319 lines
10 KiB
Ruby
319 lines
10 KiB
Ruby
# ROLE: primary-mongo
|
|
# ROLE: primary-controller
|
|
# ROLE: mongo
|
|
# ROLE: ironic
|
|
# ROLE: controller
|
|
# ROLE: compute
|
|
# ROLE: cinder-block-device
|
|
# ROLE: cinder
|
|
# ROLE: ceph-osd
|
|
require 'spec_helper'
|
|
require 'shared-examples'
|
|
manifest = 'firewall/firewall.pp'
|
|
|
|
describe manifest do
|
|
shared_examples 'catalog' do
|
|
|
|
let(:network_scheme) do
|
|
Noop.hiera_hash 'network_scheme', {}
|
|
end
|
|
|
|
let(:prepare) do
|
|
Noop.puppet_function 'prepare_network_config', network_scheme
|
|
end
|
|
|
|
let(:admin_nets) do
|
|
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'fw-admin'
|
|
end
|
|
|
|
let(:management_nets) do
|
|
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'management'
|
|
end
|
|
|
|
let(:storage_nets) do
|
|
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'storage'
|
|
end
|
|
|
|
let(:database_network) do
|
|
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'mgmt/database'
|
|
end
|
|
|
|
let(:keystone_network) do
|
|
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'keystone/api'
|
|
end
|
|
|
|
let(:baremetal_network) do
|
|
prepare
|
|
Noop.puppet_function 'get_network_role_property', 'ironic/baremetal', 'network'
|
|
end
|
|
|
|
let(:baremetal_ipaddr) do
|
|
prepare
|
|
Noop.puppet_function 'get_network_role_property', 'ironic/baremetal', 'ipaddr'
|
|
end
|
|
|
|
node_name = Noop.hiera('node_name')
|
|
storage_hash = Noop.hiera 'storage'
|
|
network_metadata = Noop.hiera_hash 'network_metadata', {}
|
|
roles = network_metadata['nodes'][node_name]['node_roles']
|
|
mongodb_port = Noop.hiera('mongodb_port', '27017')
|
|
|
|
ssh_hash = Noop.hiera_hash 'ssh', {}
|
|
|
|
let(:ssh_brute_force) do
|
|
if ssh_hash['brute_force_protection']
|
|
'present'
|
|
else
|
|
'absent'
|
|
end
|
|
end
|
|
|
|
it 'should accept connections to the SSH service only from specified networks' do
|
|
|
|
if ssh_hash['security_enabled']
|
|
ssh_networks = Noop.puppet_function 'pick', ssh_hash['security_networks'], Noop.puppet_function, 'concat', admin_nets, management_nets, storage_nets
|
|
else
|
|
ssh_networks = Noop.puppet_function 'concat', admin_nets, management_nets, storage_nets
|
|
end
|
|
|
|
should contain_openstack__firewall__multi_net('020 ssh').with(
|
|
'port' => [ 22 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source_nets' => ssh_networks,
|
|
)
|
|
|
|
should contain_firewall('021 ssh: new pipe for a sessions').with_ensure(ssh_brute_force)
|
|
should contain_firewall('022 ssh: more than allowed attempts logged').with_ensure(ssh_brute_force)
|
|
should contain_firewall('023 ssh: block more than allowed attempts').with_ensure(ssh_brute_force)
|
|
should contain_firewall('024 ssh: accept allowed new session').with_ensure(ssh_brute_force)
|
|
|
|
end
|
|
|
|
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
|
it 'should properly restrict rabbitmq admin traffic' do
|
|
should contain_firewall('005 local rabbitmq admin').with(
|
|
'sport' => [ 15672 ],
|
|
'iniface' => 'lo',
|
|
'proto' => 'tcp',
|
|
'action' => 'accept'
|
|
)
|
|
should contain_firewall('006 reject non-local rabbitmq admin').with(
|
|
'sport' => [ 15672 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'drop'
|
|
)
|
|
end
|
|
|
|
it 'should accept connections to mysql using network with mgmt/database role' do
|
|
should contain_openstack__firewall__multi_net('101 mysql').with(
|
|
'port' => [ 3306, 3307, 4567, 4568, 4444, 49000 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source_nets' => database_network,
|
|
)
|
|
end
|
|
|
|
it 'should accept connections to keystone API using network with keystone/api role' do
|
|
should contain_openstack__firewall__multi_net('102 keystone').with(
|
|
'port' => [ 5000, 35357 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source_nets' => keystone_network,
|
|
)
|
|
end
|
|
|
|
it 'should accept connections to nova' do
|
|
should contain_firewall('105 nova').with(
|
|
'dport' => [ 8774, 8776, 6080 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
|
|
it 'should accept connections to nova without ssl' do
|
|
management_nets.each do |source|
|
|
should contain_firewall("105 nova internal - no ssl from #{source}").with(
|
|
'dport' => [ 8775, '5900-6900', 8778 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source' => source,
|
|
)
|
|
end
|
|
end
|
|
|
|
it 'should accept connections to iscsi' do
|
|
storage_nets.each do |source|
|
|
should contain_firewall("109 iscsi from #{source}").with(
