Changes between Version 5 and Version 6 of GEC21Agenda/DeveloperRoundtable


Ignore:
Timestamp:
10/27/14 16:40:19 (9 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GEC21Agenda/DeveloperRoundtable

    v5 v6  
    3232
    3333== Session Summary ==
     34At the Developer's Roundtable, around 40 people had a lively
     35discussion on various issues of concern; we left with numerous action
     36items, and kept discussing some issues over lunch. Our conversation
     37covered Speaks For authorization, replacing the mesoscale, jFed, aggregate
     38authorization policies, and cross-slice stitching.
     39
     40Some highlights included:
     41 - The Speaks For signer tool supports optional authentication for tools that
     42 need it.
     43 - Max Ott described his slice service which exposes a REST API
     44 version of the AM API.
     45 - A large group including the operations community discussed replacing the mesoscale by enabling multipoint in aggregates, while we
     46 discuss how to do multipoint in the network between aggregates. The
     47 ExoGENI and InstaGENI teams agreed to pursue this.
     48 - Rob Ricci agreed to experiment with an aggregate authorization
     49 service implemented by Marshall Brinn to support cross-testbed
     50 federation policies.
     51 - We had an active discussion of how to enable cross-slice stitching,
     52 supporting a service in a slice or connecting two slices. This will
     53 involve specific requests and actions by the slices, with some
     54 details to be determined.
     55
     56=== Action items ===
     57==== Speaks For ====
     58 * Jon Duerig: Publish description of new authentication mechanism in speaks for signing tool.
     59 * Jon Duerig: Augment signing tool to more readily support changing users on shared workstations.
     60 * Community: Design how speaks for credentials can be delegated, and accepted by services.
     61
     62==== Replacing Mesoscale ====
     63 * Community: Define multipoint, what kind of multipoint in the network we want, and how we might accomplish this in AL2S or elsewhere.
     64 * Rob Ricci: Support a single stitched link connecting to multiple VMs within the aggregate.
     65 * Rob Ricci: Support the GENI !OpenFlow extension for requesting !OpenFlow control on a link.
     66 * Victor Orlikowski: Allow multiple GENI stitched links per slice per aggregate, whether !OpenFlow controlled or not.
     67 * Victor Orlikowski: Explore allowing specifying on a per link basis whether a link is !OpenFlow controlled
     68 * Xi Yang: Support Stitching Schema v2 at the SCS
     69
     70==== jFed & AM API v3 ====
     71 * Brecht Vermeulen / Rob Ricci: Resolve AM API v3 issues at ProtoGENI.
     72
     73==== Aggregate Authorization ====
     74 * GPO: Run the aggregate authorization XMLRPC service for ProtoGENI to experiment.
     75 * Rob Ricci: Call the XMLRPC authorization service to experiment, report results.
     76 * Jim Griffoen: Provide aggregate authorization use cases to !dev@geni.net.
     77
     78==== Cross-Slice Stitching ====
     79 * Rob Ricci, Victor Orlikowski: Review cross-slice stitching design and write up details of how it could be supported in InstaGENI andExoGENI. Circulate design on !dev@geni.net for community discussion and further design.
     80
     81==== Update & Misc Issues ====
     82 * Hussam Nasir: Test using `Allocate` to add a node to an existing slice at InstaGENI.
     83 * Paul Ruth: Explore expanding node groups from RSpecs and single node node groups.
     84 * Rob Ricci: Ensure `DeleteSliver` returns without blocking.
     85 * Aaron Helsinger: Plan future roundtable agendas in a public forum, providing sufficient discussion time.
     86
     87== Session details ==
     88Attendees included representatives of InstaGENI, ExoGENI, Internet2,
     89jFed, GENI Desktop, !LabWiki, NSF Cloud projects, regionals, and
     90experimenters.
     91
     92=== Speaks For ===
     93 - Rob Ricci and Jon Duerig introduced a new mechanism in the speaks
     94 for signing tool allowing tools to receive an authentication token,
     95 for those tools that don't have their own authentication or use OpenID.
