nova: add missing vnc console port in firewall

- Remove vncproxy firewall rules from nova-api service
- Add vncproxy firewall rules to nova-vncproxy service
- Add console port range firewall rules to nova-libvirt service

Change-Id: I421ae21c130cac6f25e7c0869b941ba77441172c

diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml
index bf47943..3cc238c 100644 (file)
--- a/puppet/services/nova-api.yaml
+++ b/puppet/services/nova-api.yaml
@@ -88,8 +88,6 @@ outputs:
           tripleo.nova_api.firewall_rules:
             '113 nova_api':
               dport:
-                - 6080
-                - 13080
                 - 8773
                 - 3773
                 - 8774

diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index 241e605..70774ba 100644 (file)
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -56,6 +56,7 @@ outputs:
                   - 16509
                   - 16514
                   - '49152-49215'
+                  - '5900-5999'
 
       step_config: |
         include tripleo::profile::base::nova::libvirt

diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml
index 85d59ae..e6b0703 100644 (file)
--- a/puppet/services/nova-vnc-proxy.yaml
+++ b/puppet/services/nova-vnc-proxy.yaml
@@ -57,5 +57,10 @@ outputs:
             # internal_api_uri -> [IP]
             # internal_api_subnet - > IP/CIDR
             nova::vncproxy::host: {get_param: [ServiceNetMap, NovaApiNetwork]}
+            tripleo.nova_vnc_proxy.firewall_rules:
+              '137 nova_vnc_proxy':
+                dport:
+                  - 6080
+                  - 13080
       step_config: |
         include tripleo::profile::base::nova::vncproxy