Matthew, Please see https://cwiki.apache.org/confluence/display/CLOUDSTACK/Extending+CloudStack+Networking
Thanks, Murali On 22/09/16, 11:23 PM, "Matthew Smart" <msm...@smartsoftwareinc.com> wrote: >Hey Murali, > >I have been reading through the API and other documentation to try to >get a basic understanding of the network service offering abstraction >methodology in CS. I have not dove into the code yet but before I did I >thought I would try a different approach. > >Imagine I were to come to this list and say that I have a network >offering that I sell and that I wanted to write whatever I needed to in >order to integrate it as an offering in CloudStack. Is there some >specific documentation and guidelines you would direct me to read in >order to gather the knowledge necessary to create a cloudstack >compatible interface for my product? > >I don't know the history but I see several products that have navigated >this process (Nuage, Nicira, ...etc) and am wondering how a new provider >would work with you guys to navigate that process. If this is too vague, >we can pretend my new offering is a hardware firewall device. > >My goal here is to gain an understanding of how CS interacts with third >party offerings underneath the hood. I have some thoughts (I think >inline with Will Steven's brain dump and diagram) but want to make sure >I am not suffering some misapprehensions about the architecture and, >short of tracing code, was not successful at finding the information I >needed to satisfy myself that I know how it is designed. > >Thanks, > >Matthew Smart >President >Smart Software Solutions Inc. >108 S Pierre St. >Pierre, SD 57501 > >Phone: (605) 280-0383 >Skype: msmart13 >Email: msm...@smartsoftwareinc.com > >On 09/20/2016 04:54 AM, Murali Reddy wrote: >> Configuration management of network appliances particularly for Cloud and >> NFV scenarios is still evolving area. Programmability is the not the >> strength for even the most popular network operating systems like IOS, JunoS >> etc. So its not surprising why CloudStack integrates in a archaic way with >> stock linux for the VR. >> >> VR was never integral/hardcoded option in CloudStack. Its always been a >> plugin. CloudStack network orchestration is well abstracted and designed >> with vision to compose a network with different set of providers for >> different services. Yes that vision is not fully realised yet, and we don’t >> have true service function chains. That would be different discussion topic. >> >> I tend to agree with Simon, as alternate/interim option we can take hard >> look whats causing the problems with current VR integration. Personally, I >> think it would be easier we take a cue from configuration managers and >> network configuration solutions out there (for e.g promise theory based >> Cisco ACI) move to more declarative model of expressing desired state of >> network configuration. Infact current VR from 4.6, actually holds the >> desired state per service basis, seems to be in that direction. >> >> It does make sense to evaluate new appliances which can provide rich >> semantics (like programmable API, declarative configuration, versioning, >> commit/rollback etc), but will need significant engineering effort and time >> to stabilise. We may make same mistakes with integration of other appliance >> as well, if we fully don’t understand the nature of the current problems >> with CloudStack core and service provider interaction and current VR >> integration. >> >> >> On 16/09/16, 11:59 PM, "Simon Weller" <swel...