Merge "Adds Firewall rules for mysql access."

2013-09-17 18:30:46 +00:00 · 2013-09-17 18:30:46 +00:00 · 1e237cd155
commit 1e237cd155
parent d5e1fafbac 19c4cd05b3
3 changed files with 38 additions and 5 deletions
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
@ -103,8 +103,31 @@ def createmanifest(config):
        manifestdata.append(getManifestTemplate(template))

    append_for("keystone", suffix)
+    hosts = set()
    for mod in ['nova', 'cinder', 'glance', 'neutron', 'heat']:
        if config['CONFIG_%s_INSTALL' % mod.upper()] == 'y':
            append_for(mod, suffix)
+            # Check wich modules are enabled so we can allow their
+            # hosts on the firewall
+            if mod != 'nova' and mod != 'neutron':
+                hosts.add(config.get('CONFIG_%s_HOST' % mod.upper()).strip())
+            elif mod == 'neutron':
+                hosts.add(config.get('CONFIG_NEUTRON_SERVER_HOST').strip())
+            else:
+                #In that remote case that we have lot's of nova hosts
+                hosts.add(config.get('CONFIG_NOVA_API_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_CERT_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_VNCPROXY_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_CONDUCTOR_HOST').strip())
+                hosts.add(config.get('CONFIG_NOVA_SCHED_HOST').strip())
+                if config['CONFIG_NEUTRON_INSTALL'] != 'y':
+                    hosts.add(config.get('CONFIG_NOVA_NETWORK_HOST').strip())
+                for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
+                    hosts.add(host.strip())
+
+    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+    config['FIREWALL_SERVICE_NAME'] = "mysql"
+    config['FIREWALL_PORTS'] = "'3306'"
+    manifestdata.append(getManifestTemplate("firewall.pp"))

    appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
--- a/packstack/puppet/templates/firewall.pp
+++ b/packstack/puppet/templates/firewall.pp
@ -0,0 +1,15 @@
+# Create firewall rules to allow only the hosts that need to connect
+# to %(FIREWALL_SERVICE_NAME)s
+
+$hosts = [ %(FIREWALL_ALLOWED)s ]
+
+define add_allow_host {
+    firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
+        proto  => 'tcp',
+        dport  => [%(FIREWALL_PORTS)s],
+        action => 'accept',
+        source => $title,
+    }
+}
+
+add_allow_host { $hosts:}
--- a/packstack/puppet/templates/mysql_install.pp
+++ b/packstack/puppet/templates/mysql_install.pp
@ -21,8 +21,3 @@ if ($::fqdn != $::hostname and $::hostname != "localhost") {
    }
 }

-firewall { '001 mysql incoming':
-    proto  => 'tcp',
-    dport  => ['3306'],
-    action => 'accept',
-}