openstack/openstack-ansible-os_octavia
Code Issues Proposed changes

Adds iptables rules to protect octavia server container

Browse Source 
- Adds iptables rules
 - Makes sure that health manager ip is the one
   on the management interface
 - Reworks variables
 - Improves documentation
 - Tests now run with an extra octavia network
 - renamed mgmt network to lbaas-mgmt
 - added ubuntu/centos specific iptables save/restore
   commands/packages

Change-Id: I761ce0d2dce73d018c2ba2022798a3962e44b235
This commit is contained in:
German Eichberger 2017-03-17 18:02:24 -04:00
parent cee99ca9aa
commit 38e365f945
10 changed files with 170 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
defaults/main.yml
View File

@ -209,8 +209,6 @@ octavia_loadbalancer_topology: SINGLE
octavia_glance_image_tag: octavia-amphora-image
# add here the id of the image owner to avoid faked images being used
octavia_amp_image_owner_id:
# Name of the Octavia management network
octavia_neutron_management_network_name: mgmt
# Name of the Octavia security group
octavia_security_group_name: octavia_sec_grp
# Restrict access to only authorized hosts
@ -262,8 +260,78 @@ octavia_enable_anti_affinity: False
# for amphora creation
#octavia_amp_availability_zone:
# Name of the Octavia management network in Neutron
octavia_neutron_management_network_name: lbaas-mgmt
# Name of the provider net in the system
octavia_provider_network_name: lbaas
# This sets it to the container managment network based on how you setup
# the provider net
octavia_container_network_name: "{{ octavia_provider_network_name }}_address"
octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_network_name)|list|first }}"
octavia_hm_group: "octavia-health-manager"
octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['ansible_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
# Note: We use some heuritsics here but if you do anyhting special make sure to use the
# ip addresses on the right network. This will use the container newtorking to figure out the ip
octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}"
# Set this to the right container port aka the eth you connect to the octavia
# management network
octavia_container_interface: "{{ octavia_provider_network.container_interface }}"
# Set this to true to drop the iptables rules
octavia_ip_tables_fw: True
# The iptable rules
octavia_iptables_rules:
- # Allow icmp
chain: INPUT
protocol: icmp
ctstate: NEW
icmp_type: 8
jump: ACCEPT
- # Allow existing connections:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
- # Allow heartbeat:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
- # Reject INPUT:
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Reject FORWARD:
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp-port-unreachable
- # Allow icmp6
chain: INPUT
protocol: icmpv6
jump: ACCEPT
ip_version: ipv6
- # Allow existing connections
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
ip_version: ipv6
- # Allow heartbeat
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
protocol: udp
destination_port: "{{ octavia_health_manager_port }}"
jump: ACCEPT
ip_version: ipv6
- # Reject INPUT
chain: INPUT
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
- # Reject FORWARD
chain: FORWARD
in_interface: "{{ octavia_container_interface }}"
reject_with: icmp6-port-unreachable
ip_version: ipv6
# Set up the drivers
octavia_amphora_driver: amphora_haproxy_rest_driver
@ -273,9 +341,4 @@ octavia_network_driver: allowed_address_pairs_driver
## Tunable overrides
octavia_octavia_conf_overrides: {}
octavia_api_paste_ini_overrides: {}
octavia_policy_overrides: {}
octavia_policy_overrides: {}

