Composable firewall rules

Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
changes/85/344985/7
Dan Prince 7 years ago committed by Giulio Fidente
parent f00ed98048
commit 5195d7f891

@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
controller_classes: []
# firewall
tripleo::firewall::firewall_rules:
'101 mongodb_config':
dport: 27019
'102 mongodb_sharding':
dport: 27018
'103 mongod':
dport: 27017
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
'105 ntp':
dport: 123
proto: udp
'106 vrrp':
proto: vrrp
'107 haproxy stats':
dport: 1993
'108 redis':
dport:
- 6379
- 26379
'109 rabbitmq':
dport:
- 4369
- 5672
- 35672
'110 ceph':
dport:
- 6789
- '6800-6810'
'111 keystone':
dport:
- 5000
- 13000
- 35357
- 13357
'112 glance':
dport:
- 9292
- 9191
- 13292
'113 nova':
dport:
- 6080
- 13080
- 8773
- 3773
- 8774
- 13774
- 8775
'114 neutron server':
dport:
- 9696
- 13696
'115 neutron dhcp input':
proto: 'udp'
dport: 67
'116 neutron dhcp output':
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 cinder':
dport:
- 8776
- 13776
'120 iscsi initiator':
dport: 3260
'121 memcached':
dport: 11211
'122 swift proxy':
dport:
- 8080
- 13808
'123 swift storage':
dport:
- 873
- 6000
- 6001
- 6002
'124 ceilometer':
dport:
- 8777
- 13777
'125 heat':
dport:
- 8000
- 13800
- 8003
- 13003
- 8004
- 13004
'126 horizon':
dport:
- 80
- 443
'127 snmp':
dport: 161
proto: 'udp'
'128 aodh':
dport:
- 8042
- 13042
'129 gnocchi-api':
dport:
- 8041
- 13041
'130 pacemaker tcp':
proto: 'tcp'
dport:
- 2224
- 3121
- 21064
'131 pacemaker udp':
proto: 'udp'
dport: 5405
'132 sahara':
dport:
- 8386
- 13386

@ -23,6 +23,12 @@ outputs:
value:
service_name: ceilometer-api
config_settings:
get_attr: [CeilometerServiceBase, role_data, config_settings]
map_merge:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
- tripleo.ceilometer_api.firewall_rules:
'124 ceilometer':
dport:
- 8777
- 13777
step_config: |
include ::tripleo::profile::base::ceilometer::api

@ -53,5 +53,10 @@ outputs:
- {get_param: NovaRbdPoolName}
- {get_param: GlanceRbdPoolName}
- {get_param: GnocchiRbdPoolName}
tripleo.ceph_mon.firewall_rules:
'110 ceph':
dport:
- 6789
- '6800-6810'
step_config: |
include ::tripleo::profile::base::ceph::mon

@ -39,5 +39,10 @@ outputs:
cinder::api::keystone_password: {get_param: CinderPassword}
cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
tripleo.cinder_api.firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
step_config: |
include ::tripleo::profile::base::cinder::api

@ -76,5 +76,8 @@ outputs:
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
tripleo.cinder_volume.firewall_rules:
'120 iscsi initiator':
dport: 3260
step_config: |
include ::tripleo::profile::base::cinder::volume

@ -25,5 +25,12 @@ outputs:
- get_attr: [MongoDbBase, role_data, config_settings]
- tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
mongodb::server::service_manage: True
tripleo.mongodb.firewall_rules:
'101 mongodb_config':
dport: 27019
'102 mongodb_sharding':
dport: 27018
'103 mongod':
dport: 27017
step_config: |
include ::tripleo::profile::base::database::mongodb
include ::tripleo::profile::base::database::mongodb

@ -17,5 +17,14 @@ outputs:
value:
service_name: mysql
config_settings:
tripleo.mysql.firewall_rules:
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
step_config: |
include ::tripleo::profile::base::database::mysql

@ -22,5 +22,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [RedisBase, role_data, config_settings]
- tripleo.redis.firewall_rules:
'108 redis':
dport:
- 6379
- 26379
step_config: |
include ::tripleo::profile::base::database::redis

@ -104,5 +104,10 @@ outputs:
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
tripleo.glance_api.firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
step_config: |
include ::tripleo::profile::base::glance::api

@ -49,5 +49,9 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
tripleo.glance_registry.firewall_rules:
'112 glance_registry':
dport:
- 9191
step_config: |
include ::tripleo::profile::base::glance::registry

@ -24,5 +24,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
- tripleo.gnocchi_api.firewall_rules:
'129 gnocchi-api':
dport:
- 8041
- 13041
step_config: |
include ::tripleo::profile::base::gnocchi::api

@ -15,5 +15,9 @@ outputs:
description: Role data for the HAproxy role.
value:
service_name: haproxy
config_settings:
tripleo.haproxy.firewall_rules:
'107 haproxy stats':
dport: 1993
step_config: |
include ::tripleo::profile::base::haproxy

@ -40,5 +40,10 @@ outputs:
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
tripleo.heat_api_cfn.firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
step_config: |
include ::tripleo::profile::base::heat::api_cfn

@ -27,5 +27,10 @@ outputs:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- heat::api_cloudwatch::workers: {get_param: HeatWorkers}
tripleo.heat_api_cloudwatch.firewall_rules:
'125 heat_cloudwatch':
dport:
- 8003
- 13003
step_config: |
include ::tripleo::profile::base::heat::api_cloudwatch

@ -40,5 +40,10 @@ outputs:
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
tripleo.heat_api.firewall_rules:
'125 heat_api':
dport:
- 8004
- 13004
step_config: |
include ::tripleo::profile::base::heat::api

@ -31,5 +31,10 @@ outputs:
template: MECHANISMS
params:
MECHANISMS: {get_param: NeutronMechanismDrivers}
tripleo.horizon.firewall_rules:
'126 horizon':
dport:
- 80
- 443
step_config: |
include ::tripleo::profile::base::horizon

@ -136,5 +136,12 @@ outputs:
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
tripleo.keystone.firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- 35357
- 13357
step_config: |
include ::tripleo::profile::base::keystone

@ -16,5 +16,8 @@ outputs:
value:
service_name: memcached
config_settings:
tripleo.memcached.firewall_rules:
'121 memcached':
dport: 11211
step_config: |
include ::tripleo::profile::base::memcached

@ -28,5 +28,13 @@ outputs:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
tripleo.neutron_dhcp.firewall_rules:
'115 neutron dhcp input':
proto: 'udp'
dport: 67
'116 neutron dhcp output':
proto: 'udp'
chain: 'OUTPUT'
dport: 68
step_config: |
include tripleo::profile::base::neutron::dhcp

@ -72,5 +72,15 @@ outputs:
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
tripleo.neutron_server.firewall_rules:
'114 neutron server':
dport:
- 9696
- 13696
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'106 vrrp':
proto: vrrp
step_config: |
include tripleo::profile::base::neutron::server

@ -32,5 +32,15 @@ outputs:
nova::api::metadata_workers: {get_param: NovaWorkers}
nova::cron::archive_deleted_rows::hour: '"*/12"'
nova::cron::archive_deleted_rows::destination: '"/dev/null"'
tripleo.nova_api.firewall_rules:
'113 nova_api':
dport:
- 6080
- 13080
- 8773
- 3773
- 8774
- 13774
- 8775
step_config: |
include tripleo::profile::base::nova::api

@ -16,5 +16,15 @@ outputs:
value:
service_name: pacemaker
config_settings:
tripleo.pacemaker.firewall_rules:
'130 pacemaker tcp':
proto: 'tcp'
dport:
- 2224
- 3121
- 21064
'131 pacemaker udp':
proto: 'udp'
dport: 5405
step_config: |
include ::tripleo::profile::base::pacemaker

@ -36,5 +36,11 @@ outputs:
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {get_param: RabbitIPv6}
tripleo.rabbitmq.firewall_rules:
'109 rabbitmq':
dport:
- 4369
- 5672
- 35672
step_config: |
include ::tripleo::profile::base::rabbitmq

@ -49,5 +49,10 @@ outputs:
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
tripleo.sahara_api.firewall_rules:
'132 sahara':
dport:
- 8386
- 13386
step_config: |
include ::tripleo::profile::base::sahara::api

@ -28,5 +28,9 @@ outputs:
config_settings:
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
tripleo.snmp.firewall_rules:
'127 snmp':
dport: 161
proto: 'udp'
step_config: |
include ::tripleo::profile::base::snmp

@ -51,5 +51,10 @@ outputs:
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
tripleo.swift_proxy.firewall_rules:
'122 swift proxy':
dport:
- 8080
- 13808
step_config: |
include ::tripleo::profile::base::swift::proxy

@ -41,5 +41,12 @@ outputs:
# Swift
swift::storage::all::mount_check: {get_param: SwiftMountCheck}
tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
tripleo.swift_storage.firewall_rules:
'123 swift storage':
dport:
- 873
- 6000
- 6001
- 6002
step_config: |
include ::tripleo::profile::base::swift::storage

@ -24,5 +24,9 @@ outputs:
service_name: ntp
config_settings:
ntp::ntpservers: {get_param: NtpServer}
tripleo.ntp.firewall_rules:
'105 ntp':
dport: 123
proto: udp
step_config: |
include ::ntp

Loading…
Cancel
Save