authorHÃ¥kon Hallingstad <hakon@verizonmedia.com>2019-09-06 12:22:21 +0200
committerGitHub <noreply@github.com>2019-09-06 12:22:21 +0200
commit283a224f73010a40bc8933a6568def2f3dc0608d (patch)
tree360ca6e162275a52cd59560e68806652fe4e7fd6 /node-repository
parent617fdc61b6c28e188489a28ac334290f85ef71d4 (diff)
parent0dbd2b015a0e9b1c0e9439124385cbc6573ac4b1 (diff)
Merge pull request #10533 from vespa-engine/hakonhall/allow-ssh-to-hosts-with-host-network
Allow SSH to hosts with host-network
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java5
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java2
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json4
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json7
4 files changed, 16 insertions, 2 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
index 1fbb83c7718..a237b09b6dd 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/NodeRepository.java
@@ -207,9 +207,14 @@ public class NodeRepository extends AbstractComponent {
Set<String> trustedNetworks = new LinkedHashSet<>();
// For all cases below, trust:
+ // - SSH: If the Docker host has one container, and it is using the Docker host's network namespace,
+ // opening up SSH to the Docker host is done here as a trusted port. For simplicity all nodes have
+ // SSH opened (which is safe for 2 reasons: SSH daemon is not run inside containers, and NPT networks
+ // will (should) not forward port 22 traffic to container).
// - parent host (for health checks and metrics)
// - nodes in same application
// - load balancers allocated to application
+ trustedPorts.add(22);
candidates.parentOf(node).ifPresent(trustedNodes::add);
node.allocation().ifPresent(allocation -> {
trustedNodes.addAll(candidates.owner(allocation.owner()).asList());
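Review bot: `trustedPorts.add(22)` sits under "For all cases below", so every node's ACL now trusts port 22, although the new comment says only a Docker host whose single container shares its network namespace needs it; the acl-tenant-node.json fixture later in this commit pins exactly that for a tenant node. The safety argument rests on two conditions this code does not check (no SSH daemon inside containers, and NPT that "will (should)" not forward port 22), so a container image that did start sshd would be exposed to whatever sources a trusted port admits, which is not visible in this hunk. I would add the port only in the branch for the node types that need it, or, if the blanket rule stays, replace the literal with a named constant and record the dependency next to it, e.g. `// NOTE: relies on containers never running sshd; revisit if that changes`. The enclosing method begins and ends outside the hunk.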
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
index 2b669750cc6..762fd87c2d1 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/provisioning/AclProvisioningTest.java
@@ -158,7 +158,7 @@ public class AclProvisioningTest {
// Controllers and hosts all trust each other
List<NodeAcl> controllerAcls = tester.nodeRepository().getNodeAcls(controllers.get(0), false);
assertAcls(List.of(controllers), controllerAcls);
- assertEquals(Set.of(4443, 443), controllerAcls.get(0).trustedPorts());
+ assertEquals(Set.of(22, 4443, 443), controllerAcls.get(0).trustedPorts());
}
@Test
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
index 88e8fb44f9f..c8a8037aeb0 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-config-server.json
@@ -226,6 +226,10 @@
"trustedNetworks": [],
"trustedPorts": [
{
+ "port":22,
+ "trustedBy":"cfg1.yahoo.com"
+ },
+ {
"port": 4443,
"trustedBy": "cfg1.yahoo.com"
}
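Review bot: The added entries are written `"port":22` and `"trustedBy":"cfg1.yahoo.com"` without the space after the colon that the neighbouring `"port": 4443` entry uses, and the lines added to acl-tenant-node.json have the same spacing. If the fixtures are compared as parsed JSON this is cosmetic, but writing `"port": 22,` keeps the files uniform and later diffs quiet.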
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
index 040b2ebe167..370dacd3c85 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/responses/acl-tenant-node.json
@@ -170,5 +170,10 @@
}
],
"trustedNetworks": [],
- "trustedPorts": []
+ "trustedPorts": [
+ {
+ "port":22,
+ "trustedBy":"foo.yahoo.com"
+ }
+ ]
}