Convert firewall rules to use TripleO-Ansible

This change converts our firewall deployment practice to use
the tripleo-ansible firewall role. This change creates a new
"firewall_rules" object which is queried using YAQL from the
"FirewallRules" resource.

A new parameter has been added allowing users to input
additional firewall rules as needed. The new parameter is
`ExtraFirewallRules` and will be merged on top of the YAQL
interface.

Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed
Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
Kevin Carter 2019-08-19 10:38:24 -05:00
parent c7f19f0bd2
commit 50367fbe35
86 changed files with 832 additions and 675 deletions


@ -30,9 +30,8 @@ outputs:
description: Role data for the multinode firewall configuration
value:
service_name: multinode_core
config_settings:
tripleo::core::firewall_rules:
'999 core':
proto: 'udp'
dport:
- 4789
firewall_rules:
'999 core':
proto: 'udp'
dport:
- 4789


@ -341,6 +341,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
FirewallRules:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}
outputs:
role_data:
@ -381,4 +391,11 @@ outputs:
map_merge:
- {get_attr: [ContainerPuppetTasks, value]}
- {get_attr: [DockerPuppetTasks, value]}
host_prep_tasks: {get_attr: [HostPrepTasks, value]}
host_prep_tasks:
list_concat:
- - name: Run firewall role
include_role:
name: tripleo-firewall
vars:
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
- {get_attr: [HostPrepTasks, value]}
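Review bot: The `include_role` for tripleo-firewall that this hunk prepends to `host_prep_tasks` runs unconditionally, while `ManageFirewall` and `PurgeFirewallRules` are still only exported to Puppet as `tripleo::firewall::*` hiera in the tripleo_firewall service; unless the role reads those hiera keys itself (the role lives in the Depends-On change and is not visible here), a deployment that sets ManageFirewall to false would still get rules applied by Ansible. Consider gating the task once the role's interface is confirmed, e.g. passing the parameter through as a role var next to `tripleo_firewall_rules` or adding a `when:` on it. In the same file, `FirewallRules` now collapses every service's rules into one flat map with `map_merge`, so two services that emit the same rule key silently overwrite each other where the old per-service `tripleo::<service>::firewall_rules` hiera keys kept them apart; a comment on the resource stating that rule keys must be unique across services, or a yaql duplicate-key check, would make that contract visible. The `ExtraFirewallRules` merge described in the commit message does not appear in this hunk.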


@ -91,6 +91,11 @@ outputs:
description: Role data for the aodh API role.
value:
service_name: aodh_api
firewall_rules:
'128 aodh-api':
dport:
- 8042
- 13042
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:
@ -109,11 +114,6 @@ outputs:
aodh::api::enable_proxy_headers_parsing: true
aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo::aodh_api::firewall_rules:
'128 aodh-api':
dport:
- 8042
- 13042
aodh::api::host:
str_replace:
template:


@ -187,6 +187,11 @@ outputs:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -245,11 +250,6 @@ outputs:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
tripleo::barbican_api::firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
service_config_settings:
mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}


@ -103,6 +103,14 @@ outputs:
description: Role data for the Ceph Dashboard service.
value:
service_name: ceph_grafana
firewall_rules:
'123 ceph_dashboard':
dport:
- 3100
- 9090
- 9093
- 9094
- 9100
upgrade_tasks: []
puppet_config:
config_image: ''


@ -66,6 +66,15 @@ outputs:
description: Role data for the Ceph Metadata service.
value:
service_name: ceph_mds
firewall_rules:
'112 ceph_mds':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@ -88,15 +97,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mds::firewall_rules:
'112 ceph_mds':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
- {}


@ -76,6 +76,15 @@ outputs:
description: Role data for the Ceph Manager service.
value:
service_name: ceph_mgr
firewall_rules:
'113 ceph_mgr':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '8443'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@ -98,15 +107,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mgr::firewall_rules:
'113 ceph_mgr':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '8443'
- []
- {}


@ -80,6 +80,16 @@ outputs:
description: Role data for the Ceph Monitor service.
value:
service_name: ceph_mon
firewall_rules:
'110 ceph_mon':
dport:
list_concat:
- - 6789
- - 3300
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@ -102,16 +112,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mon::firewall_rules:
'110 ceph_mon':
dport:
list_concat:
- - 6789
- - 3300
- if:
- dashboard_enabled
- - '9100'
- []
- {}
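Review bot: The `dport` list in `'110 ceph_mon'` mixes integer entries (`6789`, `3300`) with a quoted string (`'9100'`), and `list_concat` is handed two single-element lists where one list `- - 6789` followed by `- 3300` would do. Puppet tolerated the mixed scalar types, but these values now flow into an Ansible role whose port handling is not visible here, so normalising to one type (for example `9100` unquoted like its neighbours, or every port as a string as the `'6800-7300'` ranges already are) avoids a templating surprise. The same int/string mix appears in the other Ceph service templates in this change.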


@ -66,6 +66,11 @@ outputs:
description: Role data for the Ceph NFS Ganesha service.
value:
service_name: ceph_nfs
firewall_rules:
'120 ceph_nfs':
dport:
# We support only NFS 4.1 to start
- 2049
upgrade_tasks: []
step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
puppet_config:
@ -90,11 +95,3 @@ outputs:
content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_nfs::firewall_rules:
'120 ceph_nfs':
dport:
# We support only NFS 4.1 to start
- 2049
- {}


@ -69,6 +69,15 @@ outputs:
description: Role data for the Ceph OSD service.
value:
service_name: ceph_osd
firewall_rules:
'111 ceph_osd':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks:
- name: Check legacy Ceph hieradata
tags: validation
@ -95,15 +104,3 @@ outputs:
content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_osd::firewall_rules:
'111 ceph_osd':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
- {}


@ -82,6 +82,10 @@ outputs:
description: Role data for the Ceph RBD Mirror service.
value:
service_name: ceph_rbdmirror
firewall_rules:
'114 ceph_rbdmirror':
dport:
- '6800-7300'
upgrade_tasks: []
puppet_config:
config_image: ''
@ -104,10 +108,3 @@ outputs:
content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_rbdmirror::firewall_rules:
'114 ceph_rbdmirror':
dport:
- '6800-7300'
- {}


@ -76,6 +76,15 @@ outputs:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@ -98,18 +107,6 @@ outputs:
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_rgw::firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
- {}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}


@ -118,6 +118,11 @@ outputs:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
@ -143,11 +148,6 @@ outputs:
DEFAULT/swift_catalog_info:
value: 'object-store:swift:internalURL'
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
tripleo::cinder_api::firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
cinder::api::bind_host:
str_replace:
template:


@ -198,6 +198,9 @@ outputs:
description: Role data for the Cinder Volume role.
value:
service_name: cinder_volume
firewall_rules:
'120 iscsi initiator':
dport: 3260
monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
config_settings:
map_merge:
@ -226,9 +229,6 @@ outputs:
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
tripleo::cinder_volume::firewall_rules:
'120 iscsi initiator':
dport: 3260
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP


@ -68,6 +68,15 @@ outputs:
description: Service MySQL using composable services.
value:
service_name: mysql
firewall_rules:
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
config_settings:
map_merge:
-
@ -79,15 +88,6 @@ outputs:
mysql::server::package_name: 'mariadb-galera-server'
mysql::server::manage_config_file: true
mysql_ipv6: {get_param: MysqlIPv6}
tripleo::mysql::firewall_rules:
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql::server::root_password:
yaql:


@ -99,6 +99,16 @@ outputs:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
firewall_rules:
'104 mysql galera-bundle':
dport:
- 873
- 3123
- 3306
- 4444
- 4567
- 4568
- 9200
config_settings:
map_merge:
- get_attr: [MysqlBase, role_data, config_settings]
@ -131,16 +141,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
tripleo::mysql::firewall_rules:
'104 mysql galera-bundle':
dport:
- 873
- 3123
- 3306
- 4444
- 4567
- 4568
- 9200
tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
str_replace:
template:


@ -62,18 +62,18 @@ outputs:
description: Role data for the Redis API role.
value:
service_name: redis
firewall_rules:
'108 redis':
dport:
- 6379
- 26379
config_settings:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
- redis::daemonize: false
tripleo::stunnel::manage_service: false
tripleo::stunnel::foreground: 'yes'
- tripleo::redis::firewall_rules:
'108 redis':
dport:
- 6379
- 26379
tripleo::profile::base::database::redis::tls_proxy_bind_ip:
- tripleo::profile::base::database::redis::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"


@ -86,6 +86,12 @@ outputs:
description: Role data for the Redis API role.
value:
service_name: redis
firewall_rules:
'108 redis-bundle':
dport:
- 3124
- 6379
- 26379
config_settings:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
@ -101,12 +107,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
tripleo::redis::firewall_rules:
'108 redis-bundle':
dport:
- 3124
- 6379
- 26379
tripleo::stunnel::manage_service: false
tripleo::stunnel::foreground: 'yes'
tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:


@ -43,13 +43,11 @@ outputs:
description: Role data for the docker registry service
value:
service_name: docker_registry
config_settings:
tripleo::docker_registry::firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
step_config: ''
firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
host_prep_tasks:
- name: Install, Configure and Run Docker Distribution
block:


@ -43,21 +43,20 @@ outputs:
description: Role data for the Kubernetes Service
value:
service_name: kubernetes_master
config_settings:
tripleo::kubernetes_master::firewall_rules:
'200 kubernetes-master api':
dport: 6443
proto: tcp
'200 kubernetes-master etcd':
dport:
- 2379
- 2380
proto: tcp
'200 kubernetes-master flannel':
dport:
- 8285
- 8472
proto: udp
firewall_rules:
'200 kubernetes-master api':
dport: 6443
proto: tcp
'200 kubernetes-master etcd':
dport:
- 2379
- 2380
proto: tcp
'200 kubernetes-master flannel':
dport:
- 8285
- 8472
proto: udp
upgrade_tasks: []
step_config: ''
external_deploy_tasks:


@ -41,24 +41,22 @@ outputs:
# as workers. The actual installation is performed in
# kubernetes-master service template.
service_name: kubernetes_worker
config_settings:
tripleo::kubernetes_worker::firewall_rules:
'200 kubernetes-worker kubelet':
dport:
- 10250
- 10255
proto: tcp
'200 kubernetes-worker external services':
dport: '30000-32767'
'200 kubernetes-worker flannel':
dport:
- 8285
- 8472
proto: udp
'200 kubernetes-worker calico bgp':
dport: 179
proto: tcp
'200 kubernetes-worker calico ipv4-in-ip':
proto: ipv4
firewall_rules:
'200 kubernetes-worker kubelet':
dport:
- 10250
- 10255
proto: tcp
'200 kubernetes-worker external services':
dport: '30000-32767'
'200 kubernetes-worker flannel':
dport:
- 8285
- 8472
proto: udp
'200 kubernetes-worker calico bgp':
dport: 179
proto: tcp
'200 kubernetes-worker calico ipv4-in-ip':
proto: ipv4
upgrade_tasks: []
step_config: ''


@ -50,20 +50,19 @@ outputs:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
firewall_rules:
map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
config_settings:
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
tripleo::tripleo_firewall::firewall_rules:
map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
step_config: |
include ::tripleo::firewall
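Review bot: The SSH rule moves to the Ansible role, but `step_config` still includes `::tripleo::firewall` with `tripleo::firewall::purge_firewall_rules` driven by `PurgeFirewallRules`, so Puppet firewall management keeps running after the role has already written rules during host_prep. If the Puppet purge does not recognise rules written by the role (the naming/comment convention the role uses is not visible here), a deployment with `PurgeFirewallRules: true` could delete the Ansible-managed rules, including this `003 accept ssh from ctlplane subnet` rule, at step_config time. A comment on `step_config` stating which side owns purging, or confirmation that the role and `tripleo::firewall` agree on rule identity, would close that gap.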


@ -55,6 +55,11 @@ outputs:
description: Role data for the etcd role.
value:
service_name: etcd
firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
config_settings:
map_merge:
@ -80,11 +85,6 @@ outputs:
tripleo::profile::base::etcd::peer_port: '2380'
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
etcd::manage_package: false
tripleo::etcd::firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
etcd::manage_service: false
-
if:


@ -79,6 +79,11 @@ outputs:
description: Role data for the Designate API role.
value:
service_name: designate_api
firewall_rules:
'139 designate api':
dport:
- 9001
- 13001
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@ -94,11 +99,6 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::profile::base::designate::api::listen_port: 9001
tripleo::designate_api::firewall_rules:
'139 designate api':
dport:
- 9001
- 13001
-
if:
- designate_workers_zero


@ -80,6 +80,15 @@ outputs:
description: Role data for the Designate MDNS role.
value:
service_name: designate_mdns
firewall_rules:
'142 designate_mdns udp':
proto: 'udp'
dport:
- 5354
'143 designate_mdns tcp':
proto: 'tcp'
dport:
- 5354
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
config_settings:
map_merge:
@ -103,16 +112,6 @@ outputs:
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo
tripleo::designate_mdns::firewall_rules:
'142 designate_mdns udp':
proto: 'udp'
dport:
- 5354
'143 designate_mdns tcp':
proto: 'tcp'
dport:
- 5354
-
if:
- designate_workers_zero


@ -79,6 +79,17 @@ outputs:
description: Role data for the Designate Worker role.
value:
service_name: designate_worker
firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
config_settings:
map_merge:
@ -118,17 +129,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::designate_worker::firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
-
if:
- designate_workers_zero


@ -294,6 +294,11 @@ outputs:
description: Role data for the Glance API role.
value:
service_name: glance_api
firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@ -331,11 +336,6 @@ outputs:
- {get_param: Debug }
- {get_param: GlanceDebug }
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo::glance_api::firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
glance::api::authtoken::user_domain_name: 'Default'


@ -142,6 +142,11 @@ outputs:
description: Role data for the gnocchi API role.
value:
service_name: gnocchi_api
firewall_rules:
'129 gnocchi-api':
dport:
- 8041
- 13041
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@ -154,12 +159,7 @@ outputs:
- {}
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
- tripleo::gnocchi_api::firewall_rules:
'129 gnocchi-api':
dport:
- 8041
- 13041
gnocchi::api::enabled: true
- gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}


@ -80,14 +80,12 @@ outputs:
description: Role data for the Gnocchi API role.
value:
service_name: gnocchi_statsd
firewall_rules:
'140 gnocchi-statsd':
dport: 8125
proto: 'udp'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd}
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
- tripleo::gnocchi_statsd::firewall_rules:
'140 gnocchi-statsd':
dport: 8125
proto: 'udp'
config_settings: {get_attr: [GnocchiServiceBase, role_data, config_settings]}
service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -153,6 +153,9 @@ outputs:
description: Role data for the HAproxy role.
value:
service_name: haproxy
firewall_rules:
'107 haproxy stats':
dport: 1993
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
@ -161,9 +164,6 @@ outputs:
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
# when this is updated
tripleo::haproxy::crl_file: null
- tripleo::haproxy::firewall_rules:
'107 haproxy stats':
dport: 1993
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}


@ -100,17 +100,17 @@ outputs:
description: Role data for the Heat API CFN role.
value:
service_name: heat_api_cfn
firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- get_attr: [HeatApiCfnLogging, config_settings]
- apache::default_vhost: false
tripleo::heat_api_cfn::firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
heat::api_cfn::bind_host:
str_replace:
template:


@ -114,6 +114,11 @@ outputs:
description: Role data for the Heat API role.
value:
service_name: heat_api
firewall_rules:
'125 heat_api':
dport:
- 8004
- 13004
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@ -121,11 +126,6 @@ outputs:
- get_attr: [HeatApiLogging, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- apache::default_vhost: false
tripleo::heat_api::firewall_rules:
'125 heat_api':
dport:
- 8004
- 13004
heat::api::bind_host:
str_replace:
template:


@ -140,15 +140,15 @@ outputs:
description: Role data for the Horizon API role.
value:
service_name: horizon
firewall_rules:
'126 horizon':
dport:
- 80
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true


@ -43,13 +43,11 @@ outputs:
description: Role data for the image serve registry service
value:
service_name: docker_registry
config_settings:
tripleo::docker_registry::firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
step_config: ''
firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
host_prep_tasks:
- name: authorize httpd to listen on registry ports
seport:


@ -44,42 +44,40 @@ outputs:
description: Role data for the IPSEC service
value:
service_name: ipsec
config_settings:
tripleo::ipsec::firewall_rules:
'100 IPSEC IKE INPUT':
dport: 500
sport: 500
proto: udp
chain: INPUT
'100 IPSEC IKE OUTPUT':
dport: 500
sport: 500
proto: udp
chain: OUTPUT
'100 IPSEC IKE NAT-Traversal INPUT':
dport: 4500
sport: 4500
proto: udp
chain: INPUT
'100 IPSEC IKE NAT-Traversal OUTPUT':
dport: 4500
sport: 4500
proto: udp
chain: OUTPUT
'100 IPSEC ESP INPUT':
proto: esp
chain: INPUT
'100 IPSEC ESP OUTPUT':
proto: esp
chain: OUTPUT
'100 IPSEC Authentication Header INPUT':
proto: ah
chain: INPUT
'100 IPSEC Authentication Header OUTPUT':
proto: ah
chain: OUTPUT
firewall_rules:
'100 IPSEC IKE INPUT':
dport: 500
sport: 500
proto: udp
chain: INPUT
'100 IPSEC IKE OUTPUT':
dport: 500
sport: 500
proto: udp
chain: OUTPUT
'100 IPSEC IKE NAT-Traversal INPUT':
dport: 4500
sport: 4500
proto: udp
chain: INPUT
'100 IPSEC IKE NAT-Traversal OUTPUT':
dport: 4500
sport: 4500
proto: udp
chain: OUTPUT
'100 IPSEC ESP INPUT':
proto: esp
chain: INPUT
'100 IPSEC ESP OUTPUT':
proto: esp
chain: OUTPUT
'100 IPSEC Authentication Header INPUT':
proto: ah
chain: INPUT
'100 IPSEC Authentication Header OUTPUT':
proto: ah
chain: OUTPUT
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: IPSEC configuration on step 1
when: step|int == 1


@ -100,6 +100,11 @@ outputs:
description: Role data for the Ironic API role.
value:
service_name: ironic_api
firewall_rules:
'133 ironic api':
dport:
- 6385
- 13385
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@ -152,12 +157,6 @@ outputs:
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
tripleo::ironic_api::firewall_rules:
'133 ironic api':
dport:
- 6385
- 13385
- apache::default_vhost: false
service_config_settings:
keystone:


@ -275,6 +275,12 @@ outputs:
description: Role data for the Ironic Conductor role.
value:
service_name: ironic_conductor
firewall_rules:
'134 ironic conductor TFTP':
dport: 69
proto: udp
'135 ironic conductor HTTP':
dport: {get_param: IronicIPXEPort}
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
config_settings:
map_merge:
@ -367,12 +373,6 @@ outputs:
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
tripleo::ironic_conductor::firewall_rules:
'134 ironic conductor TFTP':
dport: 69
proto: udp
'135 ironic conductor HTTP':
dport: {get_param: IronicIPXEPort}
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
# ironic. It's used as a default value for e.g. TFTP server IP,
# glance and neutron endpoints, virtual console IP. We override


@ -181,6 +181,37 @@ outputs:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@ -219,37 +250,6 @@ outputs:
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
tripleo::ironic_inspector::firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
ironic::inspector::ironic_username: 'ironic'
ironic::inspector::ironic_password: {get_param: IronicPassword}
ironic::inspector::ironic_tenant_name: 'service'


@ -73,13 +73,13 @@ outputs:
description: Role data for the Keepalived role.
value:
service_name: keepalived
firewall_rules:
'106 keepalived vrrp':
proto: vrrp
monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived}
config_settings:
map_merge:
- tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio'
- tripleo::keepalived::firewall_rules:
'106 keepalived vrrp':
proto: vrrp
-
if:
- control_iface_empty
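Review bot: The unchanged context line `tripleo::keepalived:custom_vrrp_script:` has a single colon between `keepalived` and `custom_vrrp_script`, which looks like a typo for `tripleo::keepalived::custom_vrrp_script`; as written the hiera key would not bind to a class parameter of that name and the HAProxy health-check script would silently never be applied. This predates the commit, but the hunk already edits the adjacent lines of the same `map_merge` list, so it is a cheap fix to fold in; hedged because the consuming Puppet class is not visible here. The `if:` block that follows continues past the end of the hunk.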


@ -355,6 +355,12 @@ outputs:
description: Role data for the Keystone API role.
value:
service_name: keystone
firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
config_settings:
map_merge:
@ -449,12 +455,6 @@ outputs:
keystone::wsgi::apache::threads: 1
keystone::db::database_db_max_retries: -1
keystone::db::database_max_retries: -1
tripleo::keystone::firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples


@ -94,6 +94,11 @@ outputs:
description: Role data for the Manila API role.
value:
service_name: manila_api
firewall_rules:
'150 manila':
dport:
- 8786
- 13786
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
@ -105,11 +110,6 @@ outputs:
manila::keystone::authtoken::project_name: 'service'
manila::keystone::authtoken::user_domain_name: 'Default'
manila::keystone::authtoken::project_domain_name: 'Default'
tripleo::manila_api::firewall_rules:
'150 manila':
dport:
- 8786
- 13786
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):


@ -81,6 +81,31 @@ outputs:
description: Role data for the Memcached API role.
value:
service_name: memcached
firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
@ -113,31 +138,6 @@ outputs:
- 'v'
- ''
memcached::disable_cachedump: true
tripleo::memcached::firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
service_config_settings:
collectd:
tripleo.collectd.plugins.memcached:


@ -65,6 +65,15 @@ outputs:
description: Role data for the qdrouterd service.
value:
service_name: oslo_messaging_rpc
firewall_rules:
'109 qdrouterd':
dport:
- {get_param: RpcPort}
- 31459
- 31460
'109 qdr':
dport:
- {get_param: RpcPort}
global_config_settings:
oslo_messaging_rpc_scheme: amqp
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
@ -75,12 +84,6 @@ outputs:
messaging_rpc_service_name: 'amqp'
keystone::messaging::amqp::amqp_pre_settled: 'notify'
config_settings:
tripleo::oslo_messaging_rpc::firewall_rules:
'109 qdrouterd':
dport:
- {get_param: RpcPort}
- 31459
- 31460
qdr::listener_addr:
str_replace:
template:
@ -90,10 +93,6 @@ outputs:
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
tripleo::rabbitmq::firewall_rules:
'109 qdr':
dport:
- {get_param: RpcPort}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
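Review bot: The `'109 qdr'` rule opens only `RpcPort`, which `'109 qdrouterd'` in the same `firewall_rules` map already opens, so under the new flat map it is redundant. It previously lived under `tripleo::rabbitmq::firewall_rules`, presumably so the qdr port was opened through the rabbitmq hiera key when both messaging services coexisted on a node; that reason no longer applies now that every service's rules are merged into one map before reaching the role. Either drop the `'109 qdr'` entry or add a comment above it explaining why the duplicate is intentional.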


@ -149,6 +149,10 @@ outputs:
description: Role data for the metrics Qdr role.
value:
service_name: metrics-qdr
firewall_rules:
'109 metrics qdr':
dport:
- {get_param: MetricsQdrPort}
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
service_config_settings:
rsyslog:
@ -156,11 +160,7 @@ outputs:
- {get_param: MetricsQdrLoggingSource}
config_settings:
map_merge:
- tripleo::metrics_qdr::firewall_rules:
'109 metrics qdr':
dport:
- {get_param: MetricsQdrPort}
tripleo::profile::base::metrics::qdr::listener_addr:
- tripleo::profile::base::metrics::qdr::listener_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"


@ -88,6 +88,11 @@ outputs:
description: Role data for the Mistral API role.
value:
service_name: mistral_api
firewall_rules:
'133 mistral':
dport:
- 8989
- 13989
config_settings:
map_merge:
- get_attr: [MistralBase, role_data, config_settings]
@ -109,11 +114,6 @@ outputs:
mistral::policy::policies: {get_param: MistralApiPolicies}
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
mistral::api::allow_action_execution_deletion: true
tripleo::mistral_api::firewall_rules:
'133 mistral':
dport:
- 8989
- 13989
mistral::api::service_name: 'httpd'
mistral::wsgi::apache::bind_host:
str_replace:


@ -224,6 +224,11 @@ outputs:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
firewall_rules:
'114 neutron api':
dport:
- 9696
- 13696
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
@ -270,11 +275,6 @@ outputs:
neutron::server::sync_db: true
neutron::server::notifications::region_name: {get_param: KeystoneRegion}
neutron::server::placement::region_name: {get_param: KeystoneRegion}
tripleo::neutron_api::firewall_rules:
'114 neutron api':
dport:
- 9696
- 13696
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP


@ -79,6 +79,12 @@ parameters:
outputs:
role_data:
description: Role data for the Neutron Compute Nuage plugin
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'100 metadata agent':
dport: {get_param: NuageMetadataPort}
value:
service_name: neutron_compute_plugin_nuage
config_settings:
@ -96,11 +102,5 @@ outputs:
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
tripleo::neutron_compute_plugin_nuage::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'100 metadata agent':
dport: {get_param: NuageMetadataPort}
step_config: |
include ::tripleo::profile::base::neutron::agents::nuage
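Review bot: The new `firewall_rules` block at the top of this hunk is indented as a sibling of `description:` and `value:` under the `role_data` output rather than inside `value:`, so it is not part of the role_data mapping that the FirewallRules resource collects; the Nuage VXLAN and metadata-agent rules that the removed `tripleo::neutron_compute_plugin_nuage::firewall_rules` key carried would therefore never reach the firewall, and Heat may also reject `firewall_rules` as an unknown output key. Move the block under `value:` next to `service_name: neutron_compute_plugin_nuage`, indented one level deeper, as the other service templates in this change do. The `outputs` mapping continues outside the hunk.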


@ -180,6 +180,30 @@ outputs:
description: Role data for the Neutron DHCP role.
value:
service_name: neutron_dhcp
firewall_rules:
'115 neutron dhcp input':
ipversion: 'ipv4'
proto: 'udp'
dport: 67
'116 neutron dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'115 neutron dhcpv6 input':
ipversion: 'ipv6'
proto: 'udp'
dport: 547
'116 neutron dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'116 neutron dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
config_settings:
map_merge:
@ -209,30 +233,6 @@ outputs:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronDhcpAgentDebug}
tripleo::neutron_dhcp::firewall_rules:
'115 neutron dhcp input':
ipversion: 'ipv4'
proto: 'udp'
dport: 67
'116 neutron dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'115 neutron dhcpv6 input':
ipversion: 'ipv6'
proto: 'udp'
dport: 547
'116 neutron dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'116 neutron dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
- if:
- internal_tls_enabled
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'


@ -82,29 +82,26 @@ outputs:
description: Role data for the L2 Gateway role.
value:
service_name: neutron_l2gw_agent
if:
- internal_manager_enabled
- firewall_rules:
'142 neutron l2gw agent input':
proto: 'tcp'
dport: {get_param: L2gwAgentManagerTableListeningPort}
- null
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent}
config_settings:
map_merge:
- neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
neutron::agents::l2gw::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL2gwAgentDebug}
-
if:
- internal_manager_enabled
- tripleo::neutron_l2gw_agent::firewall_rules:
'142 neutron l2gw agent input':
proto: 'tcp'
dport: {get_param: L2gwAgentManagerTableListeningPort}
- null
neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
neutron::agents::l2gw::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL2gwAgentDebug}
service_config_settings:
rsyslog:
tripleo_logging_sources_neutron_l2gw_agent:
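Review bot: The `if:` added directly under `value:` sits beside `service_name` and `monitoring_subscription` instead of being the sole key of its own mapping, so Heat would most likely treat it as a literal key named `if` rather than evaluate the conditional; the output would then carry no `firewall_rules` and the L2gwAgentManagerTableListeningPort rule would not be applied when the manager is enabled. Nest the conditional under the rule key instead, `firewall_rules:` / `if:` / `- internal_manager_enabled` (followed by the existing rule mapping and `null`), which is the shape the snmp template in this change already uses. The sshd template in this change has the same problem with its `SshFirewallAllowAll` conditional. The role_data `value` mapping continues past this hunk.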


@ -179,6 +179,9 @@ outputs:
description: Role data for Neutron L3 agent
value:
service_name: neutron_l3
firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
config_settings:
map_merge:
@ -210,9 +213,6 @@ outputs:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL3AgentDebug}
tripleo::neutron_l3::firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
-
- if:
- az_unset


@ -173,6 +173,12 @@ outputs:
description: Role data for Neutron openvswitch service
value:
service_name: neutron_ovs_agent
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'136 neutron gre networks':
proto: 'gre'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
config_settings:
map_merge:
@ -196,12 +202,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
tripleo::neutron_ovs_agent::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'136 neutron gre networks':
proto: 'gre'
-
if:
- neutron_dvr_unset


@ -116,10 +116,7 @@ outputs:
service_name: neutron_ovs_dpdk_agent
config_settings:
map_merge:
- map_replace:
- get_attr: [NeutronOvsAgent, role_data, config_settings]
- keys:
tripleo::neutron_ovs_agent::firewall_rules: tripleo::neutron_ovs_dpdk_agent::firewall_rules
- get_attr: [NeutronOvsAgent, role_data, config_settings]
- nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
- get_attr: [RoleParametersValue, value]
service_config_settings:
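Review bot: Dropping the `map_replace` leaves no `firewall_rules` for the DPDK agent anywhere in this hunk; unless the template forwards `get_attr: [NeutronOvsAgent, role_data, firewall_rules]` outside the hunk, the VXLAN and GRE rules that the renamed `tripleo::neutron_ovs_dpdk_agent::firewall_rules` key used to supply are no longer emitted for DPDK nodes. If that attribute is not already passed through, add `firewall_rules: {get_attr: [NeutronOvsAgent, role_data, firewall_rules]}` beside `service_name: neutron_ovs_dpdk_agent`. The role_data `value` mapping begins before this hunk.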


@ -146,17 +146,17 @@ outputs:
description: Role data for the Nova API role.
value:
service_name: nova_api
firewall_rules:
'113 nova_api':
dport:
- 8774
- 13774
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [NovaApiLogging, config_settings]
- apache::default_vhost: false
tripleo::nova_api::firewall_rules:
'113 nova_api':
dport:
- 8774
- 13774
nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::user_domain_name: 'Default'
nova::keystone::authtoken::project_domain_name: 'Default'


@ -351,6 +351,12 @@ outputs:
description: Role data for the Libvirt service.
value:
service_name: nova_libvirt
firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
config_settings:
map_merge:
@ -395,12 +401,6 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
tripleo::nova_libvirt::firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
-
if:
- use_tls_for_live_migration


@ -119,6 +119,11 @@ outputs:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
config_settings:
map_merge:
@ -126,12 +131,7 @@ outputs:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- tripleo::nova_metadata::firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
nova::keystone::authtoken::project_name: 'service'
- nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}


@ -88,6 +88,10 @@ outputs:
description: Role data for the Nova Migration Target service.
value:
service_name: nova_migration_target
firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
config_settings:
map_merge:
- get_attr: [SshdBase, role_data, config_settings]
@ -116,10 +120,6 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::profile::base::sshd::port:
- 22
tripleo::nova_migration_target::firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
puppet_config:
config_volume: nova_libvirt
step_config:


@ -123,6 +123,11 @@ outputs:
description: Role data for the Nova Vncproxy service.
value:
service_name: nova_vnc_proxy
firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
config_settings:
map_merge:
- {get_attr: [NovaLogging, config_settings]}
@ -141,11 +146,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::nova_vnc_proxy::firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
-
if:
- use_tls_for_vnc


@ -94,6 +94,10 @@ outputs:
description: Role data for the novajoin API role.
value:
service_name: novajoin
firewall_rules:
'119 novajoin':
dport:
- 9090
config_settings:
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
@ -118,10 +122,6 @@ outputs:
nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::authtoken::project_name: 'service'
tripleo::novajoin::firewall_rules:
'119 novajoin':
dport:
- 9090
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
service_config_settings:
keystone:


@ -119,6 +119,11 @@ outputs:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
@ -137,11 +142,6 @@ outputs:
octavia::api::sync_db: true
octavia::api::service_name: 'httpd'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
tripleo::octavia_api::firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP


@ -78,16 +78,16 @@ outputs:
description: Role data for the Octavia health-manager role.
value:
service_name: octavia_health_manager
firewall_rules:
'200 octavia health manager interface':
proto: udp
dport: 5555
iniface: {get_param: OctaviaMgmtPortDevName}
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
config_settings:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
tripleo::octavia_health_manager::firewall_rules:
'200 octavia health manager interface':
proto: udp
dport: 5555
iniface: {get_param: OctaviaMgmtPortDevName}
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_health_manager:


@ -125,6 +125,13 @@ outputs:
description: Role data for the Ovn Controller agent.
value:
service_name: ovn_controller
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 neutron geneve networks':
proto: 'udp'
dport: 6081
config_settings:
map_merge:
- get_attr: [RoleParametersValue, value]
@ -139,13 +146,6 @@ outputs:
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
tripleo::ovn_controller::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 neutron geneve networks':
proto: 'udp'
dport: 6081
- if:
- force_config_drive
- nova::compute::force_config_drive: true


@ -58,6 +58,12 @@ outputs:
description: Role data for the OVN Dbs role.
value:
service_name: ovn_dbs
firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
config_settings:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
@ -68,12 +74,6 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
tripleo::haproxy::ovn_dbs_manage_lb: true
tripleo::ovn_dbs::firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
# BEGIN DOCKER SETTINGS
# puppet_config is not required for this service since we configure
# the NB and SB DB servers to listen on the proper IP address/port


@ -101,6 +101,14 @@ outputs:
description: Role data for the OVN Dbs HA role.
value:
service_name: ovn_dbs
firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
# Control port for pcmk remote bundle
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
config_settings:
map_merge:
- get_attr: [OVNDbsBase, role_data, config_settings]
@ -116,14 +124,6 @@ outputs:
- tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli}
- tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout}
- tripleo::haproxy::ovn_dbs_manage_lb: false
- tripleo::ovn_dbs::firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
# Control port for pcmk remote bundle
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
- if:
- internal_tls_enabled
- generate_service_certificates: true


@ -44,9 +44,6 @@ resources:
ContainersCommon:
type: ../containers-common.yaml
# We import from the corresponding docker service because otherwise we risk
# rewriting the tripleo::mysql::firewall_rules key with the baremetal firewall
# rules (see LP#1728918)
MysqlPuppetBase:
type: ../database/mysql-pacemaker-puppet.yaml
properties:


@ -89,13 +89,13 @@ outputs:
description: Role data for the Pacemaker remote role.
value:
service_name: pacemaker_remote
firewall_rules:
'130 pacemaker_remote tcp':
proto: 'tcp'
dport:
- 3121
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
config_settings:
tripleo::pacemaker_remote::firewall_rules:
'130 pacemaker_remote tcp':
proto: 'tcp'
dport:
- 3121
tripleo::fencing::config: {get_param: FencingConfig}
tripleo::fencing::deep_compare: true
enable_fencing: {get_param: EnableFencing}


@ -110,16 +110,16 @@ outputs:
description: Role data for the Placement API role.
value:
service_name: placement
firewall_rules:
'138 placement':
dport:
- 8778
- 13778
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
- apache::default_vhost: false
- tripleo::placement::firewall_rules:
'138 placement':
dport:
- 8778
- 13778
placement::keystone::authtoken::project_name: 'service'
- placement::keystone::authtoken::project_name: 'service'
placement::keystone::authtoken::password: {get_param: PlacementPassword}
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}


@ -62,16 +62,16 @@ outputs:
description: Role data for the qdrouterd service.
value:
service_name: rabbitmq
firewall_rules:
'109 qdr':
dport:
- {get_param: RabbitClientPort}
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
global_config_settings:
messaging_notify_service_name: 'amqp'
messaging_rpc_service_name: 'amqp'
keystone::messaging::amqp::amqp_pre_settled: 'notify'
config_settings:
tripleo::rabbitmq::firewall_rules:
'109 qdr':
dport:
- {get_param: RabbitClientPort}
qdr::listener_addr:
str_replace:
template:


@ -107,6 +107,12 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: rabbitmq
firewall_rules:
'109 rabbitmq':
dport:
- 4369
- 5672
- 25672
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
# RabbitMQ plugins initialization occurs on every node
config_settings:
@ -116,12 +122,6 @@ outputs:
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {get_param: RabbitIPv6}
tripleo::rabbitmq::firewall_rules:
'109 rabbitmq':
dport:
- 4369
- 5672
- 25672
rabbitmq::delete_guest_user: false
rabbitmq::wipe_db_on_cookie_change: true
rabbitmq::port: 5672
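Review bot: The rule name `'109 rabbitmq'` introduced here is reused by the oslo_messaging_notify and oslo_messaging_rpc templates in this change with different dport lists (NotifyPort and RpcPort respectively, against the fixed 5672 here). Because the FirewallRules resource folds every service's `firewall_rules` into a single map_merge, identically named rules overwrite one another and only the last one in merge order survives, whereas the removed per-service hiera keys (`tripleo::rabbitmq::firewall_rules`, `tripleo::oslo_messaging_notify::firewall_rules`, `tripleo::oslo_messaging_rpc::firewall_rules`) were independent. If the RPC and notify services are deployed on the same node with distinct ports, one of those ports would presumably stay closed. Giving each rule a service-specific name, e.g. `'109 oslo_messaging_rpc'` and `'109 oslo_messaging_notify'`, keeps all three after the merge.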


@ -89,6 +89,12 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: oslo_messaging_notify
firewall_rules:
'109 rabbitmq':
dport:
- 4369
- {get_param: NotifyPort}
- 25672
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
# RabbitMQ plugins initialization occurs on every node
global_config_settings:
@ -104,12 +110,6 @@ outputs:
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
- rabbitmq::default_user: {get_param: NotifyUserName}
rabbitmq::default_pass: {get_param: NotifyPassword}
tripleo::oslo_messaging_notify::firewall_rules:
'109 rabbitmq':
dport:
- 4369
- {get_param: NotifyPort}
- 25672
rabbitmq::port: {get_param: NotifyPort}
rabbitmq::interface:
str_replace:


@ -81,6 +81,13 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
config_settings:
map_merge:
@ -95,13 +102,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
tripleo::oslo_messaging_notify::firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -81,6 +81,13 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: rabbitmq
firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
config_settings:
map_merge:
@ -95,13 +102,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
tripleo::rabbitmq::firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -90,6 +90,12 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: oslo_messaging_rpc
firewall_rules:
'109 rabbitmq':
dport:
- 4369
- {get_param: RpcPort}
- 25672
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
global_config_settings:
map_merge:
@ -104,12 +110,6 @@ outputs:
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
- rabbitmq::default_user: {get_param: RpcUserName}
rabbitmq::default_pass: {get_param: RpcPassword}
tripleo::oslo_messaging_rpc::firewall_rules:
'109 rabbitmq':
dport:
- 4369
- {get_param: RpcPort}
- 25672
rabbitmq::port: {get_param: RpcPort}
rabbitmq::interface:
str_replace:


@ -81,6 +81,13 @@ outputs:
description: Role data for the Rabbitmq API role.
value:
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
config_settings:
map_merge:
@ -95,13 +102,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
tripleo::oslo_messaging_rpc::firewall_rules:
'109 rabbitmq-bundle':
dport:
- 3122
- 4369
- 5672
- 25672
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -62,9 +62,6 @@ outputs:
description: Role data for the RHSM service.
value:
service_name: rhsm
config_settings:
tripleo::rhsm::firewall_rules: {}
step_config: ''
host_prep_tasks:
- name: Red Hat Subscription Management configuration during deployment
import_role:


@ -86,6 +86,11 @@ outputs:
description: Role data for the Sahara API role.
value:
service_name: sahara_api
firewall_rules:
'132 sahara':
dport:
- 8386
- 13386
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
config_settings:
map_merge:
@ -105,11 +110,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SaharaApiNetwork]}
tripleo::sahara_api::firewall_rules:
'132 sahara':
dport:
- 8386
- 13386
service_config_settings:
rsyslog:
tripleo_logging_sources_sahara_api:


@ -56,19 +56,14 @@ outputs:
description: Role data for Skydive services.
value:
service_name: skydive_analyzer
firewall_rules:
'150 skydive_analyzer':
dport:
- 8082
- 12379
- 12380
upgrade_tasks: []
puppet_config:
config_image: ''
config_volume: ''
step_config: ''
docker_config: {}
config_settings:
tripleo::skydive_analyzer::firewall_rules:
'150 skydive_analyzer':
dport:
- 8082
- 12379
- 12380
external_deploy_tasks:
- name: Skydive deployment
when: step|int == 5


@ -61,31 +61,31 @@ outputs:
description: Role data for the SNMP services
value:
service_name: snmp
firewall_rules:
if:
- snmpd_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, SnmpdNetwork]}
template:
'124 snmp <%net_cidr%>':
dport: 161
proto: 'udp'
source: <%net_cidr%>
- '124 snmp':
dport: 161
proto: 'udp'
source: {get_param: SnmpdIpSubnet}
config_settings:
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
snmp::agentaddress: {get_param: SnmpdBindHost}
snmp::snmpd_options: {get_param: SnmpdOptions}
tripleo::snmp::firewall_rules:
if:
- snmpd_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, SnmpdNetwork]}
template:
'124 snmp <%net_cidr%>':
dport: 161
proto: 'udp'
source: <%net_cidr%>
- '124 snmp':
dport: 161
proto: 'udp'
source: {get_param: SnmpdIpSubnet}
step_config: |
include ::tripleo::profile::base::snmp
upgrade_tasks:


@ -75,24 +75,22 @@ outputs:
description: Role data for the ssh
value:
service_name: sshd
if:
- {get_param: SshFirewallAllowAll}
- firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
- firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: 'absent'
config_settings:
map_merge:
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
- if:
- {get_param: SshFirewallAllowAll}
- tripleo::sshd::firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
- tripleo::sshd::firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: 'absent'
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
step_config: |
include ::tripleo::profile::base::sshd


@ -126,6 +126,11 @@ outputs:
description: Role data for the swift proxy.
value:
service_name: swift_proxy
firewall_rules:
'122 swift proxy':
dport:
- 8080
- 13808
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
config_settings:
map_merge:
@ -160,11 +165,6 @@ outputs:
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL}
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
tripleo::swift_proxy::firewall_rules:
'122 swift proxy':
dport:
- 8080
- 13808
swift::proxy::keystone::operator_roles:
- admin
- swiftoperator


@ -128,6 +128,13 @@ outputs:
description: Role data for the swift storage services.
value:
service_name: swift_storage
firewall_rules:
'123 swift storage':
dport:
- 873
- 6000
- 6001
- 6002
config_settings:
map_merge:
- {get_attr: [SwiftBase, role_data, config_settings]}
@ -135,13 +142,6 @@ outputs:
# swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
- swift::storage::all::mount_check: false
tripleo::profile::base::swift::storage::use_local_dir: {get_param: SwiftUseLocalDir}
tripleo::swift_storage::firewall_rules:
'123 swift storage':
dport:
- 873
- 6000
- 6001
- 6002
swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
swift::storage::all::object_pipeline:


@ -76,15 +76,13 @@ outputs:
description: Role ptp using commposable services.
value:
service_name: ptp
config_settings:
map_merge:
- get_attr: [RoleParametersValue, value]
- tripleo::ptp::firewall_rules:
'151 ptp':
proto: udp
dport:
- 319
- 320
firewall_rules:
'151 ptp':
proto: udp
dport:
- 319
- 320
config_settings: {get_attr: [RoleParametersValue, value]}
step_config: |
include ::tripleo::profile::base::time::ptp
upgrade_tasks:


@ -101,12 +101,10 @@ outputs:
description: Role chrony using composable timesync services.
value:
service_name: chrony
config_settings:
tripleo::ntp::firewall_rules:
'105 ntp':
dport: 123
proto: udp
step_config: ''
firewall_rules:
'105 ntp':
dport: 123
proto: udp
host_prep_tasks:
- name: Populate service facts (chrony)
service_facts: # needed to make yaml happy


@ -0,0 +1,177 @@
heat_template_version: rocky
description: >
TripleO Firewall settings
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ExtraFirewallRules:
default: {}
description: Mapping of firewall rules.
type: json
conditions:
no_ctlplane:
equals:
- get_params: [ServiceData, net_cidr_map, ctlplane]
- Null
outputs:
role_data:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
config_settings:
tripleo::firewall::manage_firewall: false
tripleo::firewall::purge_firewall_rules: false
firewall_rules:
map_merge:
- map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
- {get_param: ExtraFirewallRules}
host_prep_tasks:
- if:
- no_ctlplane
- name: Failure - ctlplane subnet is unset
fail:
msg: |
No CIDRs found in the ctlplane network tags.
Please refer to the documentation in order to
set the correct network tags in DeployedServerPortMap.
- name: Notice - ctlplane subnet is set
debug:
msg: |
CIDRs found in the ctlplane network tags.
deploy_steps_tasks:
- when:
- (step|int) == 0
block:
- name: create iptables service
copy:
dest: /etc/systemd/system/tripleo-iptables.service
content: |
[Unit]
Description=Initialize iptables
Before=iptables.service
AssertPathExists=/etc/sysconfig/iptables
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -t raw -nL
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target
- name: create ip6tables service
copy:
dest: /etc/systemd/system/tripleo-ip6tables.service
content: |
[Unit]
Description=Initialize ip6tables
Before=ip6tables.service
AssertPathExists=/etc/sysconfig/ip6tables
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip6tables -t raw -nL
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
systemd:
daemon_reload: yes
enabled: yes
name: tripleo-iptables.service
- name: enable tripleo-ip6tables service
systemd:
enabled: yes
name: tripleo-ip6tables.service
upgrade_tasks:
- when:
- (step | int) == 3
block:
- name: blank ipv6 rule before activating ipv6 firewall.
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
args:
creates: /etc/sysconfig/ip6tables.n-o-upgrade
- name: cleanup unmanaged rules pushed by iptables-services
shell: |
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
iptables -D INPUT -p icmp -j ACCEPT
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
iptables -D INPUT -i lo -j ACCEPT
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -i lo -j ACCEPT
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
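Review bot: `get_params` in the `no_ctlplane` condition is not a Heat intrinsic function (the function is `get_param`), so `equals` compares a literal mapping with null and the condition can never hold; the "ctlplane subnet is unset" failure task in host_prep_tasks would then never fire, and a missing ctlplane CIDR would presumably only surface when the `repeat` over `net_cidr_map` is evaluated. Change the line to `- get_param: [ServiceData, net_cidr_map, ctlplane]` and write the comparison value as `null` rather than `Null`, which only YAML 1.1 loaders treat as null. The `ExtraFirewallRules` description `Mapping of firewall rules.` also leaves the contract unstated; since it is merged last in the `firewall_rules` output, something like `Mapping of additional firewall rules keyed by rule name; merged after the service rules, so a same-named key overrides the service rule.` would tell operators what they can and cannot change.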


@ -116,6 +116,13 @@ outputs:
description: Role data for the Zaqar API role.
value:
service_name: zaqar_api
firewall_rules:
'113 zaqar_api':
dport:
- 9000
- 8888
- 3000 #SSL for websocket
- 13888 #SSL for api
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@ -228,13 +235,6 @@ outputs:
zaqar::keystone::auth_websocket::tenant: 'service'
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
zaqar::keystone::trust::user_domain_name: 'Default'
tripleo::zaqar_api::firewall_rules:
'113 zaqar_api':
dport:
- 9000
- 8888
- 3000 #SSL for websocket
- 13888 #SSL for api
-
if:
- zaqar_management_store_sqlalchemy
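Review bot: The inline comments on the new `dport` entries (`- 3000 #SSL for websocket`, `- 13888 #SSL for api`) carry the old `#SSL` form over with no space after the hash; yamllint's `comments` rule expects `# ` with two spaces before an inline comment, so `- 3000  # SSL for websocket` and `- 13888  # SSL for api`. The moved rule also has no `proto` key, so the protocol of these four ports now depends on the tripleo-firewall role's default rather than the puppet manifest's — presumably tcp in both, but an explicit `proto: 'tcp'` under `'113 zaqar_api'` would make the ported rule independent of that default and match the form the other converted services use. The enclosing `outputs:` mapping and its `map_merge` list continue outside both hunks.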


@ -271,7 +271,7 @@ resource_registry:
OS::TripleO::Services::IronicPxe: OS::Heat::None
OS::TripleO::Services::IronicNeutronAgent: OS::Heat::None
OS::TripleO::Services::NovaIronic: OS::Heat::None
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
OS::TripleO::Services::TripleoPackages: deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml
OS::TripleO::Services::OpenStackClients: OS::Heat::None
OS::TripleO::Services::TLSProxyBase: OS::Heat::None


@ -0,0 +1,15 @@
---
features:
- TripleO will now configure `iptables` using the TripleO-Ansible role,
**tripleo-firewall**. This role implements all of the same interfaces
and behaviors as the puppet manifest.
- A new parameter has been added, `ExtraFirewallRules`. This parameter
provides a user interface to configure additional `iptables` rules.
deprecations:
- The heat template `tripleo-firewall-baremetal-puppet.yaml` has been
deprecated. While this template can still be used to configure the
TripleO-Firewall service, it is no longer preferred and will be removed
in a future release.
- Configuring firewall rules with extraconfig is no longer being supported.
All firewall rules should be converted such that they're set within the
user defined parameter `ExtraFirewallRules`.