Information about: - What we do about firewalling (i.e.: NOTHING) - How could deployer know what to do (i.e.: RTfancyManual) - How is the haproxy configuration generated in case someone wants to use a similar things for its firewalling. Change-Id: Ied5c1baa54f257639537942fabcc2f367c1651d8
2.0 KiB
Firewalls
OpenStack-Ansible does not configure firewalling for its infrastructure. It is up to the deployer to define the perimeter and its firewalling configuration.
By default, OpenStack-Ansible relies on Ansible SSH connections, and needs the TCP port 22 to be opened on all hosts internally.
For more information on generic OpenStack firewalling, see the OpenStack default port documentation
You can find in each of the role's respective documentatione, the default variables for the ports used within the scope of the role. Reviewing the documentation allow you to find the variable names if you want to use a different port.
Note
OpenStack-Ansible's group vars conveniently expose the vars outside of the role scope in case you are relying on the OpenStack-Ansible groups to configure your firewall.
Finding ports for your external load balancer
As explained in the previous section, you can find (in each role documentation) the default variables used for the public interface endpoint ports.
For example, the os_glance
documentation lists the variable
glance_service_publicuri
. This contains the port used for
the reaching the service externally. In this example, it is equal to to
glance_service_port
, whose value is 9292.
As a hint, you could find the whole list of public URI defaults by executing the following:
cd /etc/ansible/roles
grep -R -e publicuri -e port *
Note
Haproxy
can be configured with OpenStack-Ansible. The automatically generated
/etc/haproxy/haproxy.cfg
file have enough information on
the ports to open for your environment.