Support Quantum security group
Adds Q_USE_SECGROUP flag for quantum security group
- Added has_quantum_plugin_security_group method for each plugin.
- Set NOVA_VIF_DRIVER to the hybrid VIF driver for plugins with
iptables based security group support.
- Specifying device_owner type on debug port in lib/quantum and
quantum-adv-test.sh. This change makes apply quantum security
group fro debug port
Change-Id: Ifd155798912247d85a9765ef73a2186b929237b4
diff --git a/lib/quantum_plugins/README.md b/lib/quantum_plugins/README.md
index 5411de0..05bfb85 100644
--- a/lib/quantum_plugins/README.md
+++ b/lib/quantum_plugins/README.md
@@ -32,3 +32,5 @@
* ``quantum_plugin_configure_plugin_agent``
* ``quantum_plugin_configure_service``
* ``quantum_plugin_setup_interface_driver``
+* ``has_quantum_plugin_security_group``:
+ return 0 if the plugin support quantum security group otherwise return 1
diff --git a/lib/quantum_plugins/bigswitch_floodlight b/lib/quantum_plugins/bigswitch_floodlight
index 7d3fd96..4857f49 100644
--- a/lib/quantum_plugins/bigswitch_floodlight
+++ b/lib/quantum_plugins/bigswitch_floodlight
@@ -51,5 +51,10 @@
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
}
+function has_quantum_plugin_security_group() {
+ # 1 means False here
+ return 1
+}
+
# Restore xtrace
$MY_XTRACE
diff --git a/lib/quantum_plugins/brocade b/lib/quantum_plugins/brocade
index ac91143..6e26ad7 100644
--- a/lib/quantum_plugins/brocade
+++ b/lib/quantum_plugins/brocade
@@ -45,5 +45,10 @@
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver
}
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
# Restore xtrace
$BRCD_XTRACE
diff --git a/lib/quantum_plugins/linuxbridge b/lib/quantum_plugins/linuxbridge
index 11bc585..324e255 100644
--- a/lib/quantum_plugins/linuxbridge
+++ b/lib/quantum_plugins/linuxbridge
@@ -48,6 +48,11 @@
if [[ "$LB_INTERFACE_MAPPINGS" != "" ]]; then
iniset /$Q_PLUGIN_CONF_FILE LINUX_BRIDGE physical_interface_mappings $LB_INTERFACE_MAPPINGS
fi
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.IptablesFirewallDriver
+ else
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver
+ fi
AGENT_BINARY="$QUANTUM_DIR/bin/quantum-linuxbridge-agent"
}
@@ -76,5 +81,10 @@
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.BridgeInterfaceDriver
}
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
# Restore xtrace
$MY_XTRACE
diff --git a/lib/quantum_plugins/nicira b/lib/quantum_plugins/nicira
index 8c150b1..6eefb02 100644
--- a/lib/quantum_plugins/nicira
+++ b/lib/quantum_plugins/nicira
@@ -141,5 +141,10 @@
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
}
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
# Restore xtrace
$MY_XTRACE
diff --git a/lib/quantum_plugins/openvswitch b/lib/quantum_plugins/openvswitch
index dda1239..ab16483 100644
--- a/lib/quantum_plugins/openvswitch
+++ b/lib/quantum_plugins/openvswitch
@@ -8,7 +8,7 @@
source $TOP_DIR/lib/quantum_plugins/ovs_base
function quantum_plugin_create_nova_conf() {
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
+ _quantum_ovs_base_configure_nova_vif_driver
if [ "$VIRT_DRIVER" = 'xenserver' ]; then
iniset $NOVA_CONF DEFAULT xenapi_vif_driver nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
iniset $NOVA_CONF DEFAULT xenapi_ovs_integration_bridge $FLAT_NETWORK_BRIDGE
@@ -43,6 +43,7 @@
# Setup integration bridge
OVS_BRIDGE=${OVS_BRIDGE:-br-int}
_quantum_ovs_base_setup_bridge $OVS_BRIDGE
+ _quantum_ovs_base_configure_firewall_driver
# Setup agent for tunneling
if [[ "$OVS_ENABLE_TUNNELING" = "True" ]]; then
@@ -139,5 +140,9 @@
iniset $conf_file DEFAULT interface_driver quantum.agent.linux.interface.OVSInterfaceDriver
}
+function has_quantum_plugin_security_group() {
+ return 0
+}
+
# Restore xtrace
$MY_XTRACE
diff --git a/lib/quantum_plugins/ovs_base b/lib/quantum_plugins/ovs_base
index ab988d9..2ada0db 100644
--- a/lib/quantum_plugins/ovs_base
+++ b/lib/quantum_plugins/ovs_base
@@ -39,6 +39,14 @@
iniset $QUANTUM_TEST_CONFIG_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
}
+function _quantum_ovs_base_configure_firewall_driver() {
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+ else
+ iniset /$Q_PLUGIN_CONF_FILE SECURITYGROUP firewall_driver quantum.agent.firewall.NoopFirewallDriver
+ fi
+}
+
function _quantum_ovs_base_configure_l3_agent() {
iniset $Q_L3_CONF_FILE DEFAULT external_network_bridge $PUBLIC_BRIDGE
@@ -48,5 +56,15 @@
sudo ip addr flush dev $PUBLIC_BRIDGE
}
+function _quantum_ovs_base_configure_nova_vif_driver() {
+ # The hybrid VIF driver needs to be specified when Quantum Security Group
+ # is enabled (until vif_security attributes are supported in VIF extension)
+ if [[ "$Q_USE_SECGROUP" == "True" ]]; then
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
+ else
+ NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtGenericVIFDriver"}
+ fi
+}
+
# Restore xtrace
$MY_XTRACE
diff --git a/lib/quantum_plugins/ryu b/lib/quantum_plugins/ryu
index d1d7382..1139232 100644
--- a/lib/quantum_plugins/ryu
+++ b/lib/quantum_plugins/ryu
@@ -9,7 +9,7 @@
source $TOP_DIR/lib/quantum_thirdparty/ryu # for configuration value
function quantum_plugin_create_nova_conf() {
- NOVA_VIF_DRIVER=${NOVA_VIF_DRIVER:-"nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"}
+ _quantum_ovs_base_configure_nova_vif_driver
iniset $NOVA_CONF DEFAULT libvirt_ovs_integration_bridge "$OVS_BRIDGE"
}
@@ -52,6 +52,8 @@
fi
iniset /$Q_PLUGIN_CONF_FILE OVS integration_bridge $OVS_BRIDGE
AGENT_BINARY="$QUANTUM_DIR/quantum/plugins/ryu/agent/ryu_quantum_agent.py"
+
+ _quantum_ovs_base_configure_firewall_driver
}
function quantum_plugin_configure_service() {
@@ -64,5 +66,10 @@
iniset $conf_file DEFAULT ovs_use_veth True
}
+function has_quantum_plugin_security_group() {
+ # 0 means True here
+ return 0
+}
+
# Restore xtrace
$MY_XTRACE