@ena.com> wrote: >> >>> I think our other option is to take a real look at what it would take to >>> fix the VR. In my opinion, a lot of the problems are related to the >>> monolithic python code base and the fact nothing is actually separated. >>> >>> Secondly, the python scripts (and bash scripts) don't use any established >>> libraries to complete tasks and instead shell out and run commands that are >>> both hard to track and hard to parse on return. >>> >>> >>> If we daemonized this, used a real api for Agent to VR communication, used >>> common already existing libraries for the system service and network >>> interactions and spent a bit of time separating out code into distinct >>> modules, everything would behave a lot better. >>> >>> >>> The pain and suffering is due to years and years of patches and constant >>> shelling out to complete tasks in my opinion. If we spend time to rethink >>> how we interact with the VR in general and we abstract the systems and >>> networking stuff and use well known and stable libraries to do the work, >>> the VR would be much easier to maintain. >>> >>> >>> - Si >>> >>> >>> >>> >>> ________________________________ >>> From: Marty Godsey <ma...@gonsource.com> >>> Sent: Friday, September 16, 2016 12:24 PM >>> To: dev@cloudstack.apache.org >>> Subject: RE: [DISCUSS] Replacing the VR >>> >>> So based upon this discussion would it be prudent to wait on VyOS 2.0? The >>> current VR is giving us issues but would the time invested in another >>> "solution" be wasted especially if by the time another option is chose, >>> then coded, then tested, then implemented and right as that time happened >>> to be when VyOS 2.0 is released. Of course you said they are just in the >>> scoping range so this could still be a year or more out. >>> >>> Thoughts? >>> >>> Regards, >>> Marty Godsey >>> nSource Solutions >>> >>> -----Original Message----- >>> From: williamstev...@gmail.com [mailto:williamstev...@gmail.com] On Behalf >>> Of Will Stevens >>> Sent: Friday, September 16, 2016 10:31 AM >>> To: dev@cloudstack.apache.org >>> Cc: dan...@baturin.org >>> Subject: Re: [DISCUSS] Replacing the VR >>> >>> I just had a quick chat with a couple of the guys over on the VyOS chat. >>> I have CC'ed one of them in case we have more licensing questions. >>> >>> So here is the status with the license "the code inherited from Vyatta and >>> our modifications from it is GPLv2 (strict, not v2+). The config reading >>> library is GPLv2 too, so anything that links to is is GPLv2. >>> Some auxiliary components we made after the fork are more permissive, >>> LGPLv2+ or MIT." >>> >>> They are currently in the process of scoping a redesign (VyOS 2.0), "we are >>> planning a clean rewrite that will solve issues of the current config >>> system". >>> This will include the ability to configure via the API. >>> >>> If we have more questions for VyOS, they are very friendly and responsive, >>> so we should be able to get answers. >>> >>> *Will STEVENS* >>> Lead Developer >>> >>> *CloudOps* *| *Cloud Solutions Experts >>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw >>> @CloudOps_ >>> >>> On Fri, Sep 16, 2016 at 9:37 AM, Syed Ahmed <sah...@cloudops.com> wrote: >>> >>>> I agree with Will Ilya. There are so many problems with the VR right now. >>>> Most of the outages we've had recently have somehow involved the VR. >>>> We set custom iptables rules on the VR which can and have easily gone >>>> wrong. >>>> Openswan is broken, Strongswan replacement still needs to be tested. >>>> VVRP with redundant router still needs work, and not to mention the >>>> problems we will have when we introduce IPv6 into the whole picture. >>>> >>>> I think the spirit of the discussion is to rely on a 3rd party to do >>>> the networking for us (eg VyOS) and have us handle just the >>>> orchestration. All the problems that I've described have already been >>>> solved in VyOS. We also get the advantage of a potential wider >>>> community to fix and maintain the VR and given our current development >>>> velocity, it think it totally makes sense to look for a 3rd party option. >>>> >>>> -Syed >>>> >>>> >>>> On Fri, Sep 16, 2016 at 9:18 AM, Will Stevens <wstev...@cloudops.com> >>>> wrote: >>>> >>>>> The VR has been biting us far too often recently, which is why we >>>>> have started looking into alternative implementations. >>>>> >>>>> One of the things that is nice about potentially using the VyOS is >>>>> that >>>> it >>>>> is based on Debian, so we should be able to run the other services >>>>> that >>>> we >>>>> currently have like the password server and userdata on the VyOS. >>>>> This means we would not have to change our architecture initially >>>>> and could focus on only replacing the networking paths. >>>>> >>>>> *Will STEVENS* >>>>> Lead Developer >>>>> >>>>> *CloudOps* *| *Cloud Solutions Experts >>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* >>>>> tw @CloudOps_ >>>>> >>>>> On Fri, Sep 16, 2016 at 6:20 AM, Nux! <n...@li.nux.ro> wrote: >>>>> >>>>>> The more this is discussed the more I think we should stick with >>>>>> our >>>> VR. >>>>>> All these other options either seem unfinished or with >>>>>> incompatible license. >>>>>> >>>>>> VyOS looks the most promising so far, it's a serious, mature project. >>>>>> Adopting it though means we'll have to microservice our way out of >>>>>> it >>>>> with >>>>>> extra machines for DNS/USERDATA/etc, unless we can make VyOS serve >>>> those >>>>>> too. Imho this adds complexity we should void. >>>>>> >>>>>> -- >>>>>> Sent from the Delta quadrant using Borg technology! >>>>>> >>>>>> Nux! >>>>>> www.nux.ro >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Will Stevens" <wstev...@cloudops.com> >>>>>>> To: dev@cloudstack.apache.org >>>>>>> Sent: Thursday, 15 September, 2016 17:21:28 >>>>>>> Subject: Re: [DISCUSS] Replacing the VR >>>>>>> Ya, we would need to add a daemon for VPN as well. Load >>>>>>> balancing is another aspect which we will need to consider if we went >>>>>>> this route. >>>>>>> Something like https://traefik.io/ could potentially be a good >>>>>>> fit >>>> due >>>>>> to >>>>>>> its API driven configuration, but it may be more than what we need. >>>>>>> >>>>>>> We should probably try define which pieces make sense to be >>>>>>> solved >>>>>> together >>>>>>> and which pieces would be best suited to be broken out. >>>>>>> >>>>>>> I think the network connectivity, routing and firewalling should >>>>> probably >>>>>>> all stay together since the majority of the tools we would >>>> potentially >>>>>> use >>>>>>> would handle all of that together in a single implementation. >>>>>>> >>>>>>> The password server and userdata seems like a good option for >>>>>>> being >>>>>> broken >>>>>>> out and handled independently (and probably rewritten completely >>>> since >>>>>> they >>>>>>> currently have some issues). >>>>>>> >>>>>>> Load balancing is another that could warrant splitting out, but >>>>>>> that depends on what direction we go and how we would be managing it. >>>> DHCP >>>>>> and >>>>>>> DNS are others which could go either way. >>>>>>> >>>>>>> If we do split out services, I think we should consolidate