author | Dan Prince <dprince@redhat.com> | 2016-07-20 10:48:23 -0400 |
---|---|---|
committer | Giulio Fidente <gfidente@redhat.com> | 2016-07-25 15:24:16 +0200 |
commit | 5195d7f8910f7d1ce0895caa133b028a727f8622 (patch) | |
tree | 62ee234150359a79a0134df8dceb1d12a49f11c1 | |
parent | f00ed98048a1a24e55dfea64171771ff73216335 (diff) |
Composable firewall rules
Split out the firewall rules in puppet/hieradata/controller.yaml
into the composable services
Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
28 files changed, 159 insertions, 124 deletions
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index 072c7c0d..3ec656dc 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
 controller_classes: []
 # firewall
 tripleo::firewall::firewall_rules:
- '101 mongodb_config':
- dport: 27019
- '102 mongodb_sharding':
- dport: 27018
- '103 mongod':
- dport: 27017
- '104 mysql galera':
- dport:
- 873
- 3306
- 4444
- 4567
- 4568
- 9200
- '105 ntp':
- dport: 123
- proto: udp
- '106 vrrp':
- proto: vrrp
- '107 haproxy stats':
- dport: 1993
- '108 redis':
- dport:
- 6379
- 26379
- '109 rabbitmq':
- dport:
- 4369
- 5672
- 35672
- '110 ceph':
- dport:
- 6789
- '6800-6810'
- '111 keystone':
- dport:
- 5000
- 13000
- 35357
- 13357
- '112 glance':
- dport:
- 9292
- 9191
- 13292
- '113 nova':
- dport:
- 6080
- 13080
- 8773
- 3773
- 8774
- 13774
- 8775
- '114 neutron server':
- dport:
- 9696
- 13696
- '115 neutron dhcp input':
- proto: 'udp'
- dport: 67
- '116 neutron dhcp output':
- proto: 'udp'
- chain: 'OUTPUT'
- dport: 68
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '119 cinder':
- dport:
- 8776
- 13776
- '120 iscsi initiator':
- dport: 3260
- '121 memcached':
- dport: 11211
- '122 swift proxy':
- dport:
- 8080
- 13808
- '123 swift storage':
- dport:
- 873
- 6000
- 6001
- 6002
- '124 ceilometer':
- dport:
- 8777
- 13777
- '125 heat':
- dport:
- 8000
- 13800
- 8003
- 13003
- 8004
- 13004
- '126 horizon':
- dport:
- 80
- 443
- '127 snmp':
- dport: 161
- proto: 'udp'
 '128 aodh':
 dport:
 - 8042
 - 13042
- '129 gnocchi-api':
- dport:
- 8041
- 13041
- '130 pacemaker tcp':
- proto: 'tcp'
- dport:
- 2224
- 3121
- 21064
- '131 pacemaker udp':
- proto: 'udp'
- dport: 5405
- '132 sahara':
- dport:
- 8386
- 13386
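Review bot: `'128 aodh'` is the only service rule left in `tripleo::firewall::firewall_rules` after this hunk, so 8042/13042 stay open on every controller whether or not aodh is deployed, while every other removed entry now lives with its service (112 and 125 split per API, 106 and 118 under neutron-server). Unless aodh has no composable template yet, it should move the same way; if it has to stay, a comment above it such as `# TODO: move to the aodh service template once aodh is composable` stops the next reader from assuming it was kept here on purpose. Checking the 122 removed lines against the service templates in this change, no port is dropped outright, only relocated.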
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 5dce7c3d..d0f3767d 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -23,6 +23,12 @@ outputs:
 value:
 service_name: ceilometer-api
 config_settings:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - tripleo.ceilometer_api.firewall_rules:
+ '124 ceilometer':
+ dport:
+ - 8777
+ - 13777
 step_config: |
 include ::tripleo::profile::base::ceilometer::api
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 68a59450..257264ac 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -53,5 +53,10 @@ outputs:
 - {get_param: NovaRbdPoolName}
 - {get_param: GlanceRbdPoolName}
 - {get_param: GnocchiRbdPoolName}
+ tripleo.ceph_mon.firewall_rules:
+ '110 ceph':
+ dport:
+ - 6789
+ - '6800-6810'
 step_config: |
 include ::tripleo::profile::base::ceph::mon
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 0b4817ac..0cefb380 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -39,5 +39,10 @@ outputs:
 cinder::api::keystone_password: {get_param: CinderPassword}
 cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
 tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+ tripleo.cinder_api.firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
 step_config: |
 include ::tripleo::profile::base::cinder::api
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index 69a38b04..8f63ff6a 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
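Review bot: The `'110 ceph'` rule in ceph-mon.yaml opens `'6800-6810'` next to 6789, but that range is the OSD/MDS listener range, not something the monitor itself serves. A node running only a mon ends up with an idle open range, and a role that runs OSDs without a mon gets no rule at all (assuming OSDs are, or will be, their own composable service — this hunk does not show it). I would keep `dport: 6789` here and carry the range with whichever template owns the OSD profile, or at least annotate it: `# 6800-6810: OSD/MDS range, kept here only while controllers co-host OSDs`.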
@@ -76,5 +76,8 @@ outputs:
 tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+ tripleo.cinder_volume.firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
 step_config: |
 include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index c2d36fc7..6885cfd6 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -25,5 +25,12 @@ outputs:
 - get_attr: [MongoDbBase, role_data, config_settings]
 - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
 mongodb::server::service_manage: True
+ tripleo.mongodb.firewall_rules:
+ '101 mongodb_config':
+ dport: 27019
+ '102 mongodb_sharding':
+ dport: 27018
+ '103 mongod':
+ dport: 27017
 step_config: |
- include ::tripleo::profile::base::database::mongodb
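Review bot: The rule key `'120 iscsi initiator'` names the wrong end of the connection: 3260 is the port the iSCSI *target* listens on (the `cinder_iscsi_helper` configured two lines above, tgtd or LIO), so this opens the target on the cinder-volume host to any source, while an initiator needs no inbound rule at all. The rule is also unconditional, so a cinder-volume node that only uses the RBD backend configured in the same hunk still exposes 3260. Renaming it `'120 iscsi target'` keeps the intent readable, and if `tripleo::firewall::rule` accepts a `source`, this port should be limited to the storage network rather than every interface.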
\ No newline at end of file
+ include ::tripleo::profile::base::database::mongodb
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 992dc11e..0a19b2a7 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -17,5 +17,14 @@ outputs:
 value:
 service_name: mysql
 config_settings:
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
 step_config: |
 include ::tripleo::profile::base::database::mysql
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index 080f72b6..ef005f77 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -22,5 +22,10 @@ outputs:
 config_settings:
 map_merge:
 - get_attr: [RedisBase, role_data, config_settings]
+ - tripleo.redis.firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
 step_config: |
 include ::tripleo::profile::base::database::redis
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 120c57ff..ee4c17c7 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -104,5 +104,10 @@ outputs:
 glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
 glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
 glance::keystone::auth::password: {get_param: GlancePassword }
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
 step_config: |
 include ::tripleo::profile::base::glance::api
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 6d2144e1..f9d9dd6b 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
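Review bot: `'104 mysql galera'` opens the Galera cluster ports (4444 SST, 4567 replication, 4568 IST, 873 rsync SST and 9200 clustercheck) with the same unrestricted rule as the 3306 client port, on every interface the node has. Only 3306 needs to be reachable by clients (in practice by HAProxy); the rest should be reachable only from the other Galera members, so if `tripleo::firewall::rule` takes a `source`, this is the first rule to use it on. Until then a comment separating the two groups, `# 3306: clients via HAProxy; 873/4444/4567/4568/9200: cluster-internal (SST/IST/clustercheck)`, keeps someone from trimming the wrong entry later. Note 873 is opened a second time by the swift-storage rule in this change, so disabling either service still leaves rsync reachable.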
@@ -49,5 +49,9 @@ outputs:
 - '%'
 - "%{hiera('mysql_bind_host')}"
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
 step_config: |
 include ::tripleo::profile::base::glance::registry
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f6877632..bf23cda1 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -24,5 +24,10 @@ outputs:
 config_settings:
 map_merge:
 - get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_api.firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
 step_config: |
 include ::tripleo::profile::base::gnocchi::api
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 73b40003..1a629c1d 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -15,5 +15,9 @@ outputs:
 description: Role data for the HAproxy role.
 value:
 service_name: haproxy
+ config_settings:
+ tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
 step_config: |
 include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index 8d237330..67c89bb9 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -40,5 +40,10 @@ outputs:
 heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
 heat::keystone::auth_cfn::password: {get_param: HeatPassword}
 heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api_cfn.firewall_rules:
+ '125 heat_cfn':
+ dport:
+ - 8000
+ - 13800
 step_config: |
 include ::tripleo::profile::base::heat::api_cfn
diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml
index c996cf13..32a0a58d 100644
--- a/puppet/services/heat-api-cloudwatch.yaml
+++ b/puppet/services/heat-api-cloudwatch.yaml
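Review bot: `'107 haproxy stats'` in haproxy.yaml opens the HAProxy stats listener on 1993 to any source, and nothing in the hunk ties it to an address or network. The stats page reveals backend membership and health for every API behind the proxy, and if the haproxy profile enables `stats admin` (not visible here) it also lets a caller take backends out of rotation, so on a public-facing interface this is an information leak at best and a DoS lever at worst. Unless the endpoint is only read locally (in which case the rule can go entirely), restrict it to the internal API network once the rule format allows a `source`, and record the intent: `# stats page: restrict to the internal API network`.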
@@ -27,5 +27,10 @@ outputs:
 map_merge:
 - get_attr: [HeatBase, role_data, config_settings]
 - heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+ tripleo.heat_api_cloudwatch.firewall_rules:
+ '125 heat_cloudwatch':
+ dport:
+ - 8003
+ - 13003
 step_config: |
 include ::tripleo::profile::base::heat::api_cloudwatch
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 41c7d9a1..0bb208d1 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -40,5 +40,10 @@ outputs:
 heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
 heat::keystone::auth::password: {get_param: HeatPassword}
 heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api.firewall_rules:
+ '125 heat_api':
+ dport:
+ - 8004
+ - 13004
 step_config: |
 include ::tripleo::profile::base::heat::api
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 022e3fbf..dc7ba8c9 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -31,5 +31,10 @@ outputs:
 template: MECHANISMS
 params:
 MECHANISMS: {get_param: NeutronMechanismDrivers}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
 step_config: |
 include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 83bab349..de920de3 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -136,5 +136,12 @@ outputs:
 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
 # override via extraconfig:
 keystone::wsgi::apache::threads: 1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
 step_config: |
 include ::tripleo::profile::base::keystone
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
index 55f8c08e..ceb29b55 100644
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
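Review bot: `'111 keystone'` opens the admin API ports 35357/13357 with the same any-source rule as the public 5000/13000 pair. The admin endpoint is where users, roles and service credentials are managed and, judging by the `KeystoneAdmin` entries these templates use in the endpoint map (not visible in this hunk), it is presumably meant to sit on an admin/ctlplane network, so there is no reason for it to be reachable on the external interface. When `tripleo::firewall::rule` gains a `source`, this is a rule to restrict; until then a comment `# 35357/13357: admin API — must not be reachable from the external network` at least flags the exposure next to the port list.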
@@ -16,5 +16,8 @@ outputs:
 value:
 service_name: memcached
 config_settings:
+ tripleo.memcached.firewall_rules:
+ '121 memcached':
+ dport: 11211
 step_config: |
 include ::tripleo::profile::base::memcached
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
index 5b903eac..1c57aa45 100644
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@@ -28,5 +28,13 @@ outputs:
 map_merge:
 - get_attr: [NeutronBase, role_data, config_settings]
 - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+ tripleo.neutron_dhcp.firewall_rules:
+ '115 neutron dhcp input':
+ proto: 'udp'
+ dport: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
 step_config: |
 include tripleo::profile::base::neutron::dhcp
diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml
index 61af11f9..253a6bfe 100644
--- a/puppet/services/neutron-server.yaml
+++ b/puppet/services/neutron-server.yaml
@@ -72,5 +72,15 @@ outputs:
 neutron::db::mysql::allowed_hosts:
 - '%'
 - "%{hiera('mysql_bind_host')}"
+ tripleo.neutron_server.firewall_rules:
+ '114 neutron server':
+ dport:
+ - 9696
+ - 13696
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '106 vrrp':
+ proto: vrrp
 step_config: |
 include tripleo::profile::base::neutron::server
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index f6c41052..0dd8fd51 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -32,5 +32,15 @@ outputs:
 nova::api::metadata_workers: {get_param: NovaWorkers}
 nova::cron::archive_deleted_rows::hour: '"*/12"'
 nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
 step_config: |
 include tripleo::profile::base::nova::api
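Review bot: `'121 memcached'` opens 11211 to any source, and memcached has no authentication of its own: every token and cache entry keystone and the other services put there becomes readable and writable from anywhere the controller is reachable, and an exposed memcached listener is a well-known reflection/amplification target on a public interface. The rule should be limited to the internal API network, or to the hosts that run the services using it, once `tripleo::firewall::rule` supports a `source`; until then a comment `# memcached is unauthenticated: restrict to the internal API network` records the gap. No `proto` is given, so whichever default the rule type applies (presumably tcp) is what actually gets opened.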
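Review bot: `'118 neutron vxlan networks'` and `'106 vrrp'` are attached to the neutron-server service in neutron-server.yaml, but 4789/udp is terminated by the OVS agent and VRRP by the L3 agent, neither of which is the API server. Any role that runs those agents without neutron-server (compute or dedicated network nodes) now gets no rule for them, and every API-only node opens 4789/udp and VRRP for no listener. They belong with the agent templates (ovs-agent and l3-agent, if this tree has them — not visible here); if they must stay here for now, mark it: `# TODO: move to the ovs/l3 agent services — these are agent, not API, ports`.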
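Review bot: `'113 nova_api'` in nova-api.yaml carries `3773` over from the old controller.yaml list, and no nova listener I know of uses that port; the neighbouring entries come in API/TLS-proxy pairs (6080/13080, 8774/13774) and 8773 is the EC2 API, so 3773 looks like a long-standing typo for 13773. Worth checking against the endpoint map before the list is copied again: if 13773 is right, fix the entry, and if nothing listens there, drop it rather than keep an unexplained open port.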
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 3b78befe..9520cb9c 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -16,5 +16,15 @@ outputs:
 value:
 service_name: pacemaker
 config_settings:
+ tripleo.pacemaker.firewall_rules:
+ '130 pacemaker tcp':
+ proto: 'tcp'
+ dport:
+ - 2224
+ - 3121
+ - 21064
+ '131 pacemaker udp':
+ proto: 'udp'
+ dport: 5405
 step_config: |
 include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 7b4b10ef..3c5909ca 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -36,5 +36,11 @@ outputs:
 rabbitmq::default_user: {get_param: RabbitUserName}
 rabbitmq::default_pass: {get_param: RabbitPassword}
 rabbit_ipv6: {get_param: RabbitIPv6}
+ tripleo.rabbitmq.firewall_rules:
+ '109 rabbitmq':
+ dport:
+ - 4369
+ - 5672
+ - 35672
 step_config: |
 include ::tripleo::profile::base::rabbitmq
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index a0a98b17..c9112019 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -49,5 +49,10 @@ outputs:
 sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
 sahara::keystone::auth::password: {get_param: SaharaPassword }
 sahara::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.sahara_api.firewall_rules:
+ '132 sahara':
+ dport:
+ - 8386
+ - 13386
 step_config: |
 include ::tripleo::profile::base::sahara::api
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 36e510b9..458f444b 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
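Review bot: `'109 rabbitmq'` in rabbitmq.yaml opens 4369 (epmd) and 35672 (the Erlang distribution port) with the same any-source rule as the 5672 AMQP port. Those two are cluster-internal: anyone who reaches them holding the Erlang cookie gets a full shell on the node, and epmd hands out the node names needed to try. Only 5672 needs to be reachable by the OpenStack services; the other two should be limited to the other RabbitMQ members once `tripleo::firewall::rule` allows a `source`, and a comment `# 4369/35672: Erlang clustering — cluster-internal only` keeps that distinction visible in the meantime.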
@@ -28,5 +28,9 @@ outputs:
 config_settings:
 snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
 snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+ tripleo.snmp.firewall_rules:
+ '127 snmp':
+ dport: 161
+ proto: 'udp'
 step_config: |
 include ::tripleo::profile::base::snmp
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 3ae1b01e..12165cc1 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -51,5 +51,10 @@ outputs:
 swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
 swift::keystone::auth::password: {get_param: SwiftPassword}
 swift::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.swift_proxy.firewall_rules:
+ '122 swift proxy':
+ dport:
+ - 8080
+ - 13808
 step_config: |
 include ::tripleo::profile::base::swift::proxy
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 02746a95..d63dc87c 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -41,5 +41,12 @@ outputs:
 # Swift
 swift::storage::all::mount_check: {get_param: SwiftMountCheck}
 tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+ tripleo.swift_storage.firewall_rules:
+ '123 swift storage':
+ dport:
+ - 873
+ - 6000
+ - 6001
+ - 6002
 step_config: |
 include ::tripleo::profile::base::swift::storage
diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml
index a0e51fec..59d25dd2 100644
--- a/puppet/services/time/ntp.yaml
+++ b/puppet/services/time/ntp.yaml
@@ -24,5 +24,9 @@ outputs:
 service_name: ntp
 config_settings:
 ntp::ntpservers: {get_param: NtpServer}
+ tripleo.ntp.firewall_rules:
+ '105 ntp':
+ dport: 123
+ proto: udp
 step_config: |
 include ::ntp |
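Review bot: `'127 snmp'` opens 161/udp to any source on the node. The same hunk shows the agent is configured with a named read-only user and password (`snmpd_readonly_user_name`/`..._password`), so this is presumably SNMPv3 rather than a community string, but the listener still exposes host inventory to anything that can reach it and gives an attacker a credential to brute-force. Restrict it to the monitoring network, or to the poller's addresses, once `tripleo::firewall::rule` supports a `source`, and say so in place: `# 161/udp: monitoring only — restrict source to the poller`.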
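Review bot: `'123 swift storage'` in swift-storage.yaml is added unconditionally, while two lines above it the storage services themselves are gated on `ControllerEnableSwiftStorage`. With swift storage disabled on the controller the rule still opens rsync 873 and 6000–6002 on every interface, which is exactly the kind of leftover hole that composable rules were meant to remove. If the firewall hook cannot be tied to the same parameter, the rule should at least carry the caveat: `# opened regardless of ControllerEnableSwiftStorage; 873/6000-6002 should only be reachable from the storage network`. 873 is also opened by the mysql rule in this change, so disabling either service leaves rsync reachable.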