stackforge/puppet-openstack-cloud
Code Issues Proposed changes

Advanced Firewalling feature

Browse Source 
This patch enables Firewalling in this Puppet modules in a flexible way.

* Enable firewalling optionnaly (disabled by default).
* Enable 'pre' firewalling with defaults rules.
* Enable 'post' firewalling with DROP rule, with a debug option to
  disable it.
* Enable default rules for all services (OpenStack, etc).
* Ability to add custom firewall rules with Hiera
* Update puppetlabs-firewall refs
* Refactorize unit-tests
This commit is contained in:
Emilien Macchi 2014-11-11 10:18:36 +01:00 committed by Sebastien Badia
parent 7aed87b306
commit 5102e5130a
56 changed files with 1740 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Puppetfile
View File

@ -94,7 +94,7 @@ mod 'git',
:ref => '0df1f62130a7752c728efb7555f2b07ca178ee5b'
mod 'firewall',
:git => 'git://github.com/enovance/puppetlabs-firewall.git',
:ref => '6540b31b0ca0727094ddf44436274436d2853d6d'
:ref => '4ed1b43e1629c1b6108133b0fc3be603d03ffe6c'
mod 'fluentd',
:git => 'git://github.com/enovance/puppet-fluentd.git',
:ref => 'd073a97002c569d8bfc38ac814ee33ed2cb13ca6'

15
manifests/cache.pp
View File

@ -23,8 +23,14 @@
# (optional) IP address on which memcached instance should listen
# Defaults to '127.0.0.1'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::cache (
$listen_ip = '127.0.0.1',
$listen_ip = '127.0.0.1',
$firewall_settings = {},
){
class { 'memcached':
@ -32,4 +38,11 @@ class cloud::cache (
max_memory => '60%',
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow memcached access':
port => '11211',
extras => $firewall_settings,
}
}
}

29
manifests/compute/api.pp
View File

@ -13,7 +13,16 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# Compute API node
# == Class: cloud::compute::api
#
# Install a Nova-API node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::compute::api(
$ks_keystone_internal_host = '127.0.0.1',
@ -23,7 +32,8 @@ class cloud::compute::api(
$api_eth = '127.0.0.1',
$ks_nova_public_port = '8774',
$ks_ec2_public_port = '8773',
$ks_metadata_public_port = '8775'
$ks_metadata_public_port = '8775',
$firewall_settings = {},
){
include 'cloud::compute'
@ -39,6 +49,21 @@ class cloud::compute::api(
osapi_v3 => true,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow nova-api access':
port => $ks_nova_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow nova-metadata access':
port => $ks_metadata_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow nova-ec2 access':
port => $ks_ec2_public_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-compute_api_ec2":
listening_service => 'ec2_api_cluster',
server_names => $::hostname,

12
manifests/compute/consoleproxy.pp
View File

@ -16,8 +16,9 @@
# Compute Proxy Console node
#
class cloud::compute::consoleproxy(
$api_eth = '127.0.0.1',
$spice_port = '6082'
$api_eth = '127.0.0.1',
$spice_port = '6082',
$firewall_settings = {},
){
include 'cloud::compute'
@ -27,6 +28,13 @@ class cloud::compute::consoleproxy(
host => $api_eth
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow spice access':
port => $spice_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-compute_spice":
listening_service => 'spice_cluster',
server_names => $::hostname,

17
manifests/compute/hypervisor.pp
View File

@ -61,6 +61,11 @@
# Need to be a valid shell path.
# Defaults to false
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::compute::hypervisor(
$server_proxyclient_address = '127.0.0.1',
$libvirt_type = 'kvm',
@ -76,6 +81,7 @@ class cloud::compute::hypervisor(
$volume_rbd = false,
$manage_tso = true,
$nova_shell = false,
$firewall_settings = {},
# when using NFS storage backend
$nfs_enabled = false,
$nfs_device = false,
@ -340,4 +346,15 @@ Host *
class { 'ceilometer::agent::compute': }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow instances console access':
port => '5900-5999',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow instances migration access':
port => ['16509', '49152-49215'],
extras => $firewall_settings,
}
}
}

22
manifests/dashboard.pp
View File

@ -79,7 +79,12 @@
# (optional) Enable optional services provided by neutron
# Useful when using cisco n1kv plugin, vpnaas or fwaas.
# Default to {}
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::dashboard(
$ks_keystone_internal_host = '127.0.0.1',
$secret_key = 'secrete',
@ -100,6 +105,7 @@ class cloud::dashboard(
$allowed_hosts = $::fqdn,
$vhost_extra_params = {},
$neutron_extra_options = {},
$firewall_settings = {},
) {
# We build the param needed for horizon class
@ -155,6 +161,13 @@ class cloud::dashboard(
}
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow horizon access':
port => $horizon_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-horizon":
listening_service => 'horizon_cluster',
server_names => $::hostname,
@ -165,6 +178,13 @@ class cloud::dashboard(
if $listen_ssl {
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow horizon ssl access':
port => $horizon_ssl_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-horizon-ssl":
listening_service => 'horizon_ssl_cluster',
server_names => $::hostname,

14
manifests/database/dbaas/api.pp
View File

@ -17,6 +17,12 @@
#
# Class to install API service of OpenStack Database as a Service (Trove)
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::dbaas::api(
$ks_trove_password = 'trovepassword',
@ -28,6 +34,7 @@ class cloud::database::dbaas::api(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_port = '5000',
$ks_keystone_internal_proto = 'http',
$firewall_settings = {},
) {
include 'cloud::database::dbaas'
@ -42,6 +49,13 @@ class cloud::database::dbaas::api(
keystone_password => $ks_trove_password,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow trove-api access':
port => $ks_trove_public_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-trove_api":
listening_service => 'trove_api_cluster',
server_names => $::hostname,

20
manifests/database/nosql.pp
View File

@ -35,10 +35,16 @@
# If set to false, the setup won't be HA and no replicaset will be created.
# Defaults to hostname
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::nosql(
$bind_ip = '127.0.0.1',
$nojournal = false,
$replset_members = $::hostname
$bind_ip = '127.0.0.1',
$nojournal = false,
$replset_members = $::hostname,
$firewall_settings = {},
) {
# should be an array
@ -82,4 +88,12 @@ class cloud::database::nosql(
anchor {'mongodb setup done' :
require => Exec['check_mongodb'],
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow mongodb access':
port => '27017',
extras => $firewall_settings,
}
}
}

