tripleo

SshFirewallAllowAll not taken into account anymore?

Bug #1859475 reported by Cédric Jeanneret on 2020-01-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Invalid	High	Unassigned	tripleo ussuri-3 "tripleo ussuri-3"

Bug Description

Hello there,

Apparently, the move to the new firewall management thing (pure ansible) doesn't take into account the "SshFirewallAllowAll" param.
This param should inject an ip(6)tables rule opening Ssh service to the world.

As we can see here, it's set to "true" by default in t-h-t:
environments/standalone/standalone-tripleo.yaml: SshFirewallAllowAll: True
environments/undercloud.yaml: SshFirewallAllowAll: true

I need to investigate a bit more, but I'd say it's a regression.

Stay tuned!

Tags:

Revision history for this message

Rabi Mishra (rabi) wrote on 2020-01-13:

From heat parameter point of view true/True both should work.

https://github.com/openstack/heat/blob/master/heat/engine/parameters.py#L347

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2020-01-13:

After some discussions, it's indeed OK - but "master" didn't get promotion in a while, meaning the following patch isn't available in "tripleo-current": https://review.opendev.org/#/c/700829/2/deployment/sshd/sshd-baremetal-puppet.yaml

Hence, if using "master", use tripleo-current-dev for now (matches CI anyway).

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2020-01-13:

Already sorted out.

Changed in tripleo:
status:	Triaged → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.