Empty default security group for newly created project
Closed, Resolved · Public

Description

When the google-api-proxy project was created the default security group was empty rather than having the expected rules for basic instance access:

-1	-1	icmp	0.0.0.0/0
22	22	tcp	10.0.0.0/8
5666	5666	tcp	10.0.0.0/8

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper.
chasemp subscribed.

@bd808 is this still happening?

Yes. I just created a new project named t136871 and it has the same empty default security group.

Now I have created the privpol-captcha project and its default security group is fine.

A noticeable difference from when I created the t136871 project is that my Nova session credentials seemed to be expired when I made the one with missing rules. I had to log out and log back in after creating the project to even see the empty security group. So maybe a cloud-admin has enough powers just via the wiki session status to create a basic project but not to completely configure the defaults?

@Andrew can you take a look at this when you get back? seems relevant to recent work I imagine :)

krenair@silver:~$ nova secgroup-list-default-rules
+-------------+-----------+---------+----------+
| IP Protocol | From Port | To Port | IP Range |
+-------------+-----------+---------+----------+
+-------------+-----------+---------+----------+

:/

Maybe someone just needs to go through and nova secgroup-add-default-rule the whole lot?

Just a note about this still happening

Can you be more specific, @Lokal_Profil? Is there a new project you noticed demonstrating this behavior?

Yes this happened to the wikispeech project (I added the rules manually afterwards).

I've added nova default rules as per Alex's suggestion:

$ nova secgroup-list-default-rules
+-------------+-----------+---------+------------+
| IP Protocol | From Port | To Port | IP Range   |
+-------------+-----------+---------+------------+
| icmp        | -1        | -1      | 0.0.0.0/0  |
| tcp         | 22        | 22      | 10.0.0.0/8 |
| tcp         | 5666      | 5666    | 10.0.0.0/8 |
+-------------+-----------+---------+------------+

As best I can tell, though, there's no way to add a group rule to that. So I can't add the rule which allows all traffic between instances in the same project.

Hmm. I don't think I've seen an explicit rule to do that before? Can you show an example?

Can you show an example?

It's called a 'Remote Security Group' in horizon.

Ugh, right, it's the first rule here:

krenair@silver:~$ nova --os-tenant-name admin secgroup-list
+-----+---------+-------------+
| Id  | Name    | Description |
+-----+---------+-------------+
| 663 | default | default     |
+-----+---------+-------------+
krenair@silver:~$ nova --os-tenant-name admin secgroup-list-rules default
+-------------+-----------+---------+------------+--------------+
| IP Protocol | From Port | To Port | IP Range   | Source Group |
+-------------+-----------+---------+------------+--------------+
|             |           |         |            | default      |
| icmp        | -1        | -1      | 0.0.0.0/0  |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
| tcp         | 5666      | 5666    | 10.0.0.0/8 |              |
+-------------+-----------+---------+------------+--------------+

We'd want to turn that into a default default rule, which doesn't appear to be possible, looking at the compute api-ref. Do we have a list of commands to run for each new project somewhere? This should probably be added to it :(

Change 332899 had a related patch set uploaded (by Andrew Bogott):
Keystone hooks: Set up default security groups for new projects.

https://gerrit.wikimedia.org/r/332899

Change 332899 merged by Andrew Bogott:
Keystone hooks: Set up default security groups for new projects.

https://gerrit.wikimedia.org/r/332899

Should be fixed by the above ugly patch.