Skip to content

Commit 128da2e

Browse files
Alex-WelshAlex-Welsh
committed
Firewall doc review changes
1 parent 7dbed8b commit 128da2e

File tree

1 file changed

+24
-13
lines changed

1 file changed

+24
-13
lines changed

doc/source/configuration/firewall.rst

Lines changed: 24 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -15,14 +15,17 @@ The firewall configuration is provided in
1515
Enabling StackHPC firewalld rules
1616
=================================
1717

18-
The standardised firewalld configuration is not used by default and must be
19-
actively opted into. This can be done as follows:
18+
The standardised firewalld configuration is not enabled by default and must be
19+
actively opted into. To do so, make the following changes in
20+
``etc/kayobe/<group>.yml`` (or
21+
``etc/kayobe/environments/<enviroment>/<group>.yml`` if environments are being
22+
used).
2023

2124
Controller firewalld Configuration
2225
----------------------------------
2326

2427
.. code-block:: yaml
25-
:caption: ``etc/kayobe/controllers.yml``
28+
:caption: ``controllers.yml``
2629
2730
###############################################################################
2831
# Controller node firewalld configuration.
@@ -51,7 +54,7 @@ Compute firewalld Configuration
5154
-------------------------------
5255

5356
.. code-block:: yaml
54-
:caption: ``etc/kayobe/compute.yml``
57+
:caption: ``compute.yml``
5558
5659
###############################################################################
5760
# Compute node firewalld configuration.
@@ -80,7 +83,7 @@ Storage firewalld Configuration
8083
-------------------------------
8184

8285
.. code-block:: yaml
83-
:caption: ``etc/kayobe/storage.yml``
86+
:caption: ``storage.yml``
8487
8588
###############################################################################
8689
# storage node firewalld configuration.
@@ -109,7 +112,7 @@ Monitoring firewalld Configuration
109112
----------------------------------
110113

111114
.. code-block:: yaml
112-
:caption: ``etc/kayobe/monitoring.yml``
115+
:caption: ``monitoring.yml``
113116
114117
###############################################################################
115118
# monitoring node firewalld configuration.
@@ -141,7 +144,7 @@ The standard firewalld configuration has rules for wazuh-manager and Ansible
141144
control host Infrastructure VMs.
142145

143146
.. code-block:: yaml
144-
:caption: ``etc/kayobe/infra-vms.yml``
147+
:caption: ``infra-vms.yml``
145148
146149
###############################################################################
147150
# Infrastructure VM node firewalld configuration
@@ -170,7 +173,7 @@ Seed firewalld Configuration
170173
----------------------------
171174

172175
.. code-block:: yaml
173-
:caption: ``etc/kayobe/seed.yml``
176+
:caption: ``seed.yml``
174177
175178
###############################################################################
176179
# seed node firewalld configuration.
@@ -199,7 +202,7 @@ Seed Hypervisor firewalld Configuration
199202
---------------------------------------
200203

201204
.. code-block:: yaml
202-
:caption: ``etc/kayobe/seed_hypervisor.yml``
205+
:caption: ``seed_hypervisor.yml``
203206
204207
###############################################################################
205208
# seed_hypervisor node firewalld configuration.
@@ -230,6 +233,7 @@ Custom rules
230233
Custom firewalld rules can be added for any of the following groups using their
231234
corresponding variables:
232235

236+
* All hosts - ``stackhpc_common_firewalld_rules_extra``
233237
* Controllers - ``stackhpc_controller_firewalld_rules_extra``
234238
* Compute - ``stackhpc_compute_firewalld_rules_extra``
235239
* Storage - ``stackhpc_storage_firewalld_rules_extra``
@@ -240,7 +244,8 @@ corresponding variables:
240244
* Seed Hypervisor - ``stackhpc_seed_hypervisor_firewalld_rules_extra``
241245

242246
Each variable is a list of firewall rules to apply. Each item is a dict
243-
containing arguments to pass to the firewalld module.
247+
containing arguments to pass to the firewalld module. The variables can be
248+
defined as group vars, host vars, or in the extra vars files.
244249

245250
The example below would enable SSH on the ``provision_oc`` network, and disable
246251
UDP port 1000 on the ``admin_oc`` network for the Wazuh manager Infrastructure
@@ -265,8 +270,8 @@ way to override rules in the standard configuration, other than to find the
265270
rule and delete it manually. If you find a standard rule that does not work for
266271
your deployment, please consider merging your changes back in to upstream SKC.
267272

268-
Applying changes
269-
----------------
273+
Validation
274+
----------
270275

271276
The ``kayobe configuration dump`` command can be used to view all the rules
272277
that will be applied to a host.
@@ -281,6 +286,9 @@ other variables such as ``stackhpc_firewalld_rules_unverified`` or
281286
``stackhpc_*_firewalld_rules`` to debug the configuration. See the `How it
282287
works`_ section for more details.
283288

289+
Kolla-Ansible configuration
290+
---------------------------
291+
284292
Ensure Kolla Ansible opens up ports in firewalld for services on the public
285293
API network:
286294

@@ -295,7 +303,10 @@ configuration is to set the internal network zone to ``trusted`` and every
295303
other zone to the name of the network. See
296304
``etc/kayobe/environments/ci-multinode/networks.yml`` for a practical example.
297305

298-
Apply the changes:
306+
Applying changes
307+
----------------
308+
309+
Use the ``kayobe * host configure`` commands to apply the changes:
299310

300311
.. code-block:: bash
301312

0 commit comments

Comments
 (0)