From 19c4cd05b32e71cf36a230d2ff8d41214070d99b Mon Sep 17 00:00:00 2001
From: Ivan Chavero
Date: Thu, 12 Sep 2013 16:44:10 -0600
Subject: [PATCH] Adds Firewall rules for mysql access.

Allows only hosts that need to connect to mysql.
This patch is for mysql only, rules for the other services are being developed since the bug addresses the entire openstack installation.
Fixed and apply review comments
Changed the firewall template so it can be used by the other plugins.
Fixes (partially): rhbz#1002063
Change-Id: I6639ebd5438d47c92d8cabb91f94e72b61426b98
---
 packstack/plugins/mysql_001.py | 23 +++++++++++++++++++++
 packstack/puppet/templates/firewall.pp | 15 ++++++++++++++
 packstack/puppet/templates/mysql_install.pp | 5 -----
 3 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 packstack/puppet/templates/firewall.pp
diff --git a/packstack/plugins/mysql_001.py b/packstack/plugins/mysql_001.py
index c903a176a..f416f6805 100644
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
@@ -103,8 +103,31 @@ def createmanifest(config):
 manifestdata.append(getManifestTemplate(template))
 append_for("keystone", suffix)
+ hosts = set()
 for mod in ['nova', 'cinder', 'glance', 'neutron', 'heat']:
 if config['CONFIG_%s_INSTALL' % mod.upper()] == 'y':
 append_for(mod, suffix)
+ # Check wich modules are enabled so we can allow their
+ # hosts on the firewall
+ if mod != 'nova' and mod != 'neutron':
+ hosts.add(config.get('CONFIG_%s_HOST' % mod.upper()).strip())
+ elif mod == 'neutron':
+ hosts.add(config.get('CONFIG_NEUTRON_SERVER_HOST').strip())
+ else:
+ #In that remote case that we have lot's of nova hosts
+ hosts.add(config.get('CONFIG_NOVA_API_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_CERT_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_VNCPROXY_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_CONDUCTOR_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_SCHED_HOST').strip())
+ if config['CONFIG_NEUTRON_INSTALL'] != 'y':
+ hosts.add(config.get('CONFIG_NOVA_NETWORK_HOST').strip())
+ for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
+ hosts.add(host.strip())
+
+ config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+ config['FIREWALL_SERVICE_NAME'] = "mysql"
+ config['FIREWALL_PORTS'] = "'3306'"
+ manifestdata.append(getManifestTemplate("firewall.pp"))
 appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
diff --git a/packstack/puppet/templates/firewall.pp b/packstack/puppet/templates/firewall.pp
new file mode 100644
index 000000000..d5542223f
--- /dev/null
+++ b/packstack/puppet/templates/firewall.pp
@@ -0,0 +1,15 @@
+# Create firewall rules to allow only the hosts that need to connect
+# to %(FIREWALL_SERVICE_NAME)s
+
+$hosts = [ %(FIREWALL_ALLOWED)s ]
+
+define add_allow_host {
+ firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
+ proto => 'tcp',
+ dport => [%(FIREWALL_PORTS)s],
+ action => 'accept',
+ source => $title,
+ }
+}
+
+add_allow_host { $hosts:}
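Review bot: The allow-list built into `hosts` never includes the keystone host, although `append_for("keystone", suffix)` two lines above provisions keystone's database on this same server; if keystone can be placed on a host other than the MySQL host, its connections will be dropped by the new rules. Adding `hosts.add(config['CONFIG_KEYSTONE_HOST'].strip())` next to the `hosts = set()` line would close that gap. The `config.get(...)` calls give no protection because `.strip()` is applied directly to the result: a missing key raises AttributeError instead of being skipped, so `config[...]` (as the INSTALL checks already use) or `.get(key, '')` would state the intent more clearly. The host strings are also quoted into the Puppet manifest with `"'%s'" % i`, so a value containing a single quote or an empty string breaks or loosens the generated rule unless the answer-file validation elsewhere guarantees clean values; createmanifest's body starts before this hunk.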
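Review bot: `source => $title` is resolved by iptables when the rule is inserted, so if the `CONFIG_*_HOST` values fed into `FIREWALL_ALLOWED` are hostnames rather than addresses, the rule is pinned to whatever they resolved to at apply time and silently goes stale when DNS changes; a comment above the define such as `# source hosts are resolved once at rule insertion; prefer IP addresses`, or resolving to addresses in the plugin, would make that explicit. Because puppetlabs-firewall does not remove rules it no longer manages, a host that already carries the old blanket `'001 mysql incoming'` rule from an earlier run keeps 3306 open to every source after this change; an explicit `firewall { '001 mysql incoming': ensure => absent }` or at least a comment in the template should cover the upgrade case. The commit message says this template is meant to be shared by other plugins, yet `$hosts` and `define add_allow_host` are not scoped by `%(FIREWALL_SERVICE_NAME)s`, so two services rendered into the same manifest would fail with a duplicate declaration; naming them per service (e.g. `$%(FIREWALL_SERVICE_NAME)s_hosts`) avoids that if such co-location can occur.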
diff --git a/packstack/puppet/templates/mysql_install.pp b/packstack/puppet/templates/mysql_install.pp
index f80d6c1f6..3f95fb26e 100644
--- a/packstack/puppet/templates/mysql_install.pp
+++ b/packstack/puppet/templates/mysql_install.pp
@@ -21,8 +21,3 @@ if ($::fqdn != $::hostname and $::hostname != "localhost") {
 }
 }
-firewall { '001 mysql incoming':
- proto => 'tcp',
- dport => ['3306'],
- action => 'accept',
-}