Agent Membership API

In MidoNet, each MidoNet agent must be ‘activated’ in order to join the MidoNet deployment. This step ensures that no rogue MidoNet agent automatically joins the MidoNet deployment. This document describes the ‘agent-membership’ Neutron extension API that provides this feature.

Problem Description

In the previous MidoNet API, the authorization step to allow a MidoNet agent to be activated in the deployment was to add it to a tunnel zone.

This was undesirable because it required explicit tunnel zone coniguration using the API, and in an OpenStack-MidoNet deployment, there was no use case known or supported that requires more than one tunnel zone to exist. By forcing users to create a tunnel zone and adding individual hosts to them, it was creating unnecessary potential failure points without adding any value.

Proposed Change

Maintain a singleton default Tunnel Zone, with the name, “DEFAULT”, in the system. This tunnel zone is created automatically by the MidoNet cluster. The Neutron plugin signals the cluster to do create it when it starts up by submitting a new task type, CONFIG.

CONFIG task contains all the global configuration values settable in Neutron that MidoNet would find useful. The handling of the case in which the cluster fails to process this task is outside the scope of this proposal, and it is assumed that CONFIG task is treated the same as any other tasks.

For this particular change, only one new field is introduced in CONFIG, which is ‘tunnel_protocol’, that indicates the global tunneling protocol that MidoNet should use. This value is used by MidoNet to create the singleton Tunnel Zone. The default tunneling protocol used is ‘vxlan’, but you can override it by specifying the following in neutron.conf:

[MIDONET] tunnel_protocol=gre # Could be vxlan or gre

With this approach, the concept of Tunnel Zone is completely hidden from the user as well as from the neutron implementation.

To authorize an agent to be added to the deployment, ‘agent-membership’ Neutron extension API described below is defined.

REST API

AgentMembership

Attribute Name Type POST/ PUT Required Description
id string (UUID) POST generated ID of the MidoNet agent, which maps to hostId in cluster
ip_address string POST Yes IP address to use for tunneling

Only POST and DELETE operations are permitted, and only admin can execute them.

Only IPv4 address is supported for ‘ip_address’.

‘id’ field is the ID of the MidoNet ‘host’ object, which you can retrieve using the ‘agent’ API extension of Neutron (not implemented yet). The agents and the MidoNet hosts map one-to-one. Likewise, the ‘agent’ API will also include the host interfaces and their IP addresses, useful to populate the ‘ip_address’ field for the agent membership API.

DB Model

midonet_agent_membership

Name Type Description
id String ID of the agent (same as host in the cluster)
ip_address String IP address to use for tunneling

Only IPv4 address is supported for ‘ip_address’.

New task types are:

  • CONFIG: Represents global Neutron configurations
  • AGENTMEMBERSHIP: Represents AgentMembershp resource

Security

Only admins are allowed to execute the agent-membership API. This explicit step to add each agent as a member provides an extra layer of security to prevent unwanted agents to join automatically.

Client

The following command lists all the memberships:

::
neutron agent-membership-list [-h] [-P SIZE] [–sort-key FIELD]
[–sort-dir {asc, desc}]
-h, –help::
show the help message
-P SIZE, –page-size SIZE::
Specify retrieve unit of each request
–sort-key FIELD::
Sorts the list by the specified fields
–sort-dir {asc,desc}::
Sorts the list in the specified direction

The following command adds an agent to the MidoNet deployment membership:

::
neutron agent-membership-create [-h] [–agent-id AGENT]
[–ip-address IP_ADDRESS]
-h, –help::
show the help message
-a, –agent-id::
Specify the ID of the agent to add to membership
-a, --ip-address
 Set IP address to use for tunneling

The following command removes an agent from the MidoNet deployment membership:

::
neutron agent-membership-delete [-h] AGENT_MEMBERSHIP
AGENT_MEMBERSHIP::
ID of the agent membership to remove