From 15663daaf7398c18c59a276d7395daa9617abb72 Mon Sep 17 00:00:00 2001 
From: Monty Taylor Date: Mon, 20 Aug 2018 18:31:33 -0500 Subject: [PATCH] Add iptables role Co-Authored-By: James E. Blair Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c Depends-On: https://review.openstack.org/596503 --- hiera/common.yaml | 62 ---- inventory/groups.yaml | 17 +- manifests/site.pp | 274 +++--------------- modules/openstack_project/manifests/cacti.pp | 4 +- modules/openstack_project/manifests/git.pp | 4 +- .../manifests/openstackid_dev.pp | 4 +- .../manifests/openstackid_prod.pp | 4 +- modules/openstack_project/manifests/planet.pp | 4 +- modules/openstack_project/manifests/server.pp | 25 -- .../openstack_project/manifests/storyboard.pp | 4 +- modules/openstack_project/manifests/summit.pp | 8 - .../manifests/translate_dev.pp | 4 +- modules/openstack_project/manifests/wiki.pp | 4 +- .../spec/acceptance/basic_spec.rb | 10 - .../spec/acceptance/fixtures/default.pp | 4 - playbooks/base.yaml | 1 + playbooks/filter_plugins/__init__.py | 0 playbooks/filter_plugins/getaddrinfo.py | 41 +++ playbooks/group_vars/afs.yaml | 1 + playbooks/group_vars/afsdb.yaml | 1 + playbooks/group_vars/all.yaml | 12 + playbooks/group_vars/eavesdrop.yaml | 2 + playbooks/group_vars/elasticsearch.yaml | 82 ++++++ playbooks/group_vars/firehose.yaml | 6 + playbooks/group_vars/gerrit.yaml | 8 + playbooks/group_vars/git-loadbalancer.yaml | 4 + playbooks/group_vars/git-server.yaml | 4 + playbooks/group_vars/graphite.yaml | 88 ++++++ playbooks/group_vars/kdc.yaml | 9 + playbooks/group_vars/logstash.yaml | 103 +++++++ playbooks/group_vars/mailman.yaml | 4 + playbooks/group_vars/mirror.yaml | 5 + playbooks/group_vars/nodepool.yaml | 26 ++ playbooks/group_vars/ns.yaml | 2 + playbooks/group_vars/pbx.yaml | 7 + playbooks/group_vars/review-dev.yaml | 2 - playbooks/group_vars/review.yaml | 2 - playbooks/group_vars/webservers.yaml | 4 + playbooks/group_vars/zookeeper.yaml | 17 ++ playbooks/group_vars/zuul-executor.yaml | 3 + playbooks/group_vars/zuul-scheduler.yaml | 63 ++++ 
playbooks/roles/iptables/README.rst | 44 +++ playbooks/roles/iptables/defaults/main.yaml | 7 + playbooks/roles/iptables/handlers/main.yaml | 11 + playbooks/roles/iptables/tasks/RedHat.yaml | 11 + playbooks/roles/iptables/tasks/main.yaml | 54 ++++ .../roles/iptables/tasks/reload-debian.yaml | 2 + .../roles/iptables/tasks/reload-redhat.yaml | 5 + .../roles/iptables/templates/rules.v4.j2 | 31 ++ .../roles/iptables/templates/rules.v6.j2 | 30 ++ playbooks/roles/iptables/vars/Debian.yaml | 6 + playbooks/roles/iptables/vars/RedHat.yaml | 6 + .../roles/iptables/vars/Ubuntu.trusty.yaml | 6 + testinfra/test_base.py | 47 +++ 54 files changed, 816 insertions(+), 373 deletions(-) delete mode 100644 modules/openstack_project/manifests/summit.pp create mode 100644 playbooks/filter_plugins/__init__.py create mode 100644 playbooks/filter_plugins/getaddrinfo.py create mode 100644 playbooks/group_vars/afs.yaml create mode 100644 playbooks/group_vars/afsdb.yaml create mode 100644 playbooks/group_vars/eavesdrop.yaml create mode 100644 playbooks/group_vars/elasticsearch.yaml create mode 100644 playbooks/group_vars/gerrit.yaml create mode 100644 playbooks/group_vars/git-loadbalancer.yaml create mode 100644 playbooks/group_vars/graphite.yaml create mode 100644 playbooks/group_vars/kdc.yaml create mode 100644 playbooks/group_vars/logstash.yaml create mode 100644 playbooks/group_vars/mirror.yaml create mode 100644 playbooks/group_vars/nodepool.yaml create mode 100644 playbooks/group_vars/ns.yaml create mode 100644 playbooks/group_vars/pbx.yaml delete mode 100644 playbooks/group_vars/review-dev.yaml delete mode 100644 playbooks/group_vars/review.yaml create mode 100644 playbooks/group_vars/webservers.yaml create mode 100644 playbooks/group_vars/zookeeper.yaml create mode 100644 playbooks/group_vars/zuul-executor.yaml create mode 100644 playbooks/group_vars/zuul-scheduler.yaml create mode 100644 playbooks/roles/iptables/README.rst create mode 100644 playbooks/roles/iptables/defaults/main.yaml 
create mode 100644 playbooks/roles/iptables/handlers/main.yaml create mode 100644 playbooks/roles/iptables/tasks/RedHat.yaml create mode 100644 playbooks/roles/iptables/tasks/main.yaml create mode 100644 playbooks/roles/iptables/tasks/reload-debian.yaml create mode 100644 playbooks/roles/iptables/tasks/reload-redhat.yaml create mode 100644 playbooks/roles/iptables/templates/rules.v4.j2 create mode 100644 playbooks/roles/iptables/templates/rules.v6.j2 create mode 100644 playbooks/roles/iptables/vars/Debian.yaml create mode 100644 playbooks/roles/iptables/vars/RedHat.yaml create mode 100644 playbooks/roles/iptables/vars/Ubuntu.trusty.yaml diff --git a/hiera/common.yaml b/hiera/common.yaml index f3daa1d14c..14d3b45f80 100644 --- a/hiera/common.yaml +++ b/hiera/common.yaml 
@@ -6,68 +6,6 @@ elasticsearch_nodes: - elasticsearch05.openstack.org - elasticsearch06.openstack.org - elasticsearch07.openstack.org -elasticsearch_iptables_rule_data: -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 
'logstash-worker15.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'} -- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'} -logstash_iptables_rule_data: -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 
'logstash-worker19.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'} -- {protocol: 'tcp', port: '4730', hostname: 'ze11.openstack.org'} infra_apache_serveradmin: noc@openstack.org statusbot_channels: - airshipit diff --git a/inventory/groups.yaml b/inventory/groups.yaml index 84b7459409..79fb048fcc 100644 --- a/inventory/groups.yaml +++ b/inventory/groups.yaml @@ -2,6 +2,7 @@ plugin: constructed groups: adns: inventory_hostname.startswith('adns') afs: inventory_hostname is match('afs\d+.*openstack.org') + afs-client: inventory_hostname is match('(review-dev\d*|mirror\d*\..*|files\d*|ze\d+|afsdb.*|afs.*\..*)\.openstack\.org') afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org') afsdb: inventory_hostname is match('afsdb.*openstack.org') ask: inventory_hostname.startswith('ask') 
@@ -11,21 +12,31 @@ groups:
 eavesdrop: inventory_hostname.startswith('eavesdrop')
 elasticsearch: inventory_hostname is match('elasticsearch0[1-7]\.openstack\.org')
 ethercalc: inventory_hostname.startswith('ethercalc')
+ etherpad: inventory_hostname.startswith('etherpad')
 files: inventory_hostname.startswith('files')
 firehose: inventory_hostname.startswith('firehose')
 futureparser: inventory_hostname is match('(review-dev\d*|groups\d*|groups-dev\d*|graphite\d*|etherpad-dev\d*|ask-staging\d*|codesearch\d*)\.openstack\.org')
+ gerrit: inventory_hostname is match('review.*\.openstack\.org')
 git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
 git-server: inventory_hostname is match('git\d+\.openstack\.org')
 grafana: inventory_hostname.startswith('grafana')
- groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
+ graphite: inventory_hostname.startswith('graphite')
+ groups: inventory_hostname is match('groups(-dev)?\d*\.openstack\.org')
+ health: inventory_hostname.startswith('health')
+ kdc: inventory_hostname.startswith('kdc')
+ logstash: inventory_hostname is match('logstash\d*\.openstack\.org')
 logstash-worker: inventory_hostname.startswith('logstash-worker')
 mailman: inventory_hostname.startswith('lists')
- nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
+ mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
+ nodepool: inventory_hostname is match('(nodepool|nb|nl)')
 ns: inventory_hostname.startswith('ns')
 paste: inventory_hostname.startswith('paste')
+ pbx: inventory_hostname.startswith('pbx')
 puppet: not inventory_hostname.startswith('bridge')
+ refstack: inventory_hostname.startswith('refstack')
 review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
 review: inventory_hostname is match('review\d+\.openstack\.org')
+ static: inventory_hostname.startswith('static')
 status: inventory_hostname.startswith('status')
 storyboard: inventory_hostname.startswith('storyboard')
storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
@@ -33,8 +44,10 @@ groups:
 survey: inventory_hostname.startswith('survey')
 translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')
 translate: inventory_hostname is match('translate\d+\.openstack\.org')
+ webservers: inventory_hostname is match('(grafana\d*|health\d*|graphite\d*|groups\d*|groups-dev\d*|eavesdrop\d*|paste\d*|ethercalc\d+|etherpad\d*|etherpad-dev\d*|files\d*|refstack\d*|static\d*|status\d*|survey\d+|nodepool|nl\d+|nb\d+|zm\d+|ask|ask-staging|translate.*|codesearch\d*|cacti\d+|wiki.*|storyboard.*|openstackid-dev|planet)\.openstack\.org|openstackid.org')
 wiki-dev: inventory_hostname is match('wiki-dev\d+\.openstack\.org')
 wiki: inventory_hostname is match('wiki\d+\.openstack\.org')
+ zookeeper: inventory_hostname.startswith('zk')
 zuul-executor: inventory_hostname.startswith('ze')
 zuul-merger: inventory_hostname is match('z[lm](static)?\d+\.openstack\.org')
 zuul-scheduler: inventory_hostname.startswith('zuul')
diff --git a/manifests/site.pp b/manifests/site.pp
index d78792b1a4..8a8118d55a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -20,13 +20,7 @@ node default {
 #
 # Node-OS: xenial
 node 'review.openstack.org' {
- $iptables_rules =
- ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443, 29418],
- iptables_rules6 => $iptables_rules,
- iptables_rules4 => $iptables_rules,
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::review':
 project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
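Review bot: In the added `webservers` line the final alternative `openstackid.org` sits outside the parenthesised group and leaves its dot unescaped, so it is matched on its own rather than as part of the `\.openstack\.org` suffix, and `match` anchors only the start of the string. It will hit the intended host, but with this change group membership is what decides which ports the iptables role opens, so every pattern in this file is effectively a firewall rule and deserves the same strictness as its neighbours: `|planet)\.openstack\.org|openstackid\.org')`. A short comment above `webservers:` noting that the group is consumed by the iptables role (presumably through playbooks/group_vars/webservers.yaml, which the diffstat lists) would make that coupling visible to whoever edits the regex next.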
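Review bot: The removed `$iptables_rules` entry `-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT` capped per-source concurrent Gerrit SSH connections on review.openstack.org, and the new side keeps only the bare `class { 'openstack_project::server': }` with nothing in the hunk showing where that rule went. If playbooks/group_vars/gerrit.yaml (8 added lines in the diffstat) does not carry an equivalent through the role's rules templates, the limit is silently dropped for every host in the new `gerrit` group. The review01 and review-dev hunks (`@@ -66,13 +60,7 @@`, `@@ -112,12 +100,7 @@`) remove the same rule. A sentence in the commit message, or a comment next to the rule in gerrit.yaml, stating that the connlimit protection is preserved would save the next reader from diffing hiera against group_vars to confirm it.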
@@ -66,13 +60,7 @@ node 'review.openstack.org' {
 node 'review01.openstack.org' {
 $group = "review"
- $iptables_rules =
- ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443, 29418],
- iptables_rules6 => $iptables_rules,
- iptables_rules4 => $iptables_rules,
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::review':
 project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@@ -112,12 +100,7 @@ node 'review01.openstack.org' {
 node /^review-dev\d*\.openstack\.org$/ {
 $group = "review-dev"
- $iptables_rules =
- ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443, 29418],
- iptables_rules6 => $iptables_rules,
- iptables_rules4 => $iptables_rules,
 afs => true,
 }
@@ -148,9 +131,7 @@ node /^review-dev\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^grafana\d*\.openstack\.org$/ {
 $group = "grafana"
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [80],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::grafana':
 admin_password => hiera('grafana_admin_password'),
 admin_user => hiera('grafana_admin_user', 'username'),
@@ -166,9 +147,7 @@ node /^grafana\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^health\d*\.openstack\.org$/ {
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::openstack_health_api':
 subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
 }
@@ -187,7 +166,6 @@ node /^cacti\d+\.openstack\.org$/ {
 # Node-OS: trusty
 node 'puppetmaster.openstack.org' {
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [8140],
 pin_puppet => '3.6.',
 }
 class { 'openstack_project::puppetmaster':
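Review bot: The puppetmaster hunk (`@@ -187,7 +166,6 @@`) drops `iptables_public_tcp_ports => [8140]`, but unlike the other nodes touched in this file, puppetmaster.openstack.org falls into none of the groups added to inventory/groups.yaml and the diffstat lists no group_vars file for it. Unless port 8140 is opened from somewhere outside this change, agents will stop reaching the master once the role's default policy applies. If closing that listener is intended, the commit message should say so; otherwise the host needs a group_vars entry that sets the role's public-TCP-ports variable (name per playbooks/roles/iptables/defaults/main.yaml, not shown here) to include 8140.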
@@ -206,40 +184,7 @@ node 'puppetmaster.openstack.org' { # Node-OS: trusty # Node-OS: xenial node /^graphite\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - iptables_allowed_hosts => [ - {protocol => 'udp', port => '8125', hostname => 'git.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'mirror-update01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'nl03.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'nl04.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 
'ze06.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'}, - {protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'}, - ], - } + class { 'openstack_project::server': } class { '::graphite': graphite_admin_user => hiera('graphite_admin_user', 'username'), @@ -251,9 +196,7 @@ node /^graphite\d*\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^groups\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::groups': site_admin_password => hiera('groups_site_admin_password'), site_mysql_host => hiera('groups_site_mysql_host', 'localhost'), @@ -268,9 +211,7 @@ node /^groups\d*\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^groups-dev\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::groups_dev': site_admin_password => hiera('groups_dev_site_admin_password'), site_mysql_host => hiera('groups_dev_site_mysql_host', 'localhost'), @@ -286,9 +227,7 @@ node /^groups-dev\d*\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^lists\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [25, 80, 465], - } + class { 'openstack_project::server': } class { 'openstack_project::lists': listpassword => hiera('listpassword'), 
@@ -297,9 +236,7 @@ node /^lists\d*\.openstack\.org$/ { # Node-OS: xenial node /^lists\d*\.katacontainers\.io$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [25, 80, 465], - } + class { 'openstack_project::server': } class { 'openstack_project::kata_lists': listpassword => hiera('listpassword'), @@ -310,9 +247,7 @@ node /^lists\d*\.katacontainers\.io$/ { node /^paste\d*\.openstack\.org$/ { $group = "paste" - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } class { 'openstack_project::paste': db_password => hiera('paste_db_password'), db_host => hiera('paste_db_host'), @@ -329,9 +264,7 @@ node /planet\d*\.openstack\.org$/ { # Node-OS: xenial node /^eavesdrop\d*\.openstack\.org$/ { $group = "eavesdrop" - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } class { 'openstack_project::eavesdrop': project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', @@ -368,9 +301,7 @@ node /^eavesdrop\d*\.openstack\.org$/ { # Node-OS: xenial node /^ethercalc\d+\.openstack\.org$/ { $group = "ethercalc" - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::ethercalc': vhost_name => 'ethercalc.openstack.org', @@ -383,9 +314,7 @@ node /^ethercalc\d+\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^etherpad\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::etherpad': ssl_cert_file_contents => hiera('etherpad_ssl_cert_file_contents'), 
@@ -400,9 +329,7 @@ node /^etherpad\d*\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^etherpad-dev\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::etherpad_dev': mysql_host => hiera('etherpad-dev_db_host', 'localhost'), @@ -454,10 +381,7 @@ node /^wiki-dev\d+\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^logstash\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 3306], - iptables_allowed_hosts => hiera_array('logstash_iptables_rule_data'), - } + class { 'openstack_project::server': } class { 'openstack_project::logstash': discover_nodes => [ @@ -477,9 +401,7 @@ node /^logstash\d*\.openstack\.org$/ { node /^logstash-worker\d+\.openstack\.org$/ { $group = 'logstash-worker' - class { 'openstack_project::server': - iptables_public_tcp_ports => [22], - } + class { 'openstack_project::server': } class { 'openstack_project::logstash_worker': discover_node => 'elasticsearch03.openstack.org', @@ -492,9 +414,7 @@ node /^logstash-worker\d+\.openstack\.org$/ { # Node-OS: xenial node /^subunit-worker\d+\.openstack\.org$/ { $group = "subunit-worker" - class { 'openstack_project::server': - iptables_public_tcp_ports => [22], - } + class { 'openstack_project::server': } class { 'openstack_project::subunit_worker': subunit2sql_db_host => hiera('subunit2sql_db_host', ''), subunit2sql_db_pass => hiera('subunit2sql_db_password', ''), @@ -506,10 +426,7 @@ node /^subunit-worker\d+\.openstack\.org$/ { # Node-OS: xenial node /^elasticsearch0[1-7]\.openstack\.org$/ { $group = "elasticsearch" - class { 'openstack_project::server': - iptables_public_tcp_ports => [22], - iptables_allowed_hosts => hiera_array('elasticsearch_iptables_rule_data'), - } + class { 'openstack_project::server': } class { 'openstack_project::elasticsearch_node': discover_nodes => $elasticsearch_nodes, } 
@@ -517,12 +434,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
- class { 'openstack_project::server':
- # NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
- # connections seem to crash mosquitto. Once this is fixed we should add
- # them back
- iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::firehose':
 gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
 gerrit_public_key => hiera('germqtt_gerrit_ssh_public_key'),
@@ -572,9 +484,7 @@ node /^git(-fe\d+)?\.openstack\.org$/ {
 node /^git\d+\.openstack\.org$/ {
 $group = "git-server"
 include openstack_project
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [4443, 8080, 29418],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::git_backend':
 project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
@@ -621,7 +531,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
 $group = "mirror"
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
 afs => true,
 afs_cache_size => 50000000, # 50GB
 }
@@ -637,7 +546,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
 node /^files\d*\.openstack\.org$/ {
 $group = "files"
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443],
 afs => true,
 afs_cache_size => 10000000, # 10GB
 }
@@ -666,9 +574,7 @@ node /^files\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^refstack\d*\.openstack\.org$/ {
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 443],
- }
+ class { 'openstack_project::server': }
 class { 'refstack':
 mysql_host => hiera('refstack_mysql_host', 'localhost'),
 mysql_database => hiera('refstack_mysql_db_name', 'refstack'),
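Review bot: The firehose hunk (`@@ -517,12 +434,7 @@`) deletes the `NOTE(mtreinish)` comment explaining why 80 and 8080 are meant to stay out of the public port list (websocket connections crashing mosquitto) together with the list itself; the ports presumably move to playbooks/group_vars/firehose.yaml, but nothing in the diff shows the rationale moving with them. A comment beside the new port list, e.g. `# NOTE(mtreinish): 80 and 8080 stay closed until websocket connections stop crashing mosquitto`, keeps the reason attached to the rule so it is not re-opened by accident. The pbx hunk (`@@ -1323,12 +1153,7 @@`) loses its SIP/RTP port-range explanation in the same way and would benefit from the same treatment in playbooks/group_vars/pbx.yaml.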
@@ -750,9 +656,7 @@ node /^storyboard-dev\d*\.openstack\.org$/ { # Node-OS: trusty # Node-OS: xenial node /^static\d*\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::static': project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/', @@ -769,27 +673,7 @@ node /^static\d*\.openstack\.org$/ { # Node-OS: xenial node /^zk\d+\.openstack\.org$/ { - class { 'openstack_project::server': - iptables_allowed_hosts => [ - # Zookeeper clients - {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'}, - # Zookeeper election - {protocol => 'tcp', port => '2888', hostname => 'zk01.openstack.org'}, - {protocol => 'tcp', port => '2888', hostname => 'zk02.openstack.org'}, - {protocol => 'tcp', port => '2888', hostname => 'zk03.openstack.org'}, - # Zookeeper leader - {protocol => 'tcp', port => '3888', hostname => 'zk01.openstack.org'}, - {protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'}, - {protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'}, - ], - } + class { 'openstack_project::server': } class { '::zookeeper': # ID needs to be numeric, so we use regex to extra numbers from fqdn. 
@@ -810,9 +694,7 @@ node /^zk\d+\.openstack\.org$/ {
 node /^status\d*\.openstack\.org$/ {
 $group = 'status'
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [22, 80, 443],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::status':
 gerrit_host => 'review.openstack.org',
@@ -829,9 +711,7 @@ node /^status\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^survey\d+\.openstack\.org$/ {
 $group = "survey"
- class { 'openstack_project::server':
- iptables_public_tcp_ports => [22, 80, 443],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::survey':
 vhost_name => 'survey.openstack.org',
@@ -853,12 +733,7 @@ node /^survey\d+\.openstack\.org$/ {
 node /^adns\d+\.openstack\.org$/ {
 $group = 'adns'
- class { 'openstack_project::server':
- iptables_allowed_hosts => [
- {protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
- {protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
- ],
- }
+ class { 'openstack_project::server': }
 class { 'openstack_project::master_nameserver':
 tsig_key => hiera('tsig_key', {}),
@@ -872,10 +747,7 @@ node /^adns\d+\.openstack\.org$/ {
 node /^ns\d+\.openstack\.org$/ {
 $group = 'ns'
- class { 'openstack_project::server':
- iptables_public_udp_ports => [53],
- iptables_public_tcp_ports => [53],
- }
+ class { 'openstack_project::server': }
 $tsig_key = hiera('tsig_key', {})
 if $tsig_key != {} {
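Review bot: The adns hunk (`@@ -853,12 +733,7 @@`) removes the `iptables_allowed_hosts` entries that let ns1 and ns2 reach tcp/53 on the hidden master, yet the diffstat lists no playbooks/group_vars/adns.yaml and the `adns` group in inventory/groups.yaml is untouched; playbooks/group_vars/ns.yaml covers the secondaries, not the master. Unless those host-scoped allowances are supplied somewhere outside this diff (all.yaml, for instance), zone transfers from adns to the public nameservers will be blocked once the role's default policy lands. Either add the two tcp/53 rules for the adns group in the role's allowed-hosts form, or state in the commit message where they now live.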
@@ -905,19 +777,7 @@ node /^ns\d+\.openstack\.org$/ { node 'nodepool.openstack.org' { $group = 'nodepool' - class { 'openstack_project::server': - iptables_allowed_hosts => [ - {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'}, - {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'}, - ], - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } class { '::zookeeper': # The frequency in hours to look for and purge old snapshots, @@ -968,9 +828,7 @@ node /^nl\d+\.openstack\.org$/ { $packethost_project = hiera('nodepool_packethost_project', 'project') $clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb") - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } include openstack_project @@ -1030,9 +888,7 @@ node /^nb\d+\.openstack\.org$/ { $packethost_project = hiera('nodepool_packethost_project', 'project') $clouds_yaml = template("openstack_project/nodepool/clouds.yaml.erb") - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } include openstack_project @@ -1085,7 +941,6 @@ node /^ze\d+\.openstack\.org$/ { $revision = 'master' class { 'openstack_project::server': - iptables_public_tcp_ports => [79, 7900], afs => true, } 
@@ -1177,30 +1032,7 @@ node /^zuul\d+\.openstack\.org$/ { $git_name = 'OpenStack Zuul' $revision = 'master' - class { 'openstack_project::server': - iptables_public_tcp_ports => [79, 80, 443], - iptables_allowed_hosts => [ - {protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'ze11.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'}, - {protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'}, - ], - } + class { 'openstack_project::server': } class { '::project_config': url => 'https://git.openstack.org/openstack-infra/project-config', 
@@ -1288,9 +1120,7 @@ node /^zm\d+.openstack\.org$/ { $git_name = 'OpenStack Zuul' $revision = 'master' - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } # NOTE(pabelanger): We call ::zuul directly, so we can override all in one # settings. @@ -1323,12 +1153,7 @@ node /^zm\d+.openstack\.org$/ { # Node-OS: trusty node 'pbx.openstack.org' { - class { 'openstack_project::server': - # SIP signaling is either TCP or UDP port 5060. - # RTP media (audio/video) uses a range of UDP ports. - iptables_public_tcp_ports => [5060], - iptables_public_udp_ports => ['5060', '10000:20000'], - } + class { 'openstack_project::server': } class { 'openstack_project::pbx': sip_providers => [ { @@ -1346,9 +1171,7 @@ node 'pbx.openstack.org' { # A backup machine. Don't run cron or puppet agent on it. node /^backup\d+\..*\.ci\.openstack\.org$/ { $group = "ci-backup" - class { 'openstack_project::server': - iptables_public_tcp_ports => [], - } + class { 'openstack_project::server': } include openstack_project::backup_server } @@ -1417,20 +1240,14 @@ node 'single-node-ci.test.only' { # Node-OS: trusty node 'kdc01.openstack.org' { - class { 'openstack_project::server': - iptables_public_tcp_ports => [88, 464, 749, 754], - iptables_public_udp_ports => [88, 464, 749], - } + class { 'openstack_project::server': } class { 'openstack_project::kdc': } } # Node-OS: xenial node 'kdc04.openstack.org' { - class { 'openstack_project::server': - iptables_public_tcp_ports => [88, 464, 749, 754], - iptables_public_udp_ports => [88, 464, 749], - } + class { 'openstack_project::server': } class { 'openstack_project::kdc': slave => true, @@ -1442,7 +1259,6 @@ node 'afsdb01.openstack.org' { $group = "afsdb" class { 'openstack_project::server': - iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], afs => true, } 
@@ -1455,7 +1271,6 @@ node /^afsdb.*\.openstack\.org$/ { $group = "afsdb" class { 'openstack_project::server': - iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], afs => true, } @@ -1467,7 +1282,6 @@ node /^afs.*\..*\.openstack\.org$/ { $group = "afs" class { 'openstack_project::server': - iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007], afs => true, } @@ -1477,9 +1291,7 @@ node /^afs.*\..*\.openstack\.org$/ { # Node-OS: trusty node 'ask.openstack.org' { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::ask': db_user => hiera('ask_db_user', 'ask'), @@ -1493,9 +1305,7 @@ node 'ask.openstack.org' { # Node-OS: trusty node 'ask-staging.openstack.org' { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::ask_staging': db_password => hiera('ask_staging_db_password'), @@ -1507,9 +1317,7 @@ node 'ask-staging.openstack.org' { # Node-OS: xenial node /^translate\d+\.openstack\.org$/ { $group = "translate" - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { 'openstack_project::translate': admin_users => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk', openid_url => 'https://openstackid.org', @@ -1555,9 +1363,7 @@ node /^translate-dev\d*\.openstack\.org$/ { # Node-OS: xenial node /^codesearch\d*\.openstack\.org$/ { $group = "codesearch" - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } class { 'openstack_project::codesearch': project_config_repo => 'https://git.openstack.org/openstack-infra/project-config', } diff --git a/modules/openstack_project/manifests/cacti.pp b/modules/openstack_project/manifests/cacti.pp index 336e454ca5..06a8da528b 100644 
--- a/modules/openstack_project/manifests/cacti.pp +++ b/modules/openstack_project/manifests/cacti.pp @@ -8,9 +8,7 @@ class openstack_project::cacti ( fail("${::osfamily} is not supported.") } - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { '::apache': default_vhost => false, diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp index cd5ff5e4a4..1be7200e52 100644 --- a/modules/openstack_project/manifests/git.pp +++ b/modules/openstack_project/manifests/git.pp @@ -20,9 +20,7 @@ class openstack_project::git ( $balancer_member_ips = [], $selinux_mode = 'enforcing' ) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 9418], - } + class { 'openstack_project::server': } if ($::osfamily == 'RedHat') { class { 'selinux': diff --git a/modules/openstack_project/manifests/openstackid_dev.pp b/modules/openstack_project/manifests/openstackid_dev.pp index 5ecaffc563..69333a5d07 100644 --- a/modules/openstack_project/manifests/openstackid_dev.pp +++ b/modules/openstack_project/manifests/openstackid_dev.pp @@ -61,9 +61,7 @@ class openstack_project::openstackid_dev ( $session_cookie_secure = false, ) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { 'openstackid': site_admin_password => $site_admin_password, diff --git a/modules/openstack_project/manifests/openstackid_prod.pp b/modules/openstack_project/manifests/openstackid_prod.pp index 6734ccd374..1a5a68deb5 100644 --- a/modules/openstack_project/manifests/openstackid_prod.pp +++ b/modules/openstack_project/manifests/openstackid_prod.pp 
@@ -62,9 +62,7 @@ class openstack_project::openstackid_prod ( $session_cookie_secure = false, ) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { 'openstackid': site_admin_password => $site_admin_password, diff --git a/modules/openstack_project/manifests/planet.pp b/modules/openstack_project/manifests/planet.pp index 65e1c5ee7b..82124b9641 100644 --- a/modules/openstack_project/manifests/planet.pp +++ b/modules/openstack_project/manifests/planet.pp @@ -2,9 +2,7 @@ # class openstack_project::planet ( ) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80], - } + class { 'openstack_project::server': } include ::planet planet::site { 'openstack': diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index 6d8f357a28..c5d001ceb3 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp @@ -2,11 +2,6 @@ # # A server that we expect to run for some time class openstack_project::server ( - $iptables_public_tcp_ports = [], - $iptables_public_udp_ports = [], - $iptables_rules4 = [], - $iptables_rules6 = [], - $iptables_allowed_hosts = [], $pin_puppet = '3.', $ca_server = undef, $enable_unbound = true, @@ -49,10 +44,6 @@ class openstack_project::server ( 'kdc04.openstack.org', ], } - $all_udp = concat( - $iptables_public_udp_ports, [7001]) - } else { - $all_udp = $iptables_public_udp_ports } class { 'openstack_project::automatic_upgrades': 
@@ -61,20 +52,4 @@ class openstack_project::server ( include snmpd - $snmp_v4hosts = [ - '172.99.116.215', # cacti02.openstack.org - ] - $snmp_v6hosts = [ - '2001:4800:7821:105:be76:4eff:fe04:b9a5', # cacti02.opentsack.org - ] - class { 'iptables': - public_tcp_ports => $iptables_public_tcp_ports, - public_udp_ports => $all_udp, - rules4 => $iptables_rules4, - rules6 => $iptables_rules6, - snmp_v4hosts => $snmp_v4hosts, - snmp_v6hosts => $snmp_v6hosts, - allowed_hosts => $iptables_allowed_hosts, - } - } diff --git a/modules/openstack_project/manifests/storyboard.pp b/modules/openstack_project/manifests/storyboard.pp index 2a33cf55a9..7a40c0f211 100644 --- a/modules/openstack_project/manifests/storyboard.pp +++ b/modules/openstack_project/manifests/storyboard.pp @@ -26,9 +26,7 @@ class openstack_project::storyboard( url => $project_config_repo, } - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } mysql_backup::backup_remote { 'storyboard': diff --git a/modules/openstack_project/manifests/summit.pp b/modules/openstack_project/manifests/summit.pp deleted file mode 100644 index 97b0393186..0000000000 --- a/modules/openstack_project/manifests/summit.pp +++ /dev/null @@ -1,8 +0,0 @@ -class openstack_project::summit ( -) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [22, 80], - } -} - -# vim:sw=2:ts=2:expandtab:textwidth=79 diff --git a/modules/openstack_project/manifests/translate_dev.pp b/modules/openstack_project/manifests/translate_dev.pp index d2adf98f3d..10ebbef22d 100644 --- a/modules/openstack_project/manifests/translate_dev.pp +++ b/modules/openstack_project/manifests/translate_dev.pp @@ -35,9 +35,7 @@ class openstack_project::translate_dev( $from_address, ) { - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { 'project_config': url => $project_config_repo, 
diff --git a/modules/openstack_project/manifests/wiki.pp b/modules/openstack_project/manifests/wiki.pp index 702b985faa..af54e36a58 100644 --- a/modules/openstack_project/manifests/wiki.pp +++ b/modules/openstack_project/manifests/wiki.pp @@ -23,9 +23,7 @@ class openstack_project::wiki ( ensure => present; } - class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443], - } + class { 'openstack_project::server': } class { 'mediawiki': role => 'all', diff --git a/modules/openstack_project/spec/acceptance/basic_spec.rb b/modules/openstack_project/spec/acceptance/basic_spec.rb index babb3c8be3..291e871255 100755 --- a/modules/openstack_project/spec/acceptance/basic_spec.rb +++ b/modules/openstack_project/spec/acceptance/basic_spec.rb @@ -79,14 +79,4 @@ describe 'openstack_project::server' do end end - describe command('iptables -S') do - its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') } - its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') } - its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') } - its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') } - its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') } - its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') } - its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') } - end - end diff --git a/modules/openstack_project/spec/acceptance/fixtures/default.pp b/modules/openstack_project/spec/acceptance/fixtures/default.pp index bdf3f04206..7eec7a7104 100644 
--- a/modules/openstack_project/spec/acceptance/fixtures/default.pp +++ b/modules/openstack_project/spec/acceptance/fixtures/default.pp @@ -1,12 +1,8 @@ -$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT'] $manage_afs = $::operatingsystem ? { 'CentOS' => false, default => true } class { 'openstack_project::server': - iptables_public_tcp_ports => [80, 443, 29418], - iptables_rules6 => $iptables_rules, - iptables_rules4 => $iptables_rules, afs => $manage_afs, } diff --git a/playbooks/base.yaml b/playbooks/base.yaml index 27a9176bd6..9b18ee9954 100644 --- a/playbooks/base.yaml +++ b/playbooks/base.yaml @@ -16,3 +16,4 @@ - hosts: "!ci-backup:!disabled" roles: - exim + - iptables diff --git a/playbooks/filter_plugins/__init__.py b/playbooks/filter_plugins/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/playbooks/filter_plugins/getaddrinfo.py b/playbooks/filter_plugins/getaddrinfo.py new file mode 100644 index 0000000000..ae98bab2ae --- /dev/null +++ b/playbooks/filter_plugins/getaddrinfo.py 
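Review bot: Adding the role only to the `!ci-backup:!disabled` play leaves the backup hosts without any managed host firewall, because the same commit drops `class { 'iptables': ... }` from `openstack_project::server` and the backup node's `iptables_public_tcp_ports => []` (which previously yielded an SSH-only rule set). Unless a play outside this diff covers `ci-backup`, those hosts now fall back to whatever the kernel default policy is. If excluding them was only meant for exim, add a separate `- hosts: ci-backup` play with `roles: [iptables]` (defaults give SSH-only), or state in a comment that backup hosts are intentionally unfirewalled.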
@@ -0,0 +1,41 @@
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import socket
+
+
+class FilterModule(object):
+
+    def dns(self, value, family):
+        ret = set()
+        try:
+            addr_info = socket.getaddrinfo(value, None, family)
+        except socket.gaierror:
+            return ret
+        for addr in addr_info:
+            ret.add(addr[4][0])
+        return sorted(ret)
+
+    def dns_a(self, value):
+        return self.dns(value, socket.AF_INET)
+
+    def dns_aaaa(self, value):
+        return self.dns(value, socket.AF_INET6)
+
+    def filters(self):
+        return {
+            'dns_a': self.dns_a,
+            'dns_aaaa': self.dns_aaaa,
+        }
diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml
new file mode 100644
index 0000000000..83f47e6b62
--- /dev/null
+++ b/playbooks/group_vars/afs.yaml
@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/afsdb.yaml b/playbooks/group_vars/afsdb.yaml
new file mode 100644
index 0000000000..83f47e6b62
--- /dev/null
+++ b/playbooks/group_vars/afsdb.yaml
@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/all.yaml b/playbooks/group_vars/all.yaml
index 30982ea09a..a66b58e0ad 100644
--- a/playbooks/group_vars/all.yaml
+++ b/playbooks/group_vars/all.yaml
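Review bot: `dns()` swallows `socket.gaierror` and returns an empty set, so a transient resolver failure on the Ansible control node silently drops every rule for that host from the rendered rules file, and the chain's final REJECT then locks the peer out with no error in the play. A firewall allow-list should fail loudly instead: `except socket.gaierror as e:` / `    raise AnsibleFilterError('cannot resolve %s: %s' % (value, e))` with `from ansible.errors import AnsibleFilterError` at the top. The error path also returns a `set` while the success path returns a sorted `list`; if you keep the lenient behaviour, return `[]` so callers see one type. A docstring should state that resolution happens where the template is rendered (the control node's resolver), not on the target host, since that is what the allow-list trusts.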
@@ -12,6 +12,11 @@ exim_base_aliases: root: "{{ exim_sysadmins }}" exim_aliases: "{{ exim_base_aliases|combine(exim_extra_aliases) }}" +iptables_base_allowed_hosts: + - {'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'} +iptables_extra_allowed_hosts: [] +iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}" + # When adding new users, always pick a UID larger than the last UID, do not # fill in holes in the middle of the range. all_users: @@ -161,3 +166,10 @@ disabled_users: - elizabeth - nibz - slukjanov + +iptables_snmp_v4_hosts: + # cacti02.openstack.org + - 172.99.116.215 +iptables_snmp_v6_hosts: + # cacti02.openstack.org + - 2001:4800:7821:105:be76:4eff:fe04:b9a5 diff --git a/playbooks/group_vars/eavesdrop.yaml b/playbooks/group_vars/eavesdrop.yaml new file mode 100644 index 0000000000..afaf3290b0 --- /dev/null +++ b/playbooks/group_vars/eavesdrop.yaml @@ -0,0 +1,2 @@ +iptables_public_tcp_ports: + - 80 diff --git a/playbooks/group_vars/elasticsearch.yaml b/playbooks/group_vars/elasticsearch.yaml new file mode 100644 index 0000000000..6a47b30327 --- /dev/null +++ b/playbooks/group_vars/elasticsearch.yaml 
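Review bot: `iptables_snmp_v4_hosts` and `iptables_snmp_v6_hosts` are added here, but nothing in the visible role (defaults, tasks, rules.v4.j2) reads them; they appear to be carried over from the Puppet `snmp_v4hosts`/`snmp_v6hosts` parameters that this commit removes. The SNMP allowance is instead expressed once more as `{'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'}` in `iptables_base_allowed_hosts`, which resolves by name, while the literal addresses are commented as `cacti02.openstack.org`. Either drop the unused lists or make the template consume them, and confirm `cacti.openstack.org` resolves to the cacti02 addresses so SNMP is not opened to a different host than intended. Two descriptions of the same access will drift.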
@@ -0,0 +1,82 @@ +iptables_rule_data: + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch02.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch03.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch04.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch05.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch06.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: elasticsearch07.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker01.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker02.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker03.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker04.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker05.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker06.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker07.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker08.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker09.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker10.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker11.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker12.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker13.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker14.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker15.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker16.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker17.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: 
logstash-worker18.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker19.openstack.org + - protocol: tcp + port: 9200:9400 + hostname: logstash-worker20.openstack.org diff --git a/playbooks/group_vars/firehose.yaml b/playbooks/group_vars/firehose.yaml index eff02f1243..a4cb95ce0f 100644 --- a/playbooks/group_vars/firehose.yaml +++ b/playbooks/group_vars/firehose.yaml @@ -17,3 +17,9 @@ exim_transports: socket = /var/run/cyrus/socket/lmtp user = cyrus batch_max = 35 +iptables_public_tcp_ports: + - 25 + - 80 + - 443 + - 1883 + - 8883 diff --git a/playbooks/group_vars/gerrit.yaml b/playbooks/group_vars/gerrit.yaml new file mode 100644 index 0000000000..124327e5ae --- /dev/null +++ b/playbooks/group_vars/gerrit.yaml @@ -0,0 +1,8 @@ +exim_extra_aliases: + gerrit2: root +iptables_rules: + - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT +iptables_public_tcp_ports: + - 80 + - 443 + - 29418 diff --git a/playbooks/group_vars/git-loadbalancer.yaml b/playbooks/group_vars/git-loadbalancer.yaml new file mode 100644 index 0000000000..8edb0426ae --- /dev/null +++ b/playbooks/group_vars/git-loadbalancer.yaml @@ -0,0 +1,4 @@ +iptables_public_tcp_ports: + - 80 + - 443 + - 9418 diff --git a/playbooks/group_vars/git-server.yaml b/playbooks/group_vars/git-server.yaml index 384145b39b..775ba85f5e 100644 --- a/playbooks/group_vars/git-server.yaml +++ b/playbooks/group_vars/git-server.yaml @@ -1 +1,5 @@ ansible_python_interpreter: python2 +iptables_public_tcp_ports: + - 4443 + - 8080 + - 29418 diff --git a/playbooks/group_vars/graphite.yaml b/playbooks/group_vars/graphite.yaml new file mode 100644 index 0000000000..e8a5c57513 --- /dev/null +++ b/playbooks/group_vars/graphite.yaml 
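Review bot: `iptables_rule_data` is not a variable the role reads — defaults/main.yaml and the template only know `iptables_allowed_hosts`, which all.yaml composes from `iptables_base_allowed_hosts` plus `iptables_extra_allowed_hosts`. Unless something outside this diff maps the name, none of these `9200:9400` allowances is rendered and the chain's closing `REJECT` will block traffic between the elasticsearch and logstash nodes. Renaming the key to `iptables_extra_allowed_hosts:` (as nodepool.yaml and zuul-scheduler.yaml do) is the one-line fix. The enclosing list starts in the previous physical line.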
@@ -0,0 +1,88 @@ +iptables_extra_allowed_hosts: + - hostname: git.openstack.org + port: 8125 + protocol: udp + - hostname: firehose01.openstack.org + port: 8125 + protocol: udp + - hostname: mirror-update01.openstack.org + port: 8125 + protocol: udp + - hostname: logstash.openstack.org + port: 8125 + protocol: udp + - hostname: nodepool.openstack.org + port: 8125 + protocol: udp + - hostname: nl01.openstack.org + port: 8125 + protocol: udp + - hostname: nl02.openstack.org + port: 8125 + protocol: udp + - hostname: nl03.openstack.org + port: 8125 + protocol: udp + - hostname: nl04.openstack.org + port: 8125 + protocol: udp + - hostname: zuul01.openstack.org + port: 8125 + protocol: udp + - hostname: zm01.openstack.org + port: 8125 + protocol: udp + - hostname: zm02.openstack.org + port: 8125 + protocol: udp + - hostname: zm03.openstack.org + port: 8125 + protocol: udp + - hostname: zm04.openstack.org + port: 8125 + protocol: udp + - hostname: zm05.openstack.org + port: 8125 + protocol: udp + - hostname: zm06.openstack.org + port: 8125 + protocol: udp + - hostname: zm07.openstack.org + port: 8125 + protocol: udp + - hostname: zm08.openstack.org + port: 8125 + protocol: udp + - hostname: ze01.openstack.org + port: 8125 + protocol: udp + - hostname: ze02.openstack.org + port: 8125 + protocol: udp + - hostname: ze03.openstack.org + port: 8125 + protocol: udp + - hostname: ze04.openstack.org + port: 8125 + protocol: udp + - hostname: ze05.openstack.org + port: 8125 + protocol: udp + - hostname: ze06.openstack.org + port: 8125 + protocol: udp + - hostname: ze07.openstack.org + port: 8125 + protocol: udp + - hostname: ze08.openstack.org + port: 8125 + protocol: udp + - hostname: ze09.openstack.org + port: 8125 + protocol: udp + - hostname: ze10.openstack.org + port: 8125 + protocol: udp + - hostname: ze11.openstack.org + port: 8125 + protocol: udp diff --git a/playbooks/group_vars/kdc.yaml b/playbooks/group_vars/kdc.yaml new file mode 100644 index 0000000000..d9245cb1d8 
--- /dev/null
+++ b/playbooks/group_vars/kdc.yaml
@@ -0,0 +1,9 @@
+iptables_public_tcp_ports:
+  - 88
+  - 464
+  - 749
+  - 754
+iptables_public_udp_ports:
+  - 88
+  - 464
+  - 749
diff --git a/playbooks/group_vars/logstash.yaml b/playbooks/group_vars/logstash.yaml
new file mode 100644
index 0000000000..2df70e1472
--- /dev/null
+++ b/playbooks/group_vars/logstash.yaml
@@ -0,0 +1,103 @@ +iptables_public_tcp_ports: + - 80 + - 3306 +iptables_rule_data: + - protocol: tcp + port: '4730' + hostname: logstash-worker01.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker02.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker03.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker04.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker05.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker06.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker07.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker08.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker09.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker10.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker11.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker12.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker13.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker14.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker15.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker16.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker17.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker18.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker19.openstack.org + - protocol: tcp + port: '4730' + hostname: logstash-worker20.openstack.org + - protocol: tcp + port: '4730' + hostname: subunit-worker01.openstack.org + - protocol: tcp + port: '4730' + hostname: subunit-worker02.openstack.org + - protocol: tcp + port: '4730' + hostname: ze01.openstack.org + - protocol: tcp + port: '4730' + hostname: ze02.openstack.org + - protocol: tcp + port: '4730' + hostname: ze03.openstack.org + - protocol: tcp + port: '4730' 
+ hostname: ze04.openstack.org + - protocol: tcp + port: '4730' + hostname: ze05.openstack.org + - protocol: tcp + port: '4730' + hostname: ze06.openstack.org + - protocol: tcp + port: '4730' + hostname: ze07.openstack.org + - protocol: tcp + port: '4730' + hostname: ze08.openstack.org + - protocol: tcp + port: '4730' + hostname: ze09.openstack.org + - protocol: tcp + port: '4730' + hostname: ze10.openstack.org + - protocol: tcp + port: '4730' + hostname: ze11.openstack.org diff --git a/playbooks/group_vars/mailman.yaml b/playbooks/group_vars/mailman.yaml index eb4ad8a64b..127111ce1b 100644 --- a/playbooks/group_vars/mailman.yaml +++ b/playbooks/group_vars/mailman.yaml @@ -2,3 +2,7 @@ exim_queue_interval: '1m' exim_queue_run_max: '50' exim_smtp_accept_max: '100' exim_smtp_accept_max_per_host: '10' +iptables_public_tcp_ports: + - 25 + - 80 + - 465 diff --git a/playbooks/group_vars/mirror.yaml b/playbooks/group_vars/mirror.yaml new file mode 100644 index 0000000000..3e696348c4 --- /dev/null +++ b/playbooks/group_vars/mirror.yaml @@ -0,0 +1,5 @@ +iptables_public_tcp_ports: + - 80 + - 8080 + - 8081 + - 8082 diff --git a/playbooks/group_vars/nodepool.yaml b/playbooks/group_vars/nodepool.yaml new file mode 100644 index 0000000000..ebb2b91c07 --- /dev/null +++ b/playbooks/group_vars/nodepool.yaml @@ -0,0 +1,26 @@ +iptables_extra_allowed_hosts: + - protocol: tcp + port: 2181 + hostname: nb01.openstack.org + - protocol: tcp + port: 2181 + hostname: nb02.openstack.org + - protocol: tcp + port: 2181 + hostname: nb03.openstack.org + - protocol: tcp + port: 2181 + hostname: nl01.openstack.org + - protocol: tcp + port: 2181 + hostname: nl02.openstack.org + - protocol: tcp + port: 2181 + hostname: nl03.openstack.org + - protocol: tcp + port: 2181 + hostname: nl04.openstack.org + - protocol: tcp + port: 2181 + hostname: zuul01.openstack.org + diff --git a/playbooks/group_vars/ns.yaml b/playbooks/group_vars/ns.yaml new file mode 100644 index 0000000000..2dc09d9b08 --- /dev/null 
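Review bot: `iptables_public_tcp_ports` for the logstash group opens 3306 (MySQL) to every source address, which is a much wider exposure than the per-host allowances used for 4730 in the same file. If the database is only read by the workers or a reporting host, express it as `iptables_extra_allowed_hosts` entries with `port: 3306` instead, or add a comment explaining why public access is required; I cannot see the previous hiera value, so this may be pre-existing. Separately, the `iptables_rule_data` key is not consumed by the role's defaults or template, so the 4730 allowances for the workers and executors will not be rendered unless the key is renamed to `iptables_extra_allowed_hosts`. The list begins in the previous physical line.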
+++ b/playbooks/group_vars/ns.yaml
@@ -0,0 +1,2 @@
+iptables_public_ports:
+  - 53
diff --git a/playbooks/group_vars/pbx.yaml b/playbooks/group_vars/pbx.yaml
new file mode 100644
index 0000000000..827e00a387
--- /dev/null
+++ b/playbooks/group_vars/pbx.yaml
@@ -0,0 +1,7 @@
+# SIP signaling is either TCP or UDP port 5060.
+# RTP media (audio/video) uses a range of UDP ports.
+iptables_public_tcp_ports:
+  - 5060
+iptables_public_udp_ports:
+  - 5060
+  - 10000:20000
diff --git a/playbooks/group_vars/review-dev.yaml b/playbooks/group_vars/review-dev.yaml
deleted file mode 100644
index d08451605a..0000000000
--- a/playbooks/group_vars/review-dev.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root
diff --git a/playbooks/group_vars/review.yaml b/playbooks/group_vars/review.yaml
deleted file mode 100644
index d08451605a..0000000000
--- a/playbooks/group_vars/review.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root
diff --git a/playbooks/group_vars/webservers.yaml b/playbooks/group_vars/webservers.yaml
new file mode 100644
index 0000000000..418fca0b98
--- /dev/null
+++ b/playbooks/group_vars/webservers.yaml
@@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 22
+  - 80
+  - 443
diff --git a/playbooks/group_vars/zookeeper.yaml b/playbooks/group_vars/zookeeper.yaml
new file mode 100644
index 0000000000..2b464fcadc
--- /dev/null
+++ b/playbooks/group_vars/zookeeper.yaml
@@ -0,0 +1,17 @@
+iptables_extra_allowed_hosts:
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl04.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'zuul01.openstack.org'}
+  # Zookeeper election
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk03.openstack.org'}
+  # Zookeeper leader
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk03.openstack.org'}
diff --git a/playbooks/group_vars/zuul-executor.yaml b/playbooks/group_vars/zuul-executor.yaml
new file mode 100644
index 0000000000..999385d702
--- /dev/null
+++ b/playbooks/group_vars/zuul-executor.yaml
@@ -0,0 +1,3 @@
+iptables_public_tcp_ports:
+  - 79
+  - 7900
diff --git a/playbooks/group_vars/zuul-scheduler.yaml b/playbooks/group_vars/zuul-scheduler.yaml
new file mode 100644
index 0000000000..b78de230c2
--- /dev/null
+++ b/playbooks/group_vars/zuul-scheduler.yaml
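Review bot: zuul-executor.yaml opens only TCP 79 and 7900, but the `ze` nodes keep `afs => true` in site.pp and the code this commit removes from `openstack_project::server` appended UDP 7001 to the public UDP ports in what looks like the `afs` branch (`$all_udp = concat($iptables_public_udp_ports, [7001])`). The afs and afsdb groups carry 7001 explicitly in their new group_vars, so the executors appear to be the group that silently loses it. Add `iptables_public_udp_ports: [7001]` here, and check any other group whose node declares `afs => true` for the same omission.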
@@ -0,0 +1,63 @@ +iptables_public_tcp_ports: + - 79 + - 80 + - 443 +iptables_extra_allowed_hosts: + - protocol: tcp + port: 4730 + hostname: ze01.openstack.org + - protocol: tcp + port: 4730 + hostname: ze02.openstack.org + - protocol: tcp + port: 4730 + hostname: ze03.openstack.org + - protocol: tcp + port: 4730 + hostname: ze04.openstack.org + - protocol: tcp + port: 4730 + hostname: ze05.openstack.org + - protocol: tcp + port: 4730 + hostname: ze06.openstack.org + - protocol: tcp + port: 4730 + hostname: ze07.openstack.org + - protocol: tcp + port: 4730 + hostname: ze08.openstack.org + - protocol: tcp + port: 4730 + hostname: ze09.openstack.org + - protocol: tcp + port: 4730 + hostname: ze10.openstack.org + - protocol: tcp + port: 4730 + hostname: ze11.openstack.org + - protocol: tcp + port: 4730 + hostname: zm01.openstack.org + - protocol: tcp + port: 4730 + hostname: zm02.openstack.org + - protocol: tcp + port: 4730 + hostname: zm03.openstack.org + - protocol: tcp + port: 4730 + hostname: zm04.openstack.org + - protocol: tcp + port: 4730 + hostname: zm05.openstack.org + - protocol: tcp + port: 4730 + hostname: zm06.openstack.org + - protocol: tcp + port: 4730 + hostname: zm07.openstack.org + - protocol: tcp + port: 4730 + hostname: zm08.openstack.org + diff --git a/playbooks/roles/iptables/README.rst b/playbooks/roles/iptables/README.rst new file mode 100644 index 0000000000..71c30da5cf --- /dev/null +++ b/playbooks/roles/iptables/README.rst 
@@ -0,0 +1,44 @@ +Install and configure iptables + +**Role Variables** + +.. zuul:rolevar:: iptables_allowed_hosts + :default: [] + + A list of dictionaries, each item in the list is a rule to add for + a host/port combination. The format of the dictionary is: + + .. zuul:rolevar:: hostname + + The hostname to allow. It will automatically be resolved, and + all IP addresses will be added to the firewall. + + .. zuul:rolevar:: protocol + + One of "tcp" or "udp". + + .. zuul:rolevar:: port + + The port number. + +.. zuul:rolevar:: iptables_public_tcp_ports + :default: [] + + A list of public TCP ports to open. + +.. zuul:rolevar:: iptables_public_udp_ports + :default: [] + + A list of public UDP ports to open. + +.. zuul:rolevar:: iptables_rules_v4 + :default: [] + + A list of iptables v4 rules. Each item is a string containing the + iptables command line options for the rule. + +.. zuul:rolevar:: iptables_rules_v6 + :default: [] + + A list of iptables v6 rules. Each item is a string containing the + iptables command line options for the rule. diff --git a/playbooks/roles/iptables/defaults/main.yaml b/playbooks/roles/iptables/defaults/main.yaml new file mode 100644 index 0000000000..8752607609 --- /dev/null +++ b/playbooks/roles/iptables/defaults/main.yaml @@ -0,0 +1,7 @@ +iptables_allowed_hosts: [] +iptables_public_ports: [] +iptables_public_tcp_ports: '{{ iptables_public_ports }}' +iptables_public_udp_ports: '{{ iptables_public_ports }}' +iptables_rules: [] +iptables_rules_v4: '{{ iptables_rules }}' +iptables_rules_v6: '{{ iptables_rules }}' diff --git a/playbooks/roles/iptables/handlers/main.yaml b/playbooks/roles/iptables/handlers/main.yaml new file mode 100644 index 0000000000..1d54c922c6 --- /dev/null +++ b/playbooks/roles/iptables/handlers/main.yaml 
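Review bot: The README omits several variables the role actually honours: `iptables_public_ports` (defaults/main.yaml feeds it to both the TCP and UDP lists, as ns.yaml relies on), `iptables_rules` (the shared default for `iptables_rules_v4` and `iptables_rules_v6`), and the `iptables_base_allowed_hosts`/`iptables_extra_allowed_hosts` split that all.yaml uses to build `iptables_allowed_hosts` — a group that sets `iptables_allowed_hosts` directly would lose the SNMP entry. The `hostname` description should also say that the name is resolved on the Ansible control node when the template is rendered, and that only A records feed the IPv4 file, e.g. "Resolved with the control node's resolver at render time; A records go into rules.v4, AAAA records into rules.v6." A sentence noting that rules are rendered before any REJECT, and that `iptables_rules_v4`/`v6` entries are inserted verbatim, would help authors of custom rules.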
@@ -0,0 +1,11 @@
+- name: Reload iptables Debian
+  import_tasks: tasks/reload-debian.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'Debian'
+
+- name: Reload iptables RedHat
+  import_tasks: tasks/reload-redhat.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'RedHat'
diff --git a/playbooks/roles/iptables/tasks/RedHat.yaml b/playbooks/roles/iptables/tasks/RedHat.yaml
new file mode 100644
index 0000000000..426e7660aa
--- /dev/null
+++ b/playbooks/roles/iptables/tasks/RedHat.yaml
@@ -0,0 +1,11 @@
+- name: Disable firewalld
+  service:
+    name: firewalld
+    enabled: no
+    state: stopped
+  failed_when: false
+
+- name: Ensure firewalld is removed
+  package:
+    name: firewalld
+    state: absent
diff --git a/playbooks/roles/iptables/tasks/main.yaml b/playbooks/roles/iptables/tasks/main.yaml
new file mode 100644
index 0000000000..62bd120357
--- /dev/null
+++ b/playbooks/roles/iptables/tasks/main.yaml
@@ -0,0 +1,54 @@
+- name: Include OS-specific variables
+ include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files: "{{ distro_lookup_path }}"
+ paths:
+ - 'vars'
+
+- name: Install iptables
+ package:
+ name: '{{ package_name }}'
+ state: present
+
+- name: Ensure iptables rules directory
+ file:
+ state: directory
+ path: '{{ rules_dir }}'
+
+- name: Install IPv4 rules files
+ template:
+ src: rules.v4.j2
+ dest: '{{ ipv4_rules }}'
+ owner: root
+ group: root
+ mode: 0640
+ setype: '{{ setype | default(omit) }}'
+ notify:
+ - Reload iptables Debian
+ - Reload iptables RedHat
+
+- name: Install IPv6 rules files
+ template:
+ src: rules.v6.j2
+ dest: '{{ ipv6_rules }}'
+ owner: root
+ group: root
+ mode: 0640
+ setype: '{{ setype | default(omit) }}'
+ notify:
+ - Reload iptables Debian
+ - Reload iptables RedHat
+
+- name: Include OS specific tasks
+ include_tasks: "{{ item }}"
+ vars:
+ params:
+ files: "{{ distro_lookup_path }}"
+ skip: true
+ loop: "{{ query('first_found', params) }}"
+
+- name: Enable iptables service
+ service:
+ name: '{{ service_name }}'
+ enabled: true
diff --git a/playbooks/roles/iptables/tasks/reload-debian.yaml b/playbooks/roles/iptables/tasks/reload-debian.yaml
new file mode 100644
index 0000000000..3e8483aa82
--- /dev/null
+++ b/playbooks/roles/iptables/tasks/reload-debian.yaml
@@ -0,0 +1,2 @@
+- name: Reload iptables (Debian)
+ command: '{{ reload_command }}'
diff --git a/playbooks/roles/iptables/tasks/reload-redhat.yaml b/playbooks/roles/iptables/tasks/reload-redhat.yaml
new file mode 100644
index 0000000000..4be6044de4
--- /dev/null
+++ b/playbooks/roles/iptables/tasks/reload-redhat.yaml
@@ -0,0 +1,5 @@
+- name: Reload iptables (Red Hat)
+ command: 'systemctl reload iptables'
+
+- name: Reload ip6tables (Red Hat)
+ command: 'systemctl reload ip6tables'
diff --git a/playbooks/roles/iptables/templates/rules.v4.j2 b/playbooks/roles/iptables/templates/rules.v4.j2
new file mode 100644
index 0000000000..ec2f8db503
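Review bot: The two template tasks in tasks/main.yaml write the rules files without validating them, so a malformed entry in `iptables_rules_v4`/`iptables_rules_v6` or an unexpected `host.port` value produces a file that iptables-restore rejects, and the failure only surfaces in the reload handler after the previous good file has already been replaced. The template module's `validate:` option runs the parser before the file is moved into place, e.g. `validate: 'iptables-restore --test %s'` on the IPv4 task and `validate: 'ip6tables-restore --test %s'` on the IPv6 task (confirm the `--test` flag exists on the oldest targeted release). Separately, the final task only sets `enabled: true` on the service; on a fresh RedHat host the unit is then not active when the reload-redhat.yaml handler runs `systemctl reload iptables`, which I believe fails for an inactive unit, so adding `state: started` to that task would make the first run load the rules instead of erroring.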
--- /dev/null
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v4 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_a -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/playbooks/roles/iptables/templates/rules.v6.j2 b/playbooks/roles/iptables/templates/rules.v6.j2
new file mode 100644
index 0000000000..3b38657fbd
--- /dev/null
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
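Review bot: The allowed-host rules in rules.v4.j2 are only as current as the name resolution done when the template is rendered: `host.hostname | dns_a` is evaluated on the control node at run time, so an address change for an allowed host is not reflected until the role runs again, and if resolution returns nothing the host silently gets no rule at all instead of failing the play. A template comment makes the first point visible to operators, e.g. `{# addresses are resolved on the control node when the role runs; re-run the role after an allowed host changes IP #}`, and the empty case is best caught by an `assert` task in tasks/main.yaml that checks each `iptables_allowed_hosts` entry resolves to at least one address before the templates are written. The same applies to `dns_aaaa` in rules.v6.j2. The commented-out mDNS line (`#-A openstack-INPUT -p udp --dport 5353 ...`) is copied verbatim into every generated rules file; a Jinja comment `{# ... #}` would keep it in the source without shipping it.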
@@ -0,0 +1,30 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v6 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_aaaa -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
diff --git a/playbooks/roles/iptables/vars/Debian.yaml b/playbooks/roles/iptables/vars/Debian.yaml
new file mode 100644
index 0000000000..769f18d787
--- /dev/null
+++ b/playbooks/roles/iptables/vars/Debian.yaml
@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: netfilter-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /usr/sbin/netfilter-persistent start
diff --git a/playbooks/roles/iptables/vars/RedHat.yaml b/playbooks/roles/iptables/vars/RedHat.yaml
new file mode 100644
index 0000000000..465d5b3125
--- /dev/null
+++ b/playbooks/roles/iptables/vars/RedHat.yaml
@@ -0,0 +1,6 @@
+package_name: iptables-services
+service_name: iptables
+rules_dir: /etc/sysconfig
+ipv4_rules: /etc/sysconfig/iptables
+ipv6_rules: /etc/sysconfig/ip6tables
+setype: 'etc_t'
diff --git a/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml b/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml
new file mode 100644
index 0000000000..e806919bcc
--- /dev/null
+++ b/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml
@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: iptables-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /etc/init.d/iptables-persistent reload
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 2b0909f0f9..58d22795df 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -12,6 +12,20 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import socket
+
+
+def get_ips(value, family=None):
+ ret = set()
+ try:
+ addr_info = socket.getaddrinfo(value, None, family)
+ except socket.gaierror:
+ return ret
+ for addr in addr_info:
+ ret.add(addr[4][0])
+ return ret
+
+
 def test_exim_is_installed(host):
 if host.system_info.distribution in ['ubuntu', 'debian']:
 exim = host.package("exim4-base")
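Review bot: `get_ips(value, family=None)` cannot be called with its default argument: `socket.getaddrinfo` expects an integer for `family`, so passing `None` raises `TypeError` instead of meaning "any family", and only the explicit `socket.AF_INET` call in test_iptables works. The default should be `AF_UNSPEC`, i.e. `def get_ips(value, family=0):`. The `except socket.gaierror: return ret` branch also deserves a comment, e.g. `# resolution failure yields an empty set; callers must not treat that as "nothing to check"`, because a caller that simply iterates the result asserts nothing when the name does not resolve.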
@@ -21,3 +35,36 @@ def test_exim_is_installed(host):
 cmd = host.run("exim -bt root")
 assert cmd.rc == 0
+
+
+def test_iptables(host):
+ rules = host.iptables.rules()
+ rules = [x.strip() for x in rules]
+
+ start = [
+ '-P INPUT ACCEPT',
+ '-P FORWARD ACCEPT',
+ '-P OUTPUT ACCEPT',
+ '-N openstack-INPUT',
+ '-A INPUT -j openstack-INPUT',
+ '-A openstack-INPUT -i lo -j ACCEPT',
+ '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
+ '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
+ '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+ ]
+ assert rules[:len(start)] == start
+
+ reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
+ assert reject in rules
+
+ # Make sure that the zuul console stream rule has been removed
+ # from the test node
+ zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
+ ' -m tcp --dport 19885 -j ACCEPT')
+ assert zuul not in rules
+
+ # Ensure all IPv4 addresses for cacti are allowed
+ for ip in get_ips('cacti.openstack.org', socket.AF_INET):
+ snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
+ ' --dport 161 -j ACCEPT' % ip)
+ assert snmp in rules
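Review bot: The SNMP check at the end of test_iptables is vacuous when name resolution fails: `get_ips` returns an empty set on `socket.gaierror`, the `for` loop then runs zero times and the test passes without having checked a single cacti rule. Capture the result and assert it is non-empty before the loop, `ips = get_ips('cacti.openstack.org', socket.AF_INET)` followed by `assert ips, 'could not resolve cacti.openstack.org'`. The test also only inspects the IPv4 table, so the rules.v6.j2 template in this change is never verified; if the installed testinfra supports `host.iptables.rules(version=6)`, a parallel check of the ip6tables chain head and its `icmp6-adm-prohibited` reject rule would close that gap. `assert reject in rules` proves the reject rule exists but not that it is the last rule of openstack-INPUT; since user chains are listed last, `assert rules[-1] == reject` should also catch a rule accidentally appended after it.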