x/group-based-policy
Code Issues Proposed changes
12eea1bc31
group-based-policy/devstack/plugin.sh
Anna Khmelnitsky e30de6e13d [VMware] VMware NSX Policy driver 
This introduces driver for Vmware NSX Policy.
The driver assumes nsx_v3 core plugin.
It implements direct configuration of NSX Policy endpoint for security
and inherits connectivity functionality from resource mapping driver.

On startup, the driver will configure NSX Policy enforcement point to be
the NSX manager core plugin is running against.

The driver implements the following resource mapping:

Openstack project => NSX Policy domain
GBP group = > NSX Policy group + communication maps
GBP classifier => NSX Policy service
GBP rule set => NSX Policy communication profile

Change-Id: I0d5593b458f7e51c21fc2b34d1ab4d898abb6c51
2017-07-17 14:01:12 -07:00

159 lines
6.2 KiB
Bash
Executable File
Raw Blame History

GBP="Group-Based Policy"
[[ $ENABLE_NFP = True ]] && NFP="Network Function Plugin"
function gbp_configure_nova {
iniset $NOVA_CONF neutron allow_duplicate_networks "True"
}
function gbp_configure_heat {
local HEAT_PLUGINS_DIR="/opt/stack/gbpautomation/gbpautomation/heat"
iniset $HEAT_CONF DEFAULT plugin_dirs "$HEAT_PLUGINS_DIR"
}
function gbp_configure_neutron {
iniset $NEUTRON_CONF group_policy policy_drivers "implicit_policy,resource_mapping,chain_mapping"
iniset $NEUTRON_CONF group_policy extension_drivers "proxy_group"
iniset $NEUTRON_CONF servicechain servicechain_drivers "simplechain_driver"
iniset $NEUTRON_CONF node_composition_plugin node_plumber "stitching_plumber"
iniset $NEUTRON_CONF node_composition_plugin node_drivers "heat_node_driver"
iniset $NEUTRON_CONF quotas default_quota "-1"
iniset $NEUTRON_CONF quotas quota_network "-1"
iniset $NEUTRON_CONF quotas quota_subnet "-1"
iniset $NEUTRON_CONF quotas quota_port "-1"
iniset $NEUTRON_CONF quotas quota_security_group "-1"
iniset $NEUTRON_CONF quotas quota_security_group_rule "-1"
iniset $NEUTRON_CONF quotas quota_router "-1"
iniset $NEUTRON_CONF quotas quota_floatingip "-1"
iniset $NEUTRON_CONF agent extensions "qos"
}
function nfp_configure_neutron {
NEUTRON_ML2_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"
iniset $NEUTRON_CONF keystone_authtoken project_name "service"
iniset $NEUTRON_CONF keystone_authtoken username "neutron"
iniset $NEUTRON_CONF keystone_authtoken password $ADMIN_PASSWORD
iniset $NEUTRON_CONF node_composition_plugin node_plumber "admin_owned_resources_apic_plumber"
iniset $NEUTRON_CONF node_composition_plugin node_drivers "nfp_node_driver"
iniset $NEUTRON_CONF admin_owned_resources_apic_tscp plumbing_resource_owner_user "neutron"
iniset $NEUTRON_CONF admin_owned_resources_apic_tscp plumbing_resource_owner_password $ADMIN_PASSWORD
iniset $NEUTRON_CONF admin_owned_resources_apic_tscp plumbing_resource_owner_tenant_name "service"
if [[ $EXT_NET_GATEWAY && $EXT_NET_ALLOCATION_POOL_START && $EXT_NET_ALLOCATION_POOL_END && $EXT_NET_CIDR ]]; then
iniset $NEUTRON_CONF group_policy_implicit_policy default_external_segment_name "default"
fi
iniset $NEUTRON_CONF nfp_node_driver is_service_admin_owned "False"
iniset $NEUTRON_CONF nfp_node_driver svc_management_ptg_name "svc_management_ptg"
extn_drivers=$(iniget $NEUTRON_ML2_CONF ml2 extension_drivers)
