Magnum

improve-swarm-security

Bug #1501050 reported by Daneyon Hansen on 2015-09-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Magnum	Fix Released	Wishlist	yatin	Magnum mitaka-1

Bug Description

Neutron security groups for the swarm bay type were too restrictive, causing containers to be unable to communicate. This was fixed in [1]. However, the fix leaves security rules wide open, allowing all icmp/tcp/udp traffic to the swarm manager and agent nodes.

[1] https://review.openstack.org/229134

A better fix should be implemented that allows container to freely communicate, while providing a reasonable level of protection to swarm nodes.

Suggested implementation:

Allow magnum bay-create to take a parameter --security-group-id that will pass the security group to template generation to result in a security group like the one in magnum/templates/docker-swarm/swarm.yaml.

Consider input validation to require access to the following ports in any security groups passed in:

tcp/22 # ssh
tcp/2375 # docker
tcp/2376 # swarm-manager

If any passed security group does not include these ports, raise an exception indicating that swarm will not work without them.

See original description

Tags:

Daneyon Hansen (danehans) on 2015-09-29

summary:

- better-swarm-security
+ improve-swarm-security

Adrian Otto (aotto) on 2015-09-29

description:

updated

Manjeet Singh Bhatia (manjeet-s-bhatia) on 2015-09-30

Changed in magnum:
assignee:	nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
status:	New → Confirmed
status:	Confirmed → New

Adrian Otto (aotto) on 2015-11-24

Changed in magnum:
milestone:	none → mitaka-1

Tom Cammann (tom-cammann) on 2016-08-05

Changed in magnum:
importance:	Undecided → Wishlist
assignee:	Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody

rajiv (rajiv-kumar) on 2016-08-06

Changed in magnum:
assignee:	nobody → rajiv (rajiv-kumar)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-08: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/352358

Changed in magnum:
status:	New → In Progress

OpenStack Infra (hudson-openstack) on 2016-11-23

Changed in magnum:
assignee:	rajiv (rajiv-kumar) → yatin (yatinkarel)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-15: Fix merged to magnum (master)

Reviewed: https://review.openstack.org/352358
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=5b02a6090d88c0bfb3dcbdf0a6aa78949d2f873d
Submitter: Jenkins
Branch: master

commit 5b02a6090d88c0bfb3dcbdf0a6aa78949d2f873d
Author: Rajiv Kumar <email address hidden>
Date: Mon Aug 8 16:44:07 2016 +0530

Improve security for swarm

All traffic was allowed for swarm manager. With this patch
following secgroup is created for restricted access.

Security Group: secgroup_swarm_manager

      1) Allow TCP 22, 2376 ports for everyone.
      2) Allow all the ports to subnet created.
      3) Allow UDP 53 port for everyone.

    Change-Id: Ie1aa4fffeb6317dc200a764319ac93e18d414a4b
    Depends-On: I9ad6e0577918e811e9dd051b56aa69bfe2c391a0
    Closes-bug: #1501050

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-01-27: Fix included in openstack/magnum 4.0.0

This issue was fixed in the openstack/magnum 4.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.