From 914b93cf7546a050f86ec62a2ea8e0743bebee68 Mon Sep 17 00:00:00 2001 From: Madhu Mohan Nelemane Date: Mon, 2 Sep 2019 15:47:55 +0200 Subject: [PATCH 1/2] Changes to integrate with ACI 4.1 and new packages (SOC-10403) This commit provides changes in plugin packages and config files needed for integration of SOC with ACI 4.1 and higher versions. ACI 4.1 uses a slightly different set of plugin packages and configs for integration with OpenStack. This includes: - python-gbpclient renamed to python-group-based-policy-client - ovs-bridge-name in opflex-agent-ovs.conf removed - addition of int-bridge-name and access-bridge-name in opflex-agent-ovs.conf - Renaming of agent-ovs to opflex-agent For uniformity, the template for opflex-agent-ovs.conf is now renamed from 10-opflex-agent-ovs.conf.erb to opflex-agent-ovs.conf.erb - The neutron template schema and json templates are updated to provide integration_bridge and access_bridge details with default values. The corresponding migration scripts are also updated. (cherry picked from commit cb5347d6a47565c2ef1aebf10ef80d980114e046) --- chef/cookbooks/neutron/attributes/default.rb | 11 ++++++---- .../neutron/recipes/cisco_apic_agents.rb | 7 ++++--- ...ovs.conf.erb => opflex-agent-ovs.conf.erb} | 3 ++- ...25_add_opflex_access_integration_bridge.rb | 21 +++++++++++++++++++ chef/data_bags/crowbar/template-neutron.json | 6 ++++-- .../data_bags/crowbar/template-neutron.schema | 2 ++ 6 files changed, 40 insertions(+), 10 deletions(-) rename chef/cookbooks/neutron/templates/default/{10-opflex-agent-ovs.conf.erb => opflex-agent-ovs.conf.erb} (93%) create mode 100644 chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb diff --git a/chef/cookbooks/neutron/attributes/default.rb b/chef/cookbooks/neutron/attributes/default.rb index c4c3953bfb..e58ecf78e8 100644 --- a/chef/cookbooks/neutron/attributes/default.rb +++ b/chef/cookbooks/neutron/attributes/default.rb 
@@ -32,6 +32,9 @@ default[:neutron][:metadata_agent_config_file] = "/etc/neutron/neutron-metadata-agent.conf.d/100-metadata_agent.conf" default[:neutron][:ml2_config_file] = "/etc/neutron/neutron.conf.d/110-ml2.conf" default[:neutron][:nsx_config_file] = "/etc/neutron/neutron.conf.d/110-nsx.conf" +default[:neutron][:ml2_cisco_config_file] = "/etc/neutron/neutron.conf.d/115-ml2_cisco.conf" +default[:neutron][:ml2_cisco_apic_config_file] = "/etc/neutron/neutron.conf.d/115-ml2_cisco_apic.conf" +default[:neutron][:opflex_config_file] = "/etc/opflex-agent-ovs/conf.d/10-opflex-agent-ovs.conf" default[:neutron][:rpc_workers] = 1 default[:neutron][:db][:database] = "neutron" @@ -126,8 +129,8 @@ cisco_apic_pkgs: ["python-apicapi", "python-neutron-ml2-driver-apic"], cisco_apic_gbp_pkgs: ["openstack-neutron-gbp", - "python-gbpclient"], - cisco_opflex_pkgs: ["agent-ovs", + "python-group-based-policy-client"], + cisco_opflex_pkgs: ["opflex-agent", "lldpd", "openstack-neutron-opflex-agent"], infoblox_pkgs: ["python-infoblox-client", @@ -172,8 +175,8 @@ cisco_apic_pkgs: ["python-apicapi", "python-neutron-ml2-driver-apic"], cisco_apic_gbp_pkgs: ["openstack-neutron-gbp", - "python-gbpclient"], - cisco_opflex_pkgs: ["agent-ovs", + "python-group-based-policy-client"], + cisco_opflex_pkgs: ["opflex-agent", "lldpd", "neutron-opflex-agent"], infoblox_pkgs: [], diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb index 5351655984..c1d8acd4cd 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb +++ b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb 
@@ -92,15 +92,14 @@ end # Update config file from template -opflex_agent_conf = "/etc/opflex-agent-ovs/conf.d/10-opflex-agent-ovs.conf" apic = neutron[:neutron][:apic] opflex_list = apic[:opflex].select { |i| i[:nodes].include? node[:hostname] } opflex_list.any? || raise("Opflex instance not found for node '#{node[:hostname]}'") opflex_list.one? || raise("Multiple opflex instances found for node '#{node[:hostname]}'") opflex = opflex_list.first -template opflex_agent_conf do +template node[:neutron][:opflex_config_file] do cookbook "neutron" - source "10-opflex-agent-ovs.conf.erb" + source "opflex-agent-ovs.conf.erb" mode "0755" owner "root" group neutron[:neutron][:platform][:group] @@ -110,6 +109,8 @@ socketgroup: neutron[:neutron][:platform][:group], opflex_peer_ip: opflex[:peer_ip], opflex_peer_port: opflex[:peer_port], + opflex_int_bridge: opflex[:integration_bridge], + opflex_access_bridge: opflex[:access_bridge], opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface], opflex_vxlan_uplink_iface: opflex[:vxlan][:uplink_iface], opflex_vxlan_uplink_vlan: opflex[:vxlan][:uplink_vlan], diff --git a/chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb similarity index 93% rename from chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb rename to chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb index 28f504218d..b03e7a3b25 100644 --- a/chef/cookbooks/neutron/templates/default/10-opflex-agent-ovs.conf.erb +++ b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb @@ -36,7 +36,8 @@ "renderers": { "stitched-mode": { - "ovs-bridge-name": "br-int", + "int-bridge-name": "<%= @opflex_int_bridge %>", + "access-bridge-name": "<%= @opflex_access_bridge %>", "encap": { "vxlan" : { "encap-iface": "<%= @opflex_vxlan_encap_iface %>", 
diff --git a/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb new file mode 100644 index 0000000000..2e781a2005 --- /dev/null +++ b/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb @@ -0,0 +1,21 @@ +def upgrade(tattr, tdep, attr, dep) + unless attr["apic"]["opflex"].key?("integration_bridge") + attr["apic"]["opflex"]["integration_bridge"] = tattr["apic"]["opflex"]["integration_bridge"] + end + unless attr["apic"]["opflex"].key?("access_bridge") + attr["apic"]["opflex"]["access_bridge"] = tattr["apic"]["opflex"]["access_bridge"] + end + + return attr, dep +end + +def downgrade(tattr, tdep, attr, dep) + unless tattr["apic"]["opflex"].key?("integration_bridge") + attr["apic"]["opflex"].delete("integration_bridge") if attr.key?("integration_bridge") + end + unless tattr["apic"]["opflex"].key?("access_bridge") + attr["apic"]["opflex"].delete("access_bridge") if attr.key?("access_bridge") + end + + return attr, dep +end diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json index 0d5a6fc4c1..76a425b27d 100644 --- a/chef/data_bags/crowbar/template-neutron.json +++ b/chef/data_bags/crowbar/template-neutron.json @@ -65,8 +65,10 @@ "peer_ip": "", "peer_port": 8009, "encap": "vxlan", + "integration_bridge": "br-int", + "access_bridge": "br-fabric", "vxlan": { - "encap_iface": "br-int_vxlan0", + "encap_iface": "br-fab_vxlan0", "uplink_iface": "vlan.4093", "uplink_vlan": 4093, "remote_ip": "", @@ -195,7 +197,7 @@ "neutron": { "crowbar-revision": 0, "crowbar-applied": false, - "schema-revision": 124, + "schema-revision": 125, "element_states": { "neutron-server": [ "readying", "ready", "applying" ], "neutron-network": [ "readying", "ready", "applying" ], 
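Review bot: In `downgrade` of 125_add_opflex_access_integration_bridge.rb the delete guards test `attr.key?("integration_bridge")` and `attr.key?("access_bridge")` on the top-level hash rather than on `attr["apic"]["opflex"]`, so the deletes are effectively never reached. The same top-level check appears in `downgrade` of 125_add_apic_multi_vmm_domains.rb in the second patch (`attr.key?("apic_vmms")`). Separately, cisco_apic_agents.rb treats `apic[:opflex]` as a list (`apic[:opflex].select { |i| i[:nodes].include? ... }`). If the proposal has the same shape, `attr["apic"]["opflex"].key?(...)` would raise on an Array, and the bridge names have to be set per entry. A per-entry version is sketched below; it assumes the template's first opflex entry carries the defaults.

```ruby
def upgrade(tattr, tdep, attr, dep)
  defaults = tattr["apic"]["opflex"].first
  attr["apic"]["opflex"].each do |entry|
    ["integration_bridge", "access_bridge"].each do |key|
      entry[key] = defaults[key] unless entry.key?(key)
    end
  end

  return attr, dep
end

def downgrade(tattr, tdep, attr, dep)
  defaults = tattr["apic"]["opflex"].first
  attr["apic"]["opflex"].each do |entry|
    ["integration_bridge", "access_bridge"].each do |key|
      entry.delete(key) unless defaults.key?(key)
    end
  end

  return attr, dep
end
```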
diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema index ef60e3881e..1897bce036 100644 --- a/chef/data_bags/crowbar/template-neutron.schema +++ b/chef/data_bags/crowbar/template-neutron.schema @@ -73,6 +73,8 @@ "peer_ip": { "type": "str", "required" : true }, "peer_port": { "type": "int", "required" : true }, "encap": { "type": "str", "required": true }, + "integration_bridge": { "type": "str", "required": true }, + "access_bridge": { "type": "str", "required": true }, "vxlan": { "type": "map", "required": true, "mapping" : { "encap_iface": {"type": "str", "required": true }, "uplink_iface": { "type": "str", "required": true }, From dacd4ee28994f25e8333513b7979bbe77c8ba54f Mon Sep 17 00:00:00 2001 
From: Varadhan Veerapuram Date: Thu, 1 Feb 2018 18:15:30 +0530 Subject: [PATCH 2/2] [neutron][Cisco ACI] Multi-VMM domain support (SOC - 10471) A Single ACI fabric can support multiple VMM domains. Each VMM domain can be governed by a different controller (Eg: VMWare vCenter or OpenStack or MicroSoft SCVMM). Several production data centers tend to use multiple VMM domains and expect to be able to monitor and control network policies from a single ACI fabric. Integration of OpenStack with such a setup requires crowbar to provide parameters specific to each VMM domain. This commit adds the additional parameters and logic to validate and send these to the correct config location. The changes now allow to provide "Vmware" or "OpenStack" as the VMM type. Multiple entries of either types are possible. - Also added "ssl_mode" as a configurable parameter which is needed to be in "encrypted" mode if ESXi is used as compute. Other use-cases may need to change it as required and hence included it as a configurable parameter within the opflex node structure. (cherry picked from commit 1f164360fda298d36f2e3ab982cd7e3f126b3a3e) --- .../neutron/recipes/cisco_apic_agents.rb | 7 ++++--- .../neutron/recipes/cisco_apic_support.rb | 7 ++++++- chef/cookbooks/neutron/recipes/server.rb | 4 ++-- .../default/ml2_conf_cisco_apic.ini.erb | 15 ++++++++++--- .../default/opflex-agent-ovs.conf.erb | 2 +- .../neutron/125_add_apic_multi_vmm_domains.rb | 15 +++++++++++++ ...25_add_opflex_access_integration_bridge.rb | 21 ------------------- chef/data_bags/crowbar/template-neutron.json | 13 +++++++++++- .../data_bags/crowbar/template-neutron.schema | 10 ++++++++- 9 files changed, 61 insertions(+), 33 deletions(-) create mode 100644 chef/data_bags/crowbar/migrate/neutron/125_add_apic_multi_vmm_domains.rb delete mode 100644 chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb 
diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb index c1d8acd4cd..7a74d4a9e4 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb +++ b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb @@ -109,6 +109,7 @@ socketgroup: neutron[:neutron][:platform][:group], opflex_peer_ip: opflex[:peer_ip], opflex_peer_port: opflex[:peer_port], + opflex_ssl_mode: opflex[:ssl_mode], opflex_int_bridge: opflex[:integration_bridge], opflex_access_bridge: opflex[:access_bridge], opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface], @@ -133,8 +134,8 @@ end utils_systemd_service_restart "neutron-opflex-agent" -service "agent-ovs" do +service "opflex-agent" do action [:enable, :start] - subscribes :restart, resources("template[#{opflex_agent_conf}]") + subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]") end -utils_systemd_service_restart "agent-ovs" +utils_systemd_service_restart "opflex-agent" diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb index f08d9e50c4..72ea20abaf 100644 --- a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb +++ b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb @@ -21,7 +21,9 @@ end aciswitches = node[:neutron][:apic][:apic_switches].to_hash -template "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco_apic.ini.conf" do +acivmms = node[:neutron][:apic][:apic_vmms] + +template node[:neutron][:ml2_cisco_apic_config_file] do cookbook "neutron" source "ml2_conf_cisco_apic.ini.erb" mode "0640" @@ -30,6 +32,9 @@ variables( vpc_pairs: node[:neutron][:apic][:vpc_pairs], apic_switches: aciswitches, + optimized_dhcp: node[:neutron][:apic][:optimized_dhcp], + optimized_metadata: node[:neutron][:apic][:optimized_metadata], + apic_vmms: acivmms, ml2_mechanism_drivers: node[:neutron][:ml2_mechanism_drivers], policy_drivers: "implicit_policy,apic", default_ip_pool: "192.168.0.0/16" 
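Review bot: The old file `/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco_apic.ini.conf` is not removed anywhere in the cisco_apic_support.rb hunks once the template moves to `node[:neutron][:ml2_cisco_apic_config_file]`, and per the template that file holds `apic_password`. On an upgraded node the stale copy would stay on disk with the previous credentials, and if neutron-server still reads that directory, the old `[ml2_cisco_apic]` section would be loaded too. Consider a `file` resource with `action :delete` for the old path ahead of the template. The recipe continues outside the hunk, so a cleanup may already exist elsewhere.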
diff --git a/chef/cookbooks/neutron/recipes/server.rb b/chef/cookbooks/neutron/recipes/server.rb index 35f2f8175e..3f156bae75 100644 --- a/chef/cookbooks/neutron/recipes/server.rb +++ b/chef/cookbooks/neutron/recipes/server.rb @@ -85,7 +85,7 @@ else cisco_nexus_link_action = "delete" end -link "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco.ini.conf" do +link "#{node[:neutron][:platform][:ml2_cisco_config_file]}" do to "/etc/neutron/plugins/ml2/ml2_conf_cisco.ini" action cisco_nexus_link_action notifies :restart, "service[#{node[:neutron][:platform][:service_name]}]" @@ -99,7 +99,7 @@ else cisco_apic_link_action = "delete" end -link "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco_apic.ini.conf" do +link "#{node[:neutron][:platform][:ml2_cisco_apic_config_file]}" do to "/etc/neutron/plugins/ml2/ml2_conf_cisco_apic.ini" action cisco_apic_link_action notifies :restart, "service[#{node[:neutron][:platform][:service_name]}]" diff --git a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb index 30e24dc022..421c8bebbc 100644 --- a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb +++ b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb @@ -2,7 +2,7 @@ apic_system_id=<%= node[:neutron][:apic][:system_id] %> [opflex] networks = * -[ml2_cisco_apic] +[apic] apic_hosts=<%= node[:neutron][:apic][:hosts] %> apic_username=<%= node[:neutron][:apic][:username] %> apic_password=<%= node[:neutron][:apic][:password] %> 
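Review bot: Both `link` resources in server.rb read their path from `node[:neutron][:platform][...]`, but the first patch defines `ml2_cisco_config_file` and `ml2_cisco_apic_config_file` directly under `default[:neutron]`, and cisco_apic_support.rb reads `node[:neutron][:ml2_cisco_apic_config_file]`. Unless the platform hash gains these keys somewhere outside this page, the lookup returns nil and the interpolation turns it into an empty link name, so the Cisco config links are neither created nor deleted at the intended path. Suggest `link node[:neutron][:ml2_cisco_config_file] do` and `link node[:neutron][:ml2_cisco_apic_config_file] do`, which also drops the redundant string interpolation. Both resources end outside their hunks.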
@@ -11,8 +11,8 @@ apic_name_mapping = use_name apic_clear_node_profiles = True enable_aci_routing = True apic_arp_flooding = True -enable_optimized_metadata = <%= node[:neutron][:apic][:optimized_metadata] %> -enable_optimized_dhcp = <%= node[:neutron][:apic][:optimized_dhcp] %> +enable_optimized_metadata = <%= @optimized_metadata %> +enable_optimized_dhcp = <%= @optimized_dhcp %> apic_provision_infra = True apic_provision_hostlinks = True <% unless @vpc_pairs.nil? -%> @@ -41,3 +41,12 @@ enable_nat = <%= node[:neutron][:apic][:ext_net][:nat_enabled] %> <% end -%> external_epg = <%= node[:neutron][:apic][:ext_net][:ext_epg] %> host_pool_cidr = <%= node[:neutron][:apic][:ext_net][:host_pool_cidr] %> + +<% @apic_vmms.each do |vmm_domain| -%> +[apic_vmdom:<%= vmm_domain[:vmm_name]%>] +vmm_type = <%= vmm_domain[:vmm_type]%> +<% if vmm_domain[:vlan_ranges] -%> +vlan_ranges = <%= vmm_domain[:vlan_ranges] %> +<% end -%> +<% end -%> + diff --git a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb index b03e7a3b25..45eb74dcbb 100644 --- a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb +++ b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb @@ -10,7 +10,7 @@ {"hostname": "<%= @opflex_peer_ip %>", "port": "<%= @opflex_peer_port %>"} ], "ssl": { - "mode": "enabled", + "mode": "<%= @opflex_ssl_mode %>", "ca-store": "/etc/ssl/certs/" }, "inspector": { diff --git a/chef/data_bags/crowbar/migrate/neutron/125_add_apic_multi_vmm_domains.rb b/chef/data_bags/crowbar/migrate/neutron/125_add_apic_multi_vmm_domains.rb new file mode 100644 index 0000000000..ac15244d9d --- /dev/null +++ b/chef/data_bags/crowbar/migrate/neutron/125_add_apic_multi_vmm_domains.rb 
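Review bot: In the new `[apic_vmdom:...]` loop of ml2_conf_cisco_apic.ini.erb the guard `if vmm_domain[:vlan_ranges]` never skips, because an empty string is truthy in Ruby and the proposal template ships `"vlan_ranges": ""`; the rendered file then gets a bare `vlan_ranges = ` line. Use `<% unless vmm_domain[:vlan_ranges].to_s.empty? -%>` instead. `vmm_name` and `vmm_type` are also written into the section header and value with only a `str` type check in the schema. A name containing `]` or a line break would therefore change the structure of a file that also carries the APIC credentials. Checking the name against a conservative pattern and the type against the supported set before rendering would close that.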
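Review bot: `"mode": "<%= @opflex_ssl_mode %>"` in opflex-agent-ovs.conf.erb takes the SSL mode from a proposal value that the schema only types as `str`, so a typo or an empty value reaches the agent configuration unchecked where a fixed `enabled` used to be. Because this setting decides how the connection to the OpFlex peer is protected, the recipe should reject anything outside the modes the agent accepts before rendering. The check could sit next to the existing `opflex_list.one? || raise(...)` guards in cisco_apic_agents.rb. An ERB comment in the template naming the expected modes (`encrypted` is the new default, `enabled` was the old fixed value) would help operators.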
@@ -0,0 +1,15 @@ +def upgrade(tattr, tdep, attr, dep) + unless attr["apic"].key?("apic_vmms") + attr["apic"]["apic_vmms"] = tattr["apic"]["apic_vmms"] + end + + return attr, dep +end + +def downgrade(tattr, tdep, attr, dep) + unless tattr["apic"].key?("apic_vmms") + attr["apic"].delete("apic_vmms") if attr.key?("apic_vmms") + end + + return attr, dep +end diff --git a/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb deleted file mode 100644 index 2e781a2005..0000000000 --- a/chef/data_bags/crowbar/migrate/neutron/125_add_opflex_access_integration_bridge.rb +++ /dev/null @@ -1,21 +0,0 @@ -def upgrade(tattr, tdep, attr, dep) - unless attr["apic"]["opflex"].key?("integration_bridge") - attr["apic"]["opflex"]["integration_bridge"] = tattr["apic"]["opflex"]["integration_bridge"] - end - unless attr["apic"]["opflex"].key?("access_bridge") - attr["apic"]["opflex"]["access_bridge"] = tattr["apic"]["opflex"]["access_bridge"] - end - - return attr, dep -end - -def downgrade(tattr, tdep, attr, dep) - unless tattr["apic"]["opflex"].key?("integration_bridge") - attr["apic"]["opflex"].delete("integration_bridge") if attr.key?("integration_bridge") - end - unless tattr["apic"]["opflex"].key?("access_bridge") - attr["apic"]["opflex"].delete("access_bridge") if attr.key?("access_bridge") - end - - return attr, dep -end diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json index 76a425b27d..7e30ee04ee 100644 --- a/chef/data_bags/crowbar/template-neutron.json +++ b/chef/data_bags/crowbar/template-neutron.json @@ -64,6 +64,7 @@ "nodes" : [], "peer_ip": "", "peer_port": 8009, + "ssl_mode": "encrypted", "encap": "vxlan", "integration_bridge": "br-int", "access_bridge": "br-fabric", 
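Review bot: `upgrade` in 125_add_apic_multi_vmm_domains.rb migrates only `apic_vmms`, although this patch also deletes 125_add_opflex_access_integration_bridge.rb and introduces `ssl_mode`; the schema marks `ssl_mode`, `integration_bridge` and `access_bridge` as required. Existing proposals would therefore reach revision 125 without those three keys, which likely fails schema validation or renders empty bridge names and an empty SSL mode into opflex-agent-ovs.conf. The opflex defaults should be filled in here as well, per entry, since the recipe iterates `apic[:opflex]` as a list. The sketch assumes the template's first opflex entry carries the defaults.

```ruby
def upgrade(tattr, tdep, attr, dep)
  # … unchanged: apic_vmms default …
  defaults = tattr["apic"]["opflex"].first
  attr["apic"]["opflex"].each do |entry|
    ["ssl_mode", "integration_bridge", "access_bridge"].each do |key|
      entry[key] = defaults[key] unless entry.key?(key)
    end
  end

  return attr, dep
end
```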
@@ -99,7 +100,17 @@ } } } - } + }, + "apic_vmms": [{ + "vmm_name": "soc_kvm_domain", + "vmm_type": "openstack", + "vlan_ranges": "" + }, + { + "vmm_name": "soc_vm_domain", + "vmm_type": "vmware", + "vlan_ranges": "" + }] }, "allow_overlapping_ips": true, "use_syslog": false, diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema index 1897bce036..55da58a801 100644 --- a/chef/data_bags/crowbar/template-neutron.schema +++ b/chef/data_bags/crowbar/template-neutron.schema @@ -72,6 +72,7 @@ "nodes": { "type" : "seq", "required" : true, "sequence": [ { "type": "str" } ] }, "peer_ip": { "type": "str", "required" : true }, "peer_port": { "type": "int", "required" : true }, + "ssl_mode": { "type": "str", "required": true }, "encap": { "type": "str", "required": true }, "integration_bridge": { "type": "str", "required": true }, "access_bridge": { "type": "str", "required": true }, @@ -95,7 +96,14 @@ }} }} }} - } + }, + "apic_vmms": { "type" : "seq", "required" : true, "sequence" : [ { + "type" : "map", "required" : true, "mapping" : { + "vmm_name": { "type": "str", "required": true }, + "vmm_type": { "type": "str", "required": true }, + "vlan_ranges": { "type": "str", "required": true } + } + } ] } }}, "allow_overlapping_ips": { "type": "bool", "required": true }, "cisco_switches": {