AGENT-925: Block port 22624 when adding day 2 worker node #1671

Open
wants to merge 1 commit into
base: master
32 changes: 32 additions & 0 deletions agent/05_agent_configure.sh
@@ -476,6 +476,36 @@ function get_nodes_bmc_info() {

}

function block_insecure_machine_config_server_port() {
existing_filter=$(sudo virsh nwfilter-list)
if [[ "$existing_filter" == *"block-insecure-machine-config-server"* ]]; then
sudo virsh nwfilter-undefine block-insecure-machine-config-server
fi
tmpfilter=$(mktemp --tmpdir "block-insecure-mcs--XXXXXXXXXX")
_tmpfiles="$_tmpfiles $tmpfilter"
echo "<filter name='block-insecure-machine-config-server' chain='root'>
<uuid>aaaaaaaa-aaaa-aaaa-aaaa-000000000001</uuid>
<rule action='drop' direction='in' priority='500'>
<tcp match='yes' dstportstart='22624' dstportend='22624'/>
</rule>
</filter>" > $tmpfilter
sudo virsh nwfilter-define $tmpfilter

for (( n=0; n<${2}; n++ ))
do
name=${CLUSTER_NAME}_${1}_${n}
tmpdomain=$(mktemp --tmpdir "${name}--XXXXXXXXXX")
_tmpfiles="$_tmpfiles $tmpdomain"
sudo virsh dumpxml ${name} > ${tmpdomain}

sed -i '/interface type=\([^>]*\)>/a\
<filterref filter="block-insecure-machine-config-server"/>\' ${tmpdomain}

sudo virsh define ${tmpdomain}
done
}

Maybe I'm oversimplifying it a little bit, but wouldn't it be enough to execute a simple ansible playbook like the following (similar to the ones used in metal3-dev-env):

```yaml
tasks:
    - name: Block port 22624 using firewalld
      firewalld:
        port: 22624/tcp
        state: disabled
        immediate: yes
        permanent: yes
```

on each control plane (master) node? Given also that this is a specific requirement for the add nodes workflow, it could probably be a task executed only in the new step.



write_pull_secret

# needed for assisted-service to run nmstatectl
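Review bot: the rule in this hunk filters the wrong direction for its stated purpose: `<rule action='drop' direction='in' priority='500'>` with `dstportstart='22624'` drops traffic arriving at the extra worker's own port 22624, while the insecure Machine Config Server listens on the control plane, so connections from the new worker (or anything else on the network) to the masters on 22624 are unaffected by this filter. Attach the filter to the control plane domains instead, or, if the goal is to keep the added host from using the insecure endpoint, make the rule `direction='out'`. Also, `sudo virsh nwfilter-undefine block-insecure-machine-config-server` fails while a running domain still references the filter, so a re-run against existing extraworker domains needs handling there, and `sudo virsh define ${tmpdomain}` on a running guest only updates the persistent config, so the filterref is not live until the domain restarts. Minor: the `\'` that closes the sed script leaves a literal trailing backslash in the `a\` text (backslash is not an escape inside single quotes), and `$tmpfilter`, `${name}` and `${tmpdomain}` should be double-quoted like the rest of the file.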
@@ -519,6 +549,8 @@ if [[ "${AGENT_PLATFORM_TYPE}" == "external" ]] || [[ "${AGENT_PLATFORM_TYPE}" =
set_device_mfg worker $NUM_WORKERS ${AGENT_PLATFORM_TYPE} ${AGENT_PLATFORM_NAME}
fi

block_insecure_machine_config_server_port extraworker $NUM_EXTRA_WORKERS

As mentioned before, I was expecting the port to be blocked on the control plane nodes, more than on the hosts to be added.


generate_cluster_manifests

generate_extra_cluster_manifests
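Review bot: the new call `block_insecure_machine_config_server_port extraworker $NUM_EXTRA_WORKERS` runs unconditionally, so with `NUM_EXTRA_WORKERS` unset the loop header `for (( n=0; n<${2}; n++ ))` expands to `n<` and the script fails, and with it set to 0 the nwfilter is still (re)defined for nothing. Guard it, for example `if [[ "${NUM_EXTRA_WORKERS:-0}" -gt 0 ]]; then ... fi`, and, as raised in the thread, pass the control plane role and node count rather than `extraworker`, since the Machine Config Server runs on the masters.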