Best Practice CentOS 7 Firewalld on Controller

2017-02-26



Hi there, I am currently setting up a new OpenStack cluster (Newton) and was wondering what the best practices are concerning firewalld on CentOS 7 for the controller node.

In most guides that I have read people tend to turn off firewalld - is this because of laziness/simplicity or is this the general best practice when working with OpenStack?

Cheers Jatha

3 answers

2017-02-26

is this because of laziness/simplicity

Simplicity, allowing the guide to focus on OpenStack. Also, the install guide recommends turning the firewall off during installation, not during production.

2017-02-27

I believe this is because OpenStack currently uses iptables, not firewalld.

2017-02-27



Regarding firewalld setup for RDO Liberty, see
Set up HAProxy/Keepalived 3 Node Controller on RDO Liberty per Javier Pena
Consider the Liberty configs as samples for recent RDO releases.
For instance, the Nova configuration:

systemctl start openstack-nova-consoleauth
systemctl start openstack-nova-novncproxy 
systemctl start openstack-nova-api
systemctl start openstack-nova-scheduler
systemctl start openstack-nova-conductor
systemctl enable openstack-nova-consoleauth
systemctl enable openstack-nova-novncproxy 
systemctl enable openstack-nova-api
systemctl enable openstack-nova-scheduler
systemctl enable openstack-nova-conductor

firewall-cmd --add-port=8773-8775/tcp
firewall-cmd --add-port=8773-8775/tcp --permanent
firewall-cmd --add-port=6080/tcp
firewall-cmd --add-port=6080/tcp --permanent
Asked: 2017-02-26
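
The last answer opens each port twice, once in the runtime configuration and once with --permanent; a port present in only one of the two is either closed now or lost on the next reload. The following check is an added example, not part of the thread: the function names and the script name check_ports.sh are hypothetical, and the required list is only the Nova ports quoted in that answer.

```shell
#!/bin/bash
# Required ports, taken from the firewall-cmd lines in the answer above.
REQUIRED="8773-8775/tcp 6080/tcp"

# port_covered PORT PROTO "OPEN LIST": succeeds if an open spec covers PORT/PROTO.
port_covered() {
    local o_spec o_range o_lo o_hi
    for o_spec in $3; do
        [ "${o_spec##*/}" = "$2" ] || continue
        o_range=${o_spec%/*}
        o_lo=${o_range%-*}      # "6080" stays 6080, "8773-8775" becomes 8773
        o_hi=${o_range#*-}      # "6080" stays 6080, "8773-8775" becomes 8775
        if [ "$1" -ge "$o_lo" ] && [ "$1" -le "$o_hi" ]; then
            return 0
        fi
    done
    return 1
}

# missing_ports "REQUIRED LIST" "OPEN LIST": prints required ports that are not open.
missing_ports() {
    local spec proto range p hi out
    out=""
    for spec in $1; do
        proto=${spec##*/}
        range=${spec%/*}
        p=${range%-*}
        hi=${range#*-}
        while [ "$p" -le "$hi" ]; do
            port_covered "$p" "$proto" "$2" || out="$out $p/$proto"
            p=$((p + 1))
        done
    done
    printf '%s\n' "${out# }"
}

# audit: checks the runtime and the permanent firewalld configuration (needs root).
audit() {
    local rt pm
    rt=$(missing_ports "$REQUIRED" "$(firewall-cmd --list-ports)")
    pm=$(missing_ports "$REQUIRED" "$(firewall-cmd --permanent --list-ports)")
    [ -z "$rt" ] || echo "runtime config is missing: $rt"
    [ -z "$pm" ] || echo "permanent config is missing (lost on reload): $pm"
    [ -z "$rt$pm" ]
}

# Run the live check only when asked to, e.g.: bash check_ports.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```
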

