From 800397c3da565574fa21ba1a03383c0c58664b01 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Tue, 28 Aug 2018 15:51:27 -0700
Subject: [PATCH] base-test: iptables: allow zuul console streaming

This adds a group var which should normally be the empty list but can be overridden by the test framework to inject additional iptables rules. It's used to add the zuul console streaming port. To accomplish this, the base+extras pattern is adopted for iptables public tcp/udp ports. This means all host/group vars should use the "extra" form of the variable rather than the actual variable defined by the role.

Change-Id: I33fe2b7de4a4ba79c25c0fb41a00e3437cee5463
---
 playbooks/group_vars/afs.yaml | 2 +-
 playbooks/group_vars/afsdb.yaml | 2 +-
 playbooks/group_vars/all.yaml | 11 +++++++++++
 playbooks/group_vars/eavesdrop.yaml | 2 +-
 playbooks/group_vars/firehose.yaml | 2 +-
 playbooks/group_vars/gerrit.yaml | 2 +-
 playbooks/group_vars/git-loadbalancer.yaml | 2 +-
 playbooks/group_vars/git-server.yaml | 2 +-
 playbooks/group_vars/kdc.yaml | 4 ++--
 playbooks/group_vars/logstash.yaml | 2 +-
 playbooks/group_vars/mailman.yaml | 2 +-
 playbooks/group_vars/mirror.yaml | 2 +-
 playbooks/group_vars/ns.yaml | 4 +++-
 playbooks/group_vars/pbx.yaml | 4 ++--
 playbooks/group_vars/webservers.yaml | 2 +-
 playbooks/group_vars/zuul-executor.yaml | 2 +-
 playbooks/group_vars/zuul-scheduler.yaml | 2 +-
 playbooks/zuul/run-base.yaml | 1 +
 playbooks/zuul/templates/group_vars/all.yaml.j2 | 1 +
 testinfra/test_base.py | 5 ++---
 20 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/playbooks/group_vars/afs.yaml b/playbooks/group_vars/afs.yaml
index 83f47e6b62..2314190b2e 100644
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/afsdb.yaml b/playbooks/group_vars/afsdb.yaml
index 83f47e6b62..2314190b2e 100644
--- a/playbooks/group_vars/afsdb.yaml
+++ b/playbooks/group_vars/afsdb.yaml
@@ -1 +1 @@
-iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
diff --git a/playbooks/group_vars/all.yaml b/playbooks/group_vars/all.yaml
index a66b58e0ad..292b3507c4 100644
--- a/playbooks/group_vars/all.yaml
+++ b/playbooks/group_vars/all.yaml
@@ -17,6 +17,17 @@ iptables_base_allowed_hosts:
 iptables_extra_allowed_hosts: []
 iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
 
+iptables_base_public_tcp_ports: []
+iptables_extra_public_tcp_ports: []
+# iptables_test_public_tcp_ports is here only to allow the test
+# framework to inject an iptables rule to allow zuul console
+# streaming. Do not use it otherwise.
+iptables_public_tcp_ports: "{{ iptables_test_public_tcp_ports|default([]) + iptables_base_public_tcp_ports + iptables_extra_public_tcp_ports }}"
+
+iptables_base_public_udp_ports: []
+iptables_extra_public_udp_ports: []
+iptables_public_udp_ports: "{{ iptables_base_public_udp_ports + iptables_extra_public_udp_ports }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:
diff --git a/playbooks/group_vars/eavesdrop.yaml b/playbooks/group_vars/eavesdrop.yaml
index afaf3290b0..2ff4864007 100644
--- a/playbooks/group_vars/eavesdrop.yaml
+++ b/playbooks/group_vars/eavesdrop.yaml
@@ -1,2 +1,2 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
diff --git a/playbooks/group_vars/firehose.yaml b/playbooks/group_vars/firehose.yaml
index a4cb95ce0f..4bfb2382b1 100644
--- a/playbooks/group_vars/firehose.yaml
+++ b/playbooks/group_vars/firehose.yaml
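Review bot: Nothing in the new `iptables_public_tcp_ports` / `iptables_public_udp_ports` definitions stops a host or group var from still setting those keys directly, and because group_vars/all has the lowest precedence such a value silently replaces the whole composed list, dropping the test-injected port and any base entries. The commit message states the "use the extra form" rule, but it lives only there; a comment beside the composed keys would make it stick, e.g. `# Never set iptables_public_{tcp,udp}_ports in host/group vars: they are composed here from the base/extra lists and a direct value overrides the whole list.` Note also that `|default([])` guards only the test variable; that is fine while the base and extra keys are defined in this same file, but any further list added to the expression needs the same guard or every host fails templating.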
@@ -17,7 +17,7 @@ exim_transports:
 socket = /var/run/cyrus/socket/lmtp
 user = cyrus
 batch_max = 35
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 25
 - 80
 - 443
diff --git a/playbooks/group_vars/gerrit.yaml b/playbooks/group_vars/gerrit.yaml
index 124327e5ae..477b3d450e 100644
--- a/playbooks/group_vars/gerrit.yaml
+++ b/playbooks/group_vars/gerrit.yaml
@@ -2,7 +2,7 @@ exim_extra_aliases:
 gerrit2: root
 iptables_rules:
 - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 443
 - 29418
diff --git a/playbooks/group_vars/git-loadbalancer.yaml b/playbooks/group_vars/git-loadbalancer.yaml
index 8edb0426ae..3baea5cb13 100644
--- a/playbooks/group_vars/git-loadbalancer.yaml
+++ b/playbooks/group_vars/git-loadbalancer.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 443
 - 9418
diff --git a/playbooks/group_vars/git-server.yaml b/playbooks/group_vars/git-server.yaml
index 775ba85f5e..2d5a84276c 100644
--- a/playbooks/group_vars/git-server.yaml
+++ b/playbooks/group_vars/git-server.yaml
@@ -1,5 +1,5 @@
 ansible_python_interpreter: python2
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 4443
 - 8080
 - 29418
diff --git a/playbooks/group_vars/kdc.yaml b/playbooks/group_vars/kdc.yaml
index d9245cb1d8..33fc460c88 100644
--- a/playbooks/group_vars/kdc.yaml
+++ b/playbooks/group_vars/kdc.yaml
@@ -1,9 +1,9 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 88
 - 464
 - 749
 - 754
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
 - 88
 - 464
 - 749
diff --git a/playbooks/group_vars/logstash.yaml b/playbooks/group_vars/logstash.yaml
index 0a1a59002e..2ecc468fb5 100644
--- a/playbooks/group_vars/logstash.yaml
+++ b/playbooks/group_vars/logstash.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 3306
 iptables_extra_allowed_hosts:
diff --git a/playbooks/group_vars/mailman.yaml b/playbooks/group_vars/mailman.yaml
index 127111ce1b..a3a089e0d7 100644
--- a/playbooks/group_vars/mailman.yaml
+++ b/playbooks/group_vars/mailman.yaml
@@ -2,7 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 25
 - 80
 - 465
diff --git a/playbooks/group_vars/mirror.yaml b/playbooks/group_vars/mirror.yaml
index 3e696348c4..ec2b85c27c 100644
--- a/playbooks/group_vars/mirror.yaml
+++ b/playbooks/group_vars/mirror.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 80
 - 8080
 - 8081
diff --git a/playbooks/group_vars/ns.yaml b/playbooks/group_vars/ns.yaml
index 2dc09d9b08..416da9c806 100644
--- a/playbooks/group_vars/ns.yaml
+++ b/playbooks/group_vars/ns.yaml
@@ -1,2 +1,4 @@
-iptables_public_ports:
+iptables_extra_public_tcp_ports:
+ - 53
+iptables_extra_public_udp_ports:
 - 53
diff --git a/playbooks/group_vars/pbx.yaml b/playbooks/group_vars/pbx.yaml
index 827e00a387..5e59086bac 100644
--- a/playbooks/group_vars/pbx.yaml
+++ b/playbooks/group_vars/pbx.yaml
@@ -1,7 +1,7 @@
 # SIP signaling is either TCP or UDP port 5060.
 # RTP media (audio/video) uses a range of UDP ports.
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 5060
-iptables_public_udp_ports:
+iptables_extra_public_udp_ports:
 - 5060
 - 10000:20000
diff --git a/playbooks/group_vars/webservers.yaml b/playbooks/group_vars/webservers.yaml
index 418fca0b98..c216395298 100644
--- a/playbooks/group_vars/webservers.yaml
+++ b/playbooks/group_vars/webservers.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 22
 - 80
 - 443
diff --git a/playbooks/group_vars/zuul-executor.yaml b/playbooks/group_vars/zuul-executor.yaml
index 999385d702..2d320ec06b 100644
--- a/playbooks/group_vars/zuul-executor.yaml
+++ b/playbooks/group_vars/zuul-executor.yaml
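Review bot: The ns.yaml hunk is not a pure rename like the others in this series: the removed key `iptables_public_ports` matches neither of the two variables the role is fed (`iptables_public_tcp_ports` / `iptables_public_udp_ports`), so it was presumably ignored, and the new side now opens 53/tcp in addition to 53/udp. That is the correct exposure for a nameserver, but it is a firewall widening on the ns group that the commit message presents only as adopting the extra form, so it deserves a sentence there and a short comment in the file, e.g. `# DNS needs both transports: UDP for ordinary queries, TCP for large responses and zone transfers.`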
@@ -1,3 +1,3 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 79
 - 7900
diff --git a/playbooks/group_vars/zuul-scheduler.yaml b/playbooks/group_vars/zuul-scheduler.yaml
index b78de230c2..530a8997d7 100644
--- a/playbooks/group_vars/zuul-scheduler.yaml
+++ b/playbooks/group_vars/zuul-scheduler.yaml
@@ -1,4 +1,4 @@
-iptables_public_tcp_ports:
+iptables_extra_public_tcp_ports:
 - 79
 - 80
 - 443
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index f1caf79f96..6c1a87da10 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -36,6 +36,7 @@
 bastion_ipv4: "{{ nodepool['public_ipv4'] }}"
 bastion_ipv6: "{{ nodepool['public_ipv6'] }}"
 bastion_public_key: "{{ lookup('file', zuul.executor.work_root + '/' + zuul.build + '_id_rsa.pub') }}"
+ iptables_test_public_tcp_ports: [19885]
 template:
 src: "templates/{{ item }}.j2"
 dest: "/etc/ansible/hosts/{{ item }}"
diff --git a/playbooks/zuul/templates/group_vars/all.yaml.j2 b/playbooks/zuul/templates/group_vars/all.yaml.j2
index 42d75091d7..1f077ff3f9 100644
--- a/playbooks/zuul/templates/group_vars/all.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@@ -8,3 +8,4 @@ bastion_ipv4: {{ bastion_ipv4 }}
 bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
+iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 6ecdb76452..d660a5242c 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
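Review bot: The literal `19885` in the added `iptables_test_public_tcp_ports: [19885]` in run-base.yaml is duplicated by the rule string asserted in `testinfra/test_base.py` in this same change, and nothing ties the two together, so a change on either side fails the test for a non-obvious reason. A comment naming the coupling is enough, e.g. `# Zuul console-stream port; testinfra/test_base.py asserts the matching ACCEPT rule.` The enclosing task starts before this hunk.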
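Review bot: The added template line renders `iptables_test_public_tcp_ports` with no `default` filter, while the consumer in `playbooks/group_vars/all.yaml` guards the same variable with `|default([])`; if the var is ever dropped from the task's vars, rendering the whole group_vars file fails instead of falling back to an empty list. If failing loudly is the intent, a comment saying the variable is required from run-base.yaml would document it; otherwise `iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports | default([]) }}` makes the template and the consumer agree on the absent case.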
@@ -75,11 +75,10 @@ def test_iptables(host):
 reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
 assert reject in rules
 
- # Make sure that the zuul console stream rule has been removed
- # from the test node
+ # Make sure that the zuul console stream rule is still present
 zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
 ' -m tcp --dport 19885 -j ACCEPT')
- assert zuul not in rules
+ assert zuul in rules
 
 # Ensure all IPv4 addresses for cacti are allowed
 for ip in get_ips('cacti.openstack.org', socket.AF_INET):
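Review bot: The new comment `# Make sure that the zuul console stream rule is still present` says what is asserted but not why the rule is expected on a test node, which is the point of this change: the port is injected through `iptables_test_public_tcp_ports` in `playbooks/zuul/run-base.yaml` and folded into `iptables_public_tcp_ports` by `playbooks/group_vars/all.yaml`, so the assertion is really checking that the base+extra composition kept it. I'd extend the comment to say so, e.g. `# The test framework injects 19885 via iptables_test_public_tcp_ports (run-base.yaml); its rule must survive the base+extra composition in group_vars/all.yaml.` Naming the source file also keeps the duplicated `19885` literal in sync. test_iptables starts before this hunk and continues after it.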