OpenStack Congress & Datalog (English)

Transcript

1. © 2015 VMware Inc. All rights reserved. OpenStack Congress &

   Datalog 2nd Tokyo OpenStack Meetup at Vmware K.K. Motonori Shindo (@motonori_shindo) CTO Ambassador / Technical Leader VMware

2. Self Introduction • Motonori Shindo • Bio – Tokyo Electric

   Power Co (TEPCO), School of Computer Science at Carnegie Mellon University, Ascend Communications, CoSine Communications, Proxim, Fivefront, Nicira, VMware 2

3. What is OpenStack Congress ? • One of the projects

   in OpenStack to provide “Policy as a Service”. • Why called “Congress” ? – Because that’s where policy is defined J 3

4. Why does Congress live in OpenStack? • Congress is a

   generic policy engine so it works as standalone (i.e. without OpenStack) • That said, in order to define a meaningful / useful policy, some sort of information (“data source”) upon which policy can be defined is needed. • OpenStack has a rich set of data sources that can be consumed by Congress, so it is a great place for Congress to live! 4

5. What is “Policy” • No single answer but let’s think

   of it as something that dictates how the system should behave in order to conform to: – Law / Regulations – Business rule – Application requirement – Geographical constraint – Security requirement – … 5 A generic language that can dictates these policies is needed!

6. Datalog • Declarative Language based on First Order Logic –

   Often used as a query language • Syntactically it is similar to Prolog but it has different semantics : – No Function Symbols – Guarantee to terminate – Order of rule definition is irrelevant – No “List” construct – No Cut （!) and fail operators 6

7. Datalog Syntax 7 <atom> :- <literal 1>, <literal 2>, <literal

   3> … , <literal N>. Head Body

8. Safety Properties of Datalog • All variables that appear in

   the head must also appear in the body in the rule as non-arithmetic positive literal. • All variables that appear in the body as negative literal must also appear in other positive literals. • Example of non-Safety rules – q(X, Y, Z) :- r1(X,Y), X < Z. – q(X, Y, Z) :- r1(X,Y), not r2(X, Y, Z). • Example of Safety rules – q(X, Y, Z) :- r1(X, Y), r2(Y, Z), X < Z. – q(X, Y, Z) :- r1(X,Y), not r2(X, Y, Z), r3(Y, Z). 8

9. Datalog (Prolog) Example 1 9 parent(motonori, manzo). parent(motonori, keiko). male(manzo).

   male(motonori). female(keiko). father(X, Y) :- parent(X,Y), male(Y). mother(X, Y) :- parent(X,Y), female(Y). ?- father(motonori, X). father(motonori, manzo).

10. Datalog (Prolog) Example 2 10 adjacent(a, b). adjacent(b, c). adjacent(c,

    d). adjacent(a, d). adjacent(e, f). reachable(X, Y) :- adjacent(X, Y). reachable(X, Y) :- adjacent(X, Z), reachable(Z, Y). ?- reachable(b, d). reachable(b, d). ?- reachable(a, f). a b d f c e

11. What Congress can do today (and in the future) •

    Monitoring – Check the current status of Cloud against policy and report error if there’s a mismatch • Enforcement – Take an action in order to avoid policy violation – Proactively / Reactively / Interactively • Auditing – History management of policy and policy violation 11

12. Datalog in Congress • Syntax • Restrictions – Recursion is

    not supported (at least for the time being) 12 <policy> ::= <rule>* <rule> ::= <head> COLONMINUS <literal> (COMMA <literal>)* <head> ::= <atom> <head> ::= EXECUTE[<atom>] <literal> ::= <atom> <literal> ::= NOT <atom> <atom> ::= TABLENAME LPAREN <arg> (COMMA <arg>)* RPAREN <arg> ::= <term> <arg> ::= COLUMNNAME=<term> <term> ::= INTEGER | FLOAT | STRING | VARIABLE

13. Extension in Congress • Tables in certain data source may

    have many number of columns. When writing policy using such a table it is cumbersome to write all those columns explicitly. • Full form: • Simplified form: 13 port(id) :- neutron:ports(id, tenant_id, name, network_id, mac_address, admin_state_up, status, device_owner, fixed_ips, security_groups). port(id) :- neutron:ports(id=id).

14. Drivers that are currently supported for Congress • OpenStack Ceilometer

    • OpenStack Cinder • OpenStack Glance (v2) • OpenStack Ironic • OpenStack Keystone • OpenStack Murano • OpenStack Neutron (v2) • OpenStack Nova • OpenStack Switft • Cloud Foundry • Plexxi • vCenter 14

15. Example 1: Congress Policy (for monitoring) 15 error(vm, network) :-

    nova:virtual_machine(vm), nova:network(vm, network), nova:owner(vm, vm_owner), neutron:owner(network, network_owner), not neutron:public_network(network), not same_group(vm_owner, network_owner) same_group(user1, user2) :- ad:group(user1, group), ad:group(user2, group)

16. Example 2: Congress Policy (for enforcement) 16 Execute[neutron:disconnectNetwork(vm, network)] :-

    error(vm, network) Execute[nova:pause(x)] :- nova:servers(id=x, status=“ACTIVE”)

17. Congress -- Policies 17

18. Congress – Data Sources 18

19. Congress – Data Sources 19

20. Congress – Data Sources 20

21. Live Demo 21 Goal : Detect a policy violation when

    a VM is spun up with a flavor lager than or equal to 4GB of memory

22. STEP 1: • Create the following two rules under “classification”

    policy by CLI: 22 % openstack congress policy rule create classification 'large_flavor(id) :- nova:flavors(id, name, vcpus, ram, disk, ephemeral, rxtx_factor), gteq(ram, 4096)' % openstack congress policy rule create classification 'error(id, name) :- nova:servers(id, name, host_id, status, tenant_id, user_id, image_id, flavor_id), large_flavor(flavor_id)'

23. STEP 2: • Launch a VM with a flavor “m1.nano”

    and confirm that there’s no policy violation detected by Congress. 23

24. STEP 3: 24 • Launch another VM with a flavor

    “m1.large” and confirm Congress detected a policy violation with VM ID and its name.

25. Questions