From cfcb7b64cc16fb8203371829d1ae66cb2a83b5d3 Mon Sep 17 00:00:00 2001
From: Martin Magr
Date: Mon, 3 Mar 2014 21:08:19 +0100
Subject: [PATCH] Enable DHCP ports on neutron-dhcp-agent hosts
Conflicts:
packstack/plugins/glance_200.py
packstack/plugins/qpid_002.py
Change-Id: I7ed387d4ac9a397554b24c3ac318a42af7ed2901
Fixes: rhbz#999695
(cherry picked from commit 63d1b4811590112e8a4d672cbb39338a313d4c84)
---
 packstack/plugins/ceilometer_800.py | 2 ++
 packstack/plugins/cinder_250.py | 19 +++++-----
 packstack/plugins/glance_200.py | 19 ++++++----
 packstack/plugins/keystone_100.py | 2 ++
 packstack/plugins/mysql_001.py | 7 ++--
 packstack/plugins/nagios_910.py | 2 ++
 packstack/plugins/neutron_350.py | 36 ++++++++++++++-----
 packstack/plugins/nova_300.py | 2 ++
 packstack/plugins/qpid_002.py | 15 +++-----
 packstack/plugins/swift_600.py | 12 +++++--
 .../modules/packstack/manifests/firewall.pp | 23 ++++++++++++
 packstack/puppet/templates/firewall.pp | 24 +++++-------
 12 files changed, 109 insertions(+), 54 deletions(-)
 create mode 100644 packstack/puppet/modules/packstack/manifests/firewall.pp
diff --git a/packstack/plugins/ceilometer_800.py b/packstack/plugins/ceilometer_800.py
index 051de241a..7ed75e013 100644
--- a/packstack/plugins/ceilometer_800.py
+++ b/packstack/plugins/ceilometer_800.py
@@ -96,7 +96,9 @@ def create_manifest(config):
 manifestdata = getManifestTemplate("ceilometer.pp")
 config['FIREWALL_ALLOWED'] = "'ALL'"
 config['FIREWALL_SERVICE_NAME'] = 'ceilometer-api'
+ config['FIREWALL_SERVICE_ID'] = 'ceilometer_api'
 config['FIREWALL_PORTS'] = "'8777'"
+ config['FIREWALL_CHAIN'] = "INPUT"
 manifestdata += getManifestTemplate("firewall.pp")
 # Add a template that creates a group for nova because the ceilometer
 # class needs it
diff --git a/packstack/plugins/cinder_250.py b/packstack/plugins/cinder_250.py
index ac05e3b5b..402d5f407 100644
--- a/packstack/plugins/cinder_250.py
+++ b/packstack/plugins/cinder_250.py
@@ -421,15 +421,18 @@ def create_manifest(config):
 config['CONFIG_SWIFT_PROXY'] = config['CONFIG_SWIFT_PROXY_HOSTS'].split(',')[0].strip()
 manifestdata += getManifestTemplate('cinder_backup.pp')
- hosts = set()
- if config['CONFIG_NOVA_INSTALL'] == 'y':
- hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
- else:
- hosts.add('ALL',)
-
- config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i.strip() for i in hosts if i.strip()])
 config['FIREWALL_SERVICE_NAME'] = "cinder"
 config['FIREWALL_PORTS'] = "'3260', '8776'"
- manifestdata += getManifestTemplate("firewall.pp")
+ config['FIREWALL_CHAIN'] = "INPUT"
+
+ if config['CONFIG_NOVA_INSTALL'] == 'y':
+ for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
+ config['FIREWALL_ALLOWED'] = "'%s'" % host
+ config['FIREWALL_SERVICE_ID'] = "cinder_%s" % host
+ manifestdata += getManifestTemplate("firewall.pp")
+ else:
+ config['FIREWALL_ALLOWED'] = "'ALL'"
+ config['FIREWALL_SERVICE_ID'] = "cinder_ALL"
+ manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/glance_200.py b/packstack/plugins/glance_200.py
index bd0bf6532..ac2adc00f 100644
--- a/packstack/plugins/glance_200.py
+++ b/packstack/plugins/glance_200.py
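Review bot: The new per-host loop drops the `.strip()` and the `if i.strip()` filter that the removed `FIREWALL_ALLOWED` join applied, so unless `split_hosts()` already strips and discards blank entries (not visible here) a trailing comma or padded entry in CONFIG_NOVA_COMPUTE_HOSTS now renders a `packstack::firewall` resource whose `host` is empty or space-prefixed. The glance hunk has the same shape and the same gap. Both branches also end in an identical `manifestdata += getManifestTemplate("firewall.pp")`; computing the host set first and rendering in one loop, as the mysql and qpid hunks do, leaves a single render site and one place for the filter to live. create_manifest continues outside the hunk on both sides.
```python
    # … unchanged: cinder_backup template, FIREWALL_SERVICE_NAME / FIREWALL_PORTS / FIREWALL_CHAIN …
    if config['CONFIG_NOVA_INSTALL'] == 'y':
        hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
    else:
        hosts = set(['ALL'])
    for host in hosts:
        host = host.strip()
        if not host:
            continue  # a stray separator must not become a rule with an empty source
        config['FIREWALL_ALLOWED'] = "'%s'" % host
        config['FIREWALL_SERVICE_ID'] = "cinder_%s" % host
        manifestdata += getManifestTemplate("firewall.pp")
```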
@@ -98,13 +98,18 @@ def createmanifest(config):
 manifestdata = getManifestTemplate("glance.pp")
 if config['CONFIG_CEILOMETER_INSTALL'] == 'y':
 manifestdata += getManifestTemplate('glance_ceilometer.pp')
- hosts = set()
- if config['CONFIG_NOVA_INSTALL'] == 'y':
- hosts = split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
- else:
- hosts.add('ALL',)
- config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+
 config['FIREWALL_SERVICE_NAME'] = "glance"
 config['FIREWALL_PORTS'] = "'9292'"
- manifestdata += getManifestTemplate("firewall.pp")
+ config['FIREWALL_CHAIN'] = "INPUT"
+ if config['CONFIG_NOVA_INSTALL'] == 'y':
+ for host in split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS']):
+ config['FIREWALL_ALLOWED'] = "'%s'" % host
+ config['FIREWALL_SERVICE_ID'] = "glance_%s" % host
+ manifestdata += getManifestTemplate("firewall.pp")
+ else:
+ config['FIREWALL_ALLOWED'] = "'ALL'"
+ config['FIREWALL_SERVICE_ID'] = "glance_ALL"
+ manifestdata += getManifestTemplate("firewall.pp")
+
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index c166466c6..a13d09d63 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -123,6 +123,8 @@ def create_manifest(config):
 manifestdata = getManifestTemplate("keystone.pp")
 config['FIREWALL_ALLOWED'] = "'ALL'"
 config['FIREWALL_SERVICE_NAME'] = "keystone"
+ config['FIREWALL_SERVICE_ID'] = "keystone"
 config['FIREWALL_PORTS'] = "'5000', '35357'"
+ config['FIREWALL_CHAIN'] = "INPUT"
 manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/mysql_001.py b/packstack/plugins/mysql_001.py
index 392b4d906..4c4ec0a10 100644
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
@@ -127,9 +127,12 @@ def createmanifest(config):
 for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
 hosts.add(host.strip())
- config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
 config['FIREWALL_SERVICE_NAME'] = "mysql"
 config['FIREWALL_PORTS'] = "'3306'"
- manifestdata.append(getManifestTemplate("firewall.pp"))
+ config['FIREWALL_CHAIN'] = "INPUT"
+ for host in hosts:
+ config['FIREWALL_ALLOWED'] = "'%s'" % host
+ config['FIREWALL_SERVICE_ID'] = "mysql_%s" % host
+ manifestdata.append(getManifestTemplate("firewall.pp"))
 appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
diff --git a/packstack/plugins/nagios_910.py b/packstack/plugins/nagios_910.py
index ab7313c55..aba02feba 100644
--- a/packstack/plugins/nagios_910.py
+++ b/packstack/plugins/nagios_910.py
@@ -176,7 +176,9 @@ def createnrpemanifests(config):
 #Only the Nagios host is allowed to talk to nrpe
 config['FIREWALL_ALLOWED'] = "'%s'" % config['CONFIG_NAGIOS_HOST']
 config['FIREWALL_SERVICE_NAME'] = "nagios-nrpe"
+ config['FIREWALL_SERVICE_ID'] = "nagios_nrpe"
 config['FIREWALL_PORTS'] = '5666'
+ config['FIREWALL_CHAIN'] = "INPUT"
 manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/neutron_350.py b/packstack/plugins/neutron_350.py
index 06a29f7c5..28af8bf74 100644
--- a/packstack/plugins/neutron_350.py
+++ b/packstack/plugins/neutron_350.py
@@ -655,6 +655,10 @@ def create_manifests(config):
 if config['CONFIG_NOVA_INSTALL'] == 'y':
 allowed_hosts.add(config['CONFIG_NOVA_API_HOST'])
+ config['FIREWALL_SERVICE_NAME'] = "neutron server"
+ config['FIREWALL_PORTS'] = "'9696'"
+ config['FIREWALL_CHAIN'] = "INPUT"
+
 for host in q_hosts:
 manifest_file = "%s_neutron.pp" % (host,)
 manifest_data = getManifestTemplate("neutron.pp")
@@ -664,11 +668,11 @@ def create_manifests(config):
 manifest_file = "%s_neutron.pp" % (host,)
 manifest_data = getManifestTemplate("neutron_api.pp")
 # Firewall Rules
- config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i
- for i in allowed_hosts])
- config['FIREWALL_SERVICE_NAME'] = "neutron"
- config['FIREWALL_PORTS'] = "'9696'"
- manifest_data += getManifestTemplate("firewall.pp")
+ for f_host in allowed_hosts:
+ config['FIREWALL_ALLOWED'] = "'%s'" % f_host
+ config['FIREWALL_SERVICE_ID'] = "neutron_server_%s_%s" % (host, f_host)
+ manifest_data += getManifestTemplate("firewall.pp")
+
 appendManifestFile(manifest_file, manifest_data, 'neutron')
 # Set up any l2 plugin configs we need anywhere we install neutron
@@ -713,13 +717,29 @@ def create_dhcp_manifests(config):
 global dhcp_hosts
 plugin = config['CONFIG_NEUTRON_L2_PLUGIN']
+
 for host in dhcp_hosts:
 config["CONFIG_NEUTRON_DHCP_HOST"] = host
 config['CONFIG_NEUTRON_DHCP_INTERFACE_DRIVER'] = get_if_driver(config)
- manifestdata = getManifestTemplate("neutron_dhcp.pp")
- manifestfile = "%s_neutron.pp" % (host,)
+ manifest_data = getManifestTemplate("neutron_dhcp.pp")
+ manifest_file = "%s_neutron.pp" % (host,)
+
+ # Firewall Rules
+ for f_host in q_hosts:
+ config['FIREWALL_ALLOWED'] = "'%s'" % f_host
+ config['FIREWALL_SERVICE_NAME'] = "neutron dhcp in"
+ config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_in_%s_%s" % (host, f_host)
+ config['FIREWALL_PORTS'] = "'67'"
+ config['FIREWALL_CHAIN'] = "INPUT"
+ manifest_data += getManifestTemplate("firewall.pp")
+ config['FIREWALL_SERVICE_NAME'] = "neutron dhcp out"
+ config['FIREWALL_SERVICE_ID'] = "neutron_dhcp_out_%s_%s" % (host, f_host)
+ config['FIREWALL_PORTS'] = "'68'"
+ config['FIREWALL_CHAIN'] = "OUTPUT"
+ manifest_data += getManifestTemplate("firewall.pp")
+
+ appendManifestFile(manifest_file, manifest_data, 'neutron')
- appendManifestFile(manifestfile, manifestdata + "\n")
 def create_lbaas_manifests(config):
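Review bot: The `neutron dhcp out` rule rendered with `config['FIREWALL_CHAIN'] = "OUTPUT"` still goes through the define's `source => $source`, and in the OUTPUT chain the source address is the sending host's own, so with `f_host` walking `q_hosts` the rule only matches when f_host is the DHCP host itself and matches nothing for the other peers; if the intent is to limit replies to those hosts the OUTPUT case needs a `destination` instead (and where the OUTPUT policy is ACCEPT, as is common, an accept rule there changes nothing). Whether instance DHCP requests to dnsmasq even traverse the root-namespace INPUT chain depends on the L2 setup, so the port 67 rule restricted to the neutron hosts' addresses is worth confirming on a deployment rather than assumed. The rewritten `appendManifestFile` call also drops the trailing `"\n"` the removed call appended, which is only safe if the 'neutron' marker path separates fragments itself. The header of create_dhcp_manifests lies above the hunk.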
diff --git a/packstack/plugins/nova_300.py b/packstack/plugins/nova_300.py
index aa8b16ed2..f57ce042f 100644
--- a/packstack/plugins/nova_300.py
+++ b/packstack/plugins/nova_300.py
@@ -534,7 +534,9 @@ def createcomputemanifest(config):
 # http://docs.openstack.org/developer/nova/nova.concepts.html#concept-system-architecture
 config['FIREWALL_ALLOWED'] = "'%s'" % (config['CONFIG_NOVA_SCHED_HOST'].strip())
 config['FIREWALL_SERVICE_NAME'] = "nova compute"
+ config['FIREWALL_SERVICE_ID'] = "nova_compute"
 config['FIREWALL_PORTS'] = "'5900-5999'"
+ config['FIREWALL_CHAIN'] = "INPUT"
 manifestdata += getManifestTemplate("firewall.pp")
 manifestdata += "\n" + nova_config_options.getManifestEntry()
diff --git a/packstack/plugins/qpid_002.py b/packstack/plugins/qpid_002.py
index 2325010f9..e979e96f6 100644
--- a/packstack/plugins/qpid_002.py
+++ b/packstack/plugins/qpid_002.py
@@ -236,17 +236,12 @@ def createmanifest(config):
 config['CONFIG_QPID_AUTH_USER'] = 'guest'
 #All hosts should be able to talk to qpid
- hosts = ["'%s'" % i for i in filtered_hosts(config, exclude=False)]
- # if the rule already exists for one port puppet will fail
- # so i had to add always both qpid ports (plain and SSL) in order
- # to avoid rule changes, this is due some problematic behaviour of
- # the puppet firewall module
- # this is a temporary solution, as soon as the firewall module is
- # updated we'll go back to previous state in which we open just
- # the needed ports
- config['FIREWALL_ALLOWED'] = ','.join(hosts)
 config['FIREWALL_SERVICE_NAME'] = "qpid"
 config['FIREWALL_PORTS'] = "'5671', '5672'"
- manifestdata += getManifestTemplate("firewall.pp")
+ config['FIREWALL_CHAIN'] = "INPUT"
+ for host in filtered_hosts(config, exclude=False):
+ config['FIREWALL_ALLOWED'] = "'%s'" % host
+ config['FIREWALL_SERVICE_ID'] = "qpid_%s" % host
+ manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata, 'pre')
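Review bot: The removed comment block was the only record of why both 5671 and 5672 are opened, and the per-host resources this hunk introduces may well remove the puppet-firewall limitation it described; either re-check whether the SSL port still needs opening when qpid SSL is not configured, or keep a one-line reminder above `config['FIREWALL_PORTS'] = "'5671', '5672'"`, e.g. `# both plain and SSL qpid ports are opened on purpose (puppet-firewall workaround, see git history)`. The loop keeps `filtered_hosts(config, exclude=False)`, so every host may reach qpid exactly as before; the per-host rules at least make narrowing that later a local change.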
diff --git a/packstack/plugins/swift_600.py b/packstack/plugins/swift_600.py
index 6e2bdcb03..24629d897 100644
--- a/packstack/plugins/swift_600.py
+++ b/packstack/plugins/swift_600.py
@@ -283,13 +283,19 @@ def createstoragemanifest(config):
 # set allowed hosts for firewall
 swift_hosts = get_swift_hosts(config)
 hosts = swift_hosts.copy()
+ manifestdata = ""
 if config['CONFIG_NOVA_INSTALL'] == 'y':
 hosts |= split_hosts(config['CONFIG_NOVA_COMPUTE_HOSTS'])
- config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
- # firewall rules for storage and rsync
+
 config['FIREWALL_SERVICE_NAME'] = "swift storage and rsync"
 config['FIREWALL_PORTS'] = "'6000', '6001', '6002', '873'"
- manifestdata = getManifestTemplate("firewall.pp")
+ config['FIREWALL_CHAIN'] = "INPUT"
+
+ for host in hosts:
+ config['FIREWALL_ALLOWED'] = "'%s'" % host
+ config['FIREWALL_SERVICE_ID'] = "swift_storage_and_rsync_%s" % host
+ manifestdata += getManifestTemplate("firewall.pp")
+
 for host in swift_hosts:
 manifestfile = "%s_swift.pp" % host
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/puppet/modules/packstack/manifests/firewall.pp b/packstack/puppet/modules/packstack/manifests/firewall.pp
new file mode 100644
index 000000000..05429888f
--- /dev/null
+++ b/packstack/puppet/modules/packstack/manifests/firewall.pp
@@ -0,0 +1,23 @@
+# Create firewall rules to allow only the FIREWALL_ALLOWED
+# hosts that need to connect via FIREWALL_PORTS
+# using FIREWALL_CHAIN
+
+define packstack::firewall($host, $service_name, $chain = "INPUT", $ports) {
+ $source = $host ? {
+ 'ALL' => '0.0.0.0/0',
+ default => $host,
+ }
+ $heading = $chain ? {
+ 'OUTPUT' => 'outgoing',
+ default => 'incoming',
+ }
+
+ firewall { "001 ${service_name} ${heading} ${title}":
+ chain => $chain,
+ proto => ['tcp', 'udp'],
+ dport => $ports,
+ action => 'accept',
+ source => $source,
+ }
+}
+
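Review bot: `proto => ['tcp', 'udp']` in the new define changes every existing caller, whose rules the removed template opened for tcp only. As far as I know puppetlabs-firewall's `proto` is a single-valued property, so the array is either rejected at catalog compile time or reduced to its first element ('tcp'), in which case the new DHCP rules on 67/68 never admit UDP at all; if the module does accept it, every service port in this patch (3306, 5672, 35357, 9696, ...) becomes reachable over UDP as well, which nothing here needs. Make the protocol a parameter that keeps the old default, `define packstack::firewall($host, $service_name, $ports, $chain = "INPUT", $proto = 'tcp') {` and `proto => $proto,`, and have the DHCP caller pass 'udp' through a new template key (placeholder name: FIREWALL_PROTO). Listing required parameters before optional ones also reads better than the current `$chain = "INPUT", $ports` order.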
diff --git a/packstack/puppet/templates/firewall.pp b/packstack/puppet/templates/firewall.pp
index 3868d9f75..2b2c13419 100644
--- a/packstack/puppet/templates/firewall.pp
+++ b/packstack/puppet/templates/firewall.pp
@@ -1,19 +1,11 @@
-# Create firewall rules to allow only the hosts that need to connect
-# to %(FIREWALL_SERVICE_NAME)s
+# Create firewall rules to allow only the FIREWALL_ALLOWED
+# hosts that need to connect via FIREWALL_PORTS
+# using FIREWALL_CHAIN
-$hosts = [ %(FIREWALL_ALLOWED)s ]
-
-define add_allow_host {
- $source = $title ? {
- 'ALL' => '0.0.0.0/0',
- default => $title,
- }
- firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
- proto => 'tcp',
- dport => [%(FIREWALL_PORTS)s],
- action => 'accept',
- source => $source,
- }
+packstack::firewall {'%(FIREWALL_SERVICE_ID)s':
+ host => %(FIREWALL_ALLOWED)s,
+ service_name => '%(FIREWALL_SERVICE_NAME)s',
+ chain => '%(FIREWALL_CHAIN)s',
+ ports => [%(FIREWALL_PORTS)s],
 }
-add_allow_host {$hosts:}
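Review bot: The template now reads five keys from the shared `config` dict, and a caller that forgets one reuses whatever the previous plugin left there instead of failing; the DHCP code sets `FIREWALL_CHAIN` to OUTPUT last, so a later render that omits it would silently produce OUTPUT rules (every caller in this patch does set it, so this is a maintenance trap rather than a live bug). A header line stating the contract would help: `# callers must set FIREWALL_SERVICE_ID, FIREWALL_ALLOWED, FIREWALL_SERVICE_NAME, FIREWALL_CHAIN and FIREWALL_PORTS before every render; config is shared and stale values are reused silently`. `host => %(FIREWALL_ALLOWED)s` also differs from the other three placeholders in relying on the caller to supply the quotes, and the same comment should say so, since a caller passing a bare value may not produce a parseable manifest.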