openstack
/
neutron-vpnaas
Code Issues Proposed changes

Merge "Replace neutron CLI with openstack CLI"

This commit is contained in:
Zuul 2019-04-24 02:43:35 +00:00 committed by Gerrit Code Review
parent f9e9712dca 0585b53530
commit b568b7afcd
3 changed files with 156 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
doc/source/contributor/multiple-local-subnets.rst
View File

@ -44,13 +44,15 @@ Client CLI API
-------------- --------------
The originally implemented client CLI APIs (which are still available The originally implemented client CLI APIs (which are still available
for backward compatibility) for an IPsec connection are:: for backward compatibility) for an IPsec connection are:
neutron vpn-service-create ROUTER SUBNET .. code-block:: none
neutron ipsec-site-connection-create
--vpnservice-id VPNSERVICE openstack vpn service create --router ROUTER --subnet SUBNET NAME
--ikepolicy-id IKEPOLICY openstack vpn ipsec site connection create
--ipsecpolicy-id IPSECPOLICY --vpnservice VPNSERVICE
--ikepolicy IKEPOLICY
--ipsecpolicy IPSECPOLICY
--peer-address PEER_ADDRESS --peer-address PEER_ADDRESS
--peer-id PEER_ID --peer-id PEER_ID
--peer-cidr PEER_CIDRS --peer-cidr PEER_CIDRS
@ -58,34 +60,39 @@ for backward compatibility) for an IPsec connection are::
--initiator {bi-directional | response-only} --initiator {bi-directional | response-only}
--mtu MTU --mtu MTU
--psk PSK --psk PSK
VPN_IPSEC_SITE_CONNECTION_NAME
Changes to the API, to support multiple local subnets, are shown in Changes to the API, to support multiple local subnets, are shown in
**bold** text:: **highlighted** text:
neutron vpn-service-create ROUTER .. code-block:: none
**neutron vpn-endpoint-groups-create** :emphasize-lines: 2-6,17-18
**--name OPTIONAL-NAME**
**--description OPTIONAL-DESCRIPTION** openstack vpn service create --router ROUTER NAME
**--ep-type={subnet,cidr,network,vlan,router}** openstack vpn endpoint group create
**--ep-value=[list-of-endpoints-of-type]** --description OPTIONAL-DESCRIPTION
neutron ipsec-site-connection-create --type={subnet,cidr,network,vlan,router}
--vpnservice-id VPNSERVICE --value=ENDPOINT-OF-TYPE[,--value=ENDPOINT-OF-TYPE,...]
--ikepolicy-id IKEPOLICY ENDPOINT-GROUP-NAME
--ipsecpolicy-id IPSECPOLICY openstack vpn ipsec site connection create
--vpnservice VPNSERVICE
--ikepolicy IKEPOLICY
--ipsecpolicy IPSECPOLICY
--peer-address PEER_ADDRESS --peer-address PEER_ADDRESS
--peer-id PEER_ID --peer-id PEER_ID
--dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT --dpd action=ACTION,interval=INTERVAL,timeout=TIMEOUT
--initiator {bi-directional | response-only} --initiator {bi-directional | response-only}
--mtu MTU --mtu MTU
--psk PSK --psk PSK
**--local-endpoints ENDPOINT-GROUPS-UUID** --local-endpoint-group ENDPOINT-GROUP-UUID
**--peer-endpoints ENDPOINT-GROUPS-UUID** --peer-endpoint-group ENDPOINT-GROUP-UUID
VPN_IPSEC_SITE_CONNECTION_NAME
The SUBNET in the original service API is optional, and will be used as an The SUBNET in the original service API is optional, and will be used as an
indicator of whether or not the multiple local subnets feature is active. indicator of whether or not the multiple local subnets feature is active.
See the 'Backward Compatibility' section, below, for details. See the 'Backward Compatibility' section, below, for details.
For the endpoint groups, the --ep-type value is a string, so that other For the endpoint groups, the ``--type`` value is a string, so that other
types can be supported in the future. types can be supported in the future.
The endpoint groups API would enforce that the endpoint values are all of The endpoint groups API would enforce that the endpoint values are all of
@ -102,58 +109,59 @@ specified, and the type would be 'network'.
