

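# ROLE: primary-mongo
# ROLE: primary-controller
# ROLE: mongo
# ROLE: ironic
# ROLE: controller
# ROLE: compute
# ROLE: cinder-block-device
# ROLE: cinder
# ROLE: ceph-osd
require 'spec_helper'
require 'shared-examples'
manifest = 'firewall/firewall.pp'

# Catalog expectations for the firewall task. Every accept rule is pinned to
# its exact ports and protocol, and rules the manifest restricts by source are
# pinned to the networks derived from this node's network_scheme, so a rule
# that is widened (extra port, missing source restriction) fails here.
describe manifest do
  shared_examples 'catalog' do
    let(:network_scheme) do
      Noop.hiera_hash 'network_scheme', {}
    end
    let(:prepare) do
      Noop.puppet_function 'prepare_network_config', network_scheme
    end
    # Routable networks for each network role. These are the only sources the
    # corresponding source-restricted accept rules may carry.
    let(:admin_nets) do
      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'fw-admin'
    end
    let(:management_nets) do
      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'management'
    end
    let(:storage_nets) do
      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'storage'
    end
    let(:database_network) do
      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'mgmt/database'
    end
    let(:keystone_network) do
      Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'keystone/api'
    end
    # get_network_role_property reads the network config built by `prepare`,
    # so the helper is evaluated first in both baremetal lets.
    let(:baremetal_network) do
      prepare
      Noop.puppet_function 'get_network_role_property', 'ironic/baremetal', 'network'
    end
    let(:baremetal_ipaddr) do
      prepare
      Noop.puppet_function 'get_network_role_property', 'ironic/baremetal', 'ipaddr'
    end

    # Node facts read at example-definition time (not inside `it`) because
    # they decide which examples exist for this node at all.
    node_name = Noop.hiera('node_name')
    storage_hash = Noop.hiera 'storage'
    network_metadata = Noop.hiera_hash 'network_metadata', {}
    roles = network_metadata['nodes'][node_name]['node_roles']
    mongodb_port = Noop.hiera('mongodb_port', '27017')
    ssh_hash = Noop.hiera_hash 'ssh', {}

    # Role predicates; `member` is the puppet stdlib function the manifest
    # itself uses, so the spec gates examples on the same test as the catalog.
    has_role = ->(role) { Noop.puppet_function 'member', roles, role }
    controller = has_role.call('primary-controller') || has_role.call('controller')

    let(:ssh_brute_force) do
      ssh_hash['brute_force_protection'] ? 'present' : 'absent'
    end

    it 'should accept connections to the SSH service only from specified networks' do
      # Default allowed sources are the admin, management and storage networks.
      # With security_enabled the operator-supplied security_networks list is
      # used instead; `pick` falls back to the default when that list is empty.
      default_ssh_networks = Noop.puppet_function 'concat', admin_nets, management_nets, storage_nets
      ssh_networks =
        if ssh_hash['security_enabled']
          Noop.puppet_function 'pick', ssh_hash['security_networks'], default_ssh_networks
        else
          default_ssh_networks
        end
      should contain_openstack__firewall__multi_net('020 ssh').with(
        'port' => [22],
        'proto' => 'tcp',
        'action' => 'accept',
        'source_nets' => ssh_networks
      )
      # Brute-force protection is a chain of four rules (new-session pipe,
      # logging, block, accept) that must be present or absent together.
      should contain_firewall('021 ssh: new pipe for a sessions').with_ensure(ssh_brute_force)
      should contain_firewall('022 ssh: more than allowed attempts logged').with_ensure(ssh_brute_force)
      should contain_firewall('023 ssh: block more than allowed attempts').with_ensure(ssh_brute_force)
      should contain_firewall('024 ssh: accept allowed new session').with_ensure(ssh_brute_force)
    end

    if controller
      it 'should properly restrict rabbitmq admin traffic' do
        # The management UI port is reachable on loopback only; the drop rule
        # must follow so anything not matched by 005 is rejected.
        should contain_firewall('005 local rabbitmq admin').with(
          'sport' => [15672],
          'iniface' => 'lo',
          'proto' => 'tcp',
          'action' => 'accept'
        )
        should contain_firewall('006 reject non-local rabbitmq admin').with(
          'sport' => [15672],
          'proto' => 'tcp',
          'action' => 'drop'
        )
      end
      it 'should accept connections to mysql using network with mgmt/database role' do
        should contain_openstack__firewall__multi_net('101 mysql').with(
          'port' => [3306, 3307, 4567, 4568, 4444, 49000],
          'proto' => 'tcp',
          'action' => 'accept',
          'source_nets' => database_network
        )
      end
      it 'should accept connections to keystone API using network with keystone/api role' do
        should contain_openstack__firewall__multi_net('102 keystone').with(
          'port' => [5000, 35357],
          'proto' => 'tcp',
          'action' => 'accept',
          'source_nets' => keystone_network
        )
      end
      it 'should accept connections to nova' do
        should contain_firewall('105 nova').with(
          'dport' => [8774, 8776, 6080],
          'proto' => 'tcp',
          'action' => 'accept'
        )
      end
      it 'should accept connections to nova without ssl' do
        # One rule per management network; the unencrypted endpoints are not
        # expected to be reachable from anywhere else.
        management_nets.each do |source|
          should contain_firewall("105 nova internal - no ssl from #{source}").with(
            'dport' => [8775, '5900-6900', 8778],
            'proto' => 'tcp',
            'action' => 'accept',
            'source' => source
          )
        end
      end
      it 'should accept connections to iscsi' do
        storage_nets.each do |source|
          should contain_firewall("109 iscsi from #{source}").with(
            'dport' => [3260],
            'proto' => 'tcp',
            'action' => 'accept',
            'source' => source
          )
        end
      end
      it 'should create rules for murano rabbitmq port' do
        should contain_firewall('203 murano-rabbitmq').with(
          'dport' => [55572],
          'proto' => 'tcp',
          'action' => 'accept'
        )
      end
      it 'should create rules for heat' do
        should contain_firewall('204 heat-api').with(
          'dport' => [8004],
          'proto' => 'tcp',
          'action' => 'accept'
        )
        should contain_firewall('205 heat-api-cfn').with(
          'dport' => [8000],
          'proto' => 'tcp',
          'action' => 'accept'
        )
        should contain_firewall('206 heat-api-cloudwatch').with(
          'dport' => [8003],
          'proto' => 'tcp',
          'action' => 'accept'
        )
      end
      it 'should create rules for glance' do
        should contain_firewall('104 glance').with(
          'dport' => [9292, 9494, 9191, 8773],
          'proto' => 'tcp',
          'action' => 'accept'
        )
      end
      it 'should accept connections from 240.0.0.2' do
        should contain_firewall('030 allow connections from haproxy namespace').with(
          'source' => '240.0.0.2',
          'action' => 'accept'
        )
      end
    elsif has_role.call('compute')
      it 'should accept connections to nova without ssl' do
        management_nets.each do |source|
          should contain_firewall("105 nova vnc from #{source}").with(
            'dport' => ['5900-6900'],
            'proto' => 'tcp',
            'action' => 'accept',
            'source' => source
          )
        end
      end
      it 'should accept connections to libvirt' do
        management_nets.each do |source|
          should contain_firewall("118 libvirt from #{source}").with(
            'dport' => [16509],
            'proto' => 'tcp',
            'action' => 'accept',
            'source' => source
          )
        end
      end
      it 'should allow libvirt vm migration' do
        management_nets.each do |source|
          should contain_firewall("119 libvirt-migration from #{source}").with(
            'dport' => ['49152-49215'],
            'proto' => 'tcp',
            'action' => 'accept',
            'source' => source
          )
        end
      end
    elsif has_role.call('primary-mongo') || has_role.call('mongo')
      it 'should create firewall rules' do
        should contain_firewall('120 mongodb').with('dport' => mongodb_port)
      end
    end

    if Noop.hiera_structure 'ironic/enabled'
      # Ironic checks use the node's single `role` value rather than the
      # node_roles list used above; kept as in the manifest.
      if %w[controller primary-controller].include?(Noop.hiera('role'))
        it 'should drop all traffic from baremetal network' do
          should contain_firewall('999 drop all baremetal').with(
            'chain' => 'baremetal',
            'proto' => 'all',
            'action' => 'drop'
          )
        end
        it 'should enable 6385 ironic-api port' do
          should contain_firewall('207 ironic-api').with(
            'dport' => '6385',
            'proto' => 'tcp',
            'action' => 'accept'
          )
        end
      end
      if Noop.hiera('role') == 'ironic'
        it 'should create rules for ironic on conductor' do
          # Both rules are bound to the baremetal network as source and the
          # conductor's baremetal address as destination.
          should contain_firewall('102 allow baremetal-rsyslog').with(
            'chain' => 'baremetal',
            'dport' => [514],
            'proto' => 'udp',
            'action' => 'accept',
            'source' => baremetal_network,
            'destination' => baremetal_ipaddr
          )
          should contain_firewall('103 allow baremetal-TFTP').with(
            'chain' => 'baremetal',
            'dport' => [69],
            'proto' => 'udp',
            'action' => 'accept',
            'source' => baremetal_network,
            'destination' => baremetal_ipaddr
          )
        end
      end
    end

    # Ceph rules apply when any backend uses ceph; `any?` without a block
    # tests truthiness, matching the manifest's `or` chain.
    ceph_backends = %w[volumes_ceph images_ceph objects_ceph ephemeral_ceph]
    if storage_hash.values_at(*ceph_backends).any?
      if controller
        it 'should configure firewall' do
          should contain_firewall('010 ceph-mon allow').with(
            'chain' => 'INPUT',
            'dport' => '6789',
            'proto' => 'tcp',
            'action' => 'accept'
          )
        end
      end
      if has_role.call('ceph-osd')
        it 'should configure firewall' do
          should contain_firewall('011 ceph-osd allow').with(
            'chain' => 'INPUT',
            'dport' => '6800-7100',
            'proto' => 'tcp',
            'action' => 'accept'
          )
        end
      end
      if storage_hash['objects_ceph']
        if controller
          it 'should configure firewall' do
            should contain_firewall('012 RadosGW allow').with(
              'chain' => 'INPUT',
              'dport' => ['6780', '8080'],
              'proto' => 'tcp',
              'action' => 'accept'
            )
          end
        end
      end
    end
  end
  test_ubuntu_and_centos manifest
end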