Enable DHCP ports on neutron-dhcp-agent hosts

Change-Id: I7ed387d4ac9a397554b24c3ac318a42af7ed2901
Fixes: rhbz#999695

packstack/plugins/amqp_002.py

@@ -233,19 +233,13 @@ def createmanifest(config):
 
     manifestdata = getManifestTemplate('amqp.pp')
 
-
     #All hosts should be able to talk to amqp
-    hosts = ["'%s'" % i for i in filtered_hosts(config, exclude=False)]
-    # if the rule already exists for one port puppet will fail
-    # so i had to add always both amqp ports (plain and SSL) in order
-    # to avoid rule changes, this is due some problematic behaviour of
-    # the puppet firewall module
-    # this is a temporary solution, as soon as the firewall module is
-    # updated we'll go back to previous state in which we open just
-    # the needed ports
-    config['FIREWALL_ALLOWED'] = ','.join(hosts)
     config['FIREWALL_SERVICE_NAME'] = "amqp"
     config['FIREWALL_PORTS'] =  "'5671', '5672'"
-    manifestdata += getManifestTemplate("firewall.pp")
+    config['FIREWALL_CHAIN'] = "INPUT"
+    for host in filtered_hosts(config, exclude=False):
+        config['FIREWALL_ALLOWED'] = "'%s'" % host
+        config['FIREWALL_SERVICE_ID'] = "amqp_%s" % host
+        manifestdata += getManifestTemplate("firewall.pp")
 
     appendManifestFile(manifestfile, manifestdata, 'pre')

packstack/plugins/ceilometer_800.py

@@ -98,7 +98,9 @@ def create_manifest(config):
     manifestdata += getManifestTemplate("ceilometer.pp")
     config['FIREWALL_ALLOWED'] = "'ALL'"
     config['FIREWALL_SERVICE_NAME'] = 'ceilometer-api'
+    config['FIREWALL_SERVICE_ID'] = 'ceilometer_api'
     config['FIREWALL_PORTS'] = "'8777'"
+    config['FIREWALL_CHAIN'] = "INPUT"
     manifestdata += getManifestTemplate("firewall.pp")
     # Add a template that creates a group for nova because the ceilometer
     # class needs it

packstack/plugins/cinder_250.py

@@ -370,15 +370,18 @@ def create_manifest(config):
         config['CONFIG_SWIFT_PROXY'] = config['CONFIG_SWIFT_PROXY_HOSTS'].split(',')[0].strip()
         manifestdata += getManifestTemplate('cinder_backup.pp')
 
-    hosts = set()
-    if config['CONFIG_NOVA_INSTALL'] == 'y':
-        hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
-    else:
-        hosts.add('ALL',)
-
-    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i.strip() for i in hosts if i.strip()])
     config['FIREWALL_SERVICE_NAME'] = "cinder"
     config['FIREWALL_PORTS'] = "'3260', '8776'"
-    manifestdata += getManifestTemplate("firewall.pp")
+    config['FIREWALL_CHAIN'] = "INPUT"
+
+    if config['CONFIG_NOVA_INSTALL'] == 'y':
+        for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
+            config['FIREWALL_ALLOWED'] = "'%s'" % host
+            config['FIREWALL_SERVICE_ID'] = "cinder_%s" % host
+            manifestdata += getManifestTemplate("firewall.pp")
+    else:
+        config['FIREWALL_ALLOWED'] = "'ALL'"
+        config['FIREWALL_SERVICE_ID'] = "cinder_ALL"
+        manifestdata += getManifestTemplate("firewall.pp")
 
     appendManifestFile(manifestfile, manifestdata)

packstack/plugins/glance_200.py

@@ -100,13 +100,17 @@ def createmanifest(config):
     if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
         manifestdata += getManifestTemplate(get_mq(config, "glance_ceilometer"))
 
-    hosts = set()
-    if config['CONFIG_NOVA_INSTALL'] == 'y':
-        hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
-    else:
-        hosts.add('ALL',)
-    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
     config['FIREWALL_SERVICE_NAME'] = "glance"
     config['FIREWALL_PORTS'] = "'9292'"
-    manifestdata += getManifestTemplate("firewall.pp")
+    config['FIREWALL_CHAIN'] = "INPUT"
+    if config['CONFIG_NOVA_INSTALL'] == 'y':
+        for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
+            config['FIREWALL_ALLOWED'] = "'%s'" % host
+            config['FIREWALL_SERVICE_ID'] = "glance_%s" % host
+            manifestdata += getManifestTemplate("firewall.pp")
+    else:
+        config['FIREWALL_ALLOWED'] = "'ALL'"
+        config['FIREWALL_SERVICE_ID'] = "glance_ALL"
+        manifestdata += getManifestTemplate("firewall.pp")
+
     appendManifestFile(manifestfile, manifestdata)

