Decomposition of rabbitmq tasks
Implements: blueprint role-decomposition
(cherry picked from commit b1fc7b7859)
Change-Id: Ia7d65762f2fe9db6d1ec5acff188241cebc3f519
This commit is contained in:
Ivan Ponomarev
Valyavskiy Viacheslav
parent
0af9d63ff2
commit
2fb156acc8
|
|
@ -22,8 +22,7 @@
|
|||
cross-depends:
|
||||
- name: glance-db
|
||||
- name: glance-keystone
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/glance/glance.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
|
|
|
|||
|
|
@ -87,8 +87,7 @@
|
|||
requires: [primary-openstack-controller, openstack-controller, ironic-api]
|
||||
refresh_on: [nova_config, nova_paste_api_ini]
|
||||
cross-depends:
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
- name: /(primary-)?openstack-controller/
|
||||
role: self
|
||||
- name: ironic-api
|
||||
|
|
|
|||
|
|
@ -32,13 +32,12 @@
|
|||
version: 2.1.0
|
||||
groups: [primary-controller]
|
||||
required_for: [primary-openstack-controller, openstack-controller]
|
||||
requires: [openstack-haproxy, database, primary-rabbitmq, rabbitmq, primary-database]
|
||||
requires: [openstack-haproxy, database, primary-database]
|
||||
condition:
|
||||
yaql_exp: *keystone_changed
|
||||
refresh_on: [keystone_config]
|
||||
cross-depends:
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
- name: keystone-db
|
||||
- name: memcached
|
||||
parameters:
|
||||
|
|
@ -55,13 +54,12 @@
|
|||
groups: [controller]
|
||||
version: 2.1.0
|
||||
required_for: [primary-openstack-controller, openstack-controller]
|
||||
requires: [openstack-haproxy, database, primary-rabbitmq, rabbitmq, primary-database]
|
||||
requires: [openstack-haproxy, database, primary-database]
|
||||
condition:
|
||||
yaql_exp: *keystone_changed
|
||||
refresh_on: [keystone_config]
|
||||
cross-depends:
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
- name: keystone-db
|
||||
- name: primary-keystone
|
||||
parameters:
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
version: 2.1.0
|
||||
groups: [primary-controller, controller]
|
||||
required_for: [deploy_end, openstack-controller]
|
||||
requires: [primary-rabbitmq, rabbitmq, primary-keystone, keystone, hosts, firewall]
|
||||
requires: [primary-keystone, keystone, hosts, firewall]
|
||||
condition:
|
||||
yaql_exp: >
|
||||
changedAny($.network_scheme, $.cinder, $.network_metadata.vips,
|
||||
|
|
@ -20,6 +20,7 @@
|
|||
$.get('cinder_rate_limits'),
|
||||
$.configuration.get('cinder_api_paste_ini'), $.configuration.get('cinder'))
|
||||
cross-depends:
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
- name: cinder-db
|
||||
- name: cinder-keystone
|
||||
parameters:
|
||||
|
|
|
|||
|
|
@ -22,8 +22,7 @@
|
|||
$.get('mgmt/messaging')),
|
||||
$.get('amqp_hosts'), $.debug, $.use_cow_images, $.get('nova_endpoint'))
|
||||
cross-depends:
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
- name: nova-db
|
||||
- name: nova-keystone
|
||||
- name: memcached
|
||||
|
|
@ -43,8 +42,7 @@
|
|||
yaql_exp: *nova_controller
|
||||
cross-depends:
|
||||
- name: primary-openstack-controller
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
refresh_on: [nova_config, nova_paste_api_ini]
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/openstack_tasks/examples/openstack-controller/openstack-controller.pp
|
||||
|
|
|
|||
|
|
@ -46,8 +46,7 @@
|
|||
- name: openstack-haproxy
|
||||
role: primary-controller
|
||||
- name: neutron-db
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /^(primary-)?rabbitmq$/
|
||||
|
||||
- id: openstack-network-common-config
|
||||
type: puppet
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
version: 2.1.0
|
||||
groups: [primary-controller, controller]
|
||||
required_for: [deploy_end, controller_remaining_tasks]
|
||||
requires: [openstack-controller, primary-rabbitmq, rabbitmq, memcached]
|
||||
requires: [openstack-controller, memcached]
|
||||
condition:
|
||||
yaql_exp: &swift_enabled >
|
||||
((not $.storage.objects_ceph and not $.storage.images_ceph) and
|
||||
|
|
@ -25,7 +25,6 @@
|
|||
$.get('swift_partition'), $.get('deploy_swift_storage')))
|
||||
cross-depends:
|
||||
- name: /(primary-)?rabbitmq/
|
||||
role: self
|
||||
- name: /glance/
|
||||
role: self
|
||||
- name: swift-keystone
|
||||
|
|
|
|||
|
|
@ -145,9 +145,10 @@ class osnailyfacter::firewall::firewall {
