Saturday, June 11, 2016

Opening Ports for Openstack in Firewalld

Last week I wrote a post about opening ports in Ubuntu's ufw firewall when using Devstack (upstream Openstack). Today I will show you how to do the same thing in the firewalld dynamic firewall, which is now the default in RHEL 7+ and Fedora.

The ports to be opened are the same, but you must also enable two additional services in firewalld, namely http and vnc-server. If you don't enable the former, you will be unable to access the Horizon web UI, and if you don't enable the latter, you will not be able to see the instance console through Horizon when you launch an instance on Nova compute.

With ufw, by contrast, http port 80 was open by default and vnc worked simply by opening 6080/tcp.

I wrote a Bash script that opens the necessary ports for Openstack in firewalld. I have tested it on Openstack Kilo running on Fedora 23. You can find the script at the following link:

https://gitlab.com/gojun077/openstack-conf/blob/67f98aa4b93ab268e386028ec0e764547d0a1bb2/firewalld_openstack_rdo.sh

#!/bin/bash
# firewalld_openstack_rdo.sh
# Created by Jun Go gojun077@gmail.com
# Last Updated 2016-06-07

# Script that will permanently open ports needed by
# Redhat Distribution of Openstack (RDO) in Firewalld

# Tested with Openstack Kilo RDO 7

# This script must be run as root, because firewall-cmd --permanent
# writes to /etc/firewalld; bail out early otherwise.
if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

# DEFAULT FIREWALLD ZONE
DZONE=FedoraServer

#################
#   NETWORK
#   IFACES
#################
EXT0=br-ex
INT0=br-enp5s0

#################
#   TCP PORTS
#################
AMQP=5672
CEILOM=8777
CINDER=8776
GLANCE=9292
GLANCEREG=9191
NEUTRON=9696
NOVNCPROX=6080
#NOVAEC2=8773
#NOVAMETA=8775
#NOVAISCSI=3260
#NOVAREDIS=6379
#NOVAS3=3333
SHEEPDOG=7000

#################
#   UDP PORTS
#################
CEILUDP=4952
OVSNEUTRONVXLAN=4789

TCPPORTS=(
  "$AMQP"
  "$CEILOM"
  "$CINDER"
  "$GLANCE"
  "$GLANCEREG"
  "$NEUTRON"
  "$NOVNCPROX"
  "$SHEEPDOG"
)

UDPPORTS=(
  "$CEILUDP"
  "$OVSNEUTRONVXLAN"
)

# ADD NETWORK IFACES TO DEFAULT ZONE
firewall-cmd --permanent --zone=$DZONE --add-interface=$EXT0
firewall-cmd --permanent --zone=$DZONE --add-interface=$INT0

# ENABLE SERVICES REQ'D FOR OPENSTACK
# Horizon (http)
firewall-cmd --permanent --zone=$DZONE --add-service=http
# vnc-server (for some reason, enabling TCP 6080 is not enough)
firewall-cmd --permanent --zone=$DZONE --add-service=vnc-server

# Open each TCP port in the permanent config of the chosen zone
for i in "${TCPPORTS[@]}"; do
  firewall-cmd --permanent --zone="$DZONE" --add-port="$i"/tcp
done

# Open each UDP port in the permanent config of the chosen zone
for j in "${UDPPORTS[@]}"; do
  firewall-cmd --permanent --zone="$DZONE" --add-port="$j"/udp
done

# Apply permanent rules as the current runtime config
firewall-cmd --reload

# List the zone's firewall info (interfaces, services, ports) so the
# result can be checked against what was intended
firewall-cmd --zone="$DZONE" --list-all
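As an added check that is not part of the original post or the script above, the following Bash snippet audits a zone against the set of ports and services the script is meant to open, reporting both what is missing and what is open without being intended. It assumes constructed sample strings standing in for the output of `firewall-cmd --zone=... --list-ports` and `--list-services`; on a real host you would substitute the live output.

```shell
#!/bin/bash
# Added example, not part of the original post or the script above:
# audit a firewalld zone so the rule set matches what the script intended,
# flagging ports/services that are missing AND ones that are open but
# should not be (the latter is what a least-privilege review cares about).

# Expected values taken from the post's script.
EXPECTED_PORTS="5672/tcp 8777/tcp 8776/tcp 9292/tcp 9191/tcp 9696/tcp 6080/tcp 7000/tcp 4952/udp 4789/udp"
EXPECTED_SERVICES="cockpit dhcpv6-client ssh http vnc-server"

# Constructed sample output standing in for
#   firewall-cmd --zone="$DZONE" --list-ports
#   firewall-cmd --zone="$DZONE" --list-services
# on a hypothetical host: 9191/tcp was never added, 3306/tcp is open
# although nothing in the script opens it, and vnc-server is absent.
SAMPLE_PORTS="5672/tcp 8777/tcp 8776/tcp 9292/tcp 9696/tcp 6080/tcp 7000/tcp 4952/udp 4789/udp 3306/tcp"
SAMPLE_SERVICES="cockpit dhcpv6-client ssh http"

# audit_set EXPECTED ACTUAL
# Both arguments are space-separated lists. Prints one "MISSING x" line
# per expected item not present and one "UNEXPECTED y" line per actual
# item not expected; returns 0 only when the two sets are identical.
audit_set() {
  local expected="$1" actual="$2" rc=0 item
  for item in $expected; do
    case " $actual " in
      *" $item "*) ;;
      *) echo "MISSING $item"; rc=1 ;;
    esac
  done
  for item in $actual; do
    case " $expected " in
      *" $item "*) ;;
      *) echo "UNEXPECTED $item"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run against the constructed sample; on a real host replace the SAMPLE_*
# variables with the firewall-cmd output quoted above.
audit_set "$EXPECTED_PORTS" "$SAMPLE_PORTS" || echo "ports differ from expected"
audit_set "$EXPECTED_SERVICES" "$SAMPLE_SERVICES" || echo "services differ from expected"
```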