Add ability to configure Neutron FWaaS
This patch adds a release note, documentation and an automated determination of whether the Horizon panel for FWaaS should be enabled.

Re-Implementation-Of: https://review.openstack.org/#/c/275894/9
Depends-On: I682171333328e42895ec1a4d2d0cc5d2b2fcdcd9
Depends-On: Ic046cc9815f7b9c86a52fd75e7c796ecacc9e083
Change-Id: Iabfaa3d755bc2badae85325e3c6d477f4f2d620c
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
parent 249861b247
commit 6b7e78e104
57
doc/source/install-guide/configure-fwaas.rst
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
`Home <index.html>`_ OpenStack-Ansible Installation Guide
|
||||||
|
|
||||||
|
Configuring the Network Firewall Service (Optional)
|
||||||
|
---------------------------------------------------
|
||||||
|
|
||||||
|
The OpenStack Networking Service, Neutron, includes a Firewall as a
|
||||||
|
Service (FWaaS) offering. This service lets you configure a firewall that
|
||||||
|
runs outside of your instances and filters traffic from the router.
|
||||||
|
|
||||||
|
The following procedure describes how to modify the
|
||||||
|
``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS.
|
||||||
|
|
||||||
|
#. Override the default list of Neutron plugins to include
|
||||||
|
``firewall``:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
neutron_plugin_base:
|
||||||
|
- firewall
|
||||||
|
- ...
|
||||||
|
|
||||||
|
#. The complete `neutron_plugin_base`, at the time of this writing, is as follows:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
neutron_plugin_base:
|
||||||
|
- router
|
||||||
|
- firewall
|
||||||
|
- lbaas
|
||||||
|
- vpnaas
|
||||||
|
- metering
|
||||||
|
- qos
|
||||||
|
|
||||||
|
#. Execute the Neutron install playbook in order to update the configuration:
|
||||||
|
|
||||||
|
.. code-block:: shell-session
|
||||||
|
|
||||||
|
# cd /opt/openstack-ansible/playbooks
|
||||||
|
# openstack-ansible os-neutron-install.yml
|
||||||
|
|
||||||
|
#. Execute the Horizon install playbook in order to update the Horizon
|
||||||
|
configuration to show the FWaaS panels:
|
||||||
|
|
||||||
|
.. code-block:: shell-session
|
||||||
|
|
||||||
|
# cd /opt/openstack-ansible/playbooks
|
||||||
|
# openstack-ansible os-horizon-install.yml
|
||||||
|
|
||||||
|
The FWaaS default configuration options may be changed through the
|
||||||
|
`conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
|
||||||
|
dict.
|
||||||
|
|
||||||
|
.. _conf override: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html
|
||||||
|
|
||||||
|
--------------
|
||||||
|
|
||||||
|
.. include:: navigation.txt
|
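Review bot: The second list item ("The complete `neutron_plugin_base`, at the time of this writing, is as follows:") is numbered with `#.` like the procedure steps but describes no action, and it marks the variable with single backticks where the rest of the file uses double backticks for literals such as ``firewall``. Suggest folding it into step 1 as a note saying that the override replaces the default list, so the other plugins still in use must be carried over; that also makes it less likely that the `- ...` placeholder in the first YAML block is pasted literally. A hard-coded copy of the default list will drift over time, so pointing at where the default is defined would age better than "at the time of this writing".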
@ -21,6 +21,7 @@ Chapter 4. Deployment configuration
|
|||||||
configure-aodh.rst
|
configure-aodh.rst
|
||||||
configure-keystone.rst
|
configure-keystone.rst
|
||||||
configure-lbaas.rst
|
configure-lbaas.rst
|
||||||
|
configure-fwaas.rst
|
||||||
configure-openstack.rst
|
configure-openstack.rst
|
||||||
configure-sslcertificates.rst
|
configure-sslcertificates.rst
|
||||||
configure-configurationintegrity.rst
|
configure-configurationintegrity.rst
|
||||||
|
@ -229,6 +229,7 @@ horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is de
|
|||||||
# LBaaS panels are working only for LBaaS v1 at this time.
|
# LBaaS panels are working only for LBaaS v1 at this time.
|
||||||
#TODO(odyssey4me): Remove the classpath from this conditional in the Newton cycle.
|
#TODO(odyssey4me): Remove the classpath from this conditional in the Newton cycle.
|
||||||
horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and ('lbaas' in neutron_plugin_base or 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin' in neutron_plugin_base) %}True{% else %}False{% endif %}"
|
horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and ('lbaas' in neutron_plugin_base or 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin' in neutron_plugin_base) %}True{% else %}False{% endif %}"
|
||||||
|
horizon_enable_neutron_fwaas: "{% if neutron_plugin_base is defined and 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
|
||||||
horizon_rabbitmq_userid: horizon
|
horizon_rabbitmq_userid: horizon
|
||||||
horizon_rabbitmq_vhost: /horizon
|
horizon_rabbitmq_vhost: /horizon
|
||||||
|
|
||||||
|
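Review bot: The added `horizon_enable_neutron_fwaas` conditional matches only the short alias `'firewall'`, while the `horizon_enable_neutron_lbaas` line directly above it also accepts the full plugin classpath. A deployment that lists the FWaaS plugin by classpath in `neutron_plugin_base` would get the service in Neutron but no panel in Horizon. If that is deliberate given the TODO about dropping the classpath in the Newton cycle, state it in a comment above the new line or in configure-fwaas.rst; otherwise add the classpath alternative to the condition so both variables behave the same way.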
15
releasenotes/notes/neutron-fwaas-5c7c6508f2cc05c3.yaml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- Neutron Firewall as a Service (FWaaS) can now optionally be deployed and
|
||||||
|
configured. Please see the `FWaaS Configuration Reference
|
||||||
|
<http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview>`_
|
||||||
|
for details about the what the service is and what it provides. See the
|
||||||
|
`FWaaS Install Guide <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-fwaas.html>`_
|
||||||
|
for implementation details.
|
||||||
|
upgrade:
|
||||||
|
- Database migration tasks have been added for the FWaaS neutron plugin.
|
||||||
|
security:
|
||||||
|
- When enabled, Neutron Firewall as a Service (FWaaS) provides projects the
|
||||||
|
option to implement perimeter security (filtering at the router), adding to
|
||||||
|
filtering at the instance interfaces which is provided by 'Security
|
||||||
|
Groups'.
|
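Review bot: In the `features` entry, "for details about the what the service is" has a stray "the" and should read "for details about what the service is". The `upgrade` entry also says database migration tasks "have been added", but no such tasks appear in this diff, so it would help to say where they come from (the Depends-On changes, if that is the case) and whether they run only when `firewall` is in `neutron_plugin_base`. The `security` entry could add that the service is optional and off unless the deployer enables it, so that readers do not assume perimeter filtering is in place by default.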