[Docs] Firewall guide
Information about:

- What we do about firewalling (i.e.: NOTHING)
- How could deployer know what to do (i.e.: RTfancyManual)
- How is the haproxy configuration generated in case someone wants to use a similar thing for its firewalling.

Change-Id: Ied5c1baa54f257639537942fabcc2f367c1651d8
parent 337fb6b004
commit aa459b331d
@ -2,13 +2,54 @@
|
|||||||
Firewalls
|
Firewalls
|
||||||
=========
|
=========
|
||||||
|
|
||||||
This is a draft backups page for the proposed OpenStack-Ansible
|
|
||||||
operations guide.
|
|
||||||
|
|
||||||
.. TODO Describe general approaches to adding firewalls to OSA infrastructure.
|
OpenStack-Ansible does not configure firewalling for its
|
||||||
|
infrastructure. It is up to the deployer to define the perimeter
|
||||||
|
and its firewalling configuration.
|
||||||
|
|
||||||
Finding ports used by an external IP address
|
By default, OpenStack-Ansible relies on Ansible SSH connections,
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
and needs the TCP port 22 to be opened on all hosts
|
||||||
|
internally.
|
||||||
|
|
||||||
|
For more information on generic OpenStack firewalling, see the
|
||||||
|
`OpenStack default port documentation <https://docs.openstack.org/newton/config-reference/firewalls-default-ports.html>`_
|
||||||
|
|
||||||
|
You can find in each of the role's respective documentatione, the
|
||||||
|
default variables for the ports used within the scope of the role.
|
||||||
|
Reviewing the documentation allow you to find the variable names
|
||||||
|
if you want to use a different port.
|
||||||
|
|
||||||
|
.. note:: OpenStack-Ansible's group vars conveniently expose the vars outside of the
|
||||||
|
`role scope <https://github.com/openstack/openstack-ansible/blob/master/playbooks/inventory/group_vars/all.yml>`_
|
||||||
|
in case you are relying on the OpenStack-Ansible groups to
|
||||||
|
configure your firewall.
|
||||||
|
|
||||||
|
Finding ports for your external load balancer
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
As explained in the previous section, you can find (in each role
|
||||||
|
documentation) the default variables used for the public
|
||||||
|
interface endpoint ports.
|
||||||
|
|
||||||
|
For example, the
|
||||||
|
`os_glance documentation <https://docs.openstack.org/developer/openstack-ansible-os_glance/#default-variables>`_
|
||||||
|
lists the variable ``glance_service_publicuri``. This contains
|
||||||
|
the port used for the reaching the service externally. In
|
||||||
|
this example, it is equal to to ``glance_service_port``, whose
|
||||||
|
value is 9292.
|
||||||
|
|
||||||
|
As a hint, you could find the whole list of public URI defaults
|
||||||
|
by executing the following:
|
||||||
|
|
||||||
|
.. code::
|
||||||
|
|
||||||
|
cd /etc/ansible/roles
|
||||||
|
grep -R -e publicuri -e port *
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
`Haproxy <https://github.com/openstack/openstack-ansible/blob/master/playbooks/vars/configs/haproxy_config.yml>`_
|
||||||
|
can be configured with OpenStack-Ansible.
|
||||||
|
The automatically generated ``/etc/haproxy/haproxy.cfg`` file have
|
||||||
|
enough information on the ports to open for your environment.
|
||||||
|
|
||||||
.. TODO explain how to find the ports used by the external IP
|
|
||||||
(whether you deploy haproxy or not), and what are the default ports
|
|
||||||
|
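Review bot: the "grep -R -e publicuri -e port *" command in the added code block matches every line containing the substring "port", so when run from /etc/ansible/roles it also returns words such as "support" and "import" in tasks, templates and docs, which buries the public URI defaults the paragraph promises to list. Consider restricting the search to the role defaults, for example "grep -R -e publicuri -e _port */defaults/". In the same hunk, the SSH paragraph says TCP port 22 must be opened "on all hosts internally" without saying where the Ansible SSH connections originate; naming the source would let a deployer write a narrower rule than allowing port 22 between all hosts. Wording nits in the added lines: "documentatione", "Reviewing the documentation allow", "for the reaching the service", "equal to to" and "file have".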