Bug #31993 (open)
Add missing ports for OpenStack
Description
Foreman can connect to OpenStack, however the API is fairly complicated with lots of endpoints and introspection. We have been adding ports on a "when it fails" basis but to improve experience, I would like to propose adding rules for all ports which are documented as a public API in OpenStack: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/firewall_rules_for_red_hat_openstack_platform/firewall_rules_for_red_hat_openstack_platform
% grep "ublic API" ref_source-NetworkFlowMatrix.csv
aodh_api,TCP,13042,"AODH Alarming Configuration Public API.llow
barbican_api,TCP,13311,"Barbican Public API (TLS).
ceph_rgw,TCP,13808,"Ceph RadosGW public API (TLS) S3/Swift.
cinder,TCP,13776,"Cinder public API (TLS).
ec2_api,TCP,13788,"EC2 Public API (TLS).
glance,TCP,13292,"Glance Public API (TLS).
gnocchi,TCP,13041,"Gnocchi Public API (TLS).
Heat Public API,TCP,13004,"Heat Public API Endpoint (Public TLS).
ironic,TCP,13385,"Ironic public API (TLS).
ironic_inspector,TCP,13050,"Ironic inspector public API (TLS).
keystone,TCP,13000,"Keystone public API (TLS).
manila,TCP,13786,"Manila Public API (TLS).
mistral_api,TCP,13989,"Mistral API Public API (TLS).
neutron,TCP,13696,"Neutron Public API (TLS).
nova,TCP,13774,"Nova public API (TLS).
nova_vnc_proxy,TCP,13080,"Nova VNC Proxy public API (TLS).
nova_placement,TCP,13778,"Nova placement public API (TLS).
octavia_api,TCP,13876,"Octavia public API (TLS).
panko_api,TCP,13977,"Panko public API (TLS).
sahara,TCP,13386,"Sahara public API (TLS).
zaqar,TCP,13888,"Zaqar public API (TLS).
zaqar websockets,TCP,9000,"Zaqar websockets public API (TLS).
These ports are likely exported in the OpenStack SELinux policy; however, this is not available on the Foreman server: OpenStack is usually installed on a remote machine, and the policy might not even be available (e.g. for RHOS a subscription must be purchased in order to enable the repository). Therefore we need to define our own type (foreman_openstack_port_t) and assign all those ports to it.
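The following is an added example, not code from this issue or from foreman-selinux. It takes rows in the layout of the Red Hat network-flow matrix quoted above, keeps the public-API rows, and produces the two artefacts the proposal needs: a refpolicy .te fragment declaring foreman_openstack_port_t (with an allow rule for a Foreman domain assumed here to be named foreman_rails_t), and the semanage port commands that assign each port to that type. Port labels cannot be declared inside a loadable policy module, which is why the assignment goes through semanage. The CSV rows and the semanage port -l excerpt are constructed; the mapping of tcp/9000 to http_port_t mirrors recent Fedora/RHEL policies and is included to show the "already defined" case, where semanage port -a fails and -m is required.

```python
"""Added example (not foreman-selinux code): derive the SELinux port labelling
for the OpenStack public APIs from a network-flow matrix in CSV form.

Emits a refpolicy .te fragment declaring foreman_openstack_port_t and the
`semanage port` commands that put each public-API port into that type. A port
already labelled with another (non catch-all) type must be modified with -m,
because `semanage port -a` refuses it with "already defined".
"""
import csv
import io
import re

PORT_TYPE = "foreman_openstack_port_t"
FOREMAN_DOMAIN = "foreman_rails_t"  # assumption: Foreman's Rails domain name

# Constructed input in the layout service,protocol,port,description. Internal
# rows and a duplicate are included so the filter and de-duplication are used.
MATRIX_CSV = """\
service,protocol,port,description
keystone,TCP,13000,"Keystone public API (TLS)."
nova,TCP,13774,"Nova public API (TLS)."
nova_api,TCP,8774,"Nova internal API endpoint (admin network only)."
neutron,TCP,13696,"Neutron Public API (TLS)."
zaqar websockets,TCP,9000,"Zaqar websockets public API (TLS)."
rabbitmq,TCP,5672,"RabbitMQ messaging (internal)."
keystone,TCP,13000,"Keystone public API (TLS)."
"""

# Constructed `semanage port -l` excerpt; tcp/9000 in http_port_t is the
# "already defined" case.
SEMANAGE_LIST = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767
"""

# Catch-all ranges that `semanage port -a` overrides without complaint.
CATCH_ALL = {"unreserved_port_t", "reserved_port_t",
             "hi_reserved_port_t", "ephemeral_port_t"}
PUBLIC_API = re.compile(r"public api", re.IGNORECASE)


def public_api_ports(csv_text):
    """Sorted, de-duplicated (protocol, port) pairs for the public-API rows."""
    ports = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not PUBLIC_API.search(row["description"]):
            continue
        proto = row["protocol"].strip().lower()
        port = int(row["port"])
        if proto not in ("tcp", "udp") or not 1 <= port <= 65535:
            raise ValueError(f"unusable row: {row}")
        ports.add((proto, port))
    return sorted(ports)


def te_fragment(domain=FOREMAN_DOMAIN):
    """Refpolicy fragment: declare the port type and let the domain connect."""
    return "\n".join([
        f"type {PORT_TYPE};",
        f"corenet_port({PORT_TYPE})",
        f"allow {domain} {PORT_TYPE}:tcp_socket name_connect;",
    ])


def parse_semanage_list(text):
    """Parse `semanage port -l` output into [(proto, low, high, type)]."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].endswith("_t"):
            continue  # header or blank line
        ptype, proto, plist = parts
        for item in plist.split(","):
            lo, _, hi = item.strip().partition("-")
            entries.append((proto, int(lo), int(hi or lo), ptype))
    return entries


def current_type(entries, proto, port):
    """Type currently owning proto/port, ignoring catch-all ranges."""
    for eproto, lo, hi, ptype in entries:
        if eproto == proto and lo <= port <= hi and ptype not in CATCH_ALL:
            return ptype
    return None


def semanage_commands(ports, entries=()):
    """One `semanage port` line per port; -m where another type owns it."""
    cmds = []
    for proto, port in ports:
        owner = current_type(entries, proto, port)
        if owner == PORT_TYPE:
            continue  # already labelled, nothing to do
        flag = "-m" if owner else "-a"
        cmds.append(f"semanage port {flag} -t {PORT_TYPE} -p {proto} {port}")
    return cmds


if __name__ == "__main__":
    print(te_fragment())
    entries = parse_semanage_list(SEMANAGE_LIST)
    print("\n".join(semanage_commands(public_api_ports(MATRIX_CSV), entries)))
```

The -m path deserves attention before it is scripted: modifying a port's label changes it for every domain on the host, so a port that already belongs to another type (tcp/9000 in the constructed data) is a decision, not just a retry. That is also the argument for a dedicated foreman_openstack_port_t rather than widening an existing type.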
Updated by The Foreman Bot about 3 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-selinux/pull/123 added