opendevreview | Merged openstack/kayobe stable/victoria: Add support for Ironic inspection through DHCP-relay https://review.opendev.org/c/openstack/kayobe/+/819385 | 00:44 |
---|---|---|
opendevreview | Verification of a change to openstack/kayobe stable/victoria failed: Limit ip-routing and snat to seed hosts only https://review.opendev.org/c/openstack/kayobe/+/819372 | 01:28 |
opendevreview | Radosław Piliszek proposed openstack/kolla-ansible master: [WIP] [CI] Add Venus scenario https://review.opendev.org/c/openstack/kolla-ansible/+/823222 | 10:46 |
opendevreview | Dr. Jens Harbott proposed openstack/kolla-ansible master: Add a variable to set dns_servers for OVN https://review.opendev.org/c/openstack/kolla-ansible/+/818362 | 14:23 |
opendevreview | Merged openstack/kayobe stable/victoria: Limit ip-routing and snat to seed hosts only https://review.opendev.org/c/openstack/kayobe/+/819372 | 18:22 |
gueswhat | can anyone help, please? how can I expose the OpenStack API for internal instances? (for Heat, for example, for callbacks) | 19:04 |
ladrua | gueswhat: you can just access it through the public API? Just make sure your floating IP (external) network can reach that network address | 20:05 |
ladrua | gueswhat: not sure how you could access it through the internal network. | 20:06 |
gueswhat | ladrua, but it requires a different interface than neutron_external_network... | 20:53 |
gueswhat | seems that even Horizon is not bundled with Apache or some WAF, so probably it would be exposed to brute force attacks once it is publicly available | 22:08 |
gueswhat | https://docs.mirantis.com/mcp/q4-18/mcp-security-best-practices/use-cases/brute-force-prevention.html | 22:10 |
ladrua | gueswhat: it all depends on how you set up your network. In my case I solve it outside of OpenStack: I have a floating IP pool that's in the same subnet as the control network | 22:38 |
ladrua | and I have another IP pool that is connected to public facing IPs | 22:39 |
ladrua | so in my case if I need to connect to both my internal control network and get a public IP I add an instance with two NICs that is connected to its respective network | 22:39 |
ladrua | *interface meant instance | 22:40 |
gueswhat | ladrua what are you using for protecting Horizon from brute force attacks from the internet? | 22:42 |
ladrua | gueswhat: it is not connected to the public facing IPs, just my control network can access Horizon. But my instances can access my control network if needed | 22:43 |
ladrua | I solve this on my physical hardware switches with VLANs and trunking | 22:44 |
ladrua | so I have two subnets with different VLAN tags, one is the internal control network, and the other the public network. and I attach from a pool depending on my needs | 22:46 |
gueswhat | oh, I see, and you have allocated a floating IP (as a reservation), which is actually assigned to your VLAN interface as an external VIP, right? | 22:47 |
ladrua | gueswhat: pretty much yes | 22:48 |
gueswhat | is your trunk mapped as a provider network (external) | 22:48 |
gueswhat | ? | 22:48 |
ladrua | exyes | 22:48 |
ladrua | yes | 22:48 |
ladrua | if the only reason for you is to access the API, I would not be surprised if there is an easier path | 22:49 |
gueswhat | I don't know, I started using OpenStack a month ago... | 22:49 |
ladrua | I did this back in the day to just set up internal servers | 22:49 |
ladrua | yes, the problem in my case is I just manage one cloud, our own internal one, so I am no expert. | 22:50 |
ladrua | but you would solve your problem by setting up a similar network as I am mentioning | 22:51 |
ladrua | another way is to just use a flat network, so you just have your control subnet, then you use your network router to NAT public IPs and ports | 22:52 |
ladrua | depends what the end goal is too, a big cloud? small lab server? | 22:53 |
gueswhat | small lab, single baremetal, OpenStack is hosted in Proxmox, management network and external are reachable via VPN..., that's behind pfSense... I have 4 networks (public (external, flat), external (provider, flat), internal (VXLAN), management), external is meant for accessing non-OpenStack objects and vice versa... | 22:54 |
gueswhat | see https://drive.google.com/file/d/1KM4CzO7RgY8JoRtY4QZu7HPgPlyeB80O/view?usp=sharing | 22:55 |
gueswhat | *are | 22:58 |
ladrua | maybe just have the same subnet for the floating IP pool as the control network? | 23:01 |
ladrua | then you do your public IP port forwarding on your router? | 23:01 |
ladrua | presuming you have a hardware router of course | 23:01 |
ladrua | for a lab setup with a single host I would do that I think | 23:02 |
gueswhat | I don't have a HW router... | 23:04 |
gueswhat | that's why I'm using Proxmox | 23:04 |
gueswhat | to virtualize the whole thing | 23:04 |
gueswhat | it's just baremetal in a datacenter | 23:05 |
ladrua | ah, missed that. Haven't heard of Proxmox before. Ok then this is a bit outside of my experience as I am used to managing the physical network as well. | 23:07 |
gueswhat | oh, it's ok, thanks :) | 23:24 |