From 739b379b07507605ee1be10cda1f04b7ed3df756 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Mon, 21 Dec 2015 19:43:07 +0300
Subject: [PATCH] Move firewall to a plugin-specific task

This removes dependency on fuel-library firewall task, which defines many firewall rules that are not needed by standalone-rabbitmq nodes.

Change-Id: I52d43a86aab6852f9cd50520533085cf8d9a9362
Partial-Bug: #1528283
---
 deployment_scripts/rabbitmq_firewall.pp | 73 +++++++++++++++++++++++++
 deployment_tasks.yaml | 15 ++++-
 2 files changed, 86 insertions(+), 2 deletions(-)
 create mode 100644 deployment_scripts/rabbitmq_firewall.pp

diff --git a/deployment_scripts/rabbitmq_firewall.pp b/deployment_scripts/rabbitmq_firewall.pp
new file mode 100644
index 0000000..e3d3e1a
--- /dev/null
+++ b/deployment_scripts/rabbitmq_firewall.pp
@@ -0,0 +1,73 @@
+notice('MODULAR: detach-rabbitmq/rabbitmq_firewall.pp')
+
+$network_scheme = hiera_hash('network_scheme')
+$network_metadata = hiera_hash('network_metadata')
+
+$corosync_input_port = 5404
+$corosync_output_port = 5405
+$erlang_epmd_port = 4369
+$erlang_inet_dist_port = 41055
+$erlang_rabbitmq_backend_port = 5673
+$erlang_rabbitmq_port = 5672
+$pcsd_port = 2224
+
+$corosync_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/corosync')
+$rabbitmq_networks = get_routable_networks_for_network_role($network_scheme, 'mgmt/messaging')
+
+
+openstack::firewall::multi_net {'106 rabbitmq':
+ port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $rabbitmq_networks,
+}
+
+# Workaround for fuel bug with firewall
+firewall {'003 remote rabbitmq ':
+ sport => [ 4369, 5672, 41055, 55672, 61613 ],
+ source => hiera('master_ip'),
+ proto => 'tcp',
+ action => 'accept',
+}
+
+# allow local rabbitmq admin traffic for LP#1383258
+firewall {'005 local rabbitmq admin':
+ sport => [ 15672 ],
+ iniface => 'lo',
+ proto => 'tcp',
+ action => 'accept',
+}
+
+# reject all non-local rabbitmq admin traffic for LP#1450443
+firewall {'006 reject non-local rabbitmq admin':
+ sport => [ 15672 ],
+ proto => 'tcp',
+ action => 'drop',
+}
+
+# allow connections from haproxy namespace
+firewall {'030 allow connections from haproxy namespace':
+ source => '240.0.0.2',
+ action => 'accept',
+}
+
+openstack::firewall::multi_net {'113 corosync-input':
+ port => $corosync_input_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'114 corosync-output':
+ port => $corosync_output_port,
+ proto => 'udp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
+
+openstack::firewall::multi_net {'115 pcsd-server':
+ port => $pcsd_port,
+ proto => 'tcp',
+ action => 'accept',
+ source_nets => $corosync_networks,
+}
diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml
index c4ef997..c7bb093 100644
--- a/deployment_tasks.yaml
+++ b/deployment_tasks.yaml
@@ -17,7 +17,7 @@
 requires: [deploy_start]
 required_for: [deploy_end, primary-controller, controller]
 tasks: [fuel_pkgs, hiera, globals, tools, logging, netconfig,
- hosts, firewall, deploy_start, cluster, task-rabbitmq]
+ hosts, firewall, rabbitmq-firewall, deploy_start, cluster, task-rabbitmq]
 parameters:
 strategy:
 type: parallel
@@ -26,7 +26,8 @@
 - id: task-rabbitmq
 type: puppet
 groups: [standalone-rabbitmq]
- requires: [hosts, firewall, globals, rabbitmq-hiera-override, cluster]
+ requires: [hosts, firewall, rabbitmq-firewall, globals,
+ rabbitmq-hiera-override, cluster]
 required_for: [deploy_end]
 parameters:
 puppet_manifest: /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq.pp
@@ -37,3 +38,13 @@
 test_post:
 cmd: ruby /etc/puppet/modules/osnailyfacter/modular/rabbitmq/rabbitmq_post.rb
+# Deployment tasks
+- id: rabbitmq-firewall
+ type: puppet
+ groups: [standalone-rabbitmq]
+ requires: [hosts, globals, rabbitmq-hiera-override, firewall]
+ required_for: [deploy_end]
+ parameters:
+ puppet_manifest: "rabbitmq_firewall.pp"
+ puppet_modules: /etc/puppet/modules
+ timeout: 3600
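Review bot: Rules `'005 local rabbitmq admin'` and `'006 reject non-local rabbitmq admin'` match on `sport`, so 006 drops packets whose *source* port is 15672 and 005 admits such packets on lo; neither selects inbound connections *to* the management port, so a remote client connecting to 15672 from an arbitrary port is decided by whatever default policy the base firewall task sets, not by these rules. If the comments state the intent (keep the admin API local-only, LP#1450443), the selector in both rules should be `dport => [ 15672 ],`; the same question applies to `'003 remote rabbitmq '` (whose title also carries a trailing space), though that one is labelled a workaround and may be deliberate. `$network_metadata` is read from hiera but never used in this manifest. `'030 allow connections from haproxy namespace'` accepts every protocol and port from `240.0.0.2`, presumably inherited from fuel-library; a one-line comment saying why no `proto`/`dport` restriction is applied there would stop a later reader from "fixing" it.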
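Review bot: The commit message says the dependency on fuel-library's `firewall` task is removed, but `firewall` stays in the group's `tasks:` list here, remains a requirement of `task-rabbitmq` in the second hunk, and is a declared requirement of the new `rabbitmq-firewall` task in the third, so the description and the diff disagree. If the dependency is kept on purpose, the description should say so, e.g. "The plugin-specific rules still run after the base `firewall` task, which provides the chains and default policy they rely on."; if it is meant to go, rabbitmq_firewall.pp needs that baseline itself, since its accept rules restrict nothing on their own and it sets no default-drop policy.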
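Review bot: The new `rabbitmq-firewall` task opens the corosync and pcsd ports (rules 113–115 in rabbitmq_firewall.pp) that `cluster` needs, yet it declares only `required_for: [deploy_end]`, so nothing orders it before `cluster`; as far as I can tell the order of the group's `tasks:` list does not sequence tasks under `strategy: type: parallel`. Changing it to `required_for: [deploy_end, cluster]` would make corosync membership wait for its ports to be accepted. The `# Deployment tasks` comment placed above only the last entry of a file that consists entirely of deployment tasks is misleading; `# Plugin-specific firewall rules for standalone-rabbitmq nodes` describes what follows. The quoted relative `puppet_manifest: "rabbitmq_firewall.pp"` also differs in style from the absolute, unquoted paths elsewhere in the file; if the plugin framework resolves it relative to deployment_scripts, a short comment saying so would help.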