opendev/system-config
Code Issues Proposed changes

base-test: iptables: allow zuul console streaming

Browse Source 
This adds a group var which should normally be the empty list but
can be overridden by the test framework to inject additional iptables
rules.  It's used to add the zuul console streaming port.  To
accomplish this, the base+extras pattern is adopted for
iptables public tcp/udp ports.  This means all host/group vars should
use the "extra" form of the variable rather than the actual variable
defined by the role.

Change-Id: I33fe2b7de4a4ba79c25c0fb41a00e3437cee5463
This commit is contained in:
James E. Blair 2018-08-28 15:51:27 -07:00
parent 62a74b0630
commit 800397c3da
20 changed files with 35 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/group_vars/afs.yaml
View File

@ -1 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

2
playbooks/group_vars/afsdb.yaml
View File

@ -1 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

11
playbooks/group_vars/all.yaml
View File

@ -17,6 +17,17 @@ iptables_base_allowed_hosts:
iptables_extra_allowed_hosts: []
iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
iptables_base_public_tcp_ports: []
iptables_extra_public_tcp_ports: []
# iptables_test_public_tcp_ports is here only to allow the test
# framework to inject an iptables rule to allow zuul console
# streaming. Do not use it otherwise.
iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
iptables_base_public_udp_ports: []
iptables_extra_public_udp_ports: []
iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
# When adding new users, always pick a UID larger than the last UID, do not
# fill in holes in the middle of the range.
all_users:

2
playbooks/group_vars/eavesdrop.yaml
View File

@ -1,2 +1,2 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80

2
playbooks/group_vars/firehose.yaml
View File

@ -17,7 +17,7 @@ exim_transports:
socket = /var/run/cyrus/socket/lmtp
user = cyrus
batch_max = 35
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 25
- 80
- 443

2
playbooks/group_vars/gerrit.yaml
View File

@ -2,7 +2,7 @@ exim_extra_aliases:
gerrit2: root
iptables_rules:
- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 443
- 29418

2
playbooks/group_vars/git-loadbalancer.yaml
View File

@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 443
- 9418

2
playbooks/group_vars/git-server.yaml
View File

@ -1,5 +1,5 @@
ansible_python_interpreter: python2
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 4443
- 8080
- 29418

4
playbooks/group_vars/kdc.yaml
View File

@ -1,9 +1,9 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 88
- 464
- 749
- 754
iptables_public_udp_ports:
iptables_extra_public_udp_ports:
- 88
- 464
- 749

2
playbooks/group_vars/logstash.yaml
View File

@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 3306
iptables_extra_allowed_hosts:

2
playbooks/group_vars/mailman.yaml
View File

@ -2,7 +2,7 @@ exim_queue_interval: '1m'
exim_queue_run_max: '50'
exim_smtp_accept_max: '100'
exim_smtp_accept_max_per_host: '10'
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 25
- 80
- 465

2
playbooks/group_vars/mirror.yaml
View File

@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 8080
- 8081

4
playbooks/group_vars/ns.yaml
View File

@ -1,2 +1,4 @@
iptables_public_ports:
iptables_extra_public_tcp_ports:
- 53
iptables_extra_public_udp_ports:
- 53

4
playbooks/group_vars/pbx.yaml
View File

@ -1,7 +1,7 @@
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 5060
iptables_public_udp_ports:
iptables_extra_public_udp_ports:
- 5060
- 10000:20000

2
playbooks/group_vars/webservers.yaml
View File

@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 22
- 80
- 443

2
playbooks/group_vars/zuul-executor.yaml
View File

@ -1,3 +1,3 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 79
- 7900

2
playbooks/group_vars/zuul-scheduler.yaml
View File

@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 79
- 80
- 443

1
playbooks/zuul/run-base.yaml
View File

@ -36,6 +36,7 @@
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
iptables_test_public_tcp_ports: [19885]
template:
src: "templates/{{ item }}.j2"
dest: "/etc/ansible/hosts/{{ item }}"

1
playbooks/zuul/templates/group_vars/all.yaml.j2
View File

@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
bastion_ipv6: {{ bastion_ipv6 }}
{% endif %}
bastion_public_key: {{ bastion_public_key }}
iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}

5
testinfra/test_base.py
View File

@ -75,11 +75,10 @@ def test_iptables(host):
reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
assert reject in rules
# Make sure that the zuul console stream rule has been removed
# from the test node
# Make sure that the zuul console stream rule is still present
zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
' -m tcp --dport 19885 -j ACCEPT')
assert zuul not in rules
assert zuul in rules
# Ensure all IPv4 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):