340 lines
11 KiB
ReStructuredText
340 lines
11 KiB
ReStructuredText
..
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
License.
|
|
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
..
|
|
|
|
==========================================================
|
|
Deploy tap-as-a-service (TaaS) Neutron / Dashboard plugin
|
|
==========================================================
|
|
|
|
This guide explains how to deploy tap-as-a-service (TaaS) Neutron plugin and
|
|
TaaS Dashboard plugin in Neutron and Horizon charts respectively.
|
|
|
|
TaaS plugin provides a mechanism to mirror certain traffic (for example tagged
|
|
with specific VLANs) from a source VM to any traffic analyzer VM. When packet
|
|
will be forwarded, the original value of source and target ip/ports information
|
|
will not be altered and the system administrator will be able to run, for ex.
|
|
tcpdump, on the target VM to trace these packets.
|
|
|
|
For more details, refer to TaaS specification: Tap-as-a-service_.
|
|
|
|
.. _Tap-as-a-service: https://github.com/openstack/tap-as-a-service/blob/master/specs/mitaka/tap-as-a-service.rst
|
|
|
|
|
|
TaaS Architecture
|
|
==================
|
|
|
|
As any other Neutron plugin, TaaS neutron plugin functionality consists of
|
|
following modules:
|
|
|
|
.. figure:: figures/taas-architecture.png
|
|
:alt: Neutron TaaS Architecture
|
|
|
|
**TaaS Plugin**: This is the front-end of TaaS which runs on controller node
|
|
(Neutron server). This serves TaaS APIs and stores/retrieves TaaS configuration
|
|
state to/from Neutron TaaS DB.
|
|
|
|
**TaaS Agent, TaaS OVS Driver and TaaS SR-IOV Driver**: This forms the back-end
|
|
of TaaS which runs as a ML2 agent extension on compute nodes. It handles the RPC
|
|
calls made by TaaS Plugin and configures the mechanism driver, i.e. OpenVSwitch
|
|
or SR-IOV Nic Switch.
|
|
|
|
**TaaS Dashboard Plugin**: Horizon Plugin which adds GUI panels for TaaS
|
|
resources in the Horizon Dashboard.
|
|
|
|
|
|
Prepare LOCI images
|
|
======================
|
|
|
|
Before deploying TaaS and/or TaaS Dashboard, it needs to be added in Neutron
|
|
and/or Horizon LOCI images.
|
|
|
|
This is a two step process, i.e.
|
|
|
|
#. Prepare a requirements LOCI image with Neutron TaaS and TaaS Dashboard code
|
|
installed.
|
|
|
|
#. Prepare Neutron or Horizon LOCI image using this requirements image as
|
|
:code:`docker build --build-arg WHEELS` command argument.
|
|
|
|
Requirements LOCI image
|
|
-------------------------
|
|
|
|
* Create a patchset for ``openstack/requirements`` repo
|
|
|
|
Add TaaS and TaaS dashboard dependencies in :code:`upper-constraints.txt`
|
|
file in :code:`openstack/requirements` repo, i.e.
|
|
https://opendev.org/openstack/requirements
|
|
|
|
.. path upper-constraints
|
|
.. code-block:: none
|
|
|
|
git+https://opendev.org/openstack/tap-as-a-service@master#egg=tap-as-a-service
|
|
git+https://opendev.org/openstack/tap-as-a-service-dashboard@master#egg=tap-as-a-service-dashboard
|
|
|
|
.. end
|
|
|
|
For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x",
|
|
so export the :code:`REQUIREMENTS_REF_SPEC` variable as follows:
|
|
|
|
.. path REQUIREMENTS_REF_SPEC
|
|
.. code-block:: bash
|
|
|
|
export REQUIREMENTS_REF_SPEC="refs/changes/xx/xxxxxx/x"
|
|
|
|
.. end
|
|
|
|
* Build the requirements LOCI image using above commit
|
|
|
|
Use it as ``docker build --build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC}``
|
|
command argument to build the requirements LOCI image.
