Implement Advanced Firewalling support
Consume puppet-tripleo to create/manage IPtables from Heat templates. This review put in place the logic to enable and setup firewall rules. A known set of rules are applied. More to come. Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22 Co-Authored-By: Yanis Guenane <yguenane@redhat.com> Depends-On: I144c60db2a568a94dce5b51257f1d10980173325
This commit is contained in:
parent
f6ff1a8191
commit
4c9d0fc6da
|
@ -0,0 +1,2 @@
|
|||
parameters:
|
||||
ManageFirewall: true
|
|
@ -457,6 +457,14 @@ parameters:
|
|||
type: string
|
||||
constraints:
|
||||
- allowed_values: [ 'basic', 'cadf' ]
|
||||
ManageFirewall:
|
||||
default: false
|
||||
description: Whether to manage IPtables rules.
|
||||
type: boolean
|
||||
PurgeFirewallRules:
|
||||
default: false
|
||||
description: Whether IPtables rules should be purged before setting up the ones.
|
||||
type: boolean
|
||||
MysqlInnodbBufferPoolSize:
|
||||
description: >
|
||||
Specifies the size of the buffer pool in megabytes. Setting to
|
||||
|
@ -811,6 +819,8 @@ resources:
|
|||
ControllerExtraConfig: {get_param: controllerExtraConfig}
|
||||
Debug: {get_param: Debug}
|
||||
EnableFencing: {get_param: EnableFencing}
|
||||
ManageFirewall: {get_param: ManageFirewall}
|
||||
PurgeFirewallRules: {get_param: PurgeFirewallRules}
|
||||
EnableGalera: {get_param: EnableGalera}
|
||||
EnableCephStorage: {get_param: ControllerEnableCephStorage}
|
||||
EnableSwiftStorage: {get_param: ControllerEnableSwiftStorage}
|
||||
|
|
|
@ -278,6 +278,14 @@ parameters:
|
|||
type: string
|
||||
default: 'regionOne'
|
||||
description: Keystone region for endpoint
|
||||
ManageFirewall:
|
||||
default: false
|
||||
description: Whether to manage IPtables rules.
|
||||
type: boolean
|
||||
PurgeFirewallRules:
|
||||
default: false
|
||||
description: Whether IPtables rules should be purged before setting up the new ones.
|
||||
type: boolean
|
||||
MysqlClusterUniquePart:
|
||||
description: A unique identifier of the MySQL cluster the controller is in.
|
||||
type: string
|
||||
|
@ -819,6 +827,8 @@ resources:
|
|||
enable_galera: {get_param: EnableGalera}
|
||||
enable_ceph_storage: {get_param: EnableCephStorage}
|
||||
enable_swift_storage: {get_param: EnableSwiftStorage}
|
||||
manage_firewall: {get_param: ManageFirewall}
|
||||
purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||
mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
|
||||
mysql_max_connections: {get_param: MysqlMaxConnections}
|
||||
mysql_root_password: {get_param: MysqlRootPassword}
|
||||
|
@ -1274,6 +1284,9 @@ resources:
|
|||
# Redis
|
||||
redis::bind: {get_input: redis_network}
|
||||
redis_vip: {get_input: redis_vip}
|
||||
# Firewall
|
||||
tripleo::firewall::manage_firewall: {get_input: manage_firewall}
|
||||
tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
|
||||
# Misc
|
||||
memcached::listen_ip: {get_input: memcached_network}
|
||||
neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
|
||||
|
|
|
@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true
|
|||
tripleo::loadbalancer::horizon: true
|
||||
|
||||
controller_classes: []
|
||||
# firewall
|
||||
tripleo::firewall::firewall_rules:
|
||||
'101 mongodb_config':
|
||||
port: 27019
|
||||
'102 mongodb_sharding':
|
||||
port: 27018
|
||||
'103 mongod':
|
||||
port: 27017
|
||||
'104 mysql galera':
|
||||
port:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
'105 ntp':
|
||||
port: 123
|
||||
proto: udp
|
||||
'106 vrrp':
|
||||
proto: vrrp
|
||||
'107 haproxy stats':
|
||||
port: 1993
|
||||
'108 redis':
|
||||
port:
|
||||
- 6379
|
||||
- 26379
|
||||
'109 rabbitmq':
|
||||
port:
|
||||
- 5672
|
||||
- 35672
|
||||
'110 ceph':
|
||||
port:
|
||||
- 6789
|
||||
- '6800-6810'
|
||||
'111 keystone':
|
||||
port:
|
||||
- 5000
|
||||
- 13000
|
||||
- 35357
|
||||
- 13357
|
||||
'112 glance':
|
||||
port:
|
||||
- 9292
|
||||
- 9191
|
||||
- 13292
|
||||
'113 nova':
|
||||
port:
|
||||
- 6080
|
||||
- 13080
|
||||
- 8773
|
||||
- 3773
|
||||
- 8774
|
||||
- 13774
|
||||
- 8775
|
||||
'114 neutron server':
|
||||
port:
|
||||
- 9696
|
||||
- 13696
|
||||
'115 neutron dhcp input':
|
||||
proto: 'udp'
|
||||
port: 67
|
||||
'116 neutron dhcp output':
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
port: 68
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
port: 4789
|
||||
'119 cinder':
|
||||
port:
|
||||
- 8776
|
||||
- 13776
|
||||
'120 iscsi initiator':
|
||||
port: 3260
|
||||
'121 memcached':
|
||||
port: 11211
|
||||
'122 swift proxy':
|
||||
port:
|
||||
- 8080
|
||||
- 13808
|
||||
'123 swift storage':
|
||||
port:
|
||||
- 873
|
||||
- 6000
|
||||
- 6001
|
||||
- 6002
|
||||
'124 ceilometer':
|
||||
port:
|
||||
- 8777
|
||||
- 13777
|
||||
'125 heat':
|
||||
port:
|
||||
- 8000
|
||||
- 13800
|
||||
- 8003
|
||||
- 13003
|
||||
- 8004
|
||||
- 13004
|
||||
'126 horizon':
|
||||
port:
|
||||
- 80
|
||||
- 443
|
||||
'127 snmp':
|
||||
port: 161
|
||||
proto: 'udp'
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
create_resources(sysctl::value, hiera('sysctl_settings'), {})
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
create_resources(sysctl::value, hiera('sysctl_settings'), {})
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
if hiera('step') >= 1 {
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@ Pcmk_resource <| |> {
|
|||
}
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
if $::hostname == downcase(hiera('bootstrap_nodeid')) {
|
||||
$pacemaker_master = true
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
create_resources(sysctl::value, hiera('sysctl_settings'), {})
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
include ::tripleo::packages
|
||||
include ::tripleo::firewall
|
||||
|
||||
create_resources(sysctl::value, hiera('sysctl_settings'), {})
|
||||
|
||||
|
|
Loading…
Reference in New Issue