
Specification for Enable Neutron VPN as Service

Blueprint neutron-vpnaas-enablement

Change-Id: I47d7d185e9ddf9a13d6219b7676ae01e18977ae0
Xuhan Peng 4 years ago
parent
commit
ef26dce50c
1 changed files with 176 additions and 0 deletions
specs/juno/network/neutron-vpnaas-enablement.rst

@@ -0,0 +1,176 @@
1
+=============================
2
+Enable Neutron VPN as Service
3
+=============================
4
+
5
+Include the URL of your launchpad blueprint:
6
+
7
+https://blueprints.launchpad.net/openstack-chef/+spec/neutron-vpnaas-enablement
8
+
9
+Problem description
10
+===================
11
+
12
+VPN service is a key feature provided by Neutron to enable Secured Private
13
+connection to OpenStack cloud. The reference VPN implementation in Neutron at
14
+this time is [IPSec]_ VPN, and the IPSec driver is [OPENSWAN]_.
15
+
16
+Currently, there is no Chef cookbook support to configure and start Neutron
17
+VPN service.
18
+
19
+
20
+Proposed change
21
+===============
22
+
23
+Add a recipe, and related attribute/unit tests to cookbook-openstack-network
24
+to install, configure and start VPN service.
25
+
26
+The packages need to be installed are:
27
+
28
+* Ubuntu: neutron-plugin-vpn-agent
29
+
30
+* RedHat: openstack-neutron
31
+
32
+* Suse:  openstack-neutron-vpn-agent
33
+
34
+The attributes need to be added includes:
35
+
36
+* A new attribute to decide if VPN agent or L3 agent should be started::
37
+
38
+       ['openstack']['network']['enable_vpn']
39
+
40
+* New attributes for VPN configurations in /etc/neutron/vpn_agent.ini::
41
+
42
+       ['openstack']['network']['vpn']['vpn_device_driver']
43
+       ['openstack']['network']['vpn']['ipsec_status_check_interval']
44
+
45
+The recipe will check if VPN service should be installed, configured and
46
+started, then uses the attribute value to configure VPN agent configuration
47
+file and start VPN service.
48
+
49
+Alternatives
50
+------------
51
+
52
+No alternatives at this time.
53
+
54
+Data model impact
55
+-----------------
56
+
57
+No Data model impact
58
+
59
+REST API impact
60
+---------------
61
+
62
+No API change
63
+
64
+Security impact
65
+---------------
66
+
67
+Right now only IKE with "PSK" (Pre-Shared Key) authentication mode is implemented
68
+in Neutron VPNaaS for simplicity. And the psk is a input of IPsec site connection
69
+establishment process.
70
+
71
+For example, "secret" psk can be used in a new IPsec site connection::
72
+
73
+      neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn
74
+      --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233
75
+      --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret
76
+
77
+Since the authentication and key exchange are not in the scope of starting and
78
+configuring VPN service, there should be no security impact of this Spec.
79
+
80
+Notifications impact
81
+--------------------
82
+
83
+No notification impact
84
+
85
+Other end user impact
86
+---------------------
87
+
88
+
89
+Performance Impact
90
+------------------
91
+
92
+
93
+Other deployer impact
94
+---------------------
95
+
96
+
97
+Developer impact
98
+----------------
99
+
100
+
101
+
102
+Implementation
103
+==============
104
+
105
+Assignee(s)
106
+-----------
107
+
108
+Primary assignee:
109
+  - gekun@cn.ibm.com
110
+
111
+
112
+Work Items
113
+----------
114
+
115
+* Add a new attribute value to decide if VPN agent or L3 agent should be started,
116
+  since these two services cannot be started at the same time.
117
+
118
+* Add new attributes for VPN configurations in /etc/neutron/vpn_agent.ini and
119
+  a new vpn template.
120
+
121
+* Add a new recipe to install the VPN packages, configure the [VPN_TEMPLATE]_
122
+  and start VPN service
123
+
124
+* Enable VPN support in Horizon [VPN_HORIZON]_
125
+  Configure /opt/stack/horizon/openstack_dashboard/local/local_settings.py::
126
+
127
+       OPENSTACK_NEUTRON_NETWORK = {
128
+            'enable_vpn': True,
129
+       }
130
+
131
+* Add validations to ensure VPN service is up and running correctly.
132
+
133
+* Add unit tests
134
+
135
+* ref to ask openstack on this topic [HOW_TO_SETUP_VPN]_
136
+
137
+
138
+Dependencies
139
+============
140
+
141
+Testing
142
+=======
143
+
144
+* Add unit tests for the new recipe.
145
+
146
+* For function tests and CI integration tests, at least one node with three NICs is
147
+  recommanded. One NIC is used for external network connection, one NIC is used for
148
+  data network and the other is used for management network.
149
+
150
+Documentation Impact
151
+====================
152
+
153
+* Configure attribute ['openstack']['network']['enable_vpn'] = 'True'
154
+  to enable VPN service.
155
+
156
+* Configure VPN related attributes, for example::
157
+
158
+      ['openstack']['network']['vpn']['vpn_device_driver'] =
159
+      neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
160
+      ['openstack']['network']['vpn']['ipsec_status_check_interval'] = 60
161
+
162
+References
163
+==========
164
+.. [IPSec] `Security Architecture for the Internet Protocol RFC
165
+   <http://tools.ietf.org/html/rfc4301>`_
166
+
167
+.. [OPENSWAN] `OpenSwan website
168
+   <https://www.openswan.org>`_
169
+
170
+.. [VPN_TEMPLATE] `VPN template values
171
+   <http://docs.openstack.org/trunk/config-reference/content/networking-options-vpn.html>`_
172
+
173
+.. [VPN_HORIZON] `VPN support in Horizon <https://review.openstack.org/#/c/108493/1>`_
174
+
175
+.. [HOW_TO_SETUP_VPN] `How to setup VPNaaS
176
+   <https://ask.openstack.org/en/question/6243/how-to-set-up-neutron-vpn-service-vpnaas/>`_
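Review bot: the Documentation Impact section documents `['openstack']['network']['enable_vpn'] = 'True'` as a string, while the Horizon snippet uses the boolean `'enable_vpn': True` and the recipe's "VPN agent or L3 agent" decision needs a boolean; in Ruby the string `'False'` is truthy, so a guard such as `if node['openstack']['network']['enable_vpn']` would start the VPN agent on any node that sets the attribute at all. Define the attribute as a boolean (`default['openstack']['network']['enable_vpn'] = false`) and document it as `= true`. The Proposed change section should also say what the recipe does with the L3 agent when `enable_vpn` is true, since the Work Items state the two agents cannot run on the same node: stopping and disabling the L3 agent service should be spelled out where the attribute is introduced. In Security impact, "no security impact" is too strong for a recipe that writes `/etc/neutron/vpn_agent.ini` and a spec whose own example passes the PSK on the command line (`--psk secret`); the section should state that PSKs are supplied per site connection and are not stored by the cookbook, and that the recipe installs `vpn_agent.ini` owned by the neutron user with a restrictive mode, consistent with the other agent configuration files. Smaller points: the empty sections (Other end user impact, Performance Impact, Other deployer impact, Developer impact, Dependencies) should carry an explicit "None", the `vpn_device_driver` example value is wrapped across two lines and will not paste correctly, and "recommanded" in Testing should read "recommended".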
