Bug 1305123
| Summary: | RFE: configure iptables rules on overcloud hosts | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Omri Hochman <ohochman> |
| Component: | rhosp-director | Assignee: | Angus Thomas <athomas> |
| Status: | CLOSED WONTFIX | QA Contact: | yeylon <yeylon> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 (Kilo) | CC: | dbecker, dmacpher, dsneddon, emacchi, kbasil, mburns, morazi, oblaut, rhel-osp-director-maint, srevivo |
| Target Milestone: | y3 | Keywords: | FutureFeature, Triaged |
| Target Release: | 7.0 (Kilo) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: |
OSP 7 does not configure iptables or any other firewall on the overcloud bare metal nodes. It is recommended that the provisioning network be protected with an Access Control List (ACL) that allows outbound traffic from the overcloud nodes for DNS, NTP, and updates, but that inbound access be limited.
Since the provisioning network is typically the only routed data path for the compute nodes and storage nodes, this will ensure that the compute and storage nodes are protected.
Customers may also wish to configure firwalls for the controller nodes, in order to limit access to the Public APIs. This can be done with either with a firewall in the data path above the controller nodes, or iptables may be configured on the controllers after deployment.
|
Story Points: | --- |
| Clone Of: | 1274196 | Environment: | |
| Last Closed: | 2016-02-09 16:23:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1274196 | ||
| Bug Blocks: | |||
|
Comment 2
Angus Thomas
2016-02-09 16:23:19 UTC
|