[neutron][Cisco ACI] Multi-VMM domain support (SOC - 10471)

A Single ACI fabric can support multiple VMM domains. Each VMM domain
can be governed by a different controller (Eg: VMWare vCenter or
OpenStack or MicroSoft SCVMM). Several production data centers tend
to use multiple VMM domains and expect to be able to monitor and
control network policies from a single ACI fabric. Integration of
OpenStack with such a setup requires crowbar to provide parameters
specific to each VMM domain. This commit adds the additional
parameters and logic to validate and send these to the correct
config location. The changes now allow to provide "Vmware" or
"OpenStack" as the VMM type. Multiple entries of either types
are possible.

- Also added "ssl_mode" as a configurable parameter which is
needed to be in "encrypted" mode if ESXi is used as compute.
Other use-cases may need to change it as required and hence
included it as a configurable parameter within the opflex
node structure.

(cherry picked from commit 1f16436)

chef/cookbooks/neutron/recipes/cisco_apic_agents.rb

@@ -109,6 +109,7 @@
     socketgroup: neutron[:neutron][:platform][:group],
     opflex_peer_ip: opflex[:peer_ip],
     opflex_peer_port: opflex[:peer_port],
+    opflex_ssl_mode: opflex[:ssl_mode],
     opflex_int_bridge: opflex[:integration_bridge],
     opflex_access_bridge: opflex[:access_bridge],
     opflex_vxlan_encap_iface: opflex[:vxlan][:encap_iface],
@@ -133,8 +134,8 @@
 end
 utils_systemd_service_restart "neutron-opflex-agent"
 
-service "agent-ovs" do
+service "opflex-agent" do
   action [:enable, :start]
-  subscribes :restart, resources("template[#{opflex_agent_conf}]")
+  subscribes :restart, resources("template[#{node[:neutron][:opflex_config_file]}]")
 end
-utils_systemd_service_restart "agent-ovs"
+utils_systemd_service_restart "opflex-agent"

chef/cookbooks/neutron/recipes/cisco_apic_support.rb

@@ -21,7 +21,9 @@
 end
 
 aciswitches = node[:neutron][:apic][:apic_switches].to_hash
-template "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco_apic.ini.conf" do
+acivmms = node[:neutron][:apic][:apic_vmms]
+
+template node[:neutron][:ml2_cisco_apic_config_file] do
   cookbook "neutron"
   source "ml2_conf_cisco_apic.ini.erb"
   mode "0640"
@@ -30,6 +32,9 @@
   variables(
     vpc_pairs: node[:neutron][:apic][:vpc_pairs],
     apic_switches: aciswitches,
+    optimized_dhcp: node[:neutron][:apic][:optimized_dhcp],
+    optimized_metadata: node[:neutron][:apic][:optimized_metadata],
+    apic_vmms: acivmms,
     ml2_mechanism_drivers: node[:neutron][:ml2_mechanism_drivers],
     policy_drivers: "implicit_policy,apic",
     default_ip_pool: "192.168.0.0/16"

chef/cookbooks/neutron/recipes/server.rb

@@ -85,7 +85,7 @@
 else
   cisco_nexus_link_action = "delete"
 end
-link "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco.ini.conf" do
+link "#{node[:neutron][:platform][:ml2_cisco_config_file]}" do
   to "/etc/neutron/plugins/ml2/ml2_conf_cisco.ini"
   action cisco_nexus_link_action
   notifies :restart, "service[#{node[:neutron][:platform][:service_name]}]"
@@ -99,7 +99,7 @@
 else
   cisco_apic_link_action = "delete"
 end
-link "/etc/neutron/neutron-server.conf.d/100-ml2_conf_cisco_apic.ini.conf" do
+link "#{node[:neutron][:platform][:ml2_cisco_apic_config_file]}" do
   to "/etc/neutron/plugins/ml2/ml2_conf_cisco_apic.ini"
   action cisco_apic_link_action
   notifies :restart, "service[#{node[:neutron][:platform][:service_name]}]"

