Merge pull request #2070 from deepssin/sec_rule

zmc · web-flow · commit 501b94205628 · 2025-07-25T16:01:41.000-06:00
[Openstack]allow all TCP ingress to prevent node communication failures
diff --git a/teuthology/openstack/__init__.py b/teuthology/openstack/__init__.py
@@ -1222,15 +1222,15 @@ def create_security_group(self):
             server_sg = conn.network.create_security_group(name=self.server_group())
         if not worker_sg:
             worker_sg = conn.network.create_security_group(name=self.worker_group())
-        def add_rule(sg_id, protocol, port, remote_group_id=None):
+        def add_rule(sg_id, protocol, port=None, remote_group_id=None):
             rule_args = {
                 'security_group_id': sg_id,
                 'direction': 'ingress',
                 'protocol': protocol,
-                'port_range_min': port,
-                'port_range_max': port,
                 'ethertype': 'IPv4',
             }
+            if port is not None:
+                rule_args['port_range_min'] = rule_args['port_range_max'] = port
             if remote_group_id:
                 rule_args['remote_group_id'] = remote_group_id
             else:
@@ -1239,17 +1239,17 @@ def add_rule(sg_id, protocol, port, remote_group_id=None):
                 conn.network.create_security_group_rule(**rule_args)
             except Exception as e:
                 log.warning(f"Security group rule creation skipped or failed: {e}")
-        # Rules for SSH, log, pulpito and paddles
-        for port in (22, 80, 8080, 8081):
-            add_rule(server_sg.id, 'tcp', port)
+        # tcp access to enable reliable inter-node communication
+        for sg in (server_sg, worker_sg):
+            add_rule(sg.id, 'tcp')
         # access between teuthology and workers
         for port in (65535,):
-            add_rule(worker_sg.id, 'udp', port, remote_group_id=server_sg.id)
-            add_rule(server_sg.id, 'udp', port, remote_group_id=worker_sg.id)
+            add_rule(worker_sg.id, 'udp', port=port, remote_group_id=server_sg.id)
+            add_rule(server_sg.id, 'udp', port=port, remote_group_id=worker_sg.id)
         # access between members of one group
-        add_rule(server_sg.id, 'udp', 65535, remote_group_id=server_sg.id)
+        add_rule(server_sg.id, 'udp', port=65535, remote_group_id=server_sg.id)
         # access within worker group
-        add_rule(worker_sg.id, 'udp', 65535, remote_group_id=worker_sg.id)
+        add_rule(worker_sg.id, 'udp', port=65535, remote_group_id=worker_sg.id)
 
     @staticmethod
     def get_unassociated_floating_ip():
