From c04c9b0d701abb91ddacf0fd5320899d907e6cf1 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Wed, 31 Mar 2021 11:10:01 +0200
Subject: [PATCH] Limit access to sshd used for nova migration
Previously access to the sshd running by the nova-migration-target container is only limited via the sshd_config. While login is not possible from other networks, the service is reachable via all networks. This change limits the access to the NovaLibvirt and NovaApi networks which are used for cold and live-migration.
Change-Id: Ie868463143af66c7004dbcacefde76ca0977880e
---
 ...ova-migration-target-container-puppet.yaml | 30 +++++++++++++++++--
 ...gration_limit_access-20be8d69686ca95c.yaml | 8 +++++
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml
index 3b7dbe6d2c..cc66326ab2 100644
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@@ -85,9 +85,33 @@ outputs:
 value:
 service_name: nova_migration_target
 firewall_rules:
- '113 nova_migration_target':
- dport:
- - {get_param: MigrationSshPort}
+ map_merge:
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ template:
+ '113 nova_migration_target accept libvirt subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaApiNetwork]}
+ template:
+ '113 nova_migration_target accept api subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
 config_settings:
 map_merge:
 - get_attr: [SshdBase, role_data, config_settings]
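Review bot: The hunk drops the source-unrestricted `'113 nova_migration_target'` rule from the template, but nothing in the change removes that rule from nodes that already carry it; unless the firewall tooling purges rules it no longer manages, updated hosts may keep the old any-source accept on MigrationSshPort next to the two new subnet-scoped rules, so the restriction would only take effect on fresh deployments — worth confirming with an update test. The new rules also depend on `net_cidr_map` having an entry for both NovaLibvirtNetwork and NovaApiNetwork; if a deployment maps either service network to one absent from the map, the get_param lookup presumably fails the stack or produces no rule at all (fail-closed), and that expectation should be stated. A short comment above `firewall_rules:` would help the next maintainer, e.g. `# Restrict the migration sshd port to the NovaLibvirt and NovaApi subnets used for cold and live migration; sshd_config still limits who may log in.` The role_data value mapping this hunk edits begins and ends outside the hunk.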
diff --git a/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
new file mode 100644
index 0000000000..ea1577eec0
--- /dev/null
+++ b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Previously access to the sshd running by the nova-migration-target
+ container is only limited via the sshd_config. While login is
+ not possible from other networks, the service is reachable via
+ all networks. This change limits the access to the NovaLibvirt
+ and NovaApi networks which are used for cold and live-migration.