diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml
index e296da7a82..9d7f01c051 100644
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@@ -117,9 +117,33 @@ outputs:
 tripleo::profile::base::sshd::port:
 - 22
 tripleo::nova_migration_target::firewall_rules:
- '113 nova_migration_target':
- dport:
- - {get_param: MigrationSshPort}
+ map_merge:
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ template:
+ '113 nova_migration_target accept libvirt subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaApiNetwork]}
+ template:
+ '113 nova_migration_target accept api subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
 puppet_config:
 config_volume: nova_libvirt
 step_config:
diff --git a/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
new file mode 100644
index 0000000000..ea1577eec0
--- /dev/null
+++ b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Previously access to the sshd running by the nova-migration-target
+ container is only limited via the sshd_config. While login is
+ not possible from other networks, the service is reachable via
+ all networks. This change limits the access to the NovaLibvirt
+ and NovaApi networks which are used for cold and live-migration.
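Review bot: The new `tripleo::nova_migration_target::firewall_rules` value carries no comment saying why the single accept rule became two source-filtered `repeat` blocks, and the reason (reachability, not authentication) is only in the release note, which nobody reads next to the template; add above `map_merge:` the line `# Accept the migration sshd port only from the libvirt/API subnets: sshd_config only rejects logins, it does not stop other networks from reaching the port.`. The restriction is purely an L3 source match on the CIDRs listed in `ServiceData.net_cidr_map`, so it presumably depends on every subnet of those networks (including any IPv6 prefixes) being present in the map; a compute node addressed outside those entries would lose migration rather than be rejected at login, which is worth stating in the same comment. When `NovaLibvirtNetwork` and `NovaApiNetwork` resolve to the same network the two templates emit two rules with identical match but different names, which looks harmless but is worth a one-line note so the duplication is not mistaken for a bug. The `outputs:` mapping this hunk belongs to starts and ends outside the hunk.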