author: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2016-07-12 16:17:06 +0200
committer: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2016-07-12 16:17:08 +0200
commit: 34adae647f17b22dc686417acd7539f44615837a
tree: 7e71a65e8d39e7f5b524d892248e6c448a369105
parent: d3e30dfb0671fede8ba867e6559f447e30a2eff3
iptables: Move SSH rules to post-scripts.
Previous change [1] introduced the addition of an iptables rule that was supposed to allow SSH access on all ifaces (not only admin iface) when additional ifaces are configured. However, the Fuel installer is flushing the rules after transplant adds our SSH config, overwriting it.

Move iptables SSH config to post-install section, as standalone script. In order to keep the same behavior, test ifcfg-eth0 (admin interface is expected to be called eth0 by convention) for "DEFROUTE=no" and only whitelist SSH on all ifaces if it matches.

[1] https://gerrit.opnfv.org/gerrit/#/c/16571/

Change-Id: I086b75461daa62671cad10494fe34acfd77757ae
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
-rw-r--r-- patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch | 4
-rw-r--r-- patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch | 47
2 files changed, 48 insertions, 3 deletions
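The post-install step the commit message describes, written out as an added example that is not code from the OPNFV commit or the Fuel project: the same DEFROUTE=no check on the admin ifcfg, but with the duplicate-rule cleanup driven by `iptables -C` and the rule inserted at the head of INPUT. IPTABLES, SAVE_CMD, IFCFG_ADMIN and APPLY_RULES are assumed hooks added here so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the OPNFV commit: an idempotent variant of the
# post-script's logic. IPTABLES, SAVE_CMD and IFCFG_ADMIN are assumed hooks
# so the logic can be exercised without root or a live netfilter stack.
IPTABLES="${IPTABLES:-iptables}"
SAVE_CMD="${SAVE_CMD:-service iptables save}"
IFCFG_ADMIN="${IFCFG_ADMIN:-/etc/sysconfig/network-scripts/ifcfg-eth0}"
SSH_RULE="INPUT -p tcp --dport ssh -j ACCEPT"

# True (0) when the admin ifcfg carries the DEFROUTE=no marker that the
# transplant script writes once extra interfaces have been configured.
extra_ifaces_configured() {
    grep -qx 'DEFROUTE=no' "$IFCFG_ADMIN" 2>/dev/null
}

# Leave exactly one copy of the SSH ACCEPT rule in INPUT. "iptables -C"
# reports whether a matching rule exists, so the delete loop terminates on
# its own instead of relying on $? left over from an unrelated command.
ensure_ssh_rule() {
    while "$IPTABLES" -C $SSH_RULE >/dev/null 2>&1; do
        "$IPTABLES" -D $SSH_RULE
    done
    # -I places the rule first; a rule appended with -A is unreachable when
    # the chain already ends with a reject-all rule.
    "$IPTABLES" -I $SSH_RULE
}

# Entry point: 0 when the rule was applied and saved, 1 when skipped because
# only the admin interface is configured, 2 when iptables/save failed.
configure_ssh_access() {
    if extra_ifaces_configured; then
        echo "iptables: Allow SSH connections on all interfaces"
        ensure_ssh_rule && $SAVE_CMD && return 0
        return 2
    fi
    echo "iptables: Skipping configuring SSH for non-admin ifaces"
    return 1
}

# Apply when run as a script; APPLY_RULES=0 only defines the functions.
if [ "${APPLY_RULES:-1}" = 1 ]; then
    configure_ssh_access || :
fi
```

Running it twice leaves a single SSH rule in INPUT, and the skip path is taken whenever the admin ifcfg lacks the marker line.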
diff --git a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
index 4313c5ea..1291769e 100644
--- a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
+++ b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch
@@ -45,7 +45,7 @@ index e57a4fb..9a65cf6 100644
)
ASTUTE_YAML = '/etc/fuel/astute.yaml'
-@@ -35,15 +39,47 @@ def parse_arguments():
+@@ -35,15 +39,45 @@ def parse_arguments():
check_file_exists(dea_file)
return dea_file
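Review bot: the nested hunk header's new-side count drops from 47 to 45, which matches the two `+` lines removed from the same inner hunk below; since this is a patch file that itself carries a patch, run `git apply --check` against the Fuel tree during the build to confirm the inner hunk still applies cleanly after the count change.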
@@ -88,8 +88,6 @@ index e57a4fb..9a65cf6 100644
+ exec_cmd('echo "DEFROUTE=no" >> %s' % admin_ifcfg)
+ log('At least one interface was reconfigured, restart network manager')
+ exec_cmd('systemctl restart network')
-+ log('At least one interface was reconfigured, accept SSH on all')
-+ exec_cmd('iptables -A INPUT -p tcp --dport ssh -j ACCEPT')
return astute
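Review bot: removing the ACCEPT rule here leaves `exec_cmd('echo "DEFROUTE=no" >> %s' % admin_ifcfg)` as the only signal the new post-script keys on, but nothing in the remaining transplant code records that contract; add a comment next to that line saying 10_accept_ssh_all_ifaces.sh greps ifcfg-eth0 for this exact string, so a later change to how the default route is recorded does not silently stop SSH from being allowed on the extra interfaces.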
diff --git a/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch b/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch
new file mode 100644
index 00000000..e098d47c
--- /dev/null
+++ b/patches/opnfv-fuel/0010-post-scripts-Allow-SSH-on-non-admin-ifaces.patch
@@ -0,0 +1,47 @@
+From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+Date: Tue, 12 Jul 2016 16:12:25 +0200
+Subject: [PATCH] post-scripts: Allow SSH on non-admin ifaces.
+
+By default, Fuel 9.0 configures iptables to only accept SSH connections
+on admin interface.
+
+If more than the admin interface is configured (e.g. by transplant script
+or manually in fuel menu), whitelist SSH connections on all ifaces.
+
+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+---
+ .../post-scripts/10_accept_ssh_all_ifaces.sh | 25 ++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+ create mode 100755 build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+
+diff --git a/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+new file mode 100755
+index 0000000..b551516
+--- /dev/null
++++ b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
+@@ -0,0 +1,25 @@
++#/bin/sh
++##############################################################################
++# Copyright (c) 2016 Enea AB and others.
++# Alexandru.Avadanii@enea.com
++# All rights reserved. This program and the accompanying materials
++# are made available under the terms of the Apache License, Version 2.0
++# which accompanies this distribution, and is available at
++# http://www.apache.org/licenses/LICENSE-2.0
++##############################################################################
++
++# Only mess with iptables if we have additional interfaces configured
++if grep -q "DEFROUTE=no" "/etc/sysconfig/network-scripts/ifcfg-eth0"; then
++ echo "iptables: Allow SSH connections on all interfaces"
++ # By default, Fuel 9.0 configures iptables to only accept SSH connections
++ # on admin interface. Whitelist SSH connections on all ifaces.
++ while [ $? -eq 0 ]; do
++ # First, try removing the rule we want to add to prevent duplicates
++ iptables -D INPUT -p tcp --dport ssh -j ACCEPT > /dev/null 2>&1;
++ done
++ iptables -A INPUT -p tcp --dport ssh -j ACCEPT
++ service iptables save
++ echo "iptables: Done configuring SSH"
++else
++ echo "iptables: Skipping configuring SSH for non-admin ifaces"
++fi
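Review bot: the shebang on the new script is missing its `!` (`#/bin/sh` is a plain comment), so with mode 100755 the file is interpreted by whatever the post-script runner falls back to rather than by /bin/sh as intended; change it to `#!/bin/sh`. Two smaller points in the same hunk: `while [ $? -eq 0 ]` only enters because the preceding `echo` succeeded and then relies on the `-D` inside its body setting the status for the next iteration, which works but is fragile, whereas `while iptables -C INPUT -p tcp --dport ssh -j ACCEPT >/dev/null 2>&1; do iptables -D INPUT -p tcp --dport ssh -j ACCEPT; done` states the intent directly; and because the rule is appended with `-A`, it never matches if Fuel's INPUT chain already ends in a reject-all rule, so either confirm the chain ordering on Fuel 9.0 or insert it with `-I`.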