9.11. Enabling Network Isolation for Gears
Prior to OpenShift Enterprise 2.2, network isolation for gears was not applied by default. Without isolation, gears could bind and connect to localhost as well as IP addresses belonging to other gears on the node, allowing users access to unprotected network resources running in another user's gear. To prevent this, starting with OpenShift Enterprise 2.2 the oo-gear-firewall command is invoked by default at installation when using the oo-install installation utility or the installation scripts. It must be invoked explicitly on each node host during manual installations.
Note
The oo-gear-firewall command is available in OpenShift Enterprise 2.1 starting with release 2.1.9.
The oo-gear-firewall command configures nodes with firewall rules using the iptables command and SELinux policies using the semanage command to prevent gears from binding or connecting on IP addresses that belong to other gears.
Gears are identified as a range of user IDs on the node host. The oo-gear-firewall command creates static sets of rules and policies to isolate all possible gears in the range. The UID range must be the same across all hosts in a gear profile. By default, the range used by the oo-gear-firewall command is taken from existing district settings if known, or 1000 through 6999 if unknown. The tool can be re-run to apply rules and policies for an updated UID range if the range is changed later.
To enable network isolation for gears using the default range, run the following command on each node host:
# oo-gear-firewall -i enable -s enable
To specify the UID range:
# oo-gear-firewall -i enable -s enable -b District_Beginning_UID -e District_Ending_UID
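The following added example is not part of the OpenShift Enterprise documentation or of the oo-gear-firewall tool itself. It wraps the command above with the two checks an administrator would want before running it on each node host: that the UID range is a valid pair of integers with the beginning below the end, and that every node host in a gear profile has been given the same range, as the text requires. The hostnames and ranges used are constructed sample data.

```shell
#!/bin/sh
# Added example: build the oo-gear-firewall invocation for a node host and
# check UID-range consistency across a gear profile. Not from the OpenShift
# Enterprise docs; hostnames and ranges below are constructed sample data.

DEFAULT_BEGIN=1000   # defaults the text gives when no district is known
DEFAULT_END=6999

# is_uint VALUE -> succeeds only when VALUE is a non-negative integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gear_firewall_cmd [BEGIN] [END]
# Prints the command to run on the node host, or fails with a message on
# stderr when the range is not two integers with BEGIN below END.
gear_firewall_cmd() {
    begin="${1:-$DEFAULT_BEGIN}"
    end="${2:-$DEFAULT_END}"
    if ! is_uint "$begin" || ! is_uint "$end"; then
        echo "UID range must be numeric: $begin-$end" >&2
        return 1
    fi
    if [ "$begin" -ge "$end" ]; then
        echo "beginning UID must be below ending UID: $begin-$end" >&2
        return 1
    fi
    echo "oo-gear-firewall -i enable -s enable -b $begin -e $end"
}

# profile_ranges_consistent "host:begin:end host:begin:end ..."
# Succeeds when every node host in the profile reports the same UID range;
# otherwise names each host that differs from the first one and fails.
profile_ranges_consistent() {
    set -- $1
    reference="${1#*:}"
    status=0
    for entry in "$@"; do
        range="${entry#*:}"
        if [ "$range" != "$reference" ]; then
            echo "${entry%%:*} uses $range, expected $reference" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample profile in which node3 was configured with a different
# range and therefore must not be left as-is.
SAMPLE_PROFILE="node1:1000:6999 node2:1000:6999 node3:2000:6999"
```

Run profile_ranges_consistent with the ranges collected from each node host before invoking the command the function prints; a mismatch means the rules on that host isolate a different set of UIDs than the rest of the profile.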