From 6547e45fd9f60437811ef35b9d101cdaef494542 Mon Sep 17 00:00:00 2001 From: Bin Yang Date: Sun, 23 Feb 2020 20:18:41 +0800 Subject: [PATCH] Add cnf for firewall with network of sriov The SR-IOV driver can be either netdevice or vfio; the start scripts support netdevice only so far. Change-Id: Ifa1e9acc558387d38245bd99669225fbf5fb8d05 Issue-ID: MULTICLOUD-999
Signed-off-by: Bin Yang --- starlingx/demo/firewall-sriov/.helmignore | 22 +++++ starlingx/demo/firewall-sriov/Chart.yaml | 5 + .../firewall-sriov/charts/pktgen-sriov/.helmignore | 22 +++++ .../firewall-sriov/charts/pktgen-sriov/Chart.yaml | 5 + .../resources/scripts/init/vpg_start.sh | 100 ++++++++++++++++++++ .../charts/pktgen-sriov/templates/_helpers.tpl | 32 +++++++ .../charts/pktgen-sriov/templates/configmap.yaml | 27 ++++++ .../charts/pktgen-sriov/templates/deployment.yaml | 89 ++++++++++++++++++ .../charts/pktgen-sriov/templates/service.yaml | 16 ++++ .../firewall-sriov/charts/pktgen-sriov/values.yaml | 26 ++++++ .../firewall-sriov/charts/sink-sriov/.helmignore | 22 +++++ .../firewall-sriov/charts/sink-sriov/Chart.yaml | 5 + .../sink-sriov/resources/scripts/init/vsn_start.sh | 21 +++++ .../charts/sink-sriov/templates/_helpers.tpl | 32 +++++++ .../charts/sink-sriov/templates/configmap.yaml | 10 ++ .../charts/sink-sriov/templates/deployment.yaml | 72 +++++++++++++++ .../charts/sink-sriov/templates/service.yaml | 16 ++++ .../firewall-sriov/charts/sink-sriov/values.yaml | 30 ++++++ .../resources/scripts/init/vfw_start.sh | 64 +++++++++++++ .../demo/firewall-sriov/templates/_helpers.tpl | 32 +++++++ .../demo/firewall-sriov/templates/configmap.yaml | 27 ++++++ .../demo/firewall-sriov/templates/deployment.yaml | 101 +++++++++++++++++++++ .../templates/protected-private-net.yaml | 29 ++++++ .../templates/unprotected-private-net.yaml | 29 ++++++ starlingx/demo/firewall-sriov/values.yaml | 92 +++++++++++++++++++ 25 files changed, 926 insertions(+) create mode 100644 starlingx/demo/firewall-sriov/.helmignore create mode 100644 starlingx/demo/firewall-sriov/Chart.yaml create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/.helmignore create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/Chart.yaml create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/resources/scripts/init/vpg_start.sh create mode 100644 
starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/_helpers.tpl
create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/configmap.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/deployment.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/service.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/pktgen-sriov/values.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/.helmignore
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/Chart.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/resources/scripts/init/vsn_start.sh
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/templates/_helpers.tpl
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/templates/configmap.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/templates/deployment.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/templates/service.yaml
create mode 100644 starlingx/demo/firewall-sriov/charts/sink-sriov/values.yaml
create mode 100644 starlingx/demo/firewall-sriov/resources/scripts/init/vfw_start.sh
create mode 100644 starlingx/demo/firewall-sriov/templates/_helpers.tpl
create mode 100644 starlingx/demo/firewall-sriov/templates/configmap.yaml
create mode 100644 starlingx/demo/firewall-sriov/templates/deployment.yaml
create mode 100644 starlingx/demo/firewall-sriov/templates/protected-private-net.yaml
create mode 100644 starlingx/demo/firewall-sriov/templates/unprotected-private-net.yaml
create mode 100644 starlingx/demo/firewall-sriov/values.yaml
diff --git a/starlingx/demo/firewall-sriov/.helmignore b/starlingx/demo/firewall-sriov/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/starlingx/demo/firewall-sriov/Chart.yaml b/starlingx/demo/firewall-sriov/Chart.yaml
new file mode 100644
index 00000000..19ba60af
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to deploy Firewall app for vFirewall, networking backend is sriov
+name: firewall-sriov
+version: 0.1.0
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/.helmignore b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/Chart.yaml b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/Chart.yaml
new file mode 100644
index 00000000..b07a1270
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to deploy packet generator for vFirewall
+name: pktgen-sriov
+version: 0.1.0
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/resources/scripts/init/vpg_start.sh b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/resources/scripts/init/vpg_start.sh
new file mode 100644
index 00000000..936e9d53
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/resources/scripts/init/vpg_start.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2 wget
+
+curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash
+
+export VPP_VER=19.01.2-release
+apt-get install -y vpp=$VPP_VER vpp-lib=$VPP_VER
+
+apt-get install -y vpp-plugins=$VPP_VER
+
+if [ -e /run/vpp/cli-vpp1.sock ]; then
+ rm /run/vpp/cli-vpp1.sock
+fi
+
+# root@vpktgen:/# taskset -p --cpu-list 1
+# pid 1's current affinity list: 1,2,29
+
+corelist=`taskset -p -c 1 |cut -d : -f 2 | sed 's/^ *//' | sed 's/ *$//'`
+#extract master core
+mastercoreidx=`echo $corelist | cut -d , -f 1`
+#extract worker cores
+workercorelist=`echo $corelist | sed -E 's/^[0-9]*,//'`
+
+echo 'start... vpp'
+vpp unix {cli-listen /run/vpp/cli-vpp1.sock} api-segment { prefix vpp1 } \
+ cpu { main-core $mastercoreidx corelist-workers $workercorelist }
+
+echo 'wait vpp be up ...'
+while [ ! -e /run/vpp/cli-vpp1.sock ]; do
+ sleep 1;
+done
+
+echo 'configure vpp ...'
+
+
+vppctl -s /run/vpp/cli-vpp1.sock show ver
+vppctl -s /run/vpp/cli-vpp1.sock show threads
+
+vppctl -s /run/vpp/cli-vpp1.sock create host-interface name veth11
+
+vppctl -s /run/vpp/cli-vpp1.sock set int state host-veth11 up
+
+vppctl -s /run/vpp/cli-vpp1.sock show int
+vppctl -s /run/vpp/cli-vpp1.sock show hardware
+
+vppctl -s /run/vpp/cli-vpp1.sock set int ip address host-veth11 10.10.1.2/24
+
+vppctl -s /run/vpp/cli-vpp1.sock show int addr
+
+vppctl -s /run/vpp/cli-vpp1.sock ip route add 10.10.2.0/24 via 10.10.1.1
+
+vppctl -s /run/vpp/cli-vpp1.sock show ip fib
+
+#vppctl -s /run/vpp/cli-vpp1.sock trace add af-packet-input 10
+
+echo "provision streams"
+### pktgen config
+vppctl -s /run/vpp/cli-vpp1.sock loop create
+vppctl -s /run/vpp/cli-vpp1.sock set int ip address loop0 11.22.33.1/24
+vppctl -s /run/vpp/cli-vpp1.sock set int state loop0 up
+
+cd /opt
+
+mkdir /home/root
+cat < /home/root/stream_fw_udp1_loop0
+packet-generator new {
+ name fw_udp1
+ rate 10
+ node ip4-input
+ size 64-64
+ no-recycle
+ interface loop0
+ data {
+ UDP: 10.10.1.2 -> 10.10.2.2
+ UDP: 15320 -> 8080
+ length 128 checksum 0 incrementing 1
+ }
+ }
+EOF
+
+vppctl -s /run/vpp/cli-vpp1.sock exec /home/root/stream_fw_udp1_loop0
+
+#vppctl -s /run/vpp/cli-vpp1.sock show packet-generator
+
+#vppctl -s /run/vpp/cli-vpp1.sock trace add pg-input 10
+
+vppctl -s /run/vpp/cli-vpp1.sock packet-generator enable
+
+vppctl -s /run/vpp/cli-vpp1.sock show packet-generator
+
+vppctl -s /run/vpp/cli-vpp1.sock show int
+
+#vppctl -s /run/vpp/cli-vpp1.sock packet-generator disable
+
+#vppctl -s /run/vpp/cli-vpp1.sock packet-generator delete fw_udp1
+
+echo "done"
+sleep infinity
\ No newline at end of file
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/_helpers.tpl b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/_helpers.tpl
new file mode 100644
index 00000000..322b7c68
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/_helpers.tpl
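Review bot: `curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash` executes whatever that URL serves, as root, on every pod start, and nothing checks the script before it runs; the same line is in vfw_start.sh. Since `VPP_VER` is already pinned, installing VPP into the image at build time (or at least saving the script and comparing it against a known digest before executing it) makes the pod reproducible and takes a network fetch off the start path. As rendered here the stream definition is written with `cat < /home/root/stream_fw_udp1_loop0`, which would read a not-yet-existing file instead of writing the heredoc; presumably `<<EOF >` was lost in display, but it is worth confirming in the committed file. The script has no `set -e`, so a failed `apt-get install` still falls through to the `vppctl` calls and the pod sits in `sleep infinity` looking healthy.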
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "packetgen.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "packetgen.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "packetgen.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/configmap.yaml b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/configmap.yaml
new file mode 100644
index 00000000..731fabb0
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/configmap.yaml
@@ -0,0 +1,27 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-scripts-configmap
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+data:
+{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/deployment.yaml b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/deployment.yaml
new file mode 100644
index 00000000..6c7000a7
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/deployment.yaml
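Review bot: The `app` label calls `include "firewall.name"`, a helper this subchart does not define (its _helpers.tpl defines `packetgen.name`), so the template only renders because Helm shares named templates with the parent chart, and the subchart cannot be linted or installed on its own; `app: {{ include "packetgen.name" . }}` matches the labels the Deployment uses. The sink subchart's configmap.yaml has the same dependency and should use `sink.name`. `name: {{ .Chart.Name }}-scripts-configmap` is also not release-scoped, so two releases in one namespace contend for the same ConfigMap; the other two configmap.yaml files share that pattern.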
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "packetgen.fullname" . }}
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "packetgen.name" . }}
+ chart: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "packetgen.name" .}}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "packetgen.name" .}}
+ release: {{ .Release.Name }}
+ annotations:
+ k8s.v1.cni.cncf.io/networks: '[
+ { "name": "sriov-device-{{ .Values.global.unprotectedNetName }}",
+ "interface": "veth11" }
+ ]'
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ tty: true
+ stdin: true
+ env:
+ - name: unprotectedNetCidr
+ value: "{{.Values.global.unprotectedNetCidr}}"
+ - name: unprotectedNetGwIp
+ value: "{{.Values.global.unprotectedNetGwIp}}"
+ - name: protectedNetCidr
+ value: "{{.Values.global.protectedNetCidr}}"
+ - name: protectedNetGwIp
+ value: "{{.Values.global.protectedNetGwIp}}"
+ - name: dcaeCollectorIp
+ value: "{{.Values.global.dcaeCollectorIp}}"
+ - name: dcaeCollectorPort
+ value: "{{.Values.global.dcaeCollectorPort}}"
+ - name: unprotectedNetProviderDriver
+ value: "{{.Values.global.unprotectedNetProviderDriver}}"
+ - name: protectedNetProviderDriver
+ value: "{{.Values.global.protectedNetProviderDriver}}"
+ command: ["/bin/bash", "/opt/vpg_start.sh"]
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - CAP_SYS_ADMIN
+ volumeMounts:
+ - mountPath: /hugepages
+ name: hugepage
+ - name: lib-modules
+ mountPath: /lib/modules
+ - name: src
+ mountPath: /usr/src
+ - name: scripts
+ mountPath: /opt
+ resources:
+ requests:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+ limits:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+ volumes:
+ - name: hugepage
+ emptyDir:
+ medium: HugePages
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: src
+ hostPath:
+ path: /usr/src
+ - name: scripts
+ configMap:
+ name: {{ .Chart.Name }}-scripts-configmap
+ imagePullSecrets:
+ - name: admin-registry-secret
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/service.yaml b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/service.yaml
new file mode 100644
index 00000000..7b8fd9db
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: packetgen-service
+ labels:
+ app: {{ include "packetgen.name" . }}
+ release: {{ .Release.Name }}
+ chart: {{ .Chart.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.ports.port }}
+ nodePort: {{ .Values.service.ports.nodePort }}
+ selector:
+ app: {{ include "packetgen.name" . }}
+ release: {{ .Release.Name }}
diff --git a/starlingx/demo/firewall-sriov/charts/pktgen-sriov/values.yaml b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/values.yaml
new file mode 100644
index 00000000..a6ce488e
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/pktgen-sriov/values.yaml
@@ -0,0 +1,26 @@
+# Default values for packetgen.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+### must be 1 in this case, since host-device are allocatd statically
+replicaCount: 1
+
+image:
+ repository: ubuntu
+ tag: latest
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+#serivce port value for packetgen service
+ type: NodePort
+ ports:
+ port: 2831
+ nodePort: 30831
+
+resources:
+ cpu: 3
+ memory: 4Gi
+ hugepage: 256Mi
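Review bot: `privileged: true` already grants every capability, so the `capabilities.add` entry below it is redundant, and Kubernetes spells capability names without the `CAP_` prefix (`SYS_ADMIN`), so whether `CAP_SYS_ADMIN` is even recognised depends on the runtime; keep one mechanism and add a comment above `securityContext` naming the VPP feature that actually needs it so a later reviewer can judge whether it can be reduced. The host's `/lib/modules` and `/usr/src` are mounted read-write although nothing in vpg_start.sh writes there; `readOnly: true` on those two `volumeMounts` entries narrows what a compromised packet generator can change on the node. The firewall chart's deployment.yaml repeats the same securityContext and hostPath mounts.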
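Review bot: `name: packetgen-service` is a fixed name while the Deployment and ConfigMap derive theirs from the release or chart, so a second release in the same namespace fails on the Service (and on the fixed `nodePort` from values.yaml); `name: {{ include "packetgen.fullname" . }}` keeps the chart re-installable. The sink subchart's service.yaml hard-codes `sink-service` the same way. With `type: NodePort` as the default the pod is reachable on every node address; if the demo only needs in-cluster access, defaulting `service.type` to `ClusterIP` in values.yaml is the safer choice.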
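Review bot: `tag: latest` with `pullPolicy: IfNotPresent` means each node keeps whatever `ubuntu:latest` it already cached, so pods can differ from node to node and a rebuilt base image is never picked up; pin a dated release tag or an `@sha256:` digest so the packet generator is reproducible. The sink subchart's values.yaml has the same pair. The `#serivce port value` comment is misspelled (`service`) and would read better indented under `service:` at the same level as `type`.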
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/.helmignore b/starlingx/demo/firewall-sriov/charts/sink-sriov/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/Chart.yaml b/starlingx/demo/firewall-sriov/charts/sink-sriov/Chart.yaml
new file mode 100644
index 00000000..90ac47ea
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to deploy sink for vFirewall
+name: sink-sriov
+version: 0.1.0
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/resources/scripts/init/vsn_start.sh b/starlingx/demo/firewall-sriov/charts/sink-sriov/resources/scripts/init/vsn_start.sh
new file mode 100644
index 00000000..63acfff1
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/resources/scripts/init/vsn_start.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2 inetutils-ping wget darkstat unzip
+
+echo "provision interfaces"
+
+ifconfig veth22 10.10.2.2/24
+
+echo "add route entries"
+ip route add 10.10.1.0/24 via 10.10.2.1
+
+echo "update darkstat configuration"
+sed -i "s/START_DARKSTAT=.*/START_DARKSTAT=yes/g;s/INTERFACE=.*/INTERFACE=\"-i veth22\"/g" /etc/darkstat/init.cfg
+
+echo "start darkstat"
+
+darkstat -i veth22
+
+echo "done"
+sleep infinity
\ No newline at end of file
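Review bot: The address `10.10.2.2/24` and the route `10.10.1.0/24 via 10.10.2.1` are hard-coded although the Deployment passes `protectedNetCidr`, `protectedNetGwIp` and `unprotectedNetCidr` into the container as environment variables that this script never reads, so changing the networks in values.yaml silently leaves the sink on the old addresses; derive them from the variables or drop the unused `env` entries. vpg_start.sh and vfw_start.sh have the same disconnect. `darkstat -i veth22` runs as root in a privileged container and the Service publishes its page through `nodePort: 30667` on every node address; if only the demo operator needs it, a comment in values.yaml saying so, or a ClusterIP default, records the intent.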
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/_helpers.tpl b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/_helpers.tpl
new file mode 100644
index 00000000..7d82d08d
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sink.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sink.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sink.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/configmap.yaml b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/configmap.yaml
new file mode 100644
index 00000000..1d4b755d
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-scripts-configmap
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+data:
+{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/deployment.yaml b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/deployment.yaml
new file mode 100644
index 00000000..f3c29f05
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/deployment.yaml
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "sink.fullname" . }}
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "sink.name" . }}
+ chart: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "sink.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "sink.name" . }}
+ release: {{ .Release.Name }}
+ annotations:
+ k8s.v1.cni.cncf.io/networks: '[
+ { "name": "sriov-device-{{ .Values.global.protectedNetName }}",
+ "interface": "veth22" }
+ ]'
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ tty: true
+ stdin: true
+ env:
+ - name: unprotectedNetCidr
+ value: "{{.Values.global.unprotectedNetCidr}}"
+ - name: unprotectedNetGwIp
+ value: "{{.Values.global.unprotectedNetGwIp}}"
+ - name: protectedNetCidr
+ value: "{{.Values.global.protectedNetCidr}}"
+ - name: protectedNetGwIp
+ value: "{{.Values.global.protectedNetGwIp}}"
+ - name: dcaeCollectorIp
+ value: "{{.Values.global.dcaeCollectorIp}}"
+ - name: dcaeCollectorPort
+ value: "{{.Values.global.dcaeCollectorPort}}"
+ - name: unprotectedNetProviderDriver
+ value: "{{.Values.global.unprotectedNetProviderDriver}}"
+ - name: protectedNetProviderDriver
+ value: "{{.Values.global.protectedNetProviderDriver}}"
+ command: ["/bin/bash", "/opt/vsn_start.sh"]
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - CAP_SYS_ADMIN
+ volumeMounts:
+ - name: scripts
+ mountPath: /opt
+ resources:
+ requests:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+ limits:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+ volumes:
+ - name: scripts
+ configMap:
+ name: {{ .Chart.Name }}-scripts-configmap
+ imagePullSecrets:
+ - name: admin-registry-secret
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/service.yaml b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/service.yaml
new file mode 100644
index 00000000..99da7de7
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: sink-service
+ labels:
+ app: {{ include "sink.name" . }}
+ release: {{ .Release.Name }}
+ chart: {{ .Chart.Name }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.ports.port }}
+ nodePort: {{ .Values.service.ports.nodePort }}
+ selector:
+ app: {{ include "sink.name" . }}
+ release: {{ .Release.Name }}
diff --git a/starlingx/demo/firewall-sriov/charts/sink-sriov/values.yaml b/starlingx/demo/firewall-sriov/charts/sink-sriov/values.yaml
new file mode 100644
index 00000000..3e379cc4
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/charts/sink-sriov/values.yaml
@@ -0,0 +1,30 @@
+# Default values for sink.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: ubuntu
+ tag: latest
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+resources:
+ cpu: 1
+ memory: 4Gi
+
+service:
+#serivce port value for sink service
+ type: NodePort
+ ports:
+ port: 667
+ nodePort: 30667
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/starlingx/demo/firewall-sriov/resources/scripts/init/vfw_start.sh b/starlingx/demo/firewall-sriov/resources/scripts/init/vfw_start.sh
new file mode 100644
index 00000000..fd44793e
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/resources/scripts/init/vfw_start.sh
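Review bot: `privileged: true` exceeds what this container does: vsn_start.sh only assigns an address, adds a route and runs darkstat on `veth22`, which calls for `NET_ADMIN` (plus `NET_RAW` for the capture) rather than host-device access, so `capabilities: {add: [NET_ADMIN, NET_RAW]}` in place of `privileged: true` and `CAP_SYS_ADMIN` should keep the demo working with far less reach into the node. Unlike the VPP pods this one mounts no hostPath, so nothing visible here needs privilege; if the SR-IOV VF setup does, a comment above `securityContext` saying so would settle it for the next reviewer.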
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+apt-get update
+apt-get install -y sudo curl net-tools iproute2
+curl -s https://packagecloud.io/install/repositories/fdio/release/script.deb.sh | sudo bash
+export VPP_VER=19.01.2-release
+apt-get install -y vpp=$VPP_VER vpp-lib=$VPP_VER
+apt-get install -y vpp-plugins=$VPP_VER
+
+if [ -e /run/vpp/cli-vpp2.sock ]; then
+ rm /run/vpp/cli-vpp2.sock
+fi
+
+# extract core list
+# root@vpktgen:/# taskset -p --cpu-list 1
+# pid 1's current affinity list: 1,2,29
+
+corelist=`taskset -p -c 1 |cut -d : -f 2 | sed 's/^ *//' | sed 's/ *$//'`
+#extract master core
+mastercoreidx=`echo $corelist | cut -d , -f 1`
+#extract worker cores
+workercorelist=`echo $corelist | sed -E 's/^[0-9]*,//'`
+
+echo 'start... vpp'
+vpp unix {cli-listen /run/vpp/cli-vpp2.sock} api-segment { prefix vpp2 } \
+ cpu { main-core $mastercoreidx corelist-workers $workercorelist }
+
+echo 'wait vpp be up ...'
+while [ ! -e /run/vpp/cli-vpp2.sock ]; do
+ sleep 1;
+done
+
+echo 'configure vpp ...'
+
+vppctl -s /run/vpp/cli-vpp2.sock show ver
+vppctl -s /run/vpp/cli-vpp2.sock show threads
+
+vppctl -s /run/vpp/cli-vpp2.sock create host-interface name veth12
+
+vppctl -s /run/vpp/cli-vpp2.sock set int state host-veth12 up
+
+vppctl -s /run/vpp/cli-vpp2.sock set int ip address host-veth12 10.10.1.1/24
+
+vppctl -s /run/vpp/cli-vpp2.sock create host-interface name veth21
+
+vppctl -s /run/vpp/cli-vpp2.sock set int state host-veth21 up
+
+vppctl -s /run/vpp/cli-vpp2.sock set int ip address host-veth21 10.10.2.1/24
+
+vppctl -s /run/vpp/cli-vpp2.sock show hardware
+vppctl -s /run/vpp/cli-vpp2.sock show int
+vppctl -s /run/vpp/cli-vpp2.sock show int addr
+
+vppctl -s /run/vpp/cli-vpp2.sock show ip fib
+
+#vppctl -s /run/vpp/cli-vpp2.sock trace add af-packet-input 10
+
+#vppctl -s /run/vpp/cli-vpp2.sock ping 10.10.1.2
+
+#vppctl -s /run/vpp/cli-vpp2.sock show trace
+#vppctl -s /run/vpp/cli-vpp2.sock show ip arp
+
+echo "done"
+sleep infinity
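Review bot: Nothing in this script filters traffic: it creates the two host interfaces, assigns `10.10.1.1/24` and `10.10.2.1/24`, and with no ACL or classifier configured VPP simply routes between them, so the "firewall" is a plain router and every packet from the unprotected side reaches the sink. If that is the intended scope of the demo, a header comment such as `# NOTE: no filtering rules are configured; this VNF only routes between its two VFs` stops readers from assuming the protected network is protected; if not, the policy is still missing here. The `curl ... | sudo bash` bootstrap and the missing `set -e` are covered on vpg_start.sh.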
diff --git a/starlingx/demo/firewall-sriov/templates/_helpers.tpl b/starlingx/demo/firewall-sriov/templates/_helpers.tpl
new file mode 100644
index 00000000..7593e779
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "firewall.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "firewall.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "firewall.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/starlingx/demo/firewall-sriov/templates/configmap.yaml b/starlingx/demo/firewall-sriov/templates/configmap.yaml
new file mode 100644
index 00000000..731fabb0
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/configmap.yaml
@@ -0,0 +1,27 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Chart.Name }}-scripts-configmap
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+data:
+{{ tpl (.Files.Glob "resources/scripts/init/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/starlingx/demo/firewall-sriov/templates/deployment.yaml b/starlingx/demo/firewall-sriov/templates/deployment.yaml
new file mode 100644
index 00000000..90677163
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/deployment.yaml
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "firewall.fullname" . }}
+ labels:
+ release: {{ .Release.Name }}
+ app: {{ include "firewall.name" . }}
+ chart: {{ .Chart.Name }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "firewall.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "firewall.name" . }}
+ release: {{ .Release.Name }}
+ annotations:
+ k8s.v1.cni.cncf.io/networks: '[
+ { "name": "sriov-device-{{ .Values.global.unprotectedNetName }}",
+ "interface": "veth12" },
+ { "name": "sriov-device-{{ .Values.global.protectedNetName }}",
+ "interface": "veth21" }
+ ]'
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ tty: true
+ stdin: true
+ env:
+ - name: unprotectedNetCidr
+ value: "{{.Values.global.unprotectedNetCidr}}"
+ - name: unprotectedNetGwIp
+ value: "{{.Values.global.unprotectedNetGwIp}}"
+ - name: protectedNetCidr
+ value: "{{.Values.global.protectedNetCidr}}"
+ - name: protectedNetGwIp
+ value: "{{.Values.global.protectedNetGwIp}}"
+ - name: dcaeCollectorIp
+ value: "{{.Values.global.dcaeCollectorIp}}"
+ - name: dcaeCollectorPort
+ value: "{{.Values.global.dcaeCollectorPort}}"
+ - name: unprotectedNetProviderDriver
+ value: "{{.Values.global.unprotectedNetProviderDriver}}"
+ - name: protectedNetProviderDriver
+ value: "{{.Values.global.protectedNetProviderDriver}}"
+ command: ["/bin/bash", "/opt/vfw_start.sh"]
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - CAP_SYS_ADMIN
+ volumeMounts:
+ - mountPath: /hugepages
+ name: hugepage
+ - name: lib-modules
+ mountPath: /lib/modules
+ - name: src
+ mountPath: /usr/src
+ - name: scripts
+ mountPath: /opt
+ resources:
+ requests:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
+ {{- else }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+ intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+ {{ end }}
+ limits:
+ cpu: {{ .Values.resources.cpu }}
+ memory: {{ .Values.resources.memory }}
+ hugepages-2Mi: {{ .Values.resources.hugepage }}
+ {{- if eq .Values.global.protectedNetProviderName .Values.global.unprotectedNetProviderName }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '2'
+ {{- else }}
+ intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}: '1'
+ intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}: '1'
+ {{ end }}
+ volumes:
+ - name: hugepage
+ emptyDir:
+ medium: HugePages
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: src
+ hostPath:
+ path: /usr/src
+ - name: scripts
+ configMap:
+ name: {{ .Chart.Name }}-scripts-configmap
+ imagePullSecrets:
+ - name: admin-registry-secret
diff --git a/starlingx/demo/firewall-sriov/templates/protected-private-net.yaml b/starlingx/demo/firewall-sriov/templates/protected-private-net.yaml
new file mode 100644
index 00000000..f30e9c52
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/protected-private-net.yaml
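Review bot: The resource blocks open with `{{- if` and `{{- else }}` but close with `{{ end }}` without the trim marker, so the rendered manifest carries a line of bare indentation after each `requests` and `limits` map; it is harmless YAML, but `{{- end }}` on both lines is consistent with the opening tags. The `privileged`/`CAP_SYS_ADMIN` redundancy and the read-write hostPath mounts of `/lib/modules` and `/usr/src` raised on the pktgen deployment apply here unchanged.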
@@ -0,0 +1,29 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: sriov-device-{{ .Values.global.protectedNetName }}
+ annotations:
+ k8s.v1.cni.cncf.io/resourceName: intel.com/pci_sriov_net_{{ .Values.global.protectedNetProviderName }}
+{{- if eq .Values.global.protectedNetProviderDriver "netdevice" }}
+spec:
+ config: '{
+ "type": "sriov",
+ "name": "sriov-device",
+ "vlan": {{ .Values.global.protectedNetProviderVlan }},
+ "ipam": {
+ "type": "host-local",
+ "subnet": "{{ .Values.global.protectedNetCidr }}",
+ "routes": [{
+ "dst": "0.0.0.0/0"
+ }],
+ "gateway": "{{ .Values.global.protectedNetGwIp }}"
+ }
+ }'
+{{- else }}
+spec:
+ config: '{
+ "type": "sriov",
+ "name": "sriov-device",
+ "vlan": {{ .Values.global.protectedNetProviderVlan }}
+ }'
+{{ end -}}
\ No newline at end of file
diff --git a/starlingx/demo/firewall-sriov/templates/unprotected-private-net.yaml b/starlingx/demo/firewall-sriov/templates/unprotected-private-net.yaml
new file mode 100644
index 00000000..568768f7
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/templates/unprotected-private-net.yaml
@@ -0,0 +1,29 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: sriov-device-{{ .Values.global.unprotectedNetName }}
+ annotations:
+ k8s.v1.cni.cncf.io/resourceName: intel.com/pci_sriov_net_{{ .Values.global.unprotectedNetProviderName }}
+{{- if eq .Values.global.unprotectedNetProviderDriver "netdevice" }}
+spec:
+ config: '{
+ "type": "sriov",
+ "name": "sriov-device",
+ "vlan": {{ .Values.global.unprotectedNetProviderVlan }},
+ "ipam": {
+ "type": "host-local",
+ "subnet": "{{ .Values.global.unprotectedNetCidr }}",
+ "routes": [{
+ "dst": "0.0.0.0/0"
+ }],
+ "gateway": "{{ .Values.global.unprotectedNetGwIp }}"
+ }
+ }'
+{{- else }}
+spec:
+ config: '{
+ "type": "sriov",
+ "name": "sriov-device",
+ "vlan": {{ .Values.global.unprotectedNetProviderVlan }}
+ }'
+{{ end -}}
\ No newline at end of file
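Review bot: `"vlan": {{ .Values.global.protectedNetProviderVlan }}` is interpolated unquoted into the single-quoted JSON `config` in both branches, so an unset value renders as `"vlan": ,`, invalid JSON that is stored in the NetworkAttachmentDefinition and only fails when a pod tries to attach; `{{ required "global.protectedNetProviderVlan is required" .Values.global.protectedNetProviderVlan }}` makes `helm install` fail instead. The same applies to both `vlan` lines in unprotected-private-net.yaml in the next hunk. The `else` branch intentionally omits `ipam`, but only the commit message tells the reader that the start scripts support the `netdevice` driver alone; a template comment above that branch such as `{{- /* non-netdevice (vfio) driver: no ipam; not yet supported by the start scripts */ -}}` keeps that intent next to the code. The two templates differ only in the value-name prefix, so one template ranging over the two networks would avoid maintaining them in parallel.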
diff --git a/starlingx/demo/firewall-sriov/values.yaml b/starlingx/demo/firewall-sriov/values.yaml
new file mode 100644
index 00000000..53aa9de1
--- /dev/null
+++ b/starlingx/demo/firewall-sriov/values.yaml
@@ -0,0 +1,92 @@
+# Default values for firewall.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: ubuntu
+ tag: latest
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+resources:
+ cpu: 3
+ memory: 4Gi
+ hugepage: 256Mi
+
+#global vars for parent and subcharts.
+global:
+
+ nodeAffinity:
+ key: nodeName
+ values: worker-0
+ op: In
+
+ #Networks
+ #unprotectedNetworkName: unprotected-private-net
+ #protectedPrivateNetCidr: 192.168.10.0/24
+ #protectedPrivateNetGw: 192.168.10.1/24
+
+ #unprotected network
+ unprotectedNetName: unprotectednet
+ #physical network name for unprotected network
+ unprotectedNetProviderName: sriov0
+ unprotectedNetProviderVlan: 7
+ #driver options: netdevice, vfio
+ unprotectedNetProviderDriver: netdevice
+ #unprotectedNetPortVpg: veth11
+ #unprotectedNetPortVfw: veth12
+ unprotectedNetCidr: 10.10.1.0/24
+ #unprotectedNetGw: 10.10.1.1/24
+ unprotectedNetGwIp: 10.10.1.1
+
+ #onapPrivateNetworkName: onap-private-net
+ #onapPrivateNetCidr: 10.10.0.0/16
+ #onapPrivateNetGw: 10.10.0.1/16
+
+ #protectedNetworkName: protected-private-net
+ #protectedNetCidr: 192.168.20.0/24
+ #protectedNetGwIp: 192.168.20.100
+ #protectedNetGw: 192.168.20.100/24
+
+
+ #unprotected network
+ protectedNetName: protectednet
+ #physical network name for unprotected network
+ protectedNetProviderName: sriov0
+ protectedNetProviderVlan: 8
+ #driver options: netdevice, vfio
+ protectedNetProviderDriver: netdevice
+ #protectedNetPortVfw: veth21
+ #protectedNetPortVsn: veth22
+ protectedNetCidr: 10.10.2.0/24
+ protectedNetGwIp: 10.10.2.1
+ #protectedNetGw: 10.10.2.1/24
+
+ #vFirewall container
+ #vfwPrivateIp0: 192.168.10.3
+ #vfwPrivateIp1: 192.168.20.2
+ #vfwPrivateIp2: 10.10.100.3
+ vfwPrivateIp0: 10.10.1.1
+ vfwPrivateIp1: 10.10.2.1
+
+ #Packetgen container
+ #vpgPrivateIp0: 192.168.10.2
+ #vpgPrivateIp1: 10.0.100.2
+ vpgPrivateIp0: 10.10.1.2
+
+ #Sink container
+ #vsnPrivateIp0: 192.168.20.3
+ #vsnPrivateIp1: 10.10.100.4
+ vsnPrivateIp0: 10.10.2.2
+
+ #########
+ #demoArtifactsVersion: 1.5.0
+ #dcaeCollectorIp: 10.0.4.1
+ #dcaeCollectorPort: 8081
+ dcaeCollectorIp: 10.12.7.4
+ dcaeCollectorPort: 30235
+
-- 2.16.6
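Review bot: The two comments that introduce the protected block, `#unprotected network` and `#physical network name for unprotected network` directly above `protectedNetName`, were carried over from the unprotected block and should read `#protected network` and `#physical network name for protected network`. `image.tag: latest` combined with `pullPolicy: IfNotPresent` means each node keeps whatever `ubuntu` image it already has, so nodes in one cluster can run different base images and the deployment is not reproducible or auditable; pinning a version tag or digest fixes both. The many commented-out legacy keys (`#protectedPrivateNetCidr`, `#onapPrivateNet*`, `#vfwPrivateIp2`, and the alternative `dcaeCollector*` values) carry old addressing that none of the templates in this change read; dropping them, or marking the stanza as historical, keeps the file from suggesting settings that have no effect. yamllint's `comments` rule also wants a space after `#` on every comment here.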