Fix sshd firewall rule
After migration to tripleo-ansible firewall role with [1], firewall rules for sshd were not applied correctly as value of heat param SshFirewallAllowAll was not being honored. This patch fixes it by using conditions properly.

Issue was not hit in CI in CentOS7 jobs as rule to allow access to port 22 is done while creating nodepool images with nodepool-base element. Issue got visible in rhel8 jobs (rhel8 nodepool images don't have nodepool-base element applied due to [3]) after [2] was merged which fixed apply of DROP rules.

[1] https://review.opendev.org/#/c/677237/
[2] https://review.opendev.org/#/c/699692/
[3] https://softwarefactory-project.io/r/#/c/15863/

Closes-Bug: #1857463
Change-Id: Ifd5db368d63e89150c5c46877cd20e1e4a65a08c
parent 5a0d0a4730
commit 318ec87c36
@ -70,23 +70,20 @@ parameters:
|
||||
description: Set this to true to open up ssh access from all sources.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the ssh
|
||||
value:
|
||||
service_name: sshd
|
||||
if:
|
||||
- {get_param: SshFirewallAllowAll}
|
||||
- firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
- firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
extras:
|
||||
ensure: 'absent'
|
||||
firewall_rules:
|
||||
'003 accept ssh from all':
|
||||
proto: 'tcp'
|
||||
dport: 22
|
||||
extras:
|
||||
ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
|
||||
config_settings:
|
||||
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
|
||||
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
|
||||
|
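Review bot: the SshFirewallAllowAll description at the top of this hunk ("Set this to true to open up ssh access from all sources") does not say what false does, and with the new "ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}" under extras, false now actively removes rule '003 accept ssh from all' while nothing in this hunk adds a narrower rule for port 22. Suggest extending the description to state that false deletes the rule, so operators know ssh access then depends on a rule defined elsewhere once DROP rules are applied. The commit message says the CentOS7 jobs hid the bug because the nodepool image already opened port 22, so a check that the rendered firewall_rules entry carries 'present' for true and 'absent' for false would keep this from regressing unnoticed.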