Add devstack plugin support for fwaas v2
This sets up a new devstack keyword - q-fwaas-v1 - in addition to the
existing q-fwaas plugin. The q-fwaas keyword configures the devstack
plugin to support FWaaS v2. FWaaS v2 is the future, and should be the
default for development at this point. But the new keyword, q-fwaas-v1,
will set things up for FWaaS v1, and there is also q-fwaas-v2 to
explicitly select FWaaS v2.
Also ensure that /etc/neutron/policy.d gets set up for FWaaS
policy.json.
Change-Id: If35ca26028ddedcf1bc22dd8749cb11c69a1ccbb
(cherry picked from commit a66f3a68bf
)
parent
9b86e3590f
commit
f5106188f8
|
@ -5,18 +5,20 @@ This is setup as a DevStack plugin. For more information on DevStack plugins,
|
|||
see the `DevStack Plugins documentation
|
||||
<http://docs.openstack.org/developer/devstack/plugins.html>`_.
|
||||
|
||||
This was created using the `devstack-plugin-cookiecutter
|
||||
<https://github.com/openstack-dev/devstack-plugin-cookiecutter>`_ tool.
|
||||
Please note that the old 'q-fwaas' keyword still exists, and will run FWaaS V1.
|
||||
This default will be changed during the Ocata cycle. The introduction of two
|
||||
new keywords, 'q-fwaas-v1' and 'q-fwaas-v2' allow you to explicitly select the
|
||||
version you with to run.
|
||||
|
||||
How to run FWaaS in DevStack
|
||||
=========================
|
||||
How to run FWaaS V2 in DevStack
|
||||
===============================
|
||||
|
||||
Add the following to the localrc section of your local.conf:
|
||||
Add the following to the localrc section of your local.conf to configure FWaaS v2.
|
||||
|
||||
.. code-block:: none
|
||||
[[local|localrc]]
|
||||
enable_plugin neutron-fwaas http://git.openstack.org/openstack/neutron-fwaas
|
||||
enable_service q-fwaas
|
||||
enable_service q-fwaas-v2
|
||||
|
||||
To check a specific patchset that is currently under development, use a form
|
||||
like the below example, which is checking out change 214350 patch set 14 for
|
||||
|
@ -25,4 +27,23 @@ testing.
|
|||
.. code-block:: none
|
||||
[[local|localrc]]
|
||||
enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14
|
||||
enable_service q-fwaas
|
||||
enable_service q-fwaas-v2
|
||||
|
||||
How to run FWaaS V1 in DevStack
|
||||
===============================
|
||||
|
||||
Add the following to the localrc section of your local.conf to configure FWaaS v1.
|
||||
|
||||
.. code-block:: none
|
||||
[[local|localrc]]
|
||||
enable_plugin neutron-fwaas http://git.openstack.org/openstack/neutron-fwaas
|
||||
enable_service q-fwaas-v1
|
||||
|
||||
To check a specific patchset that is currently under development, use a form
|
||||
like the below example, which is checking out change 214350 patch set 14 for
|
||||
testing.
|
||||
|
||||
.. code-block:: none
|
||||
[[local|localrc]]
|
||||
enable_plugin neutron-fwaas https://review.openstack.org/p/openstack/neutron-fwaas refs/changes/50/214350/14
|
||||
enable_service q-fwaas-v1
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
# This file was shamelessly stolen from the neutron repository here:
|
||||
# http://git.openstack.org/cgit/openstack/neutron/tree/devstack/lib/l2_agent
|
||||
|
||||
function plugin_agent_add_l2_agent_extension {
|
||||
local l2_agent_extension=$1
|
||||
if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then
|
||||
L2_AGENT_EXTENSIONS=$l2_agent_extension
|
||||
elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then
|
||||
L2_AGENT_EXTENSIONS+=",$l2_agent_extension"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function configure_l2_agent {
|
||||
iniset /$Q_PLUGIN_CONF_FILE agent extensions "$L2_AGENT_EXTENSIONS"
|
||||
}
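Review bot: The membership test in plugin_agent_add_l2_agent_extension leaves the right-hand side of `=~` unquoted, so the extension name is evaluated as a regular expression instead of being compared literally. A name containing `.` or another metacharacter could match an entry it is not equal to and then never be appended. Quoting the pattern makes the comparison literal: `elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ",${l2_agent_extension}," ]]; then`. The same applies to plugin_agent_add_l3_agent_extension in the l3_agent file. Because the header comment says these helpers were copied from neutron's devstack lib, it is also worth confirming that defining the same function names here cannot shadow neutron's own copies if both files are sourced in one run.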
|
|
@ -0,0 +1,16 @@
|
|||
# This file is completely based on one in the neutron repository here:
|
||||
# http://git.openstack.org/cgit/openstack/neutron/tree/devstack/lib/l2_agent
|
||||
|
||||
function plugin_agent_add_l3_agent_extension {
|
||||
local l3_agent_extension=$1
|
||||
if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then
|
||||
L3_AGENT_EXTENSIONS=$l3_agent_extension
|
||||
elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then
|
||||
L3_AGENT_EXTENSIONS+=",$l3_agent_extension"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function configure_l3_agent {
|
||||
iniset $Q_L3_CONF_FILE AGENT extensions "$L3_AGENT_EXTENSIONS"
|
||||
}
|
|
@ -21,6 +21,11 @@
|
|||
XTRACE=$(set +o | grep xtrace)
|
||||
set +o xtrace
|
||||
|
||||
# Source in L2 and L3 agent extension management
|
||||
LIBDIR=$DEST/neutron-fwaas/devstack/lib
|
||||
source $LIBDIR/l2_agent
|
||||
source $LIBDIR/l3_agent
|
||||
|
||||
function pre_install_fwaas() {
|
||||
# Install OS packages if necessary with "install_package ...".
|
||||
:
|
||||
|
@ -33,14 +38,23 @@ function install_fwaas() {
|
|||
setup_develop $DEST/neutron-fwaas
|
||||
}
|
||||
|
||||
function configure_fwaas() {
|
||||
neutron_fwaas_configure_driver
|
||||
iniset_multiline $Q_L3_CONF_FILE AGENT extensions fwaas
|
||||
function configure_fwaas_v1() {
|
||||
neutron_fwaas_configure_driver fwaas
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v1
|
||||
}
|
||||
|
||||
function configure_fwaas_v2() {
|
||||
neutron_fwaas_configure_driver fwaas_v2
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
|
||||
}
|
||||
|
||||
function init_fwaas() {
|
||||
# Initialize and start the service.
|
||||
:
|
||||
if [ ! -d /etc/neutron/policy.d ]; then
|
||||
mkdir /etc/neutron/policy.d
|
||||
fi
|
||||
cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
|
||||
}
|
||||
|
||||
function shutdown_fwaas() {
|
||||
|
@ -54,16 +68,24 @@ function cleanup_fwaas() {
|
|||
}
|
||||
|
||||
function neutron_fwaas_configure_common {
|
||||
_neutron_service_plugin_class_add $FWAAS_PLUGIN
|
||||
if is_service_enabled q-fwaas-v1; then
|
||||
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V1
|
||||
elif is_service_enabled q-fwaas-v2; then
|
||||
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V2
|
||||
else
|
||||
_neutron_service_plugin_class_add $FWAAS_PLUGIN_V1
|
||||
fi
|
||||
}
|
||||
|
||||
function neutron_fwaas_configure_driver {
|
||||
plugin_agent_add_l3_agent_extension $1
|
||||
configure_l3_agent
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
|
||||
}
|
||||
|
||||
# check for service enabled
|
||||
if is_service_enabled q-svc && is_service_enabled q-fwaas; then
|
||||
if is_service_enabled q-svc && ( is_service_enabled q-fwaas || is_service_enabled q-fwaas-v1 || is_service_enabled q-fwaas-v2 ) then
|
||||
|
||||
if [[ "$1" == "stack" && "$2" == "pre-install" ]]; then
|
||||
# Set up system services
|
||||
|
@ -77,8 +99,16 @@ if is_service_enabled q-svc && is_service_enabled q-fwaas; then
|
|||
|
||||
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
|
||||
# Configure after the other layer 1 and 2 services have been configured
|
||||
echo_summary "Configuring q-fwaas"
|
||||
configure_fwaas
|
||||
if is_service_enabled q-fwaas-v1; then
|
||||
echo_summary "Configuring q-fwaas for FWaaS v1"
|
||||
configure_fwaas_v1
|
||||
elif is_service_enabled q-fwaas-v2; then
|
||||
echo_summary "Configuring q-fwaas for FWaaS v2"
|
||||
configure_fwaas_v2
|
||||
else
|
||||
echo_summary "Configuring q-fwaas for FWaaS v1"
|
||||
configure_fwaas_v1
|
||||
fi
|
||||
|
||||
elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
||||
# Initialize and start the q-fwaas service
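Review bot: init_fwaas installs the policy file with a bare `mkdir` and an unquoted `cp` into a hard-coded /etc/neutron/policy.d, so if neutron's configuration directory is elsewhere the authorization rules in neutron-fwaas.json would presumably not be loaded by the API. Deriving the path from devstack's configuration-directory variable (NEUTRON_CONF_DIR, not visible in this hunk) and quoting it would be more robust: `mkdir -p "$NEUTRON_CONF_DIR/policy.d"` followed by `cp "$DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json" "$NEUTRON_CONF_DIR/policy.d/"`. Separately, the `else` branches in neutron_fwaas_configure_common and in the post-config phase map a plain q-fwaas to v1. That matches the README text but not the commit description, which says q-fwaas configures v2, so one of the two should be corrected. The phase dispatch block continues past the end of the last hunk.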
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
|
||||
FWAAS_PLUGIN=${FWAAS_PLUGIN:-firewall}
|
||||
FWAAS_PLUGIN_V1=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}
|
||||
FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}
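Review bot: Both new defaults expand `${FWAAS_PLUGIN:-…}`, so neither FWAAS_PLUGIN_V1 nor FWAAS_PLUGIN_V2 can be overridden on its own. Any value a user has set for FWAAS_PLUGIN is applied to both, which would make the q-fwaas-v1 and q-fwaas-v2 branches in plugin.sh register the same plugin class. This looks like a copy-paste slip; each variable should default from itself: `FWAAS_PLUGIN_V1=${FWAAS_PLUGIN_V1:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}` and `FWAAS_PLUGIN_V2=${FWAAS_PLUGIN_V2:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}`. A one-line comment above them saying which service keyword selects which variable would also help.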
|
||||
|
|
|
@ -31,5 +31,5 @@
|
|||
"get_firewall_group:public": "rule:admin_only",
|
||||
"update_firewall_group": "rule:admin_or_owner",
|
||||
"update_firewall_group:public": "rule:admin_only",
|
||||
"delete_firewall_group": "rule:admin_or_owner",
|
||||
"delete_firewall_group": "rule:admin_or_owner"
|
||||
}
|
||||
|
|