[neutron][Cisco ACI] Multi-VMM domain support (SOC - 10471)

A Single ACI fabric can support multiple VMM domains. Each VMM domain can be governed by a different controller (Eg: VMWare vCenter or OpenStack or MicroSoft SCVMM). Several production data centers tend to use multiple VMM domains and expect to be able to monitor and control network policies from a single ACI fabric. Integration of OpenStack with such a setup requires crowbar to provide parameters specific to each VMM domain. This commit adds the additional parameters and logic to validate and send these to the correct config location. The changes now allow to provide "Vmware" or "OpenStack" as the VMM type. Multiple entries of either types are possible. - Also added "ssl_mode" as a configurable parameter which is needed to be in "encrypted" mode if ESXi is used as compute. Other use-cases may need to change it as required and hence included it as a configurable parameter within the opflex node structure.
crowbar · Sep 27, 2019 · 1f16436 · 1f16436
1 parent e18adc6
commit 1f16436
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 30 deletions.
diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb
@@ -108,6 +108,7 @@
     socketgroup: neutron[:neutron][:platform][:group],
     opflex_peer_ip: opflex[:peer_ip],
     opflex_peer_port: opflex[:peer_port],
+    opflex_ssl_mode: opflex[:ssl_mode],
     opflex_int_bridge: opflex[:integration_bridge],
     opflex_access_bridge: opflex[:access_bridge],
     opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface],
@@ -132,8 +133,8 @@
 end
 utils_systemd_service_restart "neutron-opflex-agent"
 
-service "agent-ovs" do
+service "opflex-agent" do
   action [:enable, :start]
-  subscribes :restart, resources("template[#{opflex_agent_conf}]")
+  subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]")
 end
-utils_systemd_service_restart "agent-ovs"
+utils_systemd_service_restart "opflex-agent"
diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb
@@ -41,6 +41,7 @@
 end
 
 aciswitches = node[:neutron][:apic][:apic_switches].to_hash
+acivmms = node[:neutron][:apic][:apic_vmms]
 
 template node[:neutron][:ml2_cisco_apic_config_file] do
   cookbook "neutron"
@@ -51,6 +52,9 @@
   variables(
     vpc_pairs: node[:neutron][:apic][:vpc_pairs],
     apic_switches: aciswitches,
+    optimized_dhcp: node[:neutron][:apic][:optimized_dhcp],
+    optimized_metadata: node[:neutron][:apic][:optimized_metadata],
+    apic_vmms: acivmms,
     ml2_mechanism_drivers: node[:neutron][:ml2_mechanism_drivers],
     policy_drivers: "implicit_policy,apic",
     default_ip_pool: "192.168.0.0/16"

diff --git a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb
@@ -2,7 +2,7 @@
 apic_system_id=<%= node[:neutron][:apic][:system_id] %>
 [opflex]
 networks = *
-[ml2_cisco_apic]
+[apic]
 apic_hosts=<%= node[:neutron][:apic][:hosts] %>
 apic_username=<%= node[:neutron][:apic][:username] %>
 apic_password=<%= node[:neutron][:apic][:password] %>
@@ -11,8 +11,8 @@ apic_name_mapping = use_name
 apic_clear_node_profiles = True
 enable_aci_routing = True
 apic_arp_flooding = True
-enable_optimized_metadata = <%= node[:neutron][:apic][:optimized_metadata] %>
-enable_optimized_dhcp = <%= node[:neutron][:apic][:optimized_dhcp] %>
+enable_optimized_metadata = <%= @optimized_metadata %>
+enable_optimized_dhcp = <%= @optimized_dhcp %>
 apic_provision_infra = True
 apic_provision_hostlinks = True
 <%  unless @vpc_pairs.nil? -%>
@@ -41,3 +41,12 @@ enable_nat = <%= node[:neutron][:apic][:ext_net][:nat_enabled] %>
 <% end -%>
 external_epg = <%= node[:neutron][:apic][:ext_net][:ext_epg] %>
 host_pool_cidr = <%= node[:neutron][:apic][:ext_net][:host_pool_cidr] %>
+
+<% @apic_vmms.each do |vmm_domain| -%>
+[apic_vmdom:<%= vmm_domain[:vmm_name]%>]
+vmm_type = <%= vmm_domain[:vmm_type]%>
+<%   if vmm_domain[:vlan_ranges] -%>
+vlan_ranges = <%= vmm_domain[:vlan_ranges] %> 
+<%   end -%>
+<% end -%>
+
diff --git a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb
@@ -10,7 +10,7 @@
       {"hostname": "<%= @opflex_peer_ip %>", "port": "<%= @opflex_peer_port %>"}
     ],
     "ssl": {
-      "mode": "enabled",
+      "mode": "<%= @opflex_ssl_mode %>",
       "ca-store": "/etc/ssl/certs/"
     },
     "inspector": {

diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb
@@ -0,0 +1,15 @@
+def upgrade(tattr, tdep, attr, dep)
+  unless attr["apic"].key?("apic_vmms")
+    attr["apic"]["apic_vmms"] = tattr["apic"]["apic_vmms"]
+  end
+
+  return attr, dep
+end
+
+def downgrade(tattr, tdep, attr, dep)
+  unless tattr["apic"].key?("apic_vmms")
+    attr["apic"].delete("apic_vmms") if attr.key?("apic_vmms")
+  end
+
+  return attr, dep
+end
diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb
diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json
@@ -63,6 +63,7 @@
           "nodes" : [],
           "peer_ip": "",
           "peer_port": 8009,
+          "ssl_mode": "encrypted",
           "encap": "vxlan",
           "integration_bridge": "br-int",
           "access_bridge": "br-fabric",
@@ -98,7 +99,17 @@
               }
             }
           }
-        }
+        },
+        "apic_vmms": [{
+          "vmm_name": "soc_kvm_domain",
+          "vmm_type": "openstack",
+          "vlan_ranges": ""
+        },
+        {
+          "vmm_name": "soc_vm_domain",
+          "vmm_type": "vmware",
+          "vlan_ranges": ""
+        }]
       },
       "allow_overlapping_ips": true,
       "use_syslog": false,

diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema
@@ -71,6 +71,7 @@
                           "nodes": { "type" : "seq", "required" : true, "sequence": [ { "type": "str" } ] },
                           "peer_ip": { "type": "str", "required" : true },
                           "peer_port": { "type": "int", "required" : true },
+                          "ssl_mode": { "type": "str", "required": true },
                           "encap": { "type": "str", "required": true },
                           "integration_bridge": { "type": "str", "required": true },
                           "access_bridge": { "type": "str", "required": true },
@@ -94,7 +95,14 @@
                             }}
                           }}
                         }}
-                      }
+                      },
+                      "apic_vmms": { "type" : "seq", "required" : true, "sequence" : [ {
+                        "type" : "map", "required" : true, "mapping" : {
+                          "vmm_name": { "type": "str", "required": true },
+                          "vmm_type": { "type": "str", "required": true },
+                          "vlan_ranges": { "type": "str", "required": true }
+                        }
+                      } ] }
                     }},
                     "allow_overlapping_ips": { "type": "bool", "required": true },
                     "cisco_switches": {