diff --git a/CHANGELOG.md b/CHANGELOG.md index 02750f97..89f9f7de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # CHANGELOG for cookbook-openstack-network This file is used to list changes made in each version of cookbook-openstack-network. +## 10.1.0 +* Add support for Neutron VPN Service + ## 10.0.1 * Add tunnel_types item in ovs_neutron_plugin.ini.erb diff --git a/README.md b/README.md index ca10b310..c11e21a4 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,11 @@ l3\_agent - Installs the L3 agent and metadata agent +vpn\_agent +-------- + +- Installs the VPN agent + Identity-registration --------------------- @@ -122,6 +127,12 @@ L3 Agent Configuration ---------------------- * `openstack['openstack']['network']['l3']['router_delete_namespaces'] - (StrOpt) If True, namespaces will be deleted when a router is destroyed. +VPN Agent Configuration +---------------------- +* `openstack['openstack']['network']['enable_vpn'] - (BoolOpt) Enable VPN agent. (default false) +* `openstack['openstack']['network']['vpn']['vpn_device_driver'] - (StrOpt) VPN device drivers which VPN agent will use +* `openstack['openstack']['network']['vpn']['ipsec_status_check_interval'] - (IntOpt) Status check interval for ipsec VPN + The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance: * `openstack['endpoints']['network-api-bind']['host']` - The IP address to bind the api service to @@ -136,6 +147,7 @@ Templates * `api-paste.ini.erb` - Paste config for OpenStack Network server * `neutron.conf.erb` - Config file for OpenStack Network server * `ml2_conf.ini.erb` - Configuration of Network ML2 Plugins +* `vpn_agent.ini.erb` - Config file for Network VPN agent Testing ======= diff --git a/attributes/default.rb b/attributes/default.rb index ed575638..e4cdcb24 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -176,6 +176,9 @@ default['openstack']['network']['dhcp_driver'] = 'neutron.agent.linux.dhcp.Dnsma default['openstack']['network']['use_namespaces'] = 'True' default['openstack']['network']['allow_overlapping_ips'] = 'False' +# vpn agent configuration, default is false +default['openstack']['network']['enable_vpn'] = false + # use neutron root wrap default['openstack']['network']['use_rootwrap'] = true # rootwrap.conf @@ -347,6 +350,11 @@ default['openstack']['network']['l3']['periodic_fuzzy_delay'] = 5 # If True, namespaces will be deleted when a router is destroyed default['openstack']['network']['l3']['router_delete_namespaces'] = 'False' +# ============================= VPN Agent Configuration ==================== + +default['openstack']['network']['vpn']['vpn_device_driver'] = 'neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver' +default['openstack']['network']['vpn']['ipsec_status_check_interval'] = 60 + # ============================= Metadata Agent Configuration =============== # The location of the Nova Metadata API service to proxy to (nil uses default) @@ -986,6 +994,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this 'neutron_dhcp_packages' => ['openstack-neutron'], 'neutron_dhcp_build_packages' => [], 'neutron_l3_packages' => ['openstack-neutron'], + 'neutron_vpn_packages' => ['openstack-neutron'], 'neutron_lb_packages' => ['openstack-neutron', 'haproxy'], 'neutron_openvswitch_packages' => ['openvswitch'], 'neutron_openvswitch_agent_packages' => ['openstack-neutron-openvswitch'], @@ -995,6 +1004,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this 'neutron_server_packages' => [], 'neutron_dhcp_agent_service' => 'neutron-dhcp-agent', 'neutron_l3_agent_service' => 'neutron-l3-agent', + 'neutron_vpn_agent_service' => 'neutron-vpn-agent', 'neutron_lb_agent_service' => 'neutron-lbaas-agent', 'neutron_metadata_agent_service' => 'neutron-metadata-agent', 'neutron_openvswitch_service' => 'openvswitch', 
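Review bot: The comment on `enable_vpn` in the first hunk should say that the value must be a Ruby boolean. The neighbouring options in the same hunk (`use_namespaces`, `allow_overlapping_ips`) are the strings 'True'/'False', while both recipes in this commit test the flag for truthiness (`if node['openstack']['network']['enable_vpn']` and `return unless ...`). An operator who follows the local convention and sets 'False' would get the VPN agent installed and the L3 agent stopped and disabled. I would write `# vpn agent toggle: must be a Ruby true/false, not the string 'True'/'False'; any other non-nil value enables the VPN agent and disables the L3 agent`. The README entry added in this commit, which lists the option as BoolOpt, would benefit from the same sentence.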
@@ -1013,6 +1023,7 @@ when 'suse' 'neutron_dhcp_packages' => ['openstack-neutron-dhcp-agent'], 'neutron_dhcp_build_packages' => [], 'neutron_l3_packages' => ['openstack-neutron-l3-agent'], + 'neutron_vpn_packages' => ['openstack-neutron-vpn-agent'], 'neutron_lb_packages' => ['openstack-neutron-lbaas-agent'], # plugins are installed by the main openstack-neutron package on SUSE 'neutron_plugin_package' => '', @@ -1024,6 +1035,7 @@ when 'suse' 'neutron_server_packages' => [], 'neutron_dhcp_agent_service' => 'openstack-neutron-dhcp-agent', 'neutron_l3_agent_service' => 'openstack-neutron-l3-agent', + 'neutron_vpn_agent_service' => 'openstack-neutron-vpn-agent', 'neutron_lb_agent_service' => 'openstack-neutron-lbaas-agent', 'neutron_metadata_agent_service' => 'openstack-neutron-metadata-agent', 'neutron_openvswitch_service' => 'openvswitch-switch', @@ -1042,6 +1054,7 @@ when 'debian' 'neutron_dhcp_packages' => ['neutron-dhcp-agent'], 'neutron_dhcp_build_packages' => %w(build-essential pkg-config libidn11-dev libdbus-1-dev libnetfilter-conntrack-dev gettext), 'neutron_l3_packages' => ['neutron-l3-agent'], + 'neutron_vpn_packages' => ['neutron-vpn-agent'], 'neutron_lb_packages' => ['neutron-lbaas-agent', 'haproxy'], 'neutron_openvswitch_packages' => ['openvswitch-switch', 'openvswitch-datapath-dkms', 'bridge-utils'], 'neutron_openvswitch_build_packages' => %w(build-essential pkg-config fakeroot libssl-dev openssl debhelper autoconf dkms python-all python-qt4 python-zopeinterface python-twisted-conch), @@ -1052,6 +1065,7 @@ when 'debian' 'neutron_server_packages' => ['neutron-server'], 'neutron_dhcp_agent_service' => 'neutron-dhcp-agent', 'neutron_l3_agent_service' => 'neutron-l3-agent', + 'neutron_vpn_agent_service' => 'neutron-vpn-agent', 'neutron_lb_agent_service' => 'neutron-lbaas-agent', 'neutron_metadata_agent_service' => 'neutron-metadata-agent', 'neutron_openvswitch_service' => 'openvswitch-switch', 
diff --git a/metadata.rb b/metadata.rb index fa1f8874..5747a4e0 100644 --- a/metadata.rb +++ b/metadata.rb @@ -5,12 +5,13 @@ maintainer 'Jay Pipes ' license 'Apache 2.0' description 'Installs and configures the OpenStack Network API Service and various agents and plugins' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '10.0.1' +version '10.1.0' recipe 'openstack-network::client', 'Install packages required for network client' recipe 'openstack-network::server', 'Installs packages required for a OpenStack Network server' recipe 'openstack-network::openvswitch', 'Installs packages required for OVS' recipe 'openstack-network::metadata_agent', 'Installs packages required for a OpenStack Network Metadata Agent' recipe 'openstack-network::identity_registration', 'Registers OpenStack Network endpoints and service user with Keystone' +recipe 'openstack-network::vpn_agent', 'Installs packages required for Network VPN Agent' %w{ ubuntu fedora redhat centos suse }.each do |os| supports os diff --git a/recipes/l3_agent.rb b/recipes/l3_agent.rb index e3a50e67..f6b9d1da 100644 --- a/recipes/l3_agent.rb +++ b/recipes/l3_agent.rb 
@@ -38,17 +38,23 @@ end service 'neutron-l3-agent' do service_name platform_options['neutron_l3_agent_service'] supports status: true, restart: true - - action :enable - subscribes :restart, 'template[/etc/neutron/neutron.conf]' + # if the vpn agent is enabled, we should stop and disable the l3 agent + if node['openstack']['network']['enable_vpn'] + action [:stop, :disable] + else + action :enable + subscribes :restart, 'template[/etc/neutron/neutron.conf]' + end end template '/etc/neutron/l3_agent.ini' do source 'l3_agent.ini.erb' owner node['openstack']['network']['platform']['user'] group node['openstack']['network']['platform']['group'] - mode 00644 - notifies :restart, 'service[neutron-l3-agent]', :immediately + mode 00640 + unless node['openstack']['network']['enable_vpn'] + notifies :restart, 'service[neutron-l3-agent]', :immediately + end end driver_name = node['openstack']['network']['interface_driver'].split('.').last diff --git a/recipes/vpn_agent.rb b/recipes/vpn_agent.rb new file mode 100644 index 00000000..7869f361 --- /dev/null +++ b/recipes/vpn_agent.rb 
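Review bot: Switching `enable_vpn` back to false is not handled symmetrically in the `service 'neutron-l3-agent'` block. The else branch only declares `action :enable`, and the restart notification from l3_agent.ini fires only when that template changes, so an L3 agent that was stopped by the VPN branch stays stopped until something else restarts it. vpn_agent.rb returns early when the flag is false, so nothing in the visible recipes stops or disables neutron-vpn-agent either. I would use `action [:enable, :start]` in the else branch and either manage the VPN service with `action [:stop, :disable]` when the flag is cleared or document the manual step. The recipe starts before this hunk, so whether an earlier guard changes this is not visible here.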
@@ -0,0 +1,53 @@
+# Encoding: utf-8
+#
+# Cookbook Name:: openstack-network
+# Recipe:: vpn_agent
+#
+# Copyright 2013, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+['quantum', 'neutron'].include?(node['openstack']['compute']['network']['service_type']) || return
+return unless node['openstack']['network']['enable_vpn']
+
+# VPN agent is based on L3 agent
+include_recipe 'openstack-network::l3_agent'
+
+platform_options = node['openstack']['network']['platform']
+core_plugin = node['openstack']['network']['core_plugin']
+main_plugin = node['openstack']['network']['core_plugin_map'][core_plugin.split('.').last.downcase]
+
+platform_options['neutron_vpn_packages'].each do |pkg|
+ package pkg do
+ options platform_options['package_overrides']
+ action :upgrade
+ # The vpn agent is depends on l3_agent and the providers below do not use the generic L3 agent...
+ not_if { ['nicira', 'plumgrid', 'bigswitch'].include?(main_plugin) }
+ end
+end
+
+service 'neutron-vpn-agent' do
+ service_name platform_options['neutron_vpn_agent_service']
+ supports status: true, restart: true
+ action :enable
+ subscribes :restart, 'template[/etc/neutron/neutron.conf]'
+end
+
+template '/etc/neutron/vpn_agent.ini' do
+ source 'vpn_agent.ini.erb'
+ owner node['openstack']['network']['platform']['user']
+ group node['openstack']['network']['platform']['group']
+ mode 00640
+ notifies :restart, 'service[neutron-vpn-agent]', :immediately
+end
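Review bot: The `not_if` guard for nicira, plumgrid and bigswitch covers only the package loop. The `service 'neutron-vpn-agent'` and `template '/etc/neutron/vpn_agent.ini'` resources below it are declared for every plugin, so on those three the run would try to enable and restart a service whose package was skipped. By that point the included l3_agent recipe has already been told to stop and disable neutron-l3-agent because `enable_vpn` is set; how l3_agent.rb itself treats these plugins is outside this diff. Computing `main_plugin` before `include_recipe` and exiting with `return if %w(nicira plumgrid bigswitch).include?(main_plugin)` would keep package, service and template in step. Separately, `action :upgrade` takes whatever version the repository offers on each converge, which is harder to audit for a daemon that terminates IPsec tunnels than a pinned version.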
diff --git a/spec/l3_agent_spec.rb b/spec/l3_agent_spec.rb index 2bb571ad..679b6f41 100644 --- a/spec/l3_agent_spec.rb +++ b/spec/l3_agent_spec.rb @@ -40,7 +40,7 @@ describe 'openstack-network::l3_agent' do expect(chef_run).to create_template(file.name).with( user: 'neutron', group: 'neutron', - mode: 0644 + mode: 0640 ) end diff --git a/spec/vpn_agent_spec.rb b/spec/vpn_agent_spec.rb new file mode 100644 index 00000000..f7236028 --- /dev/null +++ b/spec/vpn_agent_spec.rb 
@@ -0,0 +1,54 @@
+# Encoding: utf-8
+require_relative 'spec_helper'
+
+describe 'openstack-network::vpn_agent' do
+
+ describe 'ubuntu' do
+ let(:runner) { ChefSpec::Runner.new(UBUNTU_OPTS) }
+ let(:node) { runner.node }
+ let(:chef_run) do
+ node.set['openstack']['compute']['network']['service_type'] = 'neutron'
+ node.set['openstack']['network']['enable_vpn'] = true
+ runner.converge(described_recipe)
+ end
+
+ include_context 'neutron-stubs'
+
+ it 'include the recipe openstack-network::l3_agent' do
+ expect(chef_run).to include_recipe('openstack-network::l3_agent')
+ end
+
+ it 'verify l3 agent is stoped and disabled' do
+ expect(chef_run).to stop_service('neutron-l3-agent')
+ expect(chef_run).to disable_service('neutron-l3-agent')
+ end
+
+ it 'upgrades neutron vpn package' do
+ expect(chef_run).to upgrade_package('neutron-vpn-agent')
+ end
+
+ it 'starts the vpn agent on boot' do
+ expect(chef_run).to enable_service('neutron-vpn-agent')
+ end
+
+ it 'subscribes the vpn agent service to neutron.conf' do
+ expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/neutron.conf]').delayed
+ end
+
+ describe 'vpn_agent.ini' do
+ let(:file) { chef_run.template('/etc/neutron/vpn_agent.ini') }
+
+ it 'creates vpn_agent.ini' do
+ expect(chef_run).to create_template(file.name).with(
+ user: 'neutron',
+ group: 'neutron',
+ mode: 0640
+ )
+ end
+
+ it 'notifies the vpn agent service' do
+ expect(file).to notify('service[neutron-vpn-agent]').to(:restart).immediately
+ end
+ end
+ end
+end
diff --git a/templates/default/vpn_agent.ini.erb b/templates/default/vpn_agent.ini.erb
new file mode 100644
index 00000000..24ab39af
--- /dev/null
+++ b/templates/default/vpn_agent.ini.erb
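Review bot: Only the enabled path is exercised here; there is no example for `enable_vpn` left at its default of false, which is the case where the recipe must be a no-op and leave neutron-l3-agent alone. I would add a context that does not set the attribute and asserts `expect(chef_run).not_to enable_service('neutron-vpn-agent')` and `expect(chef_run).not_to upgrade_package('neutron-vpn-agent')`. A second context whose `core_plugin` maps to nicira, plumgrid or bigswitch would pin the `not_if` on the package resource. The example description 'verify l3 agent is stoped and disabled' should read `stopped`.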
@@ -0,0 +1,19 @@
+<%= node["openstack"]["network"]["custom_template_banner"] %>
+
+[DEFAULT]
+# VPN-Agent configuration file
+# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
+debug = <%= node["openstack"]["network"]["debug"] %>
+interface_driver = <%= node["openstack"]["network"]["interface_driver"] %>
+
+[vpnagent]
+# vpn device drivers which vpn agent will use
+# If we want to use multiple drivers, we need to define this option multiple times.
+# vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
+# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
+# vpn_device_driver=another_driver
+vpn_device_driver = <%= node['openstack']['network']['vpn']['vpn_device_driver'] %>
+
+[ipsec]
+# Status check interval
+ipsec_status_check_interval = <%= node['openstack']['network']['vpn']['ipsec_status_check_interval'] %>
\ No newline at end of file
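Review bot: The `[vpnagent]` comment says several drivers are configured by repeating `vpn_device_driver`, but the template renders the attribute on a single line, so an array value would be written out as a Ruby array literal rather than as repeated options. Rendering it as `<% Array(node['openstack']['network']['vpn']['vpn_device_driver']).each do |driver| -%>`, `vpn_device_driver = <%= driver %>`, `<% end -%>` keeps the string default working and accepts a list. `debug` comes from the shared `node["openstack"]["network"]["debug"]` attribute; it is worth confirming what the VPN agent logs at debug level before that flag is turned on for nodes that handle tunnel secrets. The file also ends without a final newline.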