summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--docker/compute-post.yaml2
-rw-r--r--environments/docker-rdo.yaml19
-rw-r--r--environments/manage-firewall.yaml2
-rw-r--r--environments/updates/README.md9
-rw-r--r--environments/updates/update-from-keystone-admin-internal-api.yaml33
-rw-r--r--overcloud-without-mergepy.yaml10
-rw-r--r--puppet/controller.yaml13
-rw-r--r--puppet/hieradata/controller.yaml106
-rw-r--r--puppet/manifests/overcloud_cephstorage.pp1
-rw-r--r--puppet/manifests/overcloud_compute.pp1
-rw-r--r--puppet/manifests/overcloud_controller.pp1
-rw-r--r--puppet/manifests/overcloud_controller_pacemaker.pp1
-rw-r--r--puppet/manifests/overcloud_object.pp1
-rw-r--r--puppet/manifests/overcloud_volume.pp1
14 files changed, 189 insertions, 11 deletions
diff --git a/docker/compute-post.yaml b/docker/compute-post.yaml
index 1dc7be16..a6607fd9 100644
--- a/docker/compute-post.yaml
+++ b/docker/compute-post.yaml
@@ -11,7 +11,7 @@ parameters:
description: Value which changes if the node configuration may need to be re-applied
DockerNamespace:
type: string
- default: kollaglue
+ default: tripleoupstream
DockerComputeImage:
type: string
DockerComputeDataImage:
diff --git a/environments/docker-rdo.yaml b/environments/docker-rdo.yaml
index 23f318bf..66824feb 100644
--- a/environments/docker-rdo.yaml
+++ b/environments/docker-rdo.yaml
@@ -7,18 +7,17 @@ resource_registry:
parameters:
NovaImage: atomic-image
-# FIXME: When Kolla cuts liberty tag we can use kollaglue registry
parameter_defaults:
- # Defaults to kollaglue. Specify a local docker registry
+ # Defaults to 'tripleoupstream'. Specify a local docker registry
# Example: 192.168.122.131:8787
- DockerNamespace: kollaglue
+ DockerNamespace: tripleoupstream
# Enable local Docker registry
DockerNamespaceIsRegistry: false
# Compute Node Images
- DockerComputeImage: centos-binary-nova-compute:liberty
- DockerComputeDataImage: centos-binary-data:liberty
- DockerLibvirtImage: centos-binary-nova-libvirt:liberty
- DockerNeutronAgentImage: centos-binary-neutron-agents:liberty
- DockerOpenvswitchImage: centos-binary-neutron-openvswitch-agent:liberty
- DockerOvsVswitchdImage: centos-binary-openvswitch-vswitchd:liberty
- DockerOpenvswitchDBImage: centos-binary-openvswitch-db-server:liberty
+ DockerComputeImage: centos-binary-nova-compute:latest
+ DockerComputeDataImage: centos-binary-data:latest
+ DockerLibvirtImage: centos-binary-nova-libvirt:latest
+ DockerNeutronAgentImage: centos-binary-neutron-agents:latest
+ DockerOpenvswitchImage: centos-binary-neutron-openvswitch-agent:latest
+ DockerOvsVswitchdImage: centos-binary-openvswitch-vswitchd:latest
+ DockerOpenvswitchDBImage: centos-binary-openvswitch-db-server:latest
diff --git a/environments/manage-firewall.yaml b/environments/manage-firewall.yaml
new file mode 100644
index 00000000..071f4108
--- /dev/null
+++ b/environments/manage-firewall.yaml
@@ -0,0 +1,2 @@
+parameters:
+ ManageFirewall: true
diff --git a/environments/updates/README.md b/environments/updates/README.md
new file mode 100644
index 00000000..8c03411d
--- /dev/null
+++ b/environments/updates/README.md
@@ -0,0 +1,9 @@
+This directory contains Heat environment file snippets which can
+be used to ensure smooth updates of the Overcloud.
