[RFE] Security Groups support for baremetal servers

Bug #1594242 reported by Sukhdev Kapur on 2016-06-20
This bug affects 3 people
Affects: Ironic
Status: Fix Released
Importance: Wishlist
Assigned to: Sukhdev Kapur

Bug Description

With the Ironic-Neutron integration, we are able to take full benefit of the Security Groups support offered by Neutron. With this integration effort, Security Group support is now available to bare metal servers the same way it is available to virtual instances. When "nova boot" is issued to launch a bare metal instance, --security-groups <seg-group-id> may be specified, as for a virtual instance, to apply the appropriate ACLs on the physical ports where the bare metal host is connected to the TOR(s). ML2 drivers know how to support Security Groups in Neutron. While this works for tenant networks, we need to address security groups for the provisioning network. The following was proposed and agreed by the Ironic-Neutron integration team (see here - http://eavesdrop.openstack.org/meetings/ironic_neutron/2016/ironic_neutron.2016-06-06-16.01.html):

Two Security Groups will be added to the ironic config: one for the provisioning network and another for the cleaning network (provisioning_network_sg_uuid and cleaning_network_sg_uuid), created using the neutron command "neutron security-group-create".
Both of these, by default, will be set to None to keep backward compatibility.
An operator/admin may create these security groups when the provisioning and cleaning networks are created and specify the UUIDs of these security groups in the ironic config.
The Ironic driver, during the deploy phase, when it issues neutron create-port for the provisioning network, will use this UUID (if specified).
The ML2 driver will be notified of the appropriate security group and will apply the appropriate ACLs on the physical ports of the TOR where the bare metal host is connected.
Note: the Neutron callback framework handles notification of Security Groups to the ML2 drivers. If a Security Group rule is modified/added/deleted, the framework notifies the subscribers so that the ML2 driver can update the ACLs on the ports where the bare metal hosts are connected.
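The proposal attaches a security group to the node's provisioning port but leaves the group's rules to the operator. As an added example (not ironic or neutron code), here is a small offline audit of such a group's rules against a minimum policy; the conductor-side ports (IPA API and iSCSI), the conductor CIDR and the sample rules are constructed assumptions for illustration.

```python
import ipaddress

# Constructed policy (an assumption about a PXE/iSCSI deploy, not an ironic
# requirement): what the conductor must reach ON the node during deployment.
REQUIRED_INGRESS = {("tcp", 9999): "ironic-python-agent API",
                    ("tcp", 3260): "iSCSI target exported by the ramdisk"}
ANY_SOURCE = ("0.0.0.0/0", "::/0", None)

# Constructed sample rules, shaped like Neutron security-group-rule objects.
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 9999,
     "port_range_max": 9999, "remote_ip_prefix": "10.20.0.0/24", "remote_group_id": None},
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"direction": "egress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": None, "remote_group_id": None},
]

def _covers(rule_prefix, conductor_cidr):
    """True if a rule's remote_ip_prefix includes the conductor network."""
    if rule_prefix is None:
        return True  # no prefix and no remote group means any source
    rule_net, cond_net = ipaddress.ip_network(rule_prefix), ipaddress.ip_network(conductor_cidr)
    return rule_net.version == cond_net.version and cond_net.subnet_of(rule_net)

def audit_provisioning_sg(rules, conductor_cidr):
    """Return findings (strings) for a group meant for the provisioning port."""
    findings, satisfied = [], set()
    for r in rules:
        if r.get("direction") != "ingress":
            continue  # egress from the node is not the exposure audited here
        proto, lo, hi = r.get("protocol"), r.get("port_range_min"), r.get("port_range_max")
        prefix, group = r.get("remote_ip_prefix"), r.get("remote_group_id")
        hi = lo if hi is None else hi
        if group is None and prefix in ANY_SOURCE:
            findings.append("ingress %s %s-%s reachable from any source"
                            % (proto or "all", lo or "any", hi or "any"))
        elif proto is None or lo is None:
            findings.append("ingress rule from %s allows all protocols/ports" % (prefix or group))
        # Only prefix-based rules are credited; remote-group rules would need the
        # group's membership resolved, which this offline check does not do.
        if proto and lo is not None and group is None and _covers(prefix, conductor_cidr):
            satisfied.update(k for k in REQUIRED_INGRESS if k[0] == proto and lo <= k[1] <= hi)
    for (proto, port), what in REQUIRED_INGRESS.items():
        if (proto, port) not in satisfied:
            findings.append("missing ingress %s/%d from %s (%s)" % (proto, port, conductor_cidr, what))
    return findings
```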

Changed in ironic:
assignee: nobody → Sukhdev Kapur (sukhdev-8)
tags: added: rfe
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe-approved
removed: rfe
Ruby Loo (rloo) wrote :

I like the idea.

I assume it won't be a big problem when upgrading (eg, no security group, then added security group, especially for cleaning which could take a long time to finish.)

I am not crazy about the proposed configuration options. I see that our existing conf options under [neutron] group are 'provisioning_network_uuid' and 'cleaning_network_uuid'. I initially thought about using the same config for both the network uuid and the security group, eg the value could be '<network-uuid>:<security-group-uuid>' but maybe that would be too confusing.

To me, the proposed 'provisioning_network_sg_uuid' hides the important part, the security group. Is 'sg' a well known abbreviation for 'security group'? How about 'provision_net_security_group' or 'security-group-for-provisioning'? 'provision-security-group'? [I don't think 'uuid' needs to be in the config name.]

Fix proposed to branch: master
Review: https://review.openstack.org/361451

Changed in ironic:
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/393962

Reviewed: https://review.openstack.org/361451
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=3197e44c04de064bc3d8af09af7e0d2d9511af6d
Submitter: Jenkins
Branch: master

commit 3197e44c04de064bc3d8af09af7e0d2d9511af6d
Author: Sukhdev Kapur <email address hidden>
Date: Fri Aug 26 13:12:57 2016 -0700

    Add support for Security Groups for baremetal servers

    This patch adds support for Neutron Security Groups
    to the baremetal servers when neutron network interface is used
    for deployments.

    Specifically, this patch adds support so that security
    groups could be specified (and applied) for provisioning
    and cleaning networks.

    Change-Id: I0cf652bdd220480b104e478f2096bf89a9ba8bdf
    Partial-bug: #1594242

Fix proposed to branch: master
Review: https://review.openstack.org/401364

Changed in ironic:
assignee: Sukhdev Kapur (sukhdev-8) → Ruby Loo (rloo)

Reviewed: https://review.openstack.org/401364
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=49e65b968b9bfd560a85cdc25ee4452ec48f6015
Submitter: Jenkins
Branch: master

commit 49e65b968b9bfd560a85cdc25ee4452ec48f6015
Author: Ruby Loo <email address hidden>
Date: Wed Nov 23 12:39:42 2016 -0500

    Minor changes to neutron security groups code

    This is a follow-on patch to 3197e44c04de064bc3d8af09af7e0d2d9511af6d.
    It cleans up a bit of the code and addresses the nits (changes a
    LOG.exception to LOG.error and adds a unit test).

    Change-Id: I02b6346d9a2abff858c9dd6083fd29f393c63e97
    Partial-bug: #1594242

Ruby Loo (rloo) on 2016-11-29
Changed in ironic:
assignee: Ruby Loo (rloo) → Sukhdev Kapur (sukhdev-8)
Jay Faulkner (jason-oldos) wrote :

Docs patch is landing now! Congratulations on a feature! Woo!

Changed in ironic:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/393962
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=27b2453642cb9eaeab0226e0770212d15149c074
Submitter: Jenkins
Branch: master

commit 27b2453642cb9eaeab0226e0770212d15149c074
Author: Sukhdev Kapur <email address hidden>
Date: Fri Nov 4 16:55:49 2016 -0700

    Documentation for Security Groups for baremetal servers

    This patch updates the Ironic documentation to describe how to
    configure security groups for baremetal servers.

    Change-Id: I19b42f0fcecc7e4952de452e8576a1ad87e73b61
    Closes-bug: 1594242

This issue was fixed in the openstack/ironic 7.0.0 release.
