authorScott Hussey <sh8121@att.com>2019-01-10 21:12:10 -0600
committerScott Hussey <sh8121@att.com>2019-01-10 21:12:10 -0600
commit7f50e96ff37cbfd95611066eded6a715509b4e7e (patch)
tree5b77d15b1d8121c85fd5acd0fc63aa563d177c1c
parent43a2306f0a991e81f5487233386f031811d50efc (diff)
Open MAAS proxy ACL
- Allow requests from any source through the MAAS proxy so that traffic routed through maas-ingress will work Change-Id: I91e40789ad45c0ea75c54eccbf37931156b224e3
Notes
Notes (review): Code-Review+1: Steve Wilkerson <wilkers.steve@gmail.com> Code-Review+2: Mark Burnett <mark.m.burnett@gmail.com> Workflow+1: Mark Burnett <mark.m.burnett@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 11 Jan 2019 14:28:43 +0000 Reviewed-on: https://review.openstack.org/630011 Project: openstack/airship-maas Branch: refs/heads/master
-rw-r--r--images/maas-region-controller/2.3_proxy_acl.patch10
-rw-r--r--images/maas-region-controller/Dockerfile5
2 files changed, 15 insertions, 0 deletions
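--- /dev/null
+++ b/images/maas-region-controller/2.3_proxy_acl.patch
@@ -0,0 +1,10 @@
+18,24c18
+< http_access allow maas_proxy_manager localhost
+< http_access deny maas_proxy_manager
+< http_access deny !Safe_ports
+< http_access deny CONNECT !SSL_ports
+< http_access allow localnet
+< http_access allow localhost
+< http_access deny all
+---
+> http_access allow all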
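Review bot: The single replacement line `> http_access allow all` removes more than the source restrictions: it also drops `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports` and `http_access deny maas_proxy_manager`. The rendered proxy config then accepts any method to any port from any client that can reach it, and the `maas_proxy_manager` ACL (defined outside this hunk, presumably the cache-manager interface) is no longer limited to localhost. Working behind maas-ingress only needs the source check relaxed, so keep the three deny rules and replace `allow localnet` with a scoped source ACL, e.g. `acl ingress_net src <INGRESS_CIDR>` (placeholder value) followed by `http_access allow ingress_net`. Because this is a normal-format diff keyed to template lines 18-24, a comment naming the MAAS package version it was cut against would help when the upstream template shifts.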
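--- a/images/maas-region-controller/Dockerfile
+++ b/images/maas-region-controller/Dockerfile
@@ -69,12 +69,17 @@ COPY 2.3_bios_grub_preseed.patch /tmp/2.3_bios_grub_preseed.patch
 COPY 2.3_maas_enlist.patch /tmp/2.3_maas_enlist.patch
 # sh8121att: patch so that interfaces with MAC 00:00:00:00:00:00 omit the MAC address
 COPY 2.3_mac_address.patch /tmp/2.3_mac_address.patch
+# sh8121att: allow all requests via the proxy to allow it to work
+# behind ingress
+COPY 2.3_proxy_acl.patch /tmp/2.3_proxy_acl.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.3_kernel_package.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/2.3_bios_grub_partition.patch
 RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_storage.py < /tmp/2.3_bios_grub_preseed.patch
 RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_enlist.sh < /tmp/2.3_maas_enlist.patch
 RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch ipaddr.py < /tmp/2.3_mac_address.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch ipaddr.py < /tmp/2.3_mac_address.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/2.3_proxy_acl.patch
 
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
 RUN mkdir -p /etc/systemd/system/basic.target.wants ;\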
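Review bot: New line 81 repeats the `patch ipaddr.py < /tmp/2.3_mac_address.patch` step that already runs on line 80, so the MAC-address patch is applied to the same file twice in one build. Depending on that patch's format, the second run is either rejected as previously applied (a non-zero exit that fails the build) or changes ipaddr.py a second time. Neither is what the commit message describes, so drop the duplicate and keep only the `maas-proxy.conf.template` step as the added RUN. The new comment on lines 72-73 should also say that the proxy becomes open to any source and that access control is expected to come from the ingress or network policy, e.g. `# NOTE: proxy ACL is opened to all sources; restrict reachability at the ingress/network layer`.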