6wind-virtual-accelerator-plugin: implement security group deactivation

This patch reworks plugin to: - remove the possibility to disable ipset since starting from Virtual Accelerator 1.4 ipset are fully supported. - allow neutron security groups deactivation to benefit from better performances. Disabling security groups needs (different) configurations on controller and compute nodes. For this reason this patch moves all the node specific neutron configuration in specific tasks for a better separation of code. Signed-off-by: Francesco Santoro <francesco.santoro@6wind.com> Closes-bug: #1631953 Change-Id: I030d41751811831144be0b640ae19e56f22a8f0b
2016-10-10 14:46:16 +02:00 · 2016-10-10 14:46:16 +02:00 · d3f2e1fdc6
parent bdea8de749
commit d3f2e1fdc6
10 changed files with 87 additions and 25 deletions
--- a/deployment_scripts/puppet/manifests/neutron_conf.pp
+++ b/deployment_scripts/puppet/manifests/neutron_conf.pp
@ -1,7 +0,0 @@
-#
-# Copyright 2016 6WIND S.A.
-
-notice('MODULAR: virtual_accelerator/neutron_conf.pp')
-
-include virtual_accelerator
-class { 'virtual_accelerator::neutron_conf': }
--- a/deployment_scripts/puppet/manifests/neutron_conf_compute.pp
+++ b/deployment_scripts/puppet/manifests/neutron_conf_compute.pp
@ -0,0 +1,7 @@
+#
+# Copyright 2016 6WIND S.A.
+
+notice('MODULAR: virtual_accelerator/neutron_conf_compute.pp')
+
+include virtual_accelerator
+class { 'virtual_accelerator::neutron_conf_compute': }
--- a/deployment_scripts/puppet/manifests/neutron_conf_controller.pp
+++ b/deployment_scripts/puppet/manifests/neutron_conf_controller.pp
@ -0,0 +1,7 @@
+#
+# Copyright 2016 6WIND S.A.
+
+notice('MODULAR: virtual_accelerator/neutron_conf_controller.pp')
+
+include virtual_accelerator
+class { 'virtual_accelerator::neutron_conf_controller': }
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp
@ -14,7 +14,7 @@ class virtual_accelerator {
  $fp_mem = $settings['fp_mem']
  $vm_mem = $settings['vm_mem']
  $va_conf_file = ''
-  $disable_ipset = $settings['disable_ipset']
+  $disable_secgroup = $settings['disable_secgroup']
  $enable_host_cpu = $settings['enable_host_cpu']
  $va_version = $settings['va_version']
  $mellanox_support = $settings['mellanox_support']
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_compute.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_compute.pp
@ -1,21 +1,22 @@
 #
 # Copyright 2016 6WIND S.A.

-class virtual_accelerator::neutron_conf inherits virtual_accelerator {
+class virtual_accelerator::neutron_conf_compute inherits virtual_accelerator {

-  $advanced_params = $virtual_accelerator::advanced_params
+  $disable_secgroup = $virtual_accelerator::disable_secgroup

-  $disable_ipset = $virtual_accelerator::disable_ipset
-  $va_version = $virtual_accelerator::va_version
-
-  if $disable_ipset == true or $va_version == '1.3' {
-      $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/ml2_conf.ini"
+  if $disable_secgroup == true {
+      $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/openvswitch_agent.ini"

      package { 'crudini':
         ensure => 'latest',
+      }
+
+      exec { 'disable_secgroup':
+         command => "crudini --set ${OVS_CONF_FILE} securitygroup enable_security_group False",
      } ->
-      exec { 'disable_ipset':
-         command => "crudini --set ${OVS_CONF_FILE} securitygroup enable_ipset False",
+      exec { 'disable_firewall':
+         command => "crudini --set ${OVS_CONF_FILE} securitygroup firewall_driver noop",
         notify => Service['openvswitch-switch'],
      }

@ -30,4 +31,3 @@ class virtual_accelerator::neutron_conf inherits virtual_accelerator {
  }

