Enable firewalling by default on compute nodes

- Move VXLAN and VRRP rules from Neutron Server to the right services.
- Enable Firewall by default on Compute nodes.

Change-Id: I99d172dcedaf6be297aad184cc51fe9f292a57e1

diff --git a/puppet/services/keepalived.yaml b/puppet/services/keepalived.yaml
index 2b069d6..38cfbe2 100644 (file)
--- a/puppet/services/keepalived.yaml
+++ b/puppet/services/keepalived.yaml
@@ -41,5 +41,8 @@ outputs:
       config_settings:
         tripleo::keepalived::control_virtual_interface: {get_param: ControlVirtualInterface}
         tripleo::keepalived::public_virtual_interface: {get_param: PublicVirtualInterface}
+        tripleo.keepalived.firewall_rules:
+          '106 keepalived vrrp':
+            proto: vrrp
       step_config: |
         include ::tripleo::profile::base::keepalived

diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index af77dc0..c2b6b6f 100644 (file)
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -150,11 +150,6 @@ outputs:
                 dport:
                   - 9696
                   - 13696
-              '118 neutron vxlan networks':
-                proto: 'udp'
-                dport: 4789
-              '106 vrrp':
-                proto: vrrp
             neutron::server::router_distributed: {get_param: NeutronEnableDVR}
             # NOTE: bind IP is found in Heat replacing the network name with the local node IP
             # for the given network; replacement examples (eg. for internal_api):

diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml
index 9e22337..a89e3d7 100644 (file)
--- a/puppet/services/neutron-l3.yaml
+++ b/puppet/services/neutron-l3.yaml
@@ -67,5 +67,8 @@ outputs:
           - neutron::agents::l3::external_network_bridge: {get_param: NeutronExternalNetworkBridge}
             neutron::agents::l3::router_delete_namespaces: True
             neutron::agents::l3::agent_mode : {get_param: NeutronL3AgentMode}
+            tripleo.neutron_l3.firewall_rules:
+              '106 neutron_l3 vrrp':
+                proto: vrrp
       step_config: |
         include tripleo::profile::base::neutron::l3

diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml
index cbe6563..cca0dee 100644 (file)
--- a/puppet/services/neutron-ovs-agent.yaml
+++ b/puppet/services/neutron-ovs-agent.yaml
@@ -117,5 +117,11 @@ outputs:
             # internal_api_subnet - > IP/CIDR
             neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
             neutron::agents::ml2::ovs::firewall_driver: {get_param: NeutronOVSFirewallDriver}
+            tripleo.neutron_ovs_agent.firewall_rules:
+              '118 neutron vxlan networks':
+                proto: 'udp'
+                dport: 4789
+              '136 neutron gre networks':
+                proto: 'gre'
       step_config: |
         include ::tripleo::profile::base::neutron::ovs

diff --git a/roles_data.yaml b/roles_data.yaml
index 23f8af4..f3b6447 100644 (file)
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -114,9 +114,7 @@
     - OS::TripleO::Services::ComputeNeutronL3Agent
     - OS::TripleO::Services::ComputeNeutronMetadataAgent
     - OS::TripleO::Services::TripleoPackages
-    # FIXME: This doesn't appear to have been enabled before
-    # so disabling it here until we can support it
-    #- OS::TripleO::Services::TripleoFirewall
+    - OS::TripleO::Services::TripleoFirewall
     - OS::TripleO::Services::NeutronSriovAgent
     - OS::TripleO::Services::OpenDaylightOvs
     - OS::TripleO::Services::SensuClient