Firewall config #1016
I've done a quick first pass. I think we need to consider whether these things are set by default or need to be opted into (like the LVM config). In the latter case we might provide some variables that can be referenced to enable the firewall config.
My opinion would be that we could disable it for Antelope and enable it for Caracal. I'll look into making a single bool to enable/disable all the rules at once.
reno pls :)
etc/kayobe/environments/ci-multinode/kolla/inventory/group_vars/all
When testing this in one deployment we saw an issue where seed/infra VM networking was blocked by the seed hypervisor firewall. We worked around it like this:
seed_hypervisor_sysctl_parameters:
  # By default this is 1, which causes layer 2 traffic flowing through Linux
  # bridges to pass through iptables. This blocks traffic from VMs (seed, wazuh) to
  # the Internet.
  net.bridge.bridge-nf-call-iptables: 0
This should be documented.
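The symptom above (bridged VM traffic handed to iptables by br_netfilter and dropped by the hypervisor firewall) is easy to misdiagnose, so here is an added diagnostic script, not part of this PR or of kayobe. It assumes the function names `bridge_nf_state` and `check_seed_hypervisor` and the optional root-directory arguments, which exist only so the check can be run against a constructed fixture; on a real seed hypervisor call it with no arguments.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper names, not kayobe's own code).
# Reports whether bridged traffic on this host will traverse iptables and,
# if so, prints the kayobe override discussed in the PR.

# Print "0" or "1" for net.bridge.bridge-nf-call-iptables under the given
# proc root (default /proc), or "absent" when br_netfilter is not loaded,
# in which case the sysctl file does not exist and bridges bypass iptables.
bridge_nf_state() {
    root="${1:-/proc}"
    f="$root/sys/net/bridge/bridge-nf-call-iptables"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# Return 0 when the problematic combination is present: bridge-nf-call-iptables
# is 1 AND at least one Linux bridge exists (e.g. the seed VM's bridge).
# Prints the sysctl stanza to add to the kayobe config in that case.
# Arguments: proc root (default /proc), sys root (default /sys).
check_seed_hypervisor() {
    root="${1:-/proc}"
    sysroot="${2:-/sys}"
    state=$(bridge_nf_state "$root")
    # Each bridge interface has a "bridge" directory under /sys/class/net/<if>/
    bridges=$(ls -d "$sysroot"/class/net/*/bridge 2>/dev/null | wc -l | tr -d ' ')
    if [ "$state" = "1" ] && [ "$bridges" -gt 0 ]; then
        cat <<'EOF'
seed_hypervisor_sysctl_parameters:
  # Bridged layer 2 traffic currently passes through iptables; traffic from
  # VMs (seed, wazuh) may be dropped by the hypervisor firewall.
  net.bridge.bridge-nf-call-iptables: 0
EOF
        return 0
    fi
    return 1
}
```

Exit status 0 means the override is needed; 1 means either br_netfilter is not filtering bridges or no bridge exists, so the firewall is not the cause of blocked VM traffic.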
Co-authored-by: Jack Hodgkiss <[email protected]>
Debug only when firewalld is enabled
We are missing the firewall-cmd executable
This worked pretty nicely for me. I like the way that the rules take into account multiple group membership - really nice job. Let's get this in before it gets stale. It's disabled by default and we can iterate on it once it is.
I've made a jira to fix the OVS AIO: INFRA-818
Testing changes in CI because my AIO died.