diff options
author | carey.xu <carey.xuhan@huawei.com> | 2015-10-30 10:33:51 +0800 |
---|---|---|
committer | carey.xu <carey.xuhan@huawei.com> | 2015-11-08 12:29:42 +0800 |
commit | 2709a9bee6a562cc6acef75b394d7c4e9a3b3f3f (patch) | |
tree | 2e86fbbfe3779459a2fff18c45dbad43d7cfddd5 | |
parent | fc218067fdea16f45b8b9d01201a8c8b25ca9eb0 (diff) |
add option to disable security group
JIRA: COMPASS-126
Change-Id: Ie9417be0e78690b5580d460b9c61f77ccc1d91c6
Signed-off-by: carey.xu <carey.xuhan@huawei.com>
-rw-r--r-- | deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml | 6 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/handlers/main.yml | 10 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/tasks/main.yml | 10 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml | 27 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 | 4 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/templates/nova.j2 | 3 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/vars/Debian.yml | 27 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml | 27 | ||||
-rw-r--r-- | deploy/adapters/ansible/roles/secgroup/vars/main.yml | 3 | ||||
-rw-r--r-- | deploy/client.py | 13 | ||||
-rw-r--r-- | deploy/conf/base.conf | 1 | ||||
-rw-r--r-- | deploy/deploy_host.sh | 3 |
12 files changed, 125 insertions, 9 deletions
diff --git a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml index ac2f2a8d..d3cec000 100644 --- a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml +++ b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml @@ -67,3 +67,9 @@ sudo: True roles: - monitor + +- hosts: all + remote_user: root + sudo: True + roles: + - secgroup diff --git a/deploy/adapters/ansible/roles/secgroup/handlers/main.yml b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml new file mode 100644 index 00000000..551258d2 --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart controller relation service + service: name={{ item }} state=restarted enabled=yes + ignore_errors: True + with_items: controller_services + +- name: restart compute relation service + service: name={{ item }} state=restarted enabled=yes + ignore_errors: True + with_items: compute_services diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/main.yml b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml new file mode 100644 index 00000000..c26af4b0 --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml @@ -0,0 +1,10 @@ +--- +- include_vars: "{{ ansible_os_family }}.yml" + tags: secgroup + +- debug: msg={{ enable_secgroup }} + tags: secgroup + +- include: secgroup.yml + when: '{{ enable_secgroup }} == False' + tags: secgroup diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml new file mode 100644 index 00000000..f2a6c0ab --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml @@ -0,0 +1,27 @@ +--- +- name: make sure template dir exits + file: path=/opt/os_templates state=directory mode=0755 + tags: secgroup + +- name: copy configs + template: src={{ item.src}} dest=/opt/os_templates + with_items: "{{ configs_templates }}" + tags: secgroup + +- name: update controller configs + shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true' + tags: secgroup + with_subelements: + - configs_templates + - dest + notify: restart controller relation service + when: inventory_hostname in "{{ groups['controller'] }}" + +- name: update compute configs + shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true' + tags: secgroup + with_subelements: + - configs_templates + - dest + notify: restart compute relation service + when: inventory_hostname in "{{ groups['compute'] }}" diff --git a/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 new file mode 100644 index 00000000..7b39e18c --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 @@ -0,0 +1,4 @@ +[securitygroup] +firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver +enable_security_group = False + diff --git a/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 new file mode 100644 index 00000000..91fa6cd2 --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 @@ -0,0 +1,3 @@ +[DEFAULT] +firewall_driver = nova.virt.firewall.NoopFirewallDriver +security_group_api = nova diff --git a/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml new file mode 100644 index 00000000..85025bf5 --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml @@ -0,0 +1,27 @@ +--- +configs_templates: + - src: nova.j2 + dest: + - /etc/nova/nova.conf + - src: neutron.j2 + dest: + - /etc/neutron/plugins/ml2/ml2_conf.ini + - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini + - /etc/neutron/plugins/ml2/restproxy.ini + +controller_services: + - nova-api + - nova-cert + - nova-conductor + - nova-consoleauth + - nova-novncproxy + - nova-scheduler + - neutron-server + - neutron-plugin-openvswitch-agent + - neutron-l3-agent + - neutron-dhcp-agent + - neutron-metadata-agent + +compute_services: + - nova-compute + - neutron-plugin-openvswitch-agent diff --git a/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml new file mode 100644 index 00000000..533bbe9d --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml @@ -0,0 +1,27 @@ +--- +configs_templates: + - src: nova.j2 + dest: + - /etc/nova/nova.conf + - src: neutron.j2 + dest: + - /etc/neutron/plugins/ml2/ml2_conf.ini + - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini + - /etc/neutron/plugins/ml2/restproxy.ini + +controller_services: + - openstack-nova-api + - openstack-nova-cert + - openstack-nova-conductor + - openstack-nova-consoleauth + - openstack-nova-novncproxy + - openstack-nova-scheduler + - neutron-openvswitch-agent + - neutron-l3-agent + - neutron-dhcp-agent + - neutron-metadata-agent + - neutron-server + +compute_services: + - openstack-nova-compute + - neutron-openvswitch-agent diff --git a/deploy/adapters/ansible/roles/secgroup/vars/main.yml b/deploy/adapters/ansible/roles/secgroup/vars/main.yml new file mode 100644 index 00000000..bb87da65 --- /dev/null +++ b/deploy/adapters/ansible/roles/secgroup/vars/main.yml @@ -0,0 +1,3 @@ +--- +packages_noarch: [] +metering_secret: 1c5df72079b31fb47747 diff --git a/deploy/client.py b/deploy/client.py index 84041af5..b69b8acc 100644 --- a/deploy/client.py +++ b/deploy/client.py @@ -201,6 +201,9 @@ opts = [ cfg.StrOpt('cluster_vip', help='cluster ip address', default=''), + cfg.StrOpt('enable_secgroup', + help='enable security group', + default='true'), cfg.StrOpt('network_cfg', help='netowrk config file', default=''), @@ -695,17 +698,11 @@ class CompassClient(object): ) """ package_config['ha_proxy'] = {} - - #TODO, we need two vip - if CONF.cluster_pub_vip: - package_config["ha_proxy"]["pub_vip"] = CONF.cluster_pub_vip - - if CONF.cluster_prv_vip: - package_config["ha_proxy"]["prv_vip"] = CONF.cluster_prv_vip - if CONF.cluster_vip: package_config["ha_proxy"]["vip"] = CONF.cluster_vip + package_config['enable_secgroup'] = (CONF.enable_secgroup == "true") + status, resp = self.client.update_cluster_config( cluster_id, package_config=package_config) LOG.info( diff --git a/deploy/conf/base.conf b/deploy/conf/base.conf index d3d535dc..21be0bbf 100644 --- a/deploy/conf/base.conf +++ b/deploy/conf/base.conf @@ -18,6 +18,7 @@ export SUBNETS="10.1.0.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24" export MANAGEMENT_IP_START=${MANAGEMENT_IP_START:-'10.1.0.50'} export MANAGEMENT_INTERFACE=${MANAGEMENT_INTERFACE:-eth0} export DASHBOARD_URL="" +export ENABLE_SECGROUP="false" function next_ip { ip_addr=$1 diff --git a/deploy/deploy_host.sh b/deploy/deploy_host.sh index 02a53cd5..e708bc28 100644 --- a/deploy/deploy_host.sh +++ b/deploy/deploy_host.sh @@ -22,6 +22,7 @@ function deploy_host(){ --host_roles="${HOST_ROLES}" --default_roles="${DEFAULT_ROLES}" --switch_ips="${SWITCH_IPS}" \ --machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" --deploy_type="${TYPE}" \ --deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \ - --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON" + --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON" \ + --enable_secgroup="${ENABLE_SECGROUP}" } |