Chapter 9: Running in OpenStack

The Clavister Firewall can be deployed in an OpenStack environment that uses KVM on Intel x86_64 as nova compute nodes. This section covers deployment and looks at the steps needed using the Horizon implementation of the OpenStack dashboard.

It is assumed that OpenStack has already been installed in a Linux environment and that the Horizon dashboard is also available.

OpenStack Prerequisites

To install the Clavister Firewall with Horizon, the following is required:

Setup Steps

The following steps are required for setup:

A. Create a Security Group.

B. Deploy an instance of cOS Stream.

C. Configure cOS Stream.

These steps will now be described in detail.

A. Create a Security Group

A Security Group needs to be created. This can be done through Horizon but here it is done with the OpenStack Neutron utility using the following steps:

  1. Define the security group:

    root@controller:~# neutron security-group-create
    		-description 'my security group'
    		netguard -security-group

  2. Add the rule:

    root@controller:~# neutron security-group-rule-create
    		-direction ingress -remote_ip_prefix

  3. Verify that the group exists:

    root@controller:~# neutron security-group-list

B. Deploy an instance

Before launching a new instance, a disk volume should be created from the imported image so it has permanency. This is done in Horizon with the following steps:

  1. Select Volumes under the Compute tab.

  2. Select Create Volume.

  3. Select the imported image as the Volume Source and press Create Volume.

  4. Now, cOS Stream can be started by pressing Launch Instance under the Instances tab.

  5. Select a suitable Name and Flavor and choose Boot from volume as the Boot Source.

  6. Under the Access & Security tab, select the previously create security group called netguard-security-group.

  7. Select which networks to use under Networking.

  8. Press Launch.

C. Configure the system

Once the system is up and running, cOS Stream will prompt for the activate and commit CLI commands to be entered. This will permanently add the detected Ethernet interfaces to the configuration.

Next, the CLI should be used to configure the IP addresses and networks assigned to these interfaces. These should then be visible in Horizon under Instance Overview.

The form of commands for configuring the interfaces can be found in the separate Clavister Firewall Administration Guide.

[Note] Note: Using GRE tunneling in OpenStack

If GRE tunneling is used in the OpenStack environment, the added overhead for the GRE headers may require a lower MTU size configuration on cOS Stream interfaces. Alternatively, OpenStack may require that jumbo frames are enabled.