Cannot access VMs if no floating IPs and custom network

Bug #1386193 reported by Adrien Vergé
This bug affects 1 person
Affects: Sahara
Status: Fix Released
Importance: High
Assigned to: Adrien Vergé

Bug Description

On infras with custom network topology (to meet strong security requirements, for instance), VMs can only be accessed through a relay host, proxy or any other artifact. This kind of network configuration should not be an impediment to using Sahara.

Currently Sahara accesses VMs using two methods:
- directly when floating IPs are assigned;
- using a proxy when use_floating_ips=false and use_namespaces=true, the proxy command being hard-coded ('ip netns exec qrouter...')

One should be able to specify a custom proxy command in conf, to enable Sahara to reach VMs via SSH and HTTP.

Changed in sahara:
assignee: nobody → Adrien Vergé (adrien-verge)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/131142

Changed in sahara:
status: New → In Progress
Changed in sahara:
milestone: none → kilo-1
Changed in sahara:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/131142
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=d901039ea1d8567db92ef2bd454e239119455118
Submitter: Jenkins
Branch: master

commit d901039ea1d8567db92ef2bd454e239119455118
Author: Adrien Vergé <email address hidden>
Date: Tue Oct 21 16:48:02 2014 +0200

    Make proxy command generic and user-definable

    When using Sahara with use_floating_ips=false, instances are accessed
    through a proxy (both for SSH and HTTP connections). Currently Sahara
    reaches them using a hard-coded proxy command. This patch makes this
    command user-definable in the configuration file.

    Changes:
    - Move HTTP adapters logic out of Neutron-related code.
    - Transform the neutron proxy command into a generic one:
        'ip netns exec qrouter-{router_id} nc {host} {port}'
    - Use user-defined proxy command when proxy_command is set in conf;
      the hard-coded proxy command when use_floating_ips=false and
      use_namespaces=true; otherwise no proxy.
    - Add tests for those three possibilities + misconfiguration.

    Examples of use:
    - proxy_command='ip netns exec ns_for_{network_id} nc {host} {port}'
    - proxy_command='ssh proxy-machine-{tenant_id} nc {host} {port}'

    Change-Id: Iac033659e97b1ad935bb7be84de9fc731f787f4b
    Closes-Bug: #1386193
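
The selection order and the {placeholder} templates described in the commit message above, sketched as an added example that is not Sahara's code. The function names, the allowed placeholder set and the sample values are assumptions; the template is split into arguments before substitution so that a substituted value cannot add arguments or shell syntax to the proxy command.

```python
import shlex
import string

# Generic form of the hard-coded command quoted in the commit message.
NETNS_PROXY = 'ip netns exec qrouter-{router_id} nc {host} {port}'
# Placeholders that appear in the commit message; treating them as the
# complete allowed set is an assumption of this example.
ALLOWED_FIELDS = {'host', 'port', 'router_id', 'network_id', 'tenant_id'}


def select_template(proxy_command, use_floating_ips, use_namespaces):
    """Return the proxy template to use, or None for a direct connection."""
    if proxy_command:                      # user-defined command wins
        return proxy_command
    if not use_floating_ips and use_namespaces:
        return NETNS_PROXY                 # built-in namespace proxy
    return None                            # otherwise no proxy


def render_argv(template, **values):
    """Expand a template into an argv list meant to be run without a shell."""
    argv = []
    for token in shlex.split(template):    # tokenize first, substitute second
        for _, field, spec, conv in string.Formatter().parse(token):
            if field is None:              # plain text, nothing to check
                continue
            # Reject unknown names, positional fields, attribute or index
            # access ({host.attr}, {host[0]}) and format specs/conversions.
            if field not in ALLOWED_FIELDS or spec or conv:
                raise ValueError('unsupported placeholder in %r' % token)
            if field not in values:
                raise ValueError('no value for {%s}' % field)
        argv.append(token.format(**values))
    return argv


if __name__ == '__main__':
    # Constructed sample values, not taken from a real deployment.
    tmpl = select_template(None, use_floating_ips=False, use_namespaces=True)
    print(render_argv(tmpl, router_id='r-1234', host='10.0.0.5', port=22))
```

The resulting list can be handed to a process launcher as an argument vector, so no shell ever parses the substituted host, port or identifier values.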

Changed in sahara:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: kilo-1 → 2015.1.0