openstack
/
openstack-helm
Code Issues Proposed changes
openstack-helm/doc/source/install/plugins/deploy-tap-as-a-service-neu...

11 KiB
Raw Blame History

Deploy tap-as-a-service (TaaS) Neutron / Dashboard plugin

This guide explains how to deploy tap-as-a-service (TaaS) Neutron plugin and TaaS Dashboard plugin in Neutron and Horizon charts respectively.

TaaS plugin provides a mechanism to mirror certain traffic (for example tagged with specific VLANs) from a source VM to any traffic analyzer VM. When packet will be forwarded, the original value of source and target ip/ports information will not be altered and the system administrator will be able to run, for ex. tcpdump, on the target VM to trace these packets.

For more details, refer to TaaS specification: Tap-as-a-service.

TaaS Architecture

As any other Neutron plugin, TaaS neutron plugin functionality consists of following modules:

TaaS Plugin: This is the front-end of TaaS which runs on controller node (Neutron server). This serves TaaS APIs and stores/retrieves TaaS configuration state to/from Neutron TaaS DB.

TaaS Agent, TaaS OVS Driver and TaaS SR-IOV Driver: This forms the back-end of TaaS which runs as a ML2 agent extension on compute nodes. It handles the RPC calls made by TaaS Plugin and configures the mechanism driver, i.e. OpenVSwitch or SR-IOV Nic Switch.

TaaS Dashboard Plugin: Horizon Plugin which adds GUI panels for TaaS resources in the Horizon Dashboard.

Prepare LOCI images

Before deploying TaaS and/or TaaS Dashboard, it needs to be added in Neutron and/or Horizon LOCI images.

This is a two step process, i.e.

  1. Prepare a requirements LOCI image with Neutron TaaS and TaaS Dashboard code installed.
  2. Prepare Neutron or Horizon LOCI image using this requirements image as docker build --build-arg WHEELS command argument.

Requirements LOCI image

  • Create a patchset for openstack/requirements repo

    Add TaaS and TaaS dashboard dependencies in upper-constraints.txt file in openstack/requirements repo, i.e. https://git.openstack.org/openstack/requirements

    git+https://git.openstack.org/openstack/tap-as-a-service@master#egg=tap-as-a-service
git+https://git.openstack.org/openstack/tap-as-a-service-dashboard@master#egg=tap-as-a-service-dashboard

    For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x", so export the REQUIREMENTS_REF_SPEC variable as follows:

    export REQUIREMENTS_REF_SPEC="refs/changes/xx/xxxxxx/x"

  • Build the requirements LOCI image using above commit

    Use it as docker build --build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC} command argument to build the requirements LOCI image.

Neutron and Horizon LOCI images

  • Create a patchset for openstack/neutron repo

    Add TaaS dependency in requirements.txt file in openstack/neutron repo, i.e. https://git.openstack.org/openstack/neutron

    tap-as-a-service

    For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x"; so export the NEUTRON_REF_SPEC variable as follows:

    export NEUTRON_REF_SPEC="refs/changes/xx/xxxxxx/x"

  • Create a patchset for openstack/horizon repo

    Add TaaS Dashboard dependency in requirements.txt file in openstack/horizon repo, i.e. https://git.openstack.org/openstack/horizon

    tap-as-a-service-dashboard

    For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x"; so export the HORIZON_REF_SPEC variable as follows:

    export HORIZON_REF_SPEC="refs/changes/xx/xxxxxx/x"

  • Putting it all together

    Apart from the variables above with gerrit refspec values, additionally export following environment variables with values as applicable:

    export OPENSTACK_VERSION="stable/ocata"
export PRIVATE_REPO="docker.io/username"

    Use above gerrit commits to prepare the LOCI images using following script:

    #!/bin/bash
set -ex

# export following variables with applicable values before invoking the script
#----------
: ${OPENSTACK_VERSION:="stable/ocata"}
: ${REQUIREMENTS_REF_SPEC:=""}
: ${NEUTRON_REF_SPEC:=""}
: ${HORIZON_REF_SPEC:=""}
: ${PRIVATE_REPO:="docker.io/username"} # Replace with your own dockerhub repo
#----------

IMAGE_TAG="${OPENSTACK_VERSION#*/}"
REGEX_GERRIT_REF_SPEC="^refs"

[[ ${REQUIREMENTS_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
(echo "Please set a proper value for REQUIREMENTS_REF_SPEC env variable" && exit)

[[ ${NEUTRON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
(echo "Please set a proper value for NEUTRON_REF_SPEC env variable" && exit)

