Move firewall to a plugin-specific task

This removes dependency on fuel-library firewall task, which defines many firewall rules that are not needed by standalone-rabbitmq nodes. Change-Id: I52d43a86aab6852f9cd50520533085cf8d9a9362 Partial-Bug: #1528283
2015-12-21 19:43:07 +03:00 · 2015-12-21 19:43:07 +03:00 · 739b379b07
parent f4de3f6f29
commit 739b379b07
2 changed files with 86 additions and 2 deletions
--- a/deployment_scripts/rabbitmq_firewall.pp
+++ b/deployment_scripts/rabbitmq_firewall.pp
@ -0,0 +1,73 @@
+notice('MODULAR: detach-rabbitmq/rabbitmq_firewall.pp')
+
+$network_scheme   = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port          = 5404
+$corosync_output_port         = 5405
+$erlang_epmd_port             = 4369
+$erlang_inet_dist_port        = 41055
+$erlang_rabbitmq_backend_port = 5673
+$erlang_rabbitmq_port         = 5672
+$pcsd_port                    = 2224
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
+
+
+openstack::firewall::multi_net {'106 rabbitmq':
+  port        => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
+  proto       => 'tcp',
+  action      => 'accept',
+  source_nets => $rabbitmq_networks,
+}
+
+# Workaround for fuel bug with firewall
+firewall {'003 remote rabbitmq ':
+  sport  => [ 4369, 5672, 41055, 55672, 61613 ],
+  source => hiera('master_ip'),
+  proto  => 'tcp',
+  action => 'accept',
+}
+
+# allow local rabbitmq admin traffic for LP#1383258
+firewall {'005 local rabbitmq admin':
+  sport   => [ 15672 ],
+  iniface => 'lo',
+  proto   => 'tcp',
+  action  => 'accept',
+}
+
+# reject all non-local rabbitmq admin traffic for LP#1450443
+firewall {'006 reject non-local rabbitmq admin':
+  sport  => [ 15672 ],
+  proto  => 'tcp',
+  action => 'drop',
+}
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+  source => '240.0.0.2',
+  action => 'accept',
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+  port        => $corosync_input_port,
+  proto       => 'udp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+  port        => $corosync_output_port,
+  proto       => 'udp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+  port        => $pcsd_port,
+  proto       => 'tcp',
+  action      => 'accept',
+  source_nets => $corosync_networks,
+}
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@ -17,7 +17,7 @@
  requires: [deploy_start]
  required_for: [deploy_end, primary-controller, controller]
  tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
-    hosts, firewall, deploy_start, cluster, task-rabbitmq]
+    hosts, firewall, rabbitmq-firewall, deploy_start, cluster, task-rabbitmq]
  parameters:
    strategy:
      type: parallel
@ -26,7 +26,8 @@
 - id: task-rabbitmq
  type: puppet
  groups: [standalone-rabbitmq]
-  requires: [hosts, firewall, globals, rabbitmq-hiera-override, cluster]
+  requires: [hosts, firewall, rabbitmq-firewall, globals,
+    rabbitmq-hiera-override, cluster]
  required_for: [deploy_end]
  parameters:
    puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq.pp
@ -37,3 +38,13 @@
  test_post:
    cmd: ruby /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq_post.rb

+# Deployment tasks
+- id: rabbitmq-firewall
+  type: puppet
+  groups: [standalone-rabbitmq]
+  requires: [hosts, globals, rabbitmq-hiera-override, firewall]
+  required_for: [deploy_end]
+  parameters:
+    puppet_manifest: "rabbitmq_firewall.pp"
+    puppet_modules: /etc/puppet/modules
+    timeout: 3600