29
manifests/database/sql.pp
View File

@ -17,9 +17,14 @@
#
# === Parameters
#
# [*galera_internal_ips*]
# Array of internal ip of the galera nodes.
# Defaults to ['127.0.0.1']
# [*galera_internal_ips*]
# Array of internal ip of the galera nodes.
# Defaults to ['127.0.0.1']
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::database::sql (
$api_eth = '127.0.0.1',
@ -59,7 +64,8 @@ class cloud::database::sql (
$mysql_sys_maint_password = 'sys_maint',
$galera_clustercheck_dbuser = 'clustercheckdbuser',
$galera_clustercheck_dbpassword = 'clustercheckpassword',
$galera_clustercheck_ipaddress = '127.0.0.1'
$galera_clustercheck_ipaddress = '127.0.0.1',
$firewall_settings = {},
) {
include 'xinetd'
@ -339,6 +345,21 @@ class cloud::database::sql (
onlyif => "stat ${::mysql::params::datadir}/ib_logfile0 && test `du -sh ${::mysql::params::datadir}/ib_logfile0 | cut -f1` != '256M'",
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow galera access':
port => ['3306', '4567', '4568', '4444'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow mysqlchk access':
port => '9200',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow mysql rsync access':
port => '873',
extras => $firewall_settings,
}
}
@@haproxy::balancermember{$::fqdn:
listening_service => 'galera_cluster',
server_names => $::hostname,

41
manifests/firewall/post.pp Normal file
View File

@ -0,0 +1,41 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::firewall::post
#
# Firewall rules during 'post' Puppet stage
#
class cloud::firewall::post(
$debug = false,
$log = false,
$firewall_settings = {},
){
if $debug {
warning('debug is enabled, the traffic is not blocked.')
} else {
firewall { '998 log all':
proto => 'all',
jump => 'LOG',
}
cloud::firewall::rule{ '999 drop all':
proto => 'all',
action => 'drop',
extras => $firewall_settings,
}
notice('At this stage, all network traffic is blocked.')
}
}

50
manifests/firewall/pre.pp Normal file
View File

@ -0,0 +1,50 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::firewall::pre
#
# Firewall rules during 'pre' Puppet stage
#
class cloud::firewall::pre(
$firewall_settings = {},
){
# ensure the correct packages are installed
include firewall
# defaults 'pre' rules
cloud::firewall::rule{ '000 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '001 accept all icmp':
proto => 'icmp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '002 accept all to lo interface':
proto => 'all',
iniface => 'lo',
extras => $firewall_settings,
}
cloud::firewall::rule{ '003 accept ssh':
port => '22',
extras => $firewall_settings,
}
}

46
manifests/firewall/rule.pp Normal file
View File

@ -0,0 +1,46 @@
#
# Copyright (C) 2014 eNovance SAS <licensing@enovance.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Define::
#
# cloud::firewall
#
define cloud::firewall::rule (
$port = undef,
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
$source = '0.0.0.0/0',
$iniface = undef,
$chain = 'INPUT',
$extras = {},
) {
$basic = {
'port' => $port,
'proto' => $proto,
'action' => $action,
'state' => $state,
'source' => $source,
'iniface' => $iniface,
'chain' => $chain,
}
$rule = merge($basic, $extras)
validate_hash($rule)
create_resources('firewall', { "${title}" => $rule })
}

19
manifests/identity.pp
View File

@ -355,6 +355,11 @@
# Experimental feature.
# Defaults to false
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::identity (
$swift_enabled = true,
$trove_enabled = false,
@ -450,7 +455,8 @@ class cloud::identity (
$log_facility = 'LOG_LOCAL0',
$use_syslog = true,
$ks_token_expiration = 3600,
$token_driver = 'keystone.token.backends.sql.Token'
$token_driver = 'keystone.token.backends.sql.Token',
$firewall_settings = {},
){
$encoded_user = uriescape($keystone_db_user)
@ -660,6 +666,17 @@ class cloud::identity (
unless => "/usr/bin/mysql keystone -h ${keystone_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables"
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow keystone access':
port => $ks_keystone_public_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow keystone admin access':
port => $ks_keystone_admin_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-keystone_api":
listening_service => 'keystone_api_cluster',
server_names => $::hostname,

13
manifests/image/api.pp
View File

@ -92,6 +92,11 @@
# service name removed.
# Defaults to 'keystone'.
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::image::api(
$glance_db_host = '127.0.0.1',
$glance_db_user = 'glance',
@ -118,6 +123,7 @@ class cloud::image::api(
$nfs_device = false,
$nfs_options = 'defaults',
$pipeline = 'keystone',
$firewall_settings = {},
) {
# Disable twice logging if syslog is enabled
@ -222,6 +228,13 @@ class cloud::image::api(
class { 'glance::cache::cleaner': }
class { 'glance::cache::pruner': }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow glance-api access':
port => $ks_glance_api_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-glance_api":
listening_service => 'glance_api_cluster',
server_names => $::hostname,

15
manifests/image/registry.pp
View File

@ -55,6 +55,11 @@
# (optional) Syslog facility to receive log lines
# Defaults to 'LOG_LOCAL0'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::image::registry(
$glance_db_host = '127.0.0.1',
$glance_db_user = 'glance',
@ -68,7 +73,8 @@ class cloud::image::registry(
$verbose = true,
$debug = true,
$log_facility = 'LOG_LOCAL0',
$use_syslog = true
$use_syslog = true,
$firewall_settings = {},
) {
# Disable twice logging if syslog is enabled
@ -116,6 +122,13 @@ class cloud::image::registry(
unless => "/usr/bin/mysql glance -h ${glance_db_host} -u ${encoded_glance_user} -p${encoded_glance_password} -e \"show tables\" | /bin/grep Tables"
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow glance-registry access':
port => $ks_glance_registry_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-glance_registry":
listening_service => 'glance_registry_cluster',
server_names => $::hostname,

61
manifests/init.pp
View File

@ -15,18 +15,23 @@
#
# Class: cloud
#
# Installs the private cloud system requirements
# Installs the system requirements
#
class cloud(
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$selinux_mode = 'permissive',
$selinux_directory = '/usr/share/selinux',
$selinux_booleans = [],
$selinux_modules = [],
$rhn_registration = undef,
$root_password = 'root',
$dns_ips = ['8.8.8.8', '8.8.4.4'],
$site_domain = 'mydomain',
$motd_title = 'eNovance IT Operations',
$selinux_mode = 'permissive',
$selinux_directory = '/usr/share/selinux',
$selinux_booleans = [],
$selinux_modules = [],
$manage_firewall = false,
$firewall_rules = {},
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
include ::stdlib
@ -100,4 +105,40 @@ This node is under the control of Puppet ${::puppetversion}.
"rhn-${::hostname}" => $rhn_registration
} )
}
if $manage_firewall {
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
purge => true
}
}
# anyone can add your own rules
# example with Hiera:
#
# cloud::firewall::rules:
# '300 allow custom application 1':
# port: 999
# proto: udp
# action: accept
# '301 allow custom application 2':
# port: 8081
# proto: tcp
# action: accept
#
create_resources('cloud::firewall::rule', $firewall_rules)
ensure_resource('class', 'cloud::firewall::pre', {
'firewall_settings' => $firewall_pre_extras,
'stage' => 'setup',
})
ensure_resource('class', 'cloud::firewall::post', {
'stage' => 'runtime',
'firewall_settings' => $firewall_post_extras,
})
}
}

