Remove some firewall rules

* Remove those firewall rules managed by puppet for exposing platform
  services, because we have used Calico to create rules that do the
  same thing.
* Remove system firewall-rule-related commands and controllers.

Passed tests:
* Fresh build
* Deployment(simplex, duplex, multi-node)
* System-level tests
  * firewall-rule-xxx commands was removed as expected.
  * puppet firewall rules have been removed as expected.
  * manually check iptable rules.
  * use the utility of uc to test exposed tcp ports and a few
    non-exposed tcp ports again.
  * create vms

Story: 2005066
Task: 29864

Depends-On: https://review.openstack.org/#/c/649217
Change-Id: Ie5df744598c75d45d21ce6585f31f6d8f1809f04
Signed-off-by: Yi Wang <yi.c.wang@intel.com>
This commit is contained in:
Yi Wang 2019-04-01 05:59:25 +08:00
parent f94e391003
commit 4445e0b337
29 changed files with 1 additions and 1014 deletions


@ -78,16 +78,6 @@ itemNotFound (404)
::
{
"firewallrules": [
{
"href": "http://10.10.10.2:6385/v1/firewallrules/",
"rel": "self"
},
{
"href": "http://10.10.10.2:6385/firewallrules/",
"rel": "bookmark"
}
],
"addresses": [
{
"href": "http://10.10.10.2:6385/v1/addresses/",
@ -10751,87 +10741,3 @@ itemNotFound (404)
}
This operation does not accept a request body.
----------------------
Custom Firewall Rules
----------------------
These APIs allow for the installation of custom firewall rules.
*******************************
Install custom firewall rules
*******************************
.. rest_method:: POST /v1/firewallrules
Accepts a file containing the custom OAM firewall rules compatible with
the Linux Netfilter framework.
**Normal response codes**
200
**Error response codes**
computeFault (400, 500, ...), serviceUnavailable (503), badRequest (400),
unauthorized (401), forbidden (403), badMethod (405), overLimit (413),
badMediaType (415)
**Request parameters**
.. csv-table::
:header: "Parameter", "Style", "Type", "Description"
:widths: 20, 20, 20, 60
"Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename"
*****************************
Shows custom firewall rules
*****************************
.. rest_method:: GET /v1/firewallrules
**Normal response codes**
200
**Error response codes**
computeFault (400, 500, ...), serviceUnavailable (503), badRequest (400),
unauthorized (401), forbidden (403), badMethod (405), overLimit (413),
itemNotFound (404)
**Response parameters**
.. csv-table::
:header: "Parameter", "Style", "Type", "Description"
:widths: 20, 20, 20, 60
"firewall_sig (Optional)", "plain", "xsd:string", "The signature of the custom firewall rules."
"uuid (Optional)", "plain", "csapi:UUID", "The universally unique identifier for this object."
"links (Optional)", "plain", "xsd:list", "For convenience, resources contain links to themselves. This allows a client to easily obtain rather than construct resource URIs. The following types of link relations are associated with resources: a self link containing a versioned link to the resource, and a bookmark link containing a permanent link to a resource that is appropriate for long term storage."
"created_at (Optional)", "plain", "xsd:dateTime", "The time when the object was created."
"updated_at (Optional)", "plain", "xsd:dateTime", "The time when the object was last updated."
::
{
"firewallrules": [
{
"firewall_sig": "ab9695c4ef143d72317a860c6db7f699",
"uuid": "bc276605-7ae2-476a-a8c0-01f097f5177e",
"updated_at": "2018-03-02T15:59:14.114812+00:00"
}
]
}
This operation does not accept a request body.


@ -376,13 +376,6 @@ def restore_configuration(archive, staging_dir):
# Restore certificate files
restore_etc_ssl_dir(archive)
# Restore firewall rules file if it is in the archive
if file_exists_in_archive(archive, 'config/iptables.rules'):
restore_config_file(
archive, constants.CONFIG_WORKDIR, 'iptables.rules')
restore_etc_file(archive, tsconfig.PLATFORM_CONF_PATH,
'platform/iptables.rules')
def filter_pxelinux(archive):
for tarinfo in archive:


@ -34,7 +34,6 @@ from tsconfig.tsconfig import SW_VERSION
from tsconfig.tsconfig import PLATFORM_PATH
from tsconfig.tsconfig import KEYRING_PATH
from tsconfig.tsconfig import PLATFORM_CONF_FILE
from tsconfig.tsconfig import PLATFORM_CONF_PATH
from tsconfig.tsconfig import CGCS_PATH
from tsconfig.tsconfig import CONFIG_PATH
from tsconfig.tsconfig import CONTROLLER_UPGRADE_FLAG
@ -1129,14 +1128,6 @@ def extract_data_from_archive(archive, staging_dir, from_release, to_release):
backup_restore.restore_etc_ssl_dir(archive,
configpath=tmp_config_path)
# Restore firewall rules file if it is in the archive
if backup_restore.file_exists_in_archive(
archive, 'config/iptables.rules'):
extract_relative_file(archive, 'config/iptables.rules',
tmp_config_path)
extract_relative_file(archive, 'etc/platform/iptables.rules',
PLATFORM_CONF_PATH)
# Extract etc files
archive.extract('etc/hostname', '/')
archive.extract('etc/hosts', '/')


