[RFE] Security Groups support for baremetal servers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Fix Released | Wishlist | Sukhdev Kapur | 
Bug Description
With the Ironic-Neutron integration, we are able to take full advantage of the Security Groups support offered by Neutron. With this integration effort, Security Group support is now available to bare metal servers in the same way it is available to virtual instances. When "nova boot" is issued to launch a bare metal instance, --security-groups <sec-group-id> may be specified, just as for a virtual instance, to apply the appropriate ACLs on the physical ports where the bare metal host is connected to the TOR(s). ML2 drivers know how to support Security Groups in Neutron. While this works for the tenant network, we still need to address security groups for the provisioning network. The following was proposed and agreed by the Ironic-Neutron integration team (see here - http://
Two security group options will be added to the ironic config: one for the provisioning network and another for the cleaning network (provisioning_
Both of these options will default to None, to keep backward compatibility.
An operator/admin may create these security groups when the provisioning and cleaning networks are created, and specify the UUIDs of these security groups in the ironic config.
During the deploy phase, when the Ironic driver issues a neutron port-create on the provisioning network, it will pass this UUID (if specified).
The ML2 driver will be notified of the security group and will apply the appropriate ACLs on the physical ports of the TOR where the bare metal host is connected.
Note: the Neutron callback framework handles notification of Security Groups to the ML2 drivers. If a security group rule is modified/
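The proposal above is a small config-plus-API change: two optional security group UUIDs in the [neutron] section of ironic.conf, consumed when Ironic creates the provisioning or cleaning port. The following Python is an added illustration of that flow, not Ironic's own code: it reads a constructed ironic.conf fragment and builds the Neutron POST /v2.0/ports request bodies, including security_groups only when the operator set one so that an unset option leaves Neutron's default behaviour untouched. The option names provisioning_network_security_group and cleaning_network_security_group, the UUIDs and the switch identifiers are assumptions made for the example (the naming is still under discussion in this RFE).

```python
import configparser
from typing import Dict, Optional

# Constructed ironic.conf fragment for the example. The *_security_group
# option names are hypothetical (not yet agreed in the RFE) and the UUIDs
# are made up.
SAMPLE_CONF = """
[neutron]
provisioning_network_uuid = 11111111-1111-4111-8111-111111111111
cleaning_network_uuid = 22222222-2222-4222-8222-222222222222
provisioning_network_security_group = aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa
# cleaning_network_security_group deliberately unset: backward-compatible default
"""

OPTION_NAMES = (
    "provisioning_network_uuid",
    "cleaning_network_uuid",
    "provisioning_network_security_group",
    "cleaning_network_security_group",
)


def load_neutron_opts(conf_text: str) -> Dict[str, Optional[str]]:
    """Read the [neutron] options, mapping unset or empty values to None."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.read_string(conf_text)
    section = parser["neutron"] if parser.has_section("neutron") else {}
    return {name: (section.get(name) or None) for name in OPTION_NAMES}


def build_port_body(network_id: str, security_group: Optional[str],
                    host_id: str, switch_id: str, switch_port: str) -> dict:
    """Body for Neutron POST /v2.0/ports that binds a bare metal NIC.

    security_groups is only sent when the operator configured a group; when
    the key is omitted Neutron keeps its default behaviour for the port, which
    is what an unset option (None) is meant to preserve.
    """
    port = {
        "network_id": network_id,
        "admin_state_up": True,
        "binding:host_id": host_id,
        "binding:vnic_type": "baremetal",
        # local_link_information tells the ML2 driver which TOR port to ACL.
        "binding:profile": {
            "local_link_information": [
                {"switch_id": switch_id, "port_id": switch_port}
            ]
        },
    }
    if security_group is not None:
        port["security_groups"] = [security_group]
    return {"port": port}


def port_bodies_for_deploy(opts: Dict[str, Optional[str]], host_id: str,
                           switch_id: str, switch_port: str) -> Dict[str, dict]:
    """One port-create body per Ironic-managed network (provisioning, cleaning)."""
    return {
        "provisioning": build_port_body(
            opts["provisioning_network_uuid"],
            opts["provisioning_network_security_group"],
            host_id, switch_id, switch_port),
        "cleaning": build_port_body(
            opts["cleaning_network_uuid"],
            opts["cleaning_network_security_group"],
            host_id, switch_id, switch_port),
    }


if __name__ == "__main__":
    # Hypothetical node and switch identifiers for the example.
    bodies = port_bodies_for_deploy(load_neutron_opts(SAMPLE_CONF),
                                    "node-1", "00:11:22:33:44:55", "Ethernet1/1")
    for net, body in bodies.items():
        print(net, "->", body["port"].get("security_groups", "<neutron default>"))
```

The check worth keeping from this is the asymmetry between the two networks: the provisioning body carries the configured group, while the cleaning body has no security_groups key at all rather than an empty list, since an empty list would explicitly strip every group from the port and change behaviour for existing deployments.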
Changed in ironic:
assignee: nobody → Sukhdev Kapur (sukhdev-8)
tags: added: rfe
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe-approved; removed: rfe
Changed in ironic:
assignee: Ruby Loo (rloo) → Sukhdev Kapur (sukhdev-8)
I like the idea.
I assume it won't be a big problem when upgrading (e.g., no security group, then an added security group, especially for cleaning, which could take a long time to finish).
I am not crazy about the proposed configuration options. I see that our existing conf options under the [neutron] group are 'provisioning_network_uuid' and 'cleaning_network_uuid'. I initially thought about using the same config for both the network uuid and the security group, e.g. the value could be '<network-uuid>:<security-group-uuid>', but maybe that would be too confusing.
To me, the proposed 'provisioning_network_sg_uuid' hides the important part, the security group. Is 'sg' a well-known abbreviation for 'security group'? How about 'provision_net_security_group' or 'security-group-for-provisioning'? 'provision-security-group'? [I don't think 'uuid' needs to be in the config name.]