Deploying OpenWRT as VNF¶
Once the tacker is installed successfully, follow the steps given below to deploy OpenWRT as VNF:
Ensure Glance already contains OpenWRT image.
If the tacker is installed using devstack, it tries to add the OpenWRT image to Glance during installation.
Make sure that the OpenWRT image has been successfully added to Glance by running following command:
openstack image list$ openstack image list +--------------------------------------+--------------------------+--------+ | ID | Name | Status | +--------------------------------------+--------------------------+--------+ | 8cc2aaa8-5218-49e7-9a57-ddb97dc68d98 | OpenWRT | active | | 32f875b0-9e24-4971-b82d-84d6ec620136 | cirros-0.4.0-x86_64-disk | active | | ab0abeb8-f73c-467b-9743-b17083c02093 | cirros-0.5.1-x86_64-disk | active | +--------------------------------------+--------------------------+--------+
If OpenWRT image does not exist in the output of
openstack image list, you can get the customized image of OpenWRT 15.05.1 in your tacker repository, or download the image from 1.After downloading the image file, execute following steps:
First Unzip it by using following commands:
$ cd /path/to/tacker/samples/images/ $ gunzip openwrt-x86-kvm_guest-combined-ext4.img.gz
Then upload the image into Glance by using following command:
$ openstack image create OpenWRT --disk-format qcow2 \ --container-format bare \ --file /path/to/openwrt-x86-kvm_guest-combined-ext4.img \ --public
Configure OpenWRT
The example below shows how to create the OpenWRT-based Firewall VNF.
We have a yaml template which contains the configuration of OpenWRT as shown below: tosca-vnfd-openwrt.yaml 2
tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0 description: OpenWRT with services metadata: template_name: OpenWRT topology_template: node_templates: VDU1: type: tosca.nodes.nfv.VDU.Tacker capabilities: nfv_compute: properties: num_cpus: 1 mem_size: 512 MB disk_size: 1 GB properties: image: OpenWRT config: | param0: key1 param1: key2 mgmt_driver: openwrt monitoring_policy: name: ping parameters: count: 3 interval: 10 actions: failure: respawn CP1: type: tosca.nodes.nfv.CP.Tacker properties: management: true order: 0 anti_spoofing_protection: false requirements: - virtualLink: node: VL1 - virtualBinding: node: VDU1 CP2: type: tosca.nodes.nfv.CP.Tacker properties: order: 1 anti_spoofing_protection: false requirements: - virtualLink: node: VL2 - virtualBinding: node: VDU1 CP3: type: tosca.nodes.nfv.CP.Tacker properties: order: 2 anti_spoofing_protection: false requirements: - virtualLink: node: VL3 - virtualBinding: node: VDU1 VL1: type: tosca.nodes.nfv.VL properties: network_name: net_mgmt vendor: Tacker VL2: type: tosca.nodes.nfv.VL properties: network_name: net0 vendor: Tacker VL3: type: tosca.nodes.nfv.VL properties: network_name: net1 vendor: Tacker
We also have another configuration yaml template with some firewall rules of OpenWRT. tosca-config-openwrt-firewall.yaml 3
vdus: VDU1: config: firewall: | package firewall config defaults option syn_flood '1' option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' config zone option name 'lan' list network 'lan' option input 'ACCEPT' option output 'ACCEPT' option forward 'ACCEPT' config zone option name 'wan' list network 'wan' list network 'wan6' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config forwarding option src 'lan' option dest 'wan' config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4' config rule option name 'Allow-Ping' option src 'wan' option proto 'icmp' option icmp_type 'echo-request' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-IGMP' option src 'wan' option proto 'igmp' option family 'ipv4' option target 'ACCEPT' config rule option name 'Allow-DHCPv6' option src 'wan' option proto 'udp' option src_ip 'fe80::/10' option src_port '547' option dest_ip 'fe80::/10' option dest_port '546' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-MLD' option src 'wan' option proto 'icmp' option src_ip 'fe80::/10' list icmp_type '130/0' list icmp_type '131/0' list icmp_type '132/0' list icmp_type '143/0' option family 'ipv6' option target 'ACCEPT' config rule option name 'Allow-ICMPv6-Input' option src 'wan' option proto 'icmp' list icmp_type 'echo-request' list icmp_type 'echo-reply' list icmp_type 'destination-unreachable' list icmp_type 'packet-too-big' list icmp_type 'time-exceeded' list icmp_type 'bad-header' list icmp_type 'unknown-header-type' list icmp_type 'router-solicitation' list icmp_type 'neighbour-solicitation' list icmp_type 'router-advertisement' list icmp_type 'neighbour-advertisement' option limit '190/sec' option family 'ipv6' option target 'REJECT'
In this template file, we specify the
mgmt_driver: openwrt, which means this VNFD is managed by openwrt driver 4.This driver can inject firewall rules defined in VNFD to OpenWRT instance by using SSH protocol. We can run
cat /etc/config/firewallto confirm if firewall rules are injected successfully.Create a sample vnfd
$ openstack vnf descriptor create \ --vnfd-file tosca-vnfd-openwrt.yaml <VNFD_NAME>
Create a VNF
$ openstack vnf create --vnfd-name <VNFD_NAME> \ --config-file tosca-config-openwrt-firewall.yaml <NAME>
Check the status
$ openstack vnf list $ openstack vnf show <VNF_ID>
We can replace the configuration files containing firewall rules with tosca-config-openwrt-vrouter.yaml 5, tosca-config-openwrt-dnsmasq.yaml 6, or tosca-config-openwrt-qos.yaml 7 to deploy the router, DHCP, DNS, or QoS VNFs.
The OpenWRT VNFM management driver will follow same way to inject the desired service rules into the OpenWRT instance.
We can run the following commands to check if firewall rules are injected successfully or not:
$ cat /etc/config/network # to check vrouter. $ cat /etc/config/dhcp # to check DHCP and DNS. $ cat /etc/config/qos # to check the QoS rules.
Notes
OpenWRT user and password
The user account is ‘root’ and password is ‘’, which means there is no password for root account.
Procedure to customize the OpenWRT image
The OpenWRT is modified based on KVM OpenWRT 15.05.1 to be suitable for Tacker. Following is the procedure:
$ cd ~ $ wget https://archive.openwrt.org/chaos_calmer/15.05.1/x86/kvm_guest/openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz \ -O openwrt-x86-kvm_guest-combined-ext4.img.gz $ gunzip openwrt-x86-kvm_guest-combined-ext4.img.gz $ mkdir -p imgroot $ sudo kpartx -av openwrt-x86-kvm_guest-combined-ext4.img # Replace the loopXp2 with the result of above command, e.g., loop0p2 $ sudo mount -o loop /dev/mapper/loopXp2 imgroot $ sudo chroot imgroot /bin/ash # Set password of this image to blank, type follow command and then enter two times $ passwd # Set DHCP for the network of OpenWRT so that the VNF can be ping $ uci set network.lan.proto=dhcp; uci commit $ exit $ sudo umount imgroot $ sudo kpartx -dv openwrt-x86-kvm_guest-combined-ext4.img
Footnotes