@ -314,15 +314,6 @@ start()
fi
fi
if [ -e $CONFIG_DIR/iptables.rules ]
then
cp $CONFIG_DIR/iptables.rules /etc/platform/iptables.rules
if [ $? -ne 0 ]
then
fatal_error "Unable to copy $CONFIG_DIR/iptables.rules"
fi
fi
# Copy over external_ceph config files
if [ -e $CONFIG_DIR/ceph-config ]
then


@ -88,15 +88,6 @@ class openstack::barbican::service
}
}
class openstack::barbican::firewall
inherits ::openstack::barbican::params {
platform::firewall::rule { 'barbican-api':
service_name => 'barbican-api',
ports => $api_port,
}
}
class openstack::barbican::haproxy
inherits ::openstack::barbican::params {
@ -137,7 +128,6 @@ class openstack::barbican::api
if $service_enabled {
include ::openstack::barbican::service
include ::openstack::barbican::firewall
include ::openstack::barbican::haproxy
}
}


@ -174,32 +174,9 @@ class openstack::horizon
user => 'root',
}
include ::openstack::horizon::firewall
}
}
class openstack::horizon::firewall
inherits ::openstack::horizon::params {
# horizon is run behind a proxy server, therefore
# set the dashboard access based on the configuration
# of HTTPS for external protocols. The horizon
# server runs on port 8080 behind the proxy server.
if $enable_https {
$firewall_port = $https_port
} else {
$firewall_port = $http_port
}
platform::firewall::rule { 'dashboard':
host => 'ALL',
service_name => 'horizon',
ports => $firewall_port,
}
}
class openstack::horizon::reload {
# Remove all active Horizon user sessions


@ -133,19 +133,6 @@ class openstack::keystone (
}
}
class openstack::keystone::firewall
inherits ::openstack::keystone::params {
if !$::platform::params::region_config {
platform::firewall::rule { 'keystone-api':
service_name => 'keystone',
ports => $api_port,
}
}
}
class openstack::keystone::haproxy
inherits ::openstack::keystone::params {
@ -202,7 +189,6 @@ class openstack::keystone::api
}
}
include ::openstack::keystone::firewall
include ::openstack::keystone::haproxy
}


@ -364,19 +364,6 @@ class platform::ceph::osds(
create_resources('platform_ceph_journal', $journal_config)
}
class platform::ceph::firewall
inherits ::platform::ceph::params {
if $service_enabled {
platform::firewall::rule { 'ceph-radosgw':
service_name => 'ceph-radosgw',
ports => $rgw_port,
}
}
}
class platform::ceph::haproxy
inherits ::platform::ceph::params {
@ -434,7 +421,6 @@ class platform::ceph::rgw
}
}
include ::platform::ceph::firewall
include ::platform::ceph::haproxy
}


@ -34,18 +34,6 @@ class platform::dcmanager
}
}
class platform::dcmanager::firewall
inherits ::platform::dcmanager::params {
if $::platform::params::distributed_cloud_role =='systemcontroller' {
platform::firewall::rule { 'dcmanager-api':
service_name => 'dcmanager',
ports => $api_port,
}
}
}
class platform::dcmanager::haproxy
inherits ::platform::dcmanager::params {
if $::platform::params::distributed_cloud_role =='systemcontroller' {
@ -76,7 +64,6 @@ class platform::dcmanager::api
}
include ::platform::dcmanager::firewall
include ::platform::dcmanager::haproxy
}
}


@ -51,10 +51,6 @@ class platform::dcorch::firewall
service_name => 'dcorch',
ports => $api_port,
}
platform::firewall::rule { 'dcorch-sysinv-api-proxy':
service_name => 'dcorch-sysinv-api-proxy',
ports => $sysinv_api_proxy_port,
}
platform::firewall::rule { 'dcorch-nova-api-proxy':
service_name => 'dcorch-nova-api-proxy',
ports => $nova_api_proxy_port,
@ -67,14 +63,6 @@ class platform::dcorch::firewall
service_name => 'dcorch-cinder-api-proxy',
ports => $cinder_api_proxy_port,
}
platform::firewall::rule { 'dcorch-patch-api-proxy':
service_name => 'dcorch-patch-api-proxy',
ports => $patch_api_proxy_port,
}
platform::firewall::rule { 'dcorch-identity-api-proxy':
service_name => 'dcorch-identity-api-proxy',
ports => $identity_api_proxy_port,
}
}
}