as >>>>>>> much as >>>>> we >>>>>>> can into each service we break out. Ideally a network packet >>>>>>> would >>>>> never >>>>>>> hit more than one, maybe two, services. I don't think we should >>>>>>> be splitting services 'just because', I think we need a valid >>>>>>> case for splitting any service out because it adds complexity. >>>>>>> Our project is already complex enough, we need to avoid adding >>>>>>> complexity unless it >>>> is >>>>>>> really needed. >>>>>>> >>>>>>> Some more of my thoughts on this anyway... >>>>>>> >>>>>>> *Will STEVENS* >>>>>>> Lead Developer >>>>>>> >>>>>>> *CloudOps* *| *Cloud Solutions Experts >>>>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com >>>>>>> *|* tw @CloudOps_ >>>>>>> >>>>>>> On Thu, Sep 15, 2016 at 10:28 AM, Simon Weller <swel...@ena.com> >>>>> wrote: >>>>>>>> I do agree with you that this probably isn't the right place >>>>>>>> the >>>>>> password >>>>>>>> service and user data. >>>>>>>> >>>>>>>> >>>>>>>> Having said that, after taking a cursory look at the dev docs, >>>>>>>> it >>>>>> doesn't >>>>>>>> seem that difficult to add new daemons: >>>> https://opensnaproute.github. >>>>>>>> io/docs/developer.html#creating-new-component >>>>>>>> >>>>>>>> <https://opensnaproute.github.io/docs/developer.html# >>>>>>>> creating-new-component> >>>>>>>> >>>>>>>> >>>>>>>> They've definitely build it with a microservices architecture >>>>>>>> in >>>> mind, >>>>>> so >>>>>>>> each individual feature is abstracted into it's own small >>>>>>>> daemon >>>>>> process. >>>>>>>> We could just create a daemon for the password server and the >>>> userdata >>>>>>>> components if we really had to. >>>>>>>> >>>>>>>> >>>>>>>> - Si >>>>>>>> >>>>>>>> >>>>>>>> ________________________________ >>>>>>>> From: williamstev...@gmail.com <williamstev...@gmail.com> on >>>>>>>> behalf >>>>> of >>>>>>>> Will Stevens <wstev...@cloudops.com> >>>>>>>> Sent: Thursday, September 15, 2016 9:17 AM >>>>>>>> To: dev@cloudstack.apache.org >>>>>>>> Subject: Re: [DISCUSS] Replacing the VR >>>>>>>> >>>>>>>> A big part of why I know about it is because it is written in Go. >>>> :P >>>>>>>> Yes, it is definitely interesting for the routing and traffic >>>> handling >>>>>>>> aspects of the VR. We will likely have to rethink some of the >>>> pieces >>>>> a >>>>>>>> little bit like the password server and userdata if we are to >>>>>>>> adopt >>>> a >>>>>>>> different VR approach. This is where I think some of JohnB and >>>>>> Chiradeep's >>>>>>>> ideas make sense. In many ways, it does not make sense for the >>>> device >>>>>>>> handling routing and network traffic to also be responsible for >>>>>> passwords >>>>>>>> and userdata. >>>>>>>> >>>>>>>> *Will STEVENS* >>>>>>>> Lead Developer >>>>>>>> >>>>>>>> *CloudOps* *| *Cloud Solutions Experts >>>>>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com >>>>>>>> *|* tw @CloudOps_ >>>>>>>> >>>>>>>> On Thu, Sep 15, 2016 at 9:10 AM, Simon Weller <swel...@ena.com> >>>>> wrote: >>>>>>>>> I hadn't heard of Flexswitch until you mentioned it. It looks >>>> pretty >>>>>>>> cool! >>>>>>>>> It even supports ONIE install. >>>>>>>>> >>>>>>>>> To be honest, the ipsec feature could be added, or we could >>>> offload >>>>>> it to >>>>>>>>> separate vm if we needed to. The fact it is so feature rich >>>>>>>>> from a >>>>>>>> routing >>>>>>>>> perspective (and all API driven) is really nice. >>>>>>>>> >>>>>>>>> >>>>>>>>> Based on the roadmap, it looks like they plan to also support >>>>>>>> capabilities >>>>>>>>> such as BGP-MPLS based L3VPN, EVPN, VPLS in the future. This >>>>>>>>> will >>>> be >>>>>> huge >>>>>>>>> for our carrier community that rely on these technologies to >>>>>>>>> do >>>>>> private >>>>>>>>> gateway and inter-VPC interconnections today. We handle this >>>>>>>>> stuff >>>>> on >>>>>> our >>>>>>>>> ASRs right now with a vlan interconnect into the VR. Being >>>>>>>>> able to >>>>> do >>>>>>>> MPLS >>>>>>>>> all the way to the VR would be awesome. >>>>>>>>> >>>>>>>>> >>>>>>>>> It also seems to be written in GO (a language here at ENA we >>>>>>>>> know >>>>> very >>>>>>>>> well). >>>>>>>>> >>>>>>>>> >>>>>>>>> - Si >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> ________________________________ >>>>>>>>> From: Will Stevens <williamstev...@gmail.com> >>>>>>>>> Sent: Thursday, September 15, 2016 7:06 AM >>>>>>>>> To: dev@cloudstack.apache.org >>>>>>>>> Subject: RE: [DISCUSS] Replacing the VR >>>>>>>>> >>>>>>>>> Ya. I don't think it covers our whole use case, but what it >>>>>>>>> does >>>>>> cover is >>>>>>>>> all api driven... >>>>>>>>> >>>>>>>>> On Sep 15, 2016 1:48 AM, "Marty Godsey" <ma...@gonsource.com> >>>>> wrote: >>>>>>>>>> Though I don’t see VPN in Snaproute.. Makes sense since it >>>>>>>>>> was >>>> not >>>>>>>>>> intended to do IPSec. >>>>>>>>>> >>>>>>>>>> It seems as though VyOS is starting to look like the best >>>> option. >>>>>>>>>> Regards, >>>>>>>>>> Marty Godsey >>>>>>>>>> nSource Solutions >>>>>>>>>> >>>>>>>>>> -----Original Message----- >>>>>>>>>> From: williamstev...@gmail.com >>>>>>>>>> [mailto:williamstev...@gmail.com >>>> ] >>>>> On >>>>>>>>>> Behalf Of Will Stevens >>>>>>>>>> Sent: Wednesday, September 14, 2016 11:06 PM >>>>>>>>>> To: dev@cloudstack.apache.org >>>>>>>>>> Subject: Re: [DISCUSS] Replacing the VR >>>>>>>>>> >>>>>>>>>> Or we could go completely crazy and go with something like >>>>>> FlexSwitch >>>>>>>>> from >>>>>>>>>> SnapRoute >>>>>>>>>> - http://www.snaproute.com/ >>>>>>>>>> - https://opensnaproute.github.io/docs/apis.html >>>>>>>>>> >>>>>>>>>> *Will STEVENS* >>>>>>>>>> Lead Developer >>>>>>>>>> >>>>>>>>>> *CloudOps* *| *Cloud Solutions Experts >>>>>>>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w >>>>>>>>>> cloudops.com >>>>> *|* >>>>>> tw >>>>>>>>>> @CloudOps_ >>>>>>>>>> >>>>>>>>>> On Wed, Sep 14, 2016 at 10:55 PM, Will Stevens < >>>>>> wstev...@cloudops.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> I tend to agree with Syed and Marty. I am not sure what >>>>> problems >>>>>> are >>>>>>>>>>> solved by splitting up the function of the VR into a >>>>>>>>>>> bunch of >>>>>>>> separate >>>>>>>>>>> services. As Syed points out, the complexity added is >>>>>> non-trivial. >>>>>>>>>>> We now have to manage all the intercontainer networking >>>>>>>>>>> as >>>> well >>>>> as >>>>>>>> the >>>>>>>>>>> orchestrated ACS networking. >>>>>>>>>>> >>>>>>>>>>> VyOS is interesting to me because it covers the majority >>>>>>>>>>> of >>>> our >>>>>> use >>>>>>>>>>> case with a single unified control plane. It also has >>>>>>>>>>> good >>>>>> support >>>>>>>>>>> for extending features we care about, like IPv6, VXLAN, >>>>>>>>>>> VRRP, transactions, etc... >>>>>>>>>>> >>>>>>>>>>> *Will STEVENS* >>>>>>>>>>> Lead Developer >>>>>>>>>>> >>>>>>>>>>> *CloudOps* *| *Cloud Solutions Experts >>>>>>>>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w >>>> cloudops.com >>>>>> *|* >>>>>>>> tw >>>>>>>>>>> @CloudOps_ >>>>>>>>>>> >>>>>>>>>>> On Wed, Sep 14, 2016 at 9:49 PM, Syed Ahmed < >>>>> sah...