Moving iptables rules to the relevant elements
This patch moves the iptables rules from elements/boot-stack to an os-refresh-config/pre-configure.d directory within the element that is relevant to the rule. This patch relies on the add-rule script. Change-Id: Idf0eca03f104829896b07693f1f22f31270c91c5
This commit is contained in:
parent
f8a3e98314
commit
8fb20e22ce
|
@ -1,31 +1,6 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# Openstack services
|
||||
add-rule INPUT -p tcp --dport 8774 -j ACCEPT # nova-api
|
||||
add-rule INPUT -p tcp --dport 8775 -j ACCEPT # nova-api-metadata
|
||||
add-rule INPUT -p tcp --dport 9292 -j ACCEPT # glance
|
||||
add-rule INPUT -p tcp --dport 5000 -j ACCEPT # keystone service
|
||||
add-rule INPUT -p tcp --dport 35357 -j ACCEPT # keystone admin
|
||||
add-rule INPUT -p tcp --dport 8000 -j ACCEPT # heat-api-cfn
|
||||
add-rule INPUT -p tcp --dport 8003 -j ACCEPT # heat-api-cloudwatch
|
||||
add-rule INPUT -p tcp --dport 8004 -j ACCEPT # heat-api
|
||||
add-rule INPUT -p tcp --dport 9696 -j ACCEPT # neutron
|
||||
add-rule INPUT -p tcp --dport 6385 -j ACCEPT # ironic
|
||||
add-rule INPUT -p tcp --dport 8777 -j ACCEPT # ceilometer
|
||||
|
||||
# Horizon
|
||||
add-rule INPUT -p tcp --dport 80 -j ACCEPT
|
||||
|
||||
# AMQP
|
||||
add-rule INPUT -p tcp --dport 5672 -j ACCEPT
|
||||
|
||||
# DHCP, TFTP
|
||||
add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
|
||||
|
||||
# ISCSI
|
||||
add-rule INPUT -p tcp --dport 10000 -j ACCEPT
|
||||
|
||||
# Forward packets to the private ctlplane network
|
||||
add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
|
||||
# Forward packets to the hosts libvirt network
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
ceilometer
|
||||
iptables
|
||||
os-refresh-config
|
||||
os-svc-install
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
add-rule INPUT -p tcp --dport 8777 -j ACCEPT
|
||||
|
|
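Review bot: The service annotation is lost on the moved rule — `add-rule INPUT -p tcp --dport 8777 -j ACCEPT` carried `# ceilometer` in the boot-stack script it came from, and the new five-line file has no comment at all, so the port is unexplained in the file that now owns it. Suggest restoring the trailing comment, `add-rule INPUT -p tcp --dport 8777 -j ACCEPT # ceilometer`. The same annotation is dropped in the glance (9292), horizon (80) and ironic (6385) scripts further down this commit, whereas the heat, keystone, nova, ISCSI and AMQP scripts kept a comment naming the service.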
@ -1,3 +1,4 @@
|
|||
iptables
|
||||
os-svc-install
|
||||
os-refresh-config
|
||||
os-apply-config
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
add-rule INPUT -p tcp --dport 9292 -j ACCEPT
|
|
@ -1 +1,2 @@
|
|||
heat
|
||||
iptables
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# heat-api-cfn, heat-api-cloudwatch, heat-api
|
||||
add-rule INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
|
|
@ -1,4 +1,5 @@
|
|||
apache2
|
||||
iptables
|
||||
os-apply-config
|
||||
os-refresh-config
|
||||
os-svc-install
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
add-rule INPUT -p tcp --dport 80 -j ACCEPT
|
|
@ -1,3 +1,4 @@
|
|||
iptables
|
||||
ironic
|
||||
os-apply-config
|
||||
os-refresh-config
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
add-rule INPUT -p tcp --dport 6385 -j ACCEPT
|
|
@ -1,3 +1,4 @@
|
|||
iptables
|
||||
os-apply-config
|
||||
os-refresh-config
|
||||
os-svc-install
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# keystone service, keystone admin
|
||||
add-rule INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
|
|
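Review bot: `add-rule INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT` opens the keystone admin API (35357) to every source address together with the public port, with no `-s` or `-i` restriction. The rule was equally open in boot-stack, but now that it lives in the keystone element this is the natural place to scope it; if add-rule passes its arguments through to iptables unchanged (the `-m multiport` usage here suggests it does) and the admin API is only meant to be reached from the control plane, a separate rule such as `add-rule INPUT -p tcp --dport 35357 -s 192.0.2.0/24 -j ACCEPT` (192.0.2.0/24 being the ctlplane network named in the boot-stack FORWARD rule) would limit the exposure. The same unrestricted-source pattern applies to the AMQP rule for 5672 in the last section of this commit.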
@ -1,3 +1,4 @@
|
|||
iptables
|
||||
os-svc-install
|
||||
os-apply-config
|
||||
os-refresh-config
|
||||
|
|
|
@ -1,23 +1,14 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# Exit if not Fedora
|
||||
DISTRO=`lsb_release -si` || true
|
||||
[ "Fedora" != "$DISTRO" ] && exit 0
|
||||
add-rule INPUT -p tcp --dport 9696 -j ACCEPT
|
||||
|
||||
# Check if the iptables service is active
|
||||
if systemctl is-active iptables.service ; then
|
||||
IPT_FILE=/etc/sysconfig/iptables
|
||||
if [ -f $IPT_FILE ]; then
|
||||
iptables-restore < $IPT_FILE
|
||||
fi
|
||||
# DHCP, TFTP
|
||||
add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
|
||||
|
||||
# Need to allow gre where used (on overcloud)
|
||||
if ! iptables -C INPUT -p gre -j ACCEPT ; then
|
||||
if [ "$(os-apply-config --key neutron.ovs.tenant_network_type)" = 'gre' ] ; then
|
||||
iptables -I INPUT -p gre -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
iptables-save > $IPT_FILE
|
||||
# Need to allow gre where used (on overcloud)
|
||||
if [ "$(os-apply-config --key neutron.ovs.tenant_network_type)" = 'gre' ] ; then
|
||||
add-rule INPUT -p gre -j ACCEPT
|
||||
fi
|
||||
|
||||
|
||||
|
|
|
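Review bot: The `# DHCP, TFTP` comment above `add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT` promises more than the rule opens — only TFTP (69/udp) is accepted, no DHCP port, and the mismatch is carried over verbatim from boot-stack. If DHCP is handled by another rule or element, rename the comment to `# TFTP`; otherwise the moved script is missing the DHCP rule. Separately, this hunk drops the Fedora-only guard and the `iptables-save > $IPT_FILE` persistence, so rule persistence across reboot now rests entirely on add-rule, which is outside this diff; worth confirming it handles that on Fedora since this script no longer does.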
@ -1 +1,2 @@
|
|||
iptables
|
||||
nova
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# nova-api, nova-api-metadata
|
||||
add-rule INPUT -p tcp -m multiport --dports 8774,8775 -j ACCEPT
|
|
@ -1,2 +1,3 @@
|
|||
iptables
|
||||
nova-compute
|
||||
os-refresh-config
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# ISCSI
|
||||
add-rule INPUT -p tcp --dport 10000 -j ACCEPT
|
|
@ -1,2 +1,3 @@
|
|||
iptables
|
||||
os-refresh-config
|
||||
os-apply-config
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# AMQP
|
||||
add-rule INPUT -p tcp --dport 5672 -j ACCEPT
|