Run iptables in service playbooks instead of base

It's the only part of base that's important to run when we run a
service. Run it in the service playbooks and get rid of the
dependency on infra-prod-base.

Continue running it in base so that new nodes are brought up
with iptables in place.

Bump the timeout for the mirror job, because the iptables addition
seems to have just bumped it over the edge.

Change-Id: I4608216f7a59cfa96d3bdb191edd9bc7bb9cca39
This commit is contained in:
Monty Taylor 2020-05-26 17:41:54 -05:00
parent 807b083735
commit d93a661ae4
37 changed files with 123 additions and 19 deletions

View File

@ -8,4 +8,4 @@
- base/unbound - base/unbound
- base/exim - base/exim
- base/snmpd - base/snmpd
- base/iptables - iptables

View File

@ -1,4 +1,6 @@
# Use include_role instead of roles: so that we can late-bind the roles list # Use include_role instead of roles: so that we can late-bind the roles list
- include_role:
name: iptables
- include_role: - include_role:
name: install-ansible-roles name: install-ansible-roles
- include_role: - include_role:

View File

@ -3,8 +3,10 @@
- hosts: "backup:!disabled" - hosts: "backup:!disabled"
name: "Base: Generate backup users and keys" name: "Base: Generate backup users and keys"
roles: roles:
- iptables
- backup - backup
- hosts: "backup-server:!disabled" - hosts: "backup-server:!disabled"
name: "Generate bup configuration" name: "Generate bup configuration"
roles: roles:
- iptables
- backup-server - backup-server

View File

@ -1,6 +1,7 @@
- hosts: bridge.openstack.org:!disabled - hosts: bridge.openstack.org:!disabled
name: "Bridge: configure the bastion host" name: "Bridge: configure the bastion host"
roles: roles:
- iptables
- edit-secrets-script - edit-secrets-script
- install-docker - install-docker
tasks: tasks:

View File

@ -2,6 +2,7 @@
name: "codesearch: run puppet on codesearch" name: "codesearch: run puppet on codesearch"
strategy: free strategy: free
roles: roles:
- iptables
- sync-project-config - sync-project-config
- name: run-puppet - name: run-puppet
manifest: /opt/system-config/production/manifests/codesearch.pp manifest: /opt/system-config/production/manifests/codesearch.pp

View File

@ -2,6 +2,7 @@
name: "eavesdrop: run puppet on eavesdrop" name: "eavesdrop: run puppet on eavesdrop"
strategy: free strategy: free
roles: roles:
- iptables
- zuul-user - zuul-user
- sync-project-config - sync-project-config
- install-docker - install-docker

View File

@ -1,5 +1,6 @@
- hosts: "etherpad01.opendev.org:!disabled" - hosts: "etherpad01.opendev.org:!disabled"
name: "Base: configure etherpad" name: "Base: configure etherpad"
roles: roles:
- iptables
- install-docker - install-docker
- etherpad - etherpad

View File

@ -1,5 +1,6 @@
- hosts: "gitea-lb:!disabled" - hosts: "gitea-lb:!disabled"
name: "Base: configure gitea load balancer" name: "Base: configure gitea load balancer"
roles: roles:
- iptables
- install-docker - install-docker
- haproxy - haproxy

View File

@ -2,5 +2,6 @@
name: "Base: configure gitea" name: "Base: configure gitea"
serial: 1 serial: 1
roles: roles:
- iptables
- install-docker - install-docker
- gitea - gitea

View File

@ -5,7 +5,7 @@
roles: roles:
- install-certcheck - install-certcheck
- hosts: "letsencrypt:!disabled" - hosts: "letsencrypt:!disabled"
name: "Base: deploy and renew certificates" name: "Deploy and renew certificates"
roles: roles:
- letsencrypt-acme-sh-install - letsencrypt-acme-sh-install
- letsencrypt-request-certs - letsencrypt-request-certs

