Installing FWaaS on OpenStack (Queens)

First, my environment is Ubuntu 16.04.

Online I found only this one blog post that covered the installation steps, but when I followed that post's method I found that both the dashboard and FWaaS had problems......... unbelievable. So I configured it myself following the official documentation, and found the official documentation also has problems..

1. About installing the dashboard

At first I installed according to the official neutron-fwaas-dashboard documentation, and ran into a problem at the step below: the Chinese localization could not be applied. Recording it here:

./manage.py compilemessages

The compile commands below still work; I recommend using them:

$ cd /usr/share/openstack-dashboard
$ DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py collectstatic --noinput
$ DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py compress --force

2. Configuring FWaaS (v1)

I don't recommend following the official documentation directly; for Ubuntu 16.04 it is wrong in one place.

2.0. Download directly from the Ubuntu source

git clone -b stable/queens https://www.github.com/openstack/neutron-fwaas

2.1. Configure the following line in /etc/neutron/neutron.conf: append firewall to the end of the service_plugins line

[DEFAULT]

.......

service_plugins = ...,...,...,firewall

........

2.2. Modify l3_agent.ini

[AGENT]
extensions = fwaas

2.3. Modify /etc/neutron/fwaas_driver.ini; after my changes it looks like this. Note that the official documentation is wrong again here! [service_providers] should go in fwaas_driver.ini, not in neutron.conf! Doing it the way the official documentation says is wrong.

[DEFAULT]


[fwaas]

#
# From firewall.agent
#

# Name of the FWaaS Driver (string value)
driver = iptables

# Enable FWaaS (boolean value)
enabled = true

# Firewall agent class (string value)
agent_version = v1

# Name of the FWaaS Conntrack Driver (string value)
conntrack_driver = conntrack

# Name of the firewall l2 driver (string value)
#firewall_l2_driver = noop

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

2.4. Update the database

neutron-db-manage --subproject neutron-fwaas upgrade head

2.5. Modify /etc/openstack-dashboard/local_settings.py

At around line 325,

change it to:

OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': True,
    'enable_quotas': True,
    'enable_ipv6': True,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_fip_topology_check': True,
    'enable_firewall': True,
........
........
}

Note: the official documentation uses an "=" sign here, which is wrong again.

2.6. Restart the services

service neutron-server restart
service neutron-l3-agent restart
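Added example (not code from the post or from the neutron-fwaas project): a small Python checker that reads the three files edited in steps 2.1 to 2.3 and reports any deviation from the settings above, including the trap the post calls out, [service_providers] placed in neutron.conf instead of fwaas_driver.ini. The file contents below are constructed samples (the core_plugin line and the "wrong" neutron.conf are assumptions for illustration); on a real host point check_fwaas_files at the files under /etc/neutron instead.

```python
"""Check the FWaaS v1 settings from steps 2.1 to 2.3 in the three Neutron
config files. Added example, not code from the post or from neutron-fwaas."""
import configparser

EXPECTED_PROVIDER = ("FIREWALL:Iptables:neutron.agent.linux.iptables_firewall."
                     "OVSHybridIptablesFirewallDriver:default")


def _parse(text):
    # strict=False tolerates the duplicate keys found in real neutron.conf files;
    # interpolation=None keeps '%' in values (e.g. connection strings) intact.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_fwaas_config(neutron_conf, l3_agent_ini, fwaas_driver_ini):
    """Return a list of problems; an empty list means all three files match."""
    problems = []
    neutron = _parse(neutron_conf)
    l3 = _parse(l3_agent_ini)
    fwaas = _parse(fwaas_driver_ini)

    # 2.1: 'firewall' appended to service_plugins in [DEFAULT]
    plugins = _csv(neutron.get("DEFAULT", "service_plugins", fallback=""))
    if "firewall" not in plugins:
        problems.append("neutron.conf: service_plugins does not contain 'firewall'")

    # 2.3 (the post's correction): [service_providers] must not be in neutron.conf
    if neutron.has_section("service_providers"):
        problems.append("neutron.conf: [service_providers] belongs in fwaas_driver.ini")

    # 2.2: the L3 agent must load the fwaas extension
    exts = _csv(l3.get("AGENT", "extensions", fallback=""))
    if "fwaas" not in exts:
        problems.append("l3_agent.ini: [AGENT] extensions does not include 'fwaas'")

    # 2.3: iptables driver enabled, v1 agent, provider registered in this file
    for key, want in (("enabled", "true"), ("driver", "iptables"), ("agent_version", "v1")):
        got = fwaas.get("fwaas", key, fallback="").lower()
        if got != want:
            problems.append(f"fwaas_driver.ini: [fwaas] {key} is {got!r}, expected {want!r}")
    if fwaas.get("service_providers", "service_provider", fallback="") != EXPECTED_PROVIDER:
        problems.append("fwaas_driver.ini: [service_providers] service_provider missing or wrong")
    return problems


def check_fwaas_files(neutron_path, l3_path, fwaas_path):
    """Same check against real files, e.g. the three paths under /etc/neutron."""
    with open(neutron_path) as a, open(l3_path) as b, open(fwaas_path) as c:
        return check_fwaas_config(a.read(), b.read(), c.read())


# Constructed samples: a neutron.conf with [service_providers] placed where the
# post says the official docs put it and with firewall missing from
# service_plugins, next to the layout the post arrived at. core_plugin = ml2
# is an assumption for illustration.
WRONG_NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2
service_plugins = router,metering

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
"""

GOOD_NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2
service_plugins = router,metering,firewall
"""

L3_AGENT_INI = """
[AGENT]
extensions = fwaas
"""

FWAAS_DRIVER_INI = """
[DEFAULT]

[fwaas]
driver = iptables
enabled = true
agent_version = v1
conntrack_driver = conntrack
#firewall_l2_driver = noop

[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
"""

if __name__ == "__main__":
    for label, conf in (("docs layout", WRONG_NEUTRON_CONF), ("post layout", GOOD_NEUTRON_CONF)):
        print(label, check_fwaas_config(conf, L3_AGENT_INI, FWAAS_DRIVER_INI) or "OK")
```

Run it before the restart in 2.6: an empty list means the plugin, the agent extension and the driver file all agree, so a firewall that later stays in PENDING_CREATE is not a config-placement problem.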

3. Using the command line

Note:

FWaaS usage follows the order "create rule -> create policy -> create firewall"; the order cannot be reversed!!

0. Before using the firewall

1. Create a rule

neutron  firewall-rule-create  --name rule1  --protocol  any \
 --destination-ip-address  10.171.103.152  --action deny

Result:

Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| description            |                                      |
| destination_ip_address | 10.171.103.152                       |
| destination_port       |                                      |
| enabled                | True                                 |
| firewall_policy_id     |                                      |
| id                     | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| ip_version             | 4                                    |
| name                   | rule1                                |
| position               |                                      |
| project_id             | 94b35ccc09164772a833e433b81c3e25     |
| protocol               |                                      |
| shared                 | False                                |
| source_ip_address      |                                      |
| source_port            |                                      |
| tenant_id              | 94b35ccc09164772a833e433b81c3e25     |
+------------------------+--------------------------------------+

2. Create a policy. Note: --firewall-rules is followed by the rule name.

neutron  firewall-policy-create  --firewall-rules  "rule1"  mypolicy

Result:

Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| audited        | False                                |
| description    |                                      |
| firewall_rules | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| id             | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
| name           | mypolicy                             |
| project_id     | 94b35ccc09164772a833e433b81c3e25     |
| shared         | False                                |
| tenant_id      | 94b35ccc09164772a833e433b81c3e25     |
+----------------+--------------------------------------+

3. Create the firewall and bind the policy created above to it. Note: "firewall-create" is followed by the policy id, e.g. the id of the policy above, "f503d232-5bcb-44b5-a864-8f93c01ddd6e".

neutron firewall-create f503d232-5bcb-44b5-a864-8f93c01ddd6e

Result:

Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
| id                 | c5c0fb90-e41f-4ec6-b257-5bf55b7cbac4 |
| name               |                                      |
| project_id         | 94b35ccc09164772a833e433b81c3e25     |
| router_ids         | b83802c4-801a-4ff1-b8c7-8c585ed25669 |
| status             | PENDING_CREATE                       |
| tenant_id          | 94b35ccc09164772a833e433b81c3e25     |
+--------------------+--------------------------------------+

5. Now ping no longer gets through~

root@computer:/home# ping 10.171.103.152
PING 10.171.103.152 (10.171.103.152) 56(84) bytes of data.
^C
--- 10.171.103.152 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16009ms

root@computer:/home# 
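Added example, not code from the post: a Python driver for the three-step sequence above that parses the table neutron prints after each create, checks that what came back is what was asked for (the rule's action and destination, the policy's rule list, the firewall's bound policy), and only then passes the id on to the next command. The transcripts embedded below are abridged copies of the post's own output; fake_run returning them is an assumption so the flow runs offline, and on a controller you would pass a function that hands the argv to subprocess.run instead.

```python
"""Drive the rule -> policy -> firewall sequence from section 3 and verify each
step's CLI output before feeding its id to the next. Added example, not code
from the post; the neutron CLI is not executed here."""
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_neutron_table(output):
    """Turn the '| Field | Value |' table neutron prints into a dict."""
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                      # +----+ borders and the header text
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Field":
            fields[cells[0]] = cells[1]   # empty cells become ''
    return fields


def created_id(output, kind):
    """Return the id from a 'Created a new <kind>:' transcript, or raise."""
    if f"Created a new {kind}:" not in output:
        raise ValueError(f"not a {kind} creation transcript")
    obj_id = parse_neutron_table(output).get("id", "")
    if not UUID_RE.match(obj_id):
        raise ValueError(f"no valid id in {kind} output")
    return obj_id


def rule_create_cmd(name, dest_ip, action="deny", protocol="any"):
    return ["neutron", "firewall-rule-create", "--name", name, "--protocol", protocol,
            "--destination-ip-address", dest_ip, "--action", action]


def policy_create_cmd(policy_name, rule_names):
    # --firewall-rules takes rule names (whitespace-separated, one argument)
    return ["neutron", "firewall-policy-create", "--firewall-rules",
            " ".join(rule_names), policy_name]


def firewall_create_cmd(policy_id):
    # firewall-create takes the policy id, not its name
    return ["neutron", "firewall-create", policy_id]


def apply_fwaas_v1(run, rule_name, dest_ip, policy_name):
    """`run` takes an argv list and returns the CLI's stdout; inject a
    subprocess wrapper on a controller, or fake_run below for an offline dry run."""
    out = run(rule_create_cmd(rule_name, dest_ip))
    rule = parse_neutron_table(out)
    rule_id = created_id(out, "firewall_rule")
    if rule.get("action") != "deny" or rule.get("destination_ip_address") != dest_ip:
        raise ValueError("rule was created with a different action or destination")

    out = run(policy_create_cmd(policy_name, [rule_name]))
    policy_id = created_id(out, "firewall_policy")
    if rule_id not in parse_neutron_table(out).get("firewall_rules", ""):
        raise ValueError("policy does not reference the rule just created")

    out = run(firewall_create_cmd(policy_id))
    fw = parse_neutron_table(out)
    if fw.get("firewall_policy_id") != policy_id:
        raise ValueError("firewall is not bound to the policy just created")
    return {"rule_id": rule_id, "policy_id": policy_id,
            "firewall_id": created_id(out, "firewall"), "status": fw.get("status")}


# Abridged copies of the three transcripts in the post, used as canned output.
RULE_OUTPUT = """Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| action                 | deny                                 |
| destination_ip_address | 10.171.103.152                       |
| id                     | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
+------------------------+--------------------------------------+
"""
POLICY_OUTPUT = """Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| firewall_rules | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| id             | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
+----------------+--------------------------------------+
"""
FIREWALL_OUTPUT = """Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| firewall_policy_id | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
| id                 | c5c0fb90-e41f-4ec6-b257-5bf55b7cbac4 |
| status             | PENDING_CREATE                       |
+--------------------+--------------------------------------+
"""
CANNED = {"firewall-rule-create": RULE_OUTPUT, "firewall-policy-create": POLICY_OUTPUT,
          "firewall-create": FIREWALL_OUTPUT}


def fake_run(argv):
    return CANNED[argv[1]]


if __name__ == "__main__":
    print(apply_fwaas_v1(fake_run, "rule1", "10.171.103.152", "mypolicy"))
```

The status the post shows right after firewall-create is PENDING_CREATE; the returned dict carries it so a caller can poll neutron firewall-show until ACTIVE before treating the ping test in step 5 as conclusive.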

If you have any questions, feel free to get in touch~~


Reposted from blog.csdn.net/m0_37313888/article/details/86513516