[[ ${HORIZON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
(echo "Please set a proper value for HORIZON_REF_SPEC env variable" && exit)

# Login to private-repo : provide login password when asked
sudo docker login

sudo docker run -d \
  --name docker-in-docker \
  --privileged=true \
  --net=host \
  -v /var/lib/docker \
  -v ${HOME}/.docker/config.json:/root/.docker/config.json:ro\
  docker.io/docker:17.07.0-dind \
  dockerd \
    --pidfile=/var/run/docker.pid \
    --host=unix:///var/run/docker.sock \
    --storage-driver=overlay2
sudo docker exec docker-in-docker apk update
sudo docker exec docker-in-docker apk add git

# Prepare Requirements image
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
    https://git.openstack.org/openstack/loci.git \
    --network host \
    --build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
    --build-arg PROJECT=requirements \
    --build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC} \
    --tag ${PRIVATE_REPO}/requirements:${IMAGE_TAG}
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/requirements:${IMAGE_TAG}

# Prepare Neutron image
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
https://git.openstack.org/openstack/loci.git \
--build-arg PROJECT=neutron \
--build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \
--build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
--build-arg PROFILES="fluent neutron linuxbridge openvswitch" \
--build-arg PIP_PACKAGES="pycrypto" \
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
--tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG}
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG}

# Prepare Neutron sriov image
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
https://git.openstack.org/openstack/loci.git \
--build-arg PROJECT=neutron \
--build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \
--build-arg FROM=docker.io/ubuntu:18.04 \
--build-arg PROFILES="fluent neutron linuxbridge openvswitch" \
--build-arg PIP_PACKAGES="pycrypto" \
--build-arg DIST_PACKAGES="ethtool lshw" \
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
--tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804

# Prepare Horizon image
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
https://git.openstack.org/openstack/loci.git \
--build-arg PROJECT=horizon \
--build-arg PROJECT_REF=${HORIZON_REF_SPEC} \
--build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
--build-arg PROFILES="fluent horizon apache" \
--build-arg PIP_PACKAGES="pycrypto" \
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
--tag ${PRIVATE_REPO}/horizon:${IMAGE_TAG}
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/horizon:${IMAGE_TAG}

Deploy TaaS Plugin

Override images in Neutron chart

Override the images section parameters for Neutron chart with the custom LOCI image's tag, prepared as explained in above sections.

images:
  tags:
    neutron_db_sync: ${PRIVATE_REPO}/neutron:ocata
    neutron_server: ${PRIVATE_REPO}/neutron:ocata
    neutron_dhcp: ${PRIVATE_REPO}/neutron:ocata
    neutron_metadata: ${PRIVATE_REPO}/neutron:ocata
    neutron_l3: ${PRIVATE_REPO}/neutron:ocata
    neutron_openvswitch_agent: ${PRIVATE_REPO}/neutron:ocata
    neutron_linuxbridge_agent: ${PRIVATE_REPO}/neutron:ocata
    neutron_sriov_agent: ${PRIVATE_REPO}/neutron:ocata-sriov-1804
    neutron_sriov_agent_init: ${PRIVATE_REPO}/neutron:ocata-sriov-1804

Configure TaaS in Neutron chart

While deploying neutron-server and L2 agents, TaaS should be enabled in conf: neutron section to add TaaS as a service plugin; in conf: plugins section to add TaaS as a L2 agent extension; in conf: taas_plugin section to configure the service_provider endpoint used by Neutron TaaS plugin:

conf:
  neutron:
    DEFAULT:
      service_plugins: taas
  plugins:
    ml2_conf:
      agent:
        extensions: taas
    taas:
      taas:
        enabled: True
  taas_plugin:
    service_providers:
      service_provider: TAAS:TAAS:neutron_taas.services.taas.service_drivers.taas_rpc.TaasRpcDriver:default

Deploy TaaS Dashboard Plugin

TaaS dashboard plugin can be deployed simply by using custom LOCI images having TaaS Dashboard code installed (as explained in above sections), i.e. override the images section parameters for Horizon charts:

images:
  tags:
    horizon_db_sync: ${PRIVATE_REPO}/horizon:ocata
    horizon: ${PRIVATE_REPO}/horizon:ocata

Set log level for TaaS

Default log level for Neutron TaaS is INFO. For changing it, override following parameter:

conf:
  logging:
    logger_neutron_taas:
      level: INFO

References

  1. Neutron TaaS support in Openstack-Helm commits:
  2. Add TaaS panel to Horizon Dashboard: