Latest revision as of 17:15, 13 November 2015

Meetings

On-demand on Tuesdays at 1600 UTC
IRC channel: #openstack-meeting-3
Chair: pc_m (Paul Michali)

There currently are no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting, or hold an on-demand meeting in the above reserved channel. If doing the latter, please update the agenda, and next meeting date on this page, and post a notice on the openstack-dev mailing list with ample time for people to allocate time to attend (you may want to request a quorum).

Next meeting: TBD

Logs and Minutes

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/

Agenda

Updated Oct 5th, 2015

Local multiple subnet

Announcements

Endpoint group server and client code is upstreamed.
Devstack plugin for neutronclient commit to make voting.
Multiple local subnet feature and CLI pushed for review.

Multiple Local Subnets

Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.

Will work on follow-up commits for functional tests, API documentation, and additional validation.

DevRef: https://review.openstack.org/#/c/191944

Bugs under Review

Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Open Discussion

Bucket List

Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:

Very Important

Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).

Important

Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
Documentation on how to use StrongSwan
Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Redhat.

Nice to Have

Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
Improve coverage in UTs.
- Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
- Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
The OpenSwan class should be separated from the ABC definition, and placed into a new module.
Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
Developer Reference Documentation needed.
Migrate to using neutronclient extension for VPN (and create job).
StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).

Pie in the Sky Items

Explore leveraging off of endpoint group mechanism for other VPN flavors.
Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?

Interested People

List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):

Paul Michali (pc_m)
Sridhar Ramaswamy (sridha_ram)
Al Miller (ajmiller)
Victor Howard (vichoward)

Charter

VPNaaS Team Charter

Meeting Commands

/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo

...

#endmeeting

@@ Line 1: / Line 1: @@
 = Meetings =
-* Weekly on Tuesdays at 1500 UTC
+* On-demand on Tuesdays at 1600 UTC
-* IRC channel: <code><nowiki>#openstack-meeting-4</nowiki></code>
+* IRC channel: #openstack-meeting-3
-* Chair: Paul Michali (pc_m)
+* Chair: pc_m (Paul Michali)
+There currently are no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting, or hold an on-demand meeting in the above reserved channel. If doing the latter, please update the agenda, and next meeting date on this page, and post a notice on the openstack-dev mailing list with ample time for people to allocate time to attend (you may want to request a quorum).
+Next meeting: TBD
 = Logs and Minutes=
@@ Line 9: / Line 14: @@
 = Agenda =
+Updated Oct 5th, 2015
-Updated February 17th, 2015
+* Local multiple subnet
 == Announcements ==
+* Endpoint group server and client code is upstreamed.
+* Devstack plugin for neutronclient commit to make voting.
+* Multiple local subnet feature and CLI pushed for review.
+== Multiple Local Subnets ==
+Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.
+Will work on follow-up commits for functional tests, API documentation, and additional validation.
+DevRef: https://review.openstack.org/#/c/191944
+== Bugs under Review ==
-* Will need new functional job for StrongSwan. Plan to use separate root areas.
+Current bugs: [https://bugs.launchpad.net/neutron/+bugs?field.searchtext=vpnaas&search=Search&field.status%3Alist=NEW&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.assignee=&field.bug_reporter=&field.omit_dupes=on&field.has_patch=&field.has_no_package=&orderby=status&start=0 VPN bugs]
-* Deferring making functional gate voting, until restructure functional tests.
-* Please push up for review (or recheck existing reviews) code for functional tests.
-* Review out to enable functional test coverage for VPN.
-* Please review open bugs and blueprints.
-== Functional Testing ==
+Current reviews:  [https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z VPNaaS reviews]
-Be sure to check dsvm-neutron-vpnaas-dsvm-functional test results, when code pushed for review, as test is non-voting.
+== Open Discussion ==
-Since StrongSwan has different requirements for operation (IPSEC_PACKAGE set to strongswan, and AppArmor disabled), a separate job will be needed. WIll be posting a proposal to mailing list on how to organize test area, along with questions on handling scenario testing (see below)
+== Bucket List ==
+Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:
-Need functional tests for both OpenSwan and StrongSwan (have some under https://review.openstack.org/#/c/144391/).
+=== Very Important ===
+* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
+* Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).
-== Scenario Testing ==
+=== Important ===
-Several complications here. First, we'll need different jobs to handle the StrongSwan versus OpenSwan cases.
+* Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
+* Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
+* User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
+* Documentation on how to use StrongSwan
+* Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
+* Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
+* Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
+* Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
+* Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
+* Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
+* Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
+* Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Redhat.
-Second, we have two implementations of functional tests out for review (https://review.openstack.org/#/c/140072/8, https://review.openstack.org/#/c/153292/5). Have discussed with both developers and neither had a preference on their particular proposal. Nikolay is able to proceed with his review (the first one), Zhang is on vacation for 10 days, and agreed that it would be fine to move forward with Nikolay's implementation. It's great that both are stepping up to help on this. We need everyone's help in making sure the solution that we end up with is the best, so please review Nikolay's code and provide feedback (also look at Zhang's and if there are elements there that should be in Nikolay's). If there are better approaches to testing this, please speak up in the review, so we avoid rework!
+=== Nice to Have ===
+* Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
+* Improve coverage in UTs.
+** Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
+** Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
+* Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
+* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
+* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
+* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
+* Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
+* Developer Reference Documentation needed.
+* Migrate to using neutronclient extension for VPN (and create job).
+* StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
+* Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).
-Third, both commits are targeted to the Tempest repo, which is in the process of being migrated to Neutron, and a tempest library is being developed. Need to discuss with QA team (above email will start discussion), on whether the scenario test should be placed into the Tempest repo and then let it migrate along with other tests, or whether this can be placed in the VPNaaS repo and use the tempest library (and when will that be available).
+=== Pie in the Sky Items ===
+* Explore leveraging off of endpoint group mechanism for other VPN flavors.
+* Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?
-== Bugs ==
+== Interested People ==
-Current bugs:  [https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z VPNaaS bugs]
-Bring up any bugs of interest.
+List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
-== Open Discussion ==
+* Paul Michali (pc_m)
+* Sridhar Ramaswamy (sridha_ram)
+* Al Miller (ajmiller)
+* Victor Howard (vichoward)
 == Charter ==
 [[NeutronSubteamCharters#VPNaaS_Team|VPNaaS Team Charter]]
 == Meeting Commands ==
-<nowiki>/join #openstack-meeting-4</nowiki><br />
+<nowiki>/join #openstack-meeting-3</nowiki><br />
 <nowiki>#startmeeting vpnaas</nowiki><br />
 <nowiki>#topic Announcements</nowiki><br />

Difference between revisions of "Meetings/VPNaaS"