Run iptables in service playbooks instead of base

It's the only part of base that's important to run when we run a
service. Run it in the service playbooks and get rid of the
dependency on infra-prod-base.

Continue running it in base so that new nodes are brought up
with iptables in place.

Bump the timeout for the mirror job, because the iptables addition
seems to have just bumped it over the edge.

Change-Id: I4608216f7a59cfa96d3bdb191edd9bc7bb9cca39

playbooks/roles/iptables/README.rst

@@ -0,0 +1,63 @@
+Install and configure iptables
+
+**Role Variables**
+
+.. zuul:rolevar:: iptables_allowed_hosts
+   :default: []
+
+   A list of dictionaries, each item in the list is a rule to add for
+   a host/port combination.  The format of the dictionary is:
+
+   .. zuul:rolevar:: hostname
+
+      The hostname to allow.  It will automatically be resolved, and
+      the inventory IP address will be added to the firewall.
+
+   .. zuul:rolevar:: protocol
+
+      One of "tcp" or "udp".
+
+   .. zuul:rolevar:: port
+
+      The port number.
+
+.. zuul:rolevar:: iptables_allowed_groups
+   :default: []
+
+   A list of dictionaries, each item in the list is a rule to add for
+   a host/port combination.  The format of the dictionary is:
+
+   .. zuul:rolevar:: group
+
+      The ansible inventory group to add.  Every host in the group will
+      be added to the firewall.
+
+   .. zuul:rolevar:: protocol
+
+      One of "tcp" or "udp".
+
+   .. zuul:rolevar:: port
+
+      The port number.
+
+.. zuul:rolevar:: iptables_public_tcp_ports
+   :default: []
+
+   A list of public TCP ports to open.
+
+.. zuul:rolevar:: iptables_public_udp_ports
+   :default: []
+
+   A list of public UDP ports to open.
+
+.. zuul:rolevar:: iptables_rules_v4
+   :default: []
+
+   A list of iptables v4 rules.  Each item is a string containing the
+   iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_rules_v6
+   :default: []
+
+   A list of iptables v6 rules.  Each item is a string containing the
+   iptables command line options for the rule.

playbooks/roles/iptables/defaults/main.yaml

@@ -0,0 +1,7 @@
+iptables_allowed_hosts: []
+iptables_public_ports: []
+iptables_public_tcp_ports: '{{ iptables_public_ports }}'
+iptables_public_udp_ports: '{{ iptables_public_ports }}'
+iptables_rules: []
+iptables_rules_v4: '{{ iptables_rules }}'
+iptables_rules_v6: '{{ iptables_rules }}'

playbooks/roles/iptables/handlers/main.yaml

@@ -0,0 +1,20 @@
+- name: Reload iptables (Debian)
+  command: '{{ reload_command }}'
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'Debian'
+  listen: "Reload iptables"
+
+- name: Reload iptables (RedHat)
+  command: 'systemctl reload iptables'
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'RedHat'
+  listen: "Reload iptables"
+
+- name: Reload ip6tables (Red Hat)
+  command: 'systemctl reload ip6tables'
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'RedHat'
+  listen: "Reload iptables"

playbooks/roles/iptables/tasks/RedHat.yaml

@@ -0,0 +1,11 @@
+- name: Disable firewalld
+  service:
+    name: firewalld
+    enabled: no
+    state: stopped
+  failed_when: false
+
+- name: Ensure firewalld is removed
+  package:
+    name: firewalld
+    state: absent

playbooks/roles/iptables/tasks/main.yaml

@@ -0,0 +1,51 @@
+- name: Include OS-specific variables
+  include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      paths:
+        - 'vars'
+
+- name: Install iptables
+  package:
+    name: '{{ package_name }}'
+    state: present
+
+- name: Ensure iptables rules directory
+  file:
+    state: directory
+    path: '{{ rules_dir }}'
+
+- name: Install IPv4 rules files
+  template:
+    src: rules.v4.j2
+    dest: '{{ ipv4_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables
+
+- name: Install IPv6 rules files
+  template:
+    src: rules.v6.j2
+    dest: '{{ ipv6_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables
+
+- name: Include OS specific tasks
+  include_tasks: "{{ item }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+  loop: "{{ query('first_found', params, errors='ignore') }}"
+
+- name: Enable iptables service
+  service:
+    name: '{{ service_name }}'
+    enabled: true

playbooks/roles/iptables/templates/rules.v4.j2

@@ -0,0 +1,38 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v4 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_a -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+{% for group in iptables_allowed_groups -%}
+{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v4') -%}
+{% if addr -%}
+-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
+{% endif -%}
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT

playbooks/roles/iptables/templates/rules.v6.j2

@@ -0,0 +1,37 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v6 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_aaaa -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+{% for group in iptables_allowed_groups -%}
+{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v6') -%}
+{% if addr -%}
+-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
+{% endif -%}
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

playbooks/roles/iptables/vars/Debian.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: netfilter-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /usr/sbin/netfilter-persistent start

playbooks/roles/iptables/vars/RedHat.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-services
+service_name: iptables
+rules_dir: /etc/sysconfig
+ipv4_rules: /etc/sysconfig/iptables
+ipv6_rules: /etc/sysconfig/ip6tables
+setype: 'etc_t'

playbooks/roles/iptables/vars/Ubuntu.trusty.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: iptables-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /etc/init.d/iptables-persistent reload