Merge "Add doc"

This commit is contained in:
Jenkins 2016-01-11 15:58:21 +00:00 committed by Gerrit Code Review
commit 0365d3587c
28 changed files with 933 additions and 0 deletions

181
doc/Makefile Normal file
View File

@ -0,0 +1,181 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = build
# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
endif
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext lifehtml
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " livehtml to run html server"
clean:
rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/VPNaaSPluginforFuel.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/VPNaaSPluginforFuel.qhc"
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/VPNaaSPluginforFuel"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/VPNaaSPluginforFuel"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
livehtml:
sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html

Binary file not shown.

After

Width:  |  Height:  |  Size: 90 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 48 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 125 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 20 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 27 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 33 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 28 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 89 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 91 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 29 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 234 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 50 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 93 KiB

12
doc/source/appendix.rst Normal file
View File

@ -0,0 +1,12 @@
Appendix
--------
+----+----------------------------+-------------------------------------------------------------------------------------------------+
| # | Title of resource | Link on resource |
+====+============================+=================================================================================================+
| 1 | Fuel Plugins CLI | `Link <https://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#fuel-plugins-cli/>`_ |
+----+----------------------------+-------------------------------------------------------------------------------------------------+
| 2 | Mirantis OpenStack Express | `Link <https://www.mirantis.com/blog/mirantis-openstack-express-vpn-service-vpnaas-step-step/>`_|
| | VPN-as-a-Service (VPNaaS) | |
| | Step-By-Step | |
+----+----------------------------+-------------------------------------------------------------------------------------------------+

340
doc/source/conf.py Normal file
View File

@ -0,0 +1,340 @@
# -*- coding: utf-8 -*-
#
# fuel-plugin-vpnaas documentation build configuration file, created by
# sphinx-quickstart on Wed Oct 7 12:48:35 2015.
#
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
import sys
import os
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
# 'sphinx.ext.todo',
# 'sphinx.ext.coverage',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
#source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'The VPNaaS plugin for Fuel'
copyright = u'2015, Mirantis Inc.'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '2.0-2.0.0-2'
# The full version, including alpha/beta/rc tags.
release = '2.0-2.0.0-2'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []
# The reST default role (used for this markup: `text`) to use for all
# documents.
#default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
#keep_warnings = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'default'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
#html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
#html_extra_path = []
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}
# If false, no module index is generated.
#html_domain_indices = True
# If false, no index is generated.
#html_use_index = True
# If true, the index is split into individual pages for each letter.
#html_split_index = False
# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'fuel-plugin-vpnaas-doc'
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
('index', 'fuel-plugin-vpnaas.tex', u'The VPNaaS Plugin for Fuel Documentation',
u'Mirantis Inc.', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False
# If true, show page references after internal links.
#latex_show_pagerefs = False
# If true, show URL addresses after external links.
#latex_show_urls = False
# Documents to append as an appendix to all manuals.
#latex_appendices = []
# If false, no module index is generated.
#latex_domain_indices = True
# make latex stop printing blank pages between sections
# http://stackoverflow.com/questions/5422997/sphinx-docs-remove-blank-pages-from-generated-pdfs
latex_elements = { 'classoptions': ',openany,oneside', 'babel' : '\\usepackage[english]{babel}' }
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'fuel-plugin-vpnaas', u'Guide to the VPNaaS Plugin ver. 2.0-2.0.0-2 for Fuel',
[u'Mirantis Inc.'], 1)
]
# If true, show URL addresses after external links.
#man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
('index', 'fuel-plugin-vpnaas', u'The VPNaaS Plugin for Fuel Documentation',
u'Mirantis Inc.', 'fuel-plugin-vpnaas', 'The VPNaaS Plugin for Fuel Documentation',
'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
#texinfo_appendices = []
# If false, no module index is generated.
#texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
#texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
#texinfo_no_detailmenu = False
# Insert footnotes where they are defined instead of
# at the end.
pdf_inline_footnotes = True
# -- Options for Epub output ----------------------------------------------
# Bibliographic Dublin Core info.
epub_title = u'The VPNaaS Plugin for Fuel'
epub_author = u'Mirantis Inc.'
epub_publisher = u'Mirantis Inc.'
epub_copyright = u'2015, Mirantis Inc.'
# The basename for the epub file. It defaults to the project name.
#epub_basename = u'fuel-plugin-openbook'
# The HTML theme for the epub output. Since the default themes are not optimized
# for small screen space, using the same theme for HTML and epub output is
# usually not wise. This defaults to 'epub', a theme designed to save visual
# space.
#epub_theme = 'epub'
# The language of the text. It defaults to the language option
# or en if the language is not set.
#epub_language = ''
# The scheme of the identifier. Typical schemes are ISBN or URL.
#epub_scheme = ''
# The unique identifier of the text. This can be a ISBN number
# or the project homepage.
#epub_identifier = ''
# A unique identification for the text.
#epub_uid = ''
# A tuple containing the cover image and cover page html template filenames.
#epub_cover = ()
# A sequence of (type, uri, title) tuples for the guide element of content.opf.
#epub_guide = ()
# HTML files that should be inserted before the pages created by sphinx.
# The format is a list of tuples containing the path and title.
#epub_pre_files = []
# HTML files shat should be inserted after the pages created by sphinx.
# The format is a list of tuples containing the path and title.
#epub_post_files = []
# A list of files that should not be packed into the epub file.
epub_exclude_files = ['search.html']
# The depth of the table of contents in toc.ncx.
#epub_tocdepth = 3
# Allow duplicate toc entries.
#epub_tocdup = True
# Choose between 'default' and 'includehidden'.
#epub_tocscope = 'default'
# Fix unsupported image types using the PIL.
#epub_fix_images = False
# Scale large images.
#epub_max_image_width = 0
# How to display URL addresses: 'footnote', 'no', or 'inline'.
#epub_show_urls = 'inline'
# If false, no index is generated.
#epub_use_index = True

