
Add iptables role

Co-Authored-By: James E. Blair <corvus@inaugust.com>
Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c
Depends-On: https://review.openstack.org/596503
changes/73/593973/17
Monty Taylor 3 years ago
committed by James E. Blair
parent
commit
15663daaf7
  1. 62
      hiera/common.yaml
  2. 17
      inventory/groups.yaml
  3. 274
      manifests/site.pp
  4. 4
      modules/openstack_project/manifests/cacti.pp
  5. 4
      modules/openstack_project/manifests/git.pp
  6. 4
      modules/openstack_project/manifests/openstackid_dev.pp
  7. 4
      modules/openstack_project/manifests/openstackid_prod.pp
  8. 4
      modules/openstack_project/manifests/planet.pp
  9. 25
      modules/openstack_project/manifests/server.pp
  10. 4
      modules/openstack_project/manifests/storyboard.pp
  11. 8
      modules/openstack_project/manifests/summit.pp
  12. 4
      modules/openstack_project/manifests/translate_dev.pp
  13. 4
      modules/openstack_project/manifests/wiki.pp
  14. 10
      modules/openstack_project/spec/acceptance/basic_spec.rb
  15. 4
      modules/openstack_project/spec/acceptance/fixtures/default.pp
  16. 1
      playbooks/base.yaml
  17. 0
      playbooks/filter_plugins/__init__.py
  18. 41
      playbooks/filter_plugins/getaddrinfo.py
  19. 1
      playbooks/group_vars/afs.yaml
  20. 1
      playbooks/group_vars/afsdb.yaml
  21. 12
      playbooks/group_vars/all.yaml
  22. 2
      playbooks/group_vars/eavesdrop.yaml
  23. 82
      playbooks/group_vars/elasticsearch.yaml
  24. 6
      playbooks/group_vars/firehose.yaml
  25. 8
      playbooks/group_vars/gerrit.yaml
  26. 4
      playbooks/group_vars/git-loadbalancer.yaml
  27. 4
      playbooks/group_vars/git-server.yaml
  28. 88
      playbooks/group_vars/graphite.yaml
  29. 9
      playbooks/group_vars/kdc.yaml
  30. 103
      playbooks/group_vars/logstash.yaml
  31. 4
      playbooks/group_vars/mailman.yaml
  32. 5
      playbooks/group_vars/mirror.yaml
  33. 26
      playbooks/group_vars/nodepool.yaml
  34. 2
      playbooks/group_vars/ns.yaml
  35. 7
      playbooks/group_vars/pbx.yaml
  36. 2
      playbooks/group_vars/review-dev.yaml
  37. 2
      playbooks/group_vars/review.yaml
  38. 4
      playbooks/group_vars/webservers.yaml
  39. 17
      playbooks/group_vars/zookeeper.yaml
  40. 3
      playbooks/group_vars/zuul-executor.yaml
  41. 63
      playbooks/group_vars/zuul-scheduler.yaml
  42. 44
      playbooks/roles/iptables/README.rst
  43. 7
      playbooks/roles/iptables/defaults/main.yaml
  44. 11
      playbooks/roles/iptables/handlers/main.yaml
  45. 11
      playbooks/roles/iptables/tasks/RedHat.yaml
  46. 54
      playbooks/roles/iptables/tasks/main.yaml
  47. 2
      playbooks/roles/iptables/tasks/reload-debian.yaml
  48. 5
      playbooks/roles/iptables/tasks/reload-redhat.yaml
  49. 31
      playbooks/roles/iptables/templates/rules.v4.j2
  50. 30
      playbooks/roles/iptables/templates/rules.v6.j2
  51. 6
      playbooks/roles/iptables/vars/Debian.yaml
  52. 6
      playbooks/roles/iptables/vars/RedHat.yaml
  53. 6
      playbooks/roles/iptables/vars/Ubuntu.trusty.yaml
  54. 47
      testinfra/test_base.py

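--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@@ -6,68 +6,6 @@ elasticsearch_nodes:
 - elasticsearch05.openstack.org
 - elasticsearch06.openstack.org
 - elasticsearch07.openstack.org
-elasticsearch_iptables_rule_data:
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
-logstash_iptables_rule_data:
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze11.openstack.org'}
 infra_apache_serveradmin: noc@openstack.org
 statusbot_channels:
 - airshipit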

17
inventory/groups.yaml

@ -2,6 +2,7 @@ plugin: constructed
groups:
adns: inventory_hostname.startswith('adns')
afs: inventory_hostname is match('afs\d+.*openstack.org')
afs-client: inventory_hostname is match('(review-dev\d*|mirror\d*\..*|files\d*|ze\d+|afsdb.*|afs.*\..*)\.openstack\.org')
afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org')
afsdb: inventory_hostname is match('afsdb.*openstack.org')
ask: inventory_hostname.startswith('ask')
@ -11,21 +12,31 @@ groups:
eavesdrop: inventory_hostname.startswith('eavesdrop')
elasticsearch: inventory_hostname is match('elasticsearch0[1-7]\.openstack\.org')
ethercalc: inventory_hostname.startswith('ethercalc')
etherpad: inventory_hostname.startswith('etherpad')
files: inventory_hostname.startswith('files')
firehose: inventory_hostname.startswith('firehose')
futureparser: inventory_hostname is match('(review-dev\d*|groups\d*|groups-dev\d*|graphite\d*|etherpad-dev\d*|ask-staging\d*|codesearch\d*)\.openstack\.org')
gerrit: inventory_hostname is match('review.*\.openstack\.org')
git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
git-server: inventory_hostname is match('git\d+\.openstack\.org')
grafana: inventory_hostname.startswith('grafana')
groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
graphite: inventory_hostname.startswith('graphite')
groups: inventory_hostname is match('groups(-dev)?\d*\.openstack\.org')
health: inventory_hostname.startswith('health')
kdc: inventory_hostname.startswith('kdc')
logstash: inventory_hostname is match('logstash\d*\.openstack\.org')
logstash-worker: inventory_hostname.startswith('logstash-worker')
mailman: inventory_hostname.startswith('lists')
nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
ns: inventory_hostname.startswith('ns')
paste: inventory_hostname.startswith('paste')
pbx: inventory_hostname.startswith('pbx')
puppet: not inventory_hostname.startswith('bridge')
refstack: inventory_hostname.startswith('refstack')
review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
review: inventory_hostname is match('review\d+\.openstack\.org')
static: inventory_hostname.startswith('static')
status: inventory_hostname.startswith('status')
storyboard: inventory_hostname.startswith('storyboard')
storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
@ -33,8 +44,10 @@ groups:
survey: inventory_hostname.startswith('survey')
translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')
translate: inventory_hostname is match('translate\d+\.openstack\.org')
webservers: inventory_hostname is match('(grafana\d*|health\d*|graphite\d*|groups\d*|groups-dev\d*|eavesdrop\d*|paste\d*|ethercalc\d+|etherpad\d*|etherpad-dev\d*|files\d*|refstack\d*|static\d*|status\d*|survey\d+|nodepool|nl\d+|nb\d+|zm\d+|ask|ask-staging|translate.*|codesearch\d*|cacti\d+|wiki.*|storyboard.*|openstackid-dev|planet)\.openstack\.org|openstackid.org')
wiki-dev: inventory_hostname is match('wiki-dev\d+\.openstack\.org')
wiki: inventory_hostname is match('wiki\d+\.openstack\.org')
zookeeper: inventory_hostname.startswith('zk')
zuul-executor: inventory_hostname.startswith('ze')
zuul-merger: inventory_hostname is match('z[lm](static)?\d+\.openstack\.org')
zuul-scheduler: inventory_hostname.startswith('zuul')
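Review bot: The group matchers in the second hunk mix anchored host patterns with bare prefixes, and a prefix such as `kdc: inventory_hostname.startswith('kdc')` admits any inventory host whose name begins with those letters, whatever its domain, where the neighbouring entries (`logstash`, `mirror`, `review`) are pinned to `\.openstack\.org`. The diffstat adds `playbooks/group_vars/<group>.yaml` files carrying iptables data, so group membership presumably now decides which firewall allowances a host receives, and a matcher looser than the hosts it is meant for widens that rule set without any change to the role itself. Anchoring the new entries in the same form as their neighbours, e.g. `kdc: inventory_hostname is match('kdc\d+\.openstack\.org')`, keeps membership tied to the exact host pattern. Which of the `startswith` entries are new and which are context cannot be recovered from the rendered hunk, so this applies to whichever of them this commit introduces.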

274
manifests/site.pp

@ -20,13 +20,7 @@ node default {
#
# Node-OS: xenial
node 'review.openstack.org' {
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
}
class { 'openstack_project::server': }
class { 'openstack_project::review':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -66,13 +60,7 @@ node 'review.openstack.org' {
node 'review01.openstack.org' {
$group = "review"
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
}
class { 'openstack_project::server': }
class { 'openstack_project::review':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -112,12 +100,7 @@ node 'review01.openstack.org' {
node /^review-dev\d*\.openstack\.org$/ {
$group = "review-dev"
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
afs => true,
}
@ -148,9 +131,7 @@ node /^review-dev\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^grafana\d*\.openstack\.org$/ {
$group = "grafana"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::grafana':
admin_password => hiera('grafana_admin_password'),
admin_user => hiera('grafana_admin_user', 'username'),
@ -166,9 +147,7 @@ node /^grafana\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^health\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::openstack_health_api':
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
}
@ -187,7 +166,6 @@ node /^cacti\d+\.openstack\.org$/ {
# Node-OS: trusty
node 'puppetmaster.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [8140],
pin_puppet => '3.6.',
}
class { 'openstack_project::puppetmaster':
@ -206,40 +184,7 @@ node 'puppetmaster.openstack.org' {
# Node-OS: trusty
# Node-OS: xenial
node /^graphite\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
iptables_allowed_hosts => [
{protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'mirror-update01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::graphite':
graphite_admin_user => hiera('graphite_admin_user', 'username'),
@ -251,9 +196,7 @@ node /^graphite\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^groups\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::groups':
site_admin_password => hiera('groups_site_admin_password'),
site_mysql_host => hiera('groups_site_mysql_host', 'localhost'),
@ -268,9 +211,7 @@ node /^groups\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^groups-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::groups_dev':
site_admin_password => hiera('groups_dev_site_admin_password'),
site_mysql_host => hiera('groups_dev_site_mysql_host', 'localhost'),
@ -286,9 +227,7 @@ node /^groups-dev\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^lists\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
}
class { 'openstack_project::server': }
class { 'openstack_project::lists':
listpassword => hiera('listpassword'),
@ -297,9 +236,7 @@ node /^lists\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^lists\d*\.katacontainers\.io$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
}
class { 'openstack_project::server': }
class { 'openstack_project::kata_lists':
listpassword => hiera('listpassword'),
@ -310,9 +247,7 @@ node /^lists\d*\.katacontainers\.io$/ {
node /^paste\d*\.openstack\.org$/ {
$group = "paste"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::paste':
db_password => hiera('paste_db_password'),
db_host => hiera('paste_db_host'),
@ -329,9 +264,7 @@ node /planet\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^eavesdrop\d*\.openstack\.org$/ {
$group = "eavesdrop"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::eavesdrop':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -368,9 +301,7 @@ node /^eavesdrop\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^ethercalc\d+\.openstack\.org$/ {
$group = "ethercalc"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ethercalc':
vhost_name => 'ethercalc.openstack.org',
@ -383,9 +314,7 @@ node /^ethercalc\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^etherpad\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::etherpad':
ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
@ -400,9 +329,7 @@ node /^etherpad\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^etherpad-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::etherpad_dev':
mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
@ -454,10 +381,7 @@ node /^wiki-dev\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^logstash\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
}
class { 'openstack_project::server': }
class { 'openstack_project::logstash':
discover_nodes => [
@ -477,9 +401,7 @@ node /^logstash\d*\.openstack\.org$/ {
node /^logstash-worker\d+\.openstack\.org$/ {
$group = 'logstash-worker'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
}
class { 'openstack_project::server': }
class { 'openstack_project::logstash_worker':
discover_node => 'elasticsearch03.openstack.org',
@ -492,9 +414,7 @@ node /^logstash-worker\d+\.openstack\.org$/ {
# Node-OS: xenial
node /^subunit-worker\d+\.openstack\.org$/ {
$group = "subunit-worker"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
}
class { 'openstack_project::server': }
class { 'openstack_project::subunit_worker':
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
@ -506,10 +426,7 @@ node /^subunit-worker\d+\.openstack\.org$/ {
# Node-OS: xenial
node /^elasticsearch0[1-7]\.openstack\.org$/ {
$group = "elasticsearch"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
}
class { 'openstack_project::server': }
class { 'openstack_project::elasticsearch_node':
discover_nodes => $elasticsearch_nodes,
}
@ -517,12 +434,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
# Node-OS: xenial
node /^firehose\d+\.openstack\.org$/ {
class { 'openstack_project::server':
# NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
# connections seem to crash mosquitto. Once this is fixed we should add
# them back
iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::firehose':
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
@ -572,9 +484,7 @@ node /^git(-fe\d+)?\.openstack\.org$/ {
node /^git\d+\.openstack\.org$/ {
$group = "git-server"
include openstack_project
class { 'openstack_project::server':
iptables_public_tcp_ports => [4443, 8080, 29418],
}
class { 'openstack_project::server': }
class { 'openstack_project::git_backend':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -621,7 +531,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
$group = "mirror"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
afs => true,
afs_cache_size => 50000000, # 50GB
}
@ -637,7 +546,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
node /^files\d*\.openstack\.org$/ {
$group = "files"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
afs => true,
afs_cache_size => 10000000, # 10GB
}
@ -666,9 +574,7 @@ node /^files\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^refstack\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'refstack':
mysql_host => hiera('refstack_mysql_host', 'localhost'),
mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
@ -750,9 +656,7 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^static\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::static':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
@ -769,27 +673,7 @@ node /^static\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^zk\d+\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_allowed_hosts => [
# Zookeeper clients
{protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
# Zookeeper election
{protocol => 'tcp', port => '2888', hostname => 'zk01.openstack.org'},
{protocol => 'tcp', port => '2888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '2888', hostname => 'zk03.openstack.org'},
# Zookeeper leader
{protocol => 'tcp', port => '3888', hostname => 'zk01.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::zookeeper':
# ID needs to be numeric, so we use regex to extra numbers from fqdn.
@ -810,9 +694,7 @@ node /^zk\d+\.openstack\.org$/ {
node /^status\d*\.openstack\.org$/ {
$group = 'status'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::status':
gerrit_host => 'review.openstack.org',
@ -829,9 +711,7 @@ node /^status\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^survey\d+\.openstack\.org$/ {
$group = "survey"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::survey':
vhost_name => 'survey.openstack.org',
@ -853,12 +733,7 @@ node /^survey\d+\.openstack\.org$/ {
node /^adns\d+\.openstack\.org$/ {
$group = 'adns'
class { 'openstack_project::server':
iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
{protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
],
}
class { 'openstack_project::server': }
class { 'openstack_project::master_nameserver':
tsig_key => hiera('tsig_key', {}),
@ -872,10 +747,7 @@ node /^adns\d+\.openstack\.org$/ {
node /^ns\d+\.openstack\.org$/ {
$group = 'ns'
class { 'openstack_project::server':
iptables_public_udp_ports => [53],
iptables_public_tcp_ports => [53],
}
class { 'openstack_project::server': }
$tsig_key = hiera('tsig_key', {})
if $tsig_key != {} {
@ -905,19 +777,7 @@ node /^ns\d+\.openstack\.org$/ {
node 'nodepool.openstack.org' {
$group = 'nodepool'
class { 'openstack_project::server':
iptables_allowed_hosts => [
{protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
],
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { '::zookeeper':
# The frequency in hours to look for and purge old snapshots,
@ -968,9 +828,7 @@ node /^nl\d+\.openstack\.org$/ {
$packethost_project = hiera('nodepool_packethost_project', 'project')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
include openstack_project
@ -1030,9 +888,7 @@ node /^nb\d+\.openstack\.org$/ {
$packethost_project = hiera('nodepool_packethost_project', 'project')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
include openstack_project
@ -1085,7 +941,6 @@ node /^ze\d+\.openstack\.org$/ {
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 7900],
afs => true,
}
@ -1177,30 +1032,7 @@ node /^zuul\d+\.openstack\.org$/ {
$git_name = 'OpenStack Zuul'
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 80, 443],
iptables_allowed_hosts => [
{protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze11.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::project_config':
url => 'https://git.openstack.org/openstack-infra/project-config',
@ -1288,9 +1120,7 @@ node /^zm\d+.openstack\.org$/ {
$git_name = 'OpenStack Zuul'
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
@ -1323,12 +1153,7 @@ node /^zm\d+.openstack\.org$/ {
# Node-OS: trusty
node 'pbx.openstack.org' {
class { 'openstack_project::server':
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports => [5060],
iptables_public_udp_ports => ['5060', '10000:20000'],
}
class { 'openstack_project::server': }
class { 'openstack_project::pbx':
sip_providers => [
{
@ -1346,9 +1171,7 @@ node 'pbx.openstack.org' {
# A backup machine. Don't run cron or puppet agent on it.
node /^backup\d+\..*\.ci\.openstack\.org$/ {
$group = "ci-backup"
class { 'openstack_project::server':
iptables_public_tcp_ports => [],
}
class { 'openstack_project::server': }
include openstack_project::backup_server
}
@ -1417,20 +1240,14 @@ node 'single-node-ci.test.only' {
# Node-OS: trusty
node 'kdc01.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
}
class { 'openstack_project::server': }
class { 'openstack_project::kdc': }
}
# Node-OS: xenial
node 'kdc04.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
}
class { 'openstack_project::server': }
class { 'openstack_project::kdc':
slave => true,
@ -1442,7 +1259,6 @@ node 'afsdb01.openstack.org' {
$group = "afsdb"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1455,7 +1271,6 @@ node /^afsdb.*\.openstack\.org$/ {
$group = "afsdb"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1467,7 +1282,6 @@ node /^afs.*\..*\.openstack\.org$/ {
$group = "afs"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1477,9 +1291,7 @@ node /^afs.*\..*\.openstack\.org$/ {
# Node-OS: trusty
node 'ask.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ask':
db_user => hiera('ask_db_user', 'ask'),
@ -1493,9 +1305,7 @@ node 'ask.openstack.org' {
# Node-OS: trusty
node 'ask-staging.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ask_staging':
db_password => hiera('ask_staging_db_password'),
@ -1507,9 +1317,7 @@ node 'ask-staging.openstack.org' {
# Node-OS: xenial
node /^translate\d+\.openstack\.org$/ {
$group = "translate"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::translate':
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
openid_url => 'https://openstackid.org',
@ -1555,9 +1363,7 @@ node /^translate-dev\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^codesearch\d*\.openstack\.org$/ {
$group = "codesearch"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::codesearch':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
}

4
modules/openstack_project/manifests/cacti.pp

@ -8,9 +8,7 @@ class openstack_project::cacti (
fail("${::osfamily} is not supported.")
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { '::apache':
default_vhost => false,

4
modules/openstack_project/manifests/git.pp

@ -20,9 +20,7 @@ class openstack_project::git (
$balancer_member_ips = [],
$selinux_mode = 'enforcing'
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 9418],
}
class { 'openstack_project::server': }
if ($::osfamily == 'RedHat') {
class { 'selinux':

4
modules/openstack_project/manifests/openstackid_dev.pp

@ -61,9 +61,7 @@ class openstack_project::openstackid_dev (
$session_cookie_secure = false,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstackid':
site_admin_password => $site_admin_password,

4
modules/openstack_project/manifests/openstackid_prod.pp

@ -62,9 +62,7 @@ class openstack_project::openstackid_prod (
$session_cookie_secure = false,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstackid':
site_admin_password => $site_admin_password,

4
modules/openstack_project/manifests/planet.pp

@ -2,9 +2,7 @@
#
class openstack_project::planet (
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
include ::planet
planet::site { 'openstack':

25
modules/openstack_project/manifests/server.pp

@ -2,11 +2,6 @@
#
# A server that we expect to run for some time
class openstack_project::server (
$iptables_public_tcp_ports = [],
$iptables_public_udp_ports = [],
$iptables_rules4 = [],
$iptables_rules6 = [],
$iptables_allowed_hosts = [],
$pin_puppet = '3.',
$ca_server = undef,
$enable_unbound = true,
@ -49,10 +44,6 @@ class openstack_project::server (
'kdc04.openstack.org',
],
}
$all_udp = concat(
$iptables_public_udp_ports, [7001])
} else {
$all_udp = $iptables_public_udp_ports
}
class { 'openstack_project::automatic_upgrades':
@ -61,20 +52,4 @@ class openstack_project::server (
include snmpd
$snmp_v4hosts = [
'172.99.116.215', # cacti02.openstack.org
]
$snmp_v6hosts = [
'2001:4800:7821:105:be76:4eff:fe04:b9a5', # cacti02.opentsack.org
]
class { 'iptables':
public_tcp_ports => $iptables_public_tcp_ports,
public_udp_ports => $all_udp,
rules4 => $iptables_rules4,
rules6 => $iptables_rules6,
snmp_v4hosts => $snmp_v4hosts,
snmp_v6hosts => $snmp_v6hosts,
allowed_hosts => $iptables_allowed_hosts,
}
}
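Review bot: Hosts that only mount AFS (the ones passing `afs => true` to this class, as opposed to the afs/afsdb server groups) appear to lose UDP 7001: the removed `concat($iptables_public_udp_ports, [7001])` added it for every such host, while on the Ansible side of this change 7001 only appears in group_vars/afs.yaml and afsdb.yaml. The condition of that branch starts above the hunk, so this is inferred from its tail; if no afs-client group var outside this chunk covers it, add `iptables_public_udp_ports: [7001]` to the group holding AFS client hosts so cache-manager callbacks keep flowing. More generally, this class no longer guarantees a default-deny firewall on every server, so each host's policy now depends on it being in the play that applies the iptables role.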

4
modules/openstack_project/manifests/storyboard.pp

@ -26,9 +26,7 @@ class openstack_project::storyboard(
url => $project_config_repo,
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
mysql_backup::backup_remote { 'storyboard':

8
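--- a/modules/openstack_project/manifests/summit.pp
+++ b/modules/openstack_project/manifests/summit.pp
@@ -1,8 +0,0 @@
-class openstack_project::summit (
-) {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80],
-  }
-}
-# vim:sw=2:ts=2:expandtab:textwidth=79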

4
modules/openstack_project/manifests/translate_dev.pp

@ -35,9 +35,7 @@ class openstack_project::translate_dev(
$from_address,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'project_config':
url => $project_config_repo,

4
modules/openstack_project/manifests/wiki.pp

@ -23,9 +23,7 @@ class openstack_project::wiki (
ensure => present;
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'mediawiki':
role => 'all',

10
modules/openstack_project/spec/acceptance/basic_spec.rb

@ -79,14 +79,4 @@ describe 'openstack_project::server' do
end
end
describe command('iptables -S') do
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
end
end
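Review bot: The removed assertions were the only visible check that a host ends up with a default-deny chain (`-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited`), an SSH ACCEPT on port 22, and the connlimit guard on 29418, and this change adds no equivalent for the Ansible role (the role lives in the Depends-On change, not here). Without it, a regression that leaves a host with an empty or accept-all chain goes unnoticed. Add a testinfra check to the role's job that runs `iptables -S` and `ip6tables -S` and asserts the port-22 ACCEPT and the trailing REJECT, and for a gerrit-like fixture that the connlimit rule precedes the 29418 ACCEPT.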

4
modules/openstack_project/spec/acceptance/fixtures/default.pp

@ -1,12 +1,8 @@
$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
$manage_afs = $::operatingsystem ? {
'CentOS' => false,
default => true
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
afs => $manage_afs,
}

1
playbooks/base.yaml

@ -16,3 +16,4 @@
- hosts: "!ci-backup:!disabled"
roles:
- exim
- iptables
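Review bot: Adding `iptables` to the play scoped to `!ci-backup:!disabled` leaves the backup servers out of firewall management, while the Puppet side of this change stops managing their firewall as well (the backup node drops its SSH-only `iptables_public_tcp_ports => []` and `openstack_project::server` no longer declares the iptables class). Whether Puppet actually ran on those hosts is not visible here, but backup hosts hold copies of every other service's data and are the last place to lose a default-deny policy. Unless a play outside this chunk covers them, add a dedicated play such as `- hosts: ci-backup` with `roles: [iptables]`, or move `iptables` to a play without the exclusion.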

0
playbooks/filter_plugins/__init__.py

41
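--- a/playbooks/filter_plugins/getaddrinfo.py
+++ b/playbooks/filter_plugins/getaddrinfo.py
@@ -0,0 +1,41 @@
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import socket
+class FilterModule(object):
+    def dns(self, value, family):
+        ret = set()
+        try:
+            addr_info = socket.getaddrinfo(value, None, family)
+        except socket.gaierror:
+            return ret
+        for addr in addr_info:
+            ret.add(addr[4][0])
+        return sorted(ret)
+    def dns_a(self, value):
+        return self.dns(value, socket.AF_INET)
+    def dns_aaaa(self, value):
+        return self.dns(value, socket.AF_INET6)
+    def filters(self):
+        return {
+            'dns_a': self.dns_a,
+            'dns_aaaa': self.dns_aaaa,
+        }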
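Review bot: `dns` returns a `set` on resolution failure but a sorted `list` on success, and the failure is silent; since these filters feed the `iptables_allowed_hosts` entries, a typo in a hostname or a DNS hiccup at playbook time quietly drops an allow rule instead of failing the run. Return one type on both paths and make the failure visible, e.g. `except socket.gaierror as e:` / `raise AnsibleFilterError('cannot resolve %s: %s' % (value, e))` (imported from `ansible.errors`), or at minimum `return []`. A docstring on `dns` should also state where the trust sits, since it is not obvious from the call site: `"""Resolve value on the Ansible control host at play time; firewall rules built from this reflect that host's resolver and stay as-is until the next run."""`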

1
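--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]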

1
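--- a/playbooks/group_vars/afsdb.yaml
+++ b/playbooks/group_vars/afsdb.yaml
@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]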

12
playbooks/group_vars/all.yaml

@ -12,6 +12,11 @@ exim_base_aliases:
root: "{{ exim_sysadmins }}"
exim_aliases: "{{ exim_base_aliases|combine(exim_extra_aliases) }}"
iptables_base_allowed_hosts:
- {'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'}
iptables_extra_allowed_hosts: []
iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
# When adding new users, always pick a UID larger than the last UID, do not
# fill in holes in the middle of the range.
all_users:
@ -161,3 +166,10 @@ disabled_users:
- elizabeth
- nibz
- slukjanov
iptables_snmp_v4_hosts:
# cacti02.openstack.org
- 172.99.116.215
iptables_snmp_v6_hosts:
# cacti02.openstack.org
- 2001:4800:7821:105:be76:4eff:fe04:b9a5
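Review bot: SNMP 161/udp from cacti is declared twice under different identities: by hostname `cacti.openstack.org` in `iptables_base_allowed_hosts`, and by the literal cacti02 addresses in `iptables_snmp_v4_hosts`/`iptables_snmp_v6_hosts`. If the role honours both (it is not visible here), one rule follows whatever DNS returns at run time and the other does not, and they will diverge the day cacti moves. Keep one mechanism — the hostname entry is sufficient once `iptables_allowed_hosts` is wired into the role — or say why both exist: `# snmp_*_hosts: legacy literal-address rules, drop once the allowed_hosts rule is verified everywhere`.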

2
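--- a/playbooks/group_vars/eavesdrop.yaml
+++ b/playbooks/group_vars/eavesdrop.yaml
@@ -0,0 +1,2 @@
+iptables_public_tcp_ports:
+  - 80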

82
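--- a/playbooks/group_vars/elasticsearch.yaml
+++ b/playbooks/group_vars/elasticsearch.yaml
@@ -0,0 +1,82 @@
+iptables_rule_data:
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker20.openstack.org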
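Review bot: The per-host allow entries here are keyed `iptables_rule_data`, whereas every other host-scoped rule in this change goes through `iptables_extra_allowed_hosts` (all.yaml, graphite.yaml, nodepool.yaml) with the same protocol/port/hostname shape. If the role does not read `iptables_rule_data` (the role is in the Depends-On change, not visible here), none of the 9200:9400 cluster rules are created and the cluster is either cut off or someone "fixes" it by making 9200 public; rename the key to `iptables_extra_allowed_hosts` unless the role defines it. Quoting the range as `port: '9200:9400'`, as logstash.yaml does for `'4730'`, also guards against YAML 1.1 reading a colon-separated digit string as a sexagesimal integer.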

6
playbooks/group_vars/firehose.yaml

@ -17,3 +17,9 @@ exim_transports:
socket = /var/run/cyrus/socket/lmtp
user = cyrus
batch_max = 35
iptables_public_tcp_ports:
- 25
- 80
- 443
- 1883
- 8883

8
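--- a/playbooks/group_vars/gerrit.yaml
+++ b/playbooks/group_vars/gerrit.yaml
@@ -0,0 +1,8 @@
+exim_extra_aliases:
+  gerrit2: root
+iptables_rules:
+  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 29418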
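Review bot: The connlimit REJECT for 29418 is given as a single `iptables_rules` list, while the Puppet fixture it replaces applied the same rule to both `iptables_rules4` and `iptables_rules6`; whether the role also installs it into ip6tables is not visible here, and if it does not, the IPv6 side loses the per-source limit. The rule is also only effective if it is emitted before the public-port ACCEPT for 29418 — an ACCEPT that matches first makes it dead code. Confirm both in the role and record the intent next to the rule: `# must precede the 29418 ACCEPT; expected in both iptables and ip6tables`.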

4
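--- a/playbooks/group_vars/git-loadbalancer.yaml
+++ b/playbooks/group_vars/git-loadbalancer.yaml
@@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 9418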

4
playbooks/group_vars/git-server.yaml

@ -1 +1,5 @@
ansible_python_interpreter: python2
iptables_public_tcp_ports:
- 4443
- 8080
- 29418
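Review bot: 4443, 8080 and 29418 on the git backends are opened to every address, although the git-loadbalancer group in this same change exposes 80/443/9418 and presumably proxies to these backend ports. If nothing but the load balancer needs to reach the backends directly, scope them with `iptables_extra_allowed_hosts` entries for the load balancer host instead of the public list; if direct access is intentional, a one-line comment saying so stops the next reviewer asking.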

88
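--- a/playbooks/group_vars/graphite.yaml
+++ b/playbooks/group_vars/graphite.yaml
@@ -0,0 +1,88 @@
+iptables_extra_allowed_hosts:
+  - hostname: git.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: firehose01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: mirror-update01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: logstash.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nodepool.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zuul01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze09.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze10.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze11.openstack.org
+    port: 8125
+    protocol: udp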
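Review bot: The 29 statsd sources for 8125/udp are enumerated by hand; a new zm/ze/nl host will be missed, and a retired one keeps its allow entry, which in a cloud means whoever is next assigned that address can reach statsd. If the inventory has groups for these roles (groups.yaml changes in this commit but is not in view), build the list from them, e.g. `"{{ groups['zuul-executor'] + groups['zuul-merger'] }}"` mapped onto the protocol/port/hostname shape; otherwise add `# hand-maintained: keep in sync with inventory and remove retired hosts promptly` at the top.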

9
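--- a/playbooks/group_vars/kdc.yaml
+++ b/playbooks/group_vars/kdc.yaml
@@ -0,0 +1,9 @@
+iptables_public_tcp_ports:
+  - 88
+  - 464
+  - 749
+  - 754
+iptables_public_udp_ports:
+  - 88
+  - 464
+  - 749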
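Review bot: 749 (kadmin) and 754/tcp (kprop) sit in the public port lists, so the admin and propagation services are reachable from any address; kprop in particular is only spoken between the two KDCs (kdc04 is declared the slave of kdc01 in site.pp). This mirrors what Puppet did, so it is a tightening opportunity rather than a regression, but the new role makes it cheap: drop 754 from `iptables_public_tcp_ports` and allow it from the peer only, e.g. `iptables_extra_allowed_hosts: [{protocol: tcp, port: 754, hostname: kdc01.openstack.org}]` on the slave. 88 and 464 must stay public for clients.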

103
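--- a/playbooks/group_vars/logstash.yaml
+++ b/playbooks/group_vars/logstash.yaml
@@ -0,0 +1,103 @@
+iptables_public_tcp_ports:
+  - 80
+  - 3306
+iptables_rule_data:
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker20.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze11.openstack.org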
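Review bot: `3306` in `iptables_public_tcp_ports` opens MySQL to every address on the internet, with nothing but the database's own authentication in front of it. If its only clients are the subunit workers or other hosts already listed below, give it a per-host `port: '3306'` entry next to the 4730 ones instead of the public list; if it genuinely must be public, a comment saying why belongs beside it. The gearman entries also share the `iptables_rule_data` key question raised on elasticsearch.yaml: they only take effect if the role reads that variable rather than `iptables_extra_allowed_hosts`.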

4
playbooks/group_vars/mailman.yaml

@ -2,3 +2,7 @@ exim_queue_interval: '1m'
exim_queue_run_max: '50'
exim_smtp_accept_max: '100'
exim_smtp_accept_max_per_host: '10'
iptables_public_tcp_ports:
- 25
- 80
- 465

5
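--- a/playbooks/group_vars/mirror.yaml
+++ b/playbooks/group_vars/mirror.yaml
@@ -0,0 +1,5 @@
+iptables_public_tcp_ports:
+  - 80
+  - 8080
+  - 8081
+  - 8082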

26
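--- a/playbooks/group_vars/nodepool.yaml
+++ b/playbooks/group_vars/nodepool.yaml
@@ -0,0 +1,26 @@
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 2181
+    hostname: nb01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl04.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: zuul01.openstack.org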

2
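--- a/playbooks/group_vars/ns.yaml
+++ b/playbooks/group_vars/ns.yaml
@@ -0,0 +1,2 @@
+iptables_public_ports:
+  - 53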
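Review bot: `iptables_public_ports` does not match the `iptables_public_tcp_ports`/`iptables_public_udp_ports` keys used by every other group var in this change, so unless the role defines that name (it is not visible here) the nameservers get no rule for 53 and DNS is firewalled off once the role runs. DNS needs both transports, so the fix is two lines: `iptables_public_tcp_ports: [53]` and `iptables_public_udp_ports: [53]`.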