     96 - Hussam Nasir described his experience converting GENI Desktop to
     97 using Speaks For. Common APIs and existing hosted tools
     98 helped. Hussam would like the signer tool to more readily support
     99 multiple users sharing a browser. He also noted that more end user
     100 documentation and education is required, particularly to deal with
     101 pop-ups.
     102 - Max Ott described the 'slice service', which exposes a REST API
     103 authorized using Speaks For for calling the AM API and Federation
     104 API. He has an object model using users, slice membership, slices,
     105 slivers and resources, and uses a state model based on jFed. !LabWiki
     106 and the 'slice service' are in fact two separate tools; they should
     107 get separate chained speaks for credentials to work correctly.
     108 As a
     109 group, we need to design how the user authorizes tool A that
     110 authorizes tool B, and then get aggregates to authorize based on that
     111 chain.
     112
     113=== Replacing the Mesoscale ===
     114==== Introduction ====
     115Tim Upthegrove introduced the problem: the mesoscale is going away,
     116and we still want to support complex topologies that may be !OpenFlow
     117controlled. For now, we would like to support something soon, while
     118allowing for future expansion to more complex
     119capabilities. Specifically,
     120 1. Enable multipoint at the aggregates; create stitched links to the
     121 aggregate, allowing multipoint topologies within the aggregate.
     122 2. Allow !OpenFlow control over stitched links plus any connected LAN
     123 within the aggregate.
     124 3. Allow future multipoint topologies in the network between
     125 aggregates.
     126
     127==== Multipoint in the Core ====
     128We then had a side discussion about what more complex topologies we
     129could create, what experimenters might want, what is supported by
     130AL2S, what multipoint actually means, what is safe, and what we
     131want.
     132
     133We considered whether experimenters might want or we might want to allow multipoint involving multiple point to point connections, and agreed that we didn't want to allow this without extra effort.
     134
     135We agreed that this is a critical discussion that deserves more
     136time; therefore, we should aim to complete the easy steps now while we
     137separately pursue this conversation.
     138
     139==== Multipoint in an Aggregate ====
     140For supporting stitching to a multipoint network in an aggregate that might be !OpenFlow controlled:
     141 - Xi Yang explained that the SCS today can group interfaces on a link into their aggregates, and determine that the link is point to point between aggregates.
     142 - We agreed that the representation therefore is accomplished with existing RSpecs - a link with multiple interfaces, and the existing stitching extension.
     143 - Rob Ricci agreed to try to implement this; it requires some changes to the 'mapper'.
     144 - Victor Orlikowski agreed to to remove the restriction to a single stitched link, but otherwise this may work already.
     145
     146==== !OpenFlow Control ====
     147For !OpenFlow controlling these links:
     148 - Victor and Paul Ruth say that currently all links at an aggregate
     149 in a slice need to be !OpenFlow controlled, or not; the switch is by
     150 slice not by link.
     151 - Rob agreed to change to using the standard GENI extension for
     152 marking a link as !OpenFlow.
     153 - Nick noted that there are limits in the switches on how many VLAN
     154 tags can be !OpenFlow controlled - we may need to explore how to
     155 expose this.
     156 - Jim Chen noted that calling a link non-!OpenFlow controlled really
     157 just means that the experimenter is not running the controller.
     158
     159=== jFed ===
     160Brecht Vermeulen described the latest on jFed (slides attached). jFed is a Java tool based on a library that supports AM API calls (v2
     161and v3), Federation API calls, connectivity testing, generating
     162RSpecs, and service debugging. jFed was used for tutorials at this
     163GEC, is used for monitoring status of aggregates as seen at
     164exogeni.net.
     165Brecht then conveyed their experiences using AM API v3. They found a
     166number of issues or surprises at the ProtoGENI implementation. Among
     167other things, they found that the RSpec parser is more strict, they
     168get some certificate errors intermittently, and found some returns
     169unreliable. jFed works around these issues with a number of of special
     170flags, which they track using an [https://flsmonitor.fed4fire.eu/testbeds.xml XML file of properties].