chef/cookbooks/neutron/templates/default/ml2_conf_cisco_apic.ini.erb

@@ -2,7 +2,7 @@
 apic_system_id=<%= node[:neutron][:apic][:system_id] %>
 [opflex]
 networks = *
-[ml2_cisco_apic]
+[apic]
 apic_hosts=<%= node[:neutron][:apic][:hosts] %>
 apic_username=<%= node[:neutron][:apic][:username] %>
 apic_password=<%= node[:neutron][:apic][:password] %>
@@ -11,8 +11,8 @@ apic_name_mapping = use_name
 apic_clear_node_profiles = True
 enable_aci_routing = True
 apic_arp_flooding = True
-enable_optimized_metadata = <%= node[:neutron][:apic][:optimized_metadata] %>
-enable_optimized_dhcp = <%= node[:neutron][:apic][:optimized_dhcp] %>
+enable_optimized_metadata = <%= @optimized_metadata %>
+enable_optimized_dhcp = <%= @optimized_dhcp %>
 apic_provision_infra = True
 apic_provision_hostlinks = True
 <%  unless @vpc_pairs.nil? -%>
@@ -41,3 +41,12 @@ enable_nat = <%= node[:neutron][:apic][:ext_net][:nat_enabled] %>
 <% end -%>
 external_epg = <%= node[:neutron][:apic][:ext_net][:ext_epg] %>
 host_pool_cidr = <%= node[:neutron][:apic][:ext_net][:host_pool_cidr] %>
+
+<% @apic_vmms.each do |vmm_domain| -%>
+[apic_vmdom:<%= vmm_domain[:vmm_name]%>]
+vmm_type = <%= vmm_domain[:vmm_type]%>
+<%   if vmm_domain[:vlan_ranges] -%>
+vlan_ranges = <%= vmm_domain[:vlan_ranges] %> 
+<%   end -%>
+<% end -%>
+

chef/cookbooks/neutron/templates/default/opflex-agent-ovs.conf.erb

@@ -10,7 +10,7 @@
       {"hostname": "<%= @opflex_peer_ip %>", "port": "<%= @opflex_peer_port %>"}
     ],
     "ssl": {
-      "mode": "enabled",
+      "mode": "<%= @opflex_ssl_mode %>",
       "ca-store": "/etc/ssl/certs/"
     },
     "inspector": {

chef/data_bags/crowbar/migrate/neutron/125_add_apic_multi_vmm_domains.rb

@@ -0,0 +1,15 @@
+def upgrade(tattr, tdep, attr, dep)
+  unless attr["apic"].key?("apic_vmms")
+    attr["apic"]["apic_vmms"] = tattr["apic"]["apic_vmms"]
+  end
+
+  return attr, dep
+end
+
+def downgrade(tattr, tdep, attr, dep)
+  unless tattr["apic"].key?("apic_vmms")
+    attr["apic"].delete("apic_vmms") if attr.key?("apic_vmms")
+  end
+
+  return attr, dep
+end

chef/data_bags/crowbar/template-neutron.json

@@ -64,6 +64,7 @@
           "nodes" : [],
           "peer_ip": "",
           "peer_port": 8009,
+          "ssl_mode": "encrypted",
           "encap": "vxlan",
           "integration_bridge": "br-int",
           "access_bridge": "br-fabric",
@@ -99,7 +100,17 @@
               }
             }
           }
-        }
+        },
+        "apic_vmms": [{
+          "vmm_name": "soc_kvm_domain",
+          "vmm_type": "openstack",
+          "vlan_ranges": ""
+        },
+        {
+          "vmm_name": "soc_vm_domain",
+          "vmm_type": "vmware",
+          "vlan_ranges": ""
+        }]
       },
       "allow_overlapping_ips": true,
       "use_syslog": false,

chef/data_bags/crowbar/template-neutron.schema

@@ -72,6 +72,7 @@
                           "nodes": { "type" : "seq", "required" : true, "sequence": [ { "type": "str" } ] },
                           "peer_ip": { "type": "str", "required" : true },
                           "peer_port": { "type": "int", "required" : true },
+                          "ssl_mode": { "type": "str", "required": true },
                           "encap": { "type": "str", "required": true },
                           "integration_bridge": { "type": "str", "required": true },
                           "access_bridge": { "type": "str", "required": true },
@@ -95,7 +96,14 @@
                             }}
                           }}
                         }}
-                      }
+                      },
+                      "apic_vmms": { "type" : "seq", "required" : true, "sequence" : [ {
+                        "type" : "map", "required" : true, "mapping" : {
+                          "vmm_name": { "type": "str", "required": true },
+                          "vmm_type": { "type": "str", "required": true },
+                          "vlan_ranges": { "type": "str", "required": true }
+                        }
+                      } ] }
                     }},
                     "allow_overlapping_ips": { "type": "bool", "required": true },
                     "cisco_switches": {