diff --git a/playbooks/bootstrap/roles/iptables/LICENSE b/playbooks/bootstrap/roles/iptables/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/playbooks/bootstrap/roles/iptables/README.rst b/playbooks/bootstrap/roles/iptables/README.rst new file mode 100644 index 0000000..2ef1d6e --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/README.rst 
@@ -0,0 +1,41 @@ +===================== +ansible-role-iptables +===================== + +Ansible role to manage iptables + +* License: Apache License, Version 2.0 +* Documentation: https://ansible-role-iptables.readthedocs.org +* Source: https://git.openstack.org/cgit/openstack/ansible-role-iptables +* Bugs: https://bugs.launchpad.net/ansible-role-iptables + +Description +----------- + +iptables is a command line utility for configuring Linux kernel +firewall. + +Requirements +------------ + +Packages +~~~~~~~~ + +Package repository index files should be up to date before using this role, we +do not manage them. + +Role Variables +-------------- + +Dependencies +------------ + +Example Playbook +---------------- + +.. code-block:: yaml + + - name: Install iptables + hosts: all + roles: + - ansible-role-iptables diff --git a/playbooks/bootstrap/roles/iptables/bindep.txt b/playbooks/bootstrap/roles/iptables/bindep.txt new file mode 100644 index 0000000..3e30527 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/bindep.txt @@ -0,0 +1,8 @@ +# This is a cross-platform list tracking distribution packages needed by tests; +# see http://docs.openstack.org/infra/bindep/ for additional information. + +libffi-dev [platform:dpkg] +libffi-devel [platform:rpm] +libselinux-python [platform:rpm] +libssl-dev [platform:dpkg] +openssl-devel [platform:rpm] diff --git a/playbooks/bootstrap/roles/iptables/defaults/main.yaml b/playbooks/bootstrap/roles/iptables/defaults/main.yaml new file mode 100644 index 0000000..6791c7b --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/defaults/main.yaml 
@@ -0,0 +1,53 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +# tasks/main.yaml +iptables_task_manager: + - install + - config + - service + +# tasks/install.yaml +iptables_package_state: present + +iptables_install_method: package + +# tasks/config.yaml +iptables_file_configdir_group: root +iptables_file_configdir_mode: 0755 +iptables_file_configdir_owner: root +iptables_file_configdir_path: /etc/iptables + +iptables_file_ipv4_rules_dest: "{{ iptables_file_configdir_path }}/rules.v4" +iptables_file_ipv4_rules_group: root +iptables_file_ipv4_rules_mode: 0644 +iptables_file_ipv4_rules_owner: root +iptables_file_ipv4_rules_src: etc/iptables/rules.v4.j2 + +iptables_file_ipv6_rules_dest: "{{ iptables_file_configdir_path }}/rules.v6" +iptables_file_ipv6_rules_group: root +iptables_file_ipv6_rules_mode: 0644 +iptables_file_ipv6_rules_owner: root +iptables_file_ipv6_rules_src: etc/iptables/rules.v6.j2 + +iptables_allowed_hosts: [] +iptables_public_tcp_ports: + - 22 +iptables_public_udp_ports: [] + +# tasks/service.yaml +iptables_service_iptables_enabled: true +iptables_service_iptables_manage: true +iptables_service_iptables_name: netfilter-persistent +iptables_service_iptables_state: started diff --git a/playbooks/bootstrap/roles/iptables/doc/source/conf.py b/playbooks/bootstrap/roles/iptables/doc/source/conf.py new file mode 100755 index 0000000..030a9ea --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/doc/source/conf.py 
@@ -0,0 +1,73 @@ +# -*- coding: utf-8 -*- +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import os +import sys + +sys.path.insert(0, os.path.abspath('../..')) +# -- General configuration ---------------------------------------------------- + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones. +extensions = [ + 'sphinx.ext.autodoc', +] + +# autodoc generation is a bit aggressive and a nuisance when doing heavy +# text edit cycles. +# execute "export SPHINX_DEBUG=1" in your terminal to disable + +# The suffix of source filenames. +source_suffix = '.rst' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +project = u'ansible-role-iptables' +copyright = u'2013, OpenStack Foundation' + +# If true, '()' will be appended to :func: etc. cross-reference text. +add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +add_module_names = True + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# -- Options for HTML output -------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. Major themes that come with +# Sphinx are currently 'default' and 'sphinxdoc'. 
+# html_theme_path = ["."] +# html_theme = '_theme' +# html_static_path = ['static'] + +# Output file base name for HTML help builder. +htmlhelp_basename = '%sdoc' % project + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, author, documentclass +# [howto/manual]). +latex_documents = [ + ('index', + '%s.tex' % project, + u'%s Documentation' % project, + u'OpenStack Foundation', 'manual'), +] + +# Example configuration for intersphinx: refer to the Python standard library. +# intersphinx_mapping = {'http://docs.python.org/': None} diff --git a/playbooks/bootstrap/roles/iptables/doc/source/index.rst b/playbooks/bootstrap/roles/iptables/doc/source/index.rst new file mode 100644 index 0000000..a6210d3 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/doc/source/index.rst @@ -0,0 +1 @@ +.. include:: ../../README.rst diff --git a/playbooks/bootstrap/roles/iptables/filter_plugins/getaddrinfo.py b/playbooks/bootstrap/roles/iptables/filter_plugins/getaddrinfo.py new file mode 100644 index 0000000..bb0cc63 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/filter_plugins/getaddrinfo.py 
@@ -0,0 +1,51 @@ +# Copyright (c) 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import subprocess + + +class FilterModule(object): + + def dns(self, value, family): + ret = set() + if family == '4': + match = 'has address' + elif family == '6': + match = 'has IPv6 address' + try: + # Note we use 'host' rather than something like + # getaddrinfo so we actually query DNS and don't get any + # local-only results from /etc/hosts + output = subprocess.check_output( + ['/usr/bin/host', value], universal_newlines=True) + for line in output.split('\n'): + if match in line: + address = line.split()[-1] + ret.add(address) + except Exception: + return ret + return sorted(ret) + + def dns_a(self, value): + return self.dns(value, '4') + + def dns_aaaa(self, value): + return self.dns(value, '6') + + def filters(self): + return { + 'dns_a': self.dns_a, + 'dns_aaaa': self.dns_aaaa, + } diff --git a/playbooks/bootstrap/roles/iptables/handlers/main.yaml b/playbooks/bootstrap/roles/iptables/handlers/main.yaml new file mode 100644 index 0000000..2958ccf --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/handlers/main.yaml 
@@ -0,0 +1,20 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- name: Reload iptables + become: true + shell: "service {{ iptables_service_iptables_name }} reload" + args: + warn: false + tags: skip_ansible_lint diff --git a/playbooks/bootstrap/roles/iptables/meta/main.yml b/playbooks/bootstrap/roles/iptables/meta/main.yml new file mode 100644 index 0000000..55bb693 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/meta/main.yml @@ -0,0 +1,28 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +galaxy_info: + author: Paul Belanger + description: | + iptables is a command line utility for configuring Linux kernel + firewall. + company: Red Hat, Inc. + license: Apache + min_ansible_version: 2.0 + platforms: + - name: Ubuntu + versions: + - 18.04 + galaxy_tags: [] +dependencies: [] 
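Review bot: the "Role Variables" section of README.rst is empty even though the templates depend on a specific shape for `iptables_allowed_hosts` (each entry is indexed as `host.hostname`, `host['protocol']` and `host['port']`) and on `iptables_public_tcp_ports` / `iptables_public_udp_ports`; document those three, with one example entry, before anyone has to reverse-engineer them from rules.v4.j2. The example playbook also lists `- ansible-role-iptables`, but in this tree the role is vendored at `playbooks/bootstrap/roles/iptables`, so the name that resolves here is `iptables`.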
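Review bot: bindep.txt is missing the one binary the role actually executes on the controller: filter_plugins/getaddrinfo.py shells out to `/usr/bin/host`, which comes from `bind9-host` on dpkg platforms and `bind-utils` on rpm platforms, neither of which is listed. Without it every `dns_a` / `dns_aaaa` lookup fails, so add `bind9-host [platform:dpkg]` and `bind-utils [platform:rpm]` alongside the libffi/openssl entries.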
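Review bot: the bare `except Exception: return ret` in `FilterModule.dns()` turns every failure into an empty result, so a missing `/usr/bin/host` on the control node, an NXDOMAIN, a resolver timeout, or an unexpected `family` value (which leaves `match` unbound and raises NameError inside the try) all silently delete the allow rule for that host from the generated ruleset. Failing closed is right for a firewall, but it must be visible: narrow the handler to `subprocess.CalledProcessError` and `OSError`, raise `AnsibleFilterError` (or at least warn through `Display`) when a name in `iptables_allowed_hosts` resolves to nothing, and reject unknown `family` values explicitly. A comment in the file should also say what the design implies: resolution happens on the controller, with the controller's resolver, at template time, and the answer is taken on trust (no DNSSEC validation, no pinning), so whoever controls DNS for one of those names controls who gets the ACCEPT rule.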
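Review bot: the "Reload iptables" handler runs `shell: "service {{ iptables_service_iptables_name }} reload"` with `warn: false` and a lint skip, when nothing in that command needs a shell; use the `service` module with `state: reloaded` (or `command:` at minimum) so the task is idempotent-by-module and the lint exemption goes away. Before switching, confirm the unit can actually reload (`systemctl show -p CanReload netfilter-persistent`): a handler that errors out leaves the old ruleset in the kernel while the new rules.v4/rules.v6 are already on disk and will be applied at the next boot, which is exactly the kind of silent drift between file and running state a firewall role should not allow.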
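Review bot: `min_ansible_version: 2.0` in meta/main.yml is lower than what the role uses: tasks/main.yaml relies on `loop_control` / `loop_var`, which arrived in Ansible 2.1, and a bare `include` driven by `with_items` has been deprecated since 2.4 in favour of `include_tasks`. Either raise the minimum to match (2.4 if you move to `include_tasks`) or drop the loop. `license: Apache` would also be more precise as `Apache-2.0`, matching the LICENSE file added in this change.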
diff --git a/playbooks/bootstrap/roles/iptables/requirements.txt b/playbooks/bootstrap/roles/iptables/requirements.txt new file mode 100644 index 0000000..1ab0ddd --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/requirements.txt @@ -0,0 +1 @@ +ansible>=2.0.0 diff --git a/playbooks/bootstrap/roles/iptables/setup.cfg b/playbooks/bootstrap/roles/iptables/setup.cfg new file mode 100644 index 0000000..a5b01f6 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/setup.cfg @@ -0,0 +1,23 @@ +[metadata] +name = ansible-role-iptables +summary = Ansible role to manage iptables +description-file = + README.rst +author = OpenStack +author-email = openstack-dev@lists.openstack.org +home-page = http://www.openstack.org/ +classifier = + Intended Audience :: System Administrators + License :: OSI Approved :: Apache Software License + Operating System :: POSIX :: Linux + +[build_sphinx] +source-dir = doc/source +build-dir = doc/build +all_files = 1 + +[pbr] +warnerrors = True + +[wheel] +universal = 1 diff --git a/playbooks/bootstrap/roles/iptables/setup.py b/playbooks/bootstrap/roles/iptables/setup.py new file mode 100644 index 0000000..bb3db27 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/setup.py 
@@ -0,0 +1,28 @@ +# Copyright (c) 2013 Hewlett-Packard Development Company, L.P. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import setuptools + +# In python < 2.7.4, a lazy loading of package `pbr` will break +# setuptools if some other modules registered functions in `atexit`. +# solution from: http://bugs.python.org/issue15881#msg170215 +try: + import multiprocessing # noqa +except ImportError: + pass + +setuptools.setup( + setup_requires=['pbr'], + pbr=True) diff --git a/playbooks/bootstrap/roles/iptables/tasks/config.yaml b/playbooks/bootstrap/roles/iptables/tasks/config.yaml new file mode 100644 index 0000000..3910b0a --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tasks/config.yaml 
@@ -0,0 +1,44 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- name: Create required directories + become: true + file: + group: "{{ iptables_file_configdir_group }}" + mode: "{{ iptables_file_configdir_mode }}" + owner: "{{ iptables_file_configdir_owner }}" + path: "{{ iptables_file_configdir_path }}" + state: directory + +- name: Install ipv4 rules + become: true + template: + dest: "{{ iptables_file_ipv4_rules_dest }}" + group: "{{ iptables_file_ipv4_rules_group }}" + mode: "{{ iptables_file_ipv4_rules_mode }}" + owner: "{{ iptables_file_ipv4_rules_owner }}" + src: "{{ iptables_file_ipv4_rules_src }}" + notify: Reload iptables + register: iptables_file_ipv4_rules + +- name: Install ipv6 rules + become: true + template: + dest: "{{ iptables_file_ipv6_rules_dest }}" + group: "{{ iptables_file_ipv6_rules_group }}" + mode: "{{ iptables_file_ipv6_rules_mode }}" + owner: "{{ iptables_file_ipv6_rules_owner }}" + src: "{{ iptables_file_ipv6_rules_src }}" + notify: Reload iptables + register: iptables_file_ipv6_rules diff --git a/playbooks/bootstrap/roles/iptables/tasks/install.yaml b/playbooks/bootstrap/roles/iptables/tasks/install.yaml new file mode 100644 index 0000000..8a2c8c8 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tasks/install.yaml 
@@ -0,0 +1,15 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- include: "install/{{ iptables_install_method }}.yaml" diff --git a/playbooks/bootstrap/roles/iptables/tasks/install/package.yaml b/playbooks/bootstrap/roles/iptables/tasks/install/package.yaml new file mode 100644 index 0000000..d8ebf70 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tasks/install/package.yaml @@ -0,0 +1,24 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- name: Define iptables_package_name + set_fact: + iptables_package_name: "{{ __iptables_package_name }}" + when: iptables_package_name is not defined + +- name: Ensure iptables is installed + become: true + package: + name: "{{ iptables_package_name }}" + state: "{{ iptables_package_state }}" diff --git a/playbooks/bootstrap/roles/iptables/tasks/main.yaml b/playbooks/bootstrap/roles/iptables/tasks/main.yaml new file mode 100644 index 0000000..f56039c 
--- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tasks/main.yaml @@ -0,0 +1,21 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- name: Include OS-specific variables + include_vars: "{{ ansible_os_family }}.yaml" + +- include: "{{ iptables_task }}.yaml" + with_items: "{{ iptables_task_manager }}" + loop_control: + loop_var: iptables_task diff --git a/playbooks/bootstrap/roles/iptables/tasks/service.yaml b/playbooks/bootstrap/roles/iptables/tasks/service.yaml new file mode 100644 index 0000000..87fb8b5 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tasks/service.yaml 
@@ -0,0 +1,27 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- name: Define iptables_service_iptables_name + set_fact: + iptables_service_iptables_name: "{{ __iptables_service_iptables_name }}" + when: iptables_service_iptables_name is not defined + +- name: Enable iptables service + become: true + service: + enabled: "{{ iptables_service_iptables_enabled }}" + name: "{{ iptables_service_iptables_name }}" + state: "{{ iptables_service_iptables_state }}" + register: iptables_service_iptables + when: iptables_service_iptables_manage diff --git a/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v4.j2 b/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v4.j2 new file mode 100644 index 0000000..b9e1221 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v4.j2 
@@ -0,0 +1,32 @@ +# This file is generated by Ansible +# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] + +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmp --icmp-type any -j ACCEPT +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Public TCP ports +{% for port in iptables_public_tcp_ports %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT +{% endfor %} + +# Public UDP ports +{% for port in iptables_public_udp_ports %} +-A INPUT -m state -m udp -p udp --dport {{ port }} -j ACCEPT +{% endfor %} + +# Host specific rules +{% for host in iptables_allowed_hosts %} +{% for addr in host.hostname | dns_a %} +-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ addr | ipv4 }} --dport {{ host['port'] }} -j ACCEPT +{% endfor %} +{% endfor %} + +-A INPUT -j REJECT --reject-with icmp-host-prohibited + +COMMIT diff --git a/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v6.j2 b/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v6.j2 new file mode 100644 index 0000000..7386ec4 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/templates/etc/iptables/rules.v6.j2 
@@ -0,0 +1,33 @@ +# This file is generated by Ansible +# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] + +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmpv6 -j ACCEPT +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Public TCP ports +{% for port in iptables_public_tcp_ports %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT +{% endfor %} + +# Public UDP ports +{% for port in iptables_public_udp_ports %} +-A INPUT -m state -m udp -p udp --dport {{ port }} -j ACCEPT +{% endfor %} + +# Host specific rules +{% for host in iptables_allowed_hosts %} +{% for addr in host.hostname | dns_aaaa %} +-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ addr | ipv6 }} --dport {{ host['port'] }} -j ACCEPT +{% endfor %} +{% endfor %} + + +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited + +COMMIT diff --git a/playbooks/bootstrap/roles/iptables/test-requirements.txt b/playbooks/bootstrap/roles/iptables/test-requirements.txt new file mode 100644 index 0000000..9ea7158 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/test-requirements.txt @@ -0,0 +1,3 @@ +ansible-lint +hacking<0.11,>=0.10 +sphinx>=1.1.2,!=1.2.0,!=1.3b1,<1.3 diff --git a/playbooks/bootstrap/roles/iptables/tests/ansible.cfg b/playbooks/bootstrap/roles/iptables/tests/ansible.cfg new file mode 100644 index 0000000..6c8a344 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tests/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +roles_path = ../.. diff --git a/playbooks/bootstrap/roles/iptables/tests/inventory b/playbooks/bootstrap/roles/iptables/tests/inventory new file mode 100644 index 0000000..68b2dac --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tests/inventory @@ -0,0 +1,2 @@ +[all] +localhost 
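Review bot: requirements.txt lists only `ansible>=2.0.0`, but both templates pipe addresses through the `ipv4` and `ipv6` filters, which belong to Ansible's ipaddr filter set and need the `netaddr` package on the controller; without it the template task aborts with the ipaddr "requires python's netaddr" error. Add `netaddr` to requirements.txt so the functional tox env can actually render the rules.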
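Review bot: the two template tasks in tasks/config.yaml write the rules files and notify a reload without checking that the rendered ruleset parses, so a bad port value or a broken Jinja expression reaches disk and only surfaces when the handler runs, leaving the kernel on the previous ruleset. Add `validate: 'iptables-restore --test %s'` to the IPv4 task and `validate: 'ip6tables-restore --test %s'` to the IPv6 task; `--test` parses and constructs the ruleset without committing it, so the task fails before the file is replaced. The `register: iptables_file_ipv4_rules` / `iptables_file_ipv6_rules` results are not consumed anywhere in the role and can go unless tests/test.yaml is going to assert on them.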
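Review bot: `include_vars: "{{ ansible_os_family }}.yaml"` in tasks/main.yaml will fail outright on any host whose family is not Debian, because the only vars file in this change is vars/Debian.yaml while bindep.txt and the `package` module suggest RPM hosts are at least intended; either add an `assert` on `ansible_os_family` with a clear message, or use `with_first_found` with a `default.yaml` fallback. The `- include: "{{ iptables_task }}.yaml"` loop should become `include_tasks` for the same reason noted on meta/main.yml (deprecated since 2.4).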
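Review bot: the `set_fact` guard in tasks/service.yaml (`when: iptables_service_iptables_name is not defined`) can never be true, because defaults/main.yaml already sets `iptables_service_iptables_name: netfilter-persistent`; role defaults are always defined when the role runs, so the OS-specific `__iptables_service_iptables_name` from vars/ is dead code. Pick one mechanism: remove the default and let vars/*.yaml supply the name (the pattern tasks/install/package.yaml uses for `iptables_package_name`), or drop the `set_fact` and the `__` variable.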
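Review bot: the UDP rule in rules.v4.j2, `-A INPUT -m state -m udp -p udp --dport {{ port }} -j ACCEPT`, loads the state match without its mandatory `--state` option; iptables rejects that ("option --state must be specified"), so the first entry in `iptables_public_udp_ports` makes iptables-restore refuse the whole file and the host stays on whatever ruleset it had. Either drop `-m state` from the UDP line or write it as `-m state --state NEW` like the TCP rule (the `iptables_allowed_hosts` loop already gets this right by only adding `--state NEW` for tcp). Two hardening points for the same file: `-A INPUT -p icmp --icmp-type any -j ACCEPT` admits every ICMP type, where echo-request, destination-unreachable and time-exceeded are the ones a server needs (a `-m limit` on echo-request is cheap); and `:FORWARD ACCEPT [0:0]` with no FORWARD rules means the host forwards anything the moment ip_forward is on, so default it to DROP unless the host is meant to route.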
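Review bot: rules.v6.j2 carries the same defect as the IPv4 template on its UDP line, `-m state -m udp -p udp --dport {{ port }}` without `--state`, so ip6tables-restore will reject the file as soon as a UDP port is configured; fix it the same way. Unlike the IPv4 ICMP rule, `-A INPUT -p icmpv6 -j ACCEPT` should not be tightened casually: Neighbour Discovery (ICMPv6 types 133 to 137) and packet-too-big are required for the host to keep its neighbours and its path MTU, so if anyone restricts this later those types must stay explicitly allowed. The `:FORWARD ACCEPT [0:0]` default deserves the same DROP treatment as in the v4 file.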
diff --git a/playbooks/bootstrap/roles/iptables/tests/test.yaml b/playbooks/bootstrap/roles/iptables/tests/test.yaml new file mode 100644 index 0000000..ac5b270 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tests/test.yaml @@ -0,0 +1,38 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +- hosts: localhost + vars: + rolename: "{{ lookup('pipe', 'pwd') | dirname | basename }}" + pre_tasks: + # Make sure OS does not have a stale package cache. + - name: Update apt cache. + become: true + apt: + update_cache: true + when: ansible_os_family == 'Debian' + + roles: + - "{{ rolename }}" + + post_tasks: + - name: Assert results are registered + assert: + that: + - iptables_service_iptables + + - name: Ensure iptables is running + become: true + shell: /usr/sbin/service iptables status + tags: skip_ansible_lint diff --git a/playbooks/bootstrap/roles/iptables/tox.ini b/playbooks/bootstrap/roles/iptables/tox.ini new file mode 100644 index 0000000..60b7f91 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/tox.ini 
@@ -0,0 +1,48 @@ +[tox] +minversion = 1.4.2 +envlist = docs,linters +skipsdist = True + +[testenv] +deps = -r{toxinidir}/requirements.txt + -r{toxinidir}/test-requirements.txt + +[testenv:functional] +commands = + # NOTE(pabelanger): Because ansible default ansible_user to null now, we need to pass it via CLI. + ansible-playbook -i tests/inventory tests/test.yaml -e ansible_user={env:USER} +passenv = + HOME + USER +setenv = + ANSIBLE_CONFIG = {toxinidir}/tests/ansible.cfg + PYTHONUNBUFFERED = 1 + +[testenv:docs] +commands = python setup.py build_sphinx + +[testenv:venv] +commands = {posargs} + +[flake8] +# E123, E125 skipped as they are invalid PEP-8. + +show-source = True +ignore = E123,E125 +builtins = _ +exclude=.venv,.git,.tox,dist,doc,*openstack/common*,*lib/python*,*egg,build + +[testenv:linters] +setenv = + ANSIBLE_CONFIG = tests/ansible.cfg +whitelist_externals = bash +commands = + # PEP8 Lint Check + flake8 + # Ansible Lint Check + bash -c "find . -type f -regex '.*.y[a]?ml' -print0 | xargs -t -n1 -0 \ + ansible-lint" + # Ansible Syntax Check + bash -c "find tests -type f -regex '.*.y[a]?ml' -print | xargs -t -n1 \ + ansible-playbook --syntax-check -i tests/inventory \ + -e rolename=$(basename $(pwd)) > /dev/null" diff --git a/playbooks/bootstrap/roles/iptables/vars/Debian.yaml b/playbooks/bootstrap/roles/iptables/vars/Debian.yaml new file mode 100644 index 0000000..e33caa3 --- /dev/null +++ b/playbooks/bootstrap/roles/iptables/vars/Debian.yaml 
@@ -0,0 +1,17 @@ +# Copyright 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +--- +__iptables_package_name: iptables-persistent + +__iptables_service_iptables_name: netfilter-persistent diff --git a/playbooks/bootstrap/site.yaml b/playbooks/bootstrap/site.yaml index e6df345..d10a2b7 100644 --- a/playbooks/bootstrap/site.yaml +++ b/playbooks/bootstrap/site.yaml @@ -36,6 +36,13 @@ include_role: name: openstack.virtualenv + # NOTE(pabelanger): We currently only support debuntu, this needs to be + # fixed! + - name: Setup iptables role + include_role: + name: iptables + when: ansible_os_family == 'Debian' + - name: Bootstrap bastion hosts hosts: bastion:!disabled tasks:
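Review bot: In rules.v4.j2 the public UDP rule `-A INPUT -m state -m udp -p udp --dport {{ port }} -j ACCEPT` loads the state match without a `--state` argument, unlike the TCP rule directly above it and the host-specific branch, which only adds `-m state --state NEW` for tcp; the state match normally requires `--state`, so either give the UDP rule `--state NEW` or drop `-m state` from it, and run the rendered file through `iptables-restore --test` before it is installed. Two further points on the same template: `:FORWARD ACCEPT [0:0]` is set with no FORWARD rules at all, so a bastion that has IP forwarding enabled will forward anything; `:FORWARD DROP [0:0]` is the safer default for a host that is not meant to route. And the host-specific rules resolve `host.hostname | dns_a` at template render time, so the allow-list is only as fresh as the last playbook run and admits whatever the resolver answered; the role docs should say that the names in `iptables_allowed_hosts` must be under the operator's control and that the playbook has to be re-run when their addresses change.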
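Review bot: rules.v6.j2 duplicates the same UDP rule without `--state` (`-A INPUT -m state -m udp -p udp --dport {{ port }} -j ACCEPT`), which shows the cost of keeping two near-identical templates: apart from `icmpv6` vs `icmp`, `dns_aaaa` vs `dns_a`, `ipv6` vs `ipv4` and the reject type, the files are the same, so a single template parameterised by address family would stop the two from drifting. The `-A INPUT -p icmpv6 -j ACCEPT` line is correct and necessary (neighbour discovery is carried over ICMPv6), so please keep it. Minor: there is a stray double blank line before `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`, and the custom `dns_a`/`dns_aaaa`/`ipv4`/`ipv6` filters the templates depend on should be named in the role README together with where they come from.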
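Review bot: In tests/test.yaml the final check `shell: /usr/sbin/service iptables status` hard-codes the service name `iptables`, but vars/Debian.yaml sets `__iptables_service_iptables_name: netfilter-persistent`, and site.yaml only enables the role when `ansible_os_family == 'Debian'`; on the one platform the role actually runs on, this task therefore queries the wrong service. Use the role's service-name variable (or the `service` / `service_facts` modules, which would also remove the `skip_ansible_lint` tag) so the functional test verifies the unit the role really manages.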
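Review bot: In site.yaml the new `include_role` is guarded by `when: ansible_os_family == 'Debian'`, so on any other family the bastion is bootstrapped with no host firewall and nothing reports it; since the NOTE already admits only debuntu is supported, a `fail`/`assert` task on unsupported families (or a non-Debian vars file) would be safer than a silent skip, so that a host never comes up unfirewalled without the operator noticing.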