Changes between Version 11 and Version 12 of OpenFlow/FOAM


Timestamp:
02/14/12 13:03:53 (8 years ago)
Author:
Josh Smift
Comment:

--

  • OpenFlow/FOAM

    v11 v12  
    3939If you allocate a shared resource that connects to an !OpenFlow aggregate (e.g. a MyPLC plnode or ProtoGENI host), you'll typically also need to reserve some !OpenFlow resources. When you do this, your reservation request may be held for approval, and a local FOAM admin needs to approve your request before your sliver actually becomes live. You should get e-mail from FOAM when your sliver is created, and another message when it's been approved; if you don't hear back, you may be able to reach a FOAM admin by replying to that message.
    4040
    41 Note that you don't need to send a separate email to the administrator, like you did for Expedient, FOAM
    42 will automatically send the email to the administrator of FOAM. Make sure that you also provide a '''valid
    43 email address''' in your rspec so that you can get the notifications about status changes of your !OpenFlow sliver.   
     41Note that you don't need to send a separate email to the administrator, like you did for Expedient, FOAM will automatically send the email to the administrator of FOAM. Make sure that you also provide a '''valid email address''' in your rspec so that you can get the notifications about status changes of your !OpenFlow sliver.   
    4442
    4543If you're setting up a multi-campus topology, note that your sliver will need to be approved separately at each FOAM aggregate.
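
Review bot: the reflowed note at v12 line 41 is still a comma splice ("like you did for Expedient, FOAM will automatically send the email") and keeps trailing whitespace after "sliver.". Since the paragraph is being touched anyway, split it into two sentences and drop "of FOAM" after "the administrator", which repeats the subject.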
     
    6967
    7068We don't currently think that there's a valid use case for an experimenter wanting to specify a match at one layer without specifying the protocol at a lower layer, but will amend this advisory if we encounter one.
     69
     70== Sliver approval workflow ==
     71
     72This section describes our workflow for approving slivers at BBN.
     73
     74FOAM sends e-mail about new slivers to the FOAM admin e-mail address that you configured when you set up FOAM. If further communication about a sliver request is needed, we copy that address on the e-mail, so that everyone will see it. We also send mail to to that address when we approve or reject the sliver (or if we review the request and we're not sure whether to approve or reject it), so everyone knows who did it.
     75
     76Using the commands below, decide whether to approve it:
     77
     78 * Get a list of pending slivers, and look for the new sliver in that list.
     79 * Get the sliver URN from the slicename.
     80 * Show the sliver's basic info, to confirm that we've got the right sliver URN:
     81   * Verify that the email field is valid, so that we and FOAM can contact the experimenter later about the sliver.
     82 * Show the sliver's rspec, to confirm that it matches the owner's description of what they're asking for:
     83   * Public information about common requests is on [ggw:GeniAggregate/GpoLabOpenFlow the GPO Lab OpenFlow aggregate info page].
     84   * For more complicated requests:
     85     * Look up the DPID in our inventory and find out what switch/VLAN it is.
     86     * Look up the hosts the experimenter asked for in our inventory, and make sure the ports the experimenter requested make sense.
     87 * Show the sliver's flowspace, and confirm that it matches the rspec, and doesn't contain anything dangerous, such as:
     88   * Look for flowspace rules that match '''any''' packet -- the third field in each rule -- as these might indicate a subtle error in the rspec.
     89   * Check to make sure the rspec and flowspace don't include multiple cross-connects, unless the experimenter has convinced us that they understand the risks and will be careful.
     90   * Check to make sure the rspec and flowspace don't include I2 plnodes (ganel, gardil, sardis) and NLR VLANs/cross-connects, or NLR plnodes (bain, navis) and I2 VLANs/cross-connects.
     91
     92If we conclude that the sliver is ok, approve it:
     93
     94{{{
     95foamctl approve-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     96}}}
     97
     98If we conclude that we should definitely not approve the sliver, reject it:
     99
     100{{{
     101foamctl reject-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     102}}}
     103
     104If we're not sure, do nothing, which will leave the sliver as Pending while we get more information.
     105
     106Regardless, send e-mail to the admin address saying what we did, so everyone's in the loop. (One convenient way is to reply to the notification message about the sliver.)
     107
     108== Managing FOAM slivers ==
     109
     110https://openflow.stanford.edu/display/FOAM/foamctl+Guide is the official guide to foamctl, and describes in detail everything that it can do. Here are some specific commands that we've found useful for performing common tasks.
     111
     112These commands all assume that you're running them on the FOAM server, and that you have a file /opt/foam/etc/foampasswd, containing the FOAM admin password.
     113
     114=== Get a list of slivers ===
     115
     116Pending ones:
     117
     118{{{
     119foamctl list-slivers -s Pending --passwd-file=/opt/foam/etc/foampasswd
     120}}}
     121
     122All active ones:
     123
     124{{{
     125foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd
     126}}}
     127
     128Either of these will give you a sliver URN; if you do
     129
     130{{{
     131sliver_urn=urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbsstghosts:678fc69b-76e1-4a50-9fb2-ab5c4a5298d6
     132}}}
     133
     134(with the actual URN of course), the rest of these commands will then work as-is.
     135
     136Deleted ones:
     137
     138{{{
     139foamctl list-slivers -d --passwd-file=/opt/foam/etc/foampasswd
     140}}}
     141
     142=== Find a sliver from a slice name ===
     143
     144If you know a user's slice name, you can grep for it:
     145
     146{{{
     147foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+exampleslice
     148}}}
     149
     150You can use this to get a sliver URN and/or an FV slice name from a GENI slice name, assigned to $sliver_urn and $flowvisor_slice:
     151
     152{{{
     153slicename=exampleslice ; sliver_urn=$(foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+$slicename | sed -e 's/ *"sliver_urn": "\(.*\)".*/\1/') ; flowvisor_slice=$(echo $sliver_urn | awk -F : '{print $NF}')
     154}}}
     155
     156The rest of these commands assume that you've used that (or something similar) to set $sliver_urn.
     157
     158=== Show a sliver's basic info ===
     159
     160{{{
     161foamctl show-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     162}}}
     163
     164=== Show a sliver's rspec ===
     165
     166{{{
     167foamctl show-sliver -r -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     168}}}
     169
     170=== Show a sliver's flowspec ===
     171
     172{{{
     173foamctl show-sliver -s -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     174}}}
     175
     176=== Show a sliver's flowspace ===
     177
     178{{{
     179foamctl show-sliver -f -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     180}}}
     181
     182=== Approve a sliver ===
     183
     184This marks a sliver in FOAM as Approved, and adds a FV slice and flowspace rules for it to the !FlowVisor.
     185
     186{{{
     187foamctl approve-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     188}}}
     189
     190=== Disable a sliver ===
     191
     192This marks a sliver in FOAM as Pending, and removes a FV slice and flowspace rules for it from the !FlowVisor.
     193
     194{{{
     195foamctl disable-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     196}}}
     197
     198=== Reject a sliver ===
     199
     200This marks a sliver in FOAM as Rejected, and removes a FV slice and flowspace rules for it from the !FlowVisor.
     201
     202{{{
     203foamctl reject-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     204}}}
     205
     206=== Delete a sliver ===
     207
     208This disables a sliver, and marks it as deleted, just like the GENI AM API !DeleteSliver call.
     209
     210{{{
     211foamctl delete-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
     212}}}
     213
     214You should generally only do this with the experimenter's permission, and if the experimenter can't delete their own sliver for some reason, so they're not confused about where their sliver went. (If you disable or reject it, they can still see it; if you delete it, it's essentially gone forever from their point of view.)
     215
     216== Slice Authority trust configuration ==
     217
     218You may want to configure FOAM to trust user certificates signed by additional Slice Authorities. To do that, install the CA cert for the Slice Authority in a file in /opt/foam/etc/gcf-ca-certs, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:
     219
     220{{{
     221sudo foamctl bundle-certs
     222sudo service foam restart
     223sudo service nginx restart
     224}}}
     225
     226In particular, GENI mesoscale deployments should trust the pgeni.gpolab.bbn.com SA; the official FOAM installation guide includes this step, or you can get the cert from http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem if you need it.
    71227
    72228== Switching from Expedient to FOAM ==
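
Review bot: the lookup one-liner at v12 line 153 can set $sliver_urn to the wrong sliver, or to several at once, because `egrep sliver_urn.+$slicename` is an unanchored and unquoted match: exampleslice also matches a slice named exampleslice2, and the "Get the sliver URN from the slicename" step of the approval workflow at line 79 depends on this command. Anchor the pattern on the `+slice+` prefix and on the `:` that follows the slice name in the URN, quote "$slicename" and "$sliver_urn" wherever they are used, and tell the reader to confirm that exactly one URN came back before running approve-sliver. In the trust section, line 226 points at the CA cert over plain http; that file becomes a trust anchor for user certificates, so add a step to verify its fingerprint out of band before running `foamctl bundle-certs`. Line 74 also has a doubled word: "send mail to to that address".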
     
    115271
    116272If you encounter any bugs, or have improvement or feature requests, https://openflow.stanford.edu/bugs/browse/FOAM is the JIRA issue tracker for FOAM. (There's also one for !FlowVisor, and other Stanford !OpenFlow projects.)
    117 
    118 == Managing FOAM slivers ==
    119 
    120 https://openflow.stanford.edu/display/FOAM/foamctl+Guide is the official guide to foamctl, and describes in detail everything that it can do. Here are some specific commands that we've found useful for performing common tasks.
    121 
    122 These commands all assume that you're running them on the FOAM server, and that you have a file /opt/foam/etc/foampasswd, containing the FOAM admin password.
    123 
    124 === Get a list of slivers ===
    125 
    126 Pending ones:
    127 
    128 {{{
    129 foamctl list-slivers -s Pending --passwd-file=/opt/foam/etc/foampasswd
    130 }}}
    131 
    132 All active ones:
    133 
    134 {{{
    135 foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd
    136 }}}
    137 
    138 Either of these will give you a sliver URN; if you do
    139 
    140 {{{
    141 sliver_urn=urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbsstghosts:678fc69b-76e1-4a50-9fb2-ab5c4a5298d6
    142 }}}
    143 
    144 (with the actual URN of course), the rest of these commands will then work as-is.
    145 
    146 Deleted ones:
    147 
    148 {{{
    149 foamctl list-slivers -d --passwd-file=/opt/foam/etc/foampasswd
    150 }}}
    151 
    152 === Find a sliver from a slice name ===
    153 
    154 If you know a user's slice name, you can grep for it:
    155 
    156 {{{
    157 foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+exampleslice
    158 }}}
    159 
    160 You can use this to get a sliver URN and/or an FV slice name from a GENI slice name, assigned to $sliver_urn and $flowvisor_slice:
    161 
    162 {{{
    163 slicename=exampleslice ; sliver_urn=$(foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+$slicename | sed -e 's/ *"sliver_urn": "\(.*\)".*/\1/') ; flowvisor_slice=$(echo $sliver_urn | awk -F : '{print $NF}')
    164 }}}
    165 
    166 The rest of these commands assume that you've used that (or something similar) to set $sliver_urn.
    167 
    168 === Show a sliver's basic info ===
    169 
    170 {{{
    171 foamctl show-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    172 }}}
    173 
    174 === Show a sliver's rspec ===
    175 
    176 {{{
    177 foamctl show-sliver -r -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    178 }}}
    179 
    180 === Show a sliver's flowspec ===
    181 
    182 {{{
    183 foamctl show-sliver -s -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    184 }}}
    185 
    186 === Show a sliver's flowspace ===
    187 
    188 {{{
    189 foamctl show-sliver -f -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    190 }}}
    191 
    192 === Approve a sliver ===
    193 
    194 This marks a sliver in FOAM as Approved, and adds a FV slice and flowspace rules for it to the !FlowVisor.
    195 
    196 {{{
    197 foamctl approve-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    198 }}}
    199 
    200 === Disable a sliver ===
    201 
    202 This marks a sliver in FOAM as Pending, and removes a FV slice and flowspace rules for it from the !FlowVisor.
    203 
    204 {{{
    205 foamctl disable-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    206 }}}
    207 
    208 === Reject a sliver ===
    209 
    210 This marks a sliver in FOAM as Rejected, and removes a FV slice and flowspace rules for it from the !FlowVisor.
    211 
    212 {{{
    213 foamctl reject-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    214 }}}
    215 
    216 === Delete a sliver ===
    217 
    218 This disables a sliver, and marks it as deleted, just like the GENI AM API !DeleteSliver call.
    219 
    220 {{{
    221 foamctl delete-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd
    222 }}}
    223 
    224 You should generally only do this with the experimenter's permission, and if the experimenter can't delete their own sliver for some reason, so they're not confused about where their sliver went. (If you disable or reject it, they can still see it; if you delete it, it's essentially gone forever from their point of view.)
    225273
    226274== Moving orphaned Expedient-created FV slices to FOAM slivers ==
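
Review bot: the change comment is only "--", yet this removal (v11 lines 118-224) and the one at v11 lines 316-326 are moves: the same text reappears unchanged at v12 lines 108-226. Say in the comment that both sections were relocated without edits and that "Sliver approval workflow" is the only new text, so someone reading the page history does not have to compare the blocks by hand.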
     
    313361
    314362And voila.
    315 
    316 == Slice Authority trust configuration ==
    317 
    318 You may want to configure FOAM to trust user certificates signed by additional Slice Authorities. To do that, install the CA cert for the Slice Authority in a file in /opt/foam/etc/gcf-ca-certs, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:
    319 
    320 {{{
    321 sudo foamctl bundle-certs
    322 sudo service foam restart
    323 sudo service nginx restart
    324 }}}
    325 
    326 In particular, GENI mesoscale deployments should trust the pgeni.gpolab.bbn.com SA; the official FOAM installation guide includes this step, or you can get the cert from http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem if you need it.