[skip ci] Investigation on NSX integration#4071
[skip ci] Investigation on NSX integration#4071amandafeng001 wants to merge 11 commits intovmware:masterfrom
Conversation
| ### Create VCH | ||
| specifying 'bridge-network' as the port group 'vxw-dvs-55-virtualwire-1-sid-5000-logical-switch-1': | ||
| * I use this VCH to create containers, they are automatically added to this port group (i.e. logical switch) | ||
| * containerVMs get their IPs in the internal network |
There was a problem hiding this comment.
These IPs are currently assigned by the VCH - is there any IPAM mechanism embedded in NSX that would allow us to configure automatic DHCP response for a portgroup for example?
There was a problem hiding this comment.
This would depends on the NSX configuration and topology. NSX edge can act like a DHCP server, but can only serve interfaces directly connected to it. or NSX Distrubted Logical Router(DLR) can have external DHCP servers via DHCP relay configuration. However, we cannnot configure a DHCP on an ESG and then use the DHCP Relay function from the DLR to get an IP address from the ESG.
| ### docker network create network-a | ||
| Our goal: | ||
| * VMs can communicate with VMs in the same security group. | ||
| * VMs cannot talk to VMs in a differrent security group. |
There was a problem hiding this comment.
Are security groups coupled to IP ranges or completely independent?
There was a problem hiding this comment.
I would say they are not completely independent.
we can tag a VM to make it belong to one security group. but NSX uses this VM's IP to identify and apply security policies.
| Our goal: | ||
| * VMs can communicate with VMs in the same security group. | ||
| * VMs cannot talk to VMs in a differrent security group. | ||
| * one VM to be added to more than one security group. |
There was a problem hiding this comment.
Is it possible to associate a NIC with a security group, or just VMs? I'm asking for the case where a containerVM is attached to a container-network to publish a service. In that case the container-network NIC may well need to take traffic from any source, but the other NIC on the container that's attached to an internal network for communication with other containers would be Policy to Policy (if I'm reading this right).
There was a problem hiding this comment.
Yes. We can associate a NIC with a security group by configuring dynamic membership as entity belong-to <the vNIC>.
I just experimented with VMs with multiple vNICs. The policy on one vNIC does not affect another vNIC.
If I understand correctly, you mean a containerVM may be attached to some external container-network and also have an identity in VIC created internal network? I will need to verify if it works in this case.
| * POST /2.0/services/ipset/{scopeMoref} | ||
| * or create Security Tag | ||
| * POST /2.0/services/securitytags/tag | ||
| * create security group withe IP Sets or Security Tag as members |
| * list all the security groups | ||
| * GET /2.0/services/securitygroup/internal/scope/{scopeId} | ||
| * filter security group names by `<vch name>-SecurityGroup` prefix | ||
| * or if we keep KV pairs of each created network, then we just need to use that to list all the networks |
There was a problem hiding this comment.
The infrastructure is supposed to be the source of truth as this allows a degree of dual-mode management. So, pulling from the infrastructure would be preferred.
There was a problem hiding this comment.
Thanks. Get it. I will update the document.
|
|
||
| ## State Storage | ||
| * we can map a docker network name to a security group name as `<vch name>-SecurityGroup-<network name>` | ||
| * we can store KV pairs for each created network and then everything else will be in the NSX control plane |
There was a problem hiding this comment.
what state needs to be stored outside of NSX? One obvious possibility is the IPAM configuration, but worth being explicit.
There was a problem hiding this comment.
sorry I was not clear here. I meant storing some key/value pair like:
[key]: docker network name, [value]: information of the related objects created on NSX side.
can help fetching network info faster.
but as your previous comment mentioned, pulling from infrastructure would be preferred. Then no states need to be stored outside of NSX.
| ## Unclear / need discussion: | ||
| ### Security Tag v.s IP Sets | ||
| * Security Tag we only need to add the tag to a VM then it is added to a security group, which makes adding VMs to multiple security groups convinient. We do not need to update security groups everytime we create a new containerVM in a network. | ||
| * With IP Sets, we need to add the VM's IP to an IP Set. The downside is that 1. it requires the VM's IP to be static. 2. if we have more than one vch in the environment, containerVMs' IPs overlap, we cannot allow one VM in multiple security groups. 3. it may limit the number of VMs added to an IP Set (how many IPs can be added one IP set?). 4. everytime adding a new containerVM in a network, we need to add its IP to the IP set. |
There was a problem hiding this comment.
