Merge "Limit access to sshd used for nova migration" into stable/train
This commit is contained in:
Zuul
Gerrit Code Review
commit
1fac8174fc
|
|
@ -117,9 +117,33 @@ outputs:
|
|||
tripleo::profile::base::sshd::port:
|
||||
- 22
|
||||
tripleo::nova_migration_target::firewall_rules:
|
||||
'113 nova_migration_target':
|
||||
dport:
|
||||
- {get_param: MigrationSshPort}
|
||||
map_merge:
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
template:
|
||||
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: {get_param: MigrationSshPort}
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
template:
|
||||
'113 nova_migration_target accept api subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: {get_param: MigrationSshPort}
|
||||
puppet_config:
|
||||
config_volume: nova_libvirt
|
||||
step_config:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Previously access to the sshd running by the nova-migration-target
|
||||
container is only limited via the sshd_config. While login is
|
||||
not possible from other networks, the service is reachable via
|
||||
all networks. This change limits the access to the NovaLibvirt
|
||||
and NovaApi networks which are used for cold and live-migration.
|
||||
Loading…
Reference in New Issue