@cloudops.com> >>>>>>>>> wrote: >>>>>>>>>>>> Agree with Marty, adding Docker containers to the >>>>>>>>>>>> picture >>>>>> although >>>>>>>>>>>> can make the VR more flexible but the added complexity >>>>>>>>>>>> is >>>> just >>>>>> not >>>>>>>>>>>> worth it. Not to mention we would need to take care of >>>>> networking >>>>>>>>>>>> each container manually and given that our iptable rules >>>>>>>>>>>> are >>>>> very >>>>>>>>>>>> unstable at the moment I don't see a big value add. >>>>>>>>>>>> >>>>>>>>>>>> Vyos looks like a better solution to me. I know that it >>>>>>>>>>>> does >>>>> not >>>>>>>>>>>> provide an api but it does fit the bill quite well >>>> otherwise. I >>>>>>>>>>>> specially like the fact that it has a transaction based >>>>>>>>>>>> model >>>>> and >>>>>>>> you >>>>>>>>>>>> can rollback changes if something goes wrong. >>>>>>>>>>>> On Wed, Sep 14, 2016 at 9:06 PM Marty Godsey < >>>>>> ma...@gonsource.com> >>>>>>>>>> wrote: >>>>>>>>>>>>> Licensing aside, I think splitting the various >>>>>>>>>>>>> functions >>>> into >>>>>>>>>>>>> containers is not a good route either. This will force >>>> users >>>>> to >>>>>>>>>>>>> have to maintain >>>>>>>>>>>> and >>>>>>>>>>>>> use containers and adds complexity to the networking >>>> aspects >>>>> of >>>>>>>> ACS. >>>>>>>>>>>>> Complexity decreases stability. Now I understand the >>>> argument >>>>>> that >>>>>>>>>>>>> a monolithic approach also brings its own set of >>>>>>>>>>>>> issues but >>>>> it >>>>>>>> also >>>>>>>>>>>>> simplifies it. >>>>>>>>>>>>> >>>>>>>>>>>>> Regards, >>>>>>>>>>>>> Marty Godsey >>>>>>>>>>>>> nSource Solutions >>>>>>>>>>>>> >>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>> From: Chiradeep Vittal [mailto:chirade...@gmail.com] >>>>>>>>>>>>> Sent: Wednesday, September 14, 2016 5:37 PM >>>>>>>>>>>>> To: dev@cloudstack.apache.org >>>>>>>>>>>>> Subject: Re: [DISCUSS] Replacing the VR >>>>>>>>>>>>> >>>>>>>>>>>>> I rather doubt that the Cloudrouter will fit the needs >>>>>>>>>>>>> of >>>> the >>>>>>>>>>>>> CloudStack project >>>>>>>>>>>>> - it is AGPL licensed. Many enterprises will not >>>>>>>>>>>>> touch >>>>>> anything >>>>>>>>>>>>> that >>>>>>>>>>>> has >>>>>>>>>>>>> AGPL >>>>>>>>>>>>> - the github repo shows rather infrequent updates. >>>>>>>>>>>>> Quite >>>>>> likely >>>>>>>>>>>>> they aren't considering the use cases of the >>>>>>>>>>>>> CloudStack >>>>>> community >>>>>>>>>>>>> I'd back John B's comments on disaggregating the VR. >>>>>>>>>>>>> Split >>>> it >>>>>> into >>>>>>>>>>>>> many docker containers >>>>>>>>>>>>> - password server >>>>>>>>>>>>> - userdata server >>>>>>>>>>>>> - DHCP / DNS >>>>>>>>>>>>> - s2s VPN >>>>>>>>>>>>> - RA VPN >>>>>>>>>>>>> - intra-VPC routing and ACL >>>>>>>>>>>>> - Port forwarding + NAT >>>>>>>>>>>>> - FW >>>>>>>>>>>>> - LB (public) >>>>>>>>>>>>> - LB (internal), >>>>>>>>>>>>> - secondary storage >>>>>>>>>>>>> - agent >>>>>>>>>>>>> Glue them together with docker compose files (one per >>>>>>>>>>>>> use >>>>>> case - >>>>>>>>>>>>> basic zone, isolated, VPC, SSVM, etc). >>>>>>>>>>>>> >>>>>>>>>>>>> The VR image then becomes a JeOS + docker. You can >>>>>>>>>>>>> test >>>> each >>>>> of >>>>>>>> the >>>>>>>>>>>>> components independently and fixing one bug in the >>>>>>>>>>>>> field >>>> (say >>>>>>>> DHCP) >>>>>>>>>>>>> is hitless to the other components. You don't need to >>>>>>>>>>>>> build per-hypervisor VRs. You could even run on baremetal. >>>>>>>>>>>>> >>>>>>>>>>>>> Along the way you need to figure out how to >>>>>>>>>>>>> - make the traffic traverse the containers that are >>>>>>>>>>>>> needed >>>>> to >>>>>> be >>>>>>>>>>>>> traversed (in most cases just 1) >>>>>>>>>>>>> - bootstrap the router (how does it find its compose file? >>>>>> where >>>>>>>>>>>>> is the >>>>>>>>>>>>> registry?) >>>>>>>>>>>>> - rethink the command and control of the VR >>>>>>>>>>>>> functions. SSH >>>>>> works, >>>>>>>>>>>>> but something more declarative, idempotent should be >>>>> explored. >>>>>>>>>>>>> As you do this, it becomes clearer which of the >>>>>>>>>>>>> functions >>>> can >>>>>> be >>>>>>>>>>>>> substituted by for example CloudRouter. Command and >>>>>>>>>>>>> Control >>>>> of >>>>>> the >>>>>>>>>>>> docker >>>>>>>>>>>>> containers can be moved out to another container. Etc. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Sep 14, 2016 at 12:59 AM, Marty Godsey >>>>>>>>>>>>> <ma...@gonsource.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> This one does look nice. My biggest concern is the >>>>>>>>>>>>>> lack >>>> of >>>>>>>>>>>>>> VXLANs. It seems that any of the ones we mentioned >>>>>>>>>>>>>> do not >>>>>> have >>>>>>>> an >>>>>>>>>>>>>> API so we may be stuck at the SSH method. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Regards, >>>>>>>>>>>>>> Marty Godsey >>>>>>>>>>>>>> nSource Solutions >>>>>>>>>>>>>> >>>>>>>>>>>>>> -----Original Message----- >>>>>>>>>>>>>> From: Abhinandan Prateek >>>>>>>>>>>>>> [mailto:abhinandan.prat...@shapeblue.com] >>>>>>>>>>>>>> Sent: Wednesday, September 14, 2016 2:26 AM >>>>>>>>>>>>>> To: dev@cloudstack.apache.org >>>>>>>>>>>>>> Subject: Re: [DISCUSS] Replacing the VR >>>>>>>>>>>>>> >>>>>>>>>>>>>> Cloudrouter looks promising. These have potential to >>>>>>>>>>>>>> save >>>>>> future >>>>>>>>>>>>>> engineering effort for example on ipv6 routing, OSPF etc. >>>>>>>>>>>>>> And the best part is they come with test automation >>>>>> framework. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 13/09/16, 4:22 PM, "Jayapal Uradi" >>>>>>>>>>>>>> <jayapal.ur...@accelerite.com> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Instead of replacing the VR in first place we >>>>>>>>>>>>>>> should add VyOS/cloudrouter >>>>>>>>>>>>>> as provider. Once it is stable, network offerings >>>>>>>>>>>>>> (on >>>>>> upgrade) >>>>>>>>>>>>>> can be updated to use it and we can drop the VR if >>>>>>>>>>>>>> we >>>> want >>>>> at >>>>>>>>>>>>>> that release >>>>>>>>>>>>> onwards. >>>>>>>>>>>>>>> VR is stabilized over a period of time and some of >>>>>>>>>>>>>>> them >>>>> are >>>>>>>>>>>>>>> running >>>>>>>>>>>>>> without issues. When we replicate the ACS VR >>>>>>>>>>>>>> features in >>>>> new >>>>>>>>>>>>>> solution it takes some to find the missing pieces >>>>>>>>>>>>>> (hidden >>>>>> bugs). >>>>>>>>>>>>>>> Thanks, >>>>>>>>>>>>>>> Jayapal >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Sep 13, 2016, at 2:52 PM, Nux! < >>>>>>>>>>>>>>>> n...@li.nux.ro> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I like the idea. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Cloudrouter looks really promising, I'm not too >>>>>>>>>>>>>>>> keen >>>> on >>>>>> VyOS >>>>>>>>>>>>>>>> (it >>>>>>>>>>>>>> doesn't have a proper http api etc). >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> Sent from the Delta quadrant using Borg technology! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Nux! >>>>>>>>>>>>>>>> www.nux.ro >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>> abhinandan.prat...@shapeblue.com >>>>>>>>>>>>>> www.shapeblue.com<http://www.shapeblue.com> >>>>>>>>>>>>>> 53 Chandos Place, Covent Garden, London WC2N 4HSUK >>>>>> @shapeblue >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> ----- Original Message ----- >>>>>>>>>>>>>>>>> From: "Will Stevens" <williamstev...