Bug 1614587

Summary: [RFE] TripleO should report on firewall rules needed per role
Product: Red Hat OpenStack
Reporter: Dan Sneddon <dsneddon>
Component: openstack-tripleo
Assignee: OSP Team <rhos-maint>
Status: CLOSED WONTFIX
QA Contact: Nobody <nobody>
Severity: low
Docs Contact:
Priority: unspecified
Version: 14.0 (Rocky)
CC: ekuris, mbarnett, mburns
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-07-22 18:07:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dan Sneddon 2018-08-10 00:56:41 UTC
Description of problem:
TripleO service definitions include the ports used by the service, and this information is used to configure iptables on the host running the service. Some operators want to enhance this security with hardware firewalls. Unfortunately, it isn't clear to operators what rules need to be configured on hardware firewalls or router ACLs.

Version-Release number of selected component (if applicable):
Rocky and all previous versions


Actual results:
Since we already have the firewall ports used by each service in the service definition, we have the information about which ports are needed for a particular service. TripleO should publish or report, on a per-node or per-role basis, what ports need to be open for each composable role. This would be used to report which ports need to be opened when using a hardware firewall or router ACL to further secure the environment.

Expected results:
It would be ideal if we could publish this data in a machine-readable format such as JSON. This would allow some automation to be inserted so that hardware firewalls could be automatically configured based on which services are used on which nodes. This would also make it clear what changes were required on hardware firewalls during upgrades.

Each service contains firewall rules in a unique key, for instance:

          tripleo.nova_api.firewall_rules:
            '113 nova_api':
              dport:
                - 8774
                - 13774
                - 8775

This data can be extracted from the TripleO service files using grep:

find -L /usr/share/openstack-tripleo-heat-templates/ -type f | while read -r f; do if grep -q firewall_rules "$f"; then echo -e "\n $f "; grep -A10 firewall_rules "$f"; fi; done

Additional info:
So what is needed is a way to compile all the applicable tripleo.*.firewall_rules parameters used on a role, and publish this in a report or file. This should include any custom rules that are added manually to the role by the installer. Since this is being done per-role, the first step should be to look at roles_data.yaml and identify which services are used in a role, then extract the destination ports from each service. A JSON or YAML report should be output, so that automation can be used to configure firewall rules based on services used in a role.
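As an added illustration (not code from this bug report or from TripleO itself), the per-role aggregation described above in Python: it walks a constructed roles_data.yaml-style role list, collects every tripleo.*.firewall_rules key from a constructed stand-in for each service's config_settings plus per-role custom rules, and emits a JSON report keyed by role and protocol. The role list, the service-to-rules mapping and the sample rules are all assumptions; in a deployment they would be loaded from roles_data.yaml and the rendered service templates.

```python
import json
from collections import defaultdict

# Constructed roles_data.yaml-style input (assumption: role name + ServicesDefault list).
ROLES_DATA = [
    {"name": "Controller", "ServicesDefault": [
        "OS::TripleO::Services::NovaApi", "OS::TripleO::Services::HAproxy"]},
    {"name": "Compute", "ServicesDefault": ["OS::TripleO::Services::NovaCompute"]},
]
# Constructed stand-in for each service's config_settings (real values live in the
# service templates): dport is an int, list or range string; proto defaults to tcp.
SERVICE_CONFIG = {
    "OS::TripleO::Services::NovaApi": {"tripleo.nova_api.firewall_rules": {
        "113 nova_api": {"dport": [8774, 13774, 8775]}}},
    "OS::TripleO::Services::HAproxy": {"tripleo.haproxy.firewall_rules": {
        "107 haproxy stats": {"dport": 1993},
        "108 haproxy ping": {"proto": "icmp"}}},      # no dport: nothing to open
    "OS::TripleO::Services::NovaCompute": {"tripleo.nova_compute.firewall_rules": {
        "118 libvirt": {"dport": [16509, "49152-49215"]}}},
}
# Constructed custom rule an installer added to one role by hand.
EXTRA_RULES = {"Compute": {"900 vxlan": {"proto": "udp", "dport": 4789}}}

def firewall_rules(config_settings):
    """Yield (rule name, rule) for every tripleo.<service>.firewall_rules key."""
    for key, rules in config_settings.items():
        if key.startswith("tripleo.") and key.endswith(".firewall_rules"):
            yield from rules.items()

def role_port_report(roles_data, service_config, extra_rules=None):
    """Return {role: {proto: [ports]}} aggregated over each role's services."""
    report = {}
    for role in roles_data:
        rules = [r for svc in role["ServicesDefault"]
                 for r in firewall_rules(service_config.get(svc, {}))]
        rules += list((extra_rules or {}).get(role["name"], {}).items())
        ports = defaultdict(set)
        for _name, rule in rules:
            dport = rule.get("dport", [])  # absent for e.g. ICMP rules: opens no port
            for p in (dport if isinstance(dport, list) else [dport]):
                ports[rule.get("proto", "tcp")].add(str(p))
        # sort numerically by a range's first port; ranges are kept verbatim
        report[role["name"]] = {proto: sorted(ps, key=lambda s: int(s.split("-")[0]))
                                for proto, ps in sorted(ports.items())}
    return report

def report_json(roles_data, service_config, extra_rules=None):
    """Machine-readable form of the report, as the RFE asks for."""
    return json.dumps(role_port_report(roles_data, service_config, extra_rules), indent=2)
```

Feeding a hardware firewall or router ACL from this output is then a matter of diffing the report between deployments, which also exposes which ports change across an upgrade.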

Comment 1 Dan Sneddon 2018-08-10 00:57:42 UTC
See this blueprint for more information:

https://blueprints.launchpad.net/tripleo/+spec/tripleo-firewall-rule-reporting

Comment 4 Dan Sneddon 2023-07-22 18:07:59 UTC
This bug is obsolete now that TripleO is being replaced. Perhaps the same concept could be applied to EDPM but that should be in a new RFE BZ.