186
manifests/loadbalancer.pp
View File

@ -184,6 +184,11 @@
# Should be part of keepalived_internal_ips
# Defaults to false (backward compatibility)
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::loadbalancer(
$swift_api = true,
$ceilometer_api = true,
@ -257,6 +262,7 @@ class cloud::loadbalancer(
$vip_internal_ip = false,
$galera_ip = ['127.0.0.1'],
$galera_slave = false,
$firewall_settings = {},
# Deprecated parameters
$keepalived_interface = false,
$keepalived_ipvs = false,
@ -364,94 +370,108 @@ class cloud::loadbalancer(
# Instanciate HAproxy binding
cloud::loadbalancer::binding { 'keystone_api_cluster':
ip => $keystone_api,
port => $ks_keystone_public_port,
bind_options => $keystone_bind_options,
ip => $keystone_api,
port => $ks_keystone_public_port,
bind_options => $keystone_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'keystone_api_admin_cluster':
ip => $keystone_api_admin,
port => $ks_keystone_admin_port,
bind_options => $keystone_admin_bind_options,
ip => $keystone_api_admin,
port => $ks_keystone_admin_port,
bind_options => $keystone_admin_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'swift_api_cluster':
ip => $swift_api,
port => $ks_swift_public_port,
bind_options => $swift_bind_options,
httpchk => 'httpchk /healthcheck',
ip => $swift_api,
port => $ks_swift_public_port,
bind_options => $swift_bind_options,
httpchk => 'httpchk /healthcheck',
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'nova_api_cluster':
ip => $nova_api,
port => $ks_nova_public_port,
bind_options => $nova_bind_options,
ip => $nova_api,
port => $ks_nova_public_port,
bind_options => $nova_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'ec2_api_cluster':
ip => $ec2_api,
port => $ks_ec2_public_port,
bind_options => $ec2_bind_options,
ip => $ec2_api,
port => $ks_ec2_public_port,
bind_options => $ec2_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'metadata_api_cluster':
ip => $metadata_api,
port => $ks_metadata_public_port,
bind_options => $metadata_bind_options,
ip => $metadata_api,
port => $ks_metadata_public_port,
bind_options => $metadata_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'spice_cluster':
ip => $spice,
port => $spice_port,
options => {
ip => $spice,
port => $spice_port,
options => {
'mode' => 'tcp',
'option' => ['tcpka', 'tcplog', 'forwardfor'],
'balance' => 'source',
'timeout server' => '120m',
'timeout client' => '120m',
},
bind_options => $spice_bind_options,
bind_options => $spice_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'rabbitmq_cluster':
ip => $rabbitmq,
port => $rabbitmq_port,
options => {
ip => $rabbitmq,
port => $rabbitmq_port,
options => {
'mode' => 'tcp',
'option' => ['tcpka', 'tcplog', 'forwardfor'],
'balance' => 'roundrobin',
},
bind_options => $rabbitmq_bind_options,
bind_options => $rabbitmq_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'trove_api_cluster':
ip => $trove_api,
port => $ks_trove_public_port,
bind_options => $trove_bind_options,
ip => $trove_api,
port => $ks_trove_public_port,
bind_options => $trove_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'glance_api_cluster':
ip => $glance_api,
options => {
ip => $glance_api,
options => {
'mode' => 'tcp',
'balance' => 'source',
'option' => ['tcpka', 'tcplog', 'forwardfor'],
'timeout server' => '120m',
'timeout client' => '120m',
},
port => $ks_glance_api_public_port,
bind_options => $glance_api_bind_options,
port => $ks_glance_api_public_port,
bind_options => $glance_api_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'glance_registry_cluster':
ip => $glance_registry,
port => $ks_glance_registry_internal_port,
bind_options => $glance_registry_bind_options,
ip => $glance_registry,
port => $ks_glance_registry_internal_port,
bind_options => $glance_registry_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'neutron_api_cluster':
ip => $neutron_api,
port => $ks_neutron_public_port,
bind_options => $neutron_bind_options,
ip => $neutron_api,
port => $ks_neutron_public_port,
bind_options => $neutron_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'cinder_api_cluster':
ip => $cinder_api,
port => $ks_cinder_public_port,
bind_options => $cinder_bind_options,
ip => $cinder_api,
port => $ks_cinder_public_port,
bind_options => $cinder_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'ceilometer_api_cluster':
ip => $ceilometer_api,
port => $ks_ceilometer_public_port,
bind_options => $ceilometer_bind_options,
ip => $ceilometer_api,
port => $ks_ceilometer_public_port,
bind_options => $ceilometer_bind_options,
firewall_settings => $firewall_settings,
}
if 'ssl' in $heat_api_bind_options {
$heat_api_options = {
@ -460,10 +480,11 @@ class cloud::loadbalancer(
$heat_api_options = {}
}
cloud::loadbalancer::binding { 'heat_api_cluster':
ip => $heat_api,
port => $ks_heat_public_port,
bind_options => $heat_api_bind_options,
options => $heat_api_options
ip => $heat_api,
port => $ks_heat_public_port,
bind_options => $heat_api_bind_options,
options => $heat_api_options,
firewall_settings => $firewall_settings,
}
if 'ssl' in $heat_cfn_bind_options {
$heat_cfn_options = {
@ -472,10 +493,11 @@ class cloud::loadbalancer(
$heat_cfn_options = { }
}
cloud::loadbalancer::binding { 'heat_cfn_api_cluster':
ip => $heat_cfn_api,
port => $ks_heat_cfn_public_port,
bind_options => $heat_cfn_bind_options,
options => $heat_cfn_options
ip => $heat_cfn_api,
port => $ks_heat_cfn_public_port,
bind_options => $heat_cfn_bind_options,
options => $heat_cfn_options,
firewall_settings => $firewall_settings,
}
if 'ssl' in $heat_cloudwatch_bind_options {
$heat_cloudwatch_options = {
@ -484,10 +506,11 @@ class cloud::loadbalancer(
$heat_cloudwatch_options = { }
}
cloud::loadbalancer::binding { 'heat_cloudwatch_api_cluster':
ip => $heat_cloudwatch_api,
port => $ks_heat_cloudwatch_public_port,
bind_options => $heat_cloudwatch_bind_options,
options => $heat_cloudwatch_options
ip => $heat_cloudwatch_api,
port => $ks_heat_cloudwatch_public_port,
bind_options => $heat_cloudwatch_bind_options,
options => $heat_cloudwatch_options,
firewall_settings => $firewall_settings,
}
$horizon_ssl_options = {
@ -510,19 +533,21 @@ class cloud::loadbalancer(
}
cloud::loadbalancer::binding { 'horizon_cluster':
ip => $horizon,
port => $horizon_port,
httpchk => "httpchk GET /${::cloud::params::horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"",
options => $horizon_options,
bind_options => $horizon_bind_options,
ip => $horizon,
port => $horizon_port,
httpchk => "httpchk GET /${::cloud::params::horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"",
options => $horizon_options,
bind_options => $horizon_bind_options,
firewall_settings => $firewall_settings,
}
cloud::loadbalancer::binding { 'horizon_ssl_cluster':
ip => $horizon_ssl,
port => $horizon_ssl_port,
httpchk => 'ssl-hello-chk',
options => $horizon_ssl_options,
bind_options => $horizon_ssl_bind_options,
ip => $horizon_ssl,
port => $horizon_ssl_port,
httpchk => 'ssl-hello-chk',
options => $horizon_ssl_options,
bind_options => $horizon_ssl_bind_options,
firewall_settings => $firewall_settings,
}
if (member(any2array($keepalived_public_ipvs_real), $galera_ip)) {
@ -541,7 +566,16 @@ class cloud::loadbalancer(
},
bind_options => $galera_bind_options,
}
if $galera_slave {
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow galera-slave binding access':
port => '3307',
extras => $firewall_settings,
}
}
haproxy::listen { 'galera_readonly_cluster':
ipaddress => $galera_ip,
ports => 3307,
@ -563,4 +597,20 @@ class cloud::loadbalancer(
}
create_resources(sysctl::value,$haproxy_sysctl_settings)
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow galera binding access':
port => '3306',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow haproxy monitor access':
port => '9300',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow keepalived access':
port => undef,
proto => 'vrrp',
extras => $firewall_settings,
}
}
}

