From 4251f3ca9b4271649f9670468529ba2b077269d0 Mon Sep 17 00:00:00 2001 From: "carey.xu" Date: Wed, 11 Nov 2015 23:57:32 +0800 Subject: support FWaaS and VPNaaS JIRA: COMPASS-149 Change-Id: Ib523580fb7a7a2cd62e4fabb27fd710361cdeef3 Signed-off-by: carey.xu --- .../openstack/templates/neutron-network.conf | 465 --------------------- .../ansible/openstack/templates/neutron.conf | 12 +- .../adapters/ansible/roles/common/tasks/main.yml | 9 +- .../adapters/ansible/roles/common/vars/RedHat.yml | 2 +- .../ansible/roles/neutron-compute/tasks/main.yml | 2 +- .../roles/neutron-network/files/vpnaas.filters | 7 + .../roles/neutron-network/handlers/main.yml | 14 +- .../roles/neutron-network/tasks/firewall.yml | 9 + .../ansible/roles/neutron-network/tasks/main.yml | 55 +-- .../ansible/roles/neutron-network/tasks/vpn.yml | 26 ++ .../ansible/roles/neutron-network/vars/RedHat.yml | 7 + deploy/client.py | 8 + deploy/conf/base.conf | 2 + deploy/deploy_host.sh | 2 +- 14 files changed, 114 insertions(+), 506 deletions(-) delete mode 100644 deploy/adapters/ansible/openstack/templates/neutron-network.conf create mode 100644 deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters create mode 100755 deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml create mode 100755 deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml (limited to 'deploy') diff --git a/deploy/adapters/ansible/openstack/templates/neutron-network.conf b/deploy/adapters/ansible/openstack/templates/neutron-network.conf deleted file mode 100644 index 63ac27ee..00000000 --- a/deploy/adapters/ansible/openstack/templates/neutron-network.conf +++ /dev/null 
@@ -1,465 +0,0 @@ -[DEFAULT] -# Print more verbose output (set logging level to INFO instead of default WARNING level). -verbose = {{ VERBOSE }} - -# Print debugging output (set logging level to DEBUG instead of default WARNING level). -debug = {{ DEBUG }} - -# Where to store Neutron state files. This directory must be writable by the -# user executing the agent. -state_path = /var/lib/neutron - -# Where to store lock files -lock_path = $state_path/lock - -# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s -# log_date_format = %Y-%m-%d %H:%M:%S - -# use_syslog -> syslog -# log_file and log_dir -> log_dir/log_file -# (not log_file) and log_dir -> log_dir/{binary_name}.log -# use_stderr -> stderr -# (not user_stderr) and (not log_file) -> stdout -# publish_errors -> notification system - -# use_syslog = False -# syslog_log_facility = LOG_USER - -# use_stderr = True -# log_file = -log_dir = /var/log/neutron - -# publish_errors = False - -# Address to bind the API server to -bind_host = {{ network_server_host }} - -# Port the bind the API server to -bind_port = 9696 - -# Path to the extensions. Note that this can be a colon-separated list of -# paths. For example: -# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions -# The __path__ of neutron.extensions is appended to this, so if your -# extensions are in there you don't need to specify them here -# api_extensions_path = - -# (StrOpt) Neutron core plugin entrypoint to be loaded from the -# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the -# plugins included in the neutron source distribution. For compatibility with -# previous versions, the class name of a plugin can be specified instead of its -# entrypoint name. -# -#core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin -core_plugin = ml2 -# Example: core_plugin = ml2 - -# (ListOpt) List of service plugin entrypoints to be loaded from the -# neutron.service_plugins namespace. 
See setup.cfg for the entrypoint names of -# the plugins included in the neutron source distribution. For compatibility -# with previous versions, the class name of a plugin can be specified instead -# of its entrypoint name. -# -# service_plugins = -# Example: service_plugins = router,firewall,lbaas,vpnaas,metering -service_plugins = router - -# Paste configuration file -api_paste_config = api-paste.ini - -# The strategy to be used for auth. -# Supported values are 'keystone'(default), 'noauth'. -auth_strategy = keystone - -# Base MAC address. The first 3 octets will remain unchanged. If the -# 4h octet is not 00, it will also be used. The others will be -# randomly generated. -# 3 octet -# base_mac = fa:16:3e:00:00:00 -# 4 octet -# base_mac = fa:16:3e:4f:00:00 - -# Maximum amount of retries to generate a unique MAC address -# mac_generation_retries = 16 - -# DHCP Lease duration (in seconds) -dhcp_lease_duration = 86400 - -# Allow sending resource operation notification to DHCP agent -# dhcp_agent_notification = True - -# Enable or disable bulk create/update/delete operations -# allow_bulk = True -# Enable or disable pagination -# allow_pagination = False -# Enable or disable sorting -# allow_sorting = False -# Enable or disable overlapping IPs for subnets -# Attention: the following parameter MUST be set to False if Neutron is -# being used in conjunction with nova security groups -allow_overlapping_ips = True -# Ensure that configured gateway is on subnet -# force_gateway_on_subnet = False - - -# RPC configuration options. Defined in rpc __init__ -# The messaging module to use, defaults to kombu. 
-# rpc_backend = neutron.openstack.common.rpc.impl_kombu -rpc_backend = rabbit -rabbit_host = {{ rabbit_host }} -rabbit_password = {{ RABBIT_PASS }} - -# Size of RPC thread pool -rpc_thread_pool_size = 240 -# Size of RPC connection pool -rpc_conn_pool_size = 100 -# Seconds to wait for a response from call or multicall -rpc_response_timeout = 300 -# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. -rpc_cast_timeout = 300 -# Modules of exceptions that are permitted to be recreated -# upon receiving exception data from an rpc call. -# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception -# AMQP exchange to connect to if using RabbitMQ or QPID -# control_exchange = neutron - -# If passed, use a fake RabbitMQ provider -# fake_rabbit = False - -# Configuration options if sending notifications via kombu rpc (these are -# the defaults) -# SSL version to use (valid only if SSL enabled) -# kombu_ssl_version = -# SSL key file (valid only if SSL enabled) -# kombu_ssl_keyfile = -# SSL cert file (valid only if SSL enabled) -# kombu_ssl_certfile = -# SSL certification authority file (valid only if SSL enabled) -# kombu_ssl_ca_certs = -# Port where RabbitMQ server is running/listening -rabbit_port = 5672 -# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672) -# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port' -# rabbit_hosts = localhost:5672 -# User ID used for RabbitMQ connections -rabbit_userid = {{ RABBIT_USER }} -# Location of a virtual RabbitMQ installation. -# rabbit_virtual_host = / -# Maximum retries with trying to connect to RabbitMQ -# (the default of 0 implies an infinite retry count) -# rabbit_max_retries = 0 -# RabbitMQ connection retry interval -# rabbit_retry_interval = 1 -# Use HA queues in RabbitMQ (x-ha-policy: all). You need to -# wipe RabbitMQ database when changing this option. 
(boolean value) -# rabbit_ha_queues = false -# QPID -# rpc_backend=neutron.openstack.common.rpc.impl_qpid -# Qpid broker hostname -# qpid_hostname = localhost -# Qpid broker port -# qpid_port = 5672 -# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672) -# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port' -# qpid_hosts = localhost:5672 -# Username for qpid connection -# qpid_username = '' -# Password for qpid connection -# qpid_password = '' -# Space separated list of SASL mechanisms to use for auth -# qpid_sasl_mechanisms = '' -# Seconds between connection keepalive heartbeats -# qpid_heartbeat = 60 -# Transport to use, either 'tcp' or 'ssl' -# qpid_protocol = tcp -# Disable Nagle algorithm -# qpid_tcp_nodelay = True - -# ZMQ -# rpc_backend=neutron.openstack.common.rpc.impl_zmq -# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. -# The "host" option should point or resolve to this address. -# rpc_zmq_bind_address = * - -# ============ Notification System Options ===================== - -# Notifications can be sent when network/subnet/port are created, updated or deleted. -# There are three methods of sending notifications: logging (via the -# log_file directive), rpc (via a message queue) and -# noop (no notifications sent, the default) - -# Notification_driver can be defined multiple times -# Do nothing driver -# notification_driver = neutron.openstack.common.notifier.no_op_notifier -# Logging driver -# notification_driver = neutron.openstack.common.notifier.log_notifier -# RPC driver. -notification_driver = neutron.openstack.common.notifier.rpc_notifier - -# default_notification_level is used to form actual topic name(s) or to set logging level -default_notification_level = INFO - -# default_publisher_id is a part of the notification payload -# host = myhost.com -# default_publisher_id = $host - -# Defined in rpc_notifier, can be comma separated values. 
-# The actual topic names will be %s.%(default_notification_level)s -notification_topics = notifications - -# Default maximum number of items returned in a single response, -# value == infinite and value < 0 means no max limit, and value must -# be greater than 0. If the number of items requested is greater than -# pagination_max_limit, server will just return pagination_max_limit -# of number of items. -# pagination_max_limit = -1 - -# Maximum number of DNS nameservers per subnet -# max_dns_nameservers = 5 - -# Maximum number of host routes per subnet -# max_subnet_host_routes = 20 - -# Maximum number of fixed ips per port -# max_fixed_ips_per_port = 5 - -# =========== items for agent management extension ============= -# Seconds to regard the agent as down; should be at least twice -# report_interval, to be sure the agent is down for good -agent_down_time = 75 -# =========== end of items for agent management extension ===== - -# =========== items for agent scheduler extension ============= -# Driver to use for scheduling network to DHCP agent -network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler -# Driver to use for scheduling router to a default L3 agent -router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler -# Driver to use for scheduling a loadbalancer pool to an lbaas agent -# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler - -# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted -# networks to first DHCP agent which sends get_active_networks message to -# neutron server -# network_auto_schedule = True - -# Allow auto scheduling routers to L3 agent. It will schedule non-hosted -# routers to first L3 agent which sends sync_routers message to neutron server -# router_auto_schedule = True - -# Number of DHCP agents scheduled to host a network. This enables redundant -# DHCP agents for configured networks. 
-# dhcp_agents_per_network = 1 - -# =========== end of items for agent scheduler extension ===== - -# =========== WSGI parameters related to the API server ============== -# Number of separate worker processes to spawn. The default, 0, runs the -# worker thread in the current process. Greater than 0 launches that number of -# child processes as workers. The parent process manages them. -api_workers = 8 - -# Number of separate RPC worker processes to spawn. The default, 0, runs the -# worker thread in the current process. Greater than 0 launches that number of -# child processes as RPC workers. The parent process manages them. -# This feature is experimental until issues are addressed and testing has been -# enabled for various plugins for compatibility. -rpc_workers = 8 - -# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when -# starting API server. Not supported on OS X. -# tcp_keepidle = 600 - -# Number of seconds to keep retrying to listen -# retry_until_window = 30 - -# Number of backlog requests to configure the socket with. -# backlog = 4096 - -# Max header line to accommodate large tokens -# max_header_line = 16384 - -# Enable SSL on the API server -# use_ssl = False - -# Certificate file to use when starting API server securely -# ssl_cert_file = /path/to/certfile - -# Private key file to use when starting API server securely -# ssl_key_file = /path/to/keyfile - -# CA certificate file to use when starting API server securely to -# verify connecting clients. This is an optional parameter only required if -# API clients need to authenticate to the API server using SSL certificates -# signed by a trusted CA -# ssl_ca_file = /path/to/cafile -# ======== end of WSGI parameters related to the API server ========== - - -# ======== neutron nova interactions ========== -# Send notification to nova when port status is active. 
-notify_nova_on_port_status_changes = True - -# Send notifications to nova when port data (fixed_ips/floatingips) change -# so nova can update it's cache. -notify_nova_on_port_data_changes = True - -# URL for connection to nova (Only supports one nova region currently). -nova_url = http://{{ internal_vip.ip }}:8774/v2 - -# Name of nova region to use. Useful if keystone manages more than one region -nova_region_name = regionOne - -# Username for connection to nova in admin context -nova_admin_username = nova - -# The uuid of the admin nova tenant - -# Password for connection to nova in admin context. -nova_admin_password = {{ NOVA_PASS }} - -# Authorization URL for connection to nova in admin context. -nova_admin_auth_url = http://{{ internal_vip.ip }}:35357/v2.0 - -# Number of seconds between sending events to nova if there are any events to send -send_events_interval = 2 - -# ======== end of neutron nova interactions ========== - -[quotas] -# Default driver to use for quota checks -quota_driver = neutron.db.quota_db.DbQuotaDriver - -# Resource name(s) that are supported in quota features -quota_items = network,subnet,port - -# Default number of resource allowed per tenant. A negative value means -# unlimited. -default_quota = -1 - -# Number of networks allowed per tenant. A negative value means unlimited. -quota_network = 100 - -# Number of subnets allowed per tenant. A negative value means unlimited. -quota_subnet = 100 - -# Number of ports allowed per tenant. A negative value means unlimited. -quota_port = 8000 - -# Number of security groups allowed per tenant. A negative value means -# unlimited. -quota_security_group = 1000 - -# Number of security group rules allowed per tenant. A negative value means -# unlimited. -quota_security_group_rule = 1000 - -# Number of vips allowed per tenant. A negative value means unlimited. -# quota_vip = 10 - -# Number of pools allowed per tenant. A negative value means unlimited. 
-# quota_pool = 10 - -# Number of pool members allowed per tenant. A negative value means unlimited. -# The default is unlimited because a member is not a real resource consumer -# on Openstack. However, on back-end, a member is a resource consumer -# and that is the reason why quota is possible. -# quota_member = -1 - -# Number of health monitors allowed per tenant. A negative value means -# unlimited. -# The default is unlimited because a health monitor is not a real resource -# consumer on Openstack. However, on back-end, a member is a resource consumer -# and that is the reason why quota is possible. -# quota_health_monitors = -1 - -# Number of routers allowed per tenant. A negative value means unlimited. -# quota_router = 10 - -# Number of floating IPs allowed per tenant. A negative value means unlimited. -# quota_floatingip = 50 - -[agent] -# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real -# root filter facility. -# Change to "sudo" to skip the filtering and just run the comand directly -root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf" - -# =========== items for agent management extension ============= -# seconds between nodes reporting state to server; should be less than -# agent_down_time, best if it is half or less than agent_down_time -report_interval = 30 - -# =========== end of items for agent management extension ===== - -[keystone_authtoken] -auth_uri = http://{{ internal_vip.ip }}:5000/v2.0 -identity_uri = http://{{ internal_vip.ip }}:35357 -admin_tenant_name = service -admin_user = neutron -admin_password = {{ NEUTRON_PASS }} -signing_dir = $state_path/keystone-signing - -[database] -# This line MUST be changed to actually run the plugin. -# Example: -# connection = mysql://root:pass@127.0.0.1:3306/neutron -# Replace 127.0.0.1 above with the IP address of the database used by the -# main neutron server. (Leave it as is if the database runs on this host.) 
-# connection = sqlite:////var/lib/neutron/neutron.sqlite -#connection = mysql://neutron:{{ NEUTRON_DBPASS }}@{{ db_host }}/neutron - -# The SQLAlchemy connection string used to connect to the slave database -slave_connection = - -# Database reconnection retry times - in event connectivity is lost -# set to -1 implies an infinite retry count -max_retries = 10 - -# Database reconnection interval in seconds - if the initial connection to the -# database fails -retry_interval = 10 - -# Minimum number of SQL connections to keep open in a pool -min_pool_size = 1 - -# Maximum number of SQL connections to keep open in a pool -max_pool_size = 100 - -# Timeout in seconds before idle sql connections are reaped -idle_timeout = 3600 - -# If set, use this value for max_overflow with sqlalchemy -max_overflow = 100 - -# Verbosity of SQL debugging information. 0=None, 100=Everything -connection_debug = 0 - -# Add python stack traces to SQL as comment strings -connection_trace = False - -# If set, use this value for pool_timeout with sqlalchemy -pool_timeout = 10 - -[service_providers] -# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall. -# Must be in form: -# service_provider=::[:default] -# List of allowed service types includes LOADBALANCER, FIREWALL, VPN -# Combination of and must be unique; must also be unique -# This is multiline option, example for default provider: -# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default -# example of non-default provider: -# service_provider=FIREWALL:name2:firewall_driver_path -# --- Reference implementations --- -service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default -service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default -# In order to activate Radware's lbaas driver you need to uncomment the next line. 
-# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
-# Otherwise comment the HA Proxy line
-# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
-# uncomment the following line to make the 'netscaler' LBaaS provider available.
-# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
-# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
-# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
-# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
-# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
diff --git a/deploy/adapters/ansible/openstack/templates/neutron.conf b/deploy/adapters/ansible/openstack/templates/neutron.conf
index 8a5e76ee..02a2cfa2 100644
--- a/deploy/adapters/ansible/openstack/templates/neutron.conf
+++ b/deploy/adapters/ansible/openstack/templates/neutron.conf
@@ -313,8 +313,9 @@ nova_region_name = regionOne
 nova_admin_username = nova
 # The uuid of the admin nova tenant
+{% if NOVA_ADMIN_TENANT_ID|default('') %}
 nova_admin_tenant_id = {{ NOVA_ADMIN_TENANT_ID.stdout_lines[0] }}
-
+{% endif %}
 # Password for connection to nova in admin context.
 nova_admin_password = {{ NOVA_PASS }}
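Review bot: The new guard `{% if NOVA_ADMIN_TENANT_ID|default('') %}` tests the whole registered result rather than the captured output, so it is true whenever the variable is set at all, and `NOVA_ADMIN_TENANT_ID.stdout_lines[0]` on the next line still raises when the command produced no output. If the intent is to emit `nova_admin_tenant_id` only when an id was actually captured, test the list itself: `{% if NOVA_ADMIN_TENANT_ID is defined and NOVA_ADMIN_TENANT_ID.stdout_lines|default([]) %}`. I am inferring from the `.stdout_lines` access that this is a registered command result; worth confirming at the task that registers it.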
@@ -452,8 +453,7 @@ pool_timeout = 10
 # example of non-default provider:
 # service_provider=FIREWALL:name2:firewall_driver_path
 # --- Reference implementations ---
-service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
-service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+service_provider=FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewllDriver:default
 # In order to activate Radware's lbaas driver you need to uncomment the next line.
 # If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
 # Otherwise comment the HA Proxy line
@@ -464,3 +464,9 @@ service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVP
 # service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
 # Uncomment the line below to use Embrane heleos as Load Balancer service provider.
 # service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
+
+{% if enable_fwaas %}
+[fwaas]
+driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
+enabled = True
+{% endif %}
diff --git a/deploy/adapters/ansible/roles/common/tasks/main.yml b/deploy/adapters/ansible/roles/common/tasks/main.yml
index 3114e638..3097d092 100644
--- a/deploy/adapters/ansible/roles/common/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/common/tasks/main.yml
@@ -5,11 +5,6 @@
 apt: pkg=landscape-common state=absent purge=yes
 when: ansible_os_family == "Debian"
-
-- name: install pip packages
- pip: name={{ item }} state=present extra_args='--pre'
- with_items: pip_packages
-
 - name: update hosts files to all hosts
 template: src=hosts dest=/etc/hosts backup=yes
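Review bot: The provider entry added in the `@@ -452` hunk spells the class `OVSHybridIptablesFirewllDriver`; the class neutron ships in `neutron.agent.linux.iptables_firewall` is `OVSHybridIptablesFirewallDriver`, so if neutron-server does resolve this provider the import fails — the line should read `service_provider=FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default`. It is also emitted unconditionally, while the `[fwaas]` section in the `@@ -464` hunk and the `service_plugins` update in firewall.yml are gated on `enable_fwaas`, so a deployment with FWaaS disabled still advertises a FIREWALL provider; wrapping this line in the same `{% if enable_fwaas %}` block keeps the three consistent. Dropping the LOADBALANCER and VPN reference lines here looks intentional given vpn.yml now writes the VPN provider to neutron_vpnaas.conf.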
@@ -42,6 +37,10 @@
 - name: update pip.conf
 template: src=pip.conf dest=~/.pip/{{ pip_conf }}
+- name: install pip packages
+ pip: name={{ item }} state=present extra_args='--pre'
+ with_items: pip_packages
+
 - name: update ntp conf
 template: src=ntp.conf dest=/etc/ntp.conf backup=yes
diff --git a/deploy/adapters/ansible/roles/common/vars/RedHat.yml b/deploy/adapters/ansible/roles/common/vars/RedHat.yml
index 10aa7715..6618748f 100644
--- a/deploy/adapters/ansible/roles/common/vars/RedHat.yml
+++ b/deploy/adapters/ansible/roles/common/vars/RedHat.yml
@@ -5,7 +5,7 @@ packages:
 pip_packages:
 - crudini
-pip_conf: .pip.conf
+pip_conf: pip.conf
 services:
 - openvswitch
diff --git a/deploy/adapters/ansible/roles/neutron-compute/tasks/main.yml b/deploy/adapters/ansible/roles/neutron-compute/tasks/main.yml
index e7ee13fc..640692ff 100644
--- a/deploy/adapters/ansible/roles/neutron-compute/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-compute/tasks/main.yml
@@ -36,7 +36,7 @@
 file: src=/etc/neutron/plugins/ml2/ml2_conf.ini dest=/etc/neutron/plugin.ini state=link
 - name: config neutron
- template: src=templates/neutron-network.conf
+ template: src=templates/neutron.conf
 dest=/etc/neutron/neutron.conf backup=yes
 notify:
 - restart neutron compute service
diff --git a/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
new file mode 100644
index 00000000..c5eaa80c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/files/vpnaas.filters
@@ -0,0 +1,7 @@
+[Filters]
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
+ipsec: CommandFilter, ipsec, root
+strongswan: CommandFilter, strongswan, root
+neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
+neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
diff --git a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
index 7e67b76e..945724b4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/handlers/main.yml
@@ -1,15 +1,19 @@
 ---
-- name: restart common neutron network relation service
- service: name={{ item }} state=restarted enabled=yes
- with_items: services_noarch
-
 - name: restart neutron network relation service
 service: name={{ item }} state=restarted enabled=yes
- with_items: services
+ with_flattened:
+ - services_noarch
+ - services
 - name: restart openvswitch agent service
 service: name=neutron-openvswitch-agent state=restarted enabled=yes
+- name: restart vpn agent service
+ service: name={{ item }} state=restarted enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+
 - name: kill dnsmasq
 command: killall dnsmasq
 ignore_errors: True
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
new file mode 100755
index 00000000..16624a4c
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/firewall.yml
@@ -0,0 +1,9 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install firewall packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: firewall_packages
+
+- name: update firewall related conf
+ shell: crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins firewall
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
index 7d643d5a..f8e9e8c4 100644
--- a/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/main.yml
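Review bot: The `update firewall related conf` task in firewall.yml uses `shell:` for a single crudini invocation with no shell features, reports `changed` on every run, and notifies nothing, although `service_plugins` is only read when neutron-server starts; the only restart trigger in this role is the marker task at the end of tasks/main.yml. Prefer `command: crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins firewall` and add `notify:` / `- restart neutron network relation service` to the task, assuming that handler's service list covers neutron-server — `services_noarch` is not visible here, so please check. The same applies to the crudini task in vpn.yml.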
@@ -13,6 +13,24 @@
 sysctl: name=net.ipv4.conf.default.rp_filter value=0 state=present reload=yes
+- name: assert kernel support for vxlan
+ command: modinfo -F version vxlan
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: assert iproute2 suppport for vxlan
+ command: ip link add type vxlan help
+ register: iproute_out
+ failed_when: iproute_out.rc == 255
+ when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+
+- name: update epel-release
+ shell: yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
+ ignore_errors: True
+
+- name: update rdo-release-kilo repo
+ shell: yum install -y http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
+ ignore_errors: True
+
 - name: install neutron network related packages
 action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
 with_items: packages | union(packages_noarch)
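Review bot: The new `update epel-release` and `update rdo-release-kilo repo` tasks run `yum install -y http://…` unconditionally on every host, fetch release RPMs over plain HTTP with no signature or checksum verification (yum does not check the signature of a package given by URL unless `localpkg_gpgcheck` is enabled), and `ignore_errors: True` hides any failure, so a missing, altered or unreachable repo definition is silently carried into the following `install neutron network related packages` step. They also run `shell:` on every play and therefore report `changed` each time, and on Debian hosts they simply fail and are ignored. Gate them on `ansible_os_family == "RedHat"`, let the `yum` module install from the URL (it is idempotent, so `ignore_errors` is no longer needed to survive re-runs), and either serve these RPMs from a trusted internal mirror or stage them with `get_url` and `sha256sum=<PUBLISHED_CHECKSUM>` before installing; the repos' `gpgcheck` covers the packages they later provide, not the release RPMs themselves.
```yaml
- name: update epel-release
  yum: name=http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm state=present
  when: ansible_os_family == "RedHat"

- name: update rdo-release-kilo repo
  yum: name=http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm state=present
  when: ansible_os_family == "RedHat"

# … unchanged: install neutron network related packages …
```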
@@ -48,36 +66,23 @@
 dest=/etc/neutron/plugins/ml2/ml2_conf.ini backup=yes
-- name: config neutron
- template: src=templates/neutron-network.conf
- dest=/etc/neutron/neutron.conf backup=yes
- notify:
- - restart common neutron network relation service
- - restart neutron network relation service
- - kill dnsmasq
-
-- meta: flush_handlers
-
 - name: ln plugin.ini
 file: src=/etc/neutron/plugins/ml2/ml2_conf.ini dest=/etc/neutron/plugin.ini state=link
-- name: restart openvswitch-agent service
- service: name={{ openvswitch_agent }} state=restarted enabled=yes
-
-- meta: flush_handlers
-
-#- include: igmp-router.yml
-# when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }} and ansible_os_family == 'Debian'"
+- name: config neutron
+ template: src=templates/neutron.conf
+ dest=/etc/neutron/neutron.conf backup=yes
-- name: assert kernel support for vxlan
- command: modinfo -F version vxlan
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: firewall.yml
+ when: enable_fwaas == True
-- name: assert iproute2 suppport for vxlan
- command: ip link add type vxlan help
- register: iproute_out
- failed_when: iproute_out.rc == 255
- when: "'vxlan' in {{ NEUTRON_TUNNEL_TYPES }}"
+- include: vpn.yml
+ when: enable_vpnaas == True
 - include: odl.yml
 when: "'opendaylight' in {{ NEUTRON_MECHANISM_DRIVERS }}"
+
+- name: restart neutron services
+ debug: msg="restart neutron services"
+ notify:
+ - restart neutron network relation service
diff --git a/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
new file mode 100755
index 00000000..6f70a68b
--- /dev/null
+++ b/deploy/adapters/ansible/roles/neutron-network/tasks/vpn.yml
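Review bot: The closing `restart neutron services` task hangs its `notify` off a `debug` module, and unless I am misreading Ansible's handler semantics that never fires — handlers are queued only by tasks that report `changed`, and `debug` reports `ok` — while this hunk also drops the `notify` list (including the `kill dnsmasq` handler) from the `config neutron` template task, so a changed neutron.conf no longer restarts anything on network nodes. Restore `notify:` / `- restart neutron network relation service` on the `config neutron` template task (the crudini `shell` tasks in firewall.yml and vpn.yml always report changed and could carry the same notify), or at minimum add `changed_when: True` to the marker task. Separately, `when: enable_fwaas == True` and `when: enable_vpnaas == True` match only a real boolean; if the flag reaches the play as the string "true" the include is skipped, and `when: enable_fwaas|bool` covers both forms.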
@@ -0,0 +1,26 @@
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install vpn packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ with_items: vpn_packages
+
+- name: update vpn related conf
+ shell: crudini --set /etc/neutron/l3_agent.ini vpnagent vpn_device_driver neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver;
+ crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas
+ crudini --set /etc/neutron/neutron_vpnaas.conf service_providers service_provider 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+
+- name: make sure rootwrap.d dir exist
+ file: path=/etc/neutron/rootwrap.d state=directory mode=0755
+
+- name: update rootwrap
+ copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters
+
+- name: enable vpn service
+ service: name={{ item }} state=started enabled=yes
+ with_items:
+ - neutron-vpn-agent
+ - strongswan
+ notify:
+ - restart vpn agent service
+
diff --git a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
index 14fd7731..f5e03090 100644
--- a/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
+++ b/deploy/adapters/ansible/roles/neutron-network/vars/RedHat.yml
@@ -3,6 +3,13 @@ packages:
 - openstack-neutron-ml2
 - openstack-neutron-openvswitch
+vpn_packages:
+ - openstack-neutron-vpn-agent
+ - strongswan
+
+firewall_packages:
+ - openstack-neutron-fwaas
+
 services:
 - openvswitch
 - neutron-openvswitch-agent
diff --git a/deploy/client.py b/deploy/client.py
index b69b8acc..15f1ba8d 100644
--- a/deploy/client.py
+++ b/deploy/client.py
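Review bot: The three crudini commands in `update vpn related conf` form one plain multi-line YAML scalar, which folds the line breaks into spaces; the first command ends with `;` but the second does not, so the `service_plugins vpnaas` call and the entire `neutron_vpnaas.conf` provider line are handed to a single crudini as one argument list, and neither the VPN plugin nor the provider gets written. Terminate the second command too, `crudini --set --list /etc/neutron/neutron.conf DEFAULT service_plugins vpnaas;`, or better split the three into separate `command:` tasks so each one's result is reported on its own. The `update rootwrap` task also installs a rootwrap filter file — which is what lets the agent run the listed commands as root — with ownership and mode left to defaults; set them explicitly so the file is root-owned and not writable by the neutron service account, `copy: src=vpnaas.filters dest=/etc/neutron/rootwrap.d/vpnaas.filters owner=root group=root mode=0644`, and give the `rootwrap.d` directory task `owner=root group=root` as well.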
@@ -204,6 +204,12 @@ opts = [
 cfg.StrOpt('enable_secgroup',
 help='enable security group',
 default='true'),
+ cfg.StrOpt('enable_vpnaas',
+ help='enable vpn as service',
+ default='true'),
+ cfg.StrOpt('enable_fwaas',
+ help='enable firewall as service',
+ default='true'),
 cfg.StrOpt('network_cfg',
 help='netowrk config file',
 default=''),
@@ -702,6 +708,8 @@ class CompassClient(object):
 package_config["ha_proxy"]["vip"] = CONF.cluster_vip
 package_config['enable_secgroup'] = (CONF.enable_secgroup == "true")
+ package_config['enable_fwaas'] = (CONF.enable_fwaas== "true")
+ package_config['enable_vpnaas'] = (CONF.enable_vpnaas== "true")
 status, resp = self.client.update_cluster_config(
 cluster_id, package_config=package_config)
diff --git a/deploy/conf/base.conf b/deploy/conf/base.conf
index a77fa9b2..131cd57d 100644
--- a/deploy/conf/base.conf
+++ b/deploy/conf/base.conf
@@ -19,6 +19,8 @@ export MANAGEMENT_IP_START=${MANAGEMENT_IP_START:-'10.1.0.50'}
 export MANAGEMENT_INTERFACE=${MANAGEMENT_INTERFACE:-eth0}
 export DASHBOARD_URL=""
 export ENABLE_SECGROUP="false"
+export ENABLE_VPNAAS="false"
+export ENABLE_FWAAS="false"
 function next_ip {
 ip_addr=$1
diff --git a/deploy/deploy_host.sh b/deploy/deploy_host.sh
index e708bc28..e7dedb89 100644
--- a/deploy/deploy_host.sh
+++ b/deploy/deploy_host.sh
@@ -23,6 +23,6 @@ function deploy_host(){
 --machines=${machines//\'} --switch_credential="${SWITCH_CREDENTIAL}" --deploy_type="${TYPE}" \
 --deployment_timeout="${DEPLOYMENT_TIMEOUT}" --${POLL_SWITCHES_FLAG} --dashboard_url="${DASHBOARD_URL}" \
 --cluster_vip="${VIP}" --network_cfg="$NETWORK" --neutron_cfg="$NEUTRON" \
- --enable_secgroup="${ENABLE_SECGROUP}"
+ --enable_secgroup="${ENABLE_SECGROUP}" --enable_fwaas="${ENABLE_FWAAS}" --enable_vpnaas="${ENABLE_VPNAAS}"
 }
-- cgit 1.2.3-korg
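Review bot: The two assignments added in the `@@ -702` hunk, `(CONF.enable_fwaas== "true")` and `(CONF.enable_vpnaas== "true")`, drop the space before `==` that the sibling `enable_secgroup` line keeps; PEP 8 wants `package_config['enable_fwaas'] = (CONF.enable_fwaas == "true")` and likewise for vpnaas. In the `@@ -204` hunk both new options default to `'true'`, matching `enable_secgroup`, while deploy/conf/base.conf exports `ENABLE_FWAAS` and `ENABLE_VPNAAS` as `"false"`; deploy_host.sh always passes the flags explicitly, so the defaults only matter for other callers of client.py, but the mismatch deserves a deliberate choice and a comment on whichever side is authoritative. The CompassClient method containing the `@@ -702` hunk starts before the hunk.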