ipsec over vxlan tunnel support.

[releng/builder.git] / jjb / integration / include-raw-integration-deploy-openstack-run-test.sh

diff --git a/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh b/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
index bf0fc2ce4780ef86d7847040aca85cde92c005ca..703e8f6aef414b0582a165e22b4fe25c292b358f 100644 (file)
--- a/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
+++ b/jjb/integration/include-raw-integration-deploy-openstack-run-test.sh
@@ -190,9 +190,10 @@ cat >> ${local_conf_file_name} << EOF
 minimize_polling=True
 
 [ml2]
-# Needed for VLAN provider tests - because our provider networks are always encapsulated in VXLAN (br-physnet1)
-# MTU(1440) + VXLAN(50) + VLAN(4) = 1494 < MTU eth0/br-physnet1(1500)
+# Needed for VLAN provider tests - because our provider networks are always encapsulated in VXLAN (br-phys1)
+# MTU(1440) + VXLAN(50) + VLAN(4) = 1494 < MTU eth0/br-phys1(1500)
 physical_network_mtus = ${PUBLIC_PHYSICAL_NETWORK}:1440
+path_mtu = 1490
 
 [[post-config|/etc/neutron/dhcp_agent.ini]]
 [DEFAULT]
@@ -668,9 +669,43 @@ do
     ${SSH} $ip "sudo ovs-vsctl --may-exist add-br $PUBLIC_BRIDGE -- set bridge $PUBLIC_BRIDGE other-config:disable-in-band=true other_config:hwaddr=f6:00:00:ff:01:0$((devstack_index++))"
 done
 
+# ipsec support
+if [ "${IPSEC_VXLAN_TUNNELS_ENABLED}" == "yes" ]; then
+    ALL_NODES=(${OPENSTACK_CONTROL_NODE_IP} ${COMPUTE_IPS[*]})
+    for ((inx_ip1=0; inx_ip1<$((${#ALL_NODES[@]} - 1)); inx_ip1++))
+    do
+        for ((inx_ip2=$((inx_ip1 + 1)); inx_ip2<${#ALL_NODES[@]}; inx_ip2++))
+        do
+            KEY1=0x$(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)
+            KEY2=0x$(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)
+            ID=0x$(dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8)
+            ip1=${ALL_NODES[$inx_ip1]}
+            ip2=${ALL_NODES[$inx_ip2]}
+            ${SSH} $ip1 "sudo ip xfrm state add src $ip1 dst $ip2 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+            ${SSH} $ip1 "sudo ip xfrm state add src $ip2 dst $ip1 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+            ${SSH} $ip1 "sudo ip xfrm policy add src $ip1 dst $ip2 proto udp dir out tmpl src $ip1 dst $ip2 proto esp reqid $ID mode transport"
+            ${SSH} $ip1 "sudo ip xfrm policy add src $ip2 dst $ip1 proto udp dir in tmpl src $ip2 dst $ip1 proto esp reqid $ID mode transport"
+
+            ${SSH} $ip2 "sudo ip xfrm state add src $ip2 dst $ip1 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+            ${SSH} $ip2 "sudo ip xfrm state add src $ip1 dst $ip2 proto esp spi $ID reqid $ID mode transport auth sha256 $KEY1 enc aes $KEY2"
+            ${SSH} $ip2 "sudo ip xfrm policy add src $ip2 dst $ip1 proto udp dir out tmpl src $ip2 dst $ip1 proto esp reqid $ID mode transport"
+            ${SSH} $ip2 "sudo ip xfrm policy add src $ip1 dst $ip2 proto udp dir in tmpl src $ip1 dst $ip2 proto esp reqid $ID mode transport"
+        done
+    done
+
+    for ip in ${OPENSTACK_CONTROL_NODE_IP} ${COMPUTE_IPS[*]}
+    do
+        echo "ip xfrm configuration for node $ip:"
+        ${SSH} $ip "sudo ip xfrm policy list"
+        ${SSH} $ip "sudo ip xfrm state list"
+    done
+fi
+
 # Control Node - PUBLIC_BRIDGE will act as the external router
 GATEWAY_IP="10.10.10.250" # FIXME this should be a parameter, also shared with integration-test
-${SSH} ${OPENSTACK_CONTROL_NODE_IP} "sudo ifconfig $PUBLIC_BRIDGE up ${GATEWAY_IP}/24"
+${SSH} ${OPENSTACK_CONTROL_NODE_IP} "sudo ip link add link ${PUBLIC_BRIDGE} name  ${PUBLIC_BRIDGE}.167 type vlan id 167"
+${SSH} ${OPENSTACK_CONTROL_NODE_IP} "sudo ifconfig  ${PUBLIC_BRIDGE} up"
+${SSH} ${OPENSTACK_CONTROL_NODE_IP} "sudo ifconfig   ${PUBLIC_BRIDGE}.167 up ${GATEWAY_IP}/24"
 compute_index=1
 for compute_ip in ${COMPUTE_IPS[*]}
 do