Add ssh tunneling for TripleO-UI

Add a systemd service that tunnels traffic between the virthost and the
undercloud.  We forward ports for the UI itself, and a few other Openstack
services, like Keystone, Heat, Mistral, etc.

This requires a change that sets up the tripleo-ui javascript
config with the proper settings and restarts the httpd service
https://gist.github.com/weshayutin/0af348fafd70cb56c96d6856f073d79b
Completed this change in Ie9d3e7d12c420b9b65c25692435c0457f1233a27

Access to the TripleO-UI is available from http://virthost:3000

Author:    Honza Pokorny <honza@redhat.com>
Co-Authored-By: Wes Hayutin <weshayutin@gmail.com>

Change-Id: Id53c5bd7f199c64bc9cb37df7e63f27c4673f415

config/environments/default_libvirt.yml

@@ -1 +1,8 @@
 environment_type: libvirt
+
+# This allows one to browse to the tripleo-ui on the undercloud
+# This is only required in libvirt based deployments
+enable_port_forward_for_tripleo_ui: true
+# Setup for SSL access to the tripleo-ui.
+# Please consult the tripleo-quickstart documentation prior to enabling this option
+tripleo_ui_secure_access: false

doc/source/accessing-overcloud.rst

@@ -85,6 +85,27 @@ that would look something like this::
     $ curl --socks5-hostname localhost:1080 http://overcloud.localdomain:5000/
     {"versions": {"values": [{"status": "stable", "updated": "2016-04-04T00:00:00Z",...
 
+Access to the overclouds horizon web interface
+----------------------------------------------
+
+With baremetal and ovb based deployments you can access horizon via the
+overclouds's controller public ip address http://<controller_ip>:80
+
+Deploying TripleO in a libvirt based environment presents an additional
+challenge of access the isolated ovs networks on the undercloud. By default
+an ssh-tunnel service has been setup on the virthost with the tripleo-quickstart
+for libvirt deployments.  Access horizon with the following.
+
+From the localhost::
+
+    http://<virthost>:8181
+
+Overcloud with SSL enabled
+
+    http://<virthost>:8443
+
+
+
 Using Firefox
 ^^^^^^^^^^^^^
 

doc/source/accessing-undercloud.rst

@@ -3,6 +3,9 @@
 Accessing the Undercloud
 ========================
 
+Access via the CLI
+-------------------
+
 When your deployment is complete, you will find a file named
 ``ssh.config.ansible`` located inside your ``local_working_dir`` (which
 defaults to ``$HOME/.quickstart``). This file contains configuration
@@ -40,3 +43,27 @@ the overcloud::
     | 6  | nova-conductor   | overcloud-controller-0              | internal | ...
     | 7  | nova-compute     | overcloud-novacompute-0.localdomain | nova     | ...
     +----+------------------+-------------------------------------+----------+-...
+
+Access via the TripleO-UI
+-------------------------
+
+With baremetal and ovb based deployments you can access the TripleO-UI via the
+undercloud's public ip address http://<virthost>:3000
+
+Deploying TripleO in a libvirt based environment presents the additional
+challenge of accessing the isolated ovs networks on the undercloud. By default
+an ssh-tunnel service has been setup on the virthost by the tripleo-quickstart
+`enable_port_forward_for_tripleo_ui` variable.  Access the TripleO-UI with the following.
+
+From your workstation::
+
+    http://<virthost>:3000
+
+By default an insecure connection the undercloud services has been configured
+in the /var/www/openstack-tripleo-ui-/dist/tripleo_ui_config.js file.  To use
+ssl connections change the default variable ``tripleo_ui_secure_access`` to true.
+
+    Note:: When using ssl a user must manually allow access due to the self
+    signed ssl certificate by accepting access to https://<virthost>/keystone/v3/auth/tokens
+    in a new browser window or tab.  Then one may return to http://virthost:3000
+    and continue.

roles/common/defaults/main.yml

@@ -142,6 +142,7 @@ networks:
     bridge:  brovc
 
 #Enable network isolation with single-nic-vlans for virtualized deployments
+undercloud_network_cidr: 192.168.24.0/24
 undercloud_external_network_cidr: 10.0.0.1/24
 undercloud_external_network_cidr6: 2001:db8:fd00:1000::1/64
 undercloud_networks:
@@ -204,3 +205,7 @@ libvirt_uri: qemu:///session
 # that they have sufficient privileges to connect to ovs bridges.
 non_root_chown: false
 
