Need to create some simple useful security groups for each new OpenStack cluster

Bug #1349819 reported by Timur Nurlygayanov on 2014-07-29
Affects (importance, assigned to):
Fuel for OpenStack: Medium, Alexey Deryugin
6.1.x: Medium, Registry Administrators
7.0.x: Medium, Registry Administrators
Mitaka: Medium, Registry Administrators

Bug Description

We need to create some default security groups that will allow using the OpenStack cloud immediately after deployment and will help to understand how security groups work (the user will check how we open ports in the default groups and can create his own security groups).

By default I suggest creating the following security groups:
1. global_http - security group which opens ports 80 and 443 for external traffic.
2. global_ssh - security group which opens port 22 for external traffic (and we can remove the code from the OSTF tests which creates the same security group).
3. allow_all - security group which allows all traffic on any TCP/UDP port from the external network (it is useful for Sahara and probably for something else).
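
How the three proposed groups combine once attached to an instance, as an added example that is not part of the bug report or of the Fuel code. The rule sets are constructed from the description above, assuming "external traffic" means source 0.0.0.0/0; the rule keys are modelled on Neutron's security group rule attributes, and `GROUPS`, `ingress_allowed` and `world_open_ports` are hypothetical names.

```python
import ipaddress

ANY_IPV4 = "0.0.0.0/0"  # assumption: "external traffic" = any IPv4 source

def _rule(protocol, lo, hi):
    # One ingress rule; keys modelled on Neutron security group rule attributes.
    return {"protocol": protocol, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": ANY_IPV4}

# Constructed rule sets for the three groups named in the bug description.
GROUPS = {
    "global_http": [_rule("tcp", 80, 80), _rule("tcp", 443, 443)],
    "global_ssh": [_rule("tcp", 22, 22)],
    "allow_all": [_rule("tcp", 1, 65535), _rule("udp", 1, 65535)],
}

def ingress_allowed(attached, protocol, port, source_ip):
    """Allow-list semantics: a packet passes if any rule of any attached
    group matches; with no matching rule it is dropped."""
    src = ipaddress.ip_address(source_ip)
    for name in attached:
        for r in GROUPS[name]:
            if (r["protocol"] == protocol
                    and r["port_range_min"] <= port <= r["port_range_max"]
                    and src in ipaddress.ip_network(r["remote_ip_prefix"])):
                return True
    return False

def world_open_ports(attached):
    """Count, per protocol, the distinct ports reachable from any IPv4 address."""
    ports = {}
    for name in attached:
        for r in GROUPS[name]:
            if ipaddress.ip_network(r["remote_ip_prefix"]).prefixlen == 0:
                span = range(r["port_range_min"], r["port_range_max"] + 1)
                ports.setdefault(r["protocol"], set()).update(span)
    return {proto: len(p) for proto, p in ports.items()}

if __name__ == "__main__":
    # Compare the exposure of narrow groups with and without allow_all attached.
    for combo in (["global_ssh"], ["global_http", "global_ssh"],
                  ["global_ssh", "allow_all"]):
        print(combo, world_open_ports(combo))
```

Because rules from all attached groups are unioned, attaching allow_all next to global_ssh makes the narrower group irrelevant, which is the case worth checking for when auditing instances that use these defaults.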

Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
Mike Scherbakov (mihgen) wrote :

Let's keep this issue with High priority, as it affects UX of newcomers to Fuel & OpenStack. Also, we can take a look at EC2 and compare the ease of use to make the best solution.

Meg McRoberts (dreidellhasa) wrote :

The community docs about creating and using Security Groups are buried in the End User Guide. Specifically, http://docs.openstack.org/user-guide/content/Launching_Instances_using_Dashboard.html#security_groups_add_rule has the details.

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
Changed in fuel:
status: Confirmed → Triaged
Changed in fuel:
importance: High → Medium
milestone: 6.0 → 6.1
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
importance: Medium → High
milestone: 6.1 → 6.0
status: Triaged → Confirmed
importance: High → Medium
milestone: 6.0 → 6.1
status: Confirmed → Triaged
tags: added: low-hanging-fruit
Changed in fuel:
status: Triaged → In Progress
tags: added: non-release
Vladimir Kuklin (vkuklin) wrote :

This change requires altering upstream manifests. Unfortunately, we are lagging a little bit and we will need to rebase onto the upstream branch after we provide this fix. So the idea is to keep this bug as Won't Fix for 6.1 and update the nova upstream manifests in 7.0, where it will be much easier to introduce a new secgroup provider for nova.

Nastya Urlapova (aurlapova) wrote :

Guys, could you fix the status for 6.1?

Changed in fuel:
status: In Progress → Won't Fix
milestone: 6.1 → 7.0
status: Won't Fix → Confirmed
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
tags: added: qa-agree-7.0
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
status: Confirmed → In Progress
Matthew Mosesohn (raytrac3r) wrote :

Stanislaw, this solution has a few drawbacks. One - ruby openstack isn't used upstream and you're writing to the nova module directly. If anything, this provider should be in a separate module. We can use openstack CLI to do this, but the only example using a Puppet provider is in keystone module.

Adding tricky to this bug.

tags: added: tricky
removed: low-hanging-fruit

Change abandoned by Stanislaw Bogatkin (<email address hidden>) on branch: master
Review: https://review.openstack.org/136742
Reason: Should be reimplemented using new openstacklib library.

Dmitry Pyzhov (dpyzhov) on 2015-10-12
no longer affects: fuel/8.0.x
Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
assignee: Fuel Library Team (fuel-library) → MOS Puppet Team (mos-puppet)
Dmitry Pyzhov (dpyzhov) on 2015-10-22
tags: added: area-library
Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → Nikita Karpin (mkarpin)
Dmitry Pyzhov (dpyzhov) on 2015-11-25
tags: added: area-mos
removed: area-library
Ivan Berezovskiy (iberezovskiy) wrote :

The related part of puppet-nova isn't implemented. I suggested implementing it in the Mitaka release of the puppet modules, and then this code will be present in 9.0 Fuel, so we will be able to use it.

Changed in fuel:
status: Confirmed → Won't Fix
assignee: Nikita Karpin (mkarpin) → MOS Puppet Team (mos-puppet)
Alexey Deryugin (velovec) wrote :

Related upstream change on review: https://review.openstack.org/#/c/293989/
This change will allow creating security groups and rules from Puppet.

Alexey Deryugin (velovec) wrote :

Related upstream change is merged

Fix proposed to branch: master
Review: https://review.openstack.org/295867

Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → Alexey Deryugin (velovec)
status: Won't Fix → In Progress
Changed in fuel:
assignee: Alexey Deryugin (velovec) → Alex Schultz (alex-schultz)
Changed in fuel:
assignee: Alex Schultz (alex-schultz) → Alexey Deryugin (velovec)
Dina Belova (dbelova) wrote :

Won't be fixed in 9.0 due to medium priority

Dmitry Pyzhov (dpyzhov) on 2016-04-13
no longer affects: fuel/future
no longer affects: fuel/newton
tags: added: tech-debt

Reviewed: https://review.openstack.org/295867
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=57fdc976531398be55c5c7e36872c8e5840fee64
Submitter: Jenkins
Branch: master

commit 57fdc976531398be55c5c7e36872c8e5840fee64
Author: Alexey Deryugin <email address hidden>
Date: Wed Mar 23 16:43:32 2016 +0300

    Create useful security groups by default

    We need to create some default security groups, that will
    allow to use OpenStack cloud immediately after the deployment.

    By default it will create the following security groups:
    1. global_http - security group which opens HTTP/HTTPS for external traffic.
    2. global_ssh - security group which opens SSH port for external traffic.
    3. allow_all - security group which allows all traffic
    for any TCP/UDP ports from external network.

    Change-Id: I23ea837cbe92b5091f07de291f0e9f5f40e6fd44
    Closes-Bug: #1349819

Changed in fuel:
status: In Progress → Fix Committed