From d934cf11ef2b0110991ab8d01b3df34f02b2a3ad Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sat, 28 Feb 2015 03:15:15 +0000
Subject: [PATCH] Fold in new private cloud work from today. Gets things pretty working.
---
 files/fedora-cloud/ifcfg-eth0 | 8 +++
 inventory/group_vars/openstack-compute | 2 +
 .../fed-cloud09.cloud.fedoraproject.org.yml | 2 +
 .../iptables/iptables.openstack-compute | 71 +++++++++++++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 files/fedora-cloud/ifcfg-eth0
 create mode 100644 inventory/group_vars/openstack-compute
 create mode 100644 roles/base/templates/iptables/iptables.openstack-compute
diff --git a/files/fedora-cloud/ifcfg-eth0 b/files/fedora-cloud/ifcfg-eth0
new file mode 100644
index 0000000000..4c91be4c88
--- /dev/null
+++ b/files/fedora-cloud/ifcfg-eth0
@@ -0,0 +1,8 @@
+DEVICE="eth0"
+NAME="eth0"
+ONBOOT=yes
+BOOTPROTO=none
+HWADDR="f0:1f:af:e3:5f:0c"
+DEVICETYPE=ovs
+TYPE=OVSPort
+OVS_BRIDGE=br-ex
diff --git a/inventory/group_vars/openstack-compute b/inventory/group_vars/openstack-compute
new file mode 100644
index 0000000000..ca2d561131
--- /dev/null
+++ b/inventory/group_vars/openstack-compute
@@ -0,0 +1,2 @@
+---
+host_group: openstack-compute
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
index 5f287b006e..4a543e2dc9 100644
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
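Review bot: The `HWADDR="f0:1f:af:e3:5f:0c"` line ties files/fedora-cloud/ifcfg-eth0 to one physical NIC, yet the file contains no Jinja and the playbook hunk later in this patch installs it with `template:`, so any other compute host that reuses it receives an ifcfg that never matches its own interface. Either substitute the address from a per-host variable (`HWADDR="{{ HOST_NIC_HWADDR_VAR }}"`, variable name to be chosen) or state the restriction at the top of the file, `# fed-cloud09 only: HWADDR is this host's eth0 and must be changed per host`. Making eth0 a `TYPE=OVSPort` on `br-ex` also means that, if eth0 carries the host's management address, reachability now depends on the bridge coming up, which is worth a one-line comment since a failed bridge leaves the host unreachable over the network.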
@@ -101,6 +101,8 @@
 - lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-eth1 regexp="BOOTPROTO=" line="BOOTPROTO=none"
 - template: src={{files}}/fedora-cloud/ifcfg-br-ex dest=/etc/sysconfig/network-scripts/ifcfg-br-ex owner=root mode=0644
 when: packstack_sucessfully_finished.stat.exists == False
+ - template: src={{files}}/fedora-cloud/ifcfg-eth0 dest=/etc/sysconfig/network-scripts/ifcfg-eth0 owner=root mode=0644
+ when: packstack_sucessfully_finished.stat.exists == False
 - command: ifup eth1
 when: packstack_sucessfully_finished.stat.exists == False
diff --git a/roles/base/templates/iptables/iptables.openstack-compute b/roles/base/templates/iptables/iptables.openstack-compute
new file mode 100644
index 0000000000..801ac1a4bb
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.openstack-compute
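Review bot: The new `template:` task overwrites /etc/sysconfig/network-scripts/ifcfg-eth0 on the host without keeping the previous configuration, and the file it installs turns eth0 into an OVS port, so a bad render leaves no easy way back to the old network settings; adding `backup=yes` to the task keeps a timestamped copy of the replaced file on the host. The preceding ifcfg-br-ex task in the context lines would benefit from the same option. Nothing in this hunk brings eth0 or br-ex up after the rewrite (only `ifup eth1` follows), so that is presumably left to a later step or a reboot outside the hunk — worth a comment on the task such as `# eth0 is re-read when br-ex is brought up later`, adjusted to whatever actually happens. The task list begins before this hunk and continues after it.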
@@ -0,0 +1,71 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# allow incoming gre
+# openstack needs this to handle external ips right
+-A INPUT -p gre -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in
+# production we have marked 'staging-friendly' that we do allow staging to talk to for
+# mostly read-only data they need.
+#
+{% for host in groups['staging'] %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
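Review bot: The GRE rule in the new file, `-A INPUT -p gre -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT`, accepts GRE from any source address, which exposes the tunnel endpoint to anything that can reach the host; the nrpe rules just above already use the per-source form, so `-A INPUT -p gre -s TUNNEL_NET_CIDR -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT` (TUNNEL_NET_CIDR being a placeholder for the tunnel network) would limit it to the intended peers. The closing `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` deserves a comment explaining how it coexists with the FORWARD rules that OpenStack networking manages on a compute node, since restoring this file at runtime would, as far as I can tell, replace any chains added by the services; verify against the role that applies it. The `# FIXME` on the 209.132.181.102 nrpe rule is carried over as-is, so the global NAT address stays accepted until the noc01-specific one is known.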