Composable firewall rules

Split out the firewall rules in puppet/hieradata/controller.yaml into the composable services Depends-On: Id370362ab57347b75b1ab25afda877885b047263 Change-Id: Icaecab100d3f278035fbbb3facb9bf6c62c76c03
openstack-archive · Jul 25, 2016 · 5195d7f · 5195d7f
1 parent f00ed98
commit 5195d7f
Show file tree

Hide file tree

Showing 28 changed files with 159 additions and 124 deletions.
diff --git a/puppet/hieradata/controller.yaml b/puppet/hieradata/controller.yaml
@@ -184,129 +184,7 @@ tripleo::haproxy::horizon: true
 controller_classes: []
 # firewall
 tripleo::firewall::firewall_rules:
-  '101 mongodb_config':
-    dport: 27019
-  '102 mongodb_sharding':
-    dport: 27018
-  '103 mongod':
-    dport: 27017
-  '104 mysql galera':
-    dport:
-      - 873
-      - 3306
-      - 4444
-      - 4567
-      - 4568
-      - 9200
-  '105 ntp':
-    dport: 123
-    proto: udp
-  '106 vrrp':
-    proto: vrrp
-  '107 haproxy stats':
-    dport: 1993
-  '108 redis':
-    dport:
-      - 6379
-      - 26379
-  '109 rabbitmq':
-    dport:
-      - 4369
-      - 5672
-      - 35672
-  '110 ceph':
-    dport:
-      - 6789
-      - '6800-6810'
-  '111 keystone':
-    dport:
-      - 5000
-      - 13000
-      - 35357
-      - 13357
-  '112 glance':
-    dport:
-      - 9292
-      - 9191
-      - 13292
-  '113 nova':
-    dport:
-      - 6080
-      - 13080
-      - 8773
-      - 3773
-      - 8774
-      - 13774
-      - 8775
-  '114 neutron server':
-    dport:
-      - 9696
-      - 13696
-  '115 neutron dhcp input':
-    proto: 'udp'
-    dport: 67
-  '116 neutron dhcp output':
-    proto: 'udp'
-    chain: 'OUTPUT'
-    dport: 68
-  '118 neutron vxlan networks':
-    proto: 'udp'
-    dport: 4789
-  '119 cinder':
-    dport:
-      - 8776
-      - 13776
-  '120 iscsi initiator':
-    dport: 3260
-  '121 memcached':
-    dport: 11211
-  '122 swift proxy':
-    dport:
-      - 8080
-      - 13808
-  '123 swift storage':
-    dport:
-      - 873
-      - 6000
-      - 6001
-      - 6002
-  '124 ceilometer':
-    dport:
-      - 8777
-      - 13777
-  '125 heat':
-    dport:
-      - 8000
-      - 13800
-      - 8003
-      - 13003
-      - 8004
-      - 13004
-  '126 horizon':
-    dport:
-      - 80
-      - 443
-  '127 snmp':
-    dport: 161
-    proto: 'udp'
   '128 aodh':
     dport:
       - 8042
       - 13042
-  '129 gnocchi-api':
-    dport:
-      - 8041
-      - 13041
-  '130 pacemaker tcp':
-    proto: 'tcp'
-    dport:
-      - 2224
-      - 3121
-      - 21064
-  '131 pacemaker udp':
-    proto: 'udp'
-    dport: 5405
-  '132 sahara':
-    dport:
-      - 8386
-      - 13386
diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml
@@ -23,6 +23,12 @@ outputs:
     value:
       service_name: ceilometer-api
       config_settings:
-        get_attr: [CeilometerServiceBase, role_data, config_settings]
+        map_merge:
+          - get_attr: [CeilometerServiceBase, role_data, config_settings]
+          - tripleo.ceilometer_api.firewall_rules:
+              '124 ceilometer':
+                dport:
+                  - 8777
+                  - 13777
       step_config: |
         include ::tripleo::profile::base::ceilometer::api
diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml
@@ -53,5 +53,10 @@ outputs:
               - {get_param: NovaRbdPoolName}
               - {get_param: GlanceRbdPoolName}
               - {get_param: GnocchiRbdPoolName}
+            tripleo.ceph_mon.firewall_rules:
+              '110 ceph':
+                dport:
+                  - 6789
+                  - '6800-6810'
       step_config: |
         include ::tripleo::profile::base::ceph::mon
diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml
@@ -39,5 +39,10 @@ outputs:
