Merge "Make libvirt safe again"
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 5d0e6a1..e8b29cc 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -1,5 +1,6 @@
classes:
- service.nova.compute.kvm
+- service.iptables.server
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -94,3 +95,15 @@
public_key: ${_param:nova_compute_ssh_public}
private_key: ${_param:nova_compute_ssh_private}
my_ip: ${_param:single_address}
+ libvirt:
+ uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+ iptables:
+ service:
+ enabled: true
+ chain:
+ INPUT:
+ rules:
+ # deny any connections to libvirt port
+ - destination_port: 16509
+ protocol: tcp
+ jump: DROP
\ No newline at end of file
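Review bot: The blanket DROP on tcp/16509 has no source exemption, so it will also cut off nova's own libvirt-to-libvirt traffic for live migration if `live_migration_uri` is left at its `qemu+tcp://` default, which uses this same port; no matching `listen_tcp = 0` change in libvirtd.conf is visible in this change either. If the SSH key pair parameterised just above (`nova_compute_ssh_public`/`nova_compute_ssh_private`) is meant to carry migration over `qemu+ssh://`, say so in the rule comment, e.g. `# deny any connections to libvirt tcp port; live migration must use qemu+ssh`. Otherwise consider narrowing the rule with a `source:` match for the compute network instead of dropping everything. The file is also left without a trailing newline.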
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index b915145..d5126df 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.compute.kvm
+- service.iptables.server
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -90,3 +91,15 @@
public_key: ${_param:nova_compute_ssh_public}
private_key: ${_param:nova_compute_ssh_private}
my_ip: ${_param:single_address}
+ libvirt:
+ uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+ iptables:
+ service:
+ enabled: true
+ chain:
+ INPUT:
+ rules:
+ # deny any connections to libvirt port
+ - destination_port: 16509
+ protocol: tcp
+ jump: DROP
\ No newline at end of file
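Review bot: The rule only covers the plaintext libvirt port; if libvirtd is also configured with `listen_tls`, its default TLS listener on tcp/16514 remains reachable, and because the rule is appended to INPUT it only takes effect if no earlier ACCEPT for the management network matches first. Dropping the port is a second line of defence — the primary fix is `listen_tcp = 0` (and `listen_tls = 0` unless TLS is wanted) in libvirtd.conf, which this change does not touch. Suggest either a sibling rule `- destination_port: 16514` / `protocol: tcp` / `jump: DROP`, or a comment stating why 16514 is intentionally left open. The file is also left without a trailing newline.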