Adds iptables rules to protect octavia server container

- Adds iptables rules
 - Makes sure that health manager ip is the one
   on the management interface
 - Reworks variables
 - Improves documentation
 - Tests now run with an extra octavia network
 - renamed mgmt network to lbaas-mgmt
 - added ubuntu/centos specific iptables save/restore
   commands/packages

Change-Id: I761ce0d2dce73d018c2ba2022798a3962e44b235

defaults/main.yml

@@ -209,8 +209,6 @@ octavia_loadbalancer_topology: SINGLE
 octavia_glance_image_tag: octavia-amphora-image
 # add here the id of the image owner to avoid faked images being used
 octavia_amp_image_owner_id:
-# Name of the Octavia management network
-octavia_neutron_management_network_name: mgmt
 # Name of the Octavia security group
 octavia_security_group_name: octavia_sec_grp
 # Restrict access to only authorized hosts
@@ -262,8 +260,78 @@ octavia_enable_anti_affinity: False
 # for amphora creation
 #octavia_amp_availability_zone:
 
+# Name of the Octavia management network in Neutron
+octavia_neutron_management_network_name: lbaas-mgmt
+# Name of the provider net in the system
+octavia_provider_network_name: lbaas
+# This sets it to the container managment network based on how you setup
+# the provider net
+octavia_container_network_name: "{{ octavia_provider_network_name }}_address"
+octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_network_name)|list|first }}"
 octavia_hm_group: "octavia-health-manager"
-octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['ansible_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
+# Note: We use some heuritsics here but if you do anyhting special make sure to use the
+# ip addresses on the right network. This will use the container newtorking to figure out the ip
+octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}"
+# Set this to the right container port aka the eth you connect to the octavia
+# management network
+octavia_container_interface: "{{ octavia_provider_network.container_interface }}"
+# Set this to true to drop the iptables rules
+octavia_ip_tables_fw: True
+# The iptable rules
+octavia_iptables_rules:
+  - # Allow icmp
+    chain: INPUT
+    protocol: icmp
+    ctstate: NEW
+    icmp_type: 8
+    jump: ACCEPT
+  - # Allow existing connections:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    ctstate:  RELATED,ESTABLISHED
+    jump: ACCEPT
+  - # Allow heartbeat:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    protocol: udp
+    destination_port: "{{ octavia_health_manager_port }}"
+    jump: ACCEPT
+  - # Reject INPUT:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp-port-unreachable
+  - # Reject FORWARD:
+    chain: FORWARD
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp-port-unreachable
+  - # Allow icmp6
+    chain: INPUT
+    protocol: icmpv6
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Allow existing connections
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    ctstate:  RELATED,ESTABLISHED
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Allow heartbeat
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    protocol: udp
+    destination_port: "{{ octavia_health_manager_port }}"
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Reject INPUT
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp6-port-unreachable
+    ip_version: ipv6
+  - # Reject FORWARD
+    chain: FORWARD
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp6-port-unreachable
+    ip_version: ipv6
 
 # Set up the drivers
 octavia_amphora_driver: amphora_haproxy_rest_driver
@@ -273,9 +341,4 @@ octavia_network_driver: allowed_address_pairs_driver
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
-octavia_policy_overrides: {}
+octavia_policy_overrides: {}
-
-
-
-
-

doc/source/configure-octavia.rst

@@ -25,27 +25,63 @@ Setup a neutron network for use by octavia
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Octavia needs connectivity between the control plane and the
-load balancing VMs. For this purpose a provide rnetwork should be
+load balancing VMs. For this purpose a provider network should be
-created which bridges containers (if the control plane is installed
+created which bridges the octavia containers (if the control plane is installed
-in a container) or hosts with vms. Refer to the appropriate documentation
+in a container) or hosts with VMs. Refer to the appropriate documentation
 and consult the tests in this project. In a general case, neutron networking
 can be a simple flat network. However in a complex case, this can be whatever
-you need and want. Ensure you adjust the deployment accordingly. The following
+you need and want. Ensure you adjust the deployment accordingly. An example
-is an example how to set it up in neutron:
+entry into ``openstack_user_config.yml`` is shown below:
+
+.. code-block:: yaml
+
+     - network:
+        container_bridge: "br-lbaas"
+        container_type: "veth"
+        container_interface: "eth14"
+        host_bind_override: "eth14"
+        ip_from_q: "octavia"
+        type: "flat"
+        net_name: "octavia"
+        group_binds:
+          - neutron_linuxbridge_agent
+          - octavia-worker
+          - octavia-housekeeping
+          - octavia-health-manager
+
+Make sure to modify the other entries in this file as well.
+
+There are a couple of variables which need to be adjusted if you don't use
+``lbaas`` for the provider network name and ``lbaas-mgmt`` for the neutron
+name. Furthermore, the system tries to infer certain values based on the
+inventory which might not always work and hence might need to be explicitly
+declared. Review the file ``defaults\main.yml`` for more information.
+
+The following is an example how to set up a provider network in neutron:
 
 
 .. code-block:: bash
 
-    neutron net-create mgmt-net --shared \
+    neutron net-create lbaas-mgmt --shared \
                                     --provider:network_type flat \
-                                    --provider:physical_network mgmt
+                                    --provider:physical_network lbaas
 
-    neutron subnet-create mgmt-net 172.19.0.0/22 --name mgmt-subnet
+    neutron subnet-create mgmt-net 172.19.0.0/22 --name lbaas-subnet
                           --ip-version=4 \
                           --allocation-pool start=172.19.1.100,end=172.19.1.200 \
                           --enable-dhcp \
                           --dns-nameservers list=true 8.8.4.4 8.8.8.8
 
+Special attention needs to be applied to the ``--allocation-pool`` to not have
+ips which overlap with ips assigned to hosts or containers (see the ``used_ips``
+variable in ``openstack_user_config.yml``)
+
+.. note::
+    The system will deploy an iptables firewall if ``octavia_ip_tables_fw`` is set
+    to ``True`` (the default). This adds additional protection to the control plane
+    in the rare instance a load balancing vm is compromised. Please review carefully
+    the rules and adjust them for your installation. Please be aware that logging
+    of dropped packages is not enabled and you will need to add those rules manually.
 
