History

Adam Gandelman 467e637975 Update import: neutron.i18n -> neutron._i18n This was coming for a while and finally got dropped in Neutron as of f35c4f72e8991045c88212129f4e62a64f657b0d. Change-Id: I8e1f51da171ed0cb27c3f5059c7fc0b61a281f17		2016-06-23 18:22:39 -07:00
..
db	Adds Astara BYONF API extension	2016-03-17 17:20:21 -07:00
extensions	Merge "Ensure router interfaces properly reflect the state"	2016-05-02 16:44:43 +00:00
plugins	Update import: neutron.i18n -> neutron._i18n	2016-06-23 18:22:39 -07:00
README.rst	akanda->astara 3rd step: Rename + modify code	2015-12-04 10:32:25 -08:00
__init__.py	akanda->astara 3rd step: Rename + modify code	2015-12-04 10:32:25 -08:00
version.py	Add reno for release notes management	2016-01-15 17:07:06 +00:00

README.rst

Akanda User-facing API implemented as a Neutron Resource Extension

Provides

Portforward

portfoward.py implemented under neutron/extensions allows the ability to create portforwarding rules.

Filterrule

filterrule.py implemented under neutron/extensions allows the ability to create firewall rules that eventually gets implemented as OpenBSD PF rules within the Akanda appliance.

AddressBook

addressbook.py implemented under neutron/extensions allows the ability to administratively manage IP Address groups that can be used in filter rules.

Info

This is the home for the REST API that users will be calling directly with their preferred REST tool (curl, Python wrapper, etc.).

This code could eventually become part of OpenStack Neutron or act as a source or inspiration that will. As such, this API should be constructed entirely with standard OpenStack tools.

Authz

The resource extensions are implemented with the ability to leverage AuthZ. In order to use AuthZ, update Neutron's policy file for the extension to work with the following:

"create_portforward": [],
"get_portforward": [["rule:admin_or_owner"]],
"update_portforward": [["rule:admin_or_owner"]],
"delete_portforward": [["rule:admin_or_owner"]]

To use quotas, add to the QUOTAS section of neutron.conf:

quota_portforward = 10

Installation - DevStack (single node setup)

Preliminary Steps

Create a localrc file under the devstack directory with the following:

MYSQL_PASSWORD=openstack
RABBIT_PASSWORD=openstack
SERVICE_TOKEN=openstack
SERVICE_PASSWORD=openstack
ADMIN_PASSWORD=openstack
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service neutron
enable_service q-l3
LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver
Q_PLUGIN=openvswitch
NOVA_USE_NEUTRON_API=v2

Run ./stack.sh until the stack account and /opt/stack directory gets created.
Run ./unstack.sh

Neutron Extensions install

<workdir> = https://github.com/dreamhost/akanda/tree/master/userapi_extensions/akanda/neutron

Clone neutron to /opt/stack using git clone https://github.com/openstack/neutron.git
Change to the userapi_extensions dir within the Akanda project
Run python setup.py develop

Return to devstack directory and replace the following lines:

-        Q_PLUGIN_CLASS="neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2"
+        Q_PLUGIN_CLASS="akanda.neutron.plugins.ovs_neutron_plugin.OVSNeutronPluginV2"

Add the following line to load the extension right above Q_AUTH_STRATEGY:

+    iniset $Q_CONF_FILE DEFAULT api_extensions_path "extensions:/opt/stack/akanda/userapi_extensions/akanda/neutron/extensions"

Run ./stack.sh again to generate the required DB migrations and start the required services.

You should see for example (dhaddressbook in this case), something similar to the following to indicate a successful load of an extension, however it is not complete without quotas:

2012-09-11 09:17:04     INFO [neutron.api.extensions] Initializing extension manager.
2012-09-11 09:17:04     INFO [neutron.api.extensions] Loading extension file: _authzbase.py
2012-09-11 09:17:04     INFO [neutron.api.extensions] Loading extension file: addressbook.py
2012-09-11 09:17:04    DEBUG [neutron.api.extensions] Ext name: addressbook
2012-09-11 09:17:04    DEBUG [neutron.api.extensions] Ext alias: dhaddressbook
2012-09-11 09:17:04    DEBUG [neutron.api.extensions] Ext description: An addressbook extension
2012-09-11 09:17:04    DEBUG [neutron.api.extensions] Ext namespace: http://docs.dreamcompute.com/api/ext/v1.0

Switch to q-svc screen and press Ctrl-C

To enable Quote Support

Stop q-svc as add the following to [QUOTA] section of /etc/neutron/neutron.conf:

quota_portforward = 10
quota_filterrule = 100
quota_addressbook = 5
quota_addressbookgroup = 50
quota_addressbookentry = 250

Add the follow to /etc/neutron/policy.json to enable policies:

"create_filerrule": [],
"get_filterrule": [["rule:admin_or_owner"]],
"update_filterrule": [["rule:admin_or_owner"]],
"delete_filterrule": [["rule:admin_or_owner"]],
"create_addressbook": [],
"get_addressbook": [["rule:admin_or_owner"]],
"update_addressbook": [["rule:admin_or_owner"]],
"delete_addressbook": [["rule:admin_or_owner"]],
"create_addressbookgroup": [],
"get_addressbookgroup": [["rule:admin_or_owner"]],
"update_addressbookgroup": [["rule:admin_or_owner"]],
"delete_addressbookgroup": [["rule:admin_or_owner"]],
"create_addressbookentry": [],
"get_addressbookentry": [["rule:admin_or_owner"]],
"update_addressbookentry": [["rule:admin_or_owner"]],
"delete_addressbookentry": [["rule:admin_or_owner"]],
"update_routerstatus": [["rule:admin_only"]]

Restart q-svc by using up arrow to retrieve the command from the history.

Appendix

To manually start and stop Neutron Services under DevStack:

Run 'screen -x'. To show a list of screens, use Ctrl+A+" (double quote char)
Select q-svc. In most cases - Ctrl+A+1 should work.
Run the following to start Neutron or Ctrl+C to stop:
```
$ need-command-here
```

Gotchas

There is no Neutron Model validation for source and destination protocols in FilterRule. I.e., you can create forward rules between UDP and TCP or anything else. Currently validation happens only in Horizon. If you use the API directly, you are on your own!