From 2709a9bee6a562cc6acef75b394d7c4e9a3b3f3f Mon Sep 17 00:00:00 2001
From: "carey.xu"
Date: Fri, 30 Oct 2015 10:33:51 +0800
Subject: add option to disable security group

JIRA: COMPASS-126

Change-Id: Ie9417be0e78690b5580d460b9c61f77ccc1d91c6
Signed-off-by: carey.xu
---
 .../ansible/openstack/HA-ansible-multinodes.yml | 6 +++++
 .../ansible/roles/secgroup/handlers/main.yml | 10 ++++++++
 .../adapters/ansible/roles/secgroup/tasks/main.yml | 10 ++++++++
 .../ansible/roles/secgroup/tasks/secgroup.yml | 27 ++++++++++++++++++++++
 .../ansible/roles/secgroup/templates/neutron.j2 | 4 ++++
 .../ansible/roles/secgroup/templates/nova.j2 | 3 +++
 .../ansible/roles/secgroup/vars/Debian.yml | 27 ++++++++++++++++++++++
 .../ansible/roles/secgroup/vars/RedHat.yml | 27 ++++++++++++++++++++++
 .../adapters/ansible/roles/secgroup/vars/main.yml | 3 +++
 deploy/client.py | 13 ++++-------
 deploy/conf/base.conf | 1 +
 deploy/deploy_host.sh | 3 ++-
 12 files changed, 125 insertions(+), 9 deletions(-)
 create mode 100644 deploy/adapters/ansible/roles/secgroup/handlers/main.yml
 create mode 100644 deploy/adapters/ansible/roles/secgroup/tasks/main.yml
 create mode 100644 deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
 create mode 100644 deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
 create mode 100644 deploy/adapters/ansible/roles/secgroup/templates/nova.j2
 create mode 100644 deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
 create mode 100644 deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
 create mode 100644 deploy/adapters/ansible/roles/secgroup/vars/main.yml

diff --git a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
index ac2f2a8d..d3cec000 100644
--- a/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
+++ b/deploy/adapters/ansible/openstack/HA-ansible-multinodes.yml
@@ -67,3 +67,9 @@
 sudo: True
 roles:
 - monitor
+
+- hosts: all
+ remote_user: root
+ sudo: True
+ roles:
+ - secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/handlers/main.yml b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
new file mode 100644
index 00000000..551258d2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart controller relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: controller_services
+
+- name: restart compute relation service
+ service: name={{ item }} state=restarted enabled=yes
+ ignore_errors: True
+ with_items: compute_services
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/main.yml b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
new file mode 100644
index 00000000..c26af4b0
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+ tags: secgroup
+
+- debug: msg={{ enable_secgroup }}
+ tags: secgroup
+
+- include: secgroup.yml
+ when: '{{ enable_secgroup }} == False'
+ tags: secgroup
diff --git a/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
new file mode 100644
index 00000000..f2a6c0ab
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/tasks/secgroup.yml
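Review bot: `ignore_errors: True` on both restart handlers in handlers/main.yml means a nova or neutron service that does not come back after its config was rewritten is not reported, so a run can end "ok" with neutron-server or nova-compute down; drop it, or replace it with a `failed_when` tied to a status check, so a failed restart fails the play. `with_items: controller_services` and `with_items: compute_services` use the bare-variable spelling while tasks/secgroup.yml uses `with_items: "{{ configs_templates }}"`; use the quoted form `with_items: "{{ controller_services }}"` in both handlers for consistency. A one-line comment at the top of the file saying these handlers are fired by the crudini tasks in tasks/secgroup.yml and restart every nova/neutron daemon on the host would help a reader judge the blast radius of a config change.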
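Review bot: The include condition `when: '{{ enable_secgroup }} == False'` in tasks/main.yml renders the variable into the expression before evaluating it, which is the form Ansible warns about and which errors out with an undefined-variable failure (at the preceding `debug` task already) when the flag is not set, because the role ships no defaults; add `defaults/main.yml` with `enable_secgroup: true` so the secure setting is the fallback, and write the condition as `when: not (enable_secgroup | bool)`. The role is also one-way: with the flag true nothing runs, so a host deployed once with it false keeps the Noop/disabled settings on a later run with it true — if re-enabling is meant to be supported, the tasks need an enabling branch, and if not, a comment on the include should say so. The `debug` task prints a bare value on every run; either remove it or make it self-describing, `debug: msg="enable_secgroup={{ enable_secgroup }}"`.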
@@ -0,0 +1,27 @@
+---
+- name: make sure template dir exits
+ file: path=/opt/os_templates state=directory mode=0755
+ tags: secgroup
+
+- name: copy configs
+ template: src={{ item.src}} dest=/opt/os_templates
+ with_items: "{{ configs_templates }}"
+ tags: secgroup
+
+- name: update controller configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart controller relation service
+ when: inventory_hostname in "{{ groups['controller'] }}"
+
+- name: update compute configs
+ shell: '[ -f {{ item.1 }} ] && crudini --merge {{ item.1 }} < /opt/os_templates/{{ item.0.src }} || /bin/true'
+ tags: secgroup
+ with_subelements:
+ - configs_templates
+ - dest
+ notify: restart compute relation service
+ when: inventory_hostname in "{{ groups['compute'] }}"
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2 b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
new file mode 100644
index 00000000..7b39e18c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/neutron.j2
@@ -0,0 +1,4 @@
+[securitygroup]
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+enable_security_group = False
+
diff --git a/deploy/adapters/ansible/roles/secgroup/templates/nova.j2 b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
new file mode 100644
index 00000000..91fa6cd2
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/templates/nova.j2
@@ -0,0 +1,3 @@
+[DEFAULT]
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = nova
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
new file mode 100644
index 00000000..85025bf5
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/Debian.yml
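Review bot: Both `shell` tasks in tasks/secgroup.yml report `changed` on every run and end in `|| /bin/true`, so the notified handlers restart every nova/neutron service on each playbook run even when nothing changed, while a real crudini failure is masked as success and the restart still fires on a half-updated config. Use the `ini_file` module per setting (idempotent, fails loudly), or keep crudini but drop `|| /bin/true`, move the existence test into a separate `stat` task and set `changed_when` from crudini's output. The conditions `when: inventory_hostname in "{{ groups['controller'] }}"` and the compute twin render the group list to a string before the expression is evaluated, so the membership test degrades to a substring match (a host `node1` would match a group containing `node10`); write them as `when: inventory_hostname in groups['controller']`. The first task's name has a typo, `exits` for `exists`.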
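Review bot: In templates/neutron.j2, `enable_security_group = False` is paired with `firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver`, which, as far as I recall, the Neutron agent reports at startup as a driver/flag mismatch; the pairing Neutron documents for a disabled security-group extension is `firewall_driver = neutron.agent.firewall.NoopFirewallDriver`, matching the Noop driver templates/nova.j2 already sets on the Nova side. Whichever driver is kept, a comment at the top of both templates stating that these files remove all per-port filtering for every instance on the host, so the cluster then depends entirely on controls outside Neutron, would tell an operator what `ENABLE_SECGROUP=false` actually does. The trailing empty added line in neutron.j2 can go.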
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - nova-api
+ - nova-cert
+ - nova-conductor
+ - nova-consoleauth
+ - nova-novncproxy
+ - nova-scheduler
+ - neutron-server
+ - neutron-plugin-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+
+compute_services:
+ - nova-compute
+ - neutron-plugin-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
new file mode 100644
index 00000000..533bbe9d
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/RedHat.yml
@@ -0,0 +1,27 @@
+---
+configs_templates:
+ - src: nova.j2
+ dest:
+ - /etc/nova/nova.conf
+ - src: neutron.j2
+ dest:
+ - /etc/neutron/plugins/ml2/ml2_conf.ini
+ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+ - /etc/neutron/plugins/ml2/restproxy.ini
+
+controller_services:
+ - openstack-nova-api
+ - openstack-nova-cert
+ - openstack-nova-conductor
+ - openstack-nova-consoleauth
+ - openstack-nova-novncproxy
+ - openstack-nova-scheduler
+ - neutron-openvswitch-agent
+ - neutron-l3-agent
+ - neutron-dhcp-agent
+ - neutron-metadata-agent
+ - neutron-server
+
+compute_services:
+ - openstack-nova-compute
+ - neutron-openvswitch-agent
diff --git a/deploy/adapters/ansible/roles/secgroup/vars/main.yml b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
new file mode 100644
index 00000000..bb87da65
--- /dev/null
+++ b/deploy/adapters/ansible/roles/secgroup/vars/main.yml
@@ -0,0 +1,3 @@
+---
+packages_noarch: []
+metering_secret: 1c5df72079b31fb47747
diff --git a/deploy/client.py b/deploy/client.py
index 84041af5..b69b8acc 100644
--- a/deploy/client.py
+++ b/deploy/client.py
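Review bot: `configs_templates` is byte-identical in vars/Debian.yml and vars/RedHat.yml; only `controller_services` and `compute_services` actually differ by OS family, so the template-to-destination mapping belongs in vars/main.yml (always loaded) and the two family files should carry just the service lists, otherwise the next config file added to one list will be forgotten in the other. The `dest` lists name three plugin ini files that may not all exist on a given host, and the `[ -f … ]` guard in tasks/secgroup.yml silently skips absent ones; a short comment above the list, `# files missing on the host are skipped by the update tasks`, would spare the reader a trip to the task file.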
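Review bot: `metering_secret: 1c5df72079b31fb47747` in vars/main.yml is a hard-coded credential in a role that never references it — nothing in tasks/, handlers/ or templates/ of this role uses `metering_secret` or `packages_noarch`, so the file looks copied from another role. Remove both keys; if that value is also the live ceilometer metering secret used elsewhere in the repo, this commit has duplicated it into a second place, and a secret committed to source should be treated as exposed and regenerated per deployment (or vaulted) rather than kept in a vars file.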
@@ -201,6 +201,9 @@ opts = [
 cfg.StrOpt('cluster_vip',
 help='cluster ip address',
 default=''),
+ cfg.StrOpt('enable_secgroup',
+ help='enable security group',
+ default='true'),
 cfg.StrOpt('network_cfg',
 help='netowrk config file',
 default=''),
@@ -695,17 +698,11 @@ class CompassClient(object):
 )
 """
 package_config['ha_proxy'] = {}
-
- #TODO, we need two vip
- if CONF.cluster_pub_vip:
- package_config["ha_proxy"]["pub_vip"] = CONF.cluster_pub_vip
-
- if CONF.cluster_prv_vip:
- package_config["ha_proxy"]["prv_vip"] = CONF.cluster_prv_vip
-
 if CONF.cluster_vip:
 package_config["ha_proxy"]["vip"] = CONF.cluster_vip
+ package_config['enable_secgroup'] = (CONF.enable_secgroup == "true")
+
 status, resp = self.client.update_cluster_config(
 cluster_id, package_config=package_config)
 LOG.info(
diff --git a/deploy/conf/base.conf b/deploy/conf/base.conf
index d3d535dc..21be0bbf 100644
--- a/deploy/conf/base.conf
+++ b/deploy/conf/base.conf
@@ -18,6 +18,7 @@ export SUBNETS="10.1.0.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24"
 export MANAGEMENT_IP_START=${MANAGEMENT_IP_START:-'10.1.0.50'}
 export MANAGEMENT_INTERFACE=${MANAGEMENT_INTERFACE:-eth0}
 export DASHBOARD_URL=""
+export ENABLE_SECGROUP="false"
 function next_ip {
 ip_addr=$1
diff --git a/deploy/deploy_host.sh b/deploy/deploy_host.sh
index 02a53cd5..e708bc28 100644
--- a/deploy/deploy_host.sh
+++ b/deploy/deploy_host.sh
@@ -22,6 +22,7 @@ function deploy_host(){
 --host_roles="${HOST_ROLES}" --default_roles="${DEFAULT_ROLES}" --switch_ips="${SWITCH_IPS}" \
 --machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" --deploy_type="${TYPE}" \
 --deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \
- --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON"
+ --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON" \
+ --enable_secgroup="${ENABLE_SECGROUP}"
 }
--
cgit 1.2.3-korg
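Review bot: `package_config['enable_secgroup'] = (CONF.enable_secgroup == "true")` in the second client.py hunk is a case-sensitive string compare, so `--enable_secgroup=True`, `yes` or `1` silently evaluates to False and disables security groups for the whole cluster — the failure mode of a typo is the insecure one. Declare the option as `cfg.BoolOpt('enable_secgroup', help='enable security group', default=True)` in the first hunk and assign `package_config['enable_secgroup'] = CONF.enable_secgroup`; oslo.config then accepts the usual true/false/yes/no/1/0 spellings and rejects anything else at parse time. The `'true'` default here also disagrees with `ENABLE_SECGROUP="false"` added to deploy/conf/base.conf, so the effective default depends on which entry point is used; pick one and document it in the option's `help`. The enclosing method continues past the hunk with the `update_cluster_config` call.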
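Review bot: `export ENABLE_SECGROUP="false"` in deploy/conf/base.conf makes disabling Neutron security groups and Nova's firewall driver the default for every deployment that sources this file, while the client.py option the same commit adds defaults to true; the secure-by-default form, matching the override style of the surrounding lines, is `export ENABLE_SECGROUP=${ENABLE_SECGROUP:-"true"}`. If false is deliberate for a lab environment, say so in a comment on the line, because the effect — no per-port filtering on any instance in the cluster — is invisible from this file.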