Move firewall to a plugin-specific task
This removes the dependency on the fuel-library firewall task, which defines many firewall rules that are not needed by standalone-rabbitmq nodes. Change-Id: I52d43a86aab6852f9cd50520533085cf8d9a9362 Partial-Bug: #1528283
This commit is contained in:
parent
f4de3f6f29
commit
739b379b07
@ -0,0 +1,73 @@
notice('MODULAR: detach-rabbitmq/rabbitmq_firewall.pp')
$network_scheme = hiera_hash('network_scheme')
$network_metadata = hiera_hash('network_metadata')
$corosync_input_port = 5404
$corosync_output_port = 5405
$erlang_epmd_port = 4369
$erlang_inet_dist_port = 41055
$erlang_rabbitmq_backend_port = 5673
$erlang_rabbitmq_port = 5672
$pcsd_port = 2224
$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
$rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
openstack::firewall::multi_net {'106 rabbitmq':
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
proto => 'tcp',
action => 'accept',
source_nets => $rabbitmq_networks,
}
# Workaround for fuel bug with firewall
firewall {'003 remote rabbitmq ':
sport => [ 4369, 5672, 41055, 55672, 61613 ],
source => hiera('master_ip'),
proto => 'tcp',
action => 'accept',
}
# allow local rabbitmq admin traffic for LP#1383258
firewall {'005 local rabbitmq admin':
sport => [ 15672 ],
iniface => 'lo',
proto => 'tcp',
action => 'accept',
}
# reject all non-local rabbitmq admin traffic for LP#1450443
firewall {'006 reject non-local rabbitmq admin':
sport => [ 15672 ],
proto => 'tcp',
action => 'drop',
}
# allow connections from haproxy namespace
firewall {'030 allow connections from haproxy namespace':
source => '240.0.0.2',
action => 'accept',
}
openstack::firewall::multi_net {'113 corosync-input':
port => $corosync_input_port,
proto => 'udp',
action => 'accept',
source_nets => $corosync_networks,
}
openstack::firewall::multi_net {'114 corosync-output':
port => $corosync_output_port,
proto => 'udp',
action => 'accept',
source_nets => $corosync_networks,
}
openstack::firewall::multi_net {'115 pcsd-server':
port => $pcsd_port,
proto => 'tcp',
action => 'accept',
source_nets => $corosync_networks,
}
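Review bot: Rules `003`, `005` and `006` match on `sport`, the packet's source port, rather than `dport`, so `006 reject non-local rabbitmq admin` drops only packets that originate from port 15672 and does not reject inbound connections to the management API on that port, which is what the comment citing LP#1450443 implies; if that is the intent, `dport => [ 15672 ]` is needed there and in `005`, and `003` should be checked the same way. These lines look carried over from the fuel-library firewall task, so this may be a pre-existing quirk to confirm rather than a regression introduced here. `030 allow connections from haproxy namespace` has no port restriction and no explicit `proto`, so it accepts everything the firewall module's default protocol covers from `240.0.0.2`; a comment stating why an unrestricted accept is acceptable for that address, or a `dport` limited to the RabbitMQ ports, would tighten it. `$network_metadata` is read from hiera but never used in this manifest, and the title `'003 remote rabbitmq '` carries a trailing space that will appear in the iptables comment.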
@ -17,7 +17,7 @@
requires: [deploy_start]
required_for: [deploy_end, primary-controller, controller]
tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
hosts, firewall, deploy_start, cluster, task-rabbitmq]
hosts, firewall, rabbitmq-firewall, deploy_start, cluster, task-rabbitmq]
parameters:
strategy:
type: parallel
@ -26,7 +26,8 @@
- id: task-rabbitmq
type: puppet
groups: [standalone-rabbitmq]
requires: [hosts, firewall, globals, rabbitmq-hiera-override, cluster]
requires: [hosts, firewall, rabbitmq-firewall, globals,
rabbitmq-hiera-override, cluster]
required_for: [deploy_end]
parameters:
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq.pp
@ -37,3 +38,13 @@
test_post:
cmd: ruby /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq_post.rb
# Deployment tasks
- id: rabbitmq-firewall
type: puppet
groups: [standalone-rabbitmq]
requires: [hosts, globals, rabbitmq-hiera-override, firewall]
required_for: [deploy_end]
parameters:
puppet_manifest: "rabbitmq_firewall.pp"
puppet_modules: /etc/puppet/modules
timeout: 3600
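Review bot: The new `rabbitmq-firewall` task still lists `firewall` in its `requires:`, and the hunks at `@ -17,7` and `@ -26,7` keep `firewall` in the group `tasks:` list and in `task-rabbitmq`'s `requires:`, so the fuel-library firewall task and the rules it defines still run on standalone-rabbitmq nodes, which reads as contradicting the commit message. If keeping it as an ordering dependency is a deliberate intermediate step for the partial bug fix, a comment on the new task such as `# firewall kept only as an ordering dependency` would make that explicit. `puppet_manifest: "rabbitmq_firewall.pp"` is a bare relative name while `task-rabbitmq` uses an absolute path under `/etc/puppet/modules`, which is fine if the plugin task loader resolves it relative to the plugin directory, but worth confirming. The `# Deployment tasks` heading is placed at the end of the file above only this one task; moving it above the first deployment task or dropping it would read more naturally.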