Separate firewall rules per role
Apply different rules per different roles, as some nodes should not have some rules. Also delete some old unused rules. Change-Id: Ic862f083d76a8d624a52dde83bc048b6ed9aaf93 Closes-Bug: #1524864
parent
66fd07dc0a
commit
102ec8466c
@ -3,6 +3,7 @@ notice('MODULAR: firewall.pp')
|
|||
$network_scheme = hiera_hash('network_scheme')
|
||||
$network_metadata = hiera_hash('network_metadata')
|
||||
$ironic_hash = hiera_hash('ironic', {})
|
||||
$roles = hiera('roles')
|
||||
|
||||
$ceilometer_port = 8777
|
||||
$corosync_input_port = 5404
|
||||
|
@ -53,6 +54,14 @@ $swift_proxy_check_port = 49001
|
|||
$swift_proxy_port = 8080
|
||||
$vxlan_udp_port = 4789
|
||||
|
||||
$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
|
||||
$memcache_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache')
|
||||
$database_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/database')
|
||||
$keystone_networks = get_routable_networks_for_network_role($network_scheme, 'keystone/api')
|
||||
$nova_networks = get_routable_networks_for_network_role($network_scheme, 'nova/api')
|
||||
$rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
|
||||
$neutron_networks = get_routable_networks_for_network_role($network_scheme, 'neutron/api')
|
||||
|
||||
$admin_nets = get_routable_networks_for_network_role($network_scheme, 'admin/pxe')
|
||||
$management_nets = get_routable_networks_for_network_role($network_scheme, 'mgmt/vip')
|
||||
$storage_nets = unique(
|
||||
|
@ -60,7 +69,6 @@ $storage_nets = unique(
|
|||
get_routable_networks_for_network_role($network_scheme, 'ceph/replication')
|
||||
)
|
||||
|
||||
prepare_network_config(hiera_hash('network_scheme'))
|
||||
|
||||
# Ordering
|
||||
Class['firewall'] -> Firewall<||>
|
||||
|
@ -69,6 +77,12 @@ Class['firewall'] -> Firewallchain<||>
|
|||
|
||||
class {'::firewall':}
|
||||
|
||||
# Default rule for INPUT is DROP
|
||||
firewallchain { 'INPUT:filter:IPv4':
|
||||
policy => 'drop',
|
||||
}
|
||||
|
||||
# Common rules
|
||||
firewall { '000 accept all icmp requests':
|
||||
proto => 'icmp',
|
||||
action => 'accept',
|
||||
|
@ -93,79 +107,6 @@ openstack::firewall::multi_net {'020 ssh':
|
|||
source_nets => concat($admin_nets, $management_nets, $storage_nets),
|
||||
}
|
||||
|
||||
firewall { '100 http':
|
||||
port => [$http_port, $https_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'101 mysql':
|
||||
port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_clustercheck_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/database'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'102 keystone':
|
||||
port => [$keystone_public_port, $keystone_admin_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'keystone/api'),
|
||||
}
|
||||
|
||||
firewall {'103 swift':
|
||||
port => [$swift_proxy_port, $swift_object_port, $swift_container_port, $swift_account_port, $swift_proxy_check_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'104 glance':
|
||||
port => [$glance_api_port, $glance_reg_port, $glance_nova_api_ec2_port,],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'105 nova':
|
||||
port => [$nova_api_compute_port, $nova_api_volume_port, $nova_vncproxy_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'105 nova internal - no ssl':
|
||||
port => [$nova_api_metadata_port, $nova_api_vnc_ports],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'nova/api'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'106 rabbitmq':
|
||||
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'107 memcache tcp':
|
||||
port => $memcached_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'107 memcache udp':
|
||||
port => $memcached_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/memcache'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'108 rsync':
|
||||
port => $rsync_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => concat($management_nets, $storage_nets),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'109 iscsi':
|
||||
port => $iscsi_port,
|
||||
proto => 'tcp',
|
||||
|
@ -173,33 +114,6 @@ openstack::firewall::multi_net {'109 iscsi':
|
|||
source_nets => get_routable_networks_for_network_role($network_scheme, 'cinder/iscsi'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'110 neutron':
|
||||
port => $neutron_api_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'neutron/api'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'111 dns-server udp':
|
||||
port => $dns_server_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'111 dns-server tcp':
|
||||
port => $dns_server_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
firewall {'111 dhcp-server':
|
||||
port => $dhcp_server_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'112 ntp-server':
|
||||
port => $ntp_server_port,
|
||||
proto => 'udp',
|
||||
|
@ -207,85 +121,6 @@ openstack::firewall::multi_net {'112 ntp-server':
|
|||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'113 corosync-input':
|
||||
port => $corosync_input_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'114 corosync-output':
|
||||
port => $corosync_output_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'115 pcsd-server':
|
||||
port => $pcsd_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync'),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'116 openvswitch db':
|
||||
port => $openvswitch_db_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'117 nrpe-server':
|
||||
port => $nrpe_server_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => concat($admin_nets, $management_nets),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'118 libvirt':
|
||||
port => $libvirt_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'119 libvirt-migration':
|
||||
port => $libvirt_migration_ports,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
firewall {'121 ceilometer':
|
||||
port => $ceilometer_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '203 murano-rabbitmq' :
|
||||
dport => $murano_rabbitmq_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'204 heat-api':
|
||||
port => $heat_api_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'205 heat-api-cfn':
|
||||
port => $heat_api_cfn_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'206 heat-api-cloudwatch':
|
||||
port => $heat_api_cloudwatch_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '333 notrack gre':
|
||||
chain => 'PREROUTING',
|
||||
table => 'raw',
|
||||
|
@ -306,51 +141,224 @@ firewall {'340 vxlan_udp_port':
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '999 drop all other requests':
|
||||
proto => 'all',
|
||||
chain => 'INPUT',
|
||||
action => 'drop',
|
||||
# Role-related rules
|
||||
if member($roles, 'primary-controller') or member($roles, 'controller') {
|
||||
|
||||
# Workaround for fuel bug with firewall
|
||||
firewall {'003 remote rabbitmq ':
|
||||
sport => [ 4369, 5672, 41055, 55672, 61613 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'004 remote puppet ':
|
||||
sport => [ 8140 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
# allow local rabbitmq admin traffic for LP#1383258
|
||||
firewall {'005 local rabbitmq admin':
|
||||
sport => [ 15672 ],
|
||||
iniface => 'lo',
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
# reject all non-local rabbitmq admin traffic for LP#1450443
|
||||
firewall {'006 reject non-local rabbitmq admin':
|
||||
sport => [ 15672 ],
|
||||
proto => 'tcp',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
# allow connections from haproxy namespace
|
||||
firewall {'030 allow connections from haproxy namespace':
|
||||
source => '240.0.0.2',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '100 http':
|
||||
port => [$http_port, $https_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'101 mysql':
|
||||
port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_clustercheck_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $database_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'102 keystone':
|
||||
port => [$keystone_public_port, $keystone_admin_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $keystone_networks,
|
||||
}
|
||||
|
||||
firewall {'103 swift':
|
||||
port => [$swift_proxy_port, $swift_object_port, $swift_container_port, $swift_account_port, $swift_proxy_check_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'104 glance':
|
||||
port => [$glance_api_port, $glance_reg_port, $glance_nova_api_ec2_port,],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'105 nova':
|
||||
port => [$nova_api_compute_port, $nova_api_volume_port, $nova_vncproxy_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'105 nova internal - no ssl':
|
||||
port => [$nova_api_metadata_port, $nova_api_vnc_ports],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $nova_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'106 rabbitmq':
|
||||
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $rabbitmq_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'107 memcache tcp':
|
||||
port => $memcached_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $memcache_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'107 memcache udp':
|
||||
port => $memcached_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $memcache_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'108 rsync':
|
||||
port => $rsync_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => concat($management_nets, $storage_nets),
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'110 neutron':
|
||||
port => $neutron_api_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $neutron_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'111 dns-server udp':
|
||||
port => $dns_server_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'111 dns-server tcp':
|
||||
port => $dns_server_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
firewall {'111 dhcp-server':
|
||||
port => $dhcp_server_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'113 corosync-input':
|
||||
port => $corosync_input_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'114 corosync-output':
|
||||
port => $corosync_output_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'115 pcsd-server':
|
||||
port => $pcsd_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $corosync_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'116 openvswitch db':
|
||||
port => $openvswitch_db_port,
|
||||
proto => 'udp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
firewall {'121 ceilometer':
|
||||
port => $ceilometer_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall { '203 murano-rabbitmq' :
|
||||
dport => $murano_rabbitmq_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'204 heat-api':
|
||||
port => $heat_api_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'205 heat-api-cfn':
|
||||
port => $heat_api_cfn_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
firewall {'206 heat-api-cloudwatch':
|
||||
port => $heat_api_cloudwatch_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# Workaround for fuel bug with firewall
|
||||
firewall {'003 remote rabbitmq ':
|
||||
sport => [ 4369, 5672, 41055, 55672, 61613 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
if member($roles, 'compute') {
|
||||
|
||||
firewall {'004 remote puppet ':
|
||||
sport => [ 8140 ],
|
||||
source => hiera('master_ip'),
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
openstack::firewall::multi_net {'118 libvirt':
|
||||
port => $libvirt_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
|
||||
# allow local rabbitmq admin traffic for LP#1383258
|
||||
firewall {'005 local rabbitmq admin':
|
||||
sport => [ 15672 ],
|
||||
iniface => 'lo',
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
}
|
||||
|
||||
# reject all non-local rabbitmq admin traffic for LP#1450443
|
||||
firewall {'006 reject non-local rabbitmq admin':
|
||||
sport => [ 15672 ],
|
||||
proto => 'tcp',
|
||||
action => 'drop',
|
||||
}
|
||||
|
||||
# allow connections from haproxy namespace
|
||||
firewall {'030 allow connections from haproxy namespace':
|
||||
source => '240.0.0.2',
|
||||
action => 'accept',
|
||||
openstack::firewall::multi_net {'119 libvirt-migration':
|
||||
port => $libvirt_migration_ports,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => $management_nets,
|
||||
}
|
||||
}
|
||||
|
||||
if $ironic_hash['enabled'] {
|
||||
$nodes_hash = hiera('nodes', {})
|
||||
$roles = node_roles($nodes_hash, hiera('uid'))
|
||||
prepare_network_config(hiera_hash('network_scheme'))
|
||||
$baremetal_int = get_network_role_property('ironic/baremetal', 'interface')
|
||||
$baremetal_vip = $network_metadata['vips']['baremetal']['ipaddr']
|
||||
$baremetal_ipaddr = get_network_role_property('ironic/baremetal', 'ipaddr')
|
||||
|
|
|
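Review bot: `$roles = node_roles($nodes_hash, hiera('uid'))` inside `if $ironic_hash['enabled']` at the tail of the last hunk reassigns the `$roles` that the first hunk now sets at top scope with `$roles = hiera('roles')`; a Puppet `if` body does not open a new scope and the compiler rejects reassignment, so if that line is still on the new side every ironic-enabled node fails catalog compilation — it and the `$nodes_hash` lookup feeding it should go, with the block using the top-scope `$roles`. The rendering here does not show which side those trailing lines are on, so please confirm. With `firewallchain { 'INPUT:filter:IPv4': policy => 'drop' }` taking over from the old `999 drop all other requests` rule, every role that is neither controller nor compute is now left with only the common rules, which matches the commit message but is worth stating in a comment above `# Role-related rules`, e.g. `# Roles not listed below get only the common rules; INPUT policy is DROP`. Please also verify first-run ordering on a clean node: if the chain resource with the DROP policy is applied before the common accept rules (ssh, established/related) exist, the run can cut its own management session, whereas the old terminal `999` rule could not.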
@ -35,75 +35,118 @@ describe manifest do
|
|||
Noop.puppet_function 'get_network_role_property', 'ironic/baremetal', 'ipaddr'
|
||||
end
|
||||
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'iniface' => 'lo',
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept'
|
||||
)
|
||||
should contain_firewall('006 reject non-local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'drop'
|
||||
)
|
||||
end
|
||||
node_name = Noop.hiera('node_name')
|
||||
network_metadata = Noop.hiera_hash 'network_metadata', {}
|
||||
roles = network_metadata['nodes'][node_name]['node_roles']
|
||||
|
||||
it 'should accept connections to keystone API using network with keystone/api role' do
|
||||
should contain_openstack__firewall__multi_net('102 keystone').with(
|
||||
'port' => [ 5000, 35357 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source_nets' => keystone_network,
|
||||
)
|
||||
end
|
||||
|
||||
it 'should accept connections to nova' do
|
||||
should contain_firewall('105 nova').with(
|
||||
'port' => [ 8774, 8776, 6080 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should accept connections to nova without ssl' do
|
||||
management_nets.each do |source|
|
||||
should contain_firewall("105 nova internal - no ssl from #{source}").with(
|
||||
'port' => [ 8775, '5900-6100' ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'iniface' => 'lo',
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept'
|
||||
)
|
||||
should contain_firewall('006 reject non-local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'drop'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
it 'should accept connections to iscsi' do
|
||||
storage_nets.each do |source|
|
||||
should contain_firewall("109 iscsi from #{source}").with(
|
||||
'port' => [ 3260 ],
|
||||
it 'should accept connections to keystone API using network with keystone/api role' do
|
||||
should contain_openstack__firewall__multi_net('102 keystone').with(
|
||||
'port' => [ 5000, 35357 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
'source_nets' => keystone_network,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
it 'should create rules for heat' do
|
||||
should contain_firewall('204 heat-api').with(
|
||||
'port' => [ 8004 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
should contain_firewall('205 heat-api-cfn').with(
|
||||
'port' => [ 8000 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
should contain_firewall('206 heat-api-cloudwatch').with(
|
||||
'port' => [ 8003 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
it 'should accept connections to nova' do
|
||||
should contain_firewall('105 nova').with(
|
||||
'port' => [ 8774, 8776, 6080 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should accept connections to nova without ssl' do
|
||||
management_nets.each do |source|
|
||||
should contain_firewall("105 nova internal - no ssl from #{source}").with(
|
||||
'port' => [ 8775, '5900-6100' ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
it 'should accept connections to iscsi' do
|
||||
storage_nets.each do |source|
|
||||
should contain_firewall("109 iscsi from #{source}").with(
|
||||
'port' => [ 3260 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
it 'should create rules for murano rabbitmq port' do
|
||||
should contain_firewall('203 murano-rabbitmq').with(
|
||||
'dport' => [ 55572 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should create rules for heat' do
|
||||
should contain_firewall('204 heat-api').with(
|
||||
'port' => [ 8004 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
should contain_firewall('205 heat-api-cfn').with(
|
||||
'port' => [ 8000 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
should contain_firewall('206 heat-api-cloudwatch').with(
|
||||
'port' => [ 8003 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
|
||||
it 'should accept connections from 240.0.0.2' do
|
||||
should contain_firewall('030 allow connections from haproxy namespace').with(
|
||||
'source' => '240.0.0.2',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
elsif Noop.puppet_function 'member', roles, 'compute'
|
||||
it 'should accept connections to libvirt' do
|
||||
management_nets.each do |source|
|
||||
should contain_firewall("118 libvirt from #{source}").with(
|
||||
'port' => [ 16509 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
it 'should allow libvirt vm migration' do
|
||||
management_nets.each do |source|
|
||||
should contain_firewall("119 libvirt-migration from #{source}").with(
|
||||
'port' => [ '49152-49215' ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => source,
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if Noop.hiera_structure 'ironic/enabled'
|
||||
|
@ -145,14 +188,6 @@ describe manifest do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
it 'should accept connections from 240.0.0.2' do
|
||||
should contain_firewall('030 allow connections from haproxy namespace').with(
|
||||
'source' => '240.0.0.2',
|
||||
'action' => 'accept',
|
||||
)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
test_ubuntu_and_centos manifest
|
||||
|
|
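Review bot: The spec branches on `roles = network_metadata['nodes'][node_name]['node_roles']` while the manifest branches on `hiera('roles')`; if those two hiera keys can diverge for a node, the spec exercises a different branch than the catalog actually builds, so deriving `roles` from the same key the manifest uses would keep them in step. The `elsif Noop.puppet_function 'member', roles, 'compute'` also means a node carrying both a controller role and `compute` is never checked for the libvirt rules, although the manifest's two independent `if` blocks would emit them; two independent `if`s in the spec would mirror the manifest. I do not see an expectation for the new `firewallchain { 'INPUT:filter:IPv4': policy => 'drop' }`, which is the change that now closes everything not explicitly accepted — `it { should contain_firewallchain('INPUT:filter:IPv4').with('policy' => 'drop') }` outside the role branches would pin it. As a style point, the controller condition should use `||` with each `Noop.puppet_function(...)` call parenthesised rather than `or`, which only parses here because of its low precedence.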