15
manifests/loadbalancer/binding.pp
View File

@ -17,9 +17,10 @@
define cloud::loadbalancer::binding (
$ip,
$port,
$httpchk = undef,
$options = undef,
$bind_options = undef,
$httpchk = undef,
$options = undef,
$bind_options = undef,
$firewall_settings = {},
){
include cloud::loadbalancer
@ -62,6 +63,14 @@ define cloud::loadbalancer::binding (
listen_ip => $listen_ip_real,
bind_options => $bind_options;
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ "100 allow ${name} binding access":
port => $port,
extras => $firewall_settings,
}
}
}
}

17
manifests/messaging.pp
View File

@ -45,6 +45,11 @@
# (optional) Port of RabbitMQ service.
# Defaults to '5672'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::messaging(
$cluster_node_type = 'disc',
$rabbit_names = $::hostname,
@ -52,6 +57,7 @@ class cloud::messaging(
$haproxy_binding = false,
$rabbitmq_ip = $::ipaddress,
$rabbitmq_port = '5672',
$firewall_settings = {},
){
# we ensure having an array
@ -109,6 +115,17 @@ class cloud::messaging(
provider => 'rabbitmqctl',
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow rabbitmq access':
port => $rabbitmq_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow rabbitmq management access':
port => '55672',
extras => $firewall_settings,
}
}
if $haproxy_binding {
@@haproxy::balancermember{"${::fqdn}-rabbitmq":
listening_service => 'rabbitmq_cluster',

15
manifests/network/controller.pp
View File

@ -15,10 +15,17 @@
#
# Network Controller node (API + Scheduler)
#
# === Parameters:
#
# [*manage_ext_network*]
# (optionnal) Manage or not external network with provider network API
# Defaults to false.
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::controller(
$neutron_db_host = '127.0.0.1',
$neutron_db_user = 'neutron',
@ -37,6 +44,7 @@ class cloud::network::controller(
$nova_admin_password = 'novapassword',
$nova_region_name = 'RegionOne',
$manage_ext_network = false,
$firewall_settings = {},
) {
include 'cloud::network'
@ -86,6 +94,13 @@ class cloud::network::controller(
notify => Service['neutron-server']
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow neutron-server access':
port => $ks_neutron_public_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-neutron_api":
listening_service => 'neutron_api_cluster',
server_names => $::hostname,

17
manifests/network/dhcp.pp
View File

@ -18,7 +18,8 @@
class cloud::network::dhcp(
$veth_mtu = 1500,
$debug = true,
$dnsmasq_dns_server = false
$dnsmasq_dns_server = false,
$firewall_settings = {},
) {
include 'cloud::network'
@ -48,4 +49,18 @@ class cloud::network::dhcp(
notify => Service['neutron-dhcp-agent']
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow dhcp in access':
port => '67',
proto => 'udp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow dhcp out access':
port => '68',
proto => 'udp',
chain => 'OUTPUT',
extras => $firewall_settings,
}
}
}

24
manifests/network/vswitch.pp
View File

@ -120,12 +120,18 @@
# Not applicable if 'n1kv_source' is a file. (Option-B above)
# Defaults to 'present'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::network::vswitch(
# common
$driver = 'ml2_ovs',
$manage_ext_network = false,
$external_int = 'eth1',
$external_bridge = 'br-pub',
$firewall_settings = {},
# ml2_ovs
$tunnel_types = ['gre'],
$provider_bridge_mappings = ['public:br-pub'],
@ -190,4 +196,22 @@ class cloud::network::vswitch(
bridge => $external_bridge
}
}
if $::cloud::manage_firewall {
if ('gre' in $tunnel_types) {
cloud::firewall::rule{ '100 allow gre access':
port => undef,
proto => 'gre',
extras => $firewall_settings,
}
}
if ('vxlan' in $tunnel_types) {
cloud::firewall::rule{ '100 allow vxlan access':
port => '4789',
proto => 'udp',
extras => $firewall_settings,
}
}
}
}

17
manifests/object/controller.pp
View File

@ -13,8 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::controller
#
# Swift Proxy node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::object::controller(
$ks_keystone_admin_host = '127.0.0.1',
$ks_keystone_admin_port = 35357,
@ -29,6 +38,7 @@ class cloud::object::controller(
$statsd_port = 4125,
$memcache_servers = ['127.0.0.1:11211'],
$api_eth = '127.0.0.1',
$firewall_settings = {},
) {
include 'cloud::object'
@ -113,6 +123,13 @@ cache = swift.cache')
Swift::Ringsync<<| |>> #~> Service["swift-proxy"]
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow swift-proxy access':
port => $ks_swift_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-swift_api":
listening_service => 'swift_api_cluster',
server_names => $::hostname,

