puppet-tripleo/manifests/firewall.pp
Emilien Macchi 950caffea8 Revert "Replace hiera('service_names') by hiera('enabled_services')"
This reverts commit 7970733cf1.

Depends-On: I7339b8791817bdaffa65c928d424796114efdf57
Change-Id: I380f631de03eb3baddac80661e4c7632180b1d64

Closes-Bug: #1855138
2019-12-05 00:54:42 +00:00

204 lines
7.3 KiB
Puppet

#
# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo
#
# Configure the TripleO firewall
#
# === Parameters:
#
# [*manage_firewall*]
# (optional) Completely enable or disable firewall settings
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_chains*]
# (optional) Manage firewall chains
# Default to {}
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_chains*]
# (optional) Boolean, purge all firewalli rules in a given chain
# Defaults to false
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
#
# [*firewall_pre_extras*]
# (optional) Allow to add custom parameters to firewall rules (pre stage)
# Should be an hash.
# Default to {}
#
# [*firewall_post_extras*]
# (optional) Allow to add custom parameters to firewall rules (post stage)
# Should be an hash.
# Default to {}
#
class tripleo::firewall(
$manage_firewall = false,
$firewall_chains = {},
$firewall_rules = {},
$purge_firewall_chains = false,
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
if $manage_firewall {
if $purge_firewall_chains {
resources { 'firewallchain':
purge => true
}
}
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# To manage the chains they must be named in specific ways
# https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
# Example Hiera:
# tripleo::firewall::firewall_chains:
# 'FORWARD:filter:IPv4':
# ensure: present
# policy: accept
# purge: false
#
create_resources('firewallchain', $firewall_chains)
# anyone can add your own rules
# example with Hiera:
#
# tripleo::firewall::firewall_rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('tripleo::firewall::rule', $firewall_rules)
ensure_resource('class', 'tripleo::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
})
ensure_resource('class', 'tripleo::firewall::post', {
'firewall_settings' => $firewall_post_extras,
})
# Ensure we don't get any unmanaged rules in the firewall.
#
# iptables-services package pushes some rules we don't want to see in the
# firewall, as they conflict with the ones we are actually managing:
# - opens ssh to the world (see https://review.openstack.org/632468)
# - reject connections (and this reject happens before the logging we push,
# preventing logging to happen)
# - some repetitions like RELATED,ESTABLISHED, and ICMP related rules
#
# See https://bugzilla.redhat.com/show_bug.cgi?id=1667887
# for more context and detail.
exec {'save ipv4 rules':
command => '/usr/sbin/iptables-save > /etc/sysconfig/iptables',
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
}
exec {'save ipv6 rules':
command => '/usr/sbin/ip6tables-save > /etc/sysconfig/ip6tables',
before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
}
Class['tripleo::firewall::pre']
-> Firewall<|tag == 'tripleo-firewall-rule'|>
-> Class['tripleo::firewall::post']
Service<||> -> Class['tripleo::firewall::post']
# Allow composable services to load their own custom
# example with Hiera.
# NOTE(dprince): In the future when we have a better hiera
# heat hook we might refactor this to use hiera's merging
# capabilities instead. Until then rolling up the flat service
# keys and dynamically creating firewall rules for each service
# will allow us to compose and should work fine.
#
# Each service can load its rules by using this form:
#
# tripleo.<service name with underscores>.firewall_rules:
# '300 allow custom application 1':
# dport: 999
# proto: udp
# action: accept
$service_names = hiera('service_names', [])
tripleo::firewall::service_rules { $service_names: }
# puppetlabs-firewall only manages the current state of iptables
# rules and writes out the rules to a file to ensure they are
# persisted. We are specifically running the following commands after the
# iptables rules to ensure the persisted file does not contain any
# ephemeral neutron rules. Neutron assumes the iptables rules are not
# persisted so it may cause an issue if the rule is loaded on boot
# (or via iptables restart). If an operator needs to reload iptables
# for any reason, they may need to manually reload the appropriate
# neutron agent to restore these iptables rules.
# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
exec { 'nonpersistent_v4_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
}
exec { 'nonpersistent_v6_rules_cleanup':
command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
}
# Do not persist ephemeral firewall rules mananged by ironic-inspector
# pxe_filter 'iptables' driver.
# https://bugs.launchpad.net/tripleo/+bug/1765700
# https://storyboard.openstack.org/#!/story/2001890
exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables',
onlyif => [
'/bin/test -f /etc/sysconfig/iptables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
]
}
exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
onlyif => [
'/bin/test -f /etc/sysconfig/ip6tables',
'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
]
}
Exec['save ipv4 rules'] -> Firewall<| |>
Exec['save ipv6 rules'] -> Firewall<| |>
Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
}
}