[ English | Indonesia | 한국어 (대한민국) | Deutsch | English (United Kingdom) ]
Deploy tap-as-a-service (TaaS) Neutron / Dashboard plugin¶
This guide explains how to deploy tap-as-a-service (TaaS) Neutron plugin and TaaS Dashboard plugin in Neutron and Horizon charts respectively.
TaaS plugin provides a mechanism to mirror certain traffic (for example tagged with specific VLANs) from a source VM to any traffic analyzer VM. When packet will be forwarded, the original value of source and target ip/ports information will not be altered and the system administrator will be able to run, for ex. tcpdump, on the target VM to trace these packets.
For more details, refer to TaaS specification: Tap-as-a-service.
TaaS Architecture¶
As any other Neutron plugin, TaaS neutron plugin functionality consists of following modules:
TaaS Plugin: This is the front-end of TaaS which runs on controller node (Neutron server). This serves TaaS APIs and stores/retrieves TaaS configuration state to/from Neutron TaaS DB.
TaaS Agent, TaaS OVS Driver and TaaS SR-IOV Driver: This forms the back-end of TaaS which runs as a ML2 agent extension on compute nodes. It handles the RPC calls made by TaaS Plugin and configures the mechanism driver, i.e. OpenVSwitch or SR-IOV Nic Switch.
TaaS Dashboard Plugin: Horizon Plugin which adds GUI panels for TaaS resources in the Horizon Dashboard.
Prepare LOCI images¶
Before deploying TaaS and/or TaaS Dashboard, it needs to be added in Neutron and/or Horizon LOCI images.
This is a two step process, i.e.
Prepare a requirements LOCI image with Neutron TaaS and TaaS Dashboard code installed.
Prepare Neutron or Horizon LOCI image using this requirements image as
docker build --build-arg WHEELScommand argument.
Requirements LOCI image¶
Create a patchset for
openstack/requirementsrepoAdd TaaS and TaaS dashboard dependencies in
upper-constraints.txtfile inopenstack/requirementsrepo, i.e. https://opendev.org/openstack/requirementsgit+https://opendev.org/openstack/tap-as-a-service@master#egg=tap-as-a-service git+https://opendev.org/openstack/tap-as-a-service-dashboard@master#egg=tap-as-a-service-dashboard
For example if gerrit refspec for this commit is „refs/changes/xx/xxxxxx/x“, so export the
REQUIREMENTS_REF_SPECvariable as follows:export REQUIREMENTS_REF_SPEC="refs/changes/xx/xxxxxx/x"
Build the requirements LOCI image using above commit
Use it as
docker build --build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC}command argument to build the requirements LOCI image.
Neutron and Horizon LOCI images¶
Create a patchset for
openstack/neutronrepoAdd TaaS dependency in
requirements.txtfile inopenstack/neutronrepo, i.e. https://opendev.org/openstack/neutrontap-as-a-service
For example if gerrit refspec for this commit is „refs/changes/xx/xxxxxx/x“; so export the
NEUTRON_REF_SPECvariable as follows:export NEUTRON_REF_SPEC="refs/changes/xx/xxxxxx/x"
Create a patchset for
openstack/horizonrepoAdd TaaS Dashboard dependency in
requirements.txtfile inopenstack/horizonrepo, i.e. https://opendev.org/openstack/horizontap-as-a-service-dashboard
For example if gerrit refspec for this commit is „refs/changes/xx/xxxxxx/x“; so export the
HORIZON_REF_SPECvariable as follows:export HORIZON_REF_SPEC="refs/changes/xx/xxxxxx/x"
Putting it all together
Apart from the variables above with gerrit refspec values, additionally export following environment variables with values as applicable:
export OPENSTACK_VERSION="stable/ocata" export PRIVATE_REPO="docker.io/username"
Use above gerrit commits to prepare the LOCI images using following script:
#!/bin/bash set -ex # export following variables with applicable values before invoking the script #---------- : ${OPENSTACK_VERSION:="stable/ocata"} : ${REQUIREMENTS_REF_SPEC:=""} : ${NEUTRON_REF_SPEC:=""} : ${HORIZON_REF_SPEC:=""} : ${PRIVATE_REPO:="docker.io/username"} # Replace with your own dockerhub repo #---------- IMAGE_TAG="${OPENSTACK_VERSION#*/}" REGEX_GERRIT_REF_SPEC="^refs" [[ ${REQUIREMENTS_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] || (echo "Please set a proper value for REQUIREMENTS_REF_SPEC env variable" && exit) [[ ${NEUTRON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] || (echo "Please set a proper value for NEUTRON_REF_SPEC env variable" && exit) [[ ${HORIZON_REF_SPEC} =~ ${REGEX_GERRIT_REF_SPEC} ]] || (echo "Please set a proper value for HORIZON_REF_SPEC env variable" && exit) # Login to