Enable Neutron VPN as Service

Add a recipe, related attribute/template, and unit tests to
to install, configure and start VPN service.
Stop L3 agent if VPN is enabled.

Change-Id: I63322e3c43e38444163371636cbab2c3bbdeaacf
Implements: Blueprint neutron-vpnaas-enablement

CHANGELOG.md

@@ -1,6 +1,9 @@
 # CHANGELOG for cookbook-openstack-network
 This file is used to list changes made in each version of cookbook-openstack-network.
 
+## 10.1.0
+* Add support for Neutron VPN Service
+
 ## 10.0.1
 * Add tunnel_types item in ovs_neutron_plugin.ini.erb
 

README.md

@@ -49,6 +49,11 @@ l3\_agent
 
 - Installs the L3 agent and metadata agent
 
+vpn\_agent
+--------
+
+- Installs the VPN agent
+
 Identity-registration
 ---------------------
 
@@ -122,6 +127,12 @@ L3 Agent Configuration
 ----------------------
 * `openstack['openstack']['network']['l3']['router_delete_namespaces'] - (StrOpt) If True, namespaces will be deleted when a router is destroyed.
 
+VPN Agent Configuration
+----------------------
+* `openstack['openstack']['network']['enable_vpn'] - (BoolOpt) Enable VPN agent. (default false)
+* `openstack['openstack']['network']['vpn']['vpn_device_driver'] - (StrOpt) VPN device drivers which VPN agent will use
+* `openstack['openstack']['network']['vpn']['ipsec_status_check_interval'] - (IntOpt) Status check interval for ipsec VPN
+
 The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
 
 * `openstack['endpoints']['network-api-bind']['host']` - The IP address to bind the api service to
@@ -136,6 +147,7 @@ Templates
 * `api-paste.ini.erb` - Paste config for OpenStack Network server
 * `neutron.conf.erb` - Config file for OpenStack Network server
 * `ml2_conf.ini.erb` - Configuration of Network ML2 Plugins
+* `vpn_agent.ini.erb` - Config file for Network VPN agent
 
 Testing
 =======

attributes/default.rb

@@ -176,6 +176,9 @@ default['openstack']['network']['dhcp_driver'] = 'neutron.agent.linux.dhcp.Dnsma
 default['openstack']['network']['use_namespaces'] = 'True'
 default['openstack']['network']['allow_overlapping_ips'] = 'False'
 
+# vpn agent configuration, default is false
+default['openstack']['network']['enable_vpn'] = false
+
 # use neutron root wrap
 default['openstack']['network']['use_rootwrap'] = true
 # rootwrap.conf
@@ -347,6 +350,11 @@ default['openstack']['network']['l3']['periodic_fuzzy_delay'] = 5
 # If True, namespaces will be deleted when a router is destroyed
 default['openstack']['network']['l3']['router_delete_namespaces'] = 'False'
 
+# ============================= VPN Agent Configuration ====================
+
+default['openstack']['network']['vpn']['vpn_device_driver'] = 'neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver'
+default['openstack']['network']['vpn']['ipsec_status_check_interval'] = 60
+
 # ============================= Metadata Agent Configuration ===============
 
