Merge "Migrate SNBI dev docs to rst"

[docs.git] / docs / opendaylight-with-openstack / openstack-with-gbp.rst

OpenStack with GroupBasedPolicy
===============================

This section is for Application Developers and Network Administrators
who are looking to integrate Group Based Policy with OpenStack.

To enable the **GBP** Neutron Mapper feature, at the karaf console:

.. code-block:: bash

    feature:install odl-groupbasedpolicy-neutronmapper

Neutron Mapper has the following dependencies that are automatically loaded:

.. code-block:: bash

    odl-neutron-service

Neutron Northbound implementing REST API used by OpenStack

.. code-block:: bash

    odl-groupbasedpolicy-base

Base **GBP** feature set, such as policy resolution, data model etc.

.. code-block:: bash

    odl-groupbasedpolicy-ofoverlay

For this release, **GBP** has one renderer, hence this is loaded by default.

REST calls from OpenStack Neutron are by the Neutron NorthBound project.

**GBP** provides the implementation of the `Neutron V2.0 API <neutron_v2api_>`_.

Features
--------

List of supported Neutron entities:

* Port
* Network

  * Standard Internal
  * External provider L2/L3 network

* Subnet
* Security-groups
* Routers

  * Distributed functionality with local routing per compute
  * External gateway access per compute node (dedicated port required)
  * Multiple routers per tenant

* FloatingIP NAT
* IPv4/IPv6 support

The mapping of Neutron entities to **GBP** entities is as follows:

**Neutron Port**

.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-port.png

   Neutron Port

The Neutron port is mapped to an endpoint.

The current implementation supports one IP address per Neutron port.

An endpoint and L3-endpoint belong to multiple EndpointGroups if the Neutron
port is in multiple Neutron Security Groups.

The key for endpoint is L2-bridge-domain obtained as the parent of
L2-flood-domain representing Neutron network. The MAC address is from the
Neutron port.
An L3-endpoint is created based on L3-context (the parent of the
L2-bridge-domain) and IP address of Neutron Port.

**Neutron Network**

.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-network.png

   Neutron Network

A Neutron network has the following characteristics:

* defines a broadcast domain
* defines a L2 transmission domain
* defines a L2 name space.

To represent this, a Neutron Network is mapped to multiple **GBP** entities.
The first mapping is to an L2 flood-domain to reflect that the Neutron network
is one flooding or broadcast domain.
An L2-bridge-domain is then associated as the parent of L2 flood-domain. This
reflects both the L2 transmission domain as well as the L2 addressing namespace.

The third mapping is to L3-context, which represents the distinct L3 address space.
The L3-context is the parent of L2-bridge-domain.

**Neutron Subnet**


.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-subnet.png

   Neutron Subnet

Neutron subnet is associated with a Neutron network. The Neutron subnet is
mapped to a *GBP* subnet where the parent of the subnet is L2-flood-domain
representing the Neutron network.

**Neutron Security Group**


.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-securitygroup.png

   Neutron Security Group and Rules

**GBP** entity representing Neutron security-group is EndpointGroup.

**Infrastructure EndpointGroups**

Neutron-mapper automatically creates EndpointGroups to manage key infrastructure
items such as:

* DHCP EndpointGroup - contains endpoints representing Neutron DHCP ports
* Router EndpointGroup - contains endpoints representing Neutron router
  interfaces
* External EndpointGroup - holds L3-endpoints representing Neutron router
  gateway ports, also associated with FloatingIP ports.

**Neutron Security Group Rules**

This mapping is most complicated among all others because Neutron
security-group-rules are mapped to contracts with clauses,
subjects, rules, action-refs, classifier-refs, etc.
Contracts are used between endpoint groups representing Neutron Security Groups.
For simplification it is important to note that Neutron security-group-rules are
similar to a **GBP** rule containing:

* classifier with direction
* action of *allow*.


**Neutron Routers**


.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-router.png

   Neutron Router

Neutron router is represented as a L3-context. This treats a router as a Layer3
namespace, and hence every network attached to it a part
of that Layer3 namespace.

This allows for multiple routers per tenant with complete isolation.

The mapping of the router to an endpoint represents the router's interface or
gateway port.

The mapping to an EndpointGroup represents the internal infrastructure
EndpointGroups created by the **GBP** Neutron Mapper

When a Neutron router interface is attached to a network/subnet, that
network/subnet and its associated endpoints or Neutron Ports are seamlessly
added to the namespace.

**Neutron FloatingIP**

When associated with a Neutron Port, this leverages the *GBP* OfOverlay
renderer's NAT capabilities.

A dedicated *external* interface on each Nova compute host allows for
disitributed external access. Each Nova instance associated with a
FloatingIP address can access the external network directly without having to
route via the Neutron controller, or having to enable any form
of Neutron distributed routing functionality.

Assuming the gateway provisioned in the Neutron Subnet command for the external
network is reachable, the combination of *GBP* Neutron Mapper and
OfOverlay renderer will automatically ARP for this default gateway, requiring
no user intervention.


**Troubleshooting within GBP**

Logging level for the mapping functionality can be set for package
org.opendaylight.groupbasedpolicy.neutron.mapper. An example of enabling TRACE
logging level on karaf console:

.. code-block:: bash

    log:set TRACE org.opendaylight.groupbasedpolicy.neutron.mapper

**Neutron mapping example**

As an example for mapping can be used creation of Neutron network, subnet and
port. When a Neutron network is created 3 **GBP** entities are created:
l2-flood-domain, l2-bridge-domain, l3-context.

.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-network-example.png

   Neutron network mapping

After an subnet is created in the network mapping looks like this.

.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-subnet-example.png

   Neutron subnet mapping

If an Neutron port is created in the subnet an endpoint and l3-endpoint are
created. The endpoint has key composed from l2-bridge-domain and MAC address
from Neutron port. A key of l3-endpoint is compesed from l3-context and IP
address. The network containment of endpoint and l3-endpoint points to the
subnet.


.. figure:: images/groupbasedpolicy/neutronmapper-gbp-mapping-port-example.png

   Neutron port mapping

Configuring GBP Neutron
-----------------------

No intervention passed initial OpenStack setup is required by the user.

More information about configuration can be found in our DevStack demo
environment on the `GBP wiki <gbp_wiki_>`_.

Administering or Managing GBP Neutron
-------------------------------------

For consistencies sake, all provisioning should be performed via the Neutron API. (CLI or Horizon).

The mapped policies can be augmented via the **GBP** UX,UX, to:

* Enable Service Function Chaining
* Add endpoints from outside of Neutron i.e. VMs/containers not provisioned in OpenStack
* Augment policies/contracts derived from Security Group Rules
* Overlay additional contracts or groupings

Tutorials
---------

A DevStack demo environment can be found on the
`GBP wiki <gbp_wiki_>`_.

.. _gbp_wiki: https://wiki.opendaylight.org/view/Group_Based_Policy_(GBP)
.. _neutron_v2api: http://developer.openstack.org/api-ref-networking-v2.html