Merge "Run iptables in service playbooks instead of base"

playbooks/base.yaml

@@ -8,4 +8,4 @@
     - base/unbound
     - base/exim
     - base/snmpd
-    - base/iptables
+    - iptables

playbooks/roles/run-puppet/tasks/main.yaml

@@ -1,4 +1,6 @@
 # Use include_role instead of roles: so that we can late-bind the roles list
+- include_role:
+    name: iptables
 - include_role:
     name: install-ansible-roles
 - include_role:

playbooks/service-backup.yaml

@@ -3,8 +3,10 @@
 - hosts: "backup:!disabled"
   name: "Base: Generate backup users and keys"
   roles:
+    - iptables
     - backup
 - hosts: "backup-server:!disabled"
   name: "Generate bup configuration"
   roles:
+    - iptables
     - backup-server

playbooks/service-bridge.yaml

@@ -1,6 +1,7 @@
 - hosts: bridge.openstack.org:!disabled
   name: "Bridge: configure the bastion host"
   roles:
+    - iptables
     - edit-secrets-script
     - install-docker
   tasks:

playbooks/service-codesearch.yaml

@@ -2,6 +2,7 @@
   name: "codesearch: run puppet on codesearch"
   strategy: free
   roles:
+    - iptables
     - sync-project-config
     - name: run-puppet
       manifest: /opt/system-config/production/manifests/codesearch.pp

playbooks/service-eavesdrop.yaml

@@ -2,6 +2,7 @@
   name: "eavesdrop: run puppet on eavesdrop"
   strategy: free
   roles:
+    - iptables
     - zuul-user
     - sync-project-config
     - install-docker

playbooks/service-etherpad.yaml

@@ -1,5 +1,6 @@
 - hosts: "etherpad01.opendev.org:!disabled"
   name: "Base: configure etherpad"
   roles:
+    - iptables
     - install-docker
     - etherpad

playbooks/service-gitea-lb.yaml

@@ -1,5 +1,6 @@
 - hosts: "gitea-lb:!disabled"
   name: "Base: configure gitea load balancer"
   roles:
+    - iptables
     - install-docker
     - haproxy

playbooks/service-gitea.yaml

@@ -2,5 +2,6 @@
   name: "Base: configure gitea"
   serial: 1
   roles:
+    - iptables
     - install-docker
     - gitea

playbooks/service-letsencrypt.yaml

@@ -5,7 +5,7 @@
   roles:
     - install-certcheck
 - hosts: "letsencrypt:!disabled"
-  name: "Base: deploy and renew certificates"
+  name: "Deploy and renew certificates"
   roles:
     - letsencrypt-acme-sh-install
     - letsencrypt-request-certs

playbooks/service-meetpad.yaml

@@ -1,12 +1,14 @@
 - hosts: "meetpad:!disabled"
   name: "Configure meetpad"
   roles:
+    - iptables
     - install-docker
     - jitsi-meet
 
 - hosts: "jvb:!disabled"
   name: "Configure extra jitsi video bridges"
   roles:
+    - iptables
     - install-docker
     - role: jitsi-meet
       docker_compose_file: jvb-docker-compose.yaml

playbooks/service-mirror-update.yaml

@@ -1,6 +1,7 @@
 - hosts: "mirror-update:!disabled"
   name: "Configure mirror-update"
   roles:
+    - role: iptables
     - role: kerberos-client
       kerberos_realm: 'OPENSTACK.ORG'
       kerberos_admin_server: 'kdc.openstack.org'

playbooks/service-mirror.yaml

@@ -1,6 +1,7 @@
 - hosts: "mirror:!disabled"
   name: "Configure per region opendev mirrors"
   roles:
+    - role: iptables
     - role: kerberos-client
       kerberos_realm: 'OPENSTACK.ORG'
       kerberos_admin_server: 'kdc.openstack.org'

playbooks/service-nameserver.yaml

@@ -1,10 +1,12 @@
 - hosts: adns:!disabled
   name: "Base: configure adns server"
   roles:
+    - iptables
     - master-nameserver
 
 - hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
   name: "Base: configure authoritative nameservers"
   roles:
+    - iptables
     - nameserver
 

playbooks/service-nodepool.yaml

@@ -2,6 +2,7 @@
   name: "Configure nodepool builders"
   strategy: free
   roles:
+    - iptables
     - install-docker
     - nodepool-base
     - configure-openstacksdk
@@ -11,6 +12,7 @@
   name: "run puppet on all older servers"
   strategy: free
   roles:
+    - iptables
     - nodepool-base-legacy
     - configure-openstacksdk
     - configure-kubectl
@@ -20,6 +22,7 @@
   name: "Configure nodepool launchers"
   strategy: free
   roles:
+    - iptables
     - install-docker
     - nodepool-base
     - configure-openstacksdk

playbooks/service-registry.yaml

@@ -1,5 +1,6 @@
 - hosts: "registry:!disabled"
   name: "Base: configure registry"
   roles:
+    - iptables
     - install-docker
     - registry

playbooks/service-review-dev.yaml

@@ -1,6 +1,7 @@
 - hosts: "review-dev:!disabled"
   name: "Configure gerrit on review-dev"
   roles:
+    - iptables
     - install-docker
     - role: gerrit
       gerrit_ssh_rsa_key_contents: "{{ gerrit_dev_ssh_rsa_key_contents }}"

playbooks/service-review.yaml

@@ -1,5 +1,6 @@
 - hosts: "review:!disabled"
   name: "Configure gerrit"
   roles:
+    - iptables
     - install-docker
     - gerrit

playbooks/service-static.yaml

@@ -1,6 +1,7 @@
 - hosts: "static:!disabled"
   name: "Static webserver"
   roles:
+    - role: iptables
     - role: kerberos-client
       kerberos_realm: 'OPENSTACK.ORG'
       kerberos_admin_server: 'kdc.openstack.org'

playbooks/service-zookeeper.yaml

@@ -12,5 +12,6 @@
   name: "Configure Zookeeper"
   serial: 1
   roles:
+    - iptables
     - install-docker
     - zookeeper

playbooks/service-zuul-preview.yaml

@@ -1,5 +1,6 @@
 - hosts: "zuul-preview:!disabled"
   name: "Base: configure zuul-preview"
   roles:
+    - iptables
     - install-docker
     - zuul-preview

playbooks/service-zuul.yaml

@@ -11,6 +11,7 @@
 - hosts: "zuul:!disabled"
   name: "Configure zuul servers"
   roles:
+    - iptables
     - install-docker
     - zuul
 

testinfra/test_base.py

@@ -14,7 +14,6 @@
 
 import socket
 
-
 testinfra_hosts = ['all']
 
 

testinfra/test_zuul.py

@@ -0,0 +1,73 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import socket
+
+
+testinfra_hosts = [
+    'ze01.opendev.org',
+    'zm01.openstack.org',
+    'zuul01.openstack.org',
+]
+
+
+def get_ips(value, family=None):
+    ret = set()
+    try:
+        addr_info = socket.getaddrinfo(value, None, family)
+    except socket.gaierror:
+        return ret
+    for addr in addr_info:
+        ret.add(addr[4][0])
+    return ret
+
+
+def test_iptables(host):
+    rules = host.iptables.rules()
+    rules = [x.strip() for x in rules]
+
+    needed_rules = [
+        '-P INPUT ACCEPT',
+        '-P FORWARD DROP',
+        '-P OUTPUT ACCEPT',
+        '-N openstack-INPUT',
+        '-A INPUT -j openstack-INPUT',
+        '-A openstack-INPUT -i lo -j ACCEPT',
+        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
+        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
+        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+        '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
+    ]
+    for rule in needed_rules:
+        assert rule in rules
+
+    # Make sure that the gearman port is open to executors on the scheduler
+    if host.backend.get_hostname() == 'zuul01.openstack.org':
+        for ip in get_ips('ze01.opendev.org', socket.AF_INET):
+            zuul = ('-A openstack-INPUT -s %s/32 -p tcp -m state --state NEW'
+                    ' -m tcp --dport 4730 -j ACCEPT' % ip)
+            assert zuul in rules
+
+    # Ensure all IPv4+6 addresses for cacti are allowed
+    for ip in get_ips('cacti.openstack.org', socket.AF_INET):
+        snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
+                ' --dport 161 -j ACCEPT' % ip)
+        assert snmp in rules
+
+    # TODO(ianw) add ip6tables support to testinfra iptables module
+    ip6rules = host.check_output('ip6tables -S')
+    for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
+        snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
+                ' --dport 161 -j ACCEPT' % ip)
+        assert snmp in ip6rules

zuul.d/infra-prod.yaml

@@ -69,8 +69,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
     files:
       - inventory/
       - playbooks/service-letsencrypt.yaml
@@ -105,8 +103,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
 
@@ -120,6 +116,7 @@
       - inventory/
       - playbooks/service-bridge.yaml
       - playbooks/host_vars/bridge.openstack.org.yaml
+      - playbooks/roles/iptables/
       - playbooks/roles/logrotate/
       - playbooks/roles/edit-secrets-script/
       - playbooks/roles/install-kubectl/
@@ -138,6 +135,7 @@
       - playbooks/service-gitea-lb.yaml
       - playbooks/group_vars/gitea-lb.yaml
       - playbooks/roles/pip3/
+      - playbooks/roles/iptables/
       - playbooks/roles/install-docker/
       - playbooks/roles/haproxy/
 
@@ -157,6 +155,7 @@
       - playbooks/group_vars/ns.yaml
       - playbooks/roles/master-nameserver/
       - playbooks/roles/nameserver/
+      - playbooks/roles/iptables/
 
 - job:
     name: infra-prod-service-nodepool
@@ -179,6 +178,7 @@
       - playbooks/roles/configure-kubectl/
       - playbooks/roles/configure-openstacksdk/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/nodepool
       - playbooks/templates/clouds/nodepool_
 
@@ -197,6 +197,7 @@
       - playbooks/roles/pip3/
       - playbooks/roles/etherpad
       - playbooks/roles/logrotate
+      - playbooks/roles/iptables/
 
 - job:
     name: infra-prod-service-meetpad
@@ -205,8 +206,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
       - name: system-config-promote-image-jitsi-meet
@@ -220,6 +219,7 @@
       - playbooks/group_vars/meetpad.yaml
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/jitsi-meet/
 
 - job:
@@ -234,6 +234,7 @@
       - playbooks/roles/kerberos-client/
       - playbooks/roles/openafs-client/
       - playbooks/roles/mirror-update/
+      - playbooks/roles/iptables/
       - playbooks/roles/logrotate/
 
 - job:
@@ -251,6 +252,7 @@
       - playbooks/roles/mirror/
       - playbooks/roles/afs-release/
       - playbooks/roles/afsmon/
+      - playbooks/roles/iptables/
       - playbooks/roles/logrotate/
 
 - job:
@@ -264,6 +266,7 @@
       - playbooks/service-static.yaml
       - playbooks/host_vars/static01.opendev.org.yaml
       - playbooks/group_vars/static.yaml
+      - playbooks/roles/iptables/
       - playbooks/roles/kerberos-client/
       - playbooks/roles/openafs-client/
       - playbooks/roles/static/
@@ -280,6 +283,7 @@
       - playbooks/service-backup.yaml
       - playbooks/roles/backup/
       - playbooks/roles/backup-server/
+      - playbooks/roles/iptables/
 
 - job:
     name: infra-prod-service-registry
@@ -293,6 +297,7 @@
       - playbooks/group_vars/registry.yaml
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/registry/
 
 - job:
@@ -307,6 +312,7 @@
       - playbooks/group_vars/zuul-preview.yaml
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/zuul-preview/
 
 - job:
@@ -321,6 +327,7 @@
       - ^playbooks/host_vars/zk\d+\..*
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/zookeeper/
 
 - job:
@@ -337,8 +344,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
       - name: infra-prod-manage-projects
@@ -352,6 +357,7 @@
       - playbooks/host_vars/zk\d+
       - playbooks/host_vars/zuul01.openstack.org
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/zookeeper/
       - playbooks/roles/zuul
 
@@ -364,8 +370,6 @@
     dependencies: &infra_prod_service_review_deps
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
       - name: system-config-promote-image-gerrit-2.13
@@ -377,6 +381,7 @@
       - playbooks/host_vars/review01.openstack.org.yaml
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/gerrit/
 
 - job:
@@ -393,6 +398,7 @@
       - playbooks/host_vars/review-dev01.opendev.org.yaml
       - playbooks/roles/pip3/
       - playbooks/roles/install-docker/
+      - playbooks/roles/iptables/
       - playbooks/roles/gerrit/
 
 - job:
@@ -404,8 +410,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
       - name: system-config-promote-image-gitea-init
@@ -420,6 +424,7 @@
       - playbooks/roles/install-docker/
       - playbooks/roles/pip3/
       - playbooks/roles/gitea/
+      - playbooks/roles/iptables/
       - playbooks/roles/logrotate/
       - docker/gitea/
       - docker/gitea-init/
@@ -443,6 +448,7 @@
       - playbooks/group_vars/puppet.yaml
       - playbooks/roles/run-puppet/
       - playbooks/roles/install-ansible-roles/
+      - playbooks/roles/iptables/
       - playbooks/roles/sync-project-config
       - playbooks/roles/puppet-install/
       - playbooks/roles/disable-puppet-agent/
@@ -461,8 +467,6 @@
     dependencies:
       - name: infra-prod-install-ansible
         soft: true
-      - name: infra-prod-base
-        soft: true
       - name: infra-prod-service-letsencrypt
         soft: true
       - name: system-config-promote-image-accessbot
@@ -479,6 +483,7 @@
       - playbooks/roles/install-ansible-roles/
       - playbooks/roles/zuul-user
       - playbooks/roles/install-docker
+      - playbooks/roles/iptables/
       - playbooks/roles/puppet-install/
       - playbooks/roles/disable-puppet-agent/
       - playbooks/roles/accessbot
@@ -526,6 +531,7 @@
       - playbooks/roles/install-ansible-roles/
       - playbooks/roles/puppet-install/
       - playbooks/roles/disable-puppet-agent/
+      - playbooks/roles/iptables/
       - playbooks/roles/vos-release/
       - modules/
       - manifests/
@@ -551,6 +557,7 @@
       - playbooks/roles/install-ansible-roles/
       - playbooks/roles/puppet-install/
       - playbooks/roles/disable-puppet-agent/
+      - playbooks/roles/iptables/
       - modules/
       - manifests/
 

zuul.d/project.yaml

@@ -204,8 +204,6 @@
             dependencies:
               - name: infra-prod-install-ansible
                 soft: true
-              - name: infra-prod-base
-                soft: true
               - name: infra-prod-service-letsencrypt
                 soft: true
               - name: system-config-promote-image-etherpad

zuul.d/system-config-run.yaml

@@ -374,6 +374,7 @@
 - job:
     name: system-config-run-mirror-x86
     parent: system-config-run-mirror-base
+    timeout: 3600
     nodeset:
       nodes:
         - name: bridge.openstack.org