From 50367fbe3563d34976deb377ed32b6f26aeca44f Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 19 Aug 2019 10:38:24 -0500 Subject: [PATCH] Convert firewall rules to use TripleO-Ansible This change converts our firewall deployment practice to use the tripleo-ansible firewall role. This change creates a new "firewall_rules" object which is queried using YAQL from the "FirewallRules" resource. A new parameter has been added allowing users to input additional firewall rules as needed. The new parameter is `ExtraFirewallRules` and will be merged on top of the YAQL interface. Depends-On: Ie5d0f51d7efccd112847d3f1edf5fd9cdb1edeed Change-Id: I1be209a04f599d1d018e730c92f1fc8dd9bf884b 
Signed-off-by: Kevin Carter --- ci/environments/multinode-core.yaml | 11 +- common/services/role.role.j2.yaml | 19 +- .../aodh/aodh-api-container-puppet.yaml | 10 +- .../barbican-api-container-puppet.yaml | 10 +- deployment/ceph-ansible/ceph-grafana.yaml | 8 + deployment/ceph-ansible/ceph-mds.yaml | 21 +-- deployment/ceph-ansible/ceph-mgr.yaml | 21 +-- deployment/ceph-ansible/ceph-mon.yaml | 23 +-- deployment/ceph-ansible/ceph-nfs.yaml | 13 +- deployment/ceph-ansible/ceph-osd.yaml | 21 +-- deployment/ceph-ansible/ceph-rbdmirror.yaml | 11 +- deployment/ceph-ansible/ceph-rgw.yaml | 21 +-- .../cinder/cinder-api-container-puppet.yaml | 10 +- .../cinder-volume-container-puppet.yaml | 6 +- deployment/database/mysql-base.yaml | 18 +- .../database/mysql-pacemaker-puppet.yaml | 20 +- .../database/redis-container-puppet.yaml | 12 +- .../database/redis-pacemaker-puppet.yaml | 12 +- .../docker-registry-baremetal-ansible.yaml | 12 +- .../kubernetes-master-baremetal-ansible.yaml | 29 ++- .../kubernetes-worker-baremetal-ansible.yaml | 38 ++-- .../tripleo-firewall-baremetal-puppet.yaml | 21 +-- deployment/etcd/etcd-container-puppet.yaml | 10 +- .../designate-api-container-puppet.yaml | 10 +- .../designate-mdns-container-puppet.yaml | 19 +- .../designate-worker-container-puppet.yaml | 22 +-- .../glance/glance-api-container-puppet.yaml | 10 +- .../gnocchi/gnocchi-api-container-puppet.yaml | 12 +- .../gnocchi-statsd-container-puppet.yaml | 12 +- .../haproxy/haproxy-container-puppet.yaml | 6 +- .../heat/heat-api-cfn-container-puppet.yaml | 10 +- .../heat/heat-api-container-puppet.yaml | 10 +- .../horizon/horizon-container-puppet.yaml | 10 +- .../image-serve-baremetal-ansible.yaml | 12 +- deployment/ipsec/ipsec-baremetal-ansible.yaml | 68 ++++--- .../ironic/ironic-api-container-puppet.yaml | 11 +- .../ironic-conductor-container-puppet.yaml | 12 +- .../ironic-inspector-container-puppet.yaml | 62 +++--- .../keepalived-container-puppet.yaml | 6 +- 
.../keystone/keystone-container-puppet.yaml | 12 +- .../manila/manila-api-container-puppet.yaml | 10 +- .../memcached/memcached-container-puppet.yaml | 50 ++--- .../rpc-qdrouterd-container-puppet.yaml | 19 +- deployment/metrics/qdr-container-puppet.yaml | 10 +- .../mistral/mistral-api-container-puppet.yaml | 10 +- .../neutron/neutron-api-container-puppet.yaml | 10 +- .../neutron/neutron-compute-plugin-nuage.yaml | 12 +- .../neutron-dhcp-container-puppet.yaml | 48 ++--- .../neutron-l2gw-agent-baremetal-puppet.yaml | 39 ++-- .../neutron/neutron-l3-container-puppet.yaml | 6 +- .../neutron-ovs-agent-container-puppet.yaml | 12 +- ...utron-ovs-dpdk-agent-container-puppet.yaml | 5 +- .../nova/nova-api-container-puppet.yaml | 10 +- .../nova/nova-libvirt-container-puppet.yaml | 12 +- .../nova/nova-metadata-container-puppet.yaml | 12 +- ...ova-migration-target-container-puppet.yaml | 8 +- .../nova/nova-vnc-proxy-container-puppet.yaml | 10 +- .../nova/novajoin-container-puppet.yaml | 8 +- .../octavia/octavia-api-container-puppet.yaml | 10 +- ...tavia-health-manager-container-puppet.yaml | 10 +- .../ovn/ovn-controller-container-puppet.yaml | 14 +- deployment/ovn/ovn-dbs-container-puppet.yaml | 12 +- deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 16 +- .../clustercheck-container-puppet.yaml | 3 - .../pacemaker-remote-baremetal-puppet.yaml | 10 +- .../placement-api-container-puppet.yaml | 12 +- .../qdr/qdrouterd-container-puppet.yaml | 8 +- .../rabbitmq/rabbitmq-container-puppet.yaml | 12 +- ...tmq-messaging-notify-container-puppet.yaml | 12 +- ...tmq-messaging-notify-pacemaker-puppet.yaml | 14 +- .../rabbitmq-messaging-pacemaker-puppet.yaml | 14 +- ...bbitmq-messaging-rpc-container-puppet.yaml | 12 +- ...bbitmq-messaging-rpc-pacemaker-puppet.yaml | 14 +- deployment/rhsm/rhsm-baremetal-ansible.yaml | 3 - .../sahara/sahara-api-container-puppet.yaml | 10 +- .../skydive-analyzer-baremetal-ansible.yaml | 17 +- deployment/snmp/snmp-baremetal-puppet.yaml | 40 ++-- 
deployment/sshd/sshd-baremetal-puppet.yaml | 34 ++-- .../swift/swift-proxy-container-puppet.yaml | 10 +- .../swift/swift-storage-container-puppet.yaml | 14 +- deployment/time/ptp-baremetal-puppet.yaml | 16 +- .../timesync/chrony-baremetal-ansible.yaml | 10 +- .../tripleo-firewall-baremetal-ansible.yaml | 177 ++++++++++++++++++ deployment/zaqar/zaqar-container-puppet.yaml | 14 +- overcloud-resource-registry-puppet.j2.yaml | 2 +- ...leo-firewall-ansible-3928f04478a09668.yaml | 15 ++ 86 files changed, 832 insertions(+), 675 deletions(-) rename deployment/{ => deprecated}/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml (95%) create mode 100644 deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml create mode 100644 releasenotes/notes/tripleo-firewall-ansible-3928f04478a09668.yaml
diff --git a/ci/environments/multinode-core.yaml b/ci/environments/multinode-core.yaml
index f34cef3777..79063de14b 100644
--- a/ci/environments/multinode-core.yaml
+++ b/ci/environments/multinode-core.yaml
@@ -30,9 +30,8 @@ outputs:
 description: Role data for the multinode firewall configuration
 value:
 service_name: multinode_core
- config_settings:
- tripleo::core::firewall_rules:
- '999 core':
- proto: 'udp'
- dport:
- - 4789
+ firewall_rules:
+ '999 core':
+ proto: 'udp'
+ dport:
+ - 4789
diff --git a/common/services/role.role.j2.yaml b/common/services/role.role.j2.yaml
index a9aa5fe78e..d99fec6f1b 100644
--- a/common/services/role.role.j2.yaml
+++ b/common/services/role.role.j2.yaml
@@ -341,6 +341,16 @@ resources:
 expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
 data: {role_data: {get_attr: [ServiceChain, role_data]}}
+ FirewallRules:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_merge:
+ yaql:
+ expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null))
+ data: {role_data: {get_attr: [ServiceChain, role_data]}}
+
 outputs:
 role_data:
@@ -381,4 +391,11 @@ outputs:
 map_merge:
 - {get_attr: [ContainerPuppetTasks, value]}
 - {get_attr: [DockerPuppetTasks, value]}
- host_prep_tasks: {get_attr: [HostPrepTasks, value]}
+ host_prep_tasks:
+ list_concat:
+ - - name: Run firewall role
+ include_role:
+ name: tripleo-firewall
+ vars:
+ tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
+ - {get_attr: [HostPrepTasks, value]}
diff --git a/deployment/aodh/aodh-api-container-puppet.yaml b/deployment/aodh/aodh-api-container-puppet.yaml
index 6c0ce2079e..ff1d9d020a 100644
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@@ -91,6 +91,11 @@ outputs:
 description: Role data for the aodh API role.
 value:
 service_name: aodh_api
+ firewall_rules:
+ '128 aodh-api':
+ dport:
+ - 8042
+ - 13042
 monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
 config_settings:
 map_merge:
@@ -109,11 +114,6 @@ outputs:
 aodh::api::enable_proxy_headers_parsing: true
 aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
 aodh::policy::policies: {get_param: AodhApiPolicies}
- tripleo::aodh_api::firewall_rules:
- '128 aodh-api':
- dport:
- - 8042
- - 13042
 aodh::api::host:
 str_replace:
 template:
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index 0da6d48284..2261006150 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
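Review bot: The `FirewallRules` value merges every service's `firewall_rules` with `map_merge`, so two services that emit the same rule name (the `'NNN name'` key) silently keep only the last definition, and a rule lost that way means either an unintended open or a blocked port with nothing in the deploy output to show it. I would add above `FirewallRules:` the comment `# NOTE: rules are merged by key; a rule name reused by two services keeps only the last definition` and consider validating that the YAQL list carries no duplicate keys. The `include_role` added to `host_prep_tasks` runs unconditionally and ahead of every other host prep task; whether `ManageFirewall`/`PurgeFirewallRules` still gate it now depends on the tripleo-firewall role, which is not visible in this hunk, so that should be confirmed before the puppet path is retired.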
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -187,6 +187,11 @@ outputs:
 description: Role data for the Barbican API role.
 value:
 service_name: barbican_api
+ firewall_rules:
+ '117 barbican':
+ dport:
+ - 9311
+ - 13311
 config_settings:
 map_merge:
 - get_attr: [ApacheServiceBase, role_data, config_settings]
@@ -245,11 +250,6 @@ outputs:
 read_default_file: /etc/my.cnf.d/tripleo.cnf
 read_default_group: tripleo
- tripleo::barbican_api::firewall_rules:
- '117 barbican':
- dport:
- - 9311
- - 13311
 service_config_settings:
 mysql:
 barbican::db::mysql::password: {get_param: BarbicanPassword}
diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml
index f94df9fcf0..606424dfb8 100644
--- a/deployment/ceph-ansible/ceph-grafana.yaml
+++ b/deployment/ceph-ansible/ceph-grafana.yaml
@@ -103,6 +103,14 @@ outputs:
 description: Role data for the Ceph Dashboard service.
 value:
 service_name: ceph_grafana
+ firewall_rules:
+ '123 ceph_dashboard':
+ dport:
+ - 3100
+ - 9090
+ - 9093
+ - 9094
+ - 9100
 upgrade_tasks: []
 puppet_config:
 config_image: ''
diff --git a/deployment/ceph-ansible/ceph-mds.yaml b/deployment/ceph-ansible/ceph-mds.yaml
index 130e5ccdcd..1191798843 100644
--- a/deployment/ceph-ansible/ceph-mds.yaml
+++ b/deployment/ceph-ansible/ceph-mds.yaml
@@ -66,6 +66,15 @@ outputs:
 description: Role data for the Ceph Metadata service.
 value:
 service_name: ceph_mds
+ firewall_rules:
+ '112 ceph_mds':
+ dport:
+ list_concat:
+ - - '6800-7300'
+ - if:
+ - dashboard_enabled
+ - - '9100'
+ - []
 upgrade_tasks: []
 puppet_config:
 config_image: ''
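Review bot: The ceph-grafana rule lists `9100` as an integer while the ceph-mds hunk on this line (and the ceph-mgr, ceph-mon, ceph-osd and ceph-rgw hunks that follow) passes `'9100'` as a quoted string, and ceph-mon additionally mixes the integers `6789`/`3300` with that string; since all of these now land in one merged `tripleo_firewall_rules` structure, `dport` arrives typed inconsistently. Presumably the role stringifies values before rendering rules, but that is not visible here; writing the port the same way in every template (`- '9100'`) avoids depending on it.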
@@ -88,15 +97,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_mds::firewall_rules:
- '112 ceph_mds':
- dport:
- list_concat:
- - - '6800-7300'
- - if:
- - dashboard_enabled
- - - '9100'
- - []
- - {}
diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml
index 857104a22f..c8e085bec9 100644
--- a/deployment/ceph-ansible/ceph-mgr.yaml
+++ b/deployment/ceph-ansible/ceph-mgr.yaml
@@ -76,6 +76,15 @@ outputs:
 description: Role data for the Ceph Manager service.
 value:
 service_name: ceph_mgr
+ firewall_rules:
+ '113 ceph_mgr':
+ dport:
+ list_concat:
+ - - '6800-7300'
+ - if:
+ - dashboard_enabled
+ - - '8443'
+ - []
 upgrade_tasks: []
 puppet_config:
 config_image: ''
@@ -98,15 +107,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_mgr::firewall_rules:
- '113 ceph_mgr':
- dport:
- list_concat:
- - - '6800-7300'
- - if:
- - dashboard_enabled
- - - '8443'
- - []
- - {}
diff --git a/deployment/ceph-ansible/ceph-mon.yaml b/deployment/ceph-ansible/ceph-mon.yaml
index 07361a66e9..ce45d7ea1d 100644
--- a/deployment/ceph-ansible/ceph-mon.yaml
+++ b/deployment/ceph-ansible/ceph-mon.yaml
@@ -80,6 +80,16 @@ outputs:
 description: Role data for the Ceph Monitor service.
 value:
 service_name: ceph_mon
+ firewall_rules:
+ '110 ceph_mon':
+ dport:
+ list_concat:
+ - - 6789
+ - - 3300
+ - if:
+ - dashboard_enabled
+ - - '9100'
+ - []
 upgrade_tasks: []
 puppet_config:
 config_image: ''
@@ -102,16 +112,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_mon::firewall_rules:
- '110 ceph_mon':
- dport:
- list_concat:
- - - 6789
- - - 3300
- - if:
- - dashboard_enabled
- - - '9100'
- - []
- - {}
diff --git a/deployment/ceph-ansible/ceph-nfs.yaml b/deployment/ceph-ansible/ceph-nfs.yaml
index 88d3b21082..b31d3f10e3 100644
--- a/deployment/ceph-ansible/ceph-nfs.yaml
+++ b/deployment/ceph-ansible/ceph-nfs.yaml
@@ -66,6 +66,11 @@ outputs:
 description: Role data for the Ceph NFS Ganesha service.
 value:
 service_name: ceph_nfs
+ firewall_rules:
+ '120 ceph_nfs':
+ dport:
+ # We support only NFS 4.1 to start
+ - 2049
 upgrade_tasks: []
 step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
 puppet_config:
@@ -90,11 +95,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_nfs::firewall_rules:
- '120 ceph_nfs':
- dport:
- # We support only NFS 4.1 to start
- - 2049
- - {}
diff --git a/deployment/ceph-ansible/ceph-osd.yaml b/deployment/ceph-ansible/ceph-osd.yaml
index e49a8dee61..9a7ea3ad08 100644
--- a/deployment/ceph-ansible/ceph-osd.yaml
+++ b/deployment/ceph-ansible/ceph-osd.yaml
@@ -69,6 +69,15 @@ outputs:
 description: Role data for the Ceph OSD service.
 value:
 service_name: ceph_osd
+ firewall_rules:
+ '111 ceph_osd':
+ dport:
+ list_concat:
+ - - '6800-7300'
+ - if:
+ - dashboard_enabled
+ - - '9100'
+ - []
 upgrade_tasks:
 - name: Check legacy Ceph hieradata
 tags: validation
@@ -95,15 +104,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_osd::firewall_rules:
- '111 ceph_osd':
- dport:
- list_concat:
- - - '6800-7300'
- - if:
- - dashboard_enabled
- - - '9100'
- - []
- - {}
diff --git a/deployment/ceph-ansible/ceph-rbdmirror.yaml b/deployment/ceph-ansible/ceph-rbdmirror.yaml
index b1cb3653b7..efeb4ebb4c 100644
--- a/deployment/ceph-ansible/ceph-rbdmirror.yaml
+++ b/deployment/ceph-ansible/ceph-rbdmirror.yaml
@@ -82,6 +82,10 @@ outputs:
 description: Role data for the Ceph RBD Mirror service.
 value:
 service_name: ceph_rbdmirror
+ firewall_rules:
+ '114 ceph_rbdmirror':
+ dport:
+ - '6800-7300'
 upgrade_tasks: []
 puppet_config:
 config_image: ''
@@ -104,10 +108,3 @@ outputs:
 content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_rbdmirror::firewall_rules:
- '114 ceph_rbdmirror':
- dport:
- - '6800-7300'
- - {}
diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml
index ffc999c319..583d858188 100644
--- a/deployment/ceph-ansible/ceph-rgw.yaml
+++ b/deployment/ceph-ansible/ceph-rgw.yaml
@@ -76,6 +76,15 @@ outputs:
 description: Role data for the Ceph RadosGW service.
 value:
 service_name: ceph_rgw
+ firewall_rules:
+ '122 ceph rgw':
+ dport:
+ list_concat:
+ - - {get_param: [EndpointMap, CephRgwInternal, port]}
+ - if:
+ - dashboard_enabled
+ - - '9100'
+ - []
 upgrade_tasks: []
 puppet_config:
 config_image: ''
@@ -98,18 +107,6 @@ outputs:
 content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
 external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
 external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
- config_settings:
- map_merge:
- - tripleo::ceph_rgw::firewall_rules:
- '122 ceph rgw':
- dport:
- list_concat:
- - - {get_param: [EndpointMap, CephRgwInternal, port]}
- - if:
- - dashboard_enabled
- - - '9100'
- - []
- - {}
 service_config_settings:
 keystone:
 ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
diff --git a/deployment/cinder/cinder-api-container-puppet.yaml b/deployment/cinder/cinder-api-container-puppet.yaml
index 0f43ce962e..45e2823529 100644
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@@ -118,6 +118,11 @@ outputs:
 description: Role data for the Cinder API role.
 value:
 service_name: cinder_api
+ firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
 monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
 config_settings:
 map_merge:
@@ -143,11 +148,6 @@ outputs:
 DEFAULT/swift_catalog_info:
 value: 'object-store:swift:internalURL'
 tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
- tripleo::cinder_api::firewall_rules:
- '119 cinder':
- dport:
- - 8776
- - 13776
 cinder::api::bind_host:
 str_replace:
 template:
diff --git a/deployment/cinder/cinder-volume-container-puppet.yaml b/deployment/cinder/cinder-volume-container-puppet.yaml
index 0a05894923..3dd7a69430 100644
--- a/deployment/cinder/cinder-volume-container-puppet.yaml
+++ b/deployment/cinder/cinder-volume-container-puppet.yaml
@@ -198,6 +198,9 @@ outputs:
 description: Role data for the Cinder Volume role.
 value:
 service_name: cinder_volume
+ firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
 monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
 config_settings:
 map_merge:
@@ -226,9 +229,6 @@ outputs:
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
- tripleo::cinder_volume::firewall_rules:
- '120 iscsi initiator':
- dport: 3260
 # NOTE: bind IP is found in hiera replacing the network name with the local node IP
 # for the given network; replacement examples (eg. for internal_api):
 # internal_api -> IP
diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml
index 12290b133d..7bfb6f86c0 100644
--- a/deployment/database/mysql-base.yaml
+++ b/deployment/database/mysql-base.yaml
@@ -68,6 +68,15 @@ outputs:
 description: Service MySQL using composable services.
 value:
 service_name: mysql
+ firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
 config_settings:
 map_merge:
 -
@@ -79,15 +88,6 @@ outputs:
 mysql::server::package_name: 'mariadb-galera-server'
 mysql::server::manage_config_file: true
 mysql_ipv6: {get_param: MysqlIPv6}
- tripleo::mysql::firewall_rules:
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
 mysql_max_connections: {get_param: MysqlMaxConnections}
 mysql::server::root_password:
 yaql:
diff --git a/deployment/database/mysql-pacemaker-puppet.yaml b/deployment/database/mysql-pacemaker-puppet.yaml
index 2d038d533e..693c46f8e6 100644
--- a/deployment/database/mysql-pacemaker-puppet.yaml
+++ b/deployment/database/mysql-pacemaker-puppet.yaml
@@ -99,6 +99,16 @@ outputs:
 description: Containerized service MySQL using composable services.
 value:
 service_name: {get_attr: [MysqlBase, role_data, service_name]}
+ firewall_rules:
+ '104 mysql galera-bundle':
+ dport:
+ - 873
+ - 3123
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
 config_settings:
 map_merge:
 - get_attr: [MysqlBase, role_data, config_settings]
@@ -131,16 +141,6 @@ outputs:
 - 'pcmklatest'
 tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
 tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
- tripleo::mysql::firewall_rules:
- '104 mysql galera-bundle':
- dport:
- - 873
- - 3123
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
 tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
 str_replace:
 template:
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 479c172490..e6601560e5 100644
--- a/deployment/database/redis-container-puppet.yaml
+++ b/deployment/database/redis-container-puppet.yaml
@@ -62,18 +62,18 @@ outputs:
 description: Role data for the Redis API role.
 value:
 service_name: redis
+ firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
 config_settings:
 map_merge:
 - {get_attr: [RedisBase, role_data, config_settings]}
 - redis::daemonize: false
 tripleo::stunnel::manage_service: false
 tripleo::stunnel::foreground: 'yes'
- - tripleo::redis::firewall_rules:
- '108 redis':
- dport:
- - 6379
- - 26379
- tripleo::profile::base::database::redis::tls_proxy_bind_ip:
+ - tripleo::profile::base::database::redis::tls_proxy_bind_ip:
 str_replace:
 template:
 "%{hiera('$NETWORK')}"
diff --git a/deployment/database/redis-pacemaker-puppet.yaml b/deployment/database/redis-pacemaker-puppet.yaml
index 3f730d7d89..b94a635324 100644
--- a/deployment/database/redis-pacemaker-puppet.yaml
+++ b/deployment/database/redis-pacemaker-puppet.yaml
@@ -86,6 +86,12 @@ outputs:
 description: Role data for the Redis API role.
 value:
 service_name: redis
+ firewall_rules:
+ '108 redis-bundle':
+ dport:
+ - 3124
+ - 6379
+ - 26379
 config_settings:
 map_merge:
 - {get_attr: [RedisBase, role_data, config_settings]}
@@ -101,12 +107,6 @@ outputs:
 - 'pcmklatest'
 tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
 tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
- tripleo::redis::firewall_rules:
- '108 redis-bundle':
- dport:
- - 3124
- - 6379
- - 26379
 tripleo::stunnel::manage_service: false
 tripleo::stunnel::foreground: 'yes'
 tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:
diff --git a/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml b/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
index b62e433015..2f98ad7f55 100644
--- a/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
+++ b/deployment/deprecated/docker/docker-registry-baremetal-ansible.yaml
@@ -43,13 +43,11 @@ outputs:
 description: Role data for the docker registry service
 value:
 service_name: docker_registry
- config_settings:
- tripleo::docker_registry::firewall_rules:
- '155 docker-registry':
- dport:
- - 8787
- - 13787
- step_config: ''
+ firewall_rules:
+ '155 docker-registry':
+ dport:
+ - 8787
+ - 13787
 host_prep_tasks:
 - name: Install, Configure and Run Docker Distribution
 block:
diff --git a/deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml b/deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml
index 3d8427a1b3..73edbae56e 100644
--- a/deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml
+++ b/deployment/deprecated/kubernetes/kubernetes-master-baremetal-ansible.yaml
@@ -43,21 +43,20 @@ outputs:
 description: Role data for the Kubernetes Service
 value:
 service_name: kubernetes_master
- config_settings:
- tripleo::kubernetes_master::firewall_rules:
- '200 kubernetes-master api':
- dport: 6443
- proto: tcp
- '200 kubernetes-master etcd':
- dport:
- - 2379
- - 2380
- proto: tcp
- '200 kubernetes-master flannel':
- dport:
- - 8285
- - 8472
- proto: udp
+ firewall_rules:
+ '200 kubernetes-master api':
+ dport: 6443
+ proto: tcp
+ '200 kubernetes-master etcd':
+ dport:
+ - 2379
+ - 2380
+ proto: tcp
+ '200 kubernetes-master flannel':
+ dport:
+ - 8285
+ - 8472
+ proto: udp
 upgrade_tasks: []
 step_config: ''
 external_deploy_tasks:
diff --git a/deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml b/deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml
index 1d14fecf01..5d1175879b 100644
--- a/deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml
+++ b/deployment/deprecated/kubernetes/kubernetes-worker-baremetal-ansible.yaml
@@ -41,24 +41,22 @@ outputs:
 # as workers. The actual installation is performed in
 # kubernetes-master service template.
 service_name: kubernetes_worker
- config_settings:
- tripleo::kubernetes_worker::firewall_rules:
- '200 kubernetes-worker kubelet':
- dport:
- - 10250
- - 10255
- proto: tcp
- '200 kubernetes-worker external services':
- dport: '30000-32767'
- '200 kubernetes-worker flannel':
- dport:
- - 8285
- - 8472
- proto: udp
- '200 kubernetes-worker calico bgp':
- dport: 179
- proto: tcp
- '200 kubernetes-worker calico ipv4-in-ip':
- proto: ipv4
+ firewall_rules:
+ '200 kubernetes-worker kubelet':
+ dport:
+ - 10250
+ - 10255
+ proto: tcp
+ '200 kubernetes-worker external services':
+ dport: '30000-32767'
+ '200 kubernetes-worker flannel':
+ dport:
+ - 8285
+ - 8472
+ proto: udp
+ '200 kubernetes-worker calico bgp':
+ dport: 179
+ proto: tcp
+ '200 kubernetes-worker calico ipv4-in-ip':
+ proto: ipv4
 upgrade_tasks: []
- step_config: ''
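Review bot: The kubernetes-master hunk keeps `step_config: ''` while the kubernetes-worker hunk on this same line and the docker-registry hunk just before it drop that key, so the three deprecated `*-baremetal-ansible` templates now disagree on whether `role_data` must carry `step_config`. If the consumers of `role_data` tolerate a missing `step_config` (which the worker and registry removals assume), the master line can go as well; if they do not, the two removals need a check. Either way the three templates should agree, and a one-line comment at the removal site saying why `step_config` is no longer emitted would save the next reader the same question.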
diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
similarity index 95%
rename from deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
rename to deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
index 393c8c1dbd..c06507e8f3 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/deprecated/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@@ -50,20 +50,19 @@ outputs:
 description: Role data for the TripleO firewall settings
 value:
 service_name: tripleo_firewall
+ firewall_rules:
+ map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
+ template:
+ '003 accept ssh from ctlplane subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: 22
 config_settings:
 tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
 tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
- tripleo::tripleo_firewall::firewall_rules:
- map_merge:
- repeat:
- for_each:
- <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
- template:
- '003 accept ssh from ctlplane subnet <%net_cidr%>':
- source: <%net_cidr%>
- proto: 'tcp'
- dport: 22
-
 step_config: |
 include ::tripleo::firewall
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index 8fb20bb0ee..2a219d6245 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -55,6 +55,11 @@ outputs:
 description: Role data for the etcd role.
 value:
 service_name: etcd
+ firewall_rules:
+ '141 etcd':
+ dport:
+ - 2379
+ - 2380
 monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
 config_settings:
 map_merge:
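Review bot: This deprecated puppet template now emits `firewall_rules` (consumed by the tripleo-firewall role that the role template runs from `host_prep_tasks`) while still keeping `step_config: include ::tripleo::firewall` together with `tripleo::firewall::purge_firewall_rules`, so a deployment that selects this file through the resource registry ends up with two managers of the same iptables ruleset; with `PurgeFirewallRules` enabled the puppet run could remove rules the role installed, or the reverse depending on ordering. I would either drop the `firewall_rules` output here or state the intended owner above it, e.g. `# NOTE: when this deprecated template is selected, puppet tripleo::firewall still manages the node; these rules are also handed to the tripleo-firewall ansible role`. The new ansible template is not in this chunk, so whether the `'003 accept ssh from ctlplane subnet'` rule is carried there too cannot be confirmed from here and is worth checking, since losing it would lock operators out of the ctlplane.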
@@ -80,11 +85,6 @@ outputs:
 tripleo::profile::base::etcd::peer_port: '2380'
 etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
 etcd::manage_package: false
- tripleo::etcd::firewall_rules:
- '141 etcd':
- dport:
- - 2379
- - 2380
 etcd::manage_service: false
 - if:
diff --git a/deployment/experimental/designate/designate-api-container-puppet.yaml b/deployment/experimental/designate/designate-api-container-puppet.yaml
index 7e2ce04a62..5095269bf8 100644
--- a/deployment/experimental/designate/designate-api-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-api-container-puppet.yaml
@@ -79,6 +79,11 @@ outputs:
 description: Role data for the Designate API role.
 value:
 service_name: designate_api
+ firewall_rules:
+ '139 designate api':
+ dport:
+ - 9001
+ - 13001
 monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
 config_settings:
 map_merge:
@@ -94,11 +99,6 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
 tripleo::profile::base::designate::api::listen_port: 9001
- tripleo::designate_api::firewall_rules:
- '139 designate api':
- dport:
- - 9001
- - 13001
 - if:
 - designate_workers_zero
diff --git a/deployment/experimental/designate/designate-mdns-container-puppet.yaml b/deployment/experimental/designate/designate-mdns-container-puppet.yaml
index 76c94c9672..a6f3646f48 100644
--- a/deployment/experimental/designate/designate-mdns-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-mdns-container-puppet.yaml
@@ -80,6 +80,15 @@ outputs:
 description: Role data for the Designate MDNS role.
 value:
 service_name: designate_mdns
+ firewall_rules:
+ '142 designate_mdns udp':
+ proto: 'udp'
+ dport:
+ - 5354
+ '143 designate_mdns tcp':
+ proto: 'tcp'
+ dport:
+ - 5354
 monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
 config_settings:
 map_merge:
@@ -103,16 +112,6 @@ outputs:
 - read_default_file: /etc/my.cnf.d/tripleo.cnf
 read_default_group: tripleo
- - tripleo::designate_mdns::firewall_rules:
- '142 designate_mdns udp':
- proto: 'udp'
- dport:
- - 5354
- '143 designate_mdns tcp':
- proto: 'tcp'
- dport:
- - 5354
 - if:
 - designate_workers_zero
diff --git a/deployment/experimental/designate/designate-worker-container-puppet.yaml b/deployment/experimental/designate/designate-worker-container-puppet.yaml
index 4d1907a7d3..b5ff0fbd99 100644
--- a/deployment/experimental/designate/designate-worker-container-puppet.yaml
+++ b/deployment/experimental/designate/designate-worker-container-puppet.yaml
@@ -79,6 +79,17 @@ outputs:
 description: Role data for the Designate Worker role.
 value:
 service_name: designate_worker
+ firewall_rules:
+ '140 designate_worker udp':
+ proto: 'udp'
+ dport:
+ - 53
+ - 953
+ '141 designate_worker tcp':
+ proto: 'tcp'
+ dport:
+ - 53
+ - 953
 monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
 config_settings:
 map_merge:
@@ -118,17 +129,6 @@ outputs:
 "%{hiera('$NETWORK')}"
 params:
 $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
- tripleo::designate_worker::firewall_rules:
- '140 designate_worker udp':
- proto: 'udp'
- dport:
- - 53
- - 953
- '141 designate_worker tcp':
- proto: 'tcp'
- dport:
- - 53
- - 953
 - if:
 - designate_workers_zero
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index 8627c9c70a..95f4946a97 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -294,6 +294,11 @@ outputs:
 description: Role data for the Glance API role.
 value:
 service_name: glance_api
+ firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
 monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
 config_settings:
 map_merge:
@@ -331,11 +336,6 @@ outputs:
 - {get_param: Debug }
 - {get_param: GlanceDebug }
 glance::policy::policies: {get_param: GlanceApiPolicies}
- tripleo::glance_api::firewall_rules:
- '112 glance_api':
- dport:
- - 9292
- - 13292
 glance::api::authtoken::project_name: 'service'
 glance::api::authtoken::region_name: {get_param: KeystoneRegion}
 glance::api::authtoken::user_domain_name: 'Default'
diff --git a/deployment/gnocchi/gnocchi-api-container-puppet.yaml b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
index ee0c9a167d..763cabab62 100644
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@@ -142,6 +142,11 @@ outputs:
 description: Role data for the gnocchi API role.
 value:
 service_name: gnocchi_api
+ firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
 monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
 config_settings:
 map_merge:
@@ -154,12 +159,7 @@ outputs:
 - {}
 - gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
 gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
- - tripleo::gnocchi_api::firewall_rules:
- '129 gnocchi-api':
- dport:
- - 8041
- - 13041
- gnocchi::api::enabled: true
+ - gnocchi::api::enabled: true
 gnocchi::api::enable_proxy_headers_parsing: true
 gnocchi::api::service_name: 'httpd'
 gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
diff --git a/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml b/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml
index db76870211..1d4f55f6b2 100644
--- a/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-statsd-container-puppet.yaml
@@ -80,14 +80,12 @@ outputs: description: Role data for the Gnocchi API role. value: service_name: gnocchi_statsd + firewall_rules: + '140 gnocchi-statsd': + dport: 8125 + proto: 'udp' monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd} - config_settings: - map_merge: - - get_attr: [GnocchiServiceBase, role_data, config_settings] - - tripleo::gnocchi_statsd::firewall_rules: - '140 gnocchi-statsd': - dport: 8125 - proto: 'udp' + config_settings: {get_attr: [GnocchiServiceBase, role_data, config_settings]} service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/haproxy/haproxy-container-puppet.yaml b/deployment/haproxy/haproxy-container-puppet.yaml index 8f77dbd77b..f70a550caa 100644 --- a/deployment/haproxy/haproxy-container-puppet.yaml +++ b/deployment/haproxy/haproxy-container-puppet.yaml @@ -153,6 +153,9 @@ outputs: description: Role data for the HAproxy role. value: service_name: haproxy + firewall_rules: + '107 haproxy stats': + dport: 1993 monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: @@ -161,9 +164,6 @@ outputs: # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy # when this is updated tripleo::haproxy::crl_file: null - - tripleo::haproxy::firewall_rules: - '107 haproxy stats': - dport: 1993 tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} diff --git a/deployment/heat/heat-api-cfn-container-puppet.yaml b/deployment/heat/heat-api-cfn-container-puppet.yaml index 44ed018ca4..3a0592581c 100644 --- a/deployment/heat/heat-api-cfn-container-puppet.yaml +++ b/deployment/heat/heat-api-cfn-container-puppet.yaml 
@@ -100,17 +100,17 @@ outputs: description: Role data for the Heat API CFN role. value: service_name: heat_api_cfn + firewall_rules: + '125 heat_cfn': + dport: + - 8000 + - 13800 monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf} config_settings: map_merge: - get_attr: [HeatBase, role_data, config_settings] - get_attr: [HeatApiCfnLogging, config_settings] - apache::default_vhost: false - tripleo::heat_api_cfn::firewall_rules: - '125 heat_cfn': - dport: - - 8000 - - 13800 heat::api_cfn::bind_host: str_replace: template: diff --git a/deployment/heat/heat-api-container-puppet.yaml b/deployment/heat/heat-api-container-puppet.yaml index 97e87bcd63..1a852fbb22 100644 --- a/deployment/heat/heat-api-container-puppet.yaml +++ b/deployment/heat/heat-api-container-puppet.yaml @@ -114,6 +114,11 @@ outputs: description: Role data for the Heat API role. value: service_name: heat_api + firewall_rules: + '125 heat_api': + dport: + - 8004 + - 13004 monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi} config_settings: map_merge: @@ -121,11 +126,6 @@ outputs: - get_attr: [HeatApiLogging, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - apache::default_vhost: false - tripleo::heat_api::firewall_rules: - '125 heat_api': - dport: - - 8004 - - 13004 heat::api::bind_host: str_replace: template: diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml index 27c973a842..7db8eb3674 100644 --- a/deployment/horizon/horizon-container-puppet.yaml +++ b/deployment/horizon/horizon-container-puppet.yaml 
@@ -140,15 +140,15 @@ outputs: description: Role data for the Horizon API role. value: service_name: horizon + firewall_rules: + '126 horizon': + dport: + - 80 + - 443 monitoring_subscription: {get_param: MonitoringSubscriptionHorizon} config_settings: map_merge: - horizon::allowed_hosts: {get_param: HorizonAllowedHosts} - tripleo::horizon::firewall_rules: - '126 horizon': - dport: - - 80 - - 443 horizon::enable_secure_proxy_ssl_header: true horizon::disable_password_reveal: true horizon::enforce_password_check: true diff --git a/deployment/image-serve/image-serve-baremetal-ansible.yaml b/deployment/image-serve/image-serve-baremetal-ansible.yaml index 0675499ff6..f202f8b58c 100644 --- a/deployment/image-serve/image-serve-baremetal-ansible.yaml +++ b/deployment/image-serve/image-serve-baremetal-ansible.yaml @@ -43,13 +43,11 @@ outputs: description: Role data for the image serve registry service value: service_name: docker_registry - config_settings: - tripleo::docker_registry::firewall_rules: - '155 docker-registry': - dport: - - 8787 - - 13787 - step_config: '' + firewall_rules: + '155 docker-registry': + dport: + - 8787 + - 13787 host_prep_tasks: - name: authorize httpd to listen on registry ports seport: diff --git a/deployment/ipsec/ipsec-baremetal-ansible.yaml b/deployment/ipsec/ipsec-baremetal-ansible.yaml index ed8ad1cce7..547b66997d 100644 --- a/deployment/ipsec/ipsec-baremetal-ansible.yaml +++ b/deployment/ipsec/ipsec-baremetal-ansible.yaml 
@@ -44,42 +44,40 @@ outputs: description: Role data for the IPSEC service value: service_name: ipsec - config_settings: - tripleo::ipsec::firewall_rules: - '100 IPSEC IKE INPUT': - dport: 500 - sport: 500 - proto: udp - chain: INPUT - '100 IPSEC IKE OUTPUT': - dport: 500 - sport: 500 - proto: udp - chain: OUTPUT - '100 IPSEC IKE NAT-Traversal INPUT': - dport: 4500 - sport: 4500 - proto: udp - chain: INPUT - '100 IPSEC IKE NAT-Traversal OUTPUT': - dport: 4500 - sport: 4500 - proto: udp - chain: OUTPUT - '100 IPSEC ESP INPUT': - proto: esp - chain: INPUT - '100 IPSEC ESP OUTPUT': - proto: esp - chain: OUTPUT - '100 IPSEC Authentication Header INPUT': - proto: ah - chain: INPUT - '100 IPSEC Authentication Header OUTPUT': - proto: ah - chain: OUTPUT + firewall_rules: + '100 IPSEC IKE INPUT': + dport: 500 + sport: 500 + proto: udp + chain: INPUT + '100 IPSEC IKE OUTPUT': + dport: 500 + sport: 500 + proto: udp + chain: OUTPUT + '100 IPSEC IKE NAT-Traversal INPUT': + dport: 4500 + sport: 4500 + proto: udp + chain: INPUT + '100 IPSEC IKE NAT-Traversal OUTPUT': + dport: 4500 + sport: 4500 + proto: udp + chain: OUTPUT + '100 IPSEC ESP INPUT': + proto: esp + chain: INPUT + '100 IPSEC ESP OUTPUT': + proto: esp + chain: OUTPUT + '100 IPSEC Authentication Header INPUT': + proto: ah + chain: INPUT + '100 IPSEC Authentication Header OUTPUT': + proto: ah + chain: OUTPUT upgrade_tasks: [] - step_config: '' external_deploy_tasks: - name: IPSEC configuration on step 1 when: step|int == 1 diff --git a/deployment/ironic/ironic-api-container-puppet.yaml b/deployment/ironic/ironic-api-container-puppet.yaml index e06d1b5a86..b45c2ca65d 100644 --- a/deployment/ironic/ironic-api-container-puppet.yaml +++ b/deployment/ironic/ironic-api-container-puppet.yaml 
@@ -100,6 +100,11 @@ outputs: description: Role data for the Ironic API role. value: service_name: ironic_api + firewall_rules: + '133 ironic api': + dport: + - 6385 + - 13385 monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi} config_settings: map_merge: @@ -152,12 +157,6 @@ outputs: ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH' ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token' ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma' - - tripleo::ironic_api::firewall_rules: - '133 ironic api': - dport: - - 6385 - - 13385 - apache::default_vhost: false service_config_settings: keystone: diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml index d0db833df2..21e2edf564 100644 --- a/deployment/ironic/ironic-conductor-container-puppet.yaml +++ b/deployment/ironic/ironic-conductor-container-puppet.yaml @@ -275,6 +275,12 @@ outputs: description: Role data for the Ironic Conductor role. value: service_name: ironic_conductor + firewall_rules: + '134 ironic conductor TFTP': + dport: 69 + proto: udp + '135 ironic conductor HTTP': + dport: {get_param: IronicIPXEPort} monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor} config_settings: map_merge: 
@@ -367,12 +373,6 @@ outputs: ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces} ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface} ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface} - tripleo::ironic_conductor::firewall_rules: - '134 ironic conductor TFTP': - dport: 69 - proto: udp - '135 ironic conductor HTTP': - dport: {get_param: IronicIPXEPort} # NOTE(dtantsur): the my_ip parameter is heavily overloaded in # ironic. It's used as a default value for e.g. TFTP server IP, # glance and neutron endpoints, virtual console IP. We override diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml index 77b749b995..9e06258c3a 100644 --- a/deployment/ironic/ironic-inspector-container-puppet.yaml +++ b/deployment/ironic/ironic-inspector-container-puppet.yaml @@ -181,6 +181,37 @@ outputs: description: Role data for the Ironic Inspector role. value: service_name: ironic_inspector + firewall_rules: + '137 ironic-inspector': + dport: + - 5050 + '137 ironic-inspector dhcp input': + iniface: {get_param: IronicInspectorInterface} + ipversion: 'ipv4' + proto: 'udp' + chain: 'INPUT' + dport: 67 + '137 ironic-inspector dhcp output': + ipversion: 'ipv4' + proto: 'udp' + chain: 'OUTPUT' + dport: 68 + '137 ironic-inspector dhcpv6 input': + iniface: {get_param: IronicInspectorInterface} + ipversion: 'ipv6' + proto: 'udp' + chain: 'INPUT' + dport: 547 + '137 ironic-inspector dhcpv6 output': + ipversion: 'ipv6' + proto: 'udp' + chain: 'OUTPUT' + dport: 546 + '137 ironic-inspector dhcpv6 relay output': + ipversion: 'ipv6' + proto: 'udp' + chain: 'OUTPUT' + dport: 547 monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector} config_settings: map_merge: 
@@ -219,37 +250,6 @@ outputs: ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH' ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token' ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma' - tripleo::ironic_inspector::firewall_rules: - '137 ironic-inspector': - dport: - - 5050 - '137 ironic-inspector dhcp input': - iniface: {get_param: IronicInspectorInterface} - ipversion: 'ipv4' - proto: 'udp' - chain: 'INPUT' - dport: 67 - '137 ironic-inspector dhcp output': - ipversion: 'ipv4' - proto: 'udp' - chain: 'OUTPUT' - dport: 68 - '137 ironic-inspector dhcpv6 input': - iniface: {get_param: IronicInspectorInterface} - ipversion: 'ipv6' - proto: 'udp' - chain: 'INPUT' - dport: 547 - '137 ironic-inspector dhcpv6 output': - ipversion: 'ipv6' - proto: 'udp' - chain: 'OUTPUT' - dport: 546 - '137 ironic-inspector dhcpv6 relay output': - ipversion: 'ipv6' - proto: 'udp' - chain: 'OUTPUT' - dport: 547 ironic::inspector::ironic_username: 'ironic' ironic::inspector::ironic_password: {get_param: IronicPassword} ironic::inspector::ironic_tenant_name: 'service' diff --git a/deployment/keepalived/keepalived-container-puppet.yaml b/deployment/keepalived/keepalived-container-puppet.yaml index ed1ce1feaa..02378171b9 100644 --- a/deployment/keepalived/keepalived-container-puppet.yaml +++ b/deployment/keepalived/keepalived-container-puppet.yaml 
@@ -73,13 +73,13 @@ outputs: description: Role data for the Keepalived role. value: service_name: keepalived + firewall_rules: + '106 keepalived vrrp': + proto: vrrp monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived} config_settings: map_merge: - tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio' - - tripleo::keepalived::firewall_rules: - '106 keepalived vrrp': - proto: vrrp - if: - control_iface_empty diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml index f5f137cb6f..a5d6c560af 100644 --- a/deployment/keystone/keystone-container-puppet.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml @@ -355,6 +355,12 @@ outputs: description: Role data for the Keystone API role. value: service_name: keystone + firewall_rules: + '111 keystone': + dport: + - 5000 + - 13000 + - {get_param: [EndpointMap, KeystoneAdmin, port]} monitoring_subscription: {get_param: MonitoringSubscriptionKeystone} config_settings: map_merge: @@ -449,12 +455,6 @@ outputs: keystone::wsgi::apache::threads: 1 keystone::db::database_db_max_retries: -1 keystone::db::database_max_retries: -1 - tripleo::keystone::firewall_rules: - '111 keystone': - dport: - - 5000 - - 13000 - - {get_param: [EndpointMap, KeystoneAdmin, port]} keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples diff --git a/deployment/manila/manila-api-container-puppet.yaml b/deployment/manila/manila-api-container-puppet.yaml index 49cce77488..c67ce3346a 100644 --- a/deployment/manila/manila-api-container-puppet.yaml +++ b/deployment/manila/manila-api-container-puppet.yaml 
@@ -94,6 +94,11 @@ outputs: description: Role data for the Manila API role. value: service_name: manila_api + firewall_rules: + '150 manila': + dport: + - 8786 + - 13786 monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi} config_settings: map_merge: @@ -105,11 +110,6 @@ outputs: manila::keystone::authtoken::project_name: 'service' manila::keystone::authtoken::user_domain_name: 'Default' manila::keystone::authtoken::project_domain_name: 'Default' - tripleo::manila_api::firewall_rules: - '150 manila': - dport: - - 8786 - - 13786 # NOTE: bind IP is found in hiera replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml index b5a5031c42..1e04cf999a 100644 --- a/deployment/memcached/memcached-container-puppet.yaml +++ b/deployment/memcached/memcached-container-puppet.yaml @@ -81,6 +81,31 @@ outputs: description: Role data for the Memcached API role. value: service_name: memcached + firewall_rules: + # https://access.redhat.com/security/cve/cve-2018-1000115 + # Only accept TCP to avoid spoofed traffic amplification DoS on UDP. + # Memcached traffic shouldn't be open on the internet. + # Even if binding is configured on internal_api network, enforce it + # via firewall as well. + if: + - memcached_network_unset + - map_merge: + repeat: + for_each: + <%net_cidr%>: + get_param: + - ServiceData + - net_cidr_map + - {get_param: [ServiceNetMap, MemcachedNetwork]} + template: + '121 memcached <%net_cidr%>': + dport: 11211 + proto: 'tcp' + source: <%net_cidr%> + - '121 memcached': + dport: 11211 + proto: 'tcp' + source: {get_param: MemcachedIpSubnet} monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} config_settings: # NOTE: bind IP is found in hiera replacing the network name with the local node IP 
@@ -113,31 +138,6 @@ outputs: - 'v' - '' memcached::disable_cachedump: true - tripleo::memcached::firewall_rules: - # https://access.redhat.com/security/cve/cve-2018-1000115 - # Only accept TCP to avoid spoofed traffic amplification DoS on UDP. - # Memcached traffic shouldn't be open on the internet. - # Even if binding is configured on internal_api network, enforce it - # via firewall as well. - if: - - memcached_network_unset - - map_merge: - repeat: - for_each: - <%net_cidr%>: - get_param: - - ServiceData - - net_cidr_map - - {get_param: [ServiceNetMap, MemcachedNetwork]} - template: - '121 memcached <%net_cidr%>': - dport: 11211 - proto: 'tcp' - source: <%net_cidr%> - - '121 memcached': - dport: 11211 - proto: 'tcp' - source: {get_param: MemcachedIpSubnet} service_config_settings: collectd: tripleo.collectd.plugins.memcached: diff --git a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml index 1be9e7ff39..30cfad85c6 100644 --- a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml +++ b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml @@ -65,6 +65,15 @@ outputs: description: Role data for the qdrouterd service. value: service_name: oslo_messaging_rpc + firewall_rules: + '109 qdrouterd': + dport: + - {get_param: RpcPort} + - 31459 + - 31460 + '109 qdr': + dport: + - {get_param: RpcPort} global_config_settings: oslo_messaging_rpc_scheme: amqp oslo_messaging_rpc_user_name: {get_param: RpcUserName} @@ -75,12 +84,6 @@ outputs: messaging_rpc_service_name: 'amqp' keystone::messaging::amqp::amqp_pre_settled: 'notify' config_settings: - tripleo::oslo_messaging_rpc::firewall_rules: - '109 qdrouterd': - dport: - - {get_param: RpcPort} - - 31459 - - 31460 qdr::listener_addr: str_replace: template: 
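Review bot: In rpc-qdrouterd-container-puppet.yaml the new `'109 qdr'` rule opens only `{get_param: RpcPort}`, which `'109 qdrouterd'` directly above it already lists, so the second entry is redundant now that both sit in the same `firewall_rules` map. It presumably survived because it used to be keyed under `tripleo::rabbitmq::firewall_rules` (removed in the next hunk) rather than under the qdrouterd key; if nothing depends on the rule name, drop the `'109 qdr'` entry and keep the single rule.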
@@ -90,10 +93,6 @@ outputs: tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort} tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName} tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword} - tripleo::rabbitmq::firewall_rules: - '109 qdr': - dport: - - {get_param: RpcPort} service_config_settings: {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 02cc8e3c05..a3bfe9617d 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml @@ -149,6 +149,10 @@ outputs: description: Role data for the metrics Qdr role. value: service_name: metrics-qdr + firewall_rules: + '109 metrics qdr': + dport: + - {get_param: MetricsQdrPort} monitoring_subscription: {get_param: MonitoringSubscriptionQdr} service_config_settings: rsyslog: @@ -156,11 +160,7 @@ outputs: - {get_param: MetricsQdrLoggingSource} config_settings: map_merge: - - tripleo::metrics_qdr::firewall_rules: - '109 metrics qdr': - dport: - - {get_param: MetricsQdrPort} - tripleo::profile::base::metrics::qdr::listener_addr: + - tripleo::profile::base::metrics::qdr::listener_addr: str_replace: template: "%{hiera('$NETWORK')}" diff --git a/deployment/mistral/mistral-api-container-puppet.yaml b/deployment/mistral/mistral-api-container-puppet.yaml index dee5fadc8a..118547c81e 100644 --- a/deployment/mistral/mistral-api-container-puppet.yaml +++ b/deployment/mistral/mistral-api-container-puppet.yaml @@ -88,6 +88,11 @@ outputs: description: Role data for the Mistral API role. value: service_name: mistral_api + firewall_rules: + '133 mistral': + dport: + - 8989 + - 13989 config_settings: map_merge: - get_attr: [MistralBase, role_data, config_settings] 
@@ -109,11 +114,6 @@ outputs: mistral::policy::policies: {get_param: MistralApiPolicies} mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval} mistral::api::allow_action_execution_deletion: true - tripleo::mistral_api::firewall_rules: - '133 mistral': - dport: - - 8989 - - 13989 mistral::api::service_name: 'httpd' mistral::wsgi::apache::bind_host: str_replace: diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 0182b66ae0..1657a60502 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml @@ -224,6 +224,11 @@ outputs: description: Role data for the Neutron API role. value: service_name: neutron_api + firewall_rules: + '114 neutron api': + dport: + - 9696 + - 13696 monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer} config_settings: map_merge: @@ -270,11 +275,6 @@ outputs: neutron::server::sync_db: true neutron::server::notifications::region_name: {get_param: KeystoneRegion} neutron::server::placement::region_name: {get_param: KeystoneRegion} - tripleo::neutron_api::firewall_rules: - '114 neutron api': - dport: - - 9696 - - 13696 # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP diff --git a/deployment/neutron/neutron-compute-plugin-nuage.yaml b/deployment/neutron/neutron-compute-plugin-nuage.yaml index 95885f6a0f..fcd64f77e3 100644 --- a/deployment/neutron/neutron-compute-plugin-nuage.yaml +++ b/deployment/neutron/neutron-compute-plugin-nuage.yaml 
@@ -79,6 +79,12 @@ parameters: outputs: role_data: description: Role data for the Neutron Compute Nuage plugin + firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '100 metadata agent': + dport: {get_param: NuageMetadataPort} value: service_name: neutron_compute_plugin_nuage config_settings: @@ -96,11 +102,5 @@ outputs: tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service' tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword} tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]} - tripleo::neutron_compute_plugin_nuage::firewall_rules: - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '100 metadata agent': - dport: {get_param: NuageMetadataPort} step_config: | include ::tripleo::profile::base::neutron::agents::nuage diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index b4aa5e44ca..5a5895b04c 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml @@ -180,6 +180,30 @@ outputs: description: Role data for the Neutron DHCP role. value: service_name: neutron_dhcp + firewall_rules: + '115 neutron dhcp input': + ipversion: 'ipv4' + proto: 'udp' + dport: 67 + '116 neutron dhcp output': + ipversion: 'ipv4' + proto: 'udp' + chain: 'OUTPUT' + dport: 68 + '115 neutron dhcpv6 input': + ipversion: 'ipv6' + proto: 'udp' + dport: 547 + '116 neutron dhcpv6 output': + ipversion: 'ipv6' + proto: 'udp' + chain: 'OUTPUT' + dport: 546 + '116 neutron dhcpv6 relay output': + ipversion: 'ipv6' + proto: 'udp' + chain: 'OUTPUT' + dport: 547 monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp} config_settings: map_merge: 
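Review bot: The new `firewall_rules` block in neutron-compute-plugin-nuage.yaml is inserted between `description:` and `value:`, so as this hunk reads it is a sibling of `value` under the `role_data` output rather than a key inside it; indentation is collapsed in this view, but every other file in this change places the block under `value:` directly after `service_name:`. A Heat output only accepts `description`, `value` and `condition`, so this would either fail template validation or leave the VXLAN (4789/udp) and Nuage metadata rules unapplied now that they have been removed from `config_settings` in the second hunk. Move the block under `value:` after `service_name: neutron_compute_plugin_nuage`.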
@@ -209,30 +233,6 @@ outputs: - service_debug_unset - {get_param: Debug} - {get_param: NeutronDhcpAgentDebug} - tripleo::neutron_dhcp::firewall_rules: - '115 neutron dhcp input': - ipversion: 'ipv4' - proto: 'udp' - dport: 67 - '116 neutron dhcp output': - ipversion: 'ipv4' - proto: 'udp' - chain: 'OUTPUT' - dport: 68 - '115 neutron dhcpv6 input': - ipversion: 'ipv6' - proto: 'udp' - dport: 547 - '116 neutron dhcpv6 output': - ipversion: 'ipv6' - proto: 'udp' - chain: 'OUTPUT' - dport: 546 - '116 neutron dhcpv6 relay output': - ipversion: 'ipv6' - proto: 'udp' - chain: 'OUTPUT' - dport: 547 - if: - internal_tls_enabled - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key' diff --git a/deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml b/deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml index 82a2d4a60e..d9d961b157 100644 --- a/deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml +++ b/deployment/neutron/neutron-l2gw-agent-baremetal-puppet.yaml 
@@ -82,29 +82,26 @@ outputs: description: Role data for the L2 Gateway role. value: service_name: neutron_l2gw_agent + if: + - internal_manager_enabled + - firewall_rules: + '142 neutron l2gw agent input': + proto: 'tcp' + dport: {get_param: L2gwAgentManagerTableListeningPort} + - null monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent} config_settings: - map_merge: - - neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts} - neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager} - neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort} - neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval} - neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries} - neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout} - neutron::agents::l2gw::debug: - if: - - service_debug_unset - - {get_param: Debug} - - {get_param: NeutronL2gwAgentDebug} - - - if: - - internal_manager_enabled - - tripleo::neutron_l2gw_agent::firewall_rules: - '142 neutron l2gw agent input': - proto: 'tcp' - dport: {get_param: L2gwAgentManagerTableListeningPort} - - null - + neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts} + neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager} + neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort} + neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval} + neutron::agents::l2gw::max_connection_retries: {get_param: L2gwAgentMaxConnectionRetries} + neutron::agents::l2gw::socket_timeout: {get_param: L2gwAgentSocketTimeout} + neutron::agents::l2gw::debug: + if: + - service_debug_unset + - {get_param: Debug} + - {get_param: NeutronL2gwAgentDebug} service_config_settings: rsyslog: tripleo_logging_sources_neutron_l2gw_agent: 
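Review bot: The `if:` added under `value:` in neutron-l2gw-agent-baremetal-puppet.yaml sits beside `service_name` and `monitoring_subscription`, and Heat only treats a mapping as an intrinsic call when the function name is its sole key, so this reads as a literal `if` key in role_data and no `firewall_rules` key is produced for the manager port at all. Indentation is lost in this view, so if `if:` is actually nested under a `firewall_rules:` key this does not apply, but the order `service_name`, `if`, `monitoring_subscription` suggests it is not. The memcached hunk in the same change shows the working shape: `firewall_rules:` as the key with the `if` intrinsic as its only value.
```yaml
      service_name: neutron_l2gw_agent
      firewall_rules:
        if:
          - internal_manager_enabled
          - '142 neutron l2gw agent input':
              proto: 'tcp'
              dport: {get_param: L2gwAgentManagerTableListeningPort}
          - null
      # … unchanged: monitoring_subscription, config_settings …
```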
diff --git a/deployment/neutron/neutron-l3-container-puppet.yaml b/deployment/neutron/neutron-l3-container-puppet.yaml index a9ebfad756..14c94729a8 100644 --- a/deployment/neutron/neutron-l3-container-puppet.yaml +++ b/deployment/neutron/neutron-l3-container-puppet.yaml @@ -179,6 +179,9 @@ outputs: description: Role data for Neutron L3 agent value: service_name: neutron_l3 + firewall_rules: + '106 neutron_l3 vrrp': + proto: vrrp monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3} config_settings: map_merge: @@ -210,9 +213,6 @@ outputs: - service_debug_unset - {get_param: Debug} - {get_param: NeutronL3AgentDebug} - tripleo::neutron_l3::firewall_rules: - '106 neutron_l3 vrrp': - proto: vrrp - - if: - az_unset diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml index 1a06f3fa4e..bde60ac41e 100644 --- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml +++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml @@ -173,6 +173,12 @@ outputs: description: Role data for Neutron openvswitch service value: service_name: neutron_ovs_agent + firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '136 neutron gre networks': + proto: 'gre' monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs} config_settings: map_merge: @@ -196,12 +202,6 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]} - tripleo::neutron_ovs_agent::firewall_rules: - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '136 neutron gre networks': - proto: 'gre' - if: - neutron_dvr_unset diff --git a/deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml index be17abdda2..8485cd33be 100644 --- a/deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml +++ b/deployment/neutron/neutron-ovs-dpdk-agent-container-puppet.yaml 
@@ -116,10 +116,7 @@ outputs: service_name: neutron_ovs_dpdk_agent config_settings: map_merge: - - map_replace: - - get_attr: [NeutronOvsAgent, role_data, config_settings] - - keys: - tripleo::neutron_ovs_agent::firewall_rules: tripleo::neutron_ovs_dpdk_agent::firewall_rules + - get_attr: [NeutronOvsAgent, role_data, config_settings] - nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]} - get_attr: [RoleParametersValue, value] service_config_settings: diff --git a/deployment/nova/nova-api-container-puppet.yaml b/deployment/nova/nova-api-container-puppet.yaml index 4acd9527b5..74aefa65eb 100644 --- a/deployment/nova/nova-api-container-puppet.yaml +++ b/deployment/nova/nova-api-container-puppet.yaml @@ -146,17 +146,17 @@ outputs: description: Role data for the Nova API role. value: service_name: nova_api + firewall_rules: + '113 nova_api': + dport: + - 8774 + - 13774 monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi} config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - get_attr: [NovaApiLogging, config_settings] - apache::default_vhost: false - tripleo::nova_api::firewall_rules: - '113 nova_api': - dport: - - 8774 - - 13774 nova::keystone::authtoken::project_name: 'service' nova::keystone::authtoken::user_domain_name: 'Default' nova::keystone::authtoken::project_domain_name: 'Default' diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index b9e77e04b0..fdd9a09c42 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -351,6 +351,12 @@ outputs: description: Role data for the Libvirt service. value: service_name: nova_libvirt + firewall_rules: + '200 nova_libvirt': + dport: + - 16514 + - '61152-61215' + - '5900-6923' monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt} config_settings: map_merge: 
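Review bot: Dropping the `map_replace` in neutron-ovs-dpdk-agent-container-puppet.yaml removes the only path by which the VXLAN and GRE rules reached DPDK nodes, and this hunk adds no `firewall_rules` to the DPDK role_data: `service_name:` and `config_settings:` are adjacent context, and the `@@ -116,10 +116,7 @@` counts are fully accounted for by the four removed and one added lines shown. Unless it is set elsewhere in the file, roles that map the plain OVS agent service to None now lose those rules. Add `firewall_rules: {get_attr: [NeutronOvsAgent, role_data, firewall_rules]}` under `value:` next to `service_name`.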
@@ -395,12 +401,6 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters} rbd_persistent_storage: {get_param: CinderEnableRbdBackend} - tripleo::nova_libvirt::firewall_rules: - '200 nova_libvirt': - dport: - - 16514 - - '61152-61215' - - '5900-6923' - if: - use_tls_for_live_migration diff --git a/deployment/nova/nova-metadata-container-puppet.yaml b/deployment/nova/nova-metadata-container-puppet.yaml index 08188d052c..20c50c5fbe 100644 --- a/deployment/nova/nova-metadata-container-puppet.yaml +++ b/deployment/nova/nova-metadata-container-puppet.yaml @@ -119,6 +119,11 @@ outputs: description: Role data for the Nova Metadata service. value: service_name: nova_metadata + firewall_rules: + '139 nova_metadata': + dport: + - 8775 + - 13775 monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata} config_settings: map_merge: @@ -126,12 +131,7 @@ outputs: - get_attr: [ApacheServiceBase, role_data, config_settings] - get_attr: [NovaMetadataLogging, config_settings] - apache::default_vhost: false - - tripleo::nova_metadata::firewall_rules: - '139 nova_metadata': - dport: - - 8775 - - 13775 - nova::keystone::authtoken::project_name: 'service' + - nova::keystone::authtoken::project_name: 'service' nova::keystone::authtoken::password: {get_param: NovaPassword} nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml index 0978dced40..c6ac2d359c 100644 --- a/deployment/nova/nova-migration-target-container-puppet.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml 
@@ -88,6 +88,10 @@ outputs: description: Role data for the Nova Migration Target service. value: service_name: nova_migration_target + firewall_rules: + '113 nova_migration_target': + dport: + - {get_param: MigrationSshPort} config_settings: map_merge: - get_attr: [SshdBase, role_data, config_settings] @@ -116,10 +120,6 @@ outputs: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} tripleo::profile::base::sshd::port: - 22 - tripleo::nova_migration_target::firewall_rules: - '113 nova_migration_target': - dport: - - {get_param: MigrationSshPort} puppet_config: config_volume: nova_libvirt step_config: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index aa5b3236f2..b730e6ba64 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -123,6 +123,11 @@ outputs: description: Role data for the Nova Vncproxy service. value: service_name: nova_vnc_proxy + firewall_rules: + '137 nova_vnc_proxy': + dport: + - 6080 + - 13080 config_settings: map_merge: - {get_attr: [NovaLogging, config_settings]} @@ -141,11 +146,6 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - tripleo::nova_vnc_proxy::firewall_rules: - '137 nova_vnc_proxy': - dport: - - 6080 - - 13080 - if: - use_tls_for_vnc diff --git a/deployment/nova/novajoin-container-puppet.yaml b/deployment/nova/novajoin-container-puppet.yaml index 9766a53a2b..35ddb3c380 100644 --- a/deployment/nova/novajoin-container-puppet.yaml +++ b/deployment/nova/novajoin-container-puppet.yaml @@ -94,6 +94,10 @@ outputs: description: Role data for the novajoin API role. value: service_name: novajoin + firewall_rules: + '119 novajoin': + dport: + - 9090 config_settings: tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword} tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort} 
@@ -118,10 +122,6 @@ outputs: nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword} nova::metadata::novajoin::authtoken::project_name: 'service' - tripleo::novajoin::firewall_rules: - '119 novajoin': - dport: - - 9090 nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies} service_config_settings: keystone: diff --git a/deployment/octavia/octavia-api-container-puppet.yaml b/deployment/octavia/octavia-api-container-puppet.yaml index 57124defd9..50c7693caa 100644 --- a/deployment/octavia/octavia-api-container-puppet.yaml +++ b/deployment/octavia/octavia-api-container-puppet.yaml @@ -119,6 +119,11 @@ outputs: description: Role data for the Octavia API role. value: service_name: octavia_api + firewall_rules: + '120 octavia api': + dport: + - 9876 + - 13876 monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} config_settings: map_merge: @@ -137,11 +142,6 @@ outputs: octavia::api::sync_db: true octavia::api::service_name: 'httpd' octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS} - tripleo::octavia_api::firewall_rules: - '120 octavia api': - dport: - - 9876 - - 13876 # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP diff --git a/deployment/octavia/octavia-health-manager-container-puppet.yaml b/deployment/octavia/octavia-health-manager-container-puppet.yaml index 52ee4dcac1..0e03f77ba8 100644 --- a/deployment/octavia/octavia-health-manager-container-puppet.yaml +++ b/deployment/octavia/octavia-health-manager-container-puppet.yaml 
@@ -78,16 +78,16 @@ outputs: description: Role data for the Octavia health-manager role. value: service_name: octavia_health_manager + firewall_rules: + '200 octavia health manager interface': + proto: udp + dport: 5555 + iniface: {get_param: OctaviaMgmtPortDevName} monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager} config_settings: map_merge: - get_attr: [OctaviaBase, role_data, config_settings] - octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey} - tripleo::octavia_health_manager::firewall_rules: - '200 octavia health manager interface': - proto: udp - dport: 5555 - iniface: {get_param: OctaviaMgmtPortDevName} service_config_settings: rsyslog: tripleo_logging_sources_octavia_health_manager: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index c24b887c8b..310f335ceb 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml @@ -125,6 +125,13 @@ outputs: description: Role data for the Ovn Controller agent. value: service_name: ovn_controller + firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '119 neutron geneve networks': + proto: 'udp' + dport: 6081 config_settings: map_merge: - get_attr: [RoleParametersValue, value] @@ -139,13 +146,6 @@ outputs: ovn::controller::hostname: "%{hiera('fqdn_canonical')}" ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval} ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval} - tripleo::ovn_controller::firewall_rules: - '118 neutron vxlan networks': - proto: 'udp' - dport: 4789 - '119 neutron geneve networks': - proto: 'udp' - dport: 6081 - if: - force_config_drive - nova::compute::force_config_drive: true diff --git a/deployment/ovn/ovn-dbs-container-puppet.yaml b/deployment/ovn/ovn-dbs-container-puppet.yaml index 1a533e1164..3bc906c053 100644 
--- a/deployment/ovn/ovn-dbs-container-puppet.yaml +++ b/deployment/ovn/ovn-dbs-container-puppet.yaml @@ -58,6 +58,12 @@ outputs: description: Role data for the OVN Dbs role. value: service_name: ovn_dbs + firewall_rules: + '121 OVN DB server ports': + proto: 'tcp' + dport: + - {get_param: OVNNorthboundServerPort} + - {get_param: OVNSouthboundServerPort} config_settings: ovn::northbound::port: {get_param: OVNNorthboundServerPort} ovn::southbound::port: {get_param: OVNSouthboundServerPort} @@ -68,12 +74,6 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} tripleo::haproxy::ovn_dbs_manage_lb: true - tripleo::ovn_dbs::firewall_rules: - '121 OVN DB server ports': - proto: 'tcp' - dport: - - {get_param: OVNNorthboundServerPort} - - {get_param: OVNSouthboundServerPort} # BEGIN DOCKER SETTINGS # puppet_config is not required for this service since we configure # the NB and SB DB servers to listen on the proper IP address/port diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index 4ca89e5b37..371c8a94c1 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml @@ -101,6 +101,14 @@ outputs: description: Role data for the OVN Dbs HA role. value: service_name: ovn_dbs + firewall_rules: + '121 OVN DB server ports': + proto: 'tcp' + dport: + # Control port for pcmk remote bundle + - 3125 + - {get_param: OVNNorthboundServerPort} + - {get_param: OVNSouthboundServerPort} config_settings: map_merge: - get_attr: [OVNDbsBase, role_data, config_settings] 
@@ -116,14 +124,6 @@ outputs: - tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli} - tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout} - tripleo::haproxy::ovn_dbs_manage_lb: false - - tripleo::ovn_dbs::firewall_rules: - '121 OVN DB server ports': - proto: 'tcp' - dport: - # Control port for pcmk remote bundle - - 3125 - - {get_param: OVNNorthboundServerPort} - - {get_param: OVNSouthboundServerPort} - if: - internal_tls_enabled - generate_service_certificates: true diff --git a/deployment/pacemaker/clustercheck-container-puppet.yaml b/deployment/pacemaker/clustercheck-container-puppet.yaml index 489bc3522c..c5fda8003a 100644 --- a/deployment/pacemaker/clustercheck-container-puppet.yaml +++ b/deployment/pacemaker/clustercheck-container-puppet.yaml @@ -44,9 +44,6 @@ resources: ContainersCommon: type: ../containers-common.yaml -# We import from the corresponding docker service because otherwise we risk -# rewriting the tripleo::mysql::firewall_rules key with the baremetal firewall -# rules (see LP#1728918) MysqlPuppetBase: type: ../database/mysql-pacemaker-puppet.yaml properties: diff --git a/deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml b/deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml index 4e1f512065..69c4e01274 100644 --- a/deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml +++ b/deployment/pacemaker/pacemaker-remote-baremetal-puppet.yaml 
@@ -89,13 +89,13 @@ outputs: description: Role data for the Pacemaker remote role. value: service_name: pacemaker_remote + firewall_rules: + '130 pacemaker_remote tcp': + proto: 'tcp' + dport: + - 3121 monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote} config_settings: - tripleo::pacemaker_remote::firewall_rules: - '130 pacemaker_remote tcp': - proto: 'tcp' - dport: - - 3121 tripleo::fencing::config: {get_param: FencingConfig} tripleo::fencing::deep_compare: true enable_fencing: {get_param: EnableFencing} diff --git a/deployment/placement/placement-api-container-puppet.yaml b/deployment/placement/placement-api-container-puppet.yaml index e1e055f3cb..df730534ea 100644 --- a/deployment/placement/placement-api-container-puppet.yaml +++ b/deployment/placement/placement-api-container-puppet.yaml @@ -110,16 +110,16 @@ outputs: description: Role data for the Placement API role. value: service_name: placement + firewall_rules: + '138 placement': + dport: + - 8778 + - 13778 config_settings: map_merge: - get_attr: [PlacementLogging, config_settings] - apache::default_vhost: false - - tripleo::placement::firewall_rules: - '138 placement': - dport: - - 8778 - - 13778 - placement::keystone::authtoken::project_name: 'service' + - placement::keystone::authtoken::project_name: 'service' placement::keystone::authtoken::password: {get_param: PlacementPassword} placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} diff --git a/deployment/qdr/qdrouterd-container-puppet.yaml b/deployment/qdr/qdrouterd-container-puppet.yaml index 6735af2567..c4ea175552 100644 --- a/deployment/qdr/qdrouterd-container-puppet.yaml +++ b/deployment/qdr/qdrouterd-container-puppet.yaml 
@@ -62,16 +62,16 @@ outputs: description: Role data for the qdrouterd service. value: service_name: rabbitmq + firewall_rules: + '109 qdr': + dport: + - {get_param: RabbitClientPort} monitoring_subscription: {get_param: MonitoringSubscriptionQdr} global_config_settings: messaging_notify_service_name: 'amqp' messaging_rpc_service_name: 'amqp' keystone::messaging::amqp::amqp_pre_settled: 'notify' config_settings: - tripleo::rabbitmq::firewall_rules: - '109 qdr': - dport: - - {get_param: RabbitClientPort} qdr::listener_addr: str_replace: template: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index e2ad70ffa4..7e3a47fa8b 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -107,6 +107,12 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: rabbitmq + firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - 5672 + - 25672 monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq} # RabbitMQ plugins initialization occurs on every node config_settings: @@ -116,12 +122,6 @@ outputs: rabbitmq::default_user: {get_param: RabbitUserName} rabbitmq::default_pass: {get_param: RabbitPassword} rabbit_ipv6: {get_param: RabbitIPv6} - tripleo::rabbitmq::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - 5672 - - 25672 rabbitmq::delete_guest_user: false rabbitmq::wipe_db_on_cookie_change: true rabbitmq::port: 5672 diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 20975f2d94..bf040e940e 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml 
@@ -89,6 +89,12 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: oslo_messaging_notify + firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - {get_param: NotifyPort} + - 25672 monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} # RabbitMQ plugins initialization occurs on every node global_config_settings: @@ -104,12 +110,6 @@ outputs: - get_attr: [RabbitMQServiceBase, role_data, config_settings] - rabbitmq::default_user: {get_param: NotifyUserName} rabbitmq::default_pass: {get_param: NotifyPassword} - tripleo::oslo_messaging_notify::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - {get_param: NotifyPort} - - 25672 rabbitmq::port: {get_param: NotifyPort} rabbitmq::interface: str_replace: diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml index 4e77800b37..1640b33c9d 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml @@ -81,6 +81,13 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: {get_attr: [RabbitmqBase, role_data, service_name]} + firewall_rules: + '109 rabbitmq-bundle': + dport: + - 3122 + - 4369 + - 5672 + - 25672 global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]} config_settings: map_merge: @@ -95,13 +102,6 @@ outputs: - 'pcmklatest' tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122 tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli} - tripleo::oslo_messaging_notify::firewall_rules: - '109 rabbitmq-bundle': - dport: - - 3122 - - 4369 - - 5672 - - 25672 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: 
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml index aa4e5d045d..02034cb6fe 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml @@ -81,6 +81,13 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: rabbitmq + firewall_rules: + '109 rabbitmq-bundle': + dport: + - 3122 + - 4369 + - 5672 + - 25672 monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} config_settings: map_merge: @@ -95,13 +102,6 @@ outputs: - 'pcmklatest' tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122 tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli} - tripleo::rabbitmq::firewall_rules: - '109 rabbitmq-bundle': - dport: - - 3122 - - 4369 - - 5672 - - 25672 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index 041b3d4254..bab52cb22a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml @@ -90,6 +90,12 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: oslo_messaging_rpc + firewall_rules: + '109 rabbitmq': + dport: + - 4369 + - {get_param: RpcPort} + - 25672 monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]} global_config_settings: map_merge: 
@@ -104,12 +110,6 @@ outputs: - get_attr: [RabbitMQServiceBase, role_data, config_settings] - rabbitmq::default_user: {get_param: RpcUserName} rabbitmq::default_pass: {get_param: RpcPassword} - tripleo::oslo_messaging_rpc::firewall_rules: - '109 rabbitmq': - dport: - - 4369 - - {get_param: RpcPort} - - 25672 rabbitmq::port: {get_param: RpcPort} rabbitmq::interface: str_replace: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml index 2b5ba1d60f..ebd094dafb 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml @@ -81,6 +81,13 @@ outputs: description: Role data for the Rabbitmq API role. value: service_name: {get_attr: [RabbitmqBase, role_data, service_name]} + firewall_rules: + '109 rabbitmq-bundle': + dport: + - 3122 + - 4369 + - 5672 + - 25672 global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]} config_settings: map_merge: @@ -95,13 +102,6 @@ outputs: - 'pcmklatest' tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122 tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli} - tripleo::oslo_messaging_rpc::firewall_rules: - '109 rabbitmq-bundle': - dport: - - 3122 - - 4369 - - 5672 - - 25672 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rhsm/rhsm-baremetal-ansible.yaml b/deployment/rhsm/rhsm-baremetal-ansible.yaml index d74b18c251..2140d9da35 100644 --- a/deployment/rhsm/rhsm-baremetal-ansible.yaml +++ b/deployment/rhsm/rhsm-baremetal-ansible.yaml 
@@ -62,9 +62,6 @@ outputs: description: Role data for the RHSM service. value: service_name: rhsm - config_settings: - tripleo::rhsm::firewall_rules: {} - step_config: '' host_prep_tasks: - name: Red Hat Subscription Management configuration during deployment import_role: diff --git a/deployment/sahara/sahara-api-container-puppet.yaml b/deployment/sahara/sahara-api-container-puppet.yaml index a4717408ff..816a1179a4 100644 --- a/deployment/sahara/sahara-api-container-puppet.yaml +++ b/deployment/sahara/sahara-api-container-puppet.yaml @@ -86,6 +86,11 @@ outputs: description: Role data for the Sahara API role. value: service_name: sahara_api + firewall_rules: + '132 sahara': + dport: + - 8386 + - 13386 monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi} config_settings: map_merge: @@ -105,11 +110,6 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SaharaApiNetwork]} - tripleo::sahara_api::firewall_rules: - '132 sahara': - dport: - - 8386 - - 13386 service_config_settings: rsyslog: tripleo_logging_sources_sahara_api: diff --git a/deployment/skydive/skydive-analyzer-baremetal-ansible.yaml b/deployment/skydive/skydive-analyzer-baremetal-ansible.yaml index 0b99114fc5..14aa939ec0 100644 --- a/deployment/skydive/skydive-analyzer-baremetal-ansible.yaml +++ b/deployment/skydive/skydive-analyzer-baremetal-ansible.yaml @@ -56,19 +56,14 @@ outputs: description: Role data for Skydive services. value: service_name: skydive_analyzer + firewall_rules: + '150 skydive_analyzer': + dport: + - 8082 + - 12379 + - 12380 upgrade_tasks: [] - puppet_config: - config_image: '' - config_volume: '' - step_config: '' docker_config: {} - config_settings: - tripleo::skydive_analyzer::firewall_rules: - '150 skydive_analyzer': - dport: - - 8082 - - 12379 - - 12380 external_deploy_tasks: - name: Skydive deployment when: step|int == 5 
diff --git a/deployment/snmp/snmp-baremetal-puppet.yaml b/deployment/snmp/snmp-baremetal-puppet.yaml index e3802eaaba..354b1f87b2 100644 --- a/deployment/snmp/snmp-baremetal-puppet.yaml +++ b/deployment/snmp/snmp-baremetal-puppet.yaml @@ -61,31 +61,31 @@ outputs: description: Role data for the SNMP services value: service_name: snmp + firewall_rules: + if: + - snmpd_network_unset + - map_merge: + repeat: + for_each: + <%net_cidr%>: + get_param: + - ServiceData + - net_cidr_map + - {get_param: [ServiceNetMap, SnmpdNetwork]} + template: + '124 snmp <%net_cidr%>': + dport: 161 + proto: 'udp' + source: <%net_cidr%> + - '124 snmp': + dport: 161 + proto: 'udp' + source: {get_param: SnmpdIpSubnet} config_settings: tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName} tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword} snmp::agentaddress: {get_param: SnmpdBindHost} snmp::snmpd_options: {get_param: SnmpdOptions} - tripleo::snmp::firewall_rules: - if: - - snmpd_network_unset - - map_merge: - repeat: - for_each: - <%net_cidr%>: - get_param: - - ServiceData - - net_cidr_map - - {get_param: [ServiceNetMap, SnmpdNetwork]} - template: - '124 snmp <%net_cidr%>': - dport: 161 - proto: 'udp' - source: <%net_cidr%> - - '124 snmp': - dport: 161 - proto: 'udp' - source: {get_param: SnmpdIpSubnet} step_config: | include ::tripleo::profile::base::snmp upgrade_tasks: diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml index bbb49fa219..1b45be7d33 100644 --- a/deployment/sshd/sshd-baremetal-puppet.yaml +++ b/deployment/sshd/sshd-baremetal-puppet.yaml 
@@ -75,24 +75,22 @@ outputs: description: Role data for the ssh value: service_name: sshd + if: + - {get_param: SshFirewallAllowAll} + - firewall_rules: + '003 accept ssh from all': + proto: 'tcp' + dport: 22 + - firewall_rules: + '003 accept ssh from all': + proto: 'tcp' + dport: 22 + extras: + ensure: 'absent' config_settings: - map_merge: - - tripleo::profile::base::sshd::bannertext: {get_param: BannerText} - tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} - tripleo::profile::base::sshd::options: {get_param: SshServerOptions} - tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication} - - if: - - {get_param: SshFirewallAllowAll} - - tripleo::sshd::firewall_rules: - '003 accept ssh from all': - proto: 'tcp' - dport: 22 - - tripleo::sshd::firewall_rules: - '003 accept ssh from all': - proto: 'tcp' - dport: 22 - extras: - ensure: 'absent' - + tripleo::profile::base::sshd::bannertext: {get_param: BannerText} + tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay} + tripleo::profile::base::sshd::options: {get_param: SshServerOptions} + tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication} step_config: | include ::tripleo::profile::base::sshd diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml index ce4a21ac08..248bce52b7 100644 --- a/deployment/swift/swift-proxy-container-puppet.yaml +++ b/deployment/swift/swift-proxy-container-puppet.yaml @@ -126,6 +126,11 @@ outputs: description: Role data for the swift proxy. value: service_name: swift_proxy + firewall_rules: + '122 swift proxy': + dport: + - 8080 + - 13808 monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy} config_settings: map_merge: 
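Review bot: In the sshd hunk the new `if:` key is placed directly under `value:` as a sibling of `service_name` and `config_settings`; as far as I recall Heat's parser, a mapping is only resolved as an intrinsic function when that function name is its sole key, so here `if` remains a literal key of role_data and neither branch ever yields a `firewall_rules` entry. The effect is that the port-22 rule this service used to contribute (and the `ensure: 'absent'` variant when SshFirewallAllowAll is false) is silently dropped, leaving ssh reachability to depend solely on the ctlplane-subnet rule in the new tripleo-firewall template. The conditional should be the value of a `firewall_rules:` key, the same shape the snmp hunk already uses, so the two services read consistently; the rewritten stanza is below and `config_settings` is unchanged.
```yaml
      service_name: sshd
      firewall_rules:
        if:
          - {get_param: SshFirewallAllowAll}
          - '003 accept ssh from all':
              proto: 'tcp'
              dport: 22
          - '003 accept ssh from all':
              proto: 'tcp'
              dport: 22
              extras:
                ensure: 'absent'
      # … unchanged: config_settings …
```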
@@ -160,11 +165,6 @@ outputs: - swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL} tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} - tripleo::swift_proxy::firewall_rules: - '122 swift proxy': - dport: - - 8080 - - 13808 swift::proxy::keystone::operator_roles: - admin - swiftoperator diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml index 1b1d54bdcf..e49e3efbbe 100644 --- a/deployment/swift/swift-storage-container-puppet.yaml +++ b/deployment/swift/swift-storage-container-puppet.yaml @@ -128,6 +128,13 @@ outputs: description: Role data for the swift storage services. value: service_name: swift_storage + firewall_rules: + '123 swift storage': + dport: + - 873 + - 6000 + - 6001 + - 6002 config_settings: map_merge: - {get_attr: [SwiftBase, role_data, config_settings]} @@ -135,13 +142,6 @@ outputs: # swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} - swift::storage::all::mount_check: false tripleo::profile::base::swift::storage::use_local_dir: {get_param: SwiftUseLocalDir} - tripleo::swift_storage::firewall_rules: - '123 swift storage': - dport: - - 873 - - 6000 - - 6001 - - 6002 swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' swift::storage::all::object_pipeline: diff --git a/deployment/time/ptp-baremetal-puppet.yaml b/deployment/time/ptp-baremetal-puppet.yaml index 6a2c8c50a8..a5fe18e00e 100644 --- a/deployment/time/ptp-baremetal-puppet.yaml +++ b/deployment/time/ptp-baremetal-puppet.yaml 
@@ -76,15 +76,13 @@ outputs: description: Role ptp using commposable services. value: service_name: ptp - config_settings: - map_merge: - - get_attr: [RoleParametersValue, value] - - tripleo::ptp::firewall_rules: - '151 ptp': - proto: udp - dport: - - 319 - - 320 + firewall_rules: + '151 ptp': + proto: udp + dport: + - 319 + - 320 + config_settings: {get_attr: [RoleParametersValue, value]} step_config: | include ::tripleo::profile::base::time::ptp upgrade_tasks: diff --git a/deployment/timesync/chrony-baremetal-ansible.yaml b/deployment/timesync/chrony-baremetal-ansible.yaml index 648f1645ce..5ef31fe5e2 100644 --- a/deployment/timesync/chrony-baremetal-ansible.yaml +++ b/deployment/timesync/chrony-baremetal-ansible.yaml @@ -101,12 +101,10 @@ outputs: description: Role chrony using composable timesync services. value: service_name: chrony - config_settings: - tripleo::ntp::firewall_rules: - '105 ntp': - dport: 123 - proto: udp - step_config: '' + firewall_rules: + '105 ntp': + dport: 123 + proto: udp host_prep_tasks: - name: Populate service facts (chrony) service_facts: # needed to make yaml happy diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml new file mode 100644 index 0000000000..834029186f --- /dev/null +++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml 
@@ -0,0 +1,177 @@ +heat_template_version: rocky + +description: > + TripleO Firewall settings + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ExtraFirewallRules: + default: {} + description: Mapping of firewall rules. + type: json + +conditions: + no_ctlplane: + equals: + - get_params: [ServiceData, net_cidr_map, ctlplane] + - Null + +outputs: + role_data: + description: Role data for the TripleO firewall settings + value: + service_name: tripleo_firewall + config_settings: + tripleo::firewall::manage_firewall: false + tripleo::firewall::purge_firewall_rules: false + firewall_rules: + map_merge: + - map_merge: + repeat: + for_each: + <%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]} + template: + '003 accept ssh from ctlplane subnet <%net_cidr%>': + source: <%net_cidr%> + proto: 'tcp' + dport: 22 + - {get_param: ExtraFirewallRules} + host_prep_tasks: + - if: + - no_ctlplane + - name: Failure - ctlplane subnet is unset + fail: + msg: | + No CIDRs found in the ctlplane network tags. + Please refer to the documentation in order to + set the correct network tags in DeployedServerPortMap. + - name: Notice - ctlplane subnet is set + debug: + msg: | + CIDRs found in the ctlplane network tags. 
+ deploy_steps_tasks: + - when: + - (step|int) == 0 + block: + - name: create iptables service + copy: + dest: /etc/systemd/system/tripleo-iptables.service + content: | + [Unit] + Description=Initialize iptables + Before=iptables.service + AssertPathExists=/etc/sysconfig/iptables + + [Service] + Type=oneshot + ExecStart=/usr/sbin/iptables -t raw -nL + Environment=BOOTUP=serial + Environment=CONSOLETYPE=serial + StandardOutput=syslog + StandardError=syslog + [Install] + WantedBy=basic.target + - name: create ip6tables service + copy: + dest: /etc/systemd/system/tripleo-ip6tables.service + content: | + [Unit] + Description=Initialize ip6tables + Before=ip6tables.service + AssertPathExists=/etc/sysconfig/ip6tables + + [Service] + Type=oneshot + ExecStart=/usr/sbin/ip6tables -t raw -nL + Environment=BOOTUP=serial + Environment=CONSOLETYPE=serial + StandardOutput=syslog + StandardError=syslog + [Install] + WantedBy=basic.target + - name: enable tripleo-iptables service (and do a daemon-reload systemd) + systemd: + daemon_reload: yes + enabled: yes + name: tripleo-iptables.service + - name: enable tripleo-ip6tables service + systemd: + enabled: yes + name: tripleo-ip6tables.service + upgrade_tasks: + - when: + - (step | int) == 3 + block: + - name: blank ipv6 rule before activating ipv6 firewall. 
+ shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat/etc/sysconfig/ip6tables + args: + creates: /etc/sysconfig/ip6tables.n-o-upgrade + - name: cleanup unmanaged rules pushed by iptables-services + shell: | + iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \ + iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \ + iptables -D INPUT -p icmp -j ACCEPT + iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \ + iptables -D INPUT -i lo -j ACCEPT + iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \ + iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT + iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \ + iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited + iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \ + iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited + + sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables + sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables + sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables + sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables + sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables + sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables + + ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \ + ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \ + ip6tables -D INPUT -p ipv6-icmp -j ACCEPT + ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \ + ip6tables -D INPUT -i lo -j ACCEPT + ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null 
&& \ + ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT + ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \ + ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT + ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \ + ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited + ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \ + ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited + + sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables + sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables + sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables + sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables + sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables + sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables + sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables diff --git a/deployment/zaqar/zaqar-container-puppet.yaml b/deployment/zaqar/zaqar-container-puppet.yaml index b9ddfd4198..2871c40826 100644 --- a/deployment/zaqar/zaqar-container-puppet.yaml +++ b/deployment/zaqar/zaqar-container-puppet.yaml @@ -116,6 +116,13 @@ outputs: description: Role data for the Zaqar API role. value: service_name: zaqar_api + firewall_rules: + '113 zaqar_api': + dport: + - 9000 + - 8888 + - 3000 #SSL for websocket + - 13888 #SSL for api config_settings: map_merge: - get_attr: [ApacheServiceBase, role_data, config_settings] 
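Review bot: The `no_ctlplane` condition in the new tripleo-firewall template is written `get_params: [ServiceData, net_cidr_map, ctlplane]`; Heat's intrinsic is `get_param`, and a mapping keyed by an unknown name is not resolved as a function (or is rejected at validation), so the comparison against `Null` can never hold and the "Failure - ctlplane subnet is unset" task never fires, meaning a deployment with no ctlplane CIDR proceeds with no ssh accept rule generated by the `repeat` block. It should read `- get_param: [ServiceData, net_cidr_map, ctlplane]`; it is also worth confirming how `get_param` behaves when `net_cidr_map` lacks a `ctlplane` key, since a path lookup on a missing key may raise rather than yield null. In the upgrade task "blank ipv6 rule before activating ipv6 firewall." the second command as rendered here is `cat/etc/sysconfig/ip6tables`, which is neither a valid command nor something that blanks the file the task name promises; if that is not a rendering artefact it should be `cat /dev/null > /etc/sysconfig/ip6tables`. The `ExtraFirewallRules` description should also state that it is merged last and therefore wins on key collision, e.g. `description: Mapping of additional firewall rules; merged over the rules generated by this template, so a rule with the same key replaces the generated one.`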
@@ -228,13 +235,6 @@ outputs: zaqar::keystone::auth_websocket::tenant: 'service' zaqar::keystone::trust::password: {get_param: ZaqarPassword} zaqar::keystone::trust::user_domain_name: 'Default' - tripleo::zaqar_api::firewall_rules: - '113 zaqar_api': - dport: - - 9000 - - 8888 - - 3000 #SSL for websocket - - 13888 #SSL for api - if: - zaqar_management_store_sqlalchemy diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 46f3ccde96..8e9b3a651e 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -271,7 +271,7 @@ resource_registry: OS::TripleO::Services::IronicPxe: OS::Heat::None OS::TripleO::Services::IronicNeutronAgent: OS::Heat::None OS::TripleO::Services::NovaIronic: OS::Heat::None - OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml + OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml OS::TripleO::Services::TripleoPackages: deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml OS::TripleO::Services::OpenStackClients: OS::Heat::None OS::TripleO::Services::TLSProxyBase: OS::Heat::None diff --git a/releasenotes/notes/tripleo-firewall-ansible-3928f04478a09668.yaml b/releasenotes/notes/tripleo-firewall-ansible-3928f04478a09668.yaml new file mode 100644 index 0000000000..1b5ab058bb --- /dev/null +++ b/releasenotes/notes/tripleo-firewall-ansible-3928f04478a09668.yaml 
@@ -0,0 +1,15 @@
+---
+features:
+ - TripleO will now configure `iptables` using the TripleO-Ansible role,
+ **tripleo-firewall**. This role implements all of the same interfaces
+ and behaviors as the puppet manifest.
+ - A new parameter has been added, `ExtraFirewallRules`. This parameter
+ provides a user interface to configure additional `iptables` rules.
+deprecations:
+ - The heat template `tripleo-firewall-baremetal-puppet.yaml` has been
+ deprecated. While this template can still be used to configure the
+ TripleO-Firewall service, it is no longer preferred and will be removed
+ in a future release.
+ - Configuring firewall rules with extraconfig is no longer being supported.
+ All firewall rules should be converted such that they're set within the
+ user defined parameter `ExtraFirewallRules`.