Page MenuHomePhabricator

Empty default security group for newly created project
Closed, ResolvedPublic

Description

When the google-api-proxy project was created the default security group was empty rather than having the expected rules for basic instance access:

-1	-1	icmp	0.0.0.0/0
22	22	tcp	10.0.0.0/8
5666	5666	tcp	10.0.0.0/8

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript
chasemp added a subscriber: chasemp.

@bd808 is this still happening?

Yes. I just created a new project named t136871 and it has the same empty default security group.

Now I have created the privpol-captcha project and its default security group is fine.

A noticable difference from when I created the t136871 project is that my Nova session credentials seemed to be expired when I made the one with missing rules. I had to log out and log back in after creating the project to even see the empty security group. So maybe a cloud-admin has enough powers just via the wiki session status to create a basic project but not to completely configure the defaults?

@Andrew can you take a look at this when you get back? seems relevant to recent work I imagine :)

krenair@silver:~$ nova secgroup-list-default-rules
+-------------+-----------+---------+----------+
| IP Protocol | From Port | To Port | IP Range |
+-------------+-----------+---------+----------+
+-------------+-----------+---------+----------+

:/

Maybe someone just needs to go through and nova secgroup-add-default-rule the whole lot?

Just a note about this still happening

Just a note about this still happening

Can you be more specific @Lokal_Profil. Is there a new project you noticed demonstrated this behavior?

Just a note about this still happening

Can you be more specific @Lokal_Profil. Is there a new project you noticed demonstrated this behavior?

Yes this happened to the wikispeech project (I added the rules manually afterwards).

I've added nova default rules as per Alex's suggestion:

$ nova secgroup-list-default-rules
+-------------+-----------+---------+------------+

IP ProtocolFrom PortTo PortIP Range

+-------------+-----------+---------+------------+

icmp-1-10.0.0.0/0
tcp222210.0.0.0/8
tcp5666566610.0.0.0/8

+-------------+-----------+---------+------------+

As best I can tell, though, there's no way to add a group rule to that. So I can't add the rule which allows all traffic between instances in the same project.

As best I can tell, though, there's no way to add a group rule to that. So I can't add the rule which allows all traffic between instances in the same project.

Hmm. I don't think I've seen an explicit rule to do that before? Can you show an example?

Can you show an example?

It's called a 'Remote Security Group' in horizon.

Ugh, right, it's the first rule here:

krenair@silver:~$ nova --os-tenant-name admin secgroup-list
+-----+---------+-------------+
| Id  | Name    | Description |
+-----+---------+-------------+
| 663 | default | default     |
+-----+---------+-------------+
krenair@silver:~$ nova --os-tenant-name admin secgroup-list-rules default
+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             |           |         |            | default      |
| icmp        | -1        | -1      | 0.0.0.0/0  |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
| tcp         | 5666      | 5666    | 10.0.0.0/8 |              |
+-------------+-----------+---------+------------+--------------+

We'd want to turn that into a default default rule, which doesn't appear to be possible, looking at the compute api-ref. Do we have a list of commands to run for each new project somewhere? This should probably be added to it :(

Change 332899 had a related patch set uploaded (by Andrew Bogott):
Keystone hooks: Set up default security groups for new projects.

https://gerrit.wikimedia.org/r/332899

Change 332899 merged by Andrew Bogott:
Keystone hooks: Set up default security groups for new projects.

https://gerrit.wikimedia.org/r/332899

Should be fixed by the above ugly patch