From e4ad5936685ac460088ac9b2a7d827788c2a1c86 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Mon, 21 Dec 2015 19:52:10 +0300
Subject: [PATCH] Move firewall to a plugin-specific task

This removes dependency on fuel-library firewall task, which defines many firewall rules that are not needed by standalone-database nodes.

Change-Id: I484ac787a252637023bb5d0bc99a02821f38884e
Partial-Bug: #1528283
---
 deployment_scripts/database_firewall.pp | 51 +++++++++++++++++++++++++
 deployment_tasks.yaml | 24 ++++++++----
 2 files changed, 68 insertions(+), 7 deletions(-)
 create mode 100644 deployment_scripts/database_firewall.pp

diff --git a/deployment_scripts/database_firewall.pp b/deployment_scripts/database_firewall.pp
new file mode 100644
index 0000000..a7aa65a
--- /dev/null
+++ b/deployment_scripts/database_firewall.pp
@@ -0,0 +1,51 @@
+notice('MODULAR: detach-database/database_firewall.pp')
+
+$network_scheme = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port = 5404
+$corosync_output_port = 5405
+$galera_clustercheck_port = 49000
+$galera_ist_port = 4568
+$mysql_backend_port = 3307
+$mysql_gcomm_port = 4567
+$mysql_port = 3306
+$pcsd_port = 2224
+
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$database_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/database')
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+ source => '240.0.0.2',
+ action => 'accept',
+}
+
+openstack::firewall::multi_net {'101 mysql':
+ port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_clustercheck_port],
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $database_networks,
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+ port => $corosync_input_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+ port => $corosync_output_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+ port => $pcsd_port,
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml
index d96eedc..c41bfaa 100644
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
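Review bot: `$network_metadata = hiera_hash('network_metadata')` is looked up but never referenced anywhere else in this manifest, so the line is a dead hiera call and should be dropped or put to use. The `'030 allow connections from haproxy namespace'` rule accepts from `240.0.0.2` with no `proto` or `dport`, so it appears to admit any port on the host from that address; if the haproxy namespace only needs the MySQL-facing ports, scoping it with a `dport => [...]` list would keep it as tight as the `multi_net` rules below it. Nothing in this file sets a default policy or a trailing drop/reject rule, so these accept rules only restrict access while the base `firewall` task still provides that baseline — worth stating in a comment at the top, e.g. `# relies on the base firewall task for the default drop policy`.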
@@ -6,8 +6,8 @@
 requires: [deploy_start]
 required_for: [deploy_end, primary-controller, controller]
 tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
- hosts, firewall, deploy_start, cluster, database-virtual-ip, cluster-haproxy,
- openstack-haproxy-stats, task-database]
+ hosts, firewall, database-firewall, deploy_start, cluster,
+ database-virtual-ip, cluster-haproxy, openstack-haproxy-stats, task-database]
 parameters:
 strategy:
 type: one_by_one
@@ -18,8 +18,8 @@
 requires: [deploy_start, primary-standalone-database, primary-controller, controller]
 required_for: [deploy_end]
 tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
- hosts, firewall, deploy_start, cluster, database-virtual-ip, cluster-haproxy,
- openstack-haproxy-stats, task-database]
+ hosts, firewall, database-firewall, deploy_start, cluster,
+ database-virtual-ip, cluster-haproxy, openstack-haproxy-stats, task-database]
 parameters:
 strategy:
 type: parallel
@@ -40,7 +40,7 @@
 type: puppet
 groups: [primary-standalone-database, standalone-database]
 required_for: [deploy_end]
- requires: [cluster]
+ requires: [database-firewall, cluster]
 parameters:
 puppet_manifest: "/etc/puppet/modules/osnailyfacter/modular/virtual_ips/virtual_ips.pp"
 puppet_modules: "/etc/puppet/modules"
@@ -49,8 +49,8 @@
 - id: task-database
 type: puppet
 role: [primary-standalone-database, standalone-database]
- requires: [hosts, firewall]
- requires: [database-haproxy, database-virtual-ip]
+ requires: [hosts, database-firewall, cluster, database-haproxy,
+ database-virtual-ip]
 parameters:
 puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/database/database.pp
 puppet_modules: /etc/puppet/modules
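Review bot: In the `@@ -49,8 +49,8 @@` hunk the merged `requires:` list adds `cluster` as a new direct dependency of task-database, which neither of the two old `requires:` keys listed and which the commit message does not mention. `database-virtual-ip` already requires `cluster` (the `@@ -40,7 +40,7 @@` hunk), so the ordering holds transitively either way; if the explicit entry is intended, a commit-message sentence such as `task-database now also lists cluster as an explicit dependency` would make it reviewable, otherwise `requires: [hosts, database-firewall, database-haproxy, database-virtual-ip]` keeps the hunk to the firewall change. Collapsing the duplicate `requires:` keys is a real fix in its own right, since most YAML parsers keep only the last duplicate key, which previously dropped `hosts` and `firewall` silently.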
@@ -72,3 +72,13 @@
 puppet_modules: "/etc/puppet/modules"
 timeout: 120
+- id: database-firewall
+ type: puppet
+ role: [primary-standalone-database, standalone-database]
+ requires: [globals, firewall]
+ required_for: [cluster, task-database]
+ parameters:
+ puppet_manifest: "database_firewall.pp"
+ puppet_modules: "/etc/puppet/modules"
+ timeout: 120
+
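Review bot: `requires: [globals, firewall]` keeps the new task dependent on the fuel-library `firewall` task, and the group `tasks:` lists in the earlier hunks still include `firewall`, so the patch does not remove that dependency as the commit message says; either the message should describe the plugin rules as layered on top of `firewall`, or `firewall` should be dropped here. If it is dropped, database_firewall.pp contains only accept rules and nothing that installs a default drop/reject policy, so its rules would restrict nothing until that manifest carries its own baseline. `puppet_manifest: "database_firewall.pp"` is also the only relative manifest path in the file, every other task using `/etc/puppet/modules/...`; presumably the plugin framework resolves it against the plugin's deployment_scripts directory, but that is worth confirming before merge.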