Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-10 Thread Baohua Yang
Not arguing if it's suitable to implement this with security-group commands.

To solve the problem, I guess no 20 rules are necessary at all.

You can just add one rule like the following to allow all traffic going
out of the VM.

iptables -I neutron-openvswi-o9LETTERID -j RETURN
where the ID part is the first 9 letters of the ID of the port attached to the VM.
This rule will bypass all security filtering for the outgoing traffic.

On Fri, Sep 5, 2014 at 11:27 PM, Monty Taylor mord...@inaugust.com wrote:

 Hi!

 I've decided that as I have problems with OpenStack while using it in the
 service of Infra, I'm going to just start spamming the list.

 Please make something like this:

 neutron security-group-create default --allow-every-damn-thing

 Right now, to make security groups get the hell out of our way because
 they do not provide us any value because we manage our own iptables, it
 takes adding something like 20 rules.

 15:24:05  clarkb | one each for ingress and egress udp tcp over
 ipv4 then ipv6 and finally icmp

 That may be great for someone using my-first-server-pony, but for me, I
 know how the internet works, and when I ask for a server, I want it to just
 work.

 Now, I know, I know - the DEPLOYER