Hi all,

I have made some changes in the doc and the usage of FORCE which recreates
the resource

Thanks
Goutham


-----joehuang <joehu...@huawei.com> wrote: -----
To: Goutham Pratapa <goutham.prat...@tcs.com>
From: joehuang <joehu...@huawei.com>
Date: 11/30/2016 06:57PM
Cc: Ashish Singh7 <ashish.sin...@tcs.com>, Dimitri Mazmanov     
<dimitri.mazma...@ericsson.com>, Ashish singh <ashishsingh...@gmail.com>, 
"caizhiyuan (A)" <caizhiyu...@huawei.com>, Meimei <mei...@huawei.com>, 
opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>, 
"pratapagout...@gmail.com" <pratapagout...@gmail.com>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach

      
hello, Goutham, 

  
When I tried to review your update, and click "see new changes", it said you 
have removed the update, I did not find the update yet.
 

 
 
Best Regards Chaoyi Huang (joehuang)  
  
From: Goutham Pratapa [goutham.prat...@tcs.com]
 Sent: 29 November 2016 17:09
 To: joehuang
 Cc: Ashish Singh7; Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; pratapagout...@gmail.com
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
 
Hi all,
 
 I have made some comments regarding the keypair syncing.
 
 which allows user to sync only specified keypair and option for syncing all 
keypairs.
 
 Thanks 
Goutham
  
 
 -----joehuang <joehu...@huawei.com> wrote: ----- 
 
To: Ashish Singh7 <ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 11/01/2016 01:59PM
 Cc: Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, Ashish singh 
<ashishsingh...@gmail.com>, "caizhiyuan (A)" <caizhiyu...@huawei.com>, Meimei 
<mei...@huawei.com>, opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>, 
"Sama, Malla Reddy" <s...@docomolab-euro.com>,  Zhipeng Huang 
<zhipengh...@gmail.com>, Goutham Pratapa <goutham.prat...@tcs.com>, 
"pratapagout...@gmail.com" <pratapagout...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 
Just one more comment for this action: 

  
"All the resources(based on resource-type) from region 1 will be copied to 
region 2 and 3 leaving the overlapped ones where resource name being the 
identifier. " 

  
I think we can add one option to allow the force replacement for the 
overlapping items. If the user selects force replacement, then the overlapping 
item should be fully replaced with the items from the source region
  

 
 
Best Regards Chaoyi Huang (joehuang)  
  
From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 01 November 2016 14:52
 To: joehuang
 Cc: Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; Goutham Pratapa; 
pratapagout...@gmail.com
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
 
Hi Joe,
 
 Thanks for the comments, have incorporated those.
 
 
 Regards
 Ashish Singh
 Tata Consultancy Services
 Cell:- 9030419618
 Mailto: ashish.sin...@tcs.com
 Website: http://www.tcs.com
 ____________________________________________
 Experience certainty. IT Services
 Business Solutions
 Consulting
 ____________________________________________
 
 
 -----joehuang <joehu...@huawei.com> wrote: -----  
 
To: Ashish Singh7 <ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 11/01/2016 08:03AM
 Cc: Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, Ashish singh 
<ashishsingh...@gmail.com>, "caizhiyuan (A)" <caizhiyu...@huawei.com>, Meimei 
<mei...@huawei.com>, opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>, 
"Sama, Malla Reddy" <s...@docomolab-euro.com>,  Zhipeng Huang 
<zhipengh...@gmail.com>, Goutham Pratapa <goutham.prat...@tcs.com>, 
"pratapagout...@gmail.com" <pratapagout...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
Ashish, 

   
Some minor comment has been added in the doc 
 

 
 
Best Regards Chaoyi Huang (joehuang)   
  
From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 27 October 2016 16:59
 To: joehuang
 Cc: Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; Goutham Pratapa; 
pratapagout...@gmail.com
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
  
 
Hi All, 
  
Have replied to the comment and added API structure as well. 
Have a look and comment accordingly. 
  

 Regards
 Ashish Singh
  
 
 -----joehuang <joehu...@huawei.com> wrote: -----   
 
To: Ashish Singh7 <ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 10/27/2016 01:35AM
 Cc: Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, Ashish singh 
<ashishsingh...@gmail.com>, "caizhiyuan (A)" <caizhiyu...@huawei.com>, Meimei 
<mei...@huawei.com>, opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>, 
"Sama, Malla Reddy" <s...@docomolab-euro.com>,  Zhipeng Huang 
<zhipengh...@gmail.com>, Goutham Pratapa <goutham.prat...@tcs.com>, 
"pratapagout...@gmail.com" <pratapagout...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
Hello, Ashish, 

  
Good update, just one comment in the doc.
 

 
 
Best Regards Chaoyi Huang (joehuang)  
  
From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 26 October 2016 18:40
 To: joehuang
 Cc: Dimitri Mazmanov; Ashish singh; caizhiyuan (A); Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang; Goutham Pratapa; 
pratapagout...@gmail.com
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
 
 
Hi All, 
Have added ssh-keys in place of secgroup in the document as per our latest 
discussion. 
Please have a look and comment accordingly. 

 Regards
 Ashish Singh
  
 
 -----joehuang <joehu...@huawei.com> wrote: ----- 
 
To: Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, Ashish Singh 
<ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 10/11/2016 08:11AM
 Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)" 
<caizhiyu...@huawei.com>, Meimei <mei...@huawei.com>, opnfv-tech-discuss 
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 
Hello, 

  
the following comment is also added in the doc: 

  
My opinion is to exclude SEG from the sync in Kingbird, because SEG sync action 
will lead to data plane in unpredictable situation during multi-region 
concurrent CRUD operation, this is some action will greatly impact the tenant's 
data plane service immediately, especially SEG is for security purpose.
 
 For KeyPair, because it's user based granularity resource, that means will be 
manipulated by single user, so the concurrency is not an issue. But we have 
to allow the user being able to start the sync, but not only Admin role
 

 
 
Best Regards Chaoyi Huang (joehuang)  
  
From: Dimitri Mazmanov [dimitri.mazma...@ericsson.com]
 Sent: 10 October 2016 18:24
 To: joehuang; Ashish Singh
 Cc: Ashish singh; caizhiyuan (A); Meimei; opnfv-tech-discuss; Sama, Malla 
Reddy; Zhipeng Huang
 Subject: Re: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
  
 
 
 Hi,
 Please see my comments as well
 
 From:  joehuang <joehu...@huawei.com>
 Date: Sunday, 9 October 2016 at 03:24
 To: Ashish Singh <ashish.sin...@tcs.com>
 Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)" 
<caizhiyu...@huawei.com>, Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, 
Meimei <mei...@huawei.com>, opnfv-tech-discuss 
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>,  Zhipeng Huang <zhipengh...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
  
  
 Hello, Ashish, 
 
  
 More comments in the doc. Thank you.
 
 
 
 Best Regards
  Chaoyi Huang (joehuang)
   
 
   
 From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 04 October 2016 14:51
 To: joehuang
 Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
  
 
 Hi Joe,
  
  
 I have replied, Please check.
  
  
 
 Regards
 Ashish Singh
  
 
 -----joehuang <joehu...@huawei.com> wrote: ----- 
 
 
 To: Ashish Singh7 <ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 10/04/2016 12:19PM
 Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)" 
<caizhiyu...@huawei.com>, Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, 
Meimei <mei...@huawei.com>, opnfv-tech-discuss 
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>,  Zhipeng Huang <zhipengh...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 Thank you Ashish, comments are put in the document. 
 
 
 
 
 Best Regards
  Chaoyi Huang (joehuang)
   
 
   
 From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 29 September 2016 22:04
 To: joehuang
 Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
  
 
 Hi All,
  
  
 I have updated the document with an approach to solve concurrency problem.
  
  
 Please have a look and comment accordingly.
  
  
 Regards
 Ashish Singh
  
 
 -----joehuang <joehu...@huawei.com> wrote: ----- 
 
 
 To: Ashish Singh7 <ashish.sin...@tcs.com>
 From: joehuang <joehu...@huawei.com>
 Date: 09/27/2016 09:10AM
 Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)" 
<caizhiyu...@huawei.com>, Dimitri Mazmanov <dimitri.mazma...@ericsson.com>, 
Meimei <mei...@huawei.com>, opnfv-tech-discuss 
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>,  Zhipeng Huang <zhipengh...@gmail.com>
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 Hello, Ashish, 
 
  
 Thank you for the BP and doc, see comments in the doc. 
 
 
 
 
 Best Regards
  Chaoyi Huang (joehuang)
   
 
   
 From: Ashish Singh7 [ashish.sin...@tcs.com]
 Sent: 26 September 2016 18:28
 To: joehuang
 Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; 
opnfv-tech-discuss; Sama, Malla Reddy; Zhipeng Huang
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
  
 Hi All, 
 
 I have registered a blueprint on "Resource Syncing" and tied with a supporting 
document. 
 
 Blueprint: 
 https://blueprints.launchpad.net/kingbird/+spec/resource-syncing 
 Google Docs link 
 
https://docs.google.com/document/d/1N6HFAFUT5BbEp1wbnYjgaKdOlyJanwkXccv-_1zsVQc/edit?usp=sharing
 
 
 
 Let us use this to discuss the feature and finalize it. 
 
 Regards
 Ashish Singh
 
 
 
 
 From: joehuang <joehu...@huawei.com> 
 To: Ashish singh <ashishsingh...@gmail.com>, opnfv-tech-discuss 
<opnfv-tech-discuss@lists.opnfv.org>, "caizhiyuan (A)" 
<caizhiyu...@huawei.com>, Meimei <mei...@huawei.com>, "Sama, Malla Reddy" 
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>, "Dimitri 
Mazmanov" <dimitri.mazma...@ericsson.com>, Ashish Singh7 
<ashish.sin...@tcs.com> 
 Date: 09/21/2016 02:23 PM 
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach 
 
   
 
 
 Hello team, 
 
 Last year, use case 4 was discussed, some network related requirements were 
identified: https://etherpad.opnfv.org/p/multisite_centralized_servic 

 - global view for tenant level IP address / mac address space management
     - If a tenant has networks in multiple region, and these networks are 
routable (for example, connected with VPN), then, IP address may be duplicated. 
Need a global view for IP address space management
     - If IP v4 used, this issue needs to be considered. For IPv6, it should 
not be a problem. IR - disagree with this statement. This requirement is 
important not just for prevention of duplicate address.
     - For security and other reasons it's important to know which IP Addresses 
(IPv4 and IPv6) are used in which region.
     - Can we also extend such requirement to MAC address tracking?
     - Can we also extend such requirement to mapping for floating and public 
IP Addresses
 - A service to clone security groups across regions
     - No appropriate service to security groups across multiple region if the 
tenant has resources distributed, has to set the security groups in different 
region manually.

 And during the discussion thread with netready, one more issue identified 
http://lists.opnfv.org/pipermail/opnfv-tech-discuss/2016-July/011499.html: 

 - VxLAN pool cross site management for VxLAN segmentation allocation

 All these issues need to be addressed, we can discuss them together. 
 
 Tricircle (now Tricircle team is working on the cleaning to make Tricircle 
dedicated for networking automation across Neutron, mentioned below) could be 
the reference, the design blueprint has just been updated for your reference: 
https://docs.google.com/document/d/1zcxwl8xMEpxVCqLTce2-dUOtB-ObmzJTbV1uSQ6qTsY/, 
local network and shared VLAN network and L3 has been implemented in Newton 
release. Of course, in NFV area, L2 networking should be enough in most 
scenario. 
 
 And the spec for Tricircle Local Neutron Plugin is in review: 
https://review.openstack.org/#/c/368529/ 
 
 Best Regards 
 Chaoyi Huang (joehuang) 
 
   
 From: joehuang
 Sent: 09 September 2016 16:59
 To: Ashish singh; opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla 
Reddy; Zhipeng Huang; Dimitri Mazmanov; Ashish Singh7
 Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 Hello, Ashish, 
 
 I think sync itself (if excluding the remote sec-group) is not complex, the 
complexity is to ensure the rules set in different region of Neutron will not 
conflict with each other. Otherwise, it'll become mess. 
 
 So I agree with you "We must use neutron to perform all our operations as with 
neutron we have total control over it." (Is my understanding correct?) 
 
 That's the way of Tricircle (please forgive me to explain a little: Tricircle 
now is only a project about networking automation across Neutron. And the 
Nova/Cinder API-Gateway part will be moved to Trio2o, a new created project: 
https://docs.google.com/presentation/d/1kpVo5rsL6p_rq9TvkuczjommJSsisDiKJiurbhaQg7E/edit), 
and the SEG sync has been implemented in the Tricircle, and we are now doing the 
tricircle splitting and cleaning. 
 
 If we implement seg sync in Kingbird, we have to write lots of duplicated code 
which has already done in Neutron, for example, SEG CRUD, rule CRUD, 
validation, rule checking, default rule management, etc. 
 
 Best Regards 
 Chaoyi Huang(joehuang) 
 
   
 From: Ashish singh [ashishsingh...@gmail.com]
 Sent: 08 September 2016 23:57
 To: opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla Reddy; Zhipeng 
Huang; Ashish singh; Dimitri Mazmanov; joehuang; Ashish Singh7
 Subject: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
 
 Hi All, 
 
 I have drafted a basic approach for security group synching in release D and 
it is as follows. 
 
 - Get list of secgroups with rules for a tenant from all the regions which do 
not have remote group references (currently, we ignore remote secgroup 
references as there can be a lot of nested dependencies). 
 - Traverse each region and do the following 
     - Get the list of secgroup which are present in all the regions except 
the current region. These are the secgroups which we need to sync in current 
region: say it GRP_TO_BE_SYNCED 
     - There can be case where the secgroup from GRP_TO_BE_SYNCED may have 
the same rules as the secgroup in current region (if not initially but which 
will obviously happen after a sync job). 
     - Traverse through the GRP_TO_BE_SYNCED and check if there are such 
secgroups (rules overlapping groups), if there, ignore it. After this filtering, 
the remaining secgroup will be the final list of secgroup which should be 
created for the current region. 
     - Create the secgroup with the final list of secgroups in the region. 
 - Repeat the process for all the tenant in batches. 

 The default security group is not synced, as I feel region specific default 
secgroup has to be there in each region. 
 
 We must use neutron to perform all our operations as with neutron we have 
total control over it. 
 
 
 For creating a security group we need the following information 
 
   --tenant-id TENANT_ID
                         The owner tenant ID.
   --description DESCRIPTION
                         Description of security group rule.
   --direction {ingress,egress}
                         Direction of traffic: ingress/egress.
   --ethertype ETHERTYPE
                         IPv4/IPv6
   --protocol PROTOCOL   Protocol of packet. Allowed values are [icmp, icmpv6,
                         tcp, udp] and integer representations [0-255]
   --port-range-min PORT_RANGE_MIN
                         Starting port range. For ICMP it is type.
   --port-range-max PORT_RANGE_MAX
                         Ending port range. For ICMP it is code.
   --remote-ip-prefix REMOTE_IP_PREFIX
                         CIDR to match on.

 We have all these details with us available. 
 
 
 Let us take this forward, Please review/comment.
 
 -- 
 Best Regards, 
 Ashish Singh 
_______________________________________________
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
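
The planning steps from the original post at the bottom of this thread, as an added Python example (not code from the thread or from Kingbird). Data shapes, function names and the sample regions are assumptions; "same rules" is taken to mean an identical rule set, and the code only plans what to create, without calling Neutron.

```python
# Added illustration of the sync-planning steps in the original post.
# Data shapes, names and sample regions are assumptions; Neutron is not called.
RULE_FIELDS = ("direction", "ethertype", "protocol", "port_range_min",
               "port_range_max", "remote_ip_prefix", "remote_group_id")


def fingerprint(group):
    """Order-independent identity of a group's rule set (per-region IDs ignored)."""
    return frozenset(tuple(r.get(f) for f in RULE_FIELDS) for r in group["rules"])


def syncable(group):
    """Skip the region-specific default group and groups with remote group references."""
    if group["name"] == "default":
        return False
    return not any(r.get("remote_group_id") for r in group["rules"])


def plan_sync(groups_by_region):
    """Return {region: [groups to create there]} for one tenant."""
    plan = {}
    for region, local_groups in groups_by_region.items():
        seen = {fingerprint(g) for g in local_groups}  # rule sets already present
        to_create = []
        for other in sorted(groups_by_region):         # deterministic order
            if other == region:
                continue
            for g in groups_by_region[other]:          # GRP_TO_BE_SYNCED candidates
                fp = fingerprint(g)
                if syncable(g) and fp not in seen:     # drop rule-overlapping groups
                    seen.add(fp)                       # also dedupes across regions
                    to_create.append(g)
        plan[region] = to_create
    return plan


def rule(proto, lo, hi, cidr, remote_group_id=None):
    """Build a constructed sample ingress IPv4 rule."""
    return {"direction": "ingress", "ethertype": "IPv4", "protocol": proto,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": cidr, "remote_group_id": remote_group_id}


# Constructed sample tenant: three regions with partly overlapping groups.
SAMPLE = {
    "RegionOne": [
        {"name": "web", "rules": [rule("tcp", 80, 80, "0.0.0.0/0"),
                                  rule("tcp", 443, 443, "0.0.0.0/0")]}],
    "RegionTwo": [
        {"name": "web-copy", "rules": [rule("tcp", 443, 443, "0.0.0.0/0"),
                                       rule("tcp", 80, 80, "0.0.0.0/0")]},
        {"name": "ssh", "rules": [rule("tcp", 22, 22, "10.0.0.0/8")]}],
    "RegionThree": [
        {"name": "default", "rules": [rule(None, None, None, None, "sg-default")]},
        {"name": "db", "rules": [rule("tcp", 3306, 3306, None, "sg-web")]}],
}

if __name__ == "__main__":
    for region, groups in plan_sync(SAMPLE).items():
        print(region, [g["name"] for g in groups])
```

The plan is computed from a snapshot, so a group created or changed in any region between listing and creation is not reflected, which is the concurrent CRUD concern raised in the replies.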
