Add support for Neutron FWaaS v2

This patch adds support for deploying Neutron FWaaS v2 with OpenStack Ansible Change-Id: I2eae414fba7ddfac44ad6f5125e08740dc7a80a2
2016-10-18 13:11:56 +00:00 · 2016-10-18 13:11:56 +00:00 · 7c64d5ea8e
commit 7c64d5ea8e
parent 213137468a
8 changed files with 95 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -243,7 +243,7 @@ neutron_notifications_designate: notifications_designate
 # Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.
 # neutron_plugin_base:
 #   - router
-#   - firewall
+#   - firewall/firewall_v2 either one or the other, not both
 #   - lbaas
 #   - neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
 #   - neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin
--- a/doc/source/configure-network-services.rst
+++ b/doc/source/configure-network-services.rst
@ -29,6 +29,9 @@ Firewall service (optional)
 The following procedure describes how to modify the
 ``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS.

+Deploying FWaaS v1
+------------------
+
 #. Override the default list of neutron plugins to include
   ``firewall``:

@ -68,6 +71,43 @@ The FWaaS default configuration options may be changed through the
 `conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
 dict.

+Deploying FWaaS v2
+------------------
+
+FWaaS v2 is the next generation Neutron firewall service and will provide
+a rich set of APIs for securing OpenStack networks. It is still under
+active development.
+
+Refer to the `FWaaS 2.0 API specification
+<https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html>`_
+for more information on these FWaaS v2 features
+
+Follow the steps below to deploy FWaaS v2:
+
+.. note::
+    FWaaS v1 and v2 cannot be deployed simultaneously.
+
+#. Add the FWaaS v2 plugin to the ``neutron_plugin_base`` variable
+   in ``/etc/openstack_deploy/user_variables.yml``:
+
+   .. code-block:: yaml
+
+      neutron_plugin_base:
+        - router
+        - metering
+        - firewall_v2
+
+   Ensure that ``neutron_plugin_base`` includes all of the plugins that you
+   want to deploy with neutron in addition to the firewall_v2 plugin.
+
+#. Run the neutron playbook to deploy the FWaaS v2 service plugin
+
+   .. code-block:: console
+
+       # cd /opt/openstack-ansible/playbooks
+       # openstack-ansible os-neutron-install.yml
+
+
 Load balancing service (optional)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
+++ b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - FWaaS V2 has been added to neutron. To enable this service simply add
+    "firewall_v2" to the "neutron_plugin_base" list.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- include: neutron_check.yml
+
+
 - name: Gather variables for each operating system
  include_vars: "{{ item }}"
  with_first_found:
--- a/tasks/neutron_check.yml
+++ b/tasks/neutron_check.yml
@ -0,0 +1,23 @@
+---
+# Copyright 2016
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure FWaaS v1 and v2 are not enabled simultaneously
+  fail:
+    message: |
+      FWaaS v1 and v2 cannot be enabled at the same time.
+      Verify that your neutron_plugin_base variable is correct.
+  when:
+    - neutron_fwaas | bool
+    - neutron_fwaas_v2 | bool
--- a/templates/l3_agent.ini.j2
+++ b/templates/l3_agent.ini.j2
@ -27,3 +27,25 @@ send_arp_for_ha = 3

 # Metadata
 enable_metadata_proxy = True
+
+{% if neutron_fwaas | bool %}
+
+[fwaas]
+enabled = true
+driver = iptables
+agent_version = v1
+
+[AGENT]
+extensions = fwaas
+
+{% elif neutron_fwaas_v2 | bool %}
+
+[fwaas]
+enabled = true
+driver = iptables_v2
+agent_version = v2
+
+[AGENT]
+extensions = fwaas_v2
+
+{% endif %}
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -206,12 +206,6 @@ auth_version = 3

 {% endif %}

-{% if neutron_fwaas | bool %}
-[fwaas]
-enabled = true
-driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
-{% endif %}
-
 # Agent
 [agent]
 polling_interval = {{ neutron_agent_polling_interval|default(5) }}
@ -241,5 +235,3 @@ transport_url = rabbit://{% for host in neutron_rabbitmq_telemetry_servers.split
 # Concurrency (locking mechanisms)
 [oslo_concurrency]
 lock_path = {{ neutron_lock_path }}
-
-
--- a/vars/main.yml
+++ b/vars/main.yml
@ -265,7 +265,8 @@ neutron_metadata: "{% if neutron_plugin_type.split('.')[0] == 'ml2' %}True{% els
 ###

 # Please add the 'firewall' to the neutron_plugin_base list
-neutron_fwaas: "{% if 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
+neutron_fwaas: "{{ 'firewall' in neutron_plugin_base | ternary('True', 'False') }}"
+neutron_fwaas_v2: "{{ 'firewall_v2' in neutron_plugin_base | ternary('True', 'False') }}"

 ###
 ### LBaaS Plugin Configuration