diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml
index ba4682a5d0..fcf27f5651 100644
--- a/deployment/nova/nova-migration-target-container-puppet.yaml
+++ b/deployment/nova/nova-migration-target-container-puppet.yaml
@@ -89,9 +89,33 @@ outputs:
 value:
 service_name: nova_migration_target
 firewall_rules:
- '113 nova_migration_target':
- dport:
- - {get_param: MigrationSshPort}
+ map_merge:
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ template:
+ '113 nova_migration_target accept libvirt subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
+ - map_merge:
+ repeat:
+ for_each:
+ <%net_cidr%>:
+ get_param:
+ - ServiceData
+ - net_cidr_map
+ - {get_param: [ServiceNetMap, NovaApiNetwork]}
+ template:
+ '113 nova_migration_target accept api subnet <%net_cidr%>':
+ source: <%net_cidr%>
+ proto: 'tcp'
+ dport: {get_param: MigrationSshPort}
 config_settings:
 map_merge:
 - get_attr: [SshdBase, role_data, config_settings]
diff --git a/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
new file mode 100644
index 0000000000..ea1577eec0
--- /dev/null
+++ b/releasenotes/notes/nova_migration_limit_access-20be8d69686ca95c.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Previously access to the sshd running by the nova-migration-target
+ container is only limited via the sshd_config. While login is
+ not possible from other networks, the service is reachable via
+ all networks. This change limits the access to the NovaLibvirt
+ and NovaApi networks which are used for cold and live-migration.
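Review bot: The `source: <%net_cidr%>` on both new '113 nova_migration_target accept …' rules admits every host on the NovaLibvirt and NovaApi subnets, not just compute nodes, so the sshd_config `Match`/`AllowUsers` restrictions pulled in from `SshdBase` remain the actual authentication boundary and must not be relaxed on the strength of this firewall change; the release note should say the two layers are complementary. The two near-identical `map_merge`/`repeat` loops carry no comment on why both networks are needed; I would put the rationale from the release note above the first `map_merge:` as `# live migration (libvirt) arrives on NovaLibvirtNetwork, cold migration on NovaApiNetwork; both need MigrationSshPort`. The removed rule set no `proto`, so if tripleo::firewall's default was anything other than tcp the explicit `proto: 'tcp'` now also stops opening UDP on that port — worth one sentence in the note if so. If `net_cidr_map` can hold IPv6 CIDRs for these networks, confirm the firewall module emits ip6tables rules for such sources, otherwise IPv6 migration traffic would hit the default deny once this lands. The enclosing `outputs:` block starts before this hunk.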