Merge "Move iptables management to o_p::server"
commit
b1dcd9b1e2
@ -197,6 +197,10 @@ class openstack_project::server (
|
||||
'kdc02.openstack.org',
|
||||
],
|
||||
}
|
||||
$all_udp = concat(
|
||||
$iptables_public_udp_ports, [7001])
|
||||
} else {
|
||||
$all_udp = $iptables_public_udp_ports
|
||||
}
|
||||
|
||||
class { 'openstack_project::automatic_upgrades':
|
||||
@ -205,6 +209,23 @@ class openstack_project::server (
|
||||
|
||||
include snmpd
|
||||
|
||||
$snmp_v4hosts = [
|
||||
'104.239.135.208',
|
||||
'104.130.253.206',
|
||||
]
|
||||
$snmp_v6hosts = [
|
||||
'2001:4800:7819:104:be76:4eff:fe05:1d6a',
|
||||
'2001:4800:7818:103:be76:4eff:fe04:7ed0',
|
||||
]
|
||||
class { 'iptables':
|
||||
public_tcp_ports => $iptables_public_tcp_ports,
|
||||
public_udp_ports => $all_udp,
|
||||
rules4 => $iptables_rules4,
|
||||
rules6 => $iptables_rules6,
|
||||
snmp_v4hosts => $snmp_v4hosts,
|
||||
snmp_v6hosts => $snmp_v6hosts,
|
||||
}
|
||||
|
||||
# We don't like byobu
|
||||
file { '/etc/profile.d/Z98-byobu.sh':
|
||||
ensure => absent,
|
||||
@ -265,18 +286,6 @@ class openstack_project::server (
|
||||
}
|
||||
|
||||
class { 'openstack_project::template':
|
||||
iptables_public_tcp_ports => $iptables_public_tcp_ports,
|
||||
iptables_public_udp_ports => $iptables_public_udp_ports,
|
||||
iptables_rules4 => $iptables_rules4,
|
||||
iptables_rules6 => $iptables_rules6,
|
||||
snmp_v4hosts => [
|
||||
'104.239.135.208',
|
||||
'104.130.253.206',
|
||||
],
|
||||
snmp_v6hosts => [
|
||||
'2001:4800:7819:104:be76:4eff:fe05:1d6a',
|
||||
'2001:4800:7818:103:be76:4eff:fe04:7ed0',
|
||||
],
|
||||
certname => $certname,
|
||||
pin_puppet => $pin_puppet,
|
||||
ca_server => $ca_server,
|
||||
|
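Review bot: With `class { 'iptables': ... }` now declared only in openstack_project::server (second hunk), a node that uses openstack_project::template without this class no longer gets a managed ruleset from the template; the same commit drops the rules4 list and TCP port 19885 from openstack_project::single_use_slave, and nothing visible on this page declares the firewall for those hosts again. Please confirm that single-use slaves receive their rules from elsewhere, or that leaving them without a managed ruleset is intended, and state which in the commit message. I would add a comment above the declaration, `# iptables is declared only here; openstack_project::template no longer manages the firewall`, so a second resource-style declaration is not introduced later by mistake. The `$snmp_v4hosts` and `$snmp_v6hosts` literals could also become class parameters defaulting to these addresses, so the SNMP allow-list can be changed or emptied per host without editing the class body. The class body starts and ends outside the hunks shown, so the placement of `$all_udp` relative to the `$afs` conditional is inferred from the first hunk.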
@ -14,20 +14,6 @@ class openstack_project::single_use_slave (
|
||||
class { 'openstack_project::template':
|
||||
certname => $certname,
|
||||
install_resolv_conf => $install_resolv_conf,
|
||||
iptables_rules4 =>
|
||||
[
|
||||
# Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
|
||||
# the ironic API from the neutron public net
|
||||
'-p udp --dport 69 -s 172.24.4.0/23 -j ACCEPT',
|
||||
'-p tcp --dport 6385 -s 172.24.4.0/23 -j ACCEPT',
|
||||
# Ports 8000, 8003, 8004 from the devstack neutron public net to allow
|
||||
# nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
|
||||
'-p tcp --dport 8000 -s 172.24.4.0/23 -j ACCEPT',
|
||||
'-p tcp --dport 8003 -s 172.24.4.0/23 -j ACCEPT',
|
||||
'-p tcp --dport 8004 -s 172.24.4.0/23 -j ACCEPT',
|
||||
'-m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "',
|
||||
],
|
||||
iptables_public_tcp_ports => [19885],
|
||||
}
|
||||
|
||||
class { '::jenkins::jenkinsuser':
|
||||
|
@ -3,12 +3,6 @@
|
||||
# A template host with no running services
|
||||
#
|
||||
class openstack_project::template (
|
||||
$iptables_public_tcp_ports = [],
|
||||
$iptables_public_udp_ports = [],
|
||||
$iptables_rules4 = [],
|
||||
$iptables_rules6 = [],
|
||||
$snmp_v4hosts = [],
|
||||
$snmp_v6hosts = [],
|
||||
$pin_puppet = '3.',
|
||||
$install_resolv_conf = true,
|
||||
$certname = $::fqdn,
|
||||
@ -22,21 +16,6 @@ class openstack_project::template (
|
||||
###########################################################
|
||||
# Classes for all hosts
|
||||
|
||||
if ( $afs ) {
|
||||
$all_udp = concat(
|
||||
$iptables_public_udp_ports, [7001])
|
||||
} else {
|
||||
$all_udp = $iptables_public_udp_ports
|
||||
}
|
||||
|
||||
class { 'iptables':
|
||||
public_tcp_ports => $iptables_public_tcp_ports,
|
||||
public_udp_ports => $all_udp,
|
||||
rules4 => $iptables_rules4,
|
||||
rules6 => $iptables_rules6,
|
||||
snmp_v4hosts => $snmp_v4hosts,
|
||||
snmp_v6hosts => $snmp_v6hosts,
|
||||
}
|
||||
|
||||
if ($::osfamily == 'Debian') {
|
||||
# NOTE(pabelanger): Puppetlabs only support Ubuntu Trusty and below,
|
||||
|