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
# Role-related rules
|
||||
if member($roles, 'primary-controller') or member($roles, 'controller') {
|
||||
|
||||
# Role-related rules
|
||||
$amqp_role = intersection($roles, hiera('amqp_roles'))
|
||||
if $amqp_role {
|
||||
# Workaround for fuel bug with firewall
|
||||
firewall {'003 remote rabbitmq ':
|
||||
sport => [ 4369, 5672, 41055, 55672, 61613 ],
|
||||
|
|
@ -156,13 +157,6 @@ class osnailyfacter::firewall::firewall {
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'004 remote puppet ':
|
||||
sport => [ 8140 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
# allow local rabbitmq admin traffic for LP#1383258
|
||||
firewall {'005 local rabbitmq admin':
|
||||
sport => [ 15672 ],
|
||||
|
|
@ -178,6 +172,48 @@ class osnailyfacter::firewall::firewall {
|
|||
action => 'drop',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'106 rabbitmq':
|
||||
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $rabbitmq_networks,
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$corosync_role = intersection($roles, hiera('corosync_roles'))
|
||||
if $corosync_role {
|
||||
openstack::firewall::multi_net {'113 corosync-input':
|
||||
port => $corosync_input_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'114 corosync-output':
|
||||
port => $corosync_output_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'115 pcsd-server':
|
||||
port => $pcsd_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
}
|
||||
|
||||
$controller_role = intersection($roles, ['primary-controller', 'controller'])
|
||||
if $controller_role {
|
||||
firewall {'004 remote puppet ':
|
||||
sport => [ 8140 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
# allow connections from haproxy namespace
|
||||
firewall {'030 allow connections from haproxy namespace':
|
||||
source => '240.0.0.2',
|
||||
|
|
@ -229,13 +265,6 @@ class osnailyfacter::firewall::firewall {
|
|||
source_nets => $nova_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'106 rabbitmq':
|
||||
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $rabbitmq_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'107 memcache tcp':
|
||||
port => $memcached_port,
|
||||
proto => 'tcp',
|
||||
|
|
@ -284,27 +313,6 @@ class osnailyfacter::firewall::firewall {
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'113 corosync-input':
|
||||
port => $corosync_input_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'114 corosync-output':
|
||||
port => $corosync_output_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'115 pcsd-server':
|
||||
port => $pcsd_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'116 openvswitch db':
|
||||
port => $openvswitch_db_port,
|
||||
proto => 'udp',
|
||||
|
|
@ -351,7 +359,6 @@ class osnailyfacter::firewall::firewall {
|
|||
}
|
||||
|
||||
if member($roles, 'compute') {
|
||||
|
||||
openstack::firewall::multi_net {'105 nova vnc':
|
||||
port => $nova_api_vnc_ports,
|
||||
proto => 'tcp',
|
||||
|
|
@ -374,7 +381,7 @@ class osnailyfacter::firewall::firewall {
|
|||
}
|
||||
}
|
||||
|
||||
if member($roles, 'primary-mongo') or member($roles, 'mongo') {
|
||||
if intersection($roles, hiera('mongo_roles')) {
|
||||
firewall {'120 mongodb':
|
||||
port => $mongodb_port,
|
||||
proto => 'tcp',
|
||||
|
|
@ -403,7 +410,7 @@ class osnailyfacter::firewall::firewall {
|
|||
jump => 'baremetal',
|
||||
}
|
||||
|
||||
if member($roles, 'controller') or member($roles, 'primary-controller') {
|
||||
if $controller_role {
|
||||
firewall { '100 allow baremetal ping from VIP':
|
||||
chain => 'baremetal',
|
||||
source => $baremetal_vip,
|
||||
|
|
@ -459,7 +466,7 @@ class osnailyfacter::firewall::firewall {
|
|||
}
|
||||
|
||||
# Additional ddos-protection rules
|
||||
if $assign_to_all_nodes or member($roles, 'primary-controller') or member($roles, 'controller') {
|
||||
if $assign_to_all_nodes or $controller_role {
|
||||
firewall {'010 block invalid packets':
|
||||
chain => 'PREROUTING',
|
||||
table => 'mangle',
|
||||
|
|
|
|||
|
|
@ -295,6 +295,7 @@ class osnailyfacter::globals::globals {
|
|||
$mountpoints = filter_hash($mp_hash, 'point')
|
||||
|
||||
# AMQP configuration
|
||||
$amqp_roles = ['primary-rabbitmq', 'rabbitmq']
|
||||
$queue_provider = hiera('queue_provider','rabbitmq')
|
