Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-04 Thread Neil Jerram
Hi Jonathan,

There's also Calico [1,2], which in its simplest form (and as currently
implemented):

- uses just IP routing (v4 and/or v6) to connect workloads (VMs /
containers / pods / bare metal)

- has a security model that works across workloads hosted in different
clouds, and so can specify whether and how hybrid cloud workloads should be
able to talk to each other (and an agent, Felix, that implements that
model).

(That does imply a couple of restrictions: that current Calico doesn’t
support (1) workloads that genuinely need to be L2-adjacent to each other,
and (2) overlapping IPs or "bring your own addressing." We have plans for
those if they're really needed, and in the meantime we're seeing plenty of
interest in adoption where those points aren't needed, and the simplicity
and scalability of Calico's approach are attractive.)

One of the reasons for choosing a flat routed IP model was precisely so
that workloads just fit into whatever network infrastructure is already
there — and a big driver for that was so that interconnection between “in
cluster” and “out of cluster” resources would be completely straightforward
(not requiring on/off ramps, configuring virtual router ports, mapping
between VLANs, etc.)

Calico has been separately integrated for some time with OpenStack,
Kubernetes and Docker, and there's work underway to demonstrate hybrid
cloud combinations of those, I hope in Barcelona.

I hope that's of interest; sorry for replying relatively late to this
thread.

  Neil


[1] http://docs.openstack.org/developer/networking-calico/
[2] https://www.projectcalico.org/


On Mon, Oct 3, 2016 at 6:54 PM Jonathan Proulx wrote:

>
> So my sense from responses so far:
>
> No one is doing unified SDN solutions across clouds and no one really
> wants to.
>
> Consensus is just treat each network island like another remote DC and
> use normal VPN type stuff to glue them together.
>
> ( nod to http://romana.io an interesting looking network and security
> automation project as a network agnostic alternative to SDN for
> managing cross cloud policy on whatever networks are available. )
>
> -Jon
>
> ___
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>


Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread John van Ommen
In regards to your last comment, that "it would be great for tenants
to be able to setup connections into AWS", HP CSA comes close to doing
that:

http://www8.hp.com/us/en/software-solutions/cloud-service-automation/

It's not *exactly* what you're looking for, you wouldn't be using the
OpenStack API. But it's as close as you can get right now.

IMHO, HP's OpenStack and its integration with HP's automation tools
has made giant strides in the last year.

On Mon, Oct 3, 2016 at 4:29 PM, Curtis wrote:
> On Mon, Oct 3, 2016 at 11:52 AM, Jonathan Proulx wrote:
>>
>> So my sense from responses so far:
>>
>> No one is doing unified SDN solutions across clouds and no one really
>> wants to.
>
> I do want to (but am not doing). When I worked at a public cloud based
> on openstack we certainly wanted this kind of functionality, mostly
> between openstack regions. Likely so would telecoms, hence the
> tricircle link that was sent. But I left before we really got into it
> so I'm not sure what's happened there, or what has or is happening in
> openstack-land.
>
> I would also think it would be great for tenants to be able to setup
> connections into AWS, and even start up AWS instances via the
> openstack API. :)
>
> Thanks,
> Curtis.
>
>>
>> Consensus is just treat each network island like another remote DC and
>> use normal VPN type stuff to glue them together.
>>
>> ( nod to http://romana.io an interesting looking network and security
>> automation project as a network agnostic alternative to SDN for
>> managing cross cloud policy on whatever networks are available. )
>>
>> -Jon
>>
>
>
>
> --
> Blog: serverascode.com
>


Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Curtis
On Mon, Oct 3, 2016 at 11:52 AM, Jonathan Proulx wrote:
>
> So my sense from responses so far:
>
> No one is doing unified SDN solutions across clouds and no one really
> wants to.

I do want to (but am not doing). When I worked at a public cloud based
on openstack we certainly wanted this kind of functionality, mostly
between openstack regions. Likely so would telecoms, hence the
tricircle link that was sent. But I left before we really got into it
so I'm not sure what's happened there, or what has or is happening in
openstack-land.

I would also think it would be great for tenants to be able to setup
connections into AWS, and even start up AWS instances via the
openstack API. :)

Thanks,
Curtis.

>
> Consensus is just treat each network island like another remote DC and
> use normal VPN type stuff to glue them together.
>
> ( nod to http://romana.io an interesting looking network and security
> automation project as a network agnostic alternative to SDN for
> managing cross cloud policy on whatever networks are available. )
>
> -Jon
>



-- 
Blog: serverascode.com



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Clint Byrum
Excerpts from Jonathan Proulx's message of 2016-10-03 13:52:42 -0400:
> 
> So my sense from responses so far:
> 
> No one is doing unified SDN solutions across clouds and no one really
> wants to.
> 
> Consensus is just treat each network island like another remote DC and
> use normal VPN type stuff to glue them together.
> 
> ( nod to http://romana.io an interesting looking network and security
> automation project as a network agnostic alternative to SDN for
> managing cross cloud policy on whatever networks are available. )
> 

Oh sorry, there are people taking the complex route to what you want..
sort of:

https://wiki.openstack.org/wiki/Tricircle



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Jonathan Proulx

So my sense from responses so far:

No one is doing unified SDN solutions across clouds and no one really
wants to.

Consensus is just treat each network island like another remote DC and
use normal VPN type stuff to glue them together.

( nod to http://romana.io an interesting looking network and security
automation project as a network agnostic alternative to SDN for
managing cross cloud policy on whatever networks are available. )

-Jon



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Silence Dogood
I think the best general way to view networking in cloud is WAN vs Cloud
Lan.

There's almost always an edge routing env for your cloud environments (
whether they be by region or by policy or by tim is an angry dude and you
don't touch his instances ).

Everything beyond that edge is a WAN problem and can be handled in fairly
traditional ways... of course that's oversimplifying things like BGP
passing into your cloud's lan env.  Or multihoming the edge router for that
cloud env to multiple networks ( god help you if there is spanning tree
involved ).

Honestly, I'd still use that demarcation though.  It helps split the issue
into manageable chunks.

-Matt

On Mon, Oct 3, 2016 at 11:59 AM, Chris Marino wrote:

> This can also be done with IPv4 addresses as well. Not quite the flexibility
> that comes with v6, but workable for all but the very largest environments.
>
> This is the approach that is embodied in the Romana (http://romana.io/)
> project (I am part of this effort).
>
> If you run all your OpenStack VMs on a 10/8 provider network, you can
> carve up the address space for projects, subnets, etc. You can NAT to your
> existing network, or push host routes to the VMs that need access (a
> feature that has not yet been implemented).
>
> CM
>
> On Mon, Oct 3, 2016 at 8:20 AM, Jonathan Proulx wrote:
>
>> On Sat, Oct 01, 2016 at 11:47:56AM -0600, Curtis wrote:
>> :On Fri, Sep 30, 2016 at 8:15 AM, Jonathan Proulx wrote:
>> :>
>> :> Starting to think refactoring my SDN world (currently just neutron
>> :> ml2/ovs inside OpenStack) in preparation for maybe finally lighting up
>> :> that second Region I've been threatening for the past year...
>> :>
>> :> Networking is always the hardest design challenge.  Has anyone seen my
>> :> unicorn?  I dream of something the first works with neutron of course
>> :> but also can extend the same network features to hardware outside
>> :> openstack and into random public cloud infrastructures through VM and/or
>> :> containerised gateways.  Also I don't want to hire a whole networking
>> :> team to run it.
>> :>
>> :> I'm fairly certain this is still fantasy though I've heard various
>> :> vendors promise the earth and stars but I'd love to hear if anyone is
>> :> actually getting close to this in production systems and if so what
>> :> your experience has been like.
>> :>
>> :
>> :Do you want to have tenants be able to connect their openstack
>> :networks to another public cloud's network using some kind of API? If
>> :so, what are your tenant networks? vlans? vxlan?
>>
>> Yes, I do want to have tenants be able to connect their openstack
>> networks to another public cloud's network using some kind of API.
>>
>> Since this is under consideration as part of a new region I haven't
>> implemented anything yet (current region is GRE but willing to cut
>> that off as 'legacy' especially as we're trying to wind down the DC it
>> lives in).  So at this point all possibilities are on the table.
>>
>> My main question is "is anyone actually doing this" with a follow up
>> of "if so how?"
>>
>> Thanks,
>> -Jon
>>
>> :Thanks,
>> :Curtis.
>> :
>> :> -Jon
>> :>
>> :> --
>> :>
>> :
>> :
>> :
>> :--
>> :Blog: serverascode.com
>>
>> --
>>


Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Chris Marino
This can also be done with IPv4 addresses as well. Not quite the flexibility
that comes with v6, but workable for all but the very largest environments.

This is the approach that is embodied in the Romana (http://romana.io/) project
(I am part of this effort).

If you run all your OpenStack VMs on a 10/8 provider network, you can carve
up the address space for projects, subnets, etc. You can NAT to your
existing network, or push host routes to the VMs that need access (a
feature that has not yet been implemented).

CM

On Mon, Oct 3, 2016 at 8:20 AM, Jonathan Proulx wrote:

> On Sat, Oct 01, 2016 at 11:47:56AM -0600, Curtis wrote:
> :On Fri, Sep 30, 2016 at 8:15 AM, Jonathan Proulx wrote:
> :>
> :> Starting to think refactoring my SDN world (currently just neutron
> :> ml2/ovs inside OpenStack) in preparation for maybe finally lighting up
> :> that second Region I've been threatening for the past year...
> :>
> :> Networking is always the hardest design challenge.  Has anyone seen my
> :> unicorn?  I dream of something the first works with neutron of course
> :> but also can extend the same network features to hardware outside
> :> openstack and into random public cloud infrastructures through VM and/or
> :> containerised gateways.  Also I don't want to hire a whole networking
> :> team to run it.
> :>
> :> I'm fairly certain this is still fantasy though I've heard various
> :> vendors promise the earth and stars but I'd love to hear if anyone is
> :> actually getting close to this in production systems and if so what
> :> your experience has been like.
> :>
> :
> :Do you want to have tenants be able to connect their openstack
> :networks to another public cloud's network using some kind of API? If
> :so, what are your tenant networks? vlans? vxlan?
>
> Yes, I do want to have tenants be able to connect their openstack
> networks to another public cloud's network using some kind of API.
>
> Since this is under consideration as part of a new region I haven't
> implemented anything yet (current region is GRE but willing to cut
> that off as 'legacy' especially as we're trying to wind down the DC it
> lives in).  So at this point all possibilities are on the table.
>
> My main question is "is anyone actually doing this" with a follow up
> of "if so how?"
>
> Thanks,
> -Jon
>
> :Thanks,
> :Curtis.
> :
> :> -Jon
> :>
> :> --
> :>
> :
> :
> :
> :--
> :Blog: serverascode.com
>
> --
>
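
The address carve-up described in the message above, sketched as an added example (not part of the original thread and not Romana's own code). The /16-per-project and /24-per-subnet layout, the reserved range and the project names are assumptions made for illustration.

```python
import ipaddress

# Assumed layout (illustrative, not Romana's real scheme): one /16 per
# project out of 10.0.0.0/8, and /24 subnets inside each project block.
PROVIDER_NET = ipaddress.ip_network("10.0.0.0/8")
PROJECT_PREFIXLEN = 16
SUBNET_PREFIXLEN = 24


class AddressPlan:
    """Carve a provider network into per-project blocks and subnets."""

    def __init__(self, provider=PROVIDER_NET, reserved=()):
        self.provider = provider
        # Ranges already used on the existing network; never handed out.
        self.reserved = [ipaddress.ip_network(r) for r in reserved]
        self._free_blocks = (
            block
            for block in provider.subnets(new_prefix=PROJECT_PREFIXLEN)
            if not any(block.overlaps(r) for r in self.reserved)
        )
        self.projects = {}       # project name -> its /16 block
        self.subnets = {}        # (project, subnet name) -> /24
        self._free_subnets = {}  # project name -> iterator of unused /24s

    def add_project(self, name):
        if name in self.projects:
            raise ValueError(f"project {name!r} already has a block")
        block = next(self._free_blocks, None)
        if block is None:
            raise RuntimeError("provider network exhausted")
        self.projects[name] = block
        self._free_subnets[name] = block.subnets(new_prefix=SUBNET_PREFIXLEN)
        return block

    def add_subnet(self, project, name):
        if (project, name) in self.subnets:
            raise ValueError(f"subnet {name!r} already exists in {project!r}")
        subnet = next(self._free_subnets[project], None)
        if subnet is None:
            raise RuntimeError(f"project {project!r} has no free subnets")
        self.subnets[(project, name)] = subnet
        return subnet

    def owner(self, addr):
        """Return the project whose block contains addr, or None."""
        ip = ipaddress.ip_address(addr)
        for name, block in self.projects.items():
            if ip in block:
                return name
        return None

    def allowed(self, src, dst):
        """Default deny: traffic passes only inside one project's block."""
        src_owner = self.owner(src)
        return src_owner is not None and src_owner == self.owner(dst)


def build_sample_plan():
    # Constructed sample: 10.0.0.0/15 stands in for the existing network.
    plan = AddressPlan(reserved=["10.0.0.0/15"])
    plan.add_project("alpha")
    plan.add_project("beta")
    plan.add_subnet("alpha", "web")
    plan.add_subnet("alpha", "db")
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    for (project, name), net in plan.subnets.items():
        print(project, name, net)
```

Because every project owns one contiguous prefix, cross-project isolation reduces to a prefix match on source and destination, which is what allowed() checks.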


Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Clint Byrum
Excerpts from Jonathan Proulx's message of 2016-10-03 11:16:03 -0400:
> On Sat, Oct 01, 2016 at 02:39:38PM -0700, Clint Byrum wrote:
> 
> :I know it's hard to believe, but this world was foretold long ago and
> :what you want requires no special equipment or changes to OpenStack,
> :just will-power.  You can achieve it now if you can use operating system
> :versions published in the last 5 or so years.
> :
> :The steps to do this:
> :
> :1) Fix your apps to work via IPv6
> :2) Fix your internal users to have v6 native
> :3) Attach your VMs and containers to a provider network with v6 subnets
> :4) Use IPSec and firewalls for critical isolation. (What we use L2
> :   separation for now)
> 
> That *is* hard to believe :) IPv6 has been coming soon since I started
> in tech a very long time ago ... 
> 
> I will consider that but I have a diverse set of users I don't
> control.  I *may* be able to apply pressure in the if you really need
> this then do the right thing, but I probably still want a v4 solution
> in my pocket.
> 

Treat v4 as an internet-only, insecure, extra service that one must ask
for. It's extremely easy, with OpenStack, to provide both if people want
it, and just let them choose. Those who choose v4 only will find they
can't do some things, and have a clear incentive to change.

It's not that v6 is coming. It's here, knocking on your door. But,
like a vampire, you still have to invite it in.



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-03 Thread Jonathan Proulx
On Sat, Oct 01, 2016 at 02:39:38PM -0700, Clint Byrum wrote:

:I know it's hard to believe, but this world was foretold long ago and
:what you want requires no special equipment or changes to OpenStack,
:just will-power.  You can achieve it now if you can use operating system
:versions published in the last 5 or so years.
:
:The steps to do this:
:
:1) Fix your apps to work via IPv6
:2) Fix your internal users to have v6 native
:3) Attach your VMs and containers to a provider network with v6 subnets
:4) Use IPSec and firewalls for critical isolation. (What we use L2
:   separation for now)

That *is* hard to believe :) IPv6 has been coming soon since I started
in tech a very long time ago ... 

I will consider that but I have a diverse set of users I don't
control.  I *may* be able to apply pressure in the if you really need
this then do the right thing, but I probably still want a v4 solution
in my pocket.

-Jon
 



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-01 Thread Clint Byrum
Excerpts from Jonathan Proulx's message of 2016-09-30 10:15:26 -0400:
> 
> Starting to think refactoring my SDN world (currently just neutron
> ml2/ovs inside OpenStack) in preparation for maybe finally lighting up
> that second Region I've been threatening for the past year...
> 
> Networking is always the hardest design challenge.  Has anyone seen my
> unicorn?  I dream of something the first works with neutron of course
> but also can extend the same network features to hardware outside
> openstack and into random public cloud infrastructures through VM and/or
> containerised gateways.  Also I don't want to hire a whole networking
> team to run it.
> 
> I'm fairly certain this is still fantasy though I've heard various
> vendors promise the earth and stars but I'd love to hear if anyone is
> actually getting close to this in production systems and if so what
> your experience has been like.
> 

I know it's hard to believe, but this world was foretold long ago and
what you want requires no special equipment or changes to OpenStack,
just will-power.  You can achieve it now if you can use operating system
versions published in the last 5 or so years.

The steps to do this:

1) Fix your apps to work via IPv6
2) Fix your internal users to have v6 native
3) Attach your VMs and containers to a provider network with v6 subnets
4) Use IPSec and firewalls for critical isolation. (What we use L2
   separation for now)

This is not complicated, but your SDN vendor probably doesn't want you
to know that. You can still attach v4 addresses to your edge endpoints
so they can talk to legacy stuff while you migrate. But the idea here
is, if you control both ends of a connection, there is no reason you
should still be using v4 except tradition.



Re: [Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-10-01 Thread Curtis
On Fri, Sep 30, 2016 at 8:15 AM, Jonathan Proulx wrote:
>
> Starting to think refactoring my SDN world (currently just neutron
> ml2/ovs inside OpenStack) in preparation for maybe finally lighting up
> that second Region I've been threatening for the past year...
>
> Networking is always the hardest design challenge.  Has anyone seen my
> unicorn?  I dream of something the first works with neutron of course
> but also can extend the same network features to hardware outside
> openstack and into random public cloud infrastructures through VM and/or
> containerised gateways.  Also I don't want to hire a whole networking
> team to run it.
>
> I'm fairly certain this is still fantasy though I've heard various
> vendors promise the earth and stars but I'd love to hear if anyone is
> actually getting close to this in production systems and if so what
> your experience has been like.
>

Do you want to have tenants be able to connect their openstack
networks to another public cloud's network using some kind of API? If
so, what are your tenant networks? vlans? vxlan?

Thanks,
Curtis.

> -Jon
>
> --
>



-- 
Blog: serverascode.com



[Openstack-operators] SDN for hybridcloud, does it *really* exist?

2016-09-30 Thread Jonathan Proulx

Starting to think refactoring my SDN world (currently just neutron
ml2/ovs inside OpenStack) in preparation for maybe finally lighting up
that second Region I've been threatening for the past year...

Networking is always the hardest design challenge.  Has anyone seen my
unicorn?  I dream of something the first works with neutron of course
but also can extend the same network features to hardware outside
openstack and into random public cloud infrastructures through VM and/or
containerised gateways.  Also I don't want to hire a whole networking
team to run it.

I'm fairly certain this is still fantasy though I've heard various
vendors promise the earth and stars but I'd love to hear if anyone is
actually getting close to this in production systems and if so what
your experience has been like.

-Jon

-- 
