
GroupBasedPolicy/InstallDevstack

Revision as of 22:40, 2 November 2014 by Snaiksat

Installing and Running GBP

The following instructions install GBP and get it running:

0. Install Ubuntu 14.04

1. git clone http://github.com/group-policy/devstack -b juno-gbp-1

2. cd devstack

3. ./stack.sh

Currently the CLI is usable, so:

4. source openrc demo demo

5. Use the "gbp" CLI binary ("gbp --help" will give you the commands)

Modeling connectivity between Web and App Tiers using GBP:

 # Create an allow action that can be used in several rules
 gbp policy-action-create allow --action-type allow
 # Create ICMP rule
 gbp policy-classifier-create icmp-traffic --protocol icmp --direction bi
 gbp policy-rule-create ping-policy-rule --classifier icmp-traffic --actions allow
 # Create SSH Rule (Optional)
 # gbp policy-classifier-create ssh-traffic --protocol tcp --port-range 22 --direction bi
 # gbp policy-rule-create ssh-policy-rule --classifier ssh-traffic --actions allow
 # Create HTTP Rule
 gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
 gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
 # Create HTTPS Rule
 gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in
 gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
 # ICMP policy-rule-set
 gbp policy-rule-set-create icmp-policy-rule-set --policy-rules ping-policy-rule
 # WEB policy-rule-set
 gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
 # Policy Target Group creation
 gbp group-create web
 gbp group-create client-1
 gbp group-create client-2
 # Member CLI used for demo but not for Juno
 #policy member-create --group web web-1
 #policy member-create --group client-1 client-1-1
 #policy member-create --group client-2 client-2-1
 # Policy Target creation and launching VMs
 WEB1=$(gbp policy-target-create web-ep-1 --endpoint-group web | awk "/port_id/ {print \$4}")
 CLIENT1=$(gbp policy-target-create client-ep-1 --endpoint-group client-1 | awk "/port_id/ {print \$4}")
 CLIENT2=$(gbp policy-target-create client-ep-2 --endpoint-group client-2 | awk "/port_id/ {print \$4}")
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$WEB1 web-vm-1
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT1 client-vm-1
 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT2 client-vm-2
 ####CHECKPOINT: No traffic flows
 # policy-rule-set Association
 gbp group-update client-1 --consumed-contracts "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
 gbp group-update client-2 --consumed-contracts "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
 gbp group-update web --provided-contracts "icmp-policy-rule-set=scope,web-policy-rule-set=scope"
 ####CHECKPOINT: ICMP and HTTP work from app to web and vice versa
 gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
 ####CHECKPOINT: HTTP stops working for both the client EPGs, HTTPS is now enabled
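
The three checkpoints can be reasoned about offline with a small model of the objects created above. This is an added example, not GBP's own code or part of the original page; the function names are hypothetical, and it assumes that direction "in" means traffic initiated by the consuming group toward the providing group while "bi" means either side may initiate.

```python
# Simplified model of the GBP objects created above (not GBP's own code).
# Assumption: direction "in" = consumer -> provider only, "bi" = both ways.
CLASSIFIERS = {  # classifier -> (protocol, port, direction)
    "icmp-traffic": ("icmp", None, "bi"),
    "web-traffic": ("tcp", 80, "in"),
    "secure-web-traffic": ("tcp", 443, "in"),
}
RULES = {  # policy-rule -> classifier (every rule uses the "allow" action)
    "ping-policy-rule": "icmp-traffic",
    "web-policy-rule": "web-traffic",
    "secure-web-policy-rule": "secure-web-traffic",
}

def new_state():
    """State right after the groups and VMs exist: no rule sets associated."""
    return {
        "rule_sets": {"icmp-policy-rule-set": ["ping-policy-rule"],
                      "web-policy-rule-set": ["web-policy-rule"]},
        "provided": {"web": set(), "client-1": set(), "client-2": set()},
        "consumed": {"web": set(), "client-1": set(), "client-2": set()},
    }

def allowed(state, src, dst, proto, port=None):
    """True if a rule set shared by src and dst carries a matching rule."""
    for name, rules in state["rule_sets"].items():
        fwd = name in state["consumed"][src] and name in state["provided"][dst]
        rev = name in state["provided"][src] and name in state["consumed"][dst]
        for rule in rules:
            c_proto, c_port, direction = CLASSIFIERS[RULES[rule]]
            if c_proto != proto or (c_port is not None and c_port != port):
                continue
            if fwd or (rev and direction == "bi"):
                return True
    return False  # default deny: no shared rule set, or no matching rule

def associate(state):
    """The three group-update commands: clients consume, web provides."""
    both = {"icmp-policy-rule-set", "web-policy-rule-set"}
    state["consumed"]["client-1"] |= both
    state["consumed"]["client-2"] |= both
    state["provided"]["web"] |= both

def swap_to_https(state):
    """policy-rule-set-update: web-policy-rule-set holds only the HTTPS rule."""
    state["rule_sets"]["web-policy-rule-set"] = ["secure-web-policy-rule"]
```

In this model the two client groups never reach each other, because neither provides a rule set the other consumes.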