if [[ -n $extn_drivers ]];then
iniset $NEUTRON_ML2_CONF ml2 extension_drivers $extn_drivers,port_security
else
iniset $NEUTRON_ML2_CONF ml2 extension_drivers port_security
fi
}
function configure_nfp_loadbalancer {
echo "Configuring NFP Loadbalancer plugin driver"
LBAAS_SERVICE_PROVIDER=LOADBALANCERV2:loadbalancerv2:gbpservice.contrib.nfp.service_plugins.loadbalancer.drivers.nfp_lbaasv2_plugin_driver.HaproxyOnVMPluginDriver:default
sudo\
sed\
-i\
'/^service_provider.*:default/'\
's'/\
':default'/\
'\n'\
"service_provider = $LBAAS_SERVICE_PROVIDER"/\
/etc/neutron/neutron_lbaas.conf
}
function configure_nfp_firewall {
echo "Configuring NFP Firewall plugin"
sudo\
sed\
-i\
'/^service_plugins/'\
's'/\
'neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin'/\
'gbpservice.contrib.nfp.service_plugins.firewall.nfp_fwaas_plugin.NFPFirewallPlugin'/\
/etc/neutron/neutron.conf
}
function configure_nfp_vpn {
echo "Configuring NFP VPN plugin driver"
sudo\
sed\
-i\
'/^service_provider.*IPsecVPNDriver:default/'\
's'/\
':default'/\
'\n'\
'service_provider = VPN:vpn:gbpservice.contrib.nfp.service_plugins.vpn.drivers.nfp_vpnaas_driver.NFPIPsecVPNDriver:default'/\
/etc/neutron/neutron_vpnaas.conf
}
# Process contract
if is_service_enabled group-policy; then
if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
echo_summary "Preparing $GBP"
elif [[ "$1" == "stack" && "$2" == "install" ]]; then
echo_summary "Installing $GBP"
[[ $ENABLE_APIC_AIM = True || $ENABLE_APIC_AIM_GATE = True ]] && install_apic_aim
if [[ $ENABLE_NFP = True ]]; then
echo_summary "Installing $NFP"
prepare_nfp_image_builder
fi
if [[ $ENABLE_NSX_POLICY = True ]]; then
echo_summary "Installing NSX Policy requirements"
prepare_nsx_policy
fi
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
echo_summary "Configuring $GBP"
[[ $ENABLE_APIC_AIM_GATE = False ]] && gbp_configure_nova
[[ $ENABLE_APIC_AIM_GATE = False ]] && gbp_configure_heat
gbp_configure_neutron
if [[ $ENABLE_NSX_POLICY = True ]]; then
echo_summary "Configuring NSX"
nsx_configure_neutron
fi
if [[ $ENABLE_NFP = True ]]; then
echo_summary "Configuring $NFP"
nfp_configure_neutron
if [[ $NFP_DEVSTACK_MODE = advanced ]]; then
configure_nfp_loadbalancer
configure_nfp_firewall
configure_nfp_vpn
fi
fi
# REVISIT move installs to install phase?
# install_apic_ml2
install_gbpclient
install_gbpservice
[[ $ENABLE_NFP = True ]] && install_nfpgbpservice
init_gbpservice
[[ $ENABLE_NFP = True ]] && init_nfpgbpservice
[[ $ENABLE_APIC_AIM_GATE = False ]] && install_gbpheat
[[ $ENABLE_APIC_AIM_GATE = False ]] && install_gbpui
[[ $ENABLE_APIC_AIM = True || $ENABLE_APIC_AIM_GATE = True ]] && configure_apic_aim
[[ $ENABLE_APIC_AIM_GATE = False ]] && stop_apache_server
[[ $ENABLE_APIC_AIM_GATE = False ]] && start_apache_server
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
echo_summary "Initializing $GBP"
if [[ $ENABLE_NFP = True ]]; then
echo_summary "Initializing $NFP"
assign_user_role_credential
create_nfp_gbp_resources
create_nfp_image
[[ $NFP_DEVSTACK_MODE = advanced ]] && launch_configuratorVM
copy_nfp_files_and_start_process
fi
fi
if [[ "$1" == "unstack" ]]; then
echo_summary "Removing $GBP"
fi
if [[ "$1" == "clean" ]]; then
echo_summary "Cleaning $GBP"
fi
fi
View Git Blame Copy Permalink