@ -76,275 +76,6 @@ define platform::firewall::rule (
}
}
define platform::firewall::common (
$version,
$interface,
) {
$provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
firewall { "000 platform accept non-oam ${version}":
proto => 'all',
iniface => "! ${$interface}",
action => 'accept',
provider => $provider,
}
firewall { "001 platform accept related ${version}":
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
provider => $provider,
}
# explicitly drop some types of traffic without logging
firewall { "800 platform drop tcf-agent udp ${version}":
proto => 'udp',
dport => 1534,
action => 'drop',
provider => $provider,
}
firewall { "800 platform drop tcf-agent tcp ${version}":
proto => 'tcp',
dport => 1534,
action => 'drop',
provider => $provider,
}
firewall { "800 platform drop all avahi-daemon ${version}":
proto => 'udp',
dport => 5353,
action => 'drop',
provider => $provider,
}
firewall { "999 platform log dropped ${version}":
proto => 'all',
limit => '2/min',
jump => 'LOG',
log_prefix => "${provider}-in-dropped: ",
log_level => 4,
provider => $provider,
}
firewall { "000 platform forward non-oam ${version}":
chain => 'FORWARD',
proto => 'all',
iniface => "! ${interface}",
action => 'accept',
provider => $provider,
}
firewall { "001 platform forward related ${version}":
chain => 'FORWARD',
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
provider => $provider,
}
firewall { "999 platform log dropped ${version} forwarded":
chain => 'FORWARD',
proto => 'all',
limit => '2/min',
jump => 'LOG',
log_prefix => "${provider}-fwd-dropped: ",
log_level => 4,
provider => $provider,
}
}
# Declare OAM service rules
define platform::firewall::services (
$version,
) {
# platform rules to be applied before custom rules
Firewall {
require => undef,
}
$provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'}
$proto_icmp = $version ? {'ipv4' => 'icmp', 'ipv6' => 'ipv6-icmp'}
# Provider specific service rules
firewall { "010 platform accept sm ${version}":
proto => 'udp',
dport => [2222, 2223],
action => 'accept',
provider => $provider,
}
firewall { "011 platform accept ssh ${version}":
proto => 'tcp',
dport => 22,
action => 'accept',
provider => $provider,
}
firewall { "200 platform accept icmp ${version}":
proto => $proto_icmp,
action => 'accept',
provider => $provider,
}
firewall { "201 platform accept ntp ${version}":
proto => 'udp',
dport => 123,
action => 'accept',
provider => $provider,
}
firewall { "202 platform accept snmp ${version}":
proto => 'udp',
dport => 161,
action => 'accept',
provider => $provider,
}
firewall { "202 platform accept snmp trap ${version}":
proto => 'udp',
dport => 162,
action => 'accept',
provider => $provider,
}
firewall { "203 platform accept ptp ${version}":
proto => 'udp',
dport => [319, 320],
action => 'accept',
provider => $provider,
}
# allow IGMP Query traffic if IGMP Snooping is
# enabled on the TOR switch
firewall { "204 platform accept igmp ${version}":
proto => 'igmp',
action => 'accept',
provider => $provider,
}
}
define platform::firewall::hooks (
$version = undef,
) {
$protocol = $version ? {'ipv4' => 'IPv4', 'ipv6' => 'IPv6'}
$input_pre_chain = 'INPUT-custom-pre'
$input_post_chain = 'INPUT-custom-post'
firewallchain { "${input_pre_chain}:filter:${protocol}":
ensure => present,
}
-> firewallchain { "${input_post_chain}:filter:${protocol}":
ensure => present,
}
-> firewall { "100 ${input_pre_chain} ${version}":
proto => 'all',
chain => 'INPUT',
jump => $input_pre_chain
}
-> firewall { "900 ${input_post_chain} ${version}":
proto => 'all',
chain => 'INPUT',
jump => $input_post_chain
}
}
class platform::firewall::custom (
$version = undef,
$rules_file = undef,
) {
$restore = $version ? {
'ipv4' => 'iptables-restore',
'ipv6' => 'ip6tables-restore'}
platform::firewall::hooks { '::platform:firewall:hooks':
version => $version,
}
-> exec { 'Flush firewall custom pre rules':
command => 'iptables --flush INPUT-custom-pre',
}
-> exec { 'Flush firewall custom post rules':
command => 'iptables --flush INPUT-custom-post',
}
-> exec { 'Apply firewall custom rules':
command => "${restore} --noflush ${rules_file}",
}
}
class platform::firewall::oam (
$rules_file = undef,
) {
include ::platform::network::oam::params
$interface_name = $::platform::network::oam::params::interface_name
$subnet_version = $::platform::network::oam::params::subnet_version
$version = $subnet_version ? {
4 => 'ipv4',
6 => 'ipv6',
}
platform::firewall::common { 'platform:firewall:ipv4':
interface => $interface_name,
version => 'ipv4',
}
-> platform::firewall::common { 'platform:firewall:ipv6':
interface => $interface_name,
version => 'ipv6',
}
-> platform::firewall::services { 'platform:firewall:services':
version => $version,
}
# Set default table policies
-> firewallchain { 'INPUT:filter:IPv4':
ensure => present,
policy => drop,
before => undef,
purge => false,
}
-> firewallchain { 'INPUT:filter:IPv6':
ensure => present,
policy => drop,
before => undef,
purge => false,
}
-> firewallchain { 'FORWARD:filter:IPv4':
ensure => present,
policy => drop,
before => undef,
purge => false,
}
-> firewallchain { 'FORWARD:filter:IPv6':
ensure => present,
policy => drop,
before => undef,
purge => false,
}
if $rules_file {
class { '::platform::firewall::custom':
version => $version,
rules_file => $rules_file,
}
}
}
class platform::firewall::calico::oam::services {
include ::platform::params
include ::platform::network::oam::params


