Merge "Limit access to sshd used for nova migration" into stable/train
commit
1fac8174fc
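--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -117,9 +117,33 @@ outputs:
 tripleo::profile::base::sshd::port:
 - 22
 tripleo::nova_migration_target::firewall_rules:
-'113 nova_migration_target':
-dport:
-- {get_param: MigrationSshPort}
+map_merge:
+- map_merge:
+repeat:
+for_each:
+<%net_cidr%>:
+get_param:
+- ServiceData
+- net_cidr_map
+- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+template:
+'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
+source: <%net_cidr%>
+proto: 'tcp'
+dport: {get_param: MigrationSshPort}
+- map_merge:
+repeat:
+for_each:
+<%net_cidr%>:
+get_param:
+- ServiceData
+- net_cidr_map
+- {get_param: [ServiceNetMap, NovaApiNetwork]}
+template:
+'113 nova_migration_target accept api subnet <%net_cidr%>':
+source: <%net_cidr%>
+proto: 'tcp'
+dport: {get_param: MigrationSshPort}
 puppet_config:
 config_volume: nova_libvirt
 step_config: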
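Review bot: The new `tripleo::nova_migration_target::firewall_rules` value carries no comment explaining why exactly the NovaLibvirt and NovaApi networks are opened, so a later edit could reintroduce an unscoped `dport`-only rule like the removed `'113 nova_migration_target'` without noticing the regression; add above the outer `map_merge:` a line such as `# Migration sshd accepts only from the NovaLibvirt (live migration) and NovaApi (cold migration) subnets; the sshd_config restrictions remain the second layer.` The two `map_merge`/`repeat` branches differ only in the ServiceNetMap key and the rule label, so they could be collapsed into one `repeat` over a `list_concat` of both CIDR lists, which keeps both subnet sets covered while leaving a single place to maintain. If both networks resolve to the same CIDR the generated rule keys differ only by the `libvirt`/`api` label, so two equivalent accept rules are emitted, which is harmless but worth knowing when auditing the resulting iptables set. The enclosing `outputs:` mapping begins before this hunk.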
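--- /dev/null
+++ b/<release note path not shown on page>
@@ -0,0 +1,8 @@
+---
+fixes:
+- |
+Previously access to the sshd running by the nova-migration-target
+container is only limited via the sshd_config. While login is
+not possible from other networks, the service is reachable via
+all networks. This change limits the access to the NovaLibvirt
+and NovaApi networks which are used for cold and live-migration.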