From 4251f3ca9b4271649f9670468529ba2b077269d0 Mon Sep 17 00:00:00 2001
From: "carey.xu"
Date: Wed, 11 Nov 2015 23:57:32 +0800
Subject: support FWaaS and VPNaaS
JIRA: COMPASS-149
Change-Id: Ib523580fb7a7a2cd62e4fabb27fd710361cdeef3
Signed-off-by: carey.xu
---
 .../roles/neutron-network/files/vpnaas.filters | 7 +++
 .../roles/neutron-network/handlers/main.yml | 14 ++++--
 .../roles/neutron-network/tasks/firewall.yml | 9 ++++
 .../ansible/roles/neutron-network/tasks/main.yml | 55 ++++++++++++----------
 .../ansible/roles/neutron-network/tasks/vpn.yml | 26 ++++++++++
 .../ansible/roles/neutron-network/vars/RedHat.yml | 7 +++
 6 files changed, 88 insertions(+), 30 deletions(-)
 create mode 100644 deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
 create mode 100755 deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
 create mode 100755 deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
(limited to 'deploy/adapters/ansible/roles/neutron-network')
diff --git a/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
new file mode 100644
index 00000000..c5eaa80c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
@@ -0,0 +1,7 @@
+[Filters]
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+ipsec: CommandFilter, ipsec, root
+strongswan: CommandFilter, strongswan, root
+neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
+neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
diff --git a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
index 7e67b76e..945724b4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
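Review bot: The new rootwrap filter file says nothing about what it grants: each `CommandFilter` entry lets the agent run the named binary as root with any arguments, and the last two entries whitelist `neutron-vpn-netns-wrapper` both by bare name and by an explicit /usr/local/bin path. A header such as `# rootwrap filters for the VPNaaS agent; installed to /etc/neutron/rootwrap.d by tasks/vpn.yml` plus a one-line comment on why the /usr/local/bin variant is needed (presumably a pip-installed wrapper next to the distro one) would make the grant reviewable without opening the playbook.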
@@ -1,15 +1,19 @@
 ---
-- name: restart common neutron network relation service
- service: name={{ item }} state=restarted enabled=yes
- with_items: services_noarch
-
 - name: restart neutron network relation service
 service: name={{ item }} state=restarted enabled=yes
- with_items: services
+ with_flattened:
+ - services_noarch
+ - services
 - name: restart openvswitch agent service
 service: name=neutron-openvswitch-agent state=restarted enabled=yes
+- name: restart vpn agent service
+ service: name={{ item }} state=restarted enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+
 - name: kill dnsmasq
 command: killall dnsmasq
 ignore_errors: True
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
new file mode 100755
index 00000000..16624a4c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
@@ -0,0 +1,9 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install firewall packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: firewall_packages
+
+- name: update firewall related conf
+ shell: crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins firewall
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
index 7d643d5a..f8e9e8c4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
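Review bot: `with_flattened:` lists `services_noarch` and `services` as bare words, which relies on the bare-variable lookup of `with_*` loops that later Ansible releases deprecate; write them as `- "{{ services_noarch }}"` and `- "{{ services }}"` so the intent survives an Ansible upgrade. With the `config neutron` task's notify list removed in tasks/main.yml, nothing visible in this patch notifies `kill dnsmasq` any more — if no other task does, that handler is now dead code. The new `restart vpn agent service` handler also restarts strongswan, which drops every established IPsec tunnel whenever it fires, so it should only ever be notified by tasks that actually change its configuration.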
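Review bot: `with_items: firewall_packages` is only satisfied on RedHat: this patch adds `firewall_packages` (and `vpn_packages`, used by tasks/vpn.yml) to vars/RedHat.yml alone, so on a Debian host the `include_vars` on the previous line loads a file that, unless it already defines them, leaves the variable undefined and the install task fails. Either add both lists to vars/Debian.yml or guard the two includes in tasks/main.yml with `ansible_os_family`. Separately, `shell: crudini --set --list …` uses no shell features and should be `command:`, and since crudini gives no change signal the task reports changed on every run; a `changed_when` based on a prior `crudini --get` would make it idempotent.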
@@ -13,6 +13,24 @@
 sysctl: name=net.ipv4.conf.default.rp_filter value=0 state=present reload=yes
+- name: assert kernel support for vxlan
+ command: modinfo -F version vxlan
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: assert iproute2 suppport for vxlan
+ command: ip link add type vxlan help
+ register: iproute_out
+ failed_when: iproute_out.rc == 255
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: update epel-release
+ shell: yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
+ ignore_errors: True
+
+- name: update rdo-release-kilo repo
+ shell: yum install -y http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
+ ignore_errors: True
+
 - name: install neutron network related packages
 action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
 with_items: packages | union(packages_noarch)
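Review bot: The two new `shell: yum install -y http://…` tasks run on every OS family — nothing restricts them to RedHat, and the `ignore_errors: True` that hides yum's absence elsewhere also hides any real download, dependency or signature failure on RedHat, leaving the repos silently unconfigured. Use the package module, which is idempotent and accepts a URL, and guard it: `yum: name=http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm state=present` with `when: ansible_os_family == 'RedHat'`, and the same for the rdo-release-kilo rpm, dropping `ignore_errors`. Both release packages are fetched over plain http with no checksum, so the repository definitions (and the GPG keys they ship) are trusted on the transport alone; prefer https where the mirror offers it. The hard-coded `epel-release-7-5` file name will also stop resolving once the mirror moves to a newer build, which the ignored error would mask.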
@@ -48,36 +66,23 @@
 dest=/etc/neutron/plugins/ml2/ml2_conf.ini backup=yes
-- name: config neutron
- template: src=templates/neutron-network.conf
- dest=/etc/neutron/neutron.conf backup=yes
- notify:
- - restart common neutron network relation service
- - restart neutron network relation service
- - kill dnsmasq
-
-- meta: flush_handlers
-
 - name: ln plugin.ini
 file: src=/etc/neutron/plugins/ml2/ml2_conf.ini
 dest=/etc/neutron/plugin.ini state=link
-- name: restart openvswitch-agent service
- service: name={{ openvswitch_agent }} state=restarted enabled=yes
-
-- meta: flush_handlers
-
-#- include: igmp-router.yml
-# when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }} and ansible_os_family == 'Debian'"
+- name: config neutron
+ template: src=templates/neutron.conf
+ dest=/etc/neutron/neutron.conf backup=yes
-- name: assert kernel support for vxlan
- command: modinfo -F version vxlan
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: firewall.yml
+ when: enable_fwaas == True
-- name: assert iproute2 suppport for vxlan
- command: ip link add type vxlan help
- register: iproute_out
- failed_when: iproute_out.rc == 255
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: vpn.yml
+ when: enable_vpnaas == True
 - include: odl.yml
 when: "'opendaylight' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron services
+ debug: msg="restart neutron services"
+ notify:
+ - restart neutron network relation service
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
new file mode 100755
index 00000000..6f70a68b
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
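Review bot: The final `restart neutron services` task will not trigger its handler: `debug` does not report a change, and Ansible only queues `notify` handlers for tasks that report changed, so `restart neutron network relation service` is never run and the agents keep running with the old neutron.conf and l3_agent.ini. Add `changed_when: true` to that task, or better, attach the `notify` to `config neutron` and to the crudini tasks in firewall.yml and vpn.yml, which is where the change signal actually originates. The `when: enable_fwaas == True` and `when: enable_vpnaas == True` comparisons are fragile if the flags arrive as strings from the inventory; `when: enable_fwaas | bool` is the idiom. Note that dropping both `meta: flush_handlers` also moves every restart to the end of the play, so any later role in the same play observes the unrestarted services.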
@@ -0,0 +1,26 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install vpn packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: vpn_packages
+
+- name: update vpn related conf
+ shell: crudini --set /etc/neutron/l3_agent.ini vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver;
+ crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas
+ crudini --set /etc/neutron/neutron_vpnaas.conf service_providers service_provider 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+
+- name: make sure rootwrap.d dir exist
+ file: path=/etc/neutron/rootwrap.d state=directory mode=0755
+
+- name: update rootwrap
+ copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters
+
+- name: enable vpn service
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+ notify:
+ - restart vpn agent service
+
diff --git a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
index 14fd7731..f5e03090 100644
--- a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
@@ -3,6 +3,13 @@ packages:
 - openstack-neutron-ml2
 - openstack-neutron-openvswitch
+vpn_packages:
+ - openstack-neutron-vpn-agent
+ - strongswan
+
+firewall_packages:
+ - openstack-neutron-fwaas
+
 services:
 - openvswitch
 - neutron-openvswitch-agent
-- cgit 1.2.3-korg
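Review bot: The `update vpn related conf` value is a multi-line plain scalar, so YAML folds its line breaks into spaces before the shell sees it: the first crudini call ends in `;` but the second does not, so the third `crudini --set /etc/neutron/neutron_vpnaas.conf …` line is handed to the second call as extra arguments instead of running on its own, and the service_provider entry is never written (the second call most likely errors out on the surplus arguments). Use a literal block scalar so each command runs as its own line, as below. The rootwrap filters installed by `update rootwrap` authorize root execution for the neutron user, so the copy should pin ownership and mode instead of inheriting the umask: `copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters owner=root group=root mode=0644`. `vpn_packages` is defined only in vars/RedHat.yml in this patch, so on Debian the install task fails unless Debian.yml already provides it.
```yaml
- name: update vpn related conf
  shell: |
    crudini --set /etc/neutron/l3_agent.ini vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
    crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas
    crudini --set /etc/neutron/neutron_vpnaas.conf service_providers service_provider 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
# … unchanged: rootwrap.d, rootwrap copy and service tasks …
```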