9.11. Enabling Network Isolation for Gears


Prior to OpenShift Enterprise 2.2, network isolation for gears was not applied by default. Without isolation, gears could bind and connect to localhost as well as IP addresses belonging to other gears on the node, allowing users access to unprotected network resources running in another user's gear. To prevent this, starting with OpenShift Enterprise 2.2 the oo-gear-firewall command is invoked by default at installation when using the oo-install installation utility or the installation scripts. It must be invoked explicitly on each node host during manual installations.

Note

The oo-gear-firewall command is available in OpenShift Enterprise 2.1 starting with release 2.1.9.

The oo-gear-firewall command configures nodes with firewall rules using the iptables command and SELinux policies using the semanage command to prevent gears from binding or connecting on IP addresses that belong to other gears.
Gears are identified as a range of user IDs on the node host. The oo-gear-firewall command creates static sets of rules and policies to isolate all possible gears in the range. The UID range must be the same across all hosts in a gear profile. By default, the range used by the oo-gear-firewall command is taken from existing district settings if known, or 1000 through 6999 if unknown. The tool can be re-run to apply rules and policies for an updated UID range if the range is changed later.
To enable network isolation for gears using the default range, run the following command on each node host:
# oo-gear-firewall -i enable -s enable
To specify the UID range:
# oo-gear-firewall -i enable -s enable -b District_Beginning_UID -e District_Ending_UID
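As an added example (not part of the Red Hat documentation or of the oo-gear-firewall tool itself), the following POSIX shell wrapper validates a district UID range and then runs the identical oo-gear-firewall invocation on every node host in a gear profile, which is the consistency requirement stated above. It assumes root ssh access to each node and uses a hypothetical GEAR_FW_DRY_RUN variable to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Red Hat code: apply the same oo-gear-firewall rules on
# every node host of a gear profile so the UID range cannot drift between nodes.
# Assumptions: passwordless ssh as root to each node; GEAR_FW_DRY_RUN=1
# (hypothetical variable) prints the per-node commands instead of running them.

# valid_uid_range BEGIN END -> 0 if both are positive integers and BEGIN < END
valid_uid_range() {
    for v in "$1" "$2"; do
        case "$v" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$1" -lt "$2" ]
}

# gear_firewall_cmd BEGIN END -> the command to run on one node host;
# with no range given, oo-gear-firewall falls back to the district range
# if known, or 1000 through 6999 if unknown.
gear_firewall_cmd() {
    if [ -z "$1" ] && [ -z "$2" ]; then
        echo "oo-gear-firewall -i enable -s enable"
    else
        echo "oo-gear-firewall -i enable -s enable -b $1 -e $2"
    fi
}

# enable_gear_isolation BEGIN END NODE... -> run the same command on each node,
# stopping at the first node that fails so the profile is never left half-done
enable_gear_isolation() {
    begin=$1; end=$2; shift 2
    if [ -n "$begin$end" ] && ! valid_uid_range "$begin" "$end"; then
        echo "invalid UID range: '$begin'-'$end'" >&2
        return 1
    fi
    cmd=$(gear_firewall_cmd "$begin" "$end")
    for node in "$@"; do
        if [ "${GEAR_FW_DRY_RUN:-0}" = 1 ]; then
            echo "$node: $cmd"
        else
            ssh "root@$node" "$cmd" || { echo "failed on $node" >&2; return 1; }
        fi
    done
}
```

Run it as enable_gear_isolation 1000 6999 node1 node2 ..., passing exactly the district's beginning and ending UID, or with two empty arguments to use the default range.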