Add ability to use the Neutron packet logging framework

* Enables the Neutron packet logging framework for OVS (https://docs.openstack.org/neutron/latest/admin/config-logging.html). * Adds a toggle variable "enable_neutron_packet_logging" Change-Id: Ica3594cdac634b496949a06ed813dccd18090af4 Implements: blueprint neutron-log-service-plugin
2020-01-02 14:14:10 +01:00 · 2020-01-02 14:14:10 +01:00 · e923236001
commit e923236001
parent 35488ecc4b
5 changed files with 62 additions and 0 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -657,6 +657,7 @@ enable_neutron_agent_ha: "no"
 enable_neutron_bgp_dragent: "no"
 enable_neutron_provider_networks: "no"
 enable_neutron_segments: "no"
+enable_neutron_packet_logging: "no"
 enable_neutron_sfc: "no"
 enable_neutron_trunk: "no"
 enable_neutron_metering: "no"
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@ -628,6 +628,8 @@ service_plugins:
    enabled: "{{ enable_neutron_port_forwarding | bool }}"
  - name: "ovn-router"
    enabled: "{{ neutron_plugin_agent == 'ovn' }}"
+  - name: "log"
+    enabled: "{{ enable_neutron_packet_logging | bool }}"

 neutron_service_plugins: "{{ service_plugins | selectattr('enabled', 'equalto', true) | list }}"

@ -654,6 +656,8 @@ agent_extensions:
    enabled: "{{ enable_neutron_sfc | bool }}"
  - name: "fdb"
    enabled: "{{ enable_neutron_sriov | bool }}"
+  - name: "log"
+    enabled: "{{ enable_neutron_packet_logging | bool }}"

 neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}"

--- a/doc/source/reference/networking/neutron-extensions.rst
+++ b/doc/source/reference/networking/neutron-extensions.rst
@ -91,3 +91,51 @@ Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
 .. code-block:: yaml

   enable_neutron_trunk: "yes"
+
+Neutron Logging Framework
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Preparation and deployment
+--------------------------
+
+Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
+
+.. code-block:: yaml
+
+   enable_neutron_packet_logging: "yes"
+
+For OVS deployment, you need to override the firewall driver in
+`openvswitch_agent.ini` to:
+
+.. code-block:: ini
+
+   [security_group]
+   firewall_driver = openvswitch
+
+Verification
+------------
+
+Verify that loggable resources are properly registered:
+
+.. code-block:: console
+
+   # openstack network loggable resources list
+   +-----------------+
+   | Supported types |
+   +-----------------+
+   | security_group  |
+   +-----------------+
+
+The output shows security groups logging is now enabled.
+
+You may now create a network logging rule to log all events based on a
+security group object:
+
+.. code-block:: console
+
+   # openstack network log create --resource-type security_group \
+   --description "Collecting all security events" \
+   --event ALL Log_Created
+
+More examples and information can be found at:
+https://docs.openstack.org/neutron/latest/admin/config-logging.html
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -150,6 +150,10 @@
 # Neutron rolling upgrade were enable by default
 #neutron_enable_rolling_upgrade: "yes"

+# Configure neutron logging framework to log ingress/egress connections to instances
+# for security groups rules. More information can be found here:
+# https://docs.openstack.org/neutron/latest/admin/config-logging.html
+#enable_neutron_packet_logging: "no"

 ####################
 # keepalived options
--- a/releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml
+++ b/releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml
@ -0,0 +1,5 @@
+---
+features:
+  -
+    Add ability to use and enable the neutron packet logging
+    framework.