1. 22 Jun, 2018 6 commits
  2. 21 Jun, 2018 2 commits
  3. 24 May, 2018 1 commit
  4. 14 Dec, 2017 1 commit
      Effectively force the default ovs NORMAL br-ex flow to always persist. · cbe828aa
      David Johnson authored
      From the comments:
      
        A final hack.  These days (i.e. Pike), the neutron-openvswitch-agent
        is very aggressive to delete the default NORMAL flow on the br-ex
        bridge.  This causes problems for testbed.service on reboot, because
        connectivity effectively flaps as the NORMAL flow gets deleted and
        added.  So, we make a default NORMAL flow with our cookie, so it
        effectively won't be deleted.  Once the agent has initialized, its
        cookie will replace ours for this priority=0,actions=NORMAL flow, but
        that is fine.
  5. 25 Oct, 2017 3 commits
  6. 23 Oct, 2017 2 commits
      Deal with a new behavior in Mitaka Neutron openvswitch plugin. · ca1048e6
      David Johnson authored
        Huge hack.  Somewhere in Mitaka, something starts removing the first
        flow rule from the table (and that is the rule allowing our control
        net iface ARP replies to go out!).  So, put a simple rule at the head
        of the line that simply allows ARP replies from the local control net
        default gateway to arrive on our control net iface.  This rule is of
        course eclipsed by the "Allow any inbound ARP replies on the control
        network" rule below -- thus it is safe to allow this arbitrary process
        to delete.
      
      Of course, there is probably some assumption that the plugin is making
      that might be going wrong.  Oh well, let's wait for that to happen.
      Don't have time to read the code right now to find the remover-culprit.
      Make sure our anti-ARP spoofing flow rules are re-added on reboot. · 76865ca1
      David Johnson authored
      This is necessary for Mitaka and on.  I don't know if I hadn't done it,
      or just can't find the old mechanism that no longer works :).  Anyway,
      now I do it in a new way!
  7. 11 Oct, 2016 3 commits
      Improvements in ovs/linuxbridge iface config and hosts file setup. · 938d5fe0
      David Johnson authored
      Also, I had to change the linuxbridge configuration around.  I'd been
      using statically-configured linux bridges, and I'd assumed I could tell
      Neutron to use them.  Unfortunately, this is sort of true, but not
      enough; from the comments:
      
       NB: We can only control the name of the external br-ex bridge,
       because only the Neutron linuxbridge driver accepts both a map of
       physical networks to physical interfaces; and physical network to
       bridge names.  Nova assumes that the bridge it must plug a device
       into is named according to the physical network uuid.  Thus, for
       the linuxbridge case, we only setup bridge_mappings for
       br-ex... modulo a flag.  Hopefully in the future they will see the
       sense in allowing static bridge configurations.
      
      So for now, only br-ex is static; the others are dynamic.  What a pain
      for debugging!  Stupid.
      
      More importantly, this commit also integrates correctly with the
      new Emulab clientside improvements that let the user customize interface
      config and /etc/hosts file generation.  To handle hosts, we create a
      static manifest file that tells Emulab to call an rc.hostnames
      pre-hook.  This hook basically grabs our latest special openstack hosts
      entries, and ensures they make it into /etc/hosts.head, so that
      genhostsfile prepends our special names.  To handle interfaces, we
      further customize /etc/network/interfaces so that Emulab's rc.ifconfig
      only tries to configure interfaces we haven't handled.
      
      Thus, if the clientside of the disk image the scripts are operating on
      includes the new clientside hookable support, we no longer move
      rc.ifconfig and rc.hostnames out of our way --- we let them run, secure
      in the knowledge that our customizations won't get trampled.
      
      (All this improvement was necessary so that blockstores and event system
      stuff would work.)
      Record more control net info, too. · 19a6adfe
      David Johnson authored
  8. 19 Aug, 2016 1 commit
      Add Mitaka; unified controller/networkmanager; Manila; linuxbridge. · 6d23a989
      David Johnson authored
      The feature notes:
      
        * Mitaka is now the default OpenStack release configured by this
          profile.  Kilo and Juno are deprecated, and we are no longer testing
          the profile's functionality under those versions (although we have
          no concrete plans to remove the code at this point).  They may
          continue to work, or they may not.  You should update to Mitaka if
          possible, of course.
      
        * The default topology is now down to two nodes: a controller (`ctl`)
          node and a compute (`cp-1`) node; the networkmanager node's
          functionality has been moved to the controller, as is the default in
          the OpenStack Ubuntu/Apt documentation.  You can return to the old
          three-node configuration by changing the name of the
          "networkmanager" node in the Advanced Parameters from `ctl` to `nm`.
      
        * One of the bigger Mitaka features is shared filesystem support
          (Manila).  We download a shared filesystem image and configure
          Manila so that you can immediately create a share and connect it to
          guests.
      
        * We have added support for the Neutron ML2 "Linuxbridge" driver,
          although we continue to install the "OpenVSwitch" ML2 driver by
          default.  The Linuxbridge driver is not as well-tested as the
          OpenVSwitch driver, in all possible configurations of this profile.
          Although OpenStack has switched to the linuxbridge driver as its
          default, we have no plans to do that yet.
      
        * You can now choose an Apt mirror and set a custom mirror path if you
          require fast localized access to a mirror.
      
