<div><div dir="auto">I helped to design the python-networking-ansible driver for ML2 + bare metal networking automation [1]. The idea behind it is a more production-grade alternative to networking-generic-switch that works with multiple makes/models of switches in the same environment. Behind the scenes, Ansible Networking is used to provide a vendor-neutral interface.</div></div><div dir="auto"><br></div><div dir="auto">I have tried to architect security groups for bare metal, but it’s a difficult challenge. I’d appreciate if anyone has suggestions.</div><div dir="auto"><br></div><div dir="auto">The main question is where to apply the security groups? Ideally, security groups would be applied at the port-level where the baremetal node is attached (we already configure VLAN assignment at the port level). Unfortunately, port security implementations vary wildly between vendors, and implementations may support only L2 filters, or very basic L3 filters only.</div><div dir="auto"><br></div><div dir="auto">The next logical place to apply the security group is at the VLAN router interface. That wouldn’t prevent hosts on the same network from talking to one another (access would be wide open between hosts on the same VLAN), but it would allow firewalling of hosts between networks. The challenge with this is that the plugin would have to know not only the switch and port where the baremetal node is attached, but also the switch/router where the VLAN router interface is located (or switches/routers in an HA environment).</div><div dir="auto"><br></div><div dir="auto">The baremetal port info is collected via Ironic Inspector, or it may be specified by the operator. How would we obtain the switch info and interface name for the VLAN L3 interface? What if there are multiple switch routers running with HA? Would the switch/interface have to be passed to Neutron when the network is created? I would love to discuss some ideas about how this could be implemented.</div><div dir="auto"><br></div><div dir="auto">[1] - <a href="https://pypi.org/project/networking-ansible/">https://pypi.org/project/networking-ansible/</a></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 12, 2019 at 2:21 PM Jason Anderson <<a href="mailto:jasonanderson@uchicago.edu">jasonanderson@uchicago.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Sean, thanks for the reply.<br>
</p>
<p>On 6/11/19 11:00 AM, Sean Mooney wrote:</p>
<blockquote type="cite">
<pre class="m_2881365201451217409moz-quote-pre">as an alternitive you migth be able to use the firewall as a service api to implemtn traffic filtering in the neutorn
routers rather than at the port level.</pre>
</blockquote>
<p>This was a good idea! I found that it actually worked to solve our use-case. I set up FWaaS and configured a firewall group with the rules I wanted. Then I added my subnets's router_interface port to the firewall. Thank you!<br>
</p>
<p>Re: the general issue of doing security groups in Ironic, I was wondering if this is something that others envision eventually being the job of networking-baremetal[1]. I looked and the storyboard[2] for the project doesn't show any planned work for this,
but I saw it mentioned in this presentation[3] from 2017.</p>
<p>Cheers,<br>
/Jason<br>
</p>
<p>[1]: <a href="https://docs.openstack.org/networking-baremetal/latest/" target="_blank">https://docs.openstack.org/networking-baremetal/latest/</a><br>
[2]: <a href="https://storyboard.openstack.org/#!/project/955" target="_blank">https://storyboard.openstack.org/#!/project/955</a><br>
[3]: <a href="https://www.slideshare.net/nyechiel/openstack-networking-the-road-ahead" target="_blank">https://www.slideshare.net/nyechiel/openstack-networking-the-road-ahead</a></p>
</div>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="monospace, monospace">Dan Sneddon | Senior Principal Software Engineer<br><a href="mailto:dsneddon@redhat.com" target="_blank">dsneddon@redhat.com</a> | <a href="http://redhat.com/cloud" target="_blank">redhat.com/cloud</a><br>dsneddon:irc | @dxs:twitter</font><br></div></div></div></div></div></div>