Merge "Limit access to sshd used for nova migration"
commit 35ce618084
@ -71,9 +71,33 @@ outputs:
|
||||||
value:
|
value:
|
||||||
service_name: nova_migration_target
|
service_name: nova_migration_target
|
||||||
firewall_rules:
|
firewall_rules:
|
||||||
'113 nova_migration_target':
|
map_merge:
|
||||||
dport:
|
- map_merge:
|
||||||
- {get_param: MigrationSshPort}
|
repeat:
|
||||||
|
for_each:
|
||||||
|
<%net_cidr%>:
|
||||||
|
get_param:
|
||||||
|
- ServiceData
|
||||||
|
- net_cidr_map
|
||||||
|
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
template:
|
||||||
|
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
|
||||||
|
source: <%net_cidr%>
|
||||||
|
proto: 'tcp'
|
||||||
|
dport: {get_param: MigrationSshPort}
|
||||||
|
- map_merge:
|
||||||
|
repeat:
|
||||||
|
for_each:
|
||||||
|
<%net_cidr%>:
|
||||||
|
get_param:
|
||||||
|
- ServiceData
|
||||||
|
- net_cidr_map
|
||||||
|
- {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||||
|
template:
|
||||||
|
'113 nova_migration_target accept api subnet <%net_cidr%>':
|
||||||
|
source: <%net_cidr%>
|
||||||
|
proto: 'tcp'
|
||||||
|
dport: {get_param: MigrationSshPort}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [SshdBase, role_data, config_settings]
|
- get_attr: [SshdBase, role_data, config_settings]
|
||||||
|
|
|
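Review bot: When NovaLibvirtNetwork and NovaApiNetwork resolve to the same network in ServiceNetMap, the two repeat blocks in this hunk generate a rule per CIDR each, differing only in the "accept libvirt subnet" / "accept api subnet" text of the key, so the map_merge keeps both and puppet ends up with two identical accept rules per CIDR for MigrationSshPort; harmless, but a short comment above the outer map_merge (or a dedupe when both params name the same network) would save the next reader a puzzle. On the positive side, the old key `'113 nova_migration_target'` no longer appears on the new side, so the unrestricted accept rule is replaced rather than left in place alongside the scoped ones. Please also double check that `source: <%net_cidr%>` restricts both address families when net_cidr_map carries IPv6 CIDRs for these networks, since the whole point of the change is that nothing outside those two networks can reach the port; the repeat itself looks correct, the lookup `{get_param: [ServiceNetMap, NovaLibvirtNetwork]}` tracks any deployer override of the network assignment.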
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Previously access to the sshd running by the nova-migration-target
|
||||||
|
container is only limited via the sshd_config. While login is
|
||||||
|
not possible from other networks, the service is reachable via
|
||||||
|
all networks. This change limits the access to the NovaLibvirt
|
||||||
|
and NovaApi networks which are used for cold and live-migration.
|
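Review bot: The release note has two grammar slips that should be fixed before merge: "the sshd running by the nova-migration-target container" should read "the sshd run by the nova-migration-target container", and "Previously access ... is only limited" mixes tenses and should be "Previously, access ... was only limited". Since the change narrows network exposure of a listening sshd rather than fixing a functional defect, consider placing the note under reno's `security:` section (or adding one) instead of, or in addition to, `fixes:`, and adding an `upgrade:` line stating that after the update the sshd on MigrationSshPort is no longer reachable from networks other than NovaLibvirt and NovaApi, so operators know why connections from elsewhere start failing.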