[RFE] Security Groups support for baremetal servers

Bug #1594242 reported by Sukhdev Kapur
Affects: Ironic | Status: Fix Released | Importance: Wishlist | Assigned to: Sukhdev Kapur | Milestone: (none listed)

Bug Description

With the Ironic-Neutron integration, we are able to take full benefit of the Security Groups support offered by Neutron. With this integration effort, Security Group support is now available to bare metal servers the same way as it is available to virtual instances. When "nova boot" is issued to launch a bare metal instance, similar to a virtual instance, --security-groups <sec-group-id> may be specified to apply the appropriate ACLs on the physical ports where the bare metal host is connected to the TOR(s). ML2 drivers know how to support Security Groups in Neutron. While this works for the tenant network, we need to address the security groups for the provisioning network. The following was proposed and agreed by the Ironic-neutron integration team (see here - http://eavesdrop.openstack.org/meetings/ironic_neutron/2016/ironic_neutron.2016-06-06-16.01.html):

Two Security Groups will be added to the ironic config: one for the Provisioning network and another for the Cleaning network (provisioning_network_sg_uuid and cleaning_network_sg_uuid), created by using the neutron command "neutron security-group-create".
Both of these, by default, will be set to None - to keep backward compatibility.
An Operator/Admin may create these security groups when the provisioning and cleaning networks are created and specify the uuids of these security groups in the ironic config.
The Ironic driver, during the deploy phase, when it issues neutron create-port for the provisioning network, will use this uuid (if specified).
The ML2 driver will be notified of the appropriate security group and will apply the appropriate ACLs on the physical ports of the TOR where the bare metal host is connected.
Note: The Neutron Callback framework deals with notification of the Security Groups to the ML2 drivers. If a Security group rule is modified/added/deleted, the framework appropriately notifies the subscribers so that the ML2 driver can update the ACLs on the ports where the bare metal hosts are connected.
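
The port-create step described above, as an added example that is not ironic's own code nor any patch on this bug: how a deploy-time neutron port request picks up the configured security group, with an unset option sending no security_groups key at all (neutron then applies the project's default group, which is the pre-feature behaviour). The option handling, function names and sample UUIDs are constructed for this example.

```python
import uuid


def parse_sg_option(value):
    """Turn a config value (None / '' / 'uuid1,uuid2') into a list of
    validated UUID strings, or None when the option is unset.

    Fail closed on a malformed UUID: silently dropping it would leave the
    provisioning port on the project's default group instead of the one
    the operator intended."""
    if value is None or not value.strip():
        return None
    groups = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            uuid.UUID(item)
        except ValueError:
            raise ValueError("invalid security group uuid in config: %r" % item)
        groups.append(item)
    return groups or None


def build_port_request(network_uuid, mac_address, security_groups=None):
    """Body for a neutron port create on the provisioning/cleaning network.
    'security_groups' is only present when the operator configured one, so
    an unset option behaves exactly as before the feature (assumption:
    neutron fills in the project's default group in that case)."""
    port = {
        "network_id": network_uuid,
        "mac_address": mac_address,
        "admin_state_up": True,
        "binding:vnic_type": "baremetal",
    }
    if security_groups:
        port["security_groups"] = list(security_groups)
    return {"port": port}


# Constructed sample values so the example runs stand-alone.
PROVISIONING_NET = "6d4a3f1e-2b7c-4e0d-9a11-0c5e8f7b2a31"
PROVISIONING_SG = "0f8c4c2b-9d3e-4b6a-8e21-7a1d2c3b4e55"
NODE_MAC = "52:54:00:12:34:56"

if __name__ == "__main__":
    print(build_port_request(PROVISIONING_NET, NODE_MAC, parse_sg_option(PROVISIONING_SG)))
    print(build_port_request(PROVISIONING_NET, NODE_MAC, parse_sg_option(None)))
```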

Tags: rfe-approved
Changed in ironic:
assignee: nobody → Sukhdev Kapur (sukhdev-8)
tags: added: rfe
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe-approved
removed: rfe
Ruby Loo (rloo) wrote :

I like the idea.

I assume it won't be a big problem when upgrading (eg, no security group, then added security group, especially for cleaning which could take a long time to finish.)

I am not crazy about the proposed configuration options. I see that our existing conf options under [neutron] group are 'provisioning_network_uuid' and 'cleaning_network_uuid'. I initially thought about using the same config for both the network uuid and the security group, eg the value could be '<network-uuid>:<security-group-uuid>' but maybe that would be too confusing.

To me, the proposed 'provisioning_network_sg_uuid' hides the important part, the security group. Is 'sg' a well known abbreviation for 'security group'? How about 'provision_net_security_group' or 'security-group-for-provisioning'? 'provision-security-group'? [I don't think 'uuid' needs to be in the config name.]

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/361451

Changed in ironic:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/393962

OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/361451
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=3197e44c04de064bc3d8af09af7e0d2d9511af6d
Submitter: Jenkins
Branch: master

commit 3197e44c04de064bc3d8af09af7e0d2d9511af6d
Author: Sukhdev Kapur <email address hidden>
Date: Fri Aug 26 13:12:57 2016 -0700

    Add support for Security Groups for baremetal servers

    This patch adds support for Neutron Security Groups
    to the baremetal servers when the neutron network interface is used
    for deployments.

    Specifically, this patch adds support so that security
    groups could be specified (and applied) for provisioning
    and cleaning networks.

    Change-Id: I0cf652bdd220480b104e478f2096bf89a9ba8bdf
    Partial-bug: #1594242

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/401364

Changed in ironic:
assignee: Sukhdev Kapur (sukhdev-8) → Ruby Loo (rloo)
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/401364
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=49e65b968b9bfd560a85cdc25ee4452ec48f6015
Submitter: Jenkins
Branch: master

commit 49e65b968b9bfd560a85cdc25ee4452ec48f6015
Author: Ruby Loo <email address hidden>
Date: Wed Nov 23 12:39:42 2016 -0500

    Minor changes to neutron security groups code

    This is a follow-on patch to 3197e44c04de064bc3d8af09af7e0d2d9511af6d.
    It cleans up a bit of the code and addresses the nits (changes a
    LOG.exception to LOG.error and adds a unit test).

    Change-Id: I02b6346d9a2abff858c9dd6083fd29f393c63e97
    Partial-bug: #1594242

Ruby Loo (rloo)
Changed in ironic:
assignee: Ruby Loo (rloo) → Sukhdev Kapur (sukhdev-8)
Jay Faulkner (jason-oldos) wrote :

Docs patch is landing now! Congratulations on a feature! Woo!

Changed in ironic:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/393962
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=27b2453642cb9eaeab0226e0770212d15149c074
Submitter: Jenkins
Branch: master

commit 27b2453642cb9eaeab0226e0770212d15149c074
Author: Sukhdev Kapur <email address hidden>
Date: Fri Nov 4 16:55:49 2016 -0700

    Documentation for Security Groups for baremetal servers

    This patch updates the Ironic documentation to describe how to
    configure security groups for baremetal servers.

    Change-Id: I19b42f0fcecc7e4952de452e8576a1ad87e73b61
    Closes-bug: 1594242

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 7.0.0

This issue was fixed in the openstack/ironic 7.0.0 release.
