Neutron GBP
Group Based Policy (GBP) is an optional service plugin for Neutron that provides declarative abstractions for achieving scalable intent-based infrastructure automation. GBP complements the OpenStack networking model with the notion of policies that can be applied between groups of network endpoints.
GBP Status
The Juno release of Group Based Policy has been developed in StackForge as an add-on service plugin for Neutron, along with a supporting client library and integrations with Horizon and Heat. See the GBP project wiki for upstream project details. This page describes installation and configuration of GBP for Juno RDO on Fedora 20, Fedora 21, or EL 7 .
Note that this describes use of the GBP's resource_mapping reference policy driver, which should work with any Neutron core plugin, such as ML2. Policy drivers for Cisco ACI, Nuage VSP and One Convergence NVSD are also included, but will be documented separately by those vendors.
Configuring GBP
Start with a working Packstack installation with Neutron, such as is described in Quickstart. If you plan to use Heat with GBP, be sure to generate an answer file, edit it to enable Heat, and use that answer file when running packstack. The remaining steps are all executed as root on the controller node(s) where neutron-server runs. No changes are needed on compute or network nodes when using the resource_mapping policy driver.
Configuring Neutron
Install the server and client RPMs:
yum install openstack-neutron-gbp
yum install python-gbpclient
Stop the Neutron server:
systemctl stop neutron-server
Edit the Neutron configuration to include the GBP service plugin and its reference policy drivers:
` crudini --set /etc/neutron/neutron.conf DEFAULT service_plugins "`crudini --get /etc/neutron/neutron.conf DEFAULT service_plugins`,group_policy" `
crudini --set /etc/neutron/neutron.conf group_policy policy_drivers "implicit_policy,resource_mapping"
Update the Neutron DB schema to include the GBP tables:
gbp-db-manage --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head
Start the Neutron server and check its status:
systemctl start neutron-server
systemctl status neutron-server
Configuring Horizon
Install the RPMs:
yum install openstack-dashboard-gbp
Restart the web server and check its status:
systemctl restart httpd
systemctl status httpd
Configuring Heat
Assuming Heat is enabled in your RDO deployment, install the RPM:
yum install openstack-heat-gbp
Edit the Heat configuration to include the GBP plugin:
crudini --set /etc/heat/heat.conf DEFAULT plugin_dirs "/usr/lib64/heat,/usr/lib/heat,/usr/lib/python2.7/site-packages/gbpautomation/heat"
Restart the Heat engine and check its status:
systemctl restart openstack-heat-engine
systemctl status openstack-heat-engine
Using GBP
Once the neutron server is configured with GBP and running, basic operation can be verified using its API. The following commands are run with normal cloud tenant credentials on a system where the python-gbpclient package has been installed.
Create a group:
gbp group-create test1 --description "first test group"
The response should show the details of the group.
List the groups:
gbp group-list
You should see the group you just created.
Verify that implicit L2 and L3 policies were created:
gbp l2policy-list
gbp l3policy-list
You should see an L2 policy with the same name as the group, and an L3 policy named "default".
Verify that neutron resources were created:
neutron net-list
neutron subnet-list
You should see a network and a subnet with names derived from the group name.
If all is well, you can proceed to create policy rule sets controlling connectivity between groups. Then create policy targets, and to use their ports to create nova instances. The devstack instructions show this in detail.