
Isolate contintcloud nova project from the rest of the wmflabs cloud
Closed, Declined (Public)

Description

The labs project contintcloud, created by T86167, needs to have its instances network-isolated at the OpenStack level. We need to determine the list of security rules we would have to apply. Things that come to mind:
outgoing access to:

  • labs infrastructure (puppet? dns ntp ..)
  • npm/pip/rubygems
  • Gerrit
  • Zuul git repositories

incoming access from:

  • Jenkins master via ssh

Event Timeline

hashar raised the priority of this task from to Needs Triage.
hashar updated the task description. (Show Details)
hashar subscribed.
Krinkle triaged this task as Medium priority. Mar 2 2015, 1:50 PM
Krinkle set Security to None.
Krinkle renamed this task from Isolate contintcloud labs project from rest of the labs project to Isolate contintcloud nova project from the rest of the wmflabs cloud. Apr 3 2015, 12:17 AM

@Andrew do we have an easy way to prevent a given labs project (contintcloud) from reaching other projects? Especially, we will need a way to set an egress filter (currently Horizon only shows ingress and apparently does not allow one to set up the direction).

From a discussion with @Andrew on IRC: Horizon shows the direction next to rules, which seems to indicate we can change it.

But from: https://wiki.openstack.org/wiki/Neutron/SecurityGroups

Allows specifications of ingress and egress (Nova security groups defines ingress rules only) --

We are using nova security groups and nova-network. So apparently no egress filters for us :-/ We will need to migrate to Neutron and stop using Nova security groups.

And from https://bugs.launchpad.net/nova/+bug/1267140 :

... nova-network only supported ingress rules, so nova API matches that. If you want egress rules, you should use the Neutron API.
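As an added illustration (not code from the task or from the Wikimedia CI project), the following Python model turns the rule list sketched in the task description into Neutron-style security group rules and contrasts the two filtering semantics discussed above: Neutron drops any flow in either direction that no rule matches, whereas nova-network only ever evaluates ingress rules, so every egress flow is allowed no matter what rules exist. All CIDRs and ports for puppet, DNS, NTP, Gerrit, Zuul, the package mirrors and the Jenkins master are constructed placeholders, not real wmflabs addresses.

```python
"""Added example: model of Neutron vs nova-network security group semantics
for the contintcloud isolation rules.  Not part of the original task.
All addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List


@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" or "egress" (Neutron lets you set this)
    protocol: Optional[str]   # "tcp", "udp", or None for any protocol
    port_min: Optional[int]   # None means any port
    port_max: Optional[int]
    remote_cidr: str          # peer network, like Neutron's remote_ip_prefix

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_min is not None and not (self.port_min <= port <= self.port_max):
            return False
        return ip_address(peer_ip) in ip_network(self.remote_cidr)


@dataclass(frozen=True)
class Flow:
    direction: str   # seen from the contintcloud instance
    protocol: str
    port: int
    peer_ip: str


# Hypothetical placeholder networks for the hosts the task description names.
LABS_INFRA = "10.64.0.0/24"       # puppet master, DNS, NTP
PACKAGE_MIRRORS = "10.64.2.0/24"  # npm/pip/rubygems proxies
GERRIT = "10.64.1.10/32"
ZUUL = "10.64.1.20/32"
JENKINS_MASTER = "10.64.1.30/32"

CONTINTCLOUD_RULES: List[Rule] = [
    Rule("egress", "tcp", 8140, 8140, LABS_INFRA),     # puppet agent -> master
    Rule("egress", "udp", 53, 53, LABS_INFRA),         # dns
    Rule("egress", "udp", 123, 123, LABS_INFRA),       # ntp
    Rule("egress", "tcp", 443, 443, PACKAGE_MIRRORS),  # npm/pip/rubygems
    Rule("egress", "tcp", 29418, 29418, GERRIT),       # gerrit over ssh
    Rule("egress", "tcp", 443, 443, ZUUL),             # zuul git repositories
    Rule("ingress", "tcp", 22, 22, JENKINS_MASTER),    # jenkins master via ssh
]


def neutron_allows(rules: List[Rule], flow: Flow) -> bool:
    """Neutron security groups: default deny in both directions; a flow passes
    only if some rule with the same direction matches it."""
    return any(r.matches(flow.direction, flow.protocol, flow.port, flow.peer_ip)
               for r in rules)


def nova_network_allows(rules: List[Rule], flow: Flow) -> bool:
    """nova-network security groups: the API only knows ingress rules, so any
    egress rule in the list is simply not enforceable and all outbound
    traffic is allowed.  Ingress stays default-deny against ingress rules."""
    if flow.direction == "egress":
        return True
    return any(r.matches("ingress", flow.protocol, flow.port, flow.peer_ip)
               for r in rules if r.direction == "ingress")


def unfilterable_egress(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows that nova-network lets out but Neutron would drop: exactly the
    cross-project reachability the task wants to close off."""
    return [f for f in flows
            if nova_network_allows(rules, f) and not neutron_allows(rules, f)]


if __name__ == "__main__":
    # Constructed sample: one legitimate gerrit flow, one reach into a
    # hypothetical other labs project, one unsolicited ssh attempt.
    sample = [
        Flow("egress", "tcp", 29418, "10.64.1.10"),
        Flow("egress", "tcp", 80, "10.68.5.5"),
        Flow("ingress", "tcp", 22, "10.68.5.5"),
    ]
    for f in sample:
        print(f, "neutron:", neutron_allows(CONTINTCLOUD_RULES, f),
              "nova-network:", nova_network_allows(CONTINTCLOUD_RULES, f))
    print("only nova-network lets through:", unfilterable_egress(CONTINTCLOUD_RULES, sample))
```

The `unfilterable_egress` helper is the check to run against a proposed rule set: any flow it returns is traffic the current nova-network setup cannot stop, which is the practical meaning of "no egress filters for us" in the comment above.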

Peter601980 renamed this task from Isolate contintcloud nova project from the rest of the wmflabs cloud to r. Dec 28 2015, 8:06 AM
Peter601980 closed this task as Invalid.
Peter601980 lowered the priority of this task from Medium to Lowest.
Peter601980 updated the task description. (Show Details)
Peter601980 changed Security from None to Access Request.
Peter601980 removed subscribers: Krenair, Andrew, JanZerebecki and 2 others.
TTO renamed this task from r to Isolate contintcloud nova project from the rest of the wmflabs cloud. Dec 28 2015, 9:12 AM
TTO reopened this task as Open.
TTO raised the priority of this task from Lowest to Medium.
TTO updated the task description. (Show Details)
TTO changed Security from Access Request to None.
TTO added subscribers: Krenair, JanZerebecki, Andrew and 2 others.

That is no longer needed. Nodepool is legacy and it will be phased out (as well as contintcloud) over the next few months.