Please reflow the numbered points so they render as a list.
Consideration of security tag:
- Seems to apply to a VM instead of an interface on a VM - does this allow for different policies per vNIC?
Other possible considerations of IPs:
5. currently we only assign an IP to a VM when it is powered on so VMs wouldn't have a security group membership when powered off (meaning possible issues with out-of-band power on)
6. no way to prevent a container changing it's IP address
There was a problem hiding this comment.
Thanks Geroge. This is very important input.
Actually at the point when I sent this PR, security tag did not work on VIC. that's why I was considering IP Sets at that time.
After Doug's change #4057, security tag works on VIC.
But associating security group with security tag/VM may not work for the case you mentioned, where a container VM may have an external and internal identities.
I will investigate more on associating security group with vNIC and update the document.
| * all the user cases mentioned in the networking design document should still be valid or improved | ||
|
|
||
| ### To support both cases: with or without NSX? | ||
| * need to find out how to verify if a bridge network specified is a logic switch? |
There was a problem hiding this comment.
bridge network is currently specified as a portgroup
There was a problem hiding this comment.
yes. I meant, if we want to support both cases:
- user has NSX setup.
- user does not have NSX setup.
then we need a way to figure out if the port group here is an NSX created logical switch or just a regular port group.
I think we can search for thesid-inside the name of the port group (for example, a logical switch name may be like thisvxw-dvs-55-virtualwire-12-sid-5010-logical-switch-23)
but this approach may give false positives if someone creates a regular port group name asvxw-dvs-55-virtualwire-12-sid-1
|
|
||
| ### User management | ||
| * NSX allows RBAC, we can add Vcenter users and assign roles for them | ||
| * to my understanding, in terms of using NSX for 'docker network create', we will not need RBAC controls? Unless if we want to restrict users from creating networks, otherwise we may not need RBAC at this point? |
There was a problem hiding this comment.
It depends what else can be done via the NSX management connection.
We started using admin users for VC and as a result have some awkward usages and have had to experimentally determine what privileges we need for what operations.
It's much easier to start with zero privileges while developing and document the addition as they are needed.
The other related question is can NSX use vCenter users for authZ or do we need to add a capability to add/specify an NSX user.
If the latter then we may need two users, one that can create the bridge network for vic-machine, the other to create security groups on it for endpointVM operations.
|
@hickeng , Thanks for the comments. |
amandafeng001
force-pushed
the
NSX-integration
branch
from
06ec3e2 to
b94895a
Compare
anchal-agrawal
left a comment
anchal-agrawal
left a comment
There was a problem hiding this comment.
Suggestions for typos.
|
|
||
|
|
||
| ## A Working Installation of NSX-v | ||
| For VMWare engineers using Nimbus, here is a document about how to install and configure NSX with Vsphere: How to set up VM-to-VM communication on NSX logical switch with Nimbus |
There was a problem hiding this comment.
s/VMWare/VMware
s/Vsphere/vSphere
| Let us use this example to explain the workflow. | ||
|
|
||
| ### Prerequisite | ||
| We assume VSphere admin already has NSX installed and configured on VCenter. That means there is an NSX logical switch created by the admin, which automatically creates a port group on distributed switch. |
There was a problem hiding this comment.
s/VSphere/vSphere
s/VCenter/vCenter
| * vCenter Objects: VMs, Distributed Switches, Clusters, etc. | ||
| * VM Properties: vNICs, VM names, VM operating Systems, etc. | ||
| * NSX Objects: Logical Switches, Security Tags, Logical Routers, etc. | ||
| In this document, we propose to use vNICs as the grouping creteria. We will dicuss more on this later. |
There was a problem hiding this comment.
s/creteria/criteria
s/dicuss/discuss
|
|
||
| ![NSX-v multi-tenancy] (pics/nsx-multi-tenants.png) | ||
|
|
||
| It worths to mention that we would expect only one VCH is created for one tenant. Otherwise there IP overlapping would issue. |
There was a problem hiding this comment.
We can replace this with something like:
"It is worth to mention that we would expect only one VCH to be created for one tenant. Otherwise IP overlapping would occur."
| * need to find out how to verify if a bridge network specified is a logic switch? | ||
|
|
||
| ### User Management | ||
| * NSX allows RBAC, we can add Vcenter users and assign roles for them |
There was a problem hiding this comment.
