From 5102e5130ae42e643db4b95824e3b3bc59541bdf Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Tue, 11 Nov 2014 10:18:36 +0100 Subject: [PATCH] Advanced Firewalling feature This patch enables Firewalling in this Puppet modules in a flexible way. * Enable firewalling optionnaly (disabled by default). * Enable 'pre' firewalling with defaults rules. * Enable 'post' firewalling with DROP rule, with a debug option to disable it. * Enable default rules for all services (OpenStack, etc). * Ability to add custom firewall rules with Hiera * Update puppetlabs-firewall refs * Refactorize unit-tests --- Puppetfile | 2 +- manifests/cache.pp | 15 +- manifests/compute/api.pp | 29 ++- manifests/compute/consoleproxy.pp | 12 +- manifests/compute/hypervisor.pp | 17 ++ manifests/dashboard.pp | 22 ++- manifests/database/dbaas/api.pp | 14 ++ manifests/database/nosql.pp | 20 +- manifests/database/sql.pp | 29 ++- manifests/firewall/post.pp | 41 ++++ manifests/firewall/pre.pp | 50 +++++ manifests/firewall/rule.pp | 46 +++++ manifests/identity.pp | 19 +- manifests/image/api.pp | 13 ++ manifests/image/registry.pp | 15 +- manifests/init.pp | 61 +++++- manifests/loadbalancer.pp | 186 +++++++++++------- manifests/loadbalancer/binding.pp | 15 +- manifests/messaging.pp | 17 ++ manifests/network/controller.pp | 15 ++ manifests/network/dhcp.pp | 17 +- manifests/network/vswitch.pp | 24 +++ manifests/object/controller.pp | 17 ++ manifests/object/storage.pp | 29 +++ manifests/orchestration/api.pp | 25 +++ manifests/spof.pp | 25 ++- manifests/storage/rbd/monitor.pp | 14 +- manifests/storage/rbd/osd.pp | 15 +- manifests/telemetry/api.pp | 17 ++ manifests/volume/api.pp | 17 ++ manifests/volume/controller.pp | 4 +- spec/classes/cloud_cache_spec.rb | 39 +++- spec/classes/cloud_compute_api_spec.rb | 52 +++++ .../cloud_compute_consoleproxy_spec.rb | 30 +++ spec/classes/cloud_compute_hypervisor_spec.rb | 51 ++++- spec/classes/cloud_dashboard_spec.rb | 38 +++- spec/classes/cloud_database_dbaas_api_spec.rb | 30 +++ spec/classes/cloud_database_nosql_spec.rb | 30 +++ spec/classes/cloud_database_sql_spec.rb | 52 +++++ spec/classes/cloud_identity_spec.rb | 43 +++- spec/classes/cloud_image_api_spec.rb | 35 ++++ spec/classes/cloud_image_registry_spec.rb | 31 +++ spec/classes/cloud_init_spec.rb | 80 +++++++- spec/classes/cloud_loadbalancer_spec.rb | 74 ++++++- spec/classes/cloud_messaging_spec.rb | 40 +++- spec/classes/cloud_network_controller_spec.rb | 30 +++ spec/classes/cloud_network_dhcp_spec.rb | 46 +++++ spec/classes/cloud_network_vswitch_spec.rb | 31 +++ ...e_spec.rb => cloud_object_storage_spec.rb} | 67 ++++++- spec/classes/cloud_orchestration_api_spec.rb | 52 +++++ spec/classes/cloud_spof_spec.rb | 65 +++++- spec/classes/cloud_storage_rbd_mon_spec.rb | 38 +++- spec/classes/cloud_storage_rbd_osd_spec.rb | 38 +++- spec/classes/cloud_telemetry_api_spec.rb | 31 +++ spec/classes/cloud_volume_controller_spec.rb | 34 +++- spec/spec_helper.rb | 9 + 56 files changed, 1740 insertions(+), 168 deletions(-) create mode 100644 manifests/firewall/post.pp create mode 100644 manifests/firewall/pre.pp create mode 100644 manifests/firewall/rule.pp rename spec/classes/{cloud_objectstorage_storage_spec.rb => cloud_object_storage_spec.rb} (66%) diff --git a/Puppetfile b/Puppetfile index dd45947a..1274d5ac 100644 --- a/Puppetfile +++ b/Puppetfile @@ -94,7 +94,7 @@ mod 'git', :ref => '0df1f62130a7752c728efb7555f2b07ca178ee5b' mod 'firewall', :git => 'git://github.com/enovance/puppetlabs-firewall.git', - :ref => '6540b31b0ca0727094ddf44436274436d2853d6d' + :ref => '4ed1b43e1629c1b6108133b0fc3be603d03ffe6c' mod 'fluentd', :git => 'git://github.com/enovance/puppet-fluentd.git', :ref => 'd073a97002c569d8bfc38ac814ee33ed2cb13ca6' diff --git a/manifests/cache.pp b/manifests/cache.pp index 09a61d1e..3789bfd3 100644 --- a/manifests/cache.pp +++ b/manifests/cache.pp @@ -23,8 +23,14 @@ # (optional) IP address on which memcached instance should listen # Defaults to '127.0.0.1' # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::cache ( - $listen_ip = '127.0.0.1', + $listen_ip = '127.0.0.1', + $firewall_settings = {}, ){ class { 'memcached': @@ -32,4 +38,11 @@ class cloud::cache ( max_memory => '60%', } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow memcached access': + port => '11211', + extras => $firewall_settings, + } + } + } diff --git a/manifests/compute/api.pp b/manifests/compute/api.pp index f5a52952..7c745f88 100644 --- a/manifests/compute/api.pp +++ b/manifests/compute/api.pp @@ -13,7 +13,16 @@ # License for the specific language governing permissions and limitations # under the License. # -# Compute API node +# == Class: cloud::compute::api +# +# Install a Nova-API node +# +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} # class cloud::compute::api( $ks_keystone_internal_host = '127.0.0.1', @@ -23,7 +32,8 @@ class cloud::compute::api( $api_eth = '127.0.0.1', $ks_nova_public_port = '8774', $ks_ec2_public_port = '8773', - $ks_metadata_public_port = '8775' + $ks_metadata_public_port = '8775', + $firewall_settings = {}, ){ include 'cloud::compute' @@ -39,6 +49,21 @@ class cloud::compute::api( osapi_v3 => true, } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow nova-api access': + port => $ks_nova_public_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow nova-metadata access': + port => $ks_metadata_public_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow nova-ec2 access': + port => $ks_ec2_public_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-compute_api_ec2": listening_service => 'ec2_api_cluster', server_names => $::hostname, diff --git a/manifests/compute/consoleproxy.pp b/manifests/compute/consoleproxy.pp index 83813b35..69ecb5dc 100644 --- a/manifests/compute/consoleproxy.pp +++ b/manifests/compute/consoleproxy.pp @@ -16,8 +16,9 @@ # Compute Proxy Console node # class cloud::compute::consoleproxy( - $api_eth = '127.0.0.1', - $spice_port = '6082' + $api_eth = '127.0.0.1', + $spice_port = '6082', + $firewall_settings = {}, ){ include 'cloud::compute' @@ -27,6 +28,13 @@ class cloud::compute::consoleproxy( host => $api_eth } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow spice access': + port => $spice_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-compute_spice": listening_service => 'spice_cluster', server_names => $::hostname, diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp index 88fd1960..6c622f24 100644 --- a/manifests/compute/hypervisor.pp +++ b/manifests/compute/hypervisor.pp @@ -61,6 +61,11 @@ # Need to be a valid shell path. # Defaults to false # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::compute::hypervisor( $server_proxyclient_address = '127.0.0.1', $libvirt_type = 'kvm', @@ -76,6 +81,7 @@ class cloud::compute::hypervisor( $volume_rbd = false, $manage_tso = true, $nova_shell = false, + $firewall_settings = {}, # when using NFS storage backend $nfs_enabled = false, $nfs_device = false, @@ -340,4 +346,15 @@ Host * class { 'ceilometer::agent::compute': } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow instances console access': + port => '5900-5999', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow instances migration access': + port => ['16509', '49152-49215'], + extras => $firewall_settings, + } + } + } diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 295612c8..916e5d88 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp @@ -79,7 +79,12 @@ # (optional) Enable optional services provided by neutron # Useful when using cisco n1kv plugin, vpnaas or fwaas. # Default to {} - +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::dashboard( $ks_keystone_internal_host = '127.0.0.1', $secret_key = 'secrete', @@ -100,6 +105,7 @@ class cloud::dashboard( $allowed_hosts = $::fqdn, $vhost_extra_params = {}, $neutron_extra_options = {}, + $firewall_settings = {}, ) { # We build the param needed for horizon class @@ -155,6 +161,13 @@ class cloud::dashboard( } } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow horizon access': + port => $horizon_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-horizon": listening_service => 'horizon_cluster', server_names => $::hostname, @@ -165,6 +178,13 @@ class cloud::dashboard( if $listen_ssl { + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow horizon ssl access': + port => $horizon_ssl_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-horizon-ssl": listening_service => 'horizon_ssl_cluster', server_names => $::hostname, diff --git a/manifests/database/dbaas/api.pp b/manifests/database/dbaas/api.pp index 47ffab13..e0213987 100644 --- a/manifests/database/dbaas/api.pp +++ b/manifests/database/dbaas/api.pp @@ -17,6 +17,12 @@ # # Class to install API service of OpenStack Database as a Service (Trove) # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} # class cloud::database::dbaas::api( $ks_trove_password = 'trovepassword', @@ -28,6 +34,7 @@ class cloud::database::dbaas::api( $ks_keystone_internal_host = '127.0.0.1', $ks_keystone_internal_port = '5000', $ks_keystone_internal_proto = 'http', + $firewall_settings = {}, ) { include 'cloud::database::dbaas' @@ -42,6 +49,13 @@ class cloud::database::dbaas::api( keystone_password => $ks_trove_password, } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow trove-api access': + port => $ks_trove_public_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-trove_api": listening_service => 'trove_api_cluster', server_names => $::hostname, diff --git a/manifests/database/nosql.pp b/manifests/database/nosql.pp index c5faa78e..75987a39 100644 --- a/manifests/database/nosql.pp +++ b/manifests/database/nosql.pp @@ -35,10 +35,16 @@ # If set to false, the setup won't be HA and no replicaset will be created. # Defaults to hostname # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::database::nosql( - $bind_ip = '127.0.0.1', - $nojournal = false, - $replset_members = $::hostname + $bind_ip = '127.0.0.1', + $nojournal = false, + $replset_members = $::hostname, + $firewall_settings = {}, ) { # should be an array @@ -82,4 +88,12 @@ class cloud::database::nosql( anchor {'mongodb setup done' : require => Exec['check_mongodb'], } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow mongodb access': + port => '27017', + extras => $firewall_settings, + } + } + } diff --git a/manifests/database/sql.pp b/manifests/database/sql.pp index d16395b9..0b524075 100644 --- a/manifests/database/sql.pp +++ b/manifests/database/sql.pp @@ -17,9 +17,14 @@ # # === Parameters # -# [*galera_internal_ips*] -# Array of internal ip of the galera nodes. -# Defaults to ['127.0.0.1'] +# [*galera_internal_ips*] +# Array of internal ip of the galera nodes. +# Defaults to ['127.0.0.1'] +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} # class cloud::database::sql ( $api_eth = '127.0.0.1', @@ -59,7 +64,8 @@ class cloud::database::sql ( $mysql_sys_maint_password = 'sys_maint', $galera_clustercheck_dbuser = 'clustercheckdbuser', $galera_clustercheck_dbpassword = 'clustercheckpassword', - $galera_clustercheck_ipaddress = '127.0.0.1' + $galera_clustercheck_ipaddress = '127.0.0.1', + $firewall_settings = {}, ) { include 'xinetd' @@ -339,6 +345,21 @@ class cloud::database::sql ( onlyif => "stat ${::mysql::params::datadir}/ib_logfile0 && test `du -sh ${::mysql::params::datadir}/ib_logfile0 | cut -f1` != '256M'", } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow galera access': + port => ['3306', '4567', '4568', '4444'], + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow mysqlchk access': + port => '9200', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow mysql rsync access': + port => '873', + extras => $firewall_settings, + } + } + @@haproxy::balancermember{$::fqdn: listening_service => 'galera_cluster', server_names => $::hostname, diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp new file mode 100644 index 00000000..116f1a0e --- /dev/null +++ b/manifests/firewall/post.pp @@ -0,0 +1,41 @@ +# +# Copyright (C) 2014 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::firewall::post +# +# Firewall rules during 'post' Puppet stage +# +class cloud::firewall::post( + $debug = false, + $log = false, + $firewall_settings = {}, +){ + + if $debug { + warning('debug is enabled, the traffic is not blocked.') + } else { + firewall { '998 log all': + proto => 'all', + jump => 'LOG', + } + cloud::firewall::rule{ '999 drop all': + proto => 'all', + action => 'drop', + extras => $firewall_settings, + } + notice('At this stage, all network traffic is blocked.') + } + +} diff --git a/manifests/firewall/pre.pp b/manifests/firewall/pre.pp new file mode 100644 index 00000000..f2975aca --- /dev/null +++ b/manifests/firewall/pre.pp @@ -0,0 +1,50 @@ +# +# Copyright (C) 2014 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: cloud::firewall::pre +# +# Firewall rules during 'pre' Puppet stage +# +class cloud::firewall::pre( + $firewall_settings = {}, +){ + + # ensure the correct packages are installed + include firewall + + # defaults 'pre' rules + cloud::firewall::rule{ '000 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + extras => $firewall_settings, + } + + cloud::firewall::rule{ '001 accept all icmp': + proto => 'icmp', + extras => $firewall_settings, + } + + cloud::firewall::rule{ '002 accept all to lo interface': + proto => 'all', + iniface => 'lo', + extras => $firewall_settings, + } + + cloud::firewall::rule{ '003 accept ssh': + port => '22', + extras => $firewall_settings, + } + +} diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp new file mode 100644 index 00000000..2dc97ef8 --- /dev/null +++ b/manifests/firewall/rule.pp @@ -0,0 +1,46 @@ +# +# Copyright (C) 2014 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# Define:: +# +# cloud::firewall +# +define cloud::firewall::rule ( + $port = undef, + $proto = 'tcp', + $action = 'accept', + $state = ['NEW'], + $source = '0.0.0.0/0', + $iniface = undef, + $chain = 'INPUT', + $extras = {}, +) { + + $basic = { + 'port' => $port, + 'proto' => $proto, + 'action' => $action, + 'state' => $state, + 'source' => $source, + 'iniface' => $iniface, + 'chain' => $chain, + } + + $rule = merge($basic, $extras) + validate_hash($rule) + + create_resources('firewall', { "${title}" => $rule }) + +} diff --git a/manifests/identity.pp b/manifests/identity.pp index df1bbb7b..f18719ee 100644 --- a/manifests/identity.pp +++ b/manifests/identity.pp @@ -355,6 +355,11 @@ # Experimental feature. # Defaults to false # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::identity ( $swift_enabled = true, $trove_enabled = false, @@ -450,7 +455,8 @@ class cloud::identity ( $log_facility = 'LOG_LOCAL0', $use_syslog = true, $ks_token_expiration = 3600, - $token_driver = 'keystone.token.backends.sql.Token' + $token_driver = 'keystone.token.backends.sql.Token', + $firewall_settings = {}, ){ $encoded_user = uriescape($keystone_db_user) @@ -660,6 +666,17 @@ class cloud::identity ( unless => "/usr/bin/mysql keystone -h ${keystone_db_host} -u ${encoded_user} -p${encoded_password} -e \"show tables\" | /bin/grep Tables" } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow keystone access': + port => $ks_keystone_public_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow keystone admin access': + port => $ks_keystone_admin_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-keystone_api": listening_service => 'keystone_api_cluster', server_names => $::hostname, diff --git a/manifests/image/api.pp b/manifests/image/api.pp index a627db7b..5610f8f8 100644 --- a/manifests/image/api.pp +++ b/manifests/image/api.pp @@ -92,6 +92,11 @@ # service name removed. # Defaults to 'keystone'. # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::image::api( $glance_db_host = '127.0.0.1', $glance_db_user = 'glance', @@ -118,6 +123,7 @@ class cloud::image::api( $nfs_device = false, $nfs_options = 'defaults', $pipeline = 'keystone', + $firewall_settings = {}, ) { # Disable twice logging if syslog is enabled @@ -222,6 +228,13 @@ class cloud::image::api( class { 'glance::cache::cleaner': } class { 'glance::cache::pruner': } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow glance-api access': + port => $ks_glance_api_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-glance_api": listening_service => 'glance_api_cluster', server_names => $::hostname, diff --git a/manifests/image/registry.pp b/manifests/image/registry.pp index 7364370c..9169e0bc 100644 --- a/manifests/image/registry.pp +++ b/manifests/image/registry.pp @@ -55,6 +55,11 @@ # (optional) Syslog facility to receive log lines # Defaults to 'LOG_LOCAL0' # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::image::registry( $glance_db_host = '127.0.0.1', $glance_db_user = 'glance', @@ -68,7 +73,8 @@ class cloud::image::registry( $verbose = true, $debug = true, $log_facility = 'LOG_LOCAL0', - $use_syslog = true + $use_syslog = true, + $firewall_settings = {}, ) { # Disable twice logging if syslog is enabled @@ -116,6 +122,13 @@ class cloud::image::registry( unless => "/usr/bin/mysql glance -h ${glance_db_host} -u ${encoded_glance_user} -p${encoded_glance_password} -e \"show tables\" | /bin/grep Tables" } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow glance-registry access': + port => $ks_glance_registry_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-glance_registry": listening_service => 'glance_registry_cluster', server_names => $::hostname, diff --git a/manifests/init.pp b/manifests/init.pp index fcb168a0..1d87913c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -15,18 +15,23 @@ # # Class: cloud # -# Installs the private cloud system requirements +# Installs the system requirements # class cloud( - $rhn_registration = undef, - $root_password = 'root', - $dns_ips = ['8.8.8.8', '8.8.4.4'], - $site_domain = 'mydomain', - $motd_title = 'eNovance IT Operations', - $selinux_mode = 'permissive', - $selinux_directory = '/usr/share/selinux', - $selinux_booleans = [], - $selinux_modules = [], + $rhn_registration = undef, + $root_password = 'root', + $dns_ips = ['8.8.8.8', '8.8.4.4'], + $site_domain = 'mydomain', + $motd_title = 'eNovance IT Operations', + $selinux_mode = 'permissive', + $selinux_directory = '/usr/share/selinux', + $selinux_booleans = [], + $selinux_modules = [], + $manage_firewall = false, + $firewall_rules = {}, + $purge_firewall_rules = false, + $firewall_pre_extras = {}, + $firewall_post_extras = {}, ) { include ::stdlib @@ -100,4 +105,40 @@ This node is under the control of Puppet ${::puppetversion}. "rhn-${::hostname}" => $rhn_registration } ) } + + if $manage_firewall { + + # Only purges IPv4 rules + if $purge_firewall_rules { + resources { 'firewall': + purge => true + } + } + + # anyone can add your own rules + # example with Hiera: + # + # cloud::firewall::rules: + # '300 allow custom application 1': + # port: 999 + # proto: udp + # action: accept + # '301 allow custom application 2': + # port: 8081 + # proto: tcp + # action: accept + # + create_resources('cloud::firewall::rule', $firewall_rules) + + ensure_resource('class', 'cloud::firewall::pre', { + 'firewall_settings' => $firewall_pre_extras, + 'stage' => 'setup', + }) + + ensure_resource('class', 'cloud::firewall::post', { + 'stage' => 'runtime', + 'firewall_settings' => $firewall_post_extras, + }) + } + } diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index 87cc4ea1..1a1ad380 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -184,6 +184,11 @@ # Should be part of keepalived_internal_ips # Defaults to false (backward compatibility) # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::loadbalancer( $swift_api = true, $ceilometer_api = true, @@ -257,6 +262,7 @@ class cloud::loadbalancer( $vip_internal_ip = false, $galera_ip = ['127.0.0.1'], $galera_slave = false, + $firewall_settings = {}, # Deprecated parameters $keepalived_interface = false, $keepalived_ipvs = false, @@ -364,94 +370,108 @@ class cloud::loadbalancer( # Instanciate HAproxy binding cloud::loadbalancer::binding { 'keystone_api_cluster': - ip => $keystone_api, - port => $ks_keystone_public_port, - bind_options => $keystone_bind_options, + ip => $keystone_api, + port => $ks_keystone_public_port, + bind_options => $keystone_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'keystone_api_admin_cluster': - ip => $keystone_api_admin, - port => $ks_keystone_admin_port, - bind_options => $keystone_admin_bind_options, + ip => $keystone_api_admin, + port => $ks_keystone_admin_port, + bind_options => $keystone_admin_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'swift_api_cluster': - ip => $swift_api, - port => $ks_swift_public_port, - bind_options => $swift_bind_options, - httpchk => 'httpchk /healthcheck', + ip => $swift_api, + port => $ks_swift_public_port, + bind_options => $swift_bind_options, + httpchk => 'httpchk /healthcheck', + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'nova_api_cluster': - ip => $nova_api, - port => $ks_nova_public_port, - bind_options => $nova_bind_options, + ip => $nova_api, + port => $ks_nova_public_port, + bind_options => $nova_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'ec2_api_cluster': - ip => $ec2_api, - port => $ks_ec2_public_port, - bind_options => $ec2_bind_options, + ip => $ec2_api, + port => $ks_ec2_public_port, + bind_options => $ec2_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'metadata_api_cluster': - ip => $metadata_api, - port => $ks_metadata_public_port, - bind_options => $metadata_bind_options, + ip => $metadata_api, + port => $ks_metadata_public_port, + bind_options => $metadata_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'spice_cluster': - ip => $spice, - port => $spice_port, - options => { + ip => $spice, + port => $spice_port, + options => { 'mode' => 'tcp', 'option' => ['tcpka', 'tcplog', 'forwardfor'], 'balance' => 'source', 'timeout server' => '120m', 'timeout client' => '120m', }, - bind_options => $spice_bind_options, + bind_options => $spice_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'rabbitmq_cluster': - ip => $rabbitmq, - port => $rabbitmq_port, - options => { + ip => $rabbitmq, + port => $rabbitmq_port, + options => { 'mode' => 'tcp', 'option' => ['tcpka', 'tcplog', 'forwardfor'], 'balance' => 'roundrobin', }, - bind_options => $rabbitmq_bind_options, + bind_options => $rabbitmq_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'trove_api_cluster': - ip => $trove_api, - port => $ks_trove_public_port, - bind_options => $trove_bind_options, + ip => $trove_api, + port => $ks_trove_public_port, + bind_options => $trove_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'glance_api_cluster': - ip => $glance_api, - options => { + ip => $glance_api, + options => { 'mode' => 'tcp', 'balance' => 'source', 'option' => ['tcpka', 'tcplog', 'forwardfor'], 'timeout server' => '120m', 'timeout client' => '120m', }, - port => $ks_glance_api_public_port, - bind_options => $glance_api_bind_options, + port => $ks_glance_api_public_port, + bind_options => $glance_api_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'glance_registry_cluster': - ip => $glance_registry, - port => $ks_glance_registry_internal_port, - bind_options => $glance_registry_bind_options, + ip => $glance_registry, + port => $ks_glance_registry_internal_port, + bind_options => $glance_registry_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'neutron_api_cluster': - ip => $neutron_api, - port => $ks_neutron_public_port, - bind_options => $neutron_bind_options, + ip => $neutron_api, + port => $ks_neutron_public_port, + bind_options => $neutron_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'cinder_api_cluster': - ip => $cinder_api, - port => $ks_cinder_public_port, - bind_options => $cinder_bind_options, + ip => $cinder_api, + port => $ks_cinder_public_port, + bind_options => $cinder_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'ceilometer_api_cluster': - ip => $ceilometer_api, - port => $ks_ceilometer_public_port, - bind_options => $ceilometer_bind_options, + ip => $ceilometer_api, + port => $ks_ceilometer_public_port, + bind_options => $ceilometer_bind_options, + firewall_settings => $firewall_settings, } if 'ssl' in $heat_api_bind_options { $heat_api_options = { @@ -460,10 +480,11 @@ class cloud::loadbalancer( $heat_api_options = {} } cloud::loadbalancer::binding { 'heat_api_cluster': - ip => $heat_api, - port => $ks_heat_public_port, - bind_options => $heat_api_bind_options, - options => $heat_api_options + ip => $heat_api, + port => $ks_heat_public_port, + bind_options => $heat_api_bind_options, + options => $heat_api_options, + firewall_settings => $firewall_settings, } if 'ssl' in $heat_cfn_bind_options { $heat_cfn_options = { @@ -472,10 +493,11 @@ class cloud::loadbalancer( $heat_cfn_options = { } } cloud::loadbalancer::binding { 'heat_cfn_api_cluster': - ip => $heat_cfn_api, - port => $ks_heat_cfn_public_port, - bind_options => $heat_cfn_bind_options, - options => $heat_cfn_options + ip => $heat_cfn_api, + port => $ks_heat_cfn_public_port, + bind_options => $heat_cfn_bind_options, + options => $heat_cfn_options, + firewall_settings => $firewall_settings, } if 'ssl' in $heat_cloudwatch_bind_options { $heat_cloudwatch_options = { @@ -484,10 +506,11 @@ class cloud::loadbalancer( $heat_cloudwatch_options = { } } cloud::loadbalancer::binding { 'heat_cloudwatch_api_cluster': - ip => $heat_cloudwatch_api, - port => $ks_heat_cloudwatch_public_port, - bind_options => $heat_cloudwatch_bind_options, - options => $heat_cloudwatch_options + ip => $heat_cloudwatch_api, + port => $ks_heat_cloudwatch_public_port, + bind_options => $heat_cloudwatch_bind_options, + options => $heat_cloudwatch_options, + firewall_settings => $firewall_settings, } $horizon_ssl_options = { @@ -510,19 +533,21 @@ class cloud::loadbalancer( } cloud::loadbalancer::binding { 'horizon_cluster': - ip => $horizon, - port => $horizon_port, - httpchk => "httpchk GET /${::cloud::params::horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"", - options => $horizon_options, - bind_options => $horizon_bind_options, + ip => $horizon, + port => $horizon_port, + httpchk => "httpchk GET /${::cloud::params::horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"", + options => $horizon_options, + bind_options => $horizon_bind_options, + firewall_settings => $firewall_settings, } cloud::loadbalancer::binding { 'horizon_ssl_cluster': - ip => $horizon_ssl, - port => $horizon_ssl_port, - httpchk => 'ssl-hello-chk', - options => $horizon_ssl_options, - bind_options => $horizon_ssl_bind_options, + ip => $horizon_ssl, + port => $horizon_ssl_port, + httpchk => 