
OpenStack组件安装配置测试之:FWaaS配置测试

运维扫盲人 2021-05-30
一、FWaaS组件安装
    yum install openstack-neutron-fwaas -y
    二、FWaaS组件配置
    2.1 FWaaS插件配置
      [root@openstack-controller ~]# cat etc/neutron/fwaas_driver.ini 
      [DEFAULT]
      [service_providers]
      service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
      [fwaas]
      agent_version = v2
      driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
      enabled = True
      2.2 neutron-l3-agent 配置
        [root@openstack-controller ~]# cat  etc/neutron/l3_agent.ini | egrep -v "^$|^#"
        [DEFAULT]
        interface_driver = openvswitch
        [AGENT]
        extensions = fwaas_v2
        2.3 ML2 插件配置
          [root@openstack-controller ~]# cat etc/neutron/plugins/ml2/ml2_conf.ini
          [DEFAULT]
          [ml2]
          type_drivers = flat,vlan,vxlan
          tenant_network_types = vxlan
          mechanism_drivers = openvswitch,l2population
          extension_drivers = port_security
          [ml2_type_flat]
          flat_networks = provider
          vni_ranges = 1:1000
          enable_ipset = true
          [ml2_type_vxlan]
          vni_ranges = 1001:2000
          [securitygroup]
          enable_ipset = true


          [agent]
          extensions = fwaas_v2
          [fwaas]
          firewall_l2_driver = noop
          2.4 neutron-server配置
            [DEFAULT]
            service_plugins = router,firewall_v2
            [service_providers]
            service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
            2.5 添加必要的数据库表
              neutron-db-manage --subproject neutron-fwaas upgrade head
              2.6 重启部分服务
                systemctl restart neutron-server.service
                systemctl restart neutron-l3-agent.service
                systemctl restart neutron-openvswitch-agent.service
                systemctl restart httpd.service
                systemctl restart memcached.service
                三、使用测试FWaaS
                3.1 查看默认rule
                  [root@openstack-controller ~]# openstack firewall group rule list
                  +--------------------------------------+----------------------+---------+------------------------------------------------+
                  | ID | Name | Enabled | Summary |
                  +--------------------------------------+----------------------+---------+------------------------------------------------+
                  | 48ee5653-d8d0-46c2-b607-906ac15ceb1b | default ingress ipv4 | True | ANY, |
                  | | | | source(port): none specified(none specified), |
                  | | | | dest(port): none specified(none specified), |
                  | | | | deny |
                  | 9f024dc9-a1da-42a1-b633-8840a4a131ce | default ingress ipv6 | True | ANY, |
                  | | | | source(port): none specified(none specified), |
                  | | | | dest(port): none specified(none specified), |
                  | | | | deny |
                  | b2bd89f1-87f9-4d04-ab62-2a1fa920cf5b | default egress ipv6 | True | ANY, |
                  | | | | source(port): none specified(none specified), |
                  | | | | dest(port): none specified(none specified), |
                  | | | | allow |
                  | ce9348ad-91f5-445d-9b84-0123872b0f79 | default egress ipv4 | True | ANY, |
                  | | | | source(port): none specified(none specified), |
                  | | | | dest(port): none specified(none specified), |
                  | | | | allow |
                  +--------------------------------------+----------------------+---------+------------------------------------------------+
                  3.2 查看默认policy
                    [root@openstack-controller ~]# openstack firewall group policy list
                    +--------------------------------------+-----------------+------------------------------------------------------------------------------------+
                    | ID | Name | Firewall Rules |
                    +--------------------------------------+-----------------+------------------------------------------------------------------------------------+
                    | 9ef0e864-90c8-46d4-8829-0b1ad2b0e238 | default ingress | [u'48ee5653-d8d0-46c2-b607-906ac15ceb1b', u'9f024dc9-a1da-42a1-b633-8840a4a131ce'] |
                    | f17b454e-d427-4502-ad3a-d84142d7b181 | default egress | [u'ce9348ad-91f5-445d-9b84-0123872b0f79', u'b2bd89f1-87f9-4d04-ab62-2a1fa920cf5b'] |
                    +--------------------------------------+-----------------+------------------------------------------------------------------------------------+

                    3.3 查看默认group
                      [root@openstack-controller ~]# openstack firewall group list
                      +--------------------------------------+---------+--------------------------------------+--------------------------------------+
                      | ID | Name | Ingress Policy ID | Egress Policy ID |
                      +--------------------------------------+---------+--------------------------------------+--------------------------------------+
                      | 641140f0-725a-484f-9c96-373b7e074845 | default | 9ef0e864-90c8-46d4-8829-0b1ad2b0e238 | f17b454e-d427-4502-ad3a-d84142d7b181 |
                      +--------------------------------------+---------+--------------------------------------+--------------------------------------+
                      3.4 新建rule
                        openstack firewall group rule create --protocol icmp --source-ip-address 192.0.2.8 --destination-ip-address 10.1.1.37 --action deny --name myrule



