Add support for Neutron FWaaS v2

This patch adds support for deploying Neutron FWaaS v2 with OpenStack Ansible Change-Id: I2eae414fba7ddfac44ad6f5125e08740dc7a80a2
2016-10-18 13:11:56 +00:00 · 2016-10-18 13:11:56 +00:00 · 7c64d5ea8e
commit 7c64d5ea8e
parent 213137468a
8 changed files with 95 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -243,7 +243,7 @@ neutron_notifications_designate: notifications_designate
 # Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.
 # neutron_plugin_base:
 #   - router
-#   - firewall
+#   - firewall/firewall_v2 either one or the other, not both
 #   - lbaas
 #   - neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
 #   - neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin
--- a/doc/source/configure-network-services.rst
+++ b/doc/source/configure-network-services.rst
@ -29,6 +29,9 @@ Firewall service (optional)
 The following procedure describes how to modify the
 ``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS.
 Deploying FWaaS v1
 ------------------
 #. Override the default list of neutron plugins to include
   ``firewall``:
@ -68,6 +71,43 @@ The FWaaS default configuration options may be changed through the
 `conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
 dict.
 Deploying FWaaS v2
 ------------------
 FWaaS v2 is the next generation Neutron firewall service and will provide
 a rich set of APIs for securing OpenStack networks. It is still under
 active development.
 Refer to the `FWaaS 2.0 API specification
 <https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html>`_
 for more information on these FWaaS v2 features
 Follow the steps below to deploy FWaaS v2:
 .. note::
    FWaaS v1 and v2 cannot be deployed simultaneously.
 #. Add the FWaaS v2 plugin to the ``neutron_plugin_base`` variable
   in ``/etc/openstack_deploy/user_variables.yml``:
   .. code-block:: yaml
      neutron_plugin_base:
        - router
        - metering
        - firewall_v2
   Ensure that ``neutron_plugin_base`` includes all of the plugins that you
   want to deploy with neutron in addition to the firewall_v2 plugin.
 #. Run the neutron playbook to deploy the FWaaS v2 service plugin
   .. code-block:: console
       # cd /opt/openstack-ansible/playbooks
       # openstack-ansible os-neutron-install.yml
 Load balancing service (optional)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
+++ b/releasenotes/notes/fwaasv2-added-ab9ba18c8b98a83e.yaml
@ -0,0 +1,4 @@
 ---
 features:
  - FWaaS V2 has been added to neutron. To enable this service simply add
    "firewall_v2" to the "neutron_plugin_base" list.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -13,6 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 - include: neutron_check.yml
 - name: Gather variables for each operating system
  include_vars: "{{ item }}"
  with_first_found:
--- a/tasks/neutron_check.yml
+++ b/tasks/neutron_check.yml
@ -0,0 +1,23 @@
 ---
 # Copyright 2016
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 - name: Ensure FWaaS v1 and v2 are not enabled simultaneously
  fail:
    message: |
      FWaaS v1 and v2 cannot be enabled at the same time.
      Verify that your neutron_plugin_base variable is correct.
  when:
    - neutron_fwaas | bool
    - neutron_fwaas_v2 | bool
--- a/templates/l3_agent.ini.j2
+++ b/templates/l3_agent.ini.j2
@ -27,3 +27,25 @@ send_arp_for_ha = 3
 # Metadata
 enable_metadata_proxy = True
 {% if neutron_fwaas | bool %}
 [fwaas]
 enabled = true
 driver = iptables
 agent_version = v1
 [AGENT]
 extensions = fwaas
 {% elif neutron_fwaas_v2 | bool %}
 [fwaas]
 enabled = true
 driver = iptables_v2
 agent_version = v2
 [AGENT]
 extensions = fwaas_v2
 {% endif %}
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -206,12 +206,6 @@ auth_version = 3
 {% endif %}
 {% if neutron_fwaas | bool %}
 [fwaas]
 enabled = true
 driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
 {% endif %}
 # Agent
 [agent]
 polling_interval = {{ neutron_agent_polling_interval|default(5) }}
@ -241,5 +235,3 @@ transport_url = rabbit://{% for host in neutron_rabbitmq_telemetry_servers.split
 # Concurrency (locking mechanisms)
 [oslo_concurrency]
 lock_path = {{ neutron_lock_path }}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -265,7 +265,8 @@ neutron_metadata: "{% if neutron_plugin_type.split('.')[0] == 'ml2' %}True{% els
 ###
 # Please add the 'firewall' to the neutron_plugin_base list
-neutron_fwaas: "{% if 'firewall' in neutron_plugin_base %}True{% else %}False{% endif %}"
+neutron_fwaas: "{{ 'firewall' in neutron_plugin_base | ternary('True', 'False') }}"
 neutron_fwaas_v2: "{{ 'firewall_v2' in neutron_plugin_base | ternary('True', 'False') }}"
 ###
 ### LBaaS Plugin Configuration