21
doc/source/index.rst Normal file
View File

@ -0,0 +1,21 @@
.. fuel-plugin-vpnaas-doc master file, created by
sphinx-quickstart on Mon Nov 16 09:11:57 2015.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
Welcome to VPNaaS Plugin for Fuel's documentation!
=================================================
.. toctree::
:maxdepth: 4
overview
installation_guide
user_guide
appendix
Indices and tables
==================
* :ref:`search`

View File

@ -0,0 +1,51 @@
.. _installation:
Installation Guide
-------------------
Installing VPNaaS plugin
++++++++++++++++++++++++
#. Download the plug­in from `Fuel Plugins Catalog`_.
#. Copy the plug­in on already installed Fuel Master node::
[user@home ~]$ scp vpnaas-plugin-1.2-1.2.0-1.noarch.rpm root@:/
<the_Fuel_Master_node_IP>:~/
#. Log into the Fuel Master node. Install the plugin::
[root@fuel ~]# fuel plugins --install vpnaas-plugin-1.2-1.2.0-1.noarch.rpm
#. Verify that the plugin is installed correctly::
[root@fuel ~]# fuel plugins --list
id | name | version | package_version
---|---------------|---------|----------------
1 | vpnaas_plugin | 1.2.0 | 2.0.0
Creating Environment with VPNaaS
++++++++++++++++++++++++++++++++
#. After plug­in is installed, create a new OpenStack environment with Neutron.
#. `Configure your environment`_.
#. Open the Settings tab of the Fuel web UI and scroll down the page. Select
VPNaaS plugin checkbox:
.. image:: _static/vpnaas_in_fuel_ui.png
#. `Deploy your environment`_.
**********
References
**********
.. target-notes::
.. _Fuel Plugins Catalog: https://software.mirantis.com/download-mirantis-openstack-fuel-plug-ins
.. _Configure your environment: http://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#configure-your-environment
.. _Deploy your environment: http://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#deploy-changes

84
doc/source/overview.rst Normal file
View File

@ -0,0 +1,84 @@
.. _overview:
Document purpose
================
This document provides instructions for installing, configuring and using
Neutron Firewall-as-a-Service plugin for Fuel.
Key terms, acronyms and abbreviations
-------------------------------------
+----------------------------+------------------------------------------------+
| Term/abbreviation | Definition |
+============================+================================================+
| VPNaaS | VPN-as-a-Service. Neutron extension used to |
| | connect 2 private networks via Internet. |
+----------------------------+------------------------------------------------+
| IPSec | Internet Protocol Security (IPsec) is a |
| | protocol suite for securing Internet Protocol |
| | (IP) communications by authenticating and |
| | encrypting each IP packet of a communication |
| | session. |
+----------------------------+------------------------------------------------+
| OpenSwan | An IPsec implementation for Linux. It has |
| | support for most of the extensions (RFC + IETF |
| | drafts) related to IPsec, including IKEv2, |
| | X.509 Digital Certificates, NAT Traversal, and |
| | many others. |
+----------------------------+------------------------------------------------+
| IKE | Internet Key Exchange is the protocol used to |
| | set up a security association (SA) in the IPsec|
| | protocol suit. |
+----------------------------+------------------------------------------------+
| VM | Virtual Machine (Instance) |
+----------------------------+------------------------------------------------+
VPNaaS Plugin
-------------
VPNaaS (VPN-as-a-Service) Fuel plugin provides an opportunity to deploy and
configure a VPNaaS Neutron extension. VPNaaS Neutron extension introduces VPN
feature set in Neutron which is based on Openswan (opensource IPSec
implementation). The main goal is to provide VPN connection as a service
between 2 private networks over the public network (in general via Internet).
That means, you can build a VPN connection between 2 private subnets, which can
be placed in 2 different tenants and separate OpenStack clouds — for example,
premise and hosted clouds in a hybrid application.
Requirements
------------
+----------------------------+------------------------------------------------+
| Requirement | Version/Comment |
+============================+================================================+
| Fuel | 7.0 release |
+----------------------------+------------------------------------------------+
| OpenStack compatibility | 2015.1 Kilo |
+----------------------------+------------------------------------------------+
| Operating systems | Ubuntu 14.04 LTS |
+----------------------------+------------------------------------------------+
Limitations
-----------
VPNaaS plugin can be enabled only in environments with Neutron with ML2 plugin
with OpenVSwitch Mechanism driver (default configuration) as the networking
option and tested only with the OpenSwan driver.
Known issues
------------
* `[VPNaaS] Active VPN connection goes down after controller shutdown/start`_
.. target-notes::
.. _[VPNaaS] Active VPN connection goes down after controller shutdown/start: https://bugs.launchpad.net/mos/+bug/1500876

244
doc/source/user_guide.rst Normal file
View File

@ -0,0 +1,244 @@
.. _user-guide:
User Guide
==========
Configuring VPNaaS service
-------------------------
Once OpenStack has been deployed, we can start configuring VPNaaS.
This section provides an example of configuration and step-by-step instructions
for configuring the plugin.
Here is an example task. Lets imagine that we have 2 Clouds, Public and Private
(Cloud A and B). Each cloud has a Project with a private network which is
connected to the Internet via router. In real life, Private networks are very
often placed behind the NAT just like in our case.
Project:
.. figure:: _static/net_arch.png
:scale: 100 %
:align: center
In this network topology, we have a public Cloud A, directly connected to the
real public network and private Cloud B, connected to the corporate private
network and placed behind NAT (Bastion router).
Lets get started.
Please, note the following when configuring VPNaaS plugin:
1. This is important for setting up VPNaaS, since router gateway IP addresses
and other settings made to configure the VPN connection are only visible to
the user who has an admin role.
.. figure:: _static/admin_role.png
:scale: 100 %
:align: center
2. Once your VPN is connected, youll probably want to use a range of apps and
methods to communicate across it. So, you need to be aware that every Project
in OpenStack is assigned the default security group for the cluster in its
default form, which is usually restrictive. So youll probably need to create
a few additional rules in each Projects default security group: like a
general ICMP rule, enabling pings, and a port 22 TCP rule, enabling SSH.
.. figure:: _static/security_groups.png
:scale: 100 %
:align: center
Configure VPNaaS on Cloud A
+++++++++++++++++++++++++++
1. Lets configure VPN. To do that, please select *Network* option in the
left-hand menu and click *VPN*.
.. figure:: _static/a_select_vpn.png
:scale: 100 %
:align: center
2. Create **IKE Policy**
#. Enter *KE Policies* tab and click *Add IKE Policy* button (see the
screenshot above).
#. We would recommend that you changed the Encryption algorithm, which should
be set to **aes-256** and IKE version which should be **v2**.
.. figure:: _static/a_create_ike_policy.png
:scale: 100 %
:align: center
3. Create **IPsec Policy**
#. Enter *IPSec Policies* tab and click *Add IPSec Policy* button (see the
screenshot in step 1 of this section).
#. The defaults are fine, though its recommended to use **aes-256** encryption.
Please pay attention that we should keep **tunnel** *Encapsulation mode*,
because this mode allows to build tunnel between 2 private networks over
public (**transport** is used only for the host-to-host VPN connection)
and **esp** *Transform protocol* which provides encryption for the payload
data.
.. figure:: _static/a_create_ipsec_policy.png
:scale: 100 %
:align: center
4. Create the **VPN Service**.
#. Enter *VPN Service* tab and click *Add VPN Service* button (see the
screenshot in step 1 of this section).
#. Here select a router that will work as our VPN gateway — thats the
local router; You should also pick up a subnet to make visible at the
other end: thats our local subnet. As noted, the main thing to
**remember is that VPN will not work if the subnets at both ends
overlap**
.. figure:: _static/a_create_vpn_service.png
:scale: 100 %
:align: center
5. Create **IPSec Site Connection**.
#. Enter *IPSec Site Connection* tab and click *Add IPSec Site Connection*
button.
#. This is the only mildly-tricky thing about setting up a VPN using VPNaaS.
We start by identifying our **VPN Service**, our **IKE Policy** and our
**IPSec Policy**, defined just a moment before — thats easy.
.. figure:: _static/a_create_ipsec_site_connection.png
:scale: 100 %
:align: center
#. To finish, however, well need to get some information about the
**network architecture** in **Cloud_B**. Cloud_B has the **Bastion**,
which is connected to the public network and also is used as NAT for
the corporate network. For the building VPN connection through the NAT,
IPSec has NAT-Traversal mechanism which is enabled by default.
.. figure:: _static/a_bastion_arch.png
:scale: 100 %
:align: center
#. So lets flip to Project_Bs Horizon, making sure were logged in as the
admin, so we can see the info we need to know. Here we need to specify
**Bastions public IP address** in *Peer gateway public IPv4/IPv6 Address
or FQDN* slot (see step 5):
.. figure:: _static/a_fill_bastion_parameters.png
:scale: 100 %
:align: center
#. Further we specify Peer gateway public IPV4 address or fully-qualified
domain name for Project_Bs router. This can be found by going to
Project_Bs *Network* tab, clicking on Router_B, the router name, and
copying the **IP address shown for the External gateway interface:** in
our case, its 172.24.4.45. This is the thing you wont be able to see
if youre not in the admin role for this project.
.. figure:: _static/a_router_b_details.png
:scale: 100 %
:align: center
#. This IP address goes into *Peer router identity for authentication
*(Peer ID)* slots in the *IPSec Site Connection* edit dialog for
Project_A (see step 5):
.. figure:: _static/a_fill_router_b_parameters.png
:scale: 100 %
:align: center
#. The second piece of info is the *CIDR range* for Project_Bs subnet.
Again, go to Project_Bs Horizon, click the *Network* tab, click on
network, and copy the subnet CIDR range, which is 22.0.0.0/24.
.. figure:: _static/a_get_b_network_parameters.png
:scale: 100 %
:align: center
#. Well put that into the *Remote Peer Subnet* slot on Project_As *IPSec
Site Connection* dialog. Then to finish setting up Project_As IPSec
Site Connection, well provide a **pre-shared key password** — same on
both sides — for authentication. The rest of the parameters can be left
as defaults — if you change them, they should match on both sides of the
connection (see step 5):
.. figure:: _static/a_fill_subnet_and_key.png
:scale: 100 %
:align: center
Configure VPNaaS on Cloud B
+++++++++++++++++++++++++++
Now lets quickly set up the other end of the VPNaaS connection, over on
Project_B. Well make sure protocol details and policies match.
1. On Project_Bs *PSec Site Connection* tab, well provide — in two places —
the peer **gateway public IP address** for Project_As router and **subnet
IP address range**.
2. Now we set up the same components on Project_B. Setting up **IKE Policy**,
**IPSec Policy** and **VPN Service** are simple. For the IPSec Site
Connection, well need the same two pieces of info from Project_A that we
needed for Project_B. Here, were grabbing Project_As **external router IP**
address.
.. figure:: _static/b_router_a_details.png
:scale: 100 %
:align: center
3. And here, were grabbing Project_As **local network IP address range**.
.. figure:: _static/b_subnet_a_details.png
:scale: 100 %
:align: center
4. Create **Sec Site Connection**
* Since Cloud_A is connected to the public network directly we just drop the
**router IP** into two slots of Project_Bs *IPSec Site Connection*
dialog, and supply the **Pre-shared password**.
* Then we click Add, and the VPN sets itself up.
.. figure:: _static/b_add_ipsec_site_connection.png
:scale: 100 %
:align: center
5. Once you click *Add* on the *IPSec Site Connection* tab, youll have to wait
a little bit for your VPN to go to **Active** status (see *Status* column in
the *IPSec Site Connections* tab). If that doesnt happen within a few
minutes, theres probably something wrong with your settings. If this
happens, check to make sure that protocol details on both sides match, that
correct router gateway and subnet address range info for each side has been
provided in the other sides *IPSec Site Connection* tab, that PSK passwords
match, and that subnet IP address ranges dont overlap. Were connected!
The IPSec Site Connection shows as **Active** at both ends.
.. figure:: _static/b_vpn_is_active.png
:scale: 100 %
:align: center
Testing connectivity
++++++++++++++++++++
Lets open console of VM A on the Cloud_A,log into and try to ping VM B
using their internal (not public) IP addresses.
.. figure:: _static/a_test_vpn.png
:scale: 100 %
:align: center
Then do the same from console of VM B.
.. figure:: _static/b_test_vpn.png
:scale: 100 %
:align: center
So it works!!! Now we have VPN connection between 2 private networks Net_70
(placed in Cloud_A/Project_A) and Net_22 (placed in Cloud_B/Project_B) and the
virtual machines connected to these networks have secure direct connectivity.