From 247c2d02d24b311bbba6c2ae63720cb85be86daf Mon Sep 17 00:00:00 2001 
From: Ben Nemec Date: Wed, 12 Dec 2018 20:48:06 +0000 Subject: [PATCH] Remove non-port-security templates OVB 2.0 won't support clouds that lack the port-security extension, so these are no longer needed. --- bin/test-job | 6 +- bin/test-job-v2 | 2 +- doc/source/deploy/baremetal.rst | 3 +- doc/source/deploy/environment-index.rst | 33 ----- doc/source/deploy/quintupleo.rst | 25 +--- doc/source/host-cloud/configuration.rst | 18 +-- doc/source/host-cloud/setup.rst | 3 - doc/source/troubleshooting.rst | 15 +- doc/source/usage/usage.rst | 9 +- environments/all-networks-port-security.yaml | 54 -------- ...ll-networks-public-bond-port-security.yaml | 56 -------- environments/base-extra-node.yaml | 2 +- environments/port-security.yaml | 14 -- .../tests/test_deploy.py | 6 +- sample-env-generator/environments.yaml | 40 +----- .../baremetal-ports-all-port-security.yaml | 115 ---------------- templates/baremetal-ports-all.yaml | 8 +- ...baremetal-ports-default-port-security.yaml | 30 ---- templates/baremetal-ports-default.yaml | 3 +- ...ml => baremetal-ports-extra-node-all.yaml} | 0 ...ml => baremetal-ports-extra-node-fip.yaml} | 0 ...y.yaml => baremetal-ports-extra-node.yaml} | 0 ...metal-ports-public-bond-port-security.yaml | 128 ------------------ templates/baremetal-ports-public-bond.yaml | 9 +- templates/bmc-port-port-security.yaml | 29 ---- templates/bmc-port.yaml | 3 +- templates/undercloud-ports-port-security.yaml | 72 ---------- templates/undercloud-ports.yaml | 4 +- 28 files changed, 49 insertions(+), 638 deletions(-) delete mode 100644 environments/all-networks-port-security.yaml delete mode 100644 environments/all-networks-public-bond-port-security.yaml delete mode 100644 environments/port-security.yaml delete mode 100644 templates/baremetal-ports-all-port-security.yaml delete mode 100644 templates/baremetal-ports-default-port-security.yaml rename templates/{baremetal-ports-extra-node-port-security-all.yaml => baremetal-ports-extra-node-all.yaml} (100%) rename 
templates/{baremetal-ports-extra-node-fip-port-security.yaml => baremetal-ports-extra-node-fip.yaml} (100%) rename templates/{baremetal-ports-extra-node-port-security.yaml => baremetal-ports-extra-node.yaml} (100%) delete mode 100644 templates/baremetal-ports-public-bond-port-security.yaml delete mode 100644 templates/bmc-port-port-security.yaml delete mode 100644 templates/undercloud-ports-port-security.yaml diff --git a/bin/test-job b/bin/test-job index 840d6ae..aef6216 100755 --- a/bin/test-job +++ b/bin/test-job @@ -49,9 +49,9 @@ then fi echo 'resource_registry:' >> env.yaml echo ' OS::OVB::UndercloudFloating: templates/undercloud-floating.yaml' >> env.yaml -echo ' OS::OVB::BaremetalPorts: templates/baremetal-ports-default-port-security.yaml' >> env.yaml -echo ' OS::OVB::BMCPort: templates/bmc-port-port-security.yaml' >> env.yaml -echo ' OS::OVB::UndercloudPorts: templates/undercloud-ports-port-security.yaml' >> env.yaml +echo ' OS::OVB::BaremetalPorts: templates/baremetal-ports-default.yaml' >> env.yaml +echo ' OS::OVB::BMCPort: templates/bmc-port.yaml' >> env.yaml +echo ' OS::OVB::UndercloudPorts: templates/undercloud-ports.yaml' >> env.yaml echo ' OS::OVB::PrivateNetwork: templates/private-net-create.yaml' >> env.yaml cp -r $BIN_DIR ./bin diff --git a/bin/test-job-v2 b/bin/test-job-v2 index e7fa6e3..0e6d3c9 100755 --- a/bin/test-job-v2 +++ b/bin/test-job-v2 
@@ -52,7 +52,7 @@ fi cp -r $BIN_DIR ./bin cp -r $BIN_DIR/../openstack_virtual_baremetal . STACK_NAME=$MY_ID -$BIN_DIR/deploy.py --quintupleo --id $MY_ID --name $STACK_NAME --poll -e env.yaml -e environments/create-private-network.yaml -e environments/all-networks-port-security.yaml +$BIN_DIR/deploy.py --quintupleo --id $MY_ID --name $STACK_NAME --poll -e env.yaml -e environments/create-private-network.yaml -e environments/all-networks.yaml UNDERCLOUD_IP=$(heat output-show $STACK_NAME undercloud_host_floating_ip | sed -e 's/"//g') bin/build-nodes-json --env env-$MY_ID.yaml --driver ipmi SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=Verbose -o PasswordAuthentication=no -o ConnectionAttempts=32 " diff --git a/doc/source/deploy/baremetal.rst b/doc/source/deploy/baremetal.rst index 0ce9ac7..7c8f0f5 100644 --- a/doc/source/deploy/baremetal.rst +++ b/doc/source/deploy/baremetal.rst @@ -94,8 +94,7 @@ method, which creates most of the resources needed automatically. neutron port-list neutron floatingip-associate [floatingip uuid] [undercloud instance port id] -#. (Optional) If not using the Noop firewall driver, turn off port-security on - the undercloud provisioning port:: +#. Turn off port-security on the undercloud provisioning port:: neutron port-update [UUID of undercloud port on the provision network] --no-security-groups --port-security-enabled=False diff --git a/doc/source/deploy/environment-index.rst b/doc/source/deploy/environment-index.rst index eca7616..99c8c0f 100644 --- a/doc/source/deploy/environment-index.rst +++ b/doc/source/deploy/environment-index.rst 
@@ -1,30 +1,6 @@ Sample Environment Index ======================== -Deploy with All Networks Enabled --------------------------------- - -**File:** environments/all-networks-port-security.yaml - -**Description:** Deploy an OVB stack that adds interfaces for all the standard TripleO -network isolation networks. This version uses the port-security -Neutron extension to allow OVB to be run on clouds with security -groups enabled. - - -Deploy with All Networks Enabled and Two Public Interfaces ----------------------------------------------------------- - -**File:** environments/all-networks-public-bond-port-security.yaml - -**Description:** Deploy an OVB stack that adds interfaces for all the standard TripleO -network isolation networks. This version will deploy duplicate -public network interfaces on the baremetal instances so that the -public network can be configured as a bond. It will also use the -port-security Neutron extension to allow OVB to be run on clouds with -security groups enabled. - - Deploy with All Networks Enabled and Two Public Interfaces ---------------------------------------------------------- @@ -118,15 +94,6 @@ Create a Private Network existing one. -Deploy a Basic OVB Environment Using Neutron port-security ----------------------------------------------------------- - -**File:** environments/port-security.yaml - -**Description:** Deploy an OVB stack that uses the Neutron port-security extension to -allow OVB functionality in clouds with security groups enabled. - - Public Network External Router ------------------------------ diff --git a/doc/source/deploy/quintupleo.rst b/doc/source/deploy/quintupleo.rst index b0d6477..6994fe0 100644 --- a/doc/source/deploy/quintupleo.rst +++ b/doc/source/deploy/quintupleo.rst 
@@ -19,7 +19,7 @@ however. with some older clouds. See below for details on customizing an OVB deployment for your particular situation:: - bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks-port-security.yaml -e environments/create-private-network.yaml + bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks.yaml -e environments/create-private-network.yaml .. note:: There is a quintupleo-specific option ``--id`` in deploy.py. It appends the value passed in to the name of all resources @@ -97,10 +97,10 @@ There are also a number of advanced options that can be enabled for a QuintupleO deployment. For each such option there is a sample environment to be passed to the deploy command. -For example, to deploy using the Neutron port-security extension to allow -DHCP and PXE booting, the following command could be used:: +For example, to deploy all networks needed for TripleO network isolation, the +following command could be used:: - bin/deploy.py --quintupleo -e env.yaml -e environments/port-security.yaml + bin/deploy.py --quintupleo -e env.yaml -e environments/all-networks.yaml .. important:: When deploying with multiple environment files, ``env.yaml`` *must* be explicitly passed to the deploy command. @@ -110,7 +110,7 @@ DHCP and PXE booting, the following command could be used:: Some options may have additional configuration parameters. These parameters will be listed in the environment file. -A full list of the option environments available can be found at +A full list of the environments available can be found at :doc:`environment-index`. Network Isolation 
@@ -144,19 +144,6 @@ Three primary networking layouts are included: OVB environment. The ``bond-*`` overcloud templates must be used with this type of environment. -Each of the networking layouts has two variations: with and without the use of -Neutron's port-security extension. The reason for this is that older releases -of OpenStack did not support port-security, so those templates cannot be used. -However, use of the port-security extension allows OVB to work on a much larger -number of clouds because it does not require insecure Neutron settings. - -While the port-security extension existed as far back as the Liberty release, -it has only been successfully tested with OVB on Newton and above. - -The port-security environments can be recognized by the presence of -`port-security` somewhere in the filename. Network environments without that -substring are the standard ones that require the noop Neutron firewall driver. - QuintupleO and routed networks ------------------------------ @@ -195,7 +182,7 @@ OVB as well. ./bin/deploy.py --env env.yaml \ --quintupleo \ - --env environments/all-networks-port-security.yaml \ + --env environments/all-networks.yaml \ --env environments/routed-networks.yaml \ --env env-routed-networks.yaml \ --role env-leaf1.yaml diff --git a/doc/source/host-cloud/configuration.rst b/doc/source/host-cloud/configuration.rst index 4d461cb..d51c763 100644 --- a/doc/source/host-cloud/configuration.rst +++ b/doc/source/host-cloud/configuration.rst 
@@ -7,19 +7,8 @@ all of it will provide the optimal experience. The changes described in this document apply to compute nodes in the host cloud. -#. Neutron must be configured to use the NoopFirewallDriver. Edit - ``/etc/neutron/plugins/ml2/ml2_conf.ini`` and set the option - ``firewall_driver`` in the ``[securitygroup]`` section as follows:: - - firewall_driver = neutron.agent.firewall.NoopFirewallDriver - -#. In Liberty and later versions, arp spoofing must be disabled. Edit - ``/etc/neutron/plugins/ml2/ml2_conf.ini`` and set the option - ``prevent_arp_spoofing`` in the ``[agent]`` section as follows:: - - prevent_arp_spoofing = False - -#. The Nova option ``force_config_drive`` must _not_ be set. +#. The Nova option ``force_config_drive`` must _not_ be set. If you have to + change this option, restart ``nova-compute`` to apply it. #. Ideally, jumbo frames should be enabled on the host cloud. This avoids MTU problems when deploying to instances over tunneled @@ -33,6 +22,3 @@ host cloud. such a change on the host cloud), it will likely be necessary to configure a smaller MTU on the deployed virtual instances. Details on doing so can be found on the :doc:`../usage/usage` page. - -#. Restart ``nova-compute`` and ``neutron-openvswitch-agent`` to apply the - changes above. diff --git a/doc/source/host-cloud/setup.rst b/doc/source/host-cloud/setup.rst index 4a6fad7..df4a009 100644 --- a/doc/source/host-cloud/setup.rst +++ b/doc/source/host-cloud/setup.rst @@ -6,9 +6,6 @@ Instructions for setting up the host cloud[1]. 1: The host cloud is any OpenStack cloud providing the necessary functionality to run OVB. The host cloud must be running on real baremetal. -.. warning:: This process requires patches and configuration settings that - may not be appropriate for production clouds. - .. toctree:: patches diff --git a/doc/source/troubleshooting.rst b/doc/source/troubleshooting.rst index d110789..0b45bc4 100644 --- a/doc/source/troubleshooting.rst 
+++ b/doc/source/troubleshooting.rst @@ -49,10 +49,8 @@ VM, but responses never get to the baremetal instances. **Cause**: Neutron port security blocking DHCP from the undercloud. -**Solution**: Neutron either needs to be configured to use the Noop firewall -driver, or the port-security extension must be used to disable -port-security on the appropriate ports. As of this writing that -requires use of the port-security branch of OVB. +**Solution**: Ensure that the Neutron port-security extension is present in +the host cloud. It is required for OVB to function properly. The BMC does not respond to IPMI requests ----------------------------------------- @@ -62,11 +60,10 @@ on arbitrary addresses. The BMC deployment may have failed for some reason. **Solution**: Neutron must be configured to allow the BMC to listen on -arbitrary addresses. This requires use of the Noop firewall driver -or port-security extension as in the previous solution. If this -is already configured correctly, then the BMC may have failed to -deploy properly. This can usually be determined by looking at the -nova console-log of the BMC instance. A correctly working BMC will +arbitrary addresses. This requires the port-security extension as in the +previous solution. If this is already configured correctly, then the BMC may +have failed to deploy properly. This can usually be determined by looking at +the nova console-log of the BMC instance. A correctly working BMC will display 'Managing instance [uuid]' for each baremetal node in the environment. If those messages are not found, then the BMC has failed to start properly. The relevant error messages should be diff --git a/doc/source/usage/usage.rst b/doc/source/usage/usage.rst index eee475a..4ff5788 100644 --- a/doc/source/usage/usage.rst +++ b/doc/source/usage/usage.rst 
@@ -43,15 +43,12 @@ After an OVB environment has been deployed, there are a few things to know. this is a brief explanation of each: - **network-templates:** IPv4 multi-nic. Usable with the network layout - deployed by the ``all-networks.yaml`` and - ``all-networks-port-security.yaml`` environments. + deployed by the ``all-networks.yaml`` environment. - **ipv6-network-templates:** IPv6 multi-nic. Usable with the network layout - deployed by the ``all-networks.yaml`` and - ``all-networks-port-security.yaml`` environments. + deployed by the ``all-networks.yaml`` environment. - **bond-network-templates:** IPv4 multi-nic, with duplicate `public` interfaces for testing bonded nics. Usable with the network layout - deployed by the ``all-networks-public-bond.yaml`` and - ``all-networks-public-bond-port-security.yaml`` environments. + deployed by the ``all-networks-public-bond.yaml`` environment. The undercloud's ``public`` interface should be configured with the address of the default route from the templates in use. Firewall rules for diff --git a/environments/all-networks-port-security.yaml b/environments/all-networks-port-security.yaml deleted file mode 100644 index babf777..0000000 --- a/environments/all-networks-port-security.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -# ******************************************************************* -# This file was created automatically by the sample environment -# generator. Developers should use `tox -e genconfig` to update it. -# Users are recommended to make changes to a copy of the file instead -# of the original, if any customizations are needed. -# ******************************************************************* -# title: Deploy with All Networks Enabled -# description: | -# Deploy an OVB stack that adds interfaces for all the standard TripleO -# network isolation networks. This version uses the port-security -# Neutron extension to allow OVB to be run on clouds with security -# groups enabled. -parameter_defaults: - # Name of internal API network - # Type: string - overcloud_internal_net: overcloud_internal - - # CIDR for internal API network subnet. This is typically irrelevant and - # does not need to be changed. - # Type: string - overcloud_internal_net_cidr: 172.17.0.0/24 - - # Name of storage management network - # Type: string - overcloud_storage_mgmt_net: overcloud_storage_mgmt - - # CIDR for storage management network subnet. This is typically irrelevant - # and does not need to be changed. - # Type: string - overcloud_storage_mgmt_net_cidr: 172.19.0.0/24 - - # Name of storage network - # Type: string - overcloud_storage_net: overcloud_storage - - # CIDR for storage network subnet. This is typically irrelevant and - # does not need to be changed. - # Type: string - overcloud_storage_net_cidr: 172.18.0.0/24 - - # Name of tenant network - # Type: string - overcloud_tenant_net: overcloud_tenant - - # CIDR for tenant network subnet. This is typically irrelevant and - # does not need to be changed. 
- # Type: string - overcloud_tenant_net_cidr: 172.16.0.0/24 - -resource_registry: - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml diff --git a/environments/all-networks-public-bond-port-security.yaml b/environments/all-networks-public-bond-port-security.yaml deleted file mode 100644 index 1118b4b..0000000 --- a/environments/all-networks-public-bond-port-security.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -# ******************************************************************* -# This file was created automatically by the sample environment -# generator. Developers should use `tox -e genconfig` to update it. -# Users are recommended to make changes to a copy of the file instead -# of the original, if any customizations are needed. -# ******************************************************************* -# title: Deploy with All Networks Enabled and Two Public Interfaces -# description: | -# Deploy an OVB stack that adds interfaces for all the standard TripleO -# network isolation networks. This version will deploy duplicate -# public network interfaces on the baremetal instances so that the -# public network can be configured as a bond. It will also use the -# port-security Neutron extension to allow OVB to be run on clouds with -# security groups enabled. -parameter_defaults: - # Name of internal API network - # Type: string - overcloud_internal_net: overcloud_internal - - # CIDR for internal API network subnet. This is typically irrelevant and - # does not need to be changed. - # Type: string - overcloud_internal_net_cidr: 172.17.0.0/24 - - # Name of storage management network - # Type: string - overcloud_storage_mgmt_net: overcloud_storage_mgmt - - # CIDR for storage management network subnet. This is typically irrelevant - # and does not need to be changed. - # Type: string - overcloud_storage_mgmt_net_cidr: 172.19.0.0/24 - - # Name of storage network - # Type: string - overcloud_storage_net: overcloud_storage - - # CIDR for storage network subnet. This is typically irrelevant and - # does not need to be changed. - # Type: string - overcloud_storage_net_cidr: 172.18.0.0/24 - - # Name of tenant network - # Type: string - overcloud_tenant_net: overcloud_tenant - - # CIDR for tenant network subnet. This is typically irrelevant and - # does not need to be changed. 
- # Type: string - overcloud_tenant_net_cidr: 172.16.0.0/24 - -resource_registry: - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml diff --git a/environments/base-extra-node.yaml b/environments/base-extra-node.yaml index d71b91d..928584e 100644 --- a/environments/base-extra-node.yaml +++ b/environments/base-extra-node.yaml @@ -33,4 +33,4 @@ parameter_defaults: role: extra resource_registry: - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node-port-security.yaml + OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node.yaml diff --git a/environments/port-security.yaml b/environments/port-security.yaml deleted file mode 100644 index 5b019d6..0000000 --- a/environments/port-security.yaml +++ /dev/null @@ -1,14 +0,0 @@ -# ******************************************************************* -# This file was created automatically by the sample environment -# generator. Developers should use `tox -e genconfig` to update it. -# Users are recommended to make changes to a copy of the file instead -# of the original, if any customizations are needed. -# ******************************************************************* -# title: Deploy a Basic OVB Environment Using Neutron port-security -# description: | -# Deploy an OVB stack that uses the Neutron port-security extension to -# allow OVB functionality in clouds with security groups enabled. -resource_registry: - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-default-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml 
diff --git a/openstack_virtual_baremetal/tests/test_deploy.py b/openstack_virtual_baremetal/tests/test_deploy.py index 56a9cf0..5695175 100755 --- a/openstack_virtual_baremetal/tests/test_deploy.py +++ b/openstack_virtual_baremetal/tests/test_deploy.py @@ -205,7 +205,7 @@ role_base_data = { 'OS::OVB::BaremetalNetworks': 'templates/baremetal-networks-all.yaml', 'OS::OVB::BaremetalPorts': 'templates/baremetal-ports-public-bond.yaml', - 'OS::OVB::BMCPort': 'templates/bmc-port-port-security.yaml' + 'OS::OVB::BMCPort': 'templates/bmc-port.yaml' } } role_specific_data = { @@ -251,7 +251,7 @@ role_original_data = { 'OS::OVB::BaremetalNetworks': 'templates/baremetal-networks-all.yaml', 'OS::OVB::BaremetalPorts': 'templates/baremetal-ports-public-bond.yaml', - 'OS::OVB::BMCPort': 'templates/bmc-port-port-security.yaml' + 'OS::OVB::BMCPort': 'templates/bmc-port.yaml' } } # end _process_role test data @@ -397,7 +397,7 @@ class TestDeploy(testtools.TestCase): 'templates/baremetal-ports-all.yaml', output['resource_registry']['OS::OVB::BaremetalPorts']) # This should be inherited from the base env - self.assertEqual('templates/bmc-port-port-security.yaml', + self.assertEqual('templates/bmc-port.yaml', output['resource_registry']['OS::OVB::BMCPort']) @mock.patch('openstack_virtual_baremetal.deploy._load_role_data') diff --git a/sample-env-generator/environments.yaml b/sample-env-generator/environments.yaml index 80086f7..085263f 100644 --- a/sample-env-generator/environments.yaml +++ b/sample-env-generator/environments.yaml @@ -63,7 +63,7 @@ environments: baremetal_image: CentOS-7-x86_64-GenericCloud node_count: 1 resource_registry: - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node-port-security.yaml + OS::OVB::BaremetalPorts: ../templates/baremetal-ports-extra-node.yaml - name: all-networks title: Deploy with All Networks Enabled 
@@ -77,18 +77,6 @@ environments: OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all.yaml children: - - - name: all-networks-port-security - description: | - Deploy an OVB stack that adds interfaces for all the standard TripleO - network isolation networks. This version uses the port-security - Neutron extension to allow OVB to be run on clouds with security - groups enabled. - resource_registry: - OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-all-port-security.yaml - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml - name: all-networks-public-bond title: Deploy with All Networks Enabled and Two Public Interfaces 
@@ -100,32 +88,6 @@ environments: resource_registry: OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond.yaml - - - name: all-networks-public-bond-port-security - title: Deploy with All Networks Enabled and Two Public Interfaces - description: | - Deploy an OVB stack that adds interfaces for all the standard TripleO - network isolation networks. This version will deploy duplicate - public network interfaces on the baremetal instances so that the - public network can be configured as a bond. It will also use the - port-security Neutron extension to allow OVB to be run on clouds with - security groups enabled. - resource_registry: - OS::OVB::BaremetalNetworks: ../templates/baremetal-networks-all.yaml - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-public-bond-port-security.yaml - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml - - - name: port-security - title: Deploy a Basic OVB Environment Using Neutron port-security - description: | - Deploy an OVB stack that uses the Neutron port-security extension to - allow OVB functionality in clouds with security groups enabled. - files: {} - resource_registry: - OS::OVB::BaremetalPorts: ../templates/baremetal-ports-default-port-security.yaml - OS::OVB::BMCPort: ../templates/bmc-port-port-security.yaml - OS::OVB::UndercloudPorts: ../templates/undercloud-ports-port-security.yaml - name: create-private-network title: Create a Private Network diff --git a/templates/baremetal-ports-all-port-security.yaml b/templates/baremetal-ports-all-port-security.yaml deleted file mode 100644 index 3ea7cef..0000000 --- a/templates/baremetal-ports-all-port-security.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -heat_template_version: 2015-10-15 - -parameters: - - baremetal_prefix: - type: string - - networks: - type: json - - suffix: - type: string - - overcloud_internal_net: - type: string - description: Name of internal API network - default: overcloud_internal - - overcloud_storage_net: - type: string - description: Name of storage network - default: overcloud_storage - - overcloud_storage_mgmt_net: - type: string - description: Name of storage management network - default: overcloud_storage_mgmt - - overcloud_tenant_net: - type: string - description: Name of tenant network - default: overcloud_tenant - -resources: - - provision_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: [networks, provision]} - port_security_enabled: False - - internal_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - internal_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_internal_net} - port_security_enabled: False - - storage_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - storage_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_storage_net} - port_security_enabled: False - - storage_mgmt_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - storage_mgmt_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_storage_mgmt_net} - port_security_enabled: False - - tenant_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - tenant_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_tenant_net} - port_security_enabled: False - - public_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - public_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: 
{get_param: [networks, public]} - port_security_enabled: False - -outputs: - ports: - value: - - {port: {get_resource: provision_port}} - - {port: {get_resource: public_port}} - - {port: {get_resource: internal_port}} - - {port: {get_resource: storage_port}} - - {port: {get_resource: storage_mgmt_port}} - - {port: {get_resource: tenant_port}} diff --git a/templates/baremetal-ports-all.yaml b/templates/baremetal-ports-all.yaml index 5f9736e..3ea7cef 100644 --- a/templates/baremetal-ports-all.yaml +++ b/templates/baremetal-ports-all.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2014-10-16 +heat_template_version: 2015-10-15 parameters: @@ -42,6 +42,7 @@ resources: - - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, provision]} + port_security_enabled: False internal_port: type: OS::Neutron::Port @@ -53,6 +54,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_internal_net} + port_security_enabled: False storage_port: type: OS::Neutron::Port @@ -64,6 +66,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_storage_net} + port_security_enabled: False storage_mgmt_port: type: OS::Neutron::Port @@ -75,6 +78,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_storage_mgmt_net} + port_security_enabled: False tenant_port: type: OS::Neutron::Port @@ -86,6 +90,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_tenant_net} + port_security_enabled: False public_port: type: OS::Neutron::Port @@ -97,6 +102,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, public]} + port_security_enabled: False outputs: ports: diff --git a/templates/baremetal-ports-default-port-security.yaml b/templates/baremetal-ports-default-port-security.yaml deleted file mode 100644 index c9d19a0..0000000 
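Review bot: The `port_security_enabled: False` lines added to every port in templates/baremetal-ports-all.yaml (provision, internal, storage, storage_mgmt, tenant and public) carry no comment saying why filtering is switched off or what that implies. With port security disabled, Neutron applies neither security groups nor MAC/IP anti-spoofing rules to these ports, so anyone reusing the template on a shared host cloud should know that any filtering has to come from elsewhere. I would add a header comment to the template such as `# port_security_enabled is False so the undercloud can serve DHCP/PXE on these ports; no security groups or anti-spoofing rules apply to them.` and confirm that `public_port` needs the same treatment as the provisioning port rather than inheriting it by copy. The same applies to the `port_security_enabled: False` additions in templates/baremetal-ports-default.yaml and templates/baremetal-ports-public-bond.yaml later in this patch.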
--- a/templates/baremetal-ports-default-port-security.yaml +++ /dev/null @@ -1,30 +0,0 @@ -heat_template_version: 2015-10-15 - -parameters: - - baremetal_prefix: - type: string - - networks: - type: json - - suffix: - type: string - -resources: - - provision_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: [networks, provision]} - port_security_enabled: False - -outputs: - ports: - value: - - {port: {get_resource: provision_port}} diff --git a/templates/baremetal-ports-default.yaml b/templates/baremetal-ports-default.yaml index 3e7fbc7..c9d19a0 100644 --- a/templates/baremetal-ports-default.yaml +++ b/templates/baremetal-ports-default.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2014-10-16 +heat_template_version: 2015-10-15 parameters: @@ -22,6 +22,7 @@ resources: - - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, provision]} + port_security_enabled: False outputs: ports: diff --git a/templates/baremetal-ports-extra-node-port-security-all.yaml b/templates/baremetal-ports-extra-node-all.yaml similarity index 100% rename from templates/baremetal-ports-extra-node-port-security-all.yaml rename to templates/baremetal-ports-extra-node-all.yaml diff --git a/templates/baremetal-ports-extra-node-fip-port-security.yaml b/templates/baremetal-ports-extra-node-fip.yaml similarity index 100% rename from templates/baremetal-ports-extra-node-fip-port-security.yaml rename to templates/baremetal-ports-extra-node-fip.yaml diff --git a/templates/baremetal-ports-extra-node-port-security.yaml b/templates/baremetal-ports-extra-node.yaml similarity index 100% rename from templates/baremetal-ports-extra-node-port-security.yaml rename to templates/baremetal-ports-extra-node.yaml 
diff --git a/templates/baremetal-ports-public-bond-port-security.yaml b/templates/baremetal-ports-public-bond-port-security.yaml
deleted file mode 100644
index 8e59a45..0000000
--- a/templates/baremetal-ports-public-bond-port-security.yaml
+++ /dev/null
@@ -1,128 +0,0 @@ -heat_template_version: 2015-10-15 - -parameters: - - baremetal_prefix: - type: string - - networks: - type: json - - suffix: - type: string - - overcloud_internal_net: - type: string - description: Name of internal API network - default: overcloud_internal - - overcloud_storage_net: - type: string - description: Name of storage network - default: overcloud_storage - - overcloud_storage_mgmt_net: - type: string - description: Name of storage management network - default: overcloud_storage_mgmt - - overcloud_tenant_net: - type: string - description: Name of tenant network - default: overcloud_tenant - -resources: - - provision_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: [networks, provision]} - port_security_enabled: False - - internal_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - internal_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_internal_net} - port_security_enabled: False - - storage_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - storage_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_storage_net} - port_security_enabled: False - - storage_mgmt_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - storage_mgmt_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_storage_mgmt_net} - port_security_enabled: False - - tenant_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - tenant_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: overcloud_tenant_net} - port_security_enabled: False - - public_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - public_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: 
{get_param: [networks, public]} - port_security_enabled: False - - public_bond_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '' - - - public_ - - {get_param: baremetal_prefix} - - {get_param: suffix} - network: {get_param: [networks, public]} - port_security_enabled: False - -outputs: - ports: - value: - - {port: {get_resource: provision_port}} - - {port: {get_resource: public_port}} - - {port: {get_resource: public_bond_port}} - - {port: {get_resource: internal_port}} - - {port: {get_resource: storage_port}} - - {port: {get_resource: storage_mgmt_port}} - - {port: {get_resource: tenant_port}} diff --git a/templates/baremetal-ports-public-bond.yaml b/templates/baremetal-ports-public-bond.yaml index b93009a..8e59a45 100644 --- a/templates/baremetal-ports-public-bond.yaml +++ b/templates/baremetal-ports-public-bond.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2014-10-16 +heat_template_version: 2015-10-15 parameters: @@ -42,6 +42,7 @@ resources: - - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, provision]} + port_security_enabled: False internal_port: type: OS::Neutron::Port @@ -53,6 +54,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_internal_net} + port_security_enabled: False storage_port: type: OS::Neutron::Port @@ -64,6 +66,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_storage_net} + port_security_enabled: False storage_mgmt_port: type: OS::Neutron::Port @@ -75,6 +78,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_storage_mgmt_net} + port_security_enabled: False tenant_port: type: OS::Neutron::Port @@ -86,6 +90,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: overcloud_tenant_net} + port_security_enabled: False public_port: type: OS::Neutron::Port 
@@ -97,6 +102,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, public]} + port_security_enabled: False public_bond_port: type: OS::Neutron::Port @@ -108,6 +114,7 @@ resources: - {get_param: baremetal_prefix} - {get_param: suffix} network: {get_param: [networks, public]} + port_security_enabled: False outputs: ports: diff --git a/templates/bmc-port-port-security.yaml b/templates/bmc-port-port-security.yaml deleted file mode 100644 index dc9361e..0000000 --- a/templates/bmc-port-port-security.yaml +++ /dev/null @@ -1,29 +0,0 @@ -heat_template_version: 2015-10-15 - -parameters: - - bmc_prefix: - type: string - - private_net: - type: string - -resources: - - private_bmc_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '_' - - - 'utility' - - {get_param: bmc_prefix} - network: {get_param: private_net} - port_security_enabled: False - -outputs: - port: - value: - - {port: {get_resource: private_bmc_port}} - ip_address: - value: {get_attr: [private_bmc_port, fixed_ips, 0, ip_address]} diff --git a/templates/bmc-port.yaml b/templates/bmc-port.yaml index 402ea94..dc9361e 100644 --- a/templates/bmc-port.yaml +++ b/templates/bmc-port.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2014-10-16 +heat_template_version: 2015-10-15 parameters: @@ -19,6 +19,7 @@ resources: - - 'utility' - {get_param: bmc_prefix} network: {get_param: private_net} + port_security_enabled: False outputs: port: diff --git a/templates/undercloud-ports-port-security.yaml b/templates/undercloud-ports-port-security.yaml deleted file mode 100644 index 1cac893..0000000 --- a/templates/undercloud-ports-port-security.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -heat_template_version: 2015-10-15 - -parameters: - - undercloud_name: - type: string - - private_net: - type: string - - networks: - type: json - -resources: - undercloud_sg: - type: OS::Neutron::SecurityGroup - properties: - name: - list_join: - - '_' - - - {get_param: undercloud_name} - - 'sg' - description: Ping, SSH, and TripleO UI - rules: - - protocol: icmp - - protocol: tcp - port_range_min: 22 - port_range_max: 22 - - protocol: tcp - port_range_min: 3000 - port_range_max: 3000 - - private_undercloud_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '_' - - - {get_param: undercloud_name} - - 'private' - network: {get_param: private_net} - security_groups: - - {get_resource: undercloud_sg} - - provision_undercloud_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '_' - - - {get_param: undercloud_name} - - 'provision' - network: {get_param: [networks, provision]} - port_security_enabled: False - - public_undercloud_port: - type: OS::Neutron::Port - properties: - name: - list_join: - - '_' - - - {get_param: undercloud_name} - - 'public' - network: {get_param: [networks, public]} - port_security_enabled: False - -outputs: - ports: - value: - - {port: {get_resource: private_undercloud_port}} - - {port: {get_resource: provision_undercloud_port}} - - {port: {get_resource: public_undercloud_port}} diff --git a/templates/undercloud-ports.yaml b/templates/undercloud-ports.yaml index dc3f1ce..1cac893 100644 --- a/templates/undercloud-ports.yaml +++ b/templates/undercloud-ports.yaml @@ -1,4 +1,4 @@ -heat_template_version: 2014-10-16 +heat_template_version: 2015-10-15 parameters: @@ -51,6 +51,7 @@ resources: - - {get_param: undercloud_name} - 'provision' network: {get_param: [networks, provision]} + port_security_enabled: False public_undercloud_port: type: OS::Neutron::Port 
@@ -61,6 +62,7 @@ resources: - - {get_param: undercloud_name} - 'public' network: {get_param: [networks, public]} + port_security_enabled: False outputs: ports:
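Review bot: `public_undercloud_port` in templates/undercloud-ports.yaml now always gets `port_security_enabled: False` (hunk at -61,6; `provision_undercloud_port` gets the same at -51,6), so no security group applies on the undercloud's public-network interface. Judging by the removed undercloud-ports-port-security.yaml, which has the same blob id as the new file, `private_undercloud_port` remains the only port still bound to `undercloud_sg` (ICMP, 22, 3000). Filtering on the public and provision networks therefore appears to rest entirely on the undercloud host's own firewall, which should be confirmed and documented. A comment above the property would do, for example `# No Neutron filtering on this port; the undercloud's own firewall is the only control on this network.` The resource block begins outside the hunk.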