AGENT-925: Block port 22624 when adding day 2 worker node #1671

Open. wants to merge 1 commit into base: master

Conversation

rwsu (Contributor)
@rwsu rwsu commented Jun 28, 2024

22624 is the insecure port for the machine config server. Day 2
nodes should be communicating through the secure port 22623. By
blocking the insecure port for extra worker nodes, we force them
to use the secure port.

The filter isn't applied to master or worker nodes because they
fetch their ignition through the secure port during initial
installation.

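The PR description above says the change works by redefining the extra worker libvirt domains so that they cannot reach the insecure machine config server port. As an added illustration (not code from dev-scripts or from this PR), the block below builds a libvirt nwfilter that drops outbound TCP to 22624, attaches it to every interface of a domain's XML, and applies it only to domains whose role is "extraworker", leaving "master" and "worker" domains alone as the description requires. The filter name `block-mcs-insecure`, the domain naming pattern `<cluster>_<role>_<n>`, and the sample domain XML are assumptions made for the example; the `virsh` commands that would load the result are real libvirt commands but are only shown in comments.

```python
"""Drop outbound TCP to the insecure MCS port for selected libvirt domains.

Example code, not part of dev-scripts. Assumed: domain names look like
<cluster>_<role>_<n> (e.g. ostest_extraworker_0); filter name is made up.
"""
import xml.etree.ElementTree as ET

MCS_INSECURE_PORT = 22624            # plain-HTTP machine config server port
FILTER_NAME = "block-mcs-insecure"   # assumed nwfilter name (not from the page)


def build_nwfilter_xml(name=FILTER_NAME, port=MCS_INSECURE_PORT):
    """Return nwfilter XML that drops VM-originated TCP (v4 and v6) to `port`.

    direction='out' is traffic leaving the VM, i.e. the day 2 node's own
    attempt to fetch ignition over the insecure port.
    """
    flt = ET.Element("filter", name=name, chain="root")
    for proto in ("tcp", "tcp-ipv6"):
        rule = ET.SubElement(flt, "rule", action="drop",
                             direction="out", priority="500")
        ET.SubElement(rule, proto, dstportstart=str(port))
    return ET.tostring(flt, encoding="unicode")


def attach_filter(domain_xml, filter_name=FILTER_NAME):
    """Add <filterref filter=...> to every <interface> of a domain definition.

    Idempotent: interfaces that already reference the filter are skipped.
    Returns (new_xml, number_of_interfaces_changed).
    """
    root = ET.fromstring(domain_xml)
    changed = 0
    for iface in root.iter("interface"):
        if any(ref.get("filter") == filter_name
               for ref in iface.findall("filterref")):
            continue
        ET.SubElement(iface, "filterref", filter=filter_name)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def filter_domains(domains, role="extraworker", filter_name=FILTER_NAME):
    """Apply attach_filter only to domains of the given role.

    `domains` maps domain name -> domain XML. Masters and workers fetch their
    ignition during install and must keep 22624 reachable, so only names whose
    middle component equals `role` are touched. Returns name -> (xml, changed).
    """
    result = {}
    for name, xml in domains.items():
        parts = name.split("_")
        if len(parts) >= 3 and parts[1] == role:
            xml, changed = attach_filter(xml, filter_name)
        else:
            changed = 0
        result[name] = (xml, changed)
    return result


# Constructed sample domain definition (minimal, not a real dump).
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>ostest_extraworker_0</name>
  <devices>
    <interface type='network'>
      <source network='ostestbm'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""


if __name__ == "__main__":
    # Real-world flow (not executed here):
    #   virsh nwfilter-define block-mcs-insecure.xml
    #   virsh dumpxml ostest_extraworker_0 > /tmp/dom.xml
    #   (rewrite /tmp/dom.xml with attach_filter)
    #   virsh define /tmp/dom.xml
    print(build_nwfilter_xml())
    domains = {
        "ostest_master_0": SAMPLE_DOMAIN.replace("extraworker", "master"),
        "ostest_extraworker_0": SAMPLE_DOMAIN,
    }
    for name, (xml, changed) in filter_domains(domains).items():
        print(f"{name}: {changed} interface(s) filtered")
```

Because the rule lives on the hypervisor side of the VM's interface, it only stops that guest from talking to 22624; it does not close the port on the control plane, which is the point raised in the review comments below.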
@openshift-ci openshift-ci bot requested review from andfasano and bfournie June 28, 2024 02:37

openshift-ci bot commented Jun 28, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from rwsu. For more information see the Kubernetes Code Review Process.


Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


sudo virsh define ${tmpdomain}
done
}
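Review bot: the loop applies the change with `sudo virsh define ${tmpdomain}` without checking its exit status, so a redefine that fails (for example because the rewritten XML is invalid) silently leaves that extra worker without the filter and the script carries on; fail on a non-zero return from `virsh define`, or run the loop under `set -e`, so the test cannot pass with the insecure port still reachable.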
Member

Maybe I'm oversimplifying it a little bit, but wouldn't it be enough to execute a simple ansible playbook like the following (similar to the ones used in metal3-dev-env):

tasks:
  - name: Block port 22624 using firewalld
    firewalld:
      port: 22624/tcp
      state: disabled
      immediate: yes
      permanent: yes

on each control plane (master) node? Given also that this is a specific requirement for the add nodes workflow, it could probably be a task executed only in the new step.

@@ -519,6 +549,8 @@ if [[ "${AGENT_PLATFORM_TYPE}" == "external" ]] || [[ "${AGENT_PLATFORM_TYPE}" =
set_device_mfg worker $NUM_WORKERS ${AGENT_PLATFORM_TYPE} ${AGENT_PLATFORM_NAME}
fi

block_insecure_machine_config_server_port extraworker $NUM_EXTRA_WORKERS
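Review bot: `block_insecure_machine_config_server_port extraworker $NUM_EXTRA_WORKERS` filters the port on the extra worker VMs, i.e. on the clients, while the machine config server that listens on 22624 runs on the control plane, so the insecure endpoint stays reachable from every other host and this only proves that the added nodes can join via 22623; state in the commit message that this is a test-side filter rather than hardening of the cluster, and note that the call is unconditional, unlike the `set_device_mfg` call above it which is guarded by `AGENT_PLATFORM_TYPE`, so it should be skipped, or the function should return early, when no extra workers are defined.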
Member

As mentioned before, I was expecting the port to be blocked on the control plane nodes, more than on the hosts to be added
