No documentation about security & firewall use

Bug #1429078 reported by Adam Heczko
This bug affects 2 people
Affects: Fuel for OpenStack
Status: New
Importance: Undecided
Assigned to: Fuel Documentation Team

Bug Description

We need to document how to implement MOS in a secure environment, with external, out-of-band firewall.
As an initial assumption, IMO we should assume typical firewall usage, described below.

Firewall - central point of the network communication, with various "DMZ" zones:

Fuel master node - DMZ zone 1
CIC nodes HA setup - DMZ zone 2
Nova-Compute hosts - DMZ zone 3
Ceph monitors - DMZ zone 4
Ceph OSD storage hosts - DMZ zone 5
Horizon UI - DMZ zone 6 (not deployed on CIC nodes, like in default config)

CIC / MOS Services: all possible services enabled, including Neutron L3 agent, LBaaS, Sahara, Murano, Heat, Ceilometer+MongoDB
Detailed zone/node placement could be discussed during laboratory tests.

Expected outcome regarding documentation:
Detailed specifications of network connectivity/TCP flows/UDP flows requirements per service, required for normal cluster operations.
We assume that only required ports/flows are permitted, all others are DENIED at the end of every DMZ firewall rule.
We assume that the firewall is stateful with regard to TCP connectivity.

Changed in fuel:
assignee: nobody → Fuel Documentation Team (fuel-docs)
milestone: none → 6.1
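The policy shape the report asks for (only explicitly listed flows permitted, everything else denied per DMZ zone, and the firewall tracking TCP state) can be expressed as a small flow matrix from which the rules are generated and against which a proposed connection can be checked. The following is an added example written for this page; it is not part of the bug, of Fuel, or of any MOS documentation. The zone names follow the six-zone layout in the description, while the interface names, the flows and the port numbers in `SAMPLE_FLOWS` are constructed placeholders, not the port list the report asks the documentation team to produce.

```python
"""Stateful, default-deny per-zone policy: generator and checker (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    """One permitted NEW connection: source zone -> destination zone, proto, port."""
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


# Assumed mapping of DMZ zone -> firewall interface (constructed for this example).
ZONE_IFACE: Dict[str, str] = {
    "fuel-master": "dmz1",
    "cic": "dmz2",
    "compute": "dmz3",
    "ceph-mon": "dmz4",
    "ceph-osd": "dmz5",
    "horizon": "dmz6",
}

# Constructed sample flow matrix; the real per-service list is what the bug requests.
SAMPLE_FLOWS: List[Flow] = [
    Flow("horizon", "cic", "tcp", 5000),        # placeholder: UI -> API endpoint
    Flow("compute", "cic", "tcp", 5672),        # placeholder: compute -> messaging
    Flow("compute", "ceph-mon", "tcp", 6789),   # placeholder: compute -> monitors
    Flow("compute", "ceph-osd", "tcp", 6800),   # placeholder: compute -> OSDs
    Flow("fuel-master", "compute", "tcp", 22),  # placeholder: master -> node SSH
    Flow("fuel-master", "compute", "udp", 69),  # placeholder: a UDP service
]


def render_nft(flows: Iterable[Flow], zone_iface: Dict[str, str]) -> str:
    """Emit an nftables ruleset: conntrack first, one chain per destination zone
    listing only the permitted NEW connections, and drop as the final verdict."""
    by_dst: Dict[str, List[Flow]] = {}
    for f in flows:
        by_dst.setdefault(f.dst_zone, []).append(f)
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept   # stateful reply traffic",
        "    ct state invalid drop",
    ]
    for zone, iface in zone_iface.items():
        lines.append(f'    oifname "{iface}" jump to_{zone.replace("-", "_")}')
    lines.append("  }")
    for zone in zone_iface:
        lines.append(f"  chain to_{zone.replace('-', '_')} {{")
        for f in by_dst.get(zone, []):
            lines.append(
                f'    iifname "{zone_iface[f.src_zone]}" {f.proto} dport {f.dport} '
                "ct state new accept"
            )
        lines.append("    drop   # everything else into this zone is denied")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def is_permitted(flows: Iterable[Flow], src_zone: str, dst_zone: str,
                 proto: str, dport: int, ct_state: str = "new") -> bool:
    """Mirror of the rule semantics: established/related replies pass in either
    direction; a NEW connection passes only if the matrix lists it explicitly."""
    if ct_state in ("established", "related"):
        return True
    if ct_state != "new":
        return False  # invalid or unknown state is dropped
    return Flow(src_zone, dst_zone, proto, dport) in set(flows)


if __name__ == "__main__":
    print(render_nft(SAMPLE_FLOWS, ZONE_IFACE))
```

The checker makes the review question concrete: a flow the documentation does not list is denied, and reverse-direction traffic is only ever admitted as the reply to a connection that was opened from a permitted side, which is exactly what the stateful assumption in the description buys.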
