Jump to: navigation, search

Difference between revisions of "Meetings/VPNaaS"

(Agenda)
(Agenda)
Line 15: Line 15:
 
= Agenda =
 
= Agenda =
  
Updated July 7th, 2015
+
Updated July 21st, 2015
  
 +
* Grenade Plugin
 +
* VPN Functional tests for Neutron commits
 +
* Migration changes
 
* Local tunnel IP
 
* Local tunnel IP
 
* VPN with HA router
 
* VPN with HA router
Line 25: Line 28:
 
== Announcements ==
 
== Announcements ==
  
* Grenade job for Neutron disabling services
+
* DevStack Plugin is upstreamed, removing VPN setup from DevStack
* Devstack plugin for VPN, out for review (https://review.openstack.org/200592)
+
* Grenade tests for VPN are experimental right now
* "M" summit VPN topics?
+
 
 +
== Grenade Plugin ==
 +
Working on plugin, have code out for review (https://review.openstack.org/#/c/203159/). Having an issue with getting the plugin to actually trigger.
 +
 
 +
== VPN Functional Tests for Neutron Commits ==
 +
Testing with dummy Neutron commit, but VPN functional test is NOT using the Neutron patchset, and instead is using latest from Neutron. Investigating.
 +
 
 +
== Migration Changes ==
 +
Neutron is changing migration into two branches, one that does the "safe" migration, and one that does the "unsafe" migration (after new version is restarted). Ihar is working on changing both Neutron and VPn repos.
  
 
== Local Tunnel IP ==
 
== Local Tunnel IP ==
Working on implementing https://bugs.launchpad.net/neutron/+bug/1464387. Code out for review (please look at it). Will do separate commit for Neutron client. Suggest we do validation check for IPsec connection, ensuring peer's IP version matches IP version of router's fixed IPs.
+
Code out for review (https://review.openstack.org/#/c/199670/). Waiting for Grenade plugin (to be able to test migration part of this change - though I've checked it manually), and changes to migration as mentioned above (of which a minor change is needed to this patch-set), but overall it works (please review!). No client mod is needed.
  
 
== VPN with HA Router ==
 
== VPN with HA Router ==
WIP code out for review https://review.openstack.org/200636. Needs review. Concern over GW IP (local tunnel IP) impact.
+
Anything new here (https://review.openstack.org/200636)?
  
 
== Multiple Local Subnets on VPN connection ==
 
== Multiple Local Subnets on VPN connection ==
Line 39: Line 50:
 
Ref: https://bugs.launchpad.net/neutron/+bug/1459423
 
Ref: https://bugs.launchpad.net/neutron/+bug/1459423
  
Review of developer reference doc (https://review.openstack.org/#/c/191944). New rev available; please review so we can converge on a proposal. Would like to know if it will work for other VPN flavors.
+
Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused.
  
 
== BGP/MPLS and Edge VPN ==
 
== BGP/MPLS and Edge VPN ==
Line 70: Line 81:
  
 
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
 
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
* Create VPN grenade job to test migrations for VPN.
 
 
* Validation that peer IP for VPN connection is of same version as router's GW I/F.
 
* Validation that peer IP for VPN connection is of same version as router's GW I/F.
 
* User documentation for Networking Guide. (including limitations/restrictions)
 
* User documentation for Networking Guide. (including limitations/restrictions)
 
* Coverage, especially in database and device driver modules, is lacking.
 
* Coverage, especially in database and device driver modules, is lacking.
* Need functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
+
* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
 
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
 
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
 
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
Line 84: Line 94:
 
* Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
 
* Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
 
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
 
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
* Devstack support for VPNaaS (see LBaaS including devstack setup in their repo).
 
 
* There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
 
* There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
 
* Should enhance/add unit test cases for:
 
* Should enhance/add unit test cases for:

Revision as of 12:20, 21 July 2015

Meetings

  • Weekly on-demand on Tuesdays at 1600 UTC
  • IRC channel: #openstack-meeting-3
  • Chair: pc_m (Paul Michali)


If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.

Next meeting: Tuesday, July 14th, 2015.

Logs and Minutes

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/

Agenda

Updated July 21st, 2015

  • Grenade Plugin
  • VPN Functional tests for Neutron commits
  • Migration changes
  • Local tunnel IP
  • VPN with HA router
  • Multiple local subnet enhancement
  • BGP/MPLS VPN and Edge VPN discussion


Announcements

  • DevStack Plugin is upstreamed, removing VPN setup from DevStack
  • Grenade tests for VPN are experimental right now

Grenade Plugin

Working on plugin, have code out for review (https://review.openstack.org/#/c/203159/). Having an issue with getting the plugin to actually trigger.

VPN Functional Tests for Neutron Commits

Testing with dummy Neutron commit, but VPN functional test is NOT using the Neutron patchset, and instead is using latest from Neutron. Investigating.

Migration Changes

Neutron is changing migration into two branches, one that does the "safe" migration, and one that does the "unsafe" migration (after new version is restarted). Ihar is working on changing both Neutron and VPn repos.

Local Tunnel IP

Code out for review (https://review.openstack.org/#/c/199670/). Waiting for Grenade plugin (to be able to test migration part of this change - though I've checked it manually), and changes to migration as mentioned above (of which a minor change is needed to this patch-set), but overall it works (please review!). No client mod is needed.

VPN with HA Router

Anything new here (https://review.openstack.org/200636)?

Multiple Local Subnets on VPN connection

Ref: https://bugs.launchpad.net/neutron/+bug/1459423

Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused.

BGP/MPLS and Edge VPN

Need feedback from the BGP team, on the endpoints API proposal to see if it can adapt for use in the future for BGPVPN.

Please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.

Anything to discuss here? Next steps?

Info:

Bugs under Review

Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Need resolution of gate issues for: https://review.openstack.org/#/c/159746


Open Discussion

Bucket List

Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...

  • Validation that peer IP for VPN connection is of same version as router's GW I/F.
  • User documentation for Networking Guide. (including limitations/restrictions)
  • Coverage, especially in database and device driver modules, is lacking.
  • Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
  • Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
  • The OpenSwan class should be separated from the ABC definition, and placed into a new module.
  • Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
  • Documentation on how to use StrongSwan
  • Developer Reference Documentation needed.
  • Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
  • StrongSwan execute_with_mount() to allow configurable rootwrap config file.
  • Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
  • Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
  • There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
  • Should enhance/add unit test cases for:
    • Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
    • Verification of contents of configuration files created for StrongSwan and OpenSwan.
    • Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).


Interested People

List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):

  • Paul Michali (pc_m)
  • Sridhar Ramaswamy (sridha_ram)
  • Al Miller (ajmiller)


Charter

VPNaaS Team Charter


Meeting Commands

/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo

...

#endmeeting




Retrieved from "https://wiki.openstack.org/w/index.php?title=Meetings/VPNaaS&oldid=86393"