Bug #31993

Add missing ports for OpenStack

Added by Lukas Zapletal about 2 months ago. Updated about 2 months ago.

Status: Ready For Testing
Priority: Normal
Category: Compute resources
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Foreman can connect to OpenStack; however, the API is fairly complicated, with lots of endpoints and introspection. We have been adding ports on a "when it fails" basis, but to improve the experience I would like to propose adding rules for all ports which are documented as a public API in OpenStack: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.1/html/firewall_rules_for_red_hat_openstack_platform/firewall_rules_for_red_hat_openstack_platform

% grep "ublic API" ref_source-NetworkFlowMatrix.csv
aodh_api,TCP,13042,"AODH Alarming Configuration Public API.llow
barbican_api,TCP,13311,"Barbican Public API (TLS).
ceph_rgw,TCP,13808,"Ceph RadosGW public API (TLS) S3/Swift.
cinder,TCP,13776,"Cinder public API (TLS).
ec2_api,TCP,13788,"EC2 Public API (TLS).
glance,TCP,13292,"Glance Public API (TLS).
gnocchi,TCP,13041,"Gnocchi Public API (TLS).
Heat Public API,TCP,13004,"Heat Public API Endpoint (Public TLS).
ironic,TCP,13385,"Ironic public API (TLS).
ironic_inspector,TCP,13050,"Ironic inspector public API (TLS).
keystone,TCP,13000,"Keystone public API (TLS).
manila,TCP,13786,"Manila Public API (TLS).
mistral_api,TCP,13989,"Mistral API Public API (TLS).
neutron,TCP,13696,"Neutron Public API (TLS).
nova,TCP,13774,"Nova public API (TLS).
nova_vnc_proxy,TCP,13080,"Nova VNC Proxy public API (TLS).
nova_placement,TCP,13778,"Nova placement public API (TLS).
octavia_api,TCP,13876,"Octavia public API (TLS).
panko_api,TCP,13977,"Panko public API (TLS).
sahara,TCP,13386,"Sahara public API (TLS).
zaqar,TCP,13888,"Zaqar public API (TLS).
zaqar websockets,TCP,9000,"Zaqar websockets public API (TLS).

These ports are likely exported in the OpenStack SELinux policy; however, this is not available on the Foreman server. OpenStack is usually installed on a remote machine and the policy might not even be available (e.g. for RHOS a subscription must be purchased in order to enable the repository). Therefore we need to define our own type (foreman_openstack_port_t) and assign all those ports to it.
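One way to turn rows like those in the grep output above into port labelling commands, as an added example that is not part of the issue or of the foreman-selinux pull request. It assumes `foreman_openstack_port_t` is already declared by a loaded policy module; the function names, the sample rows and the sample `semanage port -l` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not foreman-selinux code. Assumes foreman_openstack_port_t is
# already declared by a loaded policy module (type name taken from the issue).
PORT_TYPE=foreman_openstack_port_t

# Constructed rows in the shape of the grep output quoted in the issue.
sample_rows() {
cat <<'EOF'
keystone,TCP,13000,"Keystone public API (TLS).
nova,TCP,13774,"Nova public API (TLS).
Heat Public API,TCP,13004,"Heat Public API Endpoint (Public TLS).
zaqar websockets,TCP,9000,"Zaqar websockets public API (TLS).
bogus,TCP,99999,"Out-of-range port, must be rejected.
EOF
}

# Constructed sample of `semanage port -l` output from the target host.
sample_existing() {
cat <<'EOF'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
EOF
}

# gen_rules EXISTING_FILE < rows: print one semanage command per valid row.
# Ports already labelled get -m (modify), because -a fails on a defined port.
# Port ranges (e.g. 5900-5983) in the listing are not expanded here.
gen_rules() {
  awk -F, -v type="$PORT_TYPE" -v existing="$1" '
    BEGIN {
      while ((getline line < existing) > 0) {
        n = split(line, f, /[ \t,]+/)
        for (i = 3; i <= n; i++) if (f[i] != "") seen[f[2] "/" f[i]] = f[1]
      }
    }
    {
      proto = tolower($2); port = $3
      if (proto !~ /^(tcp|udp)$/ || port !~ /^[0-9]+$/ || port+0 < 1 || port+0 > 65535) {
        printf "# skipped: %s\n", $1; next
      }
      key = proto "/" port
      if (key in emitted) next      # same port listed twice
      emitted[key] = 1
      if (key in seen) printf "semanage port -m -t %s -p %s %s  # was %s\n", type, proto, port, seen[key]
      else printf "semanage port -a -t %s -p %s %s\n", type, proto, port
    }'
}

# Demo on the constructed samples.
t=$(mktemp); sample_existing > "$t"; sample_rows | gen_rules "$t"; rm -f "$t"
```

A `-m` line moves the port to the new type in the local customisations, so review each one before applying it on a host where the previous label is still in use.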

History

#1 Updated by The Foreman Bot about 2 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/123 added
