summaryrefslogtreecommitdiffstats
path: root/kud/tests/vIPSec/ipsec
diff options
context:
space:
mode:
authorRuoyu Ying <ruoyu.ying@intel.com>2019-12-25 01:33:06 +0800
committerRuoyu Ying <ruoyu.ying@intel.com>2020-01-08 23:33:56 +0800
commit4341b41f3f949119b9106a58b243f42b50119b82 (patch)
tree609897297257881318a0bf79714bbe33959774c7 /kud/tests/vIPSec/ipsec
parent20b0ff063a92e6d4a5ecaf621e527c09ff1e5515 (diff)
Add execution script for vIPSec in k8s
Add execution scripts for each component in vIPSec to make it work for k8s. These scripts are going to be used along with the helm chart named 'vipsec' inside the demo folder. It aims to construct the vIPSec use case to set up a secure tunnel between peers and improve its performance along with hardware acceleration technologies such as SRIOV and QAT. Issue-ID: MULTICLOUD-969 Change-Id: I261272439b264db4d70cf8d5d2958a891c351b61 Signed-off-by: Ruoyu Ying <ruoyu.ying@intel.com>
Diffstat (limited to 'kud/tests/vIPSec/ipsec')
-rwxr-xr-xkud/tests/vIPSec/ipsec163
1 files changed, 163 insertions, 0 deletions
diff --git a/kud/tests/vIPSec/ipsec b/kud/tests/vIPSec/ipsec
new file mode 100755
index 00000000..4b278574
--- /dev/null
+++ b/kud/tests/vIPSec/ipsec
@@ -0,0 +1,163 @@
+#!/bin/bash
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2019 Intel Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+# This script prepares the runtime environment
+# for running vIPSec shell scripts on Ubuntu 18.04
+
+set -o nounset
+set -o pipefail
+set -o xtrace
+set -o errexit
+
+function setup_dependencies {
+ apt-get update
+ apt-get install -y curl gnupg2 pciutils make gcc libnuma-dev python git linux-headers-`uname -r` module-init-tools libssl-dev
+ echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu bionic main" >> /etc/apt/sources.list.d/99fd.io.list
+ curl -L https://packagecloud.io/fdio/master/gpgkey | apt-key add -
+}
+
+function install_vpp {
+ apt-get update
+ apt-get install -y vpp vpp-plugin-core vpp-plugin-dpdk
+}
+
+function install_dpdk {
+ cd /opt
+ git clone http://dpdk.org/git/dpdk
+ cd /opt/dpdk
+ export RTE_TARGET=x86_64-native-linux-gcc/ && export DESTDIR=/opt/dpdk && export RTE_SDK=/opt/dpdk && make install T=x86_64-native-linux-gcc
+ modprobe uio
+ insmod x86_64-native-linux-gcc/kmod/igb_uio.ko
+}
+
+function ipsec_settings {
+# Create vpp configuration file
+ cat > /opt/config/vpp.config << EOF
+ unix {
+ exec /opt/config/ipsec.conf
+ nodaemon
+ cli-listen /run/vpp/cli.sock
+ log /tmp/vpp.log
+ }
+
+ cpu {
+ main-core 0
+ corelist-workers 1
+ }
+
+ dpdk {
+ socket-mem 512
+ log-level debug
+ no-tx-checksum-offload
+ dev default{
+ num-tx-desc 512
+ num-rx-desc 512
+ }
+ dev interfaceABus
+ {
+ workers 0
+ }
+ dev interfaceBBus
+ {
+ workers 0
+ }
+ vdev crypto_aesni_mb0
+
+ no-multi-seg
+
+ #enable_cryptodev
+
+ }
+EOF
+
+# Check if sriov and qat are enabled, bind the pci devices with igb_uio driver
+ if [ "$sriov_enabled" = true ]; then
+ export interfaceABus=$(lspci -D -nn | grep -m1 '8086:154c' | cut -d ' ' -f 1)
+ export interfaceBBus=$(lspci -D -nn | grep -m2 '8086:154c' | cut -d ' ' -f 1 | tail -n1)
+ else
+ export interfaceABus=$(ls -la /sys/class/net | grep 'eth1' | cut -d '/' -f 5)
+ export interfaceBBus=$(ls -la /sys/class/net | grep 'eth3' | cut -d '/' -f 5)
+ fi
+ sed -i -e "s/interfaceABus/${interfaceABus}/g" -e "s/interfaceBBus/${interfaceBBus}/g" /opt/config/vpp.config
+ python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $interfaceABus $interfaceBBus
+ export interfaceA=$(vppctl sh int | awk '$2 == "1"' | cut -d ' ' -f 1)
+ export interfaceB=$(vppctl sh int | awk '$2 == "2"' | cut -d ' ' -f 1)
