Difference between revisions of "Meetings/VPNaaS"
Paul Michali (talk | contribs) (→Agenda) |
Paul Michali (talk | contribs) (→Agenda) |
Line 15: | Line 15: | ||
= Agenda = | = Agenda = | ||
− | Updated July | + | Updated July 21st, 2015 |
+ | * Grenade Plugin | ||
+ | * VPN Functional tests for Neutron commits | ||
+ | * Migration changes | ||
* Local tunnel IP | * Local tunnel IP | ||
* VPN with HA router | * VPN with HA router | ||
Line 25: | Line 28: | ||
== Announcements == | == Announcements == | ||
− | * Grenade | + | * DevStack Plugin is upstreamed, removing VPN setup from DevStack |
− | + | * Grenade tests for VPN are experimental right now | |
− | + | ||
+ | == Grenade Plugin == | ||
+ | Working on plugin, have code out for review (https://review.openstack.org/#/c/203159/). Having an issue with getting the plugin to actually trigger. | ||
+ | |||
+ | == VPN Functional Tests for Neutron Commits == | ||
+ | Testing with dummy Neutron commit, but VPN functional test is NOT using the Neutron patchset, and instead is using latest from Neutron. Investigating. | ||
+ | |||
+ | == Migration Changes == | ||
+ | Neutron is changing migration into two branches, one that does the "safe" migration, and one that does the "unsafe" migration (after new version is restarted). Ihar is working on changing both Neutron and VPn repos. | ||
== Local Tunnel IP == | == Local Tunnel IP == | ||
− | + | Code out for review (https://review.openstack.org/#/c/199670/). Waiting for Grenade plugin (to be able to test migration part of this change - though I've checked it manually), and changes to migration as mentioned above (of which a minor change is needed to this patch-set), but overall it works (please review!). No client mod is needed. | |
== VPN with HA Router == | == VPN with HA Router == | ||
− | + | Anything new here (https://review.openstack.org/200636)? | |
== Multiple Local Subnets on VPN connection == | == Multiple Local Subnets on VPN connection == | ||
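Review bot: In the added Migration Changes paragraph, "VPn repos" should read "VPN repos". In the added Local Tunnel IP paragraph, the blockers (Grenade plugin, migration changes) are nested in parentheticals around the status "overall it works"; giving the review status first and then each dependency in its own sentence would make clear what still gates the change. The added "Anything new here" line under VPN with HA Router asks a question without naming who is expected to answer it.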
Line 39: | Line 50: | ||
Ref: https://bugs.launchpad.net/neutron/+bug/1459423 | Ref: https://bugs.launchpad.net/neutron/+bug/1459423 | ||
− | + | Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused. | |
== BGP/MPLS and Edge VPN == | == BGP/MPLS and Edge VPN == | ||
Line 70: | Line 81: | ||
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)... | Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)... | ||
− | |||
* Validation that peer IP for VPN connection is of same version as router's GW I/F. | * Validation that peer IP for VPN connection is of same version as router's GW I/F. | ||
* User documentation for Networking Guide. (including limitations/restrictions) | * User documentation for Networking Guide. (including limitations/restrictions) | ||
* Coverage, especially in database and device driver modules, is lacking. | * Coverage, especially in database and device driver modules, is lacking. | ||
− | * Need functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). | + | * Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). |
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta) | * Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta) | ||
* The OpenSwan class should be separated from the ABC definition, and placed into a new module. | * The OpenSwan class should be separated from the ABC definition, and placed into a new module. | ||
Line 84: | Line 94: | ||
* Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS? | * Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS? | ||
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. | * Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. | ||
− | |||
* There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute). | * There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute). | ||
* Should enhance/add unit test cases for: | * Should enhance/add unit test cases for: |
Revision as of 12:20, 21 July 2015
Contents
- 1 Meetings
- 2 Logs and Minutes
- 3 Agenda
- 3.1 Announcements
- 3.2 Grenade Plugin
- 3.3 VPN Functional Tests for Neutron Commits
- 3.4 Migration Changes
- 3.5 Local Tunnel IP
- 3.6 VPN with HA Router
- 3.7 Multiple Local Subnets on VPN connection
- 3.8 BGP/MPLS and Edge VPN
- 3.9 Bugs under Review
- 3.10 Open Discussion
- 3.11 Bucket List
- 3.12 Interested People
- 3.13 Charter
- 3.14 Meeting Commands
Meetings
- Weekly on-demand on Tuesdays at 1600 UTC
- IRC channel: #openstack-meeting-3
- Chair: pc_m (Paul Michali)
If you want to hold a meeting, update this wiki page with agenda modifications, the date of the meeting desired, and the date of the update, and then post a notice on the openstack-dev mailing list at least 24 hours prior to the meeting start time. We have reserved this (new) IRC channel for the time/day of week.
Next meeting: Tuesday, July 14th, 2015.
Logs and Minutes
Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/
Agenda
Updated July 21st, 2015
- Grenade Plugin
- VPN Functional tests for Neutron commits
- Migration changes
- Local tunnel IP
- VPN with HA router
- Multiple local subnet enhancement
- BGP/MPLS VPN and Edge VPN discussion
Announcements
- DevStack Plugin is upstreamed, removing VPN setup from DevStack
- Grenade tests for VPN are experimental right now
Grenade Plugin
Working on plugin, have code out for review (https://review.openstack.org/#/c/203159/). Having an issue with getting the plugin to actually trigger.
VPN Functional Tests for Neutron Commits
Testing with dummy Neutron commit, but VPN functional test is NOT using the Neutron patchset, and instead is using latest from Neutron. Investigating.
Migration Changes
Neutron is splitting migration into two branches: one that does the "safe" migration, and one that does the "unsafe" migration (after the new version is restarted). Ihar is working on changing both the Neutron and VPN repos.
Local Tunnel IP
Code out for review (https://review.openstack.org/#/c/199670/). Waiting for Grenade plugin (to be able to test migration part of this change - though I've checked it manually), and changes to migration as mentioned above (of which a minor change is needed to this patch-set), but overall it works (please review!). No client mod is needed.
VPN with HA Router
Anything new here (https://review.openstack.org/200636)?
Multiple Local Subnets on VPN connection
Ref: https://bugs.launchpad.net/neutron/+bug/1459423
Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused.
BGP/MPLS and Edge VPN
Need feedback from the BGP team on the endpoints API proposal, to see if it can be adapted for future use with BGPVPN.
Please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.
Anything to discuss here? Next steps?
Info:
- Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with specs:
  - Edge VPN service provisioning APIs: https://review.openstack.org/#/c/201378
  - Neutron extension for edge VPN: https://review.openstack.org/#/c/201381
- BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposal https://review.openstack.org/#/c/177740
Bugs under Review
Current bugs: VPN bugs
Current reviews: VPNaaS reviews
Need resolution of gate issues for: https://review.openstack.org/#/c/159746
Open Discussion
Bucket List
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
- Validation that peer IP for VPN connection is of same version as router's GW I/F.
- User documentation for Networking Guide. (including limitations/restrictions)
- Coverage, especially in database and device driver modules, is lacking.
- Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
- Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
- The OpenSwan class should be separated from the ABC definition, and placed into a new module.
- Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
- Documentation on how to use StrongSwan
- Developer Reference Documentation needed.
- Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
- StrongSwan execute_with_mount() to allow configurable rootwrap config file.
- Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
- Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
- Some are interested in other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
- Should enhance/add unit test cases for:
  - Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
  - Verification of contents of configuration files created for StrongSwan and OpenSwan.
  - Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
Interested People
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
- Paul Michali (pc_m)
- Sridhar Ramaswamy (sridha_ram)
- Al Miller (ajmiller)
Charter
Meeting Commands
/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo
...
#endmeeting