[neutron][Cisco ACI] Multi-VMM domain support (SOC - 10471)

Varadhan Veerapuram · mmnelemane · commit 1f164360fda2 · 2019-09-27T16:34:12.000+02:00
A Single ACI fabric can support multiple VMM domains. Each VMM domain
can be governed by a different controller (Eg: VMWare vCenter or
OpenStack or MicroSoft SCVMM). Several production data centers tend
to use multiple VMM domains and expect to be able to monitor and
control network policies from a single ACI fabric. Integration of
OpenStack with such a setup requires crowbar to provide parameters
specific to each VMM domain. This commit adds the additional
parameters and logic to validate and send these to the correct
config location. The changes now allow to provide "Vmware" or
"OpenStack" as the VMM type. Multiple entries of either types
are possible.

- Also added "ssl_mode" as a configurable parameter which is
needed to be in "encrypted" mode if ESXi is used as compute.
Other use-cases may need to change it as required and hence
included it as a configurable parameter within the opflex
node structure.
diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb b/chef/cookbooks/neutron/recipes/cisco_apic_agents.rb
@@ -108,6 +108,7 @@
     socketgroup: neutron[:neutron][:platform][:group],
     opflex_peer_ip: opflex[:peer_ip],
     opflex_peer_port: opflex[:peer_port],
+    opflex_ssl_mode: opflex[:ssl_mode],
     opflex_int_bridge: opflex[:integration_bridge],
     opflex_access_bridge: opflex[:access_bridge],
     opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface],
@@ -132,8 +133,8 @@
 end
 utils_systemd_service_restart "neutron-opflex-agent"
 
-service "agent-ovs" do
+service "opflex-agent" do
   action [:enable, :start]
-  subscribes :restart, resources("template[#{opflex_agent_conf}]")
+  subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]")
 end
-utils_systemd_service_restart "agent-ovs"
+utils_systemd_service_restart "opflex-agent"
diff --git a/chef/cookbooks/neutron/recipes/cisco_apic_support.rb b/chef/cookbooks/neutron/recipes/cisco_apic_support.rb
@@ -41,6 +41,7 @@
 end
 
 aciswitches = node[:neutron][:apic][:apic_switches].to_hash
+acivmms = node[:neutron][:apic][:apic_vmms]
 
