Openstack Juno – Group based policy

This blog is part of my series on Openstack Juno. In this blog, I will cover Group based policy in Openstack Juno. For more information on Group based policy (GBP), please refer to my earlier blogs on GBP basics and ODL integration.

Group based policy (GBP) support in Juno:

Preliminary support for GBP is available in Juno; more functionality is planned for the Kilo release. GBP is not part of the stock devstack, so you need to pull a devstack that is labelled for GBP to get the functionality. I followed the instructions in the Openstack GBP wiki to try out GBP with devstack. The exercise walks through a dummy application stack with two client groups and one web server group, with policies between the three groups controlling which traffic is allowed between them.

Following are some advantages I realized while trying the exercise:

  • Policies cover L2, L3, security groups and network services, and all of them are expressed in one place. Initially I viewed GBP as an extension of security groups, but it achieves a lot more than that.
  • IP addressing and network connectivity for the application are derived automatically from the policy applied, so the user does not have to deal with low-level networking details.
  • Policies are defined at the application (group) level rather than per VM.

As explained in the exercise, ICMP (ping) and web traffic between the groups works only as far as the applied policy allows it; the router that joins the groups does not by itself make them reachable to each other.

The following L2 networks were created, one per group (the l2p_ prefix marks the L2 policy that backs each group):

$ neutron net-list
+--------------------------------------+--------------+----------------------------------------------------+
| id                                   | name         | subnets                                            |
+--------------------------------------+--------------+----------------------------------------------------+
| 35c436b1-894f-49ea-a739-9614ca04ff1b | l2p_client-2 | 34f6dfaa-9bff-403a-b1f5-8182d7e3016b 10.0.0.128/26 |
| 6a017a61-e7da-4ea2-9d44-cff1b8828474 | l2p_web      | 13503fc0-eb56-4201-93da-c9c6f88dd777 10.0.0.0/26   |
| f4647eb7-28b1-40bf-acd6-90ef96a6c4dc | l2p_client-1 | 4cbbb338-7f64-4df7-ad3d-694fb758f865 10.0.0.64/26  |
+--------------------------------------+--------------+----------------------------------------------------+

An L3 router connects the three L2 networks. Note that each subnet is a /26 carved out of the same 10.0.0.0/24 pool, and the router owns the first usable address in each:

$ neutron router-list
+--------------------------------------+-------------+-----------------------+
| id                                   | name        | external_gateway_info |
+--------------------------------------+-------------+-----------------------+
| 01e6a7ae-3f61-432b-8e10-0ec01b5dca5a | l3p_default | null                  |
+--------------------------------------+-------------+-----------------------+
$ neutron router-port-list 01e6a7ae-3f61-432b-8e10-0ec01b5dca5a
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                         |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+
| b2b7bba3-eeed-468b-8048-2986287ed472 |      | fa:16:3e:37:0a:96 | {"subnet_id": "13503fc0-eb56-4201-93da-c9c6f88dd777", "ip_address": "10.0.0.1"}   |
| b83cd62b-c0aa-43df-b786-59212d698f44 |      | fa:16:3e:18:d0:da | {"subnet_id": "4cbbb338-7f64-4df7-ad3d-694fb758f865", "ip_address": "10.0.0.65"}  |
| bec1da47-4815-4453-993b-d64159d165d4 |      | fa:16:3e:f2:db:2d | {"subnet_id": "34f6dfaa-9bff-403a-b1f5-8182d7e3016b", "ip_address": "10.0.0.129"} |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------+

The following command shows the three VMs, one in each group; each VM gets the next address after the router port in its group's subnet:

$ nova list
+--------------------------------------+-------------+--------+------------+-------------+-------------------------+
| ID                                   | Name        | Status | Task State | Power State | Networks                |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------+
| fea82139-ae00-49d1-b65d-0ecb8e7faaba | client-vm-1 | ACTIVE | -          | Running     | l2p_client-1=10.0.0.66  |
| 60514b2a-e0f4-457a-8e2c-f07011fdb104 | client-vm-2 | ACTIVE | -          | Running     | l2p_client-2=10.0.0.130 |
| 54a13edf-ec44-43a1-93c4-2ae914a8a2d6 | web-vm-1    | ACTIVE | -          | Running     | l2p_web=10.0.0.2        |
+--------------------------------------+-------------+--------+------------+-------------+-------------------------+
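To make the two points above concrete (traffic between groups flows only where a policy rule set allows it, and addressing falls out of the L3 policy automatically), here is a small Python model of the exercise. This is an added example written for this post, not GBP or Neutron code. It assumes the exercise's rule sets (ICMP bidirectional and tcp/80 inbound, provided by the web group and consumed by both client groups), an L3 policy ip_pool of 10.0.0.0/24 with a /26 per group, and the creation order web, client-1, client-2; those values are inferred from the listings above and from the wiki exercise, and the class and function names are my own.

```python
"""Toy model of the GBP objects used in the Juno exercise (added example, not GBP code).

Models (1) an L3 policy whose ip_pool is carved into one subnet per group, which is
what produces the three /26 networks and the router/VM addresses in the listings,
and (2) policy rule sets that a group provides or consumes, which is the only thing
that lets traffic flow between groups.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass
class Classifier:
    """What traffic a rule matches.  Direction is relative to the provider:
    "in" = consumer -> provider, "out" = provider -> consumer, "bi" = both."""
    protocol: str
    direction: str
    port: Optional[int] = None      # None matches any port


@dataclass
class RuleSet:
    """A policy rule set; every rule in this toy model has the 'allow' action."""
    name: str
    classifiers: List[Classifier]


@dataclass
class Group:
    """A policy target group with the rule sets it provides and consumes."""
    name: str
    provided: List[RuleSet] = field(default_factory=list)
    consumed: List[RuleSet] = field(default_factory=list)
    subnet: Optional[ipaddress.IPv4Network] = field(default=None, compare=False)
    hosts: Optional[Iterator[ipaddress.IPv4Address]] = field(default=None, repr=False, compare=False)


class L3Policy:
    """Hands out subnet_prefix_length blocks of ip_pool, one per group.
    Defaults (10.0.0.0/24, /26) are assumptions inferred from the listings."""

    def __init__(self, ip_pool: str = "10.0.0.0/24", subnet_prefix_length: int = 26):
        self._free = list(ipaddress.ip_network(ip_pool).subnets(new_prefix=subnet_prefix_length))
        self.router_ports = {}

    def attach(self, group: Group) -> ipaddress.IPv4Network:
        """Create the group's L2 policy: next free subnet, router takes the first host."""
        group.subnet = self._free.pop(0)
        group.hosts = group.subnet.hosts()
        self.router_ports[group.name] = next(group.hosts)
        return group.subnet

    @staticmethod
    def policy_target(group: Group) -> ipaddress.IPv4Address:
        """Allocate a port (policy target) for a VM in the group."""
        return next(group.hosts)


def allowed(src: Group, dst: Group, protocol: str, port: Optional[int] = None) -> bool:
    """True if a rule set that one side provides and the other consumes has a
    classifier matching the flow in the right direction.  Without such a rule
    set the groups cannot talk, even though one router joins all the subnets."""
    for provider, consumer, into_provider in ((dst, src, True), (src, dst, False)):
        for rule_set in provider.provided:
            if rule_set not in consumer.consumed:
                continue
            for c in rule_set.classifiers:
                if c.protocol != protocol or (c.port is not None and c.port != port):
                    continue
                if c.direction == "bi" or (c.direction == "in") == into_provider:
                    return True
    return False


def build_exercise():
    """Recreate the exercise: web provides ICMP and tcp/80, both clients consume them."""
    icmp_rs = RuleSet("icmp-policy-rule-set", [Classifier("icmp", "bi")])
    web_rs = RuleSet("web-policy-rule-set", [Classifier("tcp", "in", port=80)])
    l3 = L3Policy()
    web = Group("web", provided=[icmp_rs, web_rs])
    client1 = Group("client-1", consumed=[icmp_rs, web_rs])
    client2 = Group("client-2", consumed=[icmp_rs, web_rs])
    vms = {}
    # Same creation order as in the exercise: web first, then the two clients.
    for group, vm in ((web, "web-vm-1"), (client1, "client-vm-1"), (client2, "client-vm-2")):
        l3.attach(group)
        vms[vm] = l3.policy_target(group)
    return l3, {g.name: g for g in (web, client1, client2)}, vms


if __name__ == "__main__":
    l3, groups, vms = build_exercise()
    for name, g in groups.items():
        print(f"l2p_{name}: {g.subnet} router={l3.router_ports[name]}")
    print(vms)
    print("client-1 -> web tcp/80:", allowed(groups["client-1"], groups["web"], "tcp", 80))
    print("web -> client-1 tcp/80:", allowed(groups["web"], groups["client-1"], "tcp", 80))
    print("client-1 -> client-2 icmp:", allowed(groups["client-1"], groups["client-2"], "icmp"))
```

Running it reproduces the three /26 subnets, the router addresses .1/.65/.129 and the VM addresses .2/.66/.130 from the listings. The check function also shows the policy asymmetry that is easy to miss when reading the rule sets: the clients can reach the web group on tcp/80 and ping it in both directions, but the web group cannot open tcp/80 towards the clients, and the two client groups, which share nothing but the router, cannot talk at all.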

There is a wiki page which explains how to do Openstack GBP + ODL integration, but I have not yet had a chance to try it.
