Merge "Convert firewall rules to use TripleO-Ansible"
commit
fb0dbebf9b
|
@ -30,8 +30,7 @@ outputs:
|
||||||
description: Role data for the multinode firewall configuration
|
description: Role data for the multinode firewall configuration
|
||||||
value:
|
value:
|
||||||
service_name: multinode_core
|
service_name: multinode_core
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::core::firewall_rules:
|
|
||||||
'999 core':
|
'999 core':
|
||||||
proto: 'udp'
|
proto: 'udp'
|
||||||
dport:
|
dport:
|
||||||
@ -341,6 +341,16 @@ resources:
|
||||||
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
|
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('ansible_group_vars')).where($ != null))
|
||||||
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||||
|
|
||||||
|
FirewallRules:
|
||||||
|
type: OS::Heat::Value
|
||||||
|
properties:
|
||||||
|
type: json
|
||||||
|
value:
|
||||||
|
map_merge:
|
||||||
|
yaql:
|
||||||
|
expression: list(coalesce($.data.role_data, []).where($ != null).select($.get('firewall_rules')).where($ != null))
|
||||||
|
data: {role_data: {get_attr: [ServiceChain, role_data]}}
|
||||||
|
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
|
@ -381,4 +391,11 @@ outputs:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [ContainerPuppetTasks, value]}
|
- {get_attr: [ContainerPuppetTasks, value]}
|
||||||
- {get_attr: [DockerPuppetTasks, value]}
|
- {get_attr: [DockerPuppetTasks, value]}
|
||||||
host_prep_tasks: {get_attr: [HostPrepTasks, value]}
|
host_prep_tasks:
|
||||||
|
list_concat:
|
||||||
|
- - name: Run firewall role
|
||||||
|
include_role:
|
||||||
|
name: tripleo-firewall
|
||||||
|
vars:
|
||||||
|
tripleo_firewall_rules: {get_attr: [FirewallRules, value]}
|
||||||
|
- {get_attr: [HostPrepTasks, value]}
|
||||||
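Review bot: `FirewallRules` folds every service's `firewall_rules` with `map_merge`, so two services emitting the same rule key (the keys are free-form strings such as `'120 ceph_nfs'` and `'120 iscsi initiator'`, which differ only in their suffix) would silently last-win instead of failing; a yaql check that the concatenated key lists contain no duplicates, or at least a comment on the resource stating that rule names must be unique across services, would make that contract explicit. The `include_role` task at the end of the section passes only `tripleo_firewall_rules`, while the `ManageFirewall` and `PurgeFirewallRules` parameters in the tripleo-firewall section further down stay wired to the puppet `tripleo::firewall::*` hiera keys only, so unless the role reads those through hiera (not visible on this page) a deployer who disables management still gets rules applied by this task. Prepending the role to `host_prep_tasks` also applies rules earlier than the puppet step it replaces, which looks intended but deserves a comment on the task, e.g. `# Firewall rules are applied before any service host_prep_tasks run`.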
@ -91,6 +91,11 @@ outputs:
|
||||||
description: Role data for the aodh API role.
|
description: Role data for the aodh API role.
|
||||||
value:
|
value:
|
||||||
service_name: aodh_api
|
service_name: aodh_api
|
||||||
|
firewall_rules:
|
||||||
|
'128 aodh-api':
|
||||||
|
dport:
|
||||||
|
- 8042
|
||||||
|
- 13042
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionAodhApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -109,11 +114,6 @@ outputs:
|
||||||
aodh::api::enable_proxy_headers_parsing: true
|
aodh::api::enable_proxy_headers_parsing: true
|
||||||
aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
|
aodh::api::gnocchi_external_project_owner: {get_param: GnocchiExternalProject}
|
||||||
aodh::policy::policies: {get_param: AodhApiPolicies}
|
aodh::policy::policies: {get_param: AodhApiPolicies}
|
||||||
tripleo::aodh_api::firewall_rules:
|
|
||||||
'128 aodh-api':
|
|
||||||
dport:
|
|
||||||
- 8042
|
|
||||||
- 13042
|
|
||||||
aodh::api::host:
|
aodh::api::host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
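Review bot: Dropping the `tripleo::aodh_api::firewall_rules` hiera key in the second hunk removes the override point that hieradata/ExtraConfig users may have keyed on, and nothing on the page records that; the same applies to every other service section here (barbican, the ceph_* services, cinder, mysql, redis, docker_registry, kubernetes_*, tripleo_firewall, etcd, designate_*, glance, gnocchi). A release note listing the removed `tripleo::<service>::firewall_rules` keys and stating that rules are now taken from the `firewall_rules` role_data output would let operators locate overrides that are now silently unread. The `config_settings` map_merge edited in the second hunk starts and ends outside the hunk.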
@ -187,6 +187,11 @@ outputs:
|
||||||
description: Role data for the Barbican API role.
|
description: Role data for the Barbican API role.
|
||||||
value:
|
value:
|
||||||
service_name: barbican_api
|
service_name: barbican_api
|
||||||
|
firewall_rules:
|
||||||
|
'117 barbican':
|
||||||
|
dport:
|
||||||
|
- 9311
|
||||||
|
- 13311
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
|
@ -245,11 +250,6 @@ outputs:
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
read_default_group: tripleo
|
read_default_group: tripleo
|
||||||
|
|
||||||
tripleo::barbican_api::firewall_rules:
|
|
||||||
'117 barbican':
|
|
||||||
dport:
|
|
||||||
- 9311
|
|
||||||
- 13311
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
mysql:
|
mysql:
|
||||||
barbican::db::mysql::password: {get_param: BarbicanPassword}
|
barbican::db::mysql::password: {get_param: BarbicanPassword}
|
||||||
@ -103,6 +103,14 @@ outputs:
|
||||||
description: Role data for the Ceph Dashboard service.
|
description: Role data for the Ceph Dashboard service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_grafana
|
service_name: ceph_grafana
|
||||||
|
firewall_rules:
|
||||||
|
'123 ceph_dashboard':
|
||||||
|
dport:
|
||||||
|
- 3100
|
||||||
|
- 9090
|
||||||
|
- 9093
|
||||||
|
- 9094
|
||||||
|
- 9100
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
@ -66,6 +66,15 @@ outputs:
|
||||||
description: Role data for the Ceph Metadata service.
|
description: Role data for the Ceph Metadata service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_mds
|
service_name: ceph_mds
|
||||||
|
firewall_rules:
|
||||||
|
'112 ceph_mds':
|
||||||
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - '6800-7300'
|
||||||
|
- if:
|
||||||
|
- dashboard_enabled
|
||||||
|
- - '9100'
|
||||||
|
- []
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
|
@ -88,15 +97,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_mdss|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_mds::firewall_rules:
|
|
||||||
'112 ceph_mds':
|
|
||||||
dport:
|
|
||||||
list_concat:
|
|
||||||
- - '6800-7300'
|
|
||||||
- if:
|
|
||||||
- dashboard_enabled
|
|
||||||
- - '9100'
|
|
||||||
- []
|
|
||||||
- {}
|
|
||||||
@ -76,6 +76,15 @@ outputs:
|
||||||
description: Role data for the Ceph Manager service.
|
description: Role data for the Ceph Manager service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_mgr
|
service_name: ceph_mgr
|
||||||
|
firewall_rules:
|
||||||
|
'113 ceph_mgr':
|
||||||
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - '6800-7300'
|
||||||
|
- if:
|
||||||
|
- dashboard_enabled
|
||||||
|
- - '8443'
|
||||||
|
- []
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
|
@ -98,15 +107,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_mgrs|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_mgr::firewall_rules:
|
|
||||||
'113 ceph_mgr':
|
|
||||||
dport:
|
|
||||||
list_concat:
|
|
||||||
- - '6800-7300'
|
|
||||||
- if:
|
|
||||||
- dashboard_enabled
|
|
||||||
- - '8443'
|
|
||||||
- []
|
|
||||||
- {}
|
|
||||||
@ -80,6 +80,16 @@ outputs:
|
||||||
description: Role data for the Ceph Monitor service.
|
description: Role data for the Ceph Monitor service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_mon
|
service_name: ceph_mon
|
||||||
|
firewall_rules:
|
||||||
|
'110 ceph_mon':
|
||||||
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - 6789
|
||||||
|
- - 3300
|
||||||
|
- if:
|
||||||
|
- dashboard_enabled
|
||||||
|
- - '9100'
|
||||||
|
- []
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
|
@ -102,16 +112,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_mons|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_mon::firewall_rules:
|
|
||||||
'110 ceph_mon':
|
|
||||||
dport:
|
|
||||||
list_concat:
|
|
||||||
- - 6789
|
|
||||||
- - 3300
|
|
||||||
- if:
|
|
||||||
- dashboard_enabled
|
|
||||||
- - '9100'
|
|
||||||
- []
|
|
||||||
- {}
|
|
||||||
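Review bot: The new `'110 ceph_mon'` rule mixes unquoted integers (`- - 6789`, `- - 3300`) with the quoted `'9100'` in the same `dport` list, so the role receives a list of mixed int and str values, whereas the sibling ceph sections quote every port (`'6800-7300'`, `'9100'`, `'8443'`). Quoting these two as `- - '6789'` and `- - '3300'` keeps one scalar type per list and does not rely on the role to coerce. Relatedly, cinder-volume (`dport: 3260`) and kubernetes-master (`dport: 6443`) pass a scalar where every other service passes a list; the puppet-side definitions had the same shape, but it is worth confirming the Ansible role accepts both forms before depending on it.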
@ -66,6 +66,11 @@ outputs:
|
||||||
description: Role data for the Ceph NFS Ganesha service.
|
description: Role data for the Ceph NFS Ganesha service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_nfs
|
service_name: ceph_nfs
|
||||||
|
firewall_rules:
|
||||||
|
'120 ceph_nfs':
|
||||||
|
dport:
|
||||||
|
# We support only NFS 4.1 to start
|
||||||
|
- 2049
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
|
step_config: 'include ::tripleo::profile::pacemaker::ceph_nfs'
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
@ -90,11 +95,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_nfss|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_nfs::firewall_rules:
|
|
||||||
'120 ceph_nfs':
|
|
||||||
dport:
|
|
||||||
# We support only NFS 4.1 to start
|
|
||||||
- 2049
|
|
||||||
- {}
|
|
||||||
@ -69,6 +69,15 @@ outputs:
|
||||||
description: Role data for the Ceph OSD service.
|
description: Role data for the Ceph OSD service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_osd
|
service_name: ceph_osd
|
||||||
|
firewall_rules:
|
||||||
|
'111 ceph_osd':
|
||||||
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - '6800-7300'
|
||||||
|
- if:
|
||||||
|
- dashboard_enabled
|
||||||
|
- - '9100'
|
||||||
|
- []
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
- name: Check legacy Ceph hieradata
|
- name: Check legacy Ceph hieradata
|
||||||
tags: validation
|
tags: validation
|
||||||
|
@ -95,15 +104,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_osds|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_osd::firewall_rules:
|
|
||||||
'111 ceph_osd':
|
|
||||||
dport:
|
|
||||||
list_concat:
|
|
||||||
- - '6800-7300'
|
|
||||||
- if:
|
|
||||||
- dashboard_enabled
|
|
||||||
- - '9100'
|
|
||||||
- []
|
|
||||||
- {}
|
|
||||||
@ -82,6 +82,10 @@ outputs:
|
||||||
description: Role data for the Ceph RBD Mirror service.
|
description: Role data for the Ceph RBD Mirror service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_rbdmirror
|
service_name: ceph_rbdmirror
|
||||||
|
firewall_rules:
|
||||||
|
'114 ceph_rbdmirror':
|
||||||
|
dport:
|
||||||
|
- '6800-7300'
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
|
@ -104,10 +108,3 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_rbdmirrors|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_rbdmirror::firewall_rules:
|
|
||||||
'114 ceph_rbdmirror':
|
|
||||||
dport:
|
|
||||||
- '6800-7300'
|
|
||||||
- {}
|
|
||||||
@ -76,6 +76,15 @@ outputs:
|
||||||
description: Role data for the Ceph RadosGW service.
|
description: Role data for the Ceph RadosGW service.
|
||||||
value:
|
value:
|
||||||
service_name: ceph_rgw
|
service_name: ceph_rgw
|
||||||
|
firewall_rules:
|
||||||
|
'122 ceph rgw':
|
||||||
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - {get_param: [EndpointMap, CephRgwInternal, port]}
|
||||||
|
- if:
|
||||||
|
- dashboard_enabled
|
||||||
|
- - '9100'
|
||||||
|
- []
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_image: ''
|
config_image: ''
|
||||||
|
@ -98,18 +107,6 @@ outputs:
|
||||||
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
|
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
|
||||||
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
|
||||||
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- tripleo::ceph_rgw::firewall_rules:
|
|
||||||
'122 ceph rgw':
|
|
||||||
dport:
|
|
||||||
list_concat:
|
|
||||||
- - {get_param: [EndpointMap, CephRgwInternal, port]}
|
|
||||||
- if:
|
|
||||||
- dashboard_enabled
|
|
||||||
- - '9100'
|
|
||||||
- []
|
|
||||||
- {}
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
keystone:
|
keystone:
|
||||||
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
|
ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]}
|
||||||
@ -118,6 +118,11 @@ outputs:
|
||||||
description: Role data for the Cinder API role.
|
description: Role data for the Cinder API role.
|
||||||
value:
|
value:
|
||||||
service_name: cinder_api
|
service_name: cinder_api
|
||||||
|
firewall_rules:
|
||||||
|
'119 cinder':
|
||||||
|
dport:
|
||||||
|
- 8776
|
||||||
|
- 13776
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionCinderApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -143,11 +148,6 @@ outputs:
|
||||||
DEFAULT/swift_catalog_info:
|
DEFAULT/swift_catalog_info:
|
||||||
value: 'object-store:swift:internalURL'
|
value: 'object-store:swift:internalURL'
|
||||||
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
|
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
|
||||||
tripleo::cinder_api::firewall_rules:
|
|
||||||
'119 cinder':
|
|
||||||
dport:
|
|
||||||
- 8776
|
|
||||||
- 13776
|
|
||||||
cinder::api::bind_host:
|
cinder::api::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
@ -198,6 +198,9 @@ outputs:
|
||||||
description: Role data for the Cinder Volume role.
|
description: Role data for the Cinder Volume role.
|
||||||
value:
|
value:
|
||||||
service_name: cinder_volume
|
service_name: cinder_volume
|
||||||
|
firewall_rules:
|
||||||
|
'120 iscsi initiator':
|
||||||
|
dport: 3260
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
|
monitoring_subscription: {get_param: MonitoringSubscriptionCinderVolume}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -226,9 +229,6 @@ outputs:
|
||||||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
|
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_secret_uuid: {get_param: CephClusterFSID}
|
||||||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
|
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
|
||||||
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
|
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_flatten_volume_from_snapshot: {get_param: CinderRbdFlattenVolumeFromSnapshot}
|
||||||
tripleo::cinder_volume::firewall_rules:
|
|
||||||
'120 iscsi initiator':
|
|
||||||
dport: 3260
|
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
@ -68,6 +68,15 @@ outputs:
|
||||||
description: Service MySQL using composable services.
|
description: Service MySQL using composable services.
|
||||||
value:
|
value:
|
||||||
service_name: mysql
|
service_name: mysql
|
||||||
|
firewall_rules:
|
||||||
|
'104 mysql galera':
|
||||||
|
dport:
|
||||||
|
- 873
|
||||||
|
- 3306
|
||||||
|
- 4444
|
||||||
|
- 4567
|
||||||
|
- 4568
|
||||||
|
- 9200
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
-
|
-
|
||||||
|
@ -79,15 +88,6 @@ outputs:
|
||||||
mysql::server::package_name: 'mariadb-galera-server'
|
mysql::server::package_name: 'mariadb-galera-server'
|
||||||
mysql::server::manage_config_file: true
|
mysql::server::manage_config_file: true
|
||||||
mysql_ipv6: {get_param: MysqlIPv6}
|
mysql_ipv6: {get_param: MysqlIPv6}
|
||||||
tripleo::mysql::firewall_rules:
|
|
||||||
'104 mysql galera':
|
|
||||||
dport:
|
|
||||||
- 873
|
|
||||||
- 3306
|
|
||||||
- 4444
|
|
||||||
- 4567
|
|
||||||
- 4568
|
|
||||||
- 9200
|
|
||||||
mysql_max_connections: {get_param: MysqlMaxConnections}
|
mysql_max_connections: {get_param: MysqlMaxConnections}
|
||||||
mysql::server::root_password:
|
mysql::server::root_password:
|
||||||
yaql:
|
yaql:
|
||||||
@ -99,6 +99,16 @@ outputs:
|
||||||
description: Containerized service MySQL using composable services.
|
description: Containerized service MySQL using composable services.
|
||||||
value:
|
value:
|
||||||
service_name: {get_attr: [MysqlBase, role_data, service_name]}
|
service_name: {get_attr: [MysqlBase, role_data, service_name]}
|
||||||
|
firewall_rules:
|
||||||
|
'104 mysql galera-bundle':
|
||||||
|
dport:
|
||||||
|
- 873
|
||||||
|
- 3123
|
||||||
|
- 3306
|
||||||
|
- 4444
|
||||||
|
- 4567
|
||||||
|
- 4568
|
||||||
|
- 9200
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [MysqlBase, role_data, config_settings]
|
- get_attr: [MysqlBase, role_data, config_settings]
|
||||||
|
@ -131,16 +141,6 @@ outputs:
|
||||||
- 'pcmklatest'
|
- 'pcmklatest'
|
||||||
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
|
tripleo::profile::pacemaker::database::mysql_bundle::control_port: 3123
|
||||||
tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
|
tripleo::profile::pacemaker::database::mysql_bundle::container_backend: {get_param: ContainerCli}
|
||||||
tripleo::mysql::firewall_rules:
|
|
||||||
'104 mysql galera-bundle':
|
|
||||||
dport:
|
|
||||||
- 873
|
|
||||||
- 3123
|
|
||||||
- 3306
|
|
||||||
- 4444
|
|
||||||
- 4567
|
|
||||||
- 4568
|
|
||||||
- 9200
|
|
||||||
tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
|
tripleo::profile::pacemaker::database::mysql_bundle::bind_address:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
@ -62,18 +62,18 @@ outputs:
|
||||||
description: Role data for the Redis API role.
|
description: Role data for the Redis API role.
|
||||||
value:
|
value:
|
||||||
service_name: redis
|
service_name: redis
|
||||||
|
firewall_rules:
|
||||||
|
'108 redis':
|
||||||
|
dport:
|
||||||
|
- 6379
|
||||||
|
- 26379
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||||
- redis::daemonize: false
|
- redis::daemonize: false
|
||||||
tripleo::stunnel::manage_service: false
|
tripleo::stunnel::manage_service: false
|
||||||
tripleo::stunnel::foreground: 'yes'
|
tripleo::stunnel::foreground: 'yes'
|
||||||
- tripleo::redis::firewall_rules:
|
- tripleo::profile::base::database::redis::tls_proxy_bind_ip:
|
||||||
'108 redis':
|
|
||||||
dport:
|
|
||||||
- 6379
|
|
||||||
- 26379
|
|
||||||
tripleo::profile::base::database::redis::tls_proxy_bind_ip:
|
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
@ -86,6 +86,12 @@ outputs:
|
||||||
description: Role data for the Redis API role.
|
description: Role data for the Redis API role.
|
||||||
value:
|
value:
|
||||||
service_name: redis
|
service_name: redis
|
||||||
|
firewall_rules:
|
||||||
|
'108 redis-bundle':
|
||||||
|
dport:
|
||||||
|
- 3124
|
||||||
|
- 6379
|
||||||
|
- 26379
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [RedisBase, role_data, config_settings]}
|
- {get_attr: [RedisBase, role_data, config_settings]}
|
||||||
|
@ -101,12 +107,6 @@ outputs:
|
||||||
- 'pcmklatest'
|
- 'pcmklatest'
|
||||||
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
|
tripleo::profile::pacemaker::database::redis_bundle::control_port: 3124
|
||||||
tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
|
tripleo::profile::pacemaker::database::redis_bundle::container_backend: {get_param: ContainerCli}
|
||||||
tripleo::redis::firewall_rules:
|
|
||||||
'108 redis-bundle':
|
|
||||||
dport:
|
|
||||||
- 3124
|
|
||||||
- 6379
|
|
||||||
- 26379
|
|
||||||
tripleo::stunnel::manage_service: false
|
tripleo::stunnel::manage_service: false
|
||||||
tripleo::stunnel::foreground: 'yes'
|
tripleo::stunnel::foreground: 'yes'
|
||||||
tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:
|
tripleo::profile::pacemaker::database::redis_bundle::tls_proxy_bind_ip:
|
||||||
@ -43,13 +43,11 @@ outputs:
|
||||||
description: Role data for the docker registry service
|
description: Role data for the docker registry service
|
||||||
value:
|
value:
|
||||||
service_name: docker_registry
|
service_name: docker_registry
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::docker_registry::firewall_rules:
|
|
||||||
'155 docker-registry':
|
'155 docker-registry':
|
||||||
dport:
|
dport:
|
||||||
- 8787
|
- 8787
|
||||||
- 13787
|
- 13787
|
||||||
step_config: ''
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: Install, Configure and Run Docker Distribution
|
- name: Install, Configure and Run Docker Distribution
|
||||||
block:
|
block:
|
||||||
@ -43,8 +43,7 @@ outputs:
|
||||||
description: Role data for the Kubernetes Service
|
description: Role data for the Kubernetes Service
|
||||||
value:
|
value:
|
||||||
service_name: kubernetes_master
|
service_name: kubernetes_master
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::kubernetes_master::firewall_rules:
|
|
||||||
'200 kubernetes-master api':
|
'200 kubernetes-master api':
|
||||||
dport: 6443
|
dport: 6443
|
||||||
proto: tcp
|
proto: tcp
|
||||||
@ -41,8 +41,7 @@ outputs:
|
||||||
# as workers. The actual installation is performed in
|
# as workers. The actual installation is performed in
|
||||||
# kubernetes-master service template.
|
# kubernetes-master service template.
|
||||||
service_name: kubernetes_worker
|
service_name: kubernetes_worker
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::kubernetes_worker::firewall_rules:
|
|
||||||
'200 kubernetes-worker kubelet':
|
'200 kubernetes-worker kubelet':
|
||||||
dport:
|
dport:
|
||||||
- 10250
|
- 10250
|
||||||
|
@ -61,4 +60,3 @@ outputs:
|
||||||
'200 kubernetes-worker calico ipv4-in-ip':
|
'200 kubernetes-worker calico ipv4-in-ip':
|
||||||
proto: ipv4
|
proto: ipv4
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
step_config: ''
|
|
||||||
@ -50,10 +50,7 @@ outputs:
|
||||||
description: Role data for the TripleO firewall settings
|
description: Role data for the TripleO firewall settings
|
||||||
value:
|
value:
|
||||||
service_name: tripleo_firewall
|
service_name: tripleo_firewall
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
|
||||||
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
|
||||||
tripleo::tripleo_firewall::firewall_rules:
|
|
||||||
map_merge:
|
map_merge:
|
||||||
repeat:
|
repeat:
|
||||||
for_each:
|
for_each:
|
||||||
|
@ -63,7 +60,9 @@ outputs:
|
||||||
source: <%net_cidr%>
|
source: <%net_cidr%>
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
dport: 22
|
dport: 22
|
||||||
|
config_settings:
|
||||||
|
tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
|
||||||
|
tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::firewall
|
include ::tripleo::firewall
|
||||||
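Review bot: `step_config` still includes `::tripleo::firewall` while `tripleo::firewall::purge_firewall_rules` is kept under `config_settings`, so after this change two managers touch the host firewall: the tripleo-firewall Ansible role from host_prep_tasks and the puppet class at step time. If the puppet class still honours the purge flag it can remove the rules the role just installed, or the role can re-add rules puppet purged, depending on which runs last; the page does not show what the class does once its own rule hash is empty, so this needs confirming against puppet-tripleo. Either drop the puppet include here or add a comment on `step_config` recording why it must remain, e.g. `# puppet-tripleo firewall class kept only for <reason>; rules themselves are applied by the tripleo-firewall Ansible role`.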
@ -55,6 +55,11 @@ outputs:
|
||||||
description: Role data for the etcd role.
|
description: Role data for the etcd role.
|
||||||
value:
|
value:
|
||||||
service_name: etcd
|
service_name: etcd
|
||||||
|
firewall_rules:
|
||||||
|
'141 etcd':
|
||||||
|
dport:
|
||||||
|
- 2379
|
||||||
|
- 2380
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
monitoring_subscription: {get_param: MonitoringSubscriptionEtcd}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -80,11 +85,6 @@ outputs:
|
||||||
tripleo::profile::base::etcd::peer_port: '2380'
|
tripleo::profile::base::etcd::peer_port: '2380'
|
||||||
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
|
etcd::initial_cluster_token: {get_param: EtcdInitialClusterToken}
|
||||||
etcd::manage_package: false
|
etcd::manage_package: false
|
||||||
tripleo::etcd::firewall_rules:
|
|
||||||
'141 etcd':
|
|
||||||
dport:
|
|
||||||
- 2379
|
|
||||||
- 2380
|
|
||||||
etcd::manage_service: false
|
etcd::manage_service: false
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
@ -79,6 +79,11 @@ outputs:
|
||||||
description: Role data for the Designate API role.
|
description: Role data for the Designate API role.
|
||||||
value:
|
value:
|
||||||
service_name: designate_api
|
service_name: designate_api
|
||||||
|
firewall_rules:
|
||||||
|
'139 designate api':
|
||||||
|
dport:
|
||||||
|
- 9001
|
||||||
|
- 13001
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -94,11 +99,6 @@ outputs:
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||||
tripleo::profile::base::designate::api::listen_port: 9001
|
tripleo::profile::base::designate::api::listen_port: 9001
|
||||||
tripleo::designate_api::firewall_rules:
|
|
||||||
'139 designate api':
|
|
||||||
dport:
|
|
||||||
- 9001
|
|
||||||
- 13001
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- designate_workers_zero
|
- designate_workers_zero
|
||||||
@ -80,6 +80,15 @@ outputs:
|
||||||
description: Role data for the Designate MDNS role.
|
description: Role data for the Designate MDNS role.
|
||||||
value:
|
value:
|
||||||
service_name: designate_mdns
|
service_name: designate_mdns
|
||||||
|
firewall_rules:
|
||||||
|
'142 designate_mdns udp':
|
||||||
|
proto: 'udp'
|
||||||
|
dport:
|
||||||
|
- 5354
|
||||||
|
'143 designate_mdns tcp':
|
||||||
|
proto: 'tcp'
|
||||||
|
dport:
|
||||||
|
- 5354
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
|
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateMiniDNS}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -103,16 +112,6 @@ outputs:
|
||||||
-
|
-
|
||||||
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
read_default_group: tripleo
|
read_default_group: tripleo
|
||||||
|
|
||||||
tripleo::designate_mdns::firewall_rules:
|
|
||||||
'142 designate_mdns udp':
|
|
||||||
proto: 'udp'
|
|
||||||
dport:
|
|
||||||
- 5354
|
|
||||||
'143 designate_mdns tcp':
|
|
||||||
proto: 'tcp'
|
|
||||||
dport:
|
|
||||||
- 5354
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- designate_workers_zero
|
- designate_workers_zero
|
||||||
@ -79,6 +79,17 @@ outputs:
|
||||||
description: Role data for the Designate Worker role.
|
description: Role data for the Designate Worker role.
|
||||||
value:
|
value:
|
||||||
service_name: designate_worker
|
service_name: designate_worker
|
||||||
|
firewall_rules:
|
||||||
|
'140 designate_worker udp':
|
||||||
|
proto: 'udp'
|
||||||
|
dport:
|
||||||
|
- 53
|
||||||
|
- 953
|
||||||
|
'141 designate_worker tcp':
|
||||||
|
proto: 'tcp'
|
||||||
|
dport:
|
||||||
|
- 53
|
||||||
|
- 953
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
|
monitoring_subscription: {get_param: MonitoringSubscriptionDesignateWorker}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -118,17 +129,6 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||||
tripleo::designate_worker::firewall_rules:
|
|
||||||
'140 designate_worker udp':
|
|
||||||
proto: 'udp'
|
|
||||||
dport:
|
|
||||||
- 53
|
|
||||||
- 953
|
|
||||||
'141 designate_worker tcp':
|
|
||||||
proto: 'tcp'
|
|
||||||
dport:
|
|
||||||
- 53
|
|
||||||
- 953
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- designate_workers_zero
|
- designate_workers_zero
|
||||||
@ -294,6 +294,11 @@ outputs:
|
||||||
description: Role data for the Glance API role.
|
description: Role data for the Glance API role.
|
||||||
value:
|
value:
|
||||||
service_name: glance_api
|
service_name: glance_api
|
||||||
|
firewall_rules:
|
||||||
|
'112 glance_api':
|
||||||
|
dport:
|
||||||
|
- 9292
|
||||||
|
- 13292
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionGlanceApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -331,11 +336,6 @@ outputs:
|
||||||
- {get_param: Debug }
|
- {get_param: Debug }
|
||||||
- {get_param: GlanceDebug }
|
- {get_param: GlanceDebug }
|
||||||
glance::policy::policies: {get_param: GlanceApiPolicies}
|
glance::policy::policies: {get_param: GlanceApiPolicies}
|
||||||
tripleo::glance_api::firewall_rules:
|
|
||||||
'112 glance_api':
|
|
||||||
dport:
|
|
||||||
- 9292
|
|
||||||
- 13292
|
|
||||||
glance::api::authtoken::project_name: 'service'
|
glance::api::authtoken::project_name: 'service'
|
||||||
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
|
glance::api::authtoken::region_name: {get_param: KeystoneRegion}
|
||||||
glance::api::authtoken::user_domain_name: 'Default'
|
glance::api::authtoken::user_domain_name: 'Default'
|
||||||
|
|
|
@ -142,6 +142,11 @@ outputs:
|
||||||
description: Role data for the gnocchi API role.
|
description: Role data for the gnocchi API role.
|
||||||
value:
|
value:
|
||||||
service_name: gnocchi_api
|
service_name: gnocchi_api
|
||||||
|
firewall_rules:
|
||||||
|
'129 gnocchi-api':
|
||||||
|
dport:
|
||||||
|
- 8041
|
||||||
|
- 13041
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -154,12 +159,7 @@ outputs:
|
||||||
- {}
|
- {}
|
||||||
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
|
- gnocchi::cors::allowed_origin: {get_param: GnocchiCorsAllowedOrigin}
|
||||||
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
|
gnocchi::api::middlewares: 'oslo_middleware.cors.CORS'
|
||||||
- tripleo::gnocchi_api::firewall_rules:
|
- gnocchi::api::enabled: true
|
||||||
'129 gnocchi-api':
|
|
||||||
dport:
|
|
||||||
- 8041
|
|
||||||
- 13041
|
|
||||||
gnocchi::api::enabled: true
|
|
||||||
gnocchi::api::enable_proxy_headers_parsing: true
|
gnocchi::api::enable_proxy_headers_parsing: true
|
||||||
gnocchi::api::service_name: 'httpd'
|
gnocchi::api::service_name: 'httpd'
|
||||||
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
|
gnocchi::policy::policies: {get_param: GnocchiApiPolicies}
|
||||||
|
|
|
@ -80,14 +80,12 @@ outputs:
|
||||||
description: Role data for the Gnocchi API role.
|
description: Role data for the Gnocchi API role.
|
||||||
value:
|
value:
|
||||||
service_name: gnocchi_statsd
|
service_name: gnocchi_statsd
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd}
|
firewall_rules:
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- get_attr: [GnocchiServiceBase, role_data, config_settings]
|
|
||||||
- tripleo::gnocchi_statsd::firewall_rules:
|
|
||||||
'140 gnocchi-statsd':
|
'140 gnocchi-statsd':
|
||||||
dport: 8125
|
dport: 8125
|
||||||
proto: 'udp'
|
proto: 'udp'
|
||||||
|
monitoring_subscription: {get_param: MonitoringSubscriptionGnocchiStatsd}
|
||||||
|
config_settings: {get_attr: [GnocchiServiceBase, role_data, config_settings]}
|
||||||
service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]}
|
service_config_settings: {get_attr: [GnocchiServiceBase, role_data, service_config_settings]}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
|
|
@ -153,6 +153,9 @@ outputs:
|
||||||
description: Role data for the HAproxy role.
|
description: Role data for the HAproxy role.
|
||||||
value:
|
value:
|
||||||
service_name: haproxy
|
service_name: haproxy
|
||||||
|
firewall_rules:
|
||||||
|
'107 haproxy stats':
|
||||||
|
dport: 1993
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -161,9 +164,6 @@ outputs:
|
||||||
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
||||||
# when this is updated
|
# when this is updated
|
||||||
tripleo::haproxy::crl_file: null
|
tripleo::haproxy::crl_file: null
|
||||||
- tripleo::haproxy::firewall_rules:
|
|
||||||
'107 haproxy stats':
|
|
||||||
dport: 1993
|
|
||||||
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
||||||
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
|
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
|
||||||
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
||||||
|
|
|
@ -100,17 +100,17 @@ outputs:
|
||||||
description: Role data for the Heat API CFN role.
|
description: Role data for the Heat API CFN role.
|
||||||
value:
|
value:
|
||||||
service_name: heat_api_cfn
|
service_name: heat_api_cfn
|
||||||
|
firewall_rules:
|
||||||
|
'125 heat_cfn':
|
||||||
|
dport:
|
||||||
|
- 8000
|
||||||
|
- 13800
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
|
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [HeatBase, role_data, config_settings]
|
- get_attr: [HeatBase, role_data, config_settings]
|
||||||
- get_attr: [HeatApiCfnLogging, config_settings]
|
- get_attr: [HeatApiCfnLogging, config_settings]
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
tripleo::heat_api_cfn::firewall_rules:
|
|
||||||
'125 heat_cfn':
|
|
||||||
dport:
|
|
||||||
- 8000
|
|
||||||
- 13800
|
|
||||||
heat::api_cfn::bind_host:
|
heat::api_cfn::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -114,6 +114,11 @@ outputs:
|
||||||
description: Role data for the Heat API role.
|
description: Role data for the Heat API role.
|
||||||
value:
|
value:
|
||||||
service_name: heat_api
|
service_name: heat_api
|
||||||
|
firewall_rules:
|
||||||
|
'125 heat_api':
|
||||||
|
dport:
|
||||||
|
- 8004
|
||||||
|
- 13004
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -121,11 +126,6 @@ outputs:
|
||||||
- get_attr: [HeatApiLogging, config_settings]
|
- get_attr: [HeatApiLogging, config_settings]
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
tripleo::heat_api::firewall_rules:
|
|
||||||
'125 heat_api':
|
|
||||||
dport:
|
|
||||||
- 8004
|
|
||||||
- 13004
|
|
||||||
heat::api::bind_host:
|
heat::api::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -140,15 +140,15 @@ outputs:
|
||||||
description: Role data for the Horizon API role.
|
description: Role data for the Horizon API role.
|
||||||
value:
|
value:
|
||||||
service_name: horizon
|
service_name: horizon
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
firewall_rules:
|
||||||
config_settings:
|
|
||||||
map_merge:
|
|
||||||
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
|
||||||
tripleo::horizon::firewall_rules:
|
|
||||||
'126 horizon':
|
'126 horizon':
|
||||||
dport:
|
dport:
|
||||||
- 80
|
- 80
|
||||||
- 443
|
- 443
|
||||||
|
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
|
||||||
|
config_settings:
|
||||||
|
map_merge:
|
||||||
|
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
|
||||||
horizon::enable_secure_proxy_ssl_header: true
|
horizon::enable_secure_proxy_ssl_header: true
|
||||||
horizon::disable_password_reveal: true
|
horizon::disable_password_reveal: true
|
||||||
horizon::enforce_password_check: true
|
horizon::enforce_password_check: true
|
||||||
|
|
|
@ -43,13 +43,11 @@ outputs:
|
||||||
description: Role data for the image serve registry service
|
description: Role data for the image serve registry service
|
||||||
value:
|
value:
|
||||||
service_name: docker_registry
|
service_name: docker_registry
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::docker_registry::firewall_rules:
|
|
||||||
'155 docker-registry':
|
'155 docker-registry':
|
||||||
dport:
|
dport:
|
||||||
- 8787
|
- 8787
|
||||||
- 13787
|
- 13787
|
||||||
step_config: ''
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: authorize httpd to listen on registry ports
|
- name: authorize httpd to listen on registry ports
|
||||||
seport:
|
seport:
|
||||||
|
|
|
@ -44,8 +44,7 @@ outputs:
|
||||||
description: Role data for the IPSEC service
|
description: Role data for the IPSEC service
|
||||||
value:
|
value:
|
||||||
service_name: ipsec
|
service_name: ipsec
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::ipsec::firewall_rules:
|
|
||||||
'100 IPSEC IKE INPUT':
|
'100 IPSEC IKE INPUT':
|
||||||
dport: 500
|
dport: 500
|
||||||
sport: 500
|
sport: 500
|
||||||
|
@ -79,7 +78,6 @@ outputs:
|
||||||
proto: ah
|
proto: ah
|
||||||
chain: OUTPUT
|
chain: OUTPUT
|
||||||
upgrade_tasks: []
|
upgrade_tasks: []
|
||||||
step_config: ''
|
|
||||||
external_deploy_tasks:
|
external_deploy_tasks:
|
||||||
- name: IPSEC configuration on step 1
|
- name: IPSEC configuration on step 1
|
||||||
when: step|int == 1
|
when: step|int == 1
|
||||||
|
|
|
@ -100,6 +100,11 @@ outputs:
|
||||||
description: Role data for the Ironic API role.
|
description: Role data for the Ironic API role.
|
||||||
value:
|
value:
|
||||||
service_name: ironic_api
|
service_name: ironic_api
|
||||||
|
firewall_rules:
|
||||||
|
'133 ironic api':
|
||||||
|
dport:
|
||||||
|
- 6385
|
||||||
|
- 13385
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -152,12 +157,6 @@ outputs:
|
||||||
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
ironic::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||||
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
ironic::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||||
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
ironic::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||||
|
|
||||||
tripleo::ironic_api::firewall_rules:
|
|
||||||
'133 ironic api':
|
|
||||||
dport:
|
|
||||||
- 6385
|
|
||||||
- 13385
|
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
keystone:
|
keystone:
|
||||||
|
|
|
@ -275,6 +275,12 @@ outputs:
|
||||||
description: Role data for the Ironic Conductor role.
|
description: Role data for the Ironic Conductor role.
|
||||||
value:
|
value:
|
||||||
service_name: ironic_conductor
|
service_name: ironic_conductor
|
||||||
|
firewall_rules:
|
||||||
|
'134 ironic conductor TFTP':
|
||||||
|
dport: 69
|
||||||
|
proto: udp
|
||||||
|
'135 ironic conductor HTTP':
|
||||||
|
dport: {get_param: IronicIPXEPort}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicConductor}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -367,12 +373,6 @@ outputs:
|
||||||
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
|
ironic::drivers::interfaces::enabled_vendor_interfaces: {get_param: IronicEnabledVendorInterfaces}
|
||||||
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
|
ironic::drivers::interfaces::default_network_interface: {get_param: IronicDefaultNetworkInterface}
|
||||||
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
|
ironic::drivers::interfaces::default_rescue_interface: {get_param: IronicDefaultRescueInterface}
|
||||||
tripleo::ironic_conductor::firewall_rules:
|
|
||||||
'134 ironic conductor TFTP':
|
|
||||||
dport: 69
|
|
||||||
proto: udp
|
|
||||||
'135 ironic conductor HTTP':
|
|
||||||
dport: {get_param: IronicIPXEPort}
|
|
||||||
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
|
# NOTE(dtantsur): the my_ip parameter is heavily overloaded in
|
||||||
# ironic. It's used as a default value for e.g. TFTP server IP,
|
# ironic. It's used as a default value for e.g. TFTP server IP,
|
||||||
# glance and neutron endpoints, virtual console IP. We override
|
# glance and neutron endpoints, virtual console IP. We override
|
||||||
|
|
|
@ -181,6 +181,37 @@ outputs:
|
||||||
description: Role data for the Ironic Inspector role.
|
description: Role data for the Ironic Inspector role.
|
||||||
value:
|
value:
|
||||||
service_name: ironic_inspector
|
service_name: ironic_inspector
|
||||||
|
firewall_rules:
|
||||||
|
'137 ironic-inspector':
|
||||||
|
dport:
|
||||||
|
- 5050
|
||||||
|
'137 ironic-inspector dhcp input':
|
||||||
|
iniface: {get_param: IronicInspectorInterface}
|
||||||
|
ipversion: 'ipv4'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'INPUT'
|
||||||
|
dport: 67
|
||||||
|
'137 ironic-inspector dhcp output':
|
||||||
|
ipversion: 'ipv4'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 68
|
||||||
|
'137 ironic-inspector dhcpv6 input':
|
||||||
|
iniface: {get_param: IronicInspectorInterface}
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'INPUT'
|
||||||
|
dport: 547
|
||||||
|
'137 ironic-inspector dhcpv6 output':
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 546
|
||||||
|
'137 ironic-inspector dhcpv6 relay output':
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 547
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
|
monitoring_subscription: {get_param: MonitoringSubscriptionIronicInspector}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -219,37 +250,6 @@ outputs:
|
||||||
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
ironic::inspector::cors::allow_methods: 'GET,POST,PUT,DELETE,OPTIONS,PATCH'
|
||||||
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
ironic::inspector::cors::allow_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Auth-Token'
|
||||||
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
ironic::inspector::cors::expose_headers: 'Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma'
|
||||||
tripleo::ironic_inspector::firewall_rules:
|
|
||||||
'137 ironic-inspector':
|
|
||||||
dport:
|
|
||||||
- 5050
|
|
||||||
'137 ironic-inspector dhcp input':
|
|
||||||
iniface: {get_param: IronicInspectorInterface}
|
|
||||||
ipversion: 'ipv4'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'INPUT'
|
|
||||||
dport: 67
|
|
||||||
'137 ironic-inspector dhcp output':
|
|
||||||
ipversion: 'ipv4'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 68
|
|
||||||
'137 ironic-inspector dhcpv6 input':
|
|
||||||
iniface: {get_param: IronicInspectorInterface}
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'INPUT'
|
|
||||||
dport: 547
|
|
||||||
'137 ironic-inspector dhcpv6 output':
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 546
|
|
||||||
'137 ironic-inspector dhcpv6 relay output':
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 547
|
|
||||||
ironic::inspector::ironic_username: 'ironic'
|
ironic::inspector::ironic_username: 'ironic'
|
||||||
ironic::inspector::ironic_password: {get_param: IronicPassword}
|
ironic::inspector::ironic_password: {get_param: IronicPassword}
|
||||||
ironic::inspector::ironic_tenant_name: 'service'
|
ironic::inspector::ironic_tenant_name: 'service'
|
||||||
|
|
|
@ -73,13 +73,13 @@ outputs:
|
||||||
description: Role data for the Keepalived role.
|
description: Role data for the Keepalived role.
|
||||||
value:
|
value:
|
||||||
service_name: keepalived
|
service_name: keepalived
|
||||||
|
firewall_rules:
|
||||||
|
'106 keepalived vrrp':
|
||||||
|
proto: vrrp
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived}
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeepalived}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio'
|
- tripleo::keepalived:custom_vrrp_script: 'test -S /var/lib/haproxy/stats && echo "show info" | socat /var/lib/haproxy/stats stdio'
|
||||||
- tripleo::keepalived::firewall_rules:
|
|
||||||
'106 keepalived vrrp':
|
|
||||||
proto: vrrp
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- control_iface_empty
|
- control_iface_empty
|
||||||
|
|
|
@ -355,6 +355,12 @@ outputs:
|
||||||
description: Role data for the Keystone API role.
|
description: Role data for the Keystone API role.
|
||||||
value:
|
value:
|
||||||
service_name: keystone
|
service_name: keystone
|
||||||
|
firewall_rules:
|
||||||
|
'111 keystone':
|
||||||
|
dport:
|
||||||
|
- 5000
|
||||||
|
- 13000
|
||||||
|
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
monitoring_subscription: {get_param: MonitoringSubscriptionKeystone}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -449,12 +455,6 @@ outputs:
|
||||||
keystone::wsgi::apache::threads: 1
|
keystone::wsgi::apache::threads: 1
|
||||||
keystone::db::database_db_max_retries: -1
|
keystone::db::database_db_max_retries: -1
|
||||||
keystone::db::database_max_retries: -1
|
keystone::db::database_max_retries: -1
|
||||||
tripleo::keystone::firewall_rules:
|
|
||||||
'111 keystone':
|
|
||||||
dport:
|
|
||||||
- 5000
|
|
||||||
- 13000
|
|
||||||
- {get_param: [EndpointMap, KeystoneAdmin, port]}
|
|
||||||
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||||
# local node IP for the given network; replacement examples
|
# local node IP for the given network; replacement examples
|
||||||
|
|
|
@ -94,6 +94,11 @@ outputs:
|
||||||
description: Role data for the Manila API role.
|
description: Role data for the Manila API role.
|
||||||
value:
|
value:
|
||||||
service_name: manila_api
|
service_name: manila_api
|
||||||
|
firewall_rules:
|
||||||
|
'150 manila':
|
||||||
|
dport:
|
||||||
|
- 8786
|
||||||
|
- 13786
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionManilaApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -105,11 +110,6 @@ outputs:
|
||||||
manila::keystone::authtoken::project_name: 'service'
|
manila::keystone::authtoken::project_name: 'service'
|
||||||
manila::keystone::authtoken::user_domain_name: 'Default'
|
manila::keystone::authtoken::user_domain_name: 'Default'
|
||||||
manila::keystone::authtoken::project_domain_name: 'Default'
|
manila::keystone::authtoken::project_domain_name: 'Default'
|
||||||
tripleo::manila_api::firewall_rules:
|
|
||||||
'150 manila':
|
|
||||||
dport:
|
|
||||||
- 8786
|
|
||||||
- 13786
|
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the
|
# NOTE: bind IP is found in hiera replacing the network name with the
|
||||||
# local node IP for the given network; replacement examples
|
# local node IP for the given network; replacement examples
|
||||||
# (eg. for internal_api):
|
# (eg. for internal_api):
|
||||||
|
|
|
@ -81,6 +81,31 @@ outputs:
|
||||||
description: Role data for the Memcached API role.
|
description: Role data for the Memcached API role.
|
||||||
value:
|
value:
|
||||||
service_name: memcached
|
service_name: memcached
|
||||||
|
firewall_rules:
|
||||||
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||||
|
# Memcached traffic shouldn't be open on the internet.
|
||||||
|
# Even if binding is configured on internal_api network, enforce it
|
||||||
|
# via firewall as well.
|
||||||
|
if:
|
||||||
|
- memcached_network_unset
|
||||||
|
- map_merge:
|
||||||
|
repeat:
|
||||||
|
for_each:
|
||||||
|
<%net_cidr%>:
|
||||||
|
get_param:
|
||||||
|
- ServiceData
|
||||||
|
- net_cidr_map
|
||||||
|
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
template:
|
||||||
|
'121 memcached <%net_cidr%>':
|
||||||
|
dport: 11211
|
||||||
|
proto: 'tcp'
|
||||||
|
source: <%net_cidr%>
|
||||||
|
- '121 memcached':
|
||||||
|
dport: 11211
|
||||||
|
proto: 'tcp'
|
||||||
|
source: {get_param: MemcachedIpSubnet}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||||
config_settings:
|
config_settings:
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
|
@ -113,31 +138,6 @@ outputs:
|
||||||
- 'v'
|
- 'v'
|
||||||
- ''
|
- ''
|
||||||
memcached::disable_cachedump: true
|
memcached::disable_cachedump: true
|
||||||
tripleo::memcached::firewall_rules:
|
|
||||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
|
||||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
|
||||||
# Memcached traffic shouldn't be open on the internet.
|
|
||||||
# Even if binding is configured on internal_api network, enforce it
|
|
||||||
# via firewall as well.
|
|
||||||
if:
|
|
||||||
- memcached_network_unset
|
|
||||||
- map_merge:
|
|
||||||
repeat:
|
|
||||||
for_each:
|
|
||||||
<%net_cidr%>:
|
|
||||||
get_param:
|
|
||||||
- ServiceData
|
|
||||||
- net_cidr_map
|
|
||||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
|
||||||
template:
|
|
||||||
'121 memcached <%net_cidr%>':
|
|
||||||
dport: 11211
|
|
||||||
proto: 'tcp'
|
|
||||||
source: <%net_cidr%>
|
|
||||||
- '121 memcached':
|
|
||||||
dport: 11211
|
|
||||||
proto: 'tcp'
|
|
||||||
source: {get_param: MemcachedIpSubnet}
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
collectd:
|
collectd:
|
||||||
tripleo.collectd.plugins.memcached:
|
tripleo.collectd.plugins.memcached:
|
||||||
|
|
|
@ -65,6 +65,15 @@ outputs:
|
||||||
description: Role data for the qdrouterd service.
|
description: Role data for the qdrouterd service.
|
||||||
value:
|
value:
|
||||||
service_name: oslo_messaging_rpc
|
service_name: oslo_messaging_rpc
|
||||||
|
firewall_rules:
|
||||||
|
'109 qdrouterd':
|
||||||
|
dport:
|
||||||
|
- {get_param: RpcPort}
|
||||||
|
- 31459
|
||||||
|
- 31460
|
||||||
|
'109 qdr':
|
||||||
|
dport:
|
||||||
|
- {get_param: RpcPort}
|
||||||
global_config_settings:
|
global_config_settings:
|
||||||
oslo_messaging_rpc_scheme: amqp
|
oslo_messaging_rpc_scheme: amqp
|
||||||
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
|
oslo_messaging_rpc_user_name: {get_param: RpcUserName}
|
||||||
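Review bot: `'109 qdr'` opens `{get_param: RpcPort}`, which `'109 qdrouterd'` directly above already lists in its `dport`, so the second rule is redundant now that both live in the same `firewall_rules` map of this template and could be dropped. The old layout kept the two under different hiera keys (`tripleo::oslo_messaging_rpc::firewall_rules` and `tripleo::rabbitmq::firewall_rules`), so a duplicate name was harmless; if the new collection step flattens every service's `firewall_rules` into one map keyed by rule name, as it appears to, then any other template that also emits a `'109 qdr'` rule would silently have one definition overwrite the other. A short comment next to `firewall_rules:` such as `# Rule names are merged across all services; keep them unique.` would make that constraint visible, and it is worth grepping the templates for colliding rule names before merging.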
|
@ -75,12 +84,6 @@ outputs:
|
||||||
messaging_rpc_service_name: 'amqp'
|
messaging_rpc_service_name: 'amqp'
|
||||||
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
||||||
config_settings:
|
config_settings:
|
||||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
|
||||||
'109 qdrouterd':
|
|
||||||
dport:
|
|
||||||
- {get_param: RpcPort}
|
|
||||||
- 31459
|
|
||||||
- 31460
|
|
||||||
qdr::listener_addr:
|
qdr::listener_addr:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
@ -90,10 +93,6 @@ outputs:
|
||||||
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
|
tripleo::profile::base::qdr::qdr_listener_port: {get_param: RpcPort}
|
||||||
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
|
tripleo::profile::base::qdr::qdr_username: {get_param: RpcUserName}
|
||||||
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
|
tripleo::profile::base::qdr::qdr_password: {get_param: RpcPassword}
|
||||||
tripleo::rabbitmq::firewall_rules:
|
|
||||||
'109 qdr':
|
|
||||||
dport:
|
|
||||||
- {get_param: RpcPort}
|
|
||||||
service_config_settings: {}
|
service_config_settings: {}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
|
|
@ -149,6 +149,10 @@ outputs:
|
||||||
description: Role data for the metrics Qdr role.
|
description: Role data for the metrics Qdr role.
|
||||||
value:
|
value:
|
||||||
service_name: metrics-qdr
|
service_name: metrics-qdr
|
||||||
|
firewall_rules:
|
||||||
|
'109 metrics qdr':
|
||||||
|
dport:
|
||||||
|
- {get_param: MetricsQdrPort}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
rsyslog:
|
rsyslog:
|
||||||
|
@ -156,11 +160,7 @@ outputs:
|
||||||
- {get_param: MetricsQdrLoggingSource}
|
- {get_param: MetricsQdrLoggingSource}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- tripleo::metrics_qdr::firewall_rules:
|
- tripleo::profile::base::metrics::qdr::listener_addr:
|
||||||
'109 metrics qdr':
|
|
||||||
dport:
|
|
||||||
- {get_param: MetricsQdrPort}
|
|
||||||
tripleo::profile::base::metrics::qdr::listener_addr:
|
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
|
|
|
@ -88,6 +88,11 @@ outputs:
|
||||||
description: Role data for the Mistral API role.
|
description: Role data for the Mistral API role.
|
||||||
value:
|
value:
|
||||||
service_name: mistral_api
|
service_name: mistral_api
|
||||||
|
firewall_rules:
|
||||||
|
'133 mistral':
|
||||||
|
dport:
|
||||||
|
- 8989
|
||||||
|
- 13989
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [MistralBase, role_data, config_settings]
|
- get_attr: [MistralBase, role_data, config_settings]
|
||||||
|
@ -109,11 +114,6 @@ outputs:
|
||||||
mistral::policy::policies: {get_param: MistralApiPolicies}
|
mistral::policy::policies: {get_param: MistralApiPolicies}
|
||||||
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
|
mistral::cron_trigger::execution_interval: {get_param: MistralExecutionInterval}
|
||||||
mistral::api::allow_action_execution_deletion: true
|
mistral::api::allow_action_execution_deletion: true
|
||||||
tripleo::mistral_api::firewall_rules:
|
|
||||||
'133 mistral':
|
|
||||||
dport:
|
|
||||||
- 8989
|
|
||||||
- 13989
|
|
||||||
mistral::api::service_name: 'httpd'
|
mistral::api::service_name: 'httpd'
|
||||||
mistral::wsgi::apache::bind_host:
|
mistral::wsgi::apache::bind_host:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
|
|
@ -224,6 +224,11 @@ outputs:
|
||||||
description: Role data for the Neutron API role.
|
description: Role data for the Neutron API role.
|
||||||
value:
|
value:
|
||||||
service_name: neutron_api
|
service_name: neutron_api
|
||||||
|
firewall_rules:
|
||||||
|
'114 neutron api':
|
||||||
|
dport:
|
||||||
|
- 9696
|
||||||
|
- 13696
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronServer}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -270,11 +275,6 @@ outputs:
|
||||||
neutron::server::sync_db: true
|
neutron::server::sync_db: true
|
||||||
neutron::server::notifications::region_name: {get_param: KeystoneRegion}
|
neutron::server::notifications::region_name: {get_param: KeystoneRegion}
|
||||||
neutron::server::placement::region_name: {get_param: KeystoneRegion}
|
neutron::server::placement::region_name: {get_param: KeystoneRegion}
|
||||||
tripleo::neutron_api::firewall_rules:
|
|
||||||
'114 neutron api':
|
|
||||||
dport:
|
|
||||||
- 9696
|
|
||||||
- 13696
|
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
|
|
|
@ -79,6 +79,12 @@ parameters:
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the Neutron Compute Nuage plugin
|
description: Role data for the Neutron Compute Nuage plugin
|
||||||
|
firewall_rules:
|
||||||
|
'118 neutron vxlan networks':
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 4789
|
||||||
|
'100 metadata agent':
|
||||||
|
dport: {get_param: NuageMetadataPort}
|
||||||
value:
|
value:
|
||||||
service_name: neutron_compute_plugin_nuage
|
service_name: neutron_compute_plugin_nuage
|
||||||
config_settings:
|
config_settings:
|
||||||
|
@ -96,11 +102,5 @@ outputs:
|
||||||
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
|
tripleo::profile::base::neutron::agents::nuage::nova_os_tenant_name: 'service'
|
||||||
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
|
tripleo::profile::base::neutron::agents::nuage::nova_os_password: {get_param: NovaPassword}
|
||||||
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
|
tripleo::profile::base::neutron::agents::nuage::nova_auth_ip: {get_param: [EndpointMap, KeystoneInternal, host]}
|
||||||
tripleo::neutron_compute_plugin_nuage::firewall_rules:
|
|
||||||
'118 neutron vxlan networks':
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 4789
|
|
||||||
'100 metadata agent':
|
|
||||||
dport: {get_param: NuageMetadataPort}
|
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::neutron::agents::nuage
|
include ::tripleo::profile::base::neutron::agents::nuage
|
||||||
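Review bot: In the first hunk `firewall_rules:` is inserted between `description:` and `value:` of the `role_data` output instead of inside `value:` next to `service_name:` (indentation is lost in this rendering, but the ordering places it at the output-attribute level). The new rules are collected from each service's role_data value, so the two Nuage rules that the second hunk removes from `config_settings` would no longer reach the firewall, and Heat may reject the unknown output key outright; move the block under `value:` after `service_name: neutron_compute_plugin_nuage`. The L2 Gateway agent hunk at the end of the excerpt, which continues past it, has a related placement problem: its `if:` is a sibling key of `service_name:` rather than the value of a `firewall_rules:` key, so Heat will not evaluate it as a conditional and `'142 neutron l2gw agent input'` is never emitted; `firewall_rules: {if: [internal_manager_enabled, {'142 neutron l2gw agent input': {proto: 'tcp', dport: {get_param: L2gwAgentManagerTableListeningPort}}}, {}]}` would restore it.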
|
|
|
@ -180,6 +180,30 @@ outputs:
|
||||||
description: Role data for the Neutron DHCP role.
|
description: Role data for the Neutron DHCP role.
|
||||||
value:
|
value:
|
||||||
service_name: neutron_dhcp
|
service_name: neutron_dhcp
|
||||||
|
firewall_rules:
|
||||||
|
'115 neutron dhcp input':
|
||||||
|
ipversion: 'ipv4'
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 67
|
||||||
|
'116 neutron dhcp output':
|
||||||
|
ipversion: 'ipv4'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 68
|
||||||
|
'115 neutron dhcpv6 input':
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 547
|
||||||
|
'116 neutron dhcpv6 output':
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 546
|
||||||
|
'116 neutron dhcpv6 relay output':
|
||||||
|
ipversion: 'ipv6'
|
||||||
|
proto: 'udp'
|
||||||
|
chain: 'OUTPUT'
|
||||||
|
dport: 547
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronDhcp}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -209,30 +233,6 @@ outputs:
|
||||||
- service_debug_unset
|
- service_debug_unset
|
||||||
- {get_param: Debug}
|
- {get_param: Debug}
|
||||||
- {get_param: NeutronDhcpAgentDebug}
|
- {get_param: NeutronDhcpAgentDebug}
|
||||||
tripleo::neutron_dhcp::firewall_rules:
|
|
||||||
'115 neutron dhcp input':
|
|
||||||
ipversion: 'ipv4'
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 67
|
|
||||||
'116 neutron dhcp output':
|
|
||||||
ipversion: 'ipv4'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 68
|
|
||||||
'115 neutron dhcpv6 input':
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 547
|
|
||||||
'116 neutron dhcpv6 output':
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 546
|
|
||||||
'116 neutron dhcpv6 relay output':
|
|
||||||
ipversion: 'ipv6'
|
|
||||||
proto: 'udp'
|
|
||||||
chain: 'OUTPUT'
|
|
||||||
dport: 547
|
|
||||||
- if:
|
- if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
|
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
|
||||||
|
|
|
@ -82,10 +82,16 @@ outputs:
|
||||||
description: Role data for the L2 Gateway role.
|
description: Role data for the L2 Gateway role.
|
||||||
value:
|
value:
|
||||||
service_name: neutron_l2gw_agent
|
service_name: neutron_l2gw_agent
|
||||||
|
if:
|
||||||
|
- internal_manager_enabled
|
||||||
|
- firewall_rules:
|
||||||
|
'142 neutron l2gw agent input':
|
||||||
|
proto: 'tcp'
|
||||||
|
dport: {get_param: L2gwAgentManagerTableListeningPort}
|
||||||
|
- null
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL2gwAgent}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
|
||||||
- neutron::agents::l2gw::ovsdb_hosts: {get_param: L2gwAgentOvsdbHosts}
|
|
||||||
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
|
neutron::agents::l2gw::enable_manager: {get_param: L2gwAgentEnableManager}
|
||||||
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
|
neutron::agents::l2gw::manager_table_listening_port: {get_param: L2gwAgentManagerTableListeningPort}
|
||||||
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
|
neutron::agents::l2gw::periodic_interval: {get_param: L2gwAgentPeriodicInterval}
|
||||||
|
@ -96,15 +102,6 @@ outputs:
|
||||||
- service_debug_unset
|
- service_debug_unset
|
||||||
- {get_param: Debug}
|
- {get_param: Debug}
|
||||||
- {get_param: NeutronL2gwAgentDebug}
|
- {get_param: NeutronL2gwAgentDebug}
|
||||||
-
|
|
||||||
if:
|
|
||||||
- internal_manager_enabled
|
|
||||||
- tripleo::neutron_l2gw_agent::firewall_rules:
|
|
||||||
'142 neutron l2gw agent input':
|
|
||||||
proto: 'tcp'
|
|
||||||
dport: {get_param: L2gwAgentManagerTableListeningPort}
|
|
||||||
- null
|
|
||||||
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
rsyslog:
|
rsyslog:
|
||||||
tripleo_logging_sources_neutron_l2gw_agent:
|
tripleo_logging_sources_neutron_l2gw_agent:
|
||||||
|
|
|
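Review bot: In the first hunk of this section the conditional appears to sit directly under `value:` as a sibling of `service_name` (`if:` → `- internal_manager_enabled` → `- firewall_rules:` → `- null`); Heat only treats a mapping as a function call when the function name is its sole key, so as rendered this would put a literal `if` key into role_data and never emit `firewall_rules`, leaving the l2gw manager port closed when `internal_manager_enabled` holds. Leading whitespace is lost in this rendering, so confirm the actual nesting in the file; if it is as it appears, move the conditional under the `firewall_rules` key so the single-key `if:` mapping is what Heat evaluates. The old form worked only because `- if:` was a single-key list item inside `map_merge`.
```yaml
service_name: neutron_l2gw_agent
firewall_rules:
  if:
    - internal_manager_enabled
    - '142 neutron l2gw agent input':
        proto: 'tcp'
        dport: {get_param: L2gwAgentManagerTableListeningPort}
    - null
# … unchanged: monitoring_subscription, config_settings …
```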
@ -179,6 +179,9 @@ outputs:
|
||||||
description: Role data for Neutron L3 agent
|
description: Role data for Neutron L3 agent
|
||||||
value:
|
value:
|
||||||
service_name: neutron_l3
|
service_name: neutron_l3
|
||||||
|
firewall_rules:
|
||||||
|
'106 neutron_l3 vrrp':
|
||||||
|
proto: vrrp
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronL3}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -210,9 +213,6 @@ outputs:
|
||||||
- service_debug_unset
|
- service_debug_unset
|
||||||
- {get_param: Debug}
|
- {get_param: Debug}
|
||||||
- {get_param: NeutronL3AgentDebug}
|
- {get_param: NeutronL3AgentDebug}
|
||||||
tripleo::neutron_l3::firewall_rules:
|
|
||||||
'106 neutron_l3 vrrp':
|
|
||||||
proto: vrrp
|
|
||||||
-
|
-
|
||||||
- if:
|
- if:
|
||||||
- az_unset
|
- az_unset
|
||||||
|
|
|
@ -173,6 +173,12 @@ outputs:
|
||||||
description: Role data for Neutron openvswitch service
|
description: Role data for Neutron openvswitch service
|
||||||
value:
|
value:
|
||||||
service_name: neutron_ovs_agent
|
service_name: neutron_ovs_agent
|
||||||
|
firewall_rules:
|
||||||
|
'118 neutron vxlan networks':
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 4789
|
||||||
|
'136 neutron gre networks':
|
||||||
|
proto: 'gre'
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNeutronOvs}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -196,12 +202,6 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
||||||
tripleo::neutron_ovs_agent::firewall_rules:
|
|
||||||
'118 neutron vxlan networks':
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 4789
|
|
||||||
'136 neutron gre networks':
|
|
||||||
proto: 'gre'
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- neutron_dvr_unset
|
- neutron_dvr_unset
|
||||||
|
|
|
@ -116,10 +116,7 @@ outputs:
|
||||||
service_name: neutron_ovs_dpdk_agent
|
service_name: neutron_ovs_dpdk_agent
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- map_replace:
|
|
||||||
- get_attr: [NeutronOvsAgent, role_data, config_settings]
|
- get_attr: [NeutronOvsAgent, role_data, config_settings]
|
||||||
- keys:
|
|
||||||
tripleo::neutron_ovs_agent::firewall_rules: tripleo::neutron_ovs_dpdk_agent::firewall_rules
|
|
||||||
- nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
|
- nova::compute::libvirt::qemu::group: {get_attr: [RoleParametersValue, value, vhostuser_socket_group]}
|
||||||
- get_attr: [RoleParametersValue, value]
|
- get_attr: [RoleParametersValue, value]
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
|
|
|
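Review bot: Dropping the `map_replace` that renamed `tripleo::neutron_ovs_agent::firewall_rules` leaves neutron_ovs_dpdk_agent with no firewall rules, because `get_attr: [NeutronOvsAgent, role_data, config_settings]` no longer carries them and nothing in this hunk adds a `firewall_rules` key to the DPDK role_data value. Unless that key is added elsewhere in the file outside the hunk, the vxlan (4789/udp) and gre rules the DPDK agent used to inherit are silently dropped, which breaks tunnel traffic on DPDK hosts rather than failing at deploy time. Add `firewall_rules: {get_attr: [NeutronOvsAgent, role_data, firewall_rules]}` next to `service_name: neutron_ovs_dpdk_agent`. The enclosing output starts outside the hunk.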
@ -146,17 +146,17 @@ outputs:
|
||||||
description: Role data for the Nova API role.
|
description: Role data for the Nova API role.
|
||||||
value:
|
value:
|
||||||
service_name: nova_api
|
service_name: nova_api
|
||||||
|
firewall_rules:
|
||||||
|
'113 nova_api':
|
||||||
|
dport:
|
||||||
|
- 8774
|
||||||
|
- 13774
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [NovaBase, role_data, config_settings]
|
- get_attr: [NovaBase, role_data, config_settings]
|
||||||
- get_attr: [NovaApiLogging, config_settings]
|
- get_attr: [NovaApiLogging, config_settings]
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
tripleo::nova_api::firewall_rules:
|
|
||||||
'113 nova_api':
|
|
||||||
dport:
|
|
||||||
- 8774
|
|
||||||
- 13774
|
|
||||||
nova::keystone::authtoken::project_name: 'service'
|
nova::keystone::authtoken::project_name: 'service'
|
||||||
nova::keystone::authtoken::user_domain_name: 'Default'
|
nova::keystone::authtoken::user_domain_name: 'Default'
|
||||||
nova::keystone::authtoken::project_domain_name: 'Default'
|
nova::keystone::authtoken::project_domain_name: 'Default'
|
||||||
|
|
|
@ -351,6 +351,12 @@ outputs:
|
||||||
description: Role data for the Libvirt service.
|
description: Role data for the Libvirt service.
|
||||||
value:
|
value:
|
||||||
service_name: nova_libvirt
|
service_name: nova_libvirt
|
||||||
|
firewall_rules:
|
||||||
|
'200 nova_libvirt':
|
||||||
|
dport:
|
||||||
|
- 16514
|
||||||
|
- '61152-61215'
|
||||||
|
- '5900-6923'
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaLibvirt}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -395,12 +401,6 @@ outputs:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
|
nova::compute::libvirt::log_filters: {get_param: LibvirtLogFilters}
|
||||||
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
|
rbd_persistent_storage: {get_param: CinderEnableRbdBackend}
|
||||||
tripleo::nova_libvirt::firewall_rules:
|
|
||||||
'200 nova_libvirt':
|
|
||||||
dport:
|
|
||||||
- 16514
|
|
||||||
- '61152-61215'
|
|
||||||
- '5900-6923'
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- use_tls_for_live_migration
|
- use_tls_for_live_migration
|
||||||
|
|
|
@ -119,6 +119,11 @@ outputs:
|
||||||
description: Role data for the Nova Metadata service.
|
description: Role data for the Nova Metadata service.
|
||||||
value:
|
value:
|
||||||
service_name: nova_metadata
|
service_name: nova_metadata
|
||||||
|
firewall_rules:
|
||||||
|
'139 nova_metadata':
|
||||||
|
dport:
|
||||||
|
- 8775
|
||||||
|
- 13775
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -126,12 +131,7 @@ outputs:
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
- get_attr: [NovaMetadataLogging, config_settings]
|
- get_attr: [NovaMetadataLogging, config_settings]
|
||||||
- apache::default_vhost: false
|
- apache::default_vhost: false
|
||||||
- tripleo::nova_metadata::firewall_rules:
|
- nova::keystone::authtoken::project_name: 'service'
|
||||||
'139 nova_metadata':
|
|
||||||
dport:
|
|
||||||
- 8775
|
|
||||||
- 13775
|
|
||||||
nova::keystone::authtoken::project_name: 'service'
|
|
||||||
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
nova::keystone::authtoken::password: {get_param: NovaPassword}
|
||||||
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||||
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
|
||||||
|
|
|
@ -88,6 +88,10 @@ outputs:
|
||||||
description: Role data for the Nova Migration Target service.
|
description: Role data for the Nova Migration Target service.
|
||||||
value:
|
value:
|
||||||
service_name: nova_migration_target
|
service_name: nova_migration_target
|
||||||
|
firewall_rules:
|
||||||
|
'113 nova_migration_target':
|
||||||
|
dport:
|
||||||
|
- {get_param: MigrationSshPort}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [SshdBase, role_data, config_settings]
|
- get_attr: [SshdBase, role_data, config_settings]
|
||||||
|
@ -116,10 +120,6 @@ outputs:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||||
tripleo::profile::base::sshd::port:
|
tripleo::profile::base::sshd::port:
|
||||||
- 22
|
- 22
|
||||||
tripleo::nova_migration_target::firewall_rules:
|
|
||||||
'113 nova_migration_target':
|
|
||||||
dport:
|
|
||||||
- {get_param: MigrationSshPort}
|
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_volume: nova_libvirt
|
config_volume: nova_libvirt
|
||||||
step_config:
|
step_config:
|
||||||
|
|
|
@ -123,6 +123,11 @@ outputs:
|
||||||
description: Role data for the Nova Vncproxy service.
|
description: Role data for the Nova Vncproxy service.
|
||||||
value:
|
value:
|
||||||
service_name: nova_vnc_proxy
|
service_name: nova_vnc_proxy
|
||||||
|
firewall_rules:
|
||||||
|
'137 nova_vnc_proxy':
|
||||||
|
dport:
|
||||||
|
- 6080
|
||||||
|
- 13080
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [NovaLogging, config_settings]}
|
- {get_attr: [NovaLogging, config_settings]}
|
||||||
|
@ -141,11 +146,6 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||||
tripleo::nova_vnc_proxy::firewall_rules:
|
|
||||||
'137 nova_vnc_proxy':
|
|
||||||
dport:
|
|
||||||
- 6080
|
|
||||||
- 13080
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- use_tls_for_vnc
|
- use_tls_for_vnc
|
||||||
|
|
|
@ -94,6 +94,10 @@ outputs:
|
||||||
description: Role data for the novajoin API role.
|
description: Role data for the novajoin API role.
|
||||||
value:
|
value:
|
||||||
service_name: novajoin
|
service_name: novajoin
|
||||||
|
firewall_rules:
|
||||||
|
'119 novajoin':
|
||||||
|
dport:
|
||||||
|
- 9090
|
||||||
config_settings:
|
config_settings:
|
||||||
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
|
tripleo::profile::base::novajoin::oslomsg_rpc_password: {get_param: RpcPassword}
|
||||||
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
|
tripleo::profile::base::novajoin::oslomsg_rpc_port: {get_param: RabbitClientPort}
|
||||||
|
@ -118,10 +122,6 @@ outputs:
|
||||||
nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
nova::metadata::novajoin::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||||
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
|
nova::metadata::novajoin::authtoken::password: {get_param: NovajoinPassword}
|
||||||
nova::metadata::novajoin::authtoken::project_name: 'service'
|
nova::metadata::novajoin::authtoken::project_name: 'service'
|
||||||
tripleo::novajoin::firewall_rules:
|
|
||||||
'119 novajoin':
|
|
||||||
dport:
|
|
||||||
- 9090
|
|
||||||
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
|
nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
keystone:
|
keystone:
|
||||||
|
|
|
@ -119,6 +119,11 @@ outputs:
|
||||||
description: Role data for the Octavia API role.
|
description: Role data for the Octavia API role.
|
||||||
value:
|
value:
|
||||||
service_name: octavia_api
|
service_name: octavia_api
|
||||||
|
firewall_rules:
|
||||||
|
'120 octavia api':
|
||||||
|
dport:
|
||||||
|
- 9876
|
||||||
|
- 13876
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -137,11 +142,6 @@ outputs:
|
||||||
octavia::api::sync_db: true
|
octavia::api::sync_db: true
|
||||||
octavia::api::service_name: 'httpd'
|
octavia::api::service_name: 'httpd'
|
||||||
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
octavia::wsgi::apache::ssl: {get_param: EnableInternalTLS}
|
||||||
tripleo::octavia_api::firewall_rules:
|
|
||||||
'120 octavia api':
|
|
||||||
dport:
|
|
||||||
- 9876
|
|
||||||
- 13876
|
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
|
|
|
@ -78,16 +78,16 @@ outputs:
|
||||||
description: Role data for the Octavia health-manager role.
|
description: Role data for the Octavia health-manager role.
|
||||||
value:
|
value:
|
||||||
service_name: octavia_health_manager
|
service_name: octavia_health_manager
|
||||||
|
firewall_rules:
|
||||||
|
'200 octavia health manager interface':
|
||||||
|
proto: udp
|
||||||
|
dport: 5555
|
||||||
|
iniface: {get_param: OctaviaMgmtPortDevName}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
|
monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [OctaviaBase, role_data, config_settings]
|
- get_attr: [OctaviaBase, role_data, config_settings]
|
||||||
- octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
|
- octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
|
||||||
tripleo::octavia_health_manager::firewall_rules:
|
|
||||||
'200 octavia health manager interface':
|
|
||||||
proto: udp
|
|
||||||
dport: 5555
|
|
||||||
iniface: {get_param: OctaviaMgmtPortDevName}
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
rsyslog:
|
rsyslog:
|
||||||
tripleo_logging_sources_octavia_health_manager:
|
tripleo_logging_sources_octavia_health_manager:
|
||||||
|
|
|
@ -125,6 +125,13 @@ outputs:
|
||||||
description: Role data for the Ovn Controller agent.
|
description: Role data for the Ovn Controller agent.
|
||||||
value:
|
value:
|
||||||
service_name: ovn_controller
|
service_name: ovn_controller
|
||||||
|
firewall_rules:
|
||||||
|
'118 neutron vxlan networks':
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 4789
|
||||||
|
'119 neutron geneve networks':
|
||||||
|
proto: 'udp'
|
||||||
|
dport: 6081
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [RoleParametersValue, value]
|
- get_attr: [RoleParametersValue, value]
|
||||||
|
@ -139,13 +146,6 @@ outputs:
|
||||||
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
|
ovn::controller::hostname: "%{hiera('fqdn_canonical')}"
|
||||||
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
ovn::controller::ovn_remote_probe_interval: {get_param: OVNRemoteProbeInterval}
|
||||||
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
|
ovn::controller::ovn_openflow_probe_interval: {get_param: OVNOpenflowProbeInterval}
|
||||||
tripleo::ovn_controller::firewall_rules:
|
|
||||||
'118 neutron vxlan networks':
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 4789
|
|
||||||
'119 neutron geneve networks':
|
|
||||||
proto: 'udp'
|
|
||||||
dport: 6081
|
|
||||||
- if:
|
- if:
|
||||||
- force_config_drive
|
- force_config_drive
|
||||||
- nova::compute::force_config_drive: true
|
- nova::compute::force_config_drive: true
|
||||||
|
|
|
@ -58,6 +58,12 @@ outputs:
|
||||||
description: Role data for the OVN Dbs role.
|
description: Role data for the OVN Dbs role.
|
||||||
value:
|
value:
|
||||||
service_name: ovn_dbs
|
service_name: ovn_dbs
|
||||||
|
firewall_rules:
|
||||||
|
'121 OVN DB server ports':
|
||||||
|
proto: 'tcp'
|
||||||
|
dport:
|
||||||
|
- {get_param: OVNNorthboundServerPort}
|
||||||
|
- {get_param: OVNSouthboundServerPort}
|
||||||
config_settings:
|
config_settings:
|
||||||
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
ovn::northbound::port: {get_param: OVNNorthboundServerPort}
|
||||||
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
ovn::southbound::port: {get_param: OVNSouthboundServerPort}
|
||||||
|
@ -68,12 +74,6 @@ outputs:
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||||
tripleo::haproxy::ovn_dbs_manage_lb: true
|
tripleo::haproxy::ovn_dbs_manage_lb: true
|
||||||
tripleo::ovn_dbs::firewall_rules:
|
|
||||||
'121 OVN DB server ports':
|
|
||||||
proto: 'tcp'
|
|
||||||
dport:
|
|
||||||
- {get_param: OVNNorthboundServerPort}
|
|
||||||
- {get_param: OVNSouthboundServerPort}
|
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
# puppet_config is not required for this service since we configure
|
# puppet_config is not required for this service since we configure
|
||||||
# the NB and SB DB servers to listen on the proper IP address/port
|
# the NB and SB DB servers to listen on the proper IP address/port
|
||||||
|
|
|
@ -101,6 +101,14 @@ outputs:
|
||||||
description: Role data for the OVN Dbs HA role.
|
description: Role data for the OVN Dbs HA role.
|
||||||
value:
|
value:
|
||||||
service_name: ovn_dbs
|
service_name: ovn_dbs
|
||||||
|
firewall_rules:
|
||||||
|
'121 OVN DB server ports':
|
||||||
|
proto: 'tcp'
|
||||||
|
dport:
|
||||||
|
# Control port for pcmk remote bundle
|
||||||
|
- 3125
|
||||||
|
- {get_param: OVNNorthboundServerPort}
|
||||||
|
- {get_param: OVNSouthboundServerPort}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [OVNDbsBase, role_data, config_settings]
|
- get_attr: [OVNDbsBase, role_data, config_settings]
|
||||||
|
@ -116,14 +124,6 @@ outputs:
|
||||||
- tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli}
|
- tripleo::profile::pacemaker::ovn_dbs_bundle::container_backend: {get_param: ContainerCli}
|
||||||
- tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout}
|
- tripleo::profile::pacemaker::ovn_dbs_bundle::dbs_timeout: {get_param: OVNDBSPacemakerTimeout}
|
||||||
- tripleo::haproxy::ovn_dbs_manage_lb: false
|
- tripleo::haproxy::ovn_dbs_manage_lb: false
|
||||||
- tripleo::ovn_dbs::firewall_rules:
|
|
||||||
'121 OVN DB server ports':
|
|
||||||
proto: 'tcp'
|
|
||||||
dport:
|
|
||||||
# Control port for pcmk remote bundle
|
|
||||||
- 3125
|
|
||||||
- {get_param: OVNNorthboundServerPort}
|
|
||||||
- {get_param: OVNSouthboundServerPort}
|
|
||||||
- if:
|
- if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
- generate_service_certificates: true
|
- generate_service_certificates: true
|
||||||
|
|
|
@ -44,9 +44,6 @@ resources:
|
||||||
ContainersCommon:
|
ContainersCommon:
|
||||||
type: ../containers-common.yaml
|
type: ../containers-common.yaml
|
||||||
|
|
||||||
# We import from the corresponding docker service because otherwise we risk
|
|
||||||
# rewriting the tripleo::mysql::firewall_rules key with the baremetal firewall
|
|
||||||
# rules (see LP#1728918)
|
|
||||||
MysqlPuppetBase:
|
MysqlPuppetBase:
|
||||||
type: ../database/mysql-pacemaker-puppet.yaml
|
type: ../database/mysql-pacemaker-puppet.yaml
|
||||||
properties:
|
properties:
|
||||||
|
|
|
@ -89,13 +89,13 @@ outputs:
|
||||||
description: Role data for the Pacemaker remote role.
|
description: Role data for the Pacemaker remote role.
|
||||||
value:
|
value:
|
||||||
service_name: pacemaker_remote
|
service_name: pacemaker_remote
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
|
firewall_rules:
|
||||||
config_settings:
|
|
||||||
tripleo::pacemaker_remote::firewall_rules:
|
|
||||||
'130 pacemaker_remote tcp':
|
'130 pacemaker_remote tcp':
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
dport:
|
dport:
|
||||||
- 3121
|
- 3121
|
||||||
|
monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
|
||||||
|
config_settings:
|
||||||
tripleo::fencing::config: {get_param: FencingConfig}
|
tripleo::fencing::config: {get_param: FencingConfig}
|
||||||
tripleo::fencing::deep_compare: true
|
tripleo::fencing::deep_compare: true
|
||||||
enable_fencing: {get_param: EnableFencing}
|
enable_fencing: {get_param: EnableFencing}
|
||||||
|
|
|
@ -110,16 +110,16 @@ outputs:
|
||||||
description: Role data for the Placement API role.
|
description: Role data for the Placement API role.
|
||||||
value:
|
value:
|
||||||
service_name: placement
|
service_name: placement
|
||||||
config_settings:
|
firewall_rules:
|
||||||
map_merge:
|
|
||||||
- get_attr: [PlacementLogging, config_settings]
|
|
||||||
- apache::default_vhost: false
|
|
||||||
- tripleo::placement::firewall_rules:
|
|
||||||
'138 placement':
|
'138 placement':
|
||||||
dport:
|
dport:
|
||||||
- 8778
|
- 8778
|
||||||
- 13778
|
- 13778
|
||||||
placement::keystone::authtoken::project_name: 'service'
|
config_settings:
|
||||||
|
map_merge:
|
||||||
|
- get_attr: [PlacementLogging, config_settings]
|
||||||
|
- apache::default_vhost: false
|
||||||
|
- placement::keystone::authtoken::project_name: 'service'
|
||||||
placement::keystone::authtoken::password: {get_param: PlacementPassword}
|
placement::keystone::authtoken::password: {get_param: PlacementPassword}
|
||||||
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
placement::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||||
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
|
||||||
|
|
|
@ -62,16 +62,16 @@ outputs:
|
||||||
description: Role data for the qdrouterd service.
|
description: Role data for the qdrouterd service.
|
||||||
value:
|
value:
|
||||||
service_name: rabbitmq
|
service_name: rabbitmq
|
||||||
|
firewall_rules:
|
||||||
|
'109 qdr':
|
||||||
|
dport:
|
||||||
|
- {get_param: RabbitClientPort}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
monitoring_subscription: {get_param: MonitoringSubscriptionQdr}
|
||||||
global_config_settings:
|
global_config_settings:
|
||||||
messaging_notify_service_name: 'amqp'
|
messaging_notify_service_name: 'amqp'
|
||||||
messaging_rpc_service_name: 'amqp'
|
messaging_rpc_service_name: 'amqp'
|
||||||
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
keystone::messaging::amqp::amqp_pre_settled: 'notify'
|
||||||
config_settings:
|
config_settings:
|
||||||
tripleo::rabbitmq::firewall_rules:
|
|
||||||
'109 qdr':
|
|
||||||
dport:
|
|
||||||
- {get_param: RabbitClientPort}
|
|
||||||
qdr::listener_addr:
|
qdr::listener_addr:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -107,6 +107,12 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: rabbitmq
|
service_name: rabbitmq
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq':
|
||||||
|
dport:
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
|
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
|
||||||
# RabbitMQ plugins initialization occurs on every node
|
# RabbitMQ plugins initialization occurs on every node
|
||||||
config_settings:
|
config_settings:
|
||||||
|
@ -116,12 +122,6 @@ outputs:
|
||||||
rabbitmq::default_user: {get_param: RabbitUserName}
|
rabbitmq::default_user: {get_param: RabbitUserName}
|
||||||
rabbitmq::default_pass: {get_param: RabbitPassword}
|
rabbitmq::default_pass: {get_param: RabbitPassword}
|
||||||
rabbit_ipv6: {get_param: RabbitIPv6}
|
rabbit_ipv6: {get_param: RabbitIPv6}
|
||||||
tripleo::rabbitmq::firewall_rules:
|
|
||||||
'109 rabbitmq':
|
|
||||||
dport:
|
|
||||||
- 4369
|
|
||||||
- 5672
|
|
||||||
- 25672
|
|
||||||
rabbitmq::delete_guest_user: false
|
rabbitmq::delete_guest_user: false
|
||||||
rabbitmq::wipe_db_on_cookie_change: true
|
rabbitmq::wipe_db_on_cookie_change: true
|
||||||
rabbitmq::port: 5672
|
rabbitmq::port: 5672
|
||||||
|
|
|
@ -89,6 +89,12 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: oslo_messaging_notify
|
service_name: oslo_messaging_notify
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq':
|
||||||
|
dport:
|
||||||
|
- 4369
|
||||||
|
- {get_param: NotifyPort}
|
||||||
|
- 25672
|
||||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||||
# RabbitMQ plugins initialization occurs on every node
|
# RabbitMQ plugins initialization occurs on every node
|
||||||
global_config_settings:
|
global_config_settings:
|
||||||
|
@ -104,12 +110,6 @@ outputs:
|
||||||
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
||||||
- rabbitmq::default_user: {get_param: NotifyUserName}
|
- rabbitmq::default_user: {get_param: NotifyUserName}
|
||||||
rabbitmq::default_pass: {get_param: NotifyPassword}
|
rabbitmq::default_pass: {get_param: NotifyPassword}
|
||||||
tripleo::oslo_messaging_notify::firewall_rules:
|
|
||||||
'109 rabbitmq':
|
|
||||||
dport:
|
|
||||||
- 4369
|
|
||||||
- {get_param: NotifyPort}
|
|
||||||
- 25672
|
|
||||||
rabbitmq::port: {get_param: NotifyPort}
|
rabbitmq::port: {get_param: NotifyPort}
|
||||||
rabbitmq::interface:
|
rabbitmq::interface:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
|
|
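Review bot: The rule name `'109 rabbitmq'` added here (dport `NotifyPort`) is also used by the rabbitmq service in the section above (dport 5672) and by oslo_messaging_rpc in the section after this one (dport `RpcPort`); assuming the role-level rule map is assembled by merging each service's `firewall_rules` into one mapping, as the move to a single `tripleo_firewall_rules` variable suggests, co-locating these services on one role makes the later entry silently replace the earlier one, so only one of `NotifyPort`/`RpcPort` is actually opened. The old per-service hiera keys (`tripleo::oslo_messaging_notify::firewall_rules`, `tripleo::oslo_messaging_rpc::firewall_rules`) could not collide this way. Give each service a distinct rule name, e.g. `'109 rabbitmq notify':` here and `'109 rabbitmq rpc':` in the RPC template; `'109 rabbitmq-bundle'` in the two pacemaker bundle templates currently carries identical port lists so it is harmless today, but the same rename would keep it from drifting. Which entry wins depends on the merge order defined outside these hunks.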
@ -81,6 +81,13 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq-bundle':
|
||||||
|
dport:
|
||||||
|
- 3122
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -95,13 +102,6 @@ outputs:
|
||||||
- 'pcmklatest'
|
- 'pcmklatest'
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||||
tripleo::oslo_messaging_notify::firewall_rules:
|
|
||||||
'109 rabbitmq-bundle':
|
|
||||||
dport:
|
|
||||||
- 3122
|
|
||||||
- 4369
|
|
||||||
- 5672
|
|
||||||
- 25672
|
|
||||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
|
|
@ -81,6 +81,13 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: rabbitmq
|
service_name: rabbitmq
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq-bundle':
|
||||||
|
dport:
|
||||||
|
- 3122
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -95,13 +102,6 @@ outputs:
|
||||||
- 'pcmklatest'
|
- 'pcmklatest'
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||||
tripleo::rabbitmq::firewall_rules:
|
|
||||||
'109 rabbitmq-bundle':
|
|
||||||
dport:
|
|
||||||
- 3122
|
|
||||||
- 4369
|
|
||||||
- 5672
|
|
||||||
- 25672
|
|
||||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
|
|
@ -90,6 +90,12 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: oslo_messaging_rpc
|
service_name: oslo_messaging_rpc
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq':
|
||||||
|
dport:
|
||||||
|
- 4369
|
||||||
|
- {get_param: RpcPort}
|
||||||
|
- 25672
|
||||||
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
monitoring_subscription: {get_attr: [RabbitMQServiceBase, role_data, monitoring_subscription]}
|
||||||
global_config_settings:
|
global_config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -104,12 +110,6 @@ outputs:
|
||||||
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
- get_attr: [RabbitMQServiceBase, role_data, config_settings]
|
||||||
- rabbitmq::default_user: {get_param: RpcUserName}
|
- rabbitmq::default_user: {get_param: RpcUserName}
|
||||||
rabbitmq::default_pass: {get_param: RpcPassword}
|
rabbitmq::default_pass: {get_param: RpcPassword}
|
||||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
|
||||||
'109 rabbitmq':
|
|
||||||
dport:
|
|
||||||
- 4369
|
|
||||||
- {get_param: RpcPort}
|
|
||||||
- 25672
|
|
||||||
rabbitmq::port: {get_param: RpcPort}
|
rabbitmq::port: {get_param: RpcPort}
|
||||||
rabbitmq::interface:
|
rabbitmq::interface:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
|
|
@ -81,6 +81,13 @@ outputs:
|
||||||
description: Role data for the Rabbitmq API role.
|
description: Role data for the Rabbitmq API role.
|
||||||
value:
|
value:
|
||||||
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
service_name: {get_attr: [RabbitmqBase, role_data, service_name]}
|
||||||
|
firewall_rules:
|
||||||
|
'109 rabbitmq-bundle':
|
||||||
|
dport:
|
||||||
|
- 3122
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
global_config_settings: {get_attr: [RabbitmqBase, role_data, global_config_settings]}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -95,13 +102,6 @@ outputs:
|
||||||
- 'pcmklatest'
|
- 'pcmklatest'
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
tripleo::profile::pacemaker::rabbitmq_bundle::control_port: 3122
|
||||||
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
tripleo::profile::pacemaker::rabbitmq_bundle::container_backend: {get_param: ContainerCli}
|
||||||
tripleo::oslo_messaging_rpc::firewall_rules:
|
|
||||||
'109 rabbitmq-bundle':
|
|
||||||
dport:
|
|
||||||
- 3122
|
|
||||||
- 4369
|
|
||||||
- 5672
|
|
||||||
- 25672
|
|
||||||
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
|
|
|
@ -62,9 +62,6 @@ outputs:
|
||||||
description: Role data for the RHSM service.
|
description: Role data for the RHSM service.
|
||||||
value:
|
value:
|
||||||
service_name: rhsm
|
service_name: rhsm
|
||||||
config_settings:
|
|
||||||
tripleo::rhsm::firewall_rules: {}
|
|
||||||
step_config: ''
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: Red Hat Subscription Management configuration during deployment
|
- name: Red Hat Subscription Management configuration during deployment
|
||||||
import_role:
|
import_role:
|
||||||
|
|
|
@ -86,6 +86,11 @@ outputs:
|
||||||
description: Role data for the Sahara API role.
|
description: Role data for the Sahara API role.
|
||||||
value:
|
value:
|
||||||
service_name: sahara_api
|
service_name: sahara_api
|
||||||
|
firewall_rules:
|
||||||
|
'132 sahara':
|
||||||
|
dport:
|
||||||
|
- 8386
|
||||||
|
- 13386
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
|
monitoring_subscription: {get_param: MonitoringSubscriptionSaharaApi}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -105,11 +110,6 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, SaharaApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, SaharaApiNetwork]}
|
||||||
tripleo::sahara_api::firewall_rules:
|
|
||||||
'132 sahara':
|
|
||||||
dport:
|
|
||||||
- 8386
|
|
||||||
- 13386
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
rsyslog:
|
rsyslog:
|
||||||
tripleo_logging_sources_sahara_api:
|
tripleo_logging_sources_sahara_api:
|
||||||
|
|
|
@ -56,19 +56,14 @@ outputs:
|
||||||
description: Role data for Skydive services.
|
description: Role data for Skydive services.
|
||||||
value:
|
value:
|
||||||
service_name: skydive_analyzer
|
service_name: skydive_analyzer
|
||||||
upgrade_tasks: []
|
firewall_rules:
|
||||||
puppet_config:
|
|
||||||
config_image: ''
|
|
||||||
config_volume: ''
|
|
||||||
step_config: ''
|
|
||||||
docker_config: {}
|
|
||||||
config_settings:
|
|
||||||
tripleo::skydive_analyzer::firewall_rules:
|
|
||||||
'150 skydive_analyzer':
|
'150 skydive_analyzer':
|
||||||
dport:
|
dport:
|
||||||
- 8082
|
- 8082
|
||||||
- 12379
|
- 12379
|
||||||
- 12380
|
- 12380
|
||||||
|
upgrade_tasks: []
|
||||||
|
docker_config: {}
|
||||||
external_deploy_tasks:
|
external_deploy_tasks:
|
||||||
- name: Skydive deployment
|
- name: Skydive deployment
|
||||||
when: step|int == 5
|
when: step|int == 5
|
||||||
|
|
|
@ -61,12 +61,7 @@ outputs:
|
||||||
description: Role data for the SNMP services
|
description: Role data for the SNMP services
|
||||||
value:
|
value:
|
||||||
service_name: snmp
|
service_name: snmp
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
|
|
||||||
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
|
||||||
snmp::agentaddress: {get_param: SnmpdBindHost}
|
|
||||||
snmp::snmpd_options: {get_param: SnmpdOptions}
|
|
||||||
tripleo::snmp::firewall_rules:
|
|
||||||
if:
|
if:
|
||||||
- snmpd_network_unset
|
- snmpd_network_unset
|
||||||
- map_merge:
|
- map_merge:
|
||||||
|
@ -86,6 +81,11 @@ outputs:
|
||||||
dport: 161
|
dport: 161
|
||||||
proto: 'udp'
|
proto: 'udp'
|
||||||
source: {get_param: SnmpdIpSubnet}
|
source: {get_param: SnmpdIpSubnet}
|
||||||
|
config_settings:
|
||||||
|
tripleo::profile::base::snmp::snmpd_user: {get_param: SnmpdReadonlyUserName}
|
||||||
|
tripleo::profile::base::snmp::snmpd_password: {get_param: SnmpdReadonlyUserPassword}
|
||||||
|
snmp::agentaddress: {get_param: SnmpdBindHost}
|
||||||
|
snmp::snmpd_options: {get_param: SnmpdOptions}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::snmp
|
include ::tripleo::profile::base::snmp
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
|
|
|
@ -75,24 +75,22 @@ outputs:
|
||||||
description: Role data for the ssh
|
description: Role data for the ssh
|
||||||
value:
|
value:
|
||||||
service_name: sshd
|
service_name: sshd
|
||||||
config_settings:
|
if:
|
||||||
map_merge:
|
|
||||||
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
|
||||||
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
|
||||||
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
|
||||||
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
|
||||||
- if:
|
|
||||||
- {get_param: SshFirewallAllowAll}
|
- {get_param: SshFirewallAllowAll}
|
||||||
- tripleo::sshd::firewall_rules:
|
- firewall_rules:
|
||||||
'003 accept ssh from all':
|
'003 accept ssh from all':
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
dport: 22
|
dport: 22
|
||||||
- tripleo::sshd::firewall_rules:
|
- firewall_rules:
|
||||||
'003 accept ssh from all':
|
'003 accept ssh from all':
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
dport: 22
|
dport: 22
|
||||||
extras:
|
extras:
|
||||||
ensure: 'absent'
|
ensure: 'absent'
|
||||||
|
config_settings:
|
||||||
|
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
||||||
|
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
||||||
|
tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
|
||||||
|
tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::sshd
|
include ::tripleo::profile::base::sshd
|
||||||
|
|
|
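Review bot: The rendered view drops indentation, so I cannot confirm where the new `if:` sits; if it is a direct child of `value:` next to `service_name` and `config_settings`, Heat (as far as I know) only resolves a mapping as an intrinsic when that mapping has exactly one key, so the conditional would be emitted as a literal `if` entry and the role would have no `firewall_rules` output at all, leaving the ssh accept rule unmanaged. The safer shape is to nest the conditional under the key: `firewall_rules:` / `if:` / `- {get_param: SshFirewallAllowAll}` with the two rule mappings as the branches. The else branch still carries `extras: ensure: 'absent'`, a puppet-firewall resource attribute; whether the tripleo-firewall role honours it is not visible in this change and deserves a comment such as `# ensure: absent removes a rule previously pushed with SshFirewallAllowAll=true`. The enclosing `role_data` output continues outside the hunk.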
@ -126,6 +126,11 @@ outputs:
|
||||||
description: Role data for the swift proxy.
|
description: Role data for the swift proxy.
|
||||||
value:
|
value:
|
||||||
service_name: swift_proxy
|
service_name: swift_proxy
|
||||||
|
firewall_rules:
|
||||||
|
'122 swift proxy':
|
||||||
|
dport:
|
||||||
|
- 8080
|
||||||
|
- 13808
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
|
monitoring_subscription: {get_param: MonitoringSubscriptionSwiftProxy}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
|
@ -160,11 +165,6 @@ outputs:
|
||||||
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
|
- swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]}
|
||||||
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL}
|
tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RpcUseSSL}
|
||||||
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
|
tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled}
|
||||||
tripleo::swift_proxy::firewall_rules:
|
|
||||||
'122 swift proxy':
|
|
||||||
dport:
|
|
||||||
- 8080
|
|
||||||
- 13808
|
|
||||||
swift::proxy::keystone::operator_roles:
|
swift::proxy::keystone::operator_roles:
|
||||||
- admin
|
- admin
|
||||||
- swiftoperator
|
- swiftoperator
|
||||||
|
|
|
@ -128,6 +128,13 @@ outputs:
|
||||||
description: Role data for the swift storage services.
|
description: Role data for the swift storage services.
|
||||||
value:
|
value:
|
||||||
service_name: swift_storage
|
service_name: swift_storage
|
||||||
|
firewall_rules:
|
||||||
|
'123 swift storage':
|
||||||
|
dport:
|
||||||
|
- 873
|
||||||
|
- 6000
|
||||||
|
- 6001
|
||||||
|
- 6002
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- {get_attr: [SwiftBase, role_data, config_settings]}
|
- {get_attr: [SwiftBase, role_data, config_settings]}
|
||||||
|
@ -135,13 +142,6 @@ outputs:
|
||||||
# swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
|
# swift::storage::all::mount_check: {if: [swift_mount_check, true, false]}
|
||||||
- swift::storage::all::mount_check: false
|
- swift::storage::all::mount_check: false
|
||||||
tripleo::profile::base::swift::storage::use_local_dir: {get_param: SwiftUseLocalDir}
|
tripleo::profile::base::swift::storage::use_local_dir: {get_param: SwiftUseLocalDir}
|
||||||
tripleo::swift_storage::firewall_rules:
|
|
||||||
'123 swift storage':
|
|
||||||
dport:
|
|
||||||
- 873
|
|
||||||
- 6000
|
|
||||||
- 6001
|
|
||||||
- 6002
|
|
||||||
swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
swift::storage::all::incoming_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
||||||
swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
swift::storage::all::outgoing_chmod: 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
|
||||||
swift::storage::all::object_pipeline:
|
swift::storage::all::object_pipeline:
|
||||||
|
|
|
@ -76,15 +76,13 @@ outputs:
|
||||||
description: Role ptp using commposable services.
|
description: Role ptp using commposable services.
|
||||||
value:
|
value:
|
||||||
service_name: ptp
|
service_name: ptp
|
||||||
config_settings:
|
firewall_rules:
|
||||||
map_merge:
|
|
||||||
- get_attr: [RoleParametersValue, value]
|
|
||||||
- tripleo::ptp::firewall_rules:
|
|
||||||
'151 ptp':
|
'151 ptp':
|
||||||
proto: udp
|
proto: udp
|
||||||
dport:
|
dport:
|
||||||
- 319
|
- 319
|
||||||
- 320
|
- 320
|
||||||
|
config_settings: {get_attr: [RoleParametersValue, value]}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::time::ptp
|
include ::tripleo::profile::base::time::ptp
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
|
|
|
@ -101,12 +101,10 @@ outputs:
|
||||||
description: Role chrony using composable timesync services.
|
description: Role chrony using composable timesync services.
|
||||||
value:
|
value:
|
||||||
service_name: chrony
|
service_name: chrony
|
||||||
config_settings:
|
firewall_rules:
|
||||||
tripleo::ntp::firewall_rules:
|
|
||||||
'105 ntp':
|
'105 ntp':
|
||||||
dport: 123
|
dport: 123
|
||||||
proto: udp
|
proto: udp
|
||||||
step_config: ''
|
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: Populate service facts (chrony)
|
- name: Populate service facts (chrony)
|
||||||
service_facts: # needed to make yaml happy
|
service_facts: # needed to make yaml happy
|
||||||
|
|
|
@ -0,0 +1,177 @@
|
||||||
|
heat_template_version: rocky
|
||||||
|
|
||||||
|
description: >
|
||||||
|
TripleO Firewall settings
|
||||||
|
|
||||||
|
parameters:
|
||||||
|
ServiceData:
|
||||||
|
default: {}
|
||||||
|
description: Dictionary packing service data
|
||||||
|
type: json
|
||||||
|
ServiceNetMap:
|
||||||
|
default: {}
|
||||||
|
description: Mapping of service_name -> network name. Typically set
|
||||||
|
via parameter_defaults in the resource registry. This
|
||||||
|
mapping overrides those in ServiceNetMapDefaults.
|
||||||
|
type: json
|
||||||
|
DefaultPasswords:
|
||||||
|
default: {}
|
||||||
|
type: json
|
||||||
|
RoleName:
|
||||||
|
default: ''
|
||||||
|
description: Role name on which the service is applied
|
||||||
|
type: string
|
||||||
|
RoleParameters:
|
||||||
|
default: {}
|
||||||
|
description: Parameters specific to the role
|
||||||
|
type: json
|
||||||
|
EndpointMap:
|
||||||
|
default: {}
|
||||||
|
description: Mapping of service endpoint -> protocol. Typically set
|
||||||
|
via parameter_defaults in the resource registry.
|
||||||
|
type: json
|
||||||
|
ExtraFirewallRules:
|
||||||
|
default: {}
|
||||||
|
description: Mapping of firewall rules.
|
||||||
|
type: json
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
no_ctlplane:
|
||||||
|
equals:
|
||||||
|
- get_params: [ServiceData, net_cidr_map, ctlplane]
|
||||||
|
- Null
|
||||||
|
|
||||||
|
outputs:
|
||||||
|
role_data:
|
||||||
|
description: Role data for the TripleO firewall settings
|
||||||
|
value:
|
||||||
|
service_name: tripleo_firewall
|
||||||
|
config_settings:
|
||||||
|
tripleo::firewall::manage_firewall: false
|
||||||
|
tripleo::firewall::purge_firewall_rules: false
|
||||||
|
firewall_rules:
|
||||||
|
map_merge:
|
||||||
|
- map_merge:
|
||||||
|
repeat:
|
||||||
|
for_each:
|
||||||
|
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
||||||
|
template:
|
||||||
|
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
||||||
|
source: <%net_cidr%>
|
||||||
|
proto: 'tcp'
|
||||||
|
dport: 22
|
||||||
|
- {get_param: ExtraFirewallRules}
|
||||||
|
host_prep_tasks:
|
||||||
|
- if:
|
||||||
|
- no_ctlplane
|
||||||
|
- name: Failure - ctlplane subnet is unset
|
||||||
|
fail:
|
||||||
|
msg: |
|
||||||
|
No CIDRs found in the ctlplane network tags.
|
||||||
|
Please refer to the documentation in order to
|
||||||
|
set the correct network tags in DeployedServerPortMap.
|
||||||
|
- name: Notice - ctlplane subnet is set
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
CIDRs found in the ctlplane network tags.
|
||||||
|
deploy_steps_tasks:
|
||||||
|
- when:
|
||||||
|
- (step|int) == 0
|
||||||
|
block:
|
||||||
|
- name: create iptables service
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/tripleo-iptables.service
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Initialize iptables
|
||||||
|
Before=iptables.service
|
||||||
|
AssertPathExists=/etc/sysconfig/iptables
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/sbin/iptables -t raw -nL
|
||||||
|
Environment=BOOTUP=serial
|
||||||
|
Environment=CONSOLETYPE=serial
|
||||||
|
StandardOutput=syslog
|
||||||
|
StandardError=syslog
|
||||||
|
[Install]
|
||||||
|
WantedBy=basic.target
|
||||||
|
- name: create ip6tables service
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/tripleo-ip6tables.service
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Initialize ip6tables
|
||||||
|
Before=ip6tables.service
|
||||||
|
AssertPathExists=/etc/sysconfig/ip6tables
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/sbin/ip6tables -t raw -nL
|
||||||
|
Environment=BOOTUP=serial
|
||||||
|
Environment=CONSOLETYPE=serial
|
||||||
|
StandardOutput=syslog
|
||||||
|
StandardError=syslog
|
||||||
|
[Install]
|
||||||
|
WantedBy=basic.target
|
||||||
|
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
|
||||||
|
systemd:
|
||||||
|
daemon_reload: yes
|
||||||
|
enabled: yes
|
||||||
|
name: tripleo-iptables.service
|
||||||
|
- name: enable tripleo-ip6tables service
|
||||||
|
systemd:
|
||||||
|
enabled: yes
|
||||||
|
name: tripleo-ip6tables.service
|
||||||
|
upgrade_tasks:
|
||||||
|
- when:
|
||||||
|
- (step | int) == 3
|
||||||
|
block:
|
||||||
|
- name: blank ipv6 rule before activating ipv6 firewall.
|
||||||
|
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
||||||
|
args:
|
||||||
|
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
||||||
|
- name: cleanup unmanaged rules pushed by iptables-services
|
||||||
|
shell: |
|
||||||
|
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||||
|
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
||||||
|
iptables -D INPUT -p icmp -j ACCEPT
|
||||||
|
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||||
|
iptables -D INPUT -i lo -j ACCEPT
|
||||||
|
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||||
|
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||||
|
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||||
|
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||||
|
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
||||||
|
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||||
|
|
||||||
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||||
|
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||||
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||||
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
||||||
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||||
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
||||||
|
|
||||||
|
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
||||||
|
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -i lo -j ACCEPT
|
||||||
|
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
||||||
|
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
||||||
|
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||||
|
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
|
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
||||||
|
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
||||||
|
|
||||||
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
||||||
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
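Review bot: The `no_ctlplane` condition uses `get_params` while the `for_each` further down uses `get_param`; I am not aware of a `get_params` intrinsic, so either Heat rejects the template or the mapping is compared literally to Null and the condition is never true, which would make the "Failure - ctlplane subnet is unset" task dead code and silently deploy without the ctlplane ssh rule. Suggested: `- get_param: [ServiceData, net_cidr_map, ctlplane]`. The systemd tasks spell booleans as `daemon_reload: yes` and `enabled: yes`; `true` is the portable form. `ExtraFirewallRules` is merged after the generated ctlplane ssh rule, so an operator entry with the same key replaces it rather than adding to it; the parameter description could read `Mapping of extra firewall rules; a key that matches a service-provided rule overrides that rule.`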
@ -116,6 +116,13 @@ outputs:
|
||||||
description: Role data for the Zaqar API role.
|
description: Role data for the Zaqar API role.
|
||||||
value:
|
value:
|
||||||
service_name: zaqar_api
|
service_name: zaqar_api
|
||||||
|
firewall_rules:
|
||||||
|
'113 zaqar_api':
|
||||||
|
dport:
|
||||||
|
- 9000
|
||||||
|
- 8888
|
||||||
|
- 3000 #SSL for websocket
|
||||||
|
- 13888 #SSL for api
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
- get_attr: [ApacheServiceBase, role_data, config_settings]
|
||||||
|
@ -228,13 +235,6 @@ outputs:
|
||||||
zaqar::keystone::auth_websocket::tenant: 'service'
|
zaqar::keystone::auth_websocket::tenant: 'service'
|
||||||
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
|
zaqar::keystone::trust::password: {get_param: ZaqarPassword}
|
||||||
zaqar::keystone::trust::user_domain_name: 'Default'
|
zaqar::keystone::trust::user_domain_name: 'Default'
|
||||||
tripleo::zaqar_api::firewall_rules:
|
|
||||||
'113 zaqar_api':
|
|
||||||
dport:
|
|
||||||
- 9000
|
|
||||||
- 8888
|
|
||||||
- 3000 #SSL for websocket
|
|
||||||
- 13888 #SSL for api
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- zaqar_management_store_sqlalchemy
|
- zaqar_management_store_sqlalchemy
|
||||||
|
|
|
@ -271,7 +271,7 @@ resource_registry:
|
||||||
OS::TripleO::Services::IronicPxe: OS::Heat::None
|
OS::TripleO::Services::IronicPxe: OS::Heat::None
|
||||||
OS::TripleO::Services::IronicNeutronAgent: OS::Heat::None
|
OS::TripleO::Services::IronicNeutronAgent: OS::Heat::None
|
||||||
OS::TripleO::Services::NovaIronic: OS::Heat::None
|
OS::TripleO::Services::NovaIronic: OS::Heat::None
|
||||||
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
|
OS::TripleO::Services::TripleoFirewall: deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml
|
||||||
OS::TripleO::Services::TripleoPackages: deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml
|
OS::TripleO::Services::TripleoPackages: deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml
|
||||||
OS::TripleO::Services::OpenStackClients: OS::Heat::None
|
OS::TripleO::Services::OpenStackClients: OS::Heat::None
|
||||||
OS::TripleO::Services::TLSProxyBase: OS::Heat::None
|
OS::TripleO::Services::TLSProxyBase: OS::Heat::None
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- TripleO will now configure `iptables` using the TripleO-Ansible role,
|
||||||
|
**tripleo-firewall**. This role implements all of the same interfaces
|
||||||
|
and behaviors as the puppet manifest.
|
||||||
|
- A new parameter has been added, `ExtraFirewallRules`. This parameter
|
||||||
|
provides a user interface to configure additional `iptables` rules.
|
||||||
|
deprecations:
|
||||||
|
- The heat template `tripleo-firewall-baremetal-puppet.yaml` has been
|
||||||
|
deprecated. While this template can still be used to configure the
|
||||||
|
TripleO-Firewall service, it is no longer preferred and will be removed
|
||||||
|
in a future release.
|
||||||
|
- Configuring firewall rules with extraconfig is no longer being supported.
|
||||||
|
All firewall rules should be converted such that they're set within the
|
||||||
|
user defined parameter `ExtraFirewallRules`.
|