View File

@ -1,12 +1,14 @@
- hosts: "meetpad:!disabled" - hosts: "meetpad:!disabled"
name: "Configure meetpad" name: "Configure meetpad"
roles: roles:
- iptables
- install-docker - install-docker
- jitsi-meet - jitsi-meet
- hosts: "jvb:!disabled" - hosts: "jvb:!disabled"
name: "Configure extra jitsi video bridges" name: "Configure extra jitsi video bridges"
roles: roles:
- iptables
- install-docker - install-docker
- role: jitsi-meet - role: jitsi-meet
docker_compose_file: jvb-docker-compose.yaml docker_compose_file: jvb-docker-compose.yaml

View File

@ -1,6 +1,7 @@
- hosts: "mirror-update:!disabled" - hosts: "mirror-update:!disabled"
name: "Configure mirror-update" name: "Configure mirror-update"
roles: roles:
- role: iptables
- role: kerberos-client - role: kerberos-client
kerberos_realm: 'OPENSTACK.ORG' kerberos_realm: 'OPENSTACK.ORG'
kerberos_admin_server: 'kdc.openstack.org' kerberos_admin_server: 'kdc.openstack.org'

View File

@ -1,6 +1,7 @@
- hosts: "mirror:!disabled" - hosts: "mirror:!disabled"
name: "Configure per region opendev mirrors" name: "Configure per region opendev mirrors"
roles: roles:
- role: iptables
- role: kerberos-client - role: kerberos-client
kerberos_realm: 'OPENSTACK.ORG' kerberos_realm: 'OPENSTACK.ORG'
kerberos_admin_server: 'kdc.openstack.org' kerberos_admin_server: 'kdc.openstack.org'

View File

@ -1,10 +1,12 @@
- hosts: adns:!disabled - hosts: adns:!disabled
name: "Base: configure adns server" name: "Base: configure adns server"
roles: roles:
- iptables
- master-nameserver - master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled" - hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers" name: "Base: configure authoritative nameservers"
roles: roles:
- iptables
- nameserver - nameserver

View File

@ -2,6 +2,7 @@
name: "Configure nodepool builders" name: "Configure nodepool builders"
strategy: free strategy: free
roles: roles:
- iptables
- install-docker - install-docker
- nodepool-base - nodepool-base
- configure-openstacksdk - configure-openstacksdk
@ -11,6 +12,7 @@
name: "run puppet on all older servers" name: "run puppet on all older servers"
strategy: free strategy: free
roles: roles:
- iptables
- nodepool-base-legacy - nodepool-base-legacy
- configure-openstacksdk - configure-openstacksdk
- configure-kubectl - configure-kubectl
@ -20,6 +22,7 @@
name: "Configure nodepool launchers" name: "Configure nodepool launchers"
strategy: free strategy: free
roles: roles:
- iptables
- install-docker - install-docker
- nodepool-base - nodepool-base
- configure-openstacksdk - configure-openstacksdk

View File

@ -1,5 +1,6 @@
- hosts: "registry:!disabled" - hosts: "registry:!disabled"
name: "Base: configure registry" name: "Base: configure registry"
roles: roles:
- iptables
- install-docker - install-docker
- registry - registry

View File

@ -1,6 +1,7 @@
- hosts: "review-dev:!disabled" - hosts: "review-dev:!disabled"
name: "Configure gerrit on review-dev" name: "Configure gerrit on review-dev"
roles: roles:
- iptables
- install-docker - install-docker
- role: gerrit - role: gerrit
gerrit_ssh_rsa_key_contents: "{{ gerrit_dev_ssh_rsa_key_contents }}" gerrit_ssh_rsa_key_contents: "{{ gerrit_dev_ssh_rsa_key_contents }}"

View File

@ -1,5 +1,6 @@
- hosts: "review:!disabled" - hosts: "review:!disabled"
name: "Configure gerrit" name: "Configure gerrit"
roles: roles:
- iptables
- install-docker - install-docker
- gerrit - gerrit

View File

@ -1,6 +1,7 @@
- hosts: "static:!disabled" - hosts: "static:!disabled"
name: "Static webserver" name: "Static webserver"
roles: roles:
- role: iptables
- role: kerberos-client - role: kerberos-client
kerberos_realm: 'OPENSTACK.ORG' kerberos_realm: 'OPENSTACK.ORG'
kerberos_admin_server: 'kdc.openstack.org' kerberos_admin_server: 'kdc.openstack.org'

View File

@ -12,5 +12,6 @@
name: "Configure Zookeeper" name: "Configure Zookeeper"
serial: 1 serial: 1
roles: roles:
- iptables
- install-docker - install-docker
- zookeeper - zookeeper

View File

@ -1,5 +1,6 @@
- hosts: "zuul-preview:!disabled" - hosts: "zuul-preview:!disabled"
name: "Base: configure zuul-preview" name: "Base: configure zuul-preview"
roles: roles:
- iptables
- install-docker - install-docker
- zuul-preview - zuul-preview

View File

@ -11,6 +11,7 @@
- hosts: "zuul:!disabled" - hosts: "zuul:!disabled"
name: "Configure zuul servers" name: "Configure zuul servers"
roles: roles:
- iptables
- install-docker - install-docker
- zuul - zuul

View File

@ -14,7 +14,6 @@
import socket import socket
testinfra_hosts = ['all'] testinfra_hosts = ['all']

73
testinfra/test_zuul.py Normal file
View File

@ -0,0 +1,73 @@
# Copyright 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import socket
testinfra_hosts = [
'ze01.opendev.org',
'zm01.openstack.org',
'zuul01.openstack.org',
]
def get_ips(value, family=None):
ret = set()
try:
addr_info = socket.getaddrinfo(value, None, family)
except socket.gaierror:
return ret
for addr in addr_info:
ret.add(addr[4][0])
return ret
def test_iptables(host):
rules = host.iptables.rules()
rules = [x.strip() for x in rules]
needed_rules = [
'-P INPUT ACCEPT',
'-P FORWARD DROP',
'-P OUTPUT ACCEPT',
'-N openstack-INPUT',
'-A INPUT -j openstack-INPUT',
'-A openstack-INPUT -i lo -j ACCEPT',
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
'-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
]
for rule in needed_rules:
assert rule in rules
# Make sure that the gearman port is open to executors on the scheduler
if host.backend.get_hostname() == 'zuul01.openstack.org':
for ip in get_ips('ze01.opendev.org', socket.AF_INET):
zuul = ('-A openstack-INPUT -s %s/32 -p tcp -m state --state NEW'
' -m tcp --dport 4730 -j ACCEPT' % ip)
assert zuul in rules
# Ensure all IPv4+6 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):
snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in rules
# TODO(ianw) add ip6tables support to testinfra iptables module
ip6rules = host.check_output('ip6tables -S')
for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in ip6rules

