Difference between revisions of "NaaS-Core"
| Line 14: | Line 14: | ||
A network created with the core NaaS API can be regarded as a virtual network switch which potentially spans over all the compute nodes in the cloud. NaaS APIs should be decoupled by the actual implementation of the core service, which should be provided by a plugin implementing the core Naas API. This implies that NaaS does not mandate any specific model for created networks (e.g.: VLANs, IP tunnels). | A network created with the core NaaS API can be regarded as a virtual network switch which potentially spans over all the compute nodes in the cloud. NaaS APIs should be decoupled by the actual implementation of the core service, which should be provided by a plugin implementing the core Naas API. This implies that NaaS does not mandate any specific model for created networks (e.g.: VLANs, IP tunnels). | ||
| − | The core NaaS service can also be regarded as a container for higher level services, for instance DHCP and NAT. Higher level services will come their own API and implementation and they are discussed in detail | + | The core NaaS service can also be regarded as a container for higher level services, for instance DHCP and NAT. Higher level services will come their own API and implementation and they are discussed in detail in the [http://wiki.openstack.org/NaaS-HigherLayer Naas-Higher-Layer blueprint]. |
== Goals == | == Goals == | ||
| Line 25: | Line 25: | ||
'''Goal 4''': Allow customers to configure network policies for networks, ports, and devices attached to them. These policies can include, for instance, port security polices, access control lists, or QoS policies (which are typically available on physical network switches). Since a 'minimum set' of policies supported by each possible plugin can hardly be identified, network policies should be assumed as plugin-specific and always be configured through API extension mechanisms. | '''Goal 4''': Allow customers to configure network policies for networks, ports, and devices attached to them. These policies can include, for instance, port security polices, access control lists, or QoS policies (which are typically available on physical network switches). Since a 'minimum set' of policies supported by each possible plugin can hardly be identified, network policies should be assumed as plugin-specific and always be configured through API extension mechanisms. | ||
| − | '''Goal 5''': Allow CSPs to register and configure the plugins providing the actual implementation of the core service, as well as register and configure plugins for higher-level services such as DHCP, Firewall or Load Balancing. CSPs shoould be able to select and plug in third-party technologies as appropriate. This may be for extended features, improved performance, or reduced complexity or cost | + | '''Goal 5''': Allow CSPs to register and configure the plugins providing the actual implementation of the core service, as well as register and configure plugins for higher-level services such as DHCP, Firewall or Load Balancing. CSPs shoould be able to select and plug in third-party technologies as appropriate. This may be for extended features, improved performance, or reduced complexity or cost. |
| − | |||
| − | |||
== Use cases == | == Use cases == | ||
| Line 69: | Line 67: | ||
* NaaS Core API serves requests from customers concerning networks and virtual ports. The NaaS API layer then dispatches the request to the plugin (which is not part of Core NaaS). The plugin then enforces network/port configuration on hypervisors using proprietary mechanisms; | * NaaS Core API serves requests from customers concerning networks and virtual ports. The NaaS API layer then dispatches the request to the plugin (which is not part of Core NaaS). The plugin then enforces network/port configuration on hypervisors using proprietary mechanisms; | ||
| − | |||
* The Compute service should not have any knowledge of the hypervisor's networking stack and uses NaaS Core API for plugging VIFs into networks (this is sligthly different from current nova design where part of the network manager's code - namely setup_compute_network - is used by the compute service as well); | * The Compute service should not have any knowledge of the hypervisor's networking stack and uses NaaS Core API for plugging VIFs into networks (this is sligthly different from current nova design where part of the network manager's code - namely setup_compute_network - is used by the compute service as well); | ||
* Although the diagram supposes a plugin has a 'manager' component on the NaaS node and agent 'component', this might not be always true, as NaaS should be completely agnostic w.r.t. plugin implementations; | * Although the diagram supposes a plugin has a 'manager' component on the NaaS node and agent 'component', this might not be always true, as NaaS should be completely agnostic w.r.t. plugin implementations; | ||
| Line 80: | Line 77: | ||
If IP configuration is deemed part of the core API, the following goal should then be added to the above list: | If IP configuration is deemed part of the core API, the following goal should then be added to the above list: | ||
| − | '''Goal | + | '''Goal 6''': Customers should be able to configure IP subnets for their networks. Zero, One, or more IP subnets can be associated with a network. |
---- | ---- | ||
[[Category:Spec]] | [[Category:Spec]] | ||
Revision as of 09:43, 25 March 2011
This blueprint is being redrafted. Ewan Mellor and Salvatore Orlando will be happy to hear from you if you wish to contribute. Nothing here is committed.
- Launchpad Entry: NovaSpec:network-service
- Created: 24 March 2011
- Contributors: Ewan Mellor,Salvatore Orlando,Youcef Laribi
Summary
The core functionality of Openstack Network-as-a-service (NaaS) is to provide a customer-facing service for creating and managing networks intended as "collection of virtual ports with shared connectivity".
Rationale
A network created with the core NaaS API can be regarded as a virtual network switch which potentially spans over all the compute nodes in the cloud. NaaS APIs should be decoupled by the actual implementation of the core service, which should be provided by a plugin implementing the core Naas API. This implies that NaaS does not mandate any specific model for created networks (e.g.: VLANs, IP tunnels).
The core NaaS service can also be regarded as a container for higher level services, for instance DHCP and NAT. Higher level services will come their own API and implementation and they are discussed in detail in the Naas-Higher-Layer blueprint.
Goals
Goal 1: Allow customers and CSPs to create networks. Networks can either be private, i.e.: available only to a specific customer, or shared. Networks shared only among a specific group of customers can also be considered.
Goal 2: Allow customers to manage virtual ports for their networks, and attach instances or other network appliances (physical or virtual) available in the cloud to them.
Goal 3: Allow customers to extend their networks from the cloud to a remote site, by attaching a bridging device within the cloud to their networks'; the bridging device would then bridge to the appropriate remote site.
Goal 4: Allow customers to configure network policies for networks, ports, and devices attached to them. These policies can include, for instance, port security polices, access control lists, or QoS policies (which are typically available on physical network switches). Since a 'minimum set' of policies supported by each possible plugin can hardly be identified, network policies should be assumed as plugin-specific and always be configured through API extension mechanisms.
Goal 5: Allow CSPs to register and configure the plugins providing the actual implementation of the core service, as well as register and configure plugins for higher-level services such as DHCP, Firewall or Load Balancing. CSPs shoould be able to select and plug in third-party technologies as appropriate. This may be for extended features, improved performance, or reduced complexity or cost.
Use cases
Use case 1: Create private network and attach instance to it
Related topology: Each tenant has an isolated network. Tenants are free to do whatever they want on their network, because it is completely isolated from those of other tenants. This is the NASA Nebula model as of today, implemented using one VLAN per tenant. Note that although this same model could equally be implemented with different technologies (e.g. GRE tunnels instead of VLANs for isolation), this would not change the nature of the model itself.
- Customer uses the Core NaaS API to create a Network;
- On success, Core NaaS API return a unique identifier for the newly created network;
- Customer uses Core NaaS API for configuring a logical port on the network;
- Customer invokes Cloud Controller API to run an instance, specifying network and virtual port for it;
- Cloud Controller API dispatches request to compute service;
- Compute service creates VM and VIFs. For each VIF, it asks Naas Core to plug it into port and network specified by Customer in (4).
Use case 2: Attach instance to default public network
Related topology: Similar to the 'Flat' mode currently supported by nova network. Instances from different customers are all deployed on the same virtual network. In this case, the Core NaaS service can provide port isolation policy in order to ensure VM security.
- Customer uses Core Naas API to retrieve public networks;
- On success, Core Naas API returns a list of unique network identifiers; Customer selects a networks from this list;
- Customer uses Core NaaS API for configuring a logical port on the network;
- Customer invokes Cloud Controller API to run an instance, specifying network and virtual port for it;
- Cloud Controller API dispatches request to compute service;
- Compute service creates VM and VIFs. For each VIF, it asks Naas Core to plug it into port and network specified by Customer in (4).
The main difference between this use case and the previous one is that the Customer uses a pre-configured network instead of creating it. Another point that needs to be discussed is whether customers should be allowed to manage ports for public networks. Alternatively, the compute service can implicitly create a port when it contacts the Core NaaS API.
Use case 3: Register bridge for connecting cloud network to other site
Related topology: Customer on-premise data centre extending into the cloud, interconnecting networks in distinct cloud. Although actual implementation can be provided in several ways. we are interested in the abstract model: a single connectivity domain spanning two ore more networks in distinct administrative domains.
- Customer uses Core NaaS API to register a bridge for its network;
- On success the Core NaaS API returns the bridge identifier;
- Customer uses Core NaaS API to provide bridge configuration (e.g.: remote endpoint, port, credentials);
- Customer uses Core NaaS API to create a virtual port on the network for the bridge device;
- Customer uses Core NaaS API to plug bridge device into network
Design Ideas
At this stage any attempt to provide a design for Core NaaS would be quite unrealistic. This section should be therefore regarded as a first attempt to define general design guidelines for NaaS.
At a very high-level view Core NaaS and its interactions with other entities (compute service, nova database, plugins) can be summarized as follows:
File:NaaS-Core$NaaSCore-highlevel.png
- NaaS Core API serves requests from customers concerning networks and virtual ports. The NaaS API layer then dispatches the request to the plugin (which is not part of Core NaaS). The plugin then enforces network/port configuration on hypervisors using proprietary mechanisms;
- The Compute service should not have any knowledge of the hypervisor's networking stack and uses NaaS Core API for plugging VIFs into networks (this is sligthly different from current nova design where part of the network manager's code - namely setup_compute_network - is used by the compute service as well);
- Although the diagram supposes a plugin has a 'manager' component on the NaaS node and agent 'component', this might not be always true, as NaaS should be completely agnostic w.r.t. plugin implementations;
- Just like today's nova-network service, Core NaaS used the nova DB. However, the database table for describing networks will be much simpler, as it will not contain information about higher-level services, such as VPN. Customer-Network association can still be performed on a project base, but it might be worth thinking about a 1:N association between networks and projects. IP information for networks are a slightly different argument, and will be discussed later in this blueprint.
As far as IP configuration is concerned, this aspect can be regarded as border-line between the core service and a higher-layer service. On the one hand, given that the aim of core service is to provide basic connectivity only, just like a switch provides network connectivity to servers in a rack, IP configuration should be regarded as a higher layer service; for instance, a DHCP service represents an example of an higher-level service for providing instances with IP configuration. On the other hand, it might be rightly argued that IP addressing is such a fundamental service that it should be part of the Core NaaS; the NaaS Core API will then also provide functionalities for configuring IP subnets in terms of CIDR, netmask, and gateway. However, the implementation for the IP API could be provided by a different plugin, and several plugins providing different IP configuration strategies could coexist on the NaaS node (e.g.: DHCP and IP injection).
If IP configuration is deemed part of the core API, the following goal should then be added to the above list:
Goal 6: Customers should be able to configure IP subnets for their networks. Zero, One, or more IP subnets can be associated with a network.
