
Update PG Firewall rules for MOS

Change-Id: I0309dd9bf00a9d0f340653b977dfa8f05a54ceab
Ticket: [SOL-904]
Signed-off-by: Muhammad Shahzeb <mshahzeb@plumgrid.com>
Muhammad Shahzeb 2 years ago
parent
commit
41f19ebf86

+ 2
- 4
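--- a/deployment_scripts/puppet/manifests/director.pp
+++ b/deployment_scripts/puppet/manifests/director.pp
@@ -70,17 +70,15 @@ class { 'plumgrid':
   fabric_dev   => $fabric_dev,
   lvm_keypath  => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
   md_ip        => $md_ip,
+  source_net   => $mgmt_net,
+  dest_net     => $mgmt_net,
 }
 
 class { 'sal':
   plumgrid_ip => $controller_ipaddresses,
   virtual_ip  => $plumgrid_vip,
   md_ip       => $md_ip,
-}
-
-class { plumgrid::firewall:
   source_net => $mgmt_net,
-  dest_net   => $mgmt_net,
 }
 
 # Setup Neutron PLUMgrid Configurations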

+ 2
- 5
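--- a/deployment_scripts/puppet/manifests/edge.pp
+++ b/deployment_scripts/puppet/manifests/edge.pp
@@ -40,11 +40,8 @@ class { 'plumgrid':
   fabric_dev  => $fabric_dev,
   lvm_keypath => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
   md_ip       => $md_ip,
-}
-
-class { plumgrid::firewall:
-  source_net=> $mgmt_net,
-  dest_net=> $mgmt_net,
+  source_net  => $mgmt_net,
+  dest_net    => $mgmt_net,
 }
 
 package { 'nova-api':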

+ 2
- 5
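--- a/deployment_scripts/puppet/manifests/gateway.pp
+++ b/deployment_scripts/puppet/manifests/gateway.pp
@@ -36,11 +36,8 @@ class { 'plumgrid':
   gateway_devs => split($plumgrid_gw_devs, ','),
   lvm_keypath  => "/var/lib/plumgrid/zones/$plumgrid_zone/id_rsa.pub",
   md_ip        => $md_ip,
-}
-
-class { plumgrid::firewall:
-  source_net => $mgmt_net,
-  dest_net   => $mgmt_net,
+  source_net   => $mgmt_net,
+  dest_net     => $mgmt_net,
 }
 
 package { 'iptables-persistent':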

+ 0
- 51
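--- a/deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp
+++ b/deployment_scripts/puppet/modules/plumgrid/manifests/firewall.pp
@@ -1,51 +0,0 @@
-#
-# Copyright (c) 2016, PLUMgrid Inc, http://plumgrid.com
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-class plumgrid::firewall (
-  $source_net = undef,
-  $dest_net = undef,
-) {
-
-  if $source_net != undef {
-    firewall { '001 plumgrid udp':
-      proto       => 'udp',
-      action      => 'accept',
-      state       => ['NEW'],
-      destination => $dest_net,
-      source      => $source_net,
-      before      => Class['plumgrid'],
-    }
-    firewall { '001 plumgrid rpc':
-      proto       => 'tcp',
-      action      => 'accept',
-      state       => ['NEW'],
-      destination => $dest_net,
-      source      => $source_net,
-      before      => Class['plumgrid'],
-    }
-    firewall { '040 allow vrrp':
-      proto       => 'vrrp',
-      action      => 'accept',
-      before      => Class['plumgrid'],
-    }
-    firewall { '040 keepalived':
-      proto       => 'all',
-      action      => 'accept',
-      destination => '224.0.0.18/32',
-      source      => $source_net,
-      before      => Class['plumgrid'],
-    }
-  }
-}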

+ 21
- 0
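--- a/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/plumgrid/manifests/init.pp
@@ -31,6 +31,8 @@ class plumgrid (
   $repo_baseurl = '',
   $repo_component = '',
   $physical_location = '',
+  $source_net = undef,
+  $dest_net = undef,
 ) inherits plumgrid::params {
   Exec { path => [ '/bin', '/sbin' , '/usr/bin', '/usr/sbin', '/usr/local/bin', ] }
 
@@ -106,6 +108,25 @@ class plumgrid (
     notify => Service['plumgrid'],
   }
 
+  if $source_net != undef {
+    firewall { '001 plumgrid udp':
+      proto       => 'udp',
+      action      => 'accept',
+      state       => ['NEW'],
+      destination => $dest_net,
+      source      => $source_net,
+      before => Service['plumgrid'],
+    }
+    firewall { '001 plumgrid rpc':
+      proto       => 'tcp',
+      action      => 'accept',
+      state       => ['NEW'],
+      destination => $dest_net,
+      source      => $source_net,
+      before => Service['plumgrid'],
+    }
+  }
+
   service { 'plumgrid':
     ensure => running,
     enable => true,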
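Review bot: The guard `if $source_net != undef` in the second hunk checks only `$source_net`, yet both rules also pass `destination => $dest_net`; if a caller sets `source_net` alone, the destination appears to be left unset and the accept rule would apply to any destination. Neither `001 plumgrid udp` nor `001 plumgrid rpc` sets `dport`, so together they accept every new TCP and UDP connection from the source network, which is broader than the rule names suggest. I would tighten the guard to `if $source_net != undef and $dest_net != undef {` and add a `dport` list to each rule once the ports PLUMgrid actually needs are confirmed. The two `before => Service['plumgrid'],` lines are also out of alignment with the other attributes. The class body starts and ends outside the hunk.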

+ 16
- 0
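--- a/deployment_scripts/puppet/modules/sal/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/sal/manifests/init.pp
@@ -17,6 +17,7 @@ class sal ($plumgrid_ip = '',
            $virtual_ip = '',
            $rest_port = '9180',
            $mgmt_dev = '%AUTO_DEV%',
+           $source_net = undef,
            $md_ip = '127.0.0.1',
            ) {
   $lxc_root_path = '/var/lib/libvirt/filesystems/plumgrid'
@@ -30,6 +31,21 @@ class sal ($plumgrid_ip = '',
     before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
   }
 
+  if $source_net != undef {
+    firewall { '040 allow vrrp':
+        proto       => 'vrrp',
+        action      => 'accept',
+        before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
+    }
+    firewall { '040 keepalived':
+        proto       => 'all',
+        action      => 'accept',
+        destination => '224.0.0.18/32',
+        source      => $source_net,
+        before => [ Class['sal::nginx'], Class['sal::keepalived'] ],
+    }
+  }
+
   class { 'sal::nginx':
     plumgrid_ip => $plumgrid_ip,
     md_ip => $md_ip,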
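Review bot: The `040 allow vrrp` rule accepts protocol `vrrp` from any source address, even though it sits inside the `$source_net` guard and the neighbouring `040 keepalived` rule already restricts its source. VRRP advertisements decide which node holds the virtual IP, so accepting them only from the management network limits exposure to advertisements arriving from other segments; adding `source      => $source_net,` to that rule would do it. The `040 keepalived` rule uses `proto => 'all'` for the multicast address 224.0.0.18, where `proto => 'vrrp'` looks sufficient, though that should be confirmed against what keepalived sends in this deployment. The class body continues outside the hunk.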