View File

@ -69,8 +69,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
files: files:
- inventory/ - inventory/
- playbooks/service-letsencrypt.yaml - playbooks/service-letsencrypt.yaml
@ -105,8 +103,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
@ -120,6 +116,7 @@
- inventory/ - inventory/
- playbooks/service-bridge.yaml - playbooks/service-bridge.yaml
- playbooks/host_vars/bridge.openstack.org.yaml - playbooks/host_vars/bridge.openstack.org.yaml
- playbooks/roles/iptables/
- playbooks/roles/logrotate/ - playbooks/roles/logrotate/
- playbooks/roles/edit-secrets-script/ - playbooks/roles/edit-secrets-script/
- playbooks/roles/install-kubectl/ - playbooks/roles/install-kubectl/
@ -138,6 +135,7 @@
- playbooks/service-gitea-lb.yaml - playbooks/service-gitea-lb.yaml
- playbooks/group_vars/gitea-lb.yaml - playbooks/group_vars/gitea-lb.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/iptables/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/haproxy/ - playbooks/roles/haproxy/
@ -157,6 +155,7 @@
- playbooks/group_vars/ns.yaml - playbooks/group_vars/ns.yaml
- playbooks/roles/master-nameserver/ - playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/ - playbooks/roles/nameserver/
- playbooks/roles/iptables/
- job: - job:
name: infra-prod-service-nodepool name: infra-prod-service-nodepool
@ -179,6 +178,7 @@
- playbooks/roles/configure-kubectl/ - playbooks/roles/configure-kubectl/
- playbooks/roles/configure-openstacksdk/ - playbooks/roles/configure-openstacksdk/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/nodepool - playbooks/roles/nodepool
- playbooks/templates/clouds/nodepool_ - playbooks/templates/clouds/nodepool_
@ -197,6 +197,7 @@
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/etherpad - playbooks/roles/etherpad
- playbooks/roles/logrotate - playbooks/roles/logrotate
- playbooks/roles/iptables/
- job: - job:
name: infra-prod-service-meetpad name: infra-prod-service-meetpad
@ -205,8 +206,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: system-config-promote-image-jitsi-meet - name: system-config-promote-image-jitsi-meet
@ -220,6 +219,7 @@
- playbooks/group_vars/meetpad.yaml - playbooks/group_vars/meetpad.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/jitsi-meet/ - playbooks/roles/jitsi-meet/
- job: - job:
@ -234,6 +234,7 @@
- playbooks/roles/kerberos-client/ - playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/ - playbooks/roles/openafs-client/
- playbooks/roles/mirror-update/ - playbooks/roles/mirror-update/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/ - playbooks/roles/logrotate/
- job: - job:
@ -251,6 +252,7 @@
- playbooks/roles/mirror/ - playbooks/roles/mirror/
- playbooks/roles/afs-release/ - playbooks/roles/afs-release/
- playbooks/roles/afsmon/ - playbooks/roles/afsmon/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/ - playbooks/roles/logrotate/
- job: - job:
@ -264,6 +266,7 @@
- playbooks/service-static.yaml - playbooks/service-static.yaml
- playbooks/host_vars/static01.opendev.org.yaml - playbooks/host_vars/static01.opendev.org.yaml
- playbooks/group_vars/static.yaml - playbooks/group_vars/static.yaml
- playbooks/roles/iptables/
- playbooks/roles/kerberos-client/ - playbooks/roles/kerberos-client/
- playbooks/roles/openafs-client/ - playbooks/roles/openafs-client/
- playbooks/roles/static/ - playbooks/roles/static/
@ -280,6 +283,7 @@
- playbooks/service-backup.yaml - playbooks/service-backup.yaml
- playbooks/roles/backup/ - playbooks/roles/backup/
- playbooks/roles/backup-server/ - playbooks/roles/backup-server/
- playbooks/roles/iptables/
- job: - job:
name: infra-prod-service-registry name: infra-prod-service-registry
@ -293,6 +297,7 @@
- playbooks/group_vars/registry.yaml - playbooks/group_vars/registry.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/registry/ - playbooks/roles/registry/
- job: - job:
@ -307,6 +312,7 @@
- playbooks/group_vars/zuul-preview.yaml - playbooks/group_vars/zuul-preview.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zuul-preview/ - playbooks/roles/zuul-preview/
- job: - job:
@ -321,6 +327,7 @@
- ^playbooks/host_vars/zk\d+\..* - ^playbooks/host_vars/zk\d+\..*