'ssl-hello-chk', + options => $horizon_ssl_options, + bind_options => $horizon_ssl_bind_options, + firewall_settings => $firewall_settings, } if (member(any2array($keepalived_public_ipvs_real), $galera_ip)) { @@ -541,7 +566,16 @@ class cloud::loadbalancer( }, bind_options => $galera_bind_options, } + if $galera_slave { + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow galera-slave binding access': + port => '3307', + extras => $firewall_settings, + } + } + haproxy::listen { 'galera_readonly_cluster': ipaddress => $galera_ip, ports => 3307, @@ -563,4 +597,20 @@ class cloud::loadbalancer( } create_resources(sysctl::value,$haproxy_sysctl_settings) + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow galera binding access': + port => '3306', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow haproxy monitor access': + port => '9300', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow keepalived access': + port => undef, + proto => 'vrrp', + extras => $firewall_settings, + } + } + } diff --git a/manifests/loadbalancer/binding.pp b/manifests/loadbalancer/binding.pp index c315b537..5fb957f1 100644 --- a/manifests/loadbalancer/binding.pp +++ b/manifests/loadbalancer/binding.pp @@ -17,9 +17,10 @@ define cloud::loadbalancer::binding ( $ip, $port, - $httpchk = undef, - $options = undef, - $bind_options = undef, + $httpchk = undef, + $options = undef, + $bind_options = undef, + $firewall_settings = {}, ){ include cloud::loadbalancer @@ -62,6 +63,14 @@ define cloud::loadbalancer::binding ( listen_ip => $listen_ip_real, bind_options => $bind_options; } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ "100 allow ${name} binding access": + port => $port, + extras => $firewall_settings, + } + } + } } diff --git a/manifests/messaging.pp b/manifests/messaging.pp index 810ab1e1..6a993160 100644 --- a/manifests/messaging.pp +++ b/manifests/messaging.pp @@ -45,6 +45,11 @@ # (optional) Port of RabbitMQ service. # Defaults to '5672' # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::messaging( $cluster_node_type = 'disc', $rabbit_names = $::hostname, @@ -52,6 +57,7 @@ class cloud::messaging( $haproxy_binding = false, $rabbitmq_ip = $::ipaddress, $rabbitmq_port = '5672', + $firewall_settings = {}, ){ # we ensure having an array @@ -109,6 +115,17 @@ class cloud::messaging( provider => 'rabbitmqctl', } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow rabbitmq access': + port => $rabbitmq_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow rabbitmq management access': + port => '55672', + extras => $firewall_settings, + } + } + if $haproxy_binding { @@haproxy::balancermember{"${::fqdn}-rabbitmq": listening_service => 'rabbitmq_cluster', diff --git a/manifests/network/controller.pp b/manifests/network/controller.pp index 7f198c71..b763d316 100644 --- a/manifests/network/controller.pp +++ b/manifests/network/controller.pp @@ -15,10 +15,17 @@ # # Network Controller node (API + Scheduler) # +# === Parameters: +# # [*manage_ext_network*] # (optionnal) Manage or not external network with provider network API # Defaults to false. # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::network::controller( $neutron_db_host = '127.0.0.1', $neutron_db_user = 'neutron', @@ -37,6 +44,7 @@ class cloud::network::controller( $nova_admin_password = 'novapassword', $nova_region_name = 'RegionOne', $manage_ext_network = false, + $firewall_settings = {}, ) { include 'cloud::network' @@ -86,6 +94,13 @@ class cloud::network::controller( notify => Service['neutron-server'] } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow neutron-server access': + port => $ks_neutron_public_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-neutron_api": listening_service => 'neutron_api_cluster', server_names => $::hostname, diff --git a/manifests/network/dhcp.pp b/manifests/network/dhcp.pp index a693ab88..d4abee4f 100644 --- a/manifests/network/dhcp.pp +++ b/manifests/network/dhcp.pp @@ -18,7 +18,8 @@ class cloud::network::dhcp( $veth_mtu = 1500, $debug = true, - $dnsmasq_dns_server = false + $dnsmasq_dns_server = false, + $firewall_settings = {}, ) { include 'cloud::network' @@ -48,4 +49,18 @@ class cloud::network::dhcp( notify => Service['neutron-dhcp-agent'] } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow dhcp in access': + port => '67', + proto => 'udp', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow dhcp out access': + port => '68', + proto => 'udp', + chain => 'OUTPUT', + extras => $firewall_settings, + } + } + } diff --git a/manifests/network/vswitch.pp b/manifests/network/vswitch.pp index e0163f53..5f8ba2a7 100644 --- a/manifests/network/vswitch.pp +++ b/manifests/network/vswitch.pp @@ -120,12 +120,18 @@ # Not applicable if 'n1kv_source' is a file. (Option-B above) # Defaults to 'present' # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::network::vswitch( # common $driver = 'ml2_ovs', $manage_ext_network = false, $external_int = 'eth1', $external_bridge = 'br-pub', + $firewall_settings = {}, # ml2_ovs $tunnel_types = ['gre'], $provider_bridge_mappings = ['public:br-pub'], @@ -190,4 +196,22 @@ class cloud::network::vswitch( bridge => $external_bridge } } + + if $::cloud::manage_firewall { + if ('gre' in $tunnel_types) { + cloud::firewall::rule{ '100 allow gre access': + port => undef, + proto => 'gre', + extras => $firewall_settings, + } + } + if ('vxlan' in $tunnel_types) { + cloud::firewall::rule{ '100 allow vxlan access': + port => '4789', + proto => 'udp', + extras => $firewall_settings, + } + } + } + } diff --git a/manifests/object/controller.pp b/manifests/object/controller.pp index 50e56763..28d59fdb 100644 --- a/manifests/object/controller.pp +++ b/manifests/object/controller.pp @@ -13,8 +13,17 @@ # License for the specific language governing permissions and limitations # under the License. # +# == Class: cloud::object::controller +# # Swift Proxy node # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::object::controller( $ks_keystone_admin_host = '127.0.0.1', $ks_keystone_admin_port = 35357, @@ -29,6 +38,7 @@ class cloud::object::controller( $statsd_port = 4125, $memcache_servers = ['127.0.0.1:11211'], $api_eth = '127.0.0.1', + $firewall_settings = {}, ) { include 'cloud::object' @@ -113,6 +123,13 @@ cache = swift.cache') Swift::Ringsync<<| |>> #~> Service["swift-proxy"] + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow swift-proxy access': + port => $ks_swift_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-swift_api": listening_service => 'swift_api_cluster', server_names => $::hostname, diff --git a/manifests/object/storage.pp b/manifests/object/storage.pp index 2b59e51a..3cc98180 100644 --- a/manifests/object/storage.pp +++ b/manifests/object/storage.pp @@ -13,8 +13,17 @@ # License for the specific language governing permissions and limitations # under the License. # +# == Class: cloud::object::storage +# # Swift Storage node # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::object::storage ( $storage_eth = '127.0.0.1', $swift_zone = undef, @@ -25,6 +34,7 @@ class cloud::object::storage ( $device_config_hash = {}, $ring_container_device = 'sdb', $ring_account_device = 'sdb', + $firewall_settings = {}, ) { include 'cloud::object' @@ -102,4 +112,23 @@ allow_versions = on Swift::Storage::Server[$account_port] -> Swift::Storage::Server[$object_port] + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow swift-container access': + port => $container_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow swift-account access': + port => $account_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow swift-object access': + port => $object_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow swift rsync access': + port => '873', + extras => $firewall_settings, + } + } + } diff --git a/manifests/orchestration/api.pp b/manifests/orchestration/api.pp index 73451db4..3a3c3d4d 100644 --- a/manifests/orchestration/api.pp +++ b/manifests/orchestration/api.pp @@ -13,14 +13,24 @@ # License for the specific language governing permissions and limitations # under the License. # +# == Class: cloud::image::api +# # Orchestration APIs node # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::orchestration::api( $ks_heat_internal_port = 8004, $ks_heat_cfn_internal_port = 8000, $ks_heat_cloudwatch_internal_port = 8003, $api_eth = '127.0.0.1', $workers = $::processorcount, + $firewall_settings = {}, ) { include 'cloud::orchestration' @@ -43,6 +53,21 @@ class cloud::orchestration::api( workers => $workers } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow heat-api access': + port => $ks_heat_internal_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow heat-cfn access': + port => $ks_heat_cfn_internal_port, + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow heat-cloudwatch access': + port => $ks_heat_cloudwatch_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-heat_api": listening_service => 'heat_api_cluster', server_names => $::hostname, diff --git a/manifests/spof.pp b/manifests/spof.pp index 97af00f9..abd733ad 100644 --- a/manifests/spof.pp +++ b/manifests/spof.pp @@ -30,11 +30,17 @@ # (optionnal) IP address used to send multicast traffic # Defaults to '239.1.1.2' # +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::spof( $cluster_ip = '127.0.0.1', $cluster_members = false, $multicast_address = '239.1.1.2', - $cluster_password = 'secrete' + $cluster_password = 'secrete', + $firewall_settings = {}, ) { if $::osfamily == 'RedHat' { @@ -125,4 +131,21 @@ class cloud::spof( enabled => false, } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow vrrp access': + port => undef, + proto => 'vrrp', + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow corosync tcp access': + port => ['2224','3121','21064'], + extras => $firewall_settings, + } + cloud::firewall::rule{ '100 allow corosync udp access': + port => ['5404','5405'], + proto => 'udp', + extras => $firewall_settings, + } + } + } diff --git a/manifests/storage/rbd/monitor.pp b/manifests/storage/rbd/monitor.pp index 9d24ea5f..21b69b27 100644 --- a/manifests/storage/rbd/monitor.pp +++ b/manifests/storage/rbd/monitor.pp @@ -14,9 +14,10 @@ # under the License. # class cloud::storage::rbd::monitor ( - $id = $::uniqueid, - $mon_addr = '127.0.0.1', - $monitor_secret = 'cephmonsecret' + $id = $::uniqueid, + $mon_addr = '127.0.0.1', + $monitor_secret = 'cephmonsecret', + $firewall_settings = {}, ) { include 'cloud::storage::rbd' @@ -27,4 +28,11 @@ class cloud::storage::rbd::monitor ( mon_addr => $mon_addr, } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow ceph-mon access': + port => '6789', + extras => $firewall_settings, + } + } + } diff --git a/manifests/storage/rbd/osd.pp b/manifests/storage/rbd/osd.pp index 16e5d5dc..b4e362ea 100644 --- a/manifests/storage/rbd/osd.pp +++ b/manifests/storage/rbd/osd.pp @@ -14,9 +14,10 @@ # under the License. # class cloud::storage::rbd::osd ( - $public_address = '127.0.0.1', - $cluster_address = '127.0.0.1', - $devices = ['sdb','/dev/sdc'], + $public_address = '127.0.0.1', + $cluster_address = '127.0.0.1', + $devices = ['sdb','/dev/sdc'], + $firewall_settings = {}, ) { include 'cloud::storage::rbd' @@ -38,4 +39,12 @@ class cloud::storage::rbd::osd ( elsif is_hash($devices) { create_resources('ceph::osd::device', $devices) } + + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow ceph-osd access': + port => '6800-6810', + extras => $firewall_settings, + } + } + } diff --git a/manifests/telemetry/api.pp b/manifests/telemetry/api.pp index e243e640..a8769531 100644 --- a/manifests/telemetry/api.pp +++ b/manifests/telemetry/api.pp @@ -13,14 +13,24 @@ # License for the specific language governing permissions and limitations # under the License. # +# == Class: cloud::telemetry::api +# # Telemetry API nodes # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::telemetry::api( $ks_keystone_internal_host = '127.0.0.1', $ks_keystone_internal_proto = 'http', $ks_ceilometer_internal_port = '8777', $ks_ceilometer_password = 'ceilometerpassword', $api_eth = '127.0.0.1', + $firewall_settings = {}, ){ include 'cloud::telemetry' @@ -44,6 +54,13 @@ class cloud::telemetry::api( Cron <<| title == 'ceilometer-expirer' |>> { command => "sleep $((\$RANDOM % 86400)) && ${::ceilometer::params::expirer_command}" } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow ceilometer-api access': + port => $ks_ceilometer_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-ceilometer_api": listening_service => 'ceilometer_api_cluster', server_names => $::hostname, diff --git a/manifests/volume/api.pp b/manifests/volume/api.pp index e98428f6..eb8f598e 100644 --- a/manifests/volume/api.pp +++ b/manifests/volume/api.pp @@ -13,8 +13,17 @@ # License for the specific language governing permissions and limitations # under the License. # +# == Class: cloud::volume::api +# # Volume API node # +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# class cloud::volume::api( $ks_cinder_internal_port = 8776, $ks_cinder_password = 'cinderpassword', @@ -25,6 +34,7 @@ class cloud::volume::api( $api_eth = '127.0.0.1', $ks_glance_internal_proto = 'http', $default_volume_type = undef, + $firewall_settings = {}, # Maintain backward compatibility for multi-backend $volume_multi_backend = false ) { @@ -55,6 +65,13 @@ class cloud::volume::api( glance_num_retries => '10' } + if $::cloud::manage_firewall { + cloud::firewall::rule{ '100 allow cinder-api access': + port => $ks_cinder_internal_port, + extras => $firewall_settings, + } + } + @@haproxy::balancermember{"${::fqdn}-cinder_api": listening_service => 'cinder_api_cluster', server_names => $::hostname, diff --git a/manifests/volume/controller.pp b/manifests/volume/controller.pp index 5636f3c9..5f31cd8b 100644 --- a/manifests/volume/controller.pp +++ b/manifests/volume/controller.pp @@ -24,6 +24,7 @@ class cloud::volume::controller( $ks_glance_api_internal_port = 9292, $api_eth = '127.0.0.1', $default_volume_type = undef, + $firewall_settings = {}, # Maintain backward compatibility for multi-backend $volume_multi_backend = false ) { @@ -43,7 +44,8 @@ class cloud::volume::controller( api_eth => $api_eth, default_volume_type => $default_volume_type, # Maintain backward compatibility for multi-backend - volume_multi_backend => $volume_multi_backend + volume_multi_backend => $volume_multi_backend, + firewall_settings => $firewall_settings, } class { 'cloud::volume::scheduler': volume_multi_backend => $volume_multi_backend diff --git a/spec/classes/cloud_cache_spec.rb b/spec/classes/cloud_cache_spec.rb index 299cae5d..ea4f476e 100644 --- a/spec/classes/cloud_cache_spec.rb +++ b/spec/classes/cloud_cache_spec.rb @@ -32,13 +32,42 @@ describe 'cloud::cache' do :max_memory => '60%' ) end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure memcached firewall rules' do + is_expected.to contain_firewall('100 allow memcached access').with( + :port => '11211', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure memcached firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow memcached access').with( + :port => '11211', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :memorysize => '1000 MB', - :processorcount => '1' } + { :osfamily => 'Debian' } end it_configures 'cache server' @@ -46,9 +75,7 @@ describe 'cloud::cache' do context 'on RedHat platforms' do let :facts do - { :osfamily => 'RedHat', - :memorysize => '1000 MB', - :processorcount => '1' } + { :osfamily => 'RedHat' } end it_configures 'cache server' diff --git a/spec/classes/cloud_compute_api_spec.rb b/spec/classes/cloud_compute_api_spec.rb index c11c161a..8c2aede1 100644 --- a/spec/classes/cloud_compute_api_spec.rb +++ b/spec/classes/cloud_compute_api_spec.rb @@ -125,6 +125,58 @@ describe 'cloud::compute::api' do ) end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure nova firewall rules' do + is_expected.to contain_firewall('100 allow nova-api access').with( + :port => '8774', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow nova-ec2 access').with( + :port => '8773', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow nova-metadata access').with( + :port => '8775', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure nova firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow nova-api access').with( + :port => '8774', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow nova-ec2 access').with( + :port => '8773', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow nova-metadata access').with( + :port => '8775', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_compute_consoleproxy_spec.rb b/spec/classes/cloud_compute_consoleproxy_spec.rb index 91abfbc6..ae2ddab1 100644 --- a/spec/classes/cloud_compute_consoleproxy_spec.rb +++ b/spec/classes/cloud_compute_consoleproxy_spec.rb @@ -94,6 +94,36 @@ describe 'cloud::compute::consoleproxy' do ) end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure spice firewall rules' do + is_expected.to contain_firewall('100 allow spice access').with( + :port => '6082', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure spice firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow spice access').with( + :port => '6082', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_compute_hypervisor_spec.rb b/spec/classes/cloud_compute_hypervisor_spec.rb index 7d4ef4af..3600c424 100644 --- a/spec/classes/cloud_compute_hypervisor_spec.rb +++ b/spec/classes/cloud_compute_hypervisor_spec.rb @@ -256,7 +256,6 @@ describe 'cloud::compute::hypervisor' do { :osfamily => 'Debian', :operatingsystem => 'Ubuntu', :vtx => true, - :concat_basedir => '/var/lib/puppet/concat' } end @@ -272,8 +271,7 @@ describe 'cloud::compute::hypervisor' do before :each do facts.merge!