Add NTP security group rules for OpenStack instances

Add UDP port 123 ingress and egress rules for both server and worker
security groups to enable NTP time synchronization. Also refactor
add_rule() to accept direction parameter instead of hardcoding ingress.

Signed-off-by: deepssin <deepssin@redhat.com>

diff --git a/teuthology/openstack/__init__.py b/teuthology/openstack/__init__.py
index 11d8ff150d7c67c8cc6f565a0019c7583385e632..b9faffd8eb2b2515efba0d8ab984d7176b35fa40 100644 (file)
--- a/teuthology/openstack/__init__.py
+++ b/teuthology/openstack/__init__.py
@@ -1233,10 +1233,10 @@ ssh access           : ssh {identity}{username}@{ip} # logs in /usr/share/nginx/
             server_sg = conn.network.create_security_group(name=self.server_group())
         if not worker_sg:
             worker_sg = conn.network.create_security_group(name=self.worker_group())
-        def add_rule(sg_id, protocol, port=None, remote_group_id=None):
+        def add_rule(sg_id, protocol, port=None, remote_group_id=None, direction='ingress'):
             rule_args = {
                 'security_group_id': sg_id,
-                'direction': 'ingress',
+                'direction': direction,
                 'protocol': protocol,
                 'ethertype': 'IPv4',
             }
@@ -1262,6 +1262,12 @@ ssh access           : ssh {identity}{username}@{ip} # logs in /usr/share/nginx/
         # access within worker group
         add_rule(worker_sg.id, 'udp', port=65535, remote_group_id=worker_sg.id)
 
+        # NTP synchronization(UDP port 123)
+        add_rule(server_sg.id, 'udp', port=123, direction='egress')
+        add_rule(worker_sg.id, 'udp', port=123, direction='egress')
+        add_rule(server_sg.id, 'udp', port=123, direction='ingress')
+        add_rule(worker_sg.id, 'udp', port=123, direction='ingress')
+
     @staticmethod
     def get_unassociated_floating_ip():
         """