controller_classes: []
# firewall
tripleo::firewall::firewall_rules:
- '101 mongodb_config':
- dport: 27019
- '102 mongodb_sharding':
- dport: 27018
- '103 mongod':
- dport: 27017
- '104 mysql galera':
- dport:
- - 873
- - 3306
- - 4444
- - 4567
- - 4568
- - 9200
- '105 ntp':
- dport: 123
- proto: udp
- '106 vrrp':
- proto: vrrp
- '107 haproxy stats':
- dport: 1993
- '108 redis':
- dport:
- - 6379
- - 26379
- '109 rabbitmq':
- dport:
- - 4369
- - 5672
- - 35672
- '110 ceph':
- dport:
- - 6789
- - '6800-6810'
- '111 keystone':
- dport:
- - 5000
- - 13000
- - 35357
- - 13357
- '112 glance':
- dport:
- - 9292
- - 9191
- - 13292
- '113 nova':
- dport:
- - 6080
- - 13080
- - 8773
- - 3773
- - 8774
- - 13774
- - 8775
- '114 neutron server':
- dport:
- - 9696
- - 13696
- '115 neutron dhcp input':
- proto: 'udp'
- dport: 67
- '116 neutron dhcp output':
- proto: 'udp'
- chain: 'OUTPUT'
- dport: 68
- '118 neutron vxlan networks':
- proto: 'udp'
- dport: 4789
- '119 cinder':
- dport:
- - 8776
- - 13776
- '120 iscsi initiator':
- dport: 3260
- '121 memcached':
- dport: 11211
- '122 swift proxy':
- dport:
- - 8080
- - 13808
- '123 swift storage':
- dport:
- - 873
- - 6000
- - 6001
- - 6002
- '124 ceilometer':
- dport:
- - 8777
- - 13777
- '125 heat':
- dport:
- - 8000
- - 13800
- - 8003
- - 13003
- - 8004
- - 13004
- '126 horizon':
- dport:
- - 80
- - 443
- '127 snmp':
- dport: 161
- proto: 'udp'
'128 aodh':
dport:
- 8042
- 13042
- '129 gnocchi-api':
- dport:
- - 8041
- - 13041
- '130 pacemaker tcp':
- proto: 'tcp'
- dport:
- - 2224
- - 3121
- - 21064
- '131 pacemaker udp':
- proto: 'udp'
- dport: 5405
- '132 sahara':
- dport:
- - 8386
- - 13386
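Review bot: The `'128 aodh'` lines in the middle of this hunk are the only entries shown without a removal marker while every other rule under `tripleo::firewall::firewall_rules` is removed, and the key line itself carries a marker; if the rendering is faithful, the aodh lines are left without their parent key, and if the key actually survives, aodh becomes the one service still firewalled from the central hieradata file. Either way, confirm whether the aodh service template should get a `tripleo.aodh.firewall_rules` block in this change rather than being left behind. Nothing in the diff shows what consumes the new `tripleo.<service>.firewall_rules` keys, so the puppet-tripleo side that collects them presumably lands separately; it is worth naming that dependency in the commit message, since until it is in place the removal here simply closes every listed port. The hieradata file this hunk edits continues before `controller_classes: []`.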
value:
service_name: ceilometer-api
config_settings:
- get_attr: [CeilometerServiceBase, role_data, config_settings]
+ map_merge:
+ - get_attr: [CeilometerServiceBase, role_data, config_settings]
+ - tripleo.ceilometer_api.firewall_rules:
+ '124 ceilometer':
+ dport:
+ - 8777
+ - 13777
step_config: |
include ::tripleo::profile::base::ceilometer::api
- {get_param: NovaRbdPoolName}
- {get_param: GlanceRbdPoolName}
- {get_param: GnocchiRbdPoolName}
+ tripleo.ceph_mon.firewall_rules:
+ '110 ceph':
+ dport:
+ - 6789
+ - '6800-6810'
step_config: |
include ::tripleo::profile::base::ceph::mon
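Review bot: The `'6800-6810'` range under `tripleo.ceph_mon.firewall_rules` is conventionally the OSD daemon port range rather than a monitor port (monitors listen on 6789), so attaching it to the ceph_mon service opens OSD ports on monitor-only nodes and gives nodes that run only OSDs no rule at all. Unless the ceph_osd service template already carries its own rule (not visible in this diff), the range would fit better as `tripleo.ceph_osd.firewall_rules: '110 ceph_osd': dport: ['6800-6810']` with `'110 ceph'` here reduced to 6789. Keep the range quoted as it is now; an unquoted `6800-6810` would not survive as a string. The enclosing `config_settings` mapping starts outside the hunk.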
cinder::api::keystone_password: {get_param: CinderPassword}
cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge}
+ tripleo.cinder_api.firewall_rules:
+ '119 cinder':
+ dport:
+ - 8776
+ - 13776
step_config: |
include ::tripleo::profile::base::cinder::api
tripleo::profile::base::cinder::volume::iscsi::cinder_iscsi_helper: {get_param: CinderISCSIHelper}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_pool_name: {get_param: CinderRbdPoolName}
tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name: {get_param: CephClientUserName}
+ tripleo.cinder_volume.firewall_rules:
+ '120 iscsi initiator':
+ dport: 3260
step_config: |
include ::tripleo::profile::base::cinder::volume
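Review bot: The rule title `'120 iscsi initiator'` reads wrongly for where it now lives: an inbound accept on 3260 on a cinder-volume host serves the iSCSI target side (the LVM backend's tgt/LIO export), while the initiator is the compute node and needs no inbound rule. Since the title becomes this service's own puppet resource name here, it is a cheap moment to rename it to `'120 iscsi target'`, keeping `dport: 3260` as is. If the rule exists for some other backend this does not apply, but the name should then say which. The enclosing `config_settings` mapping starts outside the hunk.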
- get_attr: [MongoDbBase, role_data, config_settings]
- tripleo::profile::base::database::mongodb::mongodb_replset: {get_attr: [MongoDbBase, aux_parameters, rplset_name]}
mongodb::server::service_manage: True
+ tripleo.mongodb.firewall_rules:
+ '101 mongodb_config':
+ dport: 27019
+ '102 mongodb_sharding':
+ dport: 27018
+ '103 mongod':
+ dport: 27017
step_config: |
- include ::tripleo::profile::base::database::mongodb
\ No newline at end of file
+ include ::tripleo::profile::base::database::mongodb
value:
service_name: mysql
config_settings:
+ tripleo.mysql.firewall_rules:
+ '104 mysql galera':
+ dport:
+ - 873
+ - 3306
+ - 4444
+ - 4567
+ - 4568
+ - 9200
step_config: |
include ::tripleo::profile::base::database::mysql
config_settings:
map_merge:
- get_attr: [RedisBase, role_data, config_settings]
+ - tripleo.redis.firewall_rules:
+ '108 redis':
+ dport:
+ - 6379
+ - 26379
step_config: |
include ::tripleo::profile::base::database::redis
glance::keystone::auth::internal_url: {get_param: [EndpointMap, GlanceInternal, uri]}
glance::keystone::auth::admin_url: {get_param: [EndpointMap, GlanceAdmin, uri]}
glance::keystone::auth::password: {get_param: GlancePassword }
+ tripleo.glance_api.firewall_rules:
+ '112 glance_api':
+ dport:
+ - 9292
+ - 13292
step_config: |
include ::tripleo::profile::base::glance::api
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.glance_registry.firewall_rules:
+ '112 glance_registry':
+ dport:
+ - 9191
step_config: |
include ::tripleo::profile::base::glance::registry
config_settings:
map_merge:
- get_attr: [GnocchiServiceBase, role_data, config_settings]
+ - tripleo.gnocchi_api.firewall_rules:
+ '129 gnocchi-api':
+ dport:
+ - 8041
+ - 13041
step_config: |
include ::tripleo::profile::base::gnocchi::api
description: Role data for the HAproxy role.
value:
service_name: haproxy
+ config_settings:
+ tripleo.haproxy.firewall_rules:
+ '107 haproxy stats':
+ dport: 1993
step_config: |
include ::tripleo::profile::base::haproxy
heat::keystone::auth_cfn::admin_url: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
heat::keystone::auth_cfn::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api_cfn.firewall_rules:
+ '125 heat_cfn':
+ dport:
+ - 8000
+ - 13800
step_config: |
include ::tripleo::profile::base::heat::api_cfn
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- heat::api_cloudwatch::workers: {get_param: HeatWorkers}
+ tripleo.heat_api_cloudwatch.firewall_rules:
+ '125 heat_cloudwatch':
+ dport:
+ - 8003
+ - 13003
step_config: |
include ::tripleo::profile::base::heat::api_cloudwatch
heat::keystone::auth::admin_url: {get_param: [EndpointMap, HeatAdmin, uri]}
heat::keystone::auth::password: {get_param: HeatPassword}
heat::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.heat_api.firewall_rules:
+ '125 heat_api':
+ dport:
+ - 8004
+ - 13004
step_config: |
include ::tripleo::profile::base::heat::api
template: MECHANISMS
params:
MECHANISMS: {get_param: NeutronMechanismDrivers}
+ tripleo.horizon.firewall_rules:
+ '126 horizon':
+ dport:
+ - 80
+ - 443
step_config: |
include ::tripleo::profile::base::horizon
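Review bot: The three context lines before the inserted `tripleo.horizon.firewall_rules` key are the tail of a nested `template:`/`params:` map (a `str_replace` argument, by the look of it), and with indentation not visible in this rendering it cannot be confirmed that the new key sits at the `config_settings` level rather than inside that `params` mapping. A misplacement would not fail template validation; it would just feed the firewall mapping into the string substitution and never reach hieradata. Worth a one-line indentation check in the file, and a comment such as `# ports served by the horizon apache vhost` above the rule would also help the next reader. The enclosing `config_settings` mapping starts outside the hunk.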
keystone::wsgi::apache::workers: {get_param: KeystoneWorkers}
# override via extraconfig:
keystone::wsgi::apache::threads: 1
+ tripleo.keystone.firewall_rules:
+ '111 keystone':
+ dport:
+ - 5000
+ - 13000
+ - 35357
+ - 13357
step_config: |
include ::tripleo::profile::base::keystone
value:
service_name: memcached
config_settings:
+ tripleo.memcached.firewall_rules:
+ '121 memcached':
+ dport: 11211
step_config: |
include ::tripleo::profile::base::memcached
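Review bot: `'121 memcached'` accepts 11211 with no `source` restriction, and memcached performs no authentication, so this rule alone exposes an unauthenticated cache on every address the host's firewall sees; that was already true of the central rule it replaces, but moving it into the service template is the natural point to scope it. If the `tripleo::firewall::rule` wrapper passes puppetlabs-firewall's `source` parameter through (the `proto` and `chain` keys used elsewhere in this change suggest a pass-through), a `source:` limited to the internal API subnet, or failing that a `# TODO: restrict source to the memcache network` comment, would record the exposure. The `config_settings:` line above is context, so this service previously had an empty settings map.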
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata}
+ tripleo.neutron_dhcp.firewall_rules:
+ '115 neutron dhcp input':
+ proto: 'udp'
+ dport: 67
+ '116 neutron dhcp output':
+ proto: 'udp'
+ chain: 'OUTPUT'
+ dport: 68
step_config: |
include tripleo::profile::base::neutron::dhcp
neutron::db::mysql::allowed_hosts:
- '%'
- "%{hiera('mysql_bind_host')}"
+ tripleo.neutron_server.firewall_rules:
+ '114 neutron server':
+ dport:
+ - 9696
+ - 13696
+ '118 neutron vxlan networks':
+ proto: 'udp'
+ dport: 4789
+ '106 vrrp':
+ proto: vrrp
step_config: |
include tripleo::profile::base::neutron::server
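Review bot: `'118 neutron vxlan networks'` (UDP 4789) and `'106 vrrp'` are attached to the neutron_server service, yet neither port is used by neutron-server itself: VXLAN tunnel traffic terminates where the OVS agent runs, and VRRP is exchanged by keepalived for HA routers. Bound to neutron_server, a node that runs only the agents (a compute node or a dedicated network role) gets no rule, while a controller without the OVS agent gets an opening it never uses. Unless the role layout guarantees the agents always co-locate with neutron-server (not visible here), these two entries would fit the OVS agent and L3/keepalived service templates instead, with neutron_server keeping only 9696 and 13696. The enclosing `config_settings` mapping starts outside the hunk.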
nova::api::metadata_workers: {get_param: NovaWorkers}
nova::cron::archive_deleted_rows::hour: '"*/12"'
nova::cron::archive_deleted_rows::destination: '"/dev/null"'
+ tripleo.nova_api.firewall_rules:
+ '113 nova_api':
+ dport:
+ - 6080
+ - 13080
+ - 8773
+ - 3773
+ - 8774
+ - 13774
+ - 8775
step_config: |
include tripleo::profile::base::nova::api
value:
service_name: pacemaker
config_settings:
+ tripleo.pacemaker.firewall_rules:
+ '130 pacemaker tcp':
+ proto: 'tcp'
+ dport:
+ - 2224
+ - 3121
+ - 21064
+ '131 pacemaker udp':
+ proto: 'udp'
+ dport: 5405
step_config: |
include ::tripleo::profile::base::pacemaker
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {get_param: RabbitIPv6}
+ tripleo.rabbitmq.firewall_rules:
+ '109 rabbitmq':
+ dport:
+ - 4369
+ - 5672
+ - 35672
step_config: |
include ::tripleo::profile::base::rabbitmq
sahara::keystone::auth::admin_url: {get_param: [EndpointMap, SaharaAdmin, uri]}
sahara::keystone::auth::password: {get_param: SaharaPassword }
sahara::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.sahara_api.firewall_rules:
+ '132 sahara':
+ dport:
+ - 8386
+ - 13386
step_config: |
include ::tripleo::profile::base::sahara::api
config_settings:
snmpd_readonly_user_name: {get_param: SnmpdReadonlyUserName}
snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
+ tripleo.snmp.firewall_rules:
+ '127 snmp':
+ dport: 161
+ proto: 'udp'
step_config: |
include ::tripleo::profile::base::snmp
swift::keystone::auth::admin_url_s3: {get_param: [EndpointMap, SwiftS3Admin, uri]}
swift::keystone::auth::password: {get_param: SwiftPassword}
swift::keystone::auth::region: {get_param: KeystoneRegion}
+ tripleo.swift_proxy.firewall_rules:
+ '122 swift proxy':
+ dport:
+ - 8080
+ - 13808
step_config: |
include ::tripleo::profile::base::swift::proxy
# Swift
swift::storage::all::mount_check: {get_param: SwiftMountCheck}
tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage}
+ tripleo.swift_storage.firewall_rules:
+ '123 swift storage':
+ dport:
+ - 873
+ - 6000
+ - 6001
+ - 6002
step_config: |
include ::tripleo::profile::base::swift::storage
service_name: ntp
config_settings:
ntp::ntpservers: {get_param: NtpServer}
+ tripleo.ntp.firewall_rules:
+ '105 ntp':
+ dport: 123
+ proto: udp
step_config: |
include ::ntp
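Review bot: `proto: udp` on the last added line is written unquoted, while the same value is spelled `'udp'` in the neutron_dhcp, pacemaker and snmp blocks of this change (and `proto: vrrp` in neutron_server is unquoted too); every form parses to the same string, so this is purely a consistency point. Settling on one spelling, `proto: 'udp'` to match the majority, keeps the per-service rule blocks uniform and greppable. The ntp section's `config_settings` mapping starts outside the hunk.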