b3a210f643
With the plan [1] to stop enabling it by Neutron iptables firewall driver itself, deployment tools should catch up and enable the firewall themselves. This is needed for distributions that decided to disable the kernel firewall by default (upstream kernel has it enabled). This is also needed for distributions that ship newer kernels but don't load the br_netfilter module before starting nova-network or Neutron iptables firewall driver. In the latter case, firewall may not work, depending on the order of operations executed by the driver. To isolate devstack setups from the difference in distribution kernel configuration and version, the following steps are done: - we load bridge kernel module, and br_netfilter if present, to get access to sysctl knobs controlling the firewall; - once knobs are available, we unconditionally set them to 1, to make sure the firewall is in effect. More details at: http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf [1] I9137ea017624ac92a05f73863b77f9ee4681bbe7 Change-Id: Id6bfd9595f0772a63d1096ef83ebbb6cd630fafd Related-Bug: #1622914
125 lines
4.0 KiB
Bash
125 lines
4.0 KiB
Bash
#!/bin/bash
|
|
#
|
|
# common functions for ovs based plugin
|
|
# -------------------------------------
|
|
|
|
# Save trace setting
|
|
_XTRACE_NEUTRON_OVS_BASE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
OVS_BRIDGE=${OVS_BRIDGE:-br-int}
|
|
# OVS recognize default 'system' datapath or 'netdev' for userspace datapath
|
|
OVS_DATAPATH_TYPE=${OVS_DATAPATH_TYPE:-system}
|
|
OVS_TUNNEL_BRIDGE=${OVS_TUNNEL_BRIDGE:-br-tun}
|
|
|
|
function is_neutron_ovs_base_plugin {
|
|
# Yes, we use OVS.
|
|
return 0
|
|
}
|
|
|
|
function _neutron_ovs_base_add_bridge {
|
|
local bridge=$1
|
|
local addbr_cmd="sudo ovs-vsctl -- --may-exist add-br $bridge"
|
|
|
|
if [ "$OVS_DATAPATH_TYPE" != "system" ] ; then
|
|
addbr_cmd="$addbr_cmd -- set Bridge $bridge datapath_type=${OVS_DATAPATH_TYPE}"
|
|
fi
|
|
|
|
$addbr_cmd
|
|
}
|
|
|
|
function _neutron_ovs_base_setup_bridge {
|
|
local bridge=$1
|
|
neutron-ovs-cleanup
|
|
_neutron_ovs_base_add_bridge $bridge
|
|
sudo ovs-vsctl --no-wait br-set-external-id $bridge bridge-id $bridge
|
|
}
|
|
|
|
function neutron_ovs_base_cleanup {
|
|
# remove all OVS ports that look like Neutron created ports
|
|
for port in $(sudo ovs-vsctl list port | grep -o -e [a-zA-Z\-]*tap[0-9a-f\-]* -e q[rg]-[0-9a-f\-]*); do
|
|
sudo ovs-vsctl del-port ${port}
|
|
done
|
|
|
|
# remove all OVS bridges created by Neutron
|
|
for bridge in $(sudo ovs-vsctl list-br | grep -o -e ${OVS_BRIDGE} -e ${PUBLIC_BRIDGE} -e ${OVS_TUNNEL_BRIDGE}); do
|
|
sudo ovs-vsctl del-br ${bridge}
|
|
done
|
|
}
|
|
|
|
function _neutron_ovs_base_install_ubuntu_dkms {
|
|
# install Dynamic Kernel Module Support packages if needed
|
|
local kernel_version
|
|
kernel_version=$(uname -r)
|
|
local kernel_major_minor
|
|
kernel_major_minor=`echo $kernel_version | cut -d. -f1-2`
|
|
# From kernel 3.13 on, openvswitch-datapath-dkms is not needed
|
|
if vercmp "$kernel_major_minor" "<" "3.13" ; then
|
|
install_package "dkms openvswitch-datapath-dkms linux-headers-$kernel_version"
|
|
fi
|
|
}
|
|
|
|
function _neutron_ovs_base_install_agent_packages {
|
|
# Install deps
|
|
install_package $(get_packages "openvswitch")
|
|
if is_ubuntu; then
|
|
_neutron_ovs_base_install_ubuntu_dkms
|
|
restart_service openvswitch-switch
|
|
elif is_fedora; then
|
|
restart_service openvswitch
|
|
sudo systemctl enable openvswitch
|
|
elif is_suse; then
|
|
restart_service openvswitch-switch
|
|
fi
|
|
}
|
|
|
|
function _neutron_ovs_base_configure_debug_command {
|
|
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
|
|
iniset $NEUTRON_TEST_CONFIG_FILE DEFAULT external_network_bridge ""
|
|
else
|
|
iniset $NEUTRON_TEST_CONFIG_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
|
|
fi
|
|
}
|
|
|
|
function _neutron_ovs_base_configure_firewall_driver {
|
|
if [[ "$Q_USE_SECGROUP" == "True" ]]; then
|
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
|
enable_kernel_bridge_firewall
|
|
else
|
|
iniset /$Q_PLUGIN_CONF_FILE securitygroup firewall_driver neutron.agent.firewall.NoopFirewallDriver
|
|
fi
|
|
}
|
|
|
|
function _neutron_ovs_base_configure_l3_agent {
|
|
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
|
|
iniset $Q_L3_CONF_FILE DEFAULT external_network_bridge ""
|
|
else
|
|
iniset $Q_L3_CONF_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
|
|
fi
|
|
|
|
neutron-ovs-cleanup
|
|
if [[ "$Q_USE_PUBLIC_VETH" = "True" ]]; then
|
|
ip link show $Q_PUBLIC_VETH_INT > /dev/null 2>&1 ||
|
|
sudo ip link add $Q_PUBLIC_VETH_INT type veth \
|
|
peer name $Q_PUBLIC_VETH_EX
|
|
sudo ip link set $Q_PUBLIC_VETH_INT up
|
|
sudo ip link set $Q_PUBLIC_VETH_EX up
|
|
sudo ip addr flush dev $Q_PUBLIC_VETH_EX
|
|
else
|
|
_neutron_ovs_base_add_public_bridge
|
|
sudo ovs-vsctl br-set-external-id $PUBLIC_BRIDGE bridge-id $PUBLIC_BRIDGE
|
|
fi
|
|
}
|
|
|
|
function _neutron_ovs_base_add_public_bridge {
|
|
_neutron_ovs_base_add_bridge $PUBLIC_BRIDGE
|
|
set_mtu $PUBLIC_BRIDGE $PUBLIC_BRIDGE_MTU
|
|
}
|
|
|
|
function _neutron_ovs_base_configure_nova_vif_driver {
|
|
:
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_NEUTRON_OVS_BASE
|