puppet-tripleo/manifests
Emilien Macchi f6d398a7da firewall: add IPv6 support
This patch adds support for ip6tables rules in TripleO, in an intuitive
and flexible fashion.

1) Default firewall rules 'source' parameter to undef.
   It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
   support ipv6 rules. undef will create empty source, which is the same as
   0.0.0.0/0 or ::/0.

2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.

3) Automatically create IPv6 rules like it's for IPv4.

4) Only create rules that can be created, depending on
   source/destination ip version.

This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
IPv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.

Note: the code had to be partially rewritten because of Puppet3 vs
Puppet4.

Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
(cherry picked from commit 8c99073890)
2018-04-25 10:44:02 -07:00
..
certmonger Extract local CA if it expired 2018-03-20 08:18:58 +02:00
cluster Modify cassandra dependency 2015-12-14 14:15:15 +00:00
firewall firewall: add IPv6 support 2018-04-25 10:44:02 -07:00
glance NFS mounting for Glance file backend 2016-11-01 13:34:13 +01:00
haproxy Remove extra keystone admin haproxy listen and allow TLS 2017-10-10 11:39:02 +00:00
host Repair immediate VF configuration for PCI SR-IOV 2017-08-26 10:57:34 -02:30
network Ensure keepalived is restarted when necessary. 2016-11-11 18:49:15 +00:00
pacemaker Ensure presence of pacemaker restart directory. 2016-10-13 15:41:57 +00:00
packages packages: run upgrade at 'setup' stage 2016-10-17 14:06:18 +00:00
profile Allow vhost socket directory user/group as configurable from template 2018-04-16 10:00:22 +02:00
fencing.pp Configure fencing devices 2015-06-12 18:40:50 +02:00
firewall.pp firewall: don't reload IPtables after cleanup 2018-03-12 16:38:12 +00:00
haproxy.pp Disallow TLS v1.0 from HAProxy 2018-03-20 08:27:56 +02:00
init.pp Implement firewalling in tripleo::firewall 2015-07-15 11:58:46 +02:00
keepalived.pp Better way to ensure keepalived before haproxy. 2016-11-09 14:05:03 +00:00
noop.pp Add class to set noop on various puppet resources 2015-07-03 17:16:07 -04:00
packages.pp packages: run upgrade at 'setup' stage 2016-10-17 14:06:18 +00:00
redis_notification.pp Loadbalancer: Add support for Redis 2015-04-16 21:13:40 +02:00
selinux.pp Add tripleo::selinux 2016-05-05 13:19:20 -04:00
trusted_ca.pp Add manifests to inject and trust CA certificates 2016-08-23 14:36:20 +00:00
trusted_cas.pp Add manifests to inject and trust CA certificates 2016-08-23 14:36:20 +00:00
ui.pp Enable communication between UI and the Undercloud by making HAProxy 2016-11-08 10:09:51 +00:00
vip_hosts.pp Add class to write overcloud VIPs into /etc/hosts 2016-09-06 17:15:26 +03:00