Slide 1

OpenStack Congress & Datalog
2nd Tokyo OpenStack Meetup at VMware K.K.
Motonori Shindo (@motonori_shindo)
CTO Ambassador / Technical Leader, VMware
© 2015 VMware Inc. All rights reserved.

Slide 2

Self Introduction
• Motonori Shindo
• Bio
  – Tokyo Electric Power Co (TEPCO), School of Computer Science at Carnegie Mellon University, Ascend Communications, CoSine Communications, Proxim, Fivefront, Nicira, VMware

Slide 3

What is OpenStack Congress?
• One of the projects in OpenStack to provide "Policy as a Service".
• Why is it called "Congress"?
  – Because that's where policy is defined :)

Slide 4

Why does Congress live in OpenStack?
• Congress is a generic policy engine, so it works standalone (i.e. without OpenStack).
• That said, in order to define a meaningful / useful policy, some sort of information (a "data source") upon which policy can be defined is needed.
• OpenStack has a rich set of data sources that Congress can consume, so it is a great place for Congress to live!

Slide 5

What is "Policy"?
• No single answer, but let's think of it as something that dictates how the system should behave in order to conform to:
  – Law / regulations
  – Business rules
  – Application requirements
  – Geographical constraints
  – Security requirements
  – …
A generic language that can dictate these policies is needed!

Slide 6

Datalog
• Declarative language based on first-order logic
  – Often used as a query language
• Syntactically it is similar to Prolog, but it has different semantics:
  – No function symbols
  – Guaranteed to terminate
  – Order of rule definition is irrelevant
  – No "list" construct
  – No cut (!) and fail operators

Slide 7

Datalog Syntax
    <head> :- <literal>, <literal>, …, <literal>.
• Head: the single atom to the left of ":-"
• Body: the comma-separated literals to the right of ":-", terminated by a period

Slide 8

Safety Properties of Datalog
• All variables that appear in the head must also appear in the body in a non-arithmetic positive literal.
• All variables that appear in the body in a negative literal must also appear in other positive literals.
• Examples of unsafe rules
  – q(X, Y, Z) :- r1(X, Y), X < Z.
  – q(X, Y, Z) :- r1(X, Y), not r2(X, Y, Z).
• Examples of safe rules
  – q(X, Y, Z) :- r1(X, Y), r2(Y, Z), X < Z.
  – q(X, Y, Z) :- r1(X, Y), not r2(X, Y, Z), r3(Y, Z).
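The two safety conditions above, turned into a check a policy loader could run before accepting a rule. This is an added example, not code from the slides or from Congress; the small regex reader and the `kind` labels (`pos`, `neg`, `builtin`) are its own conventions, and it treats arithmetic comparisons the same way the slide treats negated literals, since `X < Z` cannot enumerate values for Z either.

```python
"""Safety check for Datalog rules, following the two conditions on the slide.

Rules are given as text in the Prolog-style syntax the slide uses (variables
start with an upper-case letter). A small regex reader turns a rule into
(head, body); this reader is part of the example, not Congress's parser.
"""
import re

# One body element: a (possibly negated) predicate literal such as
# `not r2(X, Y, Z)`, or an arithmetic comparison such as `X < Z`.
BODY_ELEMENT = re.compile(
    r"(not\s+)?(\w+)\s*\(([^)]*)\)"          # literal: [not] pred(args)
    r"|(\w+)\s*(<=|>=|!=|<|>|=)\s*(\w+)"      # comparison: a OP b
)
HEAD = re.compile(r"(\w+)\s*\(([^)]*)\)")


def is_var(term):
    """Datalog variables start with an upper-case letter (Prolog style)."""
    return term[:1].isupper()


def parse_rule(text):
    """'q(X, Y) :- r(X), X < Y.' -> (('q', ['X', 'Y']), [(kind, name, args), ...])

    kind is 'pos' for a positive literal, 'neg' for a negated one and
    'builtin' for an arithmetic comparison (name is then the operator).
    """
    head_text, body_text = text.rstrip(". \n").split(":-", 1)
    m = HEAD.match(head_text.strip())
    head = (m.group(1), [a.strip() for a in m.group(2).split(",")])
    body = []
    for m in BODY_ELEMENT.finditer(body_text):
        if m.group(2):                       # predicate literal
            kind = "neg" if m.group(1) else "pos"
            args = [a.strip() for a in m.group(3).split(",")]
            body.append((kind, m.group(2), args))
        else:                                # comparison
            body.append(("builtin", m.group(5), [m.group(4), m.group(6)]))
    return head, body


def safety_violations(rule):
    """Return human-readable safety violations for one rule (empty if safe)."""
    (head_pred, head_args), body = rule
    # Only positive, non-arithmetic literals can bind a variable to a finite
    # set of values; these are the variables every other use must rely on.
    bound = {a for kind, _, args in body if kind == "pos"
             for a in args if is_var(a)}
    problems = []
    # Condition 1: every head variable must be bound.
    for v in head_args:
        if is_var(v) and v not in bound:
            problems.append(f"head variable {v} is not bound by a positive literal")
    # Condition 2: every variable of a negated literal must be bound; the
    # same requirement is applied here to comparisons.
    for kind, name, args in body:
        if kind == "pos":
            continue
        where = f"not {name}(...)" if kind == "neg" else f"{args[0]} {name} {args[1]}"
        for v in args:
            if is_var(v) and v not in bound:
                problems.append(f"variable {v} in {where} is not bound by a positive literal")
    return problems


def is_safe(text):
    return not safety_violations(parse_rule(text))


# The four rules from the slide: the first two are unsafe, the last two safe.
SLIDE_RULES = [
    "q(X, Y, Z) :- r1(X, Y), X < Z.",
    "q(X, Y, Z) :- r1(X, Y), not r2(X, Y, Z).",
    "q(X, Y, Z) :- r1(X, Y), r2(Y, Z), X < Z.",
    "q(X, Y, Z) :- r1(X, Y), not r2(X, Y, Z), r3(Y, Z).",
]

if __name__ == "__main__":
    for rule in SLIDE_RULES:
        print(rule, "->", safety_violations(parse_rule(rule)) or "safe")
```

Running the file prints each slide rule with its violations: the first two rules are rejected because Z is never bound by a positive literal, the last two pass because `r2(Y, Z)` and `r3(Y, Z)` bind it. Rejecting unsafe rules up front matters in a policy engine because an unsafe rule has no finite answer set, so the evaluator could not terminate on it.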

Slide 9

Datalog (Prolog) Example 1
    parent(motonori, manzo).
    parent(motonori, keiko).
    male(manzo).
    male(motonori).
    female(keiko).
    father(X, Y) :- parent(X, Y), male(Y).
    mother(X, Y) :- parent(X, Y), female(Y).
    ?- father(motonori, X).
    father(motonori, manzo).

Slide 10

Datalog (Prolog) Example 2
    adjacent(a, b).
    adjacent(b, c).
    adjacent(c, d).
    adjacent(a, d).
    adjacent(e, f).
    reachable(X, Y) :- adjacent(X, Y).
    reachable(X, Y) :- adjacent(X, Z), reachable(Z, Y).
    ?- reachable(b, d).
    reachable(b, d).
    ?- reachable(a, f).
[Figure: graph of the nodes a, b, c, d, e, f with the edges given by the adjacent facts]

Slide 11

What Congress can do today (and in the future)
• Monitoring
  – Check the current state of the cloud against policy and report an error if there is a mismatch
• Enforcement
  – Take an action in order to avoid a policy violation
  – Proactively / reactively / interactively
• Auditing
  – History management of policies and policy violations

Slide 12

Datalog in Congress
• Syntax
    <policy>    ::= <rule>*
    <rule>      ::= <head> COLONMINUS <literal> (COMMA <literal>)*
    <head>      ::= <atom>
    <head>      ::= EXECUTE[<atom>]
    <literal>   ::= <atom>
    <literal>   ::= NOT <atom>
    <atom>      ::= TABLENAME LPAREN <parameter> (COMMA <parameter>)* RPAREN
    <parameter> ::= <term>
    <parameter> ::= COLUMNNAME=<term>
    <term>      ::= INTEGER | FLOAT | STRING | VARIABLE
• Restrictions
  – Recursion is not supported (at least for the time being)

Slide 13

Extension in Congress
• Tables in certain data sources may have a large number of columns. When writing policy against such a table, it is cumbersome to write all those columns explicitly.
• Full form:
    port(id) :- neutron:ports(id, tenant_id, name, network_id, mac_address, admin_state_up, status, device_owner, fixed_ips, security_groups).
• Simplified form:
    port(id) :- neutron:ports(id=id).
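What the simplified form has to expand to, as an added example (not Congress's own implementation): given the column list of a data-source table, a literal written with `COLUMNNAME=term` parameters is rewritten into the positional full form, with every column the policy writer did not mention bound to a fresh variable. The `neutron:ports` column list is the one on the slide; the `nova:servers` list is taken from the demo rules later in the deck; naming the fresh variables `_<column>` is this example's own choice, made so they cannot collide with the writer's variables.

```python
"""Expand Congress's column-name form of a table literal into positional form."""
import re

# Constructed schema: column order of each data-source table.
SCHEMA = {
    "neutron:ports": ["id", "tenant_id", "name", "network_id", "mac_address",
                      "admin_state_up", "status", "device_owner", "fixed_ips",
                      "security_groups"],
    "nova:servers": ["id", "name", "host_id", "status", "tenant_id",
                     "user_id", "image_id", "flavor_id"],
}

LITERAL = re.compile(r"^\s*([\w:]+)\s*\((.*)\)\s*$")


def expand_literal(text, schema=SCHEMA):
    """'neutron:ports(id=id)' -> 'neutron:ports(id, _tenant_id, ..., _security_groups)'

    Values may be variables or constants (e.g. status="ACTIVE") and are copied
    through unchanged. Unknown tables or columns raise ValueError, so a typo in
    a column name is caught when the rule is loaded instead of silently
    producing a literal that never matches anything.
    """
    m = LITERAL.match(text)
    if not m:
        raise ValueError(f"not a table literal: {text!r}")
    table, inside = m.group(1), m.group(2)
    if table not in schema:
        raise ValueError(f"unknown table {table}")
    named = {}
    for part in inside.split(","):
        if not part.strip():
            continue
        col, _, value = part.partition("=")
        col, value = col.strip(), value.strip()
        if not value:
            raise ValueError(f"expected COLUMNNAME=term, got {part.strip()!r}")
        if col not in schema[table]:
            raise ValueError(f"table {table} has no column {col}")
        named[col] = value
    # Mentioned columns keep the writer's term; the rest get a fresh variable.
    args = [named.get(col, f"_{col}") for col in schema[table]]
    return f"{table}({', '.join(args)})"


def expand_rule(rule, schema=SCHEMA):
    """Expand every column-name literal in the body of one rule.

    Literals are split at ', pred(' boundaries; a body literal containing '='
    is taken to be in column-name form (string constants containing '=' are
    not handled). The head and positional literals are left alone.
    """
    head, body = rule.rstrip(". ").split(":-", 1)
    parts = re.split(r",\s*(?=[\w:]+\s*\()", body.strip())
    out = [expand_literal(p, schema) if "=" in p else p.strip() for p in parts]
    return f"{head.strip()} :- {', '.join(out)}"


if __name__ == "__main__":
    print(expand_rule("port(id) :- neutron:ports(id=id)."))
    print(expand_rule('Execute[nova:pause(x)] :- nova:servers(id=x, status="ACTIVE")'))
```

The first call reproduces the slide's full form up to the names of the unmentioned variables; the second shows that a constant such as `status="ACTIVE"` is placed in its column position, which is why the column-name form is also the natural way to filter on one field of a wide table.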

Slide 14

Drivers that are currently supported for Congress
• OpenStack Ceilometer
• OpenStack Cinder
• OpenStack Glance (v2)
• OpenStack Ironic
• OpenStack Keystone
• OpenStack Murano
• OpenStack Neutron (v2)
• OpenStack Nova
• OpenStack Swift
• Cloud Foundry
• Plexxi
• vCenter

Slide 15

Example 1: Congress Policy (for monitoring)
    error(vm, network) :-
        nova:virtual_machine(vm),
        nova:network(vm, network),
        nova:owner(vm, vm_owner),
        neutron:owner(network, network_owner),
        not neutron:public_network(network),
        not same_group(vm_owner, network_owner)
    same_group(user1, user2) :- ad:group(user1, group), ad:group(user2, group)

Slide 16

Example 2: Congress Policy (for enforcement)
    Execute[neutron:disconnectNetwork(vm, network)] :- error(vm, network)
    Execute[nova:pause(x)] :- nova:servers(id=x, status="ACTIVE")

Slide 17

Congress – Policies

Slide 18

Congress – Data Sources

Slide 19

Congress – Data Sources

Slide 20

Congress – Data Sources

Slide 21

Live Demo
Goal: Detect a policy violation when a VM is spun up with a flavor larger than or equal to 4 GB of memory

Slide 22

STEP 1:
• Create the following two rules under the "classification" policy via the CLI:
    % openstack congress policy rule create classification 'large_flavor(id) :- nova:flavors(id, name, vcpus, ram, disk, ephemeral, rxtx_factor), gteq(ram, 4096)'
    % openstack congress policy rule create classification 'error(id, name) :- nova:servers(id, name, host_id, status, tenant_id, user_id, image_id, flavor_id), large_flavor(flavor_id)'

Slide 23

STEP 2:
• Launch a VM with the flavor "m1.nano" and confirm that Congress detects no policy violation.

Slide 24

STEP 3:
• Launch another VM with the flavor "m1.large" and confirm that Congress detects a policy violation, reporting the VM ID and its name.
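An added example (not Congress's engine and not code from the slides) that runs the deck's Datalog offline: a small bottom-up evaluator applied to the family and graph programs of the two "Datalog (Prolog) Example" slides and to the two demo rules from STEP 1. The nova rows are constructed, in the column order the STEP 1 rules assume, with one server on "m1.nano" (64 MB) and one on "m1.large" (8192 MB), so the run reproduces STEP 2 and STEP 3 without a cloud. Representing variables as strings starting with `?` is this example's convention; `gteq` and `lt` are Congress's builtin names. Negation is supported by evaluating rules stratum by stratum, which is what the monitoring policy's `not same_group(...)` needs (the `same_group` rule would sit in an earlier stratum).

```python
"""Small bottom-up Datalog evaluator (added example, not Congress's engine).

Variables are strings starting with '?'; anything else is a constant. A rule is
((head_pred, head_args), body); a body item is (pred, args), ("not", (pred, args))
or (builtin_name, args). Rules come grouped in strata, each run to a fixpoint
before the next starts, which keeps negation-as-failure sound.
"""
import operator

BUILTINS = {"gteq": operator.ge, "lt": operator.lt}   # Congress builtin names


def bind(args, row, env):
    """Extend env so that args match the fact row; None if they cannot."""
    env = dict(env)
    for a, v in zip(args, row):
        if isinstance(a, str) and a.startswith("?"):   # variable
            if env.get(a, v) != v:
                return None
            env[a] = v
        elif a != v:                                   # constant must match
            return None
    return env


def subst(args, env):
    return tuple(env.get(a, a) for a in args)


def solve(body, facts, env):
    """Yield every variable binding that satisfies the body, left to right."""
    if not body:
        yield env
        return
    lit, rest = body[0], body[1:]
    if lit[0] == "not":                     # negation as failure; args are bound
        if subst(lit[1][1], env) not in facts.get(lit[1][0], set()):
            yield from solve(rest, facts, env)
    elif lit[0] in BUILTINS:                # comparison on already-bound values
        if BUILTINS[lit[0]](*subst(lit[1], env)):
            yield from solve(rest, facts, env)
    else:                                   # positive literal: scan its table
        for row in facts.get(lit[0], set()):
            env2 = bind(lit[1], row, env)
            if env2 is not None:
                yield from solve(rest, facts, env2)


def evaluate(facts, strata):
    """Return {pred: set(rows)} closed under the rules, one stratum at a time.
    Each stratum re-runs its rules until no new fact appears, so a recursive
    rule such as `reachable` simply stops once the closure is complete."""
    facts = {p: set(rows) for p, rows in facts.items()}
    for rules in strata:
        while True:
            new = set()
            for (head_pred, head_args), body in rules:
                for env in solve(body, facts, {}):
                    row = subst(head_args, env)
                    if row not in facts.get(head_pred, set()):
                        new.add((head_pred, row))
            if not new:
                break
            for head_pred, row in new:
                facts.setdefault(head_pred, set()).add(row)
    return facts


def query(facts, pred, *args):
    """Answer a ground query such as ?- reachable(b, d)."""
    return tuple(args) in facts.get(pred, set())


# Datalog Example 1 (family, rules as on the slide) and Example 2 (graph; e-f is
# disconnected from a, b, c, d).
FAMILY = {"parent": {("motonori", "manzo"), ("motonori", "keiko")},
          "male": {("manzo",), ("motonori",)}, "female": {("keiko",)}}
FAMILY_RULES = [[
    (("father", ("?X", "?Y")), [("parent", ("?X", "?Y")), ("male", ("?Y",))]),
    (("mother", ("?X", "?Y")), [("parent", ("?X", "?Y")), ("female", ("?Y",))]),
]]
GRAPH = {"adjacent": {("a", "b"), ("b", "c"), ("c", "d"), ("a", "d"), ("e", "f")}}
GRAPH_RULES = [[
    (("reachable", ("?X", "?Y")), [("adjacent", ("?X", "?Y"))]),
    (("reachable", ("?X", "?Y")), [("adjacent", ("?X", "?Z")), ("reachable", ("?Z", "?Y"))]),
]]

# Live demo: constructed rows in the column order the STEP 1 rules assume
# (flavors: id, name, vcpus, ram, disk, ephemeral, rxtx_factor;
#  servers: id, name, host_id, status, tenant_id, user_id, image_id, flavor_id).
NOVA = {
    "nova:flavors": {("1", "m1.nano", 1, 64, 1, 0, 1.0), ("4", "m1.large", 4, 8192, 80, 0, 1.0)},
    "nova:servers": {("vm-1", "web-nano", "h1", "ACTIVE", "t1", "u1", "img", "1"),
                     ("vm-2", "db-large", "h1", "ACTIVE", "t1", "u1", "img", "4")},
}
DEMO_RULES = [[
    (("large_flavor", ("?id",)),
     [("nova:flavors", ("?id", "?name", "?vcpus", "?ram", "?disk", "?eph", "?rxtx")),
      ("gteq", ("?ram", 4096))]),
    (("error", ("?id", "?name")),
     [("nova:servers", ("?id", "?name", "?host", "?status", "?tenant", "?user", "?image", "?flavor")),
      ("large_flavor", ("?flavor",))]),
]]

if __name__ == "__main__":
    print(query(evaluate(FAMILY, FAMILY_RULES), "father", "motonori", "manzo"))  # True
    g = evaluate(GRAPH, GRAPH_RULES)
    print(query(g, "reachable", "b", "d"), query(g, "reachable", "a", "f"))       # True False
    print(sorted(evaluate(NOVA, DEMO_RULES)["error"]))                            # [('vm-2', 'db-large')]
```

Running the file answers the two queries from the example slides (`reachable(b, d)` holds, `reachable(a, f)` does not, because e-f is a separate component) and then derives exactly one `error` row, the "m1.large" server with its ID and name, which is the violation STEP 3 expects Congress to report; the "m1.nano" server produces no `large_flavor` match and therefore no error, as in STEP 2. The naive fixpoint loop is enough for a demo; a production engine would use semi-naive evaluation so that each pass only re-joins the facts derived in the previous one.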

Slide 25

Questions