 # The location of the Nova Metadata API service to proxy to (nil uses default)
@@ -986,6 +994,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
     'neutron_dhcp_packages' => ['openstack-neutron'],
     'neutron_dhcp_build_packages' => [],
     'neutron_l3_packages' => ['openstack-neutron'],
+    'neutron_vpn_packages' => ['openstack-neutron'],
     'neutron_lb_packages' => ['openstack-neutron', 'haproxy'],
     'neutron_openvswitch_packages' => ['openvswitch'],
     'neutron_openvswitch_agent_packages' => ['openstack-neutron-openvswitch'],
@@ -995,6 +1004,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
     'neutron_server_packages' => [],
     'neutron_dhcp_agent_service' => 'neutron-dhcp-agent',
     'neutron_l3_agent_service' => 'neutron-l3-agent',
+    'neutron_vpn_agent_service' => 'neutron-vpn-agent',
     'neutron_lb_agent_service' => 'neutron-lbaas-agent',
     'neutron_metadata_agent_service' => 'neutron-metadata-agent',
     'neutron_openvswitch_service' => 'openvswitch',
@@ -1013,6 +1023,7 @@ when 'suse'
     'neutron_dhcp_packages' => ['openstack-neutron-dhcp-agent'],
     'neutron_dhcp_build_packages' => [],
     'neutron_l3_packages' => ['openstack-neutron-l3-agent'],
+    'neutron_vpn_packages' => ['openstack-neutron-vpn-agent'],
     'neutron_lb_packages' => ['openstack-neutron-lbaas-agent'],
     # plugins are installed by the main openstack-neutron package on SUSE
     'neutron_plugin_package' => '',
@@ -1024,6 +1035,7 @@ when 'suse'
     'neutron_server_packages' => [],
     'neutron_dhcp_agent_service' => 'openstack-neutron-dhcp-agent',
     'neutron_l3_agent_service' => 'openstack-neutron-l3-agent',
+    'neutron_vpn_agent_service' => 'openstack-neutron-vpn-agent',
     'neutron_lb_agent_service' => 'openstack-neutron-lbaas-agent',
     'neutron_metadata_agent_service' => 'openstack-neutron-metadata-agent',
     'neutron_openvswitch_service' => 'openvswitch-switch',
@@ -1042,6 +1054,7 @@ when 'debian'
     'neutron_dhcp_packages' => ['neutron-dhcp-agent'],
     'neutron_dhcp_build_packages' => %w(build-essential pkg-config libidn11-dev libdbus-1-dev libnetfilter-conntrack-dev gettext),
     'neutron_l3_packages' => ['neutron-l3-agent'],
+    'neutron_vpn_packages' => ['neutron-vpn-agent'],
     'neutron_lb_packages' => ['neutron-lbaas-agent', 'haproxy'],
     'neutron_openvswitch_packages' => ['openvswitch-switch', 'openvswitch-datapath-dkms', 'bridge-utils'],
     'neutron_openvswitch_build_packages' => %w(build-essential pkg-config fakeroot libssl-dev openssl debhelper autoconf dkms python-all python-qt4 python-zopeinterface python-twisted-conch),
@@ -1052,6 +1065,7 @@ when 'debian'
     'neutron_server_packages' => ['neutron-server'],
     'neutron_dhcp_agent_service' => 'neutron-dhcp-agent',
     'neutron_l3_agent_service' => 'neutron-l3-agent',
+    'neutron_vpn_agent_service' => 'neutron-vpn-agent',
     'neutron_lb_agent_service' => 'neutron-lbaas-agent',
     'neutron_metadata_agent_service' => 'neutron-metadata-agent',
     'neutron_openvswitch_service' => 'openvswitch-switch',

metadata.rb

@@ -5,12 +5,13 @@ maintainer        'Jay Pipes <jaypipes@gmail.com>'
 license           'Apache 2.0'
 description       'Installs and configures the OpenStack Network API Service and various agents and plugins'
 long_description  IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version           '10.0.1'
+version           '10.1.0'
 recipe            'openstack-network::client', 'Install packages required for network client'
 recipe            'openstack-network::server', 'Installs packages required for a OpenStack Network server'
 recipe            'openstack-network::openvswitch', 'Installs packages required for OVS'
 recipe            'openstack-network::metadata_agent', 'Installs packages required for a OpenStack Network Metadata Agent'
 recipe            'openstack-network::identity_registration', 'Registers OpenStack Network endpoints and service user with Keystone'
+recipe            'openstack-network::vpn_agent', 'Installs packages required for Network VPN Agent'
 
 %w{ ubuntu fedora redhat centos suse }.each do |os|
   supports os

recipes/l3_agent.rb

@@ -38,17 +38,23 @@ end
 service 'neutron-l3-agent' do
   service_name platform_options['neutron_l3_agent_service']
   supports status: true, restart: true
-
+  # if the vpn agent is enabled, we should stop and disable the l3 agent
-  action :enable
+  if node['openstack']['network']['enable_vpn']
-  subscribes :restart, 'template[/etc/neutron/neutron.conf]'
+    action [:stop, :disable]
+  else
+    action :enable
+    subscribes :restart, 'template[/etc/neutron/neutron.conf]'
+  end
 end
 
 template '/etc/neutron/l3_agent.ini' do
   source 'l3_agent.ini.erb'
   owner node['openstack']['network']['platform']['user']
   group node['openstack']['network']['platform']['group']
-  mode   00644
+  mode   00640
-  notifies :restart, 'service[neutron-l3-agent]', :immediately
+  unless node['openstack']['network']['enable_vpn']
+    notifies :restart, 'service[neutron-l3-agent]', :immediately
+  end
 end
 
