diff --git a/roles/edpm_telemetry_power_monitoring/molecule/default/prepare.yml b/roles/edpm_telemetry_power_monitoring/molecule/default/prepare.yml
index 5fcfd7e70..a04d7592b 100644
--- a/roles/edpm_telemetry_power_monitoring/molecule/default/prepare.yml
+++ b/roles/edpm_telemetry_power_monitoring/molecule/default/prepare.yml
@@ -67,6 +67,25 @@
 become: true
 command: groupadd libvirt
+ - name: Create firewall directory
+ become: true
+ ansible.builtin.file:
+ path: "/var/lib/edpm-config/firewall"
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+ - name: open port 22 (edpm_nftables will active this later)
+ become: true
+ ansible.builtin.copy:
+ dest: /var/lib/edpm-config/firewall/sshd-networks.yaml
+ content: |
+ - rule_name: 003 Allow SSH
+ rule:
+ proto: tcp
+ dport: 22
+
 - name: Create ceilometer.conf
 become: true
 ansible.builtin.copy:
diff --git a/roles/edpm_telemetry_power_monitoring/molecule/default/test-helpers/kepler.yaml b/roles/edpm_telemetry_power_monitoring/molecule/default/test-helpers/kepler.yaml
new file mode 100644
index 000000000..e248fc1d9
--- /dev/null
+++ b/roles/edpm_telemetry_power_monitoring/molecule/default/test-helpers/kepler.yaml
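Review bot: The `ansible.builtin.copy` that writes sshd-networks.yaml sets no `mode`, so the file takes whatever the remote umask yields, while the directory created just above it is explicitly `0750` and the role's own kepler.yaml (post-install.yml in this same commit) is written with `mode: "0640"`; add `mode: '0640'` under `dest:` so the two rule files match. The task name `open port 22 (edpm_nftables will active this later)` reads as a typo for `activate`. This hunk is molecule prepare scaffolding, so the SSH allow rule exists to keep the test host reachable rather than being role behaviour; a one-line comment above the task saying so (`# molecule only: keep SSH reachable once edpm_nftables is applied in verify`) would stop a reader from treating it as part of the role.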
@@ -0,0 +1,22 @@
+- name: kepler rule source file exists
+ become: true
+ ansible.builtin.stat:
+ path: "/var/lib/edpm-config/firewall/kepler.yaml"
+ register: kepler_rule_source_exists
+- name: Assert kepler rule source file exists
+ ansible.builtin.assert:
+ that:
+ - kepler_rule_source_exists.stat.exists
+ fail_msg: "kepler rule source file does not exist"
+
+ - name: verify vnc nftables firewall rules
+ block:
+ - name: Run nft list command and grep for Kepler rule in EDPM_INPUT chain
+ become: true
+ ansible.builtin.shell: nft list table inet filter | awk '/chain EDPM_INPUT {/,/}/' | grep Kepler
+ register: kepler_chain_exists
+ - name: Assert that output from greping for VNC contains the correct rule
+ assert:
+ that:
+ - item | regex_search('\s+tcp dport 8888 ct state new counter packets \d+ bytes \d+ accept comment\s+')
+ loop: "{{ kepler_chain_exists.stdout_lines }}"
diff --git a/roles/edpm_telemetry_power_monitoring/molecule/default/verify.yml b/roles/edpm_telemetry_power_monitoring/molecule/default/verify.yml
index f161cf510..85a2aca80 100644
--- a/roles/edpm_telemetry_power_monitoring/molecule/default/verify.yml
+++ b/roles/edpm_telemetry_power_monitoring/molecule/default/verify.yml
@@ -50,3 +50,6 @@
 - "Copying /var/lib/openstack/config/polling.yaml to /etc/ceilometer/polling.yaml"
 - "/usr/bin/ceilometer-polling --polling-namespaces ipmi --logfile /dev/stdout"
 - "Copying /var/lib/openstack/config/ceilometer-host-specific.conf to /etc/ceilometer/ceilometer.conf.d/02-ceilometer-host-specific.conf"
+
+ - name: ensure firewall is configured
+ ansible.builtin.include_tasks: "test-helpers/kepler.yaml"
diff --git a/roles/edpm_telemetry_power_monitoring/tasks/main.yml b/roles/edpm_telemetry_power_monitoring/tasks/main.yml
index 2fce36e0c..83c5d2c88 100644
--- a/roles/edpm_telemetry_power_monitoring/tasks/main.yml
+++ b/roles/edpm_telemetry_power_monitoring/tasks/main.yml
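Review bot: The task names `verify vnc nftables firewall rules` and `Assert that output from greping for VNC contains the correct rule` describe VNC, but the block checks the Kepler rule on port 8888, so a failing run points at the wrong thing; rename them to `verify kepler nftables firewall rules` and `Assert that output from grepping for Kepler contains the correct rule`. The second assertion uses the short `assert:` while the first uses `ansible.builtin.assert:`; use the FQCN in both. Because the pipeline ends in `grep Kepler`, a missing rule fails at the shell task with a bare non-zero exit rather than at the assert, and when grep does match, the loop's regex is the only thing pinning `dport 8888` and `ct state new`; a `fail_msg: "Kepler rule in EDPM_INPUT does not match the expected tcp/8888 accept rule"` on the second assert would make that failure readable. The `that:` entry depends on `regex_search` returning the matched text (truthy) or nothing; that works, but a short comment stating it saves the next reader a lookup.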
@@ -22,3 +22,6 @@
 - name: Install telemetry power monitoring services
 ansible.builtin.import_tasks: install.yml
+
+ - name: Post-install
+ ansible.builtin.include_tasks: post-install.yml
diff --git a/roles/edpm_telemetry_power_monitoring/tasks/post-install.yml b/roles/edpm_telemetry_power_monitoring/tasks/post-install.yml
new file mode 100644
index 000000000..914b3e21c
--- /dev/null
+++ b/roles/edpm_telemetry_power_monitoring/tasks/post-install.yml
@@ -0,0 +1,26 @@
+---
+- name: Ensure firewall directory is present
+ become: true
+ ansible.builtin.file:
+ path: "/var/lib/edpm-config/firewall/"
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+ - name: Copy kepler firewall config
+ become: true
+ ansible.builtin.template:
+ src: "firewall.yaml.j2"
+ dest: "/var/lib/edpm-config/firewall/kepler.yaml"
+ mode: "0640"
+
+ - name: Configure firewall for kepler
+ ansible.builtin.include_role:
+ name: osp.edpm.edpm_nftables
+ tasks_from: "configure.yml"
+
+ - name: Reload firewall for kepler
+ ansible.builtin.include_role:
+ name: osp.edpm.edpm_nftables
+ tasks_from: "run.yml"
diff --git a/roles/edpm_telemetry_power_monitoring/templates/firewall.yaml.j2 b/roles/edpm_telemetry_power_monitoring/templates/firewall.yaml.j2
new file mode 100644
index 000000000..289957363
--- /dev/null
+++ b/roles/edpm_telemetry_power_monitoring/templates/firewall.yaml.j2
@@ -0,0 +1,7 @@
+---
+# Generated via edpm_telemetry_power_monitoring
+- rule_name: 000 Allow Kepler traffic
+ rule:
+ proto: tcp
+ dport:
+ - "8888"
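Review bot: The new entry uses `ansible.builtin.include_tasks` where the install step right above it uses `ansible.builtin.import_tasks`; the two are resolved at different times (import is static, include is dynamic), which changes how `--list-tasks` and tags see the post-install tasks. Unless the dynamic form is needed, `ansible.builtin.import_tasks: post-install.yml` keeps main.yml consistent with its sibling. The label `Post-install` is also vaguer than the install task's name; `Configure firewall for telemetry power monitoring` says what the included file does.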
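Review bot: The `Reload firewall for kepler` include runs on every execution of the role, not only when kepler.yaml changed, because the template task is not registered and neither `include_role` carries a `when:`; if the nftables role's configure and run steps are not meant to be re-run unconditionally, register the template result (`register: kepler_firewall_config`) and guard both includes with `when: kepler_firewall_config.changed`. `become: true` is set on the file and template tasks but not on the `osp.edpm.edpm_nftables` includes, so whether the nft configure/run steps execute privileged depends on the included role or the calling play — worth confirming, since ruleset changes need root. Quoting is mixed as well, `mode: '0750'` against `mode: "0640"`; both are correctly strings (which matters for octal modes), so just pick one style.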
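Review bot: The rule accepts TCP 8888 from any source — only `proto` and `dport` are given, with no source restriction — so the Kepler endpoint becomes reachable from every network the host is attached to; if the edpm_nftables rule schema supports a source or network restriction, scoping the rule to the network the metrics scraper uses is the least-privilege default, and if it does not, a comment under `# Generated via edpm_telemetry_power_monitoring` stating that the rule is intentionally open to all sources records the decision. The port `8888` is hard-coded here and again in the molecule regex (`tcp dport 8888`); if the role exposes the Kepler listen port as a variable, reference it from this template so the two cannot drift. Since the file contains no Jinja expressions, `ansible.builtin.template` adds nothing over `ansible.builtin.copy` here; that is fine if a variable is introduced, otherwise a plain file under `files/` is simpler.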