On 9 September 2016 at 16:38, Paul Belanger <pabelan...@redhat.com> wrote: > Greetings, > > I would like to start the discussions around the removal of the bastion host > that sits in front of tripleo-test-cloud-rh1. It is my understanding, all > traffic from tripleo-test-cloud-rh1 flows through this linux box. Obviously > this is problematic for a public cloud. > > I currently do not know the history of the bastion host, I am hoping this > thread > will start discussions around it. > > However, my personal preference is to remove the bastion from the pipeline > between internet and tripleo-test-cloud-rh1. My main objection to the host, is > the fact we do packet filtering of traffic flowing between the internet and > tripleo-test-cloud-rh1.
Would it be enough to simply remove the traffic filtering? or are there other problems you are hoping to get rid of? > > Ideally tripleo-test-cloud-rh1 will simply have an unfiltered network drop on > the public web, this is how we do it today with the infracloud in > #openstack-infra. > > This will avoid the need to gain access to a private server (bastion) and need > to manipulate networking traffic. > > I'd like for us to try and establish a time frame to make this happen too. I don't know how much work this would be and what problems we would hit, historically the upstream tripleo team have been hands off when it comes to this box(and the rack switch), from our point of view we use it as a jump host to get to the other hosts on which openstack runs. And all outside traffic goes through it, I suppose the alternative would be to route the traffic directly to the overcloud controller. We should be moving all our cloud usage onto RDO-Cloud some day, we should probably try and first get a timeline for when we are moving onto RDO-Cloud, if that is coming up soon perhaps we can just wait at this situation goes away. > > --- > Paul > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev