Adds Q_USE_SECGROUP flag for quantum security group
- Added has_quantum_plugin_security_group method for each plugin.
- Set NOVA_VIF_DRIVER to the hybrid VIF driver for plugins with
iptables based security group support.
- Specifying device_owner type on debug port in lib/quantum and
quantum-adv-test.sh. This change makes the quantum security
group apply to the debug port
Change-Id: Ifd155798912247d85a9765ef73a2186b929237b4
| ... | ... |
@@ -235,7 +235,7 @@ function create_network {
|
| 235 | 235 |
source $TOP_DIR/openrc $TENANT $TENANT |
| 236 | 236 |
local NET_ID=$(quantum net-create --tenant_id $TENANT_ID $NET_NAME $EXTRA| grep ' id ' | awk '{print $4}' )
|
| 237 | 237 |
quantum subnet-create --ip_version 4 --tenant_id $TENANT_ID --gateway $GATEWAY $NET_ID $CIDR |
| 238 |
- quantum-debug probe-create $NET_ID |
|
| 238 |
+ quantum-debug probe-create --device-owner compute $NET_ID |
|
| 239 | 239 |
source $TOP_DIR/openrc demo demo |
| 240 | 240 |
} |
| 241 | 241 |
|
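Review bot: The new `--device-owner compute` argument on the probe-create line has no comment, and the reason for it (per the commit message, so that the quantum security group is applied to the debug port) is not obvious from the script. A line such as `# device-owner compute: make the probe port subject to quantum security groups` above it would record the intent. The same applies to the two probe-create lines changed in setup_quantum_debug later in this commit. `$NET_ID` is also passed unquoted and unchecked, so a failed net-create would run probe-create with no network argument. create_network starts outside the hunk.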
| ... | ... |
@@ -181,6 +181,13 @@ source $TOP_DIR/lib/quantum_plugins/$Q_PLUGIN |
| 181 | 181 |
# Hardcoding for 1 service plugin for now |
| 182 | 182 |
source $TOP_DIR/lib/quantum_plugins/agent_loadbalancer |
| 183 | 183 |
|
| 184 |
+# Use security group or not |
|
| 185 |
+if has_quantum_plugin_security_group; then |
|
| 186 |
+ Q_USE_SECGROUP=${Q_USE_SECGROUP:-True}
|
|
| 187 |
+else |
|
| 188 |
+ Q_USE_SECGROUP=False |
|
| 189 |
+fi |
|
| 190 |
+ |
|
| 184 | 191 |
# Entry Points |
| 185 | 192 |
# ------------ |
| 186 | 193 |
|
| ... | ... |
@@ -222,6 +229,11 @@ function create_nova_conf_quantum() {
|
| 222 | 222 |
iniset $NOVA_CONF DEFAULT quantum_admin_tenant_name "$SERVICE_TENANT_NAME" |
| 223 | 223 |
iniset $NOVA_CONF DEFAULT quantum_url "http://$Q_HOST:$Q_PORT" |
| 224 | 224 |
|
| 225 |
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
|
| 226 |
+ LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver |
|
| 227 |
+ iniset $NOVA_CONF DEFAULT security_group_api quantum |
|
| 228 |
+ fi |
|
| 229 |
+ |
|
| 225 | 230 |
# set NOVA_VIF_DRIVER and optionally set options in nova_conf |
| 226 | 231 |
quantum_plugin_create_nova_conf |
| 227 | 232 |
|
| ... | ... |
@@ -646,9 +658,9 @@ function delete_probe() {
|
| 646 | 646 |
function setup_quantum_debug() {
|
| 647 | 647 |
if [[ "$Q_USE_DEBUG_COMMAND" == "True" ]]; then |
| 648 | 648 |
public_net_id=`_get_net_id $PUBLIC_NETWORK_NAME` |
| 649 |
- quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create $public_net_id |
|
| 649 |
+ quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create --device-owner compute $public_net_id |
|
| 650 | 650 |
private_net_id=`_get_net_id $PRIVATE_NETWORK_NAME` |
| 651 |
- quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create $private_net_id |
|
| 651 |
+ quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create --device-owner compute $private_net_id |
|
| 652 | 652 |
fi |
| 653 | 653 |
} |
| 654 | 654 |
|
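Review bot: In the block added after the agent_loadbalancer source line, the else branch sets `Q_USE_SECGROUP=False` without any message. An operator who explicitly requested security groups on a plugin whose `has_quantum_plugin_security_group` returns 1 therefore gets an unfiltered deployment with no indication. A warning before the assignment would make the downgrade visible, e.g. `[[ "$Q_USE_SECGROUP" == "True" ]] && echo "WARNING: $Q_PLUGIN has no security group support; forcing Q_USE_SECGROUP=False"`. Every later test is an exact `== "True"` comparison, so a value such as `true` or `1` is treated as disabled in create_nova_conf_quantum and selects the Noop firewall driver in the plugin agents. Normalising the value once at this point (DevStack's `trueorfalse` helper, if this tree has it) would avoid that.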
| ... | ... |
@@ -32,3 +32,5 @@ functions |
| 32 | 32 |
* ``quantum_plugin_configure_plugin_agent`` |
| 33 | 33 |
* ``quantum_plugin_configure_service`` |
| 34 | 34 |
* ``quantum_plugin_setup_interface_driver`` |
| 35 |
+* ``has_quantum_plugin_security_group``: |
|
| 36 |
+ return 0 if the plugin support quantum security group otherwise return 1 |
| ... | ... |
@@ -51,5 +51,10 @@ function quantum_plugin_setup_interface_driver() {
|
| 51 | 51 |
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver |
| 52 | 52 |
} |
| 53 | 53 |
|
| 54 |
+function has_quantum_plugin_security_group() {
|
|
| 55 |
+ # 1 means False here |
|
| 56 |
+ return 1 |
|
| 57 |
+} |
|
| 58 |
+ |
|
| 54 | 59 |
# Restore xtrace |
| 55 | 60 |
$MY_XTRACE |
| ... | ... |
@@ -45,5 +45,10 @@ function quantum_plugin_setup_interface_driver() {
|
| 45 | 45 |
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver |
| 46 | 46 |
} |
| 47 | 47 |
|
| 48 |
+function has_quantum_plugin_security_group() {
|
|
| 49 |
+ # 0 means True here |
|
| 50 |
+ return 0 |
|
| 51 |
+} |
|
| 52 |
+ |
|
| 48 | 53 |
# Restore xtrace |
| 49 | 54 |
$BRCD_XTRACE |
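Review bot: Nothing in this hunk configures a `SECURITYGROUP firewall_driver` for the plugin's agent, yet `has_quantum_plugin_security_group` returning 0 makes lib/quantum default `Q_USE_SECGROUP` to True and set `LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver`. If the agent's firewall driver is not set elsewhere in this file (not visible here), filtering would be turned off in nova without being turned on in quantum. Either write the driver in this plugin's quantum_plugin_configure_plugin_agent, as the linuxbridge hunk does, or return 1 until that is in place. The same question applies to the later section whose hunk is `@@ -141,5 +141,10 @@`, which also only adds `return 0`.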
| ... | ... |
@@ -48,6 +48,11 @@ function quantum_plugin_configure_plugin_agent() {
|
| 48 | 48 |
if [[ "$LB_INTERFACE_MAPPINGS" != "" ]]; then |
| 49 | 49 |
iniset /$Q_PLUGIN_CONF_FILE LINUX_BRIDGE physical_interface_mappings $LB_INTERFACE_MAPPINGS |
| 50 | 50 |
fi |
| 51 |
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
|
| 52 |
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.IptablesFirewallDriver |
|
| 53 |
+ else |
|
| 54 |
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver |
|
| 55 |
+ fi |
|
| 51 | 56 |
AGENT_BINARY="$QUANTUM_DIR/bin/quantum-linuxbridge-agent" |
| 52 | 57 |
} |
| 53 | 58 |
|
| ... | ... |
@@ -76,5 +81,10 @@ function quantum_plugin_setup_interface_driver() {
|
| 76 | 76 |
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver |
| 77 | 77 |
} |
| 78 | 78 |
|
| 79 |
+function has_quantum_plugin_security_group() {
|
|
| 80 |
+ # 0 means True here |
|
| 81 |
+ return 0 |
|
| 82 |
+} |
|
| 83 |
+ |
|
| 79 | 84 |
# Restore xtrace |
| 80 | 85 |
$MY_XTRACE |
| ... | ... |
@@ -141,5 +141,10 @@ function quantum_plugin_setup_interface_driver() {
|
| 141 | 141 |
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver |
| 142 | 142 |
} |
| 143 | 143 |
|
| 144 |
+function has_quantum_plugin_security_group() {
|
|
| 145 |
+ # 0 means True here |
|
| 146 |
+ return 0 |
|
| 147 |
+} |
|
| 148 |
+ |
|
| 144 | 149 |
# Restore xtrace |
| 145 | 150 |
$MY_XTRACE |
| ... | ... |
@@ -8,7 +8,7 @@ set +o xtrace |
| 8 | 8 |
source $TOP_DIR/lib/quantum_plugins/ovs_base |
| 9 | 9 |
|
| 10 | 10 |
function quantum_plugin_create_nova_conf() {
|
| 11 |
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
|
|
| 11 |
+ _quantum_ovs_base_configure_nova_vif_driver |
|
| 12 | 12 |
if [ "$VIRT_DRIVER" = 'xenserver' ]; then |
| 13 | 13 |
iniset $NOVA_CONF DEFAULT xenapi_vif_driver nova.virt.xenapi.vif.XenAPIOpenVswitchDriver |
| 14 | 14 |
iniset $NOVA_CONF DEFAULT xenapi_ovs_integration_bridge $FLAT_NETWORK_BRIDGE |
| ... | ... |
@@ -43,6 +43,7 @@ function quantum_plugin_configure_plugin_agent() {
|
| 43 | 43 |
# Setup integration bridge |
| 44 | 44 |
OVS_BRIDGE=${OVS_BRIDGE:-br-int}
|
| 45 | 45 |
_quantum_ovs_base_setup_bridge $OVS_BRIDGE |
| 46 |
+ _quantum_ovs_base_configure_firewall_driver |
|
| 46 | 47 |
|
| 47 | 48 |
# Setup agent for tunneling |
| 48 | 49 |
if [[ "$OVS_ENABLE_TUNNELING" = "True" ]]; then |
| ... | ... |
@@ -139,5 +140,9 @@ function quantum_plugin_setup_interface_driver() {
|
| 139 | 139 |
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver |
| 140 | 140 |
} |
| 141 | 141 |
|
| 142 |
+function has_quantum_plugin_security_group() {
|
|
| 143 |
+ return 0 |
|
| 144 |
+} |
|
| 145 |
+ |
|
| 142 | 146 |
# Restore xtrace |
| 143 | 147 |
$MY_XTRACE |
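Review bot: The `has_quantum_plugin_security_group` added in the last hunk of this file is the only copy in the commit without the `# 0 means True here` comment. Since the return value follows shell exit-status convention rather than a boolean, the same comment should be added above `return 0` for consistency with the other plugin files.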
| ... | ... |
@@ -39,6 +39,14 @@ function _quantum_ovs_base_configure_debug_command() {
|
| 39 | 39 |
iniset $QUANTUM_TEST_CONFIG_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE |
| 40 | 40 |
} |
| 41 | 41 |
|
| 42 |
+function _quantum_ovs_base_configure_firewall_driver() {
|
|
| 43 |
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
|
| 44 |
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver |
|
| 45 |
+ else |
|
| 46 |
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver |
|
| 47 |
+ fi |
|
| 48 |
+} |
|
| 49 |
+ |
|
| 42 | 50 |
function _quantum_ovs_base_configure_l3_agent() {
|
| 43 | 51 |
iniset $Q_L3_CONF_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE |
| 44 | 52 |
|
| ... | ... |
@@ -48,5 +56,15 @@ function _quantum_ovs_base_configure_l3_agent() {
|
| 48 | 48 |
sudo ip addr flush dev $PUBLIC_BRIDGE |
| 49 | 49 |
} |
| 50 | 50 |
|
| 51 |
+function _quantum_ovs_base_configure_nova_vif_driver() {
|
|
| 52 |
+ # The hybrid VIF driver needs to be specified when Quantum Security Group |
|
| 53 |
+ # is enabled (until vif_security attributes are supported in VIF extension) |
|
| 54 |
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then |
|
| 55 |
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
|
|
| 56 |
+ else |
|
| 57 |
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
|
|
| 58 |
+ fi |
|
| 59 |
+} |
|
| 60 |
+ |
|
| 51 | 61 |
# Restore xtrace |
| 52 | 62 |
$MY_XTRACE |
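Review bot: In `_quantum_ovs_base_configure_nova_vif_driver` the `${NOVA_VIF_DRIVER:-...}` default lets a pre-set `NOVA_VIF_DRIVER` win even when `Q_USE_SECGROUP` is True, although the comment above it says the hybrid driver is required for quantum security groups. Combined with lib/quantum switching nova to the Noop firewall driver, a stale `NOVA_VIF_DRIVER` in the operator's configuration would presumably leave instances with no filtering and no warning. A check after the assignment would surface this, e.g. `[[ "$NOVA_VIF_DRIVER" == *LibvirtHybridOVSBridgeDriver ]] || echo "WARNING: NOVA_VIF_DRIVER=$NOVA_VIF_DRIVER may not enforce quantum security groups"`.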
| ... | ... |
@@ -9,7 +9,7 @@ source $TOP_DIR/lib/quantum_plugins/ovs_base |
| 9 | 9 |
source $TOP_DIR/lib/quantum_thirdparty/ryu # for configuration value |
| 10 | 10 |
|
| 11 | 11 |
function quantum_plugin_create_nova_conf() {
|
| 12 |
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
|
|
| 12 |
+ _quantum_ovs_base_configure_nova_vif_driver |
|
| 13 | 13 |
iniset $NOVA_CONF DEFAULT libvirt_ovs_integration_bridge "$OVS_BRIDGE" |
| 14 | 14 |
} |
| 15 | 15 |
|
| ... | ... |
@@ -52,6 +52,8 @@ function quantum_plugin_configure_plugin_agent() {
|
| 52 | 52 |
fi |
| 53 | 53 |
iniset /$Q_PLUGIN_CONF_FILE OVS integration_bridge $OVS_BRIDGE |
| 54 | 54 |
AGENT_BINARY="$QUANTUM_DIR/quantum/plugins/ryu/agent/ryu_quantum_agent.py" |
| 55 |
+ |
|
| 56 |
+ _quantum_ovs_base_configure_firewall_driver |
|
| 55 | 57 |
} |
| 56 | 58 |
|
| 57 | 59 |
function quantum_plugin_configure_service() {
|
| ... | ... |
@@ -64,5 +66,10 @@ function quantum_plugin_setup_interface_driver() {
|
| 64 | 64 |
iniset $conf_file DEFAULT ovs_use_veth True |
| 65 | 65 |
} |
| 66 | 66 |
|
| 67 |
+function has_quantum_plugin_security_group() {
|
|
| 68 |
+ # 0 means True here |
|
| 69 |
+ return 0 |
|
| 70 |
+} |
|
| 71 |
+ |
|
| 67 | 72 |
# Restore xtrace |
| 68 | 73 |
$MY_XTRACE |
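Review bot: Replacing the fixed default in quantum_plugin_create_nova_conf with `_quantum_ovs_base_configure_nova_vif_driver` changes this plugin's VIF driver when `Q_USE_SECGROUP` is not True. The removed line always defaulted to `nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver`, whereas the helper's else branch now picks `nova.virt.libvirt.vif.LibvirtGenericVIFDriver`. If this plugin relied on the hybrid driver for reasons other than security groups, that is a regression for deployments that disable them. Either confirm the generic driver works here and add a comment saying so, or keep the hybrid default for this plugin in both cases.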