Make libvirt safe again

At the current moment libvirt is not authenticated and listens
all incoming connection on his port.
The current patch proposes:
1. Use unix socket to connect to libvirt from nova compute
so it won't be affected by
2. protect libvirt port with firewall.
so we will drop all connections to libvirt port from anywhere.
Live migrations seems not be affected because at the current
configuration it seems libvirt uses another randomly-chosen port.

Rel-Prod: 15651
Change-Id: I1dcca1ad34029b5c158c4013036f33827255235b
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 5d0e6a1..e8b29cc 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -1,5 +1,6 @@
 classes:
 - service.nova.compute.kvm
+- service.iptables.server
 parameters:
   _param:
     nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -94,3 +95,15 @@
         public_key: ${_param:nova_compute_ssh_public}
         private_key: ${_param:nova_compute_ssh_private}
       my_ip: ${_param:single_address}
+      libvirt:
+        uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+  iptables:
+    service:
+      enabled: true
+      chain:
+        INPUT:
+          rules:
+            # deny any connections to libvirt port
+            - destination_port: 16509
+              protocol: tcp
+              jump: DROP
\ No newline at end of file
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index b915145..d5126df 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -2,6 +2,7 @@
 - nova
 classes:
 - service.nova.compute.kvm
+- service.iptables.server
 parameters:
   _param:
     nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -90,3 +91,15 @@
         public_key: ${_param:nova_compute_ssh_public}
         private_key: ${_param:nova_compute_ssh_private}
       my_ip: ${_param:single_address}
+      libvirt:
+        uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+  iptables:
+    service:
+      enabled: true
+      chain:
+        INPUT:
+          rules:
+            # deny any connections to libvirt port
+            - destination_port: 16509
+              protocol: tcp
+              jump: DROP
\ No newline at end of file