Page MenuHomePhabricator
Create Task
Maniphest T91619

Clean out unused security groups on toollabs
Closed, ResolvedPublic
Actions

Description

Lots of them are bogus, since most do not need to be accessed from outside the project at all.

Related Objects

Event Timeline

yuvipanda created this task.Mar 5 2015, 8:20 AM
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added a project: Toolforge.
yuvipanda subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 5 2015, 8:20 AM
yuvipanda added subscribers: coren, scfc.Mar 5 2015, 11:48 AM
scfc added a comment.Mar 5 2015, 3:36 PM

Yes, but is the intra-project "accept all" policy a dependable promise or a bug in OpenStack that might disappear in the future? In general, it would certainly be preferable to just use ferm in Labs as well (use as in: "default deny all").

yuvipanda added a comment.Mar 5 2015, 3:41 PM

I think it will be a promise. If not pretty much everything breaks
everywhere :)

yuvipanda added a comment.Mar 5 2015, 3:42 PM

We can't use ferm for per project rules because our network topology isn't
really segregated by project and IP assignment is random...

scfc added a comment.Mar 5 2015, 4:48 PM

That's right, but it only means that someone must manually enter the 10 IPs a project typically has at best :-).

scfc triaged this task as Low priority.Apr 6 2015, 7:31 AM
scfc moved this task from Backlog to Ready to be worked on on the Toolforge board.
Aklapper added a project: Cloud-Services.Oct 24 2015, 8:02 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:54 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.Mar 21 2019, 6:54 PM
Krenair subscribed.Sep 25 2019, 11:09 PM

Tricky to figure out which ones are in use or not due to T222414: Nova policy does not permit novaobserver to view an instance's security groups

Andrew claimed this task.Nov 27 2019, 4:21 PM
Andrew added a comment.Dec 9 2019, 11:00 AM
#!/usr/bin/python

import mwopenstackclients

clients = mwopenstackclients.clients()
nova = clients.novaclient()

instances = clients.allinstances(projectid='tools', allregions=True)
allgroups = {}
for instance in instances:
    for group in instance.security_groups:
        if group['name'] not in allgroups:
            allgroups[group['name']] = []
        allgroups[group['name']].append(instance.name)

for group in sorted(allgroups.keys()):
    print("%s: %s" % (group, len(allgroups[group])))

MTA: 1
bastion: 2
checker: 1
default: 171
docker-registry: 2
elasticsearch: 3
etcd: 6
execnode: 71
gridmaster: 2
k8s-master: 1
k8s-worker: 39
letsencrypt: 1
paws: 12
paws-master: 1
prometheus: 2
puppetmaster: 1
redis: 2
tools-new-k8s-full-connectivity: 8
webproxy: 4
webserver: 33

Andrew added a comment.Dec 9 2019, 11:03 AM

Unused are:

catgraph
devpi
MTA
mysql
syslog
test

Stashbot added a comment.Dec 9 2019, 11:06 AM

Mentioned in SAL (#wikimedia-cloud) [2019-12-09T11:06:34Z] <andrewbogott> deleting unused security groups: catgraph, devpi, MTA, mysql, syslog, test T91619

Andrew closed this task as Resolved.Dec 9 2019, 11:07 AM

deleted.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits