Enable firewalling by default on compute nodes

- Move VXLAN and VRRP rules from Neutron Server to the right services. - Enable Firewall by default on Compute nodes. Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
6 years ago · 7322d60610
5 changed files with 13 additions and 8 deletions
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@ -41,5 +41,8 @@ outputs:
      config_settings:
        tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface}
        tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface}
+        tripleo.keepalived.firewall_rules:
+          '106 keepalived vrrp':
+            proto: vrrp
      step_config: |
        include ::tripleo::profile::base::keepalived
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@ -150,11 +150,6 @@ outputs:
                dport:
                  - 9696
                  - 13696
-              '118 neutron vxlan networks':
-                proto: 'udp'
-                dport: 4789
-              '106 vrrp':
-                proto: vrrp
            neutron::server::router_distributed: {get_param: NeutronEnableDVR}
            # NOTE: bind IP is found in Heat replacing the network name with the local node IP
            # for the given network; replacement examples (eg. for internal_api):
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@ -67,5 +67,8 @@ outputs:
          - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
            neutron::agents::l3::router_delete_namespaces: True
            neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
+            tripleo.neutron_l3.firewall_rules:
+              '106 neutron_l3 vrrp':
+                proto: vrrp
      step_config: |
        include tripleo::profile::base::neutron::l3
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@ -117,5 +117,11 @@ outputs:
            # internal_api_subnet - > IP/CIDR
            neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
            neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+            tripleo.neutron_ovs_agent.firewall_rules:
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '136 neutron gre networks':
+                proto: 'gre'
      step_config: |
        include ::tripleo::profile::base::neutron::ovs
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -114,9 +114,7 @@
    - OS::TripleO::Services::ComputeNeutronL3Agent
    - OS::TripleO::Services::ComputeNeutronMetadataAgent
    - OS::TripleO::Services::TripleoPackages
-    # FIXME: This doesn't appear to have been enabled before
-    # so disabling it here until we can support it
-    #- OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::TripleoFirewall
    - OS::TripleO::Services::NeutronSriovAgent
    - OS::TripleO::Services::OpenDaylightOvs
    - OS::TripleO::Services::SensuClient