             cinder::api::keystone_password: {get_param: CinderPassword}
             cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
             tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+            tripleo.cinder_api.firewall_rules:
+              '119 cinder':
+                dport:
+                  - 8776
+                  - 13776
       step_config: |
         include ::tripleo::profile::base::cinder::api
diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml
@@ -76,5 +76,8 @@ outputs:
             tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
             tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+            tripleo.cinder_volume.firewall_rules:
+              '120 iscsi initiator':
+                dport: 3260
       step_config: |
         include ::tripleo::profile::base::cinder::volume
diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml
@@ -25,5 +25,12 @@ outputs:
           - get_attr: [MongoDbBase, role_data, config_settings]
           - tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
             mongodb::server::service_manage: True
+            tripleo.mongodb.firewall_rules:
+              '101 mongodb_config':
+                dport: 27019
+              '102 mongodb_sharding':
+                dport: 27018
+              '103 mongod':
+                dport: 27017
       step_config: |
-        include ::tripleo::profile::base::database::mongodb
+        include ::tripleo::profile::base::database::mongodb
diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml
@@ -17,5 +17,14 @@ outputs:
     value:
       service_name: mysql
       config_settings:
+        tripleo.mysql.firewall_rules:
+          '104 mysql galera':
+            dport:
+              - 873
+              - 3306
+              - 4444
+              - 4567
+              - 4568
+              - 9200
       step_config: |
         include ::tripleo::profile::base::database::mysql
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
@@ -22,5 +22,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [RedisBase, role_data, config_settings]
+          - tripleo.redis.firewall_rules:
+              '108 redis':
+                dport:
+                  - 6379
+                  - 26379
       step_config: |
         include ::tripleo::profile::base::database::redis
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
@@ -104,5 +104,10 @@ outputs:
         glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
         glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
         glance::keystone::auth::password: {get_param: GlancePassword }
+        tripleo.glance_api.firewall_rules:
+          '112 glance_api':
+            dport:
+              - 9292
+              - 13292
       step_config: |
         include ::tripleo::profile::base::glance::api
diff --git a/puppet/services/glance-registry.yaml b/puppet/services/glance-registry.yaml
@@ -49,5 +49,9 @@ outputs:
           - '%'
           - "%{hiera('mysql_bind_host')}"
 
+        tripleo.glance_registry.firewall_rules:
+          '112 glance_registry':
+            dport:
+              - 9191
       step_config: |
         include ::tripleo::profile::base::glance::registry
diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml
@@ -24,5 +24,10 @@ outputs:
       config_settings:
         map_merge:
           - get_attr: [GnocchiServiceBase, role_data, config_settings]
+          - tripleo.gnocchi_api.firewall_rules:
+              '129 gnocchi-api':
+                dport:
+                  - 8041
+                  - 13041
       step_config: |
         include ::tripleo::profile::base::gnocchi::api
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
@@ -15,5 +15,9 @@ outputs:
     description: Role data for the HAproxy role.
