Merge "Limit access to sshd used for nova migration" into stable/victoria

changes/42/787242/1
Zuul 3 weeks ago
committed by Gerrit Code Review
parent
commit
ef28df61fc
2 changed files with 35 additions and 3 deletions
  1. +27 -3 deployment/nova/nova-migration-target-container-puppet.yaml
  2. +8 -0 releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml

+27 -3 deployment/nova/nova-migration-target-container-puppet.yaml

@ -89,9 +89,33 @@ outputs:
value:
service_name: nova_migration_target
firewall_rules:
'113 nova_migration_target':
dport:
- {get_param: MigrationSshPort}
map_merge:
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
template:
'113 nova_migration_target accept libvirt subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: {get_param: MigrationSshPort}
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, NovaApiNetwork]}
template:
'113 nova_migration_target accept api subnet <%net_cidr%>':
source: <%net_cidr%>
proto: 'tcp'
dport: {get_param: MigrationSshPort}
config_settings:
map_merge:
- get_attr: [SshdBase, role_data, config_settings]
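Review bot: the replaced rule accepted MigrationSshPort from any source, and the two map_merge branches that replace it only admit the CIDRs resolved from ServiceNetMap.NovaLibvirtNetwork and ServiceNetMap.NovaApiNetwork, so any host outside those networks (for example a host reaching the node over the ctlplane, if that was ever used for migration) loses connectivity to the port after this change; the hunk itself is fine, but this is a behaviour change on a stable branch and deserves an explicit upgrade remark in the release note rather than only "limits the access". Two smaller points: the `proto: 'tcp'` key is new compared with the old rule, which had no proto and therefore matched every protocol, so the tightening is slightly broader than the rule names suggest (worth a word in the commit message), and when NovaLibvirtNetwork and NovaApiNetwork map to the same network both repeats emit rules for the same CIDRs under the distinct names `accept libvirt subnet <%net_cidr%>` and `accept api subnet <%net_cidr%>`, which is harmless duplication but could be folded into one rule set if the maintainers prefer fewer iptables entries.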


+8 -0 releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml

@ -0,0 +1,8 @@
---
fixes:
- |
Previously access to the sshd running by the nova-migration-target
container is only limited via the sshd_config. While login is
not possible from other networks, the service is reachable via
all networks. This change limits the access to the NovaLibvirt
and NovaApi networks which are used for cold and live-migration.
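Review bot: the note names the outcome but not the mechanism or the operator-visible consequence; it should say that the restriction is applied through the nova_migration_target firewall_rules (the sshd_config restriction remains as the second layer) and that sources outside the NovaLibvirt and NovaApi networks can no longer reach MigrationSshPort, so operators with a non-default migration path know to review their ServiceNetMap before upgrading. Also, the tense is mixed: "Previously access ... is only limited" should read "was only limited", and "the sshd running by the nova-migration-target container" reads better as "the sshd run by the nova-migration-target container".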