From da9e0e4b9b0ba9dbea1c985b0ae169e5a910120c Mon Sep 17 00:00:00 2001
From: Nguyen Hai
Date: Mon, 12 Feb 2018 19:18:14 +0900
Subject: [PATCH] Modify OpenWRT image & rewrite deployment OpenWRT instruction

This patch adds the customized OpenWRT image that enables DHCP making the VNF can be ping. Therefore, the continuously respawning of VNF can be fixed. This patch also rewrites the instruction of deploying VNF based on OpenWRT.

Change-Id: Ieb4d98fe374676bad101a6c2965354a9b19ea0a2
Closes-Bug: #1557008
Closes-Bug: #1749243
Closes-Bug: #1709557
---
 devstack/lib/tacker | 3 +-
 doc/source/install/deploy_openwrt.rst | 270 +++++++++++++-----
 .../vnfd/tosca-config-openwrt-vrouter.yaml | 12 +-
 3 files changed, 209 insertions(+), 76 deletions(-)

diff --git a/devstack/lib/tacker b/devstack/lib/tacker
index d1f40cb1f..de264b313 100644
--- a/devstack/lib/tacker
+++ b/devstack/lib/tacker
@@ -340,7 +340,8 @@ function openstack_image_create {
 function tacker_check_and_download_images {
     local image_url
     image_url[0]='http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-disk.img'
-    image_url[1]='https://downloads.openwrt.org/chaos_calmer/15.05/x86/kvm_guest/openwrt-15.05-x86-kvm_guest-combined-ext4.img.gz'
+    # Customized image of OpenWRT 15.05.1 that can fix the continuously respawning OpenWRT-based VNFs
+    image_url[1]='https://anda.ssu.ac.kr/~openwrt/openwrt-x86-kvm_guest-combined-ext4.img.gz'
     local image_fname image_name glance_name gz_pattern
     local length=${#image_url[@]}
 
diff --git a/doc/source/install/deploy_openwrt.rst b/doc/source/install/deploy_openwrt.rst
index ca671816d..62fbf010a 100644
--- a/doc/source/install/deploy_openwrt.rst
+++ b/doc/source/install/deploy_openwrt.rst
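Review bot: The new `image_url[1]` in `tacker_check_and_download_images` moves the OpenWRT image from the upstream openwrt.org archive to a personal directory on a third-party host, and nothing in this hunk pins what is downloaded; unless the rest of the function (it continues past the hunk) verifies a digest, a devstack run imports whatever that server happens to serve into Glance. Pin the expected digest next to the URL and check it after the download, e.g. `image_sha256[1]='<sha256-of-customized-image>'  # placeholder: record from a reproducible build` and, where the loop has set `image_fname`, `echo "${image_sha256[1]}  ${image_fname}" | sha256sum -c -` before the Glance upload, or host the artifact on project-controlled infrastructure. The doc procedure added in this same patch builds that image with `passwd` set to blank and DHCP on `lan`, so the comment above the URL should record that provenance, e.g. `# Built per doc/source/install/deploy_openwrt.rst (15.05.1 kvm_guest, lan=dhcp, blank root password): dev environments only`. The comment's "continuously respawning" should read "continually respawning".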
@@ -24,10 +24,16 @@ started with deploying OpenWRT as VNF. 1. Ensure Glance already contains OpenWRT image. Normally, Tacker tries to add OpenWRT image to Glance while installing via devstack. By running **openstack image list** to check OpenWRT image if exists. If not, download -the image from -`OpenWRT official site -`_. -And upload this image into Glance by using the command specified below: +the customized image of OpenWRT 15.05.1 [#f1]_. Unzip the file by using +the command below: + +.. code-block:: console + + gunzip openwrt-x86-kvm_guest-combined-ext4.img.gz + +.. + +And then upload this image into Glance by using the command specified below: .. code-block:: console @@ -37,9 +43,9 @@ And upload this image into Glance by using the command specified below: --public .. -2. Create a yaml template named tosca-vnfd-openwrt-with-firewall-rules.yaml -which contains basic configuration of OpenWRT and some firewall rules of -OpenWRT. All contents of the template file shows below: +2. The below example shows how to create the OpenWRT-based Firewall VNF. +First, we have a yaml template which contains the configuration of +OpenWRT as shown below: .. code-block:: ini @@ -52,6 +58,7 @@ OpenWRT. All contents of the template file shows below: topology_template: node_templates: + VDU1: type: tosca.nodes.nfv.VDU.Tacker capabilities: 
@@ -62,52 +69,9 @@ OpenWRT. All contents of the template file shows below: disk_size: 1 GB properties: image: OpenWRT - config: - firewall: | - package firewall - - config defaults - option syn_flood '1' - option input 'ACCEPT' - option output 'ACCEPT' - option forward 'REJECT' - - config zone - option name 'lan' - list network 'lan' - option input 'ACCEPT' - option output 'ACCEPT' - option forward 'ACCEPT' - - config zone - option name 'wan' - list network 'wan' - list network 'wan6' - option input 'REJECT' - option output 'ACCEPT' - option forward 'REJECT' - option masq '1' - option mtu_fix '1' - - config forwarding - option src 'lan' - option dest 'wan' - - config rule - option name 'Allow-DHCP-Renew' - option src 'wan' - option proto 'udp' - option dest_port '68' - option target 'ACCEPT' - option family 'ipv4' - - config rule - option name 'Allow-Ping' - option src 'wan' - option proto 'icmp' - option icmp_type 'echo-request' - option family 'ipv4' - option target 'ACCEPT' + config: | + param0: key1 + param1: key2 mgmt_driver: openwrt monitoring_policy: name: ping 
@@ -117,35 +81,160 @@ OpenWRT. All contents of the template file shows below: actions: failure: respawn - CP1: + CP1: type: tosca.nodes.nfv.CP.Tacker properties: management: true + order: 0 anti_spoofing_protection: false requirements: - virtualLink: - node: VL1 + node: VL1 - virtualBinding: node: VDU1 - VL1: + CP2: + type: tosca.nodes.nfv.CP.Tacker + properties: + order: 1 + anti_spoofing_protection: false + requirements: + - virtualLink: + node: VL2 + - virtualBinding: + node: VDU1 + + CP3: + type: tosca.nodes.nfv.CP.Tacker + properties: + order: 2 + anti_spoofing_protection: false + requirements: + - virtualLink: + node: VL3 + - virtualBinding: + node: VDU1 + + VL1: type: tosca.nodes.nfv.VL properties: network_name: net_mgmt vendor: Tacker + VL2: + type: tosca.nodes.nfv.VL + properties: + network_name: net0 + vendor: Tacker + + VL3: + type: tosca.nodes.nfv.VL + properties: + network_name: net1 + vendor: Tacker firewall + .. -The above template file comes from two files. One is `tosca-vnfd-openwrt.yaml -`_ and other one is -`tosca-config-openwrt-with-firewall.yaml -`_. +We also have another configuration yaml template with +some firewall rules of OpenWRT. + +.. 
code-block:: ini + + vdus: + VDU1: + config: + firewall: | + package firewall + config defaults + option syn_flood '1' + option input 'ACCEPT' + option output 'ACCEPT' + option forward 'REJECT' + config zone + option name 'lan' + list network 'lan' + option input 'ACCEPT' + option output 'ACCEPT' + option forward 'ACCEPT' + config zone + option name 'wan' + list network 'wan' + list network 'wan6' + option input 'REJECT' + option output 'ACCEPT' + option forward 'REJECT' + option masq '1' + option mtu_fix '1' + config forwarding + option src 'lan' + option dest 'wan' + config rule + option name 'Allow-DHCP-Renew' + option src 'wan' + option proto 'udp' + option dest_port '68' + option target 'ACCEPT' + option family 'ipv4' + config rule + option name 'Allow-Ping' + option src 'wan' + option proto 'icmp' + option icmp_type 'echo-request' + option family 'ipv4' + option target 'ACCEPT' + config rule + option name 'Allow-IGMP' + option src 'wan' + option proto 'igmp' + option family 'ipv4' + option target 'ACCEPT' + config rule + option name 'Allow-DHCPv6' + option src 'wan' + option proto 'udp' + option src_ip 'fe80::/10' + option src_port '547' + option dest_ip 'fe80::/10' + option dest_port '546' + option family 'ipv6' + option target 'ACCEPT' + config rule + option name 'Allow-MLD' + option src 'wan' + option proto 'icmp' + option src_ip 'fe80::/10' + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family 'ipv6' + option target 'ACCEPT' + config rule + option name 'Allow-ICMPv6-Input' + option src 'wan' + option proto 'icmp' + list icmp_type 'echo-request' + list icmp_type 'echo-reply' + list icmp_type 'destination-unreachable' + list icmp_type 'packet-too-big' + list icmp_type 'time-exceeded' + list icmp_type 'bad-header' + list icmp_type 'unknown-header-type' + list icmp_type 'router-solicitation' + list icmp_type 'neighbour-solicitation' + list icmp_type 'router-advertisement' + list icmp_type 
'neighbour-advertisement' + option limit '190/sec' + option family 'ipv6' + option target 'REJECT' + +.. + +The above template files come from Tacker Repo. +One is tosca-vnfd-openwrt.yaml [#f2]_ and +other one is tosca-config-openwrt-with-firewall.yaml [#f3]_. In this template file, we specify the **mgmt_driver: openwrt** which means -this VNFD is managed by `openwrt driver -`_. This driver can inject firewall rules +this VNFD is managed by openwrt driver [#f4]_. This driver can inject firewall rules which defined in VNFD into OpenWRT instance by using SSH protocol. We can run **cat /etc/config/firewall** to confirm the firewall rules if inject succeed. @@ -154,16 +243,15 @@ succeed. .. code-block:: console - tacker vnfd-create \ - --vnfd-file tosca-vnfd-openwrt-with-firewall-rules.yaml \ - + tacker vnfd-create --vnfd-file tosca-vnfd-openwrt.yaml .. 4.Create a VNF: .. code-block:: console - tacker vnf-create --vnfd-name + tacker vnf-create --vnfd-name \ + --config-file tosca-config-openwrt-with-firewall.yaml .. This VNF will contains all the firewall rules that VNFD contains 
@@ -177,3 +265,47 @@ by using 'cat /etc/config/firewall' in VNF.
     tacker vnf-list
     tacker vnf-show
 ..
+
+We can replace the firewall rules configuration file with
+tosca-config-openwrt-vrouter.yaml [#f5]_
+to create the OpenWRT-based Router VNF.
+
+6. Notes
+
+Note that the OpenWRT is modified based on KVM OpenWRT 15.05.1
+to be suitable for OpenStack Tacker. The procedure is following as below:
+
+.. code-block:: console
+
+    cd ~
+    wget https://archive.openwrt.org/chaos_calmer/15.05.1/x86/kvm_guest/openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz \
+        -O openwrt-x86-kvm_guest-combined-ext4.img.gz
+    gunzip openwrt-x86-kvm_guest-combined-ext4.img.gz
+
+    mkdir -p imgroot
+
+    sudo kpartx -av openwrt-x86-kvm_guest-combined-ext4.img
+
+    # Replace the loopXp2 with the result of above command, e.g., loop0p2
+    sudo mount -o loop /dev/mapper/loopXp2 imgroot
+    sudo chroot imgroot /bin/ash
+
+    # Set password of this image to blank, type follow command and then enter two times
+    passwd
+
+    # Set DHCP for the network of OpenWRT so that the VNF can be ping
+    uci set network.lan.proto=dhcp; uci commit
+    exit
+
+    sudo umount imgroot
+    sudo kpartx -dv openwrt-x86-kvm_guest-combined-ext4.img
+
+..
+
+.. rubric:: Footnotes
+
+.. [#f1] https://anda.ssu.ac.kr/~openwrt/openwrt-x86-kvm_guest-combined-ext4.img.gz
+.. [#f2] https://github.com/openstack/tacker/blob/master/samples/tosca-templates/vnfd/tosca-vnfd-openwrt.yaml
+.. [#f3] https://github.com/openstack/tacker/blob/master/samples/tosca-templates/vnfd/tosca-config-openwrt-with-firewall.yaml
+.. [#f4] https://github.com/openstack/tacker/blob/master/tacker/vnfm/mgmt_drivers/openwrt/openwrt.py
+.. [#f5] https://github.com/openstack/tacker/blob/master/samples/tosca-templates/vnfd/tosca-config-openwrt-vrouter.yaml
diff --git a/samples/tosca-templates/vnfd/tosca-config-openwrt-vrouter.yaml b/samples/tosca-templates/vnfd/tosca-config-openwrt-vrouter.yaml
index 0c410615a..71ef41828 100644
--- a/samples/tosca-templates/vnfd/tosca-config-openwrt-vrouter.yaml
+++ b/samples/tosca-templates/vnfd/tosca-config-openwrt-vrouter.yaml
@@ -10,15 +10,15 @@ vdus:
           option ipaddr '127.0.0.1'
           option netmask '255.0.0.0'
 
-        config interface 'mgmt_net'
+        config interface 'net_mgmt'
           option ifname 'eth0'
           option proto 'dhcp'
 
-        config interface 'net1'
+        config interface 'net0'
           option ifname 'eth1'
           option proto 'dhcp'
 
-        config interface 'net2'
+        config interface 'net1'
           option ifname 'eth2'
           option proto 'dhcp'
 
@@ -32,15 +32,15 @@ vdus:
           option forward 'ACCEPT'
 
         config zone
-          option name 'mgmt_net'
-          option network 'mgmt_net'
+          option name 'net_mgmt'
+          option network 'net_mgmt'
           option input 'ACCEPT'
           option output 'ACCEPT'
           option forward 'REJECT'
 
         config zone
           option name 'lan'
-          list network 'net1 net2'
+          list network 'net0 net1'
           option input 'ACCEPT'
           option output 'ACCEPT'
           option forward 'ACCEPT'