diff --git a/deployment_scripts/ivs_packages/ubuntu/ivs-dbg_3.6.0_amd64.deb b/deployment_scripts/ivs_packages/ubuntu/ivs-dbg_3.6.0_amd64.deb new file mode 100644 index 0000000..07ea0f2 Binary files /dev/null and b/deployment_scripts/ivs_packages/ubuntu/ivs-dbg_3.6.0_amd64.deb differ diff --git a/deployment_scripts/ivs_packages/ubuntu/ivs_3.6.0_amd64.deb b/deployment_scripts/ivs_packages/ubuntu/ivs_3.6.0_amd64.deb new file mode 100644 index 0000000..ee7a507 Binary files /dev/null and b/deployment_scripts/ivs_packages/ubuntu/ivs_3.6.0_amd64.deb differ diff --git a/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py b/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py index cc11ede..8df07d1 100644 --- a/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py +++ b/deployment_scripts/puppet/modules/bcf/files/p_v/bcf_rest_client.py @@ -202,7 +202,7 @@ class RestLib(object): @debug_func(log_return=True) def program_segment_and_membership_rule( server, cookie, tenant, segment, internal_port, vlan, - port=BCF_CONTROLLER_PORT): + bcf_version, port=BCF_CONTROLLER_PORT): existing_segments = RestLib.get_os_mgmt_segments( server, cookie, tenant, port) @@ -247,10 +247,18 @@ class RestLib(object): pg_rule_url = (r'''applications/bcf/tenant[name="%(tenant)s"]/''' '''segment[name="%(segment)s"]/''' - '''interface-group-membership-rule''' % + '''port-group-membership-rule''' % {'tenant': tenant, 'segment': segment}) - rule_data = {"interface-group": ANY, "vlan": vlan} + rule_data = {"port-group": ANY, "vlan": vlan} + if "3.6" in bcf_version: + pg_rule_url = (r'''applications/bcf/tenant[name="%(tenant)s"]/''' + '''segment[name="%(segment)s"]/''' + '''interface-group-membership-rule''' % + {'tenant': tenant, + 'segment': segment}) + rule_data = {"interface-group": ANY, "vlan": vlan} + try: ret = RestLib.post(cookie, pg_rule_url, server, port, json.dumps(rule_data)) 
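Review bot: The version gate `if "3.6" in bcf_version:` in the `@@ -247` hunk is a substring test, so any string that merely contains "3.6" selects the interface-group schema, and a later release value would silently fall back to the 3.5 `port-group-membership-rule` URL. Comparing a parsed version is sturdier, for example `if tuple(int(p) for p in bcf_version.split(".")[:2]) >= (3, 6):` (assuming later releases keep the 3.6 schema), with the URL built once from a variable holding the rule name instead of repeating the format string. The `--bcf-version` argument added in the `@@ -293` hunk accepts any string; `choices=["3.5.0", "3.6.0"]` would reject versions the plugin does not bundle. `program_segment_and_membership_rule` starts and ends outside the hunk.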
@@ -293,6 +301,8 @@ if __name__ == '__main__': help="Openstack management tenant.") parser.add_argument("-f", "--fuel-cluster-id", required=True, help="The custer id of the fuel environment") + parser.add_argument("-b", "--bcf-version", required=True, + help="The BCF version") args = parser.parse_args() ctrls = args.controllers.split(',') @@ -308,7 +318,7 @@ if __name__ == '__main__': seg_vlan = int(vlan) RestLib.program_segment_and_membership_rule( active_server, cookie, args.management_tenant, - segment_name, internal_port, seg_vlan) + segment_name, internal_port, seg_vlan, args.bcf_version) sys.exit(0) except Exception as e: diff --git a/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh b/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh index 6b5a70c..9aa2c19 100644 --- a/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh +++ b/deployment_scripts/puppet/modules/bcf/files/p_v/ivs-setup.sh @@ -1,7 +1,7 @@ #!/bin/bash -if [ "$#" -ne 6 ]; then - echo "Usage: $0 " >&2 +if [ "$#" -ne 7 ]; then + echo "Usage: $0 " >&2 exit 1 fi @@ -15,6 +15,7 @@ declare -a interfaces=($4) IFS='{}' read -ra array1 <<< $5 deployment_id=$6 +bcf_version=$7 cdr2mask () { @@ -25,10 +26,10 @@ cdr2mask () } # install ivs -dpkg --force-all -i /etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs_3.5.0_amd64.deb -dpkg --force-all -i /etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs-dbg_3.5.0_amd64.deb apt-get install -y libnl-genl-3-200 apt-get -f install -y +dpkg --force-all -i "/etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs_${bcf_version}_amd64.deb" +dpkg --force-all -i "/etc/fuel/plugins/fuel-plugin-bigswitch-1.0/ivs_packages/ubuntu/ivs-dbg_${bcf_version}_amd64.deb" apt-get install -y apport # full installation 
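Review bot: The two added `dpkg --force-all -i ".../ivs_${bcf_version}_amd64.deb"` lines install a binary package committed to the repository with every dpkg safety check overridden and no integrity check beforehand. `--force-all` includes the override that lets a package failing verification install; naming only the override that is really needed (the page does not show which one) and comparing the file against a recorded SHA-256 before installing would narrow this. `bcf_version` comes from `$7` unvalidated, so a guard such as `case "$bcf_version" in 3.5.0|3.6.0) ;; *) echo "unsupported BCF version" >&2; exit 1;; esac` before the path is built keeps the package name to the bundled versions. The script also ends in an unconditional `exit 0`, so a failed install would not fail the Puppet exec.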
@@ -49,17 +50,20 @@ for (( i=0; i<$len; i++ )); do IFS='=>' declare -a bridge_ip=(${entry}) key=$(echo "${bridge_ip[0]}" | sed -e 's/"//' -e 's/"//') - itf_ip=$(echo "${bridge_ip[2]}" | sed -e 's/\[//' -e 's/"//' -e 's/"//' -e 's/]//') - IFS='/' - declare -a ip_address=(${itf_ip}) - netmask=$( cdr2mask ${ip_address[1]} ) + netmask="" + if [[ "$key" =~ "br-storage" ]] || [[ "$key" =~ "br-mgmt" ]]; then + itf_ip=$(echo "${bridge_ip[2]}" | sed -e 's/\[//' -e 's/"//' -e 's/"//' -e 's/]//') + IFS='/' + declare -a ip_address=(${itf_ip}) + netmask=$( cdr2mask ${ip_address[1]} ) + fi internal_interface="" if [[ "$key" =~ "br-storage" ]]; then - internal_interface="s${deployment_id}" + internal_interface="sto${deployment_id}" elif [[ "$key" =~ "br-mgmt" ]]; then - internal_interface="m${deployment_id}" + internal_interface="mgm${deployment_id}" elif [[ "$key" =~ "br-ex" ]]; then - internal_interface="e${deployment_id}" + internal_interface="ex${deployment_id}" fi if [[ "$internal_interface" =~ "$deployment_id" ]]; then @@ -71,7 +75,8 @@ for (( i=0; i<$len; i++ )); do ifconfig $internal_interface up ip link set $internal_interface up - ifconfig $internal_interface ${ip_address[0]} netmask ${netmask} + ifconfig $internal_interface ${ip_address[0]} + ifconfig $internal_interface netmask ${netmask} fi echo -e '\n' >> /etc/network/interfaces @@ -91,8 +96,6 @@ echo -e ' bridge_ports' ${mgmt_itf} >> /etc/network/interfaces echo -e ' address' ${mgmt_ip} >> /etc/network/interfaces echo -e '\n' >> /etc/network/interfaces -exit 0 - #reset uplinks to move them out of bond len=${#uplinks[@]} for (( i=0; i<$len; i++ )); do @@ -132,7 +135,5 @@ easy_install pip puppet module install --force puppetlabs-inifile puppet module install --force puppetlabs-stdlib -set -e - exit 0 diff --git a/deployment_scripts/puppet/modules/bcf/files/rootwrap/api-metadata.filters b/deployment_scripts/puppet/modules/bcf/files/rootwrap/api-metadata.filters new file mode 100644 index 0000000..1aa6f83 --- /dev/null 
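Review bot: For a `br-ex` entry the new `if` in the `@@ -49` hunk skips the `declare -a ip_address=(${itf_ip})` assignment, but the `@@ -71` hunk still runs `ifconfig $internal_interface ${ip_address[0]}` and `ifconfig $internal_interface netmask ${netmask}` for every interface whose name contains the deployment id. `ip_address` then holds whatever an earlier iteration left in it, so the `ex…` port can receive the storage or management address, and `netmask` is empty. Guard the addressing, e.g. `if [[ -n "$netmask" ]]; then ifconfig "$internal_interface" "${ip_address[0]}" netmask "${netmask}"; fi`, and reset `ip_address=()` next to `netmask=""`. The loop body begins and ends outside both hunks, so this is read from the visible lines only.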
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/api-metadata.filters
@@ -0,0 +1,13 @@
+# nova-rootwrap command filters for api-metadata nodes
+# This is needed on nova-api hosts running with "metadata" in enabled_apis
+# or when running nova-api-metadata
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-compute-ipmi.filters b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-compute-ipmi.filters
new file mode 100644
index 0000000..4132a99
--- /dev/null
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-compute-ipmi.filters
@@ -0,0 +1,9 @@
+# nova-rootwrap command filters for compute nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/baremetal/ipmi.py: 'ipmitool', ..
+ipmitool: CommandFilter, ipmitool, root
+
+# nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid)
+kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM
diff --git a/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-deploy-helper.filters b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-deploy-helper.filters
new file mode 100644
index 0000000..6d14b5d
--- /dev/null
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/baremetal-deploy-helper.filters
@@ -0,0 +1,11 @@
+# nova-rootwrap command filters for nova-baremetal-deploy-helper
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova-baremetal-deploy-helper
+iscsiadm: CommandFilter, iscsiadm, root
+sfdisk: CommandFilter, sfdisk, root
+dd: CommandFilter, dd, root
+mkswap: CommandFilter, mkswap, root
+blkid: CommandFilter, blkid, root
+mkfs: CommandFilter, mkfs, root
diff --git a/deployment_scripts/puppet/modules/bcf/files/rootwrap/compute.filters b/deployment_scripts/puppet/modules/bcf/files/rootwrap/compute.filters
new file mode 100644
index 0000000..f4424ae
--- /dev/null
+++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/compute.filters
@@ -0,0 +1,228 @@ +# nova-rootwrap command filters for compute nodes +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# nova/virt/disk/mount/api.py: 'kpartx', '-a', device +# nova/virt/disk/mount/api.py: 'kpartx', '-d', device +kpartx: CommandFilter, kpartx, root + +# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path +# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path +tune2fs: CommandFilter, tune2fs, root + +# nova/virt/disk/mount/api.py: 'mount', mapped_device +# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target +# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'.. +# nova/virt/configdrive.py: 'mount', device, mountdir +# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ... +mount: CommandFilter, mount, root + +# nova/virt/disk/mount/api.py: 'umount', mapped_device +# nova/virt/disk/api.py: 'umount' target +# nova/virt/xenapi/vm_utils.py: 'umount', dev_path +# nova/virt/configdrive.py: 'umount', mountdir +umount: CommandFilter, umount, root + +# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image +# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device +qemu-nbd: CommandFilter, qemu-nbd, root + +# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image +# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device +losetup: CommandFilter, losetup, root + +# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path +# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device +blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* + +# nova/virt/disk/vfs/localfs.py: 'tee', canonpath +tee: CommandFilter, tee, root + +# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath +mkdir: CommandFilter, mkdir, root + +# nova/virt/disk/vfs/localfs.py: 'chown' +# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log +# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log +# nova/virt/libvirt/connection.py: 
'chown', 'root', basepath('disk') +chown: CommandFilter, chown, root + +# nova/virt/disk/vfs/localfs.py: 'chmod' +chmod: CommandFilter, chmod, root + +# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' +# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' +# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev +# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. +# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. +# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. +# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. +# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) +# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] +# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge +# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. +# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. +# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... +# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. +# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' +# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' +# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. +# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. +# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' +# nova/network/linux_net.py: 'ip', 'route', 'add', .. +# nova/network/linux_net.py: 'ip', 'route', 'del', . +# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev +ip: CommandFilter, ip, root + +# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev +# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev +tunctl: CommandFilter, tunctl, root + +# nova/virt/libvirt/vif.py: 'ovs-vsctl', ... +# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... +# nova/network/linux_net.py: 'ovs-vsctl', .... 
+ovs-vsctl: CommandFilter, ovs-vsctl, root + +# nova/network/linux_net.py: 'ovs-ofctl', .... +ovs-ofctl: CommandFilter, ovs-ofctl, root + +# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ... +dd: CommandFilter, dd, root + +# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... +iscsiadm: CommandFilter, iscsiadm, root + +# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev +# nova/virt/libvirt/volume.py: 'aoe-discover' +aoe-revalidate: CommandFilter, aoe-revalidate, root +aoe-discover: CommandFilter, aoe-discover, root + +# nova/virt/xenapi/vm_utils.py: parted, --script, ... +# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*. +parted: CommandFilter, parted, root + +# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path +pygrub: CommandFilter, pygrub, root + +# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s +fdisk: CommandFilter, fdisk, root + +# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path +# nova/virt/disk/api.py: e2fsck, -f, -p, image +e2fsck: CommandFilter, e2fsck, root + +# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path +# nova/virt/disk/api.py: resize2fs, image +resize2fs: CommandFilter, resize2fs, root + +# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... +iptables-save: CommandFilter, iptables-save, root +ip6tables-save: CommandFilter, ip6tables-save, root + +# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) +iptables-restore: CommandFilter, iptables-restore, root +ip6tables-restore: CommandFilter, ip6tables-restore, root + +# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... +# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. 
+arping: CommandFilter, arping, root + +# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address +dhcp_release: CommandFilter, dhcp_release, root + +# nova/network/linux_net.py: 'kill', '-9', pid +# nova/network/linux_net.py: 'kill', '-HUP', pid +kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP + +# nova/network/linux_net.py: 'kill', pid +kill_radvd: KillFilter, root, /usr/sbin/radvd + +# nova/network/linux_net.py: dnsmasq call +dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq + +# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. +radvd: CommandFilter, radvd, root + +# nova/network/linux_net.py: 'brctl', 'addbr', bridge +# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 +# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' +# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface +brctl: CommandFilter, brctl, root + +# nova/virt/libvirt/utils.py: 'mkswap' +# nova/virt/xenapi/vm_utils.py: 'mkswap' +mkswap: CommandFilter, mkswap, root + +# nova/virt/xenapi/vm_utils.py: 'mkfs' +# nova/utils.py: 'mkfs', fs, path, label +mkfs: CommandFilter, mkfs, root + +# nova/virt/libvirt/utils.py: 'qemu-img' +qemu-img: CommandFilter, qemu-img, root + +# nova/virt/disk/vfs/localfs.py: 'readlink', '-e' +readlink: CommandFilter, readlink, root + +# nova/virt/disk/api.py: 'touch', target +touch: CommandFilter, touch, root + +# nova/virt/disk/api.py: +mkfs.ext3: CommandFilter, mkfs.ext3, root +mkfs.ntfs: CommandFilter, mkfs.ntfs, root + +# nova/virt/libvirt/connection.py: +read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi + +# nova/virt/libvirt/connection.py: +lvremove: CommandFilter, lvremove, root + +# nova/virt/libvirt/utils.py: +lvcreate: CommandFilter, lvcreate, root + +# nova/virt/libvirt/utils.py: +lvs: CommandFilter, lvs, root + +# nova/virt/libvirt/utils.py: +vgs: CommandFilter, vgs, root + +# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ... 
+tgtadm: CommandFilter, tgtadm, root + +# nova/utils.py:read_file_as_root: 'cat', file_path +# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) +read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd +read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow + +# nova/virt/libvirt/volume.py: 'multipath' '-R' +multipath: CommandFilter, multipath, root + +# nova/virt/libvirt/utils.py: +systool: CommandFilter, systool, root + +# nova/virt/libvirt/volume.py: +sginfo: CommandFilter, sginfo, root +sg_scan: CommandFilter, sg_scan, root +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.* + +# nova/volume/encryptors.py: +# nova/virt/libvirt/dmcrypt.py: +cryptsetup: CommandFilter, cryptsetup, root + +# nova/virt/xenapi/vm_utils.py: +xenstore-read: CommandFilter, xenstore-read, root + +# nova/virt/baremetal/tilera.py: 'rpc.mountd' +rpc.mountd: CommandFilter, rpc.mountd, root + +# nova/virt/libvirt/utils.py: +rbd: CommandFilter, rbd, root + +# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path +shred: CommandFilter, shred, root + +# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control.. +cp: CommandFilter, cp, root + +# nova/virt/xenapi/vm_utils.py: +sync: CommandFilter, sync, root + diff --git a/deployment_scripts/puppet/modules/bcf/files/rootwrap/network.filters b/deployment_scripts/puppet/modules/bcf/files/rootwrap/network.filters new file mode 100644 index 0000000..568e8d4 --- /dev/null +++ b/deployment_scripts/puppet/modules/bcf/files/rootwrap/network.filters 
@@ -0,0 +1,94 @@
+# nova-rootwrap command filters for network nodes
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
+# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
+# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
+# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
+# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
+# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
+# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
+# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
+# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
+# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
+# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
+# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
+# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
+# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
+# nova/network/linux_net.py: 'ip', 'route', 'add', ..
+# nova/network/linux_net.py: 'ip', 'route', 'del', .
+# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
+ip: CommandFilter, ip, root
+
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
+# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
+# nova/network/linux_net.py: 'ovs-vsctl', ....
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# nova/network/linux_net.py: 'ovs-ofctl', ....
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
+# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
+# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
+# nova/network/linux_net.py: 'ivs-ctl', ....
+ivs-ctl: CommandFilter, ivs-ctl, root
+
+# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
+ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
+
+# nova/virt/libvirt/vif.py: 'ebrctl', ...
+ebrctl: CommandFilter, ebrctl, root
+
+# nova/virt/libvirt/vif.py: 'mm-ctl', ...
+mm-ctl: CommandFilter, mm-ctl, root
+
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, ebtables, root
+ebtables_usr: CommandFilter, ebtables, root
+
+# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
+iptables-save: CommandFilter, iptables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+
+# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
+
+# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
+# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
+arping: CommandFilter, arping, root
+
+# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
+dhcp_release: CommandFilter, dhcp_release, root
+
+# nova/network/linux_net.py: 'kill', '-9', pid
+# nova/network/linux_net.py: 'kill', '-HUP', pid
+kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+
+# nova/network/linux_net.py: 'kill', pid
+kill_radvd: KillFilter, root, /usr/sbin/radvd
+
+# nova/network/linux_net.py: dnsmasq call
+dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
+
+# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
+radvd: CommandFilter, radvd, root + +# nova/network/linux_net.py: 'brctl', 'addbr', bridge +# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 +# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' +# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface +brctl: CommandFilter, brctl, root + +# nova/network/linux_net.py: 'sysctl', .... +sysctl: CommandFilter, sysctl, root + +# nova/network/linux_net.py: 'conntrack' +conntrack: CommandFilter, conntrack, root diff --git a/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp b/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp index 080509f..b6a14d6 100644 --- a/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp +++ b/deployment_scripts/puppet/modules/bcf/manifests/p_only/reconfigure_neutron.pp @@ -179,11 +179,11 @@ class bcf::p_only::reconfigure_neutron { value => '/etc/neutron/plugins/ml2', notify => Service['neutron-server'], } - if $bcf::params::openstack::bcf_controller_2 == ':8000' { - $server = $bcf::params::openstack::bcf_controller_1 + if $bcf::params::openstack::bcf_controller_2 == '' { + $server = "${bcf::params::openstack::bcf_controller_1}:8000" } else { - $server = "${bcf::params::openstack::bcf_controller_1},${bcf::params::openstack::bcf_controller_2}" + $server = "${bcf::params::openstack::bcf_controller_1}:8000,${bcf::params::openstack::bcf_controller_2}:8000" } ini_setting { 'ml2 restproxy servers': diff --git a/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp b/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp index 305076b..d8ca216 100644 --- a/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp +++ b/deployment_scripts/puppet/modules/bcf/manifests/p_v/compute.pp 
@@ -29,7 +29,7 @@ class bcf::p_v::compute { $mgmt_ip = $bcf::existing_bridges['br-fw-admin']['IP'] if has_key($bcf::existing_bridges, 'br-storage') { $bridge_ips['br-storage'] = $bcf::existing_bridges['br-storage']['IP'] - $ivs_internal_ports['br-storage'] = "s${bcf::deployment_id}" + $ivs_internal_ports['br-storage'] = "sto${bcf::deployment_id}" } if has_key($bcf::existing_bridges, 'br-prv') { @@ -38,12 +38,12 @@ class bcf::p_v::compute { if has_key($bcf::existing_bridges, 'br-mgmt') { $bridge_ips['br-mgmt'] = $bcf::existing_bridges['br-mgmt']['IP'] - $ivs_internal_ports['br-mgmt'] = "m${bcf::deployment_id}" + $ivs_internal_ports['br-mgmt'] = "mgm${bcf::deployment_id}" } if has_key($bcf::existing_bridges, 'br-ex') { $bridge_ips['br-ex'] = $bcf::existing_bridges['br-ex']['IP'] - $ivs_internal_ports['br-ex'] = "e${bcf::deployment_id}" + $ivs_internal_ports['br-ex'] = "ex${bcf::deployment_id}" } $bridge_list = split(inline_template("<%= @bridge_ips.keys.join(',') %>", ',')) 
@@ -54,8 +54,31 @@ class bcf::p_v::compute { notice("bigswitch bond_name ${bcf::bond_name}") notice("bigswitch interfaces ${interfaces}") + # Install rootwrap filter + file { '/etc/neutron/rootwrap.d/network.filters': + ensure => 'file', + source => 'puppet:///modules/bcf/rootwrap/network.filters', + } + file { '/etc/neutron/rootwrap.d/api-metadata.filters': + ensure => 'file', + source => 'puppet:///modules/bcf/rootwrap/api-metadata.filters', + } + file { '/etc/neutron/rootwrap.d/baremetal-deploy-helper.filters': + ensure => 'file', + source => 'puppet:///modules/bcf/rootwrap/baremetal-deploy-helper.filters', + } + file { '/etc/neutron/rootwrap.d/baremetal-compute-ipmi.filters': + ensure => 'file', + source => 'puppet:///modules/bcf/rootwrap/baremetal-compute-ipmi.filters', + } + file { '/etc/neutron/rootwrap.d/compute.filters': + ensure => 'file', + source => 'puppet:///modules/bcf/rootwrap/compute.filters', + } + package { 'python-pip': ensure => 'installed', + require => File['/etc/neutron/rootwrap.d/network.filters'] } exec { 'bsnstacklib': command => 'pip install "bsnstacklib<2015.2"', @@ -74,9 +97,10 @@ class bcf::p_v::compute { require => File['/etc/bigswitch'] } exec { 'clean up ovs bridges': - command => "bash /etc/bigswitch/bridge-cleanup.sh ${bridge_list} ${bcf::bond_name}", - path => '/usr/local/bin/:/usr/bin/:/bin', - require => File['/etc/bigswitch/bridge-cleanup.sh'] + command => "bash /etc/bigswitch/bridge-cleanup.sh ${bridge_list} ${bcf::bond_name}", + path => '/sbin:/usr/local/bin/:/usr/bin/:/bin', + logoutput => true, + require => File['/etc/bigswitch/bridge-cleanup.sh'] } file { '/etc/bigswitch/ivs-setup.sh': ensure => 'file', 
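Review bot: The five `file` resources added under `# Install rootwrap filter` set no `owner`, `group` or `mode`, although each shipped filter file opens with "This file should be owned by (and only-writeable by) the root user"; adding `owner => 'root', group => 'root', mode => '0644',` to each states that instead of leaving it to Puppet defaults. These are nova's filter sets placed in `/etc/neutron/rootwrap.d/`, so presumably the neutron rootwrap will now accept unconstrained `CommandFilter` entries for `cp`, `chown`, `chmod`, `tee`, `dd` and `mount` as root, plus the `read_shadow` rule from `compute.filters`. Only the `ivs-ctl` entry in `network.filters` looks specific to this plugin, so one filter file limited to the commands the BSN agent runs would keep the service account's root surface small; which commands those are is not visible here. Note also that `package { 'python-pip': }` requires only `network.filters`, so nothing in this hunk orders the other four files.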
@@ -84,9 +108,10 @@ class bcf::p_v::compute { require => EXEC['clean up ovs bridges'] } exec { 'set up ivs': - command => "bash /etc/bigswitch/ivs-setup.sh ${bcf::mgmt_itf} ${mgmt_ip} ${bcf::itfs} ${interfaces} \'${bridge_ips}\' ${bcf::deployment_id}", - path => '/usr/local/bin/:/usr/bin/:/bin', - require => File['/etc/bigswitch/ivs-setup.sh'] + command => "bash /etc/bigswitch/ivs-setup.sh ${bcf::mgmt_itf} ${mgmt_ip} ${bcf::itfs} ${interfaces} \'${bridge_ips}\' ${bcf::deployment_id} ${bcf::params::openstack::bcf_version}", + path => '/sbin:/usr/local/bin/:/usr/bin/:/bin', + logoutput => true, + require => File['/etc/bigswitch/ivs-setup.sh'] } file { '/etc/default/ivs': ensure => file, @@ -219,7 +244,7 @@ start on runlevel [2345] stop on runlevel [!2345] respawn script - exec /usr/local/bin/neutron-bsn-agent --config-file=/etc/neutron/neutron.conf --config-dir /etc/neutron/conf.d/common --log-file=/var/log/neutron/neutron-bsn-agent.log + exec /usr/local/bin/neutron-bsn-agent --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/plugin.ini --log-file=/var/log/neutron/neutron-bsn-agent.log end script ", } diff --git a/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp b/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp index 142c7c1..697be3a 100644 --- a/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp +++ b/deployment_scripts/puppet/modules/bcf/manifests/p_v/reconfigure_neutron.pp 
@@ -282,7 +282,7 @@ class bcf::p_v::reconfigure_neutron { source => 'puppet:///modules/bcf/p_v/bcf_rest_client.py', } exec { 'Openstack segment membership': - command => "python /etc/bigswitch/bcf_rest_client.py -u ${bcf::params::openstack::bcf_username} -p ${bcf::params::openstack::bcf_password} -c ${rest_server} -m ${bcf::params::openstack::bcf_os_mgmt_tenant} -f ${bcf::params::openstack::deployment_id}", + command => "python /etc/bigswitch/bcf_rest_client.py -u ${bcf::params::openstack::bcf_username} -p ${bcf::params::openstack::bcf_password} -c ${rest_server} -m ${bcf::params::openstack::bcf_os_mgmt_tenant} -f ${bcf::deployment_id} -b ${bcf::params::openstack::bcf_version}", path => '/usr/local/bin/:/usr/bin/:/bin', require => FILE['/etc/bigswitch/bcf_rest_client.py'] } diff --git a/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp b/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp index f4720aa..94e42a7 100644 --- a/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp +++ b/deployment_scripts/puppet/modules/bcf/manifests/params/openstack.pp @@ -18,7 +18,6 @@ class bcf::params::openstack { $virtual_cluster_name = 'OpenStackCluster' $ceph_virtual_cluster_name = 'CephCluster' - $deployment_id = hiera('deployment_id') $quantum_settings = hiera('quantum_settings') $keystone_vip = hiera('management_vip') $auth_user = 'neutron' @@ -45,5 +44,6 @@ class bcf::params::openstack { $bcf_password = $bcf_hash['bcf_controller_password'] $bcf_instance_id = $bcf_hash['openstack_instance_id'] $bcf_os_mgmt_tenant = $bcf_hash['openstack_mgmt_tenant'] + $bcf_version = $bcf_hash['bcf_version'] $access_tenant = 'services' } diff --git a/environment_config.yaml b/environment_config.yaml index a2904bc..e751e0d 100644 --- a/environment_config.yaml +++ b/environment_config.yaml 
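Review bot: The rewritten `command` still passes the controller password as `-p ${bcf::params::openstack::bcf_password}`, so it is visible in the process list while the script runs and can end up in Puppet output or reports when the exec is logged or fails. The values are also interpolated unquoted, so a password or tenant name containing whitespace or shell metacharacters changes how the command line is parsed. Passing the secret through the exec's `environment` attribute (or a root-only file) and reading it in `bcf_rest_client.py` would keep it off the command line; that needs a matching change in the script's argument handling, which this hunk does not show.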
@@ -20,7 +20,7 @@ attributes: bcf_controller_1: value: "" label: "BCF Controller1" - description: "BCF Controller' IP address" + description: "BCF Controller' IP address." weight: 10 type: "text" regex: @@ -30,7 +30,7 @@ attributes: bcf_controller_2: value: "" label: "BCF Controller2" - description: "The second BCF Controller' IP address" + description: "The second BCF Controller' IP address." weight: 11 type: "text" regex: @@ -40,27 +40,39 @@ attributes: bcf_controller_username: value: "" label: "BCF Controller Username" - description: "Username to access BCF controllers" + description: "Username to access BCF controllers." weight: 20 type: "text" bcf_controller_password: value: "" label: "BCF Controller Password" - description: "Password to access BCF controllers" + description: "Password to access BCF controllers." weight: 21 type: "password" openstack_instance_id: value: "" label: "Openstack Instance ID" - description: "The Openstack instance ID that is unique within the BCF fabric" + description: "The Openstack instance ID that is unique within the BCF fabric." weight: 30 type: "text" openstack_mgmt_tenant: value: "" label: "Management Tenant" - description: "The BCF Management Tenant" + description: "The BCF Management Tenant. Not needed in P_Only mode." weight: 40 type: "text" + + bcf_version: + type: "select" + weight: 50 + value: "3.5.0" + label: "BCF Fabric Version" + description: "The plugin supports BCF 3.5.0 or 3.6.0 release. Not needed in P_Only mode." + values: + - data: "3.5.0" + label: "3.5.0" + - data: "3.6.0" + label: "3.6.0"