53
doc/source/configure-octavia.rst
View File

@ -25,27 +25,63 @@ Setup a neutron network for use by octavia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Octavia needs connectivity between the control plane and the
load balancing VMs. For this purpose a provide rnetwork should be
created which bridges containers (if the control plane is installed
in a container) or hosts with vms. Refer to the appropriate documentation
load balancing VMs. For this purpose a provider network should be
created which bridges the octavia containers (if the control plane is installed
in a container) or hosts with VMs. Refer to the appropriate documentation
and consult the tests in this project. In a general case, neutron networking
can be a simple flat network. However in a complex case, this can be whatever
you need and want. Ensure you adjust the deployment accordingly. The following
is an example how to set it up in neutron:
you need and want. Ensure you adjust the deployment accordingly. An example
entry into ``openstack_user_config.yml`` is shown below:
.. code-block:: yaml
- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
host_bind_override: "eth14"
ip_from_q: "octavia"
type: "flat"
net_name: "octavia"
group_binds:
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager
Make sure to modify the other entries in this file as well.
There are a couple of variables which need to be adjusted if you don't use
``lbaas`` for the provider network name and ``lbaas-mgmt`` for the neutron
name. Furthermore, the system tries to infer certain values based on the
inventory which might not always work and hence might need to be explicitly
declared. Review the file ``defaults\main.yml`` for more information.
The following is an example how to set up a provider network in neutron:
.. code-block:: bash
neutron net-create mgmt-net --shared \
neutron net-create lbaas-mgmt --shared \
--provider:network_type flat \
--provider:physical_network mgmt
--provider:physical_network lbaas
neutron subnet-create mgmt-net 172.19.0.0/22 --name mgmt-subnet
neutron subnet-create mgmt-net 172.19.0.0/22 --name lbaas-subnet
--ip-version=4 \
--allocation-pool start=172.19.1.100,end=172.19.1.200 \
--enable-dhcp \
--dns-nameservers list=true 8.8.4.4 8.8.8.8
Special attention needs to be applied to the ``--allocation-pool`` to not have
ips which overlap with ips assigned to hosts or containers (see the ``used_ips``
variable in ``openstack_user_config.yml``)
.. note::
The system will deploy an iptables firewall if ``octavia_ip_tables_fw`` is set
to ``True`` (the default). This adds additional protection to the control plane
in the rare instance a load balancing vm is compromised. Please review carefully
the rules and adjust them for your installation. Please be aware that logging
of dropped packages is not enabled and you will need to add those rules manually.
Building Octavia images
~~~~~~~~~~~~~~~~~~~~~~~
@ -182,3 +218,4 @@ The variable ``octavia_spare_amphora_pool_size`` controls
the size of the pool. The system will try
to prebuild this number so using too big a number will
consumes a lot of unnecessary resources.

8
releasenotes/notes/add-iptables-5ff8c4317e2e8498.yaml Normal file
View File

@ -0,0 +1,8 @@
---
features:
- Simplifies configuration of lbaas-mgmt network.
- Adds iptables rules to block taffic from the octavia managment network to
the octavia container for both ipv4 and ipv6.

2
tasks/main.yml
View File

@ -55,6 +55,7 @@
- octavia_neutron_management_network_name is defined
tags:
- octavia-install
- octavia-config
- include: octavia_security_group.yml
tags:
@ -65,6 +66,7 @@
- octavia_nova_flavor_uuid is not defined
tags:
- octavia-install
- octavia-config
- include: octavia_post_install.yml
tags:

26
tasks/octavia_post_install.yml
View File

@ -13,6 +13,27 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# iptables module doesn't see empty string as a null value so this is the only
# way to get a configurable rule definition in right now
- name: iptables rules
iptables: "{{ item }}"
with_items: "{{ octavia_iptables_rules }}"
when: octavia_ip_tables_fw|bool == true
# This is totally odd: If you run the commands via run-parts (as the script
# in the distro does) they return 1; but do their job. If you run them
# directly they work. Ignoring errors for now --
- name: save iptables rules (Ubuntu 16.04)
command: netfilter-persistent save
ignore_errors: yes
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04'
- name: save iptables rules (CentOS & RHEL)
command: service iptables save
args:
warn: False # since we use save service module doesn't apply
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
- name: Create certs directory
file: path=/etc/octavia/certs/ state=directory
@ -58,7 +79,4 @@
# config_overrides: "{{ octavia_policy_overrides }}"
# config_type: "json"
notify:
- Restart octavia services
- Restart octavia services

6
tests/host_vars/localhost.yml
View File

@ -19,9 +19,6 @@ ansible_python_interpreter: "/usr/bin/python2"
bridges:
- name: "br-mgmt"
ip_addr: "10.1.1.1"
# Use container mgmt as Octavia mgmt net
# set up veth pair to connect with Neutron
veth_peer: "eth14"
- name: "br-vxlan"
ip_addr: "10.1.2.1"
- name: "br-vlan"
@ -29,3 +26,6 @@ bridges:
veth_peer: "eth12"
- name: "br-storage"
ip_addr: "10.1.5.1"
- name: "br-lbaas"
ip_addr: "10.1.7.1"
veth_peer: "eth14"

9
tests/host_vars/octavia1.yml
View File

@ -16,8 +16,7 @@
ansible_host: 10.1.1.104
ansible_become: True
ansible_user: root
ipmi_address: 10.1.4.104
container_name: "{{ inventory_hostname }}"
lbaas_address: 10.1.7.104
container_networks:
management_address:
address: "{{ ansible_host }}"
@ -25,3 +24,9 @@ container_networks:
interface: "eth1"
netmask: "255.255.255.0"
type: "veth"
lbaas_address:
address: "{{ lbaas_address }}"
bridge: "br-lbaas"
interface: "eth14"
netmask: "255.255.255.0"
type: "veth"

9
tests/os_octavia-overrides.yml
View File

@ -66,8 +66,11 @@ nova_console_type: novnc
neutron_provider_networks:
network_types: "vxlan,flat"
network_vxlan_ranges: "1:1000"
network_flat_networks: "flat,mgmt"
network_mappings: "flat:eth12,mgmt:eth14"
network_flat_networks: "flat,lbaas"
network_mappings: "flat:eth12,lbaas:eth14"
#couldn't find provider_networks inventory var?
octavia_container_interface: "eth14"
# Must be set to a normal MTU
neutron_network_device_mtu: 1500
@ -80,7 +83,7 @@ neutron_metadata: True
octavia_pip_package_state: latest
octavia_package_state: latest
octavia_neutron_management_network_name: mgmt
octavia_neutron_management_network_name: lbaas-mgmt
octavia_git_install_branch: stable/ocata

6
tests/test-configure-octavia.yml
View File

@ -87,15 +87,15 @@
openrc_path: /root/openrc
net_name: "{{ octavia_neutron_management_network_name }}"
provider_network_type: flat
provider_physical_network: mgmt
provider_physical_network: lbaas
insecure: "{{ keystone_service_internaluri_insecure }}"
- name: Ensure mgmt subnet exists
neutron:
command: create_subnet
openrc_path: /root/openrc
net_name: "{{ octavia_neutron_management_network_name }}"
subnet_name: "mgmt-subnet"
cidr: "10.1.1.0/24"
subnet_name: "lbaas-mgmt-subnet"
cidr: "10.1.7.0/24"
insecure: "{{ keystone_service_internaluri_insecure }}"
vars_files:

3
vars/ubuntu-16.04.yml
View File

@ -17,4 +17,5 @@
cache_timeout: 600
octavia_distro_packages:
- haproxy
- iptables-persistent
- netfilter-persistent