Fix sshd firewall rule

After migration to tripleo-ansible firewall role with [1],
firewall rules for sshd were not applied correctly as value
of heat param SshFirewallAllowAll was not being honored.
This patch fixes it by using conditions properly.

Issue was not hit in CI in CentOS7 jobs as rule to allow
access to port 22 is done while creating nodepool images with
nodepool-base element. Issue got visible in rhel8 jobs (rhel8
nodepool images don't have nodepool-base element applied due
to [3]) after [2] was merged which fixed apply of DROP rules.

[1] https://review.opendev.org/#/c/677237/
[2] https://review.opendev.org/#/c/699692/
[3] https://softwarefactory-project.io/r/#/c/15863/

Closes-Bug: #1857463
Change-Id: Ifd5db368d63e89150c5c46877cd20e1e4a65a08c
yatinkarel 2020-01-01 12:58:42 +05:30
parent 5a0d0a4730
commit 318ec87c36

@ -70,23 +70,20 @@ parameters:
description: Set this to true to open up ssh access from all sources.
type: boolean
conditions:
ssh_firewall_allow_all: {equals: [{get_param: SshFirewallAllowAll}, true]}
outputs:
role_data:
description: Role data for the ssh
value:
service_name: sshd
if:
- {get_param: SshFirewallAllowAll}
- firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
- firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: 'absent'
firewall_rules:
'003 accept ssh from all':
proto: 'tcp'
dport: 22
extras:
ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}
config_settings:
tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
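
Review bot: the false branch of `ensure: {if: [ssh_firewall_allow_all, 'present', 'absent']}` under `firewall_rules` actively removes '003 accept ssh from all', but nothing in this hunk says which rule keeps port 22 reachable for the intended sources once that rule is absent. Please add a short comment above `firewall_rules` naming where the restricted SSH rule is defined, so a reader can confirm that setting SshFirewallAllowAll to false does not leave the node without SSH access after the DROP rules apply. Since the commit message explains that CentOS7 CI masked the bug because the image already allowed port 22, it would also help to have a job or check that asserts the rendered `ensure` value for both true and false.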