Neutron Extension API

How to develop new API extensions in OpenStack networking (Neutron)
2015 August 23
Fujitsu Vietnam Limited, PODC (Platform Offshore Development Center)
Cao Xuan Hoang ([email protected])
Copyright 2015 Fujitsu Vietnam Limited

Transcript of Neutron Extension API


Page 2: Neutron Extension API

Agenda

- How does the OpenStack API work?
- API extensions
- Experiments
  - Example use case
  - Security group implementation sequence
  - Support logging feature/API for SG
  - Security group logging experiment
  - Firewall logging experiment

Page 3: Neutron Extension API

How does the OpenStack API work?

OpenStack includes several services that can be managed through the API.

There are two ways we can use OpenStack: API and SDK.

An application can either call the API itself, or use an SDK available for the application's programming language.

Page 4: Neutron Extension API

API extensions (1)


The OpenStack API extension mechanism makes it possible to add functionality to OpenStack APIs in a manner that ensures compatibility with existing clients.

The image below is an example of LBaaS API extensions that come from operator/user use-case demand.

Page 5: Neutron Extension API

API extensions (2)


What can be extended and how:
- New elements and attributes.
- New resources.
- New parameters.
- New headers.
- New verbs.
- New media types.
- New actions.
- New states.
- Other capabilities.

Page 6: Neutron Extension API

Experiment – example use case


What happens when a bank is hacked by strangers?
- A number of the bank's accounts are lost.
- An amount of money is lost.
- Financial transfers may stop.
- ……

How long should it take to fix the problem? As fast as possible, or almost immediately.

How do we know exactly who hacked the bank's database? We have to check records/history/…. => from logs.

Does OpenStack networking support a log feature to get packet logs? Not yet.

This means a NEW logging API extension is needed, and it comes from operator/user use-case demand.

How do we develop/support a logging API extension? See the next pages.

Page 7: Neutron Extension API

Security group implementation sequence


We are going to show an example of a logging feature that should be implemented in the NEW API.

[Sequence diagram: security group updated (created or deleted). Boxes: Host, OVSAgent, Neutron Server, Neutron Client, Firewall. Labels: create security group rule or delete rule; security_groups_rule_updated; security_group_rules_for_devices; retrieve security group rules from DB; update_port_filter; update iptables.]

Page 8: Neutron Extension API

Support logging for SG (1)


We are going to show an example of a logging feature that should be implemented in the NEW API.

[Class diagram, Agent side and Server side. Classes shown: OVSRpcCallbacks, OVSBridgePluginV2, OVSPluginApi, OVSNeutronAgentRPC, SecurityGroupAgentRPC, SecurityGroupAgentRpcCallbackMixin, SecurityGroupServerRpcApiMixin, SecurityGroupServerRpcCallbackMixin, SecurityGroupDbMixin, AgentNotifierApi, PacketLoggingDbMixin, PacketLoggingNotifier, SecurityGroupAgentRpcApiMixin. RPC labels: security_groups_logging_update or security_groups_rule_logging_update; security_group_info_for_devices, security_group_rules_for_devices; *A: security_groups_logging_updated or security_groups_rule_logging_updated. Legend: marked boxes are new classes; other boxes inherit from existing classes.]

Page 9: Neutron Extension API

Support logging for SG (2)


Main steps in the source code implementation:

Create resource:
  Class name:
    class Packetlogging(extensions.ExtensionDescriptor)
  Resource name: packet_loggings
  Interface API:
    get_packet_loggings (list cmd)
    get_packet_logging (show cmd)
    create_packet_logging (create cmd)
    delete_packet_logging (delete cmd)

Create database to store resource:
  Class name:
    class PacketLogging(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant)
  Database name: packet_logging
  Create columns:
    object_id = sa.Column(sa.String(36))
    service_type = sa.Column(sa.Enum('fw', 'fw-rule', 'sg', 'sg-rule', name='supported_servicetypes'))

Migration database:
  $ neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini revision -m "packet logging"
  Edit xxx_packet_logging.py for the database migration.

Page 10: Neutron Extension API

Support logging for SG (3)


Main steps in the source code implementation:

Notify Agent:
  Class name:
    class PacketLoggingNotifier(sg_rpc.SecurityGroupAgentRpcApiMixin)
  Topics: Agent, version: 1.0
  Interface:
    Server: in class SecurityGroupAgentRpcApiMixin
      security_group_logging_updated(self, context, security_group_id)
      security_group_rule_logging_updated(self, context, security_group_rule_id)
    Agent: in class SecurityGroupAgentRpcCallbackMixin
      security_group_logging_updated(self, context, **kwargs)
      security_group_rule_logging_updated(self, context, **kwargs)
    Driver:
      _add_security_group_rule_logging(self, port, direction) => implements adding the LOG rule into iptables.
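The driver step above, sketched as an added example (not the presentation's or Neutron's code): it shows where LOG rules have to sit in a chain for enable/disable to work. The chain contents, the function names, the prefix format and the 10/sec limit are assumptions; the service types are the ones in the slide's Enum column.

```python
import shlex

# Service types from the slide's sa.Enum column.
SERVICE_TYPES = ("fw", "fw-rule", "sg", "sg-rule")
VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
MAX_PREFIX = 29  # longest --log-prefix the iptables LOG target accepts

# Constructed sample: rules of one per-port chain, without the "-A <chain>" part.
SAMPLE_CHAIN = [
    "-m state --state INVALID -j DROP",
    "-m state --state RELATED,ESTABLISHED -j RETURN",
    "-p tcp -m tcp --dport 22 -j RETURN",
    "-j DROP",
]


def _target(rule):
    """Return (match_args, target) for a rule string; target is None without -j."""
    args = shlex.split(rule)
    if "-j" not in args[:-1]:
        return args, None
    j = args.index("-j")
    return args[:j], args[j + 1]


def disable_logging(rules):
    """Drop every LOG rule, leaving the filtering rules untouched."""
    return [r for r in rules if _target(r)[1] != "LOG"]


def enable_logging(rules, service_type, object_id, limit="10/sec"):
    """Put a rate-limited LOG rule in front of each verdict rule."""
    # LOG does not end chain traversal, so it repeats the next rule's match
    # and the packet still reaches the real verdict afterwards.
    if service_type not in SERVICE_TYPES:
        raise ValueError("unsupported service_type: %r" % (service_type,))
    out = []
    for rule in disable_logging(rules):      # idempotent: never stack LOG rules
        match, target = _target(rule)
        if target in VERDICTS:
            prefix = "%s:%s:%s " % (service_type, object_id[:8], target)
            if len(prefix) > MAX_PREFIX:
                raise ValueError("log prefix too long: %r" % prefix)
            log = match + ["-m", "limit", "--limit", limit,
                           "-j", "LOG", "--log-prefix", prefix]
            out.append(" ".join(shlex.quote(a) for a in log))
        out.append(rule)
    return out
```

The prefix carries the service type and the first eight characters of the object id, so a kernel log line can be traced back to the packet_logging resource that enabled it.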

Page 11: Neutron Extension API

Create instances (VMs) with a custom security group attached.

Security group logging experiment (1)


Page 12: Neutron Extension API

Create instances (VMs) with a custom security group attached.

Security group logging experiment (2)


Page 13: Neutron Extension API

Security group logging experiment (3)

Create instances (VMs) with a custom security group attached.

Page 14: Neutron Extension API

Security group logging experiment (4)

Create instances (VMs) with a custom security group attached.

Enable/disable logging and check iptables and the packet log.

Page 15: Neutron Extension API

Firewall logging experiment (1)

Create the firewall as normal.

Page 16: Neutron Extension API

Firewall logging experiment (2)

Create the firewall as normal.

Page 17: Neutron Extension API

Firewall logging experiment (3)

Enable/disable logging and check iptables and the packet log.

1. Method: POST
2. URL: http://192.168.100.73:9696/v2.0/packet-loggings
3. Headers:
   x-auth-token: 8b93abf5fdeb4097a1a163fd421d8a3d
4. Body:
   {
     "packet_logging": {
       "tenant_id": "aaf1bfbf6fbc4b948f2c98899c513525",
       "object_id": "0988a52c-9a57-4f80-8914-b6dd4cb130d5",
       "service_type": "fw"
     }
   }
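A check of the request body above against the columns defined for the packet_logging model, as an added example (not the presentation's or Neutron's code). The function names are hypothetical, and treating tenant_id as a 32-character hex id is an assumption taken from the sample value.

```python
import uuid

# Values from the slide's sa.Enum('fw', 'fw-rule', 'sg', 'sg-rule') column.
SUPPORTED_SERVICE_TYPES = ("fw", "fw-rule", "sg", "sg-rule")
ALLOWED_KEYS = {"tenant_id", "object_id", "service_type"}

# The request body shown on the slide.
SAMPLE_BODY = {"packet_logging": {
    "tenant_id": "aaf1bfbf6fbc4b948f2c98899c513525",
    "object_id": "0988a52c-9a57-4f80-8914-b6dd4cb130d5",
    "service_type": "fw",
}}


def _is_uuid(value, dashed):
    """True only for the canonical form: 36 chars with dashes, or 32 hex chars."""
    if not isinstance(value, str):
        return False
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    # uuid.UUID also accepts braces and urn: prefixes; reject those here.
    return value.lower() == (str(parsed) if dashed else parsed.hex)


def validate_packet_logging(body):
    """Return the cleaned resource dict, or raise ValueError listing every problem."""
    if not isinstance(body, dict) or set(body) != {"packet_logging"}:
        raise ValueError("body must contain only the 'packet_logging' key")
    res = body["packet_logging"]
    if not isinstance(res, dict):
        raise ValueError("'packet_logging' must be an object")
    errors = []
    unknown = set(res) - ALLOWED_KEYS
    if unknown:
        errors.append("unknown attributes: %s" % sorted(unknown))
    if not _is_uuid(res.get("object_id"), dashed=True):
        errors.append("object_id must be a 36-character UUID")
    if not _is_uuid(res.get("tenant_id"), dashed=False):
        errors.append("tenant_id must be a 32-character hex id")
    if res.get("service_type") not in SUPPORTED_SERVICE_TYPES:
        errors.append("service_type must be one of %s" % (SUPPORTED_SERVICE_TYPES,))
    if errors:
        raise ValueError("; ".join(errors))
    return {key: res[key] for key in sorted(ALLOWED_KEYS)}
```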

Conclusion: We have implemented the NEW API extension.

Page 19: Neutron Extension API

Copyright 2014 Fujitsu Vietnam Limited