29
manifests/object/storage.pp
View File

@ -13,8 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::object::storage
#
# Swift Storage node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::object::storage (
$storage_eth = '127.0.0.1',
$swift_zone = undef,
@ -25,6 +34,7 @@ class cloud::object::storage (
$device_config_hash = {},
$ring_container_device = 'sdb',
$ring_account_device = 'sdb',
$firewall_settings = {},
) {
include 'cloud::object'
@ -102,4 +112,23 @@ allow_versions = on
Swift::Storage::Server[$account_port] ->
Swift::Storage::Server[$object_port]
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow swift-container access':
port => $container_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift-account access':
port => $account_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift-object access':
port => $object_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow swift rsync access':
port => '873',
extras => $firewall_settings,
}
}
}

25
manifests/orchestration/api.pp
View File

@ -13,14 +13,24 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::image::api
#
# Orchestration APIs node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::orchestration::api(
$ks_heat_internal_port = 8004,
$ks_heat_cfn_internal_port = 8000,
$ks_heat_cloudwatch_internal_port = 8003,
$api_eth = '127.0.0.1',
$workers = $::processorcount,
$firewall_settings = {},
) {
include 'cloud::orchestration'
@ -43,6 +53,21 @@ class cloud::orchestration::api(
workers => $workers
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow heat-api access':
port => $ks_heat_internal_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow heat-cfn access':
port => $ks_heat_cfn_internal_port,
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow heat-cloudwatch access':
port => $ks_heat_cloudwatch_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-heat_api":
listening_service => 'heat_api_cluster',
server_names => $::hostname,

25
manifests/spof.pp
View File

@ -30,11 +30,17 @@
# (optionnal) IP address used to send multicast traffic
# Defaults to '239.1.1.2'
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::spof(
$cluster_ip = '127.0.0.1',
$cluster_members = false,
$multicast_address = '239.1.1.2',
$cluster_password = 'secrete'
$cluster_password = 'secrete',
$firewall_settings = {},
) {
if $::osfamily == 'RedHat' {
@ -125,4 +131,21 @@ class cloud::spof(
enabled => false,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow vrrp access':
port => undef,
proto => 'vrrp',
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow corosync tcp access':
port => ['2224','3121','21064'],
extras => $firewall_settings,
}
cloud::firewall::rule{ '100 allow corosync udp access':
port => ['5404','5405'],
proto => 'udp',
extras => $firewall_settings,
}
}
}

14
manifests/storage/rbd/monitor.pp
View File

@ -14,9 +14,10 @@
# under the License.
#
class cloud::storage::rbd::monitor (
$id = $::uniqueid,
$mon_addr = '127.0.0.1',
$monitor_secret = 'cephmonsecret'
$id = $::uniqueid,
$mon_addr = '127.0.0.1',
$monitor_secret = 'cephmonsecret',
$firewall_settings = {},
) {
include 'cloud::storage::rbd'
@ -27,4 +28,11 @@ class cloud::storage::rbd::monitor (
mon_addr => $mon_addr,
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceph-mon access':
port => '6789',
extras => $firewall_settings,
}
}
}

15
manifests/storage/rbd/osd.pp
View File

@ -14,9 +14,10 @@
# under the License.
#
class cloud::storage::rbd::osd (
$public_address = '127.0.0.1',
$cluster_address = '127.0.0.1',
$devices = ['sdb','/dev/sdc'],
$public_address = '127.0.0.1',
$cluster_address = '127.0.0.1',
$devices = ['sdb','/dev/sdc'],
$firewall_settings = {},
) {
include 'cloud::storage::rbd'
@ -38,4 +39,12 @@ class cloud::storage::rbd::osd (
elsif is_hash($devices) {
create_resources('ceph::osd::device', $devices)
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceph-osd access':
port => '6800-6810',
extras => $firewall_settings,
}
}
}

17
manifests/telemetry/api.pp
View File

@ -13,14 +13,24 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::telemetry::api
#
# Telemetry API nodes
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::telemetry::api(
$ks_keystone_internal_host = '127.0.0.1',
$ks_keystone_internal_proto = 'http',
$ks_ceilometer_internal_port = '8777',
$ks_ceilometer_password = 'ceilometerpassword',
$api_eth = '127.0.0.1',
$firewall_settings = {},
){
include 'cloud::telemetry'
@ -44,6 +54,13 @@ class cloud::telemetry::api(
Cron <<| title == 'ceilometer-expirer' |>> { command => "sleep $((\$RANDOM % 86400)) && ${::ceilometer::params::expirer_command}" }
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow ceilometer-api access':
port => $ks_ceilometer_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-ceilometer_api":
listening_service => 'ceilometer_api_cluster',
server_names => $::hostname,

17
manifests/volume/api.pp
View File

@ -13,8 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: cloud::volume::api
#
# Volume API node
#
# === Parameters:
#
# [*firewall_settings*]
# (optional) Allow to add custom parameters to firewall rules
# Should be an hash.
# Default to {}
#
class cloud::volume::api(
$ks_cinder_internal_port = 8776,
$ks_cinder_password = 'cinderpassword',
@ -25,6 +34,7 @@ class cloud::volume::api(
$api_eth = '127.0.0.1',
$ks_glance_internal_proto = 'http',
$default_volume_type = undef,
$firewall_settings = {},
# Maintain backward compatibility for multi-backend
$volume_multi_backend = false
) {
@ -55,6 +65,13 @@ class cloud::volume::api(
glance_num_retries => '10'
}
if $::cloud::manage_firewall {
cloud::firewall::rule{ '100 allow cinder-api access':
port => $ks_cinder_internal_port,
extras => $firewall_settings,
}
}
@@haproxy::balancermember{"${::fqdn}-cinder_api":
listening_service => 'cinder_api_cluster',
server_names => $::hostname,

4
manifests/volume/controller.pp
View File

@ -24,6 +24,7 @@ class cloud::volume::controller(
$ks_glance_api_internal_port = 9292,
$api_eth = '127.0.0.1',
$default_volume_type = undef,
$firewall_settings = {},
# Maintain backward compatibility for multi-backend
$volume_multi_backend = false
) {
@ -43,7 +44,8 @@ class cloud::volume::controller(
api_eth => $api_eth,
default_volume_type => $default_volume_type,
# Maintain backward compatibility for multi-backend
volume_multi_backend => $volume_multi_backend
volume_multi_backend => $volume_multi_backend,
firewall_settings => $firewall_settings,
}
class { 'cloud::volume::scheduler':
volume_multi_backend => $volume_multi_backend

39
spec/classes/cloud_cache_spec.rb
View File

@ -32,13 +32,42 @@ describe 'cloud::cache' do
:max_memory => '60%'
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure memcached firewall rules' do
is_expected.to contain_firewall('100 allow memcached access').with(
:port => '11211',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure memcached firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow memcached access').with(
:port => '11211',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:memorysize => '1000 MB',
:processorcount => '1' }
{ :osfamily => 'Debian' }
end
it_configures 'cache server'
@ -46,9 +75,7 @@ describe 'cloud::cache' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:memorysize => '1000 MB',
:processorcount => '1' }
{ :osfamily => 'RedHat' }
end
it_configures 'cache server'