||||
$rabbit_ha_queues = true
|
||||
|
||||
|
|
@ -309,12 +310,11 @@ class osnailyfacter::globals::globals {
|
|||
# using pre-defined in astute.yaml RabbitMQ servers
|
||||
$amqp_hosts = hiera('amqp_hosts')
|
||||
} else {
|
||||
# using RabbitMQ servers on controllers
|
||||
# todo(sv): switch from 'controller' nodes to 'rmq' nodes as soon as it was implemented as additional node-role
|
||||
$controllers_with_amqp_server = get_node_to_ipaddr_map_by_network_role($controller_nodes, 'mgmt/messaging')
|
||||
$amqp_nodes = ipsort(values($controllers_with_amqp_server))
|
||||
# choose RabbitMQ servers by role
|
||||
$amqp_nodes = get_nodes_hash_by_roles($network_metadata, $amqp_roles)
|
||||
$amqp_ips = values(get_node_to_ipaddr_map_by_network_role($amqp_nodes, 'mgmt/messaging'))
|
||||
# amqp_hosts() randomize order of RMQ endpoints and put local one first
|
||||
$amqp_hosts = amqp_hosts($amqp_nodes, $amqp_port, get_network_role_property('mgmt/messaging', 'ipaddr'))
|
||||
$amqp_hosts = amqp_hosts($amqp_ips, $amqp_port, get_network_role_property('mgmt/messaging', 'ipaddr'))
|
||||
}
|
||||
|
||||
# Generic workers limits by RAM
|
||||
|
|
@ -400,7 +400,8 @@ class osnailyfacter::globals::globals {
|
|||
$memcache_roles = hiera('memcache_roles', ['primary-controller', 'controller'])
|
||||
|
||||
# Define node roles, that will carry corosync/pacemaker
|
||||
$corosync_roles = hiera('corosync_roles', ['primary-controller', 'controller'])
|
||||
$corosync_roles = hiera('corosync_roles', ['primary-controller', 'controller',
|
||||
'primary-rabbitmq', 'rabbitmq'])
|
||||
|
||||
# Define cinder-related variables
|
||||
# todo: use special node-roles instead controllers in the future
|
||||
|
|
|
|||
|
|
@ -291,8 +291,8 @@
|
|||
|
||||
- id: dump_rabbitmq_definitions
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
role: [primary-controller, controller]
|
||||
version: 2.2.0
|
||||
tags: [primary-rabbitmq, rabbitmq]
|
||||
requires: [post_deployment_start]
|
||||
required_for: [post_deployment_end]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -17,15 +17,16 @@
|
|||
|
||||
- id: cluster
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [controller]
|
||||
version: 2.2.0
|
||||
tags: [controller, primary-rabbitmq, rabbitmq]
|
||||
cross-depends:
|
||||
yaql_exp: >
|
||||
[{name=>'primary-cluster', role=>$.roles.select('primary-' + $)}]
|
||||
- name: primary-cluster
|
||||
required_for: [deploy_end]
|
||||
requires: [hosts, firewall, deploy_start]
|
||||
condition:
|
||||
yaql_exp: *cluster
|
||||
yaql_exp: >
|
||||
changedAny($.network_scheme, $.get('cluster_recheck_interval', '190s'),
|
||||
$.network_metadata, $.get('corosync_roles')) and not ('primary-controller' in $.roles)
|
||||
parameters:
|
||||
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/cluster/cluster.pp
|
||||
puppet_modules: /etc/puppet/modules
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
- id: firewall
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, ironic, primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [netconfig]
|
||||
reexecute_on: [deploy_changes]
|
||||
|
|
|
|||
|
|
@ -13,8 +13,9 @@
|
|||
|
||||
- id: fuel_pkgs
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, ironic, primary-rabbitmq, rabbitmq]
|
||||
requires: [setup_repositories]
|
||||
required_for: [globals]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -1,9 +1,10 @@
|
|||
- id: globals
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller,
|
||||
cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, virt, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller,
|
||||
cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, virt, ironic,
|
||||
primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [hiera]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -1,8 +1,9 @@
|
|||
- id: hiera
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device,
|
||||
cinder-vmware, compute, ceph-osd, primary-mongo, mongo, virt, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware,
|
||||
compute, ceph-osd, primary-mongo, mongo, virt, ironic,
|
||||
primary-rabbitmq, rabbitmq]
|
||||
requires: [deploy_start, rsync_core_puppet]
|
||||
required_for: [setup_repositories]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
- id: hosts