The ROUTER may also be able to be removed, in the future, and can be The ROUTER may also be able to be removed, in the future, and can be
determined, when the connections are created. determined, when the connections are created.
Note: Using --ep-type, as --endpoint-type is already used elsewhere, and
--type is too generic. Using --ep-value, as --endpoint is already in use,
--end-point could be easily mistyped as --endpoint, and --value is too
generic.
Examples Examples
-------- --------
The original APIs to create one side of an IPSec connection with The original APIs to create one side of an IPSec connection with
only one local and peer subnet:: only one local and peer subnet:
neutron vpn-ikepolicy-create ikepolicy .. code-block:: none
neutron vpn-ipsecpolicy-create ipsecpolicy
neutron vpn-service-create --name myvpn router1 privateA openstack vpn ike policy create ikepolicy
neutron ipsec-site-connection-create openstack vpn ipsec policy create ipsecpolicy
--name vpnconnection1 openstack vpn service create --router router1 --subnet privateA myvpn
--vpnservice-id myvpn openstack vpn ipsec site connection create
--ikepolicy-id ikepolicy --vpnservice myvpn
--ipsecpolicy-id ipsecpolicy --ikepolicy ikepolicy
--ipsecpolicy ipsecpolicy
--peer-address 172.24.4.13 --peer-address 172.24.4.13
--peer-id 172.24.4.13 --peer-id 172.24.4.13
--peer-cidr 10.3.0.0/24 --peer-cidr 10.3.0.0/24
--psk secret --psk secret
vpnconnection1
The local CIDR is obtained from the subnet, privateA. In this example, The local CIDR is obtained from the subnet, privateA. In this example,
that would be 10.1.0.0/24 (because that's how privateA was created). that would be 10.1.0.0/24 (because that's how privateA was created).
Using the multiple local subnet feature, the APIs (with changes shown Using the multiple local subnet feature, the APIs (with changes shown
in **bold** below:: in **highlighted** below:
neutron vpn-ikepolicy-create ikepolicy .. code-block:: none
neutron vpn-ipsecpolicy-create ipsecpolicy :emphasize-lines: 4-12,20-21
neutron vpn-service-create --name myvpn router1
**neutron vpn-endpoint-group-create** openstack vpn ike policy create ikepolicy
**--name local-eps** openstack vpn ipsec policy create ipsecpolicy
**--ep-type=subnet** openstack vpn service create --router router1 myvpn
**--ep-value=privateA** openstack vpn endpoint group create
**--ep-value=privateB** --type=subnet
**neutron vpn-endpoint-group-create** --value=privateA
**--name peer-eps** --value=privateB
**--ep-type=cidr** local-eps
**--ep-vallue=10.3.0.0/24** openstack vpn endpoint group create
neutron ipsec-site-connection-create --type=cidr
--name vpnconnection1 --value=10.3.0.0/24
--vpnservice-id myvpn peer-eps
--ikepolicy-id ikepolicy openstack vpn ipsec site connection create
--ipsecpolicy-id ipsecpolicy --vpnservice myvpn
--ikepolicy ikepolicy
--ipsecpolicy ipsecpolicy
--peer-address 172.24.4.13 --peer-address 172.24.4.13
--peer-id 172.24.4.13
--psk secret --psk secret
**--local-endpoints local-eps** --local-endpoint-group local-eps
**--peer-endpoints peer-eps** --peer-endpoint-group peer-eps
vpnconnection1
The subnets privateA and privateB are used for local endpoints and the The subnets privateA and privateB are used for local endpoints and the
10.3.0.0/24 CIDR is used for the peer endpoint. 10.3.0.0/24 CIDR is used for the peer endpoint.

