Migrate DevStack support to a DevStack plugin

This change adds a DevStack plugin for Group-Based Policy.

A new top-level directory, devstack, has been created to fulfill
the contract of the DevStack plugin mechanism [1].

Documentation on how to enable the plugin has been added to
doc/source/installation.rst.

[1] http://docs.openstack.org/developer/devstack/plugins.html

Change-Id: I7e6c95408fbb132e33823d803a44f2867541a922
Closes-Bug: #1564893

devstack/exercises/gbp.sh

@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+
+# **gbp.sh**
+
+# Sanity check that gbp started if enabled
+
+echo "*********************************************************************"
+echo "Begin DevStack Exercise: $0"
+echo "*********************************************************************"
+
+# This script exits on an error so that errors don't compound and you see
+# only the first error that occurred.
+set -o errexit
+
+# Print the commands being run so that we can see the command that triggers
+# an error.  It is also useful for following allowing as the install occurs.
+set -o xtrace
+
+
+# Settings
+# ========
+
+# Keep track of the current directory
+EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
+TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
+
+# Import common functions
+source $TOP_DIR/functions
+
+# Import configuration
+source $TOP_DIR/openrc
+
+# Import exercise configuration
+source $TOP_DIR/exerciserc
+
+source $TOP_DIR/openrc demo demo
+
+function confirm_server_active {
+    local VM_UUID=$1
+    if ! timeout $ACTIVE_TIMEOUT sh -c "while ! nova show $VM_UUID | grep status | grep -q ACTIVE; do sleep 1; done"; then
+        echo "server '$VM_UUID' did not become active!"
+        false
+    fi
+}
+
+# Create allow action that can used in several rules
+gbp policy-action-create allow --action-type allow
+
+# Create ICMP rule
+gbp policy-classifier-create icmp-traffic --protocol icmp --direction bi
+gbp policy-rule-create ping-policy-rule --classifier icmp-traffic --actions allow
+
+# Create SSH Rule (Optional)
+# gbp policy-classifier-create ssh-traffic --protocol tcp --port-range 22 --direction bi
+# gbp policy-rule-create ssh-policy-rule --classifier ssh-traffic --actions allow
+
+# Create HTTP Rule
+gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
+gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
+
+# Create HTTPs Rule
+gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in
+gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
+
+# ICMP policy-rule-set
+gbp policy-rule-set-create icmp-policy-rule-set --policy-rules ping-policy-rule
+
+# WEB policy-rule-set
+gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
+
+# ====== PROJECT OPERATION ======
+# PTGs creation
+gbp group-create  web
+gbp group-create  client-1
+gbp group-create  client-2
+
+# PT creation
+WEB_PORT=$(gbp policy-target-create web-pt-1 --policy-target-group web | awk "/port_id/ {print \$4}")
+CLIENT1_PORT=$(gbp policy-target-create client-pt-1 --policy-target-group client-1 | awk "/port_id/ {print \$4}")
+CLIENT2_PORT=$(gbp policy-target-create client-pt-2 --policy-target-group client-2 | awk "/port_id/ {print \$4}")
+
+WEB_VM_1_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$WEB_PORT web-vm-1 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO WEB_VM_1_UUID "Failure launching web-vm-1"
+confirm_server_active $WEB_VM_1_UUID
+
+CLIENT_VM_1_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$CLIENT1_PORT client-vm-1 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO CLIENT_VM_1_UUID "Failure launching client-vm-1"
+confirm_server_active $CLIENT_VM_1_UUID
+
+CLIENT_VM_2_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$CLIENT2_PORT client-vm-2 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO CLIENT_VM_2_UUID "Failure launching client-vm-2"
+confirm_server_active $CLIENT_VM_2_UUID
+
+####CHECKPOINT: No traffic flows
+
+# policy-rule-set Association
+gbp group-update client-1 --consumed-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+gbp group-update client-2 --consumed-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+
+####CHECKPOINT: ICMP and HTTP work from app to web and vice versa
+
+gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
+
+####CHECKPOINT: HTTP stops working for both the client PTGs, HTTPs is now enabled
+
+nova delete web-vm-1
+nova delete client-vm-1
+nova delete client-vm-2
+
+if ! timeout $TERMINATE_TIMEOUT sh -c "while nova list | grep -q ACTIVE; do sleep 1; done"; then
+    die $LINENO "Some VMs failed to shutdown"
+fi
+
+gbp policy-target-delete web-pt-1
+gbp policy-target-delete client-pt-1
+gbp policy-target-delete client-pt-2
+
+gbp group-delete  web
+gbp group-delete  client-1
+gbp group-delete  client-2
+
+gbp policy-rule-set-delete icmp-policy-rule-set
+gbp policy-rule-set-delete web-policy-rule-set
+
+gbp policy-rule-delete secure-web-policy-rule
+gbp policy-rule-delete web-policy-rule
+gbp policy-rule-delete ping-policy-rule
+
+gbp policy-classifier-delete secure-web-traffic
+gbp policy-classifier-delete web-traffic
+gbp policy-classifier-delete icmp-traffic
+
+gbp policy-action-delete allow
+
+set +o xtrace
+echo "*********************************************************************"
+echo "SUCCESS: End DevStack Exercise: $0"
+echo "*********************************************************************"