52
spec/classes/cloud_compute_api_spec.rb
View File

@ -125,6 +125,58 @@ describe 'cloud::compute::api' do
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure nova firewall rules' do
is_expected.to contain_firewall('100 allow nova-api access').with(
:port => '8774',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow nova-ec2 access').with(
:port => '8773',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow nova-metadata access').with(
:port => '8775',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure nova firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow nova-api access').with(
:port => '8774',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow nova-ec2 access').with(
:port => '8773',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow nova-metadata access').with(
:port => '8775',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

30
spec/classes/cloud_compute_consoleproxy_spec.rb
View File

@ -94,6 +94,36 @@ describe 'cloud::compute::consoleproxy' do
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure spice firewall rules' do
is_expected.to contain_firewall('100 allow spice access').with(
:port => '6082',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure spice firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow spice access').with(
:port => '6082',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

51
spec/classes/cloud_compute_hypervisor_spec.rb
View File

@ -256,7 +256,6 @@ describe 'cloud::compute::hypervisor' do
{ :osfamily => 'Debian',
:operatingsystem => 'Ubuntu',
:vtx => true,
:concat_basedir => '/var/lib/puppet/concat'
}
end
@ -272,8 +271,7 @@ describe 'cloud::compute::hypervisor' do
before :each do
facts.merge!( :osfamily => 'Debian',
:operatingsystem => 'Debian',
:vtx => true,
:concat_basedir => '/var/lib/puppet/concat' )
:vtx => true )
end
it 'ensure TSO script is enabled at boot' do
is_expected.to contain_exec('enable-tso-script').with(
@ -294,8 +292,7 @@ describe 'cloud::compute::hypervisor' do
context 'without TSO/GSO/GRO on Red Hat systems' do
before :each do
facts.merge!( :osfamily => 'RedHat',
:vtx => true,
:concat_basedir => '/var/lib/puppet/concat' )
:vtx => true )
end
it 'ensure TSO script is enabled at boot' do
is_expected.to contain_exec('enable-tso-script').with(
@ -525,6 +522,48 @@ describe 'cloud::compute::hypervisor' do
end
it_raises 'a Puppet::Error', /When running NFS backend, vm_rbd parameter cannot be set to true./
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure compute firewall rules' do
is_expected.to contain_firewall('100 allow instances console access').with(
:port => '5900-5999',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow instances migration access').with(
:port => ['16509', '49152-49215'],
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure compute firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow instances console access').with(
:port => '5900-5999',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow instances migration access').with(
:port => ['16509', '49152-49215'],
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
@ -532,7 +571,6 @@ describe 'cloud::compute::hypervisor' do
{ :osfamily => 'Debian',
:operatingsystem => 'Debian',
:vtx => true,
:concat_basedir => '/var/lib/puppet/concat',
# required for rpcbind module
:lsbdistid => 'Debian'
}
@ -546,7 +584,6 @@ describe 'cloud::compute::hypervisor' do
let :facts do
{ :osfamily => 'RedHat',
:vtx => true,
:concat_basedir => '/var/lib/puppet/concat',
# required for rbd support check
:operatingsystemmajrelease => '7',
# required for nfs module

38
spec/classes/cloud_dashboard_spec.rb
View File

@ -124,15 +124,43 @@ describe 'cloud::dashboard' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure horizon firewall rules' do
is_expected.to contain_firewall('100 allow horizon access').with(
:port => '80',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure horizon firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow horizon access').with(
:port => '80',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:operatingsystem => 'Ubuntu',
:operatingsystemrelease => '12.04',
:processorcount => '1',
:concat_basedir => '/var/lib/puppet/concat' }
:operatingsystemrelease => '12.04' }
end
it_configures 'openstack dashboard'
@ -141,9 +169,7 @@ describe 'cloud::dashboard' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:operatingsystemrelease => '6',
:processorcount => '1',
:concat_basedir => '/var/lib/puppet/concat' }
:operatingsystemrelease => '6' }
end
it_configures 'openstack dashboard'

30
spec/classes/cloud_database_dbaas_api_spec.rb
View File

@ -79,6 +79,36 @@ describe 'cloud::database::dbaas::api' do
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure trove-api firewall rules' do
is_expected.to contain_firewall('100 allow trove-api access').with(
:port => '8779',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure trove-api firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow trove-api access').with(
:port => '8779',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

30
spec/classes/cloud_database_nosql_spec.rb
View File

@ -59,6 +59,36 @@ describe 'cloud::database::nosql' do
is_expected.not_to contain_mongodb_replset('ceilometer')
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure mongodb firewall rules' do
is_expected.to contain_firewall('100 allow mongodb access').with(
:port => '27017',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure mongodb firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow mongodb access').with(
:port => '27017',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

52
spec/classes/cloud_database_sql_spec.rb
View File

@ -208,6 +208,58 @@ describe 'cloud::database::sql' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure mysql firewall rules' do
is_expected.to contain_firewall('100 allow galera access').with(
:port => ['3306', '4567', '4568', '4444'],
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow mysqlchk access').with(
:port => '9200',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow mysql rsync access').with(
:port => '873',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure mysql firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow galera access').with(
:port => ['3306', '4567', '4568', '4444'],
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow mysqlchk access').with(
:port => '9200',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow mysql rsync access').with(
:port => '873',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end # openstack database sql
context 'on Debian platforms' do

43
spec/classes/cloud_identity_spec.rb
View File

@ -345,6 +345,47 @@ describe 'cloud::identity' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure keystone firewall rules' do
is_expected.to contain_firewall('100 allow keystone access').with(
:port => '5000',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow keystone admin access').with(
:port => '35357',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure keystone firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow keystone access').with(
:port => '5000',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow keystone admin access').with(
:port => '35357',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
@ -352,7 +393,6 @@ describe 'cloud::identity' do
{ :osfamily => 'Debian',
:operatingsystemrelease => '12.04',
:processorcount => '2',
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'keystone.openstack.org' }
end
@ -364,7 +404,6 @@ describe 'cloud::identity' do
{ :osfamily => 'RedHat',
:operatingsystemrelease => '6',
:processorcount => '2',
:concat_basedir => '/var/lib/puppet/concat',
:fqdn => 'keystone.openstack.org' }
end

