Add firewall config, and autostart VM's

commit: 3db3b961d9f0d6912e2e982c2bbf733ffb07dbdd [log] [tgz]
author: Zack Williams <zdw@artisancomputer.com> Tue Mar 01 21:59:25 2016 -0700
committer: Zack Williams <zdw@artisancomputer.com> Tue Mar 01 21:59:25 2016 -0700
tree: a1bd662fdea82cf39a95f94b16b98daaaeb42265
parent: 4da23cf50dcfb8a0a3fca18dae9956d1577847da [diff]
diff --git a/roles/juju-setup/defaults/main.yml b/roles/juju-setup/defaults/main.yml
index d4f77a1..f98ca2a 100644
--- a/roles/juju-setup/defaults/main.yml
+++ b/roles/juju-setup/defaults/main.yml

@@ -2,20 +2,64 @@
 # roles/juju-setup/defaults/main.yml
 
 openstack_version: kilo
+
 openstack_cfg_path: /usr/local/src/openstack.cfg
 
 head_vm_list:
-  - { name: "juju", cpu: "1", memMB: "2048", diskGB: "20" }
-  - { name: "ceilometer", cpu: "1", memMB: "2048", diskGB: "20" }
-  - { name: "glance", cpu: "2", memMB: "4096", diskGB: "160" }
-  - { name: "keystone", cpu: "2", memMB: "4096", diskGB: "40" }
-  - { name: "mysql", cpu: "2", memMB: "4096", diskGB: "40" }
-  - { name: "nagios", cpu: "1", memMB: "2048", diskGB: "20" }
-  - { name: "neutron-api", cpu: "2", memMB: "4096", diskGB: "40" }
-  - { name: "neutron-gateway", cpu: "2", memMB: "4096", diskGB: "40" }
-  - { name: "nova-cloud-controller", cpu: "2", memMB: "4096", diskGB: "40" }
-  - { name: "openstack-dashboard", cpu: "1", memMB: "2048", diskGB: "20" }
-  - { name: "rabbitmq-server", cpu: "2", memMB: "4096", diskGB: "40" }
+  - name: "juju"
+    cpu: "1"
+    memMB: "2048"
+    diskGB: "20"
+
+  - name: "ceilometer"
+    cpu: "1"
+    memMB: "2048"
+    diskGB: "20"
+
+  - name: "glance"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "160"
+
+  - name: "keystone"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
+
+  - name: "mysql"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
+
+  - name: "nagios"
+    cpu: "1"
+    memMB: "2048"
+    diskGB: "20"
+
+  - name: "neutron-api"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
+
+  - name: "neutron-gateway"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
+
+  - name: "nova-cloud-controller"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
+
+  - name: "openstack-dashboard"
+    cpu: "1"
+    memMB: "2048"
+    diskGB: "20"
+
+  - name: "rabbitmq-server"
+    cpu: "2"
+    memMB: "4096"
+    diskGB: "40"
 
 vm_service_list:
   - ceilometer
@@ -38,30 +82,43 @@
 service_relations:
   - name: keystone
     relations: [ "mysql", "nrpe", ]
+
   - name: nova-cloud-controller
     relations: [ "mysql", "rabbitmq-server", "glance", "keystone", "nrpe", ]
+
   - name: glance
     relations: [ "mysql", "keystone", "nrpe", ]
+
   - name: neutron-gateway
     relations: [ "neutron-api", "nova-cloud-controller", "mysql", "nrpe", ]
+
   - name: "neutron-gateway:amqp"
     relations: [ "rabbitmq-server:amqp", ]
+
   - name: neutron-api
     relations: [ "keystone", "neutron-openvswitch", "mysql", "rabbitmq-server", "nova-cloud-controller", "nrpe", ]
+
   - name: neutron-openvswitch
     relations: [ "rabbitmq-server", ]
+
   - name: openstack-dashboard
     relations: [ "keystone", "nrpe", ]
+
   - name: nagios
     relations: [ "nrpe", ]
+
   - name: "mysql:juju-info"
     relations: [ "nrpe:general-info", ]
+
   - name: rabbitmq-server
     relations: [ "nrpe", ]
+
   - name: ceilometer
     relations: [ "mongodb", "rabbitmq-server", "nagios", "nrpe", ]
+
   - name: "ceilometer:identity-service"
     relations: [ "keystone:identity-service", ]
+
   - name: "ceilometer:ceilometer-service"
     relations: [ "ceilometer-agent:ceilometer-service", ]
 

diff --git a/roles/juju-setup/files/daemon b/roles/juju-setup/files/daemon
new file mode 100644
index 0000000..8d9102b
--- /dev/null
+++ b/roles/juju-setup/files/daemon

