First of all, my environment is Ubuntu 16.04.
Online I found only this one blog post describing the installation steps, but when I followed it I found that both the dashboard and FWaaS had problems......... unbelievable. So I went through the official documentation myself and found that the official documentation has problems too.
1. Installing the dashboard
At first I followed the official neutron-fwaas-dashboard documentation, and I ran into a problem at the step below: the Chinese localization could not be compiled. Recording it here.
./manage.py compilemessages
The compile steps below still work, and I recommend using them:
cd /usr/share/openstack-dashboard
DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py collectstatic --noinput
DJANGO_SETTINGS_MODULE=openstack_dashboard.settings python manage.py compress --force
2. Configuring FWaaS (v1)
I don't recommend following the official documentation directly; for Ubuntu 16.04 the official documentation is wrong in one place.
2.0. Fetch the source directly
git clone -b stable/queens https://www.github.com/openstack/neutron-fwaas
2.1. Edit the following line in /etc/neutron/neutron.conf: append firewall to the end of the service_plugins line
[DEFAULT]
.......
service_plugins = ...,...,...,firewall
........
2.2. Edit l3_agent.ini
[AGENT]
extensions = fwaas
2.3. Edit /etc/neutron/fwaas_driver.ini. Mine looks like this after the change. Note: the official documentation is wrong here again! [service_providers] should go in fwaas_driver.ini, not in neutron.conf! Doing it the way the official documentation says is wrong.
[DEFAULT]
[fwaas]
#
# From firewall.agent
#
# Name of the FWaaS Driver (string value)
driver = iptables
# Enable FWaaS (boolean value)
enabled = true
# Firewall agent class (string value)
agent_version = v1
# Name of the FWaaS Conntrack Driver (string value)
conntrack_driver = conntrack
# Name of the firewall l2 driver (string value)
#firewall_l2_driver = noop
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
2.4. Update the database
neutron-db-manage --subproject neutron-fwaas upgrade head
2.5. Edit /etc/openstack-dashboard/local_settings.py
Around line 325,
change it to:
OPENSTACK_NEUTRON_NETWORK = {
'enable_router': True,
'enable_quotas': True,
'enable_ipv6': True,
'enable_distributed_router': False,
'enable_ha_router': False,
'enable_fip_topology_check': True,
'enable_firewall': True,
........
........
}
Note: here the official documentation uses an "=" sign, which is wrong again.
2.6. Restart
service neutron-server restart
service neutron-l3-agent restart
3. Using the command line
Note:
FWaaS must be used in the order "create rule -> create policy -> create firewall"; the order cannot be reversed!!
0. Before using the firewall
1. Create a rule
neutron firewall-rule-create --name rule1 --protocol any \
--destination-ip-address 10.171.103.152 --action deny
Result:
Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field | Value |
+------------------------+--------------------------------------+
| action | deny |
| description | |
| destination_ip_address | 10.171.103.152 |
| destination_port | |
| enabled | True |
| firewall_policy_id | |
| id | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| ip_version | 4 |
| name | rule1 |
| position | |
| project_id | 94b35ccc09164772a833e433b81c3e25 |
| protocol | |
| shared | False |
| source_ip_address | |
| source_port | |
| tenant_id | 94b35ccc09164772a833e433b81c3e25 |
+------------------------+--------------------------------------+
2. Create a policy. Note: --firewall-rules is followed by the rule name.
neutron firewall-policy-create --firewall-rules "rule1" mypolicy
Result:
Created a new firewall_policy:
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| audited | False |
| description | |
| firewall_rules | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| id | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
| name | mypolicy |
| project_id | 94b35ccc09164772a833e433b81c3e25 |
| shared | False |
| tenant_id | 94b35ccc09164772a833e433b81c3e25 |
+----------------+--------------------------------------+
3. Create the firewall and bind the policy created above to it. Note: "firewall-create" is followed by the policy id, for example the id of the policy above, "f503d232-5bcb-44b5-a864-8f93c01ddd6e".
neutron firewall-create f503d232-5bcb-44b5-a864-8f93c01ddd6e
Result:
Created a new firewall:
+--------------------+--------------------------------------+
| Field | Value |
+--------------------+--------------------------------------+
| admin_state_up | True |
| description | |
| firewall_policy_id | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
| id | c5c0fb90-e41f-4ec6-b257-5bf55b7cbac4 |
| name | |
| project_id | 94b35ccc09164772a833e433b81c3e25 |
| router_ids | b83802c4-801a-4ff1-b8c7-8c585ed25669 |
| status | PENDING_CREATE |
| tenant_id | 94b35ccc09164772a833e433b81c3e25 |
+--------------------+--------------------------------------+
4. Now the ping no longer gets through~
root@computer:/home# ping 10.171.103.152
PING 10.171.103.152 (10.171.103.152) 56(84) bytes of data.
^C
--- 10.171.103.152 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16009ms
root@computer:/home#
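As an added example (not code from the post), here is a small Python helper that parses the "| Field | Value |" tables the neutron CLI prints above and chains the three steps in the required order, handing the rule name to firewall-policy-create and the policy id to firewall-create, and checking that the policy really references the rule just created. The SAMPLE_OUTPUT tables are trimmed copies of the post's output, and fake_runner is a hypothetical offline stand-in for invoking the CLI.

```python
SAMPLE_OUTPUT = {  # trimmed copies of the CLI output shown in the post, for the offline runner
    "firewall-rule-create": """Created a new firewall_rule:
+------------------------+--------------------------------------+
| Field                  | Value                                |
+------------------------+--------------------------------------+
| description            |                                      |
| destination_ip_address | 10.171.103.152                       |
| id                     | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| name                   | rule1                                |
+------------------------+--------------------------------------+""",
    "firewall-policy-create": """Created a new firewall_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| firewall_rules | 8bf03eb3-1bb8-4084-b566-a93a6281d2fc |
| id             | f503d232-5bcb-44b5-a864-8f93c01ddd6e |
+----------------+--------------------------------------+""",
    "firewall-create": """Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| id                 | c5c0fb90-e41f-4ec6-b257-5bf55b7cbac4 |
| status             | PENDING_CREATE                       |
+--------------------+--------------------------------------+""",
}

def parse_table(output: str) -> dict[str, str]:
    """'| Field | Value |' table -> dict; the title line, borders and header row are skipped."""
    fields: dict[str, str] = {}
    for line in output.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if line.startswith("|") and len(cells) == 2 and cells[0] != "Field":
            fields[cells[0]] = cells[1]  # empty cells (e.g. description) become ""
    return fields

def fake_runner(cmd: list[str]) -> str:
    """Hypothetical offline stand-in for the CLI; a real deployment would wrap subprocess.run(cmd)."""
    return SAMPLE_OUTPUT[cmd[1]]  # cmd[1] is the neutron sub-command

def deny_host(rule: str, policy: str, dst_ip: str, run=fake_runner) -> dict[str, str]:
    """rule -> policy -> firewall, the order the post says must not be reversed."""
    rule_out = parse_table(run(["neutron", "firewall-rule-create", "--name", rule, "--protocol",
                                "any", "--destination-ip-address", dst_ip, "--action", "deny"]))
    # policy-create takes the rule NAME; firewall-create takes the policy ID
    pol_out = parse_table(run(["neutron", "firewall-policy-create", "--firewall-rules", rule, policy]))
    if pol_out["firewall_rules"] != rule_out["id"]:
        raise RuntimeError("policy does not reference the rule just created")
    fw_out = parse_table(run(["neutron", "firewall-create", pol_out["id"]]))
    return {"rule_id": rule_out["id"], "policy_id": pol_out["id"],
            "firewall_id": fw_out["id"], "status": fw_out["status"]}
```

Pass a function that wraps the real neutron CLI as `run` to drive an actual deployment; the firewall will first show status PENDING_CREATE, as in the post's output.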
If you have any questions, feel free to discuss~~