author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-11 13:33:55 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-11 13:33:55 +0000 |
commit | 3236c25520ef30c242ebe8c04fbf1a79bf70cd62 (patch) | |
tree | 87c4217a2798eb35768399337c9aa8c5f7b8f0b8 /firewall.yaml | |
parent | 8c9e20cb80f769c13fc0f2c64afb1037beb62db7 (diff) | |
download | infrastructure-3236c25520ef30c242ebe8c04fbf1a79bf70cd62.tar.gz |
firewall: Add a security group for x86 Masons
We need to open port 8080 for cache.baserock.org, so it can fetch
artifacts from the Masons. This was causing the Masons to fail to build.
Diffstat (limited to 'firewall.yaml')
-rw-r--r-- | firewall.yaml | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/firewall.yaml b/firewall.yaml
index add75b12..5c933b91 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -198,6 +198,49 @@
 protocol: tcp
 remote_ip_prefix: 0.0.0.0/0
 
+ - name: Mason x86 security group
+ neutron_sec_group:
+ name: mason-x86
+ description: Allow inbound HTTP and HTTPS, and cache server fetches from port 8080.
+ state: present
+
+ auth_url: "{{ ansible_env.OS_AUTH_URL }}"
+ login_username: "{{ ansible_env.OS_USERNAME }}"
+ login_password: "{{ ansible_env.OS_PASSWORD }}"
+ login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
+
+ rules:
+ # 80: HTTP
+ - direction: ingress
+ port_range_min: 80
+ port_range_max: 80
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 0.0.0.0/0
+
+ # 443: HTTPS
+ - direction: ingress
+ port_range_min: 443
+ port_range_max: 443
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 0.0.0.0/0
+
+ # 8080: morph-cache-server server port. The x86 Masons use
+ # cache.baserock.org as the cache server for their distbuild
+ # networks. So cache.baserock.org needs to be able to connect to
+ # them on this port to fetch artifacts.
+ - direction: ingress
+ port_range_min: 8080
+ port_range_max: 8080
+ ethertype: IPv4
+ protocol: tcp
+ remote_ip_prefix: 185.43.218.0/0
+ # It'd be nice to limit access by security group, but it doesn't
+ # seem to actually work. Perhaps because we use external IP to
+ # access instead of internal IP.
+ #remote_group_id: "{{ default_group.sec_group.id }}"
+
 - name: shared-artifact-cache security group
 neutron_sec_group:
 name: shared-artifact-cache
@@ -277,16 +320,3 @@
 ethertype: IPv4
 protocol: tcp
 remote_ip_prefix: 0.0.0.0/0
-
- # Old ones
-
- - name: remove Mason security group (just use 'web-server' for now)
- neutron_sec_group:
- name: mason
- state: absent
-
- auth_url: "{{ ansible_env.OS_AUTH_URL }}"
- login_username: "{{ ansible_env.OS_USERNAME }}"
- login_password: "{{ ansible_env.OS_PASSWORD }}"
- login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}"
-
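Review bot: The 8080 rule in the new mason-x86 group sets `remote_ip_prefix: 185.43.218.0/0`, and a zero-length prefix matches every IPv4 source, so this rule is exactly as open as the 0.0.0.0/0 rules above it and the comment's stated intent of admitting only cache.baserock.org is not enforced. If cache.baserock.org is a single host, the value should be its address with a host mask, e.g. `remote_ip_prefix: <cache.baserock.org IPv4>/32`; if it lives on the 185.43.218.0 network, use that network's real prefix length instead of /0. The group's `description` ("cache server fetches from port 8080") will only be accurate once the source is actually narrowed, so it is worth adjusting the two together. The commented-out `remote_group_id` line documents a workaround attempt that did not work; a short note with the Neutron behaviour observed (external vs. internal IP) would help whoever revisits this, and the second hunk is a pure deletion of the old `mason` group and needs no change.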