+
+Contents
+--------
+
+**update-from-keystone-admin-internal-api.yaml**
+ To be used if the Keystone Admin API was originally deployed on the
+ Internal API network.
diff --git a/environments/updates/update-from-keystone-admin-internal-api.yaml b/environments/updates/update-from-keystone-admin-internal-api.yaml
new file mode 100644
index 00000000..3c71ef1b
--- /dev/null
+++ b/environments/updates/update-from-keystone-admin-internal-api.yaml
@@ -0,0 +1,33 @@
+# This environment file provides a default value for ServiceNetMap where
+# Keystone Admin API service is running on the Internal API network
+
+parameters:
+ ServiceNetMap:
+ NeutronTenantNetwork: tenant
+ CeilometerApiNetwork: internal_api
+ MongoDbNetwork: internal_api
+ CinderApiNetwork: internal_api
+ CinderIscsiNetwork: storage
+ GlanceApiNetwork: storage
+ GlanceRegistryNetwork: internal_api
+ KeystoneAdminApiNetwork: internal_api
+ KeystonePublicApiNetwork: internal_api
+ NeutronApiNetwork: internal_api
+ HeatApiNetwork: internal_api
+ NovaApiNetwork: internal_api
+ NovaMetadataNetwork: internal_api
+ NovaVncProxyNetwork: internal_api
+ SwiftMgmtNetwork: storage_mgmt
+ SwiftProxyNetwork: storage
+ HorizonNetwork: internal_api
+ MemcachedNetwork: internal_api
+ RabbitMqNetwork: internal_api
+ RedisNetwork: internal_api
+ MysqlNetwork: internal_api
+ CephClusterNetwork: storage_mgmt
+ CephPublicNetwork: storage
+ ControllerHostnameResolveNetwork: internal_api
+ ComputeHostnameResolveNetwork: internal_api
+ BlockStorageHostnameResolveNetwork: internal_api
+ ObjectStorageHostnameResolveNetwork: internal_api
+ CephStorageHostnameResolveNetwork: storage
diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml
index f679c6bb..8efdc173 100644
--- a/overcloud-without-mergepy.yaml
+++ b/overcloud-without-mergepy.yaml
@@ -457,6 +457,14 @@ parameters:
type: string
constraints:
- allowed_values: [ 'basic', 'cadf' ]
+ ManageFirewall:
+ default: false
+ description: Whether to manage IPtables rules.
+ type: boolean
+ PurgeFirewallRules:
+ default: false
+ description: Whether IPtables rules should be purged before setting up the ones.
+ type: boolean
MysqlInnodbBufferPoolSize:
description: >
Specifies the size of the buffer pool in megabytes. Setting to
@@ -811,6 +819,8 @@ resources:
ControllerExtraConfig: {get_param: controllerExtraConfig}
Debug: {get_param: Debug}
EnableFencing: {get_param: EnableFencing}
+ ManageFirewall: {get_param: ManageFirewall}
+ PurgeFirewallRules: {get_param: PurgeFirewallRules}
EnableGalera: {get_param: EnableGalera}
EnableCephStorage: {get_param: ControllerEnableCephStorage}
EnableSwiftStorage: {get_param: ControllerEnableSwiftStorage}
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 0c921eb6..d47e013e 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -278,6 +278,14 @@ parameters:
type: string
default: 'regionOne'
description: Keystone region for endpoint
+ ManageFirewall:
+ default: false
+ description: Whether to manage IPtables rules.
+ type: boolean
+ PurgeFirewallRules:
+ default: false
+ description: Whether IPtables rules should be purged before setting up the new ones.
