Moving iptables rules to the relevant elements

This patch moves the iptables rules from elements/boot-stack to an os-refresh-config/pre-configure.d directory within the element that is relevant to the rule. This patch relies on the add-rule script. Change-Id: Idf0eca03f104829896b07693f1f22f31270c91c5
2014-01-21 06:06:40 -05:00 · 2014-01-21 06:06:40 -05:00 · 8fb20e22ce
parent f8a3e98314
commit 8fb20e22ce
21 changed files with 60 additions and 42 deletions
--- a/elements/boot-stack/os-refresh-config/pre-configure.d/97-fedora-iptables
+++ b/elements/boot-stack/os-refresh-config/pre-configure.d/97-fedora-iptables
@ -1,31 +1,6 @@
 #!/bin/bash
 set -eu

-# Openstack services
-add-rule INPUT -p tcp --dport 8774 -j ACCEPT  # nova-api
-add-rule INPUT -p tcp --dport 8775 -j ACCEPT  # nova-api-metadata
-add-rule INPUT -p tcp --dport 9292 -j ACCEPT  # glance
-add-rule INPUT -p tcp --dport 5000 -j ACCEPT  # keystone service
-add-rule INPUT -p tcp --dport 35357 -j ACCEPT # keystone admin
-add-rule INPUT -p tcp --dport 8000 -j ACCEPT  # heat-api-cfn
-add-rule INPUT -p tcp --dport 8003 -j ACCEPT  # heat-api-cloudwatch
-add-rule INPUT -p tcp --dport 8004 -j ACCEPT  # heat-api
-add-rule INPUT -p tcp --dport 9696  -j ACCEPT # neutron
-add-rule INPUT -p tcp --dport 6385 -j ACCEPT  # ironic
-add-rule INPUT -p tcp --dport 8777 -j ACCEPT  # ceilometer
-
-# Horizon
-add-rule INPUT -p tcp --dport 80 -j ACCEPT
-
-# AMQP
-add-rule INPUT -p tcp --dport 5672  -j ACCEPT
-
-# DHCP, TFTP
-add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT
-
-# ISCSI
-add-rule INPUT -p tcp --dport 10000 -j ACCEPT
-
 # Forward packets to the private ctlplane network
 add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
 # Forward packets to the hosts libvirt network
--- a/elements/ceilometer-api/element-deps
+++ b/elements/ceilometer-api/element-deps
@ -1,3 +1,4 @@
 ceilometer
+iptables
 os-refresh-config
 os-svc-install
--- a/elements/ceilometer-api/os-refresh-config/pre-configure.d/97-fedora-ceilometer-api-iptables
+++ b/elements/ceilometer-api/os-refresh-config/pre-configure.d/97-fedora-ceilometer-api-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+add-rule INPUT -p tcp --dport 8777 -j ACCEPT
+
--- a/elements/glance/element-deps
+++ b/elements/glance/element-deps
@ -1,3 +1,4 @@
+iptables
 os-svc-install
 os-refresh-config
 os-apply-config
--- a/elements/glance/os-refresh-config/pre-configure.d/97-glance-fedora-iptables
+++ b/elements/glance/os-refresh-config/pre-configure.d/97-glance-fedora-iptables
@ -0,0 +1,4 @@
+#!/bin/bash
+set -eu
+
+add-rule INPUT -p tcp --dport 9292 -j ACCEPT
--- a/elements/heat-api/element-deps
+++ b/elements/heat-api/element-deps
@ -1 +1,2 @@
 heat
+iptables
--- a/elements/heat-api/os-refresh-config/pre-configure.d/97-heat-api-fedora-iptables
+++ b/elements/heat-api/os-refresh-config/pre-configure.d/97-heat-api-fedora-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+# heat-api-cfn, heat-api-cloudwatch, heat-api
+add-rule INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
--- a/elements/horizon/element-deps
+++ b/elements/horizon/element-deps
@ -1,4 +1,5 @@
 apache2
+iptables
 os-apply-config
 os-refresh-config
 os-svc-install
--- a/elements/horizon/os-refresh-config/pre-configure.d/97-horizon-fedora-iptables
+++ b/elements/horizon/os-refresh-config/pre-configure.d/97-horizon-fedora-iptables
@ -0,0 +1,4 @@
+#!/bin/bash
+set -eu
+
+add-rule INPUT -p tcp --dport 80 -j ACCEPT
--- a/elements/ironic-api/element-deps
+++ b/elements/ironic-api/element-deps
@ -1,3 +1,4 @@
+iptables
 ironic
 os-apply-config
 os-refresh-config
--- a/elements/ironic-api/os-refresh-config/pre-configure.d/97-fedora-ironic-api-iptables
+++ b/elements/ironic-api/os-refresh-config/pre-configure.d/97-fedora-ironic-api-iptables
@ -0,0 +1,4 @@
+#!/bin/bash
+set -eu
+
+add-rule INPUT -p tcp --dport 6385 -j ACCEPT
--- a/elements/keystone/element-deps
+++ b/elements/keystone/element-deps
@ -1,3 +1,4 @@
+iptables
 os-apply-config
 os-refresh-config
 os-svc-install
--- a/elements/keystone/os-refresh-config/pre-configure.d/97-keystone-fedora-iptables
+++ b/elements/keystone/os-refresh-config/pre-configure.d/97-keystone-fedora-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+# keystone service, keystone admin
+add-rule INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
--- a/elements/neutron/element-deps
+++ b/elements/neutron/element-deps
@ -1,3 +1,4 @@
+iptables
 os-svc-install
 os-apply-config
 os-refresh-config
--- a/elements/neutron/os-refresh-config/pre-configure.d/97-fedora-neutron-iptables
+++ b/elements/neutron/os-refresh-config/pre-configure.d/97-fedora-neutron-iptables
@ -1,23 +1,14 @@
 #!/bin/bash
 set -eu

-# Exit if not Fedora
-DISTRO=`lsb_release -si` || true
-[ "Fedora" != "$DISTRO" ] && exit 0
+add-rule INPUT -p tcp --dport 9696  -j ACCEPT

-# Check if the iptables service is active
-if systemctl is-active iptables.service ; then
-    IPT_FILE=/etc/sysconfig/iptables
-    if [ -f $IPT_FILE ]; then
-        iptables-restore < $IPT_FILE
-    fi
+# DHCP, TFTP
+add-rule INPUT -m udp -p udp --dport 69 -j ACCEPT

-    # Need to allow gre where used (on overcloud)
-    if ! iptables -C INPUT -p gre -j ACCEPT ; then
-        if [ "$(os-apply-config --key neutron.ovs.tenant_network_type)" = 'gre' ] ; then
-            iptables -I INPUT -p gre -j ACCEPT
-        fi
-    fi
-
-    iptables-save > $IPT_FILE
+# Need to allow gre where used (on overcloud)
+if [ "$(os-apply-config --key neutron.ovs.tenant_network_type)" = 'gre' ] ; then
+    add-rule INPUT -p gre -j ACCEPT
 fi
+
+
--- a/elements/nova-api/element-deps
+++ b/elements/nova-api/element-deps
@ -1 +1,2 @@
+iptables
 nova
--- a/elements/nova-api/os-refresh-config/pre-configure.d/97-nova-api-fedora-iptables
+++ b/elements/nova-api/os-refresh-config/pre-configure.d/97-nova-api-fedora-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+# nova-api, nova-api-metadata
+add-rule INPUT -p tcp -m multiport --dports 8774,8775 -j ACCEPT
--- a/elements/nova-baremetal/element-deps
+++ b/elements/nova-baremetal/element-deps
@ -1,2 +1,3 @@
+iptables
 nova-compute
 os-refresh-config
--- a/elements/nova-baremetal/os-refresh-config/pre-configure.d/97-fedora-nova-baremetal-iptables
+++ b/elements/nova-baremetal/os-refresh-config/pre-configure.d/97-fedora-nova-baremetal-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+# ISCSI
+add-rule INPUT -p tcp --dport 10000 -j ACCEPT
--- a/elements/rabbitmq-server/element-deps
+++ b/elements/rabbitmq-server/element-deps
@ -1,2 +1,3 @@
+iptables
 os-refresh-config
 os-apply-config
--- a/elements/rabbitmq-server/os-refresh-config/pre-configure.d/97-rabbitmq-server-fedora-iptables
+++ b/elements/rabbitmq-server/os-refresh-config/pre-configure.d/97-rabbitmq-server-fedora-iptables
@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu
+
+# AMQP
+add-rule INPUT -p tcp --dport 5672  -j ACCEPT