Yeah, okay. Well, you can keep copying while I talk. I'm just gonna spend about 15 minutes giving you an overview of Congress and the hands-on lab. So my name is Tim Hinrichs. I didn't do all the work for this though; Alex Yip is actually the guy who did all the preparation for it, but he couldn't make it, so I'm here talking. I am the PTL of Congress. There are another couple of people from Congress here, so if you have questions, they are good people to talk to. Raise your hand if you're on Congress. Okay, so you have some hint. Okay, good. All right, we'll do this again at the end.

Okay, before I get into actually what Congress does, I want to explain a little bit about why it exists, okay? And the reason why Congress exists is that when you're talking about an OpenStack cloud, there are really a whole bunch of different kinds of people who have ideas about how they want that OpenStack cloud to behave. All right, and on this slide we've got, you know, business operators, right? We've got audit and compliance people, security people, legal people, administrators. You've got application developers as well, and everybody has a different idea about what they want that OpenStack cloud to do. Nobody has a complete picture though.

And so Congress was designed to solve what we're calling the policy problem, and the policy problem is very simple. It just says, well, all of these different stakeholders, different users, contributors to the cloud, have different ideas about how that cloud is supposed to behave. And so what we are trying to do is solve the problem of how do we get those ideas out of their heads and convey them to OpenStack in a way that OpenStack now knows what it is supposed to be doing, so that it can obey its users the right way. Okay, so let me give you an example. So here's an example that you'll see in the hands-on lab, and this is a very simple example.
You'll notice that this is just a constraint. It's not a complete description of how the cloud is supposed to behave. It's just a slice. It's a constraint, an idea about what is supposed to happen. There could be lots of things that are supposed to happen, but this is just one of them. One of them is that we want it to be the case that there's never a virtual machine that's connected to the internet that has port 80 open. All right, and conceptually what this means, maybe this is a security person stating this, what they're saying is we only want to allow HTTPS traffic. We want to only allow secure traffic. Okay, so this is one thing that maybe the operator, the administrator of the cloud, wants to impose on all the applications that are running on the OpenStack cloud, on all the virtual machines.

All right, and what you'll notice about this particular policy is that it relies on a couple of different services. It relies on information from Nova about which virtual machines are connected to which ports, and it relies on information from Neutron that says which ports are connected to the internet. All right, and so what you'll notice fundamentally about this kind of policy, about this kind of behavior, is that it fundamentally requires information from multiple services. This kind of idea, this constraint about how the cloud is supposed to behave, is something that we can't simply give to Nova or to Neutron. We can't give it to any one of the existing services in OpenStack, because they don't know about what's going on in the other service. Nova doesn't necessarily know everything that's going on in Neutron; Neutron doesn't necessarily know everything that's going on in Nova.
All right, so what Congress does is, it's a system that's designed to solve this policy problem. In particular, its fundamental input is a policy. A policy describes how the OpenStack cloud ought to behave, what things are permitted and what things are not. All right, you saw an example on the last slide. The other input that it actually gets is all of the services that are running in OpenStack that it's supposed to be able to use in order to enforce or monitor or audit that policy. Okay, so the idea here is that the existing services, Nova, Neutron, Cinder, Swift and the like, represent the actual state of the data center for Congress. The policy represents the desired state of the data center. And so Congress is sort of a standard policy system: it differentiates desired from actual state, and once it has those two inputs, it's going to do a number of things with it, right? It knows desired state and it knows actual state.

So the most obvious thing that it can do is it can say, well, let's look for mismatches between the desired state and the actual state, and we call this monitoring, right? We know what's supposed to happen, we know what's actually happening, so let's find mismatches. The more interesting thing, of course, what everybody wants, is enforcement, right? Everybody wants Congress to actually affect how the data center is behaving so that the actual state and the desired state coincide. And here there are a couple of different ways that Congress tries to enforce policy. The first we're calling proactive, and here the idea is that Congress is trying to prevent violations before they occur. In particular, think of this sort of like Keystone today, right? So Keystone policy,
I should say, stops API calls from being executed that the Keystone policy says shouldn't be executed. So in this proactive form of enforcement, you can imagine Congress doing the same kind of thing, which is that before, let's say, Nova spins up a new virtual machine, it could ask Congress and say, should I do this or should I not? And Congress has a rich policy language that could potentially answer that question.

The second kind of enforcement that Congress does is reactive, and here the idea is that Congress is going to try to correct violations after they've already occurred, right? You can imagine Congress sitting there and monitoring. It has the actual state, it has the desired state, it finds a mismatch, and now maybe Congress can actually take some action to correct, to eliminate that violation, to eliminate that mismatch between desired and actual state.

Another kind of enforcement is delegation, and here the idea is pretty simple, conceptually at least. This is the one that's by far the least well developed. But here the idea is that there are a number of policy engines running around in the data center, right? We know that there are some within OpenStack, right?
GBP is a networking policy system. Swift has some policy capabilities for storage. And so the idea behind delegation is, well, if Congress has this overarching policy that may mention a bunch of services, Nova, Neutron, Cinder, Swift, what we could imagine it doing is looking at that policy, grabbing the Swift-relevant portion and handing it to Swift, grabbing the networking-relevant portion and handing it to GBP. All right, so the idea behind delegation is that we want to take this one policy that Congress has been given, that describes all the behavior that's permitted in the data center, and hand off the problem of enforcement to other special-purpose policy engines that already exist. All right, so that's the concept behind delegation. Unlike the rest of them, which you'll see today, delegation is one that we're still working on, still prototyping, so you won't get experience with it. But it's super exciting; we all think it's the future. So you'll hear more about that in future summits.

The last capability here that we have on the list is audit, and here the idea is pretty simple. If you've got desired and actual state, it would be nice to have a record of all the policy violations that have occurred. Maybe what was their cause? What did people do to eliminate them, or to say, no, those are actually okay, we'll leave those be? Audit is another piece of functionality that we don't have yet.

Okay, so one slide on architecture, just because you will need to know this as you do the lab, and it's a very simple architecture. So it's not conceptually difficult, but this sort of gets to the point of, how does Congress interact with all of the other services in OpenStack? How does Congress talk to Nova and Neutron and Cinder in order to actually get their actual state?
Conceptually it's very simple. There is a policy engine that runs within Congress, and that policy engine talks to a bunch of other drivers, one driver for each of the services that are connected. So there's a Neutron driver, a Nova driver, a Cinder driver, a Swift driver, a driver for every service you want to hook up to Congress, and all of those drivers connect with the policy engine and talk to the policy engine, exchange data and policy and everything else in the world, over a message bus. All right, and so what you can imagine happening here is, periodically, let's say the Nova driver makes a bunch of API calls to Nova and actually says, give me the list of servers, tell me for each server how much memory it has, how much disk space, and so on. And then it takes that data, the result of those API calls, pumps it across a message bus and hands it to the policy engine, who then does its thing, whatever its thing happens to be: monitoring, enforcement or audit.

One other slide that I'll go through here, which is just a quick example of how you write policy. Right, hopefully at this point it's sort of conceptually clear how you would hook up a new data source. So here we're going to see how you actually write a policy and give it to Congress, and this is a piece of the policy that we talked about earlier. Okay, so in English the policy says that every Nova server that's connected to the internet must have a security group. If it doesn't have a security group, then there's an error, because then necessarily port 80 is open, okay?
All right, and the way that we write this policy in Datalog is that we kind of think of it as defining a function in, let's say, Python or something, okay? And the way this is going to work is we're going to conceptually be writing a function that describes all the conditions under which there is an error in the current state of the data center, okay? And so if you see on this slide, what we're looking at here is we're starting the definition of error, and here in particular what we're going to say is that the function error is going to be true of a particular VM ID, a user ID and an email exactly when, well, first we go and ask Nova, is this VM ID and user ID a legitimate server? All right, and then we ask this sort of question, which is, is this VM ID connected to the internet on some port, which we're calling port ID here? All right, and then if that particular port ID doesn't have a security group, then there's an error. And finally we'll go and ask Keystone for the email address of this particular user to sort of fill in the last bit of information there.
Yes? Good question. So maybe I should have started with: Datalog is a variant of Prolog, SQL, first-order logic. They're all very similar, all in the same vein. So if you know any of those languages, you have some clues to what we're talking about here. The interesting thing about this particular example is that you'll notice that some of those functions that we're calling are prefixed with the name of a service. Nova and Keystone are the ones that we see here. And so obviously what's happening there is that conceptually we're making a function call and asking Nova, tell me the list of servers, and check whether this VM ID and this user ID are one of the ones that get returned by that API call. But the other ones, the ones that don't have a prefix of a service name, well, those are things that are going to be defined within policy itself. So think of these as helper functions in a traditional programming language. In this particular example we've only shown one of them, which is "has security group". And so how do you know whether a particular port ID has a security group? Well, again, we define the function as we did before, and here it turns out to just be sufficient to go and ask Neutron whether there's a security group port binding for that port. And that's sufficient.
Yeah, you will see that in the lab, but it is a function, exactly. Yes. All right, so you get the idea, right? So when you're writing these functions, call them functions if you will, you're either going and talking to these services directly to get information, or you're using helper functions that you yourself defined within policy. All right, okay.

So the only other thing that I'm going to do is go through a quick overview of what you're going to actually do in the hands-on lab, to get a more visceral feel for how to use Congress. Okay, and I think you all know that we are giving you a virtual machine that has the full DevStack installed with Congress. There's some more USB keys here. And then you're going to take on the role of a Congress user. Okay, and the first thing you're going to do is you're going to have to figure out what is the policy that I actually want to enforce. And okay, you're going to just choose the one that we give you so that you can copy and paste, and this is the policy that I mentioned a moment ago: no virtual machine may be connected to the internet and allow ingress traffic on TCP port 80. So that's the policy that you, as the user, are trying to get Congress to do the right thing with, trying to get Congress to monitor and enforce it. And then the first thing you're going to do is you're going to have to connect some data sources. I think it's Neutron that you have to connect, or maybe it's Nova. We've connected the other ones for you that you need, so you'll see firsthand how to connect a data source. You won't have to write the code for the driver.
You just have to tell Congress to spin up that driver. And then you're going to copy and paste a Datalog encoding of that policy and tell Congress to actually go ahead and insert it. All right, and now you've given Congress the two inputs. You've given Congress the data sources that it is pulling data from to get the actual state, and you've given Congress the desired state, a description of the desired state. And then you're going to ask Congress, are there any policy violations? And then maybe you'll create a violation, and maybe you'll eliminate that violation manually. And then you'll go ahead and pretend you're another service like Nova and ask Congress if some change that you were about to make is permitted by policy or is not, and in so doing you'll see how proactive enforcement would work, remember, where Congress is trying to prevent violations. And then finally you'll go ahead and write a little bit of policy that describes to Congress how to correct violations when they occur. Okay, so here we'll see reactive enforcement. All right.

Any questions about that? Here I've got a few instructions on how to get started. Has anyone not gotten a chance to download the virtual machine image? Okay, looks like we got everybody. Okay, so we're off and running, which is great. Oh, we've got one. And so once you've gotten VirtualBox installed and you've got the Congress hands-on lab, then the instructions which are linked from that address will get you up and running. Okay, they're also inside the VirtualBox. But any questions right now? Okay, so we'll be walking around; if you have questions, just toss up a hand.
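The two things the lab walks through, monitoring (find mismatches between desired and actual state) and proactive enforcement (a service asking whether a proposed change is permitted), can be modelled in a few lines of plain Python. The following is an added example, not code from the talk or from the Congress project: it evaluates the "error" rule described above over constructed sample tables. The table names (`nova:servers`, `neutron:ports`, `neutron:external_ports`, `neutron:security_group_port_bindings`, `keystone:users`), their column layouts, and the `simulate` function are assumptions made for illustration, not Congress's real driver schemas or API.

```python
"""
Added example (not from the talk or the Congress project): a small Python model of
the Datalog policy described in the talk, evaluated over constructed sample tables.
Table names and column layouts are assumptions for illustration, not Congress's
real driver schemas.
"""
import copy

# Shape of the Datalog rule being modelled (exact Congress syntax not reproduced):
#   error(vm, user, email) :- nova:servers(vm, user),
#                             connected_to_internet(vm, port),
#                             not has_security_group(port),
#                             keystone:users(user, email)
#   has_security_group(port) :- neutron:security_group_port_bindings(port, sg)


def build_state():
    """Constructed 'actual state' as the drivers would publish it: relation name -> set of tuples."""
    return {
        # (server_id, user_id)
        "nova:servers": {("vm-1", "user-a"), ("vm-2", "user-b"), ("vm-3", "user-a")},
        # (port_id, device_id): which port is attached to which server
        "neutron:ports": {("port-1", "vm-1"), ("port-2", "vm-2"), ("port-3", "vm-3")},
        # assumed helper table: ports reachable from the internet (port-3 is internal only)
        "neutron:external_ports": {("port-1",), ("port-2",)},
        # (port_id, security_group_id); port-2 has no security group at all
        "neutron:security_group_port_bindings": {("port-1", "sg-web")},
        # (user_id, email)
        "keystone:users": {("user-a", "a@example.com"), ("user-b", "b@example.com")},
    }


def connected_to_internet(state):
    """Policy-defined helper: (vm, port) pairs where the port faces the internet."""
    external = {p for (p,) in state["neutron:external_ports"]}
    return {(vm, port) for (port, vm) in state["neutron:ports"] if port in external}


def has_security_group(state, port):
    """Policy-defined helper from the talk: true iff Neutron has a SG binding for the port."""
    return any(p == port for (p, _sg) in state["neutron:security_group_port_bindings"])


def error(state):
    """Monitoring: the set of (vm, user, email) violations, i.e. desired vs actual mismatches."""
    emails = dict(state["keystone:users"])
    violations = set()
    for vm, user in state["nova:servers"]:
        for vm2, port in connected_to_internet(state):
            if vm2 == vm and not has_security_group(state, port) and user in emails:
                violations.add((vm, user, emails[user]))
    return violations


def simulate(state, table, add=(), remove=()):
    """Proactive check (assumed API): apply a proposed change to a copy of the state and
    report whether it is permitted (introduces no new violation) plus the violations it
    would create. The real state is never modified."""
    proposed = copy.deepcopy(state)
    proposed[table] = (proposed[table] - set(remove)) | set(add)
    new_violations = error(proposed) - error(state)
    return len(new_violations) == 0, new_violations


if __name__ == "__main__":
    state = build_state()
    # vm-2 is internet-facing with no security group, so it is the one violation
    print("current violations:", error(state))
    # A service asking "may I?" before acting: dropping vm-1's only SG binding is refused
    print("drop sg-web from port-1:",
          simulate(state, "neutron:security_group_port_bindings", remove=[("port-1", "sg-web")]))
    # Binding a security group to port-2 is permitted (and clears the existing violation)
    print("bind sg-web to port-2:",
          simulate(state, "neutron:security_group_port_bindings", add=[("port-2", "sg-web")]))
```

The `error` relation is exactly the "function" the talk describes: it is true of a VM, user and email only when Nova knows the server, the VM has an internet-facing port, Neutron has no security group binding for that port, and Keystone supplies the user's email. `simulate` is how the lab's "pretend you're Nova" step works conceptually: the change is tried against a copy, and it is permitted only if the violation set does not grow.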