| Summary: | Add note about firewall not being set up by Director in "Director Installation" guide | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Nathan Kinder <nkinder> |
| Component: | documentation | Assignee: | Dan Macpherson <dmacpher> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | RHOS Documentation Team <rhos-docs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 10.0 (Newton) | CC: | dcadzow, dmacpher, nkinder, srevivo |
| Target Milestone: | --- | Keywords: | Documentation |
| Target Release: | 10.0 (Newton) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-08-06 05:09:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Just a consideration here: instead of a documentation fix, would it be worth filing an engineering bug for the Undercloud install config to add that firewall rule automatically?

Hi Nathan,

Checking my backlog and found this BZ. I checked the overcloud firewall and it seems more restrictive. In /etc/sysconfig/iptables, all firewall rules for OSP services are listed and at the end is the following rule:

```
-A INPUT -m state --state NEW -m comment --comment "999 drop all ipv4" -j DROP
```

This should drop any incoming packets that do not satisfy the previous rules. Just want to check with you, do we still need a note about the firewall?

No response for several months on this BZ. Closing it down.

The RH-OSP "Director Installation and Usage" guide has an "Important" section that mentions that ports should be restricted to a minimum in the "Networking Requirements" section. While this is correct, it is probably worth making it very clear that Director does not configure the firewall in a restrictive manner in this same section. There are more details available in the following comment of the bug that we plan to use for hardening Director in a future RH-OSP release: https://bugzilla.redhat.com/show_bug.cgi?id=1227760#c4
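
As an added example (not part of this bug report and not Director's own code), the following Python check reads an iptables-save style file such as /etc/sysconfig/iptables and reports whether the INPUT chain ends in a drop rule like the one quoted in the comments. The sample ruleset, the function name `audit_input_chain` and the `NARROWING` option list are assumptions for illustration; only the final `-A INPUT` rule comes from this page.

```python
import shlex

# Constructed sample in iptables-save format. Only the last -A line is the rule
# quoted in the comments; the policy lines and the other rules are assumptions.
SAMPLE = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -m comment --comment "999 drop all ipv4" -j DROP
COMMIT
'''

# Options that restrict a rule to some addresses, protocols, interfaces or ports.
NARROWING = {"-s", "--source", "-d", "--destination", "-p", "--protocol", "-i",
             "--in-interface", "--dport", "--dports", "--sport", "--sports", "!"}


def audit_input_chain(text):
    """Summarise how the filter table's INPUT chain treats unmatched packets."""
    policy, rules, in_filter = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]             # chain policy: ACCEPT or DROP
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(shlex.split(line))      # shlex keeps quoted comments whole
    last = rules[-1] if rules else []
    target = last[last.index("-j") + 1] if "-j" in last else None
    # The last rule counts as a terminal drop only if nothing narrows its match.
    terminal_drop = target in ("DROP", "REJECT") and not NARROWING & set(last)
    # A drop limited by connection state leaves other states to the chain policy.
    state_limited = terminal_drop and bool({"--state", "--ctstate"} & set(last))
    return {"policy": policy, "rule_count": len(rules),
            "terminal_drop": terminal_drop, "state_limited": state_limited}


if __name__ == "__main__":
    print(audit_input_chain(SAMPLE))
```

A terminal drop that is limited with `--state NEW` only covers new connections, so the chain policy is reported next to it and should be read together with the result.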