From patchwork Tue Oct 24 14:10:09 2017
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 829911
Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail
smtp.mailfrom=mmichels@redhat.com Received: from monae.redhat.com (ovpn-122-209.rdu2.redhat.com [10.10.122.209]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7092A7C019 for ; Tue, 24 Oct 2017 14:10:10 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Tue, 24 Oct 2017 09:10:09 -0500 Message-Id: <20171024141009.11077-1-mmichels@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 24 Oct 2017 14:10:10 +0000 (UTC) X-Spam-Status: No, score=-5.0 required=5.0 tests=RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH] OVN: Document how to use firewalld service files X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Firewalld service files for OVN have been in the source for several months. This adds instructions for how to use these service files with firewalld. Signed-off-by: Mark Michelson --- Documentation/automake.mk | 1 + Documentation/howto/firewalld.rst | 110 ++++++++++++++++++++++++++++++++++++++ Documentation/howto/index.rst | 1 + 3 files changed, 112 insertions(+) create mode 100644 Documentation/howto/firewalld.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 6f38912f2..5f4d5e85d 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -46,6 +46,7 @@ DOC_SOURCE = \ Documentation/howto/index.rst \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ + Documentation/howto/firewalld.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ 
diff --git a/Documentation/howto/firewalld.rst b/Documentation/howto/firewalld.rst new file mode 100644 index 000000000..b78d8e3b4 --- /dev/null +++ b/Documentation/howto/firewalld.rst 
@@ -0,0 +1,110 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + ======= Heading 0 (reserved for the title in a document) + ------- Heading 1 + ~~~~~~~ Heading 2 + +++++++ Heading 3 + ''''''' Heading 4 + + Avoid deeper levels because they do not render well. + +=================================== +Open Virtual Network With firewalld +=================================== + +firewalld is a service that allows for easy administration of firewalls. OVN +ships with a set of service files that can be used with firewalld to allow +for remote connections to the northbound and southbound databases. + +This guide will describe how you can use these files with your existing +firewalld setup. Setup and administration of firewalld is outside the scope +of this document. + +Installation +------------ + +If you have installed OVN from an RPM, then the service files for firewalld +will automatically be installed in /usr/lib/firewalld/services. Installation +from RPM includes installation from the yum or dnf package managers. 
+ +If you have installed OVN from source, then from the top level source +directory, issue the following commands to copy the firewalld service files: + +:: + + $ cp rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \ + /etc/firewalld/services/ + $ cp rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \ + /etc/firewalld/services/ + + +Activation +---------- + +Assuming you are already running firewalld, you can issue the following +commands to enable the OVN services. + +On the central server (the one running ovn-northd), issue the following + +:: + +$ firewall-cmd --zone=public --add-service=ovn-central-firewall-service + +This will open TCP ports 6641 and 6642, allowing for remote connections to the +northbound and southbound databases. + +On the OVN hosts (the ones running ovn-controller), issue the following + +:: + +$ firewall-cmd --zone=public --add-service=ovn-host-firewall-service + +This will open UDP port 6081, allowing for geneve traffic to flow between the +controllers. + +Variations +---------- + +When installing the XML service files, you have the choice of copying them to +/etc/firewalld/services or /usr/lib/firewalld/services. The former is +recommened since the latter can be overwritten if firewalld is upgraded. + +The above commands assumed your underlay network interfaces are in the +"public" firewalld zone. If your underlay network interfaces are in a separate +zone, then adjust the above commands accordingly. + +The \-\-permanent option may be passed to the above firewall-cmd invocations +in order for the services to be permanently added to the firewalld +configuration. This way it is not necessary to re-issue the commands eaach +time the firewalld service restarts. + +The ovn-host-firewall-service only opens port 6081. This is because the +default protocol for OVN tunnels is geneve. If you are using a different +encapsulation protocol, you will need to modify the XML service file to open +the appropriate port(s). 
For VXLAN, open port 4789. For STT, open port 7471. + +Recommendations +--------------- + +The firewalld service files included with the OVS repo are meant as a +convenience for firewalld users. All that the service files do is to open +the common ports used by OVN. No additional security is provided. To ensure a +more secure environment, it is a good idea to do the following + +* Use tools such as iptables or nftables to restrict access to known hosts. +* Use SSL for all remote connections to OVN databases. +* Use role based access control for connections to the OVN southbound + database. diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 5859a33dc..201d6936b 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -57,3 +57,4 @@ OVN docker openstack-containers + firewalld
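Review bot: in the Documentation/howto/firewalld.rst hunk, the two firewall-cmd examples in the Activation section will not render as literal blocks: after the `::` marker the lines `$ firewall-cmd --zone=public --add-service=ovn-central-firewall-service` and `$ firewall-cmd --zone=public --add-service=ovn-host-firewall-service` are not indented, unlike the cp example in the Installation section, so Sphinx will emit a bare colon paragraph followed by ordinary text; indent both commands the same way the cp block is indented. Two typos in the Variations section: "recommened" and "eaach". The paragraph on \-\-permanent should also state that \-\-permanent on its own only updates the stored configuration; the reader needs to issue the command a second time without \-\-permanent (or reload firewalld) for the running rule set to change, otherwise the text reads as if one invocation does both. In the Recommendations section, since this document is about firewalld, it would be more consistent to point readers at firewalld's own means of restricting a service to known source addresses (binding sources to a zone, or rich rules) before suggesting raw iptables or nftables, which can conflict with rules firewalld manages; the advice to use SSL and role based access control for the database connections is the right emphasis, and it is worth saying explicitly that once ports 6641 and 6642 are opened the northbound and southbound databases are reachable from any host on the underlay until SSL and RBAC are configured.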
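Review bot: in the Documentation/howto/index.rst hunk, the new `firewalld` toctree entry is appended after `openstack-containers`; the visible context under OVN (`docker`, then `openstack-containers`) is alphabetical, so if that ordering is intentional the entry belongs between `docker` and `openstack-containers`.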