devstack/lib/gbp

@@ -0,0 +1,108 @@
+# lib/gbp
+# functions - functions specific to group-based-policy
+
+# Dependencies:
+# ``functions`` file
+# ``DEST`` must be defined
+# ``STACK_USER`` must be defined
+
+# ``stack.sh`` calls the entry points in this order:
+#
+# - install_gbp
+# - install_gbpclient
+# - init_gbp
+#
+# ``unstack.sh`` calls the entry points in this order:
+
+# Set up default directories
+GBPSERVICE_DIR=$DEST/gbp
+GBPCLIENT_DIR=$DEST/python-gbpclient
+GBPHEAT_DIR=$DEST/gbpautomation
+GBPUI_DIR=$DEST/gbpui
+NEUTRON_CONF_DIR=/etc/neutron
+NEUTRON_CONF=$NEUTRON_CONF_DIR/neutron.conf
+GBP_CONF_DIR=/etc/gbp
+AIM_REPO=http://github.com/noironetworks/aci-integration-module.git
+AIM_DIR=$DEST/aim
+APICML2_REPO=http://github.com/noironetworks/apic-ml2-driver.git
+APICML2_DIR=$DEST/apic_ml2
+
+# Save trace setting
+XTRACE=$(set +o | grep xtrace)
+set +o xtrace
+
+
+# Functions
+# ---------
+
+# init_gbpservice() - Initialize databases, etc.
+function init_gbpservice {
+    # Run GBP db migrations
+    gbp-db-manage --config-file $NEUTRON_CONF --config-file /$Q_PLUGIN_CONF_FILE upgrade head
+    iniset $NEUTRON_CONF DEFAULT policy_dirs $GBP_CONF_DIR
+}
+
+# install_gbpservice() - Collect source and prepare
+function install_gbpservice {
+    git_clone $GBPSERVICE_REPO $GBPSERVICE_DIR $GBPSERVICE_BRANCH
+    mv $GBPSERVICE_DIR/test-requirements.txt $GBPSERVICE_DIR/_test-requirements.txt
+    setup_develop $GBPSERVICE_DIR
+    mv -f $NEUTRON_CONF_DIR/policy.json $NEUTRON_CONF_DIR/policy.json.original 2>/dev/null; true
+    cp -f $GBPSERVICE_DIR/etc/policy.json $NEUTRON_CONF_DIR/policy.json
+    mv $GBPSERVICE_DIR/_test-requirements.txt $GBPSERVICE_DIR/test-requirements.txt
+}
+
+# install_gbpclient() - Collect source and prepare
+function install_gbpclient {
+    git_clone $GBPCLIENT_REPO $GBPCLIENT_DIR $GBPCLIENT_BRANCH
+    mv $GBPCLIENT_DIR/test-requirements.txt $GBPCLIENT_DIR/_test-requirements.txt
+    setup_develop $GBPCLIENT_DIR
+    sudo install -D -m 0644 -o $STACK_USER {$GBPCLIENT_DIR/tools/,/etc/bash_completion.d/}gbp.bash_completion
+    mv $GBPCLIENT_DIR/_test-requirements.txt $GBPCLIENT_DIR/test-requirements.txt
+}
+
+# install_gbpclient() - Collect source and prepare
+function install_gbpheat {
+    git_clone $GBPHEAT_REPO $GBPHEAT_DIR $GBPHEAT_BRANCH
+    mv $GBPHEAT_DIR/test-requirements.txt $GBPHEAT_DIR/_test-requirements.txt
+    setup_develop $GBPHEAT_DIR
+    mv $GBPHEAT_DIR/_test-requirements.txt $GBPHEAT_DIR/test-requirements.txt
+}
+
+# install_gbpui() - Collect source and prepare
+function install_gbpui {
+    git_clone $GBPUI_REPO $GBPUI_DIR $GBPUI_BRANCH
+    mv $GBPUI_DIR/test-requirements.txt $GBPUI_DIR/_test-requirements.txt
+    setup_develop $GBPUI_DIR
+    ln -sf $GBPUI_DIR/gbpui/_*project*.py $HORIZON_DIR/openstack_dashboard/enabled
+    cd $GBPUI_DIR
+    python $HORIZON_DIR/manage.py collectstatic --noinput
+    mv $GBPUI_DIR/_test-requirements.txt $GBPUI_DIR/test-requirements.txt
+}
+
+function install_aim {
+    git_clone $AIM_REPO $AIM_DIR $AIM_BRANCH
+    mv $AIM_DIR/test-requirements.txt $AIM_DIR/_test-requirements.txt
+    setup_develop $AIM_DIR
+    mv $AIM_DIR/_test-requirements.txt $AIM_DIR/test-requirements.txt
+}
+
+function init_aim {
+    aim -c $NEUTRON_CONF db-migration upgrade
+}
+
+function install_apic_ml2 {
+    git_clone $APICML2_REPO $APICML2_DIR $APICML2_BRANCH
+    mv $APICML2_DIR/test-requirements.txt $APICML2_DIR/_test-requirements.txt
+    setup_develop $APICML2_DIR
+    mv $APICML2_DIR/_test-requirements.txt $APICML2_DIR/test-requirements.txt
+}
+
+
+# Restore xtrace
+$XTRACE
+
+# Tell emacs to use shell-script-mode
+## Local variables:
+## mode: shell-script
+## End:

