When the google-api-proxy project was created the default security group was empty rather than having the expected rules for basic instance access:
| From Port | To Port | IP Protocol | IP Range |
|---|---|---|---|
| -1 | -1 | icmp | 0.0.0.0/0 |
| 22 | 22 | tcp | 10.0.0.0/8 |
| 5666 | 5666 | tcp | 10.0.0.0/8 |
Subject | Repo | Branch | Lines +/-
---|---|---|---
Keystone hooks: Set up default security groups for new projects. | operations/puppet | production | +185 -34
Yes. I just created a new project named t136871 and it has the same empty default security group.
Now I have created the privpol-captcha project and its default security group is fine.
A noticeable difference from when I created the t136871 project is that my Nova session credentials seemed to be expired when I made the one with missing rules. I had to log out and log back in after creating the project to even see the empty security group. So maybe a cloud-admin has enough powers just via the wiki session status to create a basic project but not to completely configure the defaults?
@Andrew can you take a look at this when you get back? Seems relevant to recent work, I imagine :)
krenair@silver:~$ nova secgroup-list-default-rules
+-------------+-----------+---------+----------+
| IP Protocol | From Port | To Port | IP Range |
+-------------+-----------+---------+----------+
+-------------+-----------+---------+----------+
:/
Maybe someone just needs to go through and nova secgroup-add-default-rule the whole lot?
Can you be more specific, @Lokal_Profil? Is there a new project you noticed that demonstrated this behavior?
I've added nova default rules as per Alex's suggestion:
$ nova secgroup-list-default-rules
+-------------+-----------+---------+------------+
| IP Protocol | From Port | To Port | IP Range   |
+-------------+-----------+---------+------------+
| icmp        | -1        | -1      | 0.0.0.0/0  |
| tcp         | 22        | 22      | 10.0.0.0/8 |
| tcp         | 5666      | 5666    | 10.0.0.0/8 |
+-------------+-----------+---------+------------+
As best I can tell, though, there's no way to add a group rule to that. So I can't add the rule which allows all traffic between instances in the same project.
Hmm. I don't think I've seen an explicit rule to do that before? Can you show an example?
Ugh, right, it's the first rule here:
krenair@silver:~$ nova --os-tenant-name admin secgroup-list
+-----+---------+-------------+
| Id  | Name    | Description |
+-----+---------+-------------+
| 663 | default | default     |
+-----+---------+-------------+
krenair@silver:~$ nova --os-tenant-name admin secgroup-list-rules default
+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             |           |         |            | default      |
| icmp        | -1        | -1      | 0.0.0.0/0  |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
| tcp         | 5666      | 5666    | 10.0.0.0/8 |              |
+-------------+-----------+---------+------------+--------------+
We'd want to turn that into a default default rule, which doesn't appear to be possible, looking at the compute api-ref. Do we have a list of commands to run for each new project somewhere? This should probably be added to it :(
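The two checks discussed above (reconciling the project's default rules against the expected set with `nova secgroup-add-default-rule`, and verifying per project that the `default` group still carries the source-group rule that cannot be expressed as a default rule), as an added shell example that is not from this task or from operations/puppet. It works on the nova CLI's table output, so the sample tables are constructed from the output quoted in the thread; the positional argument order for `secgroup-add-default-rule` (`<ip_proto> <from_port> <to_port> <cidr>`) is assumed from the legacy novaclient, and `NOVA` is a hypothetical environment override for the binary.

```shell
#!/bin/sh
# Added example (not from the task or operations/puppet): reconcile Nova default
# security-group rules against the expected set and report whether a project's
# "default" group allows traffic from itself.
# Assumptions: legacy novaclient CLI with positional args <ip_proto> <from_port>
# <to_port> <cidr>; NOVA is a hypothetical override for the binary name.
NOVA="${NOVA:-nova}"

# Expected default rules from the task description: "proto from_port to_port cidr".
EXPECTED_RULES='icmp -1 -1 0.0.0.0/0
tcp 22 22 10.0.0.0/8
tcp 5666 5666 10.0.0.0/8'

# Sample tables, constructed from the output quoted in the thread.
SAMPLE_EMPTY_DEFAULTS='+-------------+-----------+---------+----------+
| IP Protocol | From Port | To Port | IP Range |
+-------------+-----------+---------+----------+
+-------------+-----------+---------+----------+'
SAMPLE_PARTIAL_DEFAULTS='+-------------+-----------+---------+------------+
| IP Protocol | From Port | To Port | IP Range   |
+-------------+-----------+---------+------------+
| icmp        | -1        | -1      | 0.0.0.0/0  |
| tcp         | 22        | 22      | 10.0.0.0/8 |
+-------------+-----------+---------+------------+'
SAMPLE_FULL_DEFAULTS="$SAMPLE_PARTIAL_DEFAULTS
| tcp         | 5666      | 5666    | 10.0.0.0/8 |
+-------------+-----------+---------+------------+"
SAMPLE_GROUP_RULES='+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             |           |         |            | default      |
| icmp        | -1        | -1      | 0.0.0.0/0  |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
+-------------+-----------+---------+------------+--------------+'
SAMPLE_GROUP_RULES_NO_SELF='+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0  |              |
+-------------+-----------+---------+------------+--------------+'

# Convert a nova ASCII table on stdin into tab-separated rows of trimmed cells;
# border lines (+---+) and the header row are dropped.
table_rows() {
    awk -F'|' '
        /^\+/ || /IP Protocol/ { next }
        NF >= 3 {
            line = ""
            for (i = 2; i < NF; i++) {
                v = $i; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                line = (i == 2) ? v : line "\t" v
            }
            print line
        }'
}

# Print every expected default rule that is absent from the
# `nova secgroup-list-default-rules` table read from stdin.
missing_default_rules() {
    present=$(table_rows | tr '\t' ' ')
    printf '%s\n' "$EXPECTED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$present" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Exit 0 if the `nova secgroup-list-rules <group>` table on stdin contains a row
# whose Source Group column is $1 (the rule allowing traffic between instances
# in the same project), else exit 1.
has_source_group_rule() {
    table_rows | awk -v want="$1" 'BEGIN { FS = "\t" }
        $5 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live mode: add whatever default rules are missing (needs cloud-admin credentials).
apply_missing_default_rules() {
    "$NOVA" secgroup-list-default-rules | missing_default_rules |
    while read -r proto from to cidr; do
        echo "adding default rule: $proto $from $to $cidr"
        "$NOVA" secgroup-add-default-rule "$proto" "$from" "$to" "$cidr"
    done
}

# Live mode: report whether project $1's default group has the source-group rule.
check_project_group_rule() {
    if "$NOVA" --os-tenant-name "$1" secgroup-list-rules default | has_source_group_rule default; then
        echo "$1: default group allows traffic from itself"
    else
        echo "$1: default group is MISSING the source-group rule; it must be added per project" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) apply_missing_default_rules ;;
    check) check_project_group_rule "${2:?project name}" ;;
esac
```

Run with no arguments the script only defines the functions; `sh reconcile.sh apply` adds the missing default rules, and `sh reconcile.sh check <project>` reports whether that project's `default` group still has the self-referencing rule, which is the part the default-rule mechanism cannot provision.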
Change 332899 had a related patch set uploaded (by Andrew Bogott):
Keystone hooks: Set up default security groups for new projects.
Change 332899 merged by Andrew Bogott:
Keystone hooks: Set up default security groups for new projects.