From 8010c3b4bf4035dd167bca8656ad36f202e6ec6f Mon Sep 17 00:00:00 2001 From: Alexandru Avadanii Date: Thu, 7 Jul 2016 19:24:53 +0200 Subject: [PATCH] transplant.py: Allow SSH on all interfaces. Previously (in Fuel 8.0), SSH used to listen only on 10.20.0.2 (admin interface), which required editing sshd_config and restarting SSH server for allowing SSH connections over the public IP on eth1 (just an example, which corresponds to Armband PODs use cases). In Fuel 9.0, SSH server on Fuel Master listens on all ifaces, but connections are filtered by iptables. This change piggy-backs on a previous Armband addition that allows transplant.py script to configure additional interfaces (e.g. public). In case additional interfaces have been configured by transplant, this change will instruct iptables to accept SSH connections on ANY interface, not only the admin one. Possible improvements: - limit SSH access to admin + interfaces added by transplant instead of ANY; Change-Id: I0923496e1b23f6dc826c8afbbe9805956c2d4b34 Signed-off-by: Alexandru Avadanii --- .../0005-transplant-Generate-extra-interfaces-config-file.patch | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch index 2c8587a5..4313c5ea 100644 --- a/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch +++ b/patches/opnfv-fuel/0005-transplant-Generate-extra-interfaces-config-file.patch @@ -1,4 +1,3 @@ -From 7dad9f8350e8563942f4e9ffae595bbfe44e606d Mon Sep 17 00:00:00 2001 From: Josep Puigdemont Date: Wed, 4 May 2016 17:58:56 +0200 Subject: [PATCH] transplant: Generate extra interfaces config file @@ -46,7 +45,7 @@ index e57a4fb..9a65cf6 100644 ) ASTUTE_YAML = '/etc/fuel/astute.yaml' -@@ -35,15 +39,45 @@ def parse_arguments(): +@@ -35,15 +39,47 @@ def parse_arguments(): check_file_exists(dea_file) return dea_file 
@@ -89,6 +88,8 @@ index e57a4fb..9a65cf6 100644 + exec_cmd('echo "DEFROUTE=no" >> %s' % admin_ifcfg) + log('At least one interface was reconfigured, restart network manager') + exec_cmd('systemctl restart network') ++ log('At least one interface was reconfigured, accept SSH on all') ++ exec_cmd('iptables -A INPUT -p tcp --dport ssh -j ACCEPT') return astute @@ -107,6 +108,3 @@ index e57a4fb..9a65cf6 100644 if __name__ == '__main__': --- -2.5.5 - -- 2.16.6
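Review bot: The added `exec_cmd('iptables -A INPUT -p tcp --dport ssh -j ACCEPT')` opens port 22 with no `-i` or `-s` match, so once any extra interface is configured the Fuel Master's sshd is reachable from every attached network, including the public one, with sshd's own authentication as the only remaining control. Emitting one rule per interface that transplant actually configured, e.g. `iptables -I INPUT -i <iface> -p tcp --dport ssh -j ACCEPT` (where `<iface>` is a placeholder for the interface name handled outside this hunk), would keep the admin-only filtering for everything else. `-A` also appends after the existing rules, so if the stock INPUT chain ends in a catch-all REJECT/DROP (not visible here) the new rule would never match, and every re-run adds a duplicate; a guarded form such as `iptables -C INPUT ... || iptables -I INPUT ...` avoids both. As far as the hunk shows the rule is not saved, so it is probably lost on reboot or firewall reload, and it is worth a comment stating whether that is intended. The enclosing function begins outside the hunk.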