Restrict SSH according the security settings

* Bind SSH service on the all interfaces by default * Restrict SSH access only on ssh_network from the fuelmenu Change-Id: I3c5f7e931669d9d28f59d9f64b4d407b2f37215e Depends-on: I2d1149a7596d596f581b7628de7089ac375772f6 Depends-on: I6518923c089a0f602566394bc4502a57c4306eb7 Depends-on: I9609003d892875b0bbe00d24fe8365edb1f3c57e Closes-Bug: #1557190
2016-03-16 01:50:43 +03:00 · 2016-03-16 01:50:43 +03:00 · 583bf0bf6e
parent 0a7b366c92
commit 583bf0bf6e
3 changed files with 9 additions and 5 deletions
--- a/deployment/puppet/fuel/examples/host.pp
+++ b/deployment/puppet/fuel/examples/host.pp
@ -127,13 +127,14 @@ class { 'osnailyfacter::atop': }

 class { 'osnailyfacter::ssh':
  password_auth  => 'yes',
-  listen_address => [$::fuel_settings['ADMIN_NETWORK']['ipaddress']],
+  listen_address => ['0.0.0.0'],
 }

 class { 'fuel::iptables':
-  admin_iface => $::fuel_settings['ADMIN_NETWORK']['interface'],
+  admin_iface     => $::fuel_settings['ADMIN_NETWORK']['interface'],
+  ssh_network     => $::fuel_settings['ADMIN_NETWORK']['ssh_network'],
  network_address => ipcalc_network_by_address_netmask($::fuel_settings['ADMIN_NETWORK']['ipaddress'],$::fuel_settings['ADMIN_NETWORK']['netmask']),
-  network_cidr => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
+  network_cidr    => ipcalc_network_cidr_by_netmask($::fuel_settings['ADMIN_NETWORK']['netmask']),
 }

 # FIXME(kozhukalov): this should be a part of repo management tool
--- a/deployment/puppet/fuel/manifests/iptables.pp
+++ b/deployment/puppet/fuel/manifests/iptables.pp
@ -4,6 +4,7 @@ class fuel::iptables (

  $admin_iface           = $::fuel::params::admin_interface,
  $ssh_port              = '22',
+  $ssh_network           = '0.0.0.0/0',
  $nailgun_web_port      = $::fuel::params::nailgun_port,
  $nailgun_internal_port = $::fuel::params::nailgun_internal_port,
  $nailgun_repo_port     = $::fuel::params::repo_port,
@ -43,6 +44,7 @@ class fuel::iptables (
  firewall { '005 ssh':
    port    => $ssh_port,
    proto   => 'tcp',
+    source  => $ssh_network,
    action  => 'accept',
  }

--- a/tests/noop/spec/hosts/master/host_spec.rb
+++ b/tests/noop/spec/hosts/master/host_spec.rb
@ -57,8 +57,8 @@ describe manifest do

    it 'should declare "osnailyfacter::ssh" class with correct parameters' do
      parameters = {
-          :password_auth => 'yes',
-          :listen_address => [fuel_settings['ADMIN_NETWORK']['ipaddress']],
+          :password_auth  => 'yes',
+          :listen_address => ['0.0.0.0'],
      }
      is_expected.to contain_class('osnailyfacter::ssh').with parameters
    end
@ -66,6 +66,7 @@ describe manifest do
    it 'should declare "fuel::iptables" class with correct parameters' do
      parameters = {
        :admin_iface => fuel_settings['ADMIN_NETWORK']['interface'],
+        :ssh_network => fuel_settings['ADMIN_NETWORK']['ssh_network'],
        :network_address => Noop.puppet_function(
            'ipcalc_network_by_address_netmask',
            fuel_settings['ADMIN_NETWORK']['ipaddress'],