|
|
|
|
|
|
Neutron and Horizon LOCI images
|
|
---------------------------------
|
|
|
|
* Create a patchset for ``openstack/neutron`` repo
|
|
|
|
Add TaaS dependency in ``requirements.txt`` file in ``openstack/neutron``
|
|
repo, i.e. https://opendev.org/openstack/neutron
|
|
|
|
.. path patchset-neutron
|
|
.. code-block:: none
|
|
|
|
tap-as-a-service
|
|
|
|
.. end
|
|
|
|
For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x";
|
|
so export the :code:`NEUTRON_REF_SPEC` variable as follows:
|
|
|
|
.. path patchset-neutron-export
|
|
.. code-block:: bash
|
|
|
|
export NEUTRON_REF_SPEC="refs/changes/xx/xxxxxx/x"
|
|
|
|
.. end
|
|
|
|
* Create a patchset for ``openstack/horizon`` repo
|
|
|
|
Add TaaS Dashboard dependency in ``requirements.txt`` file in
|
|
``openstack/horizon`` repo, i.e. https://opendev.org/openstack/horizon
|
|
|
|
.. path patchset-horizon
|
|
.. code-block:: none
|
|
|
|
tap-as-a-service-dashboard
|
|
|
|
.. end
|
|
|
|
For example if gerrit refspec for this commit is "refs/changes/xx/xxxxxx/x";
|
|
so export the :code:`HORIZON_REF_SPEC` variable as follows:
|
|
|
|
.. path patchset-horizon-export
|
|
.. code-block:: bash
|
|
|
|
export HORIZON_REF_SPEC="refs/changes/xx/xxxxxx/x"
|
|
|
|
.. end
|
|
|
|
* Putting it all together
|
|
|
|
Apart from the variables above with gerrit refspec values, additionally
|
|
export following environment variables with values as applicable:
|
|
|
|
.. path other-env-export
|
|
.. code-block:: bash
|
|
|
|
export OPENSTACK_VERSION="stable/ocata"
|
|
export PRIVATE_REPO="docker.io/username"
|
|
|
|
.. end
|
|
|
|
Use above gerrit commits to prepare the LOCI images using following script:
|
|
|
|
.. path main-script
|
|
.. code-block:: bash
|
|
|
|
#!/bin/bash
|
|
set -ex
|
|
|
|
# export following variables with applicable values before invoking the script
|
|
#----------
|
|
: ${OPENSTACK_VERSION:="stable/ocata"}
|
|
: ${REQUIREMENTS_REF_SPEC:=""}
|
|
: ${NEUTRON_REF_SPEC:=""}
|
|
: ${HORIZON_REF_SPEC:=""}
|
|
: ${PRIVATE_REPO:="docker.io/username"} # Replace with your own dockerhub repo
|
|
#----------
|
|
|
|
IMAGE_TAG="${OPENSTACK_VERSION#*/}"
|
|
REGEX_GERRIT_REF_SPEC="^refs"
|
|
|
|
[[ ${REQUIREMENTS_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
|
|
(echo "Please set a proper value for REQUIREMENTS_REF_SPEC env variable" && exit)
|
|
|
|
[[ ${NEUTRON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
|
|
(echo "Please set a proper value for NEUTRON_REF_SPEC env variable" && exit)
|
|
|
|
[[ ${HORIZON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] ||
|
|
(echo "Please set a proper value for HORIZON_REF_SPEC env variable" && exit)
|
|
|
|
# Login to private-repo : provide login password when asked
|
|
sudo docker login
|
|
|
|
sudo docker run -d \
|
|
--name docker-in-docker \
|
|
--privileged=true \
|
|
--net=host \
|
|
-v /var/lib/docker \
|
|
-v ${HOME}/.docker/config.json:/root/.docker/config.json:ro\
|
|
docker.io/docker:17.07.0-dind \
|
|
dockerd \
|
|
--pidfile=/var/run/docker.pid \
|
|
--host=unix:///var/run/docker.sock \
|
|
--storage-driver=overlay2
|
|
sudo docker exec docker-in-docker apk update
|
|
sudo docker exec docker-in-docker apk add git
|
|
|
|
# Prepare Requirements image
|
|
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
|
|
https://opendev.org/openstack/loci.git \
|
|
--network host \
|
|
--build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
|
|
--build-arg PROJECT=requirements \
|
|
--build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC} \
|
|
--tag ${PRIVATE_REPO}/requirements:${IMAGE_TAG}
|
|
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/requirements:${IMAGE_TAG}
|
|
|
|
# Prepare Neutron image
|
|
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
|
|
https://opendev.org/openstack/loci.git \
|
|
--build-arg PROJECT=neutron \
|
|
--build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \
|
|
--build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
|
|
--build-arg PROFILES="fluent neutron linuxbridge openvswitch" \
|
|
--build-arg PIP_PACKAGES="pycrypto" \