 Building Octavia images
 ~~~~~~~~~~~~~~~~~~~~~~~
@@ -182,3 +218,4 @@ The variable ``octavia_spare_amphora_pool_size`` controls
 the size of the pool. The system will try
 to prebuild this number so using too big a number will
 consumes a lot of unnecessary resources.
+

releasenotes/notes/add-iptables-5ff8c4317e2e8498.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - Simplifies configuration of lbaas-mgmt network.
+
+  - Adds iptables rules to block taffic from the octavia managment network to
+    the octavia container for both ipv4 and ipv6.
+
+

tasks/main.yml

@@ -55,6 +55,7 @@
     - octavia_neutron_management_network_name is defined
   tags:
     - octavia-install
+    - octavia-config
 
 - include: octavia_security_group.yml
   tags:
@@ -65,6 +66,7 @@
     - octavia_nova_flavor_uuid is not defined
   tags:
     - octavia-install
+    - octavia-config
 
 - include: octavia_post_install.yml
   tags:

tasks/octavia_post_install.yml

@@ -13,6 +13,27 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# iptables module doesn't see empty string as a null value so this is the only
+# way to get a configurable rule definition in right now
+- name: iptables rules
+  iptables: "{{ item }}"
+  with_items: "{{ octavia_iptables_rules }}"
+  when: octavia_ip_tables_fw|bool == true
+
+# This is totally odd: If you run the commands via run-parts (as the script
+# in the distro does) they return 1; but do their job. If you run them
+# directly they work. Ignoring errors for now --
+- name: save iptables rules (Ubuntu 16.04)
+  command: netfilter-persistent save
+  ignore_errors: yes
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04'
+
+- name: save iptables rules (CentOS & RHEL)
+  command: service iptables save
+  args:
+    warn: False # since we use save service module doesn't apply
+  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+
 - name: Create certs directory
   file: path=/etc/octavia/certs/ state=directory
 
@@ -58,7 +79,4 @@
 #      config_overrides: "{{ octavia_policy_overrides }}"
 #      config_type: "json"
   notify:
-    - Restart octavia services
+    - Restart octavia services
-
-
-

tests/host_vars/localhost.yml

@@ -19,9 +19,6 @@ ansible_python_interpreter: "/usr/bin/python2"
 bridges:
   - name: "br-mgmt"
     ip_addr: "10.1.1.1"
-    # Use container mgmt as Octavia mgmt net
-    # set up veth pair to connect with Neutron
-    veth_peer: "eth14"
   - name: "br-vxlan"
     ip_addr: "10.1.2.1"
   - name: "br-vlan"
@@ -29,3 +26,6 @@ bridges:
     veth_peer: "eth12"
   - name: "br-storage"
     ip_addr: "10.1.5.1"
+  - name: "br-lbaas"
+    ip_addr: "10.1.7.1"
+    veth_peer: "eth14"

tests/host_vars/octavia1.yml

@@ -16,8 +16,7 @@
 ansible_host: 10.1.1.104
 ansible_become: True
 ansible_user: root
-ipmi_address: 10.1.4.104
+lbaas_address: 10.1.7.104
-container_name: "{{ inventory_hostname }}"
 container_networks:
   management_address:
     address: "{{ ansible_host }}"
@@ -25,3 +24,9 @@ container_networks:
     interface: "eth1"
     netmask: "255.255.255.0"
     type: "veth"
+  lbaas_address:
+    address: "{{ lbaas_address }}"
+    bridge: "br-lbaas"
+    interface: "eth14"
+    netmask: "255.255.255.0"
+    type: "veth"

tests/os_octavia-overrides.yml

@@ -66,8 +66,11 @@ nova_console_type: novnc
 neutron_provider_networks:
   network_types: "vxlan,flat"
   network_vxlan_ranges: "1:1000"
-  network_flat_networks: "flat,mgmt"
+  network_flat_networks: "flat,lbaas"
-  network_mappings: "flat:eth12,mgmt:eth14"
+  network_mappings: "flat:eth12,lbaas:eth14"
+
+#couldn't find provider_networks inventory var?
+octavia_container_interface: "eth14"
 
 # Must be set to a normal MTU
 neutron_network_device_mtu: 1500
@@ -80,7 +83,7 @@ neutron_metadata: True
 
 octavia_pip_package_state: latest
 octavia_package_state: latest
-octavia_neutron_management_network_name: mgmt
+octavia_neutron_management_network_name: lbaas-mgmt
 
 octavia_git_install_branch: stable/ocata
 

tests/test-configure-octavia.yml

@@ -87,15 +87,15 @@
         openrc_path: /root/openrc
         net_name: "{{ octavia_neutron_management_network_name }}"
         provider_network_type: flat
-        provider_physical_network: mgmt
+        provider_physical_network: lbaas
         insecure: "{{ keystone_service_internaluri_insecure }}"
     - name: Ensure mgmt subnet exists
       neutron:
         command: create_subnet
         openrc_path: /root/openrc
         net_name: "{{ octavia_neutron_management_network_name }}"
-        subnet_name: "mgmt-subnet"
+        subnet_name: "lbaas-mgmt-subnet"
-        cidr: "10.1.1.0/24"
+        cidr: "10.1.7.0/24"
         insecure: "{{ keystone_service_internaluri_insecure }}"
 
   vars_files:

vars/ubuntu-16.04.yml

@@ -17,4 +17,5 @@
 cache_timeout: 600
 
 octavia_distro_packages:
-  - haproxy
+  - iptables-persistent
+  - netfilter-persistent