[Openstack] vm isolation in same tenant network

Salvatore Orlando sorlando at nicira.com
Tue Jul 7 21:46:20 UTC 2015


Hello Marco,

more comments inline.

Salvatore

On 7 July 2015 at 22:09, Marco Mariani <marco.mariani at alterway.fr> wrote:

> 2015-07-07 20:52 GMT+02:00 Salvatore Orlando <sorlando at nicira.com>:
>
>> If I understand correctly your use case security groups can be probably
>> used to satisfy your goal with Neutron.
>>
>> Groups of isolated VMs in the same network can be assigned to different
>> security groups. Traffic among different groups will be dropped unless
>> enabled by a specific security group rule.
>>
>
> Not in my experience, if VMs are in the same tenant network they can ping
> and connect to each other regardless of security rules. With nova-network
> that depends on the setting of allow_same_net_traffic={True, False}.
>
> By the way, I'm using Juno (with Fuel 6.1)
>

Even if VMs are in the same logical network, it should be possible to do
isolation by associating them with different security groups, in your case N
security groups.
For instance, if VM1 and VM2 are associated respectively with security groups
SG1 and SG2, and these security groups only have the default rules plus one
for enabling connectivity with VM0, VM1 should not reach VM2. If this
happens, something is not quite right.


>
>> Still I am not sure if this is your goal
>>
>
> Yes, indeed. I have VM1 to N that should be able to reach Internet and a
> designated "master" VM0, but not each other. Instances 1 through N are
> created with Heat templates.
>

Now I probably understand. It is a scenario similar to PVLAN.


>
>> as you wrote that you want to forbid traffic between VMs and floating IPs,
>> you might be trying to achieve something different.
>>
>
> That would be easier to fix, I can set up netfilter in the exposed
> machines and in the OpenStack nodes. But between VMs, there are no Allow /
> Deny rules. And neither would FWaaS help me, since it operates at the
> perimeter.
>

Correct, FWaaS enforces rules at the edge and won't help you.


>
> I suppose Role-based Access Control (
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
> could help me, but if so, that's a solution that does not directly map to
> how I see my problem.
>

RBAC won't help you I think. It provides a way to declare which tenants can
use a given network, but it is a management layer abstraction - it has no
goal of policing the traffic on the logical network where it is applied.


>
> Thanks for the reply!
>
>
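An added model of the security-group layout Salvatore describes above (example code written for this page, not from the thread or from Neutron itself). It assumes Neutron's default rules for a fresh group (allow all egress, allow ingress only from members of the same group), a constructed 10.0.0.0/24 tenant subnet, and that a flow is permitted only when the source's egress rules and the destination's ingress rules both match; VM0 is the master and each of VM1..VMn gets its own group with one extra rule letting VM0 in.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str               # "ingress" or "egress"
    remote_group: str = None     # match peers that are members of this security group
    remote_prefix: str = None    # or peers whose address lies in this CIDR (neither: any)

    def matches(self, peer_ip: str, peer_groups: set) -> bool:
        if self.remote_group is not None:
            return self.remote_group in peer_groups
        if self.remote_prefix is not None:
            return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.remote_prefix)
        return True

@dataclass
class Port:
    ip: str
    groups: set                  # names of the security groups applied to this port

def default_rules(sg: str) -> list:
    # Neutron's defaults for a new group: all egress, ingress only from the group itself
    return [Rule("egress"), Rule("ingress", remote_group=sg)]

def allowed(src: Port, dst: Port, groups: dict) -> bool:
    """True if src may open a flow to dst: the source's egress rules and the destination's
    ingress rules must both match. An external host has no Neutron port, so only egress applies."""
    egress_ok = any(r.matches(dst.ip, dst.groups)
                    for g in src.groups for r in groups[g] if r.direction == "egress")
    ingress_ok = not dst.groups or any(r.matches(src.ip, src.groups)
                                       for g in dst.groups for r in groups[g] if r.direction == "ingress")
    return egress_ok and ingress_ok

def build_scenario(n: int = 3):
    """Constructed layout: VM0 is the master; VM1..VMn each get their own group."""
    groups = {"SG0": default_rules("SG0") + [Rule("ingress", remote_prefix="10.0.0.0/24")]}
    vms = {"VM0": Port("10.0.0.10", {"SG0"})}
    for i in range(1, n + 1):
        # default rules plus the single rule that lets the master VM0 in
        groups[f"SG{i}"] = default_rules(f"SG{i}") + [Rule("ingress", remote_group="SG0")]
        vms[f"VM{i}"] = Port(f"10.0.0.{10 + i}", {f"SG{i}"})
    return vms, groups

def reachability(n: int = 3) -> dict:
    """Map (source, destination) -> allowed for every VM pair, plus each VM to the Internet."""
    vms, groups = build_scenario(n)
    vms["internet"] = Port("203.0.113.1", set())   # constructed external host, no Neutron port
    return {(s, d): allowed(vms[s], vms[d], groups)
            for s in vms for d in vms if s != d and s != "internet"}
```

With this layout VM1..VMn reach VM0 and the Internet but not each other; if a real deployment lets VM1 reach VM2 under these rules, the security-group driver is not enforcing them on that port.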