Commit 9396d455 authored by Thomas Goirand's avatar Thomas Goirand

Firewall swift's container, account and object servers.

parent 686873eb
......@@ -22,6 +22,7 @@ openstack-cluster-installer (21) UNRELEASED; urgency=medium
ordering was broken).
* Add the nf_conntrack module by default in /etc/modules.
* Make sure python-keystonemiddleware is installed on swift-proxy nodes.
* Firewall swift's container, account and object servers.
[ Oliver Chaze ]
* swift: do not log in syslog general logs
......
......@@ -10,6 +10,10 @@ class oci::swiftstore(
$pass_swift_hashpathprefix = undef,
$zoneid = undef,
$use_ssl = true,
$all_swiftstore_ip = undef,
$all_swiftstore = undef,
$all_swiftproxy = undef,
$all_swiftproxy_ip = undef,
){
::oci::sysctl { 'oci-rox': }
......@@ -17,6 +21,7 @@ class oci::swiftstore(
# Right on time!
class { '::oci::chrony': time_server_host => $time_sever_host, }
# rsyslog correctly
package { 'rsyslog':
ensure => present,
}
......@@ -43,11 +48,75 @@ class oci::swiftstore(
group => 'adm'
}
# Install memcache
class { '::memcached':
listen_ip => '127.0.0.1',
udp_port => 0,
}
# Fireall object, account and container servers,
# so that only our management network has access to it.
# First, general definirion (could be in global site.pp)
resources { "firewall":
purge => true
}
class { 'firewall': }
$all_allowed_ips = concat($all_swiftproxy_ip, $all_swiftstore_ip)
$all_allowed_ips.each |Integer $index, String $value| {
$val1 = $index*2+100
$val2 = $index*2+101
firewall { "${val1} Allow ${value} to access to swift container and account servers":
proto => tcp,
action => accept,
source => "${value}",
dport => '6001-6002',
}->
firewall { "${val2} Allow ${value} to access to swift object servers":
proto => tcp,
action => accept,
source => "${value}",
dport => '6200-6229',
}
}
firewall { '801 Jump to LOGDROP for container and account servers':
proto => tcp,
jump => 'LOGDROP',
dport => '6001-6002',
}
firewall { '801 Jump to LOGDROP for object servers':
proto => tcp,
jump => 'LOGDROP',
dport => '6200-6229',
}
firewallchain { 'LOGDROP:filter:IPv4':
ensure => present,
}
firewall { '901 LOG rule for dropped packets':
chain => 'LOGDROP',
proto => tcp,
jump => 'LOG',
log_level => '6',
log_prefix => 'swift dropped packet'
}
firewall { "902 Deny all access to container and account server":
chain => 'LOGDROP',
proto => tcp,
action => drop,
dport => '6001-6002',
}
firewall { "903 Deny all access to object server":
chain => 'LOGDROP',
proto => tcp,
action => drop,
dport => '6200-6229',
}
class { 'swift':
swift_hash_path_suffix => $pass_swift_hashpathsuffix,
swift_hash_path_prefix => $pass_swift_hashpathprefix,
......
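Review bot: The new rules only cover IPv4: `firewallchain { 'LOGDROP:filter:IPv4': }` and the `firewall` resources use the module's default iptables provider, so if the storage nodes also carry IPv6 addresses the container/account (6001-6002) and object (6200-6229) ports stay reachable over IPv6 until matching `provider => 'ip6tables'` rules (and an `LOGDROP:filter:IPv6` chain) are added. The allow rules are numbered `$index*2+100`, so once `$all_allowed_ips` holds more than 350 entries their prefixes pass `801`, sort after the `LOGDROP` jump and silently cut those sources off; a 4-digit base such as `$index*2+1000` with the jump/drop rules moved to `8xxx`/`9xxx` keeps the ordering safe. `concat($all_swiftproxy_ip, $all_swiftstore_ip)` will fail catalog compilation while either parameter keeps its `undef` default, so `concat(pick($all_swiftproxy_ip, []), pick($all_swiftstore_ip, []))` is safer until the ENC is guaranteed to supply both lists. Minor: the comment typos `Fireall` and `definirion`, the bareword `tcp`/`accept`/`drop` values and the redundant `"${value}"` interpolation (plain `$value`) are worth cleaning up while here; the `oci::swiftstore` class body continues outside the hunk.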
......@@ -933,6 +933,15 @@ function api_actions($con,$conf){
$enc_file .= " statsd_hostname: $cluster_statsd_hostname\n";
$enc_file .= " all_swiftstore:\n";
$enc_file .= $enc_allswiftstore_hostanme;
$enc_file .= " all_swiftstore_ip:\n";
$enc_file .= $enc_allswiftstore_ip;
$enc_file .= " all_swiftproxy:\n";
$enc_file .= $enc_allswiftproxies_hostanme;
$enc_file .= " all_swiftproxy_ip:\n";
$enc_file .= $enc_allswiftproxies_ip;
$json = get_cluster_password($con, $conf, $cluster_id, 'swift', 'hashpathsuffix');
if($json["status"] != "success"){ return $json; }
$enc_file .= " pass_swift_hashpathsuffix: " . $json["data"] . "\n";
......
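Review bot: The added `all_swiftproxy:` and `all_swiftproxy_ip:` keys are written as a bare key followed by `$enc_allswiftproxies_hostanme` / `$enc_allswiftproxies_ip`, which are built outside this hunk; if either string is empty (presumably the case before any proxy node is enrolled), YAML parses the key as null and the Puppet class receives `undef` instead of an empty list, which its `concat()` call cannot handle. Emitting an explicit empty sequence in that case avoids it, e.g. `$enc_file .= ($enc_allswiftproxies_ip === '') ? "  all_swiftproxy_ip: []\n" : "  all_swiftproxy_ip:\n" . $enc_allswiftproxies_ip;` (and likewise for the hostname list and the existing `all_swiftstore*` keys). The `api_actions` function continues outside the hunk.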