Adds Firewall rules for mysql access.

Allows only hosts that need to connect to mysql. This patch is for mysql only, rules for the other services are being developed since the bug addresses the entire openstack installation. Fixed and apply review comments Changed the firewall template so it can be used by the other plugins. Fixes (partially): rhbz#1002063 Change-Id: I6639ebd5438d47c92d8cabb91f94e72b61426b98
2013-09-12 16:44:10 -06:00 · 2013-09-12 16:44:10 -06:00 · 19c4cd05b3
commit 19c4cd05b3
parent 5e2c4eb494
3 changed files with 38 additions and 5 deletions
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
@ -103,8 +103,31 @@ def createmanifest(config):
        manifestdata.append(getManifestTemplate(template))

    append_for("keystone", suffix)
+    hosts = set()
    for mod in ['nova', 'cinder', 'glance', 'neutron', 'heat']:
        if config['CONFIG_%s_INSTALL' % mod.upper()] == 'y':
            append_for(mod, suffix)
+            # Check wich modules are enabled so we can allow their
+            # hosts on the firewall
+            if mod != 'nova' and mod != 'neutron':
+                hosts.add(config.get('CONFIG_%s_HOST' % mod.upper()).strip())
+            elif mod == 'neutron':
+                hosts.add(config.get('CONFIG_NEUTRON_SERVER_HOST').strip())
+            else:
+                #In that remote case that we have lot's of nova hosts
+                hosts.add(config.get('CONFIG_NOVA_API_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_CERT_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_VNCPROXY_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_CONDUCTOR_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_SCHED_HOST').strip())
+                if config['CONFIG_NEUTRON_INSTALL'] != 'y':
+                    hosts.add(config.get('CONFIG_NOVA_NETWORK_HOST').strip())
+                for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
+                    hosts.add(host.strip())
+
+    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+    config['FIREWALL_SERVICE_NAME'] = "mysql"
+    config['FIREWALL_PORTS'] = "'3306'"
+    manifestdata.append(getManifestTemplate("firewall.pp"))

    appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
--- a/packstack/puppet/templates/firewall.pp
+++ b/packstack/puppet/templates/firewall.pp
@ -0,0 +1,15 @@
+# Create firewall rules to allow only the hosts that need to connect
+# to %(FIREWALL_SERVICE_NAME)s
+
+$hosts = [ %(FIREWALL_ALLOWED)s ]
+
+define add_allow_host {
+    firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
+        proto  => 'tcp',
+        dport  => [%(FIREWALL_PORTS)s],
+        action => 'accept',
+        source => $title,
+    }
+}
+
+add_allow_host { $hosts:}
--- a/packstack/puppet/templates/mysql_install.pp
+++ b/packstack/puppet/templates/mysql_install.pp
@ -21,8 +21,3 @@ if ($::fqdn != $::hostname and $::hostname != "localhost") {
    }
 }

-firewall { '001 mysql incoming':
-    proto  => 'tcp',
-    dport  => ['3306'],
-    action => 'accept',
-}