authorDan Prince <dprince@redhat.com>2016-07-20 10:48:23 -0400
committerGiulio Fidente <gfidente@redhat.com>2016-07-25 15:24:16 +0200
commit5195d7f8910f7d1ce0895caa133b028a727f8622 (patch)
tree62ee234150359a79a0134df8dceb1d12a49f11c1 /puppet
parentf00ed98048a1a24e55dfea64171771ff73216335 (diff)
Composable firewall rules
Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services. Depends-On: Id370362ab57347b75b1ab25afda877885b047263 Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
Diffstat (limited to 'puppet')
-rw-r--r--puppet/hieradata/controller.yaml122
-rw-r--r--puppet/services/ceilometer-api.yaml8
-rw-r--r--puppet/services/ceph-mon.yaml5
-rw-r--r--puppet/services/cinder-api.yaml5
-rw-r--r--puppet/services/cinder-volume.yaml3
-rw-r--r--puppet/services/database/mongodb.yaml9
-rw-r--r--puppet/services/database/mysql.yaml9
-rw-r--r--puppet/services/database/redis.yaml5
-rw-r--r--puppet/services/glance-api.yaml5
-rw-r--r--puppet/services/glance-registry.yaml4
-rw-r--r--puppet/services/gnocchi-api.yaml5
-rw-r--r--puppet/services/haproxy.yaml4
-rw-r--r--puppet/services/heat-api-cfn.yaml5
-rw-r--r--puppet/services/heat-api-cloudwatch.yaml5
-rw-r--r--puppet/services/heat-api.yaml5
-rw-r--r--puppet/services/horizon.yaml5
-rw-r--r--puppet/services/keystone.yaml7
-rw-r--r--puppet/services/memcached.yaml3
-rw-r--r--puppet/services/neutron-dhcp.yaml8
-rw-r--r--puppet/services/neutron-server.yaml10
-rw-r--r--puppet/services/nova-api.yaml10
-rw-r--r--puppet/services/pacemaker.yaml10
-rw-r--r--puppet/services/rabbitmq.yaml6
-rw-r--r--puppet/services/sahara-api.yaml5
-rw-r--r--puppet/services/snmp.yaml4
-rw-r--r--puppet/services/swift-proxy.yaml5
-rw-r--r--puppet/services/swift-storage.yaml7
-rw-r--r--puppet/services/time/ntp.yaml4
28 files changed, 159 insertions, 124 deletions
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index 072c7c0d..3ec656dc 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
controller_classes: []
# firewall
tripleo::firewall::firewall_rules:
- '101 mongodb_config':
- dport: 27019
- '102 mongodb_sharding':
- dport: 27018
- '103 mongod':
- dport: 27017
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
- '105 ntp':
- dport: 123
- proto: udp
- '106 vrrp':
- proto: vrrp
- '107 haproxy stats':
- dport: 1993
- '108 redis':
- dport:
- - 6379
- - 26379
- '109 rabbitmq':
- dport:
- - 4369
- - 5672
- - 35672
- '110 ceph':
- dport:
- - 6789
- - '6800-6810'
- '111 keystone':
- dport:
- - 5000
- - 13000
- - 35357
- - 13357
- '112 glance':
- dport:
- - 9292
- - 9191
- - 13292
- '113 nova':
- dport:
- - 6080
- - 13080
- - 8773
- - 3773
- - 8774
- - 13774
- - 8775
- '114 neutron server':
- dport:
- - 9696
- - 13696
- '115 neutron dhcp input':
- proto: 'udp'
- dport: 67
- '116 neutron dhcp output':
- proto: 'udp'
- chain: 'OUTPUT'
- dport: 68
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '119 cinder':
- dport:
- - 8776
- - 13776
- '120 iscsi initiator':
- dport: 3260
- '121 memcached':
- dport: 11211
- '122 swift proxy':
- dport:
- - 8080
- - 13808
- '123 swift storage':
- dport:
- - 873
- - 6000
- - 6001
- - 6002
- '124 ceilometer':
- dport:
- - 8777
- - 13777
- '125 heat':
- dport:
- - 8000
- - 13800
- - 8003
- - 13003
- - 8004
- - 13004
- '126 horizon':
- dport:
- - 80
- - 443
- '127 snmp':
- dport: 161
- proto: 'udp'
'128 aodh':
dport:
- 8042
- 13042
- '129 gnocchi-api':
- dport:
- - 8041
- - 13041
- '130 pacemaker tcp':
- proto: 'tcp'
- dport:
- - 2224
- - 3121
- - 21064
- '131 pacemaker udp':
- proto: 'udp'
- dport: 5405
- '132 sahara':
- dport:
- - 8386
- - 13386
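Review bot: '128 aodh' is the only rule left in the monolithic `tripleo::firewall::firewall_rules` hash after this hunk, and nothing in the diffstat moves it to a service template, so the split is incomplete and a reader of controller.yaml cannot tell whether that is deliberate. I infer from its absence in this change that no aodh service template exists yet. A comment above the remaining entry would record the intent, e.g. `# TODO: move to the aodh composable service template once one exists; all other rules now live in puppet/services/*`.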
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 5dce7c3d..d0f3767d 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -23,6 +23,12 @@ outputs:
value:
service_name: ceilometer-api
config_settings:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - tripleo.ceilometer_api.firewall_rules:
+ '124 ceilometer':
+ dport:
+ - 8777
+ - 13777
step_config: |
include ::tripleo::profile::base::ceilometer::api
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 68a59450..257264ac 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -53,5 +53,10 @@ outputs:
- {get_param: NovaRbdPoolName}
- {get_param: GlanceRbdPoolName}
- {get_param: GnocchiRbdPoolName}
+ tripleo.ceph_mon.firewall_rules:
+ '110 ceph':
+ dport:
+ - 6789
+ - '6800-6810'
step_config: |
include ::tripleo::profile::base::ceph::mon
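Review bot: The '110 ceph' rule moved into ceph-mon.yaml keeps the `'6800-6810'` range alongside 6789, but 6789 is the monitor port while 6800-6810 is the range the OSD daemons listen on, so a node running only the mon service now opens eleven ports it has no listener for. If the OSD role has its own composable template, the range belongs there and this rule should shrink to `dport: 6789`. If it does not, a comment such as `# 6800-6810: OSD daemon range, needed only where OSDs are co-located with the mon` would at least record why it is here.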
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 0b4817ac..0cefb380 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -39,5 +39,10 @@ outputs:
cinder::api::keystone_password: {get_param: CinderPassword}
cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+ tripleo.cinder_api.firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
step_config: |
include ::tripleo::profile::base::cinder::api
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index 69a38b04..8f63ff6a 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
@@ -76,5 +76,8 @@ outputs:
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+ tripleo.cinder_volume.firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
step_config: |
include ::tripleo::profile::base::cinder::volume
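Review bot: The rule name '120 iscsi initiator' describes the wrong end of the connection: inbound 3260 is the iSCSI target listener, which cinder-volume exposes when the LVM backend is selected (see the `cinder_iscsi_helper` setting in the context lines), while the initiators are the hosts that attach volumes. The port is also opened unconditionally, so an RBD-only deployment exposes a listener port with nothing behind it. Renaming to `'120 iscsi target'` with a comment `# iSCSI target listener for the LVM backend; not needed for rbd-only deployments` makes the exposure explicit; gating the rule on the backend is a larger change I would defer.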
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index c2d36fc7..6885cfd6 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -25,5 +25,12 @@ outputs:
- get_attr: [MongoDbBase, role_data, config_settings]
- tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
mongodb::server::service_manage: True
+ tripleo.mongodb.firewall_rules:
+ '101 mongodb_config':
+ dport: 27019
+ '102 mongodb_sharding':
+ dport: 27018
+ '103 mongod':
+ dport: 27017
step_config: |
- include ::tripleo::profile::base::database::mongodb \ No newline at end of file
+ include ::tripleo::profile::base::database::mongodb
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 992dc11e..0a19b2a7 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -17,5 +17,14 @@ outputs:
value:
service_name: mysql
config_settings:
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
step_config: |
include ::tripleo::profile::base::database::mysql
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index 080f72b6..ef005f77 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -22,5 +22,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [RedisBase, role_data, config_settings]
+ - tripleo.redis.firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
step_config: |
include ::tripleo::profile::base::database::redis
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 120c57ff..ee4c17c7 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -104,5 +104,10 @@ outputs:
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
step_config: |
include ::tripleo::profile::base::glance::api
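Review bot: The numeric prefix is no longer unique now that rules are declared per service: '112 glance_api' here and '112 glance_registry' in glance-registry.yaml share 112, and the three heat templates all use 125. Ordering is by full rule name, so this still sorts deterministically, but the full name is now the only thing keeping rules distinct when the per-service hashes are merged, and two services reusing the same full name would presumably have one rule silently overwrite the other. A short comment on the first rule of each template stating the convention — `# prefix groups a service family; the full rule name must be unique across all services` — would make that contract explicit.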
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 6d2144e1..f9d9dd6b 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -49,5 +49,9 @@ outputs:
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
step_config: |
include ::tripleo::profile::base::glance::registry
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f6877632..bf23cda1 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -24,5 +24,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_api.firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
step_config: |
include ::tripleo::profile::base::gnocchi::api
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 73b40003..1a629c1d 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@@ -15,5 +15,9 @@ outputs:
description: Role data for the HAproxy role.
value:
service_name: haproxy
+ config_settings:
+ tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
step_config: |
include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index 8d237330..67c89bb9 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -40,5 +40,10 @@ outputs:
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api_cfn.firewall_rules:
+ '125 heat_cfn':
+ dport:
+ - 8000
+ - 13800
step_config: |
include ::tripleo::profile::base::heat::api_cfn
diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml
index c996cf13..32a0a58d 100644
--- a/puppet/services/heat-api-cloudwatch.yaml
+++ b/puppet/services/heat-api-cloudwatch.yaml
@@ -27,5 +27,10 @@ outputs:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+ tripleo.heat_api_cloudwatch.firewall_rules:
+ '125 heat_cloudwatch':
+ dport:
+ - 8003
+ - 13003
step_config: |
include ::tripleo::profile::base::heat::api_cloudwatch
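Review bot: The new `tripleo.heat_api_cloudwatch.firewall_rules` key is appended to the second `map_merge` entry (the mapping that already holds `heat::api_cloudwatch::workers`) rather than added as its own `- ` list item, whereas the redis and gnocchi-api hunks add their rules as a separate entry; the neutron-dhcp hunk follows this hunk's form. Both shapes produce the same merged result, but indentation is not visible on this rendering, and with the appended form a one-column slip nests the rules under the previous key instead of beside it. Using one form everywhere — the separate `- tripleo.heat_api_cloudwatch.firewall_rules:` entry is the harder to misindent — would keep the service templates uniform.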
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 41c7d9a1..0bb208d1 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -40,5 +40,10 @@ outputs:
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api.firewall_rules:
+ '125 heat_api':
+ dport:
+ - 8004
+ - 13004
step_config: |
include ::tripleo::profile::base::heat::api
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 022e3fbf..dc7ba8c9 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -31,5 +31,10 @@ outputs:
template: MECHANISMS
params:
MECHANISMS: {get_param: NeutronMechanismDrivers}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
step_config: |
include ::tripleo::profile::base::horizon
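Review bot: The added `tripleo.horizon.firewall_rules` mapping directly follows `MECHANISMS: {get_param: NeutronMechanismDrivers}`, which sits two levels down inside what looks like a `str_replace` `params:` block, and this rendering has dropped the indentation, so the page cannot confirm that the new key is dedented back to `config_settings` level. If it landed under `params:` it would be passed as a template substitution and no firewall rule would be created. Worth confirming against the raw file; placing the rule above that block instead of below it would also make the nesting obvious to the next reader.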
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 83bab349..de920de3 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -136,5 +136,12 @@ outputs:
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
step_config: |
include ::tripleo::profile::base::keystone
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
index 55f8c08e..ceb29b55 100644
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
@@ -16,5 +16,8 @@ outputs:
value:
service_name: memcached
config_settings:
+ tripleo.memcached.firewall_rules:
+ '121 memcached':
+ dport: 11211
step_config: |
include ::tripleo::profile::base::memcached
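Review bot: The '121 memcached' rule opens 11211 without a source restriction, and memcached has no authentication of its own, so any host that can reach the node on any interface can read and write the cache. This was already true in controller.yaml, but now that the rule travels with the service it is applied on every role that composes memcached, which widens where that listener is exposed. If the firewall rule hash supports a `source` key, restricting it to the internal API network is the fix; otherwise a comment `# memcached has no auth; relies on network isolation of the internal API network` should record the assumption.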
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
index 5b903eac..1c57aa45 100644
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@@ -28,5 +28,13 @@ outputs:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+ tripleo.neutron_dhcp.firewall_rules:
+ '115 neutron dhcp input':
+ proto: 'udp'
+ dport: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
step_config: |
include tripleo::profile::base::neutron::dhcp
diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml
index 61af11f9..253a6bfe 100644
--- a/puppet/services/neutron-server.yaml
+++ b/puppet/services/neutron-server.yaml
@@ -72,5 +72,15 @@ outputs:
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.neutron_server.firewall_rules:
+ '114 neutron server':
+ dport:
+ - 9696
+ - 13696
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '106 vrrp':
+ proto: vrrp
step_config: |
include tripleo::profile::base::neutron::server
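Review bot: '106 vrrp' and '118 neutron vxlan networks' are placed in neutron-server.yaml, but neither is served by the neutron API server: VRRP belongs to the L3 agent's HA routers and UDP 4789 to the tunnel endpoints of the OVS agent, so nodes running only neutron-server open them for nothing while nodes running the agents without neutron-server get no rule at all. If the L3 and OVS agents have their own composable templates, these two rules should move there; otherwise a comment noting they are parked here pending agent templates would help. The list also puts '106 vrrp' after '118', which is cosmetic but breaks the numeric order used everywhere else in this change.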
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index f6c41052..0dd8fd51 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -32,5 +32,15 @@ outputs:
nova::api::metadata_workers: {get_param: NovaWorkers}
nova::cron::archive_deleted_rows::hour: '"*/12"'
nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
step_config: |
include tripleo::profile::base::nova::api
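Review bot: The '113 nova_api' rule bundles 6080/13080 with the API ports, but those are the VNC proxy ports rather than nova-api's, and 3773 has no obvious owner. Since the intent of this change is per-service ownership, the VNC ports should move to the vncproxy template if one exists, and each non-obvious port needs a comment, e.g. `- 3773  # <document which service listens here>`. I cannot tell from the page what listens on 3773, so that comment is a placeholder for the author to fill in.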
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 3b78befe..9520cb9c 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -16,5 +16,15 @@ outputs:
value:
service_name: pacemaker
config_settings:
+ tripleo.pacemaker.firewall_rules:
+ '130 pacemaker tcp':
+ proto: 'tcp'
+ dport:
+ - 2224
+ - 3121
+ - 21064
+ '131 pacemaker udp':
+ proto: 'udp'
+ dport: 5405
step_config: |
include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 7b4b10ef..3c5909ca 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
@@ -36,5 +36,11 @@ outputs:
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {get_param: RabbitIPv6}
+ tripleo.rabbitmq.firewall_rules:
+ '109 rabbitmq':
+ dport:
+ - 4369
+ - 5672
+ - 35672
step_config: |
include ::tripleo::profile::base::rabbitmq
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index a0a98b17..c9112019 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -49,5 +49,10 @@ outputs:
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.sahara_api.firewall_rules:
+ '132 sahara':
+ dport:
+ - 8386
+ - 13386
step_config: |
include ::tripleo::profile::base::sahara::api
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 36e510b9..458f444b 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -28,5 +28,9 @@ outputs:
config_settings:
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+ tripleo.snmp.firewall_rules:
+ '127 snmp':
+ dport: 161
+ proto: 'udp'
step_config: |
include ::tripleo::profile::base::snmp
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 3ae1b01e..12165cc1 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -51,5 +51,10 @@ outputs:
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.swift_proxy.firewall_rules:
+ '122 swift proxy':
+ dport:
+ - 8080
+ - 13808
step_config: |
include ::tripleo::profile::base::swift::proxy
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 02746a95..d63dc87c 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -41,5 +41,12 @@ outputs:
# Swift
swift::storage::all::mount_check: {get_param: SwiftMountCheck}
tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+ tripleo.swift_storage.firewall_rules:
+ '123 swift storage':
+ dport:
+ - 873
+ - 6000
+ - 6001
+ - 6002
step_config: |
include ::tripleo::profile::base::swift::storage
diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml
index a0e51fec..59d25dd2 100644
--- a/puppet/services/time/ntp.yaml
+++ b/puppet/services/time/ntp.yaml
@@ -24,5 +24,9 @@ outputs:
service_name: ntp
config_settings:
ntp::ntpservers: {get_param: NtpServer}
+ tripleo.ntp.firewall_rules:
+ '105 ntp':
+ dport: 123
+ proto: udp
step_config: |
include ::ntp
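Review bot: `proto: udp` at the end of this hunk is the only unquoted protocol value in the change apart from `proto: vrrp` in neutron-server.yaml; snmp.yaml, neutron-dhcp.yaml and pacemaker.yaml all write `proto: 'udp'`. Both parse to the same string, so this is style only, but one form should be used across the service templates, and quoting is the safer habit for values that may later be templated. Change to `proto: 'udp'`.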