diff --git a/doc/source/install-guide/configure-fwaas.rst b/doc/source/install-guide/configure-fwaas.rst new file mode 100644 index 0000000000..7fc017740b --- /dev/null +++ b/doc/source/install-guide/configure-fwaas.rst @@ -0,0 +1,57 @@ +`Home `_ OpenStack-Ansible Installation Guide + +Configuring the Network Firewall Service (Optional) +--------------------------------------------------- + +The OpenStack Networking Service, Neutron, includes a Firewall as a +Service (FWaaS) offering. This service lets you configure a firewall that +runs outside of your instances and filters traffic from the router. + +The following procedure describes how to modify the +``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS. + +#. Override the default list of Neutron plugins to include + ``firewall``: + + .. code-block:: yaml + + neutron_plugin_base: + - firewall + - ... + +#. The complete `neutron_plugin_base`, at the time of this writing, is as follows: + + .. code-block:: yaml + + neutron_plugin_base: + - router + - firewall + - lbaas + - vpnaas + - metering + - qos + +#. Execute the Neutron install playbook in order to update the configuration: + + .. code-block:: shell-session + + # cd /opt/openstack-ansible/playbooks + # openstack-ansible os-neutron-install.yml + +#. Execute the Horizon install playbook in order to update the Horizon + configuration to show the FWaaS panels: + + .. code-block:: shell-session + + # cd /opt/openstack-ansible/playbooks + # openstack-ansible os-horizon-install.yml + +The FWaaS default configuration options may be changed through the +`conf override`_ mechanism using the ``neutron_neutron_conf_overrides`` +dict. + +.. _conf override: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html + +-------------- + +.. include:: navigation.txt diff --git a/doc/source/install-guide/configure.rst b/doc/source/install-guide/configure.rst index bec192459c..23c6dd7879 100644 
--- a/doc/source/install-guide/configure.rst +++ b/doc/source/install-guide/configure.rst @@ -21,6 +21,7 @@ Chapter 4. Deployment configuration configure-aodh.rst configure-keystone.rst configure-lbaas.rst + configure-fwaas.rst configure-openstack.rst configure-sslcertificates.rst configure-configurationintegrity.rst diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index 8ff71a5b81..925e5ec6a2 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml @@ -229,6 +229,7 @@ horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is de # LBaaS panels are working only for LBaaS v1 at this time. #TODO(odyssey4me): Remove the classpath from this conditional in the Newton cycle. horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and ('lbaas' in neutron_plugin_base or 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin' in neutron_plugin_base) %}True{% else %}False{% endif %}" +horizon_enable_neutron_fwaas: "{% if neutron_plugin_base is defined and 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}" horizon_rabbitmq_userid: horizon horizon_rabbitmq_vhost: /horizon diff --git a/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml new file mode 100644 index 0000000000..3048dad9a6 --- /dev/null +++ b/releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml 
@@ -0,0 +1,15 @@ +--- +features: + - Neutron Firewall as a Service (FWaaS) can now optionally be deployed and + configured. Please see the `FWaaS Configuration Reference + `_ + for details about the what the service is and what it provides. See the + `FWaaS Install Guide `_ + for implementation details. +upgrade: + - Database migration tasks have been added for the FWaaS neutron plugin. +security: + - When enabled, Neutron Firewall as a Service (FWaaS) provides projects the + option to implement perimeter security (filtering at the router), adding to + filtering at the instance interfaces which is provided by 'Security + Groups'.
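Review bot: In doc/source/install-guide/configure-fwaas.rst, steps 1 and 2 of the procedure are numbered as two actions, but step 2 only states the full list, and the step 1 example ends in a literal "- ..." entry that cannot be pasted into user_variables.yml. Since the text says this setting overrides the default list, an operator who copies step 1 with only "firewall" would end up with a neutron_plugin_base that no longer contains the other entries shown in step 2, such as "router". Suggest merging the two steps into one whose example is the complete list with "firewall" added, and stating that the override replaces the default rather than extending it. Smaller points: neutron_plugin_base in step 2 uses single backticks where the rest of the file uses double backticks for literals, and the "conf override" target is a hard-coded docs.openstack.org URL to a page in this same guide, which a relative document reference would keep in step with the branch being built.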
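Review bot: In playbooks/inventory/group_vars/hosts.yml, the new horizon_enable_neutron_fwaas conditional matches only the short alias ('firewall' in neutron_plugin_base), while the horizon_enable_neutron_lbaas line directly above it also accepts the full plugin classpath. A deployer who lists the firewall plugin by classpath would get the service enabled in Neutron but the Horizon panels left off, with no error to explain why. Either accept the classpath here as the lbaas line does, or state in configure-fwaas.rst that only the "firewall" alias is recognised for the Horizon toggle.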
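Review bot: In releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml, the features entry has a typo, "for details about the what the service is", which should read "for details about what the service is". The upgrade entry also says migration tasks "have been added" without saying whether they run on every upgrade or only when "firewall" is present in neutron_plugin_base; one clause stating the condition would tell operators who leave FWaaS disabled whether their database is touched. The security entry reads well; consider naming the variable that enables the service so readers can tell from the note alone how the router-level filtering is switched on.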