Add iptables role

Co-Authored-By: James E. Blair <corvus@inaugust.com>
Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c
Depends-On: https://review.openstack.org/596503
Monty Taylor 2018-08-20 18:31:33 -05:00 committed by James E. Blair
parent dde24421d0
commit 15663daaf7
54 changed files with 816 additions and 373 deletions


@ -6,68 +6,6 @@ elasticsearch_nodes:
- elasticsearch05.openstack.org
- elasticsearch06.openstack.org
- elasticsearch07.openstack.org
elasticsearch_iptables_rule_data:
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
logstash_iptables_rule_data:
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze11.openstack.org'}
infra_apache_serveradmin: noc@openstack.org
statusbot_channels:
- airshipit
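Review bot: The allow-lists deleted here (9200:9400/tcp from the elasticsearch and logstash hosts, 4730/tcp from the workers and ze01–ze11) were the only per-source restriction these listeners had in the puppet configuration, and nothing in this chunk shows where the Ansible iptables role picks them up; please confirm the dependent change defines equivalent group vars for the `elasticsearch` and `logstash` groups with the same hosts before the puppet side stops applying them. A narrower list will silently break cluster discovery and gearman job submission, while a missing or wider one leaves Elasticsearch HTTP/transport and gearman reachable from anywhere — as far as this config shows there is no other access control on either. Since the new inventory derives groups from hostname patterns, it would be worth deriving these lists from `groups['logstash-worker']` / `groups['zuul-executor']` rather than retyping twenty hostnames, which is how the old data drifted.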


@ -2,6 +2,7 @@ plugin: constructed
groups:
adns: inventory_hostname.startswith('adns')
afs: inventory_hostname is match('afs\d+.*openstack.org')
afs-client: inventory_hostname is match('(review-dev\d*|mirror\d*\..*|files\d*|ze\d+|afsdb.*|afs.*\..*)\.openstack\.org')
afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org')
afsdb: inventory_hostname is match('afsdb.*openstack.org')
ask: inventory_hostname.startswith('ask')
@ -11,21 +12,31 @@ groups:
eavesdrop: inventory_hostname.startswith('eavesdrop')
elasticsearch: inventory_hostname is match('elasticsearch0[1-7]\.openstack\.org')
ethercalc: inventory_hostname.startswith('ethercalc')
etherpad: inventory_hostname.startswith('etherpad')
files: inventory_hostname.startswith('files')
firehose: inventory_hostname.startswith('firehose')
futureparser: inventory_hostname is match('(review-dev\d*|groups\d*|groups-dev\d*|graphite\d*|etherpad-dev\d*|ask-staging\d*|codesearch\d*)\.openstack\.org')
gerrit: inventory_hostname is match('review.*\.openstack\.org')
git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
git-server: inventory_hostname is match('git\d+\.openstack\.org')
grafana: inventory_hostname.startswith('grafana')
groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
graphite: inventory_hostname.startswith('graphite')
groups: inventory_hostname is match('groups(-dev)?\d*\.openstack\.org')
health: inventory_hostname.startswith('health')
kdc: inventory_hostname.startswith('kdc')
logstash: inventory_hostname is match('logstash\d*\.openstack\.org')
logstash-worker: inventory_hostname.startswith('logstash-worker')
mailman: inventory_hostname.startswith('lists')
nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
nodepool: inventory_hostname is match('(nodepool|nb|nl)')
ns: inventory_hostname.startswith('ns')
paste: inventory_hostname.startswith('paste')
pbx: inventory_hostname.startswith('pbx')
puppet: not inventory_hostname.startswith('bridge')
refstack: inventory_hostname.startswith('refstack')
review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
review: inventory_hostname is match('review\d+\.openstack\.org')
static: inventory_hostname.startswith('static')
status: inventory_hostname.startswith('status')
storyboard: inventory_hostname.startswith('storyboard')
storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
@ -33,8 +44,10 @@ groups:
survey: inventory_hostname.startswith('survey')
translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')
translate: inventory_hostname is match('translate\d+\.openstack\.org')
webservers: inventory_hostname is match('(grafana\d*|health\d*|graphite\d*|groups\d*|groups-dev\d*|eavesdrop\d*|paste\d*|ethercalc\d+|etherpad\d*|etherpad-dev\d*|files\d*|refstack\d*|static\d*|status\d*|survey\d+|nodepool|nl\d+|nb\d+|zm\d+|ask|ask-staging|translate.*|codesearch\d*|cacti\d+|wiki.*|storyboard.*|openstackid-dev|planet)\.openstack\.org|openstackid.org')
wiki-dev: inventory_hostname is match('wiki-dev\d+\.openstack\.org')
wiki: inventory_hostname is match('wiki\d+\.openstack\.org')
zookeeper: inventory_hostname.startswith('zk')
zuul-executor: inventory_hostname.startswith('ze')
zuul-merger: inventory_hostname is match('z[lm](static)?\d+\.openstack\.org')
zuul-scheduler: inventory_hostname.startswith('zuul')
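Review bot: The new `review` group pattern `review\d+\.openstack\.org` does not match `review.openstack.org`, which site.pp in this same commit still defines as a node with its own Gerrit port and connlimit rules; if the firewall vars for 29418 are attached through this group (not visible here), that host ends up with only the defaults, so consider `review: inventory_hostname is match('review\d*\.openstack\.org')` (the `gerrit` group above already uses `review.*`). More generally, `is match` anchors only at the start and several of the added groups are bare prefixes (`startswith('ze')`, `startswith('ns')`, `startswith('zk')`), and now that group membership decides which iptables rules a host gets, any future host that happens to share a prefix inherits that exposure; anchoring these like the other entries (`ze\d+\.openstack\.org`) would keep the firewall mapping deliberate. The `nodepool` pattern dropping the `^` is harmless since `match` is start-anchored anyway.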


@ -20,13 +20,7 @@ node default {
#
# Node-OS: xenial
node 'review.openstack.org' {
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
}
class { 'openstack_project::server': }
class { 'openstack_project::review':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -66,13 +60,7 @@ node 'review.openstack.org' {
node 'review01.openstack.org' {
$group = "review"
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
}
class { 'openstack_project::server': }
class { 'openstack_project::review':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -112,12 +100,7 @@ node 'review01.openstack.org' {
node /^review-dev\d*\.openstack\.org$/ {
$group = "review-dev"
$iptables_rules =
['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
afs => true,
}
@ -148,9 +131,7 @@ node /^review-dev\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^grafana\d*\.openstack\.org$/ {
$group = "grafana"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::grafana':
admin_password => hiera('grafana_admin_password'),
admin_user => hiera('grafana_admin_user', 'username'),
@ -166,9 +147,7 @@ node /^grafana\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^health\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::openstack_health_api':
subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
}
@ -187,7 +166,6 @@ node /^cacti\d+\.openstack\.org$/ {
# Node-OS: trusty
node 'puppetmaster.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [8140],
pin_puppet => '3.6.',
}
class { 'openstack_project::puppetmaster':
@ -206,40 +184,7 @@ node 'puppetmaster.openstack.org' {
# Node-OS: trusty
# Node-OS: xenial
node /^graphite\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
iptables_allowed_hosts => [
{protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'mirror-update01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'nl04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
{protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::graphite':
graphite_admin_user => hiera('graphite_admin_user', 'username'),
@ -251,9 +196,7 @@ node /^graphite\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^groups\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::groups':
site_admin_password => hiera('groups_site_admin_password'),
site_mysql_host => hiera('groups_site_mysql_host', 'localhost'),
@ -268,9 +211,7 @@ node /^groups\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^groups-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::groups_dev':
site_admin_password => hiera('groups_dev_site_admin_password'),
site_mysql_host => hiera('groups_dev_site_mysql_host', 'localhost'),
@ -286,9 +227,7 @@ node /^groups-dev\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^lists\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
}
class { 'openstack_project::server': }
class { 'openstack_project::lists':
listpassword => hiera('listpassword'),
@ -297,9 +236,7 @@ node /^lists\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^lists\d*\.katacontainers\.io$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [25, 80, 465],
}
class { 'openstack_project::server': }
class { 'openstack_project::kata_lists':
listpassword => hiera('listpassword'),
@ -310,9 +247,7 @@ node /^lists\d*\.katacontainers\.io$/ {
node /^paste\d*\.openstack\.org$/ {
$group = "paste"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::paste':
db_password => hiera('paste_db_password'),
db_host => hiera('paste_db_host'),
@ -329,9 +264,7 @@ node /planet\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^eavesdrop\d*\.openstack\.org$/ {
$group = "eavesdrop"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::eavesdrop':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -368,9 +301,7 @@ node /^eavesdrop\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^ethercalc\d+\.openstack\.org$/ {
$group = "ethercalc"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ethercalc':
vhost_name => 'ethercalc.openstack.org',
@ -383,9 +314,7 @@ node /^ethercalc\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^etherpad\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::etherpad':
ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'),
@ -400,9 +329,7 @@ node /^etherpad\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^etherpad-dev\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::etherpad_dev':
mysql_host => hiera('etherpad-dev_db_host', 'localhost'),
@ -454,10 +381,7 @@ node /^wiki-dev\d+\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^logstash\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 3306],
iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'),
}
class { 'openstack_project::server': }
class { 'openstack_project::logstash':
discover_nodes => [
@ -477,9 +401,7 @@ node /^logstash\d*\.openstack\.org$/ {
node /^logstash-worker\d+\.openstack\.org$/ {
$group = 'logstash-worker'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
}
class { 'openstack_project::server': }
class { 'openstack_project::logstash_worker':
discover_node => 'elasticsearch03.openstack.org',
@ -492,9 +414,7 @@ node /^logstash-worker\d+\.openstack\.org$/ {
# Node-OS: xenial
node /^subunit-worker\d+\.openstack\.org$/ {
$group = "subunit-worker"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
}
class { 'openstack_project::server': }
class { 'openstack_project::subunit_worker':
subunit2sql_db_host => hiera('subunit2sql_db_host', ''),
subunit2sql_db_pass => hiera('subunit2sql_db_password', ''),
@ -506,10 +426,7 @@ node /^subunit-worker\d+\.openstack\.org$/ {
# Node-OS: xenial
node /^elasticsearch0[1-7]\.openstack\.org$/ {
$group = "elasticsearch"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22],
iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'),
}
class { 'openstack_project::server': }
class { 'openstack_project::elasticsearch_node':
discover_nodes => $elasticsearch_nodes,
}
@ -517,12 +434,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
# Node-OS: xenial
node /^firehose\d+\.openstack\.org$/ {
class { 'openstack_project::server':
# NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
# connections seem to crash mosquitto. Once this is fixed we should add
# them back
iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::firehose':
gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
@ -572,9 +484,7 @@ node /^git(-fe\d+)?\.openstack\.org$/ {
node /^git\d+\.openstack\.org$/ {
$group = "git-server"
include openstack_project
class { 'openstack_project::server':
iptables_public_tcp_ports => [4443, 8080, 29418],
}
class { 'openstack_project::server': }
class { 'openstack_project::git_backend':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@ -621,7 +531,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
$group = "mirror"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
afs => true,
afs_cache_size => 50000000, # 50GB
}
@ -637,7 +546,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
node /^files\d*\.openstack\.org$/ {
$group = "files"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
afs => true,
afs_cache_size => 10000000, # 10GB
}
@ -666,9 +574,7 @@ node /^files\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^refstack\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'refstack':
mysql_host => hiera('refstack_mysql_host', 'localhost'),
mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
@ -750,9 +656,7 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
# Node-OS: trusty
# Node-OS: xenial
node /^static\d*\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::static':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
@ -769,27 +673,7 @@ node /^static\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^zk\d+\.openstack\.org$/ {
class { 'openstack_project::server':
iptables_allowed_hosts => [
# Zookeeper clients
{protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
# Zookeeper election
{protocol => 'tcp', port => '2888', hostname => 'zk01.openstack.org'},
{protocol => 'tcp', port => '2888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '2888', hostname => 'zk03.openstack.org'},
# Zookeeper leader
{protocol => 'tcp', port => '3888', hostname => 'zk01.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
{protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::zookeeper':
# ID needs to be numeric, so we use regex to extra numbers from fqdn.
@ -810,9 +694,7 @@ node /^zk\d+\.openstack\.org$/ {
node /^status\d*\.openstack\.org$/ {
$group = 'status'
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::status':
gerrit_host => 'review.openstack.org',
@ -829,9 +711,7 @@ node /^status\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^survey\d+\.openstack\.org$/ {
$group = "survey"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::survey':
vhost_name => 'survey.openstack.org',
@ -853,12 +733,7 @@ node /^survey\d+\.openstack\.org$/ {
node /^adns\d+\.openstack\.org$/ {
$group = 'adns'
class { 'openstack_project::server':
iptables_allowed_hosts => [
{protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
{protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
],
}
class { 'openstack_project::server': }
class { 'openstack_project::master_nameserver':
tsig_key => hiera('tsig_key', {}),
@ -872,10 +747,7 @@ node /^adns\d+\.openstack\.org$/ {
node /^ns\d+\.openstack\.org$/ {
$group = 'ns'
class { 'openstack_project::server':
iptables_public_udp_ports => [53],
iptables_public_tcp_ports => [53],
}
class { 'openstack_project::server': }
$tsig_key = hiera('tsig_key', {})
if $tsig_key != {} {
@ -905,19 +777,7 @@ node /^ns\d+\.openstack\.org$/ {
node 'nodepool.openstack.org' {
$group = 'nodepool'
class { 'openstack_project::server':
iptables_allowed_hosts => [
{protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
{protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
],
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { '::zookeeper':
# The frequency in hours to look for and purge old snapshots,
@ -968,9 +828,7 @@ node /^nl\d+\.openstack\.org$/ {
$packethost_project = hiera('nodepool_packethost_project', 'project')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
include openstack_project
@ -1030,9 +888,7 @@ node /^nb\d+\.openstack\.org$/ {
$packethost_project = hiera('nodepool_packethost_project', 'project')
$clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb")
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
include openstack_project
@ -1085,7 +941,6 @@ node /^ze\d+\.openstack\.org$/ {
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 7900],
afs => true,
}
@ -1177,30 +1032,7 @@ node /^zuul\d+\.openstack\.org$/ {
$git_name = 'OpenStack Zuul'
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [79, 80, 443],
iptables_allowed_hosts => [
{protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'ze11.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
{protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
],
}
class { 'openstack_project::server': }
class { '::project_config':
url => 'https://git.openstack.org/openstack-infra/project-config',
@ -1288,9 +1120,7 @@ node /^zm\d+.openstack\.org$/ {
$git_name = 'OpenStack Zuul'
$revision = 'master'
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
# NOTE(pabelanger): We call ::zuul directly, so we can override all in one
# settings.
@ -1323,12 +1153,7 @@ node /^zm\d+.openstack\.org$/ {
# Node-OS: trusty
node 'pbx.openstack.org' {
class { 'openstack_project::server':
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports => [5060],
iptables_public_udp_ports => ['5060', '10000:20000'],
}
class { 'openstack_project::server': }
class { 'openstack_project::pbx':
sip_providers => [
{
@ -1346,9 +1171,7 @@ node 'pbx.openstack.org' {
# A backup machine. Don't run cron or puppet agent on it.
node /^backup\d+\..*\.ci\.openstack\.org$/ {
$group = "ci-backup"
class { 'openstack_project::server':
iptables_public_tcp_ports => [],
}
class { 'openstack_project::server': }
include openstack_project::backup_server
}
@ -1417,20 +1240,14 @@ node 'single-node-ci.test.only' {
# Node-OS: trusty
node 'kdc01.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
}
class { 'openstack_project::server': }
class { 'openstack_project::kdc': }
}
# Node-OS: xenial
node 'kdc04.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [88, 464, 749, 754],
iptables_public_udp_ports => [88, 464, 749],
}
class { 'openstack_project::server': }
class { 'openstack_project::kdc':
slave => true,
@ -1442,7 +1259,6 @@ node 'afsdb01.openstack.org' {
$group = "afsdb"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1455,7 +1271,6 @@ node /^afsdb.*\.openstack\.org$/ {
$group = "afsdb"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1467,7 +1282,6 @@ node /^afs.*\..*\.openstack\.org$/ {
$group = "afs"
class { 'openstack_project::server':
iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
afs => true,
}
@ -1477,9 +1291,7 @@ node /^afs.*\..*\.openstack\.org$/ {
# Node-OS: trusty
node 'ask.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ask':
db_user => hiera('ask_db_user', 'ask'),
@ -1493,9 +1305,7 @@ node 'ask.openstack.org' {
# Node-OS: trusty
node 'ask-staging.openstack.org' {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::ask_staging':
db_password => hiera('ask_staging_db_password'),
@ -1507,9 +1317,7 @@ node 'ask-staging.openstack.org' {
# Node-OS: xenial
node /^translate\d+\.openstack\.org$/ {
$group = "translate"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstack_project::translate':
admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
openid_url => 'https://openstackid.org',
@ -1555,9 +1363,7 @@ node /^translate-dev\d*\.openstack\.org$/ {
# Node-OS: xenial
node /^codesearch\d*\.openstack\.org$/ {
$group = "codesearch"
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
class { 'openstack_project::codesearch':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
}
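Review bot: The Gerrit SSH connection limit `-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT` removed from the three review nodes is a DoS guard whose loss is silent — nothing stops working if the Ansible role does not carry it — so please confirm it lands as an extra rule for both v4 and v6 on the review and review-dev hosts rather than only the port opening. The mtreinish NOTE deleted with the firehose port list (why 80 and 8080 are intentionally not opened) should move to wherever the firehose group vars now live, or the next person will reopen them and crash mosquitto again. Several nodes also lose explicit allow-lists that cannot be reconstructed from a port number alone (zk 2181/2888/3888 per client and peer, adns 53 from ns1/ns2 only, the pbx `10000:20000` udp range); worth a one-line check that each of those appears verbatim in the new role data. The hunks here cut through most node bodies, so this is based only on the visible `openstack_project::server` declarations.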


@ -8,9 +8,7 @@ class openstack_project::cacti (
fail("${::osfamily} is not supported.")
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { '::apache':
default_vhost => false,


@ -20,9 +20,7 @@ class openstack_project::git (
$balancer_member_ips = [],
$selinux_mode = 'enforcing'
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 9418],
}
class { 'openstack_project::server': }
if ($::osfamily == 'RedHat') {
class { 'selinux':


@ -61,9 +61,7 @@ class openstack_project::openstackid_dev (
$session_cookie_secure = false,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstackid':
site_admin_password => $site_admin_password,


@ -62,9 +62,7 @@ class openstack_project::openstackid_prod (
$session_cookie_secure = false,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'openstackid':
site_admin_password => $site_admin_password,


@ -2,9 +2,7 @@
#
class openstack_project::planet (
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80],
}
class { 'openstack_project::server': }
include ::planet
planet::site { 'openstack':


@ -2,11 +2,6 @@
#
# A server that we expect to run for some time
class openstack_project::server (
$iptables_public_tcp_ports = [],
$iptables_public_udp_ports = [],
$iptables_rules4 = [],
$iptables_rules6 = [],
$iptables_allowed_hosts = [],
$pin_puppet = '3.',
$ca_server = undef,
$enable_unbound = true,
@ -49,10 +44,6 @@ class openstack_project::server (
'kdc04.openstack.org',
],
}
$all_udp = concat(
$iptables_public_udp_ports, [7001])
} else {
$all_udp = $iptables_public_udp_ports
}
class { 'openstack_project::automatic_upgrades':
@ -61,20 +52,4 @@ class openstack_project::server (
include snmpd
$snmp_v4hosts = [
'172.99.116.215', # cacti02.openstack.org
]
$snmp_v6hosts = [
'2001:4800:7821:105:be76:4eff:fe04:b9a5', # cacti02.opentsack.org
]
class { 'iptables':
public_tcp_ports => $iptables_public_tcp_ports,
public_udp_ports => $all_udp,
rules4 => $iptables_rules4,
rules6 => $iptables_rules6,
snmp_v4hosts => $snmp_v4hosts,
snmp_v6hosts => $snmp_v6hosts,
allowed_hosts => $iptables_allowed_hosts,
}
}


@ -26,9 +26,7 @@ class openstack_project::storyboard(
url => $project_config_repo,
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
mysql_backup::backup_remote { 'storyboard':


@ -1,8 +0,0 @@
class openstack_project::summit (
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80],
}
}
# vim:sw=2:ts=2:expandtab:textwidth=79


@ -35,9 +35,7 @@ class openstack_project::translate_dev(
$from_address,
) {
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'project_config':
url => $project_config_repo,


@ -23,9 +23,7 @@ class openstack_project::wiki (
ensure => present;
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443],
}
class { 'openstack_project::server': }
class { 'mediawiki':
role => 'all',


@ -79,14 +79,4 @@ describe 'openstack_project::server' do
end
end
describe command('iptables -S') do
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
end
end


@ -1,12 +1,8 @@
$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
$manage_afs = $::operatingsystem ? {
'CentOS' => false,
default => true
}
class { 'openstack_project::server':
iptables_public_tcp_ports => [80, 443, 29418],
iptables_rules6 => $iptables_rules,
iptables_rules4 => $iptables_rules,
afs => $manage_afs,
}


@ -16,3 +16,4 @@
- hosts: "!ci-backup:!disabled"
roles:
- exim
- iptables



@ -0,0 +1,41 @@
# Copyright (c) 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import socket
class FilterModule(object):
def dns(self, value, family):
ret = set()
try:
addr_info = socket.getaddrinfo(value, None, family)
except socket.gaierror:
return ret
for addr in addr_info:
ret.add(addr[4][0])
return sorted(ret)
def dns_a(self, value):
return self.dns(value, socket.AF_INET)
def dns_aaaa(self, value):
return self.dns(value, socket.AF_INET6)
def filters(self):
return {
'dns_a': self.dns_a,
'dns_aaaa': self.dns_aaaa,
}
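Review bot: `dns` resolves the hostname on the Ansible control node at template-render time and, on `socket.gaierror`, silently returns an empty set, so a resolver hiccup for one entry drops every rule for that host from the rendered rules file with no signal in the play output. Since the role's entire per-host allow list depends on this filter, consider failing the template instead of returning nothing, e.g. `except socket.gaierror as e: raise AnsibleFilterError('cannot resolve %s: %s' % (value, e))` (from `ansible.errors`), or at minimum logging it. The return type is also inconsistent — a `set` on failure but a sorted `list` on success; `return []` in the except branch keeps callers uniform. The same helper is duplicated as `get_ips` in the testinfra file later in this change, and a short docstring on `dns` stating that results reflect the control node's resolver and `/etc/hosts`, not the target's, would help whoever debugs a rule that is missing on a split-horizon host.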


@ -0,0 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]


@ -0,0 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]


@ -12,6 +12,11 @@ exim_base_aliases:
root: "{{ exim_sysadmins }}"
exim_aliases: "{{ exim_base_aliases|combine(exim_extra_aliases) }}"
iptables_base_allowed_hosts:
- {'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'}
iptables_extra_allowed_hosts: []
iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
# When adding new users, always pick a UID larger than the last UID, do not
# fill in holes in the middle of the range.
all_users:
@ -161,3 +166,10 @@ disabled_users:
- elizabeth
- nibz
- slukjanov
iptables_snmp_v4_hosts:
# cacti02.openstack.org
- 172.99.116.215
iptables_snmp_v6_hosts:
# cacti02.openstack.org
- 2001:4800:7821:105:be76:4eff:fe04:b9a5
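Review bot: `iptables_snmp_v4_hosts` and `iptables_snmp_v6_hosts` are introduced here but nothing in the new role reads them — the role defaults and both rules templates only consume `iptables_allowed_hosts`, the `iptables_public_*_ports` lists and `iptables_rules_v4`/`_v6` — while the SNMP allow for cacti is already expressed hostname-based via `iptables_base_allowed_hosts` in the first hunk of this file. Unless a consumer outside this change exists, these two literal-address lists are dead configuration that will drift from the hostname rule when cacti moves. Either drop them or add `# not read by the iptables role; kept for <reason>` above them so a reader does not assume they are enforced.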


@ -0,0 +1,2 @@
iptables_public_tcp_ports:
- 80


@ -0,0 +1,82 @@
iptables_rule_data:
- protocol: tcp
port: 9200:9400
hostname: elasticsearch02.openstack.org
- protocol: tcp
port: 9200:9400
hostname: elasticsearch03.openstack.org
- protocol: tcp
port: 9200:9400
hostname: elasticsearch04.openstack.org
- protocol: tcp
port: 9200:9400
hostname: elasticsearch05.openstack.org
- protocol: tcp
port: 9200:9400
hostname: elasticsearch06.openstack.org
- protocol: tcp
port: 9200:9400
hostname: elasticsearch07.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker01.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker02.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker03.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker04.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker05.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker06.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker07.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker08.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker09.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker10.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker11.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker12.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker13.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker14.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker15.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker16.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker17.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker18.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker19.openstack.org
- protocol: tcp
port: 9200:9400
hostname: logstash-worker20.openstack.org
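Review bot: `iptables_rule_data` is not a variable the new role consumes — its defaults read only `iptables_allowed_hosts` (which group_vars/all builds from `iptables_base_allowed_hosts` + `iptables_extra_allowed_hosts`), so as written nothing renders an allow rule for 9200:9400 from these hosts. If this list is meant to replace the Puppet `elasticsearch_iptables_rule_data` removed at the top of this change, it should be named `iptables_extra_allowed_hosts`; if Puppet still consumes it under this name, a comment saying so would prevent the next cleanup from deleting it. The same applies to the `iptables_rule_data` list for port 4730 in a later hunk. Because the rendered chain ends in `-j REJECT`, a misnamed list fails closed and surfaces as cluster members unable to reach each other rather than as a template error.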


@ -17,3 +17,9 @@ exim_transports:
socket = /var/run/cyrus/socket/lmtp
user = cyrus
batch_max = 35
iptables_public_tcp_ports:
- 25
- 80
- 443
- 1883
- 8883


@ -0,0 +1,8 @@
exim_extra_aliases:
gerrit2: root
iptables_rules:
- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
iptables_public_tcp_ports:
- 80
- 443
- 29418
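Review bot: The connlimit `REJECT` in `iptables_rules` is unreachable as rendered: both templates emit the `iptables_public_tcp_ports` ACCEPT rules before the `iptables_rules_v4`/`_v6` loop, so a new SYN to 29418 matches `-m state --state NEW -m tcp -p tcp --dport 29418 -j ACCEPT` first and the connection limit never fires. Either move the `{% for rule in iptables_rules_v4 -%}` block (and its v6 twin) above `# Public TCP ports` in the templates, or keep 29418 out of `iptables_public_tcp_ports` and append the ACCEPT as a second `iptables_rules` entry after the REJECT so the order is explicit in this file. A testinfra assertion on the relative order of those two rules for this host would catch a regression.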


@ -0,0 +1,4 @@
iptables_public_tcp_ports:
- 80
- 443
- 9418


@ -1 +1,5 @@
ansible_python_interpreter: python2
iptables_public_tcp_ports:
- 4443
- 8080
- 29418


@ -0,0 +1,88 @@
iptables_extra_allowed_hosts:
- hostname: git.openstack.org
port: 8125
protocol: udp
- hostname: firehose01.openstack.org
port: 8125
protocol: udp
- hostname: mirror-update01.openstack.org
port: 8125
protocol: udp
- hostname: logstash.openstack.org
port: 8125
protocol: udp
- hostname: nodepool.openstack.org
port: 8125
protocol: udp
- hostname: nl01.openstack.org
port: 8125
protocol: udp
- hostname: nl02.openstack.org
port: 8125
protocol: udp
- hostname: nl03.openstack.org
port: 8125
protocol: udp
- hostname: nl04.openstack.org
port: 8125
protocol: udp
- hostname: zuul01.openstack.org
port: 8125
protocol: udp
- hostname: zm01.openstack.org
port: 8125
protocol: udp
- hostname: zm02.openstack.org
port: 8125
protocol: udp
- hostname: zm03.openstack.org
port: 8125
protocol: udp
- hostname: zm04.openstack.org
port: 8125
protocol: udp
- hostname: zm05.openstack.org
port: 8125
protocol: udp
- hostname: zm06.openstack.org
port: 8125
protocol: udp
- hostname: zm07.openstack.org
port: 8125
protocol: udp
- hostname: zm08.openstack.org
port: 8125
protocol: udp
- hostname: ze01.openstack.org
port: 8125
protocol: udp
- hostname: ze02.openstack.org
port: 8125
protocol: udp
- hostname: ze03.openstack.org
port: 8125
protocol: udp
- hostname: ze04.openstack.org
port: 8125
protocol: udp
- hostname: ze05.openstack.org
port: 8125
protocol: udp
- hostname: ze06.openstack.org
port: 8125
protocol: udp
- hostname: ze07.openstack.org
port: 8125
protocol: udp
- hostname: ze08.openstack.org
port: 8125
protocol: udp
- hostname: ze09.openstack.org
port: 8125
protocol: udp
- hostname: ze10.openstack.org
port: 8125
protocol: udp
- hostname: ze11.openstack.org
port: 8125
protocol: udp


@ -0,0 +1,9 @@
iptables_public_tcp_ports:
- 88
- 464
- 749
- 754
iptables_public_udp_ports:
- 88
- 464
- 749


@ -0,0 +1,103 @@
iptables_public_tcp_ports:
- 80
- 3306
iptables_rule_data:
- protocol: tcp
port: '4730'
hostname: logstash-worker01.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker02.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker03.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker04.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker05.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker06.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker07.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker08.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker09.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker10.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker11.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker12.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker13.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker14.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker15.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker16.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker17.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker18.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker19.openstack.org
- protocol: tcp
port: '4730'
hostname: logstash-worker20.openstack.org
- protocol: tcp
port: '4730'
hostname: subunit-worker01.openstack.org
- protocol: tcp
port: '4730'
hostname: subunit-worker02.openstack.org
- protocol: tcp
port: '4730'
hostname: ze01.openstack.org
- protocol: tcp
port: '4730'
hostname: ze02.openstack.org
- protocol: tcp
port: '4730'
hostname: ze03.openstack.org
- protocol: tcp
port: '4730'
hostname: ze04.openstack.org
- protocol: tcp
port: '4730'
hostname: ze05.openstack.org
- protocol: tcp
port: '4730'
hostname: ze06.openstack.org
- protocol: tcp
port: '4730'
hostname: ze07.openstack.org
- protocol: tcp
port: '4730'
hostname: ze08.openstack.org
- protocol: tcp
port: '4730'
hostname: ze09.openstack.org
- protocol: tcp
port: '4730'
hostname: ze10.openstack.org
- protocol: tcp
port: '4730'
hostname: ze11.openstack.org
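Review bot: `3306` in `iptables_public_tcp_ports` opens the database port to every source address, while the same file carefully restricts the gearman port 4730 to named hosts. If the database is only reached by the listed workers (or locally), it belongs in `iptables_extra_allowed_hosts` as `{protocol: tcp, port: 3306, hostname: ...}` entries, or should be dropped from the public list; if it genuinely must be world-reachable, a comment naming the remote clients that need it would stop the next reviewer from closing it.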


@ -2,3 +2,7 @@ exim_queue_interval: '1m'
exim_queue_run_max: '50'
exim_smtp_accept_max: '100'
exim_smtp_accept_max_per_host: '10'
iptables_public_tcp_ports:
- 25
- 80
- 465


@ -0,0 +1,5 @@
iptables_public_tcp_ports:
- 80
- 8080
- 8081
- 8082


@ -0,0 +1,26 @@
iptables_extra_allowed_hosts:
- protocol: tcp
port: 2181
hostname: nb01.openstack.org
- protocol: tcp
port: 2181
hostname: nb02.openstack.org
- protocol: tcp
port: 2181
hostname: nb03.openstack.org
- protocol: tcp
port: 2181
hostname: nl01.openstack.org
- protocol: tcp
port: 2181
hostname: nl02.openstack.org
- protocol: tcp
port: 2181
hostname: nl03.openstack.org
- protocol: tcp
port: 2181
hostname: nl04.openstack.org
- protocol: tcp
port: 2181
hostname: zuul01.openstack.org


@ -0,0 +1,2 @@
iptables_public_ports:
- 53


@ -0,0 +1,7 @@
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports:
- 5060
iptables_public_udp_ports:
- 5060
- 10000:20000


@ -1,2 +0,0 @@
exim_extra_aliases:
gerrit2: root


@ -1,2 +0,0 @@
exim_extra_aliases:
gerrit2: root


@ -0,0 +1,4 @@
iptables_public_tcp_ports:
- 22
- 80
- 443


@ -0,0 +1,17 @@
iptables_extra_allowed_hosts:
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb03.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl01.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl02.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl03.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl04.openstack.org'}
- {'protocol': 'tcp', 'port': '2181', 'hostname': 'zuul01.openstack.org'}
# Zookeeper election
- {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk01.openstack.org'}
- {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk02.openstack.org'}
- {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk03.openstack.org'}
# Zookeeper leader
- {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk01.openstack.org'}
- {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk02.openstack.org'}
- {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk03.openstack.org'}
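Review bot: `iptables_extra_allowed_hosts` is also defined, with only the 2181 entries, in an earlier hunk of this change; with Ansible's default `hash_behaviour=replace` a more specific vars file (host_vars over group_vars) replaces the whole list rather than merging, so if both files apply to one ZooKeeper node the 2888/3888 election and leader rules here would be silently lost. The file paths are not visible on this page, so this may be deliberate scoping; if it is, a comment `# this list replaces, not extends, the group-level list` in the narrower file makes the precedence explicit. Mixing flow-style `{'protocol': ...}` entries here with the block-style entries used elsewhere in the change is harmless but worth unifying.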


@ -0,0 +1,3 @@
iptables_public_tcp_ports:
- 79
- 7900


@ -0,0 +1,63 @@
iptables_public_tcp_ports:
- 79
- 80
- 443
iptables_extra_allowed_hosts:
- protocol: tcp
port: 4730
hostname: ze01.openstack.org
- protocol: tcp
port: 4730
hostname: ze02.openstack.org
- protocol: tcp
port: 4730
hostname: ze03.openstack.org
- protocol: tcp
port: 4730
hostname: ze04.openstack.org
- protocol: tcp
port: 4730
hostname: ze05.openstack.org
- protocol: tcp
port: 4730
hostname: ze06.openstack.org
- protocol: tcp
port: 4730
hostname: ze07.openstack.org
- protocol: tcp
port: 4730
hostname: ze08.openstack.org
- protocol: tcp
port: 4730
hostname: ze09.openstack.org
- protocol: tcp
port: 4730
hostname: ze10.openstack.org
- protocol: tcp
port: 4730
hostname: ze11.openstack.org
- protocol: tcp
port: 4730
hostname: zm01.openstack.org
- protocol: tcp
port: 4730
hostname: zm02.openstack.org
- protocol: tcp
port: 4730
hostname: zm03.openstack.org
- protocol: tcp
port: 4730
hostname: zm04.openstack.org
- protocol: tcp
port: 4730
hostname: zm05.openstack.org
- protocol: tcp
port: 4730
hostname: zm06.openstack.org
- protocol: tcp
port: 4730
hostname: zm07.openstack.org
- protocol: tcp
port: 4730
hostname: zm08.openstack.org


@ -0,0 +1,44 @@
Install and configure iptables
**Role Variables**
.. zuul:rolevar:: iptables_allowed_hosts
:default: []
A list of dictionaries, each item in the list is a rule to add for
a host/port combination. The format of the dictionary is:
.. zuul:rolevar:: hostname
The hostname to allow. It will automatically be resolved, and
all IP addresses will be added to the firewall.
.. zuul:rolevar:: protocol
One of "tcp" or "udp".
.. zuul:rolevar:: port
The port number.
.. zuul:rolevar:: iptables_public_tcp_ports
:default: []
A list of public TCP ports to open.
.. zuul:rolevar:: iptables_public_udp_ports
:default: []
A list of public UDP ports to open.
.. zuul:rolevar:: iptables_rules_v4
:default: []
A list of iptables v4 rules. Each item is a string containing the
iptables command line options for the rule.
.. zuul:rolevar:: iptables_rules_v6
:default: []
A list of iptables v6 rules. Each item is a string containing the
iptables command line options for the rule.


@ -0,0 +1,7 @@
iptables_allowed_hosts: []
iptables_public_ports: []
iptables_public_tcp_ports: '{{ iptables_public_ports }}'
iptables_public_udp_ports: '{{ iptables_public_ports }}'
iptables_rules: []
iptables_rules_v4: '{{ iptables_rules }}'
iptables_rules_v6: '{{ iptables_rules }}'
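Review bot: `iptables_public_ports` and `iptables_rules` — the convenience variables that the protocol- and family-specific variables default to — are not described in the role README added in this change, which documents only the specific forms; a reader of the README would not learn that `iptables_public_ports: [53]` opens the port for both TCP and UDP. Add a `.. zuul:rolevar:: iptables_public_ports` entry ("Ports opened for both TCP and UDP; the default value of `iptables_public_tcp_ports` and `iptables_public_udp_ports`") and the analogous one for `iptables_rules`. The README's `port` description ("The port number") should also say that iptables range syntax such as `9200:9400` is accepted, since several host files in this change rely on it.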


@ -0,0 +1,11 @@
- name: Reload iptables Debian
import_tasks: tasks/reload-debian.yaml
when:
- not ansible_facts.is_chroot
- ansible_facts.os_family == 'Debian'
- name: Reload iptables RedHat
import_tasks: tasks/reload-redhat.yaml
when:
- not ansible_facts.is_chroot
- ansible_facts.os_family == 'RedHat'


@ -0,0 +1,11 @@
- name: Disable firewalld
service:
name: firewalld
enabled: no
state: stopped
failed_when: false
- name: Ensure firewalld is removed
package:
name: firewalld
state: absent


@ -0,0 +1,54 @@
- name: Include OS-specific variables
include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files: "{{ distro_lookup_path }}"
paths:
- 'vars'
- name: Install iptables
package:
name: '{{ package_name }}'
state: present
- name: Ensure iptables rules directory
file:
state: directory
path: '{{ rules_dir }}'
- name: Install IPv4 rules files
template:
src: rules.v4.j2
dest: '{{ ipv4_rules }}'
owner: root
group: root
mode: 0640
setype: '{{ setype | default(omit) }}'
notify:
- Reload iptables Debian
- Reload iptables RedHat
- name: Install IPv6 rules files
template:
src: rules.v6.j2
dest: '{{ ipv6_rules }}'
owner: root
group: root
mode: 0640
setype: '{{ setype | default(omit) }}'
notify:
- Reload iptables Debian
- Reload iptables RedHat
- name: Include OS specific tasks
include_tasks: "{{ item }}"
vars:
params:
files: "{{ distro_lookup_path }}"
skip: true
loop: "{{ query('first_found', params) }}"
- name: Enable iptables service
service:
name: '{{ service_name }}'
enabled: true
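Review bot: `Enable iptables service` only sets `enabled: true`, so on a host where a rules file was written but the reload handler did not run (a handler failure on a previous run, followed by a retry where the template task is unchanged) the file sits on disk unloaded until reboot and the host keeps whatever rule set was previously live. Adding `state: started` to that task makes each run converge the loaded rules as well; the `netfilter-persistent` and `iptables-services` units appear to be oneshot/RemainAfterExit, so this should stay idempotent, but confirm on each distro. A comment above the task, `# Boot-time loading only; rule changes are applied by the reload handlers`, would make the split explicit.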


@ -0,0 +1,2 @@
- name: Reload iptables (Debian)
command: '{{ reload_command }}'


@ -0,0 +1,5 @@
- name: Reload iptables (Red Hat)
command: 'systemctl reload iptables'
- name: Reload ip6tables (Red Hat)
command: 'systemctl reload ip6tables'
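Review bot: Both reload tasks shell out to `systemctl reload ...` through `command`, which always reports changed and, on a unit that is not yet active, fails instead of loading the rules. Using the service module — `service: {name: iptables, state: reloaded}` and the same for `ip6tables` — expresses the intent, and I believe the systemd backend starts an inactive unit in that case; the Debian reload in the previous hunk keeps a different mechanism (`netfilter-persistent start`), so it should stay as is unless the same behaviour is verified there.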


@ -0,0 +1,31 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
{% for rule in iptables_rules_v4 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_a -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
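Review bot: The chain policies are `:INPUT ACCEPT` and `:FORWARD ACCEPT` with no rule in FORWARD, so the host-level deny rests entirely on the final `-j REJECT` in `openstack-INPUT`; if that line or the `-A INPUT -j openstack-INPUT` jump is ever lost the policy accepts everything, and any host with `ip_forward` enabled (container runtimes turn it on) forwards freely. Unless some host in this inventory routes traffic, `:FORWARD DROP [0:0]` — and arguably `:INPUT DROP [0:0]` as a belt-and-braces default — would fail closed; the same applies to the v6 template in the next hunk. The `{% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m ...` line renders a double space for UDP entries, harmless to `iptables-restore` but untidy, and the commented-out `#-A ... --dport 5353` mDNS line is dead text. A one-line comment above the `iptables_allowed_hosts` loop, `# hostnames are resolved on the Ansible control node at render time`, would help whoever debugs a missing per-host rule.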


@ -0,0 +1,30 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmpv6 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
{% for rule in iptables_rules_v6 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT


@ -0,0 +1,6 @@
package_name: iptables-persistent
service_name: netfilter-persistent
rules_dir: /etc/iptables
ipv4_rules: /etc/iptables/rules.v4
ipv6_rules: /etc/iptables/rules.v6
reload_command: /usr/sbin/netfilter-persistent start


@ -0,0 +1,6 @@
package_name: iptables-services
service_name: iptables
rules_dir: /etc/sysconfig
ipv4_rules: /etc/sysconfig/iptables
ipv6_rules: /etc/sysconfig/ip6tables
setype: 'etc_t'


@ -0,0 +1,6 @@
package_name: iptables-persistent
service_name: iptables-persistent
rules_dir: /etc/iptables
ipv4_rules: /etc/iptables/rules.v4
ipv6_rules: /etc/iptables/rules.v6
reload_command: /etc/init.d/iptables-persistent reload


@ -12,6 +12,20 @@
# License for the specific language governing permissions and limitations
# under the License.
import socket
def get_ips(value, family=None):
ret = set()
try:
addr_info = socket.getaddrinfo(value, None, family)
except socket.gaierror:
return ret
for addr in addr_info:
ret.add(addr[4][0])
return ret
def test_exim_is_installed(host):
if host.system_info.distribution in ['ubuntu', 'debian']:
exim = host.package("exim4-base")
@ -21,3 +35,36 @@ def test_exim_is_installed(host):
cmd = host.run("exim -bt root")
assert cmd.rc == 0
def test_iptables(host):
rules = host.iptables.rules()
rules = [x.strip() for x in rules]
start = [
'-P INPUT ACCEPT',
'-P FORWARD ACCEPT',
'-P OUTPUT ACCEPT',
'-N openstack-INPUT',
'-A INPUT -j openstack-INPUT',
'-A openstack-INPUT -i lo -j ACCEPT',
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
]
assert rules[:len(start)] == start
reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
assert reject in rules
# Make sure that the zuul console stream rule has been removed
# from the test node
zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
' -m tcp --dport 19885 -j ACCEPT')
assert zuul not in rules
# Ensure all IPv4 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):
snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in rules