From 5195d7f8910f7d1ce0895caa133b028a727f8622 Mon Sep 17 00:00:00 2001
From: Dan Prince
Date: Wed, 20 Jul 2016 10:48:23 -0400
Subject: Composable firewall rules

Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services

Depends-On: Id370362ab57347b75b1ab25afda877885b047263
Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
---
 puppet/services/ceilometer-api.yaml | 8 +++++++-
 puppet/services/ceph-mon.yaml | 5 +++++
 puppet/services/cinder-api.yaml | 5 +++++
 puppet/services/cinder-volume.yaml | 3 +++
 puppet/services/database/mongodb.yaml | 9 ++++++++-
 puppet/services/database/mysql.yaml | 9 +++++++++
 puppet/services/database/redis.yaml | 5 +++++
 puppet/services/glance-api.yaml | 5 +++++
 puppet/services/glance-registry.yaml | 4 ++++
 puppet/services/gnocchi-api.yaml | 5 +++++
 puppet/services/haproxy.yaml | 4 ++++
 puppet/services/heat-api-cfn.yaml | 5 +++++
 puppet/services/heat-api-cloudwatch.yaml | 5 +++++
 puppet/services/heat-api.yaml | 5 +++++
 puppet/services/horizon.yaml | 5 +++++
 puppet/services/keystone.yaml | 7 +++++++
 puppet/services/memcached.yaml | 3 +++
 puppet/services/neutron-dhcp.yaml | 8 ++++++++
 puppet/services/neutron-server.yaml | 10 ++++++++++
 puppet/services/nova-api.yaml | 10 ++++++++++
 puppet/services/pacemaker.yaml | 10 ++++++++++
 puppet/services/rabbitmq.yaml | 6 ++++++
 puppet/services/sahara-api.yaml | 5 +++++
 puppet/services/snmp.yaml | 4 ++++
 puppet/services/swift-proxy.yaml | 5 +++++
 puppet/services/swift-storage.yaml | 7 +++++++
 puppet/services/time/ntp.yaml | 4 ++++
 27 files changed, 159 insertions(+), 2 deletions(-)
(limited to 'puppet/services')
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
index 5dce7c3d..d0f3767d 100644
--- a/puppet/services/ceilometer-api.yaml
+++ b/puppet/services/ceilometer-api.yaml
@@ -23,6 +23,12 @@ outputs:
 value:
 service_name: ceilometer-api
 config_settings:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - tripleo.ceilometer_api.firewall_rules:
+ '124 ceilometer':
+ dport:
+ - 8777
+ - 13777
 step_config: |
 include ::tripleo::profile::base::ceilometer::api
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
index 68a59450..257264ac 100644
--- a/puppet/services/ceph-mon.yaml
+++ b/puppet/services/ceph-mon.yaml
@@ -53,5 +53,10 @@ outputs:
 - {get_param: NovaRbdPoolName}
 - {get_param: GlanceRbdPoolName}
 - {get_param: GnocchiRbdPoolName}
+ tripleo.ceph_mon.firewall_rules:
+ '110 ceph':
+ dport:
+ - 6789
+ - '6800-6810'
 step_config: |
 include ::tripleo::profile::base::ceph::mon
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
index 0b4817ac..0cefb380 100644
--- a/puppet/services/cinder-api.yaml
+++ b/puppet/services/cinder-api.yaml
@@ -39,5 +39,10 @@ outputs:
 cinder::api::keystone_password: {get_param: CinderPassword}
 cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
 tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+ tripleo.cinder_api.firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
 step_config: |
 include ::tripleo::profile::base::cinder::api
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
index 69a38b04..8f63ff6a 100644
--- a/puppet/services/cinder-volume.yaml
+++ b/puppet/services/cinder-volume.yaml
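Review bot: None of the firewall_rules hashes added in this commit carry a `source` or `destination` key, so every port listed under `tripleo.ceilometer_api.firewall_rules` here, and likewise in the mysql, redis, mongodb, memcached, rabbitmq, keystone, haproxy, pacemaker and swift-storage hunks, is accepted from any address on every interface once the rule is applied. That is presumably a straight move from the monolithic hieradata, but the per-service layout is exactly where cluster-internal listeners can be scoped to the network they are served on; the puppet-tripleo `tripleo::firewall::rule` define that consumes these hashes accepts `source`, so something like `source: <internal_api_cidr placeholder>` on the internal-only rules would close the gap without changing the template structure. Rules that omit `proto` rely on the define's default, which I believe is tcp; since neither that nor the key naming is documented in these templates, a comment on this first rule would help, e.g. `# tripleo.<service_name, hyphens as underscores>.firewall_rules is collected by tripleo::firewall; proto defaults to tcp and no source restriction is applied unless given`.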
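Review bot: The `'110 ceph'` rule opens `'6800-6810'` next to the monitor port 6789, but that range belongs to the OSD/daemon listeners rather than to the mon itself; on a role that runs only ceph-mon it is surplus exposure, and on a role that also runs OSDs it may be narrower than what several OSDs bind. Keeping this rule at `- 6789` and placing the daemon range with the service that runs the OSDs, with a comment naming which daemons use it, would make the exposure match the process. The config_settings list these context lines belong to starts above the hunk.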
@@ -76,5 +76,8 @@ outputs:
 tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
 tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+ tripleo.cinder_volume.firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
 step_config: |
 include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
index c2d36fc7..6885cfd6 100644
--- a/puppet/services/database/mongodb.yaml
+++ b/puppet/services/database/mongodb.yaml
@@ -25,5 +25,12 @@ outputs:
 - get_attr: [MongoDbBase, role_data, config_settings]
 - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
 mongodb::server::service_manage: True
+ tripleo.mongodb.firewall_rules:
+ '101 mongodb_config':
+ dport: 27019
+ '102 mongodb_sharding':
+ dport: 27018
+ '103 mongod':
+ dport: 27017
 step_config: |
- include ::tripleo::profile::base::database::mongodb
\ No newline at end of file
+ include ::tripleo::profile::base::database::mongodb
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
index 992dc11e..0a19b2a7 100644
--- a/puppet/services/database/mysql.yaml
+++ b/puppet/services/database/mysql.yaml
@@ -17,5 +17,14 @@ outputs:
 value:
 service_name: mysql
 config_settings:
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
 step_config: |
 include ::tripleo::profile::base::database::mysql
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index 080f72b6..ef005f77 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
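Review bot: The rule title `'120 iscsi initiator'` does not describe what the rule does: an inbound accept on 3260 serves the iSCSI target through which cinder-volume exports LVM-backed volumes, not an initiator, and the misleading name will be what operators see in the generated iptables rules. Suggest `'120 iscsi target':` with a comment such as `# listener of the iSCSI helper selected by CinderISCSIHelper; only needed for LVM/iSCSI backends`, since the context line shows the helper is configurable and an RBD-only deployment does not need this port open at all.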
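Review bot: `'104 mysql galera'` puts the client port 3306 in the same rule as the replication and state-transfer ports 873, 4444, 4567, 4568 and the clustercheck listener 9200, so those cluster-internal ports inherit whatever reach the client port has. The last five are only ever contacted by the other galera members and by the load balancer, so a second rule for them with `source:` limited to the internal API network would keep a full-database SST from being reachable beyond the cluster. A comment naming each port, e.g. `# 873 rsync SST, 4444 SST, 4567 replication, 4568 IST, 9200 clustercheck`, would also make the rule auditable without a trip to the galera docs.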
@@ -22,5 +22,10 @@ outputs:
 config_settings:
 map_merge:
 - get_attr: [RedisBase, role_data, config_settings]
+ - tripleo.redis.firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
 step_config: |
 include ::tripleo::profile::base::database::redis
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index 120c57ff..ee4c17c7 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -104,5 +104,10 @@ outputs:
 glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
 glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
 glance::keystone::auth::password: {get_param: GlancePassword }
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
 step_config: |
 include ::tripleo::profile::base::glance::api
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
index 6d2144e1..f9d9dd6b 100644
--- a/puppet/services/glance-registry.yaml
+++ b/puppet/services/glance-registry.yaml
@@ -49,5 +49,9 @@ outputs:
 - '%'
 - "%{hiera('mysql_bind_host')}"
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
 step_config: |
 include ::tripleo::profile::base::glance::registry
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
index f6877632..bf23cda1 100644
--- a/puppet/services/gnocchi-api.yaml
+++ b/puppet/services/gnocchi-api.yaml
@@ -24,5 +24,10 @@ outputs:
 config_settings:
 map_merge:
 - get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_api.firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
 step_config: |
 include ::tripleo::profile::base::gnocchi::api
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 73b40003..1a629c1d 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
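Review bot: In the glance-registry hunk, `dport:` under `'112 glance_registry'` is a one-element list while the memcached, haproxy and cinder-volume hunks write a single port as a scalar (`dport: 11211`); one form for single ports would read better, e.g. `dport: 9191`. The rule also reuses the numeric prefix of `'112 glance_api'`; the titles stay distinct so nothing collides, and as far as I know the number only influences rule ordering, but a distinct prefix keeps the rendered rule set easy to scan. The old-side count of this hunk header is 5 while only four context lines survived on this page, so one context line appears to have been lost in rendering rather than in the patch.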
@@ -15,5 +15,9 @@ outputs:
 description: Role data for the HAproxy role.
 value:
 service_name: haproxy
+ config_settings:
+ tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
 step_config: |
 include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
index 8d237330..67c89bb9 100644
--- a/puppet/services/heat-api-cfn.yaml
+++ b/puppet/services/heat-api-cfn.yaml
@@ -40,5 +40,10 @@ outputs:
 heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
 heat::keystone::auth_cfn::password: {get_param: HeatPassword}
 heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api_cfn.firewall_rules:
+ '125 heat_cfn':
+ dport:
+ - 8000
+ - 13800
 step_config: |
 include ::tripleo::profile::base::heat::api_cfn
diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml
index c996cf13..32a0a58d 100644
--- a/puppet/services/heat-api-cloudwatch.yaml
+++ b/puppet/services/heat-api-cloudwatch.yaml
@@ -27,5 +27,10 @@ outputs:
 map_merge:
 - get_attr: [HeatBase, role_data, config_settings]
 - heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+ tripleo.heat_api_cloudwatch.firewall_rules:
+ '125 heat_cloudwatch':
+ dport:
+ - 8003
+ - 13003
 step_config: |
 include ::tripleo::profile::base::heat::api_cloudwatch
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
index 41c7d9a1..0bb208d1 100644
--- a/puppet/services/heat-api.yaml
+++ b/puppet/services/heat-api.yaml
@@ -40,5 +40,10 @@ outputs:
 heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
 heat::keystone::auth::password: {get_param: HeatPassword}
 heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api.firewall_rules:
+ '125 heat_api':
+ dport:
+ - 8004
+ - 13004
 step_config: |
 include ::tripleo::profile::base::heat::api
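Review bot: `'107 haproxy stats'` accepts 1993 from any source, and that port is the HAProxy statistics page, which is presumably guarded only by the stats credentials configured elsewhere in the deployment. Only operators need it, so this rule is the clearest candidate in the series for a `source:` pinned to the management network, or for being dropped in favour of reading stats from the host itself; a comment such as `# haproxy stats UI; operator access only` would record the intent either way. The hunk also introduces `config_settings:` for this service for the first time, which is fine but deserves a line in the commit message.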
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
index 022e3fbf..dc7ba8c9 100644
--- a/puppet/services/horizon.yaml
+++ b/puppet/services/horizon.yaml
@@ -31,5 +31,10 @@ outputs:
 template: MECHANISMS
 params:
 MECHANISMS: {get_param: NeutronMechanismDrivers}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
 step_config: |
 include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 83bab349..de920de3 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -136,5 +136,12 @@ outputs:
 keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
 # override via extraconfig:
 keystone::wsgi::apache::threads: 1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
 step_config: |
 include ::tripleo::profile::base::keystone
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
index 55f8c08e..ceb29b55 100644
--- a/puppet/services/memcached.yaml
+++ b/puppet/services/memcached.yaml
@@ -16,5 +16,8 @@ outputs:
 value:
 service_name: memcached
 config_settings:
+ tripleo.memcached.firewall_rules:
+ '121 memcached':
+ dport: 11211
 step_config: |
 include ::tripleo::profile::base::memcached
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
index 5b903eac..1c57aa45 100644
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
@@ -28,5 +28,13 @@ outputs:
 map_merge:
 - get_attr: [NeutronBase, role_data, config_settings]
 - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+ tripleo.neutron_dhcp.firewall_rules:
+ '115 neutron dhcp input':
+ proto: 'udp'
+ dport: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
 step_config: |
 include tripleo::profile::base::neutron::dhcp
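Review bot: In the keystone hunk, `'111 keystone'` admits the admin API ports 35357 and 13357 from any source in the same rule as the public 5000/13000 ports. The admin endpoint is consumed only from inside the deployment, so a separate rule such as `'111 keystone admin':` / `dport: [35357, 13357]` / `source: <internal_api_cidr placeholder>` would keep the externally reachable surface at the public ports without touching the template structure. The context line `# override via extraconfig:` directly above the new block refers to the threads setting, not to the firewall rules, so a blank line or a short comment before `tripleo.keystone.firewall_rules:` would avoid the misreading.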
diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml
index 61af11f9..253a6bfe 100644
--- a/puppet/services/neutron-server.yaml
+++ b/puppet/services/neutron-server.yaml
@@ -72,5 +72,15 @@ outputs:
 neutron::db::mysql::allowed_hosts:
 - '%'
 - "%{hiera('mysql_bind_host')}"
+ tripleo.neutron_server.firewall_rules:
+ '114 neutron server':
+ dport:
+ - 9696
+ - 13696
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '106 vrrp':
+ proto: vrrp
 step_config: |
 include tripleo::profile::base::neutron::server
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index f6c41052..0dd8fd51 100644
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -32,5 +32,15 @@ outputs:
 nova::api::metadata_workers: {get_param: NovaWorkers}
 nova::cron::archive_deleted_rows::hour: '"*/12"'
 nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
 step_config: |
 include tripleo::profile::base::nova::api
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 3b78befe..9520cb9c 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
@@ -16,5 +16,15 @@ outputs:
 value:
 service_name: pacemaker
 config_settings:
+ tripleo.pacemaker.firewall_rules:
+ '130 pacemaker tcp':
+ proto: 'tcp'
+ dport:
+ - 2224
+ - 3121
+ - 21064
+ '131 pacemaker udp':
+ proto: 'udp'
+ dport: 5405
 step_config: |
 include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
index 7b4b10ef..3c5909ca 100644
--- a/puppet/services/rabbitmq.yaml
+++ b/puppet/services/rabbitmq.yaml
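Review bot: `'118 neutron vxlan networks'` (4789/udp) and `'106 vrrp'` are data-plane accepts for the tunnel endpoint and the L3 HA keepalived instances, yet they are attached to neutron-server, whose own listener, as far as this hunk shows, is only the API on 9696/13696. Any role that runs neutron-server without the agents gets those accepts for nothing, and a role that runs only the agents gets none of them, so they belong with the agent services that actually run the tunnel endpoint and keepalived, with `source:` on the 4789 rule limited to the tunnel network. The vrrp rule has no `dport`, which is correct for a non-TCP/UDP protocol, but it is worth confirming that the puppet-tripleo define this change Depends-On accepts a rule without one; a comment such as `# VRRP for neutron L3 HA routers` would also explain why protocol 112 is open.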
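Review bot: In the nova-api hunk, `3773` in the `'113 nova_api'` dport list does not fit the pattern of the other entries, which pair each service port with its 13xxx TLS-terminated counterpart (6080/13080, 8774/13774); for the EC2 API on 8773 the counterpart would be 13773. If 13773 was intended, the TLS endpoint is currently blocked and an unrelated port is opened instead; if 3773 is deliberate, it needs a comment saying what listens there. This looks carried over from the hieradata being split, so it is worth checking against that file before merging rather than fixing blind.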
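Review bot: In the pacemaker hunk, `'130 pacemaker tcp'` and `'131 pacemaker udp'` accept the cluster ports from any source. The cluster stack authenticates its peers with a shared key and pcsd with its own credentials, but none of these listeners is meant to be reachable from tenant or external networks, so a `source:` on both rules pinned to the internal API network is cheap insurance. A comment naming each port, e.g. `# 2224 pcsd, 3121 pacemaker_remote, 21064 dlm; 5405/udp corosync`, would save the next reviewer a lookup.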
@@ -36,5 +36,11 @@ outputs:
 rabbitmq::default_user: {get_param: RabbitUserName}
 rabbitmq::default_pass: {get_param: RabbitPassword}
 rabbit_ipv6: {get_param: RabbitIPv6}
+ tripleo.rabbitmq.firewall_rules:
+ '109 rabbitmq':
+ dport:
+ - 4369
+ - 5672
+ - 35672
 step_config: |
 include ::tripleo::profile::base::rabbitmq
diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml
index a0a98b17..c9112019 100644
--- a/puppet/services/sahara-api.yaml
+++ b/puppet/services/sahara-api.yaml
@@ -49,5 +49,10 @@ outputs:
 sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
 sahara::keystone::auth::password: {get_param: SaharaPassword }
 sahara::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.sahara_api.firewall_rules:
+ '132 sahara':
+ dport:
+ - 8386
+ - 13386
 step_config: |
 include ::tripleo::profile::base::sahara::api
diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml
index 36e510b9..458f444b 100644
--- a/puppet/services/snmp.yaml
+++ b/puppet/services/snmp.yaml
@@ -28,5 +28,9 @@ outputs:
 config_settings:
 snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
 snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+ tripleo.snmp.firewall_rules:
+ '127 snmp':
+ dport: 161
+ proto: 'udp'
 step_config: |
 include ::tripleo::profile::base::snmp
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index 3ae1b01e..12165cc1 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -51,5 +51,10 @@ outputs:
 swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
 swift::keystone::auth::password: {get_param: SwiftPassword}
 swift::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.swift_proxy.firewall_rules:
+ '122 swift proxy':
+ dport:
+ - 8080
+ - 13808
 step_config: |
 include ::tripleo::profile::base::swift::proxy
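Review bot: `'109 rabbitmq'` groups the client port 5672 with epmd 4369 and the Erlang distribution port 35672 in one rule, so the two cluster-internal ports get whatever reach the AMQP port has. Erlang distribution is protected only by the shared cookie, so 4369 and 35672 should sit in their own rule with `source:` restricted to the other brokers or the internal API network, and a comment such as `# 4369 epmd, 35672 erlang distribution: cluster-internal only` would document why they are separated from 5672.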
diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml
index 02746a95..d63dc87c 100644
--- a/puppet/services/swift-storage.yaml
+++ b/puppet/services/swift-storage.yaml
@@ -41,5 +41,12 @@ outputs:
 # Swift
 swift::storage::all::mount_check: {get_param: SwiftMountCheck}
 tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+ tripleo.swift_storage.firewall_rules:
+ '123 swift storage':
+ dport:
+ - 873
+ - 6000
+ - 6001
+ - 6002
 step_config: |
 include ::tripleo::profile::base::swift::storage
diff --git a/puppet/services/time/ntp.yaml b/puppet/services/time/ntp.yaml
index a0e51fec..59d25dd2 100644
--- a/puppet/services/time/ntp.yaml
+++ b/puppet/services/time/ntp.yaml
@@ -24,5 +24,9 @@ outputs:
 service_name: ntp
 config_settings:
 ntp::ntpservers: {get_param: NtpServer}
+ tripleo.ntp.firewall_rules:
+ '105 ntp':
+ dport: 123
+ proto: udp
 step_config: |
 include ::ntp
-- 
cgit 1.2.3-korg
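Review bot: In the ntp hunk, `'105 ntp'` opens 123/udp inbound from any source, which is only required if this node serves time to other hosts; a node that merely polls the servers in the `ntp::ntpservers` context line gets its replies through the established-flow accept that I assume the base rule set carries, so the rule may be opening a listener nobody needs. If serving time is intended, a comment such as `# inbound NTP: only needed when this node acts as a time source for other hosts` plus a `source:` limited to the networks it serves would make that explicit. As a point of style, this hunk and the snmp hunk put `dport` before `proto` and write the protocol unquoted (`proto: udp`) where neutron-dhcp and pacemaker write `proto: 'udp'` first; one ordering and one quoting style across the series would help.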