openstack-ansible/doc/source/draft-operations-guide/maintenance-tasks/firewalls.rst
Jean-Philippe Evrard aa459b331d [Docs] Firewall guide
Information about:
- What we do about firewalling (i.e.: NOTHING)
- How could deployer know what to do (i.e.: RTfancyManual)
- How is the haproxy configuration generated in case someone
wants to use a similar things for its firewalling.

Change-Id: Ied5c1baa54f257639537942fabcc2f367c1651d8
2017-04-05 15:14:59 +00:00

56 lines
2.0 KiB
ReStructuredText

=========
Firewalls
=========
OpenStack-Ansible does not configure firewalling for its
infrastructure. It is up to the deployer to define the perimeter
and its firewalling configuration.
By default, OpenStack-Ansible relies on Ansible SSH connections,
and needs the TCP port 22 to be opened on all hosts
internally.
For more information on generic OpenStack firewalling, see the
`OpenStack default port documentation <https://docs.openstack.org/newton/config-reference/firewalls-default-ports.html>`_
You can find in each of the role's respective documentatione, the
default variables for the ports used within the scope of the role.
Reviewing the documentation allow you to find the variable names
if you want to use a different port.
.. note:: OpenStack-Ansible's group vars conveniently expose the vars outside of the
`role scope <https://github.com/openstack/openstack-ansible/blob/master/playbooks/inventory/group_vars/all.yml>`_
in case you are relying on the OpenStack-Ansible groups to
configure your firewall.
Finding ports for your external load balancer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As explained in the previous section, you can find (in each role
documentation) the default variables used for the public
interface endpoint ports.
For example, the
`os_glance documentation <https://docs.openstack.org/developer/openstack-ansible-os_glance/#default-variables>`_
lists the variable ``glance_service_publicuri``. This contains
the port used for the reaching the service externally. In
this example, it is equal to to ``glance_service_port``, whose
value is 9292.
As a hint, you could find the whole list of public URI defaults
by executing the following:
.. code::
cd /etc/ansible/roles
grep -R -e publicuri -e port *
.. note::
`Haproxy <https://github.com/openstack/openstack-ansible/blob/master/playbooks/vars/configs/haproxy_config.yml>`_
can be configured with OpenStack-Ansible.
The automatically generated ``/etc/haproxy/haproxy.cfg`` file have
enough information on the ports to open for your environment.