Hi, my name is Alex Yip from VMware. I work on Congress. Welcome to our hands-on. Today I'm going to go through a few slides just to make sure that everyone's up to speed on what Congress is, what it looks like inside, and what you can do with it. Then we'll move on from there to the hands-on that we have set up for you today.

One of the first questions that comes up when you talk about Congress and policy is: what do we mean by policy? The word is generic, so it's better to go through and describe what we do mean. For us, Congress means an individual's thoughts and ideas about how their data center is supposed to behave, and different people and different groups may have different ideas about what that policy should mean for their data center.

For example, the security team might say, "I want to make sure that all VMs that are accessible from the Internet have port 80 blocked. I don't want to allow any connections through port 80," maybe because they have SSL policies in place. The administrators may have a different policy. They might say, "I only want prod users to be able to own prod jobs," so that there are no mistakes about what's running as prod and what's running as dev in case someone wants to delete a job. Business ops might have something else: "I want to make sure that all the idle machines are shut down," or that machines aren't idling much, because that's a waste of money and a waste of energy. Similarly, legal teams might have completely different types of policies, like "all German data must reside within the boundaries of Germany."
The idea behind Congress is to take all of these policies, put them in one place, and then use those policies to impose the individual's desires and thoughts about policy onto the OpenStack data center itself.

So what does Congress do? It takes that policy and is able to do several things. These are the three I'm going to talk about today. First is monitoring. Monitoring means looking at the state of the data center, comparing it to the policies, and making sure that all the policies are followed by the data center. The second is proactive enforcement, in which the Congress system is actually preventing violations from happening, and it can do that by acting as a gatekeeper for change requests to the data center. And finally, reactive enforcement. This is the case in which Congress is actually making changes itself whenever it sees a violation: in reactive cases it will know, via people writing policy, how to fix those violations and reverse them on its own.

I'm going to talk about these in more detail with more examples, but first I want to give an overview of the architecture of Congress. What does it look like inside? In this picture we have a big blue rectangle, and that's Congress. It consists of mostly two types of components. The top one is called the policy engine, and that's where the various admins and users can insert their policy. They say, "Okay Congress, here's my policy," and that's where the policy lives, in the policy engine. That's where it's actually doing the rule checking. On the bottom half of the Congress box you can see a number of drivers: we have Neutron, Nova, Cinder, Swift. A driver is a specialized piece of code that interacts with each of the data center services that you see below in the small blue boxes. So Neutron has a Neutron driver, Nova has a Nova driver, etc.
What's actually happening is that each of those drivers is reading the state of its data center service. The Nova driver is saying, "Hey Nova, can you give me a list of all the hosts, the VMs living on those hosts, and all the associated metadata about those servers?" and it's giving that to the policy engine in the form of tables. Much like a SQL database, these tables describe the state of the data source, and given that state the policy engine can read those tables, understand the state of the data center, and do the policy checks right there.

Let's go through an example of how monitoring works in this world. Let's say the policy we want to work with says no server should have more than 20 VMs; maybe we want to do this for latency requirements or quality of service. What does that mean? Congress, in this blue box, is going to read all the data that it needs from Nova, because that's the only source of data for this particular policy. The policy is going to go through all the servers, count up the VMs on each server, and make sure it doesn't exceed the limit of 20. So Congress will either say, "Okay, all the policies are fine, everything is looking good," or, if you have a server that has exceeded this policy, the policy engine will say, "Hey, there's a policy violation, there are more than 20 VMs on this server," and it's going to notify the admin, who can then go and fix that explicitly themselves. That's a brief description of how monitoring works.

The second type of implementation we want to talk about is proactive enforcement. This is where Congress can actually gate API calls and make sure that the data center stays within its constraints, within its valid policy.
In this case we're talking about a policy in which each VM must have a network ACL. This is pretty generic and doesn't really mean anything, but it gives an idea of how Congress works. What can happen is that the admin, or the system that's accepting API calls to make changes to the data center, will say, "Hey Congress, I want to delete this ACL." This is probably prompted by an admin or a user who is trying to make changes to their network, saying, "Hey Congress, can I delete this ACL rule?" What happens is that Congress can pretend that it's making this change: "Okay, if I delete this ACL rule, I have to run through the policies that I have in the policy engine to make sure there are no new violations that happen as a result of this change." So Congress may say, "Yes, it's safe. I simulated this change to the ACL rule, and this particular VM already has 10 ACL rules, so deleting one doesn't cause a violation of this policy." On the other hand, if the server has only one ACL rule remaining, then removing that rule will actually cause a violation, and Congress will say, "No, that's going to cause a violation," and the admin will realize, "Oh, maybe I can't make this change." It's very much like a permission check that you might have in your OS: am I permitted to open this file with write permissions? That's the idea that proactive enforcement is going after.

The third way that Congress implements policy is the reactive way, where the policy engine is actually making changes to the data center itself. If we revisit the policy that we mentioned just before, each VM must have a network ACL, you can see in this picture in the center, on the right-hand side, that we have a bunch of servers with ACLs attached to them. Now, what happens if someone goes and adds a new VM? If it doesn't have an ACL, that causes a violation. This is something that Congress can detect soon after the VM is added, and if we have a reactive enforcement policy, Congress can say, "Hey, I'm going to add these ACL rules to this VM because of that violation," and fix it. So those are the three main ways that Congress can implement the policies that it has in its policy engine.

At this point you might be wondering, "Okay, now how do I write policy in Congress?" At a high level, we write policy in a language called Datalog. The overall idea is that there are tables, like I described, coming from the data sources, and policy rules, or Datalog rules, take those input tables and produce new tables. You can do this over and over until you get to a special table called the error table, or the warning table, which you may have heard of before. If we populate the error or warning table, given these rules, that's essentially telling Congress that there is a violation. In this case P, the resulting table, is the output. It's a new table, and it's derived from input tables Q and R. You can imagine Q and R coming from Nova or Neutron, and P could be the error table, or it could be an intermediate table on its way to becoming a violation in the error table.

To make this more concrete, we're going to go through this policy: each VM that is connected to the internet needs to have a security group, or be in a security group. Here the error, which is the output of this rule, is derived from whether the device ID / port ID is connected to the internet and whether or not it has a security group, and we're joining this with the server table from the Nova driver and also the Keystone driver, to give us the list of email addresses so we know who to talk to when there is a problem. There's also this other intermediate table, "has security group", which we use in the rule above just to illustrate creating intermediate tables along the way to producing these violation tables.

For the rest of this hands-on we're going to be focusing on one particular policy, which is that no virtual machine may be connected to the internet and also allow ingress traffic on TCP port 80. This is the kind of example I think I mentioned already, where the admin wants to say, "Okay, we can have VMs that are connected to the internet, but we don't want to allow unsecured traffic, so we're only going to allow people to connect on port 443 instead of port 80." This particular example uses three data sources: Nova, Neutron, and Keystone.

With that, I want to switch gears. There are instructions for the hands-on at this website. I'll be around, and I have a few other guys from the team here: Tim, Aaron, and Pete are over in the corner. If you have any questions, feel free to ask us; we'll be happy to help. All right.
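Added illustration (editor's note, not part of the talk and not Congress's own code or table schema): a small Python model of what the policy engine does with the hands-on policy above, "no VM connected to the internet may allow ingress on TCP port 80". It builds the two intermediate tables from Neutron data, joins them with Nova and Keystone rows to produce the error table (monitoring), and then simulates a proposed security-group change against a copy of the state and reports only the violations that change would introduce (proactive enforcement). The column layouts, the sample tenants, and the names State, error_table, check_change and add_sg_rule are assumptions made for this example; the real nova:, neutron: and keystone: driver tables are wider and laid out differently.

```python
"""Toy model of Congress-style policy evaluation for the hands-on policy:
"no VM connected to the internet may allow ingress on TCP port 80".
Added illustration only: the table schemas below are assumptions for this
example, not the real nova:/neutron:/keystone: driver tables."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Set, Tuple

SgRule = Tuple[str, str, Optional[str], Optional[int], Optional[int]]


@dataclass(frozen=True)
class State:
    """Tables as a driver would hand them to the policy engine (assumed columns)."""
    servers: Tuple[Tuple[str, str, str], ...]   # nova: (server_id, name, user_id)
    ports: Tuple[Tuple[str, str, str], ...]     # neutron: (port_id, device_id, network_id)
    networks: Tuple[Tuple[str, bool], ...]      # neutron: (network_id, router_external)
    port_sg: Tuple[Tuple[str, str], ...]        # neutron: (port_id, security_group_id)
    sg_rules: Tuple[SgRule, ...]                # neutron: (sg_id, direction, protocol, port_min, port_max)
    users: Tuple[Tuple[str, str], ...]          # keystone: (user_id, email)


# Conceptual Datalog for the same policy (assumed column layout, not Congress's schema):
#   internet_vm(vm)        :- neutron:ports(port, vm, net), neutron:networks(net, true)
#   open_vm(vm, p)         :- neutron:ports(port, vm, _), neutron:port_sg(port, sg),
#                             neutron:sg_rules(sg, "ingress", proto, lo, hi),
#                             proto in {tcp, any}, lo <= p, p <= hi
#   error(vm, name, email) :- internet_vm(vm), open_vm(vm, 80),
#                             nova:servers(vm, name, user), keystone:users(user, email)


def internet_vms(state: State) -> Set[str]:
    """Intermediate table: devices with a port on a router:external network."""
    external = {net for net, ext in state.networks if ext}
    return {dev for _, dev, net in state.ports if net in external}


def open_vms(state: State, port: int) -> Set[str]:
    """Intermediate table: devices whose security groups admit TCP ingress on `port`.
    A rule with protocol or port range unset matches everything; that is the case
    that is easy to miss when checking whether port 80 is open."""
    open_sgs = {
        sg for sg, direction, proto, lo, hi in state.sg_rules
        if direction == "ingress"
        and proto in (None, "tcp")
        and (lo is None or lo <= port)
        and (hi is None or port <= hi)
    }
    open_ports = {p for p, sg in state.port_sg if sg in open_sgs}
    return {dev for p, dev, _ in state.ports if p in open_ports}


def error_table(state: State, port: int = 80) -> List[Tuple[str, str, str]]:
    """Monitoring: join the intermediate tables with the Nova and Keystone rows
    to produce (server_id, name, owner_email) error rows."""
    bad = internet_vms(state) & open_vms(state, port)
    email = dict(state.users)
    return sorted((sid, name, email.get(uid, "<no email>"))
                  for sid, name, uid in state.servers if sid in bad)


def check_change(state: State, change: Callable[[State], State], port: int = 80
                 ) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Proactive enforcement: apply the change to a copy of the state and report
    only the violations it would introduce. Returns (allowed, new_errors)."""
    before = set(error_table(state, port))
    after = set(error_table(change(state), port))
    new = sorted(after - before)
    return (not new, new)


def add_sg_rule(sg: str, direction: str, proto: Optional[str],
                lo: Optional[int], hi: Optional[int]) -> Callable[[State], State]:
    """A change request: append one security-group rule (pure; returns a new State)."""
    return lambda s: replace(s, sg_rules=s.sg_rules + ((sg, direction, proto, lo, hi),))


# Constructed sample state: vm-1 and vm-2 sit on the external network, vm-3 does not.
SAMPLE = State(
    servers=(("vm-1", "web-1", "u-alice"), ("vm-2", "web-2", "u-bob"), ("vm-3", "db-1", "u-alice")),
    ports=(("p-1", "vm-1", "net-public"), ("p-2", "vm-2", "net-public"), ("p-3", "vm-3", "net-private")),
    networks=(("net-public", True), ("net-private", False)),
    port_sg=(("p-1", "sg-web"), ("p-2", "sg-tls"), ("p-3", "sg-web")),
    sg_rules=(("sg-web", "ingress", "tcp", 80, 80),
              ("sg-web", "ingress", "tcp", 443, 443),
              ("sg-tls", "ingress", "tcp", 443, 443)),
    users=(("u-alice", "alice@example.com"), ("u-bob", "bob@example.com")),
)

if __name__ == "__main__":
    print("current violations:", error_table(SAMPLE))
    for label, change in [
        ("open tcp/80 on sg-tls", add_sg_rule("sg-tls", "ingress", "tcp", 80, 80)),
        ("allow-all ingress on sg-tls", add_sg_rule("sg-tls", "ingress", None, None, None)),
        ("open tcp/22 on sg-tls", add_sg_rule("sg-tls", "ingress", "tcp", 22, 22)),
    ]:
        allowed, new = check_change(SAMPLE, change)
        print(f"{label}: {'allowed' if allowed else 'REJECTED'} {new}")
```

Two points worth noticing when writing the real policy: vm-3 has the same permissive security group as vm-1 but is not reported, because the error requires both intermediate tables to match, and the gatekeeper diffs the error table before and after the simulated change, so a request is refused only for the violations it would add, not for ones that already exist.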