35
spec/classes/cloud_image_api_spec.rb
View File

@ -46,6 +46,10 @@ describe 'cloud::image::api' do
shared_examples_for 'openstack image api' do
it 'should not configure firewall rule' do
is_expected.not_to contain_firewall('100 allow glance api access')
end
it 'configure glance-api' do
is_expected.to contain_class('glance::api').with(
:database_connection => 'mysql://glance:secrete@10.0.0.1/glance?charset=utf8',
@ -143,6 +147,37 @@ describe 'cloud::image::api' do
end
it { is_expected.to compile.and_raise_error(/Something is not a Glance supported backend./) }
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure Glance API firewall rules' do
is_expected.to contain_firewall('100 allow glance-api access').with(
:port => '9292',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure Glance API firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow glance-api access').with(
:port => '9292',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

31
spec/classes/cloud_image_registry_spec.rb
View File

@ -65,6 +65,37 @@ describe 'cloud::image::registry' do
:unless => '/usr/bin/mysql glance -h 10.0.0.1 -u glance -psecrete -e "show tables" | /bin/grep Tables'
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure Glance Registry firewall rules' do
is_expected.to contain_firewall('100 allow glance-registry access').with(
:port => '9191',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure Glance API firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow glance-registry access').with(
:port => '9191',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

80
spec/classes/cloud_init_spec.rb
View File

@ -24,7 +24,7 @@ describe 'cloud' do
{ }
end
shared_examples_for 'private cloud node' do
shared_examples_for 'cloud node' do
let :pre_condition do
'
@ -50,27 +50,90 @@ describe 'cloud' do
:enable => true
}) }
context 'with firewall enabled' do
before :each do
params.merge!(
:manage_firewall => true,
)
end
it 'configure basic pre firewall rules' do
is_expected.to contain_firewall('000 accept related established rules').with(
:proto => 'all',
:state => ['RELATED', 'ESTABLISHED'],
:action => 'accept',
)
is_expected.to contain_firewall('001 accept all icmp').with(
:proto => 'icmp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('002 accept all to lo interface').with(
:proto => 'all',
:iniface => 'lo',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('003 accept ssh').with(
:port => '22',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
it 'configure basic post firewall rules' do
is_expected.to contain_firewall('999 drop all').with(
:proto => 'all',
:action => 'drop',
:source => '0.0.0.0/0',
)
end
end
context 'with custom firewall rules' do
before :each do
params.merge!(
:manage_firewall => true,
:firewall_rules => {
'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
}
)
end
it 'configure custom firewall rules' do
is_expected.to contain_firewall('300 add custom application 1').with(
:port => '999',
:proto => 'udp',
:action => 'accept',
:state => ['NEW'],
)
is_expected.to contain_firewall('301 add custom application 2').with(
:port => '8081',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat',
:puppetversion => '3.3' }
{ :osfamily => 'Debian' }
end
let :platform_params do
{ :cron_service_name => 'cron'}
end
it_configures 'private cloud node'
it_configures 'cloud node'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:concat_basedir => '/var/lib/puppet/concat',
:puppetversion => '3.3',
:hostname => 'redhat1' }
end
@ -82,7 +145,7 @@ describe 'cloud' do
{ :rhn_registration => { "username" => "rhn", "password" => "pass" } }
end
#it_configures 'private cloud node'
it_configures 'cloud node'
xit { is_expected.to contain_rhn_register('rhn-redhat1') }
@ -103,7 +166,6 @@ describe 'cloud' do
:stage => 'setup',
)
end
end
end

74
spec/classes/cloud_loadbalancer_spec.rb
View File

@ -515,13 +515,80 @@ describe 'cloud::loadbalancer' do
}
)}
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure haproxy firewall rules' do
# test the firewall rule in cloud::loadbalancer::binding
is_expected.to contain_firewall('100 allow horizon_cluster binding access').with(
:port => '80',
:proto => 'tcp',
:action => 'accept',
)
# test the firewall rules in cloud::loadbalancer
is_expected.to contain_firewall('100 allow galera binding access').with(
:port => '3306',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow haproxy monitor access').with(
:port => '9300',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow keepalived access').with(
:port => nil,
:proto => 'vrrp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure haproxy firewall rules with custom parameter' do
# test the firewall rule in cloud::loadbalancer::binding
is_expected.to contain_firewall('100 allow horizon_cluster binding access').with(
:port => '80',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
# test the firewall rules in cloud::loadbalancer
is_expected.to contain_firewall('100 allow galera binding access').with(
:port => '3306',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow haproxy monitor access').with(
:port => '9300',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow keepalived access').with(
:port => nil,
:proto => 'vrrp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end # shared:: openstack loadbalancer
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:hostname => 'myhost',
:concat_basedir => '/var/lib/puppet/concat' }
:hostname => 'myhost' }
end
let :platform_params do
@ -539,8 +606,7 @@ describe 'cloud::loadbalancer' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:hostname => 'myhost',
:concat_basedir => '/var/lib/puppet/concat' }
:hostname => 'myhost' }
end
let :platform_params do

40
spec/classes/cloud_messaging_spec.rb
View File

@ -53,12 +53,45 @@ describe 'cloud::messaging' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure rabbitmq firewall rules' do
is_expected.to contain_firewall('100 allow rabbitmq access').with(
:port => '5672',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow rabbitmq management access').with(
:port => '55672',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure rabbitmq firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow rabbitmq management access').with(
:port => '55672',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:puppetversion => '3.3' }
{ :osfamily => 'Debian' }
end
it_configures 'openstack messaging'
@ -66,8 +99,7 @@ describe 'cloud::messaging' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:puppetversion => '3.3' }
{ :osfamily => 'RedHat' }
end
it_configures 'openstack messaging'

30
spec/classes/cloud_network_controller_spec.rb
View File

@ -123,6 +123,36 @@ describe 'cloud::network::controller' do
is_expected.not_to contain__neutron_network('public')
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure neutron-server firewall rules' do
is_expected.to contain_firewall('100 allow neutron-server access').with(
:port => '9696',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure neutrons-server firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow neutron-server access').with(
:port => '9696',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

46
spec/classes/cloud_network_dhcp_spec.rb
View File

@ -131,6 +131,52 @@ describe 'cloud::network::dhcp' do
)
is_expected.to contain_file('/etc/neutron/dnsmasq-neutron.conf').with_content(/^dhcp-option-force=26,1400$/)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure neutron-server firewall rules' do
is_expected.to contain_firewall('100 allow dhcp in access').with(
:port => '67',
:proto => 'udp',
:chain => 'INPUT',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow dhcp out access').with(
:port => '68',
:proto => 'udp',
:chain => 'OUTPUT',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure neutrons-server firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow dhcp in access').with(
:port => '67',
:proto => 'udp',
:chain => 'INPUT',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow dhcp out access').with(
:port => '68',
:proto => 'udp',
:chain => 'OUTPUT',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

