TripleO Should Report Required Firewall Rules by Role

Registered by Dan Sneddon on 2018-06-13

TripleO service definitions include the ports used by the service, and this information is used to configure iptables on the host running the service. Some operators want to enhance this security with hardware firewalls. Unfortunately, it isn't clear to operators what rules need to be configured on hardware firewalls or router ACLs.

Since we already have the firewall ports used by each service in the service definition, we have the information about which ports are needed for a particular service. TripleO should publish or report, on a per-node or per-role basis, what ports need to be open for each composable role. This would be used to report which ports need to be opened when using a hardware firewall or router ACL to further secure the environment.

It would be ideal if we could publish this data in a machine-readable format such as JSON. This would allow some automation to be inserted so that hardware firewalls could be automatically configured based on which services are used on which nodes. This would also make it clear what changes were required on hardware firewalls during upgrades.

Each service contains firewall rules in a unique key, for instance:

            '113 nova_api':
                - 8774
                - 13774
                - 8775

So what is needed is a way to compile all the applicable tripleo.*.firewall_rules parameters used on a role, and publish this in a report or file. This should include any custom rules that are added manually to the role by the installer.

Blueprint information

Not started
Emilien Macchi
Dan Sneddon
Needs approval
Series goal:
Accepted for ussuri
Not started
Milestone target:

Related branches



[2019-09-18] (aschultz): Not implemented by the end of Train, moving out to Ussuri


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.