aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorcarey.xu <carey.xuhan@huawei.com>2015-10-30 10:33:51 +0800
committercarey.xu <carey.xuhan@huawei.com>2015-11-08 12:29:42 +0800
commit2709a9bee6a562cc6acef75b394d7c4e9a3b3f3f (patch)
tree2e86fbbfe3779459a2fff18c45dbad43d7cfddd5
parentfc218067fdea16f45b8b9d01201a8c8b25ca9eb0 (diff)
add option to disable security group
JIRA: COMPASS-126 Change-Id: Ie9417be0e78690b5580d460b9c61f77ccc1d91c6 Signed-off-by: carey.xu <carey.xuhan@huawei.com>
-rw-r--r--deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml6
-rw-r--r--deploy/adapters/ansible/roles/secgroup/handlers/main.yml10
-rw-r--r--deploy/adapters/ansible/roles/secgroup/tasks/main.yml10
-rw-r--r--deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/templates/neutron.j24
-rw-r--r--deploy/adapters/ansible/roles/secgroup/templates/nova.j23
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/Debian.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/main.yml3
-rw-r--r--deploy/client.py13
-rw-r--r--deploy/conf/base.conf1
-rw-r--r--deploy/deploy_host.sh3
12 files changed, 125 insertions, 9 deletions
diff --git a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
index ac2f2a8d..d3cec000 100644
--- a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
+++ b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
@@ -67,3 +67,9 @@
sudo: True
roles:
- monitor
+
+- hosts: all
+ remote_user: root
+ sudo: True
+ roles:
+ - secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/handlers/main.yml b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
new file mode 100644
index 00000000..551258d2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart controller relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: controller_services
+
+- name: restart compute relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: compute_services
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/main.yml b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
new file mode 100644
index 00000000..c26af4b0
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+ tags: secgroup
+
+- debug: msg={{ enable_secgroup }}
+ tags: secgroup
+
+- include: secgroup.yml
+ when: '{{ enable_secgroup }} == False'
+ tags: secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
new file mode 100644
index 00000000..f2a6c0ab
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
@@ -0,0 +1,27 @@
+---
+- name: make sure template dir exits
+ file: path=/opt/os_templates state=directory mode=0755
+ tags: secgroup
+
+- name: copy configs
+ template: src={{ item.src}} dest=/opt/os_templates
+ with_items: "{{ configs_templates }}"
+ tags: secgroup
+
+- name: update controller configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart controller relation service
+ when: inventory_hostname in "{{ groups['controller'] }}"
+
+- name: update compute configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart compute relation service
+ when: inventory_hostname in "{{ groups['compute'] }}"
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
new file mode 100644
index 00000000..7b39e18c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
@@ -0,0 +1,4 @@
+[securitygroup]
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = False
+
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
new file mode 100644
index 00000000..91fa6cd2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
@@ -0,0 +1,3 @@
+[DEFAULT]
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = nova
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
new file mode 100644
index 00000000..85025bf5
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - nova-api
+ - nova-cert
+ - nova-conductor
+ - nova-consoleauth
+ - nova-novncproxy
+ - nova-scheduler
+ - neutron-server
+ - neutron-plugin-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+
+compute_services:
+ - nova-compute
+ - neutron-plugin-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
new file mode 100644
index 00000000..533bbe9d
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - openstack-nova-api
+ - openstack-nova-cert
+ - openstack-nova-conductor
+ - openstack-nova-consoleauth
+ - openstack-nova-novncproxy
+ - openstack-nova-scheduler
+ - neutron-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+ - neutron-server
+
+compute_services:
+ - openstack-nova-compute
+ - neutron-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/main.yml b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
new file mode 100644
index 00000000..bb87da65
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
@@ -0,0 +1,3 @@
+---
+packages_noarch: []
+metering_secret: 1c5df72079b31fb47747
diff --git a/deploy/client.py b/deploy/client.py
index 84041af5..b69b8acc 100644
--- a/deploy/client.py
+++ b/deploy/client.py
@@ -201,6 +201,9 @@ opts = [
cfg.StrOpt('cluster_vip',
help='cluster ip address',
default=''),
+ cfg.StrOpt('enable_secgroup',
+ help='enable security group',
+ default='true'),
cfg.StrOpt('network_cfg',
help='netowrk config file',
default=''),
@@ -695,17 +698,11 @@ class CompassClient(object):
)
"""
package_config['ha_proxy'] = {}
-
- #TODO, we need two vip
- if CONF.cluster_pub_vip:
- package_config["ha_proxy"]["pub_vip"] = CONF.cluster_pub_vip
-
- if CONF.cluster_prv_vip:
- package_config["ha_proxy"]["prv_vip"] = CONF.cluster_prv_vip
-
if CONF.cluster_vip:
package_config["ha_proxy"]["vip"] = CONF.cluster_vip
+ package_config['enable_secgroup'] = (CONF.enable_secgroup == "true")
+
status, resp = self.client.update_cluster_config(
cluster_id, package_config=package_config)
LOG.info(
diff --git a/deploy/conf/base.conf b/deploy/conf/base.conf
index d3d535dc..21be0bbf 100644
--- a/deploy/conf/base.conf
+++ b/deploy/conf/base.conf
@@ -18,6 +18,7 @@ export SUBNETS="10.1.0.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24"
export MANAGEMENT_IP_START=${MANAGEMENT_IP_START:-'10.1.0.50'}
export MANAGEMENT_INTERFACE=${MANAGEMENT_INTERFACE:-eth0}
export DASHBOARD_URL=""
+export ENABLE_SECGROUP="false"
function next_ip {
ip_addr=$1
diff --git a/deploy/deploy_host.sh b/deploy/deploy_host.sh
index 02a53cd5..e708bc28 100644
--- a/deploy/deploy_host.sh
+++ b/deploy/deploy_host.sh
@@ -22,6 +22,7 @@ function deploy_host(){
--host_roles="${HOST_ROLES}" --default_roles="${DEFAULT_ROLES}" --switch_ips="${SWITCH_IPS}" \
--machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" --deploy_type="${TYPE}" \
--deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \
- --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON"
+ --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON" \
+ --enable_secgroup="${ENABLE_SECGROUP}"
}