diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp
index 60bdb849f9..dbdc6c100c 100644
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@@ -197,6 +197,10 @@ class openstack_project::server (
 'kdc02.openstack.org',
 ],
 }
+ $all_udp = concat(
+ $iptables_public_udp_ports, [7001])
+ } else {
+ $all_udp = $iptables_public_udp_ports
 }
 class { 'openstack_project::automatic_upgrades':
@@ -205,6 +209,23 @@ class openstack_project::server (
 include snmpd
+ $snmp_v4hosts = [
+ '104.239.135.208',
+ '104.130.253.206',
+ ]
+ $snmp_v6hosts = [
+ '2001:4800:7819:104:be76:4eff:fe05:1d6a',
+ '2001:4800:7818:103:be76:4eff:fe04:7ed0',
+ ]
+ class { 'iptables':
+ public_tcp_ports => $iptables_public_tcp_ports,
+ public_udp_ports => $all_udp,
+ rules4 => $iptables_rules4,
+ rules6 => $iptables_rules6,
+ snmp_v4hosts => $snmp_v4hosts,
+ snmp_v6hosts => $snmp_v6hosts,
+ }
+
 # We don't like byobu
 file { '/etc/profile.d/Z98-byobu.sh':
 ensure => absent,
@@ -265,18 +286,6 @@ class openstack_project::server (
 }
 class { 'openstack_project::template':
- iptables_public_tcp_ports => $iptables_public_tcp_ports,
- iptables_public_udp_ports => $iptables_public_udp_ports,
- iptables_rules4 => $iptables_rules4,
- iptables_rules6 => $iptables_rules6,
- snmp_v4hosts => [
- '104.239.135.208',
- '104.130.253.206',
- ],
- snmp_v6hosts => [
- '2001:4800:7819:104:be76:4eff:fe05:1d6a',
- '2001:4800:7818:103:be76:4eff:fe04:7ed0',
- ],
 certname => $certname,
 pin_puppet => $pin_puppet,
 ca_server => $ca_server,
diff --git a/modules/openstack_project/manifests/single_use_slave.pp b/modules/openstack_project/manifests/single_use_slave.pp
index 0e4672626a..56c7f6f8a1 100644
--- a/modules/openstack_project/manifests/single_use_slave.pp
+++ b/modules/openstack_project/manifests/single_use_slave.pp
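Review bot: The literal `[7001]` in the added `$all_udp = concat(...)` line is unexplained; 7001/udp is the AFS callback port, and a short comment such as `# AFS cache manager callbacks arrive on udp/7001` would save the next reader a lookup. Because the port is appended to `public_udp_ports`, it presumably becomes reachable from any source address; if callbacks only ever come from the project's own AFS file servers, a source-restricted entry in `$iptables_rules4`/`$iptables_rules6` would be tighter. The enclosing conditional (presumably `if ( $afs )`, as in the code removed from template.pp) starts above this hunk.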
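Review bot: With `class { 'iptables': ... }` declared here instead of in `openstack_project::template`, a node that uses the template class without `openstack_project::server` no longer gets firewall rules from these manifests; `single_use_slave.pp` in this same diff is such a caller, and its `iptables_rules4` list and TCP port 19885 are dropped with nothing replacing them in the visible hunks. If that is intended, a comment above the declaration would make it explicit, e.g. `# iptables is applied only via ::server; nodes using ::template alone must manage their own firewall`. Separately, the `$snmp_v4hosts` and `$snmp_v6hosts` lists are literal addresses with no comment naming the hosts; a one-line comment identifying them (presumably the monitoring poller) would help when those addresses change.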
@@ -14,20 +14,6 @@ class openstack_project::single_use_slave (
 class { 'openstack_project::template':
 certname => $certname,
 install_resolv_conf => $install_resolv_conf,
- iptables_rules4 =>
- [
- # Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
- # the ironic API from the neutron public net
- '-p udp --dport 69 -s 172.24.4.0/23 -j ACCEPT',
- '-p tcp --dport 6385 -s 172.24.4.0/23 -j ACCEPT',
- # Ports 8000, 8003, 8004 from the devstack neutron public net to allow
- # nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
- '-p tcp --dport 8000 -s 172.24.4.0/23 -j ACCEPT',
- '-p tcp --dport 8003 -s 172.24.4.0/23 -j ACCEPT',
- '-p tcp --dport 8004 -s 172.24.4.0/23 -j ACCEPT',
- '-m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "',
- ],
- iptables_public_tcp_ports => [19885],
 }
 class { '::jenkins::jenkinsuser':
diff --git a/modules/openstack_project/manifests/template.pp b/modules/openstack_project/manifests/template.pp
index 812e7f3ed6..14b4eb8ca1 100644
--- a/modules/openstack_project/manifests/template.pp
+++ b/modules/openstack_project/manifests/template.pp
@@ -3,12 +3,6 @@
 # A template host with no running services
 #
 class openstack_project::template (
- $iptables_public_tcp_ports = [],
- $iptables_public_udp_ports = [],
- $iptables_rules4 = [],
- $iptables_rules6 = [],
- $snmp_v4hosts = [],
- $snmp_v6hosts = [],
 $pin_puppet = '3.',
 $install_resolv_conf = true,
 $certname = $::fqdn,
@@ -22,21 +16,6 @@ class openstack_project::template (
 ###########################################################
 # Classes for all hosts
- if ( $afs ) {
- $all_udp = concat(
- $iptables_public_udp_ports, [7001])
- } else {
- $all_udp = $iptables_public_udp_ports
- }
-
- class { 'iptables':
- public_tcp_ports => $iptables_public_tcp_ports,
- public_udp_ports => $all_udp,
- rules4 => $iptables_rules4,
- rules6 => $iptables_rules6,
- snmp_v4hosts => $snmp_v4hosts,
- snmp_v6hosts => $snmp_v6hosts,
- }
 if ($::osfamily == 'Debian') {
 # NOTE(pabelanger): Puppetlabs only support Ubuntu Trusty and below,