 driver_name = node['openstack']['network']['interface_driver'].split('.').last

recipes/vpn_agent.rb

@@ -0,0 +1,53 @@
+# Encoding: utf-8
+#
+# Cookbook Name:: openstack-network
+# Recipe:: vpn_agent
+#
+# Copyright 2013, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+['quantum', 'neutron'].include?(node['openstack']['compute']['network']['service_type']) || return
+return unless node['openstack']['network']['enable_vpn']
+
+# VPN agent is based on L3 agent
+include_recipe 'openstack-network::l3_agent'
+
+platform_options = node['openstack']['network']['platform']
+core_plugin = node['openstack']['network']['core_plugin']
+main_plugin = node['openstack']['network']['core_plugin_map'][core_plugin.split('.').last.downcase]
+
+platform_options['neutron_vpn_packages'].each do |pkg|
+  package pkg do
+    options platform_options['package_overrides']
+    action :upgrade
+    # The vpn agent is depends on l3_agent and the providers below do not use the generic L3 agent...
+    not_if { ['nicira', 'plumgrid', 'bigswitch'].include?(main_plugin) }
+  end
+end
+
+service 'neutron-vpn-agent' do
+  service_name platform_options['neutron_vpn_agent_service']
+  supports status: true, restart: true
+  action :enable
+  subscribes :restart, 'template[/etc/neutron/neutron.conf]'
+end
+
+template '/etc/neutron/vpn_agent.ini' do
+  source 'vpn_agent.ini.erb'
+  owner node['openstack']['network']['platform']['user']
+  group node['openstack']['network']['platform']['group']
+  mode   00640
+  notifies :restart, 'service[neutron-vpn-agent]', :immediately
+end

spec/l3_agent_spec.rb

@@ -40,7 +40,7 @@ describe 'openstack-network::l3_agent' do
         expect(chef_run).to create_template(file.name).with(
           user: 'neutron',
           group: 'neutron',
-          mode: 0644
+          mode: 0640
         )
       end
 

spec/vpn_agent_spec.rb

@@ -0,0 +1,54 @@
+# Encoding: utf-8
+require_relative 'spec_helper'
+
+describe 'openstack-network::vpn_agent' do
+
+  describe 'ubuntu' do
+    let(:runner) { ChefSpec::Runner.new(UBUNTU_OPTS) }
+    let(:node) { runner.node }
+    let(:chef_run) do
+      node.set['openstack']['compute']['network']['service_type'] = 'neutron'
+      node.set['openstack']['network']['enable_vpn'] = true
+      runner.converge(described_recipe)
+    end
+
+    include_context 'neutron-stubs'
+
+    it 'include the recipe openstack-network::l3_agent' do
+      expect(chef_run).to include_recipe('openstack-network::l3_agent')
+    end
+
+    it 'verify l3 agent is stoped and disabled' do
+      expect(chef_run).to stop_service('neutron-l3-agent')
+      expect(chef_run).to disable_service('neutron-l3-agent')
+    end
+
+    it 'upgrades neutron vpn package' do
+      expect(chef_run).to upgrade_package('neutron-vpn-agent')
+    end
+
+    it 'starts the vpn agent on boot' do
+      expect(chef_run).to enable_service('neutron-vpn-agent')
+    end
+
+    it 'subscribes the vpn agent service to neutron.conf' do
+      expect(chef_run.service('neutron-vpn-agent')).to subscribe_to('template[/etc/neutron/neutron.conf]').delayed
+    end
+
+    describe 'vpn_agent.ini' do
+      let(:file) { chef_run.template('/etc/neutron/vpn_agent.ini') }
+
+      it 'creates vpn_agent.ini' do
+        expect(chef_run).to create_template(file.name).with(
+          user: 'neutron',
+          group: 'neutron',
+          mode: 0640
+        )
+      end
+
+      it 'notifies the vpn agent service' do
+        expect(file).to notify('service[neutron-vpn-agent]').to(:restart).immediately
+      end
+    end
+  end
+end

templates/default/vpn_agent.ini.erb

@@ -0,0 +1,19 @@
+<%= node["openstack"]["network"]["custom_template_banner"] %>
+
+[DEFAULT]
+# VPN-Agent configuration file
+# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also
+debug = <%= node["openstack"]["network"]["debug"] %>
+interface_driver = <%= node["openstack"]["network"]["interface_driver"] %>
+
+[vpnagent]
+# vpn device drivers which vpn agent will use
+# If we want to use multiple drivers,  we need to define this option multiple times.
+# vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
+# vpn_device_driver=neutron.services.vpn.device_drivers.cisco_ipsec.CiscoCsrIPsecDriver
+# vpn_device_driver=another_driver
+vpn_device_driver = <%= node['openstack']['network']['vpn']['vpn_device_driver'] %>
+
+[ipsec]
+# Status check interval
+ipsec_status_check_interval = <%= node['openstack']['network']['vpn']['ipsec_status_check_interval'] %>