 template node[:neutron][:ml2_cisco_apic_config_file] do
   cookbook "neutron"
@@ -51,6 +52,9 @@
   variables(
     vpc_pairs: node[:neutron][:apic][:vpc_pairs],
     apic_switches: aciswitches,
+    optimized_dhcp: node[:neutron][:apic][:optimized_dhcp],
+    optimized_metadata: node[:neutron][:apic][:optimized_metadata],
+    apic_vmms: acivmms,
     ml2_mechanism_drivers: node[:neutron][:ml2_mechanism_drivers],
     policy_drivers: "implicit_policy,apic",
     default_ip_pool: "192.168.0.0/16"
diff --git a/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb b/chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb
@@ -2,7 +2,7 @@
 apic_system_id=<%= node[:neutron][:apic][:system_id] %>
 [opflex]
 networks = *
-[ml2_cisco_apic]
+[apic]
 apic_hosts=<%= node[:neutron][:apic][:hosts] %>
 apic_username=<%= node[:neutron][:apic][:username] %>
 apic_password=<%= node[:neutron][:apic][:password] %>
@@ -11,8 +11,8 @@ apic_name_mapping = use_name
 apic_clear_node_profiles = True
 enable_aci_routing = True
 apic_arp_flooding = True
-enable_optimized_metadata = <%= node[:neutron][:apic][:optimized_metadata] %>
-enable_optimized_dhcp = <%= node[:neutron][:apic][:optimized_dhcp] %>
+enable_optimized_metadata = <%= @optimized_metadata %>
+enable_optimized_dhcp = <%= @optimized_dhcp %>
 apic_provision_infra = True
 apic_provision_hostlinks = True
 <%  unless @vpc_pairs.nil? -%>
@@ -41,3 +41,12 @@ enable_nat = <%= node[:neutron][:apic][:ext_net][:nat_enabled] %>
 <% end -%>
 external_epg = <%= node[:neutron][:apic][:ext_net][:ext_epg] %>
 host_pool_cidr = <%= node[:neutron][:apic][:ext_net][:host_pool_cidr] %>
+
+<% @apic_vmms.each do |vmm_domain| -%>
+[apic_vmdom:<%= vmm_domain[:vmm_name]%>]
+vmm_type = <%= vmm_domain[:vmm_type]%>
+<%   if vmm_domain[:vlan_ranges] -%>
+vlan_ranges = <%= vmm_domain[:vlan_ranges] %> 
+<%   end -%>
+<% end -%>
+
diff --git a/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb b/chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb
@@ -10,7 +10,7 @@
       {"hostname": "<%= @opflex_peer_ip %>", "port": "<%= @opflex_peer_port %>"}
     ],
     "ssl": {
-      "mode": "enabled",
+      "mode": "<%= @opflex_ssl_mode %>",
       "ca-store": "/etc/ssl/certs/"
     },
     "inspector": {
diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_apic_multi_vmm_domains.rb
@@ -0,0 +1,15 @@
+def upgrade(tattr, tdep, attr, dep)
+  unless attr["apic"].key?("apic_vmms")
+    attr["apic"]["apic_vmms"] = tattr["apic"]["apic_vmms"]
+  end
+
+  return attr, dep
+end
+
+def downgrade(tattr, tdep, attr, dep)
+  unless tattr["apic"].key?("apic_vmms")
+    attr["apic"].delete("apic_vmms") if attr.key?("apic_vmms")
+  end
+
+  return attr, dep
+end
diff --git a/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb b/chef/data_bags/crowbar/migrate/neutron/308_add_opflex_access_integration_bridge.rb
diff --git a/chef/data_bags/crowbar/template-neutron.json b/chef/data_bags/crowbar/template-neutron.json
@@ -63,6 +63,7 @@
           "nodes" : [],
           "peer_ip": "",
           "peer_port": 8009,
+          "ssl_mode": "encrypted",
           "encap": "vxlan",
           "integration_bridge": "br-int",
           "access_bridge": "br-fabric",
@@ -98,7 +99,17 @@
               }
             }
           }
-        }
+        },
+        "apic_vmms": [{
+          "vmm_name": "soc_kvm_domain",
+          "vmm_type": "openstack",
+          "vlan_ranges": ""
+        },
+        {
+          "vmm_name": "soc_vm_domain",
+          "vmm_type": "vmware",
+          "vlan_ranges": ""
+        }]
       },
       "allow_overlapping_ips": true,
       "use_syslog": false,
diff --git a/chef/data_bags/crowbar/template-neutron.schema b/chef/data_bags/crowbar/template-neutron.schema
@@ -71,6 +71,7 @@
                           "nodes": { "type" : "seq", "required" : true, "sequence": [ { "type": "str" } ] },
                           "peer_ip": { "type": "str", "required" : true },
                           "peer_port": { "type": "int", "required" : true },
+                          "ssl_mode": { "type": "str", "required": true },
                           "encap": { "type": "str", "required": true },
                           "integration_bridge": { "type": "str", "required": true },
                           "access_bridge": { "type": "str", "required": true },
@@ -94,7 +95,14 @@
                             }}
                           }}
                         }}
-                      }
+                      },
+                      "apic_vmms": { "type" : "seq", "required" : true, "sequence" : [ {
+                        "type" : "map", "required" : true, "mapping" : {
+                          "vmm_name": { "type": "str", "required": true },
+                          "vmm_type": { "type": "str", "required": true },
+                          "vlan_ranges": { "type": "str", "required": true }
+                        }
+                      } ] }
                     }},
                     "allow_overlapping_ips": { "type": "bool", "required": true },
                     "cisco_switches": {