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, ironic, primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [netconfig]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
- id: logging
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, virt, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, virt, ironic, primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [globals,setup_repositories]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -48,8 +48,9 @@
|
|||
|
||||
- id: netconfig
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, virt, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, virt, ironic, primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [tools]
|
||||
reexecute_on: [deploy_changes]
|
||||
|
|
|
|||
|
|
@ -1,10 +1,15 @@
|
|||
- id: rabbitmq
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [controller]
|
||||
version: 2.2.0
|
||||
tags: [rabbitmq]
|
||||
cross-depends:
|
||||
- name: primary-rabbitmq
|
||||
required_for: [deploy_end, openstack-controller, primary-openstack-controller, glance]
|
||||
- name: /^(primary-)?cluster$/
|
||||
role: self
|
||||
cross-depended-by: &rabbitmq_depends
|
||||
- name: /^(primary-)?openstack-controller$/
|
||||
- name: glance
|
||||
required_for: [deploy_end]
|
||||
requires: [netconfig, cluster]
|
||||
condition:
|
||||
yaql_exp: &rabbitmq >
|
||||
|
|
@ -35,9 +40,13 @@
|
|||
|
||||
- id: primary-rabbitmq
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller]
|
||||
required_for: [deploy_end, openstack-controller, primary-openstack-controller, glance]
|
||||
version: 2.2.0
|
||||
tags: [primary-rabbitmq]
|
||||
cross-depends:
|
||||
- name: /^(primary-)?cluster$/
|
||||
role: self
|
||||
cross-depended-by: *rabbitmq_depends
|
||||
required_for: [deploy_end]
|
||||
requires: [netconfig, primary-cluster]
|
||||
condition:
|
||||
yaql_exp: *rabbitmq
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
- id: tools
|
||||
type: puppet
|
||||
version: 2.1.0
|
||||
groups: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd, primary-mongo, mongo, virt, ironic]
|
||||
version: 2.2.0
|
||||
tags: [primary-controller, controller, cinder, cinder-block-device, cinder-vmware, compute, ceph-osd,
|
||||
primary-mongo, mongo, virt, ironic, primary-rabbitmq, rabbitmq]
|
||||
required_for: [deploy_end]
|
||||
requires: [logging]
|
||||
condition:
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
<% globals.store "access", @access_hash -%>
|
||||
<% globals.store "amqp_hosts", @amqp_hosts -%>
|
||||
<% globals.store "amqp_port", @amqp_port -%>
|
||||
<% globals.store "amqp_roles", @amqp_roles -%>
|
||||
<% globals.store "aodh_hash", @aodh -%>
|
||||
<% globals.store "aodh_nodes", @aodh_nodes -%>
|
||||
<% globals.store "apache_api_proxy_address", @apache_api_proxy_address -%>
|
||||
|
|
|
|||
|
|
@ -55,20 +55,6 @@ describe manifest do
|
|||
mongodb_port = Noop.hiera('mongodb_port', '27017')
|
||||
|
||||
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'iniface' => 'lo',
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept'
|
||||
)
|
||||
should contain_firewall('006 reject non-local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'drop'
|
||||
)
|
||||
end
|
||||
|
||||
it 'should accept connections to mysql using network with mgmt/database role' do
|
||||
should contain_openstack__firewall__multi_net('101 mysql').with(
|
||||
'port' => [ 3306, 3307, 4567, 4568, 4444, 49000 ],
|
||||
|
|
@ -157,6 +143,20 @@ describe manifest do
|
|||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
elsif Noop.puppet_function 'member', roles, 'primary-rabbitmq' or Noop.puppet_function 'member', roles, 'rabbitmq'
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'iniface' => 'lo',
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept'
|
||||
)
|
||||
should contain_firewall('006 reject non-local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'drop'
|
||||
)
|
||||
end
|
||||
elsif Noop.puppet_function 'member', roles, 'compute'
|
||||
it 'should accept connections to nova without ssl' do
|
||||
management_nets.each do |source|
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ROLE: primary-controller
|
||||
# ROLE: controller
|
||||
# ROLE: primary-rabbitmq
|
||||
# ROLE: rabbitmq
|
||||
|
||||
require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
|
|
|
|||
Loading…
Reference in New Issue