Convert firewall rules to use TripleO-Ansible
This change converts our firewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
parent
c7f19f0bd2
commit
50367fbe35
|
@ -30,9 +30,8 @@ outputs:
|
|||
description: Role data for the multinode firewall configuration
|
||||
value:
|
||||
service_name: multinode_core
|
||||
config_settings:
|
||||
tripleo::core::firewall_rules:
|
||||
'999 core':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 4789
|
||||
firewall_rules:
|
||||
'999 core':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 4789
|
||||
|
|
|
@ -341,6 +341,16 @@ resources:
|
|||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
FirewallRules:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
type: json
|
||||
value:
|
||||
map_merge:
|
||||
yaql:
|
||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null))
|
||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -381,4 +391,11 @@ outputs:
|
|||
map_merge:
|
||||
- {get_attr: [ContainerPuppetTasks, value]}
|
||||
- {get_attr: [DockerPuppetTasks, value]}
|
||||
host_prep_tasks: {get_attr: [HostPrepTasks, value]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- - name: Run firewall role
|
||||
include_role:
|
||||
name: tripleo-firewall
|
||||
vars:
|
||||
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
|
||||
- {get_attr: [HostPrepTasks, value]}
|
||||
|
|
|
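Review bot: In the FirewallRules resource (first hunk, the `map_merge` over the YAQL-collected `firewall_rules` maps) every service's rules are flattened into one map keyed by rule name, so two services that happen to choose the same name would silently overwrite each other with last-wins semantics, which can leave a port closed or replace a rule carrying a `source` restriction with a broader one; the old per-service `tripleo::<service>::firewall_rules` hiera keys could not collide this way. No duplicate name is visible in this commit, but nothing detects one, so consider a validation that fails the stack when the collected rule names are not unique, or at least a comment on the resource stating that rule names must be globally unique across services. The `ExtraFirewallRules` merge described in the commit message is not part of this hunk's `map_merge`, so it presumably lands elsewhere; if it is meant to override service rules it has to be the last entry merged. Both hunks sit inside the template's `resources` and `outputs` blocks, which begin outside the visible lines.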
@ -91,6 +91,11 @@ outputs:
|
|||
description: Role data for the aodh API role.
|
||||
value:
|
||||
service_name: aodh_api
|
||||
firewall_rules:
|
||||
'128 aodh-api':
|
||||
dport:
|
||||
- 8042
|
||||
- 13042
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -109,11 +114,6 @@ outputs:
|
|||
aodh::api::enable_proxy_headers_parsing: true
|
||||
aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
|
||||
aodh::policy::policies: {get_param: AodhApiPolicies}
|
||||
tripleo::aodh_api::firewall_rules:
|
||||
'128 aodh-api':
|
||||
dport:
|
||||
- 8042
|
||||
- 13042
|
||||
aodh::api::host:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -187,6 +187,11 @@ outputs:
|
|||
description: Role data for the Barbican API role.
|
||||
value:
|
||||
service_name: barbican_api
|
||||
firewall_rules:
|
||||
'117 barbican':
|
||||
dport:
|
||||
- 9311
|
||||
- 13311
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
|
@ -245,11 +250,6 @@ outputs:
|
|||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
|
||||
tripleo::barbican_api::firewall_rules:
|
||||
'117 barbican':
|
||||
dport:
|
||||
- 9311
|
||||
- 13311
|
||||
service_config_settings:
|
||||
mysql:
|
||||
barbican::db::mysql::password: {get_param: BarbicanPassword}
|
||||
|
|
|
@ -103,6 +103,14 @@ outputs:
|
|||
description: Role data for the Ceph Dashboard service.
|
||||
value:
|
||||
service_name: ceph_grafana
|
||||
firewall_rules:
|
||||
'123 ceph_dashboard':
|
||||
dport:
|
||||
- 3100
|
||||
- 9090
|
||||
- 9093
|
||||
- 9094
|
||||
- 9100
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
|
|
@ -66,6 +66,15 @@ outputs:
|
|||
description: Role data for the Ceph Metadata service.
|
||||
value:
|
||||
service_name: ceph_mds
|
||||
firewall_rules:
|
||||
'112 ceph_mds':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
@ -88,15 +97,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_mds::firewall_rules:
|
||||
'112 ceph_mds':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
- {}
|
||||
|
|
|
@ -76,6 +76,15 @@ outputs:
|
|||
description: Role data for the Ceph Manager service.
|
||||
value:
|
||||
service_name: ceph_mgr
|
||||
firewall_rules:
|
||||
'113 ceph_mgr':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '8443'
|
||||
- []
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
@ -98,15 +107,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_mgr::firewall_rules:
|
||||
'113 ceph_mgr':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '8443'
|
||||
- []
|
||||
- {}
|
||||
|
|
|
@ -80,6 +80,16 @@ outputs:
|
|||
description: Role data for the Ceph Monitor service.
|
||||
value:
|
||||
service_name: ceph_mon
|
||||
firewall_rules:
|
||||
'110 ceph_mon':
|
||||
dport:
|
||||
list_concat:
|
||||
- - 6789
|
||||
- - 3300
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
@ -102,16 +112,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_mon::firewall_rules:
|
||||
'110 ceph_mon':
|
||||
dport:
|
||||
list_concat:
|
||||
- - 6789
|
||||
- - 3300
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
- {}
|
||||
|
|
|
@ -66,6 +66,11 @@ outputs:
|
|||
description: Role data for the Ceph NFS Ganesha service.
|
||||
value:
|
||||
service_name: ceph_nfs
|
||||
firewall_rules:
|
||||
'120 ceph_nfs':
|
||||
dport:
|
||||
# We support only NFS 4.1 to start
|
||||
- 2049
|
||||
upgrade_tasks: []
|
||||
step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
|
||||
puppet_config:
|
||||
|
@ -90,11 +95,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_nfs::firewall_rules:
|
||||
'120 ceph_nfs':
|
||||
dport:
|
||||
# We support only NFS 4.1 to start
|
||||
- 2049
|
||||
- {}
|
||||
|
|
|
@ -69,6 +69,15 @@ outputs:
|
|||
description: Role data for the Ceph OSD service.
|
||||
value:
|
||||
service_name: ceph_osd
|
||||
firewall_rules:
|
||||
'111 ceph_osd':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
upgrade_tasks:
|
||||
- name: Check legacy Ceph hieradata
|
||||
tags: validation
|
||||
|
@ -95,15 +104,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_osd::firewall_rules:
|
||||
'111 ceph_osd':
|
||||
dport:
|
||||
list_concat:
|
||||
- - '6800-7300'
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
- {}
|
||||
|
|
|
@ -82,6 +82,10 @@ outputs:
|
|||
description: Role data for the Ceph RBD Mirror service.
|
||||
value:
|
||||
service_name: ceph_rbdmirror
|
||||
firewall_rules:
|
||||
'114 ceph_rbdmirror':
|
||||
dport:
|
||||
- '6800-7300'
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
@ -104,10 +108,3 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_rbdmirror::firewall_rules:
|
||||
'114 ceph_rbdmirror':
|
||||
dport:
|
||||
- '6800-7300'
|
||||
- {}
|
||||
|
|
|
@ -76,6 +76,15 @@ outputs:
|
|||
description: Role data for the Ceph RadosGW service.
|
||||
value:
|
||||
service_name: ceph_rgw
|
||||
firewall_rules:
|
||||
'122 ceph rgw':
|
||||
dport:
|
||||
list_concat:
|
||||
- - {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
|
@ -98,18 +107,6 @@ outputs:
|
|||
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
|
||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::ceph_rgw::firewall_rules:
|
||||
'122 ceph rgw':
|
||||
dport:
|
||||
list_concat:
|
||||
- - {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||
- if:
|
||||
- dashboard_enabled
|
||||
- - '9100'
|
||||
- []
|
||||
- {}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
|
||||
|
|
|
@ -118,6 +118,11 @@ outputs:
|
|||
description: Role data for the Cinder API role.
|
||||
value:
|
||||
service_name: cinder_api
|
||||
firewall_rules:
|
||||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
- 13776
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -143,11 +148,6 @@ outputs:
|
|||
DEFAULT/swift_catalog_info:
|
||||
value: 'object-store:swift:internalURL'
|
||||
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
|
||||
tripleo::cinder_api::firewall_rules:
|
||||
'119 cinder':
|
||||
dport:
|
||||
- 8776
|
||||
- 13776
|
||||
cinder::api::bind_host:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -198,6 +198,9 @@ outputs:
|
|||
description: Role data for the Cinder Volume role.
|
||||
value:
|
||||
service_name: cinder_volume
|
||||
firewall_rules:
|
||||
'120 iscsi initiator':
|
||||
dport: 3260
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -226,9 +229,6 @@ outputs:
|
|||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
|
||||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
|
||||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
|
||||
tripleo::cinder_volume::firewall_rules:
|
||||
'120 iscsi initiator':
|
||||
dport: 3260
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
|
|
|
@ -68,6 +68,15 @@ outputs:
|
|||
description: Service MySQL using composable services.
|
||||
value:
|
||||
service_name: mysql
|
||||
firewall_rules:
|
||||
'104 mysql galera':
|
||||
dport:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
config_settings:
|
||||
map_merge:
|
||||
-
|
||||
|
@ -79,15 +88,6 @@ outputs:
|
|||
mysql::server::package_name: 'mariadb-galera-server'
|
||||
mysql::server::manage_config_file: true
|
||||
mysql_ipv6: {get_param: MysqlIPv6}
|
||||
tripleo::mysql::firewall_rules:
|
||||
'104 mysql galera':
|
||||
dport:
|
||||
- 873
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
mysql_max_connections: {get_param: MysqlMaxConnections}
|
||||
mysql::server::root_password:
|
||||
yaql:
|
||||
|
|
|
@ -99,6 +99,16 @@ outputs:
|
|||
description: Containerized service MySQL using composable services.
|
||||
value:
|
||||
service_name: {get_attr: [MysqlBase, role_data, service_name]}
|
||||
firewall_rules:
|
||||
'104 mysql galera-bundle':
|
||||
dport:
|
||||
- 873
|
||||
- 3123
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [MysqlBase, role_data, config_settings]
|
||||
|
@ -131,16 +141,6 @@ outputs:
|
|||
- 'pcmklatest'
|
||||
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
|
||||
tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
|
||||
tripleo::mysql::firewall_rules:
|
||||
'104 mysql galera-bundle':
|
||||
dport:
|
||||
- 873
|
||||
- 3123
|
||||
- 3306
|
||||
- 4444
|
||||
- 4567
|
||||
- 4568
|
||||
- 9200
|
||||
tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -62,18 +62,18 @@ outputs:
|
|||
description: Role data for the Redis API role.
|
||||
value:
|
||||
service_name: redis
|
||||
firewall_rules:
|
||||
'108 redis':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||
- redis::daemonize: false
|
||||
tripleo::stunnel::manage_service: false
|
||||
tripleo::stunnel::foreground: 'yes'
|
||||
- tripleo::redis::firewall_rules:
|
||||
'108 redis':
|
||||
dport:
|
||||
- 6379
|
||||
- 26379
|
||||
tripleo::profile::base::database::redis::tls_proxy_bind_ip:
|
||||
- tripleo::profile::base::database::redis::tls_proxy_bind_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
|
|
|
@ -86,6 +86,12 @@ outputs:
|
|||
description: Role data for the Redis API role.
|
||||
value:
|
||||
service_name: redis
|
||||
firewall_rules:
|
||||
'108 redis-bundle':
|
||||
dport:
|
||||
- 3124
|
||||
- 6379
|
||||
- 26379
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||
|
@ -101,12 +107,6 @@ outputs:
|
|||
- 'pcmklatest'
|
||||
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
|
||||
tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
|
||||
tripleo::redis::firewall_rules:
|
||||
'108 redis-bundle':
|
||||
dport:
|
||||
- 3124
|
||||
- 6379
|
||||
- 26379
|
||||
tripleo::stunnel::manage_service: false
|
||||
tripleo::stunnel::foreground: 'yes'
|
||||
tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:
|
||||
|
|
|
@ -43,13 +43,11 @@ outputs:
|
|||
description: Role data for the docker registry service
|
||||
value:
|
||||
service_name: docker_registry
|
||||
config_settings:
|
||||
tripleo::docker_registry::firewall_rules:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
- 13787
|
||||
step_config: ''
|
||||
firewall_rules:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
- 13787
|
||||
host_prep_tasks:
|
||||
- name: Install, Configure and Run Docker Distribution
|
||||
block:
|
||||
|
|
|
@ -43,21 +43,20 @@ outputs:
|
|||
description: Role data for the Kubernetes Service
|
||||
value:
|
||||
service_name: kubernetes_master
|
||||
config_settings:
|
||||
tripleo::kubernetes_master::firewall_rules:
|
||||
'200 kubernetes-master api':
|
||||
dport: 6443
|
||||
proto: tcp
|
||||
'200 kubernetes-master etcd':
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
proto: tcp
|
||||
'200 kubernetes-master flannel':
|
||||
dport:
|
||||
- 8285
|
||||
- 8472
|
||||
proto: udp
|
||||
firewall_rules:
|
||||
'200 kubernetes-master api':
|
||||
dport: 6443
|
||||
proto: tcp
|
||||
'200 kubernetes-master etcd':
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
proto: tcp
|
||||
'200 kubernetes-master flannel':
|
||||
dport:
|
||||
- 8285
|
||||
- 8472
|
||||
proto: udp
|
||||
upgrade_tasks: []
|
||||
step_config: ''
|
||||
external_deploy_tasks:
|
||||
|
|
|
@ -41,24 +41,22 @@ outputs:
|
|||
# as workers. The actual installation is performed in
|
||||
# kubernetes-master service template.
|
||||
service_name: kubernetes_worker
|
||||
config_settings:
|
||||
tripleo::kubernetes_worker::firewall_rules:
|
||||
'200 kubernetes-worker kubelet':
|
||||
dport:
|
||||
- 10250
|
||||
- 10255
|
||||
proto: tcp
|
||||
'200 kubernetes-worker external services':
|
||||
dport: '30000-32767'
|
||||
'200 kubernetes-worker flannel':
|
||||
dport:
|
||||
- 8285
|
||||
- 8472
|
||||
proto: udp
|
||||
'200 kubernetes-worker calico bgp':
|
||||
dport: 179
|
||||
proto: tcp
|
||||
'200 kubernetes-worker calico ipv4-in-ip':
|
||||
proto: ipv4
|
||||
firewall_rules:
|
||||
'200 kubernetes-worker kubelet':
|
||||
dport:
|
||||
- 10250
|
||||
- 10255
|
||||
proto: tcp
|
||||
'200 kubernetes-worker external services':
|
||||
dport: '30000-32767'
|
||||
'200 kubernetes-worker flannel':
|
||||
dport:
|
||||
- 8285
|
||||
- 8472
|
||||
proto: udp
|
||||
'200 kubernetes-worker calico bgp':
|
||||
dport: 179
|
||||
proto: tcp
|
||||
'200 kubernetes-worker calico ipv4-in-ip':
|
||||
proto: ipv4
|
||||
upgrade_tasks: []
|
||||
step_config: ''
|
||||
|
|
|
@ -50,20 +50,19 @@ outputs:
|
|||
description: Role data for the TripleO firewall settings
|
||||
value:
|
||||
service_name: tripleo_firewall
|
||||
firewall_rules:
|
||||
map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||
template:
|
||||
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
config_settings:
|
||||
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
||||
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||
tripleo::tripleo_firewall::firewall_rules:
|
||||
map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||
template:
|
||||
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
|
||||
step_config: |
|
||||
include ::tripleo::firewall
|
||||
|
|
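Review bot: The `config_settings` context lines in this hunk still feed `tripleo::firewall::manage_firewall` and `tripleo::firewall::purge_firewall_rules` to puppet, and `step_config` still does `include ::tripleo::firewall`, while the rule set that class used to receive through `tripleo::tripleo_firewall::firewall_rules` is now handed only to the tripleo-ansible firewall role invoked from host_prep_tasks. If the puppet class still purges rules it does not own when PurgeFirewallRules is true, it could remove the rules the Ansible role just installed, and nothing visible in this commit passes ManageFirewall to that role, so a deployment with ManageFirewall false may still have rules applied. Either pass both parameters through (gate the include_role task on ManageFirewall and map PurgeFirewallRules to the role's purge setting, if it has one) or drop the puppet include once the role owns the rules, and add a comment here stating which component is authoritative in the meantime. The `role_data` output that holds these keys starts outside the hunk.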
@ -55,6 +55,11 @@ outputs:
|
|||
description: Role data for the etcd role.
|
||||
value:
|
||||
service_name: etcd
|
||||
firewall_rules:
|
||||
'141 etcd':
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -80,11 +85,6 @@ outputs:
|
|||
tripleo::profile::base::etcd::peer_port: '2380'
|
||||
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
|
||||
etcd::manage_package: false
|
||||
tripleo::etcd::firewall_rules:
|
||||
'141 etcd':
|
||||
dport:
|
||||
- 2379
|
||||
- 2380
|
||||
etcd::manage_service: false
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -79,6 +79,11 @@ outputs:
|
|||
description: Role data for the Designate API role.
|
||||
value:
|
||||
service_name: designate_api
|
||||
firewall_rules:
|
||||
'139 designate api':
|
||||
dport:
|
||||
- 9001
|
||||
- 13001
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -94,11 +99,6 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
tripleo::profile::base::designate::api::listen_port: 9001
|
||||
tripleo::designate_api::firewall_rules:
|
||||
'139 designate api':
|
||||
dport:
|
||||
- 9001
|
||||
- 13001
|
||||
-
|
||||
if:
|
||||
- designate_workers_zero
|
||||
|
|
|
@ -80,6 +80,15 @@ outputs:
|
|||
description: Role data for the Designate MDNS role.
|
||||
value:
|
||||
service_name: designate_mdns
|
||||
firewall_rules:
|
||||
'142 designate_mdns udp':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 5354
|
||||
'143 designate_mdns tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 5354
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -103,16 +112,6 @@ outputs:
|
|||
-
|
||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||
read_default_group: tripleo
|
||||
|
||||
tripleo::designate_mdns::firewall_rules:
|
||||
'142 designate_mdns udp':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 5354
|
||||
'143 designate_mdns tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 5354
|
||||
-
|
||||
if:
|
||||
- designate_workers_zero
|
||||
|
|
|
@ -79,6 +79,17 @@ outputs:
|
|||
description: Role data for the Designate Worker role.
|
||||
value:
|
||||
service_name: designate_worker
|
||||
firewall_rules:
|
||||
'140 designate_worker udp':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 53
|
||||
- 953
|
||||
'141 designate_worker tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 53
|
||||
- 953
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -118,17 +129,6 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
tripleo::designate_worker::firewall_rules:
|
||||
'140 designate_worker udp':
|
||||
proto: 'udp'
|
||||
dport:
|
||||
- 53
|
||||
- 953
|
||||
'141 designate_worker tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 53
|
||||
- 953
|
||||
-
|
||||
if:
|
||||
- designate_workers_zero
|
||||
|
|
|
@ -294,6 +294,11 @@ outputs:
|
|||
description: Role data for the Glance API role.
|
||||
value:
|
||||
service_name: glance_api
|
||||
firewall_rules:
|
||||
'112 glance_api':
|
||||
dport:
|
||||
- 9292
|
||||
- 13292
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -331,11 +336,6 @@ outputs:
|
|||
- {get_param: Debug }
|
||||
- {get_param: GlanceDebug }
|
||||
glance::policy::policies: {get_param: GlanceApiPolicies}
|
||||
tripleo::glance_api::firewall_rules:
|
||||
'112 glance_api':
|
||||
dport:
|
||||
- 9292
|
||||
- 13292
|
||||
glance::api::authtoken::project_name: 'service'
|
||||
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
|
||||
glance::api::authtoken::user_domain_name: 'Default'
|
||||
|
|
|
@ -142,6 +142,11 @@ outputs:
|
|||
description: Role data for the gnocchi API role.
|
||||
value:
|
||||
service_name: gnocchi_api
|
||||
firewall_rules:
|
||||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
- 13041
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -154,12 +159,7 @@ outputs:
|
|||
- {}
|
||||
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
|
||||
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
|
||||
- tripleo::gnocchi_api::firewall_rules:
|
||||
'129 gnocchi-api':
|
||||
dport:
|
||||
- 8041
|
||||
- 13041
|
||||
gnocchi::api::enabled: true
|
||||
- gnocchi::api::enabled: true
|
||||
gnocchi::api::enable_proxy_headers_parsing: true
|
||||
gnocchi::api::service_name: 'httpd'
|
||||
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
|
||||
|
|
|
@ -80,14 +80,12 @@ outputs:
|
|||
description: Role data for the Gnocchi API role.
|
||||
value:
|
||||
service_name: gnocchi_statsd
|
||||
firewall_rules:
|
||||
'140 gnocchi-statsd':
|
||||
dport: 8125
|
||||
proto: 'udp'
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [GnocchiServiceBase, role_data, config_settings]
|
||||
- tripleo::gnocchi_statsd::firewall_rules:
|
||||
'140 gnocchi-statsd':
|
||||
dport: 8125
|
||||
proto: 'udp'
|
||||
config_settings: {get_attr: [GnocchiServiceBase, role_data, config_settings]}
|
||||
service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -153,6 +153,9 @@ outputs:
|
|||
description: Role data for the HAproxy role.
|
||||
value:
|
||||
service_name: haproxy
|
||||
firewall_rules:
|
||||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -161,9 +164,6 @@ outputs:
|
|||
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
||||
# when this is updated
|
||||
tripleo::haproxy::crl_file: null
|
||||
- tripleo::haproxy::firewall_rules:
|
||||
'107 haproxy stats':
|
||||
dport: 1993
|
||||
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
||||
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
|
||||
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
||||
|
|
|
@ -100,17 +100,17 @@ outputs:
|
|||
description: Role data for the Heat API CFN role.
|
||||
value:
|
||||
service_name: heat_api_cfn
|
||||
firewall_rules:
|
||||
'125 heat_cfn':
|
||||
dport:
|
||||
- 8000
|
||||
- 13800
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [HeatBase, role_data, config_settings]
|
||||
- get_attr: [HeatApiCfnLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
tripleo::heat_api_cfn::firewall_rules:
|
||||
'125 heat_cfn':
|
||||
dport:
|
||||
- 8000
|
||||
- 13800
|
||||
heat::api_cfn::bind_host:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -114,6 +114,11 @@ outputs:
|
|||
description: Role data for the Heat API role.
|
||||
value:
|
||||
service_name: heat_api
|
||||
firewall_rules:
|
||||
'125 heat_api':
|
||||
dport:
|
||||
- 8004
|
||||
- 13004
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -121,11 +126,6 @@ outputs:
|
|||
- get_attr: [HeatApiLogging, config_settings]
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
- apache::default_vhost: false
|
||||
tripleo::heat_api::firewall_rules:
|
||||
'125 heat_api':
|
||||
dport:
|
||||
- 8004
|
||||
- 13004
|
||||
heat::api::bind_host:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -140,15 +140,15 @@ outputs:
|
|||
description: Role data for the Horizon API role.
|
||||
value:
|
||||
service_name: horizon
|
||||
firewall_rules:
|
||||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
- 443
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
||||
tripleo::horizon::firewall_rules:
|
||||
'126 horizon':
|
||||
dport:
|
||||
- 80
|
||||
- 443
|
||||
horizon::enable_secure_proxy_ssl_header: true
|
||||
horizon::disable_password_reveal: true
|
||||
horizon::enforce_password_check: true
|
||||
|
|
|
@ -43,13 +43,11 @@ outputs:
|
|||
description: Role data for the image serve registry service
|
||||
value:
|
||||
service_name: docker_registry
|
||||
config_settings:
|
||||
tripleo::docker_registry::firewall_rules:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
- 13787
|
||||
step_config: ''
|
||||
firewall_rules:
|
||||
'155 docker-registry':
|
||||
dport:
|
||||
- 8787
|
||||
- 13787
|
||||
host_prep_tasks:
|
||||
- name: authorize httpd to listen on registry ports
|
||||
seport:
|
||||
|
|
|
@ -44,42 +44,40 @@ outputs:
|
|||
description: Role data for the IPSEC service
|
||||
value:
|
||||
service_name: ipsec
|
||||
config_settings:
|
||||
tripleo::ipsec::firewall_rules:
|
||||
'100 IPSEC IKE INPUT':
|
||||
dport: 500
|
||||
sport: 500
|
||||
proto: udp
|
||||
chain: INPUT
|
||||
'100 IPSEC IKE OUTPUT':
|
||||
dport: 500
|
||||
sport: 500
|
||||
proto: udp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC IKE NAT-Traversal INPUT':
|
||||
dport: 4500
|
||||
sport: 4500
|
||||
proto: udp
|
||||
chain: INPUT
|
||||
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
||||
dport: 4500
|
||||
sport: 4500
|
||||
proto: udp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC ESP INPUT':
|
||||
proto: esp
|
||||
chain: INPUT
|
||||
'100 IPSEC ESP OUTPUT':
|
||||
proto: esp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC Authentication Header INPUT':
|
||||
proto: ah
|
||||
chain: INPUT
|
||||
'100 IPSEC Authentication Header OUTPUT':
|
||||
proto: ah
|
||||
chain: OUTPUT
|
||||
firewall_rules:
|
||||
'100 IPSEC IKE INPUT':
|
||||
dport: 500
|
||||
sport: 500
|
||||
proto: udp
|
||||
chain: INPUT
|
||||
'100 IPSEC IKE OUTPUT':
|
||||
dport: 500
|
||||
sport: 500
|
||||
proto: udp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC IKE NAT-Traversal INPUT':
|
||||
dport: 4500
|
||||
sport: 4500
|
||||
proto: udp
|
||||
chain: INPUT
|
||||
'100 IPSEC IKE NAT-Traversal OUTPUT':
|
||||
dport: 4500
|
||||
sport: 4500
|
||||
proto: udp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC ESP INPUT':
|
||||
proto: esp
|
||||
chain: INPUT
|
||||
'100 IPSEC ESP OUTPUT':
|
||||
proto: esp
|
||||
chain: OUTPUT
|
||||
'100 IPSEC Authentication Header INPUT':
|
||||
proto: ah
|
||||
chain: INPUT
|
||||
'100 IPSEC Authentication Header OUTPUT':
|
||||
proto: ah
|
||||
chain: OUTPUT
|
||||
upgrade_tasks: []
|
||||
step_config: ''
|
||||
external_deploy_tasks:
|
||||
- name: IPSEC configuration on step 1
|
||||
when: step|int == 1
|
||||
|
|
|
@ -100,6 +100,11 @@ outputs:
|
|||
description: Role data for the Ironic API role.
|
||||
value:
|
||||
service_name: ironic_api
|
||||
firewall_rules:
|
||||
'133 ironic api':
|
||||
dport:
|
||||
- 6385
|
||||
- 13385
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -152,12 +157,6 @@ outputs:
|
|||
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
|
||||
tripleo::ironic_api::firewall_rules:
|
||||
'133 ironic api':
|
||||
dport:
|
||||
- 6385
|
||||
- 13385
|
||||
- apache::default_vhost: false
|
||||
service_config_settings:
|
||||
keystone:
|
||||
|
|
|
@ -275,6 +275,12 @@ outputs:
|
|||
description: Role data for the Ironic Conductor role.
|
||||
value:
|
||||
service_name: ironic_conductor
|
||||
firewall_rules:
|
||||
'134 ironic conductor TFTP':
|
||||
dport: 69
|
||||
proto: udp
|
||||
'135 ironic conductor HTTP':
|
||||
dport: {get_param: IronicIPXEPort}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -367,12 +373,6 @@ outputs:
|
|||
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
|
||||
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
|
||||
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
|
||||
tripleo::ironic_conductor::firewall_rules:
|
||||
'134 ironic conductor TFTP':
|
||||
dport: 69
|
||||
proto: udp
|
||||
'135 ironic conductor HTTP':
|
||||
dport: {get_param: IronicIPXEPort}
|
||||
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
|
||||
# ironic. It's used as a default value for e.g. TFTP server IP,
|
||||
# glance and neutron endpoints, virtual console IP. We override
|
||||
|
|
|
@ -181,6 +181,37 @@ outputs:
|
|||
description: Role data for the Ironic Inspector role.
|
||||
value:
|
||||
service_name: ironic_inspector
|
||||
firewall_rules:
|
||||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'INPUT'
|
||||
dport: 67
|
||||
'137 ironic-inspector dhcp output':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
'137 ironic-inspector dhcpv6 input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'INPUT'
|
||||
dport: 547
|
||||
'137 ironic-inspector dhcpv6 output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 546
|
||||
'137 ironic-inspector dhcpv6 relay output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -219,37 +250,6 @@ outputs:
|
|||
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||
tripleo::ironic_inspector::firewall_rules:
|
||||
'137 ironic-inspector':
|
||||
dport:
|
||||
- 5050
|
||||
'137 ironic-inspector dhcp input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'INPUT'
|
||||
dport: 67
|
||||
'137 ironic-inspector dhcp output':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
'137 ironic-inspector dhcpv6 input':
|
||||
iniface: {get_param: IronicInspectorInterface}
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'INPUT'
|
||||
dport: 547
|
||||
'137 ironic-inspector dhcpv6 output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 546
|
||||
'137 ironic-inspector dhcpv6 relay output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
ironic::inspector::ironic_username: 'ironic'
|
||||
ironic::inspector::ironic_password: {get_param: IronicPassword}
|
||||
ironic::inspector::ironic_tenant_name: 'service'
|
||||
|
|
|
@ -73,13 +73,13 @@ outputs:
|
|||
description: Role data for the Keepalived role.
|
||||
value:
|
||||
service_name: keepalived
|
||||
firewall_rules:
|
||||
'106 keepalived vrrp':
|
||||
proto: vrrp
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio'
|
||||
- tripleo::keepalived::firewall_rules:
|
||||
'106 keepalived vrrp':
|
||||
proto: vrrp
|
||||
-
|
||||
if:
|
||||
- control_iface_empty
|
||||
|
|
|
@ -355,6 +355,12 @@ outputs:
|
|||
description: Role data for the Keystone API role.
|
||||
value:
|
||||
service_name: keystone
|
||||
firewall_rules:
|
||||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -449,12 +455,6 @@ outputs:
|
|||
keystone::wsgi::apache::threads: 1
|
||||
keystone::db::database_db_max_retries: -1
|
||||
keystone::db::database_max_retries: -1
|
||||
tripleo::keystone::firewall_rules:
|
||||
'111 keystone':
|
||||
dport:
|
||||
- 5000
|
||||
- 13000
|
||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
|
|
|
@ -94,6 +94,11 @@ outputs:
|
|||
description: Role data for the Manila API role.
|
||||
value:
|
||||
service_name: manila_api
|
||||
firewall_rules:
|
||||
'150 manila':
|
||||
dport:
|
||||
- 8786
|
||||
- 13786
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -105,11 +110,6 @@ outputs:
|
|||
manila::keystone::authtoken::project_name: 'service'
|
||||
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||
tripleo::manila_api::firewall_rules:
|
||||
'150 manila':
|
||||
dport:
|
||||
- 8786
|
||||
- 13786
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||
# local node IP for the given network; replacement examples
|
||||
# (eg. for internal_api):
|
||||
|
|
|
@ -81,6 +81,31 @@ outputs:
|
|||
description: Role data for the Memcached API role.
|
||||
value:
|
||||
service_name: memcached
|
||||
firewall_rules:
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
# Memcached traffic shouldn't be open on the internet.
|
||||
# Even if binding is configured on internal_api network, enforce it
|
||||
# via firewall as well.
|
||||
if:
|
||||
- memcached_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
template:
|
||||
'121 memcached <%net_cidr%>':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: <%net_cidr%>
|
||||
- '121 memcached':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: {get_param: MemcachedIpSubnet}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||
config_settings:
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
|
@ -113,31 +138,6 @@ outputs:
|
|||
- 'v'
|
||||
- ''
|
||||
memcached::disable_cachedump: true
|
||||
tripleo::memcached::firewall_rules:
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
# Memcached traffic shouldn't be open on the internet.
|
||||
# Even if binding is configured on internal_api network, enforce it
|
||||
# via firewall as well.
|
||||
if:
|
||||
- memcached_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
template:
|
||||
'121 memcached <%net_cidr%>':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: <%net_cidr%>
|
||||
- '121 memcached':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: {get_param: MemcachedIpSubnet}
|
||||
service_config_settings:
|
||||
collectd:
|
||||
tripleo.collectd.plugins.memcached:
|
||||
|
|
|
@ -65,6 +65,15 @@ outputs:
|
|||
description: Role data for the qdrouterd service.
|
||||
value:
|
||||
service_name: oslo_messaging_rpc
|
||||
firewall_rules:
|
||||
'109 qdrouterd':
|
||||
dport:
|
||||
- {get_param: RpcPort}
|
||||
- 31459
|
||||
- 31460
|
||||
'109 qdr':
|
||||
dport:
|
||||
- {get_param: RpcPort}
|
||||
global_config_settings:
|
||||
oslo_messaging_rpc_scheme: amqp
|
||||
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
|
||||
|
@ -75,12 +84,6 @@ outputs:
|
|||
messaging_rpc_service_name: 'amqp'
|
||||
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
||||
config_settings:
|
||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
||||
'109 qdrouterd':
|
||||
dport:
|
||||
- {get_param: RpcPort}
|
||||
- 31459
|
||||
- 31460
|
||||
qdr::listener_addr:
|
||||
str_replace:
|
||||
template:
|
||||
|
@ -90,10 +93,6 @@ outputs:
|
|||
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
|
||||
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
|
||||
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
|
||||
tripleo::rabbitmq::firewall_rules:
|
||||
'109 qdr':
|
||||
dport:
|
||||
- {get_param: RpcPort}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
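Review bot: The rule name `'109 qdr'` in this section's new `firewall_rules` is reused, with `{get_param: RabbitClientPort}` instead of `{get_param: RpcPort}`, by the qdrouterd section further down that declares `service_name: rabbitmq`, and the same collision occurs with `'109 rabbitmq'` between the rabbitmq section (port 5672) and the oslo_messaging_notify section (`{get_param: NotifyPort}`). The parent template now folds every service's `firewall_rules` into one map keyed by rule name, so if two of these services are ever enabled on the same role only one port list survives the merge and the other service's listener is silently left closed. Whether the previous per-service hiera keys were merged the same way I cannot tell from here, but the single map makes globally unique rule names a hard requirement. Prefix the names with the owning service, e.g. `'109 oslo_messaging_rpc qdr':` here and `'109 oslo_messaging_notify':` in the notify section, so a co-located deployment keeps both rules.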
|
|
|
@ -149,6 +149,10 @@ outputs:
|
|||
description: Role data for the metrics Qdr role.
|
||||
value:
|
||||
service_name: metrics-qdr
|
||||
firewall_rules:
|
||||
'109 metrics qdr':
|
||||
dport:
|
||||
- {get_param: MetricsQdrPort}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
@ -156,11 +160,7 @@ outputs:
|
|||
- {get_param: MetricsQdrLoggingSource}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::metrics_qdr::firewall_rules:
|
||||
'109 metrics qdr':
|
||||
dport:
|
||||
- {get_param: MetricsQdrPort}
|
||||
tripleo::profile::base::metrics::qdr::listener_addr:
|
||||
- tripleo::profile::base::metrics::qdr::listener_addr:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
|
|
|
@ -88,6 +88,11 @@ outputs:
|
|||
description: Role data for the Mistral API role.
|
||||
value:
|
||||
service_name: mistral_api
|
||||
firewall_rules:
|
||||
'133 mistral':
|
||||
dport:
|
||||
- 8989
|
||||
- 13989
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [MistralBase, role_data, config_settings]
|
||||
|
@ -109,11 +114,6 @@ outputs:
|
|||
mistral::policy::policies: {get_param: MistralApiPolicies}
|
||||
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
|
||||
mistral::api::allow_action_execution_deletion: true
|
||||
tripleo::mistral_api::firewall_rules:
|
||||
'133 mistral':
|
||||
dport:
|
||||
- 8989
|
||||
- 13989
|
||||
mistral::api::service_name: 'httpd'
|
||||
mistral::wsgi::apache::bind_host:
|
||||
str_replace:
|
||||
|
|
|
@ -224,6 +224,11 @@ outputs:
|
|||
description: Role data for the Neutron API role.
|
||||
value:
|
||||
service_name: neutron_api
|
||||
firewall_rules:
|
||||
'114 neutron api':
|
||||
dport:
|
||||
- 9696
|
||||
- 13696
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -270,11 +275,6 @@ outputs:
|
|||
neutron::server::sync_db: true
|
||||
neutron::server::notifications::region_name: {get_param: KeystoneRegion}
|
||||
neutron::server::placement::region_name: {get_param: KeystoneRegion}
|
||||
tripleo::neutron_api::firewall_rules:
|
||||
'114 neutron api':
|
||||
dport:
|
||||
- 9696
|
||||
- 13696
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
|
|
|
@ -79,6 +79,12 @@ parameters:
|
|||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Neutron Compute Nuage plugin
|
||||
firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'100 metadata agent':
|
||||
dport: {get_param: NuageMetadataPort}
|
||||
value:
|
||||
service_name: neutron_compute_plugin_nuage
|
||||
config_settings:
|
||||
|
@ -96,11 +102,5 @@ outputs:
|
|||
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
|
||||
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
|
||||
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
|
||||
tripleo::neutron_compute_plugin_nuage::firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'100 metadata agent':
|
||||
dport: {get_param: NuageMetadataPort}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::neutron::agents::nuage
|
||||
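Review bot: The added `firewall_rules` block is placed between `description:` and `value:`, i.e. beside them under the `role_data` output rather than inside `value:`, which is where every other service in this change puts it. The parent template's YAQL collector reads `firewall_rules` from each entry of the role_data list, which is the output's value, so these two rules would never reach the merged map, and Heat may reject the unknown output key outright; the rendered view loses indentation, so please confirm against the file. Move the block under `value:`, directly after `service_name: neutron_compute_plugin_nuage`, so the VXLAN and metadata-agent ports are actually opened on Nuage computes.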
|
|
|
@ -180,6 +180,30 @@ outputs:
|
|||
description: Role data for the Neutron DHCP role.
|
||||
value:
|
||||
service_name: neutron_dhcp
|
||||
firewall_rules:
|
||||
'115 neutron dhcp input':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
dport: 67
|
||||
'116 neutron dhcp output':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
'115 neutron dhcpv6 input':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
dport: 547
|
||||
'116 neutron dhcpv6 output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 546
|
||||
'116 neutron dhcpv6 relay output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -209,30 +233,6 @@ outputs:
|
|||
- service_debug_unset
|
||||
- {get_param: Debug}
|
||||
- {get_param: NeutronDhcpAgentDebug}
|
||||
tripleo::neutron_dhcp::firewall_rules:
|
||||
'115 neutron dhcp input':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
dport: 67
|
||||
'116 neutron dhcp output':
|
||||
ipversion: 'ipv4'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
'115 neutron dhcpv6 input':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
dport: 547
|
||||
'116 neutron dhcpv6 output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 546
|
||||
'116 neutron dhcpv6 relay output':
|
||||
ipversion: 'ipv6'
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 547
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
|
||||
|
|
|
@ -82,29 +82,26 @@ outputs:
|
|||
description: Role data for the L2 Gateway role.
|
||||
value:
|
||||
service_name: neutron_l2gw_agent
|
||||
if:
|
||||
- internal_manager_enabled
|
||||
- firewall_rules:
|
||||
'142 neutron l2gw agent input':
|
||||
proto: 'tcp'
|
||||
dport: {get_param: L2gwAgentManagerTableListeningPort}
|
||||
- null
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
|
||||
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
|
||||
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
|
||||
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
|
||||
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
|
||||
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
|
||||
neutron::agents::l2gw::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug}
|
||||
- {get_param: NeutronL2gwAgentDebug}
|
||||
-
|
||||
if:
|
||||
- internal_manager_enabled
|
||||
- tripleo::neutron_l2gw_agent::firewall_rules:
|
||||
'142 neutron l2gw agent input':
|
||||
proto: 'tcp'
|
||||
dport: {get_param: L2gwAgentManagerTableListeningPort}
|
||||
- null
|
||||
|
||||
neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
|
||||
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
|
||||
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
|
||||
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
|
||||
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
|
||||
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
|
||||
neutron::agents::l2gw::debug:
|
||||
if:
|
||||
- service_debug_unset
|
||||
- {get_param: Debug}
|
||||
- {get_param: NeutronL2gwAgentDebug}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
tripleo_logging_sources_neutron_l2gw_agent:
|
||||
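Review bot: As rendered, the new `if:` sits under `value:` as a sibling of `service_name:` and `monitoring_subscription:`, not as the value of a `firewall_rules:` key, so Heat does not evaluate it as the `if` intrinsic (that only applies to a single-key mapping) and `role_data` ends up with a literal `if` entry and no `firewall_rules` at all. The parent template's collector only looks for `firewall_rules`, so `'142 neutron l2gw agent input'` is silently dropped even when `internal_manager_enabled` holds. The old form worked because the conditional was an element of the `map_merge` list under `config_settings`. Hang the conditional off the key instead, with `null` in the false branch, which the collector's `where($ != null)` already filters out.

```yaml
      service_name: neutron_l2gw_agent
      firewall_rules:
        if:
          - internal_manager_enabled
          - '142 neutron l2gw agent input':
              proto: 'tcp'
              dport: {get_param: L2gwAgentManagerTableListeningPort}
          - null
      # … unchanged: monitoring_subscription, config_settings, service_config_settings …
```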
|
|
|
@ -179,6 +179,9 @@ outputs:
|
|||
description: Role data for Neutron L3 agent
|
||||
value:
|
||||
service_name: neutron_l3
|
||||
firewall_rules:
|
||||
'106 neutron_l3 vrrp':
|
||||
proto: vrrp
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -210,9 +213,6 @@ outputs:
|
|||
- service_debug_unset
|
||||
- {get_param: Debug}
|
||||
- {get_param: NeutronL3AgentDebug}
|
||||
tripleo::neutron_l3::firewall_rules:
|
||||
'106 neutron_l3 vrrp':
|
||||
proto: vrrp
|
||||
-
|
||||
- if:
|
||||
- az_unset
|
||||
|
|
|
@ -173,6 +173,12 @@ outputs:
|
|||
description: Role data for Neutron openvswitch service
|
||||
value:
|
||||
service_name: neutron_ovs_agent
|
||||
firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'136 neutron gre networks':
|
||||
proto: 'gre'
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -196,12 +202,6 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
||||
tripleo::neutron_ovs_agent::firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'136 neutron gre networks':
|
||||
proto: 'gre'
|
||||
-
|
||||
if:
|
||||
- neutron_dvr_unset
|
||||
|
|
|
@ -116,10 +116,7 @@ outputs:
|
|||
service_name: neutron_ovs_dpdk_agent
|
||||
config_settings:
|
||||
map_merge:
|
||||
- map_replace:
|
||||
- get_attr: [NeutronOvsAgent, role_data, config_settings]
|
||||
- keys:
|
||||
tripleo::neutron_ovs_agent::firewall_rules: tripleo::neutron_ovs_dpdk_agent::firewall_rules
|
||||
- get_attr: [NeutronOvsAgent, role_data, config_settings]
|
||||
- nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
service_config_settings:
|
||||
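Review bot: Dropping the `map_replace` that renamed `tripleo::neutron_ovs_agent::firewall_rules` removes the only path by which this service carried the OVS agent's rules, and nothing in this hunk adds a `firewall_rules` entry for `neutron_ovs_dpdk_agent`. Unless it is added elsewhere in this file outside the hunk, a role where this service stands in for the plain OVS agent would no longer open the VXLAN and GRE tunnel rules the agent section declares. Re-export them from the base resource with `firewall_rules: {get_attr: [NeutronOvsAgent, role_data, firewall_rules]}` under `value:`, next to `service_name:`. The `value:` mapping begins outside the hunk.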
|
|
|
@ -146,17 +146,17 @@ outputs:
|
|||
description: Role data for the Nova API role.
|
||||
value:
|
||||
service_name: nova_api
|
||||
firewall_rules:
|
||||
'113 nova_api':
|
||||
dport:
|
||||
- 8774
|
||||
- 13774
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [NovaBase, role_data, config_settings]
|
||||
- get_attr: [NovaApiLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
tripleo::nova_api::firewall_rules:
|
||||
'113 nova_api':
|
||||
dport:
|
||||
- 8774
|
||||
- 13774
|
||||
nova::keystone::authtoken::project_name: 'service'
|
||||
nova::keystone::authtoken::user_domain_name: 'Default'
|
||||
nova::keystone::authtoken::project_domain_name: 'Default'
|
||||
|
|
|
@ -351,6 +351,12 @@ outputs:
|
|||
description: Role data for the Libvirt service.
|
||||
value:
|
||||
service_name: nova_libvirt
|
||||
firewall_rules:
|
||||
'200 nova_libvirt':
|
||||
dport:
|
||||
- 16514
|
||||
- '61152-61215'
|
||||
- '5900-6923'
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -395,12 +401,6 @@ outputs:
|
|||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
|
||||
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
|
||||
tripleo::nova_libvirt::firewall_rules:
|
||||
'200 nova_libvirt':
|
||||
dport:
|
||||
- 16514
|
||||
- '61152-61215'
|
||||
- '5900-6923'
|
||||
-
|
||||
if:
|
||||
- use_tls_for_live_migration
|
||||
|
|
|
@ -119,6 +119,11 @@ outputs:
|
|||
description: Role data for the Nova Metadata service.
|
||||
value:
|
||||
service_name: nova_metadata
|
||||
firewall_rules:
|
||||
'139 nova_metadata':
|
||||
dport:
|
||||
- 8775
|
||||
- 13775
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -126,12 +131,7 @@ outputs:
|
|||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
- get_attr: [NovaMetadataLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
- tripleo::nova_metadata::firewall_rules:
|
||||
'139 nova_metadata':
|
||||
dport:
|
||||
- 8775
|
||||
- 13775
|
||||
nova::keystone::authtoken::project_name: 'service'
|
||||
- nova::keystone::authtoken::project_name: 'service'
|
||||
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
||||
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
||||
|
|
|
@ -88,6 +88,10 @@ outputs:
|
|||
description: Role data for the Nova Migration Target service.
|
||||
value:
|
||||
service_name: nova_migration_target
|
||||
firewall_rules:
|
||||
'113 nova_migration_target':
|
||||
dport:
|
||||
- {get_param: MigrationSshPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [SshdBase, role_data, config_settings]
|
||||
|
@ -116,10 +120,6 @@ outputs:
|
|||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
tripleo::profile::base::sshd::port:
|
||||
- 22
|
||||
tripleo::nova_migration_target::firewall_rules:
|
||||
'113 nova_migration_target':
|
||||
dport:
|
||||
- {get_param: MigrationSshPort}
|
||||
puppet_config:
|
||||
config_volume: nova_libvirt
|
||||
step_config:
|
||||
|
|
|
@ -123,6 +123,11 @@ outputs:
|
|||
description: Role data for the Nova Vncproxy service.
|
||||
value:
|
||||
service_name: nova_vnc_proxy
|
||||
firewall_rules:
|
||||
'137 nova_vnc_proxy':
|
||||
dport:
|
||||
- 6080
|
||||
- 13080
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [NovaLogging, config_settings]}
|
||||
|
@ -141,11 +146,6 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
tripleo::nova_vnc_proxy::firewall_rules:
|
||||
'137 nova_vnc_proxy':
|
||||
dport:
|
||||
- 6080
|
||||
- 13080
|
||||
-
|
||||
if:
|
||||
- use_tls_for_vnc
|
||||
|
|
|
@ -94,6 +94,10 @@ outputs:
|
|||
description: Role data for the novajoin API role.
|
||||
value:
|
||||
service_name: novajoin
|
||||
firewall_rules:
|
||||
'119 novajoin':
|
||||
dport:
|
||||
- 9090
|
||||
config_settings:
|
||||
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
|
||||
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
|
||||
|
@ -118,10 +122,6 @@ outputs:
|
|||
nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
|
||||
nova::metadata::novajoin::authtoken::project_name: 'service'
|
||||
tripleo::novajoin::firewall_rules:
|
||||
'119 novajoin':
|
||||
dport:
|
||||
- 9090
|
||||
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
|
|
|
@ -119,6 +119,11 @@ outputs:
|
|||
description: Role data for the Octavia API role.
|
||||
value:
|
||||
service_name: octavia_api
|
||||
firewall_rules:
|
||||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
- 13876
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -137,11 +142,6 @@ outputs:
|
|||
octavia::api::sync_db: true
|
||||
octavia::api::service_name: 'httpd'
|
||||
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||
tripleo::octavia_api::firewall_rules:
|
||||
'120 octavia api':
|
||||
dport:
|
||||
- 9876
|
||||
- 13876
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
|
|
|
@ -78,16 +78,16 @@ outputs:
|
|||
description: Role data for the Octavia health-manager role.
|
||||
value:
|
||||
service_name: octavia_health_manager
|
||||
firewall_rules:
|
||||
'200 octavia health manager interface':
|
||||
proto: udp
|
||||
dport: 5555
|
||||
iniface: {get_param: OctaviaMgmtPortDevName}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OctaviaBase, role_data, config_settings]
|
||||
- octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
|
||||
tripleo::octavia_health_manager::firewall_rules:
|
||||
'200 octavia health manager interface':
|
||||
proto: udp
|
||||
dport: 5555
|
||||
iniface: {get_param: OctaviaMgmtPortDevName}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
tripleo_logging_sources_octavia_health_manager:
|
||||
|
|
|
@ -125,6 +125,13 @@ outputs:
|
|||
description: Role data for the Ovn Controller agent.
|
||||
value:
|
||||
service_name: ovn_controller
|
||||
firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'119 neutron geneve networks':
|
||||
proto: 'udp'
|
||||
dport: 6081
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
|
@ -139,13 +146,6 @@ outputs:
|
|||
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
|
||||
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
||||
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
|
||||
tripleo::ovn_controller::firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
proto: 'udp'
|
||||
dport: 4789
|
||||
'119 neutron geneve networks':
|
||||
proto: 'udp'
|
||||
dport: 6081
|
||||
- if:
|
||||
- force_config_drive
|
||||
- nova::compute::force_config_drive: true
|
||||
|
|
|
@ -58,6 +58,12 @@ outputs:
|
|||
description: Role data for the OVN Dbs role.
|
||||
value:
|
||||
service_name: ovn_dbs
|
||||
firewall_rules:
|
||||
'121 OVN DB server ports':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
||||
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
||||
|
@ -68,12 +74,6 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
tripleo::haproxy::ovn_dbs_manage_lb: true
|
||||
tripleo::ovn_dbs::firewall_rules:
|
||||
'121 OVN DB server ports':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
# puppet_config is not required for this service since we configure
|
||||
# the NB and SB DB servers to listen on the proper IP address/port
|
||||
|
|
|
@ -101,6 +101,14 @@ outputs:
|
|||
description: Role data for the OVN Dbs HA role.
|
||||
value:
|
||||
service_name: ovn_dbs
|
||||
firewall_rules:
|
||||
'121 OVN DB server ports':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
# Control port for pcmk remote bundle
|
||||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OVNDbsBase, role_data, config_settings]
|
||||
|
@ -116,14 +124,6 @@ outputs:
|
|||
- tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli}
|
||||
- tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout}
|
||||
- tripleo::haproxy::ovn_dbs_manage_lb: false
|
||||
- tripleo::ovn_dbs::firewall_rules:
|
||||
'121 OVN DB server ports':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
# Control port for pcmk remote bundle
|
||||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
|
|
|
@ -44,9 +44,6 @@ resources:
|
|||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
# We import from the corresponding docker service because otherwise we risk
|
||||
# rewriting the tripleo::mysql::firewall_rules key with the baremetal firewall
|
||||
# rules (see LP#1728918)
|
||||
MysqlPuppetBase:
|
||||
type: ../database/mysql-pacemaker-puppet.yaml
|
||||
properties:
|
||||
|
|
|
@ -89,13 +89,13 @@ outputs:
|
|||
description: Role data for the Pacemaker remote role.
|
||||
value:
|
||||
service_name: pacemaker_remote
|
||||
firewall_rules:
|
||||
'130 pacemaker_remote tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 3121
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
|
||||
config_settings:
|
||||
tripleo::pacemaker_remote::firewall_rules:
|
||||
'130 pacemaker_remote tcp':
|
||||
proto: 'tcp'
|
||||
dport:
|
||||
- 3121
|
||||
tripleo::fencing::config: {get_param: FencingConfig}
|
||||
tripleo::fencing::deep_compare: true
|
||||
enable_fencing: {get_param: EnableFencing}
|
||||
|
|
|
@ -110,16 +110,16 @@ outputs:
|
|||
description: Role data for the Placement API role.
|
||||
value:
|
||||
service_name: placement
|
||||
firewall_rules:
|
||||
'138 placement':
|
||||
dport:
|
||||
- 8778
|
||||
- 13778
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [PlacementLogging, config_settings]
|
||||
- apache::default_vhost: false
|
||||
- tripleo::placement::firewall_rules:
|
||||
'138 placement':
|
||||
dport:
|
||||
- 8778
|
||||
- 13778
|
||||
placement::keystone::authtoken::project_name: 'service'
|
||||
- placement::keystone::authtoken::project_name: 'service'
|
||||
placement::keystone::authtoken::password: {get_param: PlacementPassword}
|
||||
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||
|
|
|
@ -62,16 +62,16 @@ outputs:
|
|||
description: Role data for the qdrouterd service.
|
||||
value:
|
||||
service_name: rabbitmq
|
||||
firewall_rules:
|
||||
'109 qdr':
|
||||
dport:
|
||||
- {get_param: RabbitClientPort}
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
||||
global_config_settings:
|
||||
messaging_notify_service_name: 'amqp'
|
||||
messaging_rpc_service_name: 'amqp'
|
||||
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
||||
config_settings:
|
||||
tripleo::rabbitmq::firewall_rules:
|
||||
'109 qdr':
|
||||
dport:
|
||||
- {get_param: RabbitClientPort}
|
||||
qdr::listener_addr:
|
||||
str_replace:
|
||||
template:
|
||||
|
|
|
@ -107,6 +107,12 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: rabbitmq
|
||||
firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
|
||||
# RabbitMQ plugins initialization occurs on every node
|
||||
config_settings:
|
||||
|
@ -116,12 +122,6 @@ outputs:
|
|||
rabbitmq::default_user: {get_param: RabbitUserName}
|
||||
rabbitmq::default_pass: {get_param: RabbitPassword}
|
||||
rabbit_ipv6: {get_param: RabbitIPv6}
|
||||
tripleo::rabbitmq::firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
rabbitmq::delete_guest_user: false
|
||||
rabbitmq::wipe_db_on_cookie_change: true
|
||||
rabbitmq::port: 5672
|
||||
|
|
|
@ -89,6 +89,12 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: oslo_messaging_notify
|
||||
firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- {get_param: NotifyPort}
|
||||
- 25672
|
||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||
# RabbitMQ plugins initialization occurs on every node
|
||||
global_config_settings:
|
||||
|
@ -104,12 +110,6 @@ outputs:
|
|||
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
||||
- rabbitmq::default_user: {get_param: NotifyUserName}
|
||||
rabbitmq::default_pass: {get_param: NotifyPassword}
|
||||
tripleo::oslo_messaging_notify::firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- {get_param: NotifyPort}
|
||||
- 25672
|
||||
rabbitmq::port: {get_param: NotifyPort}
|
||||
rabbitmq::interface:
|
||||
str_replace:
|
||||
|
|
|
@ -81,6 +81,13 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
||||
firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -95,13 +102,6 @@ outputs:
|
|||
- 'pcmklatest'
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||
tripleo::oslo_messaging_notify::firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -81,6 +81,13 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: rabbitmq
|
||||
firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -95,13 +102,6 @@ outputs:
|
|||
- 'pcmklatest'
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||
tripleo::rabbitmq::firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -90,6 +90,12 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: oslo_messaging_rpc
|
||||
firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- {get_param: RpcPort}
|
||||
- 25672
|
||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||
global_config_settings:
|
||||
map_merge:
|
||||
|
@ -104,12 +110,6 @@ outputs:
|
|||
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
||||
- rabbitmq::default_user: {get_param: RpcUserName}
|
||||
rabbitmq::default_pass: {get_param: RpcPassword}
|
||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
||||
'109 rabbitmq':
|
||||
dport:
|
||||
- 4369
|
||||
- {get_param: RpcPort}
|
||||
- 25672
|
||||
rabbitmq::port: {get_param: RpcPort}
|
||||
rabbitmq::interface:
|
||||
str_replace:
|
||||
|
|
|
@ -81,6 +81,13 @@ outputs:
|
|||
description: Role data for the Rabbitmq API role.
|
||||
value:
|
||||
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
||||
firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -95,13 +102,6 @@ outputs:
|
|||
- 'pcmklatest'
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
||||
'109 rabbitmq-bundle':
|
||||
dport:
|
||||
- 3122
|
||||
- 4369
|
||||
- 5672
|
||||
- 25672
|
||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -62,9 +62,6 @@ outputs:
|
|||
description: Role data for the RHSM service.
|
||||
value:
|
||||
service_name: rhsm
|
||||
config_settings:
|
||||
tripleo::rhsm::firewall_rules: {}
|
||||
step_config: ''
|
||||
host_prep_tasks:
|
||||
- name: Red Hat Subscription Management configuration during deployment
|
||||
import_role:
|
||||
|
|
|
@ -86,6 +86,11 @@ outputs:
|
|||
description: Role data for the Sahara API role.
|
||||
value:
|
||||
service_name: sahara_api
|
||||
firewall_rules:
|
||||
'132 sahara':
|
||||
dport:
|
||||
- 8386
|
||||
- 13386
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -105,11 +110,6 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SaharaApiNetwork]}
|
||||
tripleo::sahara_api::firewall_rules:
|
||||
'132 sahara':
|
||||
dport:
|
||||
- 8386
|
||||
- 13386
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
tripleo_logging_sources_sahara_api:
|
||||
|
|
|
@ -56,19 +56,14 @@ outputs:
|
|||
description: Role data for Skydive services.
|
||||
value:
|
||||
service_name: skydive_analyzer
|
||||
firewall_rules:
|
||||
'150 skydive_analyzer':
|
||||
dport:
|
||||
- 8082
|
||||
- 12379
|
||||
- 12380
|
||||
upgrade_tasks: []
|
||||
puppet_config:
|
||||
config_image: ''
|
||||
config_volume: ''
|
||||
step_config: ''
|
||||
docker_config: {}
|
||||
config_settings:
|
||||
tripleo::skydive_analyzer::firewall_rules:
|
||||
'150 skydive_analyzer':
|
||||
dport:
|
||||
- 8082
|
||||
- 12379
|
||||
- 12380
|
||||
external_deploy_tasks:
|
||||
- name: Skydive deployment
|
||||
when: step|int == 5
|
||||
|
|
|
@ -61,31 +61,31 @@ outputs:
|
|||
description: Role data for the SNMP services
|
||||
value:
|
||||
service_name: snmp
|
||||
firewall_rules:
|
||||
if:
|
||||
- snmpd_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, SnmpdNetwork]}
|
||||
template:
|
||||
'124 snmp <%net_cidr%>':
|
||||
dport: 161
|
||||
proto: 'udp'
|
||||
source: <%net_cidr%>
|
||||
- '124 snmp':
|
||||
dport: 161
|
||||
proto: 'udp'
|
||||
source: {get_param: SnmpdIpSubnet}
|
||||
config_settings:
|
||||
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
|
||||
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
||||
snmp::agentaddress: {get_param: SnmpdBindHost}
|
||||
snmp::snmpd_options: {get_param: SnmpdOptions}
|
||||
tripleo::snmp::firewall_rules:
|
||||
if:
|
||||
- snmpd_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, SnmpdNetwork]}
|
||||
template:
|
||||
'124 snmp <%net_cidr%>':
|
||||
dport: 161
|
||||
proto: 'udp'
|
||||
source: <%net_cidr%>
|
||||
- '124 snmp':
|
||||
dport: 161
|
||||
proto: 'udp'
|
||||
source: {get_param: SnmpdIpSubnet}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::snmp
|
||||
upgrade_tasks:
|
||||
|
|
|
@ -75,24 +75,22 @@ outputs:
|
|||
description: Role data for the ssh
|
||||
value:
|
||||
service_name: sshd
|
||||
if:
|
||||
- {get_param: SshFirewallAllowAll}
|
||||
- firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
config_settings:
|
||||
map_merge:
|
||||
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
||||
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
||||
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
||||
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
||||
- if:
|
||||
- {get_param: SshFirewallAllowAll}
|
||||
- tripleo::sshd::firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- tripleo::sshd::firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
|
||||
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
||||
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
||||
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
||||
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::sshd
|
||||
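Review bot: In the new `value:` block the `if:` appears to sit beside `service_name: sshd` rather than under a `firewall_rules:` key; indentation is lost in this rendering, so this is inferred from line order. Heat only evaluates an intrinsic when it is the sole key of its mapping, so an `if` key with siblings is passed through literally and `role_data` would then carry no `firewall_rules` for sshd at all, leaving `SshFirewallAllowAll` without effect under the new role. If that is the layout, nest the conditional under the key and let each branch yield the rule mapping directly: `firewall_rules:` / `if:` / `- {get_param: SshFirewallAllowAll}` followed by the two `'003 accept ssh from all'` mappings. Whether the tripleo-firewall role honours `extras: ensure: 'absent'` the way the puppet provider did is not visible here and is worth confirming before the old `tripleo::sshd::firewall_rules` path is dropped.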
|
|
|
@ -126,6 +126,11 @@ outputs:
|
|||
description: Role data for the swift proxy.
|
||||
value:
|
||||
service_name: swift_proxy
|
||||
firewall_rules:
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
- 13808
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
|
||||
config_settings:
|
||||
map_merge:
|
||||
|
@ -160,11 +165,6 @@ outputs:
|
|||
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
|
||||
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL}
|
||||
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
|
||||
tripleo::swift_proxy::firewall_rules:
|
||||
'122 swift proxy':
|
||||
dport:
|
||||
- 8080
|
||||
- 13808
|
||||
swift::proxy::keystone::operator_roles:
|
||||
- admin
|
||||
- swiftoperator
|
||||
|
|
|
@ -128,6 +128,13 @@ outputs:
|
|||
description: Role data for the swift storage services.
|
||||
value:
|
||||
service_name: swift_storage
|
||||
firewall_rules:
|
||||
'123 swift storage':
|
||||
dport:
|
||||
- 873
|
||||
- 6000
|
||||
- 6001
|
||||
- 6002
|
||||
config_settings:
|
||||
map_merge:
|
||||
- {get_attr: [SwiftBase, role_data, config_settings]}
|
||||
|
@ -135,13 +142,6 @@ outputs:
|
|||
# swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
|
||||
- swift::storage::all::mount_check: false
|
||||
tripleo::profile::base::swift::storage::use_local_dir: {get_param: SwiftUseLocalDir}
|
||||
tripleo::swift_storage::firewall_rules:
|
||||
'123 swift storage':
|
||||
dport:
|
||||
- 873
|
||||
- 6000
|
||||
- 6001
|
||||
- 6002
|
||||
swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
||||
swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
||||
swift::storage::all::object_pipeline:
|
||||
|
|
|
@ -76,15 +76,13 @@ outputs:
|
|||
description: Role ptp using commposable services.
|
||||
value:
|
||||
service_name: ptp
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
- tripleo::ptp::firewall_rules:
|
||||
'151 ptp':
|
||||
proto: udp
|
||||
dport:
|
||||
- 319
|
||||
- 320
|
||||
firewall_rules:
|
||||
'151 ptp':
|
||||
proto: udp
|
||||
dport:
|
||||
- 319
|
||||
- 320
|
||||
config_settings: {get_attr: [RoleParametersValue, value]}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::time::ptp
|
||||
upgrade_tasks:
|
||||
|
|
|
@ -101,12 +101,10 @@ outputs:
|
|||
description: Role chrony using composable timesync services.
|
||||
value:
|
||||
service_name: chrony
|
||||
config_settings:
|
||||
tripleo::ntp::firewall_rules:
|
||||
'105 ntp':
|
||||
dport: 123
|
||||
proto: udp
|
||||
step_config: ''
|
||||
firewall_rules:
|
||||
'105 ntp':
|
||||
dport: 123
|
||||
proto: udp
|
||||
host_prep_tasks:
|
||||
- name: Populate service facts (chrony)
|
||||
service_facts: # needed to make yaml happy
|
||||
|
|
|
@ -0,0 +1,177 @@
|
|||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
TripleO Firewall settings
|
||||
|
||||
parameters:
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
ExtraFirewallRules:
|
||||
default: {}
|
||||
description: Mapping of firewall rules.
|
||||
type: json
|
||||
|
||||
conditions:
|
||||
no_ctlplane:
|
||||
equals:
|
||||
- get_params: [ServiceData, net_cidr_map, ctlplane]
|
||||
- Null
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the TripleO firewall settings
|
||||
value:
|
||||
service_name: tripleo_firewall
|
||||
config_settings:
|
||||
tripleo::firewall::manage_firewall: false
|
||||
tripleo::firewall::purge_firewall_rules: false
|
||||
firewall_rules:
|
||||
map_merge:
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||
template:
|
||||
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- {get_param: ExtraFirewallRules}
|
||||
host_prep_tasks:
|
||||
- if:
|
||||
- no_ctlplane
|
||||
- name: Failure - ctlplane subnet is unset
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- name: Notice - ctlplane subnet is set
|
||||
debug:
|
||||
msg: |
|
||||
CIDRs found in the ctlplane network tags.
|
||||
deploy_steps_tasks:
|
||||
- when:
|
||||
- (step|int) == 0
|
||||
block:
|
||||
- name: create iptables service
|
||||
copy:
|
||||
dest: /etc/systemd/system/tripleo-iptables.service
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Initialize iptables
|
||||
Before=iptables.service
|
||||
AssertPathExists=/etc/sysconfig/iptables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/iptables -t raw -nL
|
||||
Environment=BOOTUP=serial
|
||||
Environment=CONSOLETYPE=serial
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
[Install]
|
||||
WantedBy=basic.target
|
||||
- name: create ip6tables service
|
||||
copy:
|
||||
dest: /etc/systemd/system/tripleo-ip6tables.service
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Initialize ip6tables
|
||||
Before=ip6tables.service
|
||||
AssertPathExists=/etc/sysconfig/ip6tables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/ip6tables -t raw -nL
|
||||
Environment=BOOTUP=serial
|
||||
Environment=CONSOLETYPE=serial
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
[Install]
|
||||
WantedBy=basic.target
|
||||
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
name: tripleo-iptables.service
|
||||
- name: enable tripleo-ip6tables service
|
||||
systemd:
|
||||
enabled: yes
|
||||
name: tripleo-ip6tables.service
|
||||
upgrade_tasks:
|
||||
- when:
|
||||
- (step | int) == 3
|
||||
block:
|
||||
- name: blank ipv6 rule before activating ipv6 firewall.
|
||||
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
||||
args:
|
||||
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
||||
- name: cleanup unmanaged rules pushed by iptables-services
|
||||
shell: |
|
||||
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -p icmp -j ACCEPT
|
||||
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -i lo -j ACCEPT
|
||||
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
|
||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||
|
||||
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
||||
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -i lo -j ACCEPT
|
||||
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
||||
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
||||
|
||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
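Review bot: The `no_ctlplane` condition uses `get_params`, which is not a Heat intrinsic (the function is `get_param`), so the `equals` either compares against a literal mapping and can never be true, or fails template validation; either way the `Failure - ctlplane subnet is unset` task cannot do its job. Change the line to `- get_param: [ServiceData, net_cidr_map, ctlplane]`. Separately, `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy spellings; write `true` for both. The `ExtraFirewallRules` description (`Mapping of firewall rules.`) should state the merge semantics a user needs, e.g. `description: Mapping of additional firewall rules, keyed by rule name. Entries are merged after the service-provided rules and override a rule with the same key.`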
@ -116,6 +116,13 @@ outputs:
|
|||
description: Role data for the Zaqar API role.
|
||||
value:
|
||||
service_name: zaqar_api
|
||||
firewall_rules:
|
||||
'113 zaqar_api':
|
||||
dport:
|
||||
- 9000
|
||||
- 8888
|
||||
- 3000 #SSL for websocket
|
||||
- 13888 #SSL for api
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||
|
@ -228,13 +235,6 @@ outputs:
|
|||
zaqar::keystone::auth_websocket::tenant: 'service'
|
||||
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
|
||||
zaqar::keystone::trust::user_domain_name: 'Default'
|
||||
tripleo::zaqar_api::firewall_rules:
|
||||
'113 zaqar_api':
|
||||
dport:
|
||||
- 9000
|
||||
- 8888
|
||||
- 3000 #SSL for websocket
|
||||
- 13888 #SSL for api
|
||||
-
|
||||
if:
|
||||
- zaqar_management_store_sqlalchemy
|
||||
|
|
|
@ -271,7 +271,7 @@ resource_registry:
|
|||
OS::TripleO::Services::IronicPxe: OS::Heat::None
|
||||
OS::TripleO::Services::IronicNeutronAgent: OS::Heat::None
|
||||
OS::TripleO::Services::NovaIronic: OS::Heat::None
|
||||
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
|
||||
OS::TripleO::Services::TripleoPackages: deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml
|
||||
OS::TripleO::Services::OpenStackClients: OS::Heat::None
|
||||
OS::TripleO::Services::TLSProxyBase: OS::Heat::None
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
features:
|
||||
- TripleO will now configure `iptables` using the TripleO-Ansible role,
|
||||
**tripleo-firewall**. This role implements all of the same interfaces
|
||||
and behaviors as the puppet manifest.
|
||||
- A new parameter has been added, `ExtraFirewallRules`. This parameter
|
||||
provides a user interface to configure additional `iptables` rules.
|
||||
deprecations:
|
||||
- The heat template `tripleo-firewall-baremetal-puppet.yaml` has been
|
||||
deprecated. While this template can still be used to configure the
|
||||
TripleO-Firewall service, it is no longer preferred and will be removed
|
||||
in a future release.
|
||||
- Configuring firewall rules with extraconfig is no longer being supported.
|
||||
All firewall rules should be converted such that they're set within the
|
||||
user defined parameter `ExtraFirewallRules`.
|