Merge "base-test: iptables: allow zuul console streaming"

playbooks/group_vars/afs.yaml

@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/afsdb.yaml

@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/all.yaml

@@ -17,6 +17,17 @@ iptables_base_allowed_hosts:
 iptables_extra_allowed_hosts: []
 iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
 
+iptables_base_public_tcp_ports: []
+iptables_extra_public_tcp_ports: []
+# iptables_test_public_tcp_ports is here only to allow the test
+# framework to inject an iptables rule to allow zuul console
+# streaming.  Do not use it otherwise.
+iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
+
+iptables_base_public_udp_ports: []
+iptables_extra_public_udp_ports: []
+iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:

playbooks/group_vars/eavesdrop.yaml

@@ -1,2 +1,2 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80

playbooks/group_vars/firehose.yaml

@@ -17,7 +17,7 @@ exim_transports:
       socket = /var/run/cyrus/socket/lmtp
       user = cyrus
       batch_max = 35
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 25
   - 80
   - 443

playbooks/group_vars/gerrit.yaml

@@ -2,7 +2,7 @@ exim_extra_aliases:
   gerrit2: root
 iptables_rules:
   - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 443
   - 29418

playbooks/group_vars/git-loadbalancer.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 443
   - 9418

playbooks/group_vars/git-server.yaml

@@ -1,5 +1,5 @@
 ansible_python_interpreter: python2
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 4443
   - 8080
   - 29418

playbooks/group_vars/kdc.yaml

@@ -1,9 +1,9 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 88
   - 464
   - 749
   - 754
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
   - 88
   - 464
   - 749

playbooks/group_vars/logstash.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 3306
 iptables_extra_allowed_hosts:

playbooks/group_vars/mailman.yaml

@@ -2,7 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 25
   - 80
   - 465

playbooks/group_vars/mirror.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 8080
   - 8081

playbooks/group_vars/ns.yaml

@@ -1,2 +1,4 @@
-iptables_public_ports:
+iptables_extra_public_tcp_ports:
+  - 53
+iptables_extra_public_udp_ports:
   - 53

playbooks/group_vars/pbx.yaml

@@ -1,7 +1,7 @@
 # SIP signaling is either TCP or UDP port 5060.
 # RTP media (audio/video) uses a range of UDP ports.
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 5060
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
   - 5060
   - 10000:20000

playbooks/group_vars/webservers.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 22
   - 80
   - 443

playbooks/group_vars/zuul-executor.yaml

@@ -1,3 +1,3 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 79
   - 7900

playbooks/group_vars/zuul-scheduler.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 79
   - 80
   - 443

playbooks/zuul/run-base.yaml

@@ -36,6 +36,7 @@
         bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
         bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
         bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
+        iptables_test_public_tcp_ports: [19885]
       template:
         src: "templates/{{ item }}.j2"
         dest: "/etc/ansible/hosts/{{ item }}"

playbooks/zuul/templates/group_vars/all.yaml.j2

@@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
 bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
+iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}

testinfra/test_base.py

@@ -75,11 +75,10 @@ def test_iptables(host):
     reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
     assert reject in rules
 
-    # Make sure that the zuul console stream rule has been removed
-    # from the test node
+    # Make sure that the zuul console stream rule is still present
     zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
             ' -m tcp --dport 19885 -j ACCEPT')
-    assert zuul not in rules
+    assert zuul in rules
 
     # Ensure all IPv4 addresses for cacti are allowed
     for ip in get_ips('cacti.openstack.org', socket.AF_INET):