Merge "Generate port referece from source"

This commit is contained in:
Zuul 2024-09-12 14:53:47 +00:00 committed by Gerrit Code Review
commit 0a514733b7
8 changed files with 212 additions and 246 deletions

.gitignore vendored

@ -70,7 +70,7 @@ tmp/
# templates/events.yaml
*-series-log-messages.rst
*-series-alarm-messages.rst
doc/source/dist_cloud/kubernetes/FW_PORTS.csv
# API Reference Guide
api-ref/build/

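--- a/_p_columns.py
+++ b/_p_columns.py
@@ -0,0 +1,5 @@
+columns = ["Source", "Protocol", "Port", "Desc", "Context", "Network", "Endpoints","Hosts", "Note", "HTTPS", "_stx", "_pl", "_os", "_an"]
+src_index = columns.index("Source")
+port_index = columns.index("Port")
+net_index = columns.index("Network")
+COL_COUNT = len(columns)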
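Review bot: The underscore-prefixed columns `_stx`, `_pl`, `_os`, `_an` on the `columns` line carry no explanation and the module has no docstring, so whoever reads the generator that imports these indices has to guess what those four fields mark and why they are separated from the rest by the prefix. Add a module docstring stating that this is the column layout shared by the port-reference generator and what the `_`-prefixed fields denote, plus a comment on the index lines such as `# 0-based positions used to look fields up by name rather than by literal number`. The missing space in `"Endpoints","Hosts"` breaks the list's formatting; `"Endpoints", "Hosts"` matches the rest of the line. If no importer mutates `columns`, a tuple would make its constant role explicit (`.index()` and `len()` still work), but that depends on the other files in this change, which are not visible here.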


@ -4,6 +4,8 @@ openstackdocstheme>=2.2.1,<=2.3.1 # Apache-2.0
docutils==0.18.1
PyYAML==6.0
sphinx-tabs<=3.4.1
pandas
openpyxl
# API Reference Guide
os-api-ref>=1.5.0 # Apache-2.0
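Review bot: `pandas` and `openpyxl` are added without any version constraint while every other entry in this hunk (`docutils==0.18.1`, `PyYAML==6.0`, `sphinx-tabs<=3.4.1`, `os-api-ref>=1.5.0`) is pinned or bounded, so the doc build will install whatever release is current and a future incompatible or compromised release is picked up silently. Pin them in the file's existing style, `pandas==<PINNED_VERSION>` and `openpyxl==<PINNED_VERSION>`, with the versions the generator was actually tested against. If tracking newer releases is wanted, an upper bound in the style of the `sphinx-tabs` line is a reasonable middle ground.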


@ -13,251 +13,9 @@ function correctly.
.. begin-dc-ports-table
.. table:: Table 1. |prod-dc| port requirements
:widths: auto
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| Protocol | Port | Network | Description | System Controller| Subcloud | Initiator | Destination | Notes |
+==========+=======+=========+==================+==================+==================+==================================================+=====================================+=========================================+
| tcp | 22 | oam | ssh | allowed | allowed | System Controller | Subclouds | For admin login |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | oam | ssh | allowed | allowed | Subclouds | System Controller | For admin login |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | mgmt | ssh | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | mgmt | ssh | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 123 | oam | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 123 | mgmt | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 161 | oam | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 161 | mgmt | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | oam | snmp trap | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | oam | snmp trap | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | mgmt | snmp trap | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | mgmt | snmp trap | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 162 | oam | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 162 | mgmt | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 389 | oam | openLDAP | blocked(by gnp) | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 389 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 636 | oam | openLDAP | blocked(by gnp) | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 636 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service, https enable |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 873 | oam | rsyncd | blocked(by gnp) | blocked(by gnp) | Not used between System Controller and Subclouds | | Used for synchronizing patches among |
| | | | | | | | | nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 873 | mgmt | rsyncd | allowed | allowed | Not used between System Controller and Subclouds | | Used for synchronizing patches among |
| | | | | | | | | nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp/udp | 2049 | oam | nfs | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp/udp | 2049 | mgmt | nfs | allowed | allowed | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2222 | oam | sm | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2222 | mgmt | sm | allowed | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2223 | oam | sm | allowed | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 3300 | mgmt | ceph-mon | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4545 | oam | stx-nfv | allowed(service public endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4545 | mgmt | stx-nfv | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4546 | mgmt | stx-nfv | allowed(service admin endpoint) | System Controller | Subclouds |vim-restapi admin endpoint, https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4546 | mgmt | stx-nfv | allowed(service admin endpoint) | Subclouds | System Controller |vim-restapi admin endpoint, https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5000 | oam | keystone-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5000 | mgmt | keystone-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5001 | mgmt | keystone-api | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5001 | mgmt | keystone-api | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5432 | oam | postgres | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | postgres db serving port |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5432 | mgmt | postgres | allowed(serving port) | Not used between System Controller and Subclouds | | postgres db serving port |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5491 | oam | patching-api | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5491 | mgmt | patching-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | patching-api internal endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5492 | mgmt | patching-api | allowed(service admin endpoint) | System Controller | Subclouds |patching-api admin endpoint,https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5492 | mgmt | patching-api | allowed(service admin endpoint) | Subclouds | System Controller |patching-api admin endpoint,https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 15491 | oam | patching-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | patching-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6385 | oam | sysinv-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6385 | mgmt | sysinv-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6386 | mgmt | sysinv-api | allowed(service public endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6386 | mgmt | sysinv-api | allowed(service public endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6443 | oam | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6443 | mgmt | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6789 | mgmt | ceph-mon | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6800 | mgmt | ceph-mgr | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6801 | mgmt | ceph-mgr | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6802 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6803 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6804 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6805 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7777 | oam | stx-ha (sm) | allowed(service public endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7777 | mgmt | stx-ha (sm) | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7778 | mgmt | stx-ha (sm) | allowed(service admin endpoint) | Not used between System Controller and Subclouds | | sm-api admin endpoint, https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 7999 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | oam | horizon http | allowed | blocked(by gnp) | Not used between System Controller and Subclouds | | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | mgmt | horizon http | allowed | allowed | System Controller | Subclouds | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | mgmt | horizon http | allowed | allowed | Subclouds | System Controller | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8119 | oam | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8119 | mgmt | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8120 | mgmt | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api, https enabled |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8219 | mgmt | dcdbsync-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8220 | mgmt | dcdbsync-api | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8220 | mgmt | dcdbsync-api | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | oam | horizon https | allowed | blocked(by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | mgmt | horizon https | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | mgmt | horizon https | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | oam | Docker registry | allowed(serving port) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | oam | Docker registry | allowed(serving port) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | mgmt | Docker registry | allowed(serving port) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | mgmt | Docker registry | allowed(serving port) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | oam | Registry token | allowed(serving port) | System Controller | Subclouds | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | oam | Registry token | allowed(serving port) | Subclouds | System Controller | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | mgmt | Registry token | allowed(serving port) | System Controller | Subclouds | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | mgmt | Registry token | allowed(serving port) | Subclouds | System Controller | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9311 | oam | barbican-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9311 | mgmt | barbican-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9312 | mgmt | barbican-api | allowed(service admin endpoint) | System Controller |Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9312 | mgmt | barbican-api | allowed(service admin endpoint) | Subclouds |System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 11211 | mgmt | memcached | allowed(keystone cache backend) | Not used between System Controller and Subclouds | | keystone cache backend |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18002 | oam | stx-fault | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18002 | mgmt | stx-fault | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18003 | mgmt | stx-fault | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18003 | mgmt | stx-fault | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| icmp | NA | oam | icmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| | | | | | | | | |
| | | | | | | **The only exception is when using ICMP during | | |
| | | | | | | subcloud installs**. | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| icmp | NA | mgmt | icmp | allowed | allowed | Not used between System Controller and Subclouds | | |
| | | | | | | | | |
| | | | | | | **The only exception is when using ICMP during | | |
| | | | | | | subcloud installs**. | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25491 | oam | dcorch-patch | allowed (service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy public endpoint |
| | | | -api-proxy | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25491 | mgmt | dcorch-patch |allowed(service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy internal endpoint|
| | | | -api-proxy |internal endpoint)| | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25492 | mgmt | dcorch-patch | allowed(service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy admin endpoint |
| | | | -api-proxy | admin endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30001-| mgmt | VIM | allowed | allowed | Not used between System Controller and Subclouds | | |
| | 30004 | | | | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30555 | oam | OIDC Client | blocked(by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30555 | mgmt | OIDC Client | allowed(serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30556 | oam | DEX OIDC Provider| blocked(by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30556 | mgmt | DEX OIDC Provider| allowed(serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | oam | Elastic Dashboard| allowed(NodePort)| NA | System Controller | Subclouds | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | oam | Elastic Dashboard| allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | mgmt | Elastic Dashboard| allowed(NodePort)| NA | System Controller | Subclouds | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | mgmt | Elastic Dashboard| allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31090-| oam | Kafka Brokers | allowed(NodePort)| NA | Not used between System Controller and Subclouds | | Only when Analytics is applied, https |
| | 31099 | | (NodePort) | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31090-| mgmt | Kafka Brokers | allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | 31099 | | (NodePort) | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32000 | oam | Kubernetes | allowed(NodePort)| allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard |
| | | | dashboard | | | | | is installed |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32000 | mgmt | Kubernetes | allowed(NodePort)| allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard |
| | | | dashboard | | | | | is installed |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32323 | oam | vim-webserver | blocked(by gnp) | blocked(by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
.. csv-table:: Table 1. |prod-dc| port requirements
:file: /dist_cloud/kubernetes/FW_PORTS.csv
:header-rows: 1
.. end-dc-ports-table

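--- a/fetch-ports-files.sh
+++ b/fetch-ports-files.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# HTML
+curl https://opendev.org/starlingx/config/raw/branch/master/sysinv/sysinv/sysinv/sysinv/common/platform_firewall.py --create-dirs -o tmp/platform_firewall.py
+curl https://opendev.org/starlingx/config/raw/branch/master/sysinv/sysinv/sysinv/sysinv/common/constants.py --create-dirs -o tmp/constants.py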
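Review bot: Both curl calls run without `-f`, so an HTTP error (a moved or missing file) writes the error page into tmp/platform_firewall.py with exit status 0 and py_2_xlsx.py then parses that page as source; the script also has no `set -e`, so a transport failure does not stop the tox run. Fetching from `branch/master` at build time additionally means the published port table can change with no corresponding commit in this repository and cannot be reproduced later; pinning the URL to a tag or commit of starlingx/config would make the generated table reproducible. Suggested: add `set -euo pipefail` after the shebang and use `curl -fsSL --create-dirs -o tmp/platform_firewall.py "<URL>"` (same form for constants.py).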

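--- a/py_2_xlsx.py
+++ b/py_2_xlsx.py
@@ -0,0 +1,124 @@
+import re
+import os
+import sys
+import pandas as pd
+from _p_columns import columns, port_index, src_index, net_index
+df = pd.DataFrame(columns=columns)
+def convert_to_uppercase(input_string):
+return input_string.upper()
+# Look up a port number assigned to a constant in another file
+def find_port_number(filename, search_string):
+found_port = None
+with open(filename, 'r') as file:
+for line in file:
+match = re.search(rf'{search_string}\s*=\s*(\d+)', line)
+if match:
+found_port = int(match.group(1))
+break
+return found_port
+def remove_prefix(input_string):
+# Find the index of the first period
+period_index = input_string.find('.')
+if period_index != -1:
+return input_string[period_index + 1:]
+else:
+# Return the original string
+return input_string
+def delete_file(file_path):
+try:
+# Check if the file exists
+if os.path.exists(file_path):
+# Delete the file
+os.remove(file_path)
+print(f"File '{file_path}' deleted successfully.")
+else:
+print(f"File '{file_path}' does not exist.")
+except Exception as e:
+print(f"An error occurred: {e}")
+def is_numeric(array, index):
+array = [element.strip() for element in array]
+# Check if the array has an integer at the element to be tested
+if len(array) > index:
+return array[index].isnumeric()
+else:
+return False
+def prepend_string(main_string, prepend_string):
+return prepend_string + main_string
+def append_string(*args, **kwargs):
+return prepend_string(*args, **kwargs)
+def extract_docu_comments(input_file, out_file):
+sect = "N/A"
+prot = "N/A"
+with open(input_file, 'r') as file:
+lines = file.readlines()
+for line in lines:
+match = re.search(r'^(\S+)\s*=\s*(\{|\\)', line)
+if match:
+sect = match.group(1).strip()
+sect = append_string(',', sect)
+prot = "N/A, "
+match = re.search(r'("tcp":|"udp":)', line)
+if match:
+prot = match.group(1).strip()
+prot = prot.replace(':', '').strip()
+prot = convert_to_uppercase(prot)
+prot = append_string(',', prot)
+# Check if the line contains a comment starting with 'docu' followed by
+# a colon
+if '#' in line and 'docu:' in line.lstrip():
+docu_line = re.sub(r',?\s*#\s*(noqa: E501)?\s+docu:\s*', ',', line).strip()
+docu_line = docu_line.replace(':', ',').strip()
+docu_line = prepend_string(docu_line, prot)
+docu_line = prepend_string(docu_line, sect)
+docu_line = docu_line.replace('"', '').strip()
+column_values = docu_line.split(',')
+if not is_numeric(column_values, port_index):
+const = column_values[port_index]
+column_values[port_index] = find_port_number(const_file, remove_prefix(column_values[port_index]))
+print("Replaced " + const.strip() + " with " + str(column_values[port_index]))
+if 'OAM' in column_values[src_index]:
+column_values[net_index] = 'oam'
+# print("Processing: " + line)
+df.loc[len(df)] = column_values
+ports_column_name = df.columns[port_index]
+df[ports_column_name] = pd.to_numeric(df[ports_column_name], errors='coerce')
+df.to_excel(excel_file, index=False)
+print(f"Ports list successfully extracted to '{excel_file}'.")
+if len(sys.argv) != 4:
+print(f"""\
+This script reads a python file to create an Excel sheet of firewall
+port definitions.
+Usage: {os.path.basename(__file__)} <ports_file> <constants_file> <excel_file>
+Example: python ./py_2_xlsx.py platform_firewall.py constants.py FW_PORTS.xlsx
+""")
+sys.exit(1)
+input_file = str(sys.argv[1])
+const_file = str(sys.argv[2])
+excel_file = str(sys.argv[3])
+# Extract lines with docu comments
+extract_docu_comments(input_file, excel_file)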
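Review bot: `extract_docu_comments` ignores its `out_file` parameter and instead reads the module globals `excel_file` and `const_file`, which are only assigned after the argv check further down, so calling the function from anywhere else fails with NameError and the parameter is misleading. Write the output with `df.to_excel(out_file, index=False)` and pass the constants file in explicitly, e.g. `def extract_docu_comments(input_file, const_file, out_file):`. In `find_port_number`, `search_string` is interpolated into the pattern unescaped and unanchored, so a constant name containing regex metacharacters misbehaves and `FOO_PORT` also matches `SYSINV_FOO_PORT`; use `re.search(rf'^\s*{re.escape(search_string)}\s*=\s*(\d+)', line)`. When that lookup returns None the row is still appended with an empty port and only a print records it; skipping the row or raising would keep unresolved ports out of the published table. `delete_file` is not called anywhere in this hunk and its `except Exception` only prints, so it looks like dead code that can be dropped.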


@ -23,6 +23,9 @@ commands =
python parser.py -l templates/logs_template.rst -e tmp/events.yaml -s 100,200,300,400,500,700,800,900 -ts = -type Log -outputPath doc/source/fault-mgmt/openstack/ -sort Yes -product openstack -replace "|,OR"
bash ./normalize-includes.sh
bash ./dup-abbr-check.sh
bash ./fetch-ports-files.sh
python py_2_xlsx.py tmp/platform_firewall.py tmp/constants.py tmp/FW_PORTS.xlsx
python xlst_2_csv.py tmp/FW_PORTS.xlsx doc/source/dist_cloud/kubernetes/FW_PORTS.csv --columns Source Port Protocol Network Desc HTTPS Note _stx --sort_orders Port=asc --filters _stx=y
[testenv:postbuild-docs]
commands =
@ -32,6 +35,7 @@ commands =
bash hide-empty-rows.sh doc/build/html
bash htmlChecks.sh doc/build/html
[testenv:docs]
deps =
# -c{env:TOX_CONSTRAINTS_FILE:doc/upper-constraints.txt}
@ -45,6 +49,9 @@ allowlist_externals = bash
./hide-empty-rows.sh
./htmlChecks.sh
./get-remote-files.sh
./fetch-ports-files.sh
./py_2_xlsx.py
./xlst_2_csv.py
git
# hw-updates.sh

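--- a/xlst_2_csv.py
+++ b/xlst_2_csv.py
@@ -0,0 +1,64 @@
+import pandas as pd
+import argparse
+import re
+from _p_columns import columns, port_index
+def export_to_csv(input_file, output_file, columns, filters, sort_orders):
+# Load the Excel file
+df = pd.read_excel(input_file)
+# Filter columns
+df = df[columns]
+# Apply filters
+for column, value in filters.items():
+if isinstance(value, list):
+df = df[df[column].isin(value)]
+else:
+df = df[df[column] == value]
+# Apply sort orders
+sort_columns = [col for col, order in sort_orders.items()]
+sort_ascending = [order == 'asc' for order in sort_orders.values()]
+df = df.sort_values(by=sort_columns, ascending=sort_ascending)
+# Drop filter-only columns that begin with an underscore
+pattern = re.compile("^_[a-z]+$")
+for c in columns:
+if pattern.match(c):
+df.pop(c)
+# Export to CSV
+df.to_csv(output_file, index=False)
+if __name__ == "__main__":
+parser = argparse.ArgumentParser(description="Export a CSV list of ports from Excel with specified columns, filters, and sort orders.")
+parser.add_argument("input_file", help="Path to the input Excel file. Positioned BEFORE options.")
+parser.add_argument("output_file", help="Path to the output CSV file. Positioned BEFORE options.")
+parser.add_argument("--columns", nargs='+', required=True, help="Space separated list of columns to include in the CSV file")
+parser.add_argument("--filters", nargs='*', required=True, action='append', help="Column filters in the format column=value or column=[value1,value2,...]")
+parser.add_argument("--sort_orders", nargs='*', required=True, action='append', help="Sort orders in the format column=asc/desc")
+args = parser.parse_args()
+# Process filters argument
+filters = {}
+for filt in args.filters:
+for f in filt:
+column, value = f.split('=')
+if value.startswith('[') and value.endswith(']'):
+value = value.strip('[]').split(',')
+filters[column] = value
+# Process sort orders argument
+sort_orders = {}
+for sort in args.sort_orders:
+for s in sort:
+column, order = s.split('=')
+sort_orders[column] = order
+export_to_csv(args.input_file, args.output_file, args.columns, filters, sort_orders)
+# Note that positional args are first. Hidden filter columns must be listed in --columns
+# e.g: python3.10 xlst_2_csv.py FW_PORTS.xlsx FW_PORTS.csv --columns Source Port Protocol Network Desc HTTPS Note _pl --sort_orders Port=asc --filters _pl=y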
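Review bot: `from _p_columns import columns, port_index` near the top is never used: `port_index` has no reference in the file and the imported `columns` is shadowed by the `columns` parameter of `export_to_csv`, so the import should be dropped. The argument parsing does `column, value = f.split('=')`, which raises a bare ValueError when a value contains '='; `column, value = f.split('=', 1)` (and likewise for `s.split`) keeps everything after the first '=' as the value. A filter or sort column that is not listed in `--columns` only surfaces as a pandas KeyError after the `df[columns]` projection; the trailing comment documents that constraint, but an explicit check such as `missing = (set(filters) | set(sort_orders)) - set(args.columns)` followed by `parser.error(f"columns not selected: {sorted(missing)}")` would report it clearly.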