This brief overview assumes that OpenStack Havana has been installed and set up with Neutron networking. If you have not already done this, you could use "https://github.com/cloudnull/rcbops_allinone_inone" or devstack to set up a dev box and then perform the following actions. All of the commands below are run as root.
Install openswan and the Neutron VPN agent package:
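# Pick the package manager explicitly instead of chaining "apt-get || yum":
# with the chained form, an apt-get failure on a Debian/Ubuntu host (for
# example an unreachable mirror) silently falls through to yum and the real
# error is lost behind a "yum: command not found".
if command -v apt-get >/dev/null 2>&1; then
    apt-get install openswan neutron-plugin-vpn-agent
elif command -v yum >/dev/null 2>&1; then
    yum install openswan openstack-neutron-vpn-agent
    # Only the yum path enabled the agent at boot in the original; kept as-is.
    chkconfig neutron-vpn-agent on
else
    echo "neither apt-get nor yum found; install openswan and the neutron vpn agent by hand" >&2
fi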
Place the VPNaaS rootwrap filters (these grant the agent root privileges, so the file must stay root-owned):
# Rootwrap filters for the VPN agent. They allow the unprivileged neutron
# service user to run "ip", "ip netns exec ..." and the openswan "ipsec"
# command as root through neutron-rootwrap. CommandFilter only matches the
# executable name, so anyone able to edit this file or add files to
# /etc/neutron/rootwrap.d can run arbitrary commands as root: keep the
# directory and this file owned by root and not writable by the neutron user.
cat > /etc/neutron/rootwrap.d/vpnaas.filters <<'EOF'
[Filters]
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
openswan: CommandFilter, ipsec, root
EOF
Place vpn_agent.ini:
# VPN agent configuration. interface_driver must match the driver the L3
# agent uses on this host (OVS here); vpn_device_driver selects the openswan
# backend whose "ipsec" command the rootwrap filter above permits;
# ipsec_status_check_interval is the polling interval in seconds.
cat > /etc/neutron/vpn_agent.ini <<'EOF'
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[vpnagent]
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
[ipsec]
ipsec_status_check_interval=60
EOF
Place fwaas_driver.ini:
# FWaaS driver configuration read by the L3 agent. This iptables driver
# applies tenant firewall rules on the routers; it is separate from the
# security-group firewall driver configured for the L2 agent.
cat > /etc/neutron/fwaas_driver.ini <<'EOF'
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
EOF
Add the service plugins to the [DEFAULT] section of /etc/neutron/neutron.conf:
# NOTE THIS IS A COMMA SEPARATED LIST
# This value REPLACES any service_plugins line already present in [DEFAULT];
# merge it with the existing entries (e.g. an L3 router service plugin, if
# your core plugin relies on one) rather than pasting it over them.
service_plugins = neutron.services.vpn.plugin.VPNDriverPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.firewall.fwaas_plugin.FirewallPlugin
Add the service providers to /etc/neutron/neutron.conf:
# Each provider on each line
# NOTE(review): the FIREWALL entry names
# neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver, which
# is the security-group firewall driver used by the L2 agent, not an FWaaS
# service driver; the FWaaS driver for this setup is configured in
# fwaas_driver.ini. Confirm this entry is actually consumed before relying
# on it.
# NOTE(review): the Havana sample neutron.conf spells this section
# [service_providers]; confirm the uppercase section name is accepted, or
# use the sample's spelling so the entries do not end up in a second section.
[SERVICE_PROVIDERS]
service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:Vpn:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
Place the policy JSON (this replaces the existing /etc/neutron/policy.json, so keep a copy of the current file):
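# This REPLACES /etc/neutron/policy.json wholesale, so keep the first copy of
# the existing file to diff against; any site-specific rule it carried would
# otherwise be lost without a trace.
if [ -f /etc/neutron/policy.json ] && [ ! -f /etc/neutron/policy.json.orig ]; then
    cp -p /etc/neutron/policy.json /etc/neutron/policy.json.orig
fi
# Rule semantics worth knowing before applying: an empty rule ("") matches
# any authenticated caller, which is what "regular_user" resolves to, and
# "rule:admin_only" requires the admin role. Note that
# create_firewall_policy:shared and create_firewall_rule:shared are
# admin_or_owner, so a tenant can mark its own policies/rules shared and
# make them readable by any tenant via the shared_firewalls rule.
cat > /etc/neutron/policy.json <<'EOF'
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "shared": "field:networks:shared=True",
    "shared_firewalls": "field:firewalls:shared=True",
    "external": "field:networks:router:external=True",
    "default": "rule:admin_or_owner",

    "subnets:private:read": "rule:admin_or_owner",
    "subnets:private:write": "rule:admin_or_owner",
    "subnets:shared:read": "rule:regular_user",
    "subnets:shared:write": "rule:admin_only",

    "create_subnet": "rule:admin_or_network_owner",
    "get_subnet": "rule:admin_or_owner or rule:shared",
    "update_subnet": "rule:admin_or_network_owner",
    "delete_subnet": "rule:admin_or_network_owner",

    "create_network": "",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external",
    "get_network:router:external": "rule:regular_user",
    "get_network:segments": "rule:admin_only",
    "get_network:provider:network_type": "rule:admin_only",
    "get_network:provider:physical_network": "rule:admin_only",
    "get_network:provider:segmentation_id": "rule:admin_only",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
    "create_network:router:external": "rule:admin_only",
    "create_network:segments": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
    "update_network:segments": "rule:admin_only",
    "update_network:provider:network_type": "rule:admin_only",
    "update_network:provider:physical_network": "rule:admin_only",
    "update_network:provider:segmentation_id": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",

    "create_port": "",
    "create_port:mac_address": "rule:admin_or_network_owner",
    "create_port:fixed_ips": "rule:admin_or_network_owner",
    "create_port:port_security_enabled": "rule:admin_or_network_owner",
    "create_port:binding:host_id": "rule:admin_only",
    "create_port:binding:profile": "rule:admin_only",
    "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
    "get_port": "rule:admin_or_owner",
    "get_port:queue_id": "rule:admin_only",
    "get_port:binding:vif_type": "rule:admin_only",
    "get_port:binding:capabilities": "rule:admin_only",
    "get_port:binding:host_id": "rule:admin_only",
    "get_port:binding:profile": "rule:admin_only",
    "update_port": "rule:admin_or_owner",
    "update_port:fixed_ips": "rule:admin_or_network_owner",
    "update_port:port_security_enabled": "rule:admin_or_network_owner",
    "update_port:binding:host_id": "rule:admin_only",
    "update_port:binding:profile": "rule:admin_only",
    "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
    "delete_port": "rule:admin_or_owner",

    "create_router:external_gateway_info:enable_snat": "rule:admin_only",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",

    "create_firewall": "",
    "get_firewall": "rule:admin_or_owner",
    "create_firewall:shared": "rule:admin_only",
    "get_firewall:shared": "rule:admin_only",
    "update_firewall": "rule:admin_or_owner",
    "delete_firewall": "rule:admin_or_owner",

    "create_firewall_policy": "",
    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
    "create_firewall_policy:shared": "rule:admin_or_owner",
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

    "create_firewall_rule": "",
    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "create_firewall_rule:shared": "rule:admin_or_owner",
    "get_firewall_rule:shared": "rule:admin_or_owner",
    "update_firewall_rule": "rule:admin_or_owner",
    "delete_firewall_rule": "rule:admin_or_owner",

    "create_qos_queue": "rule:admin_only",
    "get_qos_queue": "rule:admin_only",

    "update_agent": "rule:admin_only",
    "delete_agent": "rule:admin_only",
    "get_agent": "rule:admin_only",

    "create_dhcp-network": "rule:admin_only",
    "delete_dhcp-network": "rule:admin_only",
    "get_dhcp-networks": "rule:admin_only",
    "create_l3-router": "rule:admin_only",
    "delete_l3-router": "rule:admin_only",
    "get_l3-routers": "rule:admin_only",
    "get_dhcp-agents": "rule:admin_only",
    "get_l3-agents": "rule:admin_only",
    "get_loadbalancer-agent": "rule:admin_only",
    "get_loadbalancer-pools": "rule:admin_only",

    "create_router": "rule:regular_user",
    "get_router": "rule:admin_or_owner",
    "update_router:add_router_interface": "rule:admin_or_owner",
    "update_router:remove_router_interface": "rule:admin_or_owner",
    "delete_router": "rule:admin_or_owner",

    "create_floatingip": "rule:regular_user",
    "update_floatingip": "rule:admin_or_owner",
    "delete_floatingip": "rule:admin_or_owner",
    "get_floatingip": "rule:admin_or_owner",

    "create_network_profile": "rule:admin_only",
    "update_network_profile": "rule:admin_only",
    "delete_network_profile": "rule:admin_only",
    "get_network_profiles": "",
    "get_network_profile": "",
    "update_policy_profiles": "rule:admin_only",
    "get_policy_profiles": "",
    "get_policy_profile": "",

    "create_metering_label": "rule:admin_only",
    "delete_metering_label": "rule:admin_only",
    "get_metering_label": "rule:admin_only",
    "create_metering_label_rule": "rule:admin_only",
    "delete_metering_label_rule": "rule:admin_only",
    "get_metering_label_rule": "rule:admin_only",

    "get_service_provider": "rule:regular_user"
}
EOF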
Restart all of the Neutron Services:
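# Restart every Neutron init script. The original ran "$i restart" unquoted
# and without checking that the glob matched anything, so on a host with no
# /etc/init.d/*neutron-* scripts it would try to execute the literal
# pattern; skip anything that is not an executable file.
for script in /etc/init.d/*neutron-*; do
    [ -x "$script" ] || continue
    "$script" restart
done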