        * The MTU that dnsmasq pushes to your OpenStack VMs has been reduced
          from 1454 bytes to 1450 bytes.  1454 is an adequate setting for GRE
          tunnels, of course, but not for VXLAN networks, which require 1450
          on a normal physical network with 1500-byte MTU.  Somehow this
          mistake escaped prior testing.
      
      A few details:
      
        * I refactored the Neutron ML2 plugin setup code, since all nodes
          have to be configured essentially the same way.  Moreover, it
          supports either openvswitch or linuxbridge.
      
        * I haven't setup Manila for aarch64 because there is no available
          Manila service image for aarch64.  Have to build one of my own.
  9. 23 Dec, 2015 1 commit
      Support dynamic addition/deletion of compute nodes. · 1dc78db1
      David Johnson authored
      Also, adds a geni-lib script that generates an rspec instead of printing
      it (although print still works at portal) and generates input for
      CM::AddNodes() when requested.  This generator is stateful; it tries
      to avoid generating new nodes with previously-used IPs or client_ids;
      thus it is a separate object.  It is designed so that it can be imported
      into a script, and the importing script can look for special
      DYNSLICE_GENERATOR variables to use its rspec foo to create a slice and
      add nodes in some semantic way.
  10. 08 Dec, 2015 1 commit
  11. 02 Dec, 2015 1 commit
      Make package installation optional, and separate install/upgrade. · b2634d01
      David Johnson authored
      Quit trying to apt-get packages if they're installed, unless the
      user selects the new DO_APT_UPGRADE option.  Always install was nice
      in the beginning, but it is no longer the best use case, and it can
      cause uncertainty when failures happen (i.e., if new versions of
      packages get installed that the scripts can't handle).  So now there
      are three apt options in the scripts and in the geni-lib script:
      
      DO_APT_UPDATE -- updates the apt cache (often hard to do pkg
        install/upgrade if the cache is out of date); defaults to 1
      DO_APT_INSTALL -- if this is set 0, we don't install *anything*
        other than critical deps (think python-m2crypto); defaults to 1
      DO_APT_UPGRADE -- if this is set 1, we always run apt-get install
        to either install and/or upgrade OpenStack packages and deps.
        The big change is that this now defaults to 0 -- so packages are
        not upgraded from their current versions if they exist.
  12. 26 Oct, 2015 1 commit
  13. 21 Oct, 2015 1 commit
  14. 06 Oct, 2015 2 commits
  15. 16 Jul, 2015 1 commit
      Lots of new features, especially drastically improved network config. · a9265ea7
      David Johnson authored
      Setup several kinds of networks: tunnels, flat networks, flat networks
      multiplexed via vlans over physical networks (where openstack doesn't
      manage the vlan ids), and real vlan networks (where openstack *does*
      manage the vlan ids).  Tunnels always go over the first flat data net.
      
      Be very flexible in terms of assigning IPs; generate them ourselves
      if they didn't come to us, or if user wants to use our generated ones.
      I tried to be smart (enough) with this.
      
      Setup VNC-based consoles on x86-64; working in dashboard.
      
      Don't put plaintext admin password in profile anymore; instead, expect
      a hash of the admin password.  Replace the temp admin password in the
      keystone database with the hash we get.  But, since the CLI tools
      all require real user auth, setup a secondary 'adminapi' account
      that is a real admin, and use that to see admin-openrc.sh for CLI
      tools, and for all our configuration, and places where the services
      use a real admin account to auth.  Also, push the admin password
      hash all the way into our instance images.
  16. 30 Jun, 2015 1 commit
  17. 14 May, 2015 1 commit
  18. 22 Apr, 2015 1 commit
  19. 18 Apr, 2015 1 commit
  20. 17 Apr, 2015 1 commit
      Add a simple openflow-based ARP reply filter. · 635988d8
      David Johnson authored
      This disallows any control net ARP replies emanating from one of
      the physical machines in this experiment, for IP addresses it does
      not own/control (i.e., its own control net addr, or any of the
      public addresses the experimenter asked for).
      
      I had to use ovs-ofctl and flow rules.  As it turns out, arptables
      does not drop packets --- it merely drops ARP table *entries*.
      This behavior is not what you'd expect, and the man page makes it
      sound like you'll drop packets.  So it's useless to us.
      
      Since OVS switch-bridges don't support netfilter bridge hooks (i.e.,
      ebtables), we're left to adding openflow drop rules.  Good enough.
  21. 15 Apr, 2015 1 commit
      Support vlan-based lans. · e46b0a94
      David Johnson authored
      Have to notice that the experiment lans are atop vlans so we can use
      the right regexes to collect info, and so we can save their
      configuration appropriately in our static rewrite of
      /etc/network/interfaces .
  22. 20 Mar, 2015 1 commit
      Fix the saving of the static network config so reboots work. · cc2e7d4a
      David Johnson authored
      Since we migrate part of the Emulab ifconfig to OVS bridges, etc,
      we have to save it in /etc/network/interfaces, /etc/hostname, and
      make sure /etc/resolv.conf gets setup right.
      
      I had made a couple bad assumptions about what openvswitch would do, and
      needed to also handle /etc/resolv.conf .  Doh!
  23. 17 Mar, 2015 1 commit
  24. 13 Mar, 2015 2 commits