From e9232360012012360c5177cac59cca12553faad8 Mon Sep 17 00:00:00 2001
From: Florian LEDUC
Date: Thu, 2 Jan 2020 14:14:10 +0100
Subject: [PATCH] Add ability to use the Neutron packet logging framework
* Enables the Neutron packet logging framework for OVS (https://docs.openstack.org/neutron/latest/admin/config-logging.html).
* Adds a toggle variable "enable_neutron_packet_logging"
Change-Id: Ica3594cdac634b496949a06ed813dccd18090af4
Implements: blueprint neutron-log-service-plugin
---
 ansible/group_vars/all.yml | 1 +
 ansible/roles/neutron/defaults/main.yml | 4 ++
 .../networking/neutron-extensions.rst | 48 +++++++++++++++++++
 etc/kolla/globals.yml | 4 ++
 ...n-log-service-plugin-049ce93906386435.yaml | 5 ++
 5 files changed, 62 insertions(+)
 create mode 100644 releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 360117927f..bb713fe0dd 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -657,6 +657,7 @@ enable_neutron_agent_ha: "no"
 enable_neutron_bgp_dragent: "no"
 enable_neutron_provider_networks: "no"
 enable_neutron_segments: "no"
+enable_neutron_packet_logging: "no"
 enable_neutron_sfc: "no"
 enable_neutron_trunk: "no"
 enable_neutron_metering: "no"
diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml
index f449844f57..5d9252b4d4 100644
--- a/ansible/roles/neutron/defaults/main.yml
+++ b/ansible/roles/neutron/defaults/main.yml
@@ -628,6 +628,8 @@ service_plugins:
 enabled: "{{ enable_neutron_port_forwarding | bool }}"
 - name: "ovn-router"
 enabled: "{{ neutron_plugin_agent == 'ovn' }}"
+ - name: "log"
+ enabled: "{{ enable_neutron_packet_logging | bool }}"
 neutron_service_plugins: "{{ service_plugins | selectattr('enabled', 'equalto', true) | list }}"
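Review bot: The `log` service plugin is switched on by `enable_neutron_packet_logging` alone, with no check that the deployment can support it; the documentation hunk in this same commit says OVS deployments must first set `[security_group] firewall_driver = openvswitch`, and nothing in the role asserts that or gates the entry on `neutron_plugin_agent`. The matching `log` agent extension added in the `agent_extensions` hunk (@@ -654) has the same gap. A precheck that fails early when the toggle is set without the required driver would turn a silent agent-side failure into a clear deployment error; at minimum the entry could carry a comment such as `# Requires the openvswitch firewall driver on OVS deployments; see doc/source/reference/networking/neutron-extensions.rst`. The `service_plugins` list begins before this hunk.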
@@ -654,6 +656,8 @@ agent_extensions:
 enabled: "{{ enable_neutron_sfc | bool }}"
 - name: "fdb"
 enabled: "{{ enable_neutron_sriov | bool }}"
+ - name: "log"
+ enabled: "{{ enable_neutron_packet_logging | bool }}"
 neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}"
diff --git a/doc/source/reference/networking/neutron-extensions.rst b/doc/source/reference/networking/neutron-extensions.rst
index 33b9262811..3a66333bd3 100644
--- a/doc/source/reference/networking/neutron-extensions.rst
+++ b/doc/source/reference/networking/neutron-extensions.rst
@@ -91,3 +91,51 @@ Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
 .. code-block:: yaml
 enable_neutron_trunk: "yes"
+
+Neutron Logging Framework
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Preparation and deployment
+--------------------------
+
+Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
+
+.. code-block:: yaml
+
+ enable_neutron_packet_logging: "yes"
+
+For OVS deployment, you need to override the firewall driver in
+`openvswitch_agent.ini` to:
+
+.. code-block:: ini
+
+ [security_group]
+ firewall_driver = openvswitch
+
+Verification
+------------
+
+Verify that loggable resources are properly registered:
+
+.. code-block:: console
+
+ # openstack network loggable resources list
+ +-----------------+
+ | Supported types |
+ +-----------------+
+ | security_group |
+ +-----------------+
+
+The output shows security groups logging is now enabled.
+
+You may now create a network logging rule to log all events based on a
+security group object:
+
+.. code-block:: console
+
+ # openstack network log create --resource-type security_group \
+ --description "Collecting all security events" \
+ --event ALL Log_Created
+
+More examples and information can be found at:
+https://docs.openstack.org/neutron/latest/admin/config-logging.html
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 3a4ea5c17a..5b67bfa4ef 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -150,6 +150,10 @@
 # Neutron rolling upgrade were enable by default
 #neutron_enable_rolling_upgrade: "yes"
+# Configure neutron logging framework to log ingress/egress connections to instances
+# for security groups rules. More information can be found here:
+# https://docs.openstack.org/neutron/latest/admin/config-logging.html
+#enable_neutron_packet_logging: "no"
 ####################
 # keepalived options
diff --git a/releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml b/releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml
new file mode 100644
index 0000000000..119fe1986f
--- /dev/null
+++ b/releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ -
+ Add ability to use and enable the neutron packet logging
+ framework.
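Review bot: The new comment block above `#enable_neutron_packet_logging` describes what the toggle does but leaves out the prerequisite the rest of this commit documents: on OVS deployments the framework only works with the `openvswitch` firewall driver, which an operator reading only `globals.yml` will not learn. Suggest extending the comment with a line such as `# On OVS deployments this requires firewall_driver = openvswitch in openvswitch_agent.ini.` It would also be worth pointing out that the linked page describes the agent-side `[network_log]` rate and burst limits, since logging every security-group event can produce a high volume of agent log output on busy compute hosts and those limits are the control for it.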