1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
# File 'modules/profile/manifests/openstack/base/nova/api/service.pp', line 1
class profile::openstack::base::nova::api::service(
$version = lookup('profile::openstack::base::version'),
String $region = lookup('profile::openstack::base::region'),
Stdlib::Port $api_bind_port = lookup('profile::openstack::base::nova::osapi_compute_listen_port'),
Stdlib::Port $metadata_bind_port = lookup('profile::openstack::base::nova::metadata_listen_port'),
String $dhcp_domain = lookup('profile::openstack::base::nova::dhcp_domain',
{default_value => 'example.com'}),
) {
$prod_networks = join($::network::constants::production_networks, ' ')
$labs_networks = join($::network::constants::labs_networks, ' ')
class {'::openstack::nova::api::service':
version => $version,
active => true,
api_bind_port => $api_bind_port,
metadata_bind_port => $metadata_bind_port,
dhcp_domain => $dhcp_domain,
}
contain '::openstack::nova::api::service'
ferm::rule{'nova_api_public':
ensure => 'present',
rule => "saddr (${prod_networks} ${labs_networks}
) proto tcp dport (8774 28774) ACCEPT;",
}
$nova_hosts_ranges = $::network::constants::cloud_nova_hosts_ranges[$region]
# Allow neutron hosts to access the metadata service
# TODO: check if this is used by neutron only (as the comment above claims), and if so,
# update this firewall rule to only permit traffic from the neutron hosts
ferm::service { 'nova-metadata-nova-hosts':
proto => 'tcp',
port => '8775',
srange => "(${nova_hosts_ranges.join(' ')})",
}
}
|