From b03ca71d751e9ac5a2f596c25338f3176229b268 Mon Sep 17 00:00:00 2001
From: Ivan Chavero
Date: Thu, 19 Sep 2013 01:10:36 -0600
Subject: [PATCH] Adds Firewall rules for cinder access. Allows connection to cinder service only for nova compute hosts, This patch is for cinder only, rules for the other services are being developed since the bug addresses the entire openstack installation. Fixes (partially): rhbz#1002063
Change-Id: Ib1ee17810cf7993d1404a5eee80ddef7c2712135
---
 packstack/plugins/cinder_250.py | 6 ++++++
 packstack/puppet/templates/cinder.pp | 6 +-----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/packstack/plugins/cinder_250.py b/packstack/plugins/cinder_250.py
index 115e41542..5dba00317 100644
--- a/packstack/plugins/cinder_250.py
+++ b/packstack/plugins/cinder_250.py
@@ -363,4 +363,10 @@ def create_manifest(config):
 if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
 manifestdata += getManifestTemplate('cinder_ceilometer.pp')
 
+ hosts = config['CONFIG_NOVA_COMPUTE_HOSTS'].split(",")
+ config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i.strip() for i in hosts if i.strip()])
+ config['FIREWALL_SERVICE_NAME'] = "cinder"
+ config['FIREWALL_PORTS'] = "'3260', '8776'"
+ manifestdata += getManifestTemplate("firewall.pp")
+
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/puppet/templates/cinder.pp b/packstack/puppet/templates/cinder.pp
index 4f55fdce0..8e31197ce 100644
--- a/packstack/puppet/templates/cinder.pp
+++ b/packstack/puppet/templates/cinder.pp
@@ -31,8 +31,4 @@ class {'cinder::volume::iscsi':
 iscsi_ip_address => '%(CONFIG_CINDER_HOST)s'
 }
 
-firewall { '001 cinder incoming':
- proto => 'tcp',
- dport => ['3260', '8776'],
- action => 'accept',
-}
+
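Review bot: In the `cinder_250.py` hunk, the allow-list built from `CONFIG_NOVA_COMPUTE_HOSTS` goes into the manifest with no check for the empty case and no validation of the entries. If the option is empty or holds only commas, `FIREWALL_ALLOWED` becomes an empty string, and what `firewall.pp` renders from that (no rule at all, or a rule with no source restriction) is not visible in this patch; a guard such as `if not config['FIREWALL_ALLOWED']: raise ValueError('cinder firewall: no compute hosts configured')` before `getManifestTemplate("firewall.pp")` would make the outcome explicit. Each entry is wrapped in single quotes by `"'%s'" % i.strip()`, so a value containing `'` would end the Puppet string early; checking that every entry is a hostname or IP address before joining would close that. The same list is applied to both 3260 and 8776, so any client of port 8776 that is not a compute host would presumably be blocked, which is worth confirming as intended. `create_manifest` begins above this hunk.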