111
doc/source/contributor/testing-with-devstack.rst
View File

@ -99,27 +99,33 @@ On ``East``
.. code-block:: none .. code-block:: none
neutron vpn-ikepolicy-create ikepolicy1 openstack vpn ike policy create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1 openstack vpn ipsec policy create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 openstack vpn service create --description "My vpn service" \
neutron vpn-endpoint-group-create --name my-locals --type subnet --value mysubnet --router router1 myvpn
neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.2.0.0/24 openstack vpn endpoint group create --type subnet --value mysubnet my-locals
neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 my-peers
--ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 \ openstack vpn ipsec site connection create --vpnservice myvpn \
--peer-id 172.24.4.233 --local-ep-group my-locals --peer-ep-group my-peers --psk secret --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \
--peer-address 172.24.4.233 --peer-id 172.24.4.233 \
--local-endpoint-group my-locals --peer-endpoint-group my-peers \
--psk secret vpnconnection1
On ``West`` On ``West``
.. code-block:: none .. code-block:: none
neutron vpn-ikepolicy-create ikepolicy1 openstack vpn ike policy create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1 openstack vpn ipsec policy create ipsecpolicy1
neutron vpn-service-create --name myvpn --description "My vpn service" router1 openstack vpn service create --description "My vpn service" \
neutron vpn-endpoint-group-create --name my-locals --type subnet --value mysubnet --router router1 myvpn
neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.1.0.0/24 openstack vpn endpoint group create --type subnet --value mysubnet my-locals
neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ openstack vpn endpoint group create --type cidr --value 10.1.0.0/24 my-peers
--ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.226 \ openstack vpn ipsec site connection create --vpnservice myvpn \
--peer-id 172.24.4.226 --local-ep-group my-locals --peer-ep-group my-peers --psk secret --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \
--peer-address 172.24.4.226 --peer-id 172.24.4.226 \
--local-endpoint-group my-locals --peer-endpoint-group my-peers \
--psk secret vpnconnection1
.. note:: .. note::
@ -176,19 +182,21 @@ to be created, and a VM spun up in each private network.
# Create second net, subnet, router # Create second net, subnet, router
source ~/devstack/openrc admin demo source ~/devstack/openrc admin demo
neutron net-create privateB openstack network create privateB
neutron subnet-create --name subB privateB 10.2.0.0/24 --gateway 10.2.0.1 openstack subnet create --network privateB --subnet-range 10.2.0.0/24 --gateway 10.2.0.1 subB
neutron router-create routerB openstack router create routerB
neutron router-interface-add routerB subB openstack router add subnet routerB subB
neutron router-gateway-set routerB public openstack router set --external-gateway public routerB
# Start up a VM in the privateA subnet. # Start up a VM in the privateA subnet.
PRIVATE_NET=`neutron net-list | grep 'private ' | cut -f 2 -d' '` PRIVATE_NET=`openstack network show private -c id -f value`
nova boot --flavor 1 --image cirros-0.3.5-x86_64-uec --nic net-id=$PRIVATE_NET peter openstack server create --flavor 1 --image cirros-0.3.5-x86_64-uec \
--nic net-id=$PRIVATE_NET peter
# Start up a VM in the privateB subnet # Start up a VM in the privateB subnet
PRIVATE_NETB=`neutron net-list | grep privateB | cut -f 2 -d' '` PRIVATE_NETB=`openstack network show privateB -c id -f value`
nova boot --flavor 1 --image cirros-0.3.5-x86_64-uec --nic net-id=$PRIVATE_NETB paul openstack server create --flavor 1 --image cirros-0.3.5-x86_64-uec \
--nic net-id=$PRIVATE_NETB paul
At this point, you can verify that you have basic connectivity. At this point, you can verify that you have basic connectivity.
