Convert firewall rules to use TripleO-Ansible
This change converts our filewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
Kevin Carter
@@ -0,0 +1,179 @@
|
||||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
TripleO Firewall settings
|
||||
|
||||
parameters:
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
ManageFirewall:
|
||||
default: true
|
||||
description: Whether to manage IPtables rules.
|
||||
type: boolean
|
||||
PurgeFirewallRules:
|
||||
default: false
|
||||
description: Whether IPtables rules should be purged before setting up the new ones.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
no_ctlplane:
|
||||
equals:
|
||||
- get_params: [ServiceData, net_cidr_map, ctlplane]
|
||||
- Null
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the TripleO firewall settings
|
||||
value:
|
||||
service_name: tripleo_firewall
|
||||
firewall_rules:
|
||||
map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||
template:
|
||||
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
config_settings:
|
||||
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
||||
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||
step_config: |
|
||||
include ::tripleo::firewall
|
||||
|
||||
host_prep_tasks:
|
||||
if:
|
||||
- no_ctlplane
|
||||
-
|
||||
name: Ensure ctlplane subnet is set
|
||||
fail:
|
||||
msg: |
|
||||
No CIDRs found in the ctlplane network tags.
|
||||
Please refer to the documentation in order to
|
||||
set the correct network tags in DeployedServerPortMap.
|
||||
- null
|
||||
|
||||
deploy_steps_tasks:
|
||||
- when: step|int == 0
|
||||
block:
|
||||
- name: create iptables service
|
||||
copy:
|
||||
dest: /etc/systemd/system/tripleo-iptables.service
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Initialize iptables
|
||||
Before=iptables.service
|
||||
AssertPathExists=/etc/sysconfig/iptables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/iptables -t raw -nL
|
||||
Environment=BOOTUP=serial
|
||||
Environment=CONSOLETYPE=serial
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
[Install]
|
||||
WantedBy=basic.target
|
||||
- name: create ip6tables service
|
||||
copy:
|
||||
dest: /etc/systemd/system/tripleo-ip6tables.service
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Initialize ip6tables
|
||||
Before=ip6tables.service
|
||||
AssertPathExists=/etc/sysconfig/ip6tables
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/ip6tables -t raw -nL
|
||||
Environment=BOOTUP=serial
|
||||
Environment=CONSOLETYPE=serial
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
[Install]
|
||||
WantedBy=basic.target
|
||||
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
enabled: yes
|
||||
name: tripleo-iptables.service
|
||||
- name: enable tripleo-ip6tables service
|
||||
systemd:
|
||||
enabled: yes
|
||||
name: tripleo-ip6tables.service
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
- name: blank ipv6 rule before activating ipv6 firewall.
|
||||
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
||||
args:
|
||||
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
||||
- name: cleanup unmanaged rules pushed by iptables-services
|
||||
shell: |
|
||||
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -p icmp -j ACCEPT
|
||||
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -i lo -j ACCEPT
|
||||
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
|
||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||
|
||||
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
||||
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -i lo -j ACCEPT
|
||||
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
||||
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
||||
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
||||
|
||||
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
||||
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
||||
Reference in New Issue
Block a user