GitLab

Inspired by the recent mirai-in-openstack problem in a cloudlab experiment, Leigh and I had this conversation. I'll tackle this at the same time I do the openstack profile upgrade (#341 (closed)).

@stoller: Just curious .... but on clusters with control net vlans, we can do per-experiment firewalls, can we put the Openstack profile behind that firewall?

 @johnsond: There might be some complications. For instance, the per-VM VNC proxy service that listens on the public ifaces of the physical hosts, might listen on a random port; I can't recall. Then, of course, any outbound internet traffic from the VMs is being SNAT'd by the openstack virtual routers (whose control net IP is one of the floating IPs allocated to the expt), so we would want to extend the firewall ruleset to drop all outbound traffic from the floating IPs, and only allow inbound ssh + established (ssh) connections to them. Regular rulesets for the physical host IPs would suffice. I thought about this yesterday, but given the complications I didn't suggest it immediately. If you have a geni-lib profile with a firewall node and custom rules, I will look at adding a parameter that sticks a firewall node in front. But again, the custom rules for the floating ips have to be handled at runtime on the firewall. We could have a template ruleset that gets applied to the firewall for each floating ip, but what says you want the same ruleset for each floating ip. We also have no way to refer to floating ips as resource ids, so there is no way to bind a particular ruleset template to a particular IP. Oh well, I suppose for this case, the ability to bind a template ruleset to floating ips could be good enough. Anyway, I suppose there could be more complications than I can think of; openstack is a big beast; but I bet we could make it work.