@ -35,15 +35,6 @@ class platform::fm
}
}
class platform::fm::firewall
inherits ::platform::fm::params {
platform::firewall::rule { 'fm-api':
service_name => 'fm',
ports => $api_port,
}
}
class platform::fm::haproxy
inherits ::platform::fm::params {
@ -84,7 +75,6 @@ class platform::fm::api
sync_db => $::platform::params::init_database,
}
include ::platform::fm::firewall
include ::platform::fm::haproxy
}
}


@ -52,16 +52,6 @@ class platform::nfv::runtime {
}
class platform::nfv::firewall
inherits ::platform::nfv::params {
platform::firewall::rule { 'nfv-vim-api':
service_name => 'nfv-vim',
ports => $api_port,
}
}
class platform::nfv::haproxy
inherits ::platform::nfv::params {
@ -81,6 +71,5 @@ class platform::nfv::api
include ::nfv::keystone::auth
}
include ::platform::nfv::firewall
include ::platform::nfv::haproxy
}


@ -35,16 +35,6 @@ class platform::patching
}
class platform::patching::firewall
inherits ::platform::patching::params {
platform::firewall::rule { 'patching-api':
service_name => 'patching',
ports => $public_port,
}
}
class platform::patching::haproxy
inherits ::platform::patching::params {
@ -67,7 +57,6 @@ class platform::patching::api (
include ::patching::keystone::auth
}
include ::platform::patching::firewall
include ::platform::patching::haproxy
}


@ -10,15 +10,6 @@ class platform::smapi::params (
$region = undef,
) {}
class platform::smap::firewall
inherits ::platform::smapi::params {
platform::firewall::rule { 'sm-api':
service_name => 'sm-api',
ports => $port,
}
}
class platform::smapi::haproxy
inherits ::platform::smapi::params {
@ -47,7 +38,6 @@ class platform::smapi
}
include ::platform::params
include ::platform::smap::firewall
include ::platform::smapi::haproxy
$bind_host_name = $::platform::params::hostname
file { '/etc/sm-api/sm-api.conf':


@ -120,16 +120,6 @@ class platform::sysinv::conductor {
}
class platform::sysinv::firewall
inherits ::platform::sysinv::params {
platform::firewall::rule { 'sysinv-api':
service_name => 'sysinv',
ports => $api_port,
}
}
class platform::sysinv::haproxy
inherits ::platform::sysinv::params {
@ -173,7 +163,6 @@ class platform::sysinv::api
'DEFAULT/sysinv_api_workers': value => $::platform::params::eng_workers_by_5;
}
include ::platform::sysinv::firewall
include ::platform::sysinv::haproxy
}


@ -29,7 +29,6 @@ from cgtsclient.v1 import datanetwork
from cgtsclient.v1 import drbdconfig
from cgtsclient.v1 import ethernetport
from cgtsclient.v1 import fernet
from cgtsclient.v1 import firewallrules
from cgtsclient.v1 import health
from cgtsclient.v1 import helm
from cgtsclient.v1 import icommunity
@ -148,7 +147,6 @@ class Client(http.HTTPClient):
self.health = health.HealthManager(self)
self.remotelogging = remotelogging.RemoteLoggingManager(self)
self.sdn_controller = sdn_controller.SDNControllerManager(self)
self.firewallrules = firewallrules.FirewallRulesManager(self)
self.partition = partition.partitionManager(self)
self.license = license.LicenseManager(self)
self.certificate = certificate.CertificateManager(self)


@ -1,38 +0,0 @@
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# -*- encoding: utf-8 -*-
#
from cgtsclient.common import base
CREATION_ATTRIBUTES = ['firewall_path']
class FirewallRules(base.Resource):
def __repr__(self):
return "<firewallrules %s>" % self._info
class FirewallRulesManager(base.Manager):
resource_class = FirewallRules
@staticmethod
def _path(id=None):
return '/v1/firewallrules/%s' % id if id else '/v1/firewallrules'
def list(self):
return self._list(self._path(), "firewallrules")
def get(self, firewallrules_id):
try:
return self._list(self._path(firewallrules_id))[0]
except IndexError:
return None
def import_firewall_rules(self, file):
path = self._path("import_firewall_rules")
return self._upload(path, file)


