

Network Function Virtualization -- Horizon Dashboard Support

OpenStack Neutron is being extended to support Network Function Virtualization (NFV), the ability to request and deploy virtual machines (VMs) that provide common network services. These include Firewall as a Service (FWaaS), Load Balancer as a Service (LBaaS), Virtual Private Network as a Service (VPNaaS), Intrusion Detection as a Service (IDaaS) and more. We shall refer to this category of VMs as service VMs. Further, OpenStack seeks to support plugin implementations of the service VMs, and to allow cloud users a choice of implementations and pricing models.

The Horizon dashboard allows cloud users to request a VM and configure various aspects of it, such as the flavor (hardware and other desired characteristics) and the VM image to be used (chosen from a list of options in Glance, the image repository). This is in addition to the ability to monitor all their VMs.

To ease the use of service VMs, we seek to provide in Horizon:

  1. Ability to request a Service VM type
  2. Provide a list of service VM options given a type (ideally provided via an API in Neutron)
  3. Configure standard options for the service VM
  4. Provide the ability to configure advanced options.

NFV instances

Tenant Instances.
The tenant instance table will display all the VMs associated with the tenant, including service VMs. We recommend adding a column to indicate whether or not an instance is a service VM, possibly labeled NFV. The column value would be NONE, or one of FWaaS, IDaaS, LBaaS, and so on.

OpenStack Horizon user instances

Launching a Service VM
A service VM is launched by clicking on the Launch button (circled in the image above), just like regular VMs.
Launch parameters

OpenStack Horizon Instance Launch

As before, the flavor, Glance image and quota data are all specified. The difference lies in an additional field, "Service Type". If it is not NONE, then a list of service providers offering the desired service is made available to the user, which in turn prunes the list of images that provide the desired service (held by Neutron in the first incarnation of this implementation, and later possibly moved to Glance). Note that there is no conflict in multiple services being provided by a single service VM image. Often a service provider may supply a single VM image that can be configured to provide one service or another, or possibly a combination of services. For instance, the McAfee Next Generation Firewall can function as a firewall and/or an intrusion detection system. Should the service VM require any basic configuration, the Configure button is highlighted.

Service VM Basic Configuration
Here we show basic Load Balancer configuration.

OpenStack Horizon Service VM Configuration

Image filtering and Sanity Alerts
The list of images provided to the user during launch is pre-filtered based on whether the selected flavor has adequate resources to support the image. In addition to this filtering, in the context of service VMs we need to filter on whether the image provides the service of the specified type, as determined from image metadata or from the Neutron client (or other API).
If a vendor is provided, the images should be pruned further based on the vendor. Should no vendor be provided, all images providing the desired service type should be made available.

Service VM Advanced Configuration
Any vendor-specific advanced configuration is accessed via the Advanced button. The button essentially takes the user to the provider-specified URL for configuration. This URL is available via the Neutron API that lists all NFVs available, their associated images and their configuration URLs. As a result, Horizon does not constantly need to be updated to incorporate any provider upgrades and changes to their services, nor does any proprietary information need to be leaked to OpenStack. Modularity of service VMs is maintained. It is likely that service providers will have an agent resident in the cloud that provides the configuration service or its equivalent. Such an agent either passes the configuration data to Nova prior to VM launch, or holds the configuration data and injects it into the service VM once it is launched. An example of the latter would be McAfee's Next Generation Firewall in its first incarnation as a service in OpenStack.
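
The image filtering and configuration-URL lookup described in the two sections above, written out as an added Python example; it is not code from Horizon or Neutron. The `Offering` record standing in for the Neutron NFV listing, all field names, the vendor names and the sample data are assumptions made for illustration.

```python
# Added illustration: field names and sample data are assumptions, not an OpenStack API.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flavor:
    ram_mb: int
    disk_gb: int

@dataclass(frozen=True)
class Image:
    image_id: str
    min_ram_mb: int
    min_disk_gb: int

@dataclass(frozen=True)
class Offering:  # one row of the hypothetical Neutron NFV listing
    vendor: str
    image_id: str
    service_types: frozenset   # a single image may provide several services
    config_url: Optional[str]  # provider-specified advanced-configuration URL

def launchable_images(images, offerings, flavor, service_type="NONE", vendor=None):
    """Return [(image_id, config_url)] that the launch dialog should list."""
    fits = [i for i in images
            if i.min_ram_mb <= flavor.ram_mb and i.min_disk_gb <= flavor.disk_gb]
    if service_type == "NONE":
        # Regular VM launch: only the flavor sanity filter applies.
        return [(i.image_id, None) for i in fits]
    by_image = {o.image_id: o for o in offerings}
    result = []
    for img in fits:
        o = by_image.get(img.image_id)
        if o is None or service_type not in o.service_types:
            continue  # image does not provide the requested service
        if vendor is not None and o.vendor.lower() != vendor.lower():
            continue  # vendor given: prune to that vendor only
        result.append((img.image_id, o.config_url))
    return result

# Constructed sample data (not real images or vendors).
IMAGES = [Image("ngfw-1", 4096, 20), Image("lb-small", 1024, 5),
          Image("lb-big", 16384, 80), Image("ubuntu", 512, 2)]
OFFERINGS = [
    Offering("VendorA", "ngfw-1", frozenset({"FWaaS", "IDaaS"}),
             "https://config.vendor-a.example/ngfw"),
    Offering("VendorB", "lb-small", frozenset({"LBaaS"}), None),
    Offering("VendorB", "lb-big", frozenset({"LBaaS"}),
             "https://config.vendor-b.example/lb"),
]
```

An entry whose `config_url` is `None` corresponds to a service VM with no advanced configuration, so the Advanced button would have nothing to link to.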

OpenStack Horizon user instances