Open up API ACLs for OpenStack from the refspec-vms VLAN

RESOLVED WONTFIX

Status

Infrastructure & Operations
NetOps: DC ACL Request
3 years ago
3 years ago

People

(Reporter: gozer, Assigned: jbarnell)

Tracking

Details

(Reporter)

Description

3 years ago
So, these VMs will need to be able to talk back to the OpenStack APIs on quite a few ports:

Compute		10.22.111.43:8774
Network		10.22.111.43:9696
Network		10.22.111.43:8775
Network		10.22.111.43:6080
Volumev2	10.22.111.43:8776
S3		10.22.111.43:8080
Image		10.22.111.43:9292
Image		10.22.111.43:9191
Metering	10.22.111.43:8777
Cloudformation	10.22.111.43:8000
Volume		10.22.111.43:8776
EC2		10.22.111.43:8773
Orchestration	10.22.111.43:8004
Orchestration	10.22.111.43:8003
Object Store	10.22.111.43:8080
Identity	10.22.111.43:5000
Identity	10.22.111.43:35357
Web UI		10.22.111.43:80


For simplicity, this could easily just be a blanket ACL into the labs.phy.scl3 VLAN, limited only by specific ports. Otherwise, you'll have to pin each flow down to the OpenStack admin hosts.

So option 1:

refspec-vms => labs-phy tcp/8774
refspec-vms => labs-phy tcp/9696
refspec-vms => labs-phy tcp/8775
refspec-vms => labs-phy tcp/6080
refspec-vms => labs-phy tcp/8776
refspec-vms => labs-phy tcp/8080
refspec-vms => labs-phy tcp/9292
refspec-vms => labs-phy tcp/9191
refspec-vms => labs-phy tcp/8777
refspec-vms => labs-phy tcp/8000
refspec-vms => labs-phy tcp/8776
refspec-vms => labs-phy tcp/8773
refspec-vms => labs-phy tcp/8004
refspec-vms => labs-phy tcp/8003
refspec-vms => labs-phy tcp/8080
refspec-vms => labs-phy tcp/5000
refspec-vms => labs-phy tcp/35357
refspec-vms => labs-phy tcp/80


So, option 2 (admin hosts vm1-7.phy.labs.scl3.mozilla.com and vm1-6.phy.labs.scl3.mozilla.com):

refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8774
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9696
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8775
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/6080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9292
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9191
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8777
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8000
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8773
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8004
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8003
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/5000
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/35357
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/80

refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8774
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9696
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8775
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/6080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9292
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9191
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8777
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8000
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8773
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8004
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8003
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/5000
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/35357
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/80
(Assignee)

Updated

3 years ago
Assignee: network-operations → jbarnell
(Assignee)

Comment 1

3 years ago
Gozer, I'm looking at this, but when you say refspec-vms, are you specifically referring to hosts in this address space: 10.22.96/24?
(Reporter)

Comment 2

3 years ago
Yes, and I thought that was the actual name of that VLAN.
(Assignee)

Comment 3

3 years ago
Changes below:

jbarnell@fw1.scl3.mozilla.net# show | compare 
[edit security policies from-zone refspec-vms to-zone labs]
+     policy refspec-project {
+         match {
+             source-address refspec-vms-net;
+             destination-address [ vm1-6.phy.labs vm1-7.phy.labs ];
+             application [ refspec-project-set httpproxy mecurial flask junos-http keystone tcp-8775 tcp-6080 tcp-9191 tcp-8003 ];
+         }
+         then {
+             permit;
+         }
+     }
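Review bot: the match term references `mecurial`, which reads like a misspelling of a `mercurial` application object, and nothing in this diff defines it under [edit applications]; confirm the object already exists (otherwise `commit check` rejects the policy) and that it belongs in an OpenStack API policy at all, since the reporter's port table has no Mercurial entry. The same gap applies to refspec-project-set, httpproxy, flask and keystone: their port definitions are not shown, so the requested ports 8774, 9696, 8776, 8080, 9292, 8777, 8000, 8773, 8004, 5000 and 35357 cannot be verified from the diff; pasting `show applications` output for those objects would let the reporter confirm coverage. Consider `then { permit; log { session-init; } }` so new flows from the refspec VLAN to the API hosts show up in the firewall logs.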
[edit security zones security-zone labs address-book]
       address vm1-1.phy { ... }
+      address vm1-6.phy.labs 10.22.111.42/32;
+      address vm1-7.phy.labs 10.22.111.43/32;
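Review bot: vm1-6.phy.labs is mapped to 10.22.111.42/32, but every row of the reporter's port table points at 10.22.111.43; confirm with the reporter that vm1-6 (.42) actually serves the API endpoints and is not just the second admin host he named, since otherwise the policy opens all eighteen ports to a host nothing needs to reach.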
[edit security zones security-zone refspec-vms]
+     address-book {
+         address refspec-vms-net 10.22.96.0/24;
+     }
[edit applications]
    application domain-udp-alg-off { ... }
+   application tcp-8775 {
+       protocol tcp;
+       destination-port 8775;
+   }
+   application tcp-6080 {
+       protocol tcp;
+       destination-port 6080;
+   }
+   application tcp-9191 {
+       protocol tcp;
+       destination-port 9191;
+   }
+   application tcp-8003 {
+       protocol tcp;
+       destination-port 8003;
+   }
 
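Review bot: the four new application objects are named only by port (tcp-8775, tcp-6080, tcp-9191, tcp-8003), which says nothing about what they permit when the policy is audited later; the reporter's table already labels them (Network for 8775 and 6080, Image for 9191, Orchestration for 8003), so names carrying those labels, or a comment via `annotate`, would make the intent recoverable without this bug.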

Representative of your option 2.
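A check a reviewer could run on the diff above, as an added example that is not part of this bug or of Mozilla's tooling: it parses the new application stanzas and the policy's application list out of the `show | compare` text and reports which requested ports the diff itself proves are permitted, and which depend on pre-existing objects whose definitions are not shown (refspec-project-set, httpproxy, mecurial, flask, keystone) and so remain unverified. The only assumption is that the predefined Junos `junos-http` application is TCP/80; the sample diff text is reconstructed from comment 3.

```python
import re
# Constructed sample input: the ports the reporter requested, plus the policy
# line and the new application stanzas copied from the "show | compare" output.
REQUESTED_PORTS = {8774, 9696, 8775, 6080, 8776, 8080, 9292, 9191,
                   8777, 8000, 8773, 8004, 8003, 5000, 35357, 80}
JUNOS_DIFF = """\
+             application [ refspec-project-set httpproxy mecurial flask junos-http keystone tcp-8775 tcp-6080 tcp-9191 tcp-8003 ];
+   application tcp-8775 {
+       protocol tcp;
+       destination-port 8775;
+   }
+   application tcp-6080 {
+       protocol tcp;
+       destination-port 6080;
+   }
+   application tcp-9191 {
+       protocol tcp;
+       destination-port 9191;
+   }
+   application tcp-8003 {
+       protocol tcp;
+       destination-port 8003;
+   }
"""
# Assumption: the only predefined Junos application whose port we rely on.
# Every other pre-existing object is reported as unverified, not guessed.
PREDEFINED = {"junos-http": 80}

def parse_new_applications(diff):
    """Map each custom tcp application added in the diff to its port."""
    apps = {}
    for m in re.finditer(r'\+\s*application (\S+) \{(.*?)\+\s*\}', diff, re.S):
        port = re.search(r'destination-port (\d+)', m.group(2))
        if port and 'protocol tcp' in m.group(2):
            apps[m.group(1)] = int(port.group(1))
    return apps

def policy_applications(diff):
    """Object names listed in the policy's 'application [ ... ]' match term."""
    m = re.search(r'application \[([^\]]+)\]', diff)
    return m.group(1).split() if m else []

def coverage(diff=JUNOS_DIFF, requested=REQUESTED_PORTS):
    """Split requested ports into those the diff provably permits and the rest."""
    known = {**PREDEFINED, **parse_new_applications(diff)}
    refs = policy_applications(diff)
    covered = {known[a] for a in refs if a in known}
    return {"covered": sorted(covered & requested),
            "not_in_diff": sorted(requested - covered),
            "unverified_objects": [a for a in refs if a not in known]}
```

Running `coverage()` on the sample shows that only 80, 6080, 8003, 8775 and 9191 are provable from the diff; the other eleven ports rest on the five unshown objects.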
(Assignee)

Comment 4

3 years ago
Gozer ... I've left this open but are you ok to close it?
Flags: needinfo?(gozer)
(Reporter)

Comment 5

3 years ago
Openstack is no more, please destroy with prejudice!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(gozer)
Resolution: --- → WONTFIX