From 3452f8eb8663a8cfc5733784d918b59947630cf8 Mon Sep 17 00:00:00 2001
From: Akihiro MOTOKI
Date: Thu, 21 Mar 2013 14:11:27 +0900
Subject: [PATCH] Support Quantum security group

Adds Q_USE_SECGROUP flag for quantum security group
- Added has_quantum_plugin_security_group method for each plugin.
- Set NOVA_VIF_DRIVER to the hybrid VIF driver for plugins with iptables based security group support.
- Specifying device_owner type on debug port in lib/quantum and quantum-adv-test.sh. This change makes apply quantum security group fro debug port

Change-Id: Ifd155798912247d85a9765ef73a2186b929237b4
---
 exercises/quantum-adv-test.sh | 2 +-
 lib/quantum | 16 ++++++++++++++--
 lib/quantum_plugins/README.md | 2 ++
 lib/quantum_plugins/bigswitch_floodlight | 5 +++++
 lib/quantum_plugins/brocade | 5 +++++
 lib/quantum_plugins/linuxbridge | 10 ++++++++++
 lib/quantum_plugins/nicira | 5 +++++
 lib/quantum_plugins/openvswitch | 7 ++++++-
 lib/quantum_plugins/ovs_base | 18 ++++++++++++++++++
 lib/quantum_plugins/ryu | 9 ++++++++-
 10 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/exercises/quantum-adv-test.sh b/exercises/quantum-adv-test.sh
index 5c4b16ea5e..a1fb2ad03c 100755
--- a/exercises/quantum-adv-test.sh
+++ b/exercises/quantum-adv-test.sh
@@ -235,7 +235,7 @@ function create_network {
 source $TOP_DIR/openrc $TENANT $TENANT
 local NET_ID=$(quantum net-create --tenant_id $TENANT_ID $NET_NAME $EXTRA| grep ' id ' | awk '{print $4}' )
 quantum subnet-create --ip_version 4 --tenant_id $TENANT_ID --gateway $GATEWAY $NET_ID $CIDR
- quantum-debug probe-create $NET_ID
+ quantum-debug probe-create --device-owner compute $NET_ID
 source $TOP_DIR/openrc demo demo
 }
diff --git a/lib/quantum b/lib/quantum
index 09cde6417d..efdd43d071 100644
--- a/lib/quantum
+++ b/lib/quantum
@@ -181,6 +181,13 @@ source $TOP_DIR/lib/quantum_plugins/$Q_PLUGIN
 # Hardcoding for 1 service plugin for now
 source $TOP_DIR/lib/quantum_plugins/agent_loadbalancer
+# Use security group or not
+if has_quantum_plugin_security_group; then
+ Q_USE_SECGROUP=${Q_USE_SECGROUP:-True}
+else
+ Q_USE_SECGROUP=False
+fi
+
 # Entry Points
 # ------------
@@ -222,6 +229,11 @@ function create_nova_conf_quantum() {
 iniset $NOVA_CONF DEFAULT quantum_admin_tenant_name "$SERVICE_TENANT_NAME"
 iniset $NOVA_CONF DEFAULT quantum_url "http://$Q_HOST:$Q_PORT"
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver
+ iniset $NOVA_CONF DEFAULT security_group_api quantum
+ fi
+
 # set NOVA_VIF_DRIVER and optionally set options in nova_conf
 quantum_plugin_create_nova_conf
@@ -646,9 +658,9 @@ function delete_probe() {
 function setup_quantum_debug() {
 if [[ "$Q_USE_DEBUG_COMMAND" == "True" ]]; then
 public_net_id=`_get_net_id $PUBLIC_NETWORK_NAME`
- quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create $public_net_id
+ quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create --device-owner compute $public_net_id
 private_net_id=`_get_net_id $PRIVATE_NETWORK_NAME`
- quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create $private_net_id
+ quantum-debug --os-tenant-name admin --os-username admin --os-password $ADMIN_PASSWORD probe-create --device-owner compute $private_net_id
 fi
 }
diff --git a/lib/quantum_plugins/README.md b/lib/quantum_plugins/README.md
index 5411de00c7..05bfb85125 100644
--- a/lib/quantum_plugins/README.md
+++ b/lib/quantum_plugins/README.md
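Review bot: The `else` branch of the new Q_USE_SECGROUP block silently forces `Q_USE_SECGROUP=False` even when the operator explicitly set `Q_USE_SECGROUP=True` in localrc, so a deployment that expects Quantum security group enforcement on a plugin that does not support it ends up with no enforcement and no message. A one-line warning in the else branch makes the downgrade visible: `[[ "$Q_USE_SECGROUP" == "True" ]] && echo "WARNING: $Q_PLUGIN does not support quantum security groups; Q_USE_SECGROUP forced to False"`. Note also that `has_quantum_plugin_security_group` is a new required plugin function (the README hunk lists it); an out-of-tree plugin that does not define it makes the `if` fall into the else branch on "command not found", which is the safe direction but equally silent, so the warning covers that case too.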
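Review bot: Setting `LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver` in `create_nova_conf_quantum` moves all instance packet filtering off Nova, so from this point enforcement exists only if the plugin agent is configured with an iptables-based `firewall_driver`; a plugin that returns 0 from `has_quantum_plugin_security_group` without writing that option leaves instances unfiltered on both sides. The hunk only assigns a shell variable, and whether it reaches nova.conf depends on lib/nova reading it after this function runs, which is outside the diff; a comment at the assignment would make the dependency explicit, e.g. `# Nova's own firewall is disabled here; instance filtering is done by the quantum agent's firewall_driver (see the plugin's configure_plugin_agent)`. The enclosing function continues outside the hunk.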
@@ -32,3 +32,5 @@ functions
 * ``quantum_plugin_configure_plugin_agent``
 * ``quantum_plugin_configure_service``
 * ``quantum_plugin_setup_interface_driver``
+* ``has_quantum_plugin_security_group``:
+ return 0 if the plugin support quantum security group otherwise return 1
diff --git a/lib/quantum_plugins/bigswitch_floodlight b/lib/quantum_plugins/bigswitch_floodlight
index 7d3fd9675c..4857f49569 100644
--- a/lib/quantum_plugins/bigswitch_floodlight
+++ b/lib/quantum_plugins/bigswitch_floodlight
@@ -51,5 +51,10 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
 }
+function has_quantum_plugin_security_group() {
+ # 1 means False here
+ return 1
+}
+
 # Restore xtrace
 $MY_XTRACE
diff --git a/lib/quantum_plugins/brocade b/lib/quantum_plugins/brocade
index ac911439a3..6e26ad7842 100644
--- a/lib/quantum_plugins/brocade
+++ b/lib/quantum_plugins/brocade
@@ -45,5 +45,10 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver
 }
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
 # Restore xtrace
 $BRCD_XTRACE
diff --git a/lib/quantum_plugins/linuxbridge b/lib/quantum_plugins/linuxbridge
index 11bc585fe9..324e255231 100644
--- a/lib/quantum_plugins/linuxbridge
+++ b/lib/quantum_plugins/linuxbridge
@@ -48,6 +48,11 @@ function quantum_plugin_configure_plugin_agent() {
 if [[ "$LB_INTERFACE_MAPPINGS" != "" ]]; then
 iniset /$Q_PLUGIN_CONF_FILE LINUX_BRIDGE physical_interface_mappings $LB_INTERFACE_MAPPINGS
 fi
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.IptablesFirewallDriver
+ else
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver
+ fi
 AGENT_BINARY="$QUANTUM_DIR/bin/quantum-linuxbridge-agent"
 }
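Review bot: brocade now answers 0 from `has_quantum_plugin_security_group`, which makes lib/quantum default `Q_USE_SECGROUP` to True and switch Nova to `NoopFirewallDriver`, yet unlike linuxbridge and the ovs_base plugins this diff writes no `SECURITYGROUP firewall_driver` for brocade; the nicira hunk has the same shape. If the brocade agent's built-in default is not an iptables firewall, enabling the flag removes Nova's filtering without adding Quantum's, which is a silent loss of isolation rather than a visible failure. Please confirm where the brocade (and nicira) agent gets its firewall_driver, or keep `return 1` until it is configured in this file, and extend the comment to say what the plugin relies on, e.g. `# 0 means True here: filtering is done by <agent/controller — fill in>`.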
@@ -76,5 +81,10 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver
 }
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
 # Restore xtrace
 $MY_XTRACE
diff --git a/lib/quantum_plugins/nicira b/lib/quantum_plugins/nicira
index 8c150b11f5..6eefb022ec 100644
--- a/lib/quantum_plugins/nicira
+++ b/lib/quantum_plugins/nicira
@@ -141,5 +141,10 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
 }
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
 # Restore xtrace
 $MY_XTRACE
diff --git a/lib/quantum_plugins/openvswitch b/lib/quantum_plugins/openvswitch
index dda1239cb9..ab16483452 100644
--- a/lib/quantum_plugins/openvswitch
+++ b/lib/quantum_plugins/openvswitch
@@ -8,7 +8,7 @@ set +o xtrace
 source $TOP_DIR/lib/quantum_plugins/ovs_base
 function quantum_plugin_create_nova_conf() {
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
+ _quantum_ovs_base_configure_nova_vif_driver
 if [ "$VIRT_DRIVER" = 'xenserver' ]; then
 iniset $NOVA_CONF DEFAULT xenapi_vif_driver nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
 iniset $NOVA_CONF DEFAULT xenapi_ovs_integration_bridge $FLAT_NETWORK_BRIDGE
@@ -43,6 +43,7 @@ function quantum_plugin_configure_plugin_agent() {
 # Setup integration bridge
 OVS_BRIDGE=${OVS_BRIDGE:-br-int}
 _quantum_ovs_base_setup_bridge $OVS_BRIDGE
+ _quantum_ovs_base_configure_firewall_driver
 # Setup agent for tunneling
 if [[ "$OVS_ENABLE_TUNNELING" = "True" ]]; then
@@ -139,5 +140,9 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
 }
+function has_quantum_plugin_security_group() {
+ return 0
+}
+
 # Restore xtrace
 $MY_XTRACE
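Review bot: The openvswitch `has_quantum_plugin_security_group` in the last hunk is the only copy of this function in the series without the `# 0 means True here` comment that brocade, linuxbridge, nicira and ryu carry. Since the shell's inverted truthiness (0 = supported) is exactly what the comment guards against for the next reader, add `# 0 means True here` above `return 0` so all implementations read the same.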
diff --git a/lib/quantum_plugins/ovs_base b/lib/quantum_plugins/ovs_base
index ab988d9f62..2ada0dbf5a 100644
--- a/lib/quantum_plugins/ovs_base
+++ b/lib/quantum_plugins/ovs_base
@@ -39,6 +39,14 @@ function _quantum_ovs_base_configure_debug_command() {
 iniset $QUANTUM_TEST_CONFIG_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
 }
+function _quantum_ovs_base_configure_firewall_driver() {
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+ else
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver
+ fi
+}
+
 function _quantum_ovs_base_configure_l3_agent() {
 iniset $Q_L3_CONF_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
@@ -48,5 +56,15 @@ function _quantum_ovs_base_configure_l3_agent() {
 sudo ip addr flush dev $PUBLIC_BRIDGE
 }
+function _quantum_ovs_base_configure_nova_vif_driver() {
+ # The hybrid VIF driver needs to be specified when Quantum Security Group
+ # is enabled (until vif_security attributes are supported in VIF extension)
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
+ else
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
+ fi
+}
+
 # Restore xtrace
 $MY_XTRACE
diff --git a/lib/quantum_plugins/ryu b/lib/quantum_plugins/ryu
index d1d7382c4b..113923235c 100644
--- a/lib/quantum_plugins/ryu
+++ b/lib/quantum_plugins/ryu
@@ -9,7 +9,7 @@ source $TOP_DIR/lib/quantum_plugins/ovs_base
 source $TOP_DIR/lib/quantum_thirdparty/ryu # for configuration value
 function quantum_plugin_create_nova_conf() {
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
+ _quantum_ovs_base_configure_nova_vif_driver
 iniset $NOVA_CONF DEFAULT libvirt_ovs_integration_bridge "$OVS_BRIDGE"
 }
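Review bot: `_quantum_ovs_base_configure_nova_vif_driver` uses `${NOVA_VIF_DRIVER:-...}`, so a NOVA_VIF_DRIVER already set in localrc (for example the generic driver that openvswitch defaulted to before this change) wins even when `Q_USE_SECGROUP` is True. The comment in the hunk says the hybrid driver is required for security groups, and lib/quantum has already switched Nova to `NoopFirewallDriver`, so a non-hybrid driver would presumably leave instances on that host unfiltered; confirm against the agent's driver. A warning in the True branch makes the mismatch visible without changing the override semantics: `[[ "$NOVA_VIF_DRIVER" != *LibvirtHybridOVSBridgeDriver ]] && echo "WARNING: Q_USE_SECGROUP=True but NOVA_VIF_DRIVER=$NOVA_VIF_DRIVER is not the hybrid driver"`.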
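Review bot: The ryu hunk replaces an unconditional `LibvirtHybridOVSBridgeDriver` default with the shared helper, so with `Q_USE_SECGROUP=False` ryu now falls back to `LibvirtGenericVIFDriver`, a behaviour change for that plugin that the commit message does not mention. If ryu's agent or its veth/bridge setup depends on the hybrid plug, this needs confirming; otherwise a short comment at the call, e.g. `# falls back to the generic VIF driver when security groups are off`, records that the change is intended.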
@@ -52,6 +52,8 @@ function quantum_plugin_configure_plugin_agent() {
 fi
 iniset /$Q_PLUGIN_CONF_FILE OVS integration_bridge $OVS_BRIDGE
 AGENT_BINARY="$QUANTUM_DIR/quantum/plugins/ryu/agent/ryu_quantum_agent.py"
+
+ _quantum_ovs_base_configure_firewall_driver
 }
 function quantum_plugin_configure_service() {
@@ -64,5 +66,10 @@ function quantum_plugin_setup_interface_driver() {
 iniset $conf_file DEFAULT ovs_use_veth True
 }
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
 # Restore xtrace
 $MY_XTRACE