Add devstack plugin support for fwaas v2
This sets up a new devstack keyword - q-fwaas-v1 - in addition to the
existing q-fwaas plugin. The q-fwaas keyword configures the devstack
plugin to support FWaaS v2. FWaaS v2 is the future, and should be the
default for development at this point. But the new keyword, q-fwaas-v1,
will set things up for FWaaS v1, and there is also q-fwaas-v2 to
explicitly select FWaaS v2.
Also ensure that /etc/neutron/policy.d gets set up for FWaaS
policy.json.
Change-Id: If35ca26028ddedcf1bc22dd8749cb11c69a1ccbb
(cherry picked from commit a66f3a68bf)
parent
9b86e3590f
commit
f5106188f8
|
@ -5,18 +5,20 @@ This is setup as a DevStack plugin. For more information on DevStack plugins,
|
||||||
see the `DevStack Plugins documentation
|
see the `DevStack Plugins documentation
|
||||||
<http://docs.openstack.org/developer/devstack/plugins.html>`_.
|
<http://docs.openstack.org/developer/devstack/plugins.html>`_.
|
||||||
|
|
||||||
This was created using the `devstack-plugin-cookiecutter
|
Please note that the old 'q-fwaas' keyword still exists, and will run FWaaS V1.
|
||||||
<https://github.com/openstack-dev/devstack-plugin-cookiecutter>`_ tool.
|
This default will be changed during the Ocata cycle. The introduction of two
|
||||||
|
new keywords, 'q-fwaas-v1' and 'q-fwaas-v2' allow you to explicitly select the
|
||||||
|
version you with to run.
|
||||||
|
|
||||||
How to run FWaaS in DevStack
|
How to run FWaaS V2 in DevStack
|
||||||
=========================
|
===============================
|
||||||
|
|
||||||
Add the following to the localrc section of your local.conf:
|
Add the following to the localrc section of your local.conf to configure FWaaS v2.
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
[[local|localrc]]
|
[[local|localrc]]
|
||||||
enable_plugin neutron-fwaas http://git.openstack.org/openstack/neutron-fwaas
|
enable_plugin neutron-fwaas http://git.openstack.org/openstack/neutron-fwaas
|
||||||
enable_service q-fwaas
|
enable_service q-fwaas-v2
|
||||||
|
|
||||||
To check a specific patchset that is currently under development, use a form
|
To check a specific patchset that is currently under development, use a form
|
||||||
like the below example, which is checking out change 214350 patch set 14 for
|
like the below example, which is checking out change 214350 patch set 14 for
|
||||||
|
@ -25,4 +27,23 @@ testing.
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
[[local|localrc]]
|
[[local|localrc]]
|
||||||
enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14
|
enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14
|
||||||
enable_service q-fwaas
|
enable_service q-fwaas-v2
|
||||||
|
|
||||||
|
How to run FWaaS V1 in DevStack
|
||||||
|
===============================
|
||||||
|
|
||||||
|
Add the following to the localrc section of your local.conf to configure FWaaS v1.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
[[local|localrc]]
|
||||||
|
enable_plugin neutron-fwaas http://git.openstack.org/openstack/neutron-fwaas
|
||||||
|
enable_service q-fwaas-v1
|
||||||
|
|
||||||
|
To check a specific patchset that is currently under development, use a form
|
||||||
|
like the below example, which is checking out change 214350 patch set 14 for
|
||||||
|
testing.
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
[[local|localrc]]
|
||||||
|
enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14
|
||||||
|
enable_service q-fwaas-v1
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
# This file was shamelessly stolen from the neutron repository here:
|
||||||
|
# http://git.openstack.org/cgit/openstack/neutron/tree/devstack/lib/l2_agent
|
||||||
|
|
||||||
|
function plugin_agent_add_l2_agent_extension {
|
||||||
|
local l2_agent_extension=$1
|
||||||
|
if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then
|
||||||
|
L2_AGENT_EXTENSIONS=$l2_agent_extension
|
||||||
|
elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then
|
||||||
|
L2_AGENT_EXTENSIONS+=",$l2_agent_extension"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function configure_l2_agent {
|
||||||
|
iniset /$Q_PLUGIN_CONF_FILE agent extensions "$L2_AGENT_EXTENSIONS"
|
||||||
|
}
|
|
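Review bot: The duplicate check in plugin_agent_add_l2_agent_extension uses `=~` with an unquoted right-hand side, so the extension name is interpreted as a regular expression rather than compared literally. A name containing `.` or another metacharacter could match an entry that is not actually in the list and be silently skipped. A literal comparison avoids that: `elif [[ ",${L2_AGENT_EXTENSIONS}," != *",${l2_agent_extension},"* ]]; then`. The same test appears in plugin_agent_add_l3_agent_extension in the l3_agent file and would take the same change.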
@ -0,0 +1,16 @@
|
||||||
|
# This file is completely based on one in the neutron repository here:
|
||||||
|
# http://git.openstack.org/cgit/openstack/neutron/tree/devstack/lib/l2_agent
|
||||||
|
|
||||||
|
function plugin_agent_add_l3_agent_extension {
|
||||||
|
local l3_agent_extension=$1
|
||||||
|
if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then
|
||||||
|
L3_AGENT_EXTENSIONS=$l3_agent_extension
|
||||||
|
elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then
|
||||||
|
L3_AGENT_EXTENSIONS+=",$l3_agent_extension"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function configure_l3_agent {
|
||||||
|
iniset $Q_L3_CONF_FILE AGENT extensions "$L3_AGENT_EXTENSIONS"
|
||||||
|
}
|
|
@ -21,6 +21,11 @@
|
||||||
XTRACE=$(set +o | grep xtrace)
|
XTRACE=$(set +o | grep xtrace)
|
||||||
set +o xtrace
|
set +o xtrace
|
||||||
|
|
||||||
|
# Source in L2 and L3 agent extension management
|
||||||
|
LIBDIR=$DEST/neutron-fwaas/devstack/lib
|
||||||
|
source $LIBDIR/l2_agent
|
||||||
|
source $LIBDIR/l3_agent
|
||||||
|
|
||||||
function pre_install_fwaas() {
|
function pre_install_fwaas() {
|
||||||
# Install OS packages if necessary with "install_package ...".
|
# Install OS packages if necessary with "install_package ...".
|
||||||
:
|
:
|
||||||
|
@ -33,14 +38,23 @@ function install_fwaas() {
|
||||||
setup_develop $DEST/neutron-fwaas
|
setup_develop $DEST/neutron-fwaas
|
||||||
}
|
}
|
||||||
|
|
||||||
function configure_fwaas() {
|
function configure_fwaas_v1() {
|
||||||
neutron_fwaas_configure_driver
|
neutron_fwaas_configure_driver fwaas
|
||||||
iniset_multiline $Q_L3_CONF_FILE AGENT extensions fwaas
|
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v1
|
||||||
|
}
|
||||||
|
|
||||||
|
function configure_fwaas_v2() {
|
||||||
|
neutron_fwaas_configure_driver fwaas_v2
|
||||||
|
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
|
||||||
}
|
}
|
||||||
|
|
||||||
function init_fwaas() {
|
function init_fwaas() {
|
||||||
# Initialize and start the service.
|
# Initialize and start the service.
|
||||||
:
|
:
|
||||||
|
if [ ! -d /etc/neutron/policy.d ]; then
|
||||||
|
mkdir /etc/neutron/policy.d
|
||||||
|
fi
|
||||||
|
cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
|
||||||
}
|
}
|
||||||
|
|
||||||
function shutdown_fwaas() {
|
function shutdown_fwaas() {
|
||||||
|
@ -54,16 +68,24 @@ function cleanup_fwaas() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function neutron_fwaas_configure_common {
|
function neutron_fwaas_configure_common {
|
||||||
_neutron_service_plugin_class_add $FWAAS_PLUGIN
|
if is_service_enabled q-fwaas-v1; then
|
||||||
|
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V1
|
||||||
|
elif is_service_enabled q-fwaas-v2; then
|
||||||
|
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V2
|
||||||
|
else
|
||||||
|
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V1
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function neutron_fwaas_configure_driver {
|
function neutron_fwaas_configure_driver {
|
||||||
|
plugin_agent_add_l3_agent_extension $1
|
||||||
|
configure_l3_agent
|
||||||
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
||||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
|
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
|
||||||
}
|
}
|
||||||
|
|
||||||
# check for service enabled
|
# check for service enabled
|
||||||
if is_service_enabled q-svc && is_service_enabled q-fwaas; then
|
if is_service_enabled q-svc && ( is_service_enabled q-fwaas || is_service_enabled q-fwaas-v1 || is_service_enabled q-fwaas-v2 ) then
|
||||||
|
|
||||||
if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
|
if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
|
||||||
# Set up system services
|
# Set up system services
|
||||||
|
@ -77,8 +99,16 @@ if is_service_enabled q-svc && is_service_enabled q-fwaas; then
|
||||||
|
|
||||||
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
||||||
# Configure after the other layer 1 and 2 services have been configured
|
# Configure after the other layer 1 and 2 services have been configured
|
||||||
echo_summary "Configuring q-fwaas"
|
if is_service_enabled q-fwaas-v1; then
|
||||||
configure_fwaas
|
echo_summary "Configuring q-fwaas for FWaaS v1"
|
||||||
|
configure_fwaas_v1
|
||||||
|
elif is_service_enabled q-fwaas-v2; then
|
||||||
|
echo_summary "Configuring q-fwaas for FWaaS v2"
|
||||||
|
configure_fwaas_v2
|
||||||
|
else
|
||||||
|
echo_summary "Configuring q-fwaas for FWaaS v1"
|
||||||
|
configure_fwaas_v1
|
||||||
|
fi
|
||||||
|
|
||||||
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
||||||
# Initialize and start the q-fwaas service
|
# Initialize and start the q-fwaas service
|
||||||
|
|
|
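Review bot: The version selection in the post-config branch and in neutron_fwaas_configure_common silently resolves to v1 when both q-fwaas-v1 and q-fwaas-v2 are enabled. Bare q-fwaas also lands on v1 through the `else` branch, which appears to disagree with the commit message saying q-fwaas selects v2. Since this decides which firewall plugin and L3 agent extension get loaded, a guard before the chain would make a conflicting local.conf fail loudly, e.g. `if is_service_enabled q-fwaas-v1 && is_service_enabled q-fwaas-v2; then die $LINENO "enable only one of q-fwaas-v1 or q-fwaas-v2"; fi`. The first and last branches are identical in both places, so each chain could reduce to a single v2 test with v1 as the fallback. Both enclosing blocks extend beyond the visible hunks.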
@ -1,2 +1,3 @@
|
||||||
FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
|
FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
|
||||||
FWAAS_PLUGIN=${FWAAS_PLUGIN:-firewall}
|
FWAAS_PLUGIN_V1=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}
|
||||||
|
FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}
|
||||||
|
|
|
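Review bot: Both FWAAS_PLUGIN_V1 and FWAAS_PLUGIN_V2 take their default from the same FWAAS_PLUGIN variable. An existing local.conf that still sets FWAAS_PLUGIN (the removed line shows the old default was `firewall`) therefore makes both resolve to the same value, so enabling q-fwaas-v2 would load whatever v1 plugin was configured. Each variable should be overridable under its own name: `FWAAS_PLUGIN_V1=${FWAAS_PLUGIN_V1:-${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}}` and `FWAAS_PLUGIN_V2=${FWAAS_PLUGIN_V2:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}`.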
@ -31,5 +31,5 @@
|
||||||
"get_firewall_group:public": "rule:admin_only",
|
"get_firewall_group:public": "rule:admin_only",
|
||||||
"update_firewall_group": "rule:admin_or_owner",
|
"update_firewall_group": "rule:admin_or_owner",
|
||||||
"update_firewall_group:public": "rule:admin_only",
|
"update_firewall_group:public": "rule:admin_only",
|
||||||
"delete_firewall_group": "rule:admin_or_owner",
|
"delete_firewall_group": "rule:admin_or_owner"
|
||||||
}
|
}
|
||||||
|
|