31
spec/classes/cloud_network_vswitch_spec.rb
View File

@ -131,6 +131,37 @@ describe 'cloud::network::vswitch' do
end
it { should compile.and_raise_error(/Something plugin is not supported./) }
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure gre firewall rules' do
is_expected.to contain_firewall('100 allow gre access').with(
:port => nil,
:proto => 'gre',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure gre firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow gre access').with(
:port => nil,
:proto => 'gre',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

67
spec/classes/cloud_objectstorage_storage_spec.rb → spec/classes/cloud_object_storage_spec.rb
View File

@ -94,13 +94,74 @@ describe 'cloud::object::storage' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure swift-storage firewall rules' do
is_expected.to contain_firewall('100 allow swift-container access').with(
:port => '6001',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow swift-account access').with(
:port => '6002',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow swift-object access').with(
:port => '6000',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow swift rsync access').with(
:port => '873',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure swift-storage firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow swift-container access').with(
:port => '6001',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow swift-account access').with(
:port => '6002',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow swift-object access').with(
:port => '6000',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow swift rsync access').with(
:port => '873',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{
:concat_basedir => '/tmp/',
:concat_basedir => '/tmp/foo',
:osfamily => 'Debian' ,
}
end
@ -111,8 +172,6 @@ describe 'cloud::object::storage' do
context 'on RedHat platforms' do
let :facts do
{
:concat_basedir => '/tmp/',
:concat_basedir => '/tmp/foo',
:osfamily => 'RedHat'
}
end

52
spec/classes/cloud_orchestration_api_spec.rb
View File

@ -98,6 +98,58 @@ describe 'cloud::orchestration::api' do
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure heat api firewall rules' do
is_expected.to contain_firewall('100 allow heat-api access').with(
:port => '8004',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow heat-cfn access').with(
:port => '8000',
:proto => 'tcp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow heat-cloudwatch access').with(
:port => '8003',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure heat firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow heat-api access').with(
:port => '8004',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow heat-cfn access').with(
:port => '8000',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow heat-cloudwatch access').with(
:port => '8003',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

65
spec/classes/cloud_spof_spec.rb
View File

@ -96,13 +96,68 @@ describe 'cloud::spof' do
end
it { is_expected.to compile.and_raise_error(/cluster_members is a required parameter./) }
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!( :cluster_members => 'srv1 srv2 srv3')
end
it 'configure pacemaker firewall rules' do
is_expected.to contain_firewall('100 allow vrrp access').with(
:port => nil,
:proto => 'vrrp',
:action => 'accept',
)
is_expected.to contain_firewall('100 allow corosync tcp access').with(
:port => ['2224','3121','21064'],
:action => 'accept',
)
is_expected.to contain_firewall('100 allow corosync udp access').with(
:port => ['5404','5405'],
:proto => 'udp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(
:firewall_settings => { 'limit' => '50/sec' },
:cluster_members => 'srv1 srv2 srv3'
)
end
it 'configure pacemaker firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow vrrp access').with(
:port => nil,
:proto => 'vrrp',
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow corosync tcp access').with(
:port => ['2224','3121','21064'],
:action => 'accept',
:limit => '50/sec',
)
is_expected.to contain_firewall('100 allow corosync udp access').with(
:port => ['5404','5405'],
:proto => 'udp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'Debian' }
end
it_configures 'cloud spof'
@ -110,9 +165,7 @@ describe 'cloud::spof' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'RedHat' }
end
it_configures 'cloud spof'
end

38
spec/classes/cloud_storage_rbd_mon_spec.rb
View File

@ -52,13 +52,41 @@ describe 'cloud::storage::rbd::monitor' do
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure ceph monitor firewall rules' do
is_expected.to contain_firewall('100 allow ceph-mon access').with(
:port => '6789',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure ceph monitor firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow ceph-mon access').with(
:port => '6789',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'Debian' }
end
it_configures 'ceph monitor'
@ -66,9 +94,7 @@ describe 'cloud::storage::rbd::monitor' do
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'RedHat' }
end
it_configures 'ceph monitor'
end

38
spec/classes/cloud_storage_rbd_osd_spec.rb
View File

@ -61,22 +61,48 @@ describe 'cloud::storage::rbd::osd' do
end
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure ceph osd firewall rules' do
is_expected.to contain_firewall('100 allow ceph-osd access').with(
:port => '6800-6810',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure ceph osd firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow ceph-osd access').with(
:port => '6800-6810',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do
let :facts do
{ :osfamily => 'Debian',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'Debian' }
end
it_configures 'ceph osd'
end
context 'on RedHat platforms' do
let :facts do
{ :osfamily => 'RedHat',
:concat_basedir => '/var/lib/puppet/concat',
:uniqueid => '123' }
{ :osfamily => 'RedHat' }
end
it_configures 'ceph osd'
end

31
spec/classes/cloud_telemetry_api_spec.rb
View File

@ -81,6 +81,37 @@ describe 'cloud::telemetry::api' do
:hour => '0'
)
end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure ceilometer firewall rules' do
is_expected.to contain_firewall('100 allow ceilometer-api access').with(
:port => '8777',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure ceilometer firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow ceilometer-api access').with(
:port => '8777',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

34
spec/classes/cloud_volume_controller_spec.rb
View File

@ -105,8 +105,8 @@ describe 'cloud::volume::controller' do
:default_volume_type => nil
)
end
xit 'should raise an error and fail' do
is_expected.to compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/)
it 'should raise an error and fail' do
is_expected.not_to compile
end
end
@ -137,6 +137,36 @@ describe 'cloud::volume::controller' do
# )
#end
context 'with default firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
it 'configure cinder firewall rules' do
is_expected.to contain_firewall('100 allow cinder-api access').with(
:port => '8776',
:proto => 'tcp',
:action => 'accept',
)
end
end
context 'with custom firewall enabled' do
let :pre_condition do
"class { 'cloud': manage_firewall => true }"
end
before :each do
params.merge!(:firewall_settings => { 'limit' => '50/sec' } )
end
it 'configure cinder firewall rules with custom parameter' do
is_expected.to contain_firewall('100 allow cinder-api access').with(
:port => '8776',
:proto => 'tcp',
:action => 'accept',
:limit => '50/sec',
)
end
end
end
context 'on Debian platforms' do

9
spec/spec_helper.rb
View File

@ -4,4 +4,13 @@ require 'shared_examples'
RSpec.configure do |c|
c.alias_it_should_behave_like_to :it_configures, 'configures'
c.alias_it_should_behave_like_to :it_raises, 'raises'
c.default_facts = {
:kernel => 'Linux',
:concat_basedir => '/var/lib/puppet/concat',
:memorysize => '1000 MB',
:processorcount => '1',
:puppetversion => '3.7.3',
:uniqueid => '123'
}
end