+ type: boolean
MysqlClusterUniquePart:
description: A unique identifier of the MySQL cluster the controller is in.
type: string
@@ -825,6 +833,8 @@ resources:
enable_galera: {get_param: EnableGalera}
enable_ceph_storage: {get_param: EnableCephStorage}
enable_swift_storage: {get_param: EnableSwiftStorage}
+ manage_firewall: {get_param: ManageFirewall}
+ purge_firewall_rules: {get_param: PurgeFirewallRules}
mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
mysql_max_connections: {get_param: MysqlMaxConnections}
mysql_root_password: {get_param: MysqlRootPassword}
@@ -1280,6 +1290,9 @@ resources:
# Redis
redis::bind: {get_input: redis_network}
redis_vip: {get_input: redis_vip}
+ # Firewall
+ tripleo::firewall::manage_firewall: {get_input: manage_firewall}
+ tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
# Misc
memcached::listen_ip: {get_input: memcached_network}
neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
index a4914c0e..f42ddf6c 100644
--- a/puppet/hieradata/controller.yaml
+++ b/puppet/hieradata/controller.yaml
@@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true
tripleo::loadbalancer::horizon: true
controller_classes: []
+# firewall
+tripleo::firewall::firewall_rules:
+ '101 mongodb_config':
+ port: 27019
+ '102 mongodb_sharding':
+ port: 27018
+ '103 mongod':
+ port: 27017
+ '104 mysql galera':
+ port:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
+ '105 ntp':
+ port: 123
+ proto: udp
+ '106 vrrp':
+ proto: vrrp
+ '107 haproxy stats':
+ port: 1993
+ '108 redis':
+ port:
+ - 6379
+ - 26379
+ '109 rabbitmq':
+ port:
+ - 5672
+ - 35672
+ '110 ceph':
+ port:
+ - 6789
+ - '6800-6810'
+ '111 keystone':
+ port:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
+ '112 glance':
+ port:
+ - 9292
+ - 9191
+ - 13292
+ '113 nova':
+ port:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
+ '114 neutron server':
+ port:
+ - 9696
+ - 13696
+ '115 neutron dhcp input':
+ proto: 'udp'
+ port: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ port: 68
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ port: 4789
+ '119 cinder':
+ port:
+ - 8776
+ - 13776
+ '120 iscsi initiator':
+ port: 3260
+ '121 memcached':
+ port: 11211
+ '122 swift proxy':
+ port:
+ - 8080
+ - 13808
+ '123 swift storage':
+ port:
+ - 873
+ - 6000
+ - 6001
+ - 6002
+ '124 ceilometer':
+ port:
+ - 8777
+ - 13777
+ '125 heat':
+ port:
+ - 8000
+ - 13800
+ - 8003
+ - 13003
+ - 8004
+ - 13004
+ '126 horizon':
+ port:
+ - 80
+ - 443
+ '127 snmp':
+ port: 161
+ proto: 'udp'
diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp
index 51f5e88d..7f8970cc 100644
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_compute.pp b/puppet/manifests/overcloud_compute.pp
index cd41cc79..58182346 100644
--- a/puppet/manifests/overcloud_compute.pp
+++ b/puppet/manifests/overcloud_compute.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index 570c43ba..f758c55a 100644
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
if hiera('step') >= 1 {
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 2a3f1f92..95b7992c 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -19,6 +19,7 @@ Pcmk_resource <| |> {
}
include ::tripleo::packages
+include ::tripleo::firewall
if $::hostname == downcase(hiera('bootstrap_nodeid')) {
$pacemaker_master = true
diff --git a/puppet/manifests/overcloud_object.pp b/puppet/manifests/overcloud_object.pp
index 5f0b4c82..1eabddf1 100644
--- a/puppet/manifests/overcloud_object.pp
+++ b/puppet/manifests/overcloud_object.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})
diff --git a/puppet/manifests/overcloud_volume.pp b/puppet/manifests/overcloud_volume.pp
index 7f24959a..2bdd8a9c 100644
--- a/puppet/manifests/overcloud_volume.pp
+++ b/puppet/manifests/overcloud_volume.pp
@@ -14,6 +14,7 @@
# under the License.
include ::tripleo::packages
+include ::tripleo::firewall
create_resources(sysctl::value, hiera('sysctl_settings'), {})