Bug 1091726 - Openup API ACLs for OpenStack from the refspec-vms VLAN
Opened 10 years ago, closed 9 years ago
Category: Infrastructure & Operations Graveyard :: NetOps: DC ACL Request (task)
Status: RESOLVED WONTFIX
Reporter: gozer; Assigned: jbarnell
So, these VMs will need to be able to talk back to the OpenStack APIs on quite a few ports:

Compute         10.22.111.43:8774
Network         10.22.111.43:9696
Network         10.22.111.43:8775
Network         10.22.111.43:6080
Volumev2        10.22.111.43:8776
S3              10.22.111.43:8080
Image           10.22.111.43:9292
Image           10.22.111.43:9191
Metering        10.22.111.43:8777
Cloudformation  10.22.111.43:8000
Volume          10.22.111.43:8776
EC2             10.22.111.43:8773
Orchestration   10.22.111.43:8004
Orchestration   10.22.111.43:8003
Object Store    10.22.111.43:8080
Identity        10.22.111.43:5000
Identity        10.22.111.43:35357
Web UI          10.22.111.43:80

For simplicity, this could easily just be a blanket ACL into the labs.phy.scl3 VLAN, limited only by specific ports. Otherwise, you'll have to pin each flow down to the openstack admin Hosts.

So option 1:

refspec-vms => labs-phy tcp/8774
refspec-vms => labs-phy tcp/9696
refspec-vms => labs-phy tcp/8775
refspec-vms => labs-phy tcp/6080
refspec-vms => labs-phy tcp/8776
refspec-vms => labs-phy tcp/8080
refspec-vms => labs-phy tcp/9292
refspec-vms => labs-phy tcp/9191
refspec-vms => labs-phy tcp/8777
refspec-vms => labs-phy tcp/8000
refspec-vms => labs-phy tcp/8776
refspec-vms => labs-phy tcp/8773
refspec-vms => labs-phy tcp/8004
refspec-vms => labs-phy tcp/8003
refspec-vms => labs-phy tcp/8080
refspec-vms => labs-phy tcp/5000
refspec-vms => labs-phy tcp/35357
refspec-vms => labs-phy tcp/80

So, option 2 (admin hosts vm1-7.phy.labs.scl3.mozilla.com and vm1-6.phy.labs.scl3.mozilla.com):

refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8774
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9696
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8775
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/6080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9292
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/9191
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8777
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8000
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8773
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8004
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8003
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/5000
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/35357
refspec-vms => vm1-7.phy.labs.scl3.mozilla.com tcp/80
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8774
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9696
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8775
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/6080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9292
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/9191
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8777
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8000
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8776
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8773
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8004
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8003
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/8080
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/5000
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/35357
refspec-vms => vm1-6.phy.labs.scl3.mozilla.com tcp/80
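As an added example (not from this bug or from Mozilla NetOps): a small Python helper that takes the endpoint list from the description, derives the distinct port set and the option-2 per-host flows, emits Junos application stanzas in the style used later in comment 3, and reports which requested ports a given policy's application list does not demonstrably cover. The mapping from named applications to ports is an assumption supplied by the caller; a name it does not know is treated as covering nothing.

```python
"""Derive ACL flows from the OpenStack endpoint list and check a policy covers them."""

# Constructed from the endpoint list in the bug description: (service, host:port).
ENDPOINTS = [
    ("Compute", "10.22.111.43:8774"), ("Network", "10.22.111.43:9696"),
    ("Network", "10.22.111.43:8775"), ("Network", "10.22.111.43:6080"),
    ("Volumev2", "10.22.111.43:8776"), ("S3", "10.22.111.43:8080"),
    ("Image", "10.22.111.43:9292"), ("Image", "10.22.111.43:9191"),
    ("Metering", "10.22.111.43:8777"), ("Cloudformation", "10.22.111.43:8000"),
    ("Volume", "10.22.111.43:8776"), ("EC2", "10.22.111.43:8773"),
    ("Orchestration", "10.22.111.43:8004"), ("Orchestration", "10.22.111.43:8003"),
    ("Object Store", "10.22.111.43:8080"), ("Identity", "10.22.111.43:5000"),
    ("Identity", "10.22.111.43:35357"), ("Web UI", "10.22.111.43:80"),
]

def requested_ports(endpoints):
    """Distinct TCP ports in first-seen order; the repeated 8776 and 8080 collapse."""
    return list(dict.fromkeys(int(hp.rsplit(":", 1)[1]) for _svc, hp in endpoints))

def pinned_flows(endpoints, src, dst_hosts):
    """Option 2: one (src, host, port) flow per admin host and distinct port."""
    return [(src, host, port) for host in dst_hosts for port in requested_ports(endpoints)]

def uncovered_ports(endpoints, policy_apps, app_ports):
    """Requested ports not carried by any application the policy names.
    app_ports maps application name -> set of TCP ports (assumed, caller-supplied);
    a name absent from app_ports covers nothing, so opaque sets surface as gaps."""
    covered = set().union(*(app_ports.get(app, set()) for app in policy_apps))
    return [p for p in requested_ports(endpoints) if p not in covered]

def junos_applications(ports):
    """Junos 'application tcp-N' stanzas, one per port, in the comment-3 style."""
    return "\n".join(
        f"application tcp-{p} {{\n    protocol tcp;\n    destination-port {p};\n}}"
        for p in ports)

if __name__ == "__main__":
    # Assumed mapping for the named applications visible in comment 3: junos-http is
    # Junos's predefined tcp/80 application; the firewall's own sets are unknown here.
    known = {"tcp-8775": {8775}, "tcp-6080": {6080}, "tcp-9191": {9191},
             "tcp-8003": {8003}, "junos-http": {80}}
    policy = ["refspec-project-set", "httpproxy", "mecurial", "flask", "junos-http",
              "keystone", "tcp-8775", "tcp-6080", "tcp-9191", "tcp-8003"]
    gaps = uncovered_ports(ENDPOINTS, policy, known)
    print(f"{len(requested_ports(ENDPOINTS))} distinct ports requested; not provably covered: {gaps}")
    print(junos_applications(gaps))
```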
Updated 10 years ago:
Assignee: network-operations → jbarnell
Comment 1 • 10 years ago • Assignee (jbarnell)
Gozer, I'm looking at this, but when you say refspec-vms are you specifically referring to hosts in this address space: 10.22.96/24?
Comment 2 • 10 years ago • Reporter (gozer)
Yes, and I thought that was the actual name of that VLAN
Comment 3 • 10 years ago • Assignee (jbarnell)
Changes below:

jbarnell@fw1.scl3.mozilla.net# show | compare
[edit security policies from-zone refspec-vms to-zone labs]
+    policy refspec-project {
+        match {
+            source-address refspec-vms-net;
+            destination-address [ vm1-6.phy.labs vm1-7.phy.labs ];
+            application [ refspec-project-set httpproxy mecurial flask junos-http keystone tcp-8775 tcp-6080 tcp-9191 tcp-8003 ];
+        }
+        then {
+            permit;
+        }
+    }
[edit security zones security-zone labs address-book]
     address vm1-1.phy { ... }
+    address vm1-6.phy.labs 10.22.111.42/32;
+    address vm1-7.phy.labs 10.22.111.43/32;
[edit security zones security-zone refspec-vms]
+    address-book {
+        address refspec-vms-net 10.22.96.0/24;
+    }
[edit applications]
     application domain-udp-alg-off { ... }
+    application tcp-8775 {
+        protocol tcp;
+        destination-port 8775;
+    }
+    application tcp-6080 {
+        protocol tcp;
+        destination-port 6080;
+    }
+    application tcp-9191 {
+        protocol tcp;
+        destination-port 9191;
+    }
+    application tcp-8003 {
+        protocol tcp;
+        destination-port 8003;
+    }

Representative of your option 2.
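Review bot: the policy's application list in the refspec-project match block cannot be checked against the requested ports from the description, because only four of its members (tcp-8775, tcp-6080, tcp-9191, tcp-8003) are defined in this compare output; refspec-project-set, httpproxy, mecurial, flask, junos-http and keystone are referenced without their definitions, so there is no visible evidence that 8774, 9696, 8776, 8080, 9292, 8777, 8000, 8773, 8004, 5000 and 35357 are permitted, and httpproxy, mecurial and flask match nothing the request asked for. Showing the refspec-project-set definition in the compare, or defining one tcp-NNNN application per requested port as was done for the four above, would let the policy be verified as exactly option 2 and nothing wider.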
Comment 4 • 9 years ago • Assignee (jbarnell)
Gozer ... I've left this open, but are you ok to close it?
Flags: needinfo?(gozer)
Comment 5 • 9 years ago • Reporter (gozer)
Openstack is no more, please destroy with prejudice!
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(gozer)
Resolution: --- → WONTFIX
Updated 1 year ago:
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard