Move firewall to a plugin-specific task

This removes dependency on fuel-library firewall task, which defines many firewall rules that are not needed by standalone-keystone nodes. Change-Id: I6ef56e64d53dfd86c5e151b2ba6924051b9916db Partial-Bug: #1528283
2015-12-21 20:00:59 +03:00 · 2015-12-21 20:00:59 +03:00 · 6047e1f3f9
parent 14aa54ba9c
commit 6047e1f3f9
2 changed files with 80 additions and 6 deletions
--- a/deployment_scripts/keystone_firewall.pp
+++ b/deployment_scripts/keystone_firewall.pp
@ -0,0 +1,63 @@
+notice('MODULAR: detach-keystone/keystone_firewall.pp')
+
+$network_scheme   = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port          = 5404
+$corosync_output_port         = 5405
+$keystone_admin_port          = 35357
+$keystone_public_port         = 5000
+$memcached_port               = 11211
+$pcsd_port                    = 2224
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
+$keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+  source => '240.0.0.2',
+  action => 'accept',
+}
+
+openstack::firewall::multi_net {'102 keystone':
+  port        => [$keystone_public_port, $keystone_admin_port],
+  proto       => 'tcp',
+  action      => 'accept',
+  source_nets => $keystone_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache tcp':
+  port        => $memcached_port,
+  proto       => 'tcp',
+  action      => 'accept',
+  source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'107 memcache udp':
+  port        => $memcached_port,
+  proto       => 'udp',
+  action      => 'accept',
+  source_nets => $memcache_networks,
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+  port        => $corosync_input_port,
+  proto       => 'udp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+  port        => $corosync_output_port,
+  proto       => 'udp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+  port        => $pcsd_port,
+  proto       => 'tcp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@ -4,8 +4,8 @@
  requires: [deploy_start, primary-standalone-database]
  required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end]
  tasks: [fuel_pkgs, hiera, globals, tools, logging,
-    netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain,
-    deploy_start, cluster, keystone-vip, cluster-haproxy,
+    netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving,
+    ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy,
    openstack-haproxy-stats, task-keystone-db, memcached, apache,
    task-keystone]
  parameters:
@ -18,8 +18,8 @@
  requires: [deploy_start, primary-standalone-keystone]
  required_for: [primary-controller, cinder-keystone, nova-keystone, deploy_end]
  tasks: [fuel_pkgs, hiera, globals, tools, logging,
-    netconfig, hosts, firewall, ssl-keys-saving, ssl-add-trust-chain,
-    deploy_start, cluster, keystone-vip, cluster-haproxy,
+    netconfig, hosts, firewall, keystone-firewall, ssl-keys-saving,
+    ssl-add-trust-chain, deploy_start, cluster, keystone-vip, cluster-haproxy,
    openstack-haproxy-stats, task-keystone-db, memcached, apache,
    task-keystone]
  parameters:
@ -60,8 +60,8 @@
 - id: task-keystone
  type: puppet
  role: [primary-standalone-keystone, standalone-keystone]
-  requires: [deploy_start, keystone-haproxy, keystone-vip, task-keystone-db,
-    memcached, apache]
+  requires: [deploy_start, firewall, keystone-firewall, keystone-haproxy, 
+    keystone-vip, task-keystone-db, memcached, apache]
  required_for: [openstack-controller]
  parameters:
    puppet_manifest: '/etc/puppet/modules/osnailyfacter/modular/keystone/keystone.pp'
@ -82,6 +82,17 @@
    puppet_modules: /etc/puppet/modules
    timeout: 1800

+- id: keystone-firewall
+  type: puppet
+  role: [primary-standalone-keystone, standalone-keystone]
+  requires: [keystone-hiera-override, firewall]
+  required_for: [cluster]
+  parameters:
+    puppet_manifest: 'keystone_firewall.pp'
+    puppet_modules: /etc/puppet/modules
+    timeout: 180
+    cwd: /
+
 - id: disable_standalone_keystone_service_token
  type: puppet
  role: [primary-standalone-keystone, standalone-keystone]