Page MenuHomePhabricator

Clean out unused security groups on toollabs
Closed, ResolvedPublic


Lots of them are bogus, since most do not need to be accessed from outside the project at all.

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: Toolforge.
yuvipanda subscribed.

Yes, but is the intra-project "accept all" policy a dependable promise or a bug in OpenStack that might disappear in the future? In general, it would certainly be preferable to just use ferm in Labs as well (use as in: "default deny all").

I think it will be a promise. If not pretty much everything breaks
everywhere :)

We can't use ferm for per project rules because our network topology isn't
really segregated by project and IP assignment is random...

That's right, but it only means that someone must manually enter the 10 IPs a project typically has at best :-).

scfc triaged this task as Low priority.Apr 6 2015, 7:31 AM
scfc moved this task from Backlog to Ready to be worked on on the Toolforge board.

import mwopenstackclients

clients = mwopenstackclients.clients()
nova = clients.novaclient()

instances = clients.allinstances(projectid='tools', allregions=True)
allgroups = {}
for instance in instances:
    for group in instance.security_groups:
        if group['name'] not in allgroups:
            allgroups[group['name']] = []

for group in sorted(allgroups.keys()):
    print("%s: %s" % (group, len(allgroups[group])))

MTA: 1
bastion: 2
checker: 1
default: 171
docker-registry: 2
elasticsearch: 3
etcd: 6
execnode: 71
gridmaster: 2
k8s-master: 1
k8s-worker: 39
letsencrypt: 1
paws: 12
paws-master: 1
prometheus: 2
puppetmaster: 1
redis: 2
tools-new-k8s-full-connectivity: 8
webproxy: 4
webserver: 33

Unused are:


Mentioned in SAL (#wikimedia-cloud) [2019-12-09T11:06:34Z] <andrewbogott> deleting unused security groups: catgraph, devpi, MTA, mysql, syslog, test T91619