improve-swarm-security
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Magnum | Fix Released | Wishlist | yatin | |
Bug Description
Neutron security groups for the swarm bay type were too restrictive, causing containers to be unable to communicate. This was fixed in [1]. However, the fix leaves security rules wide open, allowing all icmp/tcp/udp traffic to the swarm manager and agent nodes.
[1] https:/
A better fix should be implemented that allows containers to freely communicate, while providing a reasonable level of protection to swarm nodes.
Suggested implementation:
Allow magnum bay-create to take a parameter --security-group-id that will pass the security group to template generation to result in a security group like the one in magnum/
Consider input validation to require access to the following ports in any security groups passed in:
tcp/22 # ssh
tcp/2375 # docker
tcp/2376 # swarm-manager
If any passed security group does not include these ports, raise an exception indicating that swarm will not work without them.
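An added example (not Magnum's own code) of the validation step suggested above: it checks whether a user-supplied security group admits the three required ports and raises otherwise. It assumes the group arrives as a dict shaped like Neutron's security_group / security_group_rule resources; the function and exception names are hypothetical.

```python
# Added example, not Magnum's own code: check that a user-supplied Neutron
# security group admits the ports the bug description says swarm needs.
REQUIRED_TCP_PORTS = {22: "ssh", 2375: "docker", 2376: "swarm-manager"}


class SwarmSecurityGroupError(Exception):
    """Raised when a security group would leave swarm nodes unreachable."""


def rule_covers(rule, port):
    """True if one rule (dict shaped like Neutron's security_group_rule)
    admits ingress TCP traffic to `port`."""
    if rule.get("direction", "ingress") != "ingress":
        return False
    if rule.get("protocol") not in (None, "tcp"):  # None = any protocol
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:                  # no port restriction
        return True
    return (lo or 0) <= port <= (hi if hi is not None else lo)


def missing_ports(security_group):
    """Required ports that no ingress rule in the group allows."""
    rules = security_group.get("security_group_rules", [])
    return sorted(p for p in REQUIRED_TCP_PORTS
                  if not any(rule_covers(r, p) for r in rules))


def validate_swarm_security_group(security_group):
    """Raise SwarmSecurityGroupError naming any missing required port."""
    missing = missing_ports(security_group)
    if missing:
        detail = ", ".join("tcp/%d (%s)" % (p, REQUIRED_TCP_PORTS[p])
                           for p in missing)
        raise SwarmSecurityGroupError(
            "swarm will not work without ingress rules for: " + detail)
    return True


# Constructed sample group: ssh and docker are open, swarm-manager is not.
SAMPLE_SG = {"security_group_rules": [
    {"direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22},
    {"direction": "ingress", "protocol": "tcp",
     "port_range_min": 2375, "port_range_max": 2375},
    {"direction": "egress", "protocol": None,
     "port_range_min": None, "port_range_max": None},
]}
```

Calling validate_swarm_security_group(SAMPLE_SG) raises because tcp/2376 is missing; adding an ingress rule for it makes the check pass.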
summary: better-swarm-security → improve-swarm-security
description: updated
Changed in magnum:
assignee: nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
status: New → Confirmed
status: Confirmed → New
Changed in magnum:
milestone: none → mitaka-1
Changed in magnum:
importance: Undecided → Wishlist
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody
Changed in magnum:
assignee: nobody → rajiv (rajiv-kumar)
Changed in magnum:
assignee: rajiv (rajiv-kumar) → yatin (yatinkarel)
Fix proposed to branch: master
Review: https://review.openstack.org/352358