Fuel for OpenStack

Need to create some simple useful security groups for each new Openstack cluster

Bug #1349819 reported by Timur Nurlygayanov on 2014-07-29

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Fix Committed	Medium	Alexey Deryugin	Fuel for OpenStack 10.0
6.1.x	Won't Fix	Medium	Registry Administrators	Fuel for OpenStack 6.1
7.0.x	Won't Fix	Medium	Registry Administrators	Fuel for OpenStack 7.0
Mitaka	Won't Fix	Medium	Registry Administrators	Fuel for OpenStack 9.0

Bug Description

We need to create some default security groups, that will allow to use OpenStack cloud immediately after the deployment and will help to understand how the security groups work (user will check how we open ports in default groups and can create his own security groups).

By default I suggest to create the following security groups:
1. global_http - security group which open 80 and 443 port for external traffic.
2. global_ssh - security group which open 22 port for external traffic (and we can remove code from OSTF testsm which creates the same security group).
3. allow_all - security group which allows all traffic for any TCP/UDP ports from external network (it is usefull for Sahara and probably for something alse).

Tags:

Timur Nurlygayanov (tnurlygayanov) on 2014-07-29

Changed in fuel:
assignee:	nobody → Fuel Library Team (fuel-library)

Revision history for this message

Mike Scherbakov (mihgen) wrote on 2014-07-29:

Let's keep this issue with High priority, as it affects UX of newcomers to Fuel & OpenStack. Also, we can take a look at EC2 and compare the ease of use to make the best solution.

Revision history for this message

Meg McRoberts (dreidellhasa) wrote on 2014-07-30:

The community docs about creating and using Security Groups are buried in the End User Guide. Specifically, http://docs.openstack.org/user-guide/content/Launching_Instances_using_Dashboard.html#security_groups_add_rule has the details

Vladimir Kuklin (vkuklin) on 2014-10-09

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)

Matthew Mosesohn (raytrac3r) on 2014-11-13

Changed in fuel:
assignee:	Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)

Stanislaw Bogatkin (sbogatkin) on 2014-11-13

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)

Bogdan Dobrelya (bogdando) on 2014-11-13

Changed in fuel:
status:	Confirmed → Triaged

Vladimir Kuklin (vkuklin) on 2014-11-17

Changed in fuel:
importance:	High → Medium
milestone:	6.0 → 6.1
assignee:	Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)

Stanislaw Bogatkin (sbogatkin) on 2014-11-18

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
importance:	Medium → High
milestone:	6.1 → 6.0
status:	Triaged → Confirmed
importance:	High → Medium
milestone:	6.0 → 6.1
status:	Confirmed → Triaged

Bogdan Dobrelya (bogdando) on 2014-11-18

tags:

added: low-hanging-fruit

Stanislaw Bogatkin (sbogatkin) on 2014-11-19

Changed in fuel:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-24: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/136742

Stanislaw Bogatkin (sbogatkin) on 2015-04-07

tags:

added: non-release

Revision history for this message

Vladimir Kuklin (vkuklin) wrote on 2015-04-07:

This change requires altering of upstream manifests. Unfortunately, we are lagging a little bit and we will need to rebase onto upstream breanch after we provide this fix. So the idea is to keep this bug as Won't Fix for 6.1 and update nova upstream manifests in 7.0 where it will be much easier to introduce new secgroup provider for nova.

Revision history for this message

Nastya Urlapova (aurlapova) wrote on 2015-04-19:

Guys, could you fix status for 6.1

Timur Nurlygayanov (tnurlygayanov) on 2015-04-19

Changed in fuel:
status:	In Progress → Won't Fix
milestone:	6.1 → 7.0
status:	Won't Fix → Confirmed
assignee:	Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)

Nastya Urlapova (aurlapova) on 2015-04-25

tags:

added: qa-agree-7.0

OpenStack Infra (hudson-openstack) on 2015-07-22

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
status:	Confirmed → In Progress

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2015-09-18:

Stanislaw, this solution has a few drawbacks. One - ruby openstack isn't used upstream and you're writing to the nova module directly. If anything, this provider should be in a separate module. We can use openstack CLI to do this, but the only example using a Puppet provider is in keystone module.

