aa459b331d
Information about: - What we do about firewalling (i.e.: NOTHING) - How could deployer know what to do (i.e.: RTfancyManual) - How is the haproxy configuration generated in case someone wants to use a similar things for its firewalling. Change-Id: Ied5c1baa54f257639537942fabcc2f367c1651d8
56 lines
2.0 KiB
ReStructuredText
56 lines
2.0 KiB
ReStructuredText
=========
|
|
Firewalls
|
|
=========
|
|
|
|
|
|
OpenStack-Ansible does not configure firewalling for its
|
|
infrastructure. It is up to the deployer to define the perimeter
|
|
and its firewalling configuration.
|
|
|
|
By default, OpenStack-Ansible relies on Ansible SSH connections,
|
|
and needs the TCP port 22 to be opened on all hosts
|
|
internally.
|
|
|
|
For more information on generic OpenStack firewalling, see the
|
|
`OpenStack default port documentation <https://docs.openstack.org/newton/config-reference/firewalls-default-ports.html>`_
|
|
|
|
You can find in each of the role's respective documentatione, the
|
|
default variables for the ports used within the scope of the role.
|
|
Reviewing the documentation allow you to find the variable names
|
|
if you want to use a different port.
|
|
|
|
.. note:: OpenStack-Ansible's group vars conveniently expose the vars outside of the
|
|
`role scope <https://github.com/openstack/openstack-ansible/blob/master/playbooks/inventory/group_vars/all.yml>`_
|
|
in case you are relying on the OpenStack-Ansible groups to
|
|
configure your firewall.
|
|
|
|
Finding ports for your external load balancer
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
As explained in the previous section, you can find (in each role
|
|
documentation) the default variables used for the public
|
|
interface endpoint ports.
|
|
|
|
For example, the
|
|
`os_glance documentation <https://docs.openstack.org/developer/openstack-ansible-os_glance/#default-variables>`_
|
|
lists the variable ``glance_service_publicuri``. This contains
|
|
the port used for the reaching the service externally. In
|
|
this example, it is equal to to ``glance_service_port``, whose
|
|
value is 9292.
|
|
|
|
As a hint, you could find the whole list of public URI defaults
|
|
by executing the following:
|
|
|
|
.. code::
|
|
|
|
cd /etc/ansible/roles
|
|
grep -R -e publicuri -e port *
|
|
|
|
.. note::
|
|
|
|
`Haproxy <https://github.com/openstack/openstack-ansible/blob/master/playbooks/vars/configs/haproxy_config.yml>`_
|
|
can be configured with OpenStack-Ansible.
|
|
The automatically generated ``/etc/haproxy/haproxy.cfg`` file have
|
|
enough information on the ports to open for your environment.
|
|
|