[Rocky] Backport ssh lockdown

Bug #1826829 reported by Cédric Jeanneret
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Cédric Jeanneret

Bug Description

Hello,

We need to backport the following patches from Stein to Rocky (and, eventually, Queens):
- https://review.openstack.org/#/c/631784/
- https://review.openstack.org/#/c/582436/
- https://review.openstack.org/582437

Namely, this means:
* tripleo-heat-templates: cherry-pick -x a433e05e669a3c77445ccf7574c9ffe9d09cf5ef 2b7cb198764a23d7d2a42d93da7a0f2d133a8af3
* puppet-tripleo: cherry-pick -x 9bdb8199cc394bd6283292a6964a089f012f2ae9

This will allow us to avoid a world-open SSH service, reducing the attack surface.

Cheers,

C.
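As an added check that is not part of this bug report or of TripleO itself, the following Python audits `iptables -S INPUT` output for exactly the condition the lockdown removes: an ACCEPT for tcp/22 with no source restriction. The sample rules are constructed, shaped like the rules TripleO renders, with a made-up ctlplane subnet.

```python
import shlex

# Constructed sample of `iptables -S INPUT` output, modelled on the shape of the
# rules TripleO renders; it is not captured from a real node.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh from ctlplane subnet" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m comment --comment "100 haproxy" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
"""

# Source specs that match every address; a missing -s means the same thing.
UNRESTRICTED = {None, "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}

def parse_rule(line):
    """Reduce one `iptables -S` line to the options the audit needs."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "ports": set(), "target": None}
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-A":
            rule["chain"] = nxt
        elif t == "-p":
            rule["proto"] = nxt
        elif t == "-s":
            # "! -s X" means every source except X, so treat it as unrestricted
            rule["src"] = None if (i > 0 and toks[i - 1] == "!") else nxt
        elif t in ("--dport", "--dports"):
            rule["ports"] = set(nxt.split(","))
        elif t == "-j":
            rule["target"] = nxt
    return rule

def world_open_ssh_rules(ruleset):
    """Return the INPUT rules that ACCEPT tcp/22 from any source."""
    hits = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT"
                and r["proto"] in (None, "tcp") and "22" in r["ports"]
                and r["src"] in UNRESTRICTED):
            hits.append(line)
    return hits
```

Against SAMPLE_RULES it flags the two unrestricted port-22 rules and leaves the ctlplane-scoped one alone; on a node, pass it the output of `iptables -S INPUT` instead.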

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/656242

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/656243

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/656244

tags: added: tech-debt
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/656242
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=123535d8c92caa8be4c19aaf64eff55f8be0c50d
Submitter: Zuul
Branch: stable/rocky

commit 123535d8c92caa8be4c19aaf64eff55f8be0c50d
Author: Lars Kellogg-Stedman <email address hidden>
Date: Thu Jul 12 15:36:48 2018 -0400

    implement default ssh-from-ctlplane rule via hiera

    With the accompanying change in puppet-tripleo, this removes the
    hardcoded firewall rule allowing ssh traffic in tripleo::firewall::pre
    and replaces it with a configuration in tripleo-firewall.yaml that
    allows only ssh access from the undercloud's controlplane network
    address. This allows operators to define more granular ssh
    firewall rules via tripleo::firewall::firewall_rules.

    Change-Id: I89cff59947dda3f51482486c41a3d67c4aa36a3e
    Related-Bug: #1826829
    (cherry picked from commit a433e05e669a3c77445ccf7574c9ffe9d09cf5ef)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/656243
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=cba7c2285758a25449fe108c304aeaad9f0c4ba3
Submitter: Zuul
Branch: stable/rocky

commit cba7c2285758a25449fe108c304aeaad9f0c4ba3
Author: Emilien Macchi <email address hidden>
Date: Fri Jan 18 13:08:02 2019 +0100

    Allow ssh from all for undercloud

    I89cff59947dda3f51482486c41a3d67c4aa36a3e broke SSH access on the
    Undercloud, we shouldn't be that restrictive by default for the
    undercloud and standalone (as deployed via tripleo deploy).

    This change adds a new parameter called SshFirewallAllowAll that can be
    used to include an allow all for ssh. By default it is disabled when
    deploying the overcloud but is used by the undercloud and standalone to
    allow access after installation.

    Change-Id: Ie548f7216610e15af24c96f65a58cc8de603235c
    Co-Authored-By: Alex Schultz <email address hidden>
    Related-Bug: #1826829
    (cherry picked from commit 2b7cb198764a23d7d2a42d93da7a0f2d133a8af3)

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/656442

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/656450

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/656451

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/656442
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b81c744370a6ef0676bb63384e5b65dbed0d4834
Submitter: Zuul
Branch: stable/queens

commit b81c744370a6ef0676bb63384e5b65dbed0d4834
Author: Lars Kellogg-Stedman <email address hidden>
Date: Thu Jul 12 15:36:48 2018 -0400

    implement default ssh-from-ctlplane rule via hiera

    With the accompanying change in puppet-tripleo, this removes the
    hardcoded firewall rule allowing ssh traffic in tripleo::firewall::pre
    and replaces it with a configuration in tripleo-firewall.yaml that
    allows only ssh access from the undercloud's controlplane network
    address. This allows operators to define more granular ssh
    firewall rules via tripleo::firewall::firewall_rules.

    Change-Id: I89cff59947dda3f51482486c41a3d67c4aa36a3e
    Related-Bug: #1826829
    (cherry picked from commit a433e05e669a3c77445ccf7574c9ffe9d09cf5ef)
    (cherry picked from commit 123535d8c92caa8be4c19aaf64eff55f8be0c50d)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/rocky)

Reviewed: https://review.opendev.org/656244
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=47034b224cd532c9b1d76f0aace0bdddbce9ea87
Submitter: Zuul
Branch: stable/rocky

commit 47034b224cd532c9b1d76f0aace0bdddbce9ea87
Author: Lars Kellogg-Stedman <email address hidden>
Date: Thu Jul 12 15:22:10 2018 -0400

    remove ssh from tripleo::firewall::pre

    Including global ssh access in tripleo::firewall::pre makes it
    difficult for the operator to control ssh access to overcloud hosts.
    This removes the hardcoded rule and the accompanying change in t-h-t
    configures the default firewall rules via hiera config_settings.

    Depends-On: I89cff59947dda3f51482486c41a3d67c4aa36a3e
    Change-Id: I14b540e6564c5b7c5d54b4f1fd5368b000744135
    Related-Bug: #1826829
    (cherry picked from commit 9bdb8199cc394bd6283292a6964a089f012f2ae9)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/656450
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3c9f7577c4622e8fe353f53a7074dac1e5c14d4d
Submitter: Zuul
Branch: stable/queens

commit 3c9f7577c4622e8fe353f53a7074dac1e5c14d4d
Author: Emilien Macchi <email address hidden>
Date: Fri Jan 18 13:08:02 2019 +0100

    Allow ssh from all for undercloud

    I89cff59947dda3f51482486c41a3d67c4aa36a3e broke SSH access on the
    Undercloud, we shouldn't be that restrictive by default for the
    undercloud and standalone (as deployed via tripleo deploy).

    This change adds a new parameter called SshFirewallAllowAll that can be
    used to include an allow all for ssh. By default it is disabled when
    deploying the overcloud but is used by the undercloud and standalone to
    allow access after installation.

    Change-Id: Ie548f7216610e15af24c96f65a58cc8de603235c
    Co-Authored-By: Alex Schultz <email address hidden>
    Related-Bug: #1826829
    (cherry picked from commit 2b7cb198764a23d7d2a42d93da7a0f2d133a8af3)
    (cherry picked from commit cba7c2285758a25449fe108c304aeaad9f0c4ba3)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.opendev.org/656451
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d8b0dc73e2014d29908b5cc0406d5a1ffdc6b64d
Submitter: Zuul
Branch: stable/queens

commit d8b0dc73e2014d29908b5cc0406d5a1ffdc6b64d
Author: Lars Kellogg-Stedman <email address hidden>
Date: Thu Jul 12 15:22:10 2018 -0400

    remove ssh from tripleo::firewall::pre

    Including global ssh access in tripleo::firewall::pre makes it
    difficult for the operator to control ssh access to overcloud hosts.
    This removes the hardcoded rule and the accompanying change in t-h-t
    configures the default firewall rules via hiera config_settings.

    Depends-On: I89cff59947dda3f51482486c41a3d67c4aa36a3e
    Change-Id: I14b540e6564c5b7c5d54b4f1fd5368b000744135
    Related-Bug: #1826829
    (cherry picked from commit 9bdb8199cc394bd6283292a6964a089f012f2ae9)

Changed in tripleo:
status: Triaged → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to instack-undercloud (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/657334

OpenStack Infra (hudson-openstack) wrote : Related fix merged to instack-undercloud (stable/queens)

Reviewed: https://review.opendev.org/657334
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=3d8563887a2b5dd2b5e2c8705a1531888cc4af35
Submitter: Zuul
Branch: stable/queens

commit 3d8563887a2b5dd2b5e2c8705a1531888cc4af35
Author: Emilien Macchi <email address hidden>
Date: Mon May 6 09:57:43 2019 +0200

    [queens] re-add ssh firewall rule

    When the undercloud isn't containerized,
    I89cff59947dda3f51482486c41a3d67c4aa36a3e isn't enough and we need to
    add the rule in instack-undercloud.

    It was removed in pre-rules: I14b540e6564c5b7c5d54b4f1fd5368b000744135
    to allow more granularity for the operators.
    Let's keep the functionality but still allow ssh by default.

    Change-Id: I3a5c1f558ba3ae639857f1a0596a6243a91d49e6
    Related-Bug: #1826829

wes hayutin (weshayutin)
Changed in tripleo:
status: Fix Committed → Fix Released