 }
-
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp
@ -0,0 +1,26 @@
+#
+# Copyright 2016 6WIND S.A.
+
+class virtual_accelerator::neutron_conf_controller inherits virtual_accelerator {
+
+  $disable_secgroup = $virtual_accelerator::disable_secgroup
+
+  if $disable_secgroup == true {
+      $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/ml2_conf.ini"
+
+      package { 'crudini':
+         ensure => 'latest',
+         notify => Exec['disable_firewall'],
+      }
+
+      exec { 'disable_firewall':
+         command => "crudini --set ${OVS_CONF_FILE} securitygroup firewall_driver noop",
+         notify => Service['neutron-server'],
+      }
+
+      service { 'neutron-server':
+         ensure => 'running',
+      }
+  }
+
+}
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp
@ -19,6 +19,13 @@ class virtual_accelerator::nova_conf inherits virtual_accelerator {
    install_options => ['--allow-unauthenticated'],
  }

+  if $disable_secgroup == true {
+    exec { 'disable_secgroup':
+        command => "crudini --del ${NOVA_CONF_FILE} DEFAULT security_group_api",
+        notify => Exec['vcpu_pin'],
+    }
+  }
+
  exec { 'vcpu_pin':
      command => "crudini --set ${NOVA_CONF_FILE} DEFAULT vcpu_pin_set $(python /usr/local/bin/get_vcpu_pin_set.py)",
  }
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@ -57,13 +57,23 @@
    puppet_modules: puppet/modules:/etc/puppet/modules
    timeout: 3600

- id: 6wind-virtual-accelerator-neutron-conf
+- id: 6wind-virtual-accelerator-neutron-conf-compute
  type: puppet
-  role: ['primary-controller', '6wind-virtual-accelerator']
+  role: [6wind-virtual-accelerator]
+  required_for: [6wind-virtual-accelerator-start]
+  requires: [post_deployment_start]
+  parameters:
+    puppet_manifest: puppet/manifests/neutron_conf_compute.pp
+    puppet_modules: puppet/modules:/etc/puppet/modules
+    timeout: 3600
+
+- id: 6wind-virtual-accelerator-neutron-conf-controller
+  type: puppet
+  role: [primary-controller]
  required_for: [post_deployment_end]
  requires: [post_deployment_start]
  parameters:
-    puppet_manifest: puppet/manifests/neutron_conf.pp
+    puppet_manifest: puppet/manifests/neutron_conf_controller.pp
    puppet_modules: puppet/modules:/etc/puppet/modules
    timeout: 3600

--- a/doc/source/user-guide.rst
+++ b/doc/source/user-guide.rst
@ -101,6 +101,18 @@ This plugin offers the possibility to enable/disable such configuration in Nova
 with a specific option (`Host cpu emulation for guests`) in the advanced
 parameters.

+Disable security groups
+-----------------------
+
+By default Fuel installs Openstack with security groups active to enable
+traffic filtering between virtual machines.
+In many cases (including NFV) such filtering is not really necessary
+and it heavily affects vm to vm traffic performances.
+
+6WIND Virtual Accelerator Fuel plugin makes possible to disable such
+security group configuration in both Nova/Neutron via the specific option
+(`Disable neutron securty groups`) in the advanced parameters.
+
 Configure hugepages support for virtual machines
 ------------------------------------------------

--- a/environment_config.yaml
+++ b/environment_config.yaml
@ -94,11 +94,11 @@ attributes:
      - condition: "settings:6wind-virtual-accelerator.advanced_params_enabled.value == false"
        action: hide

-  disable_ipset:
+  disable_secgroup:
    value: false
-    label: 'Disable neutron ipset'
-    description: 'Set/unset support for ipset when using security groups'
-    weight: 80
+    label: 'Disable neutron security groups'
+    description: 'Enable/disable security groups for some cases such as NFV'
+    weight: 76
    type: "checkbox"
    restrictions:
      - condition: "settings:6wind-virtual-accelerator.advanced_params_enabled.value == false"