Thanks Anchal. I will update!
| * Pros: | ||
| * It serves our goals. | ||
| * Cons: | ||
| * Everytime a containerVM is created, we need to update related security groups' by adding one more membership criterias. Not sure the maximum number of membership criterias NSX-v supports. |
There was a problem hiding this comment.
s/criterias/criteria
amandafeng001
force-pushed
the
NSX-integration
branch
from
40231de to
650f399
Compare
| Let us use this example to explain the workflow. | ||
|
|
||
| ### Prerequisite | ||
| We assume vSphere admin already has NSX installed and configured on vCenter. That means there is an NSX logical switch created by the admin, which automatically creates a port group on distributed switch. |
There was a problem hiding this comment.
I'm just curious; can we create the port group for the user in the installer?
There was a problem hiding this comment.
Yes. We can do that. As long as NSX has been installed, in the installer we can make API calls to NSX to create logical switch, which will create corresponding port group :)
|
|
||
| ### docker run --name=containerVM1 <image name> | ||
| * VIC create containerVM1 | ||
| * NSX manager creates security group `<vch name>-SG-bridge` with dynamic membership: NIC-1 (of containerVM1) |
There was a problem hiding this comment.
Is the intent that we create a bridge security group for every container?
There was a problem hiding this comment.
Sorry for the confusion here. I mean we create a security group for each container network. And then everytime we add a container (say with NIC-1) to that network, we update the security group by adding a criteria of 'entitiy equals to NIC-1'. This is how the container's NIC-1 associated to the security group.
| https://{nsxmanager's hostname or IP}/api | ||
|
|
||
| ### API calls | ||
| (details in http://pubs.vmware.com/nsx-63/topic/com.vmware.ICbase/PDF/nsx_63_api.pdf , note that many NSX API methods reference vCenter object IDs in URI parameters, query parameters, request bodies, and response bodies, also it takes XML as request body (sad) ) |
There was a problem hiding this comment.
LOL @ "sad". Is it SOAP by chance? If so, you could probably reuse some of the client code in govmomi to do the wsdl stuff.
There was a problem hiding this comment.
it is a REST API... I think the plan is to add code in govmomi. Then make calls to govmomi from port layer. I'm not familiar with wsdl..what is it? and do you think at least I can use it to handle the xml part?
| ### Adding a ContainerVM to Multiple Networks | ||
| This is not supported in current VIC implementation. | ||
| * Is adding another NIC to a containerVM the right way to do it? | ||
| * Does having multiple interfaces matter ? How would user use multiple NICs? |
There was a problem hiding this comment.
There was a problem hiding this comment.
If we go with the Security Group with vNIC association approach, we can build it on top of what we already have. I think it is loosely like this: scope == docker network versus scope + security group == docker network.
The scopes will still be there. We add security groups on top. The difference is when we add a container to another network, we need to create another vNIC to give it an identify in the new network. Would love to hear @hmahmood 's input on this.
There was a problem hiding this comment.
Currently it is possible to add a container to multiple networks. A new vNIC is added if there is no NIC that is currently connected to the port group in question. It sounds like scope == security group == docker network to me.
| * We only need to tag a VM then it is added to a security group. | ||
| * we do not need to update security groups everytime a new containerVM is created. | ||
| * Cons: | ||
| * It seems at the backend of NSX, IP address is used to identify the membership of a security group. So it does not work in this scenario, for example, when there are two port groups on the same VDS and each of them have a VIC (say VIC-a and VIC-b) created. Then the security group and policy on VIC-a aslo affects VIC-b. (One NSX-v tenant is not allowed to have overlapping IPs. But VIC users might be the same tenant (if our understanding of a NSX tenant is correct).) |
There was a problem hiding this comment.
RE: IP mapping to SG. I'm really surprised by this. You can't tag by something more unique and immutable like mac or MoRef?
There was a problem hiding this comment.
I actually tried to use mac to associate security group. Turns out it eventually still uses IP to identify membership. I found only with vNIC, security group membership can be correctly identified even with overlapping IP.
I asked a NSX-v expert, he said "As dataplane is an IP classification engine, all the members of the security group will be converted to the IP addresses before sending them down to the ESXi host."
|
This work is paused. |
6 participants
Fixes #3936