puppet-tripleo/manifests/firewall.pp
Cédric Jeanneret f25c27aa2c Ensure we get a clean firewall
The iptables-services package pushes a bunch of default rules, activated as soon
as we start the "iptables" systemd unit.

This patch intends to remove those default rules, in order to ensure we get
only managed firewall rules (either by puppet, or by any openstack service like
neutron).

In order to prevent any issue, instead of erasing the file, we actually save the
current state prior the iptables-services installation and subsequent service startup.

The iptables-services installation and activation is done at the "include ::firewall"
step.
Prior that, iptables is empty, meaning if we save, and pre-create the
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables files before we include the
"::firewall" class, we will get an empty, clean ruleset.

Please note, this won't correct already deployed infrastructure though - that will
probably requires an upgrade_tasks directly in tripleo-heat-templates.

SecurityImpact
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1667887
Partial-Bug: #1812695
Change-Id: I74d15b8de216984ac42a0839430ae9afe2554d16
2019-01-23 15:40:16 +01:00

204 lines
7.3 KiB
Puppet

#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo
#
# Configure the TripleO firewall
#
# === Parameters:
#
# [*manage_firewall*]
# (optional) Completely enable or disable firewall settings
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_chains*]
# (optional) Manage firewall chains
# Default to {}
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_chains*]
# (optional) Boolean, purge all firewalli rules in a given chain
# Defaults to false
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
#
# [*firewall_pre_extras*]
# (optional) Allow to add custom parameters to firewall rules (pre stage)
# Should be an hash.
# Default to {}
#
# [*firewall_post_extras*]
# (optional) Allow to add custom parameters to firewall rules (post stage)
# Should be an hash.
# Default to {}
#
class tripleo::firewall(
$manage_firewall = false,
$firewall_chains = {},
$firewall_rules = {},
$purge_firewall_chains = false,
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
if $manage_firewall {
if $purge_firewall_chains {
resources { 'firewallchain':
purge => true
}
}
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# To manage the chains they must be named in specific ways
# https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
# Example Hiera:
# tripleo::firewall::firewall_chains:
# 'FORWARD:filter:IPv4':
# ensure: present
# policy: accept
# purge: false
#
create_resources('firewallchain', $firewall_chains)
# anyone can add your own rules
# example with Hiera:
#
# tripleo::firewall::firewall_rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('tripleo::firewall::rule', $firewall_rules)
ensure_resource('class', 'tripleo::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
})
ensure_resource('class', 'tripleo::firewall::post', {
'firewall_settings' => $firewall_post_extras,
})
# Ensure we don't get any unmanaged rules in the firewall.
#
# iptables-services package pushes some rules we don't want to see in the
# firewall, as they conflict with the ones we are actually managing:
# - opens ssh to the world (see https://review.openstack.org/632468)
# - reject connections (and this reject happens before the logging we push,
# preventing logging to happen)
# - some repetitions like RELATED,ESTABLISHED, and ICMP related rules
#
# See https://bugzilla.redhat.com/show_bug.cgi?id=1667887
# for more context and detail.
exec {'save ipv4 rules':
command => '/usr/sbin/iptables-save > /etc/sysconfig/iptables',
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
}
exec {'save ipv6 rules':
command => '/usr/sbin/ip6tables-save > /etc/sysconfig/ip6tables',
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
}
Class['tripleo::firewall::pre']
-> Firewall<|tag == 'tripleo-firewall-rule'|>
-> Class['tripleo::firewall::post']
Service<||> -> Class['tripleo::firewall::post']
# Allow composable services to load their own custom
# example with Hiera.
# NOTE(dprince): In the future when we have a better hiera
# heat hook we might refactor this to use hiera's merging
# capabilities instead. Until then rolling up the flat service
# keys and dynamically creating firewall rules for each service
# will allow us to compose and should work fine.
#
# Each service can load its rules by using this form:
#
# tripleo.<service name with underscores>.firewall_rules:
# '300 allow custom application 1':
# dport: 999
# proto: udp
# action: accept
$service_names = hiera('service_names', [])
tripleo::firewall::service_rules { $service_names: }
# puppetlabs-firewall only manages the current state of iptables
# rules and writes out the rules to a file to ensure they are
# persisted. We are specifically running the following commands after the
# iptables rules to ensure the persisted file does not contain any
# ephemeral neutron rules. Neutron assumes the iptables rules are not
# persisted so it may cause an issue if the rule is loaded on boot
# (or via iptables restart). If an operator needs to reload iptables
# for any reason, they may need to manually reload the appropriate
# neutron agent to restore these iptables rules.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
exec { 'nonpersistent_v4_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
}
exec { 'nonpersistent_v6_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
}
# Do not persist ephemeral firewall rules mananged by ironic-inspector
# pxe_filter 'iptables' driver.
# https://bugs.launchpad.net/tripleo/+bug/1765700
# https://storyboard.openstack.org/#!/story/2001890
exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables',
onlyif => [
'/bin/test -f /etc/sysconfig/iptables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
]
}
exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
onlyif => [
'/bin/test -f /etc/sysconfig/ip6tables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
]
}
Exec['save ipv4 rules'] -> Firewall<| |>
Exec['save ipv6 rules'] -> Firewall<| |>
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
}
}