( :osfamily => 'Debian', :operatingsystem => 'Debian', - :vtx => true, - :concat_basedir => '/var/lib/puppet/concat' ) + :vtx => true ) end it 'ensure TSO script is enabled at boot' do is_expected.to contain_exec('enable-tso-script').with( @@ -294,8 +292,7 @@ describe 'cloud::compute::hypervisor' do context 'without TSO/GSO/GRO on Red Hat systems' do before :each do facts.merge!( :osfamily => 'RedHat', - :vtx => true, - :concat_basedir => '/var/lib/puppet/concat' ) + :vtx => true ) end it 'ensure TSO script is enabled at boot' do is_expected.to contain_exec('enable-tso-script').with( @@ -525,6 +522,48 @@ describe 'cloud::compute::hypervisor' do end it_raises 'a Puppet::Error', /When running NFS backend, vm_rbd parameter cannot be set to true./ end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure compute firewall rules' do + is_expected.to contain_firewall('100 allow instances console access').with( + :port => '5900-5999', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow instances migration access').with( + :port => ['16509', '49152-49215'], + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure compute firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow instances console access').with( + :port => '5900-5999', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow instances migration access').with( + :port => ['16509', '49152-49215'], + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do @@ -532,7 +571,6 @@ describe 'cloud::compute::hypervisor' do { :osfamily => 'Debian', :operatingsystem => 'Debian', :vtx => true, - :concat_basedir => '/var/lib/puppet/concat', # required for rpcbind module :lsbdistid => 'Debian' } @@ -546,7 +584,6 @@ describe 'cloud::compute::hypervisor' do let :facts do { :osfamily => 'RedHat', :vtx => true, - :concat_basedir => '/var/lib/puppet/concat', # required for rbd support check :operatingsystemmajrelease => '7', # required for nfs module diff --git a/spec/classes/cloud_dashboard_spec.rb b/spec/classes/cloud_dashboard_spec.rb index 5dffa024..f8bbf725 100644 --- a/spec/classes/cloud_dashboard_spec.rb +++ b/spec/classes/cloud_dashboard_spec.rb @@ -124,15 +124,43 @@ describe 'cloud::dashboard' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure horizon firewall rules' do + is_expected.to contain_firewall('100 allow horizon access').with( + :port => '80', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure horizon firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow horizon access').with( + :port => '80', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do { :osfamily => 'Debian', :operatingsystem => 'Ubuntu', - :operatingsystemrelease => '12.04', - :processorcount => '1', - :concat_basedir => '/var/lib/puppet/concat' } + :operatingsystemrelease => '12.04' } end it_configures 'openstack dashboard' @@ -141,9 +169,7 @@ describe 'cloud::dashboard' do context 'on RedHat platforms' do let :facts do { :osfamily => 'RedHat', - :operatingsystemrelease => '6', - :processorcount => '1', - :concat_basedir => '/var/lib/puppet/concat' } + :operatingsystemrelease => '6' } end it_configures 'openstack dashboard' diff --git a/spec/classes/cloud_database_dbaas_api_spec.rb b/spec/classes/cloud_database_dbaas_api_spec.rb index 518c4773..66c27a57 100644 --- a/spec/classes/cloud_database_dbaas_api_spec.rb +++ b/spec/classes/cloud_database_dbaas_api_spec.rb @@ -79,6 +79,36 @@ describe 'cloud::database::dbaas::api' do ) end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure trove-api firewall rules' do + is_expected.to contain_firewall('100 allow trove-api access').with( + :port => '8779', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure trove-api firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow trove-api access').with( + :port => '8779', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_database_nosql_spec.rb b/spec/classes/cloud_database_nosql_spec.rb index 38342af9..59f5654e 100644 --- a/spec/classes/cloud_database_nosql_spec.rb +++ b/spec/classes/cloud_database_nosql_spec.rb @@ -59,6 +59,36 @@ describe 'cloud::database::nosql' do is_expected.not_to contain_mongodb_replset('ceilometer') end end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure mongodb firewall rules' do + is_expected.to contain_firewall('100 allow mongodb access').with( + :port => '27017', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure mongodb firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow mongodb access').with( + :port => '27017', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end end context 'on Debian platforms' do diff --git a/spec/classes/cloud_database_sql_spec.rb b/spec/classes/cloud_database_sql_spec.rb index 969492c7..0cd742db 100644 --- a/spec/classes/cloud_database_sql_spec.rb +++ b/spec/classes/cloud_database_sql_spec.rb @@ -208,6 +208,58 @@ describe 'cloud::database::sql' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure mysql firewall rules' do + is_expected.to contain_firewall('100 allow galera access').with( + :port => ['3306', '4567', '4568', '4444'], + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow mysqlchk access').with( + :port => '9200', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow mysql rsync access').with( + :port => '873', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure mysql firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow galera access').with( + :port => ['3306', '4567', '4568', '4444'], + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow mysqlchk access').with( + :port => '9200', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow mysql rsync access').with( + :port => '873', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end # openstack database sql context 'on Debian platforms' do diff --git a/spec/classes/cloud_identity_spec.rb b/spec/classes/cloud_identity_spec.rb index 378f7d1e..2c5b3eff 100644 --- a/spec/classes/cloud_identity_spec.rb +++ b/spec/classes/cloud_identity_spec.rb @@ -345,6 +345,47 @@ describe 'cloud::identity' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure keystone firewall rules' do + is_expected.to contain_firewall('100 allow keystone access').with( + :port => '5000', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow keystone admin access').with( + :port => '35357', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure keystone firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow keystone access').with( + :port => '5000', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow keystone admin access').with( + :port => '35357', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do @@ -352,7 +393,6 @@ describe 'cloud::identity' do { :osfamily => 'Debian', :operatingsystemrelease => '12.04', :processorcount => '2', - :concat_basedir => '/var/lib/puppet/concat', :fqdn => 'keystone.openstack.org' } end @@ -364,7 +404,6 @@ describe 'cloud::identity' do { :osfamily => 'RedHat', :operatingsystemrelease => '6', :processorcount => '2', - :concat_basedir => '/var/lib/puppet/concat', :fqdn => 'keystone.openstack.org' } end diff --git a/spec/classes/cloud_image_api_spec.rb b/spec/classes/cloud_image_api_spec.rb index e05c664c..e13cd90e 100644 --- a/spec/classes/cloud_image_api_spec.rb +++ b/spec/classes/cloud_image_api_spec.rb @@ -46,6 +46,10 @@ describe 'cloud::image::api' do shared_examples_for 'openstack image api' do + it 'should not configure firewall rule' do + is_expected.not_to contain_firewall('100 allow glance api access') + end + it 'configure glance-api' do is_expected.to contain_class('glance::api').with( :database_connection => 'mysql://glance:secrete@10.0.0.1/glance?charset=utf8', @@ -143,6 +147,37 @@ describe 'cloud::image::api' do end it { is_expected.to compile.and_raise_error(/Something is not a Glance supported backend./) } end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure Glance API firewall rules' do + is_expected.to contain_firewall('100 allow glance-api access').with( + :port => '9292', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure Glance API firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow glance-api access').with( + :port => '9292', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_image_registry_spec.rb b/spec/classes/cloud_image_registry_spec.rb index a1199eae..dc103174 100644 --- a/spec/classes/cloud_image_registry_spec.rb +++ b/spec/classes/cloud_image_registry_spec.rb @@ -65,6 +65,37 @@ describe 'cloud::image::registry' do :unless => '/usr/bin/mysql glance -h 10.0.0.1 -u glance -psecrete -e "show tables" | /bin/grep Tables' ) end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure Glance Registry firewall rules' do + is_expected.to contain_firewall('100 allow glance-registry access').with( + :port => '9191', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure Glance API firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow glance-registry access').with( + :port => '9191', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_init_spec.rb b/spec/classes/cloud_init_spec.rb index 19016625..895e8f0b 100644 --- a/spec/classes/cloud_init_spec.rb +++ b/spec/classes/cloud_init_spec.rb @@ -24,7 +24,7 @@ describe 'cloud' do { } end - shared_examples_for 'private cloud node' do + shared_examples_for 'cloud node' do let :pre_condition do ' @@ -50,27 +50,90 @@ describe 'cloud' do :enable => true }) } + context 'with firewall enabled' do + before :each do + params.merge!