Hi Joe, Thanks for the comments, have incorporated those.
Regards
Ashish Singh
Tata Consultancy Services
Cell:- 9030419618
Mailto: [email protected]
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services Business Solutions Consulting
____________________________________________

-----joehuang <[email protected]> wrote: -----
To: Ashish Singh7 <[email protected]>
From: joehuang <[email protected]>
Date: 11/01/2016 08:03AM
Cc: Dimitri Mazmanov <[email protected]>, Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>, Goutham Pratapa <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Ashish,

Some minor comment has been added in the doc

Best Regards
Chaoyi Huang (joehuang)

From: Ashish Singh7 [[email protected]]
Sent: 27 October 2016 16:59
To: joehuang
Cc: Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; Goutham Pratapa; [email protected]
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi All,

Have replied to the comment and added API structure as well. Have a look and comment accordingly.

Regards
Ashish Singh

-----joehuang <[email protected]> wrote: -----
To: Ashish Singh7 <[email protected]>
From: joehuang <[email protected]>
Date: 10/27/2016 01:35AM
Cc: Dimitri Mazmanov <[email protected]>, Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>, Goutham Pratapa <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello, Ashish,

Good update, just one comment in the doc.

Best Regards
Chaoyi Huang (joehuang)

From: Ashish Singh7 [[email protected]]
Sent: 26 October 2016 18:40
To: joehuang
Cc: Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; Goutham Pratapa; [email protected]
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi All,

Have added ssh-keys in place of secgroup in the document as per our latest discussion. Please have a look and comment accordingly.

Regards
Ashish Singh

-----joehuang <[email protected]> wrote: -----
To: Dimitri Mazmanov <[email protected]>, Ashish Singh <[email protected]>
From: joehuang <[email protected]>
Date: 10/11/2016 08:11AM
Cc: Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello,

the following comment is also added in the doc:

My opinion is to exclude SEG from the sync in Kingbird, because SEG sync action will lead to data plane in unpredictable situation during multi-region concurrent CRUD operation. This is an action that will greatly impact the tenant's data plane service immediately, especially as SEG is for security purpose.

For KeyPair, because it's a user based granularity resource, that means it will be manipulated by a single user, so the concurrency is not an issue. But we have to allow the user to be able to start the sync, not only the Admin role.

Best Regards
Chaoyi Huang (joehuang)

From: Dimitri Mazmanov [[email protected]]
Sent: 10 October 2016 18:24
To: joehuang; Ashish Singh
Cc: Ashish singh; caizhiyuan (A); Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
Subject: Re: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi,

Please see my comments as well

From: joehuang <[email protected]>
Date: Sunday, 9 October 2016 at 03:24
To: Ashish Singh <[email protected]>
Cc: Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Dimitri Mazmanov <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello, Ashish,

More comments in the doc. Thank you.

Best Regards
Chaoyi Huang (joehuang)

From: Ashish Singh7 [[email protected]]
Sent: 04 October 2016 14:51
To: joehuang
Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi Joe,

I have replied, Please check.

Regards
Ashish Singh

-----joehuang <[email protected]> wrote: -----
To: Ashish Singh7 <[email protected]>
From: joehuang <[email protected]>
Date: 10/04/2016 12:19PM
Cc: Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Dimitri Mazmanov <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Thank you Ashish, comments are put in the document.

Best Regards
Chaoyi Huang (joehuang)

From: Ashish Singh7 [[email protected]]
Sent: 29 September 2016 22:04
To: joehuang
Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi All,

I have updated the document with an approach to solve concurrency problem.

Please have a look and comment accordingly.

Regards
Ashish Singh

-----joehuang <[email protected]> wrote: -----
To: Ashish Singh7 <[email protected]>
From: joehuang <[email protected]>
Date: 09/27/2016 09:10AM
Cc: Ashish singh <[email protected]>, "caizhiyuan (A)" <[email protected]>, Dimitri Mazmanov <[email protected]>, Meimei <[email protected]>, opnfv-tech-discuss <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello, Ashish,

Thank you for the BP and doc, see comments in the doc.

Best Regards
Chaoyi Huang (joehuang)

From: Ashish Singh7 [[email protected]]
Sent: 26 September 2016 18:28
To: joehuang
Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi All,

I have registered a blueprint on "Resource Syncing" and tied it with a supporting document.

Blueprint: https://blueprints.launchpad.net/kingbird/+spec/resource-syncing

Google Docs link: https://docs.google.com/document/d/1N6HFAFUT5BbEp1wbnYjgaKdOlyJanwkXccv-_1zsVQc/edit?usp=sharing

Let us use this to discuss the feature and finalize it.

Regards
Ashish Singh

From: joehuang <[email protected]>
To: Ashish singh <[email protected]>, opnfv-tech-discuss <[email protected]>, "caizhiyuan (A)" <[email protected]>, Meimei <[email protected]>, "Sama, Malla Reddy" <[email protected]>, Zhipeng Huang <[email protected]>, "Dimitri Mazmanov" <[email protected]>, Ashish Singh7 <[email protected]>
Date: 09/21/2016 02:23 PM
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello team,

Last year, use case 4 was discussed, some network related requirements were identified: https://etherpad.opnfv.org/p/multisite_centralized_servic

- global view for tenant level IP address / mac address space management
        - If a tenant has networks in multiple regions, and these networks are routable (for example, connected with VPN), then, IP address may be duplicated. Need a global view for IP address space management
        - If IPv4 is used, this issue needs to be considered. For IPv6, it should not be a problem.
        - IR - disagree with this statement. This requirement is important not just for prevention of duplicate address. For security and other reasons it's important to know which IP Addresses (IPv4 and IPv6) are used in which region.
        - Can we also extend such requirement to MAC address tracking?
        - Can we also extend such requirement to mapping for floating and public IP Addresses
- A service to clone security groups across regions
        - No appropriate service to security groups across multiple regions if the tenant has resources distributed, has to set the security groups in different regions manually.

And during the discussion thread with netready, one more issue was identified http://lists.opnfv.org/pipermail/opnfv-tech-discuss/2016-July/011499.html:

- VxLAN pool cross site management for VxLAN segmentation allocation

All these issues need to be addressed, we can discuss them together.

Tricircle (now the Tricircle team is working on the cleaning to make Tricircle dedicated for networking automation across Neutron, mentioned below) could be the reference, the design blueprint has just been updated for your reference: https://docs.google.com/document/d/1zcxwl8xMEpxVCqLTce2-dUOtB-ObmzJTbV1uSQ6qTsY/, local network and shared VLAN network and L3 have been implemented in the Newton release. Of course, in the NFV area, L2 networking should be enough in most scenarios.

And the spec for Tricircle Local Neutron Plugin is in review: https://review.openstack.org/#/c/368529/

Best Regards
Chaoyi Huang (joehuang)

From: joehuang
Sent: 09 September 2016 16:59
To: Ashish singh; opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla Reddy; Zhipeng Huang; Dimitri Mazmanov; Ashish Singh7
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hello, Ashish,

I think sync itself (if excluding the remote sec-group) is not complex, the complexity is to ensure the rules set in different regions of Neutron will not conflict with each other. Otherwise, it'll become a mess. So I agree with you "We must use neutron to perform all our operations as with neutron we have total control over it." (Is my understanding correct?)

That's the way of Tricircle (please forgive me to explain a little: Tricircle now is only a project about networking automation across Neutron. And the Nova/Cinder API-Gateway part will be moved to Trio2o, a newly created project: https://docs.google.com/presentation/d/1kpVo5rsL6p_rq9TvkuczjommJSsisDiKJiurbhaQg7E/edit). And the SEG sync has been implemented in the Tricircle, and we are now doing the tricircle splitting and cleaning.

If we implement seg sync in Kingbird, we have to write lots of duplicated code which has already been done in Neutron, for example, SEG CRUD, rule CRUD, validation, rule checking, default rule management, etc.

Best Regards
Chaoyi Huang (joehuang)

From: Ashish singh [[email protected]]
Sent: 08 September 2016 23:57
To: opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla Reddy; Zhipeng Huang; Ashish singh; Dimitri Mazmanov; joehuang; Ashish Singh7
Subject: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

Hi All,

I have drafted a basic approach for security group syncing in release D and it is as follows.

- Get list of secgroups with rules for a tenant from all the regions which do not have remote group references (currently, we ignore remote secgroup references as there can be a lot of nested dependencies).
- Traverse each region and do the following
        - Get the list of secgroups which are present in all the regions except the current region. These are the secgroups which we need to sync in the current region: say it GRP_TO_BE_SYNCED
        - There can be a case where the secgroup from GRP_TO_BE_SYNCED may have the same rules as the secgroup in the current region (if not initially, but which will obviously happen after a sync job).
        - Traverse through the GRP_TO_BE_SYNCED and check if there are such secgroups (rules overlapping groups), if there, ignore it. After this filtering, the remaining secgroups will be the final list of secgroups which should be created for the current region.
        - Create the secgroup with the final list of secgroups in the region.
- Repeat the process for all the tenants in batches.

The default security group is not synced, as I feel a region specific default secgroup has to be there in each region.

We must use neutron to perform all our operations as with neutron we have total control over it.

For creating a security group we need the following information

  --tenant-id TENANT_ID
                        The owner tenant ID.
  --description DESCRIPTION
                        Description of security group rule.
  --direction {ingress,egress}
                        Direction of traffic: ingress/egress.
  --ethertype ETHERTYPE
                        IPv4/IPv6
  --protocol PROTOCOL   Protocol of packet. Allowed values are [icmp, icmpv6,
                        tcp, udp] and integer representations [0-255]
  --port-range-min PORT_RANGE_MIN
                        Starting port range. For ICMP it is type.
  --port-range-max PORT_RANGE_MAX
                        Ending port range. For ICMP it is code.
  --remote-ip-prefix REMOTE_IP_PREFIX
                        CIDR to match on.

We have all these details with us available.

Let us take this forward, Please review/comment.

--
Best Regards,
Ashish Singh

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

_______________________________________________ opnfv-tech-discuss mailing list [email protected] https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
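
The filtering steps of the approach drafted in the first message of this thread (8 September 2016), as an added Python example; it is not code from Kingbird or from any participant in the thread. It assumes "same rules" means an identical rule set, and the region names, group data and function names are constructed for illustration.

```python
# Added illustration of the draft's filtering steps; not Kingbird code.
RULE_KEYS = ("direction", "ethertype", "protocol",
             "port_range_min", "port_range_max", "remote_ip_prefix")

def rule(direction, proto=None, port=None, cidr=None, remote_group=None):
    """Build one constructed sample rule (hypothetical helper)."""
    return {"direction": direction, "ethertype": "IPv4", "protocol": proto,
            "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": cidr, "remote_group_id": remote_group}

def rule_signature(group):
    """Order-independent fingerprint of a rule set (assumed meaning of 'same rules')."""
    return frozenset(tuple(r.get(k) for k in RULE_KEYS) for r in group["rules"])

def syncable(group):
    """Skip the per-region default group and groups with remote group references."""
    return (group["name"] != "default"
            and not any(r.get("remote_group_id") for r in group["rules"]))

def plan_sync(groups_by_region):
    """Return {region: [groups to create there]} for one tenant."""
    plan = {}
    for region, local_groups in groups_by_region.items():
        seen = {rule_signature(g) for g in local_groups}  # rule sets already present
        to_create = []
        for other in sorted(groups_by_region):
            if other == region:
                continue
            for g in groups_by_region[other]:  # GRP_TO_BE_SYNCED candidates
                sig = rule_signature(g)
                if syncable(g) and sig not in seen:
                    seen.add(sig)  # assumption: also de-duplicate across source regions
                    to_create.append(g)
        plan[region] = to_create
    return plan

# Constructed sample data: "web-copy" is what an earlier sync job left behind.
DEFAULT = {"name": "default", "rules": [rule("egress")]}
WEB = [rule("ingress", "tcp", 80, "0.0.0.0/0")]
SAMPLE = {
    "RegionOne": [DEFAULT, {"name": "web", "rules": WEB}],
    "RegionTwo": [DEFAULT, {"name": "web-copy", "rules": WEB},
                  {"name": "db", "rules": [rule("ingress", "tcp", 3306, "10.0.0.0/24")]},
                  {"name": "app", "rules": [rule("ingress", "tcp", 8080, remote_group="sg-web")]}],
    "RegionThree": [DEFAULT],
}

def planned_names(groups_by_region):
    return {r: [g["name"] for g in gs] for r, gs in plan_sync(groups_by_region).items()}
```

The plan is computed from a single snapshot, so groups created or changed in any region while it is being applied are not seen; that is the multi-region concurrent CRUD case raised later in the thread.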
