At the Developer's Roundtable, around 40 people had a lively discussion on various issues of concern; we left with numerous action items, and kept discussing some issues over lunch. Our conversation covered Speaks For authorization, replacing the mesoscale, jFed, aggregate authorization policies, and cross-slice stitching.

Some highlights included:
- The Speaks For signer tool supports optional authentication for tools that need it.
- Max Ott described his slice service, which exposes a REST API version of the AM API.
- A large group including the operations community discussed replacing the mesoscale by enabling multipoint in aggregates, while we discuss how to do multipoint in the network between aggregates. The ExoGENI and InstaGENI teams agreed to pursue this.
- Rob Ricci agreed to experiment with an aggregate authorization service implemented by Marshall Brinn to support cross-testbed federation policies.
- We had an active discussion of how to enable cross-slice stitching, supporting a service in a slice or connecting two slices. This will involve specific requests and actions by the slices, with some details to be determined.

=== Action items ===
==== Speaks For ====
* Jon Duerig: Publish a description of the new authentication mechanism in the speaks for signing tool.
* Jon Duerig: Augment the signing tool to more readily support changing users on shared workstations.
* Community: Design how speaks for credentials can be delegated, and accepted by services.

==== Replacing Mesoscale ====
* Community: Define multipoint, what kind of multipoint in the network we want, and how we might accomplish this in AL2S or elsewhere.
* Rob Ricci: Support a single stitched link connecting to multiple VMs within the aggregate.
* Rob Ricci: Support the GENI !OpenFlow extension for requesting !OpenFlow control on a link.
* Victor Orlikowski: Allow multiple GENI stitched links per slice per aggregate, whether !OpenFlow controlled or not.
* Victor Orlikowski: Explore allowing specifying on a per-link basis whether a link is !OpenFlow controlled.
* Xi Yang: Support Stitching Schema v2 at the SCS.

==== jFed & AM API v3 ====
* Brecht Vermeulen / Rob Ricci: Resolve AM API v3 issues at ProtoGENI.

==== Aggregate Authorization ====
* GPO: Run the aggregate authorization XMLRPC service for ProtoGENI to experiment with.
* Rob Ricci: Call the XMLRPC authorization service to experiment, and report results.
* Jim Griffioen: Provide aggregate authorization use cases to !dev@geni.net.

==== Cross-Slice Stitching ====
* Rob Ricci, Victor Orlikowski: Review the cross-slice stitching design and write up details of how it could be supported in InstaGENI and ExoGENI. Circulate the design on !dev@geni.net for community discussion and further design.

==== Update & Misc Issues ====
* Hussam Nasir: Test using `Allocate` to add a node to an existing slice at InstaGENI.
* Paul Ruth: Explore expanding node groups from RSpecs and single-node node groups.
* Rob Ricci: Ensure `DeleteSliver` returns without blocking.
* Aaron Helsinger: Plan future roundtable agendas in a public forum, providing sufficient discussion time.

== Session details ==
Attendees included representatives of InstaGENI, ExoGENI, Internet2, jFed, GENI Desktop, !LabWiki, NSF Cloud projects, regionals, and experimenters.

=== Speaks For ===
- Rob Ricci and Jon Duerig introduced a new mechanism in the speaks for signing tool allowing tools to receive an authentication token, for those tools that don't have their own authentication or use OpenID.
- Hussam Nasir described his experience converting GENI Desktop to using Speaks For. Common APIs and existing hosted tools helped. Hussam would like the signer tool to more readily support multiple users sharing a browser. He also noted that more end user documentation and education is required, particularly to deal with pop-ups.
- Max Ott described the 'slice service', which exposes a REST API, authorized using Speaks For, for calling the AM API and Federation API. He has an object model using users, slice membership, slices, slivers and resources, and uses a state model based on jFed. !LabWiki and the 'slice service' are in fact two separate tools; they should get separate chained speaks for credentials to work correctly. As a group, we need to design how the user authorizes tool A that authorizes tool B, and then get aggregates to authorize based on that chain.

=== Replacing the Mesoscale ===
==== Introduction ====
Tim Upthegrove introduced the problem: the mesoscale is going away, and we still want to support complex topologies that may be !OpenFlow controlled. For now, we would like to support something soon, while allowing for future expansion to more complex capabilities. Specifically,
1. Enable multipoint at the aggregates; create stitched links to the aggregate, allowing multipoint topologies within the aggregate.
2. Allow !OpenFlow control over stitched links plus any connected LAN within the aggregate.
3. Allow future multipoint topologies in the network between aggregates.

==== Multipoint in the Core ====
We then had a side discussion about what more complex topologies we could create, what experimenters might want, what is supported by AL2S, what multipoint actually means, what is safe, and what we want.

We considered whether experimenters might want, or we might want to allow, multipoint involving multiple point-to-point connections, and agreed that we didn't want to allow this without extra effort.

We agreed that this is a critical discussion that deserves more time; therefore, we should aim to complete the easy steps now while we separately pursue this conversation.

