Create firewall rules with puppet

Replaces uses of add-rule with using the puppet-tripleo firewall class. This removes additional dependencies on scripts provided by the elements (add-rule). There is still one usage of iptables directly in 10-iptables that will be cleaned up in a subsequent patch. With this change, we can remove the iptables element from the json files. blueprint undercloud-elements Change-Id: I5d496efe22c1a5e17a2b688ba6dfbcfd403349db Depends-On: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-20 09:09:56 -04:00 · 2016-04-20 09:09:56 -04:00 · 06f98106e0
parent ab4fa10c15
commit 06f98106e0
8 changed files with 161 additions and 44 deletions
--- a/elements/ipxe/os-refresh-config/configure.d/88-httpd-vhost-port
+++ b/elements/ipxe/os-refresh-config/configure.d/88-httpd-vhost-port
@ -2,8 +2,6 @@
 set -eux
 set -o pipefail

-add-rule INPUT -p tcp --dport 8088 -j ACCEPT
-
 # Create the apache vHOST for Ironic
 mkdir -p /etc/httpd/conf.d
 sudo cp -r $(dirname $0)/ipxe-vhost.template /etc/httpd/conf.d/10-ipxe_vhost.conf
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@ -30,6 +30,7 @@ subprocess.check_call(['generate-keystone-pki', '-d', keystone_pki_dir])

 context = {
    'LOCAL_IP': os.environ.get('LOCAL_IP', '192.0.2.1'),
+    'NETWORK_CIDR': os.environ.get('NETWORK_CIDR', '192.0.2.0/24'),
    'UNDERCLOUD_ADMIN_TOKEN': os.environ.get('UNDERCLOUD_ADMIN_TOKEN', 'unset'),
    'UNDERCLOUD_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_ADMIN_PASSWORD', 'unset'),
    'UNDERCLOUD_RABBIT_USERNAME': os.environ.get('UNDERCLOUD_RABBIT_USERNAME', 'guest'),
--- a/elements/puppet-stack-config/os-refresh-config/post-configure.d/10-iptables
+++ b/elements/puppet-stack-config/os-refresh-config/post-configure.d/10-iptables
@ -3,33 +3,5 @@
 set -eux
 set -o pipefail

-add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-add-rule INPUT -p tcp --dport 8585 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8989,13989 -j ACCEPT #mistral
-add-rule INPUT -p tcp -m multiport --dports 8888,13888 -j ACCEPT #zaqar
-add-rule INPUT -p tcp -m multiport --dports 9000 -j ACCEPT #zaqar websockets
-add-rule INPUT -p tcp --dport 9191 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
-add-rule FORWARD -d 192.168.122.0/24 -j ACCEPT
-add-rule INPUT -p tcp --dport $(os-apply-config --key 'horizon.port' --type int --key-default 80) -j ACCEPT
-add-rule INPUT -p tcp --dport 5672  -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-add-rule INPUT -p tcp -m multiport --dports 8777,13777 -j ACCEPT
-add-rule INPUT -p tcp --dport 5050 -j ACCEPT
-add-rule INPUT -p tcp --dport 8787 -j ACCEPT
-
-
 EXTERNAL_BRIDGE=br-ctlplane
 iptables -w -t nat -C PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775 || iptables -w -t nat -I PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-
-# Save metadata redirect rule
-iptables-save > /etc/sysconfig/iptables
--- a/elements/puppet-stack-config/puppet-stack-config.pp
+++ b/elements/puppet-stack-config/puppet-stack-config.pp
@ -18,6 +18,7 @@ if count(hiera('ntp::servers')) > 0 {
 }

