[ironic][neutron] Security groups on bare metal instances

Dan Sneddon dsneddon at redhat.com
Wed Jun 12 22:03:16 UTC 2019


I helped to design the python-networking-ansible driver for ML2 + bare
metal networking automation [1]. The idea behind it is a more
production-grade alternative to networking-generic-switch that works with
multiple makes/models of switches in the same environment. Behind the
scenes, Ansible Networking is used to provide a vendor-neutral interface.

I have tried to architect security groups for bare metal, but it’s a
difficult challenge. I’d appreciate if anyone has suggestions.

The main question is where to apply the security groups? Ideally, security
groups would be applied at the port-level where the baremetal node is
attached (we already configure VLAN assignment at the port level).
Unfortunately, port security implementations vary wildly between vendors,
and implementations may support only L2 filters, or only very basic L3
filters.

The next logical place to apply the security group is at the VLAN router
interface. That wouldn’t prevent hosts on the same network from talking to
one another (access would be wide open between hosts on the same VLAN), but
it would allow firewalling of hosts between networks. The challenge with
this is that the plugin would have to know not only the switch and port
where the baremetal node is attached, but also the switch/router where the
VLAN router interface is located (or switches/routers in an HA environment).

The baremetal port info is collected via Ironic Inspector, or it may be
specified by the operator. How would we obtain the switch info and
interface name for the VLAN L3 interface? What if there are multiple switch
routers running with HA? Would the switch/interface have to be passed to
Neutron when the network is created? I would love to discuss some ideas
about how this could be implemented.

[1] - https://pypi.org/project/networking-ansible/

On Wed, Jun 12, 2019 at 2:21 PM Jason Anderson <jasonanderson at uchicago.edu>
wrote:

> Hi Sean, thanks for the reply.
>
> On 6/11/19 11:00 AM, Sean Mooney wrote:
>
> as an alternative you might be able to use the firewall as a service api to implement traffic filtering in the neutron
> routers rather than at the port level.
>
> This was a good idea! I found that it actually worked to solve our
> use-case. I set up FWaaS and configured a firewall group with the rules I
> wanted. Then I added my subnet's router_interface port to the firewall.
> Thank you!
>
> Re: the general issue of doing security groups in Ironic, I was wondering
> if this is something that others envision eventually being the job of
> networking-baremetal[1]. I looked and the storyboard[2] for the project
> doesn't show any planned work for this, but I saw it mentioned in this
> presentation[3] from 2017.
>
> Cheers,
> /Jason
>
> [1]: https://docs.openstack.org/networking-baremetal/latest/
> [2]: https://storyboard.openstack.org/#!/project/955
> [3]:
> https://www.slideshare.net/nyechiel/openstack-networking-the-road-ahead
>
-- 
Dan Sneddon         |  Senior Principal Software Engineer
dsneddon at redhat.com |  redhat.com/cloud
dsneddon:irc        |  @dxs:twitter
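
An added example, not part of any message in this thread: the FWaaS v2 workflow described in the quoted reply (a firewall group attached to the subnet's router_interface port), scripted against the openstack CLI. It assumes the neutron-fwaas OSC plugin is installed and credentials are loaded in the environment; the router and subnet names, the rule set and the "bm" name prefix are placeholders. As the thread notes, filtering at the router interface only covers traffic that crosses the router: hosts on the same VLAN still reach each other unfiltered.

```shell
# Added example (not project code): apply Neutron FWaaS v2 filtering to the
# router_interface port of a bare-metal subnet instead of the instance ports.
# Assumptions: openstack CLI + neutron-fwaas OSC plugin, credentials loaded,
# router/subnet names and rule set are placeholders.
OSC=${OSC:-openstack}   # set OSC=echo to print the commands instead of running them

# Print the ID of the router_interface port that joins subnet $2 to router $1.
router_interface_port() {
  "$OSC" port list --router "$1" --device-owner network:router_interface \
      --fixed-ip subnet="$2" -f value -c ID
}

# Create an explicit allow-list followed by a final deny, wrap it in a policy
# and bind the policy to the router port in both directions.
# Rules are evaluated in the order listed in the policy, so the deny goes last;
# the explicit deny also removes any dependence on the driver's default action.
apply_fwaas_to_router_interface() {
  router=$1; subnet=$2; prefix=${3:-bm}
  port=$(router_interface_port "$router" "$subnet")
  [ -n "$port" ] || { echo "no router_interface port for $subnet on $router" >&2; return 1; }

  "$OSC" firewall group rule create --name "$prefix-allow-ssh" \
      --protocol tcp --destination-port 22 --action allow
  "$OSC" firewall group rule create --name "$prefix-allow-icmp" \
      --protocol icmp --action allow
  "$OSC" firewall group rule create --name "$prefix-deny-rest" --action deny
  "$OSC" firewall group policy create \
      --firewall-rule "$prefix-allow-ssh" \
      --firewall-rule "$prefix-allow-icmp" \
      --firewall-rule "$prefix-deny-rest" \
      "$prefix-policy"
  # Caveat: for a router port, "ingress" and "egress" are relative to the port
  # (packets entering / leaving the router through it), not to the bare-metal
  # hosts. The same policy is applied in both directions here; verify the
  # direction semantics against your L3 driver before relying on an asymmetric set.
  "$OSC" firewall group create --name "$prefix-fwg" \
      --ingress-firewall-policy "$prefix-policy" \
      --egress-firewall-policy "$prefix-policy" \
      --port "$port"
}

# Usage: apply_fwaas_to_router_interface bm-router bm-subnet
```

Run it once per bare-metal subnet; to audit what would be sent before touching a live cloud, run with `OSC=echo` and read the generated commands. The function returns non-zero if no router_interface port exists for that subnet on that router, which is the failure a practitioner hits when the subnet has not yet been attached to the router.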