[ironic][neutron] Security groups on bare metal instances
Hi all,
We've been scratching our heads for a while, trying to figure out how security groups for bare metal instances are supposed to work. The configuration guide for Networking [1] implies that using the 'iptables_hybrid' firewall driver should work. We are using Neutron tenant networks [2] with Ironic. My understanding is that the iptables_hybrid driver creates a new OVS port (with prefix qvo), logically connects that to the integration bridge, and then creates a veth pair inside a new network namespace, and that veth device then gets some iptables rules to handle the security group rules. It is not clear to me how or when that qvo "hybrid" port is even created; I've combed through the Neutron code base for a while looking for clues.
We had tried using the "pure" OVS firewall solution, where security group rules are expressed using OpenFlow flows. However, this doesn't work, as there is no OVS port for a bare metal instance (at least, not in our setup). We are using networking-generic-switch [3], which provisions ports on a physical switch with a VLAN tag on the provider network. From OVS' perspective, the traffic exits OVS with that VLAN tag and that's that; OVS in this situation is only responsible for handling routing between provider networks and performing NAT for egress and ingress via Floating IP assignments.
So, I'm wondering if others have had success getting security groups to work in a bare metal environment, and have any clues we could follow to get this working nicely. I'm beginning to suspect our problems have to do with the fact that we're doing VLAN isolation predominantly via configuring physical switches, and as such there isn't a clear point where security groups can be inserted. The problem we are trying to solve is limiting ingress traffic on a Floating IP, so we only allow SSH from a given host, or only allow ports X and Y to be open externally, etc.
Thanks in advance, as usual, for any insights!
/Jason
[1]: https://docs.openstack.org/ironic/latest/install/configure-networking.html
[2]: https://docs.openstack.org/ironic/latest/install/configure-tenant-networks.html
[3]: https://docs.openstack.org/networking-generic-switch/latest/
On Tue, 2019-06-11 at 15:33 +0000, Jason Anderson wrote:
> So, I'm wondering if others have had success getting security groups to work in a bare metal environment, and have any clues we could follow to get this working nicely.
In a bare metal environment, the only way to implement security groups for the bare metal instance is to rely on an ML2 driver that supports implementing security groups at the top-of-rack switch.
The iptables and openvswitch firewall drivers can only be used in a VM deployment.
> I'm beginning to suspect our problems have to do with the fact that we're doing VLAN isolation predominantly via configuring physical switches, and as such there isn't a clear point where security groups can be inserted.
Some switch vendors can implement security groups directly in the TOR; I believe either Arista or Cisco support this in their top-of-rack switch driver, e.g. https://github.com/openstack/networking-arista/blob/master/networking_arista...
> The problem we are trying to solve is limiting ingress traffic on a Floating IP, so we only allow SSH from a given host, or only allow ports X and Y to be open externally, etc.
As an alternative, you might be able to use the Firewall-as-a-Service API to implement traffic filtering in the Neutron routers rather than at the port level.
Hi Sean, thanks for the reply.
On 6/11/19 11:00 AM, Sean Mooney wrote:
> As an alternative, you might be able to use the Firewall-as-a-Service API to implement traffic filtering in the Neutron routers rather than at the port level.
This was a good idea! I found that it actually worked to solve our use-case. I set up FWaaS and configured a firewall group with the rules I wanted. Then I added my subnet's router_interface port to the firewall. Thank you!
Re: the general issue of doing security groups in Ironic, I was wondering if this is something that others envision eventually being the job of networking-baremetal[1]. I looked and the storyboard[2] for the project doesn't show any planned work for this, but I saw it mentioned in this presentation[3] from 2017.
Cheers, /Jason
[1]: https://docs.openstack.org/networking-baremetal/latest/
[2]: https://storyboard.openstack.org/#!/project/955
[3]: https://www.slideshare.net/nyechiel/openstack-networking-the-road-ahead
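As an added example (not code from the thread, nor from Ironic, Neutron or neutron-fwaas), this is how the FWaaS approach Jason describes can be scripted with the openstack CLI for the use case from the original question: SSH only from one bastion host, a couple of TCP ports open to the world, everything else dropped. It assumes FWaaS v2 is enabled with the reference stateful L3 iptables driver, that the python-neutronclient OSC plugin providing the `firewall group` commands is installed, and that the names (bm-fw, bm-inbound, ...) and the bastion address 203.0.113.10 are placeholders. One caveat worth checking on your own deployment: with that driver the ingress/egress direction of a router_interface port is relative to the router, so traffic the router delivers into the subnet (inbound from the host's point of view) is filtered by the egress policy, which is why the inbound restriction is attached as `--egress-firewall-policy` below.

```shell
#!/bin/sh
# Added example: restrict inbound traffic to a bare metal tenant network with
# Neutron FWaaS v2, attached to the subnet's router_interface port.
# Assumptions: FWaaS v2 with the stateful reference L3 iptables driver (return
# traffic of allowed connections is accepted by conntrack), OSC FWaaS plugin
# installed, credentials in the environment. Names and addresses are placeholders.
set -eu

# Set OSC="echo openstack" to preview the commands instead of running them.
OSC=${OSC:-openstack}

# Find the router_interface port of a network. Assumes a legacy (non-DVR, non-HA)
# router; DVR/HA routers use other device_owner values.
find_router_port() {
    $OSC port list --network "$1" --device-owner network:router_interface \
        -f value -c ID | head -n 1
}

# $1 = router_interface port ID, $2 = bastion IP allowed to SSH,
# remaining args = TCP ports open to any source.
apply_baremetal_fwaas() {
    port_id=$1; bastion=$2; shift 2

    $OSC firewall group rule create --name bm-allow-ssh-bastion \
        --protocol tcp --destination-port 22 \
        --source-ip-address "$bastion" --action allow
    rule_args="--firewall-rule bm-allow-ssh-bastion"

    for p in "$@"; do
        $OSC firewall group rule create --name "bm-allow-tcp-$p" \
            --protocol tcp --destination-port "$p" --action allow
        rule_args="$rule_args --firewall-rule bm-allow-tcp-$p"
    done
    # Traffic matching no rule is dropped by the policy's default, so no
    # explicit deny rule is needed. Word splitting of $rule_args is intended.
    $OSC firewall group policy create --name bm-inbound $rule_args

    # Let the host initiate anything outbound.
    $OSC firewall group rule create --name bm-allow-any-out --action allow
    $OSC firewall group policy create --name bm-outbound \
        --firewall-rule bm-allow-any-out

    # Direction is relative to the router port: egress = into the subnet
    # (inbound to the host), ingress = from the subnet (outbound from the host).
    $OSC firewall group create --name bm-fw \
        --egress-firewall-policy bm-inbound \
        --ingress-firewall-policy bm-outbound \
        --port "$port_id"
}

# Usage: BM_FWAAS_APPLY=1 sh bm_fwaas.sh <network> <bastion-ip> <tcp-port>...
if [ "${BM_FWAAS_APPLY:-0}" = 1 ]; then
    net=$1; bastion=$2; shift 2
    apply_baremetal_fwaas "$(find_router_port "$net")" "$bastion" "$@"
fi
```

Run it once with `OSC="echo openstack"` to review the exact commands before applying them. Because the filtering happens in the router, only traffic crossing the router (including floating IP traffic after DNAT) is filtered; hosts on the same VLAN can still reach each other freely, which is the limitation Dan describes later in the thread.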
I helped to design the python-networking-ansible driver for ML2 + bare metal networking automation [1]. The idea behind it is a more production-grade alternative to networking-generic-switch that works with multiple makes/models of switches in the same environment. Behind the scenes, Ansible Networking is used to provide a vendor-neutral interface.
I have tried to architect security groups for bare metal, but it's a difficult challenge. I'd appreciate it if anyone has suggestions.
The main question is where to apply the security groups? Ideally, security groups would be applied at the port-level where the baremetal node is attached (we already configure VLAN assignment at the port level). Unfortunately, port security implementations vary wildly between vendors, and implementations may support only L2 filters, or very basic L3 filters only.
The next logical place to apply the security group is at the VLAN router interface. That wouldn’t prevent hosts on the same network from talking to one another (access would be wide open between hosts on the same VLAN), but it would allow firewalling of hosts between networks. The challenge with this is that the plugin would have to know not only the switch and port where the baremetal node is attached, but also the switch/router where the VLAN router interface is located (or switches/routers in an HA environment).
The baremetal port info is collected via Ironic Inspector, or it may be specified by the operator. How would we obtain the switch info and interface name for the VLAN L3 interface? What if there are multiple switch routers running with HA? Would the switch/interface have to be passed to Neutron when the network is created? I would love to discuss some ideas about how this could be implemented.
[1] - https://pypi.org/project/networking-ansible/
On Wed, Jun 12, 2019 at 2:21 PM Jason Anderson jasonanderson@uchicago.edu wrote:
participants (3): Dan Sneddon, Jason Anderson, Sean Mooney