This section is for Application Developers and Network Administrators who are looking to integrate Group Based Policy with OpenStack.
To enable the GBP Neutron Mapper feature, at the karaf console:
feature:install odl-groupbasedpolicy-neutronmapper
Neutron Mapper has the following dependencies that are automatically loaded:
odl-neutron-service
Neutron Northbound implementing REST API used by OpenStack
odl-groupbasedpolicy-base
Base GBP feature set, such as policy resolution, data model etc.
odl-groupbasedpolicy-ofoverlay
For this release, GBP has one renderer, hence this is loaded by default.
REST calls from OpenStack Neutron are by the Neutron NorthBound project.
GBP provides the implementation of the Neutron V2.0 API.
List of supported Neutron entities:
The mapping of Neutron entities to GBP entities is as follows:
Neutron Port
Neutron Port
The Neutron port is mapped to an endpoint.
The current implementation supports one IP address per Neutron port.
An endpoint and L3-endpoint belong to multiple EndpointGroups if the Neutron port is in multiple Neutron Security Groups.
The key for endpoint is L2-bridge-domain obtained as the parent of L2-flood-domain representing Neutron network. The MAC address is from the Neutron port. An L3-endpoint is created based on L3-context (the parent of the L2-bridge-domain) and IP address of Neutron Port.
Neutron Network
Neutron Network
A Neutron network has the following characteristics:
To represent this, a Neutron Network is mapped to multiple GBP entities. The first mapping is to an L2 flood-domain to reflect that the Neutron network is one flooding or broadcast domain. An L2-bridge-domain is then associated as the parent of L2 flood-domain. This reflects both the L2 transmission domain as well as the L2 addressing namespace.
The third mapping is to L3-context, which represents the distinct L3 address space. The L3-context is the parent of L2-bridge-domain.
Neutron Subnet
Neutron Subnet
Neutron subnet is associated with a Neutron network. The Neutron subnet is mapped to a GBP subnet where the parent of the subnet is L2-flood-domain representing the Neutron network.
Neutron Security Group
Neutron Security Group and Rules
GBP entity representing Neutron security-group is EndpointGroup.
Infrastructure EndpointGroups
Neutron-mapper automatically creates EndpointGroups to manage key infrastructure items such as:
Neutron Security Group Rules
This mapping is most complicated among all others because Neutron security-group-rules are mapped to contracts with clauses, subjects, rules, action-refs, classifier-refs, etc. Contracts are used between endpoint groups representing Neutron Security Groups. For simplification it is important to note that Neutron security-group-rules are similar to a GBP rule containing:
Neutron Routers
Neutron Router
Neutron router is represented as a L3-context. This treats a router as a Layer3 namespace, and hence every network attached to it a part of that Layer3 namespace.
This allows for multiple routers per tenant with complete isolation.
The mapping of the router to an endpoint represents the router’s interface or gateway port.
The mapping to an EndpointGroup represents the internal infrastructure EndpointGroups created by the GBP Neutron Mapper
When a Neutron router interface is attached to a network/subnet, that network/subnet and its associated endpoints or Neutron Ports are seamlessly added to the namespace.
Neutron FloatingIP
When associated with a Neutron Port, this leverages the GBP OfOverlay renderer’s NAT capabilities.
A dedicated external interface on each Nova compute host allows for disitributed external access. Each Nova instance associated with a FloatingIP address can access the external network directly without having to route via the Neutron controller, or having to enable any form of Neutron distributed routing functionality.
Assuming the gateway provisioned in the Neutron Subnet command for the external network is reachable, the combination of GBP Neutron Mapper and OfOverlay renderer will automatically ARP for this default gateway, requiring no user intervention.
Troubleshooting within GBP
Logging level for the mapping functionality can be set for package org.opendaylight.groupbasedpolicy.neutron.mapper. An example of enabling TRACE logging level on karaf console:
log:set TRACE org.opendaylight.groupbasedpolicy.neutron.mapper
Neutron mapping example
As an example for mapping can be used creation of Neutron network, subnet and port. When a Neutron network is created 3 GBP entities are created: l2-flood-domain, l2-bridge-domain, l3-context.
Neutron network mapping
After an subnet is created in the network mapping looks like this.
Neutron subnet mapping
If an Neutron port is created in the subnet an endpoint and l3-endpoint are created. The endpoint has key composed from l2-bridge-domain and MAC address from Neutron port. A key of l3-endpoint is compesed from l3-context and IP address. The network containment of endpoint and l3-endpoint points to the subnet.
Neutron port mapping
No intervention passed initial OpenStack setup is required by the user.
More information about configuration can be found in our DevStack demo environment on the GBP wiki.
For consistencies sake, all provisioning should be performed via the Neutron API. (CLI or Horizon).
The mapped policies can be augmented via the GBP UX,UX, to: