Implement Advanced Firewalling support

Consume puppet-tripleo to create/manage IPtables from Heat templates.

This review puts in place the logic to enable and set up firewall rules.

A known set of rules is applied. More to come.

Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
Emilien Macchi 2015-06-12 15:20:17 -04:00
parent f6ff1a8191
commit 4c9d0fc6da
10 changed files with 137 additions and 0 deletions


@ -0,0 +1,2 @@
parameters:
ManageFirewall: true


@ -457,6 +457,14 @@ parameters:
type: string
constraints:
- allowed_values: [ 'basic', 'cadf' ]
ManageFirewall:
default: false
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules:
default: false
description: Whether IPtables rules should be purged before setting up the ones.
type: boolean
MysqlInnodbBufferPoolSize:
description: >
Specifies the size of the buffer pool in megabytes. Setting to
@ -811,6 +819,8 @@ resources:
ControllerExtraConfig: {get_param: controllerExtraConfig}
Debug: {get_param: Debug}
EnableFencing: {get_param: EnableFencing}
ManageFirewall: {get_param: ManageFirewall}
PurgeFirewallRules: {get_param: PurgeFirewallRules}
EnableGalera: {get_param: EnableGalera}
EnableCephStorage: {get_param: ControllerEnableCephStorage}
EnableSwiftStorage: {get_param: ControllerEnableSwiftStorage}
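Review bot: The PurgeFirewallRules description in the first hunk of this file reads `description: Whether IPtables rules should be purged before setting up the ones.`, which is missing a word and differs from the controller template's copy of the same parameter; make them identical: `description: Whether IPtables rules should be purged before setting up the new ones.`. The two parameter blocks are otherwise copied verbatim, and the top-level template just forwards the value in the second hunk, so keeping the wording in sync avoids the two definitions drifting apart on later edits.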


@ -278,6 +278,14 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
ManageFirewall:
default: false
description: Whether to manage IPtables rules.
type: boolean
PurgeFirewallRules:
default: false
description: Whether IPtables rules should be purged before setting up the new ones.
type: boolean
MysqlClusterUniquePart:
description: A unique identifier of the MySQL cluster the controller is in.
type: string
@ -819,6 +827,8 @@ resources:
enable_galera: {get_param: EnableGalera}
enable_ceph_storage: {get_param: EnableCephStorage}
enable_swift_storage: {get_param: EnableSwiftStorage}
manage_firewall: {get_param: ManageFirewall}
purge_firewall_rules: {get_param: PurgeFirewallRules}
mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql_root_password: {get_param: MysqlRootPassword}
@ -1274,6 +1284,9 @@ resources:
# Redis
redis::bind: {get_input: redis_network}
redis_vip: {get_input: redis_vip}
# Firewall
tripleo::firewall::manage_firewall: {get_input: manage_firewall}
tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
# Misc
memcached::listen_ip: {get_input: memcached_network}
neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
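Review bot: PurgeFirewallRules defaults to false and the description in the first hunk only says rules are purged "before setting up the new ones"; it does not tell the operator what happens on a later stack update when a rule is dropped from `tripleo::firewall::firewall_rules`. If the class relies on the usual firewall-resource purge to remove unmanaged entries, then with the default a rule deleted from hieradata presumably stays active in the kernel tables until a purge run; that is worth stating, e.g. `description: Whether IPtables rules should be purged before setting up the new ones. Without purging, rules removed from the managed set are expected to remain active until the next purge.` The wiring into the node hiera at `tripleo::firewall::purge_firewall_rules` in the last hunk looks correct.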


@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true
tripleo::loadbalancer::horizon: true
controller_classes: []
# firewall
tripleo::firewall::firewall_rules:
'101 mongodb_config':
port: 27019
'102 mongodb_sharding':
port: 27018
'103 mongod':
port: 27017
'104 mysql galera':
port:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
'105 ntp':
port: 123
proto: udp
'106 vrrp':
proto: vrrp
'107 haproxy stats':
port: 1993
'108 redis':
port:
- 6379
- 26379
'109 rabbitmq':
port:
- 5672
- 35672
'110 ceph':
port:
- 6789
- '6800-6810'
'111 keystone':
port:
- 5000
- 13000
- 35357
- 13357
'112 glance':
port:
- 9292
- 9191
- 13292
'113 nova':
port:
- 6080
- 13080
- 8773
- 3773
- 8774
- 13774
- 8775
'114 neutron server':
port:
- 9696
- 13696
'115 neutron dhcp input':
proto: 'udp'
port: 67
'116 neutron dhcp output':
proto: 'udp'
chain: 'OUTPUT'
port: 68
'118 neutron vxlan networks':
proto: 'udp'
port: 4789
'119 cinder':
port:
- 8776
- 13776
'120 iscsi initiator':
port: 3260
'121 memcached':
port: 11211
'122 swift proxy':
port:
- 8080
- 13808
'123 swift storage':
port:
- 873
- 6000
- 6001
- 6002
'124 ceilometer':
port:
- 8777
- 13777
'125 heat':
port:
- 8000
- 13800
- 8003
- 13003
- 8004
- 13004
'126 horizon':
port:
- 80
- 443
'127 snmp':
port: 161
proto: 'udp'
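Review bot: Every rule in this list matches on `port`/`proto` only, with no `source` restriction, so once manage_firewall is enabled the services that are internal to the control plane (mysql/galera 3306, rabbitmq 5672, redis 6379, memcached 11211, mongodb 27017, haproxy stats 1993) accept traffic from any address that can route to the node, which is only marginally narrower than no firewall on those ports. If the tripleo::firewall::rule type passes through the underlying firewall resource's `source` parameter, consider scoping those rules to the relevant network, e.g. `'121 memcached':` / `  port: 11211` / `  source: <internal-api-cidr placeholder>`, or at least recording in the commit message that source filtering is deferred so "More to come" is concrete. Separately, the numbering skips from '116' to `'118 neutron vxlan networks'`; if 117 was not intentionally reserved, renumber so the ordering reads as a contiguous sequence.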


@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
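Review bot: `include ::tripleo::firewall` is added here and identically in the other five manifest hunks on this page, but only the controller template is wired to feed `manage_firewall`/`purge_firewall_rules` into hiera, and the only `tripleo::firewall::firewall_rules` set shown lives in controller hieradata. On the other roles the class presumably runs with its own defaults and does nothing yet, which is fine, but a comment at the include would save the next reader a search: `# no-op until this role's hieradata sets tripleo::firewall::manage_firewall and a firewall_rules set`. When those roles are switched on later, each needs its own rule list first; if the module installs a default-deny policy behind the explicit rules, a role without one would lose reachability to its own services. The manifest bodies continue outside the hunk.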


@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})


@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
include ::tripleo::firewall
if hiera('step') >= 1 {


@ -19,6 +19,7 @@ Pcmk_resource <| |> {
}
include ::tripleo::packages
include ::tripleo::firewall
if $::hostname == downcase(hiera('bootstrap_nodeid')) {
$pacemaker_master = true


@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})


@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})