From 3d8af2fcf8e2d41600fa10584120a8117e7ef40c Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Wed, 19 Apr 2017 14:51:02 +0100
Subject: Restrict nova migration ssh tunnel Specify the allowed networks for migration ssh tunneling. bp tripleo-cold-migration
Change-Id: Iab022bdfb655e3c52fecebf416e75c9e981072ab
Depends-on: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293
---
 network/service_net_map.j2.yaml | 1 +
 puppet/services/nova-compute.yaml | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 7fb9420c..26ff3e0a 100644
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -54,6 +54,7 @@ parameters:
 HeatApiCfnNetwork: internal_api
 HeatApiCloudwatchNetwork: internal_api
 NovaApiNetwork: internal_api
+ NovaColdMigrationNetwork: ctlplane
 NovaPlacementNetwork: internal_api
 NovaMetadataNetwork: internal_api
 NovaVncProxyNetwork: internal_api
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index b1711436..d608dc28 100644
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -119,6 +119,11 @@ outputs:
 nova::compute::libvirt::migration_support: false
 tripleo::profile::base::nova::manage_migration: true
 tripleo::profile::base::nova::migration_ssh_key: {get_param: MigrationSshKey}
+ tripleo::profile::base::nova::migration_ssh_localaddrs:
+ - "%{hiera('cold_migration_ssh_inbound_addr')}"
+ - "%{hiera('live_migration_ssh_inbound_addr')}"
+ live_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ cold_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaColdMigrationNetwork]}
 tripleo::profile::base::nova::nova_compute_enabled: true
 nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName}
 nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}
-- cgit 1.2.3-korg
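Review bot: In network/service_net_map.j2.yaml, `NovaColdMigrationNetwork: ctlplane` is the only default in this visible run that is not `internal_api`, and nothing beside it says why or what the value controls. The nova-compute.yaml hunk of the same commit feeds it into `cold_migration_ssh_inbound_addr`, so this default decides on which network a compute node accepts ssh for cold migration. I would add a comment above the line, for example `# Network on which compute nodes accept ssh for cold migration; override if ctlplane is shared with hosts that should not reach it`. The parameters map continues outside the hunk.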
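Review bot: In puppet/services/nova-compute.yaml, the helper keys `live_migration_ssh_inbound_addr` and `cold_migration_ssh_inbound_addr` are un-namespaced and undocumented in a map whose other visible keys are all class parameters, and the allow-list is built by string interpolation of them. If either lookup resolved to nothing the entry would presumably be an empty string, and whether the profile then refuses to apply or silently drops the restriction is not visible here (it lives in the Depends-on change), so the fail-closed behaviour is worth confirming. When both networks map to the same address the list would also carry a duplicate entry. A comment above the list would help: `# Local addresses on which migration ssh is accepted; resolved from the two *_ssh_inbound_addr keys below`. The enclosing map starts and ends outside the hunk.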