Limit access to sshd used for nova migration
Previously, access to the sshd run by the nova-migration-target
container was only limited via the sshd_config. While login is
not possible from other networks, the service is reachable via
all networks. This change limits the access to the NovaLibvirt
and NovaApi networks, which are used for cold and live migration.
Change-Id: Ie868463143af66c7004dbcacefde76ca0977880e
(cherry picked from commit c04c9b0d70)
parent 5171cd3d7a
commit 9befbde219
|
@ -89,9 +89,33 @@ outputs:
|
|||
value:
|
||||
service_name: nova_migration_target
|
||||
firewall_rules:
|
||||
'113 nova_migration_target':
|
||||
dport:
|
||||
- {get_param: MigrationSshPort}
|
||||
map_merge:
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
template:
|
||||
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: {get_param: MigrationSshPort}
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
template:
|
||||
'113 nova_migration_target accept api subnet <%net_cidr%>':
|
||||
source: <%net_cidr%>
|
||||
proto: 'tcp'
|
||||
dport: {get_param: MigrationSshPort}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [SshdBase, role_data, config_settings]
|
||||
|
|
|
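Review bot: the two `repeat` blocks under the outer `map_merge` (the "accept libvirt subnet" and "accept api subnet" templates) emit distinct rule names for the same port, so when `ServiceNetMap` maps `NovaLibvirtNetwork` and `NovaApiNetwork` to the same network the node ends up with two identical accept rules per CIDR from that network's `net_cidr_map` entry, differing only in the comment. Harmless, but worth either a template comment saying this is expected or a deduplication of the CIDR list before the `repeat`, since the resulting rule set is otherwise confusing to read on a node. Also confirm that adding `proto: 'tcp'` to the new rules matches what the removed `'113 nova_migration_target'` rule (which carried only `dport`) allowed implicitly, so that only TCP on `MigrationSshPort` was open before and nothing else is being closed unintentionally.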
@ -0,0 +1,8 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Previously access to the sshd running by the nova-migration-target
|
||||
container is only limited via the sshd_config. While login is
|
||||
not possible from other networks, the service is reachable via
|
||||
all networks. This change limits the access to the NovaLibvirt
|
||||
and NovaApi networks which are used for cold and live-migration.
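Review bot: the first sentence of the release note reads awkwardly ("the sshd running by the nova-migration-target container is only limited"); suggest "the sshd run by the nova-migration-target container was only limited via sshd_config". Since this narrows the network exposure of a service rather than fixing a functional defect, the `security` reno section would describe it better than `fixes`, and naming the `ServiceNetMap` keys involved (`NovaLibvirtNetwork`, `NovaApiNetwork`) would tell operators with custom network maps which entries now govern access to the migration port.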
|