Diffstat (limited to 'deploy/adapters/ansible/roles/neutron-network')
-rw-r--r--deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters7
-rw-r--r--deploy/adapters/ansible/roles/neutron-network/handlers/main.yml14
-rwxr-xr-xdeploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml9
-rw-r--r--deploy/adapters/ansible/roles/neutron-network/tasks/main.yml55
-rwxr-xr-xdeploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml26
-rw-r--r--deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml7
6 files changed, 88 insertions, 30 deletions
diff --git a/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
new file mode 100644
index 00000000..c5eaa80c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
@@ -0,0 +1,7 @@
+[Filters]
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+ipsec: CommandFilter, ipsec, root
+strongswan: CommandFilter, strongswan, root
+neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
+neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
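Review bot: The `ipsec` and `strongswan` entries use `CommandFilter`, which matches only the executable name, so whatever account is permitted to call neutron-rootwrap can run those binaries as root with any arguments. If that breadth is intentional, say so in a header comment, for example `# neutron-rootwrap command filters for the VPNaaS agent; this file must be owned and writable by root only`. The entries given by bare name (`ip`, `ipsec`, `strongswan`, `neutron-vpn-netns-wrapper`) rely on rootwrap's configured exec_dirs for resolution, so it is worth confirming that none of those directories is writable by the neutron user.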
diff --git a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
index 7e67b76e..945724b4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
@@ -1,15 +1,19 @@
---
-- name: restart common neutron network relation service
- service: name={{ item }} state=restarted enabled=yes
- with_items: services_noarch
-
- name: restart neutron network relation service
service: name={{ item }} state=restarted enabled=yes
- with_items: services
+ with_flattened:
+ - services_noarch
+ - services
- name: restart openvswitch agent service
service: name=neutron-openvswitch-agent state=restarted enabled=yes
+- name: restart vpn agent service
+ service: name={{ item }} state=restarted enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+
- name: kill dnsmasq
command: killall dnsmasq
ignore_errors: True
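Review bot: Dropping the `restart common neutron network relation service` handler leaves any `notify:` that still names it dangling. The commit removes the reference in tasks/main.yml, but other task files in the role (odl.yml is included from main.yml and is not shown here) should be checked for the old name before merging. The merged handler would also read more clearly with a short comment such as `# restarts both the distro-independent and the distro-specific service lists`.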
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
new file mode 100755
index 00000000..16624a4c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
@@ -0,0 +1,9 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install firewall packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: firewall_packages
+
+- name: update firewall related conf
+ shell: crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins firewall
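Review bot: The `update firewall related conf` task runs a single fixed command through `shell:`, which pulls in a shell for no benefit. `command: crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins firewall` does the same without shell parsing. The task also depends on `crudini` being present, yet `firewall_packages` in vars/RedHat.yml lists only `openstack-neutron-fwaas`. Presumably another role installs it, which should be confirmed, or `crudini` added to the package list.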
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
index 7d643d5a..f8e9e8c4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
@@ -13,6 +13,24 @@
sysctl: name=net.ipv4.conf.default.rp_filter
value=0 state=present reload=yes
+- name: assert kernel support for vxlan
+ command: modinfo -F version vxlan
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: assert iproute2 suppport for vxlan
+ command: ip link add type vxlan help
+ register: iproute_out
+ failed_when: iproute_out.rc == 255
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: update epel-release
+ shell: yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
+ ignore_errors: True
+
+- name: update rdo-release-kilo repo
+ shell: yum install -y http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
+ ignore_errors: True
+
- name: install neutron network related packages
action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
with_items: packages | union(packages_noarch)
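Review bot: Both release RPMs in the `update epel-release` and `update rdo-release-kilo repo` tasks are fetched over plain `http://` and installed as root. A release package defines repositories and the GPG keys trusted for everything installed afterwards, so a tampered download compromises the whole package chain. Use the `https://` form of each URL if the mirror serves it (for example `yum install -y https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm`), or download the file and verify a pinned checksum before installing. `ignore_errors: True` also hides a failed or 404 download, in which case the later package tasks run against whatever repositories happen to be configured. Adding `when: ansible_os_family == 'RedHat'` and dropping `ignore_errors` makes that failure visible instead.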
@@ -48,36 +66,23 @@
dest=/etc/neutron/plugins/ml2/ml2_conf.ini
backup=yes
-- name: config neutron
- template: src=templates/neutron-network.conf
- dest=/etc/neutron/neutron.conf backup=yes
- notify:
- - restart common neutron network relation service
- - restart neutron network relation service
- - kill dnsmasq
-
-- meta: flush_handlers
-
- name: ln plugin.ini
file: src=/etc/neutron/plugins/ml2/ml2_conf.ini dest=/etc/neutron/plugin.ini state=link
-- name: restart openvswitch-agent service
- service: name={{ openvswitch_agent }} state=restarted enabled=yes
-
-- meta: flush_handlers
-
-#- include: igmp-router.yml
-# when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }} and ansible_os_family == 'Debian'"
+- name: config neutron
+ template: src=templates/neutron.conf
+ dest=/etc/neutron/neutron.conf backup=yes
-- name: assert kernel support for vxlan
- command: modinfo -F version vxlan
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: firewall.yml
+ when: enable_fwaas == True
-- name: assert iproute2 suppport for vxlan
- command: ip link add type vxlan help
- register: iproute_out
- failed_when: iproute_out.rc == 255
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: vpn.yml
+ when: enable_vpnaas == True
- include: odl.yml
when: "'opendaylight' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron services
+ debug: msg="restart neutron services"
+ notify:
+ - restart neutron network relation service
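Review bot: The final `restart neutron services` task hangs its `notify:` on a `debug` task, and `debug` never reports `changed`, so the `restart neutron network relation service` handler is never triggered. Since this hunk also removes the `notify:` from the `config neutron` template task, a changed neutron.conf (including the fwaas/vpnaas `service_plugins` edits) would not be picked up by the running services. Either add `changed_when: True` to the debug task or put the `notify:` back on the tasks that actually modify configuration. Separately, `when: enable_fwaas == True` and `when: enable_vpnaas == True` evaluate false when the variable arrives as the string "true"; `when: enable_fwaas | bool` is the safer form.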
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
new file mode 100755
index 00000000..6f70a68b
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
@@ -0,0 +1,26 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install vpn packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: vpn_packages
+
+- name: update vpn related conf
+ shell: crudini --set /etc/neutron/l3_agent.ini vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver;
+ crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas
+ crudini --set /etc/neutron/neutron_vpnaas.conf service_providers service_provider 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+
+- name: make sure rootwrap.d dir exist
+ file: path=/etc/neutron/rootwrap.d state=directory mode=0755
+
+- name: update rootwrap
+ copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters
+
+- name: enable vpn service
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+ notify:
+ - restart vpn agent service
+
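Review bot: In `update vpn related conf` only the first `crudini` line ends with `;`. The value is a plain multi-line scalar, so the second and third lines fold into one command, and the `service_provider` setting is passed as extra arguments to the `service_plugins` call rather than run on its own (indentation is lost in this view, so confirm against the file). A literal block with one command per line and `set -e` avoids this and stops on the first failure. The `update rootwrap` copy should also pin ownership and mode, because anyone who can write that file controls which commands rootwrap runs as root.

```yaml
- name: update vpn related conf
  shell: |
    set -e
    crudini --set /etc/neutron/l3_agent.ini vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
    crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas
    crudini --set /etc/neutron/neutron_vpnaas.conf service_providers service_provider 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'

# … unchanged: make sure rootwrap.d dir exist …

- name: update rootwrap
  copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters owner=root group=root mode=0644
```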
diff --git a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
index 14fd7731..f5e03090 100644
--- a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
@@ -3,6 +3,13 @@ packages:
- openstack-neutron-ml2
- openstack-neutron-openvswitch
+vpn_packages:
+ - openstack-neutron-vpn-agent
+ - strongswan
+
+firewall_packages:
+ - openstack-neutron-fwaas
+
services:
- openvswitch
- neutron-openvswitch-agent