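#!/bin/sh

##
## Setup a OpenStack node to run the openvswitch ML2 plugin.
##
## Sources setup-lib.sh plus the computed neutron.vars, writes the neutron /
## ML2 / OVS-agent configuration with crudini, applies the anti-spoofing
## patches shipped under $DIRNAME/etc, and (re)starts the openvswitch and
## neutron agent services.  A done-file under $OURDIR makes re-runs no-ops.
##

# Trace every command.  xtrace prints expanded arguments, so every write of a
# password below is wrapped in 'set +x' ... 'set -x' to keep the secrets out
# of the trace (and of whatever log logtstart sends it to).
set -x

# Gotta know the rules!  $EUID is a bash variable and is unset under
# /bin/sh (dash), which made the original test silently fail open; id(1)
# is portable.
if [ "$(id -u)" -ne 0 ] ; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Grab our libs
. "$(dirname "$0")/setup-lib.sh"

if [ -f "$OURDIR/setup-network-plugin-openvswitch-done" ]; then
    exit 0
fi

logtstart "network-plugin-openvswitch"

if [ -f "$SETTINGS" ]; then
    . "$SETTINGS"
fi
if [ -f "$LOCALSETTINGS" ]; then
    . "$LOCALSETTINGS"
fi

# Grab the neutron configuration we computed in setup-lib.sh
. "$OURDIR/neutron.vars"

neutron_conf=/etc/neutron/neutron.conf
ml2_conf=/etc/neutron/plugins/ml2/ml2_conf.ini
ovsagent_conf=/etc/neutron/plugins/ml2/openvswitch_agent.ini

# Kernel knobs for the OVS agent.  These are appended, not merged; the
# done-file check above is what keeps them from piling up on re-runs.
cat <<EOF >> /etc/sysctl.conf
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF

sysctl -p

maybe_install_packages neutron-plugin-ml2 conntrack
# The agent package name differs from Rocky onward.
if [ "$OSVERSION" -ge "$OSROCKY" ]; then
    maybe_install_packages neutron-openvswitch-agent
else
    maybe_install_packages neutron-plugin-openvswitch-agent
fi

# Only the controller node runs neutron-server and needs the DB.
if [ "$HOSTNAME" != "$CONTROLLER" ]; then
    crudini --del "$neutron_conf" database connection
fi
# Drop the legacy keystone_authtoken keys; the version-specific ones are
# written below.
crudini --del "$neutron_conf" keystone_authtoken auth_host
crudini --del "$neutron_conf" keystone_authtoken auth_port
crudini --del "$neutron_conf" keystone_authtoken auth_protocol

crudini --set "$neutron_conf" DEFAULT auth_strategy keystone
crudini --set "$neutron_conf" DEFAULT verbose "${VERBOSE_LOGGING}"
crudini --set "$neutron_conf" DEFAULT debug "${DEBUG_LOGGING}"
crudini --set "$neutron_conf" DEFAULT core_plugin ml2

# LBaaS v2 is only wired in from Newton on; treat an unset flag as "off".
if [ "${USE_NEUTRON_LBAAS:-0}" -eq 1 ] && [ "$OSVERSION" -ge "$OSNEWTON" ]; then
    crudini --set "$neutron_conf" DEFAULT service_plugins \
        'router,metering,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2'
else
    crudini --set "$neutron_conf" DEFAULT service_plugins \
        'router,metering'
fi

crudini --set "$neutron_conf" DEFAULT allow_overlapping_ips True
crudini --set "$neutron_conf" DEFAULT notification_driver messagingv2

#
# RPC/messaging: the rabbit settings moved from [DEFAULT] to
# [oslo_messaging_rabbit] in Kilo, and were replaced by transport_url in
# Newton.  The password (or the URL embedding it) is written untraced.
#
if [ "$OSVERSION" -lt "$OSKILO" ]; then
    crudini --set "$neutron_conf" DEFAULT rpc_backend rabbit
    crudini --set "$neutron_conf" DEFAULT rabbit_host "$CONTROLLER"
    crudini --set "$neutron_conf" DEFAULT rabbit_userid "${RABBIT_USER}"
    set +x
    crudini --set "$neutron_conf" DEFAULT rabbit_password "${RABBIT_PASS}"
    set -x
elif [ "$OSVERSION" -lt "$OSNEWTON" ]; then
    crudini --set "$neutron_conf" DEFAULT rpc_backend rabbit
    crudini --set "$neutron_conf" oslo_messaging_rabbit \
        rabbit_host "$CONTROLLER"
    crudini --set "$neutron_conf" oslo_messaging_rabbit \
        rabbit_userid "${RABBIT_USER}"
    set +x
    crudini --set "$neutron_conf" oslo_messaging_rabbit \
        rabbit_password "${RABBIT_PASS}"
    set -x
else
    set +x
    crudini --set "$neutron_conf" DEFAULT transport_url "$RABBIT_URL"
    set -x
fi

#
# Keystone auth for neutron-server: admin_* keys before Kilo, the
# auth-plugin style (AUTH_TYPE_PARAM etc. come from setup-lib.sh) after.
#
if [ "$OSVERSION" -lt "$OSKILO" ]; then
    crudini --set "$neutron_conf" keystone_authtoken \
        auth_uri "http://${CONTROLLER}:5000/${KAPISTR}"
    crudini --set "$neutron_conf" keystone_authtoken \
        identity_uri "http://${CONTROLLER}:${KADMINPORT}"
    crudini --set "$neutron_conf" keystone_authtoken \
        admin_tenant_name service
    crudini --set "$neutron_conf" keystone_authtoken \
        admin_user neutron
    set +x
    crudini --set "$neutron_conf" keystone_authtoken \
        admin_password "${NEUTRON_PASS}"
    set -x
else
    crudini --set "$neutron_conf" keystone_authtoken \
        auth_uri "http://${CONTROLLER}:5000"
    crudini --set "$neutron_conf" keystone_authtoken \
        auth_url "http://${CONTROLLER}:${KADMINPORT}"
    crudini --set "$neutron_conf" keystone_authtoken \
        "${AUTH_TYPE_PARAM}" password
    crudini --set "$neutron_conf" keystone_authtoken \
        "${PROJECT_DOMAIN_PARAM}" default
    crudini --set "$neutron_conf" keystone_authtoken \
        "${USER_DOMAIN_PARAM}" default
    crudini --set "$neutron_conf" keystone_authtoken \
        project_name service
    crudini --set "$neutron_conf" keystone_authtoken \
        username neutron
    set +x
    crudini --set "$neutron_conf" keystone_authtoken \
        password "${NEUTRON_PASS}"
    set -x
fi

# An unset KEYSTONEUSEMEMCACHE used to make the whole test fail (and skip
# memcached even on Mitaka+); default it to 0 so only the version decides.
if [ "$OSVERSION" -ge "$OSMITAKA" ] || [ "${KEYSTONEUSEMEMCACHE:-0}" -eq 1 ]; then
    crudini --set "$neutron_conf" keystone_authtoken \
        memcached_servers "${CONTROLLER}:11211"
fi

# Neutron talks to placement from Ocata on.
if [ "$OSVERSION" -ge "$OSOCATA" ]; then
    crudini --set "$neutron_conf" placement \
        os_region_name "$REGION"
    crudini --set "$neutron_conf" placement \
        auth_url "http://${CONTROLLER}:${KADMINPORT}/v3"
    crudini --set "$neutron_conf" placement \
        "${AUTH_TYPE_PARAM}" password
    crudini --set "$neutron_conf" placement \
        "${PROJECT_DOMAIN_PARAM}" default
    crudini --set "$neutron_conf" placement \
        "${USER_DOMAIN_PARAM}" default
    crudini --set "$neutron_conf" placement \
        project_name service
    crudini --set "$neutron_conf" placement \
        username placement
    set +x
    crudini --set "$neutron_conf" placement \
        password "${PLACEMENT_PASS}"
    set -x
fi

#
# ML2 core config.  network_types, flat_networks and network_vlan_ranges
# are computed in setup-lib.sh / neutron.vars.
#
crudini --set "$ml2_conf" ml2 \
    type_drivers "${network_types}"
crudini --set "$ml2_conf" ml2 \
    tenant_network_types "${network_types}"
crudini --set "$ml2_conf" ml2 \
    mechanism_drivers openvswitch

# The dns extension driver exists from Newton on; nothing to set before that.
extdrivers=
if [ "$OSVERSION" -ge "$OSNEWTON" ]; then
    extdrivers="dns"
fi
if [ -n "$extdrivers" ]; then
    crudini --set "$ml2_conf" ml2 \
        extension_drivers "$extdrivers"
fi

crudini --set "$ml2_conf" ml2_type_flat \
    flat_networks "${flat_networks}"
crudini --set "$ml2_conf" ml2_type_gre \
    tunnel_id_ranges 1:1000
# network_vlan_ranges is expected to hold the whole "key = value" line(s)
# (it comes from neutron.vars), hence a here-doc rather than crudini.
cat <<EOF >>"$ml2_conf"
[ml2_type_vlan]
${network_vlan_ranges}
EOF
crudini --set "$ml2_conf" ml2_type_vxlan \
    vni_ranges 3000:4000
#crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vxlan \
#    vxlan_group 224.0.0.1

#
# Security groups: written to both the agent file and ml2_conf.ini, since
# which one the agent reads depends on the release (see the Mitaka note
# below).  fwdriver is optional and comes from neutron.vars.
#
crudini --set "$ovsagent_conf" securitygroup \
    enable_security_group True
crudini --set "$ovsagent_conf" securitygroup \
    enable_ipset True
if [ -n "$fwdriver" ]; then
    crudini --set "$ovsagent_conf" securitygroup \
        firewall_driver "$fwdriver"
fi
crudini --set "$ml2_conf" securitygroup \
    enable_security_group True
crudini --set "$ml2_conf" securitygroup \
    enable_ipset True
if [ -n "$fwdriver" ]; then
    crudini --set "$ml2_conf" securitygroup \
        firewall_driver "$fwdriver"
fi
# gre_local_ip, enable_tunneling, bridge_mappings and tunnel_types each hold
# a complete "key = value" line (or are empty), so they are appended raw.
cat <<EOF >> "$ml2_conf"
[ovs]
${gre_local_ip}
${enable_tunneling}
${bridge_mappings}

[agent]
${tunnel_types}
EOF

if [ "$OSVERSION" -ge "$OSMITAKA" ]; then
    # In Mitaka, these seem to need to be specifically in the agent file.
    # Must be a change in neutron-server init script.
    # Just slap these in.
    cat <<EOF >> "$ovsagent_conf"
[ovs]
${gre_local_ip}
${enable_tunneling}
${bridge_mappings}

[agent]
${tunnel_types}
EOF
fi

#
# Ok, also put our FQDN into the hosts file so that local applications can
# resolve that pair even if the network happens to be down.  This happens,
# for instance, because of our anti-ARP spoofing "patch" to the openvswitch
# agent (the agent remove_all_flow()s on a switch periodically and inserts a
# default normal forwarding rule, plus anything it needs --- our patch adds some
# anti-ARP spoofing rules after remove_all but BEFORE the default normal rule
# gets added back (this is just the nature of the existing code in Juno and Kilo
# (the situation is easier to patch more nicely on the master branch, but we
# don't have Liberty yet)) --- and because it adds the rules via command line
# using sudo, and sudo tries to lookup the hostname --- this can cause a hang.)
# Argh, what a pain.  For the rest of this hack, see setup-ovs-node.sh, and
# setup-networkmanager.sh and setup-compute-network.sh where we patch the
# neutron openvswitch agent.
#
printf '%s    %s %s\n' "$MYIP" "$NFQDN" "$PFQDN" >> /etc/hosts

#
# Patch the neutron openvswitch agent to try to stop inadvertent spoofing on
# the public emulab/cloudlab control net, sigh.
#
# There is no 'set -e' here, so a failed patch used to go unnoticed until
# the flows silently vanished; at least say so on stderr.
#
if [ "$OSVERSION" -le "$OSLIBERTY" ]; then
    ovspatch="$DIRNAME/etc/neutron-${OSCODENAME}-openvswitch-remove-all-flows-except-system-flows.patch"
else
    ovspatch="$DIRNAME/etc/neutron-${OSCODENAME}-ovs-reserved-cookies.patch"
fi
patch -d / -p0 < "$ovspatch" \
    || echo "WARNING: failed to apply $ovspatch" 1>&2

#
# https://git.openstack.org/cgit/openstack/neutron/commit/?id=51f6b2e1c9c2f5f5106b9ae8316e57750f09d7c9
#
if [ "$OSVERSION" -ge "$OSLIBERTY" ] && [ "$OSVERSION" -lt "$OSNEWTON" ]; then
    segpatch="$DIRNAME/etc/neutron-liberty-ovs-agent-segmentation-id-None.patch"
    patch -d / -p0 < "$segpatch" \
        || echo "WARNING: failed to apply $segpatch" 1>&2
fi

#
# Neutron depends on bridge module, but it doesn't autoload it.
#
modprobe bridge
echo bridge >> /etc/modules

service_restart openvswitch-switch
service_enable openvswitch-switch
service_restart nova-compute

# Restart the ovs-cleanup service to ensure it is using the patched code
# and thus will not delete our new cookie-based flows once we add them.
service_restart neutron-ovs-cleanup
service_enable neutron-ovs-cleanup

# The agent service was renamed in Mitaka.
if [ "$OSVERSION" -lt "$OSMITAKA" ]; then
    service_restart neutron-plugin-openvswitch-agent
    service_enable neutron-plugin-openvswitch-agent
else
    service_restart neutron-openvswitch-agent
    service_enable neutron-openvswitch-agent
fi

if [ "$OSVERSION" -gt "$OSLIBERTY" ]; then
    # If we are using the reserved cookies patch, we have to figure out
    # what our cookie is, read it, and then edit all the anti-spoofing
    # flows to have our reserved cookie -- and then re-insert them all.
    # We don't know what our per-host reserved cookie is until the
    # patched ovs code creates one on the first startup after patch.
    cookiefile=/var/lib/neutron/ovs-default-flows.reserved_cookie
    flowfile=/etc/neutron/ovs-default-flows/br-ex
    echo "*** Re-adding OVS anti-spoofing flows with reserved cookie..."
    # Wait up to 30s for the patched agent to write the cookie file.
    i=30
    while [ ! -f "$cookiefile" ] && [ "$i" -gt 0 ]; do
        sleep 1
        i=$((i - 1))
    done
    # Sleep to let the agent settle further.
    sleep 5
    # Restart the ovs agent one more time; something in its first-time
    # startup doesn't catch the reserved/preserved cookies, and ends up
    # wiping our flows.
    service_restart neutron-openvswitch-agent
    # Let the agent settle again...
    sleep 5
    if [ -f "$cookiefile" ] && [ -f "$flowfile" ]; then
        cookie=$(cat "$cookiefile")
        # Start from an empty temp file so a leftover from an earlier
        # interrupted run cannot duplicate flows in the rewritten file.
        : > "$flowfile.tmp"
        # NOTE(review): assumes one flow spec per line in $flowfile --
        # confirm against whichever script writes it.  Whole lines are read
        # so a spec containing whitespace is not split into bogus flows;
        # blank lines are skipped, as the old word-split loop did.
        while IFS= read -r fl || [ -n "$fl" ]; do
            [ -n "$fl" ] || continue
            echo "cookie=$cookie,$fl" >> "$flowfile.tmp"
            ovs-ofctl add-flow br-ex "cookie=$cookie,$fl"
        done < "$flowfile"
        mv "$flowfile.tmp" "$flowfile"
    fi
fi

touch "$OURDIR/setup-network-plugin-openvswitch-done"

logtend "network-plugin-openvswitch"

exit 0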