Difference between revisions of "Heat/Blueprints/Multi Region Support for Heat"
< Heat
| Line 140: | Line 140: | ||
| phase1_negotiation_mode || IKE mode "main". | | phase1_negotiation_mode || IKE mode "main". | ||
|- | |- | ||
| − | | lifetime_units || Lifetime of the SA unit in | + | | lifetime_units || Lifetime of the SA unit in "seconds" or "kilobytes". |
|- | |- | ||
| − | | lifetime_value || Lifetime value in | + | | lifetime_value || Lifetime value in seconds or kilobytes. |
|- | |- | ||
| − | | pfs || Perfect Forward Secrecy ( | + | | pfs || Perfect Forward Secrecy (group2, group5, group14). |
|- | |- | ||
| ike_version || v1 or v2 version. | | ike_version || v1 or v2 version. | ||
| Line 158: | Line 158: | ||
"Type" : "OS::Quantum::IKEPolicy", | "Type" : "OS::Quantum::IKEPolicy", | ||
"Properties" : { | "Properties" : { | ||
| − | "Name" : | + | "Name" : "MyIKEPolicy", |
| − | "Description" : | + | "Description" : "My new IKE policy", |
| − | "AuthAlgorithm" : | + | "AuthAlgorithm" : "sha1", |
"EncryptionAlgorithm" : "3des", | "EncryptionAlgorithm" : "3des", | ||
| − | "Phase1NegotiationMode" : | + | "Phase1NegotiationMode" : "main", |
| − | + | "LifetimeUnits" : "seconds", | |
| − | + | "LifetimeValue" : 3600, | |
| − | + | "PFS" : "group5", | |
| − | + | "IKEVersion" : "v1", | |
} | } | ||
... | ... | ||
Revision as of 20:39, 15 July 2013
Contents
Overview
Introduction
Most of enterprises are focusing on Multi-cloud (using both private and public clouds) as enterprise cloud strategy. They will not completely migrate to Service Provider's cloud (public cloud). They will still keep their mission critical information assets to their premise or collocation space (private cloud).
Our goal is to create Hybrid-cloud (combination of public and private cloud). Creating Hybrid-cloud requires:
- Seamless operation among heterogeneous environment
- End-to-end automatic provisioning based on system template (VM, network, topology)
- Unified control and monitoring
- Multi-Hypervisor including bare-metal
- Multi-Region control
- Secure network access via Internet (VPN connection)
Multi Region Heat
Requirements & Challenges
Requirements for Heat:
- Mapping between Regions and API endpoints
- Mapping between Regions and Images
- Specifying Region for each resource
- Support for VPN as resource
- Horizon interface for Heat with multi regions
Challenges:
- dealing with dependencies between resources in different regions
- minimizing number of single region templates for which multi region template will be split
- figure out efficient way to update multi region stack
Goal
Basic Use Case Scenario
Multi region first use case
We have two regions (East and West) with separate OpenStack installations. We want to use Heat with multi region support to create in both regions:
- Quantum Network
- Quantum Subnet
- 10.1.0.0/24 in East
- 10.2.0.0/24 in West
- Router
- Router Interface for created subnet
- Router Gateway for external network
- VPN Service for created router
- IKE Policy
- IPsec Policy
- VPN Connection
- Server connected to created subnet
Template file example in appendix.
Architecture
Overview
Components Diagram
Description:
- More than one region (for example two: East and West)
- Separate OpenStack installation (Nova, Glance, Swift, Neutron and Cinder) in each region
- One Keystone service for all regions
- One Horizon with multi region support
- One Heat for multi region orchestration - to be clear right now it does not exist
Template Flow
Template flow
Challenges & Solutions
| Challenge | First step | Future work |
|---|---|---|
| Dependencies between resources from different regions. | There will be not such dependencies and we do not need to deal with them. | Multi region Heat component will be responsible for dealing with dependencies and creation order (needs to create dependencies graph where each node is a single region template). |
| Amount of single region templates. | Only one template for each region containing all resources from that region. It is possible because there is not dependencies between regions. | Decreasing number of templates by putting independent resources to the same template (assuming we have dependencies between resources from different regions). |
| Update stack | Silly update (Delete old and Create new) | More efficient update. |
What needs to be done
Heat
Engine
Adding new resources types:
- VPNServices
- IKEPolicy
- IPsecPolicy
- VPNConnections
VPNServices
| Property | Description |
|---|---|
| name | Name of the VPN Service. |
| description | Description of the VPN Service. |
| admin_state_up | Administrative state of vpnservice. If false (down), port does not forward packets. |
| subnet_id | Subnet id in which the tenant wants the vpn service. |
| router_id | Router id to which the vpn service is inserted. |
Example:
...
"Resources" : {
...
"VPNService" : {
"Type" : "OS::Quantum::VPNService",
"Properties" : {
"Name" : "MyVPN",
"Description" : "My new VPN",
"AdminStateUP" : True,
"SubnetId" : { "Ref" : "Subnet" },
"RouterId" : { "Ref" : "Router" }
}
...
},
...
IKEPolicy
| Property | Description |
|---|---|
| name | Friendly name for the IKE policy. |
| description | Description of the IKE policy. |
| auth_algorithm | Authentication Hash algorithms "sha1". |
| encryption_algorithm | Encryption Algorithms 3des, aes-128, aes-256, aes-192 etc. |
| phase1_negotiation_mode | IKE mode "main". |
| lifetime_units | Lifetime of the SA unit in "seconds" or "kilobytes". |
| lifetime_value | Lifetime value in seconds or kilobytes. |
| pfs | Perfect Forward Secrecy (group2, group5, group14). |
| ike_version | v1 or v2 version. |
Example:
...
"Resources" : {
...
"IKEPolicy" : {
"Type" : "OS::Quantum::IKEPolicy",
"Properties" : {
"Name" : "MyIKEPolicy",
"Description" : "My new IKE policy",
"AuthAlgorithm" : "sha1",
"EncryptionAlgorithm" : "3des",
"Phase1NegotiationMode" : "main",
"LifetimeUnits" : "seconds",
"LifetimeValue" : 3600,
"PFS" : "group5",
"IKEVersion" : "v1",
}
...
},
...
IPsecPolicy
VPNConnections
API/CLI
Probably we do not need to add any new command.
UI
Existing UI views:
- Stack List for Tenant
- Launch new Stack
- Stack Details
- Overview tab
- Resources tab
- Events tab
- Resource Details