@gmail.com> >>>>>>>>>>>>>>>>> To: dev@cloudstack.apache.org >>>>>>>>>>>>>>>>> Sent: Monday, 12 September, 2016 21:20:11 >>>>>>>>>>>>>>>>> Subject: [DISCUSS] Replacing the VR >>>>>>>>>>>>>>>>> *Disclaimer:* This is a thought experiment and >>>>>>>>>>>>>>>>> should >>>>> be >>>>>>>>>>>>>>>>> treated as >>>>>>>>>>>>>> such. >>>>>>>>>>>>>>>>> Please weigh in with the good and bad of this idea... >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> A couple of us have been discussing the idea of >>>>>> potentially >>>>>>>>>>>>>>>>> replacing the ACS VR with the VyOS [1] (Open >>>>>>>>>>>>>>>>> Source >>>>>> Vyatta >>>>>>>>> VM). >>>>>>>>>>>>>>>>> There may be a license issue because I think it >>>>>>>>>>>>>>>>> is >>>>>> licensed >>>>>>>>>>>>>>>>> under GPL, but for the sake of discussion, let's >>>> assume >>>>>> we >>>>>>>>>>>>>>>>> can overcome any >>>>>>>>>>>>>> license issues. >>>>>>>>>>>>>>>>> I have spent some time recently with the VyOS >>>>>>>>>>>>>>>>> and I >>>>> have >>>>>> to >>>>>>>>>>>>>>>>> admit, I was pretty impressed. It is simple and >>>>>> intuitive >>>>>>>>>>>>>>>>> and it gives you a lot more options for auditing >>>>>>>>>>>>>>>>> the >>>>>>>>>> configuration etc... >>>>>>>>>>>>>>>>> Items of potential interest: >>>>>>>>>>>>>>>>> - Clean up our current VR script spaghetti to a >>>> simpler >>>>>> more >>>>>>>>>>>>>>>>> auditable configuration workflow. >>>>>>>>>>>>>>>>> - Gives a cleaner path for IPv6 support. >>>>>>>>>>>>>>>>> - Handles VPN configuration via the same >>>> configuration >>>>>>>>>> interface. >>>>>>>>>>>>>>>>> - Support for OSPF & BGP. >>>>>>>>>>>>>>>>> - VPN support through OpenVPN & StrongSwan. >>>>>>>>>>>>>>>>> - Easily supports HA (redundant routers) through >>>> VRRP. >>>>>>>>>>>>>>>>> - VXLAN support. >>>>>>>>>>>>>>>>> - Transaction based changes to the VR with >>>>>>>>>>>>>>>>> rollback >>>> on >>>>>>>> error. >>>>>>>>>>>>>>>>> Items that could be difficult to solve: >>>>>>>>>>>>>>>>> - Userdata password reset workflow and >>>> implementation. >>>>>>>>>>>>>>>>> - Upgrade process. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The VyOS is not the only option if we were to >>>> consider >>>>>> this >>>>>>>>>>>> approach. >>>>>>>>>>>>>>>>> Another option, which I don't know as well, >>>>>>>>>>>>>>>>> would be CloudRouter (AGPL >>>>>>>>>>>>>>>>> license) [2] which is purely API driven. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Anyway, would love to hear your thoughts... >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Will >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> [1] https://vyos.io/ [2] >>>>>>>>>>>>>>>>> https://cloudrouter.org/ >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> DISCLAIMER >>>>>>>>>>>>>>> ========== >>>>>>>>>>>>>>> This e-mail may contain privileged and confidential >>>>>> information >>>>>>>>>>>>>>> which is >>>>>>>>>>>>>> the property of Accelerite, a Persistent Systems >>>> business. >>>>>> It is >>>>>>>>>>>>>> intended only for the use of the individual or >>>>>>>>>>>>>> entity to >>>>>> which >>>>>>>> it >>>>>>>>>>>>>> is addressed. If you are not the intended recipient, >>>>>>>>>>>>>> you >>>>> are >>>>>> not >>>>>>>>>>>>>> authorized to read, retain, copy, print, distribute >>>>>>>>>>>>>> or >>>> use >>>>>> this >>>>>>>>>>>>>> message. If you have received this communication in >>>> error, >>>>>>>> please >>>>>>>>>>>>>> notify the sender and delete all copies of this message. >>>>>>>>>>>>>> Accelerite, a Persistent Systems business does not >>>>>>>>>>>>>> accept >>>>> any >>>>>>>>>>>>>> liability for virus >>>>>>>>>>>>> infected mails. >>>>>>>>>>> >