     171
     172=== Aggregate Authorization ===
     173Brecht motivated a need for aggregate local authorization policies
     174that support international federation, quotas, and scheduling. For
     175example, classes want resources to definitely be there, but we want to
     176avoid students reserving all resources long term.
     177Aaron Helsinger described an ABAC-based XMLRPC service that allows
     178federation and/or local aggregate policy covering whitelists and
     179blacklists, quotas, scheduling, rules based on different
     180clearinghouses and resource types. This service was built by Marshall
     181Brinn, and is supported by the GRAM software that underlies OpenGENI. Rob Ricci agreed to try this in
     182parallel within the XMLRPC service at ProtoGENI to see how it works.
     183
     184=== Cross-Slice Stitching ===
     185Paul Ruth's plenary showed a need for combining two slices. To run a
     186service in a slice, like Choice Net or other FIA architecture, or VTS,
     187requires connecting multiple slices. Today, that requires using shared
     188VLANs. Is there a better way?
     189
     190Nick Bastin argued that GENI should provide an incremental approach, that may
     191be unique to aggregate type. One slice tells the aggregate somehow
     192that it is open to connections, and the 'client' slice specifies the
     193slice it wants to connect to by URN.
     194
     195Rob Ricci suggested that the 'service' slice specifies a node where it
     196wants to receive connections. The AM probably requires a Perform
     197Operational Action command for specifying this connection point and
     198the desire to accept connections. Rob further suggested that this should
     199then modify the Aggregate's advertisement RSpec to now include this
     200'service node' as a node that other slices can request a connection
     201to. This would require an RSpec extension to specify
     202fully the type of the node and the owning slice. Rob explained that in
     203InstaGENI, this would be accomplished with a trunked interface on the
     204node - so would need to be requested at reservation time.
     205
     206Paul Ruth noted that in ExoGENI, they can add interfaces dynamically,
     207and so could add these at runtime, one per client connection. In
     208ExoGENI, they would use 'stitch ports', as they do for other
     209things. So in ExoGENI: nothing is strictly required at creation time,
     210a POA opens the slice for connections and adds the service slice node
     211to the Ad. When a client wants a connection, they stitch to the
     212aggregate, and the aggregate adds an interface to the service node,
     213allowing the service to distinguish traffic by interface.
     214In InstaGENI, the initial reservation request by the service slice
     215must specify that a service slice is
     216desired, to get a trunked port. The POA requests adding the service
     217node to the Ad RSpec. When a client requests a connection with a link
     218to the service slice node, the aggregate adds a new VLAN tag of
     219traffic on that interface.
     220
     221We then discussed authorization. Because the node you are sharing may
     222be iSCSI device for example, we want the aggregate to provide some level of
     223authorization. We agreed that this would just be an additional
     224credential in the createsliver request by the client slice; presumably
     225this credential would be signed by the owner of the service slice,
     226binding the service and client slices together in some way - or
     227something similar. However, this authorization step is not required
     228for an initial implementation.
     229
     230=== Update AM API call ===
     231We then briefly discussed updating an existing slice. Specifically,
     232GENI Desktop would like to be able to add a node - even one without a
     233link. Jon Duerig noted that at InstaGENI, `Allocate` permits this
     234now. Paul Ruth noted that you can increase the size of an ExoGENI node
     235group, but not yet from RSpecs and the GENI AM API.
     236
     237Finally, over lunch we had an information discussion on the
     238conference. We agreed that the Roundtable was a success, but
     239rushed. We also agreed to try to plan the agenda for the roundtable in
     240a more public way in future, and to try to extract clear action items
     241and agreements. We briefly discussed a desire for InstaGENI to
     242speed up booting of Xen VMs, though it may not be possible, and to
     243ensure `DeleteSliver` returns without blocking.