Enable DHCP ports on neutron-dhcp-agent hosts
Change-Id: I7ed387d4ac9a397554b24c3ac318a42af7ed2901 Fixes: rhbz#999695
parent
0c4f70567a
commit
63d1b48115
@ -233,19 +233,13 @@ def createmanifest(config):
|
|||
|
||||
manifestdata = getManifestTemplate('amqp.pp')
|
||||
|
||||
|
||||
#All hosts should be able to talk to amqp
|
||||
hosts = ["'%s'" % i for i in filtered_hosts(config, exclude=False)]
|
||||
# if the rule already exists for one port puppet will fail
|
||||
# so i had to add always both amqp ports (plain and SSL) in order
|
||||
# to avoid rule changes, this is due some problematic behaviour of
|
||||
# the puppet firewall module
|
||||
# this is a temporary solution, as soon as the firewall module is
|
||||
# updated we'll go back to previous state in which we open just
|
||||
# the needed ports
|
||||
config['FIREWALL_ALLOWED'] = ','.join(hosts)
|
||||
config['FIREWALL_SERVICE_NAME'] = "amqp"
|
||||
config['FIREWALL_PORTS'] = "'5671', '5672'"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
for host in filtered_hosts(config, exclude=False):
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % host
|
||||
config['FIREWALL_SERVICE_ID'] = "amqp_%s" % host
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
|
||||
appendManifestFile(manifestfile, manifestdata, 'pre')
|
||||
|
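Review bot: The per-host rule emission at L60–L72 (set `FIREWALL_CHAIN`, then per host set `FIREWALL_ALLOWED` and `FIREWALL_SERVICE_ID` and append `firewall.pp`) is repeated almost verbatim in the cinder, glance, mysql, swift, neutron-server and dhcp hunks, and every copy depends on five config keys being set in the right order before each render. A small helper that takes the service name, ports, allowed hosts and chain and returns the rendered manifest text would remove both the duplication and the implicit ordering, and would give the `FIREWALL_SERVICE_ID` naming scheme (`amqp_%s`, `cinder_%s`, …) one place to live. This render does not mark old/new sides, so I am reading the loop as the added side; createmanifest's body starts outside the hunk.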
|
|
@ -98,7 +98,9 @@ def create_manifest(config):
|
|||
manifestdata += getManifestTemplate("ceilometer.pp")
|
||||
config['FIREWALL_ALLOWED'] = "'ALL'"
|
||||
config['FIREWALL_SERVICE_NAME'] = 'ceilometer-api'
|
||||
config['FIREWALL_SERVICE_ID'] = 'ceilometer_api'
|
||||
config['FIREWALL_PORTS'] = "'8777'"
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
# Add a template that creates a group for nova because the ceilometer
|
||||
# class needs it
|
||||
|
|
|
@ -370,15 +370,18 @@ def create_manifest(config):
|
|||
config['CONFIG_SWIFT_PROXY'] = config['CONFIG_SWIFT_PROXY_HOSTS'].split(',')[0].strip()
|
||||
manifestdata += getManifestTemplate('cinder_backup.pp')
|
||||
|
||||
hosts = set()
|
||||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
|
||||
else:
|
||||
hosts.add('ALL',)
|
||||
|
||||
config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i.strip() for i in hosts if i.strip()])
|
||||
config['FIREWALL_SERVICE_NAME'] = "cinder"
|
||||
config['FIREWALL_PORTS'] = "'3260', '8776'"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
|
||||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % host
|
||||
config['FIREWALL_SERVICE_ID'] = "cinder_%s" % host
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
else:
|
||||
config['FIREWALL_ALLOWED'] = "'ALL'"
|
||||
config['FIREWALL_SERVICE_ID'] = "cinder_ALL"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
|
||||
appendManifestFile(manifestfile, manifestdata)
|
||||
|
|
|
@ -100,13 +100,17 @@ def createmanifest(config):
|
|||
if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
|
||||
manifestdata += getManifestTemplate(get_mq(config, "glance_ceilometer"))
|
||||
|
||||
hosts = set()
|
||||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
|
||||
else:
|
||||
hosts.add('ALL',)
|
||||
config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
|
||||
config['FIREWALL_SERVICE_NAME'] = "glance"
|
||||
config['FIREWALL_PORTS'] = "'9292'"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % host
|
||||
config['FIREWALL_SERVICE_ID'] = "glance_%s" % host
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
else:
|
||||
config['FIREWALL_ALLOWED'] = "'ALL'"
|
||||
config['FIREWALL_SERVICE_ID'] = "glance_ALL"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
|
||||
appendManifestFile(manifestfile, manifestdata)
|
||||
|
|
|
@ -123,6 +123,8 @@ def create_manifest(config):
|
|||
manifestdata = getManifestTemplate("keystone.pp")
|
||||
config['FIREWALL_ALLOWED'] = "'ALL'"
|
||||
config['FIREWALL_SERVICE_NAME'] = "keystone"
|
||||
config['FIREWALL_SERVICE_ID'] = "keystone"
|
||||
config['FIREWALL_PORTS'] = "'5000', '35357'"
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
appendManifestFile(manifestfile, manifestdata)
|
||||
|
|
|
@ -127,9 +127,12 @@ def createmanifest(config):
|
|||
for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
|
||||
hosts.add(host.strip())
|
||||
|
||||
config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
|
||||
config['FIREWALL_SERVICE_NAME'] = "mysql"
|
||||
config['FIREWALL_PORTS'] = "'3306'"
|
||||
manifestdata.append(getManifestTemplate("firewall.pp"))
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
for host in hosts:
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % host
|
||||
config['FIREWALL_SERVICE_ID'] = "mysql_%s" % host
|
||||
manifestdata.append(getManifestTemplate("firewall.pp"))
|
||||
|
||||
appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
|
||||
|
|
|
@ -175,7 +175,9 @@ def createnrpemanifests(config):
|
|||
#Only the Nagios host is allowed to talk to nrpe
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % config['CONFIG_NAGIOS_HOST']
|
||||
config['FIREWALL_SERVICE_NAME'] = "nagios-nrpe"
|
||||
config['FIREWALL_SERVICE_ID'] = "nagios_nrpe"
|
||||
config['FIREWALL_PORTS'] = '5666'
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
appendManifestFile(manifestfile, manifestdata)
|
||||
|
||||
|
|
|
@ -653,6 +653,10 @@ def create_manifests(config):
|
|||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
allowed_hosts.add(config['CONFIG_NOVA_API_HOST'])
|
||||
|
||||
config['FIREWALL_SERVICE_NAME'] = "neutron server"
|
||||
config['FIREWALL_PORTS'] = "'9696'"
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
|
||||
for host in q_hosts:
|
||||
manifest_file = "%s_neutron.pp" % (host,)
|
||||
manifest_data = getManifestTemplate("neutron.pp")
|
||||
|
@ -663,11 +667,11 @@ def create_manifests(config):
|
|||
manifest_file = "%s_neutron.pp" % (host,)
|
||||
manifest_data = getManifestTemplate("neutron_api.pp")
|
||||
# Firewall Rules
|
||||
config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i
|
||||
for i in allowed_hosts])
|
||||
config['FIREWALL_SERVICE_NAME'] = "neutron"
|
||||
config['FIREWALL_PORTS'] = "'9696'"
|
||||
manifest_data += getManifestTemplate("firewall.pp")
|
||||
for f_host in q_hosts:
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % f_host
|
||||
config['FIREWALL_SERVICE_ID'] = "neutron_server_%s_%s" % (host, f_host)
|
||||
manifest_data += getManifestTemplate("firewall.pp")
|
||||
|
||||
appendManifestFile(manifest_file, manifest_data, 'neutron')
|
||||
|
||||
# Set up any l2 plugin configs we need anywhere we install neutron
|
||||
|
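Review bot: The new loop at L439–L448 iterates `q_hosts`, while `allowed_hosts` (which the context at L383–L386 still extends with `CONFIG_NOVA_API_HOST`) appears to be used only by the join at L424–L427; if that join is the removed side, `allowed_hosts` is now computed but never emitted and the nova API host is no longer granted 9696 on the neutron server unless it also happens to be in `q_hosts`. Iterating `allowed_hosts` (or the union of both sets) in the loop would keep the previous reachability, e.g. `for f_host in allowed_hosts | set(q_hosts):` if `q_hosts` is not already a set. create_manifests starts and ends outside this hunk, so I cannot confirm where `allowed_hosts` and `q_hosts` are built.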
@ -712,13 +716,29 @@ def create_dhcp_manifests(config):
|
|||
global dhcp_hosts
|
||||
|
||||
plugin = config['CONFIG_NEUTRON_L2_PLUGIN']
|
||||
|
||||
for host in dhcp_hosts:
|
||||
config["CONFIG_NEUTRON_DHCP_HOST"] = host
|
||||
config['CONFIG_NEUTRON_DHCP_INTERFACE_DRIVER'] = get_if_driver(config)
|
||||
manifestdata = getManifestTemplate("neutron_dhcp.pp")
|
||||
manifestfile = "%s_neutron.pp" % (host,)
|
||||
manifest_data = getManifestTemplate("neutron_dhcp.pp")
|
||||
manifest_file = "%s_neutron.pp" % (host,)
|
||||
|
||||
# Firewall Rules
|
||||
for f_host in q_hosts:
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % f_host
|
||||
config['FIREWALL_SERVICE_NAME'] = "neutron dhcp in"
|
||||
config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_in_%s_%s" % (host, f_host)
|
||||
config['FIREWALL_PORTS'] = "'67'"
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
manifest_data += getManifestTemplate("firewall.pp")
|
||||
config['FIREWALL_SERVICE_NAME'] = "neutron dhcp out"
|
||||
config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_out_%s_%s" % (host, f_host)
|
||||
config['FIREWALL_PORTS'] = "'68'"
|
||||
config['FIREWALL_CHAIN'] = "OUTPUT"
|
||||
manifest_data += getManifestTemplate("firewall.pp")
|
||||
|
||||
appendManifestFile(manifest_file, manifest_data, 'neutron')
|
||||
|
||||
appendManifestFile(manifestfile, manifestdata + "\n")
|
||||
|
||||
|
||||
def create_lbaas_manifests(config):
|
||||
|
|
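Review bot: L531 sets `config['FIREWALL_CHAIN'] = "OUTPUT"` on the shared config dict and nothing restores it, so any later `firewall.pp` render that does not explicitly set the chain would silently become an OUTPUT rule instead of opening the intended port. Every call site in this commit does set the chain, but the template comment at L667 reads as if `FIREWALL_CHAIN` were optional; resetting it after the loop, `config['FIREWALL_CHAIN'] = "INPUT"`, or passing the chain per render rather than through module-wide state would remove the hazard. create_dhcp_manifests starts outside the hunk.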
|
@ -473,7 +473,9 @@ def createcomputemanifest(config):
|
|||
# http://docs.openstack.org/developer/nova/nova.concepts.html#concept-system-architecture
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % (config['CONFIG_NOVA_SCHED_HOST'].strip())
|
||||
config['FIREWALL_SERVICE_NAME'] = "nova compute"
|
||||
config['FIREWALL_SERVICE_ID'] = "nova_compute"
|
||||
config['FIREWALL_PORTS'] = "'5900-5999'"
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
|
||||
manifestdata += "\n" + nova_config_options.getManifestEntry()
|
||||
|
|
|
@ -283,13 +283,19 @@ def createstoragemanifest(config):
|
|||
# set allowed hosts for firewall
|
||||
swift_hosts = get_swift_hosts(config)
|
||||
hosts = swift_hosts.copy()
|
||||
manifestdata = ""
|
||||
if config['CONFIG_NOVA_INSTALL'] == 'y':
|
||||
hosts |= split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
|
||||
config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
|
||||
# firewall rules for storage and rsync
|
||||
|
||||
config['FIREWALL_SERVICE_NAME'] = "swift storage and rsync"
|
||||
config['FIREWALL_PORTS'] = "'6000', '6001', '6002', '873'"
|
||||
manifestdata = getManifestTemplate("firewall.pp")
|
||||
config['FIREWALL_CHAIN'] = "INPUT"
|
||||
|
||||
for host in hosts:
|
||||
config['FIREWALL_ALLOWED'] = "'%s'" % host
|
||||
config['FIREWALL_SERVICE_ID'] = "swift_storage_and_rsync_%s" % host
|
||||
manifestdata += getManifestTemplate("firewall.pp")
|
||||
|
||||
for host in swift_hosts:
|
||||
manifestfile = "%s_swift.pp" % host
|
||||
appendManifestFile(manifestfile, manifestdata)
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Create firewall rules to allow only the FIREWALL_ALLOWED
|
||||
# hosts that need to connect via FIREWALL_PORTS
|
||||
# using FIREWALL_CHAIN
|
||||
|
||||
define packstack::firewall($host, $service_name, $chain = "INPUT", $ports) {
|
||||
$source = $host ? {
|
||||
'ALL' => '0.0.0.0/0',
|
||||
default => $host,
|
||||
}
|
||||
$heading = $chain ? {
|
||||
'OUTPUT' => 'outgoing',
|
||||
default => 'incoming',
|
||||
}
|
||||
|
||||
firewall { "001 ${service_name} ${heading} ${title}":
|
||||
chain => $chain,
|
||||
proto => ['tcp', 'udp'],
|
||||
dport => $ports,
|
||||
action => 'accept',
|
||||
source => $source,
|
||||
}
|
||||
}
|
||||
|
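Review bot: `proto => ['tcp', 'udp']` at L707 opens every service port on both protocols, whereas the template it replaces used `proto => 'tcp'`; with this define shared by mysql, keystone, amqp, swift and the rest, UDP 3306, 5000/35357, 5671/5672 etc. are now accepted for services that only listen on TCP. Adding a parameter `$proto = 'tcp'` to the define and writing `proto => $proto,` would keep the previous footprint, with only the dhcp rules asking for udp. Separately, when `$chain` is `OUTPUT` the rule still filters on `source => $source`, which for locally generated traffic is the local address, not the remote `$host`; if the intent is to allow traffic towards `$host`, `destination` is the field to match, so this looks worth confirming against the dhcp caller.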
|
@ -1,19 +1,11 @@
|
|||
# Create firewall rules to allow only the hosts that need to connect
|
||||
# to %(FIREWALL_SERVICE_NAME)s
|
||||
# Create firewall rules to allow only the FIREWALL_ALLOWED
|
||||
# hosts that need to connect via FIREWALL_PORTS
|
||||
# using FIREWALL_CHAIN
|
||||
|
||||
$hosts = [ %(FIREWALL_ALLOWED)s ]
|
||||
|
||||
define add_allow_host {
|
||||
$source = $title ? {
|
||||
'ALL' => '0.0.0.0/0',
|
||||
default => $title,
|
||||
}
|
||||
firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
|
||||
proto => 'tcp',
|
||||
dport => [%(FIREWALL_PORTS)s],
|
||||
action => 'accept',
|
||||
source => $source,
|
||||
}
|
||||
packstack::firewall {'%(FIREWALL_SERVICE_ID)s':
|
||||
host => %(FIREWALL_ALLOWED)s,
|
||||
service_name => '%(FIREWALL_SERVICE_NAME)s',
|
||||
chain => '%(FIREWALL_CHAIN)s',
|
||||
ports => [%(FIREWALL_PORTS)s],
|
||||
}
|
||||
|
||||
add_allow_host {$hosts:}
|
||||
|
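Review bot: `host => %(FIREWALL_ALLOWED)s` at L788 is substituted unquoted, so the template only produces a valid string when every Python caller has already wrapped the value as `"'%s'" % host`, while `service_name` and `chain` are quoted here in the template. Either quote it in the template, `host => '%(FIREWALL_ALLOWED)s',`, and drop the quoting in the callers, or state the contract in the header comment, `# FIREWALL_ALLOWED must be a quoted Puppet string, e.g. "'10.0.0.1'" or "'ALL'"`. I cannot see every caller of this template, so I have not assumed they are all consistent.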
|