Move firewall to a plugin-specific task
This removes the dependency on the fuel-library `firewall` task, which defines many firewall rules that are not needed by standalone-database nodes. Change-Id: I484ac787a252637023bb5d0bc99a02821f38884e Partial-Bug: #1528283
parent
a4eba32c31
commit
e4ad593668
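--- /dev/null
+++ b/database_firewall.pp
@@ -0,0 +1,51 @@
+notice('MODULAR: detach-database/database_firewall.pp')
+
+$network_scheme = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port = 5404
+$corosync_output_port = 5405
+$galera_clustercheck_port = 49000
+$galera_ist_port = 4568
+$mysql_backend_port = 3307
+$mysql_gcomm_port = 4567
+$mysql_port = 3306
+$pcsd_port = 2224
+
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$database_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/database')
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+source => '240.0.0.2',
+action => 'accept',
+}
+
+openstack::firewall::multi_net {'101 mysql':
+port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_clustercheck_port],
+proto => 'tcp',
+action => 'accept',
+source_nets => $database_networks,
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+port => $corosync_input_port,
+proto => 'udp',
+action => 'accept',
+source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+port => $corosync_output_port,
+proto => 'udp',
+action => 'accept',
+source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+port => $pcsd_port,
+proto => 'tcp',
+action => 'accept',
+source_nets => $corosync_networks,
+}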
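Review bot: The `firewall {'030 allow connections from haproxy namespace': ...}` resource matches on `source => '240.0.0.2'` alone, with no `proto`, `dport` or `iniface`, so it accepts every protocol and every port from anything that can present that source address — a much wider hole than the haproxy health checks and backend connections it exists for. Narrow it to the ports haproxy actually talks to, e.g. `proto => 'tcp', dport => [$mysql_port, $mysql_backend_port, $galera_clustercheck_port],` and, if the namespace is attached through a dedicated interface, pin it with `iniface`; which of these ports the haproxy backends really use is not visible here and should be confirmed against the backend definitions. The manifest only declares accept rules, so it presumably relies on the default policy and final drop/reject rule installed by the fuel-library `firewall` task; that assumption is worth stating in a comment at the top, e.g. `# Accept rules only: default policy / final reject are provided by the fuel-library firewall task`. Separately, `$network_metadata` is read from hiera but never used in this manifest and can be dropped.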
@ -6,8 +6,8 @@
requires: [deploy_start]
requires: [deploy_start]
required_for: [deploy_end, primary-controller, controller]
required_for: [deploy_end, primary-controller, controller]
tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
hosts, firewall, deploy_start, cluster, database-virtual-ip, cluster-haproxy,
hosts, firewall, database-firewall, deploy_start, cluster,
openstack-haproxy-stats, task-database]
database-virtual-ip, cluster-haproxy, openstack-haproxy-stats, task-database]
parameters:
parameters:
strategy:
strategy:
type: one_by_one
type: one_by_one
@ -18,8 +18,8 @@
requires: [deploy_start, primary-standalone-database, primary-controller, controller]
requires: [deploy_start, primary-standalone-database, primary-controller, controller]
required_for: [deploy_end]
required_for: [deploy_end]
tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
hosts, firewall, deploy_start, cluster, database-virtual-ip, cluster-haproxy,
hosts, firewall, database-firewall, deploy_start, cluster,
openstack-haproxy-stats, task-database]
database-virtual-ip, cluster-haproxy, openstack-haproxy-stats, task-database]
parameters:
parameters:
strategy:
strategy:
type: parallel
type: parallel
@ -40,7 +40,7 @@
type: puppet
type: puppet
groups: [primary-standalone-database, standalone-database]
groups: [primary-standalone-database, standalone-database]
required_for: [deploy_end]
required_for: [deploy_end]
requires: [cluster]
requires: [database-firewall, cluster]
parameters:
parameters:
puppet_manifest: "/etc/puppet/modules/osnailyfacter/modular/virtual_ips/virtual_ips.pp"
puppet_manifest: "/etc/puppet/modules/osnailyfacter/modular/virtual_ips/virtual_ips.pp"
puppet_modules: "/etc/puppet/modules"
puppet_modules: "/etc/puppet/modules"
@ -49,8 +49,8 @@
- id: task-database
- id: task-database
type: puppet
type: puppet
role: [primary-standalone-database, standalone-database]
role: [primary-standalone-database, standalone-database]
requires: [hosts, firewall]
requires: [hosts, database-firewall, cluster, database-haproxy,
requires: [database-haproxy, database-virtual-ip]
database-virtual-ip]
parameters:
parameters:
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/database/database.pp
puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/database/database.pp
puppet_modules: /etc/puppet/modules
puppet_modules: /etc/puppet/modules
@ -72,3 +72,13 @@
puppet_modules: "/etc/puppet/modules"
puppet_modules: "/etc/puppet/modules"
timeout: 120
timeout: 120
- id: database-firewall
type: puppet
role: [primary-standalone-database, standalone-database]
requires: [globals, firewall]
required_for: [cluster, task-database]
parameters:
puppet_manifest: "database_firewall.pp"
puppet_modules: "/etc/puppet/modules"
timeout: 120
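Review bot: The new `database-firewall` task is declared with `requires: [globals, firewall]`, and `firewall` is kept in both groups' task lists (`hosts, firewall, database-firewall, deploy_start, cluster,`), so the fuel-library firewall task still runs on standalone-database nodes and its rules are still applied — which contradicts the description's claim that the dependency is removed. That ordering is presumably also what gives these nodes their default policy and baseline rules today, since database_firewall.pp only declares accept rules; if `firewall` is dropped from the task lists in a follow-up without adding that baseline to the manifest, the nodes would be left with iptables' default ACCEPT policy. Either reword the description to say the plugin task is added alongside `firewall` for now, or make the replacement explicit, e.g. `requires: [globals, hosts]` together with the baseline rules in the manifest. The `task-database` hunk also adds `cluster` and `database-haproxy` to its `requires`, which the description does not mention; if that is an intentional ordering change it deserves a line there.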