@ -205,21 +213,27 @@ The following commands will create the IPsec connection:
.. code-block:: none .. code-block:: none
# Create VPN connections # Create VPN connections
neutron vpn-ikepolicy-create ikepolicy openstack vpn ike policy create ikepolicy
neutron vpn-ipsecpolicy-create ipsecpolicy openstack vpn ipsec policy create ipsecpolicy
neutron vpn-service-create --name myvpn --description "My vpn service" router1 openstack vpn service create --router router1 \
neutron vpn-endpoint-group-create --name my-localsA --type subnet --value privateA --description "My vpn service" myvpn
neutron vpn-endpoint-group-create --name my-peersA --type cidr --value 10.2.0.0/24 openstack vpn endpoint group create --type subnet --value privateA my-localsA
neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn \ openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 my-peersA
--ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.13 \ openstack vpn ipsec site connection create --vpnservice myvpn \
--peer-id 172.24.4.13 --local-ep-group my-localsA --peer-ep-group my-peersA --psk secret --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \
--peer-address 172.24.4.13 --peer-id 172.24.4.13 \
--local-endpoint-group my-localsA --peer-endpoint-group my-peersA \
--psk secret vpnconnection1
neutron vpn-service-create --name myvpnB --description "My vpn serviceB" routerB openstack vpn service create --router routerB \
neutron vpn-endpoint-group-create --name my-localsB --type subnet --value subB --description "My vpn serviceB" myvpnB
neutron vpn-endpoint-group-create --name my-peersB --type cidr --value 10.1.0.0/24 openstack vpn endpoint group create --type subnet --value subB my-localsB
neutron ipsec-site-connection-create --name vpnconnection2 --vpnservice-id myvpnB \ openstack vpn endpoint group create --type cidr --value 10.1.0.0/24 my-peersB
--ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.11 \ openstack vpn ipsec site connection create --vpnservice myvpnB \
--peer-id 172.24.4.11 --local-ep-group my-localsB --peer-ep-group my-peersB --psk secret --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \
--peer-address 172.24.4.11 --peer-id 172.24.4.11 \
--local-endpoint-group my-localsB --peer-endpoint-group my-peersB \
--psk secret vpnconnection2
At this point (once the connections become active - which can take up to 30 seconds or so), At this point (once the connections become active - which can take up to 30 seconds or so),
you should be able to ping from the VM in the privateA network, to the VM in the privateB you should be able to ping from the VM in the privateA network, to the VM in the privateB
@ -252,17 +266,18 @@ of VPN, in the future. An example:
.. code-block:: none .. code-block:: none
# Create VPN connections # Create VPN connections
neutron vpn-ikepolicy-create ikepolicy openstack vpn ike policy create ikepolicy
neutron vpn-ipsecpolicy-create ipsecpolicy openstack vpn ipsec policy create ipsecpolicy
neutron vpn-service-create --name myvpnC --description "My vpn service" router1 openstack vpn service create --router router1 \
--description "My vpn service" myvpnC
To prepare for an IPsec site-to-site, one would create an endpoint group for To prepare for an IPsec site-to-site, one would create an endpoint group for
the local subnets, and an endpoint group for the peer CIDRs, like so: the local subnets, and an endpoint group for the peer CIDRs, like so:
.. code-block:: none .. code-block:: none
neutron vpn-endpoint-group-create --name my-locals --type subnet --value privateA --value privateA2 openstack vpn endpoint group create --type subnet --value privateA --value privateA2 my-locals
neutron vpn-endpoint-group-create --name my-peers --type cidr --value 10.2.0.0/24 --value 20.2.0.0/24 openstack vpn endpoint group create --type cidr --value 10.2.0.0/24 --value 20.2.0.0/24 my-peers
where privateA and privateA2 are two local (private) subnets, and 10.2.0.0/24 and 20.2.0.0/24 where privateA and privateA2 are two local (private) subnets, and 10.2.0.0/24 and 20.2.0.0/24
are two CIDRs representing peer (private) subnets that will be used by a connection. are two CIDRs representing peer (private) subnets that will be used by a connection.
@ -271,9 +286,11 @@ be specified, instead of the peer-cidrs attribute:
.. code-block:: none .. code-block:: none
neutron ipsec-site-connection-create --name vpnconnection3 --vpnservice-id myvpnC \ openstack vpn ipsec site connection create --vpnservice myvpnC \
--ikepolicy-id ikepolicy --ipsecpolicy-id ipsecpolicy --peer-address 172.24.4.11 \ --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy \
--peer-id 172.24.4.11 --local-ep-group my-locals --peer-ep-group my-peers --psk secret --peer-address 172.24.4.11 --peer-id 172.24.4.11 \
--local-endpoint-group my-locals --peer-endpoint-group my-peers \
--psk secret vpnconnection3
.. note:: .. note::
- The validation logic makes sure that endpoint groups and peer CIDRs are not intermixed. - The validation logic makes sure that endpoint groups and peer CIDRs are not intermixed.

54
tools/test_script.sh
View File

@ -1,52 +1,58 @@
#!/usr/bin/env bash #!/usr/bin/env bash
EXT_NW_ID=`neutron net-list | awk '/public/{print $2}'` EXT_NW_ID=`openstack network show public -c id -f value`
EXTERNAL_SUBNET_IP_VERSION='v4'
WEST_SUBNET='192.168.1.0/24' WEST_SUBNET='192.168.1.0/24'
EAST_SUBNET='192.168.2.0/24' EAST_SUBNET='192.168.2.0/24'
function setup_site(){ function setup_site(){
local site_name=$1 local site_name=$1
local cidr=$2 local cidr=$2
neutron net-create net_$site_name openstack network create net_$site_name
neutron subnet-create --name subnet_$site_name net_$site_name $2 openstack subnet create --network net_$site_name --subnet-range $2 subnet_$site_name
neutron router-create router_$site_name openstack router create router_$site_name
neutron router-interface-add router_$site_name subnet_$site_name openstack router add subnet router_$site_name subnet_$site_name
neutron router-gateway-set router_$site_name $EXT_NW_ID openstack router set --external-gateway $EXT_NW_ID router_$site_name
neutron vpn-service-create --name vpn_$site_name router_$site_name subnet_$site_name openstack vpn service create --subnet subnet_$site_name --router router_$site_name vpn_$site_name
} }
function get_external_ip(){ function get_external_ip(){
local router_id=`neutron router-show $1 | awk '/ id /{print $4}'` echo `openstack vpn service show $1 -c external_${EXTERNAL_SUBNET_IP_VERSION}_ip -f value`
echo `neutron port-list -c fixed_ips -c device_id -c device_owner|grep router_gateway | awk '/'.$router_id.'/{print $5}' | sed 's/["}]//g'`
} }
function clean_site(){ function clean_site(){
local site_name=$1 local site_name=$1
neutron ipsec-site-connection-delete conn_$site_name openstack vpn ipsec site connection delete conn_$site_name
neutron vpn-service-list | awk '/vpn_'$site_name'/{print "neutron vpn-service-delete " $2}' | bash openstack vpn service delete vpn_$site_name
neutron router-gateway-clear router_$site_name openstack router unset --external-gateway router_$site_name
neutron router-interface-delete router_$site_name subnet_$site_name openstack router remove subnet router_$site_name subnet_$site_name
neutron router-list | awk '/router_'$site_name'/{print "neutron router-delete " $2}' | bash openstack router delete router_$site_name
neutron subnet-list | awk '/subnet_'$site_name'/{print "neutron subnet-delete " $2}' | bash openstack subnet delete subnet_$site_name
neutron net-list | awk '/net_'$site_name'/{print "neutron net-delete " $2}' | bash openstack network delete net_$site_name
} }
function setup(){ function setup(){
neutron vpn-ikepolicy-create ikepolicy1 openstack vpn ike policy create ikepolicy1
neutron vpn-ipsecpolicy-create ipsecpolicy1 openstack vpn ipsec policy create ipsecpolicy1
setup_site west $WEST_SUBNET setup_site west $WEST_SUBNET
WEST_IP=$(get_external_ip router_west) WEST_IP=$(get_external_ip vpn_west)
setup_site east $EAST_SUBNET setup_site east $EAST_SUBNET
EAST_IP=$(get_external_ip router_east) EAST_IP=$(get_external_ip vpn_east)
neutron ipsec-site-connection-create --name conn_east --vpnservice-id vpn_east --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr $WEST_SUBNET --psk secret openstack vpn ipsec site connection create \
neutron ipsec-site-connection-create --name conn_west --vpnservice-id vpn_west --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr $EAST_SUBNET --psk secret --vpnservice vpn_east --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \
--peer-address $WEST_IP --peer-id $WEST_IP --peer-cidr $WEST_SUBNET \
--psk secret conn_east
openstack vpn ipsec site connection create \
--vpnservice vpn_west --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 \
--peer-address $EAST_IP --peer-id $EAST_IP --peer-cidr $EAST_SUBNET \
--psk secret conn_west
} }
function cleanup(){ function cleanup(){
clean_site west clean_site west
clean_site east clean_site east
neutron vpn-ikepolicy-delete ikepolicy1 openstack vpn ike policy delete ikepolicy1
neutron vpn-ipsecpolicy-delete ipsecpolicy1 openstack vpn ipsec policy delete ipsecpolicy1
} }
cleanup cleanup