diff --git a/specs/11.0/security-groups-support-for-ovs.rst b/specs/11.0/security-groups-support-for-ovs.rst new file mode 100644 index 00000000..59ca67b9 --- /dev/null +++ b/specs/11.0/security-groups-support-for-ovs.rst @@ -0,0 +1,233 @@ +.. + This work is licensed under a Creative Commons Attribution 3.0 Unported + License. + + http://creativecommons.org/licenses/by/3.0/legalcode + +======================================= +Security Groups support for Neutron/OVS +======================================= + +https://blueprints.launchpad.net/fuel/+spec/security-groups-support-for-ovs + +It is required to implement a radio button in Fuel to switch a Neutron Firewall +driver. `IPTables-based Firewall Driver` and `Open vSwitch Firewall Driver` +should be able. IPTables functionality should be used by default. + +------------------- +Problem description +------------------- + +Until now, only one firewall was implemented in OpenStack's Neutron project: +an iptables-based firewall. As long as now there is a second option to natively +utilize OVS for implementing security groups instead of the former +iptables/linux bridge solution we should have an attribute in Fuel for +selecting firewall driver. + +---------------- +Proposed changes +---------------- + +We should add a cluster attrubute for selecting firewall driver and apply +appropriate settings in nova and neutron configs. + +Web UI +====== + +None + +Nailgun +======= + +* Change openstack.yaml as described in the + :ref:`Data model` section. +* Add the security_groups attribute to the white list for the installation + info. + +.. _security-groups-data-model: + +Data model +---------- + +* openstack.yaml changes:: + + attributes_metadata: + editable: + common: + security_groups: + value: "iptables_firewall" + values: + - data: "ovs_firewall" + label: "Open vSwitch Firewall Driver" + description: "Choose this driver for OVS based security groups implementation." + - data: "iptables_firewall" + label: "IPTables-based Firewall Driver" + description: "Choose this driver for iptables/linux bridge based security groups implementation." + label: "Security Groups" + group: "security" + weight: 20 + type: "radio" + +REST API +-------- + +None + +Orchestration +============= + +None + +RPC Protocol +------------ + +None + +Fuel Client +=========== + +None + +Plugins +======= + +None + +Fuel Library +============ + +Fuel-library should apply firewall settings in neutron and nova configs. +* neutron/plugins/ml2/openvswitch_agent.ini: set OVS firewall driver in the +`securitygroup` section. +* nova/nova.conf: adjust linuxnet_interface_driver for non-dpdk case. +**Attribute `security_groups` impacts only non-dpdk case.** +**In dpdk case, `Open vSwitch Firewall Driver` should be used.** + +------------ +Alternatives +------------ + +None + +-------------- +Upgrade impact +-------------- + +Data migration should be prepared according to the changes in data models. +After upgrade procedure, a Neutron Firewall driver switching is forbidden. +An appropriate warning should be added to release notes. + +--------------- +Security impact +--------------- + +None + +-------------------- +Notifications impact +-------------------- + +None + +--------------- +End user impact +--------------- + +None + +------------------ +Performance impact +------------------ + +Performance impact is not expected. + +----------------- +Deployment impact +----------------- + +Rerun the deployment with changing a Neutron Firewall driver is forbidden. +An appropriate warning should be added to release notes. + +---------------- +Developer impact +---------------- + +None + +--------------------- +Infrastructure impact +--------------------- + +None + +-------------------- +Documentation impact +-------------------- + +The user guide should be updated according to the described feature. + +-------------- +Implementation +-------------- + +Assignee(s) +=========== + +Primary assignee: + Anastasia Balobashina + Mikhail Polenchuk + +Mandatory design review: + Vladimir Eremin + +Work Items +========== + +* Change openstack.yaml as described in the + :ref:`Data model ` section. +* Apply firewall settings in neutron and nova configs +* Test manually. +* Verify the :ref:`acceptance criteria `. + +Dependencies +============ + +None + +----------- +Testing, QA +----------- + +* Test cases for configuring and deployment of environment with the OVS based + security groups, VLAN/VXLAN segmentation, but without enabled DPDK. +* Test cases for configuring and deployment of environment with the OVS based + security groups, VLAN/VXLAN segmentation and enabled DPDK. +* Web UI test cases for configuring the OVS based security group. +* Functional testing. +* Performance testing. + +.. _security-groups-acceptance-criteria: + +Acceptance criteria +=================== + +* OVS based security group is tested and working with MOS + OVS and MOS + + OVS/DPDK. +* The OVS performance should be equivalent or better to iptables in kernel at + 1000 VM and 2000 VM scale. +* OVS/DPDK performance should result in no more than 15% performance + degradation vs no security groups at 1000 VM and 2000 VM scale. +* Scale limit testing: Test the maximum number of flows supported per OVS, + get a model such that we know when OVS based security groups will fail. +* Default should still utilize iptables as OVS based security groups are new + and not well tested yet. +* When OVS/DPDK is used on the host OS then we must automatically configure to + use OVS based security groups. Iptables based security groups do not work + with OVS/DPDK. +* The radio button in UI to choose a firewall_driver. + +---------- +References +---------- + +[0] - http://docs.openstack.org/developer/neutron/devref/openvswitch_firewall.html