Deploying OpenWRT as VNFΒΆ
Once tacker is installed successfully, follow the steps given below to get started with deploying OpenWRT as VNF.
1. Ensure Glance already contains OpenWRT image. Normally, Tacker tries to add OpenWRT image to Glance while installing via devstack. By running glance image-list to check OpenWRT image if exists. If not, download the image from OpenWRT official site. And upload this image into Glance by using either of the commands below:
Using glance cli:
glance image-create --name OpenWRT \
--disk-format qcow2 \
--container-format bare \
--progress \
--file /path_to_image/openwrt-x86-kvm_guest-combined-ext4.img \
--visibility public
OR, using OpenStack cli:
openstack image create OpenWRT --disk-format qcow2 \
--container-format bare \
--file /path_to_image/openwrt-x86-kvm_guest-combined-ext4.img \
--visibility public
2. Create a yaml template named tosca-vnfd-openwrt-with-firewall-rules.yaml which contains basic configuration of OpenWRT and some firewall rules of OpenWRT. All contents of the template file shows below:
tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
description: OpenWRT with services
metadata:
template_name: OpenWRT
topology_template:
node_templates:
VDU1:
type: tosca.nodes.nfv.VDU.Tacker
capabilities:
nfv_compute:
properties:
num_cpus: 1
mem_size: 512 MB
disk_size: 1 GB
properties:
image: OpenWRT
config:
firewall: |
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
mgmt_driver: openwrt
monitoring_policy:
name: ping
parameters:
count: 3
interval: 10
actions:
failure: respawn
CP1:
type: tosca.nodes.nfv.CP.Tacker
properties:
management: true
anti_spoofing_protection: false
requirements:
- virtualLink:
node: VL1
- virtualBinding:
node: VDU1
VL1:
type: tosca.nodes.nfv.VL
properties:
network_name: net_mgmt
vendor: Tacker
The above template file comes from two files. One is tosca-vnfd-openwrt.yaml and other one is tosca-config-openwrt-with-firewall.yaml. In this template file, we specify the mgmt_driver: openwrt which means this VNFD is managed by openwrt driver. This driver can inject firewall rules which defined in VNFD into OpenWRT instance by using SSH protocol. We can run cat /etc/config/firewall to confirm the firewall rules if inject succeed.
3.Create a sample vnfd:
tacker vnfd-create \
--vnfd-file tosca-vnfd-openwrt-with-firewall-rules.yaml \
<VNFD_NAME>
4.Create a VNF:
tacker vnf-create --vnfd-name <VNFD_NAME> <NAME>
This VNF will contains all the firewall rules that VNFD contains by using ‘cat /etc/config/firewall’ in VNF.
5.Check the status:
tacker vnf-list
tacker vnf-show <VNF_ID>