Difference between revisions of "Meetings/VPNaaS"
Paul Michali (talk | contribs) (→Agenda) |
Paul Michali (talk | contribs) (→Agenda) |
||
| Line 17: | Line 17: | ||
Updated July 21st, 2015 | Updated July 21st, 2015 | ||
| − | * Grenade Plugin | + | * Devstack Plugin - reverting changes and will redo effort |
| − | * VPN Functional tests for Neutron commits | + | * Grenade Plugin postponed for now |
| − | * Local tunnel IP | + | * VPN Functional tests for Neutron commits stalled |
| − | * Multiple local subnet enhancement | + | * Local tunnel IP awaiting approval |
| + | * Multiple local subnet enhancement - started on tunnel endpoints. | ||
== Announcements == | == Announcements == | ||
| − | * | + | * Problem with DevStack Plugin and kilo release, so reverting and re-designing |
| + | * Will go back to on-demand meetings | ||
| + | |||
| + | == Devstack plugin == | ||
| + | Found a few problems, once deployed. First, neutronclient and EC2 project use VPN in tests (needed plugin for them). Second, cannot have both q-vpn service and plugin in use at the same time (double config). Third, disabling q-vpn, although good for several jobs, applies globally and thus breaks stable/kilo jobs, which don't have the plugin. | ||
| + | |||
| + | Plan: | ||
| + | * Revert changes so that q-vpn service is re-enabled, and plugin is not used. | ||
| + | * Modify devstack and plugin so that both q-vpn and plugin can be specified (with plugin overriding). | ||
| + | * Create new jobs for Liberty that use the plugin. | ||
| + | * Remove q-vpn use from jobs that shouldn't be testing it. | ||
| + | * Backport those change to Kilo. | ||
| + | * Remove q-vpn specification. | ||
| + | |||
== Grenade Plugin == | == Grenade Plugin == | ||
| − | + | Because Grenade does not support nested upgrades (Neutron + Advanced Services), work on this has been postponed(https://review.openstack.org/#/c/203159/). Will either need to modify Grenade to support nested updates or to (possibly) clone advanced services during neutron project processing and then create new project for advanced services processing. | |
| + | |||
== VPN Functional Tests for Neutron Commits == | == VPN Functional Tests for Neutron Commits == | ||
| Line 35: | Line 50: | ||
== Local Tunnel IP == | == Local Tunnel IP == | ||
| − | Code out for review (https://review.openstack.org/#/c/199670/) | + | Code out for review (https://review.openstack.org/#/c/199670/). Waiting for core approval, but delayed because of DevStack/test issues. |
== Multiple Local Subnets on VPN connection == | == Multiple Local Subnets on VPN connection == | ||
| Line 41: | Line 56: | ||
Ref: https://bugs.launchpad.net/neutron/+bug/1459423 | Ref: https://bugs.launchpad.net/neutron/+bug/1459423 | ||
| − | Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused. | + | Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused. Started implementing create API for endpoint groups |
| − | |||
== Bugs under Review == | == Bugs under Review == | ||
| Line 58: | Line 72: | ||
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)... | Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)... | ||
* Could use python34 support added to neutron-vpnaas. Several tests are being disabled. | * Could use python34 support added to neutron-vpnaas. Several tests are being disabled. | ||
| + | * Grenade work to support Advanced Services, so that plugin can be activated. | ||
* Validation that peer IP for VPN connection is of same version as router's GW I/F. | * Validation that peer IP for VPN connection is of same version as router's GW I/F. | ||
* User documentation for Networking Guide. (including limitations/restrictions) | * User documentation for Networking Guide. (including limitations/restrictions) | ||
Revision as of 13:06, 11 August 2015
Contents
- 1 Meetings
- 2 Logs and Minutes
- 3 Agenda
- 3.1 Announcements
- 3.2 Devstack plugin
- 3.3 Grenade Plugin
- 3.4 VPN Functional Tests for Neutron Commits
- 3.5 Local Tunnel IP
- 3.6 Multiple Local Subnets on VPN connection
- 3.7 Bugs under Review
- 3.8 Open Discussion
- 3.9 Bucket List
- 3.10 BGP/MPLS and Edge VPN
- 3.11 Interested People
- 3.12 Charter
- 3.13 Meeting Commands
Meetings
- Weekly on-demand on Tuesdays at 1600 UTC
- IRC channel: #openstack-meeting-3
- Chair: pc_m (Paul Michali)
If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.