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/ - playbooks/roles/zookeeper/
- job: - job:
@ -337,8 +344,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: infra-prod-manage-projects - name: infra-prod-manage-projects
@ -352,6 +357,7 @@
- playbooks/host_vars/zk\d+ - playbooks/host_vars/zk\d+
- playbooks/host_vars/zuul01.openstack.org - playbooks/host_vars/zuul01.openstack.org
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/zookeeper/ - playbooks/roles/zookeeper/
- playbooks/roles/zuul - playbooks/roles/zuul
@ -364,8 +370,6 @@
dependencies: &infra_prod_service_review_deps dependencies: &infra_prod_service_review_deps
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: system-config-promote-image-gerrit-2.13 - name: system-config-promote-image-gerrit-2.13
@ -377,6 +381,7 @@
- playbooks/host_vars/review01.openstack.org.yaml - playbooks/host_vars/review01.openstack.org.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/ - playbooks/roles/gerrit/
- job: - job:
@ -393,6 +398,7 @@
- playbooks/host_vars/review-dev01.opendev.org.yaml - playbooks/host_vars/review-dev01.opendev.org.yaml
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/iptables/
- playbooks/roles/gerrit/ - playbooks/roles/gerrit/
- job: - job:
@ -404,8 +410,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: system-config-promote-image-gitea-init - name: system-config-promote-image-gitea-init
@ -420,6 +424,7 @@
- playbooks/roles/install-docker/ - playbooks/roles/install-docker/
- playbooks/roles/pip3/ - playbooks/roles/pip3/
- playbooks/roles/gitea/ - playbooks/roles/gitea/
- playbooks/roles/iptables/
- playbooks/roles/logrotate/ - playbooks/roles/logrotate/
- docker/gitea/ - docker/gitea/
- docker/gitea-init/ - docker/gitea-init/
@ -443,6 +448,7 @@
- playbooks/group_vars/puppet.yaml - playbooks/group_vars/puppet.yaml
- playbooks/roles/run-puppet/ - playbooks/roles/run-puppet/
- playbooks/roles/install-ansible-roles/ - playbooks/roles/install-ansible-roles/
- playbooks/roles/iptables/
- playbooks/roles/sync-project-config - playbooks/roles/sync-project-config
- playbooks/roles/puppet-install/ - playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/ - playbooks/roles/disable-puppet-agent/
@ -461,8 +467,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: system-config-promote-image-accessbot - name: system-config-promote-image-accessbot
@ -479,6 +483,7 @@
- playbooks/roles/install-ansible-roles/ - playbooks/roles/install-ansible-roles/
- playbooks/roles/zuul-user - playbooks/roles/zuul-user
- playbooks/roles/install-docker - playbooks/roles/install-docker
- playbooks/roles/iptables/
- playbooks/roles/puppet-install/ - playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/ - playbooks/roles/disable-puppet-agent/
- playbooks/roles/accessbot - playbooks/roles/accessbot
@ -526,6 +531,7 @@
- playbooks/roles/install-ansible-roles/ - playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/ - playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/ - playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- playbooks/roles/vos-release/ - playbooks/roles/vos-release/
- modules/ - modules/
- manifests/ - manifests/
@ -551,6 +557,7 @@
- playbooks/roles/install-ansible-roles/ - playbooks/roles/install-ansible-roles/
- playbooks/roles/puppet-install/ - playbooks/roles/puppet-install/
- playbooks/roles/disable-puppet-agent/ - playbooks/roles/disable-puppet-agent/
- playbooks/roles/iptables/
- modules/ - modules/
- manifests/ - manifests/

View File

@ -204,8 +204,6 @@
dependencies: dependencies:
- name: infra-prod-install-ansible - name: infra-prod-install-ansible
soft: true soft: true
- name: infra-prod-base
soft: true
- name: infra-prod-service-letsencrypt - name: infra-prod-service-letsencrypt
soft: true soft: true
- name: system-config-promote-image-etherpad - name: system-config-promote-image-etherpad

View File

@ -374,6 +374,7 @@
- job: - job:
name: system-config-run-mirror-x86 name: system-config-run-mirror-x86
parent: system-config-run-mirror-base parent: system-config-run-mirror-base
timeout: 3600
nodeset: nodeset:
nodes: nodes:
- name: bridge.openstack.org - name: bridge.openstack.org