|
|
'dport' => [ 3260 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source' => source,
|
|
)
|
|
end
|
|
end
|
|
|
|
it 'should create rules for murano rabbitmq port' do
|
|
should contain_firewall('203 murano-rabbitmq').with(
|
|
'dport' => [ 55572 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
|
|
it 'should create rules for heat' do
|
|
should contain_firewall('204 heat-api').with(
|
|
'dport' => [ 8004 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
should contain_firewall('205 heat-api-cfn').with(
|
|
'dport' => [ 8000 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
should contain_firewall('206 heat-api-cloudwatch').with(
|
|
'dport' => [ 8003 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
|
|
it 'should create rules for glance' do
|
|
should contain_firewall('104 glance').with(
|
|
'dport' => [ 9292, 9494, 9191, 8773 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
|
|
it 'should accept connections from 240.0.0.2' do
|
|
should contain_firewall('030 allow connections from haproxy namespace').with(
|
|
'source' => '240.0.0.2',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
elsif Noop.puppet_function 'member', roles, 'compute'
|
|
it 'should accept connections to nova without ssl' do
|
|
management_nets.each do |source|
|
|
should contain_firewall("105 nova vnc from #{source}").with(
|
|
'dport' => [ '5900-6900' ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source' => source,
|
|
)
|
|
end
|
|
end
|
|
|
|
it 'should accept connections to libvirt' do
|
|
management_nets.each do |source|
|
|
should contain_firewall("118 libvirt from #{source}").with(
|
|
'dport' => [ 16509 ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source' => source,
|
|
)
|
|
end
|
|
end
|
|
|
|
it 'should allow libvirt vm migration' do
|
|
management_nets.each do |source|
|
|
should contain_firewall("119 libvirt-migration from #{source}").with(
|
|
'dport' => [ '49152-49215' ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
'source' => source,
|
|
)
|
|
end
|
|
end
|
|
elsif Noop.puppet_function 'member', roles, 'primary-mongo' or Noop.puppet_function 'member', roles, 'mongo'
|
|
it 'should create firewall rules' do
|
|
should contain_firewall('120 mongodb').with('dport' => mongodb_port)
|
|
end
|
|
end
|
|
|
|
if Noop.hiera_structure 'ironic/enabled'
|
|
if Noop.hiera('role') == 'controller' or Noop.hiera('role') == 'primary-controller'
|
|
it 'should drop all traffic from baremetal network' do
|
|
should contain_firewall('999 drop all baremetal').with(
|
|
'chain' => 'baremetal',
|
|
'proto' => 'all',
|
|
'action' => 'drop',
|
|
)
|
|
end
|
|
it 'should enable 6385 ironic-api port' do
|
|
should contain_firewall('207 ironic-api').with(
|
|
'dport' => '6385',
|
|
'proto' => 'tcp',
|
|
'action' => 'accept'
|
|
)
|
|
end
|
|
end
|
|
|
|
if Noop.hiera('role') == 'ironic'
|
|
it 'should create rules for ironic on conductor' do
|
|
should contain_firewall('102 allow baremetal-rsyslog').with(
|
|
'chain' => 'baremetal',
|
|
'dport' => [ 514 ],
|
|
'proto' => 'udp',
|
|
'action' => 'accept',
|
|
'source' => baremetal_network,
|
|
'destination' => baremetal_ipaddr,
|
|
)
|
|
should contain_firewall('103 allow baremetal-TFTP').with(
|
|
'chain' => 'baremetal',
|
|
'dport' => [ 69 ],
|
|
'proto' => 'udp',
|
|
'action' => 'accept',
|
|
'source' => baremetal_network,
|
|
'destination' => baremetal_ipaddr,
|
|
)
|
|
end
|
|
end
|
|
end
|
|
|
|
if (storage_hash['volumes_ceph'] or
|
|
storage_hash['images_ceph'] or
|
|
storage_hash['objects_ceph'] or
|
|
storage_hash['ephemeral_ceph']
|
|
)
|
|
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
|
it 'should configure firewall' do
|
|
should contain_firewall('010 ceph-mon allow').with(
|
|
'chain' => 'INPUT',
|
|
'dport' => '6789',
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
end
|
|
|
|
if Noop.puppet_function 'member', roles, 'ceph-osd'
|
|
it 'should configure firewall' do
|
|
should contain_firewall('011 ceph-osd allow').with(
|
|
'chain' => 'INPUT',
|
|
'dport' => '6800-7100',
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
end
|
|
|
|
if storage_hash['objects_ceph']
|
|
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
|
it 'should configure firewall' do
|
|
should contain_firewall('012 RadosGW allow').with(
|
|
'chain' => 'INPUT',
|
|
'dport' => [ '6780', '8080' ],
|
|
'proto' => 'tcp',
|
|
'action' => 'accept',
|
|
)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
test_ubuntu_and_centos manifest
|
|
end
|