base-test: iptables: allow zuul console streaming

This adds a group var which should normally be the empty list but
can be overridden by the test framework to inject additional iptables
rules.  It's used to add the zuul console streaming port.  To
accomplish this, the base+extras pattern is adopted for
iptables public tcp/udp ports.  This means all host/group vars should
use the "extra" form of the variable rather than the actual variable
defined by the role.

Change-Id: I33fe2b7de4a4ba79c25c0fb41a00e3437cee5463
James E. Blair 2018-08-28 15:51:27 -07:00
parent 62a74b0630
commit 800397c3da
20 changed files with 35 additions and 21 deletions


@ -1 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]


@ -1 +1 @@
iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]


@ -17,6 +17,17 @@ iptables_base_allowed_hosts:
iptables_extra_allowed_hosts: []
iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
iptables_base_public_tcp_ports: []
iptables_extra_public_tcp_ports: []
# iptables_test_public_tcp_ports is here only to allow the test
# framework to inject an iptables rule to allow zuul console
# streaming. Do not use it otherwise.
iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
iptables_base_public_udp_ports: []
iptables_extra_public_udp_ports: []
iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
# When adding new users, always pick a UID larger than the last UID, do not
# fill in holes in the middle of the range.
all_users:
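Review bot: Nothing stops a host or group var from setting `iptables_test_public_tcp_ports` itself, or from still setting `iptables_public_tcp_ports` under its old name; the latter replaces the whole composed expression — including the injected console-stream port and the base ports — rather than extending it, which is exactly the silent regression the renames across the other files are meant to avoid. The `default([])` guard also only covers an undefined variable: a bare `iptables_test_public_tcp_ports:` in a vars file yields null and the list concatenation then fails at template time. I would extend the new comment so the contract is explicit: `# Host/group vars must set iptables_extra_public_tcp_ports only; setting` `# iptables_public_tcp_ports directly discards the base and test ports.` A task that fails when `iptables_public_tcp_ports` is defined by inventory rather than by these defaults would catch stragglers, but that can be a follow-up.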


@ -1,2 +1,2 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80


@ -17,7 +17,7 @@ exim_transports:
socket = /var/run/cyrus/socket/lmtp
user = cyrus
batch_max = 35
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 25
- 80
- 443


@ -2,7 +2,7 @@ exim_extra_aliases:
gerrit2: root
iptables_rules:
- -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 443
- 29418


@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 443
- 9418


@ -1,5 +1,5 @@
ansible_python_interpreter: python2
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 4443
- 8080
- 29418


@ -1,9 +1,9 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 88
- 464
- 749
- 754
iptables_public_udp_ports:
iptables_extra_public_udp_ports:
- 88
- 464
- 749


@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 3306
iptables_extra_allowed_hosts:


@ -2,7 +2,7 @@ exim_queue_interval: '1m'
exim_queue_run_max: '50'
exim_smtp_accept_max: '100'
exim_smtp_accept_max_per_host: '10'
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 25
- 80
- 465


@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 80
- 8080
- 8081


@ -1,2 +1,4 @@
iptables_public_ports:
iptables_extra_public_tcp_ports:
- 53
iptables_extra_public_udp_ports:
- 53
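Review bot: The replaced key `iptables_public_ports` is not one of the variables the role defaults compose (they define `iptables_public_tcp_ports` and `iptables_public_udp_ports`), so this file presumably had no effect before and this hunk opens 53/tcp and 53/udp on these hosts for the first time rather than merely moving to the "extra" form. That is a firewall-policy change, not a rename, and deserves a sentence in the commit message, which currently describes the whole change as adopting the extra-variable pattern. A comment above the two lists, `# DNS; the previous key was one the iptables role never read`, would keep that history visible to the next reader.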


@ -1,7 +1,7 @@
# SIP signaling is either TCP or UDP port 5060.
# RTP media (audio/video) uses a range of UDP ports.
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 5060
iptables_public_udp_ports:
iptables_extra_public_udp_ports:
- 5060
- 10000:20000


@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 22
- 80
- 443


@ -1,3 +1,3 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 79
- 7900


@ -1,4 +1,4 @@
iptables_public_tcp_ports:
iptables_extra_public_tcp_ports:
- 79
- 80
- 443


@ -36,6 +36,7 @@
bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
iptables_test_public_tcp_ports: [19885]
template:
src: "templates/{{ item }}.j2"
dest: "/etc/ansible/hosts/{{ item }}"
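Review bot: `iptables_test_public_tcp_ports: [19885]` is a bare magic number with no comment, even though the role defaults describe the variable as a test-only hook and the test at the end of this change hard-codes the same port a second time. A one-line comment above it, `# zuul console stream port; injected into the test nodes' iptables rules`, ties the two sites together for the next reader. The enclosing task starts before this hunk.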


@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
bastion_ipv6: {{ bastion_ipv6 }}
{% endif %}
bastion_public_key: {{ bastion_public_key }}
iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
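Review bot: The added line expands the list into the generated vars file unquoted, so the output is only valid YAML while the renderer happens to print the value as a flow sequence of plain integers; with `ansible_python_interpreter: python2` in use elsewhere in this change, a list that ever contains strings may render with `u'...'` items and break parsing of the whole generated file. Rendering through an explicit serializer, `iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports | to_json }}`, yields a YAML-compatible value regardless of element type. The surrounding template starts before this hunk.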


@ -75,11 +75,10 @@ def test_iptables(host):
reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
assert reject in rules
# Make sure that the zuul console stream rule has been removed
# from the test node
# Make sure that the zuul console stream rule is still present
zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
' -m tcp --dport 19885 -j ACCEPT')
assert zuul not in rules
assert zuul in rules
# Ensure all IPv4 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):