summaryrefslogtreecommitdiffstats
path: root/deploy/adapters
diff options
context:
space:
mode:
authorcarey.xu <carey.xuhan@huawei.com>2015-10-30 10:33:51 +0800
committercarey.xu <carey.xuhan@huawei.com>2015-11-08 12:29:42 +0800
commit2709a9bee6a562cc6acef75b394d7c4e9a3b3f3f (patch)
tree2e86fbbfe3779459a2fff18c45dbad43d7cfddd5 /deploy/adapters
parentfc218067fdea16f45b8b9d01201a8c8b25ca9eb0 (diff)
add option to disable security group
JIRA: COMPASS-126 Change-Id: Ie9417be0e78690b5580d460b9c61f77ccc1d91c6 Signed-off-by: carey.xu <carey.xuhan@huawei.com>
Diffstat (limited to 'deploy/adapters')
-rw-r--r--deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml6
-rw-r--r--deploy/adapters/ansible/roles/secgroup/handlers/main.yml10
-rw-r--r--deploy/adapters/ansible/roles/secgroup/tasks/main.yml10
-rw-r--r--deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/templates/neutron.j24
-rw-r--r--deploy/adapters/ansible/roles/secgroup/templates/nova.j23
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/Debian.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml27
-rw-r--r--deploy/adapters/ansible/roles/secgroup/vars/main.yml3
9 files changed, 117 insertions, 0 deletions
diff --git a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
index ac2f2a8d..d3cec000 100644
--- a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
+++ b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
@@ -67,3 +67,9 @@
sudo: True
roles:
- monitor
+
+- hosts: all
+ remote_user: root
+ sudo: True
+ roles:
+ - secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/handlers/main.yml b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
new file mode 100644
index 00000000..551258d2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart controller relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: controller_services
+
+- name: restart compute relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: compute_services
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/main.yml b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
new file mode 100644
index 00000000..c26af4b0
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+ tags: secgroup
+
+- debug: msg={{ enable_secgroup }}
+ tags: secgroup
+
+- include: secgroup.yml
+ when: '{{ enable_secgroup }} == False'
+ tags: secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
new file mode 100644
index 00000000..f2a6c0ab
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
@@ -0,0 +1,27 @@
+---
+- name: make sure template dir exits
+ file: path=/opt/os_templates state=directory mode=0755
+ tags: secgroup
+
+- name: copy configs
+ template: src={{ item.src}} dest=/opt/os_templates
+ with_items: "{{ configs_templates }}"
+ tags: secgroup
+
+- name: update controller configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart controller relation service
+ when: inventory_hostname in "{{ groups['controller'] }}"
+
+- name: update compute configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart compute relation service
+ when: inventory_hostname in "{{ groups['compute'] }}"
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
new file mode 100644
index 00000000..7b39e18c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
@@ -0,0 +1,4 @@
+[securitygroup]
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = False
+
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
new file mode 100644
index 00000000..91fa6cd2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
@@ -0,0 +1,3 @@
+[DEFAULT]
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = nova
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
new file mode 100644
index 00000000..85025bf5
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - nova-api
+ - nova-cert
+ - nova-conductor
+ - nova-consoleauth
+ - nova-novncproxy
+ - nova-scheduler
+ - neutron-server
+ - neutron-plugin-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+
+compute_services:
+ - nova-compute
+ - neutron-plugin-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
new file mode 100644
index 00000000..533bbe9d
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - openstack-nova-api
+ - openstack-nova-cert
+ - openstack-nova-conductor
+ - openstack-nova-consoleauth
+ - openstack-nova-novncproxy
+ - openstack-nova-scheduler
+ - neutron-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+ - neutron-server
+
+compute_services:
+ - openstack-nova-compute
+ - neutron-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/main.yml b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
new file mode 100644
index 00000000..bb87da65
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
@@ -0,0 +1,3 @@
+---
+packages_noarch: []
+metering_secret: 1c5df72079b31fb47747