diff --git a/devstack/exercises/gbp.sh b/devstack/exercises/gbp.sh
new file mode 100755
index 000000000..826efe631
--- /dev/null
+++ b/devstack/exercises/gbp.sh
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+
+# **gbp.sh**
+
+# Sanity check that gbp started if enabled
+
+echo "*********************************************************************"
+echo "Begin DevStack Exercise: $0"
+echo "*********************************************************************"
+
+# This script exits on an error so that errors don't compound and you see
+# only the first error that occurred.
+set -o errexit
+
+# Print the commands being run so that we can see the command that triggers
+# an error. It is also useful for following allowing as the install occurs.
+set -o xtrace
+
+
+# Settings
+# ========
+
+# Keep track of the current directory
+EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
+TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
+
+# Import common functions
+source $TOP_DIR/functions
+
+# Import configuration
+source $TOP_DIR/openrc
+
+# Import exercise configuration
+source $TOP_DIR/exerciserc
+
+source $TOP_DIR/openrc demo demo
+
+function confirm_server_active {
+ local VM_UUID=$1
+ if ! timeout $ACTIVE_TIMEOUT sh -c "while ! nova show $VM_UUID | grep status | grep -q ACTIVE; do sleep 1; done"; then
+ echo "server '$VM_UUID' did not become active!"
+ false
+ fi
+}
+
+# Create allow action that can used in several rules
+gbp policy-action-create allow --action-type allow
+
+# Create ICMP rule
+gbp policy-classifier-create icmp-traffic --protocol icmp --direction bi
+gbp policy-rule-create ping-policy-rule --classifier icmp-traffic --actions allow
+
+# Create SSH Rule (Optional)
+# gbp policy-classifier-create ssh-traffic --protocol tcp --port-range 22 --direction bi
+# gbp policy-rule-create ssh-policy-rule --classifier ssh-traffic --actions allow
+
+# Create HTTP Rule
+gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
+gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
+
+# Create HTTPs Rule
+gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in
+gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
+
+# ICMP policy-rule-set
+gbp policy-rule-set-create icmp-policy-rule-set --policy-rules ping-policy-rule
+
+# WEB policy-rule-set
+gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
+
+# ====== PROJECT OPERATION ======
+# PTGs creation
+gbp group-create web
+gbp group-create client-1
+gbp group-create client-2
+
+# PT creation
+WEB_PORT=$(gbp policy-target-create web-pt-1 --policy-target-group web | awk "/port_id/ {print \$4}")
+CLIENT1_PORT=$(gbp policy-target-create client-pt-1 --policy-target-group client-1 | awk "/port_id/ {print \$4}")
+CLIENT2_PORT=$(gbp policy-target-create client-pt-2 --policy-target-group client-2 | awk "/port_id/ {print \$4}")
+
+WEB_VM_1_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$WEB_PORT web-vm-1 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO WEB_VM_1_UUID "Failure launching web-vm-1"
+confirm_server_active $WEB_VM_1_UUID
+
+CLIENT_VM_1_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$CLIENT1_PORT client-vm-1 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO CLIENT_VM_1_UUID "Failure launching client-vm-1"
+confirm_server_active $CLIENT_VM_1_UUID
+
+CLIENT_VM_2_UUID=`nova boot --flavor m1.tiny --image $DEFAULT_IMAGE_NAME --nic port-id=$CLIENT2_PORT client-vm-2 | grep ' id ' | cut -d"|" -f3 | sed 's/ //g'`
+die_if_not_set $LINENO CLIENT_VM_2_UUID "Failure launching client-vm-2"
+confirm_server_active $CLIENT_VM_2_UUID
+
+####CHECKPOINT: No traffic flows
+
+# policy-rule-set Association
+gbp group-update client-1 --consumed-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+gbp group-update client-2 --consumed-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
+
+####CHECKPOINT: ICMP and HTTP work from app to web and vice versa
+
+gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
+
+####CHECKPOINT: HTTP stops working for both the client PTGs, HTTPs is now enabled
+
+nova delete web-vm-1
+nova delete client-vm-1
+nova delete client-vm-2
+
+if ! timeout $TERMINATE_TIMEOUT sh -c "while nova list | grep -q ACTIVE; do sleep 1; done"; then
+ die $LINENO "Some VMs failed to shutdown"
+fi
+
+gbp policy-target-delete web-pt-1
+gbp policy-target-delete client-pt-1
+gbp policy-target-delete client-pt-2
+
+gbp group-delete web
+gbp group-delete client-1
+gbp group-delete client-2
+
+gbp policy-rule-set-delete icmp-policy-rule-set
+gbp policy-rule-set-delete web-policy-rule-set
+
+gbp policy-rule-delete secure-web-policy-rule
+gbp policy-rule-delete web-policy-rule
+gbp policy-rule-delete ping-policy-rule
+
+gbp policy-classifier-delete secure-web-traffic
+gbp policy-classifier-delete web-traffic
+gbp policy-classifier-delete icmp-traffic
+
+gbp policy-action-delete allow
+
+set +o xtrace
+echo "*********************************************************************"
+echo "SUCCESS: End DevStack Exercise: $0"
+echo "*********************************************************************"
diff --git a/devstack/lib/gbp b/devstack/lib/gbp
new file mode 100755
index 000000000..8bfb391d5
--- /dev/null
+++ b/devstack/lib/gbp
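Review bot: `WEB_PORT`, `CLIENT1_PORT` and `CLIENT2_PORT` are handed to `nova boot --nic port-id=` without any check, and because each assignment's exit status is awk's rather than gbp's, a failed `policy-target-create` leaves the variable empty without tripping errexit. Add `die_if_not_set $LINENO WEB_PORT "Failure creating web-pt-1"` after each capture (and the matching lines for the two client ports), as is already done for the VM UUIDs. In `confirm_server_active` the id is spliced into the `sh -c` command string; passing it as an argument, `sh -c 'while ! nova show "$1" | grep status | grep -q ACTIVE; do sleep 1; done' _ "$VM_UUID"`, keeps data out of the command text, and using `die $LINENO` there instead of `echo` plus `false` would match the error handling of the termination wait at the end of the script.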
@@ -0,0 +1,108 @@
+# lib/gbp
+# functions - functions specific to group-based-policy
+
+# Dependencies:
+# ``functions`` file
+# ``DEST`` must be defined
+# ``STACK_USER`` must be defined
+
+# ``stack.sh`` calls the entry points in this order:
+#
+# - install_gbp
+# - install_gbpclient
+# - init_gbp
+#
+# ``unstack.sh`` calls the entry points in this order:
+
+# Set up default directories
+GBPSERVICE_DIR=$DEST/gbp
+GBPCLIENT_DIR=$DEST/python-gbpclient
+GBPHEAT_DIR=$DEST/gbpautomation
+GBPUI_DIR=$DEST/gbpui
+NEUTRON_CONF_DIR=/etc/neutron
+NEUTRON_CONF=$NEUTRON_CONF_DIR/neutron.conf
+GBP_CONF_DIR=/etc/gbp
+AIM_REPO=http://github.com/noironetworks/aci-integration-module.git
+AIM_DIR=$DEST/aim
+APICML2_REPO=http://github.com/noironetworks/apic-ml2-driver.git
+APICML2_DIR=$DEST/apic_ml2
+
+# Save trace setting
+XTRACE=$(set +o | grep xtrace)
+set +o xtrace
+
+
+# Functions
+# ---------
+
+# init_gbpservice() - Initialize databases, etc.
+function init_gbpservice {
+ # Run GBP db migrations
+ gbp-db-manage --config-file $NEUTRON_CONF --config-file /$Q_PLUGIN_CONF_FILE upgrade head
+ iniset $NEUTRON_CONF DEFAULT policy_dirs $GBP_CONF_DIR
+}
+
+# install_gbpservice() - Collect source and prepare
+function install_gbpservice {
+ git_clone $GBPSERVICE_REPO $GBPSERVICE_DIR $GBPSERVICE_BRANCH
+ mv $GBPSERVICE_DIR/test-requirements.txt $GBPSERVICE_DIR/_test-requirements.txt
+ setup_develop $GBPSERVICE_DIR
+ mv -f $NEUTRON_CONF_DIR/policy.json $NEUTRON_CONF_DIR/policy.json.original 2>/dev/null; true
+ cp -f $GBPSERVICE_DIR/etc/policy.json $NEUTRON_CONF_DIR/policy.json
+ mv $GBPSERVICE_DIR/_test-requirements.txt $GBPSERVICE_DIR/test-requirements.txt
+}
+
+# install_gbpclient() - Collect source and prepare
+function install_gbpclient {
+ git_clone $GBPCLIENT_REPO $GBPCLIENT_DIR $GBPCLIENT_BRANCH
+ mv $GBPCLIENT_DIR/test-requirements.txt $GBPCLIENT_DIR/_test-requirements.txt
+ setup_develop $GBPCLIENT_DIR
+ sudo install -D -m 0644 -o $STACK_USER {$GBPCLIENT_DIR/tools/,/etc/bash_completion.d/}gbp.bash_completion
+ mv $GBPCLIENT_DIR/_test-requirements.txt $GBPCLIENT_DIR/test-requirements.txt
+}
+
+# install_gbpclient() - Collect source and prepare
+function install_gbpheat {
+ git_clone $GBPHEAT_REPO $GBPHEAT_DIR $GBPHEAT_BRANCH
+ mv $GBPHEAT_DIR/test-requirements.txt $GBPHEAT_DIR/_test-requirements.txt
+ setup_develop $GBPHEAT_DIR
+ mv $GBPHEAT_DIR/_test-requirements.txt $GBPHEAT_DIR/test-requirements.txt
+}
+
+# install_gbpui() - Collect source and prepare
+function install_gbpui {
+ git_clone $GBPUI_REPO $GBPUI_DIR $GBPUI_BRANCH
+ mv $GBPUI_DIR/test-requirements.txt $GBPUI_DIR/_test-requirements.txt
+ setup_develop $GBPUI_DIR
+ ln -sf $GBPUI_DIR/gbpui/_*project*.py $HORIZON_DIR/openstack_dashboard/enabled
+ cd $GBPUI_DIR
+ python $HORIZON_DIR/manage.py collectstatic --noinput
+ mv $GBPUI_DIR/_test-requirements.txt $GBPUI_DIR/test-requirements.txt
+}
+
+function install_aim {
+ git_clone $AIM_REPO $AIM_DIR $AIM_BRANCH
+ mv $AIM_DIR/test-requirements.txt $AIM_DIR/_test-requirements.txt
+ setup_develop $AIM_DIR
+ mv $AIM_DIR/_test-requirements.txt $AIM_DIR/test-requirements.txt
+}
+
+function init_aim {
+ aim -c $NEUTRON_CONF db-migration upgrade
+}
+
+function install_apic_ml2 {
+ git_clone $APICML2_REPO $APICML2_DIR $APICML2_BRANCH
+ mv $APICML2_DIR/test-requirements.txt $APICML2_DIR/_test-requirements.txt
+ setup_develop $APICML2_DIR
+ mv $APICML2_DIR/_test-requirements.txt $APICML2_DIR/test-requirements.txt
+}
+
+
+# Restore xtrace
+$XTRACE
+
+# Tell emacs to use shell-script-mode
+## Local variables:
+## mode: shell-script
+## End:
diff --git a/devstack/override-defaults b/devstack/override-defaults
new file mode 100755
index 000000000..09ac66b05
--- /dev/null
+++ b/devstack/override-defaults
@@ -0,0 +1 @@
+NEUTRON_CREATE_INITIAL_NETWORKS="False"
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
new file mode 100755
index 000000000..020609623
--- /dev/null
+++ b/devstack/plugin.sh
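Review bot: `AIM_REPO` and `APICML2_REPO` are fixed to plain `http://github.com/...` URLs, so the aim and apic-ml2 sources would be fetched over an unauthenticated channel and cannot be redirected to a mirror the way the four `${VAR:-...}` repos in settings can; `AIM_REPO=${AIM_REPO:-https://github.com/noironetworks/aci-integration-module.git}` and `APICML2_REPO=${APICML2_REPO:-https://github.com/noironetworks/apic-ml2-driver.git}` fix both. In `install_gbpservice`, `mv -f ... policy.json.original 2>/dev/null; true` does not do what the `true` suggests: if the caller runs with errexit, as stack.sh appears to, a failed `mv` exits before `true` is reached, so `|| true` is needed if a missing policy.json is meant to be tolerated. The header comment above `install_gbpheat` still reads `# install_gbpclient() - Collect source and prepare`, and `install_gbpui` leaves the caller in `$GBPUI_DIR` after its `cd`, which is worth either a `cd -` or a note in its header.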
@@ -0,0 +1,60 @@
+GBP="Group-Based Policy"
+
+function gbp_configure_nova {
+ iniset $NOVA_CONF neutron allow_duplicate_networks "True"
+}
+
+function gbp_configure_heat {
+ local HEAT_PLUGINS_DIR="/opt/stack/gbpautomation/gbpautomation/heat"
+ iniset $HEAT_CONF DEFAULT plugin_dirs "$HEAT_PLUGINS_DIR"
+}
+
+function gbp_configure_neutron {
+ iniset $NEUTRON_CONF group_policy policy_drivers "implicit_policy,resource_mapping"
+ iniset $NEUTRON_CONF group_policy extension_drivers "proxy_group"
+ iniset $NEUTRON_CONF servicechain servicechain_drivers "simplechain_driver"
+ iniset $NEUTRON_CONF node_composition_plugin node_plumber "stitching_plumber"
+ iniset $NEUTRON_CONF node_composition_plugin node_drivers "heat_node_driver"
+ iniset $NEUTRON_CONF quotas default_quota "-1"
+ iniset $NEUTRON_CONF quotas quota_network "-1"
+ iniset $NEUTRON_CONF quotas quota_subnet "-1"
+ iniset $NEUTRON_CONF quotas quota_port "-1"
+ iniset $NEUTRON_CONF quotas quota_security_group "-1"
+ iniset $NEUTRON_CONF quotas quota_security_group_rule "-1"
+ iniset $NEUTRON_CONF quotas quota_router "-1"
+ iniset $NEUTRON_CONF quotas quota_floatingip "-1"
+}
+
+# Process contract
+if is_service_enabled group-policy; then
+ if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
+ echo_summary "Preparing $GBP"
+ elif [[ "$1" == "stack" && "$2" == "install" ]]; then
+ echo_summary "Installing $GBP"
+ elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
+ echo_summary "Configuring $GBP"
+ gbp_configure_nova
+ gbp_configure_heat
+ gbp_configure_neutron
+# install_apic_ml2
+# install_aim
+# init_aim
+ install_gbpclient
+ install_gbpservice
+ init_gbpservice
+ install_gbpheat
+ install_gbpui
+ stop_apache_server
+ start_apache_server
+ elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
+ echo_summary "Initializing $GBP"
+ fi
+
+ if [[ "$1" == "unstack" ]]; then
+ echo_summary "Removing $GBP"
+ fi
+
+ if [[ "$1" == "clean" ]]; then
+ echo_summary "Cleaning $GBP"
+ fi
+fi
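Review bot: `gbp_configure_heat` hard-codes `/opt/stack/gbpautomation/gbpautomation/heat` although lib/gbp derives `GBPHEAT_DIR=$DEST/gbpautomation`, so on a deployment with a different `DEST` Heat is pointed at a plugin directory that does not exist. `local HEAT_PLUGINS_DIR="$GBPHEAT_DIR/gbpautomation/heat"` keeps the two in step. `gbp_configure_neutron` also lifts every Neutron quota to unlimited (`-1`); that is presumably intended only for the exercise environment and deserves a comment such as `# Unlimited quotas: required by the GBP exercises, not a production setting`. The `install_*` calls run in the `post-config` phase while the `install` branch only prints a summary, which seems to contradict the call order documented at the top of lib/gbp; if that is deliberate, a comment saying why would save the next reader the question.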
diff --git a/devstack/settings b/devstack/settings
new file mode 100755
index 000000000..0350ec174
--- /dev/null
+++ b/devstack/settings
@@ -0,0 +1,42 @@
+# Make sure the plugin name in local.conf is "gbp", as in: enable_plugin gbp
+source $DEST/gbp/devstack/lib/gbp
+
+# Enable necessary Neutron plugins, including group_policy and ncp
+Q_SERVICE_PLUGIN_CLASSES=neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,group_policy,ncp
+
+# Preferred git mirror
+GIT_BASE=${GIT_BASE:-https://git.openstack.org}
+
+# Git repositories needed to deploy GBP:
+GBPSERVICE_REPO=${GBPSERVICE_REPO:-${GIT_BASE}/openstack/group-based-policy.git}
+GBPSERVICE_BRANCH=${GBPSERVICE_BRANCH:-master}
+GBPCLIENT_REPO=${GBPCLIENT_REPO:-${GIT_BASE}/openstack/python-group-based-policy-client.git}
+GBPCLIENT_BRANCH=${GBPCLIENT_BRANCH:-master}
+GBPUI_REPO=${GBPUI_REPO:-${GIT_BASE}/openstack/group-based-policy-ui.git}
+GBPUI_BRANCH=${GBPUI_BRANCH:-master}
+GBPHEAT_REPO=${GBPHEAT_REPO:-${GIT_BASE}/openstack/group-based-policy-automation.git}
+GBPHEAT_BRANCH=${GBPHEAT_BRANCH:-master}
+AIM_BRANCH=${AIM_BRANCH:-master}
+APICML2_BRANCH=${APICML2_BRANCH:-master}
+
+# Enable necessary services, including group-policy (and disable others)
+disable_service n-net
+enable_service n-novnc
+enable_service q-svc
+enable_service q-agt
+enable_service q-dhcp
+enable_service q-l3
+enable_service q-fwaas
+enable_service q-lbaas
+enable_service q-meta
+enable_service neutron
+enable_service group-policy
+disable_service tempest
+ENABLED_SERVICES+=,heat,h-api,h-api-cfn,h-api-cw,h-eng
+
+# Deployment preferences
+SYSLOG=${SYSLOG:-True}
+
+# Skip exercises by default (can be overridden in local.conf)
+SKIP_EXERCISES=${SKIP_EXERCISES:-volumes,trove,swift,sahara,euca,bundle,boot_from_volume,aggregates,zaqar,client-env,neutron-adv-test,floating_ips,client-args,horizon,sec_groups,gbp_servicechain,gbp_heat}
+
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index d249092f3..e61f50e9f 100644
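Review bot: The Heat services are added with `ENABLED_SERVICES+=,heat,h-api,h-api-cfn,h-api-cw,h-eng` while every other service in this file goes through `enable_service`/`disable_service`; the raw append bypasses those helpers and reads inconsistently. `enable_service heat h-api h-api-cfn h-api-cw h-eng` expresses the same intent. The unconditional `Q_SERVICE_PLUGIN_CLASSES=...` assignment also appears to clobber any value the operator set in local.conf, unlike the `${VAR:-default}` form used for the repo settings just below it; if overriding is deliberate, a one-line comment saying so would help.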
--- a/doc/source/installation.rst +++ b/doc/source/installation.rst @@ -10,3 +10,38 @@ Or, if you have virtualenvwrapper installed:: $ mkvirtualenv gbpservice $ pip install gbpservice + +Using DevStack +-------------- + +First, clone the latest ``stable/mitaka`` branch of DevStack:: + + $ git clone -b stable/mitaka https://git.openstack.org/openstack-dev/devstack + $ cd devstack + +Then, create a basic ``local.conf`` including at least the following lines:: + + [[local|localrc]] + enable_plugin gbp https://git.openstack.org/openstack/group-based-policy master + +Finally, you are ready to run ``stack.sh``. + +Here is an example of a working Group-Based Policy DevStack local.conf file +with logging, a custom password for all services and a custom git remote +pointing to GitHub:: + + [[local|localrc]] + SERVICE_TOKEN=password + ADMIN_PASSWORD=password + DATABASE_PASSWORD=password + RABBIT_PASSWORD=password + SERVICE_PASSWORD=$ADMIN_PASSWORD + + LOGFILE=$DEST/logs/stack.sh.log + LOGDAYS=2 + + GIT_BASE=https://github.com + RECLONE=True + + enable_plugin gbp https://github.com/openstack/group-based-policy.git master +