Enable Neutron VPN as Service
Add a recipe, related attribute/template, and unit tests to install, configure and start VPN service. Stop L3 agent if VPN is enabled. Change-Id: I63322e3c43e38444163371636cbab2c3bbdeaacf Implements: Blueprint neutron-vpnaas-enablement
parent
30bc1c8da3
commit
1dd7be7ee4
|
@ -1,6 +1,9 @@
|
|||
# CHANGELOG for cookbook-openstack-network
|
||||
This file is used to list changes made in each version of cookbook-openstack-network.
|
||||
|
||||
## 10.1.0
|
||||
* Add support for Neutron VPN Service
|
||||
|
||||
## 10.0.1
|
||||
* Add tunnel_types item in ovs_neutron_plugin.ini.erb
|
||||
|
||||
|
|
12
README.md
12
README.md
|
@ -49,6 +49,11 @@ l3\_agent
|
|||
|
||||
- Installs the L3 agent and metadata agent
|
||||
|
||||
vpn\_agent
|
||||
--------
|
||||
|
||||
- Installs the VPN agent
|
||||
|
||||
Identity-registration
|
||||
---------------------
|
||||
|
||||
|
@ -122,6 +127,12 @@ L3 Agent Configuration
|
|||
----------------------
|
||||
* `openstack['openstack']['network']['l3']['router_delete_namespaces'] - (StrOpt) If True, namespaces will be deleted when a router is destroyed.
|
||||
|
||||
VPN Agent Configuration
|
||||
----------------------
|
||||
* `openstack['openstack']['network']['enable_vpn'] - (BoolOpt) Enable VPN agent. (default false)
|
||||
* `openstack['openstack']['network']['vpn']['vpn_device_driver'] - (StrOpt) VPN device drivers which VPN agent will use
|
||||
* `openstack['openstack']['network']['vpn']['ipsec_status_check_interval'] - (IntOpt) Status check interval for ipsec VPN
|
||||
|
||||
The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
|
||||
|
||||
* `openstack['endpoints']['network-api-bind']['host']` - The IP address to bind the api service to
|
||||
|
@ -136,6 +147,7 @@ Templates
|
|||
* `api-paste.ini.erb` - Paste config for OpenStack Network server
|
||||
* `neutron.conf.erb` - Config file for OpenStack Network server
|
||||
* `ml2_conf.ini.erb` - Configuration of Network ML2 Plugins
|
||||
* `vpn_agent.ini.erb` - Config file for Network VPN agent
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
|
|
@ -176,6 +176,9 @@ default['openstack']['network']['dhcp_driver'] = 'neutron.agent.linux.dhcp.Dnsma
|
|||
default['openstack']['network']['use_namespaces'] = 'True'
|
||||
default['openstack']['network']['allow_overlapping_ips'] = 'False'
|
||||
|
||||
# vpn agent configuration, default is false
|
||||
default['openstack']['network']['enable_vpn'] = false
|
||||
|
||||
# use neutron root wrap
|
||||
default['openstack']['network']['use_rootwrap'] = true
|
||||
# rootwrap.conf
|
||||
|
@ -347,6 +350,11 @@ default['openstack']['network']['l3']['periodic_fuzzy_delay'] = 5
|
|||
# If True, namespaces will be deleted when a router is destroyed
|
||||
default['openstack']['network']['l3']['router_delete_namespaces'] = 'False'
|
||||
|
||||
# ============================= VPN Agent Configuration ====================
|
||||
|
||||
default['openstack']['network']['vpn']['vpn_device_driver'] = 'neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver'
|
||||
default['openstack']['network']['vpn']['ipsec_status_check_interval'] = 60
|
||||
|
||||
# ============================= Metadata Agent Configuration ===============
|
||||
|
||||
# The location of the Nova Metadata API service to proxy to (nil uses default)
|
||||
|
@ -986,6 +994,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
|
|||
'neutron_dhcp_packages' => ['openstack-neutron'],
|
||||
'neutron_dhcp_build_packages' => [],
|
||||
'neutron_l3_packages' => ['openstack-neutron'],
|
||||
'neutron_vpn_packages' => ['openstack-neutron'],
|
||||
'neutron_lb_packages' => ['openstack-neutron', 'haproxy'],
|
||||
'neutron_openvswitch_packages' => ['openvswitch'],
|
||||
'neutron_openvswitch_agent_packages' => ['openstack-neutron-openvswitch'],
|
||||
|
@ -995,6 +1004,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
|
|||
'neutron_server_packages' => [],
|
||||
'neutron_dhcp_agent_service' => 'neutron-dhcp-agent',
|
||||
'neutron_l3_agent_service' => 'neutron-l3-agent',
|
||||
'neutron_vpn_agent_service' => 'neutron-vpn-agent',
|
||||
'neutron_lb_agent_service' => 'neutron-lbaas-agent',
|
||||
'neutron_metadata_agent_service' => 'neutron-metadata-agent',
|
||||
'neutron_openvswitch_service' => 'openvswitch',
|
||||
|
@ -1013,6 +1023,7 @@ when 'suse'
|
|||
'neutron_dhcp_packages' => ['openstack-neutron-dhcp-agent'],
|
||||
'neutron_dhcp_build_packages' => [],
|
||||
'neutron_l3_packages' => ['openstack-neutron-l3-agent'],
|
||||
'neutron_vpn_packages' => ['openstack-neutron-vpn-agent'],
|
||||
'neutron_lb_packages' => ['openstack-neutron-lbaas-agent'],
|
||||
# plugins are installed by the main openstack-neutron package on SUSE
|
||||
'neutron_plugin_package' => '',
|
||||
|
@ -1024,6 +1035,7 @@ when 'suse'
|
|||
'neutron_server_packages' => [],
|
||||
'neutron_dhcp_agent_service' => 'openstack-neutron-dhcp-agent',
|
||||
'neutron_l3_agent_service' => 'openstack-neutron-l3-agent',
|
||||
'neutron_vpn_agent_service' => 'openstack-neutron-vpn-agent',
|
||||
'neutron_lb_agent_service' => 'openstack-neutron-lbaas-agent',
|
||||
'neutron_metadata_agent_service' => 'openstack-neutron-metadata-agent',
|
||||
'neutron_openvswitch_service' => 'openvswitch-switch',
|
||||
|
@ -1042,6 +1054,7 @@ when 'debian'
|
|||
'neutron_dhcp_packages' => ['neutron-dhcp-agent'],
|
||||
'neutron_dhcp_build_packages' => %w(build-essential pkg-config libidn11-dev libdbus-1-dev libnetfilter-conntrack-dev gettext),
|
||||
'neutron_l3_packages' => ['neutron-l3-agent'],
|
||||
'neutron_vpn_packages' => ['neutron-vpn-agent'],
|
||||
'neutron_lb_packages' => ['neutron-lbaas-agent', 'haproxy'],
|
||||
'neutron_openvswitch_packages' => ['openvswitch-switch', 'openvswitch-datapath-dkms', 'bridge-utils'],
|
||||
'neutron_openvswitch_build_packages' => %w(build-essential pkg-config fakeroot libssl-dev openssl debhelper autoconf dkms python-all python-qt4 python-zopeinterface python-twisted-conch),
|
||||
|
@ -1052,6 +1065,7 @@ when 'debian'
|
|||
'neutron_server_packages' => ['neutron-server'],
|
||||
'neutron_dhcp_agent_service' => 'neutron-dhcp-agent',
|
||||
'neutron_l3_agent_service' => 'neutron-l3-agent',
|
||||
'neutron_vpn_agent_service' => 'neutron-vpn-agent',
|
||||
'neutron_lb_agent_service' => 'neutron-lbaas-agent',
|
||||
'neutron_metadata_agent_service' => 'neutron-metadata-agent',
|
||||
'neutron_openvswitch_service' => 'openvswitch-switch',
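Review bot: `enable_vpn` in the first hunk of this file is a Ruby boolean, while the neighbouring switches (`use_namespaces`, `allow_overlapping_ips`) are the strings 'True'/'False', and the recipes in this commit test it with a plain `if`/`unless`. An override written in the neighbouring style, `'False'`, is truthy in Ruby, so it would install the VPN agent and stop and disable the L3 agent instead of leaving VPN off. I would replace the comment above the attribute with `# vpn agent switch: must be a Ruby boolean (true/false); the strings 'True'/'False' are both truthy` so the difference is visible where operators set it.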
|
||||
|
|
|
@ -5,12 +5,13 @@ maintainer 'Jay Pipes <jaypipes@gmail.com>'
|
|||
license 'Apache 2.0'
|
||||
description 'Installs and configures the OpenStack Network API Service and various agents and plugins'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '10.0.1'
|
||||
version '10.1.0'
|
||||
recipe 'openstack-network::client', 'Install packages required for network client'
|
||||
recipe 'openstack-network::server', 'Installs packages required for a OpenStack Network server'
|
||||
recipe 'openstack-network::openvswitch', 'Installs packages required for OVS'
|
||||
recipe 'openstack-network::metadata_agent', 'Installs packages required for a OpenStack Network Metadata Agent'
|
||||
recipe 'openstack-network::identity_registration', 'Registers OpenStack Network endpoints and service user with Keystone'
|
||||
recipe 'openstack-network::vpn_agent', 'Installs packages required for Network VPN Agent'
|
||||
|
||||
%w{ ubuntu fedora redhat centos suse }.each do |os|
|
||||
supports os
|
||||
|
|
|
@ -38,17 +38,23 @@ end
|
|||
service 'neutron-l3-agent' do
|
||||
service_name platform_options['neutron_l3_agent_service']
|
||||
supports status: true, restart: true
|
||||
|
||||
action :enable
|
||||
subscribes :restart, 'template[/etc/neutron/neutron.conf]'
|
||||
# if the vpn agent is enabled, we should stop and disable the l3 agent
|
||||
if node['openstack']['network']['enable_vpn']
|
||||
action [:stop, :disable]
|
||||
else
|
||||
action :enable
|
||||
subscribes :restart, 'template[/etc/neutron/neutron.conf]'
|
||||
end
|
||||
end
|
||||
|
||||
template '/etc/neutron/l3_agent.ini' do
|
||||
source 'l3_agent.ini.erb'
|
||||
owner node['openstack']['network']['platform']['user']
|
||||
group node['openstack']['network']['platform']['group']
|
||||
mode 00644
|
||||
notifies :restart, 'service[neutron-l3-agent]', :immediately
|
||||
mode 00640
|
||||
unless node['openstack']['network']['enable_vpn']
|
||||
notifies :restart, 'service[neutron-l3-agent]', :immediately
|
||||
end
|
||||
end
|
||||
|
||||
driver_name = node['openstack']['network']['interface_driver'].split('.').last
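Review bot: With `enable_vpn` set, the `unless` around `notifies` in the `/etc/neutron/l3_agent.ini` template means a change to that file restarts nothing. The VPN agent template added in this commit states that the VPN agent inherits the L3 agent's configuration, so it presumably reads this file as well and would keep running with the old settings until something else restarts it. Adding `subscribes :restart, 'template[/etc/neutron/l3_agent.ini]'` to `service 'neutron-vpn-agent'` in the VPN recipe would close that gap without making this recipe notify a resource it does not declare. Separately, the stop/disable branch is keyed on the attribute alone, so a node that sets `enable_vpn` but converges only this recipe is left with no routing agent; a comment next to the `if` should say that the VPN recipe is expected on the same node.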
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
# Encoding: utf-8
|
||||
#
|
||||
# Cookbook Name:: openstack-network
|
||||
# Recipe:: vpn_agent
|
||||
#
|
||||
# Copyright 2013, AT&T
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
['quantum', 'neutron'].include?(node['openstack']['compute']['network']['service_type']) || return
|
||||
return unless node['openstack']['network']['enable_vpn']
|
||||
|
||||
# VPN agent is based on L3 agent
|
||||
include_recipe 'openstack-network::l3_agent'
|
||||
|
||||
platform_options = node['openstack']['network']['platform']
|
||||
core_plugin = node['openstack']['network']['core_plugin']
|
||||
main_plugin = node['openstack']['network']['core_plugin_map'][core_plugin.split('.').last.downcase]
|
||||
|
||||
platform_options['neutron_vpn_packages'].each do |pkg|
|
||||
package pkg do
|
||||
options platform_options['package_overrides']
|
||||
action :upgrade
|
||||
# The vpn agent is depends on l3_agent and the providers below do not use the generic L3 agent...
|
||||
not_if { ['nicira', 'plumgrid', 'bigswitch'].include?(main_plugin) }
|
||||
end
|
||||
end
|
||||
|
||||
service 'neutron-vpn-agent' do
|
||||
service_name platform_options['neutron_vpn_agent_service']
|
||||
supports status: true, restart: true
|
||||
action :enable
|
||||
subscribes :restart, 'template[/etc/neutron/neutron.conf]'
|
||||
end
|
||||
|
||||
template '/etc/neutron/vpn_agent.ini' do
|
||||
source 'vpn_agent.ini.erb'
|
||||
owner node['openstack']['network']['platform']['user']
|
||||
group node['openstack']['network']['platform']['group']
|
||||
mode 00640
|
||||
notifies :restart, 'service[neutron-vpn-agent]', :immediately
|
||||
end
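Review bot: The `not_if` that skips nicira, plumgrid and bigswitch sits only on the `package` resources, so on those plugins the recipe still enables `neutron-vpn-agent` and writes `vpn_agent.ini` for a service whose package was never installed, which is likely to fail the converge. If these plugins are meant to be unsupported, a guard placed right after `main_plugin` is computed, `return if %w(nicira plumgrid bigswitch).include?(main_plugin)`, would cover the packages, the service and the template together. Note that `include_recipe 'openstack-network::l3_agent'` runs before that point, so whether the L3 agent is still stopped on those plugins depends on that recipe and should be checked. The comment above the `not_if` would also read better as `# The vpn agent depends on l3_agent, and the providers below do not use the generic L3 agent...`.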
|
|
@ -40,7 +40,7 @@ describe 'openstack-network::l3_agent' do
|
|||
expect(chef_run).to create_template(file.name).with(
|
||||
user: 'neutron',
|
||||
group: 'neutron',
|
||||
mode: 0644
|
||||
mode: 0640
|
||||
)
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,54 @@
|
|||
# Encoding: utf-8
|
||||
require_relative 'spec_helper'
|
||||
|
||||
describe 'openstack-network::vpn_agent' do
|
||||
|
||||
describe 'ubuntu' do
|
||||
let(:runner) { ChefSpec::Runner.new(UBUNTU_OPTS) }
|
||||
let(:node) { runner.node }
|
||||
let(:chef_run) do
|
||||
node.set['openstack']['compute']['network']['service_type'] = 'neutron'
|
||||
node.set['openstack']['network']['enable_vpn'] = true
|
||||
runner.converge(described_recipe)
|
||||
end
|
||||
|
||||
include_context 'neutron-stubs'
|
||||
|
||||
it 'include the recipe openstack-network::l3_agent' do
|
||||
expect(chef_run).to include_recipe('openstack-network::l3_agent')
|
||||
end
|
||||
|
||||
it 'verify l3 agent is stoped and disabled' do
|
||||
expect(chef_run).to stop_service('neutron-l3-agent')
|
||||
expect(chef_run).to disable_service('neutron-l3-agent')
|
||||
end
|
||||
|
||||
it 'upgrades neutron vpn package' do
|
||||
expect(chef_run).to upgrade_package('neutron-vpn-agent')
|
||||
end
|
||||
|
||||
it 'starts the vpn agent on boot' do
|
||||
expect(chef_run).to enable_service('neutron-vpn-agent')
|
||||
end
|
||||
|
||||
it 'subscribes the vpn agent service to neutron.conf' do
|
||||
expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/neutron.conf]').delayed
|
||||
end
|
||||
|
||||
describe 'vpn_agent.ini' do
|
||||
let(:file) { chef_run.template('/etc/neutron/vpn_agent.ini') }
|
||||
|
||||
it 'creates vpn_agent.ini' do
|
||||
expect(chef_run).to create_template(file.name).with(
|
||||
user: 'neutron',
|
||||
group: 'neutron',
|
||||
mode: 0640
|
||||
)
|
||||
end
|
||||
|
||||
it 'notifies the vpn agent service' do
|
||||
expect(file).to notify('service[neutron-vpn-agent]').to(:restart).immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
end
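Review bot: Every example in this spec converges with `enable_vpn` set to true, so the recipe's early `return unless node['openstack']['network']['enable_vpn']` is never exercised. Because that attribute also decides whether the L3 agent is stopped and disabled, the default-off path deserves its own context asserting that nothing VPN-related is installed or enabled. A sibling `describe` inside the outer block, as sketched below, would pin that behaviour. The rendered content of `vpn_agent.ini` (driver and status interval) is not asserted either, and the example name 'verify l3 agent is stoped and disabled' has a typo.

```ruby
# … unchanged: 'ubuntu' describe block that sets enable_vpn = true …

  describe 'ubuntu with enable_vpn left at its default' do
    let(:runner) { ChefSpec::Runner.new(UBUNTU_OPTS) }
    let(:node) { runner.node }
    let(:chef_run) do
      node.set['openstack']['compute']['network']['service_type'] = 'neutron'
      runner.converge(described_recipe)
    end

    include_context 'neutron-stubs'

    it 'does not install or enable the vpn agent' do
      expect(chef_run).not_to upgrade_package('neutron-vpn-agent')
      expect(chef_run).not_to enable_service('neutron-vpn-agent')
    end
  end
```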
|
|
@ -0,0 +1,19 @@
|
|||
<%= node["openstack"]["network"]["custom_template_banner"] %>
|
||||
|
||||
[DEFAULT]
|
||||
# VPN-Agent configuration file
|
||||
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
|
||||
debug = <%= node["openstack"]["network"]["debug"] %>
|
||||
interface_driver = <%= node["openstack"]["network"]["interface_driver"] %>
|
||||
|
||||
[vpnagent]
|
||||
# vpn device drivers which vpn agent will use
|
||||
# If we want to use multiple drivers, we need to define this option multiple times.
|
||||
# vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
|
||||
# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
|
||||
# vpn_device_driver=another_driver
|
||||
vpn_device_driver = <%= node['openstack']['network']['vpn']['vpn_device_driver'] %>
|
||||
|
||||
[ipsec]
|
||||
# Status check interval
|
||||
ipsec_status_check_interval = <%= node['openstack']['network']['vpn']['ipsec_status_check_interval'] %>
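Review bot: The comments under `[vpnagent]` say several drivers are configured by repeating `vpn_device_driver`, but the template renders the attribute exactly once, so a cookbook user cannot configure more than one driver, and an array override would be written out in Ruby's array notation rather than as separate options. Rendering one line per entry would match the comment: `<% Array(node['openstack']['network']['vpn']['vpn_device_driver']).each do |drv| %>`, then `vpn_device_driver = <%= drv %>`, then `<% end %>`. The existing string default keeps working with that form because `Array()` wraps a single string. The template also mixes double-quoted and single-quoted attribute keys; one style throughout would be easier to scan.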
|