 include ::rabbitmq
+include ::tripleo::firewall

 # TODO Galara
 class { '::mysql::server':
@ -540,3 +541,7 @@ if str2bool(hiera('enable_monitoring', true)) {
  }
  Package['osops-tools-monitoring-oschecks'] -> Service['sensu-client']
 }
+
+package{'firewalld':
+  ensure => 'absent',
+}
--- a/elements/puppet-stack-config/puppet-stack-config.yaml.template
+++ b/elements/puppet-stack-config/puppet-stack-config.yaml.template
@ -469,3 +469,158 @@ enable_zaqar: {{ENABLE_ZAQAR}}
 enable_telemetry: {{ENABLE_TELEMETRY}}
 ipxe_deploy: {{IPXE_DEPLOY}}
 enable_monitoring: {{ENABLE_MONITORING}}
+
+
+# Firewall
+tripleo::firewall::manage_firewall: true
+tripleo::firewall::firewall_rules:
+  '101 mongodb_config':
+    dport: 27019
+  '102 mongodb_sharding':
+    dport: 27018
+  '103 mongod':
+    dport: 27017
+  '104 mysql galera':
+    dport:
+      - 873
+      - 3306
+      - 4444
+      - 4567
+      - 4568
+      - 9200
+  '105 ntp':
+    dport: 123
+    proto: udp
+  '106 vrrp':
+    proto: vrrp
+  '107 haproxy stats':
+    dport: 1993
+  '108 redis':
+    dport:
+      - 6379
+      - 26379
+  '109 rabbitmq':
+    dport:
+      - 5672
+      - 35672
+  '110 ceph':
+    dport:
+      - 6789
+      - '6800-6810'
+  '111 keystone':
+    dport:
+      - 5000
+      - 13000
+      - 35357
+      - 13357
+  '112 glance':
+    dport:
+      - 9292
+      - 9191
+      - 13292
+  '113 nova':
+    dport:
+      - 6080
+      - 13080
+      - 8773
+      - 13773
+      - 8774
+      - 13774
+      - 8775
+      - 13775
+  '114 neutron server':
+    dport:
+      - 9696
+      - 13696
+  '115 neutron dhcp input':
+    proto: 'udp'
+    dport: 67
+  '116 neutron dhcp output':
+    proto: 'udp'
+    chain: 'OUTPUT'
+    dport: 68
+  '118 neutron vxlan networks':
+    proto: 'udp'
+    dport: 4789
+  '119 cinder':
+    dport:
+      - 8776
+      - 13776
+  '120 iscsi initiator':
+    dport: 3260
+  '121 memcached':
+    dport: 11211
+  '122 swift proxy':
+    dport:
+      - 8080
+      - 13808
+  '123 swift storage':
+    dport:
+      - 873
+      - 6000
+      - 6001
+      - 6002
+  '124 ceilometer':
+    dport:
+      - 8777
+      - 13777
+  '125 heat':
+    dport:
+      - 8000
+      - 13800
+      - 8003
+      - 13003
+      - 8004
+      - 13004
+  '126 horizon':
+    dport:
+      - 80
+      - 443
+  '127 snmp':
+    dport: 161
+    proto: 'udp'
+  '128 aodh':
+    dport:
+      - 8042
+      - 13042
+  '129 gnocchi-api':
+    dport:
+      - 8041
+      - 13041
+  '130 tftp':
+    dport: 69
+    proto: udp
+  '131 novnc':
+    dport: 5900-5999
+    proto: tcp
+  '132 mistral':
+    dport:
+      - 8989
+      - 13989
+  '133 zaqar':
+    dport:
+      - 8888
+      - 13888
+  '134 zaqar websockets':
+    dport: 9000
+  '135 ironic':
+    dport:
+      - 6385
+      - 13385
+  '136 trove':
+    dport:
+      - 8779
+      - 13779
+  '137 ironic-inspector':
+    dport: 5050
+  '138 docker registry':
+    dport: 8787
+  '139 apache vhost':
+    dport: 8088
+  '140 network cidr nat':
+    chain: FORWARD
+    destination: {{NETWORK_CIDR}}
+  # TODO: Do we still want this?
+  '141 libvirt network nat':
+    chain: FORWARD
+    destination: 192.168.122.0/24
--- a/elements/undercloud-install/pre-install.d/01-iptables
+++ b/elements/undercloud-install/pre-install.d/01-iptables
@ -1,12 +0,0 @@
-#!/bin/bash
-
-set -eux
-
-# Needed for our iptables rules
-yum -y erase firewalld
-install-packages iptables-services
-# This does not happen automatically, but is required in the systemd service
-# file for iptables: ConditionPathExists=/etc/sysconfig/iptables
-touch /etc/sysconfig/iptables
-os-svc-enable -n iptables
-os-svc-restart -n iptables
--- a/json-files/centos-7-undercloud-packages.json
+++ b/json-files/centos-7-undercloud-packages.json
@ -4,7 +4,6 @@
    "element": [
      "base",
      "yum",
-      "iptables",
      "redhat-common",
      "undercloud-install",
      "undercloud-stack-config",
--- a/json-files/rhel-7-undercloud-packages.json
+++ b/json-files/rhel-7-undercloud-packages.json
@ -4,7 +4,6 @@
    "element": [
      "base",
      "yum",
-      "iptables",
      "redhat-common",
      "undercloud-install",
      "undercloud-stack-config",