@ -1,54 +0,0 @@
#!/usr/bin/env python
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# All Rights Reserved.
#
from cgtsclient.common import utils
from cgtsclient import exc
def _print_firewallrules_show(firewallrules):
fields = ['uuid', 'firewall_sig', 'updated_at']
if type(firewallrules) is dict:
data = [(f, firewallrules.get(f, '')) for f in fields]
else:
data = [(f, getattr(firewallrules, f, '')) for f in fields]
utils.print_tuple_list(data)
def do_firewall_rules_show(cc, args):
"""Show Firewall Rules attributes."""
firewallrules = cc.firewallrules.list()
_print_firewallrules_show(firewallrules[0])
@utils.arg('firewall_rules_path',
metavar='<firewall rules path>',
default=None,
help="Path to custom firewall rule file to install.")
def do_firewall_rules_install(cc, args):
"""Install firewall rules."""
filename = args.firewall_rules_path
try:
fw_file = open(filename, 'rb')
except Exception:
raise exc.CommandError("Error: Could not open file %s for read." %
filename)
try:
response = cc.firewallrules.import_firewall_rules(fw_file)
error = response.get('error')
if error:
raise exc.CommandError("%s" % error)
else:
_print_firewallrules_show(response.get('firewallrules'))
except exc.HTTPNotFound:
raise exc.CommandError('firewallrules not installed %s' %
filename)


@ -16,7 +16,6 @@ from cgtsclient.v1 import controller_fs_shell
from cgtsclient.v1 import datanetwork_shell
from cgtsclient.v1 import drbdconfig_shell
from cgtsclient.v1 import ethernetport_shell
from cgtsclient.v1 import firewallrules_shell
from cgtsclient.v1 import health_shell
from cgtsclient.v1 import helm_shell
@ -111,7 +110,6 @@ COMMAND_MODULES = [
health_shell,
remotelogging_shell,
sdn_controller_shell,
firewallrules_shell,
partition_shell,
license_shell,
certificate_shell,


@ -35,7 +35,6 @@ from sysinv.api.controllers.v1 import dns
from sysinv.api.controllers.v1 import drbdconfig
from sysinv.api.controllers.v1 import ethernet_port
from sysinv.api.controllers.v1 import fernet_repo
from sysinv.api.controllers.v1 import firewallrules
from sysinv.api.controllers.v1 import health
from sysinv.api.controllers.v1 import helm_charts
from sysinv.api.controllers.v1 import host
@ -234,9 +233,6 @@ class V1(base.APIBase):
sdn_controller = [link.Link]
"Links to the SDN controller resource"
firewallrules = [link.Link]
"Links to customer firewall rules"
license = [link.Link]
"Links to the license resource "
@ -719,14 +715,6 @@ class V1(base.APIBase):
bookmark=True)
]
v1.firewallrules = [link.Link.make_link('self',
pecan.request.host_url,
'firewallrules', ''),
link.Link.make_link('bookmark',
pecan.request.host_url,
'firewallrules', '',
bookmark=True)]
v1.license = [link.Link.make_link('self',
pecan.request.host_url,
'license', ''),
@ -835,7 +823,6 @@ class Controller(rest.RestController):
health = health.HealthController()
remotelogging = remotelogging.RemoteLoggingController()
sdn_controller = sdn_controller.SDNControllerController()
firewallrules = firewallrules.FirewallRulesController()
license = license.LicenseController()
labels = label.LabelController()
fernet_repo = fernet_repo.FernetKeyController()


@ -1,221 +0,0 @@
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
import os
import pecan
from pecan import expose
from pecan import rest
import wsme
import wsmeext.pecan as wsme_pecan
from wsme import types as wtypes
from sysinv import objects
from sysinv.api.controllers.v1 import utils
from sysinv.api.controllers.v1 import base
from sysinv.api.controllers.v1 import collection
from sysinv.api.controllers.v1 import link
from sysinv.api.controllers.v1 import types
from sysinv.common import constants
from sysinv.common import exception
from sysinv.common import utils as cutils
from sysinv.openstack.common import log
from sysinv.openstack.common.gettextutils import _
LOG = log.getLogger(__name__)
LOCK_NAME = 'FirewallRulesController'
class FirewallRules(base.APIBase):
"""API representation of oam custom firewall rules.
This class enforces type checking and value constraints, and converts
between the internal object model and the API representation of
oam custom firewall rules.
"""
uuid = types.uuid
"Unique UUID for the firewall rules"
firewall_sig = wtypes.text
"Represents the signature of the custom firewall rules"
created_at = wtypes.datetime.datetime
updated_at = wtypes.datetime.datetime
def __init__(self, **kwargs):
self.fields = list(objects.firewallrules.fields.keys())
for k in self.fields:
if not hasattr(self, k):
continue
setattr(self, k, kwargs.get(k, wtypes.Unset))
self.fields.append('firewall_sig')
setattr(self, 'firewall_sig', kwargs.get('value', None))
@classmethod
def convert_with_links(cls, rpc_firewallrules, expand=True):
parm = FirewallRules(**rpc_firewallrules.as_dict())
if not expand:
parm.unset_fields_except(['uuid', 'firewall_sig', 'updated_at'])
parm.links = [link.Link.make_link('self', pecan.request.host_url,
'parameters', parm.uuid),
link.Link.make_link('bookmark',
pecan.request.host_url,
'parameters', parm.uuid,
bookmark=True)
]
return parm
def firewallrules_as_dict(sp_firewallrules):
sp_firewallrules_dict = sp_firewallrules.as_dict()
keys = objects.firewallrules.fields.keys()
for k, v in sp_firewallrules.as_dict().items():
if k == 'value':
sp_firewallrules_dict['firewall_sig'] = \
sp_firewallrules_dict.pop('value')
elif k not in keys:
sp_firewallrules_dict.pop(k)
return sp_firewallrules_dict
class FirewallRulesCollection(collection.Collection):
"""API representation of a collection of firewall rules."""
firewallrules = [FirewallRules]
"A list containing firewallrules objects"
def __init__(self, **kwargs):
self._type = 'firewallrules'
@classmethod
def convert_with_links(cls, rpc_firewallrules, limit, url=None,
expand=False,
**kwargs):
collection = FirewallRulesCollection()
collection.firewallrules = [FirewallRules.convert_with_links(p, expand)
for p in rpc_firewallrules]
collection.next = collection.get_next(limit, url=url, **kwargs)
return collection
class FirewallRulesController(rest.RestController):
"""REST controller for Custom Firewall Rules."""
_custom_actions = {
'import_firewall_rules': ['POST'],
}
def __init__(self):
self._api_token = None
@wsme_pecan.wsexpose(FirewallRules, types.uuid)
def get_one(self, firewallrules_uuid):
"""Retrieve information about the given firewall rules."""
try:
sp_firewallrules = objects.firewallrules.get_by_uuid(
pecan.request.context, firewallrules_uuid)
except exception.InvalidParameterValue:
raise wsme.exc.ClientSideError(
_("No firewall rules found for %s" % firewallrules_uuid))
return FirewallRules.convert_with_links(sp_firewallrules)
def _get_firewallrules_collection(self, marker, limit,
sort_key, sort_dir, expand=False,
resource_url=None):
limit = utils.validate_limit(limit)
sort_dir = utils.validate_sort_dir(sort_dir)
sp_firewallrules = pecan.request.dbapi.service_parameter_get_one(
service=constants.SERVICE_TYPE_PLATFORM,
section=constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
name=constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)
sp_firewallrules.firewall_sig = sp_firewallrules.value
sp_firewallrules = [sp_firewallrules]
rules = FirewallRulesCollection.convert_with_links(
sp_firewallrules,
limit,
url=resource_url,
expand=expand,
sort_key=sort_key,
sort_dir=sort_dir)
return rules
@wsme_pecan.wsexpose(FirewallRulesCollection, types.uuid, types.uuid, int,
wtypes.text, wtypes.text)
def get_all(self, isystem_uuid=None, marker=None, limit=None,
sort_key='id', sort_dir='asc'):
"""Retrieve a list of firewallrules. Only one per system"""
sort_key = ['section', 'name']
return self._get_firewallrules_collection(marker, limit,
sort_key, sort_dir)
@expose('json')
@cutils.synchronized(LOCK_NAME)
def import_firewall_rules(self, file):
file = pecan.request.POST['file']
if not file.filename:
return dict(success="", error="Error: No firewall rules uploaded")
# Check if the firewallrules_file size is large
try:
_check_firewall_rules_file_size(file)
except Exception as e:
LOG.exception(e)
return dict(success="", error=e.message)
file.file.seek(0, os.SEEK_SET)
contents = file.file.read()
# Get OAM network ip version
oam_network = pecan.request.dbapi.network_get_by_type(
constants.NETWORK_TYPE_OAM)
oam_address_pool = pecan.request.dbapi.address_pool_get(
oam_network.pool_uuid)
try:
firewall_sig = pecan.request.rpcapi.update_firewall_config(
pecan.request.context, oam_address_pool.family, contents)
# push the updated firewall_sig into db
sp_firewallrules = pecan.request.dbapi.service_parameter_get_one(
service=constants.SERVICE_TYPE_PLATFORM,
section=constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
name=constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)
sp_firewallrules = pecan.request.dbapi.service_parameter_update(
sp_firewallrules.uuid,
{'value': firewall_sig, 'personality': constants.CONTROLLER})
sp_firewallrules_dict = firewallrules_as_dict(sp_firewallrules)
LOG.info("import_firewallrules sp_firewallrules={}".format(
sp_firewallrules_dict))
except Exception as e:
return dict(success="", error=e.value)
return dict(success="", error="", body="",
firewallrules=sp_firewallrules_dict)
def _check_firewall_rules_file_size(firewallrules_file):
firewallrules_file.file.seek(0, os.SEEK_END)
size = firewallrules_file.file.tell()
if size > constants.FIREWALL_RULES_MAX_FILE_SIZE:
raise wsme.exc.ClientSideError(
_("Firewall rules file size exceeded maximum supported"
" size of %s bytes." % constants.FIREWALL_RULES_MAX_FILE_SIZE))


@ -197,12 +197,6 @@ class ServiceParameterController(rest.RestController):
p.section == constants.SERVICE_PARAM_SECTION_CINDER_DEFAULT and
p.name == constants.SERVICE_PARAM_CINDER_DEFAULT_MULTIPATH_STATE)]
# filter out firewall_rules_id
parms = [p for p in parms if not (
p.service == constants.SERVICE_TYPE_PLATFORM and p.section ==
constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV and p.name ==
constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)]
# Before we can return the service parameter collection,
# we need to ensure that the list does not contain any
# "protected" service parameters which may need to be


@ -1044,7 +1044,6 @@ SERVICE_PARAM_NAME_DEFAULT_DNS_DOMAIN = 'dns_domain'
# Platform Service Parameters
SERVICE_PARAM_SECTION_PLATFORM_MAINTENANCE = 'maintenance'
SERVICE_PARAM_SECTION_PLATFORM_SYSINV = 'sysinv'
SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID = 'firewall_rules_id'
SERVICE_PARAM_PLAT_MTCE_WORKER_BOOT_TIMEOUT = 'worker_boot_timeout'
SERVICE_PARAM_PLAT_MTCE_CONTROLLER_BOOT_TIMEOUT = 'controller_boot_timeout'
@ -1395,10 +1394,6 @@ WARNING_ROOT_PV_CINDER_CEPH_MSG = (
PV_WARNINGS = {WARN_CINDER_ON_ROOT_WITH_LVM: WARNING_ROOT_PV_CINDER_LVM_MSG,
WARN_CINDER_ON_ROOT_WITH_CEPH: WARNING_ROOT_PV_CINDER_CEPH_MSG}
# Custom firewall rule file
FIREWALL_RULES_FILE = 'iptables.rules'
FIREWALL_RULES_MAX_FILE_SIZE = 102400
# License file
LICENSE_FILE = ".license"


@ -32,7 +32,6 @@ collection of inventory data for each host.
import errno
import filecmp
import glob
import hashlib
import math
import os
import re
@ -513,10 +512,6 @@ class ConductorManager(service.PeriodicService):
'name': constants.SERVICE_PARAM_NAME_AODH_DATABASE_ALARM_HISTORY_TIME_TO_LIVE,
'value': constants.SERVICE_PARAM_AODH_DATABASE_ALARM_HISTORY_TIME_TO_LIVE_DEFAULT,
},
{'service': constants.SERVICE_TYPE_PLATFORM,
'section': constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
'name': constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID,
'value': None},
{'service': constants.SERVICE_TYPE_SWIFT,
'section': constants.SERVICE_PARAM_SECTION_SWIFT_CONFIG,
'name': constants.SERVICE_PARAM_NAME_SWIFT_SERVICE_ENABLED,
@ -7303,7 +7298,7 @@ class ConductorManager(service.PeriodicService):
"personalities": personalities,
"classes": ['openstack::lighttpd::runtime',
'platform::helm::runtime',
'openstack::horizon::firewall',
'platform::firewall::runtime',
'platform::patching::runtime']
}
self._config_apply_runtime_manifest(context, config_uuid,
@ -9962,31 +9957,6 @@ class ConductorManager(service.PeriodicService):
pass
return upgrade
@staticmethod
def _validate_firewall_rules(rules_file,
ip_version=constants.IPV4_FAMILY):
"""
Validate the content of the custom firewall rules
:param rules_file: file path of the custom firewall rules
:param ip_version: IP version
:return:
"""
try:
if ip_version == constants.IPV4_FAMILY:
cmd = "iptables-restore"
else:
cmd = "ip6tables-restore"
with open(os.devnull, "w"):
subprocess.check_output(
[cmd, "--test", "--noflush", rules_file],
stderr=subprocess.STDOUT)
return True
except subprocess.CalledProcessError as e:
LOG.error("iptables-restore failed, output: %s" % e.output)
LOG.exception(e)
return False
def distribute_ceph_external_config(self, context, ceph_conf_filename):
"""Notify agent to distribute Ceph configuration file for external
cluster.
@ -10049,57 +10019,6 @@ class ConductorManager(service.PeriodicService):
tsc.PLATFORM_CEPH_CONF_PATH)
raise exception.SysinvException(msg)
def update_firewall_config(self, context, ip_version, contents):
"""Notify agent to configure firewall rules with the supplied data.
Apply firewall manifest changes.
:param context: an admin context.
:param ip_version: IPV4_VERSION or IPV6_VERSION
:param contents: custom firewall rules contents
"""
firewall_rules_file = os.path.join(tsc.PLATFORM_CONF_PATH,
constants.FIREWALL_RULES_FILE)
temp_firewall_rules_file = firewall_rules_file + '.temp'
firewall_sig = hashlib.md5(contents).hexdigest()
LOG.info("update_firewall_config firewall_sig=%s" % firewall_sig)
with open(temp_firewall_rules_file, 'w') as f:
f.write(contents)
f.close()
if not self._validate_firewall_rules(
temp_firewall_rules_file, ip_version):
os.remove(temp_firewall_rules_file)
raise exception.SysinvException(_(
"Error in custom firewall rule file"))
# Copy firewall rules file
os.rename(temp_firewall_rules_file, firewall_rules_file)
# Copy the updated file to shared storage
shutil.copy(firewall_rules_file,
os.path.join(tsc.CONFIG_PATH,
constants.FIREWALL_RULES_FILE))
personalities = [constants.CONTROLLER]
config_uuid = self._config_update_hosts(context, personalities)
config_dict = {
'personalities': personalities,
'file_names': [firewall_rules_file],
'file_content': contents,
}
self._config_update_file(context, config_uuid, config_dict)
config_uuid = self._config_update_hosts(context, personalities)
config_dict = {
"personalities": personalities,
"classes": ['platform::firewall::runtime']
}
self._config_apply_runtime_manifest(context,
config_uuid,
config_dict)
return firewall_sig
def install_license_file(self, context, contents):
"""Notify agent to install license file with the supplied data.


@ -1569,20 +1569,6 @@ class ConductorAPI(sysinv.openstack.common.rpc.proxy.RpcProxy):
return self.call(context,
self.make_msg('get_software_upgrade_status'))
def update_firewall_config(self, context, ip_version, contents):
"""Synchronously, have the conductor update the firewall config
and manifest.
:param context: request context.
:param ip_version: IP version.
:param contents: file content of custom firewall rules.
"""
return self.call(context,
self.make_msg('update_firewall_config',
ip_version=ip_version,
contents=contents))
def distribute_ceph_external_config(self, context, ceph_conf_filename):
"""Synchronously, have the conductor update the Ceph configuration
file for external cluster.


@ -29,7 +29,6 @@ from sysinv.objects import controller_fs
from sysinv.objects import cpu
from sysinv.objects import datanetwork
from sysinv.objects import disk
from sysinv.objects import firewallrules
from sysinv.objects import partition
from sysinv.objects import dns
from sysinv.objects import drbdconfig
@ -135,7 +134,6 @@ port = port.Port
ethernet_port = port_ethernet.EthernetPort
disk = disk.Disk
partition = partition.Partition
firewallrules = firewallrules.FirewallRules
storage = storage.Storage
journal = journal.Journal
lvg = lvg.LVG
@ -247,7 +245,6 @@ __all__ = (system,
tpmconfig,
tpmdevice,
certificate,
firewallrules,
objectify,
storage_file,
storage_external,


@ -1,34 +0,0 @@
# Copyright (c) 2015-2016 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# coding=utf-8
#
from sysinv.db import api as db_api
from sysinv.objects import base
from sysinv.objects import utils
def _get_firewall_sig(field, db_object):
return db_object.value
class FirewallRules(base.SysinvObject):
# VERSION 1.0: Initial version
VERSION = '1.0'
dbapi = db_api.get_instance()
fields = {'uuid': utils.uuid_or_none, # uuid of service_parameter
'firewall_sig': _get_firewall_sig
}
@base.remotable_classmethod
def get_by_uuid(cls, context, uuid):
return cls.dbapi.service_parameter_get(uuid)
def save_changes(self, context, updates):
self.dbapi.service_parameter_update(self.uuid, updates)


@ -4,8 +4,6 @@
# SPDX-License-Identifier: Apache-2.0
#
import os
from sysinv.common import constants
from sysinv.common import exception
from sysinv.common import utils
@ -43,7 +41,6 @@ class PlatformPuppet(base.BasePuppet):
config.update(self._get_region_config())
config.update(self._get_distributed_cloud_role())
config.update(self._get_sm_config())
config.update(self._get_firewall_config())
config.update(self._get_drbd_sync_config())
config.update(self._get_remotelogging_config())
config.update(self._get_snmp_config())
@ -326,16 +323,6 @@ class PlatformPuppet(base.BasePuppet):
multicast_address.address,
}
def _get_firewall_config(self):
config = {}
rules_filepath = os.path.join(tsconfig.PLATFORM_CONF_PATH,
'iptables.rules')
if os.path.isfile(rules_filepath):
config.update({
'platform::firewall::oam::rules_file': rules_filepath
})
return config
def _get_host_platform_config(self, host, config_uuid):
if not config_uuid:
config_uuid = host.config_target