Difference between revisions of "GroupBasedPolicy/InstallDevstack"
(7 intermediate revisions by 3 users not shown)
Latest revision as of 18:09, 14 June 2016

Installing and Running GBP

The following is a set of instructions for installing and working with GBP:

Devstack Installation

For mitaka and beyond (including the master), use the GBP devstack plugin:

https://github.com/openstack/group-based-policy/blob/master/doc/source/installation.rst#using-devstack

For Liberty installation use:

https://github.com/group-policy/gbp-devstack

After the devstack install is complete, use the "gbp" CLI binary ("gbp --help" will give you the commands)

GBP Basic CLI and Workflow

Example scenario: modeling connectivity between a web tier and its clients (two client tiers) using GBP. GBP is default-deny: until a policy rule set is provided by one Policy Target Group (PTG) and consumed by another, no traffic flows between them, as the checkpoints below show.

 # Create an allow action that can be used in several rules
 gbp policy-action-create allow --action-type allow
 # Create ICMP rule
 gbp policy-classifier-create icmp-traffic --protocol icmp --direction bi
 gbp policy-rule-create ping-policy-rule --classifier icmp-traffic --actions allow
 # Create SSH Rule (Optional)
 # gbp policy-classifier-create ssh-traffic --protocol tcp --port-range 22 --direction bi
 # gbp policy-rule-create ssh-policy-rule --classifier ssh-traffic --actions allow
 # Create HTTP Rule
 gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
 gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
 # Create HTTPs Rule
 gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in
 gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
 # ICMP policy-rule-set
 gbp policy-rule-set-create icmp-policy-rule-set --policy-rules ping-policy-rule
 # WEB policy-rule-set
 gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
 # Policy Target Group (PTG) creation
 gbp group-create  web
 gbp group-create  client-1
 gbp group-create  client-2
 # Policy Target creation and launching VMs
 WEB1=$(gbp policy-target-create web-ep-1 --policy-target-group web | awk "/port_id/ {print \$4}")
 CLIENT1=$(gbp policy-target-create client-ep-1 --policy-target-group client-1 | awk "/port_id/ {print \$4}")
 CLIENT2=$(gbp policy-target-create client-ep-2 --policy-target-group client-2 | awk "/port_id/ {print \$4}")
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$WEB1 web-vm-1
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT1 client-vm-1
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT2 client-vm-2
 ####CHECKPOINT: No traffic flows
 # policy-rule-set Association
 gbp group-update client-1 --consumed-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
 gbp group-update client-2 --consumed-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
 gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
 ####CHECKPOINT: ICMP works in both directions between the client VMs and web-vm-1, and HTTP works from the clients to web-vm-1 (web-traffic is direction "in", i.e. into the providing PTG)
 gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
 ####CHECKPOINT: HTTP stops working for both client PTGs; HTTPS (tcp/443) is now the only web traffic allowed into web

Configuring and testing External Connectivity

Implicit workflow for the RMD (Resource Mapping Driver): the external segment whose name matches "default_external_segment_name" is picked up automatically, so the user never references it explicitly.

 # ADMIN: create default external segment based on the name configured in "default_external_segment_name"
 # NOTE: in Juno, the RMD requires the Neutron external subnet to pre-exist.
 
 gbp external-segment-create default --subnet_id $EXT_SUB_ID --external-route destination=0.0.0.0/0,nexthop= --shared True
 # USER (any tenant): create PTG with the normal workflow
 
 gbp group-create group-with-external-access
 # Create external PTG (called External Policy)
 
 gbp external-policy-create [name]
 # Provide and consume the PRS (policy rule set): the normal PTG consumes it, the External Policy (EP) provides it
 
 gbp group-update group-with-external-access --consumed-policy-rule-sets "web-policy-rule-set=true"
 gbp external-policy-update [name] --provided_policy_rule_sets "web-policy-rule-set=true"
 
 ###HTTP traffic is now enabled from group-with-external-access towards the external world (the PTG consumes the rule set the External Policy provides, so its VMs can initiate tcp/80 outbound)

Explicit Workflow (the non-external part of the workflow is still the implicit one from above):

 # ADMIN: create non-default external segment for a given tenant (or shared)
 # NOTE: in Juno, the RMD requires the Neutron external subnet to pre-exist.
 
 EXT_SEG_ID=$(gbp external-segment-create [not-default-name] --subnet_id $EXT_SUB_ID --external-route destination=0.0.0.0/0,nexthop= --shared True | awk "/ id / {print \$4}")
 # USER: create PTG with the normal workflow
 
 gbp group-create group-with-external-access
 # Link the implicitly created L3P to the external segment
 
 gbp l3policy-update [l3-policy-id] --external-segment $EXT_SEG_ID=
 # Create external PTG (called External Policy) linked to the External Segment
 
 gbp external-policy-create [name] --external-segments $EXT_SEG_ID
 # Provide and consume the PRS (policy rule set): the normal PTG consumes it, the External Policy (EP) provides it
 
 gbp group-update group-with-external-access --consumed-policy-rule-sets "web-policy-rule-set=true"
 gbp external-policy-update [name] --provided_policy_rule_sets "web-policy-rule-set=true"
 
 ###HTTP traffic is now enabled from group-with-external-access towards the external world (the PTG consumes the rule set the External Policy provides, so its VMs can initiate tcp/80 outbound)
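The CHECKPOINT comments in the basic workflow (HTTP closed, HTTPS open after the policy-rule-set update) and in both external-connectivity workflows (tcp/80 open towards the outside) are meant to be verified by hand. The script below is an added example, not code from the GBP wiki page or the GBP project, that turns those checkpoints into an audit of the Neutron security-group rules the Resource Mapping Driver realizes for a PTG. Assumptions not stated on the page: each PTG is backed by one Neutron security group, the rule listing is fetched in the one-rule-per-line form shown in the comments (the `--` filter syntax of ptg_rules() is likewise assumed), and the sample listings are constructed for the example rather than captured from a deployment.

```shell
#!/bin/sh
# Added example, not code from the GBP wiki page.  Audits the Neutron
# security-group rules behind a PTG against the page's CHECKPOINT states.
# Assumed listing format (one rule per line, "None" for unset fields):
#   direction protocol port_range_min port_range_max remote_ip_prefix

# rule_allows LISTING DIRECTION PROTO PORT [REMOTE_PREFIX]
# Exit 0 when some rule in LISTING has the given direction and protocol, a
# port range covering PORT (an unset range means every port), and, when
# REMOTE_PREFIX is given, either that remote prefix or no prefix at all
# (which matches any peer).  Exit 1 otherwise.
rule_allows() {
  listing=$1; dir=$2; proto=$3; port=$4; remote=${5:-}
  printf '%s\n' "$listing" | awk -v dir="$dir" -v proto="$proto" \
      -v port="$port" -v remote="$remote" '
    $1 != dir || $2 != proto { next }
    { lo = ($3 == "None") ? 1 : $3 + 0; hi = ($4 == "None") ? 65535 : $4 + 0 }
    port + 0 < lo || port + 0 > hi { next }
    remote != "" && $5 != "None" && $5 != remote { next }
    { found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# State expected after
#   gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
# on the web PTG: ingress tcp/443 open AND ingress tcp/80 closed.
checkpoint_https_only() {
  rule_allows "$1" ingress tcp 443 && ! rule_allows "$1" ingress tcp 80
}

# State expected on group-with-external-access once it consumes
# web-policy-rule-set provided by the External Policy: tcp/80 may be
# opened towards any external address.
checkpoint_external_http() {
  rule_allows "$1" egress tcp 80 0.0.0.0/0
}

# Live listing for one security group (needs a sourced openrc; the "--"
# filter syntax is an assumption of this example).  Not used by the self-test.
ptg_rules() {
  neutron security-group-rule-list -f value -c direction -c protocol \
    -c port_range_min -c port_range_max -c remote_ip_prefix \
    -- --security_group_id="$1"
}

# Constructed sample listings (not captured from a real deployment).
BEFORE_SWITCH='ingress tcp 80 80 10.0.0.0/24
ingress icmp None None 10.0.0.0/24'
AFTER_SWITCH='ingress tcp 443 443 10.0.0.0/24
ingress icmp None None 10.0.0.0/24'
WITH_EXTERNAL='ingress tcp 443 443 10.0.0.0/24
egress tcp 80 80 0.0.0.0/0'

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report checkpoint_https_only "$BEFORE_SWITCH"     # FAIL: tcp/80 still open
report checkpoint_https_only "$AFTER_SWITCH"      # PASS
report checkpoint_external_http "$WITH_EXTERNAL"  # PASS
```

To check a real deployment, feed `"$(ptg_rules <security-group-id>)"` to the checkpoint functions instead of the sample strings. The audit deliberately checks both directions of the policy change: confirming that tcp/443 was added is not enough, because a rule set update that fails to remove the old web-policy-rule would leave tcp/80 reachable while the CLI reports success.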