Create firewall rules with puppet
Replaces uses of add-rule with the puppet-tripleo firewall class. This removes additional dependencies on scripts provided by the elements (add-rule). There is still one usage of iptables directly in 10-iptables that will be cleaned up in a subsequent patch. With this change, we can remove the iptables element from the json files. blueprint undercloud-elements Change-Id: I5d496efe22c1a5e17a2b688ba6dfbcfd403349db Depends-On: I0598007f90018f80a3266193bb24dbf112de49b7
parent
ab4fa10c15
commit
06f98106e0
|
@ -2,8 +2,6 @@
|
|||
set -eux
|
||||
set -o pipefail
|
||||
|
||||
add-rule INPUT -p tcp --dport 8088 -j ACCEPT
|
||||
|
||||
# Create the apache vHOST for Ironic
|
||||
mkdir -p /etc/httpd/conf.d
|
||||
sudo cp -r $(dirname $0)/ipxe-vhost.template /etc/httpd/conf.d/10-ipxe_vhost.conf
|
||||
|
|
|
@ -30,6 +30,7 @@ subprocess.check_call(['generate-keystone-pki', '-d', keystone_pki_dir])
|
|||
|
||||
context = {
|
||||
'LOCAL_IP': os.environ.get('LOCAL_IP', '192.0.2.1'),
|
||||
'NETWORK_CIDR': os.environ.get('NETWORK_CIDR', '192.0.2.0/24'),
|
||||
'UNDERCLOUD_ADMIN_TOKEN': os.environ.get('UNDERCLOUD_ADMIN_TOKEN', 'unset'),
|
||||
'UNDERCLOUD_ADMIN_PASSWORD': os.environ.get('UNDERCLOUD_ADMIN_PASSWORD', 'unset'),
|
||||
'UNDERCLOUD_RABBIT_USERNAME': os.environ.get('UNDERCLOUD_RABBIT_USERNAME', 'guest'),
|
||||
|
|
|
@ -3,33 +3,5 @@
|
|||
set -eux
|
||||
set -o pipefail
|
||||
|
||||
add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
|
||||
add-rule INPUT -p tcp --dport 8585 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8989,13989 -j ACCEPT #mistral
|
||||
add-rule INPUT -p tcp -m multiport --dports 8888,13888 -j ACCEPT #zaqar
|
||||
add-rule INPUT -p tcp -m multiport --dports 9000 -j ACCEPT #zaqar websockets
|
||||
add-rule INPUT -p tcp --dport 9191 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
|
||||
add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
|
||||
add-rule FORWARD -d 192.168.122.0/24 -j ACCEPT
|
||||
add-rule INPUT -p tcp --dport $(os-apply-config --key 'horizon.port' --type int --key-default 80) -j ACCEPT
|
||||
add-rule INPUT -p tcp --dport 5672 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
|
||||
add-rule INPUT -p tcp -m multiport --dports 8777,13777 -j ACCEPT
|
||||
add-rule INPUT -p tcp --dport 5050 -j ACCEPT
|
||||
add-rule INPUT -p tcp --dport 8787 -j ACCEPT
|
||||
|
||||
|
||||
EXTERNAL_BRIDGE=br-ctlplane
|
||||
iptables -w -t nat -C PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775 || iptables -w -t nat -I PREROUTING -d 169.254.169.254/32 -i $EXTERNAL_BRIDGE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
|
||||
|
||||
# Save metadata redirect rule
|
||||
iptables-save > /etc/sysconfig/iptables
|
||||
|
|
|
@ -18,6 +18,7 @@ if count(hiera('ntp::servers')) > 0 {
|
|||
}
|
||||
|
||||
include ::rabbitmq
|
||||
include ::tripleo::firewall
|
||||
|
||||
# TODO Galara
|
||||
class { '::mysql::server':
|
||||
|
@ -540,3 +541,7 @@ if str2bool(hiera('enable_monitoring', true)) {
|
|||
}
|
||||
Package['osops-tools-monitoring-oschecks'] -> Service['sensu-client']
|
||||
}
|
||||
|
||||
package{'firewalld':
|
||||
ensure => 'absent',
|
||||
}
|
||||
|
|
|
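Review bot: The `package{'firewalld': ensure => 'absent'}` resource in the second hunk has no ordering relationship to `include ::tripleo::firewall` in the first hunk, so Puppet is free to apply the iptables rules while firewalld is still installed and running and only remove it afterwards; the deleted install script did the opposite, erasing firewalld before any iptables work. Whether stopping firewalld on package removal disturbs rules already loaded depends on the firewalld version, so I would not rely on it and would pin the order explicitly, e.g. `Package['firewalld'] -> Class['::tripleo::firewall']`, or place the package resource ahead of the include. The hiera key `tripleo::firewall::manage_firewall: true` added elsewhere in this commit indicates that class owns rule application, so it is the right target for the ordering. The manifest body between the two hunks is outside this view.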
@ -469,3 +469,158 @@ enable_zaqar: {{ENABLE_ZAQAR}}
|
|||
enable_telemetry: {{ENABLE_TELEMETRY}}
|
||||
ipxe_deploy: {{IPXE_DEPLOY}}
|
||||
enable_monitoring: {{ENABLE_MONITORING}}
|
||||
|
||||
|
||||
# Firewall
|
||||
tripleo::firewall::manage_firewall: true
|
||||
tripleo::firewall::firewall_rules:
|
||||
'101 mongodb_config':
|
||||
dport: 27019
|
||||
'102 mongodb_sharding':
|
||||
dport: 27018
|
||||
'103 mongod':
|
||||
dport: 27017
|
||||
'104 mysql galera':
|
||||
dport:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
'105 ntp':
|
||||
dport: 123
|
||||
proto: udp
|
||||
'106 vrrp':
|
||||
proto: vrrp
|
||||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
'108 redis':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 5672
|
||||
- 35672
|
||||
'110 ceph':
|
||||
dport:
|
||||
- 6789
|
||||
- '6800-6810'
|
||||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- 35357
|
||||
- 13357
|
||||
'112 glance':
|
||||
dport:
|
||||
- 9292
|
||||
- 9191
|
||||
- 13292
|
||||
'113 nova':
|
||||
dport:
|
||||
- 6080
|
||||
- 13080
|
||||
- 8773
|
||||
- 13773
|
||||
- 8774
|
||||
- 13774
|
||||
- 8775
|
||||
- 13775
|
||||
'114 neutron server':
|
||||
dport:
|
||||
- 9696
|
||||
- 13696
|
||||
'115 neutron dhcp input':
|
||||
proto: 'udp'
|
||||
dport: 67
|
||||
'116 neutron dhcp output':
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
- 13776
|
||||
'120 iscsi initiator':
|
||||
dport: 3260
|
||||
'121 memcached':
|
||||
dport: 11211
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
- 13808
|
||||
'123 swift storage':
|
||||
dport:
|
||||
- 873
|
||||
- 6000
|
||||
- 6001
|
||||
- 6002
|
||||
'124 ceilometer':
|
||||
dport:
|
||||
- 8777
|
||||
- 13777
|
||||
'125 heat':
|
||||
dport:
|
||||
- 8000
|
||||
- 13800
|
||||
- 8003
|
||||
- 13003
|
||||
- 8004
|
||||
- 13004
|
||||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
- 443
|
||||
'127 snmp':
|
||||
dport: 161
|
||||
proto: 'udp'
|
||||
'128 aodh':
|
||||
dport:
|
||||
- 8042
|
||||
- 13042
|
||||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
- 13041
|
||||
'130 tftp':
|
||||
dport: 69
|
||||
proto: udp
|
||||
'131 novnc':
|
||||
dport: 5900-5999
|
||||
proto: tcp
|
||||
'132 mistral':
|
||||
dport:
|
||||
- 8989
|
||||
- 13989
|
||||
'133 zaqar':
|
||||
dport:
|
||||
- 8888
|
||||
- 13888
|
||||
'134 zaqar websockets':
|
||||
dport: 9000
|
||||
'135 ironic':
|
||||
dport:
|
||||
- 6385
|
||||
- 13385
|
||||
'136 trove':
|
||||
dport:
|
||||
- 8779
|
||||
- 13779
|
||||
'137 ironic-inspector':
|
||||
dport: 5050
|
||||
'138 docker registry':
|
||||
dport: 8787
|
||||
'139 apache vhost':
|
||||
dport: 8088
|
||||
'140 network cidr nat':
|
||||
chain: FORWARD
|
||||
destination: {{NETWORK_CIDR}}
|
||||
# TODO: Do we still want this?
|
||||
'141 libvirt network nat':
|
||||
chain: FORWARD
|
||||
destination: 192.168.122.0/24
|
||||
|
|
|
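Review bot: The new `tripleo::firewall::firewall_rules` list accepts noticeably more on the undercloud than the add-rule script it replaces: mongodb 27017-27019, mysql/galera 3306/4444/4567/4568, redis 6379/26379, memcached 11211, rabbitmq 35672, haproxy stats 1993, snmp 161, swift storage 6000-6002 and ceph 6789 were never opened by the old script and, with no `source` or interface restriction on any rule, are now reachable on every interface. Entries for services the undercloud does not run, and local-only datastores such as memcached and mysql, should be dropped or scoped with a `source:` of the provisioning network rather than accepted globally; in the other direction, port 8585 from the old list is no longer opened and the `horizon.port` lookup has become a fixed 80/443, both worth confirming as intended. The two FORWARD rules (`'140 network cidr nat'`, `'141 libvirt network nat'`) set only `chain` and `destination`; if `tripleo::firewall::rule` defaults `proto` to tcp, as I believe it does, they no longer match the any-protocol `add-rule FORWARD -d ... -j ACCEPT` lines they replace and need `proto: all`. Minor: `dport: 5900-5999` under `'131 novnc'` should be quoted like the ceph range, `dport: '5900-5999'`, so the two range entries are written consistently.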
@ -1,12 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -eux
|
||||
|
||||
# Needed for our iptables rules
|
||||
yum -y erase firewalld
|
||||
install-packages iptables-services
|
||||
# This does not happen automatically, but is required in the systemd service
|
||||
# file for iptables: ConditionPathExists=/etc/sysconfig/iptables
|
||||
touch /etc/sysconfig/iptables
|
||||
os-svc-enable -n iptables
|
||||
os-svc-restart -n iptables
|
|
@ -4,7 +4,6 @@
|
|||
"element": [
|
||||
"base",
|
||||
"yum",
|
||||
"iptables",
|
||||
"redhat-common",
|
||||
"undercloud-install",
|
||||
"undercloud-stack-config",
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
"element": [
|
||||
"base",
|
||||
"yum",
|
||||
"iptables",
|
||||
"redhat-common",
|
||||
"undercloud-install",
|
||||
"undercloud-stack-config",
|
||||
|
|