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_port_fwd_rule() {
+    DPORT=$1
+    VM=$2
+    TOPORT=$3
+
+    VMIP=$( getent ahosts $VM|head -1|awk '{print $1}' )
+    iptables -t nat -C PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+    if [ "$?" -ne 0 ]
+    then
+        iptables -t nat -A PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+    fi
+}
+
+if [ "$OP" = "start" ] || [ "$OP" = "reload" ]
+then
+    iptables -t nat -F
+    add_port_fwd_rule 35357 keystone 35357
+    add_port_fwd_rule 4990 keystone 4990
+    add_port_fwd_rule 5000 keystone 5000
+    add_port_fwd_rule 8774 nova-cloud-controller 8774
+    add_port_fwd_rule 9696 neutron-api 9696
+    add_port_fwd_rule 9292 glance 9292
+    add_port_fwd_rule 8080 openstack-dashboard 80
+    add_port_fwd_rule 3128 nagios 80
+    add_port_fwd_rule 8777 ceilometer 8777
+
+    # Also flush the filter table before rules re-added
+    iptables -F
+fi

diff --git a/roles/juju-setup/files/qemu b/roles/juju-setup/files/qemu
new file mode 100644
index 0000000..1c947f9
--- /dev/null
+++ b/roles/juju-setup/files/qemu

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+PORTAL=$( dig +short portal.opencloud.us | tail -1 )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_rule() {
+    CHAIN=$1
+    ARGS=$2
+    iptables -C $CHAIN $ARGS
+    if [ "$?" -ne 0 ]
+    then
+        iptables -I $CHAIN 1 $ARGS
+    fi
+}
+
+add_local_access_rules() {
+    SUBNET=$( ip addr show $NIC|grep "inet "|awk '{print $2}' )
+    PRIVATENET=$( ip addr show virbr0|grep "inet "|awk '{print $2}' )
+    add_rule "FORWARD" "-s $SUBNET -j ACCEPT"
+    # Don't NAT traffic from service VMs destined to the local subnet
+    add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
+}
+
+add_portal_access_rules() {
+    add_rule "FORWARD" "-s $PORTAL -j ACCEPT"
+}
+
+add_web_access_rules() {
+    add_rule "FORWARD" "-p tcp --dport 80 -j ACCEPT"
+}
+
+if [ "$OP" = "start" ]
+then
+	add_local_access_rules
+	add_portal_access_rules
+	add_web_access_rules
+fi

diff --git a/roles/juju-setup/handlers/main.yml b/roles/juju-setup/handlers/main.yml
new file mode 100644
index 0000000..d54f5dc
--- /dev/null
+++ b/roles/juju-setup/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+# roles/juju-setup/handlers/tasks.yml
+
+- name: reload libvirt-bin
+  service:
+    name=libvirt-bin
+    state=reloaded
+
+- name: run qemu hook
+  command: /etc/libvirt/hooks/qemu start start
+
+

diff --git a/roles/juju-setup/tasks/main.yml b/roles/juju-setup/tasks/main.yml
index 7935fe3..6b7c25e 100644
--- a/roles/juju-setup/tasks/main.yml
+++ b/roles/juju-setup/tasks/main.yml

@@ -7,7 +7,11 @@
     creates=/var/lib/uvtool/libvirt/images/{{ item.name }}.qcow
   with_items: "{{ head_vm_list }}"
 
-- name: discover VM IP addresses
+- name: Have VMs autostart on reboot
+  command: virsh autostart {{ item.name }}
+  with_items: "{{ head_vm_list }}"
+
+- name: Discover VM IP addresses
   shell: "uvt-kvm ip {{ item.name }}"
   with_items: "{{ head_vm_list }}"
   register: vm_ip
@@ -82,3 +86,18 @@
     - relations
 
 # Need to wait for services to come up here
+# Possibly do so by using wait_for and wating on forwarded ports after next step?
+
+- name: Have libvirt enable port forwarding to VM's
+  become: yes
+  copy:
+    src={{ item }}
+    dest=/etc/libvirt/hooks/{{ item }}
+    mode=0755 owner=root
+  with_items:
+    - daemon
+    - qemu
+  notify:
+    - reload libvirt-bin
+    - run qemu hook
+
commit	3db3b961d9f0d6912e2e982c2bbf733ffb07dbdd	[log] [tgz]
author	Zack Williams <zdw@artisancomputer.com>	Tue Mar 01 21:59:25 2016 -0700
committer	Zack Williams <zdw@artisancomputer.com>	Tue Mar 01 21:59:25 2016 -0700
tree	a1bd662fdea82cf39a95f94b16b98daaaeb42265
parent	4da23cf50dcfb8a0a3fca18dae9956d1577847da [diff]