[IRONIC] Firewall drivers / implementation

Karl Kloppenborg kkloppenborg at rwts.com.au
Fri Jun 30 18:05:58 UTC 2023


Hi Team!

Firstly, thank you for your replies, I really appreciate it.
Probably worth me outlining how we do this currently.

I have attached a screenshot of the network topology as seen from the horizon dashboard.
“Management” node is a VM.
“HCI-POC-1” is a Bare Metal instance.

Essentially, each tenancy has:

  1.  Two neutron routers are set up and attached to the external NORTHBOUND VLAN network, where neutron gets an external public IP.
     *   Routers are IPv4 and IPv6 separation due to BGP limitations in OS currently.
  2.  A VXLAN Tenancy network is created and attached to the neutron routers, this is used for VM connectivity.
  3.  A VLAN Bare Metal Network is created with the VLAN ID being the same as the VXLAN ID; this is then attached to the IPv4 Router (we only support IPv4 on BM currently).
     *   This then uses networking-generic-switch to allow ironic to configure the switchports as needed.
So when a floating IP is assigned to a BM node, it’s attached on the neutron router itself.

Naturally IPTables Security groups don't work in this setup because at no point does any flow pass a BR-INT or compute node; the traffic traverses the L3 Agent and its neutron router before going directly back out the VLAN BM Network and hitting the relevant node.

However, could firewalling be achieved by using the Open vSwitch Firewall driver? https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html

How are others achieving this? Surely people are not just leaving BMs out of the mix when it comes to security groups! 😃

Also, I should mention, for those following along with this, we’re offering paid consulting time on this issue for anyone who feels they’re up for it!

Thanks,
Karl.

From: Julia Kreger <juliaashleykreger at gmail.com>
Date: Friday, 30 June 2023 at 11:15 pm
To: Slawek Kaplonski <skaplons at redhat.com>
Cc: openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>, Karl Kloppenborg <kkloppenborg at rwts.com.au>
Subject: Re: [IRONIC] Firewall drivers / implementation
Thanks for the pointer Slawek!

I am wondering if the OP is thinking of security groups, and if so that is through an ML2 plugin mechanism on the switch level configuration, however.... very few ML2 plugins have supported applying security groups to switches because the translation can be difficult or the switches don't support packet inspection without performance degradation.



On Fri, Jun 30, 2023 at 12:27 AM Slawek Kaplonski <skaplons at redhat.com> wrote:

Hi,


On Thursday, 29 June 2023 at 19:08:30 CEST, Karl Kloppenborg wrote:

> Hi Team,
>
> We have Ironic deployed and configured to deploy baremetal on vlans attached to the neutron routers of a tenancy/project.
>
> However, when assigned a floating IP, there's no firewall and the server is completely exposed.
>
> I cannot seem to see any information on Ironic Firewalls, how are others achieving this?
>
> Any suggestions would be greatly appreciated.
>
> Thanks,
> Karl Kloppenborg.
> Openstack-Helm Team.
>


For firewall on the Neutron router level there is the neutron-fwaas project [1]. Did you check that?


[1] https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html


--

Slawek Kaplonski

Principal Software Engineer

Red Hat
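The gap Karl describes is easy to miss in an audit: a security group attached to an Ironic port looks configured in Horizon and the API, but nothing on the bare-metal path (switch port, VLAN, L3 agent) enforces it, so the only hop where filtering can be applied is the router interface on the bare-metal VLAN network, which is where Slawek's neutron-fwaas v2 pointer fits. The script below is an added example, not code from the thread or from Ironic/Neutron: it walks Neutron port, floating IP and firewall-group records (constructed here to mirror the topology in Karl's message, with ids such as `bm-port-1` and `rtr-if-bm` invented for the sample) and reports bare-metal ports whose security groups are inert, together with the router interface ports on the same network that still have no firewall group attached. It assumes the standard Neutron port attributes `binding:vnic_type` (`baremetal` for Ironic ports bound by networking-generic-switch), `device_owner`, `security_groups` and `port_security_enabled`, and the FWaaS v2 firewall-group `ports` list.

```python
"""Audit Neutron ports for security groups that are configured but not enforced.

Added example, not from the thread. Input dicts follow the shape of Neutron API
port, floatingip and firewall_group resources; the sample records at the bottom
are constructed to mirror the thread's topology (VXLAN VM network plus a VLAN
bare-metal network attached to an IPv4 router).
"""
from typing import Dict, List

Port = Dict[str, object]

# Ironic ports bound by networking-generic-switch carry vnic_type 'baremetal'
# (assumption based on standard Neutron port attributes). No OVS or iptables
# firewall driver runs anywhere on that path, so their security groups are inert.
BAREMETAL_VNIC_TYPE = "baremetal"
ROUTER_INTERFACE_OWNERS = {
    "network:router_interface",
    "network:router_interface_distributed",
}


def find_unenforced_sg_ports(ports: List[Port]) -> List[str]:
    """Ids of bare-metal ports that carry security groups nobody enforces."""
    return [
        str(p["id"])
        for p in ports
        if p.get("binding:vnic_type") == BAREMETAL_VNIC_TYPE
        and p.get("port_security_enabled", True)
        and p.get("security_groups")
    ]


def router_interfaces_for(ports: List[Port], network_id: str) -> List[str]:
    """Router ports on a network: the only hop where FWaaS v2 can filter BM traffic."""
    return [
        str(p["id"])
        for p in ports
        if p.get("network_id") == network_id
        and p.get("device_owner") in ROUTER_INTERFACE_OWNERS
    ]


def audit(ports: List[Port], floating_ips: List[Port],
          firewall_groups: List[Port]) -> List[Dict[str, object]]:
    """One finding per bare-metal port: its floating IP, the ignored security
    groups, and the router interface ports still lacking a firewall group."""
    fip_by_port = {
        f["port_id"]: f["floating_ip_address"]
        for f in floating_ips if f.get("port_id")
    }
    # Ports already covered by some FWaaS v2 firewall group.
    fw_ports = {pid for g in firewall_groups for pid in g.get("ports", [])}
    findings = []
    for p in ports:
        if p.get("binding:vnic_type") != BAREMETAL_VNIC_TYPE:
            continue
        router_ports = router_interfaces_for(ports, str(p["network_id"]))
        findings.append({
            "port_id": p["id"],
            "floating_ip": fip_by_port.get(p["id"]),
            "security_groups_ignored": list(p.get("security_groups", [])),
            "unprotected_router_ports": [r for r in router_ports if r not in fw_ports],
        })
    return findings


# Constructed sample data (ids and addresses are invented).
SAMPLE_PORTS: List[Port] = [
    {"id": "vm-port-1", "network_id": "net-vm-vxlan", "device_owner": "compute:nova",
     "binding:vnic_type": "normal", "binding:vif_type": "ovs",
     "port_security_enabled": True, "security_groups": ["sg-default"]},
    {"id": "bm-port-1", "network_id": "net-bm-vlan", "device_owner": "baremetal:none",
     "binding:vnic_type": "baremetal", "binding:vif_type": "other",
     "port_security_enabled": True, "security_groups": ["sg-default"]},
    {"id": "rtr-if-bm", "network_id": "net-bm-vlan",
     "device_owner": "network:router_interface", "binding:vnic_type": "normal",
     "binding:vif_type": "ovs", "port_security_enabled": False, "security_groups": []},
]
SAMPLE_FIPS: List[Port] = [{"floating_ip_address": "203.0.113.10", "port_id": "bm-port-1"}]
SAMPLE_FIREWALL_GROUPS: List[Port] = []  # nothing attached yet: the exposed state

if __name__ == "__main__":
    for finding in audit(SAMPLE_PORTS, SAMPLE_FIPS, SAMPLE_FIREWALL_GROUPS):
        print(finding)
```

Run against the sample, the VM port is not reported (its security group is enforced on br-int), while `bm-port-1` is reported with its floating IP and `rtr-if-bm` listed as the router port that still needs a firewall group; once a firewall group whose `ports` include `rtr-if-bm` is passed in, that list becomes empty. Feeding the script real data means pulling the same three resources from the Neutron API, which is left to the operator.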
Attachments (screenshots referenced above):
- Screenshot 2023-07-01 at 3.46.09 am.png (image/png, 19728 bytes): https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230630/8cb463de/attachment-0002.png
- Screenshot 2023-07-01 at 3.58.47 am.png (image/png, 45826 bytes): https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230630/8cb463de/attachment-0003.png