devstack/override-defaults

@@ -0,0 +1 @@
+NEUTRON_CREATE_INITIAL_NETWORKS="False"

devstack/plugin.sh

@@ -0,0 +1,60 @@
+GBP="Group-Based Policy"
+
+function gbp_configure_nova {
+    iniset $NOVA_CONF neutron allow_duplicate_networks "True"
+}
+
+function gbp_configure_heat {
+    local HEAT_PLUGINS_DIR="/opt/stack/gbpautomation/gbpautomation/heat"
+    iniset $HEAT_CONF DEFAULT plugin_dirs "$HEAT_PLUGINS_DIR"
+}
+
+function gbp_configure_neutron {
+    iniset $NEUTRON_CONF group_policy policy_drivers "implicit_policy,resource_mapping"
+    iniset $NEUTRON_CONF group_policy extension_drivers "proxy_group"
+    iniset $NEUTRON_CONF servicechain servicechain_drivers "simplechain_driver"
+    iniset $NEUTRON_CONF node_composition_plugin node_plumber "stitching_plumber"
+    iniset $NEUTRON_CONF node_composition_plugin node_drivers "heat_node_driver"
+    iniset $NEUTRON_CONF quotas default_quota "-1"
+    iniset $NEUTRON_CONF quotas quota_network "-1"
+    iniset $NEUTRON_CONF quotas quota_subnet "-1"
+    iniset $NEUTRON_CONF quotas quota_port "-1"
+    iniset $NEUTRON_CONF quotas quota_security_group "-1"
+    iniset $NEUTRON_CONF quotas quota_security_group_rule "-1"
+    iniset $NEUTRON_CONF quotas quota_router "-1"
+    iniset $NEUTRON_CONF quotas quota_floatingip "-1"
+}
+
+# Process contract
+if is_service_enabled group-policy; then
+    if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
+        echo_summary "Preparing $GBP"
+    elif [[ "$1" == "stack" && "$2" == "install" ]]; then
+        echo_summary "Installing $GBP"
+    elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
+        echo_summary "Configuring $GBP"
+        gbp_configure_nova
+        gbp_configure_heat
+        gbp_configure_neutron
+#        install_apic_ml2
+#        install_aim
+#        init_aim
+        install_gbpclient
+        install_gbpservice
+        init_gbpservice
+        install_gbpheat
+        install_gbpui
+        stop_apache_server
+	start_apache_server
+    elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
+        echo_summary "Initializing $GBP"
+    fi
+
+    if [[ "$1" == "unstack" ]]; then
+        echo_summary "Removing $GBP"
+    fi
+
+    if [[ "$1" == "clean" ]]; then
+        echo_summary "Cleaning $GBP"
+    fi
+fi

