Implement Advanced Firewalling support
authorEmilien Macchi <emilien@redhat.com>
Fri, 12 Jun 2015 19:20:17 +0000 (15:20 -0400)
committerEmilien Macchi <emilien@redhat.com>
Thu, 19 Nov 2015 15:47:28 +0000 (16:47 +0100)
Consume puppet-tripleo to create/manage IPtables from Heat templates.

This review puts in place the logic to enable and set up firewall rules.

A known set of rules is applied. More to come.

Change-Id: Ib79c23fb27fe3fc03bf223e6922d896cb33dad22
Co-Authored-By: Yanis Guenane <yguenane@redhat.com>
Depends-On: I144c60db2a568a94dce5b51257f1d10980173325

environments/manage-firewall.yaml [new file with mode: 0644]
overcloud-without-mergepy.yaml
puppet/controller.yaml
puppet/hieradata/controller.yaml
puppet/manifests/overcloud_cephstorage.pp
puppet/manifests/overcloud_compute.pp
puppet/manifests/overcloud_controller.pp
puppet/manifests/overcloud_controller_pacemaker.pp
puppet/manifests/overcloud_object.pp
puppet/manifests/overcloud_volume.pp

diff --git a/environments/manage-firewall.yaml b/environments/manage-firewall.yaml
new file mode 100644 (file)
index 0000000..071f410
--- /dev/null
@@ -0,0 +1,2 @@
+parameters:
+  ManageFirewall: true
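Review bot: The new environment file turns on rule management without a word on what that means for rules already present on the nodes, and operators will apply it without reading the parameter definitions. Since `PurgeFirewallRules` keeps its default of false, existing IPtables rules are left in place and the managed set is added alongside them; a one-line comment above `parameters:` would make that explicit, e.g. `# Enable IPtables management on the overcloud nodes; pre-existing rules are kept unless PurgeFirewallRules is also set to true.`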
index f679c6b..8efdc17 100644 (file)
@@ -457,6 +457,14 @@ parameters:
     type: string
     constraints:
       - allowed_values: [ 'basic', 'cadf' ]
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the ones.
+    type: boolean
   MysqlInnodbBufferPoolSize:
     description: >
         Specifies the size of the buffer pool in megabytes. Setting to
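Review bot: The `PurgeFirewallRules` description in this hunk reads `before setting up the ones`, dropping the word "new" that the same parameter carries in puppet/controller.yaml; it should be `description: Whether IPtables rules should be purged before setting up the new ones.` so the two definitions agree. It would also help to state here whether a purge happens when `ManageFirewall` is false — that depends on the puppet-tripleo class, which is not visible in this diff, so the description should say it explicitly one way or the other rather than leave operators to guess.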
@@ -811,6 +819,8 @@ resources:
           ControllerExtraConfig: {get_param: controllerExtraConfig}
           Debug: {get_param: Debug}
           EnableFencing: {get_param: EnableFencing}
+          ManageFirewall: {get_param: ManageFirewall}
+          PurgeFirewallRules: {get_param: PurgeFirewallRules}
           EnableGalera: {get_param: EnableGalera}
           EnableCephStorage: {get_param: ControllerEnableCephStorage}
           EnableSwiftStorage: {get_param: ControllerEnableSwiftStorage}
index 2e8c312..d3a8a93 100644 (file)
@@ -278,6 +278,14 @@ parameters:
     type: string
     default: 'regionOne'
     description: Keystone region for endpoint
+  ManageFirewall:
+    default: false
+    description: Whether to manage IPtables rules.
+    type: boolean
+  PurgeFirewallRules:
+    default: false
+    description: Whether IPtables rules should be purged before setting up the new ones.
+    type: boolean
   MysqlClusterUniquePart:
     description: A unique identifier of the MySQL cluster the controller is in.
     type: string
@@ -819,6 +827,8 @@ resources:
         enable_galera: {get_param: EnableGalera}
         enable_ceph_storage: {get_param: EnableCephStorage}
         enable_swift_storage: {get_param: EnableSwiftStorage}
+        manage_firewall: {get_param: ManageFirewall}
+        purge_firewall_rules: {get_param: PurgeFirewallRules}
         mysql_innodb_buffer_pool_size: {get_param: MysqlInnodbBufferPoolSize}
         mysql_max_connections: {get_param: MysqlMaxConnections}
         mysql_root_password: {get_param: MysqlRootPassword}
@@ -1274,6 +1284,9 @@ resources:
                 # Redis
                 redis::bind: {get_input: redis_network}
                 redis_vip: {get_input: redis_vip}
+                # Firewall
+                tripleo::firewall::manage_firewall: {get_input: manage_firewall}
+                tripleo::firewall::purge_firewall_rules: {get_input: purge_firewall_rules}
                 # Misc
                 memcached::listen_ip: {get_input: memcached_network}
                 neutron_public_interface_ip: {get_input: neutron_public_interface_ip}
index a4914c0..f42ddf6 100644 (file)
@@ -127,3 +127,109 @@ tripleo::loadbalancer::heat_cfn: true
 tripleo::loadbalancer::horizon: true
 
 controller_classes: []
+# firewall
+tripleo::firewall::firewall_rules:
+  '101 mongodb_config':
+    port: 27019
+  '102 mongodb_sharding':
+    port: 27018
+  '103 mongod':
+    port: 27017
+  '104 mysql galera':
+    port:
+      - 873
+      - 3306
+      - 4444
+      - 4567
+      - 4568
+      - 9200
+  '105 ntp':
+    port: 123
+    proto: udp
+  '106 vrrp':
+    proto: vrrp
+  '107 haproxy stats':
+    port: 1993
+  '108 redis':
+    port:
+      - 6379
+      - 26379
+  '109 rabbitmq':
+    port:
+      - 5672
+      - 35672
+  '110 ceph':
+    port:
+      - 6789
+      - '6800-6810'
+  '111 keystone':
+    port:
+      - 5000
+      - 13000
+      - 35357
+      - 13357
+  '112 glance':
+    port:
+      - 9292
+      - 9191
+      - 13292
+  '113 nova':
+    port:
+      - 6080
+      - 13080
+      - 8773
+      - 3773
+      - 8774
+      - 13774
+      - 8775
+  '114 neutron server':
+    port:
+      - 9696
+      - 13696
+  '115 neutron dhcp input':
+    proto: 'udp'
+    port: 67
+  '116 neutron dhcp output':
+    proto: 'udp'
+    chain: 'OUTPUT'
+    port: 68
+  '118 neutron vxlan networks':
+    proto: 'udp'
+    port: 4789
+  '119 cinder':
+    port:
+      - 8776
+      - 13776
+  '120 iscsi initiator':
+    port: 3260
+  '121 memcached':
+    port: 11211
+  '122 swift proxy':
+    port:
+      - 8080
+      - 13808
+  '123 swift storage':
+    port:
+      - 873
+      - 6000
+      - 6001
+      - 6002
+  '124 ceilometer':
+    port:
+      - 8777
+      - 13777
+  '125 heat':
+    port:
+      - 8000
+      - 13800
+      - 8003
+      - 13003
+      - 8004
+      - 13004
+  '126 horizon':
+    port:
+      - 80
+      - 443
+  '127 snmp':
+    port: 161
+    proto: 'udp'
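Review bot: None of the entries in `tripleo::firewall::firewall_rules` carry a `source` or `iniface` restriction, so every listed port — including back-end services that normally run without authentication such as memcached 11211, redis 6379/26379, mongod 27017, rabbitmq 5672 and the Galera/MySQL ports under '104' — is accepted from any source on any interface, which for those services is the same exposure as having no firewall at all. Assuming these hashes are passed through to puppetlabs-firewall resources (the `port`/`proto`/`chain` keys match its attributes), each internal-only rule should get a `source:` limited to the internal API / storage CIDRs, or at least an `iniface:` naming the internal interface, leaving only the public endpoints (the 13xxx ports and 80/443) open without restriction. Two smaller points in the same hash: rule number 117 is skipped between '116' and '118', and port 873 is listed under both '104 mysql galera' and '123 swift storage', so it is accepted twice; a short comment on the key, e.g. `# Ports are accepted from any source unless a rule sets source/iniface`, would at least make the current exposure visible to whoever extends the list.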
index 51f5e88..7f8970c 100644 (file)
@@ -14,6 +14,7 @@
 # under the License.
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 create_resources(sysctl::value, hiera('sysctl_settings'), {})
 
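Review bot: `include ::tripleo::firewall` is added unconditionally here, but in this change only the controller role receives the `manage_firewall`/`purge_firewall_rules` hiera keys and a `tripleo::firewall::firewall_rules` hash; the Ceph ports (6789, 6800-6810) are declared only in puppet/hieradata/controller.yaml. Whether the firewall actually becomes active on ceph-storage nodes therefore depends on the class defaults in puppet-tripleo, which are not visible in this diff — if it does, or once an operator sets the key for all roles, the OSD ports would be blocked for lack of a rules hash. Suggest either plumbing `ManageFirewall`/`PurgeFirewallRules` into the ceph-storage template as was done for the controller, or adding a comment above the include, e.g. `# NOTE: no tripleo::firewall::firewall_rules are defined for this role yet; see puppet/hieradata/controller.yaml`. The same applies to the compute, object, volume and pacemaker-controller manifests that get the identical include.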
index cd41cc7..5818234 100644 (file)
@@ -14,6 +14,7 @@
 # under the License.
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 create_resources(sysctl::value, hiera('sysctl_settings'), {})
 
index 570c43b..f758c55 100644 (file)
@@ -14,6 +14,7 @@
 # under the License.
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 if hiera('step') >= 1 {
 
index 2a3f1f9..95b7992 100644 (file)
@@ -19,6 +19,7 @@ Pcmk_resource <| |> {
 }
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 if $::hostname == downcase(hiera('bootstrap_nodeid')) {
   $pacemaker_master = true
index 5f0b4c8..1eabddf 100644 (file)
@@ -14,6 +14,7 @@
 # under the License.
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 create_resources(sysctl::value, hiera('sysctl_settings'), {})
 
index 7f24959..2bdd8a9 100644 (file)
@@ -14,6 +14,7 @@
 # under the License.
 
 include ::tripleo::packages
+include ::tripleo::firewall
 
 create_resources(sysctl::value, hiera('sysctl_settings'), {})