Restrict nova migration ssh tunnel

Specify the allowed networks for migration ssh tunneling.

bp tripleo-cold-migration

Change-Id: Iab022bdfb655e3c52fecebf416e75c9e981072ab
Depends-on: Idb56acd1e1ecb5a5fd4d942969be428cc9cbe293

diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml
index 7fb9420..26ff3e0 100644 (file)
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@@ -54,6 +54,7 @@ parameters:
       HeatApiCfnNetwork: internal_api
       HeatApiCloudwatchNetwork: internal_api
       NovaApiNetwork: internal_api
+      NovaColdMigrationNetwork: ctlplane
       NovaPlacementNetwork: internal_api
       NovaMetadataNetwork: internal_api
       NovaVncProxyNetwork: internal_api

diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml
index b171143..d608dc2 100644 (file)
--- a/puppet/services/nova-compute.yaml
+++ b/puppet/services/nova-compute.yaml
@@ -119,6 +119,11 @@ outputs:
             nova::compute::libvirt::migration_support: false
             tripleo::profile::base::nova::manage_migration: true
             tripleo::profile::base::nova::migration_ssh_key: {get_param: MigrationSshKey}
+            tripleo::profile::base::nova::migration_ssh_localaddrs:
+              - "%{hiera('cold_migration_ssh_inbound_addr')}"
+              - "%{hiera('live_migration_ssh_inbound_addr')}"
+            live_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+            cold_migration_ssh_inbound_addr: {get_param: [ServiceNetMap, NovaColdMigrationNetwork]}
             tripleo::profile::base::nova::nova_compute_enabled: true
             nova::compute::rbd::libvirt_images_rbd_pool: {get_param: NovaRbdPoolName}
             nova::compute::rbd::libvirt_rbd_user: {get_param: CephClientUserName}