==== Multipoint in an Aggregate ====
For supporting stitching to a multipoint network in an aggregate that might be !OpenFlow controlled:
- Xi Yang explained that the SCS today can group interfaces on a link into their aggregates, and determine that the link is point to point between aggregates.
- We agreed that the representation therefore is accomplished with existing RSpecs - a link with multiple interfaces, and the existing stitching extension.
- Rob Ricci agreed to try to implement this; it requires some changes to the 'mapper'.
- Victor Orlikowski agreed to remove the restriction to a single stitched link, but otherwise this may work already.

==== !OpenFlow Control ====
For !OpenFlow controlling these links:
- Victor and Paul Ruth say that currently all links at an aggregate in a slice need to be !OpenFlow controlled, or not; the switch is by slice, not by link.
- Rob agreed to change to using the standard GENI extension for marking a link as !OpenFlow.
- Nick noted that there are limits in the switches on how many VLAN tags can be !OpenFlow controlled - we may need to explore how to expose this.
- Jim Chen noted that calling a link non-!OpenFlow controlled really just means that the experimenter is not running the controller.

=== jFed ===
Brecht Vermeulen described the latest on jFed (slides attached). jFed is a Java tool based on a library that supports AM API calls (v2 and v3), Federation API calls, connectivity testing, generating RSpecs, and service debugging. jFed was used for tutorials at this GEC, and is used for monitoring the status of aggregates as seen at exogeni.net.

Brecht then conveyed their experiences using AM API v3. They found a number of issues or surprises at the ProtoGENI implementation. Among other things, they found that the RSpec parser is more strict, they get some certificate errors intermittently, and found some returns unreliable. jFed works around these issues with a number of special flags, which they track using an [https://flsmonitor.fed4fire.eu/testbeds.xml XML file of properties].

=== Aggregate Authorization ===
Brecht motivated a need for aggregate local authorization policies that support international federation, quotas, and scheduling. For example, classes want resources to definitely be there, but we want to avoid students reserving all resources long term.

Aaron Helsinger described an ABAC-based XMLRPC service that allows federation and/or local aggregate policy covering whitelists and blacklists, quotas, scheduling, and rules based on different clearinghouses and resource types. This service was built by Marshall Brinn, and is supported by the GRAM software that underlies OpenGENI. Rob Ricci agreed to try this in parallel within the XMLRPC service at ProtoGENI to see how it works.

=== Cross-Slice Stitching ===
Paul Ruth's plenary showed a need for combining two slices. To run a service in a slice, like Choice Net or other FIA architectures, or VTS, requires connecting multiple slices. Today, that requires using shared VLANs. Is there a better way?

Nick Bastin argued that GENI should provide an incremental approach that may be unique to aggregate type. One slice tells the aggregate somehow that it is open to connections, and the 'client' slice specifies the slice it wants to connect to by URN.

Rob Ricci suggested that the 'service' slice specifies a node where it wants to receive connections. The AM probably requires a Perform Operational Action command for specifying this connection point and the desire to accept connections. Rob further suggested that this should then modify the aggregate's advertisement RSpec to now include this 'service node' as a node that other slices can request a connection to. This would require an RSpec extension to fully specify the type of the node and the owning slice. Rob explained that in InstaGENI, this would be accomplished with a trunked interface on the node - so it would need to be requested at reservation time.

Paul Ruth noted that in ExoGENI, they can add interfaces dynamically, and so could add these at runtime, one per client connection. In ExoGENI, they would use 'stitch ports', as they do for other things. So in ExoGENI: nothing is strictly required at creation time; a POA opens the slice for connections and adds the service slice node to the Ad. When a client wants a connection, they stitch to the aggregate, and the aggregate adds an interface to the service node, allowing the service to distinguish traffic by interface.

In InstaGENI, the initial reservation request by the service slice must specify that a service slice is desired, to get a trunked port. The POA requests adding the service node to the Ad RSpec. When a client requests a connection with a link to the service slice node, the aggregate adds a new VLAN tag of traffic on that interface.

We then discussed authorization. Because the node you are sharing may be an iSCSI device, for example, we want the aggregate to provide some level of authorization. We agreed that this would just be an additional credential in the createsliver request by the client slice; presumably this credential would be signed by the owner of the service slice, binding the service and client slices together in some way - or something similar. However, this authorization step is not required for an initial implementation.

=== Update AM API call ===
We then briefly discussed updating an existing slice. Specifically, GENI Desktop would like to be able to add a node - even one without a link. Jon Duerig noted that at InstaGENI, `Allocate` permits this now. Paul Ruth noted that you can increase the size of an ExoGENI node group, but not yet from RSpecs and the GENI AM API.

Finally, over lunch we had an informal discussion on the conference. We agreed that the Roundtable was a success, but rushed. We also agreed to try to plan the agenda for the roundtable in a more public way in future, and to try to extract clear action items and agreements. We briefly discussed a desire for InstaGENI to speed up booting of Xen VMs, though it may not be possible, and to ensure `DeleteSliver` returns without blocking.