+
+ if [ "$qat_enabled" = true ]; then
+ export qatABus=$(lspci -D -nn | grep -m1 '8086:37c9' | cut -d ' ' -f 1)
+ export qatBBus=$(lspci -D -nn | grep -m2 '8086:37c9' | cut -d ' ' -f 1 | tail -n1)
+ python /opt/dpdk/usertools/dpdk-devbind.py -b igb_uio $qatABus $qatBBus
+ sed -i "/#enable_cryptodev/a\n dev $qatABus\n dev $qatBBus\n" /opt/config/vpp.config
+ sed -i "/vdev crypto_aesni_mb0/d" /opt/config/vpp.config
+ fi
+
+# Create the sample ipsec configuration file
+ cat > /opt/config/ipsec.conf << EOF
+ set interface state VirtualFunctionEthernet0/5/0 up
+ set interface state VirtualFunctionEthernet0/6/0 up
+
+ set interface ip address VirtualFunctionEthernet0/5/0 input_interface_ip/24
+ set interface ip address VirtualFunctionEthernet0/6/0 output_interface_ip/24
+
+ set int promiscuous on VirtualFunctionEthernet0/5/0
+ set int promiscuous on VirtualFunctionEthernet0/6/0
+
+ set ip arp VirtualFunctionEthernet0/6/0 remote_tunnel_ip fa:16:3e:a6:e4:c7
+ set ip arp VirtualFunctionEthernet0/5/0 input_interface_ip fa:16:3e:f1:65:dc
+
+ ip route add count 1 packet_dst/32 via route_interface VirtualFunctionEthernet0/6/0
+
+ ipsec spd add 1
+ set interface ipsec spd VirtualFunctionEthernet0/6/0 1
+ ipsec sa add 1 spi 1921681003 esp tunnel-src output_interface_ip tunnel-dst remote_tunnel_ip crypto-key 2b7e151628aed2a6abf7158809cf4f3d crypto-alg aes-cbc-128 integ-key 6867666568676665686766656867666568676669 integ-alg sha1-96
+ ipsec policy add spd 1 traffic_direction priority 100 action protect sa 1 local-ip-range packet_src-packet_src remote-ip-range packet_dst-packet_dst
+ ipsec policy add spd 1 traffic_direction priority 90 protocol 50 action bypass local-ip-range packet_src-255.255.255.255 remote-ip-range remote_tunnel_ip-remote_tunnel_ip
+EOF
+
+# Replace all ip and interfaces inside the ipsec configuration file
+ sed -i -e "s/input_interface_ip/${input_interface_ip}/g" -e "s/output_interface_ip/${output_interface_ip}/g" -e "s/remote_tunnel_ip/${remote_tunnel_ip}/g" -e "s/route_interface/${route_interface}/g" -e "s#VirtualFunctionEthernet0/5/0#${interfaceA}#g" -e "s#VirtualFunctionEthernet0/6/0#${interfaceB}/g" -e "s/packet_src/${packet_src}/g" -e "s/packet_dst/${packet_dst}/g" -e "s/traffic_direction/${traffic_direction}/g" /opt/config/ipsec.conf
+ vpp -c /opt/config/vpp.config
+}
+
+
+mkdir /opt/config
+echo "$demo_artifacts_version" > /opt/config/demo_artifacts_version.txt
+echo "$dcae_collector_ip" > /opt/config/dcae_collector_ip.txt
+echo "$dcae_collector_port" > /opt/config/dcae_collector_port.txt
+echo "$ipsec_private_net_gw" > /opt/config/ipsec_private_net_gw_ip.txt
+echo "$ipsec_private_net_cidr" > /opt/config/ipsec_private_net_cidr.txt
+echo "$ipsec_private_network_name" > /opt/config/ipsec_private_network_name.txt
+echo "$packet_src" > /opt/config/packet_source_ip.txt
+echo "$packet_dst" > /opt/config/packet_destination_ip.txt
+echo "$remote_tunnel_ip" > /opt/config/remote_tunnel.txt
+echo "$route_interface" > /opt/config/route_interface.txt
+echo "$traffic_direction" > /opt/config/traffic_direction.txt
+echo "$vipsecA_private_ip_0" > /opt/config/vipsecA_private_ip0.txt
+echo "$vipsecA_private_ip_2" > /opt/config/vipsecA_private_ip2.txt
+echo "$protected_clientA_network_name" > /opt/config/protected_clientA_network_name.txt
+echo "$protected_clientA_net_gw" > /opt/config/protected_clientA_net_gw.txt
+echo "$protected_clientA_net_cidr" > /opt/config/protected_clientA_net_cidr.txt
+
+echo 'vm.nr_hugepages = 1024' >> /etc/sysctl.conf
+sysctl -p
+
+setup_dependencies
+install_vpp
+install_dpdk
+ipsec_settings