@cloudnull
Last active September 4, 2019 08:53
Set up OpenStack Havana with Neutron using VPNaaS (VPN as a Service), FWaaS (Firewall as a Service) and LBaaS (Load Balancer as a Service).

Installing OpenStack VPNaaS, LBaaS and FWaaS

This brief overview assumes that OpenStack Havana has already been installed and configured with Neutron networking. If you have not done this yet, you can use "https://github.com/cloudnull/rcbops_allinone_inone" or devstack to set up a development box, and then perform the following steps.


  • Install openswan and the Neutron VPN agent:

    # Debian/Ubuntu packages are tried first; if that fails (e.g. no apt-get on the host) the RHEL/CentOS packages are installed and the agent is enabled at boot.
    # (apt-get install openswan neutron-plugin-vpn-agent) || (yum install openswan openstack-neutron-vpn-agent && chkconfig neutron-vpn-agent on)
  • Place the vpnaas rootwrap filters (these let the VPN agent run `ip` and `ipsec` as root):

    # Rootwrap filter file for the VPN agent: each entry names a command neutron-rootwrap may run as root on the agent's behalf.
    # IpFilter / IpNetnsExecFilter restrict how `ip` may be invoked; CommandFilter places no restriction on the arguments passed to `ipsec`.
    # Keep this list minimal -- every entry here widens what a compromised agent process can execute as root.
    # cat > /etc/neutron/rootwrap.d/vpnaas.filters << EOF
    [Filters]
    
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root
    openswan: CommandFilter, ipsec, root
    
    EOF
  • Place the VPN agent configuration, vpn_agent.ini:

    # VPN agent configuration: OVS interface driver, OpenSwan as the IPsec device driver,
    # and the IPsec tunnel status poll interval in seconds.
    # cat > /etc/neutron/vpn_agent.ini << EOF
    [DEFAULT]
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    
    [vpnagent]
    vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
    
    [ipsec]
    ipsec_status_check_interval=60
    
    EOF
  • Place the FWaaS driver configuration, fwaas_driver.ini:

    # FWaaS driver configuration: enables the iptables-based firewall driver.
    # cat > /etc/neutron/fwaas_driver.ini << EOF
    [fwaas]
    driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
    enabled = True
    EOF
  • Add the service plugins to /etc/neutron/neutron.conf:

    # NOTE: service_plugins is a single comma-separated list on one line
    service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin
  • Add the service providers to /etc/neutron/neutron.conf:

    # One provider per line
    [SERVICE_PROVIDERS]
    service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
    service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
    service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
  • Replace /etc/neutron/policy.json with a policy that includes the firewall rules:

    # Overwrites the existing policy file. An empty rule string (as used for "regular_user") matches any
    # authenticated caller, so "create_network", "create_port", "create_firewall", "create_firewall_policy"
    # and "create_firewall_rule" are open to every tenant; "create_firewall_policy:shared" and
    # "create_firewall_rule:shared" let owners (not only admins) share policies and rules across tenants.
    # Review these against your own tenancy model before deploying.
    # cat > /etc/neutron/policy.json << EOF
    {
        "context_is_admin":  "role:admin",
        "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
        "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
        "admin_only": "rule:context_is_admin",
        "regular_user": "",
        "shared": "field:networks:shared=True",
        "shared_firewalls": "field:firewalls:shared=True",
        "external": "field:networks:router:external=True",
        "default": "rule:admin_or_owner",
    
        "subnets:private:read": "rule:admin_or_owner",
        "subnets:private:write": "rule:admin_or_owner",
        "subnets:shared:read": "rule:regular_user",
        "subnets:shared:write": "rule:admin_only",
    
        "create_subnet": "rule:admin_or_network_owner",
        "get_subnet": "rule:admin_or_owner or rule:shared",
        "update_subnet": "rule:admin_or_network_owner",
        "delete_subnet": "rule:admin_or_network_owner",
    
        "create_network": "",
        "get_network": "rule:admin_or_owner or rule:shared or rule:external",
        "get_network:router:external": "rule:regular_user",
        "get_network:segments": "rule:admin_only",
        "get_network:provider:network_type": "rule:admin_only",
        "get_network:provider:physical_network": "rule:admin_only",
        "get_network:provider:segmentation_id": "rule:admin_only",
        "get_network:queue_id": "rule:admin_only",
        "create_network:shared": "rule:admin_only",
        "create_network:router:external": "rule:admin_only",
        "create_network:segments": "rule:admin_only",
        "create_network:provider:network_type": "rule:admin_only",
        "create_network:provider:physical_network": "rule:admin_only",
        "create_network:provider:segmentation_id": "rule:admin_only",
        "update_network": "rule:admin_or_owner",
        "update_network:segments": "rule:admin_only",
        "update_network:provider:network_type": "rule:admin_only",
        "update_network:provider:physical_network": "rule:admin_only",
        "update_network:provider:segmentation_id": "rule:admin_only",
        "delete_network": "rule:admin_or_owner",
    
        "create_port": "",
        "create_port:mac_address": "rule:admin_or_network_owner",
        "create_port:fixed_ips": "rule:admin_or_network_owner",
        "create_port:port_security_enabled": "rule:admin_or_network_owner",
        "create_port:binding:host_id": "rule:admin_only",
        "create_port:binding:profile": "rule:admin_only",
        "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
        "get_port": "rule:admin_or_owner",
        "get_port:queue_id": "rule:admin_only",
        "get_port:binding:vif_type": "rule:admin_only",
        "get_port:binding:capabilities": "rule:admin_only",
        "get_port:binding:host_id": "rule:admin_only",
        "get_port:binding:profile": "rule:admin_only",
        "update_port": "rule:admin_or_owner",
        "update_port:fixed_ips": "rule:admin_or_network_owner",
        "update_port:port_security_enabled": "rule:admin_or_network_owner",
        "update_port:binding:host_id": "rule:admin_only",
        "update_port:binding:profile": "rule:admin_only",
        "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
        "delete_port": "rule:admin_or_owner",
    
        "create_router:external_gateway_info:enable_snat": "rule:admin_only",
        "update_router:external_gateway_info:enable_snat": "rule:admin_only",
    
        "create_firewall": "",
        "get_firewall": "rule:admin_or_owner",
        "create_firewall:shared": "rule:admin_only",
        "get_firewall:shared": "rule:admin_only",
        "update_firewall": "rule:admin_or_owner",
        "delete_firewall": "rule:admin_or_owner",
    
        "create_firewall_policy": "",
        "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
        "create_firewall_policy:shared": "rule:admin_or_owner",
        "update_firewall_policy": "rule:admin_or_owner",
        "delete_firewall_policy": "rule:admin_or_owner",
    
        "create_firewall_rule": "",
        "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
        "create_firewall_rule:shared": "rule:admin_or_owner",
        "get_firewall_rule:shared": "rule:admin_or_owner",
        "update_firewall_rule": "rule:admin_or_owner",
        "delete_firewall_rule": "rule:admin_or_owner",
    
        "create_qos_queue": "rule:admin_only",
        "get_qos_queue": "rule:admin_only",
    
        "update_agent": "rule:admin_only",
        "delete_agent": "rule:admin_only",
        "get_agent": "rule:admin_only",
    
        "create_dhcp-network": "rule:admin_only",
        "delete_dhcp-network": "rule:admin_only",
        "get_dhcp-networks": "rule:admin_only",
        "create_l3-router": "rule:admin_only",
        "delete_l3-router": "rule:admin_only",
        "get_l3-routers": "rule:admin_only",
        "get_dhcp-agents": "rule:admin_only",
        "get_l3-agents": "rule:admin_only",
        "get_loadbalancer-agent": "rule:admin_only",
        "get_loadbalancer-pools": "rule:admin_only",
    
        "create_router": "rule:regular_user",
        "get_router": "rule:admin_or_owner",
        "update_router:add_router_interface": "rule:admin_or_owner",
        "update_router:remove_router_interface": "rule:admin_or_owner",
        "delete_router": "rule:admin_or_owner",
    
        "create_floatingip": "rule:regular_user",
        "update_floatingip": "rule:admin_or_owner",
        "delete_floatingip": "rule:admin_or_owner",
        "get_floatingip": "rule:admin_or_owner",
    
        "create_network_profile": "rule:admin_only",
        "update_network_profile": "rule:admin_only",
        "delete_network_profile": "rule:admin_only",
        "get_network_profiles": "",
        "get_network_profile": "",
        "update_policy_profiles": "rule:admin_only",
        "get_policy_profiles": "",
        "get_policy_profile": "",
    
        "create_metering_label": "rule:admin_only",
        "delete_metering_label": "rule:admin_only",
        "get_metering_label": "rule:admin_only",
    
        "create_metering_label_rule": "rule:admin_only",
        "delete_metering_label_rule": "rule:admin_only",
        "get_metering_label_rule": "rule:admin_only",
    
        "get_service_provider": "rule:regular_user"
    }
    EOF
  • Restart all of the Neutron services:

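    # Restart every Neutron init script (the glob also matches the openstack-neutron-* names used on RHEL/CentOS).
    # "$i" is quoted so each script path is passed as a single argument even if it contains whitespace.
    # for i in /etc/init.d/*neutron-*; do "$i" restart; done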