
Merge "Convert firewall rules to use TripleO-Ansible"

tags/12.0.0
Zuul 2 weeks ago
parent
commit
fb0dbebf9b
86 changed files with 832 additions and 675 deletions
  1. +5
    -6
      ci/environments/multinode-core.yaml
  2. +18
    -1
      common/services/role.role.j2.yaml
  3. +5
    -5
      deployment/aodh/aodh-api-container-puppet.yaml
  4. +5
    -5
      deployment/barbican/barbican-api-container-puppet.yaml
  5. +8
    -0
      deployment/ceph-ansible/ceph-grafana.yaml
  6. +9
    -12
      deployment/ceph-ansible/ceph-mds.yaml
  7. +9
    -12
      deployment/ceph-ansible/ceph-mgr.yaml
  8. +10
    -13
      deployment/ceph-ansible/ceph-mon.yaml
  9. +5
    -8
      deployment/ceph-ansible/ceph-nfs.yaml
  10. +9
    -12
      deployment/ceph-ansible/ceph-osd.yaml
  11. +4
    -7
      deployment/ceph-ansible/ceph-rbdmirror.yaml
  12. +9
    -12
      deployment/ceph-ansible/ceph-rgw.yaml
  13. +5
    -5
      deployment/cinder/cinder-api-container-puppet.yaml
  14. +3
    -3
      deployment/cinder/cinder-volume-container-puppet.yaml
  15. +9
    -9
      deployment/database/mysql-base.yaml
  16. +10
    -10
      deployment/database/mysql-pacemaker-puppet.yaml
  17. +6
    -6
      deployment/database/redis-container-puppet.yaml
  18. +6
    -6
      deployment/database/redis-pacemaker-puppet.yaml
  19. +5
    -7
      deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
  20. +14
    -15
      deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml
  21. +18
    -20
      deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml
  22. +10
    -11
      deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
  23. +5
    -5
      deployment/etcd/etcd-container-puppet.yaml
  24. +5
    -5
      deployment/experimental/designate/designate-api-container-puppet.yaml
  25. +9
    -10
      deployment/experimental/designate/designate-mdns-container-puppet.yaml
  26. +11
    -11
      deployment/experimental/designate/designate-worker-container-puppet.yaml
  27. +5
    -5
      deployment/glance/glance-api-container-puppet.yaml
  28. +6
    -6
      deployment/gnocchi/gnocchi-api-container-puppet.yaml
  29. +5
    -7
      deployment/gnocchi/gnocchi-statsd-container-puppet.yaml
  30. +3
    -3
      deployment/haproxy/haproxy-container-puppet.yaml
  31. +5
    -5
      deployment/heat/heat-api-cfn-container-puppet.yaml
  32. +5
    -5
      deployment/heat/heat-api-container-puppet.yaml
  33. +5
    -5
      deployment/horizon/horizon-container-puppet.yaml
  34. +5
    -7
      deployment/image-serve/image-serve-baremetal-ansible.yaml
  35. +33
    -35
      deployment/ipsec/ipsec-baremetal-ansible.yaml
  36. +5
    -6
      deployment/ironic/ironic-api-container-puppet.yaml
  37. +6
    -6
      deployment/ironic/ironic-conductor-container-puppet.yaml
  38. +31
    -31
      deployment/ironic/ironic-inspector-container-puppet.yaml
  39. +3
    -3
      deployment/keepalived/keepalived-container-puppet.yaml
  40. +6
    -6
      deployment/keystone/keystone-container-puppet.yaml
  41. +5
    -5
      deployment/manila/manila-api-container-puppet.yaml
  42. +25
    -25
      deployment/memcached/memcached-container-puppet.yaml
  43. +9
    -10
      deployment/messaging/rpc-qdrouterd-container-puppet.yaml
  44. +5
    -5
      deployment/metrics/qdr-container-puppet.yaml
  45. +5
    -5
      deployment/mistral/mistral-api-container-puppet.yaml
  46. +5
    -5
      deployment/neutron/neutron-api-container-puppet.yaml
  47. +6
    -6
      deployment/neutron/neutron-compute-plugin-nuage.yaml
  48. +24
    -24
      deployment/neutron/neutron-dhcp-container-puppet.yaml
  49. +18
    -21
      deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml
  50. +3
    -3
      deployment/neutron/neutron-l3-container-puppet.yaml
  51. +6
    -6
      deployment/neutron/neutron-ovs-agent-container-puppet.yaml
  52. +1
    -4
      deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml
  53. +5
    -5
      deployment/nova/nova-api-container-puppet.yaml
  54. +6
    -6
      deployment/nova/nova-libvirt-container-puppet.yaml
  55. +6
    -6
      deployment/nova/nova-metadata-container-puppet.yaml
  56. +4
    -4
      deployment/nova/nova-migration-target-container-puppet.yaml
  57. +5
    -5
      deployment/nova/nova-vnc-proxy-container-puppet.yaml
  58. +4
    -4
      deployment/nova/novajoin-container-puppet.yaml
  59. +5
    -5
      deployment/octavia/octavia-api-container-puppet.yaml
  60. +5
    -5
      deployment/octavia/octavia-health-manager-container-puppet.yaml
  61. +7
    -7
      deployment/ovn/ovn-controller-container-puppet.yaml
  62. +6
    -6
      deployment/ovn/ovn-dbs-container-puppet.yaml
  63. +8
    -8
      deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
  64. +0
    -3
      deployment/pacemaker/clustercheck-container-puppet.yaml
  65. +5
    -5
      deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml
  66. +6
    -6
      deployment/placement/placement-api-container-puppet.yaml
  67. +4
    -4
      deployment/qdr/qdrouterd-container-puppet.yaml
  68. +6
    -6
      deployment/rabbitmq/rabbitmq-container-puppet.yaml
  69. +6
    -6
      deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
  70. +7
    -7
      deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
  71. +7
    -7
      deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
  72. +6
    -6
      deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
  73. +7
    -7
      deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
  74. +0
    -3
      deployment/rhsm/rhsm-baremetal-ansible.yaml
  75. +5
    -5
      deployment/sahara/sahara-api-container-puppet.yaml
  76. +6
    -11
      deployment/skydive/skydive-analyzer-baremetal-ansible.yaml
  77. +20
    -20
      deployment/snmp/snmp-baremetal-puppet.yaml
  78. +16
    -18
      deployment/sshd/sshd-baremetal-puppet.yaml
  79. +5
    -5
      deployment/swift/swift-proxy-container-puppet.yaml
  80. +7
    -7
      deployment/swift/swift-storage-container-puppet.yaml
  81. +7
    -9
      deployment/time/ptp-baremetal-puppet.yaml
  82. +4
    -6
      deployment/timesync/chrony-baremetal-ansible.yaml
  83. +177
    -0
      deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
  84. +7
    -7
      deployment/zaqar/zaqar-container-puppet.yaml
  85. +1
    -1
      overcloud-resource-registry-puppet.j2.yaml
  86. +15
    -0
      releasenotes/notes/tripleo-firewall-ansible-3928f04478a09668.yaml

+ 5
- 6
ci/environments/multinode-core.yaml View File

@@ -30,9 +30,8 @@ outputs:
description: Role data for the multinode firewall configuration
value:
service_name: multinode_core
config_settings:
tripleo::core::firewall_rules:
'999 core':
proto: 'udp'
dport:
- 4789
firewall_rules:
'999 core':
proto: 'udp'
dport:
- 4789

+ 18
- 1
common/services/role.role.j2.yaml View File

@@ -341,6 +341,16 @@ resources:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}

FirewallRules:
type: OS::Heat::Value
properties:
type: json
value:
map_merge:
yaql:
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null))
data: {role_data: {get_attr: [ServiceChain, role_data]}}


outputs:
role_data:
@@ -381,4 +391,11 @@ outputs:
map_merge:
- {get_attr: [ContainerPuppetTasks, value]}
- {get_attr: [DockerPuppetTasks, value]}
host_prep_tasks: {get_attr: [HostPrepTasks, value]}
host_prep_tasks:
list_concat:
- - name: Run firewall role
include_role:
name: tripleo-firewall
vars:
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
- {get_attr: [HostPrepTasks, value]}
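Review bot: The new `FirewallRules` value folds every service's `firewall_rules` into a single map with `map_merge`, so two services co-located on one role that use the same rule name now silently overwrite each other, whereas the old per-service `tripleo::<service>::firewall_rules` hiera keys could not collide. The names in this change look distinct (the numeric prefix is reused, e.g. `'120 iscsi initiator'` and `'120 ceph_nfs'`, but the full strings differ), so this is a convention to document rather than a present bug; a comment above `FirewallRules` such as `# Rule names must be unique across all services of a role: map_merge keeps the last definition on a clash.` would make it explicit. The `include_role: tripleo-firewall` prepended to `host_prep_tasks` also runs unconditionally for every role; if mapping the TripleOFirewall service to `OS::Heat::None` is meant to turn firewall management off, that now has to be honoured inside the role itself (the new `tripleo-firewall-baremetal-ansible.yaml` is not in this view), so worth confirming.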

+ 5
- 5
deployment/aodh/aodh-api-container-puppet.yaml View File

@@ -91,6 +91,11 @@ outputs:
description: Role data for the aodh API role.
value:
service_name: aodh_api
firewall_rules:
'128 aodh-api':
dport:
- 8042
- 13042
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
config_settings:
map_merge:
@@ -109,11 +114,6 @@ outputs:
aodh::api::enable_proxy_headers_parsing: true
aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
aodh::policy::policies: {get_param: AodhApiPolicies}
tripleo::aodh_api::firewall_rules:
'128 aodh-api':
dport:
- 8042
- 13042
aodh::api::host:
str_replace:
template:

+ 5
- 5
deployment/barbican/barbican-api-container-puppet.yaml View File

@@ -187,6 +187,11 @@ outputs:
description: Role data for the Barbican API role.
value:
service_name: barbican_api
firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
@@ -245,11 +250,6 @@ outputs:
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo

tripleo::barbican_api::firewall_rules:
'117 barbican':
dport:
- 9311
- 13311
service_config_settings:
mysql:
barbican::db::mysql::password: {get_param: BarbicanPassword}

+ 8
- 0
deployment/ceph-ansible/ceph-grafana.yaml View File

@@ -103,6 +103,14 @@ outputs:
description: Role data for the Ceph Dashboard service.
value:
service_name: ceph_grafana
firewall_rules:
'123 ceph_dashboard':
dport:
- 3100
- 9090
- 9093
- 9094
- 9100
upgrade_tasks: []
puppet_config:
config_image: ''

+ 9
- 12
deployment/ceph-ansible/ceph-mds.yaml View File

@@ -66,6 +66,15 @@ outputs:
description: Role data for the Ceph Metadata service.
value:
service_name: ceph_mds
firewall_rules:
'112 ceph_mds':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -88,15 +97,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mds::firewall_rules:
'112 ceph_mds':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
- {}

+ 9
- 12
deployment/ceph-ansible/ceph-mgr.yaml View File

@@ -76,6 +76,15 @@ outputs:
description: Role data for the Ceph Manager service.
value:
service_name: ceph_mgr
firewall_rules:
'113 ceph_mgr':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '8443'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -98,15 +107,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mgr::firewall_rules:
'113 ceph_mgr':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '8443'
- []
- {}

+ 10
- 13
deployment/ceph-ansible/ceph-mon.yaml View File

@@ -80,6 +80,16 @@ outputs:
description: Role data for the Ceph Monitor service.
value:
service_name: ceph_mon
firewall_rules:
'110 ceph_mon':
dport:
list_concat:
- - 6789
- - 3300
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -102,16 +112,3 @@ outputs:
content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_mon::firewall_rules:
'110 ceph_mon':
dport:
list_concat:
- - 6789
- - 3300
- if:
- dashboard_enabled
- - '9100'
- []
- {}

+ 5
- 8
deployment/ceph-ansible/ceph-nfs.yaml View File

@@ -66,6 +66,11 @@ outputs:
description: Role data for the Ceph NFS Ganesha service.
value:
service_name: ceph_nfs
firewall_rules:
'120 ceph_nfs':
dport:
# We support only NFS 4.1 to start
- 2049
upgrade_tasks: []
step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
puppet_config:
@@ -90,11 +95,3 @@ outputs:
content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_nfs::firewall_rules:
'120 ceph_nfs':
dport:
# We support only NFS 4.1 to start
- 2049
- {}

+ 9
- 12
deployment/ceph-ansible/ceph-osd.yaml View File

@@ -69,6 +69,15 @@ outputs:
description: Role data for the Ceph OSD service.
value:
service_name: ceph_osd
firewall_rules:
'111 ceph_osd':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks:
- name: Check legacy Ceph hieradata
tags: validation
@@ -95,15 +104,3 @@ outputs:
content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_osd::firewall_rules:
'111 ceph_osd':
dport:
list_concat:
- - '6800-7300'
- if:
- dashboard_enabled
- - '9100'
- []
- {}

+ 4
- 7
deployment/ceph-ansible/ceph-rbdmirror.yaml View File

@@ -82,6 +82,10 @@ outputs:
description: Role data for the Ceph RBD Mirror service.
value:
service_name: ceph_rbdmirror
firewall_rules:
'114 ceph_rbdmirror':
dport:
- '6800-7300'
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -104,10 +108,3 @@ outputs:
content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_rbdmirror::firewall_rules:
'114 ceph_rbdmirror':
dport:
- '6800-7300'
- {}

+ 9
- 12
deployment/ceph-ansible/ceph-rgw.yaml View File

@@ -76,6 +76,15 @@ outputs:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
upgrade_tasks: []
puppet_config:
config_image: ''
@@ -98,18 +107,6 @@ outputs:
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- tripleo::ceph_rgw::firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
- {}
service_config_settings:
keystone:
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}

+ 5
- 5
deployment/cinder/cinder-api-container-puppet.yaml View File

@@ -118,6 +118,11 @@ outputs:
description: Role data for the Cinder API role.
value:
service_name: cinder_api
firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
config_settings:
map_merge:
@@ -143,11 +148,6 @@ outputs:
DEFAULT/swift_catalog_info:
value: 'object-store:swift:internalURL'
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
tripleo::cinder_api::firewall_rules:
'119 cinder':
dport:
- 8776
- 13776
cinder::api::bind_host:
str_replace:
template:

+ 3
- 3
deployment/cinder/cinder-volume-container-puppet.yaml View File

@@ -198,6 +198,9 @@ outputs:
description: Role data for the Cinder Volume role.
value:
service_name: cinder_volume
firewall_rules:
'120 iscsi initiator':
dport: 3260
monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
config_settings:
map_merge:
@@ -226,9 +229,6 @@ outputs:
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
tripleo::cinder_volume::firewall_rules:
'120 iscsi initiator':
dport: 3260
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP

+ 9
- 9
deployment/database/mysql-base.yaml View File

@@ -68,6 +68,15 @@ outputs:
description: Service MySQL using composable services.
value:
service_name: mysql
firewall_rules:
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
config_settings:
map_merge:
-
@@ -79,15 +88,6 @@ outputs:
mysql::server::package_name: 'mariadb-galera-server'
mysql::server::manage_config_file: true
mysql_ipv6: {get_param: MysqlIPv6}
tripleo::mysql::firewall_rules:
'104 mysql galera':
dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql::server::root_password:
yaql:
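Review bot: `mysql-base.yaml` is a nested base template rather than a service in the chain, so moving its rule from `tripleo::mysql::firewall_rules` inside `config_settings` to a top-level `firewall_rules` output changes how wrappers receive it: a template that only merges `get_attr: [MysqlBase, role_data, config_settings]` used to inherit the rule through hiera and now gets nothing. `mysql-pacemaker-puppet.yaml` in this change defines its own `'104 mysql galera-bundle'` rule, but a non-pacemaker MySQL wrapper is not in the list of changed files, so unless it already forwards `firewall_rules: {get_attr: [MysqlBase, role_data, firewall_rules]}` the galera ports would no longer be opened on that deployment. Any other `*Base` template whose rules are moved the same way needs the same check on its callers.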

+ 10
- 10
deployment/database/mysql-pacemaker-puppet.yaml View File

@@ -99,6 +99,16 @@ outputs:
description: Containerized service MySQL using composable services.
value:
service_name: {get_attr: [MysqlBase, role_data, service_name]}
firewall_rules:
'104 mysql galera-bundle':
dport:
- 873
- 3123
- 3306
- 4444
- 4567
- 4568
- 9200
config_settings:
map_merge:
- get_attr: [MysqlBase, role_data, config_settings]
@@ -131,16 +141,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
tripleo::mysql::firewall_rules:
'104 mysql galera-bundle':
dport:
- 873
- 3123
- 3306
- 4444
- 4567
- 4568
- 9200
tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
str_replace:
template:

+ 6
- 6
deployment/database/redis-container-puppet.yaml View File

@@ -62,18 +62,18 @@ outputs:
description: Role data for the Redis API role.
value:
service_name: redis
firewall_rules:
'108 redis':
dport:
- 6379
- 26379
config_settings:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
- redis::daemonize: false
tripleo::stunnel::manage_service: false
tripleo::stunnel::foreground: 'yes'
- tripleo::redis::firewall_rules:
'108 redis':
dport:
- 6379
- 26379
tripleo::profile::base::database::redis::tls_proxy_bind_ip:
- tripleo::profile::base::database::redis::tls_proxy_bind_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"

+ 6
- 6
deployment/database/redis-pacemaker-puppet.yaml View File

@@ -86,6 +86,12 @@ outputs:
description: Role data for the Redis API role.
value:
service_name: redis
firewall_rules:
'108 redis-bundle':
dport:
- 3124
- 6379
- 26379
config_settings:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
@@ -101,12 +107,6 @@ outputs:
- 'pcmklatest'
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
tripleo::redis::firewall_rules:
'108 redis-bundle':
dport:
- 3124
- 6379
- 26379
tripleo::stunnel::manage_service: false
tripleo::stunnel::foreground: 'yes'
tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:

+ 5
- 7
deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml View File

@@ -43,13 +43,11 @@ outputs:
description: Role data for the docker registry service
value:
service_name: docker_registry
config_settings:
tripleo::docker_registry::firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
step_config: ''
firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
host_prep_tasks:
- name: Install, Configure and Run Docker Distribution
block:

+ 14
- 15
deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml View File

@@ -43,21 +43,20 @@ outputs:
description: Role data for the Kubernetes Service
value:
service_name: kubernetes_master
config_settings:
tripleo::kubernetes_master::firewall_rules:
'200 kubernetes-master api':
dport: 6443
proto: tcp
'200 kubernetes-master etcd':
dport:
- 2379
- 2380
proto: tcp
'200 kubernetes-master flannel':
dport:
- 8285
- 8472
proto: udp
firewall_rules:
'200 kubernetes-master api':
dport: 6443
proto: tcp
'200 kubernetes-master etcd':
dport:
- 2379
- 2380
proto: tcp
'200 kubernetes-master flannel':
dport:
- 8285
- 8472
proto: udp
upgrade_tasks: []
step_config: ''
external_deploy_tasks:

+ 18
- 20
deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml View File

@@ -41,24 +41,22 @@ outputs:
# as workers. The actual installation is performed in
# kubernetes-master service template.
service_name: kubernetes_worker
config_settings:
tripleo::kubernetes_worker::firewall_rules:
'200 kubernetes-worker kubelet':
dport:
- 10250
- 10255
proto: tcp
'200 kubernetes-worker external services':
dport: '30000-32767'
'200 kubernetes-worker flannel':
dport:
- 8285
- 8472
proto: udp
'200 kubernetes-worker calico bgp':
dport: 179
proto: tcp
'200 kubernetes-worker calico ipv4-in-ip':
proto: ipv4
firewall_rules:
'200 kubernetes-worker kubelet':
dport:
- 10250
- 10255
proto: tcp
'200 kubernetes-worker external services':
dport: '30000-32767'
'200 kubernetes-worker flannel':
dport:
- 8285
- 8472
proto: udp
'200 kubernetes-worker calico bgp':
dport: 179
proto: tcp
'200 kubernetes-worker calico ipv4-in-ip':
proto: ipv4
upgrade_tasks: []
step_config: ''
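Review bot: The moved rules keep the puppet-firewall vocabulary — `proto: ipv4` here, `chain: OUTPUT` and `sport` in `ipsec-baremetal-ansible.yaml`, `source` in the deprecated `tripleo-firewall-baremetal-puppet.yaml`, `iniface` and `ipversion` in `ironic-inspector-container-puppet.yaml` — but they are now consumed by the `tripleo-firewall` Ansible role, which lives outside this repository and this view. If the role does not implement one of those keys the affected rule is dropped or mis-rendered without any template error, which for the IPsec `OUTPUT` rules or the calico IP-in-IP rule would go unnoticed until traffic fails. Worth a short comment on the first such rule, e.g. `# chain/sport/source/proto values must be supported by tripleo-ansible's tripleo-firewall role`, and a check of the rendered rules if the role's own tests do not cover these keys.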

deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml → deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml View File

@@ -50,20 +50,19 @@ outputs:
description: Role data for the TripleO firewall settings
value:
service_name: tripleo_firewall
firewall_rules:
map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22
config_settings:
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
tripleo::tripleo_firewall::firewall_rules:
map_merge:
repeat:
for_each:
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
template:
'003 accept ssh from ctlplane subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: 22

step_config: |
include ::tripleo::firewall
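Review bot: This deprecated template now publishes its ssh rule through the role-level `firewall_rules` (applied by the Ansible role during `host_prep_tasks`) while `step_config` still includes `::tripleo::firewall` driven by `tripleo::firewall::manage_firewall` and `tripleo::firewall::purge_firewall_rules` from the same parameters. With the per-service `tripleo::*::firewall_rules` hiera keys removed across this change the puppet class has no service rules left to manage, and if `PurgeFirewallRules` is true it may purge the rules the Ansible role installed earlier in the same deploy; I cannot confirm the puppet-side purge behaviour from here. Either drop the `step_config` include from the deprecated file or add a comment such as `# Deprecated: rules are applied by the tripleo-firewall Ansible role; ManageFirewall/PurgeFirewallRules must not let puppet undo them.` The `role_data` block continues outside the hunk.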


+ 5
- 5
deployment/etcd/etcd-container-puppet.yaml View File

@@ -55,6 +55,11 @@ outputs:
description: Role data for the etcd role.
value:
service_name: etcd
firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
config_settings:
map_merge:
@@ -80,11 +85,6 @@ outputs:
tripleo::profile::base::etcd::peer_port: '2380'
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
etcd::manage_package: false
tripleo::etcd::firewall_rules:
'141 etcd':
dport:
- 2379
- 2380
etcd::manage_service: false
-
if:

+ 5
- 5
deployment/experimental/designate/designate-api-container-puppet.yaml View File

@@ -79,6 +79,11 @@ outputs:
description: Role data for the Designate API role.
value:
service_name: designate_api
firewall_rules:
'139 designate api':
dport:
- 9001
- 13001
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
config_settings:
map_merge:
@@ -94,11 +99,6 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::profile::base::designate::api::listen_port: 9001
tripleo::designate_api::firewall_rules:
'139 designate api':
dport:
- 9001
- 13001
-
if:
- designate_workers_zero

+ 9
- 10
deployment/experimental/designate/designate-mdns-container-puppet.yaml View File

@@ -80,6 +80,15 @@ outputs:
description: Role data for the Designate MDNS role.
value:
service_name: designate_mdns
firewall_rules:
'142 designate_mdns udp':
proto: 'udp'
dport:
- 5354
'143 designate_mdns tcp':
proto: 'tcp'
dport:
- 5354
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
config_settings:
map_merge:
@@ -103,16 +112,6 @@ outputs:
-
read_default_file: /etc/my.cnf.d/tripleo.cnf
read_default_group: tripleo

tripleo::designate_mdns::firewall_rules:
'142 designate_mdns udp':
proto: 'udp'
dport:
- 5354
'143 designate_mdns tcp':
proto: 'tcp'
dport:
- 5354
-
if:
- designate_workers_zero

+ 11
- 11
deployment/experimental/designate/designate-worker-container-puppet.yaml View File

@@ -79,6 +79,17 @@ outputs:
description: Role data for the Designate Worker role.
value:
service_name: designate_worker
firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
config_settings:
map_merge:
@@ -118,17 +129,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
tripleo::designate_worker::firewall_rules:
'140 designate_worker udp':
proto: 'udp'
dport:
- 53
- 953
'141 designate_worker tcp':
proto: 'tcp'
dport:
- 53
- 953
-
if:
- designate_workers_zero

+ 5
- 5
deployment/glance/glance-api-container-puppet.yaml View File

@@ -294,6 +294,11 @@ outputs:
description: Role data for the Glance API role.
value:
service_name: glance_api
firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
config_settings:
map_merge:
@@ -331,11 +336,6 @@ outputs:
- {get_param: Debug }
- {get_param: GlanceDebug }
glance::policy::policies: {get_param: GlanceApiPolicies}
tripleo::glance_api::firewall_rules:
'112 glance_api':
dport:
- 9292
- 13292
glance::api::authtoken::project_name: 'service'
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
glance::api::authtoken::user_domain_name: 'Default'

+ 6
- 6
deployment/gnocchi/gnocchi-api-container-puppet.yaml View File

@@ -142,6 +142,11 @@ outputs:
description: Role data for the gnocchi API role.
value:
service_name: gnocchi_api
firewall_rules:
'129 gnocchi-api':
dport:
- 8041
- 13041
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
config_settings:
map_merge:
@@ -154,12 +159,7 @@ outputs:
- {}
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
- tripleo::gnocchi_api::firewall_rules:
'129 gnocchi-api':
dport:
- 8041
- 13041
gnocchi::api::enabled: true
- gnocchi::api::enabled: true
gnocchi::api::enable_proxy_headers_parsing: true
gnocchi::api::service_name: 'httpd'
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}

+ 5
- 7
deployment/gnocchi/gnocchi-statsd-container-puppet.yaml View File

@@ -80,14 +80,12 @@ outputs:
description: Role data for the Gnocchi API role.
value:
service_name: gnocchi_statsd
firewall_rules:
'140 gnocchi-statsd':
dport: 8125
proto: 'udp'
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd}
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
- tripleo::gnocchi_statsd::firewall_rules:
'140 gnocchi-statsd':
dport: 8125
proto: 'udp'
config_settings: {get_attr: [GnocchiServiceBase, role_data, config_settings]}
service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:

+ 3
- 3
deployment/haproxy/haproxy-container-puppet.yaml View File

@@ -153,6 +153,9 @@ outputs:
description: Role data for the HAproxy role.
value:
service_name: haproxy
firewall_rules:
'107 haproxy stats':
dport: 1993
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
@@ -161,9 +164,6 @@ outputs:
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
# when this is updated
tripleo::haproxy::crl_file: null
- tripleo::haproxy::firewall_rules:
'107 haproxy stats':
dport: 1993
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}

+ 5
- 5
deployment/heat/heat-api-cfn-container-puppet.yaml View File

@@ -100,17 +100,17 @@ outputs:
description: Role data for the Heat API CFN role.
value:
service_name: heat_api_cfn
firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- get_attr: [HeatApiCfnLogging, config_settings]
- apache::default_vhost: false
tripleo::heat_api_cfn::firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
heat::api_cfn::bind_host:
str_replace:
template:

+ 5
- 5
deployment/heat/heat-api-container-puppet.yaml View File

@@ -114,6 +114,11 @@ outputs:
description: Role data for the Heat API role.
value:
service_name: heat_api
firewall_rules:
'125 heat_api':
dport:
- 8004
- 13004
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
config_settings:
map_merge:
@@ -121,11 +126,6 @@ outputs:
- get_attr: [HeatApiLogging, config_settings]
- get_attr: [ApacheServiceBase, role_data, config_settings]
- apache::default_vhost: false
tripleo::heat_api::firewall_rules:
'125 heat_api':
dport:
- 8004
- 13004
heat::api::bind_host:
str_replace:
template:

+ 5
- 5
deployment/horizon/horizon-container-puppet.yaml View File

@@ -140,15 +140,15 @@ outputs:
description: Role data for the Horizon API role.
value:
service_name: horizon
firewall_rules:
'126 horizon':
dport:
- 80
- 443
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
dport:
- 80
- 443
horizon::enable_secure_proxy_ssl_header: true
horizon::disable_password_reveal: true
horizon::enforce_password_check: true

+ 5
- 7
deployment/image-serve/image-serve-baremetal-ansible.yaml View File

@@ -43,13 +43,11 @@ outputs:
description: Role data for the image serve registry service
value:
service_name: docker_registry
config_settings:
tripleo::docker_registry::firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
step_config: ''
firewall_rules:
'155 docker-registry':
dport:
- 8787
- 13787
host_prep_tasks:
- name: authorize httpd to listen on registry ports
seport:

+ 33
- 35
deployment/ipsec/ipsec-baremetal-ansible.yaml View File

@@ -44,42 +44,40 @@ outputs:
description: Role data for the IPSEC service
value:
service_name: ipsec
config_settings:
tripleo::ipsec::firewall_rules:
'100 IPSEC IKE INPUT':
dport: 500
sport: 500
proto: udp
chain: INPUT
'100 IPSEC IKE OUTPUT':
dport: 500
sport: 500
proto: udp
chain: OUTPUT
'100 IPSEC IKE NAT-Traversal INPUT':
dport: 4500
sport: 4500
proto: udp
chain: INPUT
'100 IPSEC IKE NAT-Traversal OUTPUT':
dport: 4500
sport: 4500
proto: udp
chain: OUTPUT
'100 IPSEC ESP INPUT':
proto: esp
chain: INPUT
'100 IPSEC ESP OUTPUT':
proto: esp
chain: OUTPUT
'100 IPSEC Authentication Header INPUT':
proto: ah
chain: INPUT
'100 IPSEC Authentication Header OUTPUT':
proto: ah
chain: OUTPUT
firewall_rules:
'100 IPSEC IKE INPUT':
dport: 500
sport: 500
proto: udp
chain: INPUT
'100 IPSEC IKE OUTPUT':
dport: 500
sport: 500
proto: udp
chain: OUTPUT
'100 IPSEC IKE NAT-Traversal INPUT':
dport: 4500
sport: 4500
proto: udp
chain: INPUT
'100 IPSEC IKE NAT-Traversal OUTPUT':
dport: 4500
sport: 4500
proto: udp
chain: OUTPUT
'100 IPSEC ESP INPUT':
proto: esp
chain: INPUT
'100 IPSEC ESP OUTPUT':
proto: esp
chain: OUTPUT
'100 IPSEC Authentication Header INPUT':
proto: ah
chain: INPUT
'100 IPSEC Authentication Header OUTPUT':
proto: ah
chain: OUTPUT
upgrade_tasks: []
step_config: ''
external_deploy_tasks:
- name: IPSEC configuration on step 1
when: step|int == 1

+ 5
- 6
deployment/ironic/ironic-api-container-puppet.yaml View File

@@ -100,6 +100,11 @@ outputs:
description: Role data for the Ironic API role.
value:
service_name: ironic_api
firewall_rules:
'133 ironic api':
dport:
- 6385
- 13385
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
config_settings:
map_merge:
@@ -152,12 +157,6 @@ outputs:
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'

tripleo::ironic_api::firewall_rules:
'133 ironic api':
dport:
- 6385
- 13385
- apache::default_vhost: false
service_config_settings:
keystone:

+ 6
- 6
deployment/ironic/ironic-conductor-container-puppet.yaml View File

@@ -275,6 +275,12 @@ outputs:
description: Role data for the Ironic Conductor role.
value:
service_name: ironic_conductor
firewall_rules:
'134 ironic conductor TFTP':
dport: 69
proto: udp
'135 ironic conductor HTTP':
dport: {get_param: IronicIPXEPort}
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
config_settings:
map_merge:
@@ -367,12 +373,6 @@ outputs:
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
tripleo::ironic_conductor::firewall_rules:
'134 ironic conductor TFTP':
dport: 69
proto: udp
'135 ironic conductor HTTP':
dport: {get_param: IronicIPXEPort}
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
# ironic. It's used as a default value for e.g. TFTP server IP,
# glance and neutron endpoints, virtual console IP. We override

+ 31
- 31
deployment/ironic/ironic-inspector-container-puppet.yaml View File

@@ -181,6 +181,37 @@ outputs:
description: Role data for the Ironic Inspector role.
value:
service_name: ironic_inspector
firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
config_settings:
map_merge:
@@ -219,37 +250,6 @@ outputs:
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
tripleo::ironic_inspector::firewall_rules:
'137 ironic-inspector':
dport:
- 5050
'137 ironic-inspector dhcp input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv4'
proto: 'udp'
chain: 'INPUT'
dport: 67
'137 ironic-inspector dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'137 ironic-inspector dhcpv6 input':
iniface: {get_param: IronicInspectorInterface}
ipversion: 'ipv6'
proto: 'udp'
chain: 'INPUT'
dport: 547
'137 ironic-inspector dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'137 ironic-inspector dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
ironic::inspector::ironic_username: 'ironic'
ironic::inspector::ironic_password: {get_param: IronicPassword}
ironic::inspector::ironic_tenant_name: 'service'

+ 3
- 3
deployment/keepalived/keepalived-container-puppet.yaml View File

@@ -73,13 +73,13 @@ outputs:
description: Role data for the Keepalived role.
value:
service_name: keepalived
firewall_rules:
'106 keepalived vrrp':
proto: vrrp
monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived}
config_settings:
map_merge:
- tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio'
- tripleo::keepalived::firewall_rules:
'106 keepalived vrrp':
proto: vrrp
-
if:
- control_iface_empty

+ 6
- 6
deployment/keystone/keystone-container-puppet.yaml View File

@@ -355,6 +355,12 @@ outputs:
description: Role data for the Keystone API role.
value:
service_name: keystone
firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
config_settings:
map_merge:
@@ -449,12 +455,6 @@ outputs:
keystone::wsgi::apache::threads: 1
keystone::db::database_db_max_retries: -1
keystone::db::database_max_retries: -1
tripleo::keystone::firewall_rules:
'111 keystone':
dport:
- 5000
- 13000
- {get_param: [EndpointMap, KeystoneAdmin, port]}
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples

+ 5
- 5
deployment/manila/manila-api-container-puppet.yaml View File

@@ -94,6 +94,11 @@ outputs:
description: Role data for the Manila API role.
value:
service_name: manila_api
firewall_rules:
'150 manila':
dport:
- 8786
- 13786
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
config_settings:
map_merge:
@@ -105,11 +110,6 @@ outputs:
manila::keystone::authtoken::project_name: 'service'
manila::keystone::authtoken::user_domain_name: 'Default'
manila::keystone::authtoken::project_domain_name: 'Default'
tripleo::manila_api::firewall_rules:
'150 manila':
dport:
- 8786
- 13786
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):

+ 25
- 25
deployment/memcached/memcached-container-puppet.yaml View File

@@ -81,6 +81,31 @@ outputs:
description: Role data for the Memcached API role.
value:
service_name: memcached
firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
@@ -113,31 +138,6 @@ outputs:
- 'v'
- ''
memcached::disable_cachedump: true
tripleo::memcached::firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
service_config_settings:
collectd:
tripleo.collectd.plugins.memcached:

+ 9
- 10
deployment/messaging/rpc-qdrouterd-container-puppet.yaml View File

@@ -65,6 +65,15 @@ outputs:
description: Role data for the qdrouterd service.
value:
service_name: oslo_messaging_rpc
firewall_rules:
'109 qdrouterd':
dport:
- {get_param: RpcPort}
- 31459
- 31460
'109 qdr':
dport:
- {get_param: RpcPort}
global_config_settings:
oslo_messaging_rpc_scheme: amqp
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
@@ -75,12 +84,6 @@ outputs:
messaging_rpc_service_name: 'amqp'
keystone::messaging::amqp::amqp_pre_settled: 'notify'
config_settings:
tripleo::oslo_messaging_rpc::firewall_rules:
'109 qdrouterd':
dport:
- {get_param: RpcPort}
- 31459
- 31460
qdr::listener_addr:
str_replace:
template:
@@ -90,10 +93,6 @@ outputs:
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
tripleo::rabbitmq::firewall_rules:
'109 qdr':
dport:
- {get_param: RpcPort}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
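Review bot: `'109 qdr'` now lives in the same `firewall_rules` map as `'109 qdrouterd'`, which already opens `RpcPort`, so the second rule adds nothing and two same-priority rules covering the same port make the resulting chain harder to audit; unless another template keys on the `'109 qdr'` rule name, drop it. The literal ports `31459` and `31460` in `'109 qdrouterd'` also carry no explanation, so a comment such as `# 31459/31460: <purpose — TODO confirm>` above them would save the next reader a search. The `config_settings` mapping continues outside the hunk.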

+ 5
- 5
deployment/metrics/qdr-container-puppet.yaml View File

@@ -149,6 +149,10 @@ outputs:
description: Role data for the metrics Qdr role.
value:
service_name: metrics-qdr
firewall_rules:
'109 metrics qdr':
dport:
- {get_param: MetricsQdrPort}
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
service_config_settings:
rsyslog:
@@ -156,11 +160,7 @@ outputs:
- {get_param: MetricsQdrLoggingSource}
config_settings:
map_merge:
- tripleo::metrics_qdr::firewall_rules:
'109 metrics qdr':
dport:
- {get_param: MetricsQdrPort}
tripleo::profile::base::metrics::qdr::listener_addr:
- tripleo::profile::base::metrics::qdr::listener_addr:
str_replace:
template:
"%{hiera('$NETWORK')}"

+ 5
- 5
deployment/mistral/mistral-api-container-puppet.yaml View File

@@ -88,6 +88,11 @@ outputs:
description: Role data for the Mistral API role.
value:
service_name: mistral_api
firewall_rules:
'133 mistral':
dport:
- 8989
- 13989
config_settings:
map_merge:
- get_attr: [MistralBase, role_data, config_settings]
@@ -109,11 +114,6 @@ outputs:
mistral::policy::policies: {get_param: MistralApiPolicies}
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
mistral::api::allow_action_execution_deletion: true
tripleo::mistral_api::firewall_rules:
'133 mistral':
dport:
- 8989
- 13989
mistral::api::service_name: 'httpd'
mistral::wsgi::apache::bind_host:
str_replace:

+ 5
- 5
deployment/neutron/neutron-api-container-puppet.yaml View File

@@ -224,6 +224,11 @@ outputs:
description: Role data for the Neutron API role.
value:
service_name: neutron_api
firewall_rules:
'114 neutron api':
dport:
- 9696
- 13696
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
config_settings:
map_merge:
@@ -270,11 +275,6 @@ outputs:
neutron::server::sync_db: true
neutron::server::notifications::region_name: {get_param: KeystoneRegion}
neutron::server::placement::region_name: {get_param: KeystoneRegion}
tripleo::neutron_api::firewall_rules:
'114 neutron api':
dport:
- 9696
- 13696
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP

+ 6
- 6
deployment/neutron/neutron-compute-plugin-nuage.yaml View File

@@ -79,6 +79,12 @@ parameters:
outputs:
role_data:
description: Role data for the Neutron Compute Nuage plugin
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'100 metadata agent':
dport: {get_param: NuageMetadataPort}
value:
service_name: neutron_compute_plugin_nuage
config_settings:
@@ -96,11 +102,5 @@ outputs:
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
tripleo::neutron_compute_plugin_nuage::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'100 metadata agent':
dport: {get_param: NuageMetadataPort}
step_config: |
include ::tripleo::profile::base::neutron::agents::nuage
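Review bot: The added `firewall_rules` block sits between `description:` and `value:`, i.e. as a direct child of the `role_data` output rather than inside `value:` — the rendered view loses indentation, but `description` is a scalar, so there is nowhere else these lines can attach. Heat accepts only `description`, `value` and `condition` under an output, so this is likely a template validation failure, and at best the VXLAN and metadata rules never reach the role data while the old `tripleo::neutron_compute_plugin_nuage::firewall_rules` key is already gone. Move the block under `value:`, directly after `service_name: neutron_compute_plugin_nuage`, as every other service in this change does. The `value:` mapping continues outside the hunk.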

+ 24
- 24
deployment/neutron/neutron-dhcp-container-puppet.yaml View File

@@ -180,6 +180,30 @@ outputs:
description: Role data for the Neutron DHCP role.
value:
service_name: neutron_dhcp
firewall_rules:
'115 neutron dhcp input':
ipversion: 'ipv4'
proto: 'udp'
dport: 67
'116 neutron dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'115 neutron dhcpv6 input':
ipversion: 'ipv6'
proto: 'udp'
dport: 547
'116 neutron dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'116 neutron dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
config_settings:
map_merge:
@@ -209,30 +233,6 @@ outputs:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronDhcpAgentDebug}
tripleo::neutron_dhcp::firewall_rules:
'115 neutron dhcp input':
ipversion: 'ipv4'
proto: 'udp'
dport: 67
'116 neutron dhcp output':
ipversion: 'ipv4'
proto: 'udp'
chain: 'OUTPUT'
dport: 68
'115 neutron dhcpv6 input':
ipversion: 'ipv6'
proto: 'udp'
dport: 547
'116 neutron dhcpv6 output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 546
'116 neutron dhcpv6 relay output':
ipversion: 'ipv6'
proto: 'udp'
chain: 'OUTPUT'
dport: 547
- if:
- internal_tls_enabled
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'

+ 18
- 21
deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml View File

@@ -82,29 +82,26 @@ outputs:
description: Role data for the L2 Gateway role.
value:
service_name: neutron_l2gw_agent
if:
- internal_manager_enabled
- firewall_rules:
'142 neutron l2gw agent input':
proto: 'tcp'
dport: {get_param: L2gwAgentManagerTableListeningPort}
- null
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent}
config_settings:
map_merge:
- neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
neutron::agents::l2gw::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL2gwAgentDebug}
-
if:
- internal_manager_enabled
- tripleo::neutron_l2gw_agent::firewall_rules:
'142 neutron l2gw agent input':
proto: 'tcp'
dport: {get_param: L2gwAgentManagerTableListeningPort}
- null

neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries}
neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout}
neutron::agents::l2gw::debug:
if:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL2gwAgentDebug}
service_config_settings:
rsyslog:
tripleo_logging_sources_neutron_l2gw_agent:
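Review bot: The new `if:` appears as a sibling of `service_name` inside `value:`, with `firewall_rules` nested in its true branch; a mapping that has more than one key is not resolved as an intrinsic function, so `role_data.value` would carry a literal `if` key and no `firewall_rules` at all. Indentation is lost in the rendered view, so this reads from line order alone (`if:` precedes `- firewall_rules:`) and should be confirmed in the file. Invert the nesting so `firewall_rules` is the key and the condition is its value, and prefer an empty mapping to `null` in the false branch unless the consumer is known to skip null values. The `value:` mapping continues outside the hunk.
```yaml
      service_name: neutron_l2gw_agent
      firewall_rules:
        if:
          - internal_manager_enabled
          - '142 neutron l2gw agent input':
              proto: 'tcp'
              dport: {get_param: L2gwAgentManagerTableListeningPort}
          - {}
      # … unchanged: monitoring_subscription, config_settings …
```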

+ 3
- 3
deployment/neutron/neutron-l3-container-puppet.yaml View File

@@ -179,6 +179,9 @@ outputs:
description: Role data for Neutron L3 agent
value:
service_name: neutron_l3
firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
config_settings:
map_merge:
@@ -210,9 +213,6 @@ outputs:
- service_debug_unset
- {get_param: Debug}
- {get_param: NeutronL3AgentDebug}
tripleo::neutron_l3::firewall_rules:
'106 neutron_l3 vrrp':
proto: vrrp
-
- if:
- az_unset

+ 6
- 6
deployment/neutron/neutron-ovs-agent-container-puppet.yaml View File

@@ -173,6 +173,12 @@ outputs:
description: Role data for Neutron openvswitch service
value:
service_name: neutron_ovs_agent
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'136 neutron gre networks':
proto: 'gre'
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
config_settings:
map_merge:
@@ -196,12 +202,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
tripleo::neutron_ovs_agent::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'136 neutron gre networks':
proto: 'gre'
-
if:
- neutron_dvr_unset

+ 1
- 4
deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml View File

@@ -116,10 +116,7 @@ outputs:
service_name: neutron_ovs_dpdk_agent
config_settings:
map_merge:
- map_replace:
- get_attr: [NeutronOvsAgent, role_data, config_settings]
- keys:
tripleo::neutron_ovs_agent::firewall_rules: tripleo::neutron_ovs_dpdk_agent::firewall_rules
- get_attr: [NeutronOvsAgent, role_data, config_settings]
- nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
- get_attr: [RoleParametersValue, value]
service_config_settings:
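Review bot: Removing the `map_replace` leaves the DPDK agent inheriting the OVS agent's `config_settings` unchanged, but the VXLAN/GRE rules no longer live there — this same change moves them to `role_data.firewall_rules` in neutron-ovs-agent-container-puppet.yaml. Unless the `value:` mapping, which starts outside the hunk, gains `firewall_rules: {get_attr: [NeutronOvsAgent, role_data, firewall_rules]}`, DPDK compute nodes silently lose the `118 neutron vxlan networks` and `136 neutron gre networks` rules. If it is missing, that one line restores the previous behaviour.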

+ 5
- 5
deployment/nova/nova-api-container-puppet.yaml View File

@@ -146,17 +146,17 @@ outputs:
description: Role data for the Nova API role.
value:
service_name: nova_api
firewall_rules:
'113 nova_api':
dport:
- 8774
- 13774
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
config_settings:
map_merge:
- get_attr: [NovaBase, role_data, config_settings]
- get_attr: [NovaApiLogging, config_settings]
- apache::default_vhost: false
tripleo::nova_api::firewall_rules:
'113 nova_api':
dport:
- 8774
- 13774
nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::user_domain_name: 'Default'
nova::keystone::authtoken::project_domain_name: 'Default'

+ 6
- 6
deployment/nova/nova-libvirt-container-puppet.yaml View File

@@ -351,6 +351,12 @@ outputs:
description: Role data for the Libvirt service.
value:
service_name: nova_libvirt
firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
config_settings:
map_merge:
@@ -395,12 +401,6 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
tripleo::nova_libvirt::firewall_rules:
'200 nova_libvirt':
dport:
- 16514
- '61152-61215'
- '5900-6923'
-
if:
- use_tls_for_live_migration
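Review bot: `'61152-61215'` and `'5900-6923'` are port ranges in the `lo-hi` form the puppet module accepted; iptables itself takes `lo:hi`, so whether these ranges still open what they did depends on the Ansible consumer translating the separator, which this change does not show. Confirm against the consuming role, and make the convention explicit for future rules with a comment on the first range, `# ranges are written lo-hi; the consumer must translate to iptables lo:hi`. The `config_settings` mapping continues outside the hunk.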

+ 6
- 6
deployment/nova/nova-metadata-container-puppet.yaml View File

@@ -119,6 +119,11 @@ outputs:
description: Role data for the Nova Metadata service.
value:
service_name: nova_metadata
firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
config_settings:
map_merge:
@@ -126,12 +131,7 @@ outputs:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- tripleo::nova_metadata::firewall_rules:
'139 nova_metadata':
dport:
- 8775
- 13775
nova::keystone::authtoken::project_name: 'service'
- nova::keystone::authtoken::project_name: 'service'
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}

+ 4
- 4
deployment/nova/nova-migration-target-container-puppet.yaml View File

@@ -88,6 +88,10 @@ outputs:
description: Role data for the Nova Migration Target service.
value:
service_name: nova_migration_target
firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
config_settings:
map_merge:
- get_attr: [SshdBase, role_data, config_settings]
@@ -116,10 +120,6 @@ outputs:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::profile::base::sshd::port:
- 22
tripleo::nova_migration_target::firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
puppet_config:
config_volume: nova_libvirt
step_config:

+ 5
- 5
deployment/nova/nova-vnc-proxy-container-puppet.yaml View File

@@ -123,6 +123,11 @@ outputs:
description: Role data for the Nova Vncproxy service.
value:
service_name: nova_vnc_proxy
firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
config_settings:
map_merge:
- {get_attr: [NovaLogging, config_settings]}
@@ -141,11 +146,6 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
tripleo::nova_vnc_proxy::firewall_rules:
'137 nova_vnc_proxy':
dport:
- 6080
- 13080
-
if:
- use_tls_for_vnc

+ 4
- 4
deployment/nova/novajoin-container-puppet.yaml View File

@@ -94,6 +94,10 @@ outputs:
description: Role data for the novajoin API role.
value:
service_name: novajoin
firewall_rules:
'119 novajoin':
dport:
- 9090
config_settings:
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
@@ -118,10 +122,6 @@ outputs:
nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
nova::metadata::novajoin::authtoken::project_name: 'service'
tripleo::novajoin::firewall_rules:
'119 novajoin':
dport:
- 9090
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
service_config_settings:
keystone:

+ 5
- 5
deployment/octavia/octavia-api-container-puppet.yaml View File

@@ -119,6 +119,11 @@ outputs:
description: Role data for the Octavia API role.
value:
service_name: octavia_api
firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
config_settings:
map_merge:
@@ -137,11 +142,6 @@ outputs:
octavia::api::sync_db: true
octavia::api::service_name: 'httpd'
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
tripleo::octavia_api::firewall_rules:
'120 octavia api':
dport:
- 9876
- 13876
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP

+ 5
- 5
deployment/octavia/octavia-health-manager-container-puppet.yaml View File

@@ -78,16 +78,16 @@ outputs:
description: Role data for the Octavia health-manager role.
value:
service_name: octavia_health_manager
firewall_rules:
'200 octavia health manager interface':
proto: udp
dport: 5555
iniface: {get_param: OctaviaMgmtPortDevName}
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
config_settings:
map_merge:
- get_attr: [OctaviaBase, role_data, config_settings]
- octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
tripleo::octavia_health_manager::firewall_rules:
'200 octavia health manager interface':
proto: udp
dport: 5555
iniface: {get_param: OctaviaMgmtPortDevName}
service_config_settings:
rsyslog:
tripleo_logging_sources_octavia_health_manager:

+ 7
- 7
deployment/ovn/ovn-controller-container-puppet.yaml View File

@@ -125,6 +125,13 @@ outputs:
description: Role data for the Ovn Controller agent.
value:
service_name: ovn_controller
firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 neutron geneve networks':
proto: 'udp'
dport: 6081
config_settings:
map_merge:
- get_attr: [RoleParametersValue, value]
@@ -139,13 +146,6 @@ outputs:
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
tripleo::ovn_controller::firewall_rules:
'118 neutron vxlan networks':
proto: 'udp'
dport: 4789
'119 neutron geneve networks':
proto: 'udp'
dport: 6081
- if:
- force_config_drive
- nova::compute::force_config_drive: true

+ 6
- 6
deployment/ovn/ovn-dbs-container-puppet.yaml View File

@@ -58,6 +58,12 @@ outputs:
description: Role data for the OVN Dbs role.
value:
service_name: ovn_dbs
firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
config_settings:
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
@@ -68,12 +74,6 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
tripleo::haproxy::ovn_dbs_manage_lb: true
tripleo::ovn_dbs::firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
# BEGIN DOCKER SETTINGS
# puppet_config is not required for this service since we configure
# the NB and SB DB servers to listen on the proper IP address/port

+ 8
- 8
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml View File

@@ -101,6 +101,14 @@ outputs:
description: Role data for the OVN Dbs HA role.
value:
service_name: ovn_dbs
firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
# Control port for pcmk remote bundle
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
config_settings:
map_merge:
- get_attr: [OVNDbsBase, role_data, config_settings]
@@ -116,14 +124,6 @@ outputs:
- tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli}
- tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout}
- tripleo::haproxy::ovn_dbs_manage_lb: false
- tripleo::ovn_dbs::firewall_rules:
'121 OVN DB server ports':
proto: 'tcp'
dport:
# Control port for pcmk remote bundle
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
- if:
- internal_tls_enabled
- generate_service_certificates: true

+ 0
- 3
deployment/pacemaker/clustercheck-container-puppet.yaml View File

@@ -44,9 +44,6 @@ resources:
ContainersCommon:
type: ../containers-common.yaml

# We import from the corresponding docker service because otherwise we risk
# rewriting the tripleo::mysql::firewall_rules key with the baremetal firewall
# rules (see LP#1728918)
MysqlPuppetBase:
type: ../database/mysql-pacemaker-puppet.yaml
properties:

+ 5
- 5
deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml View File

@@ -89,13 +89,13 @@ outputs:
description: Role data for the Pacemaker remote role.
value:
service_name: pacemaker_remote
firewall_rules:
'130 pacemaker_remote tcp':
proto: 'tcp'
dport:
- 3121
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
config_settings:
tripleo::pacemaker_remote::firewall_rules:
'130 pacemaker_remote tcp':
proto: 'tcp'
dport:
- 3121
tripleo::fencing::config: {get_param: FencingConfig}
tripleo::fencing::deep_compare: true
enable_fencing: {get_param: EnableFencing}

+ 6
- 6
deployment/placement/placement-api-container-puppet.yaml View File

@@ -110,16 +110,16 @@ outputs:
description: Role data for the Placement API role.
value:
service_name: placement
firewall_rules:
'138 placement':
dport:
- 8778
- 13778
config_settings:
map_merge:
- get_attr: [PlacementLogging, config_settings]
- apache::default_vhost: false
- tripleo::placement::firewall_rules:
'138 placement':
dport:
- 8778
- 13778
placement::keystone::authtoken::project_name: 'service'
- placement::keystone::authtoken::project_name: 'service'
placement::keystone::authtoken::password: {get_param: PlacementPassword}
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}

+ 4
- 4
deployment/qdr/qdrouterd-container-puppet.yaml View File

@@ -62,16 +62,16 @@ outputs:
description: Role data for the qdrouterd service.
value:
service_name: rabbitmq
firewall_rules:
'109 qdr':
dport:
- {get_param: RabbitClientPort}
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
global_config_settings:
messaging_notify_service_name: 'amqp'
messaging_rpc_service_name: 'amqp'
keystone::messaging::amqp::amqp_pre_settled: 'notify'
config_settings:
tripleo::rabbitmq::firewall_rules: