Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant Agreement n Neutron/Openstack Networking INFN CHAIN REDS School on Cloud Computing

What does Neutron do ? Event / Place / Date 2  Complete control over network resources  Port, subnet, networks  Build complex topologies based on user/tenants  Assigns its own network segmentation process  L3 functionalities  NAT, Security groups, DVR (since Juno)  Advanced Services  Load Balancer as a Service (LBaaS)  VPN as a Service  Firewall as a Service  Supporting vendor specific extensions

Looking back Event / Place / Date 3  Neutron solves two main issues in its predecessor, Nova-Network 1. Limited network technology  Basic linux bridging implementation  Missing ACL, QoS  Limited multi-tenancy isolation 2. Limited user/tenant control over the network  Tenant couldn’t create their own topology  Tenant couldn’t leverage different network virtualization technologies

Networking as a service Event / Place / Date 4 Openstack Networking – Neutron is a pluggable, scalable and API driven system to manage network and IP addresses  Provides REST API to manage network connections for the resources managed by other OS services (mainly Nova)  Technology agnostic – plugin based  Multi-tenancy : Isolation & abstraction (mainly through Linux namespaces)  Modular : API specifies design, vendors provide implementation (optionally providing implementation extensions)  Expose vendor specific network virtualization and SDN technologies  Although it’s a core OS service, can be used standalone, outside of Openstack

Concepts Event / Place / Date 5 Network : representing isolated virtual Layer-2 domains; a network can also be regarded as a virtual (or logical) switch; Subnet : representing IPv4 or IPv6 address blocks from which IPs to be assigned to VMs on a given network are selected. Ports : represent virtual (or logical) switch ports on a given network. Virtual instances attach their interfaces into ports. The logical port also defines the MAC address and the IP address(es) to be assigned to the interfaces plugged into them. IP addresses – port association implies port-subnet association, as the IP address is taken from the allocation pool for a specific subnet.

Neutron plugins Event / Place / Date 6  Modular Layer 2 (ML2)  ML2 can concurrently use multiple layer2 networking technologies  Open vSwitch, Linux Bridge, Hyper-v L2, Openflow (ryu), OpenDayLight  Cisco  NXOS, N1Kv  NEC  Hyper-V  Brocade  BigSwitch  VMWare NSX

Nova-Neutron handshake Event / Place / Date 7 1. Nova boot get into compute driver, which call neutron api to create port 2. Neutron server creates port object and allocates it with IP address from subnet 3. Neutron server notifies neutron-dhcp agent with the created port object 4. Neutron dhcp-agent configs dhcp server with the port object (IP, MAC, gw, routes) 5. Compute driver gets network information, creates port on br-int soft-switch and then starts the VM with a tap device attached on the soft-switch port 6. Soft-neutron-agent (i.e. ovs-agent) detects and gets to know there is a new soft-switch port created 7. Soft-neutron-agent retrieves port (flows, vlan id) from neutron server and connects VM’s network 8. VM gets its IP address with dhcp client

Component deployments – ML2 Event / Place / Date 8  Neutron Server  Implements rest API and extensions  Enforce network model (network, subnet, port)  IP address to each port  Soft switch plugin agent  Run on each compute node  Connect instances to each port  DHCP agent  Run on each compute node  Start/stop dhcp server  Maintain dhcp configuration  L3 agent  One per network  Implements floating IP and other L3 features (NAT)  Queue  Enhance communications among each component  DB  Provide persistence Neutron Server & plugin Neutron Server & plugin L3 Agent (FW & NAT) L3 Agent (FW & NAT) Service VPNaaS- Agent DHCP agent Plugin agent (soft-switch) Plugin agent (soft-switch) Queue DB Service LBaaS- Agent

Openstack networks Event / Place / Date 9  Management network : it’s used for the internal communication between OS components. IP address on this net should be reachable only within data center  Data network : used for VM data communication within the cloud deployment. IP addressing depends on the OS plugin being used  External network: Used to provide VMs with Internet access. IP address here should be reachable by anyone  API network: Exposes OS API to tenants. Generally External Network is used on this purpose

Functional diagram Event / Place / Date 10

Tenants and provider networks Event / Place / Date 11 Tenant networks provide projects connectivity. By default TN are fully isolated and are not shared. Tenant networks supported :  Flat : all instances reside on the same network, which can also be shared with the hosts.  No VLAN tagging or other network segregation  Local : Instances reside on the local compute host  VLAN : users can create multiple provider or tenant networks using VLAN IDs (tagged) that correspond to VLANs present in the physical network.  Allows interactions with services (firewalls, load balancers..) on the same layer-2 VLAN.  VXLAN and GRE : use network overlays to support private communication between instances. Networking router is required  to enable traffic to traverse outside of the GRE or VXLAN tenant network.  to connect directly-connected tenant networks with external networks  to connect to instances directly from an external network using floating IP addresses. Provider networks : map directly to an existing physical network. Useful network types are flat (untagged) and VLAN (tagged). Provider networks can be shared among tenants

Event / Place / Date 12

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant Agreement n Glance-Image Store INFN CHAIN REDS School on Cloud Computing

What is Glance Event / Place / Date 14  Glance project provides a service where users can upload and discover data assets meant to be used with other services  Images  Metadata definitions  Glance image services allow to discover, register and retrieve virtual machine images  RESTful API for query of image metadata as well as retrieval  VM images made available by Glance can be stored in multiple locations  Local filesystem  Object storage (Swift)

Glance architecture Event / Place / Date 15 Img source : Glance-api : accepts API calls (by nova and/or end users) for image discovery, retrieval and storage Glance-registry : stores, processes and retrieve metadata about images Size, type, etc… Glance-database : persistent storage of images metadata

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant Agreement n Dashboard : Horizon INFN CHAIN REDS School on Cloud Computing

What is Horizon Event / Place / Date 17  Horizon provides a modular, web-based, user interface for the Openstack services  Stateless  Error handling delegated to backend  Not all API functions supported  Sessions stored via memcached or database  Updates get via polling to nova- api  Basic operations  From UI  Login  Specification of VM params  VM creation  Under the hood  Conversion of form parameters into POST data  HTTP post request to backend  Possible to cache authorization cache avoiding to contact Keystone each time

Horizon – Admin overview Event / Place / Date 18

Horizon – Instances overview Event / Place / Date 19

Horizon – Images overview Event / Place / Date 20

Horizon – launch instance Event / Place / Date 21

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant Agreement n Thank you !