Add ability to use the Neutron packet logging framework

* Enables the Neutron packet logging framework for OVS
(https://docs.openstack.org/neutron/latest/admin/config-logging.html).
* Adds a toggle variable "enable_neutron_packet_logging"

Change-Id: Ica3594cdac634b496949a06ed813dccd18090af4
Implements: blueprint neutron-log-service-plugin

ansible/group_vars/all.yml

@@ -657,6 +657,7 @@ enable_neutron_agent_ha: "no"
 enable_neutron_bgp_dragent: "no"
 enable_neutron_provider_networks: "no"
 enable_neutron_segments: "no"
+enable_neutron_packet_logging: "no"
 enable_neutron_sfc: "no"
 enable_neutron_trunk: "no"
 enable_neutron_metering: "no"

ansible/roles/neutron/defaults/main.yml

@@ -628,6 +628,8 @@ service_plugins:
     enabled: "{{ enable_neutron_port_forwarding | bool }}"
   - name: "ovn-router"
     enabled: "{{ neutron_plugin_agent == 'ovn' }}"
+  - name: "log"
+    enabled: "{{ enable_neutron_packet_logging | bool }}"
 
 neutron_service_plugins: "{{ service_plugins | selectattr('enabled', 'equalto', true) | list }}"
 
@@ -654,6 +656,8 @@ agent_extensions:
     enabled: "{{ enable_neutron_sfc | bool }}"
   - name: "fdb"
     enabled: "{{ enable_neutron_sriov | bool }}"
+  - name: "log"
+    enabled: "{{ enable_neutron_packet_logging | bool }}"
 
 neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}"
 

doc/source/reference/networking/neutron-extensions.rst

@@ -91,3 +91,51 @@ Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
 .. code-block:: yaml
 
    enable_neutron_trunk: "yes"
+
+Neutron Logging Framework
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Preparation and deployment
+--------------------------
+
+Modify the ``/etc/kolla/globals.yml`` file as the following example shows:
+
+.. code-block:: yaml
+
+   enable_neutron_packet_logging: "yes"
+
+For OVS deployment, you need to override the firewall driver in
+`openvswitch_agent.ini` to:
+
+.. code-block:: ini
+
+   [security_group]
+   firewall_driver = openvswitch
+
+Verification
+------------
+
+Verify that loggable resources are properly registered:
+
+.. code-block:: console
+
+   # openstack network loggable resources list
+   +-----------------+
+   | Supported types |
+   +-----------------+
+   | security_group  |
+   +-----------------+
+
+The output shows security groups logging is now enabled.
+
+You may now create a network logging rule to log all events based on a
+security group object:
+
+.. code-block:: console
+
+   # openstack network log create --resource-type security_group \
+   --description "Collecting all security events" \
+   --event ALL Log_Created
+
+More examples and information can be found at:
+https://docs.openstack.org/neutron/latest/admin/config-logging.html

etc/kolla/globals.yml

@@ -150,6 +150,10 @@
 # Neutron rolling upgrade were enable by default
 #neutron_enable_rolling_upgrade: "yes"
 
+# Configure neutron logging framework to log ingress/egress connections to instances
+# for security groups rules. More information can be found here:
+# https://docs.openstack.org/neutron/latest/admin/config-logging.html
+#enable_neutron_packet_logging: "no"
 
 ####################
 # keepalived options

releasenotes/notes/neutron-log-service-plugin-049ce93906386435.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  -
+    Add ability to use and enable the neutron packet logging
+    framework.