Browse Source

Use zuul firewall rules in gate

Till now we've been flusing iptables in the gates to allow cross node
communication in the multi node ceph jobs. This raised security
concerns, in particular it exposed memcached to the external net.

This patch uses the infra provided role 'multi-node-firewall' in order
to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
for help with this.

Closes-Bug: #1749326
Change-Id: Iafaf1cf1d9b0227b0f869969d0bd52fbde3791a0
tags/7.0.0.0b2
Paul Bourke 1 year ago
parent
commit
404d4d0a50
2 changed files with 4 additions and 7 deletions
  1. +2
    -0
      .zuul.yaml
  2. +2
    -7
      tests/pre.yml

+ 2
- 0
.zuul.yaml View File

@@ -71,6 +71,8 @@
- ^doc/.*
vars:
scenario: aio
roles:
- zuul: openstack-infra/zuul-jobs

- job:
name: kolla-ansible-centos-source

+ 2
- 7
tests/pre.yml View File

@@ -29,10 +29,5 @@
hostname:
name: "{{ inventory_hostname }}"
become: true

# TODO(inc0): we're dropping iptables rules but in fact we should create
# linuxbridge-managed tunnels for control and dataplane

- name: Drop iptables rules
command: "iptables -F"
become: true
roles:
- multi-node-firewall

Loading…
Cancel
Save