_logging
  Create columns:
    object_id = sa.Column(sa.String(36))
    service_type = sa.Column(sa.Enum('fw', 'fw-rule', 'sg', 'sg-rule', name='supported_servicetypes'))

Migration database:
  $ neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini revision -m "packet logging"
  Edit xxx_packet_logging.py for migration database.
Support logging for SG (3)
Main steps in source code implementation:

Notify Agent:
  Class name: class PacketLoggingNotifier(sg_rpc.SecurityGroupAgentRpcApiMixin)
  Topics: Agent, version: 1.0
  Interface:
    Server: in class SecurityGroupAgentRpcApiMixin
      security_group_logging_updated(self, context, security_group_id)
      security_group_rule_logging_updated(self, context, security_group_rule_id)
    Agent: in class SecurityGroupAgentRpcCallbackMixin
      security_group_logging_updated(self, context, **kwargs)
      security_group_rule_logging_updated(self, context, **kwargs)
    Driver: _add_security_group_rule_logging(self, port, direction) => implements adding a LOG rule to iptables.
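The driver step above ends in an iptables LOG rule whose output an operator later reads back. The following is an added example, not code from the patch sets: it builds a rate-limited LOG rule and maps kernel log lines back to the logged object. The chain name, the log-prefix convention and the sample lines are assumptions of this example.

```python
import re
from collections import Counter

SERVICE_TYPES = ("fw", "fw-rule", "sg", "sg-rule")  # Enum values from the slide

def build_log_rule(chain, service_type, object_id, limit="10/min"):
    """Arguments for one rate-limited iptables LOG rule appended to `chain`."""
    if service_type not in SERVICE_TYPES:
        raise ValueError("unsupported service_type: %r" % (service_type,))
    # Prefix "<service_type>:<first 8 chars of id> " is this example's own
    # convention; it stays well under the LOG target's 29-character limit.
    prefix = "%s:%s " % (service_type, object_id[:8])
    # The limit match keeps a packet flood from filling the log volume.
    return ["-A", chain, "-m", "limit", "--limit", limit,
            "-j", "LOG", "--log-prefix", prefix]

_LINE = re.compile(r"\b(fw-rule|sg-rule|fw|sg):([0-9a-f]{8}) (.*)$")

def parse_log_line(line):
    """Map one kernel LOG line back to the logged object; None if not ours."""
    m = _LINE.search(line)
    if m is None:
        return None
    # Flags such as DF or SYN carry no "=" and are skipped.
    kv = dict(f.split("=", 1) for f in m.group(3).split() if "=" in f)
    return {"service_type": m.group(1), "object": m.group(2),
            "src": kv.get("SRC"), "dst": kv.get("DST"),
            "proto": kv.get("PROTO"), "dpt": kv.get("DPT")}

def sources_per_object(lines):
    """Count logged packets per (object id prefix, source address)."""
    hits = (parse_log_line(line) for line in lines)
    return Counter((h["object"], h["src"]) for h in hits if h)

# Constructed sample syslog lines, not captured from a real host.
SAMPLE = [
    "Aug 23 10:00:01 host1 kernel: sg:0988a52c IN=tap0 OUT= SRC=10.0.0.5 "
    "DST=10.0.0.9 LEN=60 TTL=64 DF PROTO=TCP SPT=40000 DPT=22 SYN",
    "Aug 23 10:00:02 host1 kernel: sg:0988a52c IN=tap0 OUT= SRC=10.0.0.5 "
    "DST=10.0.0.9 LEN=60 TTL=64 DF PROTO=TCP SPT=40001 DPT=22 SYN",
    "Aug 23 10:00:03 host1 kernel: sg:0988a52c IN=tap0 OUT= SRC=10.0.0.7 "
    "DST=10.0.0.9 LEN=60 TTL=64 DF PROTO=TCP SPT=51000 DPT=3306 SYN",
    "Aug 23 10:00:04 host1 sshd[811]: Accepted publickey for admin",
]
```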
Security group logging experiment (1)
Create instances (VMs) with a custom security group attached.
Security group logging experiment (2)
Security group logging experiment (3)
Create instances (VMs) with a custom security group attached.
Security group logging experiment (4)
Create instances (VMs) with a custom security group attached.
Enable/Disable logging and check Iptables and packet log.
Firewall logging experiment (1)
Create the firewall as normal.
Firewall logging experiment (2)
Create the firewall as normal.
Firewall logging experiment (3)
Enable/Disable logging and check iptables and packet log.
1. Method: POST
2. URL: http://192.168.100.73:9696/v2.0/packet-loggings
3. Headers:
   x-auth-token: 8b93abf5fdeb4097a1a163fd421d8a3d
4. Body:
   {
     "packet_logging": {
       "tenant_id": "aaf1bfbf6fbc4b948f2c98899c513525",
       "object_id": "0988a52c-9a57-4f80-8914-b6dd4cb130d5",
       "service_type": "fw"
     }
   }
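A server-side check of the request body above, written against the columns of the PacketLogging model. This is an added example, not code from the patch sets; the function name, the rejection of unknown attributes and the tenant-ownership policy are assumptions of this example.

```python
import uuid

SERVICE_TYPES = ("fw", "fw-rule", "sg", "sg-rule")  # Enum values from the model
ALLOWED_KEYS = {"tenant_id", "object_id", "service_type"}

def validate_packet_logging(body, caller_tenant_id, is_admin=False):
    """Return the cleaned resource dict, or raise ValueError."""
    if not isinstance(body, dict) or set(body) != {"packet_logging"}:
        raise ValueError("body must hold exactly one 'packet_logging' object")
    res = body["packet_logging"]
    if not isinstance(res, dict):
        raise ValueError("'packet_logging' must be an object")
    unknown = set(res) - ALLOWED_KEYS
    if unknown:
        raise ValueError("unknown attributes: %s" % sorted(unknown))
    if res.get("service_type") not in SERVICE_TYPES:
        raise ValueError("service_type must be one of %s" % (SERVICE_TYPES,))
    raw_id = res.get("object_id")
    try:
        canonical = str(uuid.UUID(raw_id))
    except (ValueError, TypeError, AttributeError):
        raise ValueError("object_id is not a UUID")
    # Accept only the 36-character hyphenated form that fits sa.String(36).
    if canonical != raw_id.lower():
        raise ValueError("object_id must be in canonical UUID form")
    tenant_id = res.get("tenant_id", caller_tenant_id)
    # Assumed policy: only an admin may create a log for another tenant.
    if tenant_id != caller_tenant_id and not is_admin:
        raise ValueError("tenant_id does not match the caller")
    return {"tenant_id": tenant_id, "object_id": canonical,
            "service_type": res["service_type"]}

# Body taken from the slide's request.
SLIDE_BODY = {"packet_logging": {
    "tenant_id": "aaf1bfbf6fbc4b948f2c98899c513525",
    "object_id": "0988a52c-9a57-4f80-8914-b6dd4cb130d5",
    "service_type": "fw"}}
```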
Conclusion: We have already implemented the NEW API extension.
THANK YOU!
Reference link
https://docs.google.com/presentation/d/1nXzNXKIfCfotdav5BzkceDiOfDypEkvtTfVXCGdq6rY/edit#slide=id.g33084527_0_60
https://review.openstack.org/#/c/204481/ Patch set 1
https://review.openstack.org/#/c/204484/ Patch set 1
Copyright 2014 Fujitsu Vietnam Limited