Diffstat (limited to 'docs/design')
-rw-r--r-- docs/design/architecture.rst 2
-rw-r--r-- docs/design/definitions.rst 5
-rw-r--r-- docs/design/index.rst 2
-rw-r--r-- docs/design/introduction.rst 20
-rw-r--r-- docs/design/requirements.rst 32
-rw-r--r-- docs/design/usecases.rst 65
6 files changed, 57 insertions, 69 deletions
diff --git a/docs/design/architecture.rst b/docs/design/architecture.rst
index 9d9d3c3..02d8335 100644
--- a/docs/design/architecture.rst
+++ b/docs/design/architecture.rst
@@ -1,7 +1,7 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
Architecture
============
diff --git a/docs/design/definitions.rst b/docs/design/definitions.rst
index 6c0175d..5552696 100644
--- a/docs/design/definitions.rst
+++ b/docs/design/definitions.rst
@@ -1,7 +1,7 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
Definitions
===========
@@ -41,3 +41,6 @@ Abbreviations
* - VNF
- Virtual Network Function
+
+ * - NFVI
+ - Network Function Virtualization Infrastructure
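Review bot: the new NFVI row in the Abbreviations table defines a term that this same patch stops using, since introduction.rst and usecases.rst both change "NFVI" to "NFV Infrastructure". Either keep the abbreviation in those files now that it is defined, or drop this row. Also check that the expansion given here ("Network Function Virtualization Infrastructure") and the form used in the prose ("NFV Infrastructure") are meant to coexist.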
diff --git a/docs/design/index.rst b/docs/design/index.rst
index df46a02..b1bc74b 100644
--- a/docs/design/index.rst
+++ b/docs/design/index.rst
@@ -1,7 +1,7 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
********************
OPNFV Copper Project
diff --git a/docs/design/introduction.rst b/docs/design/introduction.rst
index e4d273b..cc2ceee 100644
--- a/docs/design/introduction.rst
+++ b/docs/design/introduction.rst
@@ -1,15 +1,15 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
Introduction
============
..
- This work is licensed under a Creative Commons Attribution 3.0 Unported License.
+ This work is licensed under a Creative Commons Attribution 4.0 Unported License.
- http://creativecommons.org/licenses/by/3.0/legalcode
+ http://creativecommons.org/licenses/by/4.0
.. NOTE::
This is the working documentation for the Copper project.
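Review bot: the commented licence block now reads "Creative Commons Attribution 4.0 Unported License", but the header at the top of this same file names the licence as "Creative Commons Attribution 4.0 International License"; "Unported" is the 3.0 naming. Change it to "4.0 International", or delete this second comment block, since after the change it only repeats the header and its URL.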
@@ -18,8 +18,8 @@ The `OPNFV Copper <https://wiki.opnfv.org/copper>`_ project aims to help ensure
that virtualized infrastructure and application deployments comply with goals of
the NFV service provider or the VNF designer/user.
-This is the second ("Colorado") release of the Copper project. The documenation
-provided here focuses on the overall goals of the Copper project, and the
+This is the third ("Danube") release of the Copper project. The documentation
+provided here focuses on the overall goals of the Copper project and the
specific features supported in the Colorado release.
Overall Goals for Configuration Policy
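Review bot: the release name is updated in the first sentence (third, "Danube") but the unchanged last line of the paragraph still says "specific features supported in the Colorado release". Update that line to Danube as well, or state explicitly that the feature set described is the Colorado one.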
@@ -36,7 +36,7 @@ in specific terms or more abstractly, but at the highest level they express:
* what I don't want
Using road-based transportation as an analogy, some examples of this are shown
-below.
+below:
.. list-table:: Configuration Intent Example
:widths: 10 45 45
@@ -77,7 +77,7 @@ Examples of such translation are:
* - network security
- firewall, DPI, private subnets
* - compute/storage security
- - vulerability monitoring, resource access controls
+ - vulnerability monitoring, resource access controls
* - high availability
- clustering, auto-scaling, anti-affinity, live migration
* - disaster recovery
@@ -89,11 +89,11 @@ Examples of such translation are:
* - resource reclamation
- low-usage monitoring
-Although such intent to capability translation is conceptually useful, it is
+Although such intent-to-capability translation is conceptually useful, it is
unclear how it can address the variety of aspects that may affect the choice of
an applicable configuration capability.
For that reason, the Copper project will initially focus on more specific
configuration requirements as fulfilled by specific configuration capabilities,
-and how those requirements and capabilities are expressed in VNF and service
-design and packaging, or as generic poicies for the NFVI.
+as well as how those requirements and capabilities are expressed in VNF and service
+design and packaging or as generic policies for the NFV Infrastructure.
diff --git a/docs/design/requirements.rst b/docs/design/requirements.rst
index 7940cda..87894cf 100644
--- a/docs/design/requirements.rst
+++ b/docs/design/requirements.rst
@@ -1,7 +1,7 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
Requirements
============
@@ -22,10 +22,8 @@ include multiple ways in which resource requirements can be expressed and fulfil
* OpenStack Nova
- * the `image <http://docs.openstack.org/openstack-ops/content/user_facing_images.html>`_ feature, enabling "VM templates" to be defined for NFs,
- and referenced by name as a specific NF version to be used
- * the `flavor <http://docs.openstack.org/openstack-ops/content/flavors.html>`_ feature, addressing basic compute and
- storage requirements, with extensibility for custom attributes
+ * the Image feature, enabling "VM templates" to be defined for NFs and referenced by name as a specific NF version to be used
+ * the Flavor feature, addressing basic compute and storage requirements, with extensibility for custom attributes
* OpenStack Heat
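Review bot: the Image and Flavor bullets lose their documentation links with nothing put in their place, while other entries in this file (Keystone, Manila, Zaqar) keep theirs. If the old openstack-ops URLs are dead, point to the current OpenStack documentation rather than removing the references. The capitalised "Image" and "Flavor" also differ from "Nova flavors" used further down in this file.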
@@ -44,10 +42,8 @@ include multiple ways in which resource requirements can be expressed and fulfil
* orchestration service user management (requires
`Keystone <http://docs.openstack.org/developer/keystone/>`_)
* shared storage (requires `Manila <https://wiki.openstack.org/wiki/Manila>`_)
- * load balancing (requires Neutron
- `LBaaS <http://docs.openstack.org/admin-guide-cloud/content/section_lbaas-overview.html>`_)
- * firewalls (requires Neutron
- `FWaaS <http://docs.openstack.org/admin-guide-cloud/content/install_neutron-fwaas-agent.html>`_)
+ * load balancing (requires `Neutron LBaaS <http://docs.openstack.org/admin-guide/networking.html>`_)
+ * firewalls (requires `Neutron FWaaS <http://docs.openstack.org/admin-guide/networking.html>`_)
* various Neutron-based network and security configuration items
* Nova flavors
* Nova server attributes including access control
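Review bot: the LBaaS and FWaaS bullets now both link to the same generic page, http://docs.openstack.org/admin-guide/networking.html, so a reader can no longer reach the material for either service directly. Link each bullet to its own section or page, or use one shared link and say which sections apply.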
@@ -58,19 +54,19 @@ include multiple ways in which resource requirements can be expressed and fulfil
* "multi-tenant cloud messaging and notification service" (requires
`Zaqar <http://docs.openstack.org/developer/zaqar/>`_)
- * OpenStack `Group-Based Policy <https://wiki.openstack.org/wiki/GroupBasedPolicy>`_
+ * `OpenStack Group-Based Policy <https://wiki.openstack.org/wiki/GroupBasedPolicy>`_
* API-based grouping of endpoints with associated contractual expectations for data flow processing and service chaining
- * OpenStack `Tacker <https://wiki.openstack.org/wiki/Tacker>`_
+ * `OpenStack Tacker <https://wiki.openstack.org/wiki/Tacker>`_
* "a fully functional ETSI MANO based general purpose NFV Orchestrator and VNF Manager for OpenStack"
- * OpenDaylight `Group-Based Policy <https://wiki.opendaylight.org/view/Group_Based_Policy_(GBP)>`_
+ * `OpenDaylight Group-Based Policy <https://wiki.opendaylight.org/view/Group_Based_Policy_(GBP)>`_
* model-based grouping of endpoints with associated contractual expectations for data flow processing
- * OpenDaylight `Service Function Chaining (SFC) <https://wiki.opendaylight.org/view/Service_Function_Chaining:Main>`_
+ * `OpenDaylight Service Function Chaining (SFC) <https://wiki.opendaylight.org/view/Service_Function_Chaining:Main>`_
* model-based management of "service chains" and the infrastucture that enables them
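Review bot: the context line under the SFC bullet still has "infrastucture" misspelled; this patch fixes spelling elsewhere (introduction.rst), so fix it here too. Moving "OpenStack" and "OpenDaylight" inside the link text is fine, but the Congress and Aodh bullets later in this file keep "OpenStack" outside the link, so pick one style for the whole file.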
@@ -113,17 +109,13 @@ high-level required capabilities include:
Upstream projects already include multiple ways in which configuration conditions
can be monitored and responded to:
- * OpenStack `Congress <https://wiki.openstack.org/wiki/Congress>`_ provides a
+ * OpenStack `Congress <http://docs.openstack.org/developer/congress/index.html>`_ provides a
table-based mechanism for state monitoring and proactive/reactive policy
enforcement, including data obtained from internal databases of OpenStack
core and optional services. The Congress design approach is also extensible
to other VIMs (e.g. SDNCs) through development of data source drivers for
- the new monitored state information. See
- `Stackforge Congress Data Source Translators <https://github.com/stackforge/congress/tree/master/congress/datasources>`_,
- `congress.readthedocs.org <http://congress.readthedocs.org/en/latest/cloudservices.html#drivers>`_,
- and the `Congress specs <https://github.com/stackforge/congress-specs>`_ for
- more info.
- * OpenStack `Ceilometer <https://wiki.openstack.org/wiki/Ceilometer>`_
+ the new monitored state information.
+ * OpenStack `Aodh <https://wiki.openstack.org/wiki/Telemetry#Aodh>`_
provides means to trigger alarms upon a wide variety of conditions derived
from its monitored OpenStack analytics.
* `Nagios <https://www.nagios.org/#/>`_ "offers complete monitoring and alerting for servers, switches, applications, and services".
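Review bot: swapping Ceilometer for Aodh leaves the description untouched: "provides means to trigger alarms upon a wide variety of conditions derived from its monitored OpenStack analytics". Aodh is the alarming service and evaluates alarms against telemetry collected by other services, so "its monitored" no longer fits; reword the bullet or name the data source. The Congress bullet also drops all three pointers to the data source driver material immediately after the sentence that presents drivers as the extension point; keep at least one current reference there.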
diff --git a/docs/design/usecases.rst b/docs/design/usecases.rst
index 891539c..431590d 100644
--- a/docs/design/usecases.rst
+++ b/docs/design/usecases.rst
@@ -1,12 +1,12 @@
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
-.. (c) 2015-2016 AT&T Intellectual Property, Inc
+.. (c) 2015-2017 AT&T Intellectual Property, Inc
Use Cases
=========
-Implemented as of this release
+Implemented in Current Release
------------------------------
Network Bridging
@@ -18,16 +18,14 @@ network.
An example implementation is shown in the Congress use case test "Network
Bridging" (bridging.sh) in the Copper repo under the tests folder. This test:
- * Identifies VMs with connected to Service Provider defined networks via
- floating IPs.
- * Identifies VMs that are connected to two such networks with different
- security levels.
- * For VMs that are thus connected, identifies those that are not owned
- by the SP.
- * Reactively enforces the network bridging rule by pausing VMs found to be in
- violation of the policy.
+
+ * Identifies VMs that are connected to Service Provider (SP) defined networks via floating IPs
+ * Identifies VMs that are connected to two such networks with different security levels
+ * For VMs that are thus connected, identifies those that are not owned by the Service Provider
+ * Reactively enforces the network bridging rule by pausing VMs found to be in violation of the policy
Note the assumptions related to the following example:
+
* "SP" is the service provider tenant, and only the SP can create tenants
As implemented through OpenStack Congress:
@@ -63,17 +61,14 @@ DMZ Deployment
..............
As a service provider, I need to ensure that applications which have not been
-designed for exposure in a DMZ zone, are not attached to DMZ networks.
+designed for exposure in a DMZ zone are not attached to DMZ networks.
An example implementation is shown in the Congress use case test "DMZ Placement"
(dmz.sh) in the Copper repo under the tests folder. This test:
- * Identifies VMs connected to a DMZ (currently identified through a
- specifically-named security group)
- * Identifes VMs connected to a DMZ, which are by policy not allowed to be
- (currently implemented through an image tag intended to identify images
- that are "authorized" i.e. tested and secure, to be DMZ-connected)
- * Reactively enforces the dmz placement rule by pausing VMs found to be in
- violation of the policy.
+
+ * Identifies VMs connected to a DMZ (currently identified through a specifically-named security group)
+ * Identifies VMs connected to a DMZ, which are by policy not allowed to be (currently implemented through an image tag intended to identify images that are "authorized" i.e. tested and secure, to be DMZ-connected)
+ * Reactively enforces the dmz placement rule by pausing VMs found to be in violation of the policy.
As implemented through OpenStack Congress:
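Review bot: the second bullet is only re-wrapped and still reads ambiguously: "Identifies VMs connected to a DMZ, which are by policy not allowed to be" can be parsed as the DMZ not being allowed. State the check directly, for example "Identifies DMZ-connected VMs whose image lacks the tag marking it as authorized for DMZ connection". The third bullet also keeps its trailing period and lowercase "dmz" while the Network Bridging bullets in this patch dropped their periods.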
@@ -103,10 +98,11 @@ or reactive policy enforcement.
An example implementation is shown in the Congress use case test "SMTP Ingress"
(smtp_ingress.sh) in the Copper repo under the tests folder. This test:
+
* Detects that a VM is associated with a security group that allows SMTP
ingress (TCP port 25)
* Adds a policy table row entry for the VM, which can be later investigated
- for appropriate use of the security group, etc
+ for appropriate use of the security group
As implemented through OpenStack Congress:
@@ -125,12 +121,12 @@ As implemented through OpenStack Congress:
Reserved Resources
..................
-As an NFVI provider, I need to ensure that my admins do not inadvertently
+As an NFV Infrastructure provider, I need to ensure that my admins do not inadvertently
enable VMs to connect to reserved subnets.
-An example implementation is shown in the Congress use case test "Reserved
-Subnet" (reserved_subnet.sh) in the Copper repo under the tests folder. This
-test:
+An example implementation is shown in the Congress use case test "Reserved Subnet"
+(reserved_subnet.sh) in the Copper repo under the tests folder. This test:
+
* Detects that a subnet has been created in a reserved range
* Reactively deletes the subnet
@@ -145,7 +141,7 @@ As implemented through OpenStack Congress:
reserved_subnet_error(x)
-For further analysis and implementation
+For Further Analysis and Implementation
---------------------------------------
Affinity
@@ -187,10 +183,10 @@ Anti-Affinity
.............
Ensures that the VM instance is launched "with anti-affinity to" specific resources,
-e.g. outside a compute or storage cluster, or geographic location. Examples
-include: "Different Host Filter", i.e. ensures that the VM instance is launched
-on a different compute node from a given set of instances, as defined in a
-scheduler hint list.
+e.g. outside a compute or storage cluster, or geographic location.
+Examples include: "Different Host Filter", i.e. ensures that the VM instance is
+launched on a different compute node from a given set of instances, as defined
+in a scheduler hint list.
As implemented by OpenStack Heat using scheduler hints:
@@ -230,8 +226,7 @@ As implemented by OpenStack Heat using scheduler hints:
Network Access Control
......................
-Networks connected to VMs must be public, or owned by someone in the VM owner's
-group.
+Networks connected to VMs must be public or owned by someone in the VM owner's group.
This use case captures the intent of the following sub-use-cases:
@@ -295,9 +290,8 @@ As implemented through OpenStack Congress:
Resource Reclamation
....................
-As a service provider or tenant, I need to be informed of VMs that are
-under-utilized so that I can reclaim the VI resources. (example from
-`RuleYourCloud blog <http://ruleyourcloud.com/2015/03/12/scaling-up-congress.html>`_)
+As a service provider or tenant, I need to be informed of VMs that are under-utilized
+so that I can reclaim the VI resources. (example from `RuleYourCloud blog <http://ruleyourcloud.com/2015/03/12/scaling-up-congress.html>`_)
As implemented through OpenStack Congress:
@@ -317,8 +311,8 @@ As implemented through OpenStack Congress:
Resource Use Limits
...................
-As a tenant or service provider, I need to be automatically terminate an
-instance that has run for a pre-agreed maximum duration.
+As a tenant or service provider, I need to be automatically terminate an instance
+that has run for a pre-agreed maximum duration.
As implemented through OpenStack Congress:
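Review bot: the sentence is re-wrapped but its grammar error is carried over: "I need to be automatically terminate an instance". It should read "I need to automatically terminate an instance" or "I need to be able to automatically terminate an instance".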
@@ -334,4 +328,3 @@ As implemented through OpenStack Congress:
reclaim_server(vm),
nova:servers(vm, vm_name, user_id),
keystone:users(user_id, email)
-