summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorEmilien Macchi <emilien@redhat.com>2016-10-06 11:18:14 -0400
committerEmilien Macchi <emilien@redhat.com>2016-10-06 12:07:35 -0400
commit7322d60610764f728ce58d4e8a39a6c54c652643 (patch)
tree0d58f2bc7b8b4e9328806c1d8ff6217b64ef409d /puppet
parentddd4d3cd9f5012b505c1ed2c4ee6a62dde37dbaf (diff)
Enable firewalling by default on compute nodes
- Move VXLAN and VRRP rules from Neutron Server to the right services. - Enable Firewall by default on Compute nodes. Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/keepalived.yaml3
-rw-r--r--puppet/services/neutron-api.yaml5
-rw-r--r--puppet/services/neutron-l3.yaml3
-rw-r--r--puppet/services/neutron-ovs-agent.yaml6
4 files changed, 12 insertions, 5 deletions
diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml
index 2b069d67..38cfbe22 100644
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@@ -41,5 +41,8 @@ outputs:
config_settings:
tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface}
tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface}
+ tripleo.keepalived.firewall_rules:
+ '106 keepalived vrrp':
+ proto: vrrp
step_config: |
include ::tripleo::profile::base::keepalived
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index af77dc05..c2b6b6f7 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -150,11 +150,6 @@ outputs:
dport:
- 9696
- 13696
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '106 vrrp':
- proto: vrrp
neutron::server::router_distributed: {get_param: NeutronEnableDVR}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index 9e223374..a89e3d75 100644
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -67,5 +67,8 @@ outputs:
- neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
neutron::agents::l3::router_delete_namespaces: True
neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
+ tripleo.neutron_l3.firewall_rules:
+ '106 neutron_l3 vrrp':
+ proto: vrrp
step_config: |
include tripleo::profile::base::neutron::l3
diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index cbe65638..cca0deee 100644
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -117,5 +117,11 @@ outputs:
# internal_api_subnet - > IP/CIDR
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+ tripleo.neutron_ovs_agent.firewall_rules:
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '136 neutron gre networks':
+ proto: 'gre'
step_config: |
include ::tripleo::profile::base::neutron::ovs