Next meeting: Tuesday, August 4th, 2015.
Logs and Minutes
Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/
Agenda
Updated July 21st, 2015
- Devstack Plugin - reverting changes and will redo effort
- Grenade Plugin postponed for now
- VPN Functional tests for Neutron commits stalled
- Local tunnel IP awaiting approval
- Multiple local subnet enhancement - started on tunnel endpoints.
Announcements
- Problem with DevStack Plugin and kilo release, so reverting and re-designing
- Will go back to on-demand meetings
Devstack plugin
Found a few problems, once deployed. First, neutronclient and EC2 project use VPN in tests (needed plugin for them). Second, cannot have both q-vpn service and plugin in use at the same time (double config). Third, disabling q-vpn, although good for several jobs, applies globally and thus breaks stable/kilo jobs, which don't have the plugin.
Plan:
- Revert changes so that q-vpn service is re-enabled, and plugin is not used.
- Modify devstack and plugin so that both q-vpn and plugin can be specified (with plugin overriding).
- Create new jobs for Liberty that use the plugin.
- Remove q-vpn use from jobs that shouldn't be testing it.
- Backport those change to Kilo.
- Remove q-vpn specification.
Grenade Plugin
Because Grenade does not support nested upgrades (Neutron + Advanced Services), work on this has been postponed(https://review.openstack.org/#/c/203159/). Will either need to modify Grenade to support nested updates or to (possibly) clone advanced services during neutron project processing and then create new project for advanced services processing.
VPN Functional Tests for Neutron Commits
Testing is stalled. VPN functional test is NOT using the neutron patch set correctly.
Local Tunnel IP
Code out for review (https://review.openstack.org/#/c/199670/). Waiting for core approval, but delayed because of DevStack/test issues.
Multiple Local Subnets on VPN connection
Ref: https://bugs.launchpad.net/neutron/+bug/1459423
Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused. Started implementing create API for endpoint groups
Bugs under Review
Current bugs: VPN bugs
Current reviews: VPNaaS reviews
Need resolution of gate issues for: https://review.openstack.org/#/c/159746
Open Discussion
Bucket List
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
- Could use python34 support added to neutron-vpnaas. Several tests are being disabled.
- Grenade work to support Advanced Services, so that plugin can be activated.
- Validation that peer IP for VPN connection is of same version as router's GW I/F.
- User documentation for Networking Guide. (including limitations/restrictions)
- Coverage, especially in database and device driver modules, is lacking.
- Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
- Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
- The OpenSwan class should be separated from the ABC definition, and placed into a new module.
- Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
- Documentation on how to use StrongSwan
- Developer Reference Documentation needed.
- Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
- StrongSwan execute_with_mount() to allow configurable rootwrap config file.
- Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
- Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
- There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
- Should enhance/add unit test cases for:
- Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
- Verification of contents of configuration files created for StrongSwan and OpenSwan.
- Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
BGP/MPLS and Edge VPN
Info:
- Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with specs:
- Edge VPN service provisioning APIs: https://review.openstack.org/#/c/201378
- Neutron extension for edge VPN: https://review.openstack.org/#/c/201381
- BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposal https://review.openstack.org/#/c/177740
Interested People
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
- Paul Michali (pc_m)
- Sridhar Ramaswamy (sridha_ram)
- Al Miller (ajmiller)
Charter
Meeting Commands
/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo
...
#endmeeting