+# Enable port forwarding for tripleo-ui access
+# It is safe to mark this as default true as it only runs on a virthost
+# This variable is set to true in config/environments/default_libvirt.yml
+enable_port_forward_for_tripleo_ui: false

roles/libvirt/setup/undercloud/defaults/main.yml

@@ -4,3 +4,6 @@ gating_repo_enabled: true
 undercloud_use_custom_boot_images: false
 undercloud_custom_vmlinuz: "{{ working_dir }}/overcloud-full.vmlinuz"
 undercloud_custom_initrd: "{{ working_dir }}/overcloud-full.initrd"
+
+ssh_tunnel_service_file: ssh-tunnel.service.j2
+ssh_tunnel_target_ip: "{{ undercloud_network_cidr|nthhost(1) }}"

roles/libvirt/setup/undercloud/tasks/main.yml

@@ -335,3 +335,50 @@
   template:
     src: ssh.config.j2
     dest: "{{ local_working_dir }}/ssh.config.ansible"
+
+- when: enable_port_forward_for_tripleo_ui|bool
+  block:
+
+# TO-DO weshayutin
+# In the upcoming release of ansible 2.4 this should be moved to
+# iptables_raw
+#  - name: ensure the required tcp ports are open on the virthost
+  - iptables:
+      table: filter
+      chain: IN_public_allow
+      protocol: tcp
+      match: tcp
+      ctstate: NEW
+      jump: ACCEPT
+      destination_port: "{{ item }}"
+    become: true
+    with_items:
+      - 6385
+      - 5000
+      - 8004
+      - 8080
+      - 9000
+      - 8989
+      - 8774
+      - 3000
+      - 8181
+      - 8443
+      - 443
+
+  - name: Create ssh tunnel systemd service
+    template:
+      src: "{{ ssh_tunnel_service_file }}"
+      dest: "/etc/systemd/system/ssh-tunnel.service"
+      mode: 0755
+    become: true
+
+  - name: reload the systemctl daemon after file update
+    shell: systemctl daemon-reload
+    become: true
+
+  - name: Enable ssh tunnel service
+    service:
+      name: ssh-tunnel
+      enabled: true
+      state: restarted
+    become: true

roles/libvirt/setup/undercloud/templates/ssh-tunnel.service.j2

@@ -0,0 +1,30 @@
+[Unit]
+Description=Set up ssh tunneling for TripleO
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/ssh -NT -o \
+   ServerAliveInterval=60 -o \
+   UserKnownHostsFile=/dev/null -o \
+   StrictHostKeyChecking=no -o \
+   ExitOnForwardFailure=no -i \
+   /home/{{ ssh_user }}/id_rsa_undercloud {{ ssh_user }}@{{ undercloud_ip }} \
+   -L 0.0.0.0:6385:{{ ssh_tunnel_target_ip }}:6385 \
+   -L 0.0.0.0:5000:{{ ssh_tunnel_target_ip }}:5000 \
+   -L 0.0.0.0:8004:{{ ssh_tunnel_target_ip }}:8004 \
+   -L 0.0.0.0:8080:{{ ssh_tunnel_target_ip }}:8080 \
+   -L 0.0.0.0:9000:{{ ssh_tunnel_target_ip }}:9000 \
+   -L 0.0.0.0:8989:{{ ssh_tunnel_target_ip }}:8989 \
+   -L 0.0.0.0:3000:{{ ssh_tunnel_target_ip }}:3000 \
+   -L 0.0.0.0:443:{{ ssh_tunnel_target_ip }}:443 \
+   -L 0.0.0.0:13000:{{ ssh_tunnel_target_ip }}:13000 \
+   -L 0.0.0.0:8181:overcloud.localdomain:80 \
+   -L 0.0.0.0:8443:overcloud.localdomain:443
+
+
+# Restart every >2 seconds to avoid StartLimitInterval failure
+RestartSec=5
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/libvirt/setup/user/tasks/main.yml

@@ -23,6 +23,15 @@
     - path: "{{ undercloud_key }}"
       comment: "ansible_generated_undercloud"
 
+# Copy the undercloud key to the virthost in the ssh_user directory
+- name: copy ssh keys to virthost
+  copy:
+    src: "{{ undercloud_key }}"
+    dest: "{{ working_dir }}"
+    owner: "{{ ssh_user }}"
+    group: "{{ ssh_user }}"
+    mode: 0600
+
 - name: Read virt_power private key
   no_log: True
   set_fact: