From d3f2e1fdc6c373ecb42c3ef1bc8d230d6ca51847 Mon Sep 17 00:00:00 2001 From: Francesco Santoro Date: Mon, 10 Oct 2016 14:46:16 +0200 Subject: [PATCH] 6wind-virtual-accelerator-plugin: implement security group deactivation This patch reworks plugin to: - remove the possibility to disable ipset since starting from Virtual Accelerator 1.4 ipset are fully supported. - allow neutron security groups deactivation to benefit from better performances. Disabling security groups needs (different) configurations on controller and compute nodes. For this reason this patch moves all the node specific neutron configuration in specific tasks for a better separation of code. Signed-off-by: Francesco Santoro Closes-bug: #1631953 Change-Id: I030d41751811831144be0b640ae19e56f22a8f0b
---
 .../puppet/manifests/neutron_conf.pp | 7 ----- .../puppet/manifests/neutron_conf_compute.pp | 7 +++++ .../manifests/neutron_conf_controller.pp | 7 +++++ .../virtual_accelerator/manifests/init.pp | 2 +- ...eutron_conf.pp => neutron_conf_compute.pp} | 20 +++++++------- .../manifests/neutron_conf_controller.pp | 26 +++++++++++++++++++ .../manifests/nova_conf.pp | 7 +++++ deployment_tasks.yaml | 16 +++++++++--- doc/source/user-guide.rst | 12 +++++++++ environment_config.yaml | 8 +++--- 10 files changed, 87 insertions(+), 25 deletions(-) delete mode 100644 deployment_scripts/puppet/manifests/neutron_conf.pp create mode 100644 deployment_scripts/puppet/manifests/neutron_conf_compute.pp create mode 100644 deployment_scripts/puppet/manifests/neutron_conf_controller.pp rename deployment_scripts/puppet/modules/virtual_accelerator/manifests/{neutron_conf.pp => neutron_conf_compute.pp} (50%) create mode 100644 deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp
diff --git a/deployment_scripts/puppet/manifests/neutron_conf.pp b/deployment_scripts/puppet/manifests/neutron_conf.pp
deleted file mode 100644
index cb264d1..0000000
--- a/deployment_scripts/puppet/manifests/neutron_conf.pp
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Copyright 2016 6WIND S.A.
-
-notice('MODULAR: virtual_accelerator/neutron_conf.pp')
-
-include virtual_accelerator
-class { 'virtual_accelerator::neutron_conf': }
\ No newline at end of file
diff --git a/deployment_scripts/puppet/manifests/neutron_conf_compute.pp b/deployment_scripts/puppet/manifests/neutron_conf_compute.pp
new file mode 100644
index 0000000..df40064
--- /dev/null
+++ b/deployment_scripts/puppet/manifests/neutron_conf_compute.pp
@@ -0,0 +1,7 @@
+#
+# Copyright 2016 6WIND S.A.
+
+notice('MODULAR: virtual_accelerator/neutron_conf_compute.pp')
+
+include virtual_accelerator
+class { 'virtual_accelerator::neutron_conf_compute': }
diff --git a/deployment_scripts/puppet/manifests/neutron_conf_controller.pp b/deployment_scripts/puppet/manifests/neutron_conf_controller.pp
new file mode 100644
index 0000000..db8749d
--- /dev/null
+++ b/deployment_scripts/puppet/manifests/neutron_conf_controller.pp
@@ -0,0 +1,7 @@
+#
+# Copyright 2016 6WIND S.A.
+
+notice('MODULAR: virtual_accelerator/neutron_conf_controller.pp')
+
+include virtual_accelerator
+class { 'virtual_accelerator::neutron_conf_controller': }
diff --git a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp
index aa50370..69913a0 100644
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/init.pp
@@ -14,7 +14,7 @@ class virtual_accelerator {
 $fp_mem = $settings['fp_mem']
 $vm_mem = $settings['vm_mem']
 $va_conf_file = ''
- $disable_ipset = $settings['disable_ipset']
+ $disable_secgroup = $settings['disable_secgroup']
 $enable_host_cpu = $settings['enable_host_cpu']
 $va_version = $settings['va_version']
 $mellanox_support = $settings['mellanox_support']
diff --git a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf.pp b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_compute.pp similarity index 50% rename from deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf.pp rename to deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_compute.pp index f4e1f26..1f2dc03 100644 --- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf.pp +++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_compute.pp @@ -1,21 +1,22 @@ # # Copyright 2016 6WIND S.A. -class virtual_accelerator::neutron_conf inherits virtual_accelerator { +class virtual_accelerator::neutron_conf_compute inherits virtual_accelerator { - $advanced_params = $virtual_accelerator::advanced_params + $disable_secgroup = $virtual_accelerator::disable_secgroup - $disable_ipset = $virtual_accelerator::disable_ipset - $va_version = $virtual_accelerator::va_version - - if $disable_ipset == true or $va_version == '1.3' { - $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/ml2_conf.ini" + if $disable_secgroup == true { + $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/openvswitch_agent.ini" package { 'crudini': ensure => 'latest', + } + + exec { 'disable_secgroup': + command => "crudini --set ${OVS_CONF_FILE} securitygroup enable_security_group False", } -> - exec { 'disable_ipset': - command => "crudini --set ${OVS_CONF_FILE} securitygroup enable_ipset False", + exec { 'disable_firewall': + command => "crudini --set ${OVS_CONF_FILE} securitygroup firewall_driver noop", notify => Service['openvswitch-switch'], } @@ -30,4 +31,3 @@ class virtual_accelerator::neutron_conf inherits virtual_accelerator { } } - 
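Review bot: On the new side of the first hunk the `package { 'crudini': }` resource is closed with a plain `}`, so the `->` that used to order it before the exec is gone and `exec { 'disable_secgroup': }` no longer depends on crudini being installed; depending on the Puppet ordering mode the command may run before the package exists. Restore the chain by closing the package block with `} ->`, or add `require => Package['crudini'],` to the first exec. Neither exec has an `unless`/`onlyif` guard, so every run rewrites `openvswitch_agent.ini` and notifies `Service['openvswitch-switch']` even when nothing changed. Because this branch sets `enable_security_group False` and `firewall_driver noop`, a comment above the `if` should state the effect, e.g. `# Turns off Neutron security-group enforcement on this node; instance ports are left unfiltered.` The lines of the class between the two hunks are not shown.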
diff --git a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp
new file mode 100644
index 0000000..274b8e8
--- /dev/null
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/neutron_conf_controller.pp
@@ -0,0 +1,26 @@
+#
+# Copyright 2016 6WIND S.A.
+
+class virtual_accelerator::neutron_conf_controller inherits virtual_accelerator {
+
+ $disable_secgroup = $virtual_accelerator::disable_secgroup
+
+ if $disable_secgroup == true {
+ $OVS_CONF_FILE = "/etc/neutron/plugins/ml2/ml2_conf.ini"
+
+ package { 'crudini':
+ ensure => 'latest',
+ notify => Exec['disable_firewall'],
+ }
+
+ exec { 'disable_firewall':
+ command => "crudini --set ${OVS_CONF_FILE} securitygroup firewall_driver noop",
+ notify => Service['neutron-server'],
+ }
+
+ service { 'neutron-server':
+ ensure => 'running',
+ }
+ }
+
+}
diff --git a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp
index 7bdf23c..a9d0d94 100644
--- a/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp
+++ b/deployment_scripts/puppet/modules/virtual_accelerator/manifests/nova_conf.pp
@@ -19,6 +19,13 @@ class virtual_accelerator::nova_conf inherits virtual_accelerator { install_options => ['--allow-unauthenticated'], } + if $disable_secgroup == true { + exec { 'disable_secgroup': + command => "crudini --del ${NOVA_CONF_FILE} DEFAULT security_group_api", + notify => Exec['vcpu_pin'], + } + } + exec { 'vcpu_pin': command => "crudini --set ${NOVA_CONF_FILE} DEFAULT vcpu_pin_set $(python /usr/local/bin/get_vcpu_pin_set.py)", }
diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml
index e0a0b33..83da1d9 100644
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
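Review bot: In `neutron_conf_controller.pp`, `exec { 'disable_firewall': }` has no `unless` or `onlyif`, so each Puppet run rewrites `ml2_conf.ini` and, through `notify => Service['neutron-server']`, restarts the API server even when the value is already `noop`. A guard such as `unless => "crudini --get ${OVS_CONF_FILE} securitygroup firewall_driver | grep -qx noop",` would make it idempotent; the pipe needs a shell-capable exec provider, which is not visible in this file. The class sets only `firewall_driver`, while the compute class also sets `enable_security_group False`; if that difference is intended it deserves a comment, because with the server option left at its default the API may keep accepting security-group rules that no agent enforces. `ensure => 'latest'` also upgrades crudini on every run, and `ensure => 'installed'` would be enough here.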
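Review bot: In `nova_conf.pp` the added `if $disable_secgroup == true` reads the variable without the local assignment both neutron classes use, so it relies on inherited-scope lookup; add `$disable_secgroup = $virtual_accelerator::disable_secgroup` near the top of the class for consistency. The exec title `disable_secgroup` is the same one declared in `neutron_conf_compute.pp`, and if the two classes ever end up in one catalog Puppet will reject the duplicate, so a title such as `nova_disable_secgroup` is safer. The `crudini --del` command has no guard and no visible `require` on the crudini package; the start of the class is outside the hunk, so confirm that the package resource shown in the context is chained to it.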
@@ -57,13 +57,23 @@ puppet_modules: puppet/modules:/etc/puppet/modules timeout: 3600 -- id: 6wind-virtual-accelerator-neutron-conf +- id: 6wind-virtual-accelerator-neutron-conf-compute type: puppet - role: ['primary-controller', '6wind-virtual-accelerator'] + role: [6wind-virtual-accelerator] + required_for: [6wind-virtual-accelerator-start] + requires: [post_deployment_start] + parameters: + puppet_manifest: puppet/manifests/neutron_conf_compute.pp + puppet_modules: puppet/modules:/etc/puppet/modules + timeout: 3600 + +- id: 6wind-virtual-accelerator-neutron-conf-controller + type: puppet + role: [primary-controller] required_for: [post_deployment_end] requires: [post_deployment_start] parameters: - puppet_manifest: puppet/manifests/neutron_conf.pp + puppet_manifest: puppet/manifests/neutron_conf_controller.pp puppet_modules: puppet/modules:/etc/puppet/modules timeout: 3600 diff --git a/doc/source/user-guide.rst b/doc/source/user-guide.rst index 0265689..886ef00 100644 --- a/doc/source/user-guide.rst +++ b/doc/source/user-guide.rst @@ -101,6 +101,18 @@ This plugin offers the possibility to enable/disable such configuration in Nova with a specific option (`Host cpu emulation for guests`) in the advanced parameters. +Disable security groups +----------------------- + +By default Fuel installs Openstack with security groups active to enable +traffic filtering between virtual machines. +In many cases (including NFV) such filtering is not really necessary +and it heavily affects vm to vm traffic performances. + +6WIND Virtual Accelerator Fuel plugin makes possible to disable such +security group configuration in both Nova/Neutron via the specific option +(`Disable neutron securty groups`) in the advanced parameters. + Configure hugepages support for virtual machines ------------------------------------------------ diff --git a/environment_config.yaml b/environment_config.yaml index 6b015df..0406eec 100644 --- a/environment_config.yaml +++ b/environment_config.yaml 
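Review bot: The new `6wind-virtual-accelerator-neutron-conf-controller` task is limited to `role: [primary-controller]`, so in an environment with more than one controller the other `controller` nodes would keep the default `firewall_driver` in `ml2_conf.ini` while the primary runs with `noop`. If neutron-server runs on every controller, use `role: [primary-controller, controller]` so that all API servers share one security-group configuration. The hunk starts inside the preceding task definition, so the ordering of these tasks relative to earlier ones cannot be checked from here.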
@@ -94,11 +94,11 @@ attributes: - condition: "settings:6wind-virtual-accelerator.advanced_params_enabled.value == false" action: hide - disable_ipset: + disable_secgroup: value: false - label: 'Disable neutron ipset' - description: 'Set/unset support for ipset when using security groups' - weight: 80 + label: 'Disable neutron security groups' + description: 'Enable/disable security groups for some cases such as NFV' + weight: 76 type: "checkbox" restrictions: - condition: "settings:6wind-virtual-accelerator.advanced_params_enabled.value == false"
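Review bot: The new `description` ('Enable/disable security groups for some cases such as NFV') does not tell the operator what ticking the checkbox does to the cloud. Since the manifests in this commit set `firewall_driver noop`, state the effect directly, e.g. `description: 'Disable Neutron security groups: instance ports are no longer filtered. Intended for NFV deployments.'`. The `restrictions` list of this attribute continues past the end of the hunk.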