devstack/settings

@@ -0,0 +1,42 @@
+# Make sure the plugin name in local.conf is "gbp", as in: enable_plugin gbp <remote> <branch>
+source $DEST/gbp/devstack/lib/gbp
+
+# Enable necessary Neutron plugins, including group_policy and ncp
+Q_SERVICE_PLUGIN_CLASSES=neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,group_policy,ncp
+
+# Preferred git mirror
+GIT_BASE=${GIT_BASE:-https://git.openstack.org}
+
+# Git repositories needed to deploy GBP:
+GBPSERVICE_REPO=${GBPSERVICE_REPO:-${GIT_BASE}/openstack/group-based-policy.git}
+GBPSERVICE_BRANCH=${GBPSERVICE_BRANCH:-master}
+GBPCLIENT_REPO=${GBPCLIENT_REPO:-${GIT_BASE}/openstack/python-group-based-policy-client.git}
+GBPCLIENT_BRANCH=${GBPCLIENT_BRANCH:-master}
+GBPUI_REPO=${GBPUI_REPO:-${GIT_BASE}/openstack/group-based-policy-ui.git}
+GBPUI_BRANCH=${GBPUI_BRANCH:-master}
+GBPHEAT_REPO=${GBPHEAT_REPO:-${GIT_BASE}/openstack/group-based-policy-automation.git}
+GBPHEAT_BRANCH=${GBPHEAT_BRANCH:-master}
+AIM_BRANCH=${AIM_BRANCH:-master}
+APICML2_BRANCH=${APICML2_BRANCH:-master}
+
+# Enable necessary services, including group-policy (and disable others)
+disable_service n-net
+enable_service n-novnc
+enable_service q-svc
+enable_service q-agt
+enable_service q-dhcp
+enable_service q-l3
+enable_service q-fwaas
+enable_service q-lbaas
+enable_service q-meta
+enable_service neutron
+enable_service group-policy
+disable_service tempest
+ENABLED_SERVICES+=,heat,h-api,h-api-cfn,h-api-cw,h-eng
+
+# Deployment preferences
+SYSLOG=${SYSLOG:-True}
+
+# Skip exercises by default (can be overridden in local.conf)
+SKIP_EXERCISES=${SKIP_EXERCISES:-volumes,trove,swift,sahara,euca,bundle,boot_from_volume,aggregates,zaqar,client-env,neutron-adv-test,floating_ips,client-args,horizon,sec_groups,gbp_servicechain,gbp_heat}
+

doc/source/installation.rst

@@ -10,3 +10,38 @@ Or, if you have virtualenvwrapper installed::
 
     $ mkvirtualenv gbpservice
     $ pip install gbpservice
+
+Using DevStack
+--------------
+
+First, clone the latest ``stable/mitaka`` branch of DevStack::
+
+    $ git clone -b stable/mitaka https://git.openstack.org/openstack-dev/devstack
+    $ cd devstack
+
+Then, create a basic ``local.conf`` including at least the following lines::
+
+    [[local|localrc]]
+    enable_plugin gbp https://git.openstack.org/openstack/group-based-policy master
+
+Finally, you are ready to run ``stack.sh``.
+
+Here is an example of a working Group-Based Policy DevStack local.conf file
+with logging, a custom password for all services and a custom git remote
+pointing to GitHub::
+
+    [[local|localrc]]
+    SERVICE_TOKEN=password
+    ADMIN_PASSWORD=password
+    DATABASE_PASSWORD=password
+    RABBIT_PASSWORD=password
+    SERVICE_PASSWORD=$ADMIN_PASSWORD
+
+    LOGFILE=$DEST/logs/stack.sh.log
+    LOGDAYS=2
+
+    GIT_BASE=https://github.com
+    RECLONE=True
+
+    enable_plugin gbp https://github.com/openstack/group-based-policy.git master
+