Adding tricky to this bug.

tags:

added: tricky
removed: low-hanging-fruit

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-30: Change abandoned on fuel-library (master)

Change abandoned by Stanislaw Bogatkin (<email address hidden>) on branch: master
Review: https://review.openstack.org/136742
Reason: Should be reimplemented using new openstacklib library.

Dmitry Pyzhov (dpyzhov) on 2015-10-12

no longer affects:

fuel/8.0.x

Matthew Mosesohn (raytrac3r) on 2015-10-21

Changed in fuel:
assignee:	Stanislaw Bogatkin (sbogatkin) → Fuel Library Team (fuel-library)
assignee:	Fuel Library Team (fuel-library) → MOS Puppet Team (mos-puppet)

Dmitry Pyzhov (dpyzhov) on 2015-10-22

tags:

added: area-library

Ivan Berezovskiy (iberezovskiy) on 2015-11-11

Changed in fuel:
assignee:	MOS Puppet Team (mos-puppet) → Nikita Karpin (mkarpin)

Dmitry Pyzhov (dpyzhov) on 2015-11-25

tags:

added: area-mos
removed: area-library

Revision history for this message

Ivan Berezovskiy (iberezovskiy) wrote on 2015-12-22:

Related part to puppet-nova isn't implemented. I suggested to implement it in Mitaka release of puppet modules and then this code will be present in 9.0 Fuel, so we will be able to use it.

Changed in fuel:
status:	Confirmed → Won't Fix
assignee:	Nikita Karpin (mkarpin) → MOS Puppet Team (mos-puppet)

Revision history for this message

Alexey Deryugin (velovec) wrote on 2016-03-18:

Related upstream change on review: https://review.openstack.org/#/c/293989/
This change will allow to create security groups and rules from puppet.

Revision history for this message

Alexey Deryugin (velovec) wrote on 2016-03-22:

#10

Related upstream change is merged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-22: Fix proposed to fuel-library (master)

#11

Fix proposed to branch: master
Review: https://review.openstack.org/295867

Changed in fuel:
assignee:	MOS Puppet Team (mos-puppet) → Alexey Deryugin (velovec)
status:	Won't Fix → In Progress

OpenStack Infra (hudson-openstack) on 2016-03-24

Changed in fuel:
assignee:	Alexey Deryugin (velovec) → Alex Schultz (alex-schultz)

Alex Schultz (alex-schultz) on 2016-03-24

Changed in fuel:
assignee:	Alex Schultz (alex-schultz) → Alexey Deryugin (velovec)

Revision history for this message

Dina Belova (dbelova) wrote on 2016-04-12:

#12

Won't be fixed in 9.0 due to medium priority

Dmitry Pyzhov (dpyzhov) on 2016-04-13

no longer affects:	fuel/future
no longer affects:	fuel/newton

Bogdan Dobrelya (bogdando) on 2016-04-14

tags:

added: tech-debt

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-14: Fix merged to fuel-library (master)

#13

Reviewed: https://review.openstack.org/295867
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=57fdc976531398be55c5c7e36872c8e5840fee64
Submitter: Jenkins
Branch: master

commit 57fdc976531398be55c5c7e36872c8e5840fee64
Author: Alexey Deryugin <email address hidden>
Date: Wed Mar 23 16:43:32 2016 +0300

Create usefull security groups by default

We need to create some default security groups, that will
allow to use OpenStack cloud immediately after the deployment.

    By default it will create the following security groups:
    1. global_http - security group which opens HTTP/HTTPS for external traffic.
    2. global_ssh - security group which opens SSH port for external traffic.
    3. allow_all - security group which allows all traffic
    for any TCP/UDP ports from external network.

Change-Id: I23ea837cbe92b5091f07de291f0e9f5f40e6fd44
Closes-Bug: #1349819

Changed in fuel:
status:	In Progress → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.