                        3.5 新建policy
                          openstack firewall group policy create --firewall-rule myrule myfirewallpolicy
                          3.6 新建group
                            [root@openstack-controller ~]# openstack firewall group create --ingress-firewall-policy myfirewallpolicy --port 620ea2e0-529e-471b-8b4d-494668165c65 --name myfirewallgroup
                            +-------------------+-------------------------------------------+
                            | Field | Value |
                            +-------------------+-------------------------------------------+
                            | Description | |
                            | Egress Policy ID | None |
                            | ID | 1b0e0a1b-94f8-4cba-b51e-f6618017dcb8 |
                            | Ingress Policy ID | b55bd0e3-630c-43fb-aeaf-3ca5df1eb385 |
                            | Name | myfirewallgroup |
                            | Ports | [u'620ea2e0-529e-471b-8b4d-494668165c65'] |
                            | Project | 15b1010426194e309cd8f3de6bf63e1a |
                            | Shared | False |
                            | State | UP |
                            | Status | PENDING_CREATE |
                            | project_id | 15b1010426194e309cd8f3de6bf63e1a |
                            +-------------------+-------------------------------------------+
                              [root@openstack-controller ~]# openstack firewall group show myfirewallgroup
                              +-------------------+-------------------------------------------+
                              | Field | Value |
                              +-------------------+-------------------------------------------+
                              | Description | |
                              | Egress Policy ID | None |
                              | ID | 1b0e0a1b-94f8-4cba-b51e-f6618017dcb8 |
                              | Ingress Policy ID | b55bd0e3-630c-43fb-aeaf-3ca5df1eb385 |
                              | Name | myfirewallgroup |
                              | Ports | [u'620ea2e0-529e-471b-8b4d-494668165c65'] |
                              | Project | 15b1010426194e309cd8f3de6bf63e1a |
                              | Shared | False |
                              | State | UP |
                              | Status | ACTIVE |
                              | project_id | 15b1010426194e309cd8f3de6bf63e1a |
                              +-------------------+-------------------------------------------+
                              3.7 通过instance测试
                              3.7.1 selfservice network
                                [root@openstack-controller ~]# openstack port list --router router1
                                +--------------------------------------+------+-------------------+-----------------------------------------------------------------------------+--------+
                                | ID | Name | MAC Address | Fixed IP Addresses | Status |
                                +--------------------------------------+------+-------------------+-----------------------------------------------------------------------------+--------+
                                | 079b7a7d-f99b-497b-932f-e6f0ebcd8f8b | | fa:16:3e:52:d7:cc | ip_address='192.0.2.1', subnet_id='a463c01b-2c98-4253-93cf-56e3812429af' | ACTIVE |
                                | 620ea2e0-529e-471b-8b4d-494668165c65 | | fa:16:3e:22:fe:43 | ip_address='10.1.1.254', subnet_id='8543e3af-99de-496f-8599-52a367f8fc36' | ACTIVE |
                                | aefbd66b-8133-4348-89eb-d18c4d342268 | | fa:16:3e:eb:3f:8c | ip_address='10.1.112.114', subnet_id='d37c85b6-c2b4-469c-aacc-b1253596c540' | ACTIVE |
                                +--------------------------------------+------+-------------------+-----------------------------------------------------------------------------+--------+
                                3.7.2 ICMP测试

                                3.7.3 vRouter查看规则
                                  [root@openstack-controller ~]# ip netns exec qrouter-ab63f034-0a79-4041-b348-6e8bd0c40e64 iptables -vnL neutron-l3-agent-fwaas-defau
                                  Chain neutron-l3-agent-fwaas-defau (2 references)
                                  pkts bytes target prot opt in out source destination
                                  0 0 neutron-l3-agent-dropped all -- * * 0.0.0.0/0 0.0.0.0/0
                                    [root@openstack-controller ~]# ip netns exec qrouter-ab63f034-0a79-4041-b348-6e8bd0c40e64 iptables -vnL neutron-l3-agent-iv41b0e0a1b
                                    Chain neutron-l3-agent-iv41b0e0a1b (1 references)
                                    pkts bytes target prot opt in out source destination
                                        0     0 neutron-l3-agent-dropped   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
                                    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
                                    327 27468 neutron-l3-agent-dropped icmp -- * * 192.0.2.8 10.1.1.37
                                    四、安装FWaaS dashboard
                                      https://docs.openstack.org/neutron-fwaas-dashboard/latest/

                                      4.1 下载源码

                                        git clone -b stable/train https://github.com/openstack/neutron-fwaas-dashboard.git

                                        4.2 安装python程序

                                          cd neutron-fwaas-dashboard/
                                          pip install 
                                            [root@openstack-controller ~]# pip -V
                                            pip 8.1.2 from /usr/lib/python2.7/site-packages (python 2.7)

                                            4.3 开启neutron-fwaas-dashboard

                                              find / -name enabled | grep "openstack_dashboard/local/enabled"
                                              cp neutron_fwaas_dashboard/enabled/_70*_*.py /usr/share/openstack-dashboard/openstack_dashboard/local/enabled

                                              4.4 编辑local_settings

                                                vim  /etc/openstack-dashboard/local_settings
                                                POLICY_FILES_PATH = '/etc/openstack-dashboard'
                                                POLICY_FILES = {
                                                'identity': 'keystone_policy.json',
                                                'compute': 'nova_policy.json',
                                                'volume': 'cinder_policy.json',
                                                'image': 'glance_policy.json',
                                                'orchestration': 'heat_policy.json',
                                                'network': 'neutron_policy.json',
                                                'telemetry': 'ceilometer_policy.json',
                                                'neutron-fwaas': 'neutron-fwaas-policy.json'
                                                }

                                                4.5 更新Django

                                                  cd neutron-fwaas-dashboard
                                                  pwd
                                                  /root/neutron-fwaas-dashboard
                                                  #汉化失败
                                                  ./manage.py compilemessages
                                                  DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py collectstatic --noinput
                                                  DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py compress --force

                                                  4.6 重启Httpd

                                                    systemctl restart httpd