|
|
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
|
|
--tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG}
|
|
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG}
|
|
|
|
# Prepare Neutron sriov image
|
|
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
|
|
https://opendev.org/openstack/loci.git \
|
|
--build-arg PROJECT=neutron \
|
|
--build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \
|
|
--build-arg FROM=docker.io/ubuntu:18.04 \
|
|
--build-arg PROFILES="fluent neutron linuxbridge openvswitch" \
|
|
--build-arg PIP_PACKAGES="pycrypto" \
|
|
--build-arg DIST_PACKAGES="ethtool lshw" \
|
|
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
|
|
--tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804
|
|
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804
|
|
|
|
# Prepare Horizon image
|
|
sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \
|
|
https://opendev.org/openstack/loci.git \
|
|
--build-arg PROJECT=horizon \
|
|
--build-arg PROJECT_REF=${HORIZON_REF_SPEC} \
|
|
--build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \
|
|
--build-arg PROFILES="fluent horizon apache" \
|
|
--build-arg PIP_PACKAGES="pycrypto" \
|
|
--build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \
|
|
--tag ${PRIVATE_REPO}/horizon:${IMAGE_TAG}
|
|
sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/horizon:${IMAGE_TAG}
|
|
|
|
.. end
|
|
|
|
|
|
Deploy TaaS Plugin
|
|
==================
|
|
|
|
Override images in Neutron chart
|
|
---------------------------------
|
|
|
|
Override the :code:`images` section parameters for Neutron chart with the
|
|
custom LOCI image's tag, prepared as explained in above sections.
|
|
|
|
.. code-block:: yaml
|
|
|
|
images:
|
|
tags:
|
|
neutron_db_sync: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_server: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_dhcp: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_metadata: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_l3: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_openvswitch_agent: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_linuxbridge_agent: ${PRIVATE_REPO}/neutron:ocata
|
|
neutron_sriov_agent: ${PRIVATE_REPO}/neutron:ocata-sriov-1804
|
|
neutron_sriov_agent_init: ${PRIVATE_REPO}/neutron:ocata-sriov-1804
|
|
|
|
Configure TaaS in Neutron chart
|
|
--------------------------------
|
|
|
|
While deploying neutron-server and L2 agents, TaaS should be enabled in
|
|
``conf: neutron`` section to add TaaS as a service plugin; in ``conf: plugins``
|
|
section to add TaaS as a L2 agent extension; in ``conf: taas_plugin`` section
|
|
to configure the ``service_provider`` endpoint used by Neutron TaaS plugin:
|
|
|
|
.. code-block:: yaml
|
|
|
|
conf:
|
|
neutron:
|
|
DEFAULT:
|
|
service_plugins: taas
|
|
plugins:
|
|
ml2_conf:
|
|
agent:
|
|
extensions: taas
|
|
taas:
|
|
taas:
|
|
enabled: True
|
|
taas_plugin:
|
|
service_providers:
|
|
service_provider: TAAS:TAAS:neutron_taas.services.taas.service_drivers.taas_rpc.TaasRpcDriver:default
|
|
|
|
|
|
Deploy TaaS Dashboard Plugin
|
|
============================
|
|
|
|
TaaS dashboard plugin can be deployed simply by using custom LOCI images having
|
|
TaaS Dashboard code installed (as explained in above sections), i.e. override
|
|
the :code:`images` section parameters for Horizon charts:
|
|
|
|
.. code-block:: yaml
|
|
|
|
images:
|
|
tags:
|
|
horizon_db_sync: ${PRIVATE_REPO}/horizon:ocata
|
|
horizon: ${PRIVATE_REPO}/horizon:ocata
|
|
|
|
|
|
Set log level for TaaS
|
|
======================
|
|
|
|
Default log level for Neutron TaaS is :code:`INFO`. For changing it, override
|
|
following parameter:
|
|
|
|
.. code-block:: yaml
|
|
|
|
conf:
|
|
logging:
|
|
logger_neutron_taas:
|
|
level: INFO
|
|
|
|
|
|
References
|
|
==========
|
|
#. Neutron TaaS support in Openstack-Helm commits:
|
|
|
|
- https://review.openstack.org/#/c/597200/
|
|
- https://review.openstack.org/#/c/607392/
|
|
|
|
#. Add TaaS panel to Horizon Dashboard:
|
|
|
|
- https://review.openstack.org/#/c/621606/
|