Merge "Limit access to sshd used for nova migration"

This commit is contained in:
Zuul 2021-04-13 18:17:42 +00:00 committed by Gerrit Code Review
commit 35ce618084
2 changed files with 35 additions and 3 deletions

View File

@ -71,9 +71,33 @@ outputs:
value:
service_name: nova_migration_target
firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
map_merge:
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
template:
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: {get_param: MigrationSshPort}
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, NovaApiNetwork]}
template:
'113 nova_migration_target accept api subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: {get_param: MigrationSshPort}
config_settings:
map_merge:
- get_attr: [SshdBase, role_data, config_settings]

View File

@ -0,0 +1,8 @@
---
fixes:
- |
Previously access to the sshd running by the nova-migration-target
container is only limited via the sshd_config. While login is
not possible from other networks, the service is reachable via
all networks. This change limits the access to the NovaLibvirt
and NovaApi networks which are used for cold and live-migration.