     value:
       service_name: haproxy
+      config_settings:
+        tripleo.haproxy.firewall_rules:
+          '107 haproxy stats':
+            dport: 1993
       step_config: |
         include ::tripleo::profile::base::haproxy
diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml
@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
             heat::keystone::auth_cfn::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api_cfn.firewall_rules:
+              '125 heat_cfn':
+                dport:
+                  - 8000
+                  - 13800
       step_config: |
         include ::tripleo::profile::base::heat::api_cfn
diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml
@@ -27,5 +27,10 @@ outputs:
         map_merge:
           - get_attr: [HeatBase, role_data, config_settings]
           - heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+            tripleo.heat_api_cloudwatch.firewall_rules:
+              '125 heat_cloudwatch':
+                dport:
+                  - 8003
+                  - 13003
       step_config: |
         include ::tripleo::profile::base::heat::api_cloudwatch
diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml
@@ -40,5 +40,10 @@ outputs:
             heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
             heat::keystone::auth::password: {get_param: HeatPassword}
             heat::keystone::auth::region: {get_param: KeystoneRegion}
+            tripleo.heat_api.firewall_rules:
+              '125 heat_api':
+                dport:
+                  - 8004
+                  - 13004
       step_config: |
         include ::tripleo::profile::base::heat::api
diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml
@@ -31,5 +31,10 @@ outputs:
             template: MECHANISMS
             params:
               MECHANISMS: {get_param: NeutronMechanismDrivers}
+        tripleo.horizon.firewall_rules:
+          '126 horizon':
+            dport:
+              - 80
+              - 443
       step_config: |
         include ::tripleo::profile::base::horizon
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
@@ -136,5 +136,12 @@ outputs:
         keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
         # override via extraconfig:
         keystone::wsgi::apache::threads: 1
+        tripleo.keystone.firewall_rules:
+          '111 keystone':
+            dport:
+              - 5000
+              - 13000
+              - 35357
+              - 13357
       step_config: |
         include ::tripleo::profile::base::keystone
diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml
@@ -16,5 +16,8 @@ outputs:
     value:
       service_name: memcached
       config_settings:
+        tripleo.memcached.firewall_rules:
+          '121 memcached':
+            dport: 11211
       step_config: |
         include ::tripleo::profile::base::memcached
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
@@ -28,5 +28,13 @@ outputs:
         map_merge:
           - get_attr: [NeutronBase, role_data, config_settings]
           - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+            tripleo.neutron_dhcp.firewall_rules:
+              '115 neutron dhcp input':
+                proto: 'udp'
+                dport: 67
+              '116 neutron dhcp output':
+                proto: 'udp'
+                chain: 'OUTPUT'
+                dport: 68
       step_config: |
         include tripleo::profile::base::neutron::dhcp
diff --git a/puppet/services/neutron-server.yaml b/puppet/services/neutron-server.yaml
@@ -72,5 +72,15 @@ outputs:
             neutron::db::mysql::allowed_hosts:
               - '%'
               - "%{hiera('mysql_bind_host')}"
+            tripleo.neutron_server.firewall_rules:
+              '114 neutron server':
+                dport:
+                  - 9696
+                  - 13696
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '106 vrrp':
+                proto: vrrp
       step_config: |
         include tripleo::profile::base::neutron::server
diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
@@ -32,5 +32,15 @@ outputs:
             nova::api::metadata_workers: {get_param: NovaWorkers}
             nova::cron::archive_deleted_rows::hour: '"*/12"'
             nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+            tripleo.nova_api.firewall_rules:
+              '113 nova_api':
+                dport:
+                  - 6080
+                  - 13080
+                  - 8773
+                  - 3773
+                  - 8774
+                  - 13774
+                  - 8775
       step_config: |
         include tripleo::profile::base::nova::api
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
@@ -16,5 +16,15 @@ outputs:
     value:
       service_name: pacemaker
       config_settings:
+        tripleo.pacemaker.firewall_rules:
+          '130 pacemaker tcp':
+            proto: 'tcp'
+            dport:
+              - 2224
+              - 3121
+              - 21064
+          '131 pacemaker udp':
+            proto: 'udp'
+            dport: 5405
       step_config: |
         include ::tripleo::profile::base::pacemaker
diff --git a/puppet/services/rabbitmq.yaml b/puppet/services/rabbitmq.yaml
@@ -36,5 +36,11 @@ outputs:
         rabbitmq::default_user: {get_param: RabbitUserName}
         rabbitmq::default_pass: {get_param: RabbitPassword}
         rabbit_ipv6: {get_param: RabbitIPv6}
+        tripleo.rabbitmq.firewall_rules:
+          '109 rabbitmq':
+            dport:
+              - 4369
+              - 5672
+              - 35672
       step_config: |
         include ::tripleo::profile::base::rabbitmq