private-repo : provide login password when asked sudo docker login sudo docker run -d \ --name docker-in-docker \ --privileged=true \ --net=host \ -v /var/lib/docker \ -v ${HOME}/.docker/config.json:/root/.docker/config.json:ro\ docker.io/docker:17.07.0-dind \ dockerd \ --pidfile=/var/run/docker.pid \ --host=unix:///var/run/docker.sock \ --storage-driver=overlay2 sudo docker exec docker-in-docker apk update sudo docker exec docker-in-docker apk add git # Prepare Requirements image sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \ https://opendev.org/openstack/loci.git \ --network host \ --build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \ --build-arg PROJECT=requirements \ --build-arg PROJECT_REF=${REQUIREMENTS_REF_SPEC} \ --tag ${PRIVATE_REPO}/requirements:${IMAGE_TAG} sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/requirements:${IMAGE_TAG} # Prepare Neutron image sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \ https://opendev.org/openstack/loci.git \ --build-arg PROJECT=neutron \ --build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \ --build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \ --build-arg PROFILES="fluent neutron linuxbridge openvswitch" \ --build-arg PIP_PACKAGES="pycrypto" \ --build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \ --tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG} sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG} # Prepare Neutron sriov image sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \ https://opendev.org/openstack/loci.git \ --build-arg PROJECT=neutron \ --build-arg PROJECT_REF=${NEUTRON_REF_SPEC} \ --build-arg FROM=docker.io/ubuntu:18.04 \ --build-arg PROFILES="fluent neutron linuxbridge openvswitch" \ --build-arg PIP_PACKAGES="pycrypto" \ --build-arg DIST_PACKAGES="ethtool lshw" \ --build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \ --tag ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804 sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/neutron:${IMAGE_TAG}-sriov-1804 # Prepare Horizon image sudo docker exec docker-in-docker docker build --force-rm --pull --no-cache \ https://opendev.org/openstack/loci.git \ --build-arg PROJECT=horizon \ --build-arg PROJECT_REF=${HORIZON_REF_SPEC} \ --build-arg FROM=gcr.io/google_containers/ubuntu-slim:0.14 \ --build-arg PROFILES="fluent horizon apache" \ --build-arg PIP_PACKAGES="pycrypto" \ --build-arg WHEELS=${PRIVATE_REPO}/requirements:${IMAGE_TAG} \ --tag ${PRIVATE_REPO}/horizon:${IMAGE_TAG} sudo docker exec docker-in-docker docker push ${PRIVATE_REPO}/horizon:${IMAGE_TAG}
Deploy TaaS Plugin¶
Override images in Neutron chart¶
Override the images section parameters for Neutron chart with the
custom LOCI image’s tag, prepared as explained in above sections.
images:
tags:
neutron_db_sync: ${PRIVATE_REPO}/neutron:ocata
neutron_server: ${PRIVATE_REPO}/neutron:ocata
neutron_dhcp: ${PRIVATE_REPO}/neutron:ocata
neutron_metadata: ${PRIVATE_REPO}/neutron:ocata
neutron_l3: ${PRIVATE_REPO}/neutron:ocata
neutron_openvswitch_agent: ${PRIVATE_REPO}/neutron:ocata
neutron_linuxbridge_agent: ${PRIVATE_REPO}/neutron:ocata
neutron_sriov_agent: ${PRIVATE_REPO}/neutron:ocata-sriov-1804
neutron_sriov_agent_init: ${PRIVATE_REPO}/neutron:ocata-sriov-1804
Configure TaaS in Neutron chart¶
While deploying neutron-server and L2 agents, TaaS should be enabled in
conf: neutron section to add TaaS as a service plugin; in conf: plugins
section to add TaaS as a L2 agent extension; in conf: taas_plugin section
to configure the service_provider endpoint used by Neutron TaaS plugin:
conf:
neutron:
DEFAULT:
service_plugins: taas
plugins:
ml2_conf:
agent:
extensions: taas
taas:
taas:
enabled: True
taas_plugin:
service_providers:
service_provider: TAAS:TAAS:neutron_taas.services.taas.service_drivers.taas_rpc.TaasRpcDriver:default
Deploy TaaS Dashboard Plugin¶
TaaS dashboard plugin can be deployed simply by using custom LOCI images having
TaaS Dashboard code installed (as explained in above sections), i.e. override
the images section parameters for Horizon charts:
images:
tags:
horizon_db_sync: ${PRIVATE_REPO}/horizon:ocata
horizon: ${PRIVATE_REPO}/horizon:ocata
Set log level for TaaS¶
Default log level for Neutron TaaS is INFO. For changing it, override
following parameter:
conf:
logging:
logger_neutron_taas:
level: INFO
References¶
Neutron TaaS support in Openstack-Helm commits:
Add TaaS panel to Horizon Dashboard:
