diff --git a/defaults/main.yml b/defaults/main.yml
index b0eaf423..f1ea5a5b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -209,8 +209,6 @@ octavia_loadbalancer_topology: SINGLE
 octavia_glance_image_tag: octavia-amphora-image
 # add here the id of the image owner to avoid faked images being used
 octavia_amp_image_owner_id:
-# Name of the Octavia management network
-octavia_neutron_management_network_name: mgmt
 # Name of the Octavia security group
 octavia_security_group_name: octavia_sec_grp
 # Restrict access to only authorized hosts
@@ -262,8 +260,78 @@ octavia_enable_anti_affinity: False
 # for amphora creation
 #octavia_amp_availability_zone:
 
+# Name of the Octavia management network in Neutron
+octavia_neutron_management_network_name: lbaas-mgmt
+# Name of the provider net in the system
+octavia_provider_network_name: lbaas
+# This sets it to the container managment network based on how you setup
+# the provider net
+octavia_container_network_name: "{{ octavia_provider_network_name }}_address"
+octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_network_name)|list|first }}"
 octavia_hm_group: "octavia-health-manager"
-octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['ansible_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
+# Note: We use some heuritsics here but if you do anyhting special make sure to use the
+# ip addresses on the right network. This will use the container newtorking to figure out the ip
+octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}"
+# Set this to the right container port aka the eth you connect to the octavia
+# management network
+octavia_container_interface: "{{ octavia_provider_network.container_interface }}"
+# Set this to true to drop the iptables rules
+octavia_ip_tables_fw: True
+# The iptable rules
+octavia_iptables_rules:
+  - # Allow icmp
+    chain: INPUT
+    protocol: icmp
+    ctstate: NEW
+    icmp_type: 8
+    jump: ACCEPT
+  - # Allow existing connections:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    ctstate:  RELATED,ESTABLISHED
+    jump: ACCEPT
+  - # Allow heartbeat:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    protocol: udp
+    destination_port: "{{ octavia_health_manager_port }}"
+    jump: ACCEPT
+  - # Reject INPUT:
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp-port-unreachable
+  - # Reject FORWARD:
+    chain: FORWARD
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp-port-unreachable
+  - # Allow icmp6
+    chain: INPUT
+    protocol: icmpv6
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Allow existing connections
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    ctstate:  RELATED,ESTABLISHED
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Allow heartbeat
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    protocol: udp
+    destination_port: "{{ octavia_health_manager_port }}"
+    jump: ACCEPT
+    ip_version: ipv6
+  - # Reject INPUT
+    chain: INPUT
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp6-port-unreachable
+    ip_version: ipv6
+  - # Reject FORWARD
+    chain: FORWARD
+    in_interface: "{{ octavia_container_interface }}"
+    reject_with: icmp6-port-unreachable
+    ip_version: ipv6
 
 # Set up the drivers
 octavia_amphora_driver: amphora_haproxy_rest_driver
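Review bot: `octavia_provider_network` fails with an opaque Jinja error whenever `provider_networks` is undefined or contains no entry whose `net_name` equals `octavia_provider_network_name`, because `first` on an empty list raises, and the test overrides in tests/os_octavia-overrides.yml (`#couldn't find provider_networks inventory var?`) had to pin `octavia_container_interface` to work around exactly that; the comment above it should say so, e.g. `# Derived from the provider_networks inventory entry whose net_name matches octavia_provider_network_name; set octavia_container_interface explicitly when provider_networks is not available`. `octavia_hm_hosts` has the same failure mode now that it indexes `hostvars[host]['container_networks'][octavia_container_network_name]['address']`, which is undefined for hosts without that container network. The `Allow icmp` and `Allow icmp6` rules are the only entries without `in_interface`, so they admit echo requests and all ICMPv6 on every interface of the container rather than only the management one; if that is deliberate (ICMPv6 is needed for neighbour discovery) a comment should say so, otherwise add `in_interface: "{{ octavia_container_interface }}"` to them as well. Minor: `octavia_ip_tables_fw: True` should be the canonical `true`, `ctstate:  RELATED,ESTABLISHED` has a double space, and the comments misspell heuristics, anything, networking and management.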
@@ -273,9 +341,4 @@ octavia_network_driver: allowed_address_pairs_driver
 ## Tunable overrides
 octavia_octavia_conf_overrides: {}
 octavia_api_paste_ini_overrides: {}
-octavia_policy_overrides: {}
-
-
-
-
-
+octavia_policy_overrides: {}
\ No newline at end of file
diff --git a/doc/source/configure-octavia.rst b/doc/source/configure-octavia.rst
index c5245276..fb0b6912 100644
--- a/doc/source/configure-octavia.rst
+++ b/doc/source/configure-octavia.rst
@@ -25,27 +25,63 @@ Setup a neutron network for use by octavia
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Octavia needs connectivity between the control plane and the
-load balancing VMs. For this purpose a provide rnetwork should be
-created which bridges containers (if the control plane is installed
-in a container) or hosts with vms. Refer to the appropriate documentation
+load balancing VMs. For this purpose a provider network should be
+created which bridges the octavia containers (if the control plane is installed
+in a container) or hosts with VMs. Refer to the appropriate documentation
 and consult the tests in this project. In a general case, neutron networking
 can be a simple flat network. However in a complex case, this can be whatever
-you need and want. Ensure you adjust the deployment accordingly. The following
-is an example how to set it up in neutron:
+you need and want. Ensure you adjust the deployment accordingly. An example
+entry into ``openstack_user_config.yml`` is shown below:
+
+.. code-block:: yaml
+
+     - network:
+        container_bridge: "br-lbaas"
+        container_type: "veth"
+        container_interface: "eth14"
+        host_bind_override: "eth14"
+        ip_from_q: "octavia"
+        type: "flat"
+        net_name: "octavia"
+        group_binds:
+          - neutron_linuxbridge_agent
+          - octavia-worker
+          - octavia-housekeeping
+          - octavia-health-manager
+
+Make sure to modify the other entries in this file as well.
+
+There are a couple of variables which need to be adjusted if you don't use
+``lbaas`` for the provider network name and ``lbaas-mgmt`` for the neutron
+name. Furthermore, the system tries to infer certain values based on the
+inventory which might not always work and hence might need to be explicitly
+declared. Review the file ``defaults\main.yml`` for more information.
+
+The following is an example how to set up a provider network in neutron:
 
 
 .. code-block:: bash
 
-    neutron net-create mgmt-net --shared \
+    neutron net-create lbaas-mgmt --shared \
                                     --provider:network_type flat \
-                                    --provider:physical_network mgmt
+                                    --provider:physical_network lbaas
 
-    neutron subnet-create mgmt-net 172.19.0.0/22 --name mgmt-subnet
+    neutron subnet-create mgmt-net 172.19.0.0/22 --name lbaas-subnet
                           --ip-version=4 \
                           --allocation-pool start=172.19.1.100,end=172.19.1.200 \
                           --enable-dhcp \
                           --dns-nameservers list=true 8.8.4.4 8.8.8.8
 
+Special attention needs to be applied to the ``--allocation-pool`` to not have
+ips which overlap with ips assigned to hosts or containers (see the ``used_ips``
+variable in ``openstack_user_config.yml``)
+
+.. note::
+    The system will deploy an iptables firewall if ``octavia_ip_tables_fw`` is set
+    to ``True`` (the default). This adds additional protection to the control plane
+    in the rare instance a load balancing vm is compromised. Please review carefully
+    the rules and adjust them for your installation. Please be aware that logging
+    of dropped packages is not enabled and you will need to add those rules manually.
 
 Building Octavia images
 ~~~~~~~~~~~~~~~~~~~~~~~
@@ -182,3 +218,4 @@ The variable ``octavia_spare_amphora_pool_size`` controls
 the size of the pool. The system will try
 to prebuild this number so using too big a number will
 consumes a lot of unnecessary resources.
+
diff --git a/releasenotes/notes/add-iptables-5ff8c4317e2e8498.yaml b/releasenotes/notes/add-iptables-5ff8c4317e2e8498.yaml
new file mode 100644
index 00000000..4ea4242b
--- /dev/null
+++ b/releasenotes/notes/add-iptables-5ff8c4317e2e8498.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - Simplifies configuration of lbaas-mgmt network.
+
+  - Adds iptables rules to block taffic from the octavia managment network to
+    the octavia container for both ipv4 and ipv6.
+
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 651bcb5c..5c995215 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -55,6 +55,7 @@
     - octavia_neutron_management_network_name is defined
   tags:
     - octavia-install
+    - octavia-config
 
 - include: octavia_security_group.yml
   tags:
@@ -65,6 +66,7 @@
     - octavia_nova_flavor_uuid is not defined
   tags:
     - octavia-install
+    - octavia-config
 
 - include: octavia_post_install.yml
   tags:
diff --git a/tasks/octavia_post_install.yml b/tasks/octavia_post_install.yml
index 68a85972..35aa29a9 100644
--- a/tasks/octavia_post_install.yml
+++ b/tasks/octavia_post_install.yml
@@ -13,6 +13,27 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# iptables module doesn't see empty string as a null value so this is the only
+# way to get a configurable rule definition in right now
+- name: iptables rules
+  iptables: "{{ item }}"
+  with_items: "{{ octavia_iptables_rules }}"
+  when: octavia_ip_tables_fw|bool == true
+
+# This is totally odd: If you run the commands via run-parts (as the script
+# in the distro does) they return 1; but do their job. If you run them
+# directly they work. Ignoring errors for now --
+- name: save iptables rules (Ubuntu 16.04)
+  command: netfilter-persistent save
+  ignore_errors: yes
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04'
+
+- name: save iptables rules (CentOS & RHEL)
+  command: service iptables save
+  args:
+    warn: False # since we use save service module doesn't apply
+  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+
 - name: Create certs directory
   file: path=/etc/octavia/certs/ state=directory
 
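Review bot: Both `save iptables rules` tasks run unconditionally and the Ubuntu one uses `ignore_errors: yes`, so they execute even when `octavia_ip_tables_fw` is false, always report changed, and a genuinely failed persist is swallowed — the container would then come back from a reboot without the rules and nothing in the play output would show it. Gate the save tasks on the firewall flag and on the rules task having changed, and replace `ignore_errors` with a `failed_when` that tolerates only the run-parts exit code 1 the comment describes. `when: octavia_ip_tables_fw|bool == true` also reads better as `when: octavia_ip_tables_fw | bool`, and `warn: False` as `warn: false`. Whether `service iptables save` exists on CentOS/RHEL depends on a package not visible in this diff (only the Ubuntu packages are added, in vars/ubuntu-16.04.yml).
```yaml
- name: iptables rules
  iptables: "{{ item }}"
  with_items: "{{ octavia_iptables_rules }}"
  when: octavia_ip_tables_fw | bool
  register: _octavia_iptables_rules

# run-parts returns 1 even when the plugins save successfully; treat only
# other exit codes as failures instead of ignoring every error
- name: save iptables rules (Ubuntu 16.04)
  command: netfilter-persistent save
  register: _octavia_iptables_save
  failed_when: _octavia_iptables_save.rc not in [0, 1]
  when:
    - octavia_ip_tables_fw | bool
    - _octavia_iptables_rules.changed | default(false)
    - ansible_distribution == 'Ubuntu' and ansible_distribution_version == '16.04'

- name: save iptables rules (CentOS & RHEL)
  command: service iptables save
  args:
    warn: false  # since we use save, the service module does not apply
  when:
    - octavia_ip_tables_fw | bool
    - _octavia_iptables_rules.changed | default(false)
    - ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'

# … unchanged: Create certs directory and following tasks …
```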
@@ -58,7 +79,4 @@
 #      config_overrides: "{{ octavia_policy_overrides }}"
 #      config_type: "json"
   notify:
-    - Restart octavia services
-
-
-
+    - Restart octavia services
\ No newline at end of file
diff --git a/tests/host_vars/localhost.yml b/tests/host_vars/localhost.yml
index 61721f78..e546b378 100644
--- a/tests/host_vars/localhost.yml
+++ b/tests/host_vars/localhost.yml
@@ -19,9 +19,6 @@ ansible_python_interpreter: "/usr/bin/python2"
 bridges:
   - name: "br-mgmt"
     ip_addr: "10.1.1.1"
-    # Use container mgmt as Octavia mgmt net
-    # set up veth pair to connect with Neutron
-    veth_peer: "eth14"
   - name: "br-vxlan"
     ip_addr: "10.1.2.1"
   - name: "br-vlan"
@@ -29,3 +26,6 @@ bridges:
     veth_peer: "eth12"
   - name: "br-storage"
     ip_addr: "10.1.5.1"
+  - name: "br-lbaas"
+    ip_addr: "10.1.7.1"
+    veth_peer: "eth14"
\ No newline at end of file
diff --git a/tests/host_vars/octavia1.yml b/tests/host_vars/octavia1.yml
index 4392f62e..6cf6fbfb 100644
--- a/tests/host_vars/octavia1.yml
+++ b/tests/host_vars/octavia1.yml
@@ -16,8 +16,7 @@
 ansible_host: 10.1.1.104
 ansible_become: True
 ansible_user: root
-ipmi_address: 10.1.4.104
-container_name: "{{ inventory_hostname }}"
+lbaas_address: 10.1.7.104
 container_networks:
   management_address:
     address: "{{ ansible_host }}"
@@ -25,3 +24,9 @@ container_networks:
     interface: "eth1"
     netmask: "255.255.255.0"
     type: "veth"
+  lbaas_address:
+    address: "{{ lbaas_address }}"
+    bridge: "br-lbaas"
+    interface: "eth14"
+    netmask: "255.255.255.0"
+    type: "veth"
diff --git a/tests/os_octavia-overrides.yml b/tests/os_octavia-overrides.yml
index 52492566..64ab6105 100644
--- a/tests/os_octavia-overrides.yml
+++ b/tests/os_octavia-overrides.yml
@@ -66,8 +66,11 @@ nova_console_type: novnc
 neutron_provider_networks:
   network_types: "vxlan,flat"
   network_vxlan_ranges: "1:1000"
-  network_flat_networks: "flat,mgmt"
-  network_mappings: "flat:eth12,mgmt:eth14"
+  network_flat_networks: "flat,lbaas"
+  network_mappings: "flat:eth12,lbaas:eth14"
+
+#couldn't find provider_networks inventory var?
+octavia_container_interface: "eth14"
 
 # Must be set to a normal MTU
 neutron_network_device_mtu: 1500
@@ -80,7 +83,7 @@ neutron_metadata: True
 
 octavia_pip_package_state: latest
 octavia_package_state: latest
-octavia_neutron_management_network_name: mgmt
+octavia_neutron_management_network_name: lbaas-mgmt
 
 octavia_git_install_branch: stable/ocata
 
diff --git a/tests/test-configure-octavia.yml b/tests/test-configure-octavia.yml
index 371840e5..a994447c 100644
--- a/tests/test-configure-octavia.yml
+++ b/tests/test-configure-octavia.yml
@@ -87,15 +87,15 @@
         openrc_path: /root/openrc
         net_name: "{{ octavia_neutron_management_network_name }}"
         provider_network_type: flat
-        provider_physical_network: mgmt
+        provider_physical_network: lbaas
         insecure: "{{ keystone_service_internaluri_insecure }}"
     - name: Ensure mgmt subnet exists
       neutron:
         command: create_subnet
         openrc_path: /root/openrc
         net_name: "{{ octavia_neutron_management_network_name }}"
-        subnet_name: "mgmt-subnet"
-        cidr: "10.1.1.0/24"
+        subnet_name: "lbaas-mgmt-subnet"
+        cidr: "10.1.7.0/24"
         insecure: "{{ keystone_service_internaluri_insecure }}"
 
   vars_files:
diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml
index 75f6a628..916f57a9 100644
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -17,4 +17,5 @@
 cache_timeout: 600
 
 octavia_distro_packages:
-  - haproxy
+  - iptables-persistent
+  - netfilter-persistent
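Review bot: `haproxy` is dropped from `octavia_distro_packages` while the two iptables persistence packages are added, but neither the release note nor anything else in the diff mentions removing haproxy from the controller hosts. If the removal is intentional (presumably because haproxy runs inside the amphorae rather than on the control plane) it deserves a sentence in the release note; if it is accidental, keep `- haproxy` alongside the two new entries. It is also worth checking that the RedHat vars file, not shown here, installs whatever provides `service iptables save`, since tasks/octavia_post_install.yml relies on that command on CentOS/RHEL.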