improve-swarm-security

Bug #1501050 reported by Daneyon Hansen
Affects: Magnum
Status: Fix Released
Importance: Wishlist
Assigned to: yatin

Bug Description

Neutron security groups for the swarm bay type were too restrictive, causing containers to be unable to communicate. This was fixed in [1]. However, the fix leaves security rules wide open, allowing all icmp/tcp/udp traffic to the swarm manager and agent nodes.

[1] https://review.openstack.org/229134

A better fix should be implemented that allows containers to freely communicate, while providing a reasonable level of protection to swarm nodes.

Suggested implementation:

Allow magnum bay-create to take a parameter --security-group-id that will pass the security group to template generation to result in a security group like the one in magnum/templates/docker-swarm/swarm.yaml.

Consider input validation to require access to the following ports in any security groups passed in:

tcp/22 # ssh
tcp/2375 # docker
tcp/2376 # swarm-manager

If any passed security group does not include these ports, raise an exception indicating that swarm will not work without them.
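As an added example (not Magnum's code) of the validation the report suggests: a check over Neutron-style security-group rules that raises an error naming every required port the group does not admit. It assumes rules as dicts carrying Neutron's rule fields, treats any ingress remote (a subnet-scoped rule included) as sufficient, and the sample groups and the subnet CIDR are constructed.

```python
REQUIRED_PORTS = {  # ports the report says any supplied group must admit
    ("tcp", 22): "ssh",
    ("tcp", 2375): "docker",
    ("tcp", 2376): "swarm-manager",
}

class SwarmSecurityGroupError(Exception):
    """Raised when a user-supplied security group would break Swarm."""

def rule_covers(rule, proto, port):
    """True if an ingress rule admits proto/port from at least one remote."""
    if rule.get("direction", "ingress") != "ingress":
        return False
    if rule.get("protocol") not in (None, proto):  # None means any protocol
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:  # no range means every port
        return True
    return (lo or 0) <= port <= (hi or 65535)

def missing_ports(rules):
    """Return the required (proto, port) pairs that no rule in `rules` covers."""
    return [need for need in REQUIRED_PORTS
            if not any(rule_covers(r, *need) for r in rules)]

def validate_swarm_security_group(rules):
    """Raise naming every missing port, as the report suggests; else return True."""
    missing = missing_ports(rules)
    if missing:
        detail = ", ".join(f"{p}/{n} ({REQUIRED_PORTS[(p, n)]})"
                           for p, n in missing)
        raise SwarmSecurityGroupError(
            "swarm will not work without ingress to " + detail)
    return True

# Constructed sample mirroring the merged fix's secgroup_swarm_manager: 22 and
# 2376 from anywhere, every port from the bay subnet, UDP 53 from anywhere.
FIXED_GROUP = [
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "0.0.0.0/0"},
    {"protocol": "tcp", "port_range_min": 2376, "port_range_max": 2376,
     "remote_ip_prefix": "0.0.0.0/0"},
    {"protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "10.0.0.0/24"},  # placeholder subnet, not from the page
    {"protocol": "udp", "port_range_min": 53, "port_range_max": 53,
     "remote_ip_prefix": "0.0.0.0/0"},
]
# Constructed sample: opens SSH only, so the check must reject it.
SSH_ONLY_GROUP = [FIXED_GROUP[0]]
```

The fix's group passes only because its subnet-wide rule admits tcp/2375; a group that opened 22 and 2376 to everyone but nothing else would be rejected for the missing docker port.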

Tags: tech-debt
summary: - better-swarm-security
+ improve-swarm-security
Adrian Otto (aotto)
description: updated
Changed in magnum:
assignee: nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
status: New → Confirmed
status: Confirmed → New
Adrian Otto (aotto)
Changed in magnum:
milestone: none → mitaka-1
Changed in magnum:
importance: Undecided → Wishlist
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody
rajiv (rajiv-kumar)
Changed in magnum:
assignee: nobody → rajiv (rajiv-kumar)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/352358

Changed in magnum:
status: New → In Progress
Changed in magnum:
assignee: rajiv (rajiv-kumar) → yatin (yatinkarel)
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/352358
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=5b02a6090d88c0bfb3dcbdf0a6aa78949d2f873d
Submitter: Jenkins
Branch: master

commit 5b02a6090d88c0bfb3dcbdf0a6aa78949d2f873d
Author: Rajiv Kumar <email address hidden>
Date: Mon Aug 8 16:44:07 2016 +0530

    Improve security for swarm

    All traffic was allowed for swarm manager. With this patch the
    following secgroup is created for restricted access.

    Security Group: secgroup_swarm_manager

      1) Allow TCP 22, 2376 ports for everyone.
      2) Allow all the ports to the subnet created.
      3) Allow UDP 53 port for everyone.

    Change-Id: Ie1aa4fffeb6317dc200a764319ac93e18d414a4b
    Depends-On: I9ad6e0577918e811e9dd051b56aa69bfe2c391a0
    Closes-bug: #1501050

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 4.0.0

This issue was fixed in the openstack/magnum 4.0.0 release.
