GroupBasedPolicy/InstallDevstack
< GroupBasedPolicy
Revision as of 02:37, 12 December 2014 by Ivar Lazzaro (talk | contribs)
Contents
Installing and Running GBP
The following are a set of instructions for installing and working with GBP:
Devstack Installation
0. Install Ubuntu 14.04
1. git clone http://github.com/group-policy/devstack -b juno-gbp-3
2. cd devstack
3. ./stack.sh
4. source openrc demo demo
5. Use the "gbp" CLI binary ("gbp --help" will give you the commands)
GBP Basic CLI and Workflow
Example scenario: Modeling connectivity between Web and App Tiers using GBP:
# Create allow action that can used in several rules gbp policy-action-create allow --action-type allow
# Create ICMP rule gbp policy-classifier-create icmp-traffic --protocol icmp --direction bi gbp policy-rule-create ping-policy-rule --classifier icmp-traffic --actions allow
# Create SSH Rule (Optional) # gbp policy-classifier-create ssh-traffic --protocol tcp --port-range 22 --direction bi # gbp policy-rule-create ssh-policy-rule --classifier ssh-traffic --actions allow
# Create HTTP Rule gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
# Create HTTPs Rule gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
# ICMP policy-rule-set gbp policy-rule-set-create icmp-policy-rule-set --policy-rules ping-policy-rule
# WEB policy-rule-set gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
# Policy Target Group creation gbp group-create web gbp group-create client-1 gbp group-create client-2
# Policy Target ceation and launching VMs
WEB1=$(gbp policy-target-create web-ep-1 --policy-target-group web | awk "/port_id/ {print \$4}")
CLIENT1=$(gbp policy-target-create client-ep-1 --policy-target-group client-1 | awk "/port_id/ {print \$4}")
CLIENT2=$(gbp policy-target-create client-ep-2 --policy-target-group client-2 | awk "/port_id/ {print \$4}")
nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$WEB1 web-vm-1 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT1 client-vm-1 nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$CLIENT2 client-vm-2
####CHECKPOINT: No traffic flows
# policy-rule-set Association gbp group-update client-1 --consumed-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true" gbp group-update client-2 --consumed-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true" gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
####CHECKPOINT: ICMP and HTTP work from app to web and vice versa
gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
####CHECKPOINT: HTTP stops working for both the client EPGs, HTTPs is now enabled
Configuring and testing External Connecitiviy
Implicit workflow for RMD (high level constructs, CLI is not defined yet).
# ADMIN: create default external segment based on the name configured in "default_external_segment_name"
# NOTE: in Juno, the RMD requires the Neutron external subnet to pre-exist.
POST /grouppolicy/external_segments {"external_segment": {"name": <default-name>, "subnet_id":<neutron-external-subnet-id>, external_routes: [{"destination": "0.0.0.0/0", "nexthop":null }], "shared":true}}
# USER (any tenant): create PTG with the normal workflow gbp group-create group-with-external-access
# Create external PTG (called External Policy)
POST /grouppolicy/external_policies {"external_policy": {"name": <choose-your-name>}}
# Provide and Consumes PRS on normal PTGs and EPs
gbp group-update group-with-external-access --consumed-policy-rule-sets "web-policy-rule-set=true"
PUT /grouppolicy/external_policies {"external_policy": {"provided_policy_target_groups": {<web-policy-rule-set-id>: <scope>}}}
###HTTP traffic is now enabled towards the external world
Explicit Workflow (old non-external workflow still assumed implicit here):
# ADMIN: create non-default external segment for a given tenant (or shared)
# NOTE: in Juno, the RMD requires the Neutron external subnet to pre-exist.
POST /grouppolicy/external_segments {"external_segment": {"name": <name>, "subnet_id":<neutron-external-subnet-id>, external_routes: [{"destination": "0.0.0.0/0", "nexthop":null }], "shared":true}}
# USER: create PTG with the normal workflow gbp group-create group-with-external-access
# Link the implicitly created L3P to the external segment
PUT /grouppolicy/l3_policy {"l3_policy": {"external_segments": {<es_id>: [<list_of_ips_or_none>]}}}
# Create external PTG (called External Policy) linked to the External Segment
POST /grouppolicy/external_policies {"external_policy": {"name": <choose-your-name>}, "external_segments": [<es_id>]}
# Provide and Consumes PRS on normal PTGs and EPs
gbp group-update group-with-external-access --consumed-policy-rule-sets "web-policy-rule-set=true"
PUT /grouppolicy/external_policies {"external_policy": {"provided_policy_target_groups": {<web-policy-rule-set-id>: <scope>}}}
###HTTP traffic is now enabled towards the external world
