wiki:OpenFlow/FOAM

Version 1 (modified by Josh Smift, 8 years ago)

OpenFlow aggregates in GENI are migrating to FOAM from Expedient.

Info for experimenters

The following sections are mostly of interest to GENI experimenters.

Getting your sliver approved

If you allocate a shared resource that connects to an OpenFlow aggregate (e.g. a MyPLC plnode or ProtoGENI host), you'll typically also need to reserve some OpenFlow resources. When you do this, your reservation request may be held for approval, and a local FOAM admin needs to approve your request before your sliver actually becomes live. The FOAM admin isn't (yet) notified of your request, so you'll usually want to contact them to ask them to opt in your sliver.

If you're setting up a multi-campus topology, we recommend writing to response-team@geni.net, which will reach all of the campus FOAM admins (as well as other GENI resource admins), so everyone will know what you're doing.

If you only need to create a sliver at one site, here's a list of FOAM aggregates, and contact info for the admins:

OpenFlow Aggregate info page    FOAM admin
Clemson                         openflow_help-L@clemson.edu
Georgia Tech                    Russ.Clark@gatech.edu
GPO Lab                         gpo-infra@geni.net
Indiana                         meylor@grnoc.iu.edu
Rutgers                         seskar@winlab.rutgers.edu
Stanford                        deployment-help@openflowswitch.org
Washington                      balkan@cs.washington.edu
Wisconsin                       agember@cs.wisc.edu
Internet2                       geni-openflow@internet2.edu
NLR                             openflow@nlr.net

Info for admins

The following sections are mostly of interest to FOAM admins.

Moving orphaned Expedient-created FV slices to FOAM slivers

If you've shut down Expedient and brought up FOAM, you may have FlowVisor slices that were created by Expedient, which are now essentially orphaned. For each of those FV slices, its owner should create an OpenFlow v3 rspec (the format FOAM uses), and create a new sliver in FOAM. You can then verify that the new sliver looks right, manually delete their old sliver, and approve the new one.

Here's an example of migrating the jbs15 and jbs16 slivers at BBN.

Check to see that the new slivers are there in FOAM, awaiting approval:

+$ foamctl list-slivers -s Pending --passwd-file=/opt/foam/etc/foampasswd
{
 "slivers": [
  {
   "status": "Pending", 
   "flowvisor_slice": "8d32974c-5a1b-4ebf-8c5f-097c9c64cf8d", 
   "deleted": "False", 
   "slice_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs15", 
   "enabled": false, 
   "id": 1, 
   "expiration": "2011-10-19 02:56:32.798032", 
   "sliver_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs15:8d32974c-5a1b-4ebf-8c5f-097c9c64cf8d", 
   "email": "jbs@bbn.com", 
   "desc": "The controller on naxos:33015, for jbs15."
  }, 
  {
   "status": "Pending", 
   "flowvisor_slice": "d82dae58-5de5-4caa-b458-46ee130462d0", 
   "deleted": "False", 
   "slice_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs16", 
   "enabled": false, 
   "id": 2, 
   "expiration": "2011-10-19 02:56:51.263455", 
   "sliver_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs16:d82dae58-5de5-4caa-b458-46ee130462d0", 
   "email": "jbs@bbn.com", 
   "desc": "The controller on naxos:33016, for jbs16."
  }
 ]
}

Identify the Expedient-created FV slices:

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd listSlices | grep jbs15
Slice 8: jbs15-naxos-33015_ID__tulum_gpolab_bbn_com_133

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd getSliceInfo jbs15-naxos-33015_ID__tulum_gpolab_bbn_com_133
Got reply:
connection_2=06:d6:00:24:a8:c4:b9:00-->/192.1.249.23:45621-->naxos.gpolab.bbn.com/192.1.249.133:33015
connection_1=06:d6:00:12:e2:b8:a5:d0-->/192.1.249.23:45563-->naxos.gpolab.bbn.com/192.1.249.133:33015
contact_email=jbs@bbn.com
controller_hostname=naxos.gpolab.bbn.com
controller_port=33015
creator=fvadmin

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd listSlices | grep jbs16
Slice 16: jbs16-naxos-33016_ID__tulum_gpolab_bbn_com_106

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd getSliceInfo jbs16-naxos-33016_ID__tulum_gpolab_bbn_com_106
Got reply:
connection_2=06:d6:00:24:a8:c4:b9:00-->/192.1.249.23:36076-->naxos.gpolab.bbn.com/192.1.249.133:33016
connection_1=06:d6:00:12:e2:b8:a5:d0-->/192.1.249.23:36018-->naxos.gpolab.bbn.com/192.1.249.133:33016
contact_email=jbs@bbn.com
controller_hostname=naxos.gpolab.bbn.com
controller_port=33016
creator=fvadmin

Delete those:

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd deleteSlice jbs16-naxos-33016_ID__tulum_gpolab_bbn_com_106
success!

+$ fvctl --passwd-file=/etc/flowvisor/fvpasswd deleteSlice jbs15-naxos-33015_ID__tulum_gpolab_bbn_com_133
success!

Approve the new FOAM slivers:

+$ slicename=jbs15 ; sliver_urn=$(foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+$slicename | sed -e 's/ *"sliver_urn": "\(.*\)".*/\1/') ; flowvisor_slice=$(echo $sliver_urn | awk -F : '{print $NF}')
+$ foamctl approve-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd

+$ slicename=jbs16 ; sliver_urn=$(foamctl list-slivers --passwd-file=/opt/foam/etc/foampasswd | egrep sliver_urn.+$slicename | sed -e 's/ *"sliver_urn": "\(.*\)".*/\1/') ; flowvisor_slice=$(echo $sliver_urn | awk -F : '{print $NF}')
+$ foamctl approve-sliver -u $sliver_urn --passwd-file=/opt/foam/etc/foampasswd

And voila.
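
The "verify that the new sliver looks right" step can be scripted before anything is deleted or approved. The following is an added example, not part of the original page or of FOAM: it selects a sliver by exact slice name (the egrep pattern in the one-liners above matches substrings, so "jbs1" would also hit jbs15 and jbs16) and compares it with the old FlowVisor slice. The function names are hypothetical, the sample input is constructed from the outputs shown above, and the timestamp comparison assumes both times are in the same zone.

```python
import json
from datetime import datetime

# Constructed sample input: fields copied from the outputs shown above, trimmed.
FOAM_JSON = """{"slivers": [
 {"status": "Pending", "email": "jbs@bbn.com",
  "flowvisor_slice": "8d32974c-5a1b-4ebf-8c5f-097c9c64cf8d",
  "slice_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs15",
  "sliver_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs15:8d32974c-5a1b-4ebf-8c5f-097c9c64cf8d",
  "expiration": "2011-10-19 02:56:32.798032"},
 {"status": "Pending", "email": "jbs@bbn.com",
  "flowvisor_slice": "d82dae58-5de5-4caa-b458-46ee130462d0",
  "slice_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs16",
  "sliver_urn": "urn:publicid:IDN+pgeni.gpolab.bbn.com+slice+jbs16:d82dae58-5de5-4caa-b458-46ee130462d0",
  "expiration": "2011-10-19 02:56:51.263455"}]}"""
FV_INFO = """Got reply:
contact_email=jbs@bbn.com
controller_hostname=naxos.gpolab.bbn.com
controller_port=33015
creator=fvadmin"""


def parse_fv_info(text):
    """Parse the key=value lines of `fvctl getSliceInfo` output into a dict."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l)


def find_sliver(foam_json, slicename):
    """Return the one sliver whose slice name equals slicename exactly."""
    hits = [s for s in json.loads(foam_json)["slivers"]
            if s["slice_urn"].rsplit("+slice+", 1)[-1] == slicename]
    if len(hits) != 1:
        raise LookupError("%d slivers match %r" % (len(hits), slicename))
    return hits[0]


def approval_problems(sliver, fv_info, now):
    """List reasons not to approve; an empty list means the sliver looks right."""
    problems = []
    if sliver["status"] != "Pending":
        problems.append("status is %s, not Pending" % sliver["status"])
    # In the sample output, sliver_urn is slice_urn + ":" + flowvisor_slice.
    if sliver["sliver_urn"] != sliver["slice_urn"] + ":" + sliver["flowvisor_slice"]:
        problems.append("sliver_urn is not slice_urn:flowvisor_slice")
    if sliver["email"].lower() != fv_info.get("contact_email", "").lower():
        problems.append("e-mail differs from the old FV slice's contact_email")
    expires = datetime.strptime(sliver["expiration"], "%Y-%m-%d %H:%M:%S.%f")
    if expires <= now:
        problems.append("sliver expired at %s" % sliver["expiration"])
    return problems
```

In practice FOAM_JSON and FV_INFO would be the captured output of foamctl list-slivers and fvctl getSliceInfo, and the old FV slice is deleted only once approval_problems returns an empty list.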

Slice Authority trust configuration

You may want to configure FOAM to trust user certificates signed by additional Slice Authorities. To do that, install the CA cert for the Slice Authority in a file in /opt/foam/etc/gcf-ca-certs, and then rebuild the nginx CA cert bundle and restart FOAM and nginx:

sudo foamctl bundle-certs
sudo service foam restart
sudo service nginx restart

In particular, campus mesoscale deployments may want to trust the pgeni.gpolab.bbn.com SA; you can get the cert from http://www.pgeni.gpolab.bbn.com/ca-cert/pgeni.gpolab.bbn.com.pem.
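
The cert URL above is plain HTTP, so the download itself is not authenticated, and anything placed in /opt/foam/etc/gcf-ca-certs becomes a trust anchor for user certificates. The following is an added example, not part of the original page or of FOAM, of a fingerprint check to run on the downloaded file before installing it. The function names are hypothetical, the pinned SHA-256 value is assumed to come from the Slice Authority's operators over a separate channel, and the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER certificate; a real
# check runs on the contents of the downloaded .pem file instead.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def der_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    return [base64.b64decode("".join(block.split()), validate=True)
            for block in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(pem_text, pinned):
    """True only if the file holds exactly one cert whose SHA-256 equals pinned.

    pinned may be written openssl-style (AA:BB:...) or as plain hex.
    """
    try:
        certs = der_certs(pem_text)
    except ValueError:           # base64 body is corrupt
        return False
    if len(certs) != 1:          # empty download, HTML error page, or a bundle
        return False
    want = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(certs[0]).encode(), want.encode())
```

Run foamctl bundle-certs and the restarts only after matches_pin returns True for the downloaded file.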