packstack/plugins/keystone_100.py

@@ -123,6 +123,8 @@ def create_manifest(config):
     manifestdata = getManifestTemplate("keystone.pp")
     config['FIREWALL_ALLOWED'] = "'ALL'"
     config['FIREWALL_SERVICE_NAME'] = "keystone"
+    config['FIREWALL_SERVICE_ID'] = "keystone"
     config['FIREWALL_PORTS'] = "'5000', '35357'"
+    config['FIREWALL_CHAIN'] = "INPUT"
     manifestdata += getManifestTemplate("firewall.pp")
     appendManifestFile(manifestfile, manifestdata)

packstack/plugins/mysql_001.py

@@ -127,9 +127,12 @@ def createmanifest(config):
                 for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
                     hosts.add(host.strip())
 
-    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
     config['FIREWALL_SERVICE_NAME'] = "mysql"
     config['FIREWALL_PORTS'] = "'3306'"
-    manifestdata.append(getManifestTemplate("firewall.pp"))
+    config['FIREWALL_CHAIN'] = "INPUT"
+    for host in hosts:
+        config['FIREWALL_ALLOWED'] = "'%s'" % host
+        config['FIREWALL_SERVICE_ID'] = "mysql_%s" % host
+        manifestdata.append(getManifestTemplate("firewall.pp"))
 
     appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')

packstack/plugins/nagios_910.py

@@ -175,7 +175,9 @@ def createnrpemanifests(config):
         #Only the Nagios host is allowed to talk to nrpe
         config['FIREWALL_ALLOWED'] = "'%s'" % config['CONFIG_NAGIOS_HOST']
         config['FIREWALL_SERVICE_NAME'] = "nagios-nrpe"
+        config['FIREWALL_SERVICE_ID'] = "nagios_nrpe"
         config['FIREWALL_PORTS'] = '5666'
+        config['FIREWALL_CHAIN'] = "INPUT"
         manifestdata += getManifestTemplate("firewall.pp")
         appendManifestFile(manifestfile, manifestdata)
 

packstack/plugins/neutron_350.py

@@ -653,6 +653,10 @@ def create_manifests(config):
     if config['CONFIG_NOVA_INSTALL'] == 'y':
         allowed_hosts.add(config['CONFIG_NOVA_API_HOST'])
 
+    config['FIREWALL_SERVICE_NAME'] = "neutron server"
+    config['FIREWALL_PORTS'] = "'9696'"
+    config['FIREWALL_CHAIN'] = "INPUT"
+
     for host in q_hosts:
         manifest_file = "%s_neutron.pp" % (host,)
         manifest_data = getManifestTemplate("neutron.pp")
@@ -663,11 +667,11 @@ def create_manifests(config):
             manifest_file = "%s_neutron.pp" % (host,)
             manifest_data = getManifestTemplate("neutron_api.pp")
             # Firewall Rules
-            config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i
-                                                   for i in allowed_hosts])
-            config['FIREWALL_SERVICE_NAME'] = "neutron"
-            config['FIREWALL_PORTS'] = "'9696'"
-            manifest_data += getManifestTemplate("firewall.pp")
+            for f_host in q_hosts:
+                config['FIREWALL_ALLOWED'] = "'%s'" % f_host
+                config['FIREWALL_SERVICE_ID'] = "neutron_server_%s_%s" % (host, f_host)
+                manifest_data += getManifestTemplate("firewall.pp")
+
             appendManifestFile(manifest_file, manifest_data, 'neutron')
 
         # Set up any l2 plugin configs we need anywhere we install neutron
@@ -712,13 +716,29 @@ def create_dhcp_manifests(config):
     global dhcp_hosts
 
     plugin = config['CONFIG_NEUTRON_L2_PLUGIN']
+
     for host in dhcp_hosts:
         config["CONFIG_NEUTRON_DHCP_HOST"] = host
         config['CONFIG_NEUTRON_DHCP_INTERFACE_DRIVER'] = get_if_driver(config)
-        manifestdata = getManifestTemplate("neutron_dhcp.pp")
-        manifestfile = "%s_neutron.pp" % (host,)
+        manifest_data = getManifestTemplate("neutron_dhcp.pp")
+        manifest_file = "%s_neutron.pp" % (host,)
+
+        # Firewall Rules
+        for f_host in q_hosts:
+            config['FIREWALL_ALLOWED'] = "'%s'" % f_host
+            config['FIREWALL_SERVICE_NAME'] = "neutron dhcp in"
+            config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_in_%s_%s" % (host, f_host)
+            config['FIREWALL_PORTS'] = "'67'"
+            config['FIREWALL_CHAIN'] = "INPUT"
+            manifest_data += getManifestTemplate("firewall.pp")
+            config['FIREWALL_SERVICE_NAME'] = "neutron dhcp out"
+            config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_out_%s_%s" % (host, f_host)
+            config['FIREWALL_PORTS'] = "'68'"
+            config['FIREWALL_CHAIN'] = "OUTPUT"
+            manifest_data += getManifestTemplate("firewall.pp")
+
+        appendManifestFile(manifest_file, manifest_data, 'neutron')
 
-        appendManifestFile(manifestfile, manifestdata + "\n")
 
 
 def create_lbaas_manifests(config):

packstack/plugins/nova_300.py

@@ -473,7 +473,9 @@ def createcomputemanifest(config):
         # http://docs.openstack.org/developer/nova/nova.concepts.html#concept-system-architecture
         config['FIREWALL_ALLOWED'] = "'%s'" % (config['CONFIG_NOVA_SCHED_HOST'].strip())
         config['FIREWALL_SERVICE_NAME'] = "nova compute"
+        config['FIREWALL_SERVICE_ID'] = "nova_compute"
         config['FIREWALL_PORTS'] = "'5900-5999'"
+        config['FIREWALL_CHAIN'] = "INPUT"
         manifestdata += getManifestTemplate("firewall.pp")
 
         manifestdata += "\n" + nova_config_options.getManifestEntry()

packstack/plugins/swift_600.py

@@ -283,13 +283,19 @@ def createstoragemanifest(config):
     # set allowed hosts for firewall
     swift_hosts = get_swift_hosts(config)
     hosts = swift_hosts.copy()
+    manifestdata = ""
     if config['CONFIG_NOVA_INSTALL'] == 'y':
         hosts |= split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
-    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
-    # firewall rules for storage and rsync
+
     config['FIREWALL_SERVICE_NAME'] = "swift storage and rsync"
     config['FIREWALL_PORTS'] = "'6000', '6001', '6002', '873'"
-    manifestdata = getManifestTemplate("firewall.pp")
+    config['FIREWALL_CHAIN'] = "INPUT"
+
+    for host in hosts:
+        config['FIREWALL_ALLOWED'] = "'%s'" % host
+        config['FIREWALL_SERVICE_ID'] = "swift_storage_and_rsync_%s" % host
+        manifestdata += getManifestTemplate("firewall.pp")
+
     for host in swift_hosts:
         manifestfile = "%s_swift.pp" % host
         appendManifestFile(manifestfile, manifestdata)

packstack/puppet/modules/packstack/manifests/firewall.pp

@@ -0,0 +1,23 @@
+# Create firewall rules to allow only the FIREWALL_ALLOWED
+# hosts that need to connect via FIREWALL_PORTS
+# using FIREWALL_CHAIN
+
+define packstack::firewall($host, $service_name, $chain = "INPUT", $ports) {
+  $source = $host ? {
+    'ALL' => '0.0.0.0/0',
+    default => $host,
+  }
+  $heading = $chain ? {
+    'OUTPUT' => 'outgoing',
+    default => 'incoming',
+  }
+
+  firewall { "001 ${service_name} ${heading} ${title}":
+    chain => $chain,
+    proto  => ['tcp', 'udp'],
+    dport  => $ports,
+    action => 'accept',
+    source => $source,
+  }
+}
+

packstack/puppet/templates/firewall.pp

@@ -1,19 +1,11 @@
-# Create firewall rules to allow only the hosts that need to connect
-# to %(FIREWALL_SERVICE_NAME)s
+# Create firewall rules to allow only the FIREWALL_ALLOWED
+# hosts that need to connect via FIREWALL_PORTS
+# using FIREWALL_CHAIN
 
-$hosts = [ %(FIREWALL_ALLOWED)s ]
-
-define add_allow_host {
-    $source = $title ? {
-        'ALL' => '0.0.0.0/0',
-        default => $title,
-    }
-    firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
-        proto  => 'tcp',
-        dport  => [%(FIREWALL_PORTS)s],
-        action => 'accept',
-        source => $source,
-    }
+packstack::firewall {'%(FIREWALL_SERVICE_ID)s':
+  host => %(FIREWALL_ALLOWED)s,
+  service_name => '%(FIREWALL_SERVICE_NAME)s',
+  chain => '%(FIREWALL_CHAIN)s',
+  ports => [%(FIREWALL_PORTS)s],
 }
 
-add_allow_host {$hosts:}