base-test: iptables: allow zuul console streaming

This adds a group var which should normally be the empty list but
can be overridden by the test framework to inject additional iptables
rules.  It's used to add the zuul console streaming port.  To
accomplish this, the base+extras pattern is adopted for
iptables public tcp/udp ports.  This means all host/group vars should
use the "extra" form of the variable rather than the actual variable
defined by the role.

Change-Id: I33fe2b7de4a4ba79c25c0fb41a00e3437cee5463

playbooks/group_vars/afs.yaml

@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/afsdb.yaml

@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/all.yaml

@@ -17,6 +17,17 @@ iptables_base_allowed_hosts:
 iptables_extra_allowed_hosts: []
 iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
 
+iptables_base_public_tcp_ports: []
+iptables_extra_public_tcp_ports: []
+# iptables_test_public_tcp_ports is here only to allow the test
+# framework to inject an iptables rule to allow zuul console
+# streaming.  Do not use it otherwise.
+iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
+
+iptables_base_public_udp_ports: []
+iptables_extra_public_udp_ports: []
+iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:

playbooks/group_vars/eavesdrop.yaml

@@ -1,2 +1,2 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80

playbooks/group_vars/firehose.yaml

@@ -17,7 +17,7 @@ exim_transports:
       socket = /var/run/cyrus/socket/lmtp
       user = cyrus
       batch_max = 35
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 25
   - 80
   - 443

playbooks/group_vars/gerrit.yaml

@@ -2,7 +2,7 @@ exim_extra_aliases:
   gerrit2: root
 iptables_rules:
   - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 443
   - 29418

playbooks/group_vars/git-loadbalancer.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 443
   - 9418

playbooks/group_vars/git-server.yaml

@@ -1,5 +1,5 @@
 ansible_python_interpreter: python2
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 4443
   - 8080
   - 29418

playbooks/group_vars/kdc.yaml

@@ -1,9 +1,9 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 88
   - 464
   - 749
   - 754
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
   - 88
   - 464
   - 749

playbooks/group_vars/logstash.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 3306
 iptables_extra_allowed_hosts:

playbooks/group_vars/mailman.yaml

@@ -2,7 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 25
   - 80
   - 465

playbooks/group_vars/mirror.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 80
   - 8080
   - 8081

playbooks/group_vars/ns.yaml

@@ -1,2 +1,4 @@
-iptables_public_ports:
+iptables_extra_public_tcp_ports:
+  - 53
+iptables_extra_public_udp_ports:
   - 53

playbooks/group_vars/pbx.yaml

@@ -1,7 +1,7 @@
 # SIP signaling is either TCP or UDP port 5060.
 # RTP media (audio/video) uses a range of UDP ports.
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 5060
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
   - 5060
   - 10000:20000

playbooks/group_vars/webservers.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 22
   - 80
   - 443

playbooks/group_vars/zuul-executor.yaml

@@ -1,3 +1,3 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 79
   - 7900

playbooks/group_vars/zuul-scheduler.yaml

@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
   - 79
   - 80
   - 443

playbooks/zuul/run-base.yaml

@@ -36,6 +36,7 @@
         bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
         bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
         bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
+        iptables_test_public_tcp_ports: [19885]
       template:
         src: "templates/{{ item }}.j2"
         dest: "/etc/ansible/hosts/{{ item }}"

playbooks/zuul/templates/group_vars/all.yaml.j2

@@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
 bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
+iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}

testinfra/test_base.py

@@ -75,11 +75,10 @@ def test_iptables(host):
     reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
     assert reject in rules
 
-    # Make sure that the zuul console stream rule has been removed
+    # Make sure that the zuul console stream rule is still present
-    # from the test node
     zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
             ' -m tcp --dport 19885 -j ACCEPT')
-    assert zuul not in rules
+    assert zuul in rules
 
     # Ensure all IPv4 addresses for cacti are allowed
     for ip in get_ips('cacti.openstack.org', socket.AF_INET):