( + :manage_firewall => true, + ) + end + + it 'configure basic pre firewall rules' do + is_expected.to contain_firewall('000 accept related established rules').with( + :proto => 'all', + :state => ['RELATED', 'ESTABLISHED'], + :action => 'accept', + ) + is_expected.to contain_firewall('001 accept all icmp').with( + :proto => 'icmp', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('002 accept all to lo interface').with( + :proto => 'all', + :iniface => 'lo', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('003 accept ssh').with( + :port => '22', + :proto => 'tcp', + :action => 'accept', + :state => ['NEW'], + ) + end + + it 'configure basic post firewall rules' do + is_expected.to contain_firewall('999 drop all').with( + :proto => 'all', + :action => 'drop', + :source => '0.0.0.0/0', + ) + end + end + + context 'with custom firewall rules' do + before :each do + params.merge!( + :manage_firewall => true, + :firewall_rules => { + '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'}, + '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'} + } + ) + end + it 'configure custom firewall rules' do + is_expected.to contain_firewall('300 add custom application 1').with( + :port => '999', + :proto => 'udp', + :action => 'accept', + :state => ['NEW'], + ) + is_expected.to contain_firewall('301 add custom application 2').with( + :port => '8081', + :proto => 'tcp', + :action => 'accept', + :state => ['NEW'], + ) + end + end + end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :concat_basedir => '/var/lib/puppet/concat', - :puppetversion => '3.3' } + { :osfamily => 'Debian' } end let :platform_params do { :cron_service_name => 'cron'} end - it_configures 'private cloud node' + it_configures 'cloud node' end context 'on RedHat platforms' do let :facts do { :osfamily => 'RedHat', - :concat_basedir => '/var/lib/puppet/concat', - :puppetversion => '3.3', :hostname => 'redhat1' } end @@ -82,7 +145,7 @@ describe 'cloud' do { :rhn_registration => { "username" => "rhn", "password" => "pass" } } end - #it_configures 'private cloud node' + it_configures 'cloud node' xit { is_expected.to contain_rhn_register('rhn-redhat1') } @@ -103,7 +166,6 @@ describe 'cloud' do :stage => 'setup', ) end - end end diff --git a/spec/classes/cloud_loadbalancer_spec.rb b/spec/classes/cloud_loadbalancer_spec.rb index 4c85d22f..98b0210b 100644 --- a/spec/classes/cloud_loadbalancer_spec.rb +++ b/spec/classes/cloud_loadbalancer_spec.rb @@ -515,13 +515,80 @@ describe 'cloud::loadbalancer' do } )} end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure haproxy firewall rules' do + # test the firewall rule in cloud::loadbalancer::binding + is_expected.to contain_firewall('100 allow horizon_cluster binding access').with( + :port => '80', + :proto => 'tcp', + :action => 'accept', + ) + # test the firewall rules in cloud::loadbalancer + is_expected.to contain_firewall('100 allow galera binding access').with( + :port => '3306', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow haproxy monitor access').with( + :port => '9300', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow keepalived access').with( + :port => nil, + :proto => 'vrrp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure haproxy firewall rules with custom parameter' do + # test the firewall rule in cloud::loadbalancer::binding + is_expected.to contain_firewall('100 allow horizon_cluster binding access').with( + :port => '80', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + # test the firewall rules in cloud::loadbalancer + is_expected.to contain_firewall('100 allow galera binding access').with( + :port => '3306', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow haproxy monitor access').with( + :port => '9300', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow keepalived access').with( + :port => nil, + :proto => 'vrrp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end # shared:: openstack loadbalancer context 'on Debian platforms' do let :facts do { :osfamily => 'Debian', - :hostname => 'myhost', - :concat_basedir => '/var/lib/puppet/concat' } + :hostname => 'myhost' } end let :platform_params do @@ -539,8 +606,7 @@ describe 'cloud::loadbalancer' do context 'on RedHat platforms' do let :facts do { :osfamily => 'RedHat', - :hostname => 'myhost', - :concat_basedir => '/var/lib/puppet/concat' } + :hostname => 'myhost' } end let :platform_params do diff --git a/spec/classes/cloud_messaging_spec.rb b/spec/classes/cloud_messaging_spec.rb index cb9573b3..ff20621b 100644 --- a/spec/classes/cloud_messaging_spec.rb +++ b/spec/classes/cloud_messaging_spec.rb @@ -53,12 +53,45 @@ describe 'cloud::messaging' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure rabbitmq firewall rules' do + is_expected.to contain_firewall('100 allow rabbitmq access').with( + :port => '5672', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow rabbitmq management access').with( + :port => '55672', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure rabbitmq firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow rabbitmq management access').with( + :port => '55672', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :puppetversion => '3.3' } + { :osfamily => 'Debian' } end it_configures 'openstack messaging' @@ -66,8 +99,7 @@ describe 'cloud::messaging' do context 'on RedHat platforms' do let :facts do - { :osfamily => 'RedHat', - :puppetversion => '3.3' } + { :osfamily => 'RedHat' } end it_configures 'openstack messaging' diff --git a/spec/classes/cloud_network_controller_spec.rb b/spec/classes/cloud_network_controller_spec.rb index 16fc0630..02ed3ff8 100644 --- a/spec/classes/cloud_network_controller_spec.rb +++ b/spec/classes/cloud_network_controller_spec.rb @@ -123,6 +123,36 @@ describe 'cloud::network::controller' do is_expected.not_to contain__neutron_network('public') end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure neutron-server firewall rules' do + is_expected.to contain_firewall('100 allow neutron-server access').with( + :port => '9696', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure neutrons-server firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow neutron-server access').with( + :port => '9696', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_network_dhcp_spec.rb b/spec/classes/cloud_network_dhcp_spec.rb index 503941ac..2f5f5ba0 100644 --- a/spec/classes/cloud_network_dhcp_spec.rb +++ b/spec/classes/cloud_network_dhcp_spec.rb @@ -131,6 +131,52 @@ describe 'cloud::network::dhcp' do ) is_expected.to contain_file('/etc/neutron/dnsmasq-neutron.conf').with_content(/^dhcp-option-force=26,1400$/) end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure neutron-server firewall rules' do + is_expected.to contain_firewall('100 allow dhcp in access').with( + :port => '67', + :proto => 'udp', + :chain => 'INPUT', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow dhcp out access').with( + :port => '68', + :proto => 'udp', + :chain => 'OUTPUT', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure neutrons-server firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow dhcp in access').with( + :port => '67', + :proto => 'udp', + :chain => 'INPUT', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow dhcp out access').with( + :port => '68', + :proto => 'udp', + :chain => 'OUTPUT', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_network_vswitch_spec.rb b/spec/classes/cloud_network_vswitch_spec.rb index 98966ca4..3e28334f 100644 --- a/spec/classes/cloud_network_vswitch_spec.rb +++ b/spec/classes/cloud_network_vswitch_spec.rb @@ -131,6 +131,37 @@ describe 'cloud::network::vswitch' do end it { should compile.and_raise_error(/Something plugin is not supported./) } end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure gre firewall rules' do + is_expected.to contain_firewall('100 allow gre access').with( + :port => nil, + :proto => 'gre', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure gre firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow gre access').with( + :port => nil, + :proto => 'gre', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_objectstorage_storage_spec.rb b/spec/classes/cloud_object_storage_spec.rb similarity index 66% rename from spec/classes/cloud_objectstorage_storage_spec.rb rename to spec/classes/cloud_object_storage_spec.rb index b15773a8..766e2121 100644 --- a/spec/classes/cloud_objectstorage_storage_spec.rb +++ b/spec/classes/cloud_object_storage_spec.rb @@ -94,13 +94,74 @@ describe 'cloud::object::storage' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure swift-storage firewall rules' do + is_expected.to contain_firewall('100 allow swift-container access').with( + :port => '6001', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow swift-account access').with( + :port => '6002', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow swift-object access').with( + :port => '6000', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow swift rsync access').with( + :port => '873', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure swift-storage firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow swift-container access').with( + :port => '6001', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow swift-account access').with( + :port => '6002', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow swift-object access').with( + :port => '6000', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow swift rsync access').with( + :port => '873', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do { - :concat_basedir => '/tmp/', - :concat_basedir => '/tmp/foo', :osfamily => 'Debian' , } end @@ -111,8 +172,6 @@ describe 'cloud::object::storage' do context 'on RedHat platforms' do let :facts do { - :concat_basedir => '/tmp/', - :concat_basedir => '/tmp/foo', :osfamily => 'RedHat' } end diff --git a/spec/classes/cloud_orchestration_api_spec.rb b/spec/classes/cloud_orchestration_api_spec.rb index a7f08d14..cf6ffa77 100644 --- a/spec/classes/cloud_orchestration_api_spec.rb +++ b/spec/classes/cloud_orchestration_api_spec.rb @@ -98,6 +98,58 @@ describe 'cloud::orchestration::api' do ) end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure heat api firewall rules' do + is_expected.to contain_firewall('100 allow heat-api access').with( + :port => '8004', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow heat-cfn access').with( + :port => '8000', + :proto => 'tcp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow heat-cloudwatch access').with( + :port => '8003', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure heat firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow heat-api access').with( + :port => '8004', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow heat-cfn access').with( + :port => '8000', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow heat-cloudwatch access').with( + :port => '8003', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_spof_spec.rb b/spec/classes/cloud_spof_spec.rb index f9043e85..306de31c 100644 --- a/spec/classes/cloud_spof_spec.rb +++ b/spec/classes/cloud_spof_spec.rb @@ -96,13 +96,68 @@ describe 'cloud::spof' do end it { is_expected.to compile.and_raise_error(/cluster_members is a required parameter./) } end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!( :cluster_members => 'srv1 srv2 srv3') + end + it 'configure pacemaker firewall rules' do + is_expected.to contain_firewall('100 allow vrrp access').with( + :port => nil, + :proto => 'vrrp', + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow corosync tcp access').with( + :port => ['2224','3121','21064'], + :action => 'accept', + ) + is_expected.to contain_firewall('100 allow corosync udp access').with( + :port => ['5404','5405'], + :proto => 'udp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!( + :firewall_settings => { 'limit' => '50/sec' }, + :cluster_members => 'srv1 srv2 srv3' + ) + end + it 'configure pacemaker firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow vrrp access').with( + :port => nil, + :proto => 'vrrp', + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow corosync tcp access').with( + :port => ['2224','3121','21064'], + :action => 'accept', + :limit => '50/sec', + ) + is_expected.to contain_firewall('100 allow corosync udp access').with( + :port => ['5404','5405'], + :proto => 'udp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'Debian' } end it_configures 'cloud spof' @@ -110,9 +165,7 @@ describe 'cloud::spof' do context 'on RedHat platforms' do let :facts do - { :osfamily => 'RedHat', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'RedHat' } end it_configures 'cloud spof' end diff --git a/spec/classes/cloud_storage_rbd_mon_spec.rb b/spec/classes/cloud_storage_rbd_mon_spec.rb index c3b61ca9..b9aa8a4c 100644 --- a/spec/classes/cloud_storage_rbd_mon_spec.rb +++ b/spec/classes/cloud_storage_rbd_mon_spec.rb @@ -52,13 +52,41 @@ describe 'cloud::storage::rbd::monitor' do ) end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure ceph monitor firewall rules' do + is_expected.to contain_firewall('100 allow ceph-mon access').with( + :port => '6789', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure ceph monitor firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow ceph-mon access').with( + :port => '6789', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'Debian' } end it_configures 'ceph monitor' @@ -66,9 +94,7 @@ describe 'cloud::storage::rbd::monitor' do context 'on RedHat platforms' do let :facts do - { :osfamily => 'RedHat', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'RedHat' } end it_configures 'ceph monitor' end diff --git a/spec/classes/cloud_storage_rbd_osd_spec.rb b/spec/classes/cloud_storage_rbd_osd_spec.rb index b36ed791..63229940 100644 --- a/spec/classes/cloud_storage_rbd_osd_spec.rb +++ b/spec/classes/cloud_storage_rbd_osd_spec.rb @@ -61,22 +61,48 @@ describe 'cloud::storage::rbd::osd' do end end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure ceph osd firewall rules' do + is_expected.to contain_firewall('100 allow ceph-osd access').with( + :port => '6800-6810', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure ceph osd firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow ceph-osd access').with( + :port => '6800-6810', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do let :facts do - { :osfamily => 'Debian', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'Debian' } end it_configures 'ceph osd' end context 'on RedHat platforms' do let :facts do - { :osfamily => 'RedHat', - :concat_basedir => '/var/lib/puppet/concat', - :uniqueid => '123' } + { :osfamily => 'RedHat' } end it_configures 'ceph osd' end diff --git a/spec/classes/cloud_telemetry_api_spec.rb b/spec/classes/cloud_telemetry_api_spec.rb index f4fd7dca..b486ae6d 100644 --- a/spec/classes/cloud_telemetry_api_spec.rb +++ b/spec/classes/cloud_telemetry_api_spec.rb @@ -81,6 +81,37 @@ describe 'cloud::telemetry::api' do :hour => '0' ) end + + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure ceilometer firewall rules' do + is_expected.to contain_firewall('100 allow ceilometer-api access').with( + :port => '8777', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure ceilometer firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow ceilometer-api access').with( + :port => '8777', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/classes/cloud_volume_controller_spec.rb b/spec/classes/cloud_volume_controller_spec.rb index 5a7b3cef..13c037e7 100644 --- a/spec/classes/cloud_volume_controller_spec.rb +++ b/spec/classes/cloud_volume_controller_spec.rb @@ -105,8 +105,8 @@ describe 'cloud::volume::controller' do :default_volume_type => nil ) end - xit 'should raise an error and fail' do - is_expected.to compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/) + it 'should raise an error and fail' do + is_expected.not_to compile end end @@ -137,6 +137,36 @@ describe 'cloud::volume::controller' do # ) #end + context 'with default firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + it 'configure cinder firewall rules' do + is_expected.to contain_firewall('100 allow cinder-api access').with( + :port => '8776', + :proto => 'tcp', + :action => 'accept', + ) + end + end + + context 'with custom firewall enabled' do + let :pre_condition do + "class { 'cloud': manage_firewall => true }" + end + before :each do + params.merge!(:firewall_settings => { 'limit' => '50/sec' } ) + end + it 'configure cinder firewall rules with custom parameter' do + is_expected.to contain_firewall('100 allow cinder-api access').with( + :port => '8776', + :proto => 'tcp', + :action => 'accept', + :limit => '50/sec', + ) + end + end + end context 'on Debian platforms' do diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 53d4dd02..0171d5dd 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -4,4 +4,13 @@ require 'shared_examples' RSpec.configure do |c| c.alias_it_should_behave_like_to :it_configures, 'configures' c.alias_it_should_behave_like_to :it_raises, 'raises' + + c.default_facts = { + :kernel => 'Linux', + :concat_basedir => '/var/lib/puppet/concat', + :memorysize => '1000 MB', + :processorcount => '1', + :puppetversion => '3.7.3', + :uniqueid => '123' + } end