From 4445e0b337838ed21d74b8f472e9db272df13204 Mon Sep 17 00:00:00 2001 From: Yi Wang Date: Mon, 1 Apr 2019 05:59:25 +0800 Subject: [PATCH] Remove some firewall rules * Remove those firewall rules managed by puppet for exposing platform services, because we have used Calico to create some rules to do the same thing. * Remove system firewall-rule-related commands and controllers. Passed tests: * Fresh build * Deployment(simplex, duplex, multi-node) * System-level tests * firewall-rule-xxx commands were removed as expected. * puppet firewall rules have been removed as expected. * manually check iptable rules. * use the utility of uc to test exposed tcp ports and a few non-exposed tcp ports again. * create vms Story: 2005066 Task: 29864 Depends-On: https://review.openstack.org/#/c/649217 Change-Id: Ie5df744598c75d45d21ce6585f31f6d8f1809f04 
Signed-off-by: Yi Wang --- api-ref/source/api-ref-sysinv-v1-config.rst | 94 ------ .../controllerconfig/backup_restore.py | 7 - .../controllerconfig/upgrades/controller.py | 9 - .../scripts/controller_config | 9 - .../modules/openstack/manifests/barbican.pp | 10 - .../modules/openstack/manifests/horizon.pp | 23 -- .../modules/openstack/manifests/keystone.pp | 14 - .../src/modules/platform/manifests/ceph.pp | 14 - .../modules/platform/manifests/dcmanager.pp | 13 - .../src/modules/platform/manifests/dcorch.pp | 12 - .../modules/platform/manifests/firewall.pp | 269 ------------------ .../src/modules/platform/manifests/fm.pp | 10 - .../src/modules/platform/manifests/nfv.pp | 11 - .../modules/platform/manifests/patching.pp | 11 - .../src/modules/platform/manifests/smapi.pp | 10 - .../src/modules/platform/manifests/sysinv.pp | 11 - .../cgts-client/cgtsclient/v1/client.py | 2 - .../cgtsclient/v1/firewallrules.py | 38 --- .../cgtsclient/v1/firewallrules_shell.py | 54 ---- .../cgts-client/cgtsclient/v1/shell.py | 2 - .../sysinv/api/controllers/v1/__init__.py | 13 - .../api/controllers/v1/firewallrules.py | 221 -------------- .../api/controllers/v1/service_parameter.py | 6 - .../sysinv/sysinv/sysinv/common/constants.py | 5 - .../sysinv/sysinv/sysinv/conductor/manager.py | 83 +----- .../sysinv/sysinv/sysinv/conductor/rpcapi.py | 14 - .../sysinv/sysinv/sysinv/objects/__init__.py | 3 - .../sysinv/sysinv/objects/firewallrules.py | 34 --- .../sysinv/sysinv/sysinv/puppet/platform.py | 13 - 29 files changed, 1 insertion(+), 1014 deletions(-) delete mode 100644 sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules.py delete mode 100644 sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules_shell.py delete mode 100644 sysinv/sysinv/sysinv/sysinv/api/controllers/v1/firewallrules.py delete mode 100644 sysinv/sysinv/sysinv/sysinv/objects/firewallrules.py 
diff --git a/api-ref/source/api-ref-sysinv-v1-config.rst b/api-ref/source/api-ref-sysinv-v1-config.rst index 1e63712f70..44fe9d7c29 100644 --- a/api-ref/source/api-ref-sysinv-v1-config.rst +++ b/api-ref/source/api-ref-sysinv-v1-config.rst @@ -78,16 +78,6 @@ itemNotFound (404) :: { - "firewallrules": [ - { - "href": "http://10.10.10.2:6385/v1/firewallrules/", - "rel": "self" - }, - { - "href": "http://10.10.10.2:6385/firewallrules/", - "rel": "bookmark" - } - ], "addresses": [ { "href": "http://10.10.10.2:6385/v1/addresses/", 
@@ -10751,87 +10741,3 @@ itemNotFound (404) } This operation does not accept a request body. - ----------------------- -Custom Firewall Rules ----------------------- - -These APIs allow for the installation of custom firewall rules. - -******************************* -Install custom firewall rules -******************************* - -.. rest_method:: POST /v1/firewallrules - -Accepts a file containing the custom OAM firewall rules compatible with -the Linux Netfilter framework. - -**Normal response codes** - -200 - -**Error response codes** - -computeFault (400, 500, ...), serviceUnavailable (503), badRequest (400), -unauthorized (401), forbidden (403), badMethod (405), overLimit (413), -badMediaType (415) - -**Request parameters** - -.. csv-table:: - :header: "Parameter", "Style", "Type", "Description" - :widths: 20, 20, 20, 60 - - "Content-Type multipart/form-data", "plain", "xsd:string", "The content of a file. e.g. if using curl, this would be specified as: curl -F name=@full_path_of_filename" - -***************************** -Shows custom firewall rules -***************************** - -.. rest_method:: GET /v1/firewallrules - -**Normal response codes** - -200 - -**Error response codes** - -computeFault (400, 500, ...), serviceUnavailable (503), badRequest (400), -unauthorized (401), forbidden (403), badMethod (405), overLimit (413), -itemNotFound (404) - -**Response parameters** - -.. csv-table:: - :header: "Parameter", "Style", "Type", "Description" - :widths: 20, 20, 20, 60 - - "firewall_sig (Optional)", "plain", "xsd:string", "The signature of the custom firewall rules." - "uuid (Optional)", "plain", "csapi:UUID", "The universally unique identifier for this object." - "links (Optional)", "plain", "xsd:list", "For convenience, resources contain links to themselves. This allows a client to easily obtain rather than construct resource URIs. 
The following types of link relations are associated with resources: a self link containing a versioned link to the resource, and a bookmark link containing a permanent link to a resource that is appropriate for long term storage." - "created_at (Optional)", "plain", "xsd:dateTime", "The time when the object was created." - "updated_at (Optional)", "plain", "xsd:dateTime", "The time when the object was last updated." - -:: - - { - "firewallrules": [ - { - "firewall_sig": "ab9695c4ef143d72317a860c6db7f699", - "uuid": "bc276605-7ae2-476a-a8c0-01f097f5177e", - "updated_at": "2018-03-02T15:59:14.114812+00:00" - } - ] - } - -This operation does not accept a request body. - - - - - - - - - diff --git a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py index 127bccb73a..f10c385feb 100644 --- a/controllerconfig/controllerconfig/controllerconfig/backup_restore.py +++ b/controllerconfig/controllerconfig/controllerconfig/backup_restore.py @@ -376,13 +376,6 @@ def restore_configuration(archive, staging_dir): # Restore certificate files restore_etc_ssl_dir(archive) - # Restore firewall rules file if it is in the archive - if file_exists_in_archive(archive, 'config/iptables.rules'): - restore_config_file( - archive, constants.CONFIG_WORKDIR, 'iptables.rules') - restore_etc_file(archive, tsconfig.PLATFORM_CONF_PATH, - 'platform/iptables.rules') - def filter_pxelinux(archive): for tarinfo in archive: diff --git a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py index c3aef41fcb..29b15673cc 100644 --- a/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py +++ b/controllerconfig/controllerconfig/controllerconfig/upgrades/controller.py 
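Review bot: A backup archive produced before this change can still carry `config/iptables.rules`, and `restore_configuration` now passes over it silently, so any operator-installed custom OAM firewall rules disappear on restore with no trace in the logs. The archive probe is cheap to keep as a notice rather than a restore: `if file_exists_in_archive(archive, 'config/iptables.rules'): LOG.warning("Ignoring legacy custom firewall rules in archive; OAM firewall is now managed by Calico")` (this assumes the module already has a logger, which the hunk does not show). The body of restore_configuration starts outside the hunk.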
@@ -34,7 +34,6 @@ from tsconfig.tsconfig import SW_VERSION from tsconfig.tsconfig import PLATFORM_PATH from tsconfig.tsconfig import KEYRING_PATH from tsconfig.tsconfig import PLATFORM_CONF_FILE -from tsconfig.tsconfig import PLATFORM_CONF_PATH from tsconfig.tsconfig import CGCS_PATH from tsconfig.tsconfig import CONFIG_PATH from tsconfig.tsconfig import CONTROLLER_UPGRADE_FLAG @@ -1129,14 +1128,6 @@ def extract_data_from_archive(archive, staging_dir, from_release, to_release): backup_restore.restore_etc_ssl_dir(archive, configpath=tmp_config_path) - # Restore firewall rules file if it is in the archive - if backup_restore.file_exists_in_archive( - archive, 'config/iptables.rules'): - extract_relative_file(archive, 'config/iptables.rules', - tmp_config_path) - extract_relative_file(archive, 'etc/platform/iptables.rules', - PLATFORM_CONF_PATH) - # Extract etc files archive.extract('etc/hostname', '/') archive.extract('etc/hosts', '/') diff --git a/controllerconfig/controllerconfig/scripts/controller_config b/controllerconfig/controllerconfig/scripts/controller_config index d90bf55d44..f3ce3d4524 100755 --- a/controllerconfig/controllerconfig/scripts/controller_config +++ b/controllerconfig/controllerconfig/scripts/controller_config @@ -314,15 +314,6 @@ start() fi fi - if [ -e $CONFIG_DIR/iptables.rules ] - then - cp $CONFIG_DIR/iptables.rules /etc/platform/iptables.rules - if [ $? -ne 0 ] - then - fatal_error "Unable to copy $CONFIG_DIR/iptables.rules" - fi - fi - # Copy over external_ceph config files if [ -e $CONFIG_DIR/ceph-config ] then diff --git a/puppet-manifests/src/modules/openstack/manifests/barbican.pp b/puppet-manifests/src/modules/openstack/manifests/barbican.pp index dd1a5d14b7..0e4a57a606 100644 --- a/puppet-manifests/src/modules/openstack/manifests/barbican.pp +++ b/puppet-manifests/src/modules/openstack/manifests/barbican.pp 
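Review bot: An upgrade from a release that shipped custom OAM firewall rules now drops them without any notice, because the `config/iptables.rules` branch in `extract_data_from_archive` is removed and nothing in the patch re-expresses those rules as Calico policy. An upgrade is exactly where an operator expects prior hardening to be carried forward, so a one-line warning when `backup_restore.file_exists_in_archive(archive, 'config/iptables.rules')` is true would at least make the loss visible, and the release notes should say that such rules must be recreated as Calico policy. The function continues outside the hunk.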
@@ -88,15 +88,6 @@ class openstack::barbican::service } } -class openstack::barbican::firewall - inherits ::openstack::barbican::params { - - platform::firewall::rule { 'barbican-api': - service_name => 'barbican-api', - ports => $api_port, - } -} - class openstack::barbican::haproxy inherits ::openstack::barbican::params { @@ -137,7 +128,6 @@ class openstack::barbican::api if $service_enabled { include ::openstack::barbican::service - include ::openstack::barbican::firewall include ::openstack::barbican::haproxy } } diff --git a/puppet-manifests/src/modules/openstack/manifests/horizon.pp b/puppet-manifests/src/modules/openstack/manifests/horizon.pp index ded50fe504..91b9ed0561 100755 --- a/puppet-manifests/src/modules/openstack/manifests/horizon.pp +++ b/puppet-manifests/src/modules/openstack/manifests/horizon.pp @@ -174,32 +174,9 @@ class openstack::horizon user => 'root', } - include ::openstack::horizon::firewall } } - -class openstack::horizon::firewall - inherits ::openstack::horizon::params { - - # horizon is run behind a proxy server, therefore - # set the dashboard access based on the configuration - # of HTTPS for external protocols. The horizon - # server runs on port 8080 behind the proxy server. - if $enable_https { - $firewall_port = $https_port - } else { - $firewall_port = $http_port - } - - platform::firewall::rule { 'dashboard': - host => 'ALL', - service_name => 'horizon', - ports => $firewall_port, - } -} - - class openstack::horizon::reload { # Remove all active Horizon user sessions diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index 2a516b71b4..ba1f790402 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp 
@@ -133,19 +133,6 @@ class openstack::keystone ( } } - -class openstack::keystone::firewall - inherits ::openstack::keystone::params { - - if !$::platform::params::region_config { - platform::firewall::rule { 'keystone-api': - service_name => 'keystone', - ports => $api_port, - } - } -} - - class openstack::keystone::haproxy inherits ::openstack::keystone::params { @@ -202,7 +189,6 @@ class openstack::keystone::api } } - include ::openstack::keystone::firewall include ::openstack::keystone::haproxy } diff --git a/puppet-manifests/src/modules/platform/manifests/ceph.pp b/puppet-manifests/src/modules/platform/manifests/ceph.pp index b40c3c8839..cac6f3795f 100644 --- a/puppet-manifests/src/modules/platform/manifests/ceph.pp +++ b/puppet-manifests/src/modules/platform/manifests/ceph.pp @@ -364,19 +364,6 @@ class platform::ceph::osds( create_resources('platform_ceph_journal', $journal_config) } - -class platform::ceph::firewall - inherits ::platform::ceph::params { - - if $service_enabled { - platform::firewall::rule { 'ceph-radosgw': - service_name => 'ceph-radosgw', - ports => $rgw_port, - } - } -} - - class platform::ceph::haproxy inherits ::platform::ceph::params { @@ -434,7 +421,6 @@ class platform::ceph::rgw } } - include ::platform::ceph::firewall include ::platform::ceph::haproxy } diff --git a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp index 2cac526308..6f32803ea0 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcmanager.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcmanager.pp 
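Review bot: In a region configuration the keystone API port was deliberately kept closed on OAM by the `!$::platform::params::region_config` guard that disappears here, and nothing in this hunk shows the Calico replacement carrying that same condition; if it does not, the change widens exposure for region deployments. Worth confirming against the Depends-On change, and a short comment at the `include ::openstack::keystone::haproxy` line such as `# OAM exposure of the keystone API is now governed by platform::firewall::calico::oam::services` would tell the next reader where that decision now lives. The class openstack::keystone::api continues outside the hunk.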
@@ -34,18 +34,6 @@ class platform::dcmanager } } - -class platform::dcmanager::firewall - inherits ::platform::dcmanager::params { - if $::platform::params::distributed_cloud_role =='systemcontroller' { - platform::firewall::rule { 'dcmanager-api': - service_name => 'dcmanager', - ports => $api_port, - } - } -} - - class platform::dcmanager::haproxy inherits ::platform::dcmanager::params { if $::platform::params::distributed_cloud_role =='systemcontroller' { @@ -76,7 +64,6 @@ class platform::dcmanager::api } - include ::platform::dcmanager::firewall include ::platform::dcmanager::haproxy } } diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp index c5846e08a6..3ea5d87d72 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp @@ -51,10 +51,6 @@ class platform::dcorch::firewall service_name => 'dcorch', ports => $api_port, } - platform::firewall::rule { 'dcorch-sysinv-api-proxy': - service_name => 'dcorch-sysinv-api-proxy', - ports => $sysinv_api_proxy_port, - } platform::firewall::rule { 'dcorch-nova-api-proxy': service_name => 'dcorch-nova-api-proxy', ports => $nova_api_proxy_port, @@ -67,14 +63,6 @@ class platform::dcorch::firewall service_name => 'dcorch-cinder-api-proxy', ports => $cinder_api_proxy_port, } - platform::firewall::rule { 'dcorch-patch-api-proxy': - service_name => 'dcorch-patch-api-proxy', - ports => $patch_api_proxy_port, - } - platform::firewall::rule { 'dcorch-identity-api-proxy': - service_name => 'dcorch-identity-api-proxy', - ports => $identity_api_proxy_port, - } } } diff --git a/puppet-manifests/src/modules/platform/manifests/firewall.pp b/puppet-manifests/src/modules/platform/manifests/firewall.pp index b812e09aee..0c3dd7100e 100644 --- a/puppet-manifests/src/modules/platform/manifests/firewall.pp +++ b/puppet-manifests/src/modules/platform/manifests/firewall.pp 
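Review bot: Three `platform::firewall::rule` declarations survive in `platform::dcorch::firewall` (`dcorch`, `dcorch-nova-api-proxy`, `dcorch-cinder-api-proxy` are visible in the context lines) while every other `*::firewall` class in this patch is deleted outright and `platform::firewall::oam`, which set the default-DROP chain policies those accepts were meaningful against, goes with them. If the three are still intended to matter, the patch does not show what now makes the iptables INPUT chain they land in the enforcing layer; if they are not, leaving them is misleading. Either remove the remaining declarations or add a comment above the class explaining why these proxies stay on the legacy path, e.g. `# Remaining iptables rules: proxy ports not yet covered by the Calico OAM policy`. The class body starts outside the hunk.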
@@ -76,275 +76,6 @@ define platform::firewall::rule ( } } - -define platform::firewall::common ( - $version, - $interface, -) { - - $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'} - - firewall { "000 platform accept non-oam ${version}": - proto => 'all', - iniface => "! ${$interface}", - action => 'accept', - provider => $provider, - } - - firewall { "001 platform accept related ${version}": - proto => 'all', - state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - provider => $provider, - } - - # explicitly drop some types of traffic without logging - firewall { "800 platform drop tcf-agent udp ${version}": - proto => 'udp', - dport => 1534, - action => 'drop', - provider => $provider, - } - - firewall { "800 platform drop tcf-agent tcp ${version}": - proto => 'tcp', - dport => 1534, - action => 'drop', - provider => $provider, - } - - firewall { "800 platform drop all avahi-daemon ${version}": - proto => 'udp', - dport => 5353, - action => 'drop', - provider => $provider, - } - - firewall { "999 platform log dropped ${version}": - proto => 'all', - limit => '2/min', - jump => 'LOG', - log_prefix => "${provider}-in-dropped: ", - log_level => 4, - provider => $provider, - } - - firewall { "000 platform forward non-oam ${version}": - chain => 'FORWARD', - proto => 'all', - iniface => "! 
${interface}", - action => 'accept', - provider => $provider, - } - - firewall { "001 platform forward related ${version}": - chain => 'FORWARD', - proto => 'all', - state => ['RELATED', 'ESTABLISHED'], - action => 'accept', - provider => $provider, - } - - firewall { "999 platform log dropped ${version} forwarded": - chain => 'FORWARD', - proto => 'all', - limit => '2/min', - jump => 'LOG', - log_prefix => "${provider}-fwd-dropped: ", - log_level => 4, - provider => $provider, - } -} - -# Declare OAM service rules -define platform::firewall::services ( - $version, -) { - # platform rules to be applied before custom rules - Firewall { - require => undef, - } - - $provider = $version ? {'ipv4' => 'iptables', 'ipv6' => 'ip6tables'} - - $proto_icmp = $version ? {'ipv4' => 'icmp', 'ipv6' => 'ipv6-icmp'} - - # Provider specific service rules - firewall { "010 platform accept sm ${version}": - proto => 'udp', - dport => [2222, 2223], - action => 'accept', - provider => $provider, - } - - firewall { "011 platform accept ssh ${version}": - proto => 'tcp', - dport => 22, - action => 'accept', - provider => $provider, - } - - firewall { "200 platform accept icmp ${version}": - proto => $proto_icmp, - action => 'accept', - provider => $provider, - } - - firewall { "201 platform accept ntp ${version}": - proto => 'udp', - dport => 123, - action => 'accept', - provider => $provider, - } - - firewall { "202 platform accept snmp ${version}": - proto => 'udp', - dport => 161, - action => 'accept', - provider => $provider, - } - - firewall { "202 platform accept snmp trap ${version}": - proto => 'udp', - dport => 162, - action => 'accept', - provider => $provider, - } - - firewall { "203 platform accept ptp ${version}": - proto => 'udp', - dport => [319, 320], - action => 'accept', - provider => $provider, - } - - # allow IGMP Query traffic if IGMP Snooping is - # enabled on the TOR switch - firewall { "204 platform accept igmp ${version}": - proto => 'igmp', - action => 'accept', 
- provider => $provider, - } -} - - -define platform::firewall::hooks ( - $version = undef, -) { - $protocol = $version ? {'ipv4' => 'IPv4', 'ipv6' => 'IPv6'} - - $input_pre_chain = 'INPUT-custom-pre' - $input_post_chain = 'INPUT-custom-post' - - firewallchain { "${input_pre_chain}:filter:${protocol}": - ensure => present, - } - -> firewallchain { "${input_post_chain}:filter:${protocol}": - ensure => present, - } - -> firewall { "100 ${input_pre_chain} ${version}": - proto => 'all', - chain => 'INPUT', - jump => $input_pre_chain - } - -> firewall { "900 ${input_post_chain} ${version}": - proto => 'all', - chain => 'INPUT', - jump => $input_post_chain - } -} - - -class platform::firewall::custom ( - $version = undef, - $rules_file = undef, -) { - - $restore = $version ? { - 'ipv4' => 'iptables-restore', - 'ipv6' => 'ip6tables-restore'} - - platform::firewall::hooks { '::platform:firewall:hooks': - version => $version, - } - - -> exec { 'Flush firewall custom pre rules': - command => 'iptables --flush INPUT-custom-pre', - } - -> exec { 'Flush firewall custom post rules': - command => 'iptables --flush INPUT-custom-post', - } - -> exec { 'Apply firewall custom rules': - command => "${restore} --noflush ${rules_file}", - } -} - - -class platform::firewall::oam ( - $rules_file = undef, -) { - - include ::platform::network::oam::params - $interface_name = $::platform::network::oam::params::interface_name - $subnet_version = $::platform::network::oam::params::subnet_version - - $version = $subnet_version ? 
{ - 4 => 'ipv4', - 6 => 'ipv6', - } - - platform::firewall::common { 'platform:firewall:ipv4': - interface => $interface_name, - version => 'ipv4', - } - - -> platform::firewall::common { 'platform:firewall:ipv6': - interface => $interface_name, - version => 'ipv6', - } - - -> platform::firewall::services { 'platform:firewall:services': - version => $version, - } - - # Set default table policies - -> firewallchain { 'INPUT:filter:IPv4': - ensure => present, - policy => drop, - before => undef, - purge => false, - } - - -> firewallchain { 'INPUT:filter:IPv6': - ensure => present, - policy => drop, - before => undef, - purge => false, - } - - -> firewallchain { 'FORWARD:filter:IPv4': - ensure => present, - policy => drop, - before => undef, - purge => false, - } - - -> firewallchain { 'FORWARD:filter:IPv6': - ensure => present, - policy => drop, - before => undef, - purge => false, - } - - if $rules_file { - - class { '::platform::firewall::custom': - version => $version, - rules_file => $rules_file, - } - } -} - class platform::firewall::calico::oam::services { include ::platform::params include ::platform::network::oam::params diff --git a/puppet-manifests/src/modules/platform/manifests/fm.pp b/puppet-manifests/src/modules/platform/manifests/fm.pp index 2807dac0f2..20066cebfd 100644 --- a/puppet-manifests/src/modules/platform/manifests/fm.pp +++ b/puppet-manifests/src/modules/platform/manifests/fm.pp @@ -35,15 +35,6 @@ class platform::fm } } -class platform::fm::firewall - inherits ::platform::fm::params { - - platform::firewall::rule { 'fm-api': - service_name => 'fm', - ports => $api_port, - } -} - class platform::fm::haproxy inherits ::platform::fm::params { @@ -84,7 +75,6 @@ class platform::fm::api sync_db => $::platform::params::init_database, } - include ::platform::fm::firewall include ::platform::fm::haproxy } } 
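Review bot: The default DROP policy on INPUT and FORWARD for both IPv4 and IPv6, the unconditional drops for tcf-agent (tcp/udp 1534) and mDNS (udp 5353), the accepts for SM (udp 2222/2223), NTP, SNMP, PTP, ICMP and IGMP, and the rate-limited LOG of dropped packets all disappear here, and nothing in the patch shows their replacement. The commit message reports testing exposed and non-exposed TCP ports, which says nothing about the UDP/ICMP surface or about IPv6, and the surviving `platform::firewall::calico::oam::services` class is outside this hunk so I cannot confirm it reproduces the ip6tables half or the drop logging. Please state in the commit message, or in a comment at the head of the calico class, which of these behaviours Calico now provides and which are intentionally dropped. `define platform::firewall::rule`, which begins above the hunk, is kept even though its only remaining consumer in this patch appears to be the partially trimmed dcorch class.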
diff --git a/puppet-manifests/src/modules/platform/manifests/nfv.pp b/puppet-manifests/src/modules/platform/manifests/nfv.pp index 09a2a69b28..3ddcc7dc0d 100644 --- a/puppet-manifests/src/modules/platform/manifests/nfv.pp +++ b/puppet-manifests/src/modules/platform/manifests/nfv.pp @@ -52,16 +52,6 @@ class platform::nfv::runtime { } -class platform::nfv::firewall - inherits ::platform::nfv::params { - - platform::firewall::rule { 'nfv-vim-api': - service_name => 'nfv-vim', - ports => $api_port, - } -} - - class platform::nfv::haproxy inherits ::platform::nfv::params { @@ -81,6 +71,5 @@ class platform::nfv::api include ::nfv::keystone::auth } - include ::platform::nfv::firewall include ::platform::nfv::haproxy } diff --git a/puppet-manifests/src/modules/platform/manifests/patching.pp b/puppet-manifests/src/modules/platform/manifests/patching.pp index 0089db087e..e6b3864abd 100644 --- a/puppet-manifests/src/modules/platform/manifests/patching.pp +++ b/puppet-manifests/src/modules/platform/manifests/patching.pp @@ -35,16 +35,6 @@ class platform::patching } -class platform::patching::firewall - inherits ::platform::patching::params { - - platform::firewall::rule { 'patching-api': - service_name => 'patching', - ports => $public_port, - } -} - - class platform::patching::haproxy inherits ::platform::patching::params { @@ -67,7 +57,6 @@ class platform::patching::api ( include ::patching::keystone::auth } - include ::platform::patching::firewall include ::platform::patching::haproxy } diff --git a/puppet-manifests/src/modules/platform/manifests/smapi.pp b/puppet-manifests/src/modules/platform/manifests/smapi.pp index eacd9a50fb..9a0a21df74 100644 --- a/puppet-manifests/src/modules/platform/manifests/smapi.pp +++ b/puppet-manifests/src/modules/platform/manifests/smapi.pp 
@@ -10,15 +10,6 @@ class platform::smapi::params ( $region = undef, ) {} -class platform::smap::firewall - inherits ::platform::smapi::params { - - platform::firewall::rule { 'sm-api': - service_name => 'sm-api', - ports => $port, - } -} - class platform::smapi::haproxy inherits ::platform::smapi::params { @@ -47,7 +38,6 @@ class platform::smapi } include ::platform::params - include ::platform::smap::firewall include ::platform::smapi::haproxy $bind_host_name = $::platform::params::hostname file { '/etc/sm-api/sm-api.conf': diff --git a/puppet-manifests/src/modules/platform/manifests/sysinv.pp b/puppet-manifests/src/modules/platform/manifests/sysinv.pp index cf9a79ce2e..af67e2ee98 100644 --- a/puppet-manifests/src/modules/platform/manifests/sysinv.pp +++ b/puppet-manifests/src/modules/platform/manifests/sysinv.pp @@ -120,16 +120,6 @@ class platform::sysinv::conductor { } -class platform::sysinv::firewall - inherits ::platform::sysinv::params { - - platform::firewall::rule { 'sysinv-api': - service_name => 'sysinv', - ports => $api_port, - } -} - - class platform::sysinv::haproxy inherits ::platform::sysinv::params { @@ -173,7 +163,6 @@ class platform::sysinv::api 'DEFAULT/sysinv_api_workers': value => $::platform::params::eng_workers_by_5; } - include ::platform::sysinv::firewall include ::platform::sysinv::haproxy } diff --git a/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py b/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py index e702ace96c..97414fe923 100644 --- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py +++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py @@ -29,7 +29,6 @@ from cgtsclient.v1 import datanetwork from cgtsclient.v1 import drbdconfig from cgtsclient.v1 import ethernetport from cgtsclient.v1 import fernet -from cgtsclient.v1 import firewallrules from cgtsclient.v1 import health from cgtsclient.v1 import helm from cgtsclient.v1 import icommunity 
@@ -148,7 +147,6 @@ class Client(http.HTTPClient): self.health = health.HealthManager(self) self.remotelogging = remotelogging.RemoteLoggingManager(self) self.sdn_controller = sdn_controller.SDNControllerManager(self) - self.firewallrules = firewallrules.FirewallRulesManager(self) self.partition = partition.partitionManager(self) self.license = license.LicenseManager(self) self.certificate = certificate.CertificateManager(self) diff --git a/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules.py b/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules.py deleted file mode 100644 index f37fb797fa..0000000000 --- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules.py +++ /dev/null @@ -1,38 +0,0 @@ -# -# Copyright (c) 2017 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# - -# -*- encoding: utf-8 -*- -# - -from cgtsclient.common import base - -CREATION_ATTRIBUTES = ['firewall_path'] - - -class FirewallRules(base.Resource): - def __repr__(self): - return "" % self._info - - -class FirewallRulesManager(base.Manager): - resource_class = FirewallRules - - @staticmethod - def _path(id=None): - return '/v1/firewallrules/%s' % id if id else '/v1/firewallrules' - - def list(self): - return self._list(self._path(), "firewallrules") - - def get(self, firewallrules_id): - try: - return self._list(self._path(firewallrules_id))[0] - except IndexError: - return None - - def import_firewall_rules(self, file): - path = self._path("import_firewall_rules") - return self._upload(path, file) diff --git a/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules_shell.py b/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules_shell.py deleted file mode 100644 index 71fb556f84..0000000000 --- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/firewallrules_shell.py +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/env python -# -# Copyright (c) 2017 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# - -# vim: tabstop=4 shiftwidth=4 softtabstop=4 -# All Rights Reserved. -# - -from cgtsclient.common import utils -from cgtsclient import exc - - -def _print_firewallrules_show(firewallrules): - fields = ['uuid', 'firewall_sig', 'updated_at'] - if type(firewallrules) is dict: - data = [(f, firewallrules.get(f, '')) for f in fields] - else: - data = [(f, getattr(firewallrules, f, '')) for f in fields] - utils.print_tuple_list(data) - - -def do_firewall_rules_show(cc, args): - """Show Firewall Rules attributes.""" - - firewallrules = cc.firewallrules.list() - - _print_firewallrules_show(firewallrules[0]) - - -@utils.arg('firewall_rules_path', - metavar='', - default=None, - help="Path to custom firewall rule file to install.") -def do_firewall_rules_install(cc, args): - """Install firewall rules.""" - filename = args.firewall_rules_path - try: - fw_file = open(filename, 'rb') - except Exception: - raise exc.CommandError("Error: Could not open file %s for read." % - filename) - try: - response = cc.firewallrules.import_firewall_rules(fw_file) - error = response.get('error') - if error: - raise exc.CommandError("%s" % error) - else: - _print_firewallrules_show(response.get('firewallrules')) - except exc.HTTPNotFound: - raise exc.CommandError('firewallrules not installed %s' % - filename) diff --git a/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py b/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py index 2521930b59..9c540a5ba7 100644 --- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py +++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py 
@@ -16,7 +16,6 @@ from cgtsclient.v1 import controller_fs_shell from cgtsclient.v1 import datanetwork_shell from cgtsclient.v1 import drbdconfig_shell from cgtsclient.v1 import ethernetport_shell -from cgtsclient.v1 import firewallrules_shell from cgtsclient.v1 import health_shell from cgtsclient.v1 import helm_shell @@ -111,7 +110,6 @@ COMMAND_MODULES = [ health_shell, remotelogging_shell, sdn_controller_shell, - firewallrules_shell, partition_shell, license_shell, certificate_shell, diff --git a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/__init__.py b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/__init__.py index 70a67b8ad7..cfe4616559 100644 --- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/__init__.py +++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/__init__.py @@ -35,7 +35,6 @@ from sysinv.api.controllers.v1 import dns from sysinv.api.controllers.v1 import drbdconfig from sysinv.api.controllers.v1 import ethernet_port from sysinv.api.controllers.v1 import fernet_repo -from sysinv.api.controllers.v1 import firewallrules from sysinv.api.controllers.v1 import health from sysinv.api.controllers.v1 import helm_charts from sysinv.api.controllers.v1 import host @@ -234,9 +233,6 @@ class V1(base.APIBase): sdn_controller = [link.Link] "Links to the SDN controller resource" - firewallrules = [link.Link] - "Links to customer firewall rules" - license = [link.Link] "Links to the license resource " @@ -719,14 +715,6 @@ class V1(base.APIBase): bookmark=True) ] - v1.firewallrules = [link.Link.make_link('self', - pecan.request.host_url, - 'firewallrules', ''), - link.Link.make_link('bookmark', - pecan.request.host_url, - 'firewallrules', '', - bookmark=True)] - v1.license = [link.Link.make_link('self', pecan.request.host_url, 'license', ''), 
@@ -835,7 +823,6 @@ class Controller(rest.RestController): health = health.HealthController() remotelogging = remotelogging.RemoteLoggingController() sdn_controller = sdn_controller.SDNControllerController() - firewallrules = firewallrules.FirewallRulesController() license = license.LicenseController() labels = label.LabelController() fernet_repo = fernet_repo.FernetKeyController() diff --git a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/firewallrules.py b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/firewallrules.py deleted file mode 100644 index 0988ddf22f..0000000000 --- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/firewallrules.py +++ /dev/null 
@@ -1,221 +0,0 @@
-# Copyright (c) 2017 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-import os
-import pecan
-from pecan import expose
-from pecan import rest
-import wsme
-import wsmeext.pecan as wsme_pecan
-from wsme import types as wtypes
-from sysinv import objects
-
-from sysinv.api.controllers.v1 import utils
-from sysinv.api.controllers.v1 import base
-from sysinv.api.controllers.v1 import collection
-from sysinv.api.controllers.v1 import link
-from sysinv.api.controllers.v1 import types
-
-from sysinv.common import constants
-from sysinv.common import exception
-from sysinv.common import utils as cutils
-from sysinv.openstack.common import log
-from sysinv.openstack.common.gettextutils import _
-
-
-LOG = log.getLogger(__name__)
-
-
-LOCK_NAME = 'FirewallRulesController'
-
-
-class FirewallRules(base.APIBase):
- """API representation of oam custom firewall rules.
-
- This class enforces type checking and value constraints, and converts
- between the internal object model and the API representation of
- oam custom firewall rules.
- """
-
- uuid = types.uuid
- "Unique UUID for the firewall rules"
-
- firewall_sig = wtypes.text
- "Represents the signature of the custom firewall rules"
-
- created_at = wtypes.datetime.datetime
- updated_at = wtypes.datetime.datetime
-
- def __init__(self, **kwargs):
- self.fields = list(objects.firewallrules.fields.keys())
- for k in self.fields:
- if not hasattr(self, k):
- continue
- setattr(self, k, kwargs.get(k, wtypes.Unset))
-
- self.fields.append('firewall_sig')
- setattr(self, 'firewall_sig', kwargs.get('value', None))
-
- @classmethod
- def convert_with_links(cls, rpc_firewallrules, expand=True):
- parm = FirewallRules(**rpc_firewallrules.as_dict())
- if not expand:
- parm.unset_fields_except(['uuid', 'firewall_sig', 'updated_at'])
-
- parm.links = [link.Link.make_link('self', pecan.request.host_url,
- 'parameters', parm.uuid),
- link.Link.make_link('bookmark',
- pecan.request.host_url,
- 'parameters', parm.uuid,
- bookmark=True)
- ]
- return parm
-
-
-def firewallrules_as_dict(sp_firewallrules):
- sp_firewallrules_dict = sp_firewallrules.as_dict()
- keys = objects.firewallrules.fields.keys()
- for k, v in sp_firewallrules.as_dict().items():
- if k == 'value':
- sp_firewallrules_dict['firewall_sig'] = \
- sp_firewallrules_dict.pop('value')
- elif k not in keys:
- sp_firewallrules_dict.pop(k)
- return sp_firewallrules_dict
-
-
-class FirewallRulesCollection(collection.Collection):
- """API representation of a collection of firewall rules."""
-
- firewallrules = [FirewallRules]
- "A list containing firewallrules objects"
-
- def __init__(self, **kwargs):
- self._type = 'firewallrules'
-
- @classmethod
- def convert_with_links(cls, rpc_firewallrules, limit, url=None,
- expand=False,
- **kwargs):
- collection = FirewallRulesCollection()
- collection.firewallrules = [FirewallRules.convert_with_links(p, expand)
- for p in rpc_firewallrules]
- collection.next = collection.get_next(limit, url=url, **kwargs)
- return collection
-
-
-class 
FirewallRulesController(rest.RestController):
- """REST controller for Custom Firewall Rules."""
-
- _custom_actions = {
- 'import_firewall_rules': ['POST'],
- }
-
- def __init__(self):
- self._api_token = None
-
- @wsme_pecan.wsexpose(FirewallRules, types.uuid)
- def get_one(self, firewallrules_uuid):
- """Retrieve information about the given firewall rules."""
-
- try:
- sp_firewallrules = objects.firewallrules.get_by_uuid(
- pecan.request.context, firewallrules_uuid)
- except exception.InvalidParameterValue:
- raise wsme.exc.ClientSideError(
- _("No firewall rules found for %s" % firewallrules_uuid))
-
- return FirewallRules.convert_with_links(sp_firewallrules)
-
- def _get_firewallrules_collection(self, marker, limit,
- sort_key, sort_dir, expand=False,
- resource_url=None):
-
- limit = utils.validate_limit(limit)
- sort_dir = utils.validate_sort_dir(sort_dir)
-
- sp_firewallrules = pecan.request.dbapi.service_parameter_get_one(
- service=constants.SERVICE_TYPE_PLATFORM,
- section=constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
- name=constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)
- sp_firewallrules.firewall_sig = sp_firewallrules.value
-
- sp_firewallrules = [sp_firewallrules]
-
- rules = FirewallRulesCollection.convert_with_links(
- sp_firewallrules,
- limit,
- url=resource_url,
- expand=expand,
- sort_key=sort_key,
- sort_dir=sort_dir)
- return rules
-
- @wsme_pecan.wsexpose(FirewallRulesCollection, types.uuid, types.uuid, int,
- wtypes.text, wtypes.text)
- def get_all(self, isystem_uuid=None, marker=None, limit=None,
- sort_key='id', sort_dir='asc'):
- """Retrieve a list of firewallrules. 
Only one per system"""
-
- sort_key = ['section', 'name']
- return self._get_firewallrules_collection(marker, limit,
- sort_key, sort_dir)
-
- @expose('json')
- @cutils.synchronized(LOCK_NAME)
- def import_firewall_rules(self, file):
- file = pecan.request.POST['file']
- if not file.filename:
- return dict(success="", error="Error: No firewall rules uploaded")
-
- # Check if the firewallrules_file size is large
- try:
- _check_firewall_rules_file_size(file)
- except Exception as e:
- LOG.exception(e)
- return dict(success="", error=e.message)
-
- file.file.seek(0, os.SEEK_SET)
- contents = file.file.read()
-
- # Get OAM network ip version
- oam_network = pecan.request.dbapi.network_get_by_type(
- constants.NETWORK_TYPE_OAM)
- oam_address_pool = pecan.request.dbapi.address_pool_get(
- oam_network.pool_uuid)
-
- try:
- firewall_sig = pecan.request.rpcapi.update_firewall_config(
- pecan.request.context, oam_address_pool.family, contents)
-
- # push the updated firewall_sig into db
- sp_firewallrules = pecan.request.dbapi.service_parameter_get_one(
- service=constants.SERVICE_TYPE_PLATFORM,
- section=constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
- name=constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)
-
- sp_firewallrules = pecan.request.dbapi.service_parameter_update(
- sp_firewallrules.uuid,
- {'value': firewall_sig, 'personality': constants.CONTROLLER})
-
- sp_firewallrules_dict = firewallrules_as_dict(sp_firewallrules)
-
- LOG.info("import_firewallrules sp_firewallrules={}".format(
- sp_firewallrules_dict))
-
- except Exception as e:
- return dict(success="", error=e.value)
-
- return dict(success="", error="", body="",
- firewallrules=sp_firewallrules_dict)
-
-
-def _check_firewall_rules_file_size(firewallrules_file):
- firewallrules_file.file.seek(0, os.SEEK_END)
- size = firewallrules_file.file.tell()
- if size > constants.FIREWALL_RULES_MAX_FILE_SIZE:
- raise wsme.exc.ClientSideError(
- _("Firewall rules file size exceeded maximum supported"
- " size of 
%s bytes." % constants.FIREWALL_RULES_MAX_FILE_SIZE))
diff --git a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py
index b99b0a3971..a1c03c9923 100644
--- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py
+++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/service_parameter.py
@@ -197,12 +197,6 @@ class ServiceParameterController(rest.RestController):
 p.section == constants.SERVICE_PARAM_SECTION_CINDER_DEFAULT and
 p.name == constants.SERVICE_PARAM_CINDER_DEFAULT_MULTIPATH_STATE)]
 
- # filter out firewall_rules_id
- parms = [p for p in parms if not (
- p.service == constants.SERVICE_TYPE_PLATFORM and p.section ==
- constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV and p.name ==
- constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID)]
-
 # Before we can return the service parameter collection,
 # we need to ensure that the list does not contain any
 # "protected" service parameters which may need to be
diff --git a/sysinv/sysinv/sysinv/sysinv/common/constants.py b/sysinv/sysinv/sysinv/sysinv/common/constants.py
index 15b0fc7f35..39915dc306 100644
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@@ -1044,7 +1044,6 @@ SERVICE_PARAM_NAME_DEFAULT_DNS_DOMAIN = 'dns_domain'
 # Platform Service Parameters
 SERVICE_PARAM_SECTION_PLATFORM_MAINTENANCE = 'maintenance'
 SERVICE_PARAM_SECTION_PLATFORM_SYSINV = 'sysinv'
-SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID = 'firewall_rules_id'
 SERVICE_PARAM_PLAT_MTCE_WORKER_BOOT_TIMEOUT = 'worker_boot_timeout'
 SERVICE_PARAM_PLAT_MTCE_CONTROLLER_BOOT_TIMEOUT = 'controller_boot_timeout'
 
@@ -1395,10 +1394,6 @@ WARNING_ROOT_PV_CINDER_CEPH_MSG = (
 PV_WARNINGS = {WARN_CINDER_ON_ROOT_WITH_LVM: WARNING_ROOT_PV_CINDER_LVM_MSG,
 WARN_CINDER_ON_ROOT_WITH_CEPH: WARNING_ROOT_PV_CINDER_CEPH_MSG}
 
-# Custom firewall rule file
-FIREWALL_RULES_FILE = 'iptables.rules'
-FIREWALL_RULES_MAX_FILE_SIZE = 102400
-
 # License file
 LICENSE_FILE = ".license"
 
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
index 2897083030..7e09763baf 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -32,7 +32,6 @@ collection of inventory data for each host.
 import errno
 import filecmp
 import glob
-import hashlib
 import math
 import os
 import re
@@ -513,10 +512,6 @@ class ConductorManager(service.PeriodicService):
 'name': constants.SERVICE_PARAM_NAME_AODH_DATABASE_ALARM_HISTORY_TIME_TO_LIVE,
 'value': constants.SERVICE_PARAM_AODH_DATABASE_ALARM_HISTORY_TIME_TO_LIVE_DEFAULT,
 },
- {'service': constants.SERVICE_TYPE_PLATFORM,
- 'section': constants.SERVICE_PARAM_SECTION_PLATFORM_SYSINV,
- 'name': constants.SERVICE_PARAM_NAME_SYSINV_FIREWALL_RULES_ID,
- 'value': None},
 {'service': constants.SERVICE_TYPE_SWIFT,
 'section': constants.SERVICE_PARAM_SECTION_SWIFT_CONFIG,
 'name': constants.SERVICE_PARAM_NAME_SWIFT_SERVICE_ENABLED,
@@ -7303,7 +7298,7 @@ class ConductorManager(service.PeriodicService):
 "personalities": personalities,
 "classes": ['openstack::lighttpd::runtime',
 'platform::helm::runtime',
- 'openstack::horizon::firewall',
+ 'platform::firewall::runtime',
 'platform::patching::runtime']
 }
 self._config_apply_runtime_manifest(context, config_uuid,
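Review bot: The swapped-in `'platform::firewall::runtime'` is the single added line of the commit, yet the hunk gives no hint of why this runtime manifest list keeps a firewall class at all when the horizon-specific one it replaces is being removed together with the rest of the puppet-managed firewall rules; a one-line comment above `"classes":`, such as `# platform::firewall::runtime re-applies the base platform iptables rules; horizon port exposure is no longer managed by puppet`, would make the intent explicit. It is also worth confirming that `platform::firewall::runtime` is still defined after the manifest trimming in this change, and that re-applying it here is enough to drop any rule the removed horizon class used to manage rather than leaving stale entries until the next full apply. The enclosing method starts and ends outside the hunk, so the trigger for this apply (presumably a port or certificate related reconfiguration, given the lighttpd class beside it) is not visible here.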
@@ -9962,31 +9957,6 @@ class ConductorManager(service.PeriodicService):
 pass
 return upgrade
 
- @staticmethod
- def _validate_firewall_rules(rules_file,
- ip_version=constants.IPV4_FAMILY):
- """
- Validate the content of the custom firewall rules
- :param rules_file: file path of the custom firewall rules
- :param ip_version: IP version
- :return:
- """
- try:
- if ip_version == constants.IPV4_FAMILY:
- cmd = "iptables-restore"
- else:
- cmd = "ip6tables-restore"
-
- with open(os.devnull, "w"):
- subprocess.check_output(
- [cmd, "--test", "--noflush", rules_file],
- stderr=subprocess.STDOUT)
- return True
- except subprocess.CalledProcessError as e:
- LOG.error("iptables-restore failed, output: %s" % e.output)
- LOG.exception(e)
- return False
-
 def distribute_ceph_external_config(self, context, ceph_conf_filename):
 """Notify agent to distribute Ceph configuration file for external
 cluster.
@@ -10049,57 +10019,6 @@ class ConductorManager(service.PeriodicService):
 tsc.PLATFORM_CEPH_CONF_PATH)
 raise exception.SysinvException(msg)
 
- def update_firewall_config(self, context, ip_version, contents):
- """Notify agent to configure firewall rules with the supplied data.
- Apply firewall manifest changes.
-
- :param context: an admin context.
- :param ip_version: IPV4_VERSION or IPV6_VERSION
- :param contents: custom firewall rules contents
- """
- firewall_rules_file = os.path.join(tsc.PLATFORM_CONF_PATH,
- constants.FIREWALL_RULES_FILE)
- temp_firewall_rules_file = firewall_rules_file + '.temp'
- firewall_sig = hashlib.md5(contents).hexdigest()
- LOG.info("update_firewall_config firewall_sig=%s" % firewall_sig)
-
- with open(temp_firewall_rules_file, 'w') as f:
- f.write(contents)
- f.close()
-
- if not self._validate_firewall_rules(
- temp_firewall_rules_file, ip_version):
- os.remove(temp_firewall_rules_file)
- raise exception.SysinvException(_(
- "Error in custom firewall rule file"))
-
- # Copy firewall rules file
- os.rename(temp_firewall_rules_file, firewall_rules_file)
-
- # Copy the updated file to shared storage
- shutil.copy(firewall_rules_file,
- os.path.join(tsc.CONFIG_PATH,
- constants.FIREWALL_RULES_FILE))
-
- personalities = [constants.CONTROLLER]
- config_uuid = self._config_update_hosts(context, personalities)
- config_dict = {
- 'personalities': personalities,
- 'file_names': [firewall_rules_file],
- 'file_content': contents,
- }
- self._config_update_file(context, config_uuid, config_dict)
-
- config_uuid = self._config_update_hosts(context, personalities)
- config_dict = {
- "personalities": personalities,
- "classes": ['platform::firewall::runtime']
- }
- self._config_apply_runtime_manifest(context,
- config_uuid,
- config_dict)
- return firewall_sig
-
 def install_license_file(self, context, contents):
 """Notify agent to install license file with the supplied data.
 
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/rpcapi.py b/sysinv/sysinv/sysinv/sysinv/conductor/rpcapi.py
index a7d947f779..b64a808e5c 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/rpcapi.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/rpcapi.py
@@ -1569,20 +1569,6 @@ class ConductorAPI(sysinv.openstack.common.rpc.proxy.RpcProxy):
 return self.call(context,
 self.make_msg('get_software_upgrade_status'))
 
- def update_firewall_config(self, context, ip_version, contents):
- """Synchronously, have the conductor update the firewall config
- and manifest.
-
- :param context: request context.
- :param ip_version: IP version.
- :param contents: file content of custom firewall rules.
-
- """
- return self.call(context,
- self.make_msg('update_firewall_config',
- ip_version=ip_version,
- contents=contents))
-
 def distribute_ceph_external_config(self, context, ceph_conf_filename):
 """Synchronously, have the conductor update the Ceph configuration
 file for external cluster.
diff --git a/sysinv/sysinv/sysinv/sysinv/objects/__init__.py b/sysinv/sysinv/sysinv/sysinv/objects/__init__.py
index a7b754799b..a1ecb17881 100644
--- a/sysinv/sysinv/sysinv/sysinv/objects/__init__.py
+++ b/sysinv/sysinv/sysinv/sysinv/objects/__init__.py
@@ -29,7 +29,6 @@ from sysinv.objects import controller_fs
 from sysinv.objects import cpu
 from sysinv.objects import datanetwork
 from sysinv.objects import disk
-from sysinv.objects import firewallrules
 from sysinv.objects import partition
 from sysinv.objects import dns
 from sysinv.objects import drbdconfig
@@ -135,7 +134,6 @@ port = port.Port
 ethernet_port = port_ethernet.EthernetPort
 disk = disk.Disk
 partition = partition.Partition
-firewallrules = firewallrules.FirewallRules
 storage = storage.Storage
 journal = journal.Journal
 lvg = lvg.LVG
@@ -247,7 +245,6 @@ __all__ = (system,
 tpmconfig,
 tpmdevice,
 certificate,
- firewallrules,
 objectify,
 storage_file,
 storage_external,
diff --git a/sysinv/sysinv/sysinv/sysinv/objects/firewallrules.py b/sysinv/sysinv/sysinv/sysinv/objects/firewallrules.py
deleted file mode 100644
index 1f17f11252..0000000000
--- a/sysinv/sysinv/sysinv/sysinv/objects/firewallrules.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (c) 2015-2016 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-# coding=utf-8
-#
-
-from sysinv.db import api as db_api
-from sysinv.objects import base
-from sysinv.objects import utils
-
-
-def _get_firewall_sig(field, db_object):
- return db_object.value
-
-
-class FirewallRules(base.SysinvObject):
- # VERSION 1.0: Initial version
- VERSION = '1.0'
-
- dbapi = db_api.get_instance()
-
- fields = {'uuid': utils.uuid_or_none, # uuid of service_parameter
- 'firewall_sig': _get_firewall_sig
- }
-
- @base.remotable_classmethod
- def get_by_uuid(cls, context, uuid):
- return cls.dbapi.service_parameter_get(uuid)
-
- def save_changes(self, context, updates):
- self.dbapi.service_parameter_update(self.uuid, updates)
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/platform.py b/sysinv/sysinv/sysinv/sysinv/puppet/platform.py
index f4bc1b69c2..35d4a9c6ea 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/platform.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/platform.py
@@ -4,8 +4,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
-import os
-
 from sysinv.common import constants
 from sysinv.common import exception
 from sysinv.common import utils
@@ -43,7 +41,6 @@ class PlatformPuppet(base.BasePuppet):
 config.update(self._get_region_config())
 config.update(self._get_distributed_cloud_role())
 config.update(self._get_sm_config())
- config.update(self._get_firewall_config())
 config.update(self._get_drbd_sync_config())
 config.update(self._get_remotelogging_config())
 config.update(self._get_snmp_config())
@@ -326,16 +323,6 @@ class PlatformPuppet(base.BasePuppet):
 multicast_address.address,
 }
 
- def _get_firewall_config(self):
- config = {}
- rules_filepath = os.path.join(tsconfig.PLATFORM_CONF_PATH,
- 'iptables.rules')
- if os.path.isfile(rules_filepath):
- config.update({
- 'platform::firewall::oam::rules_file': rules_filepath
- })
- return config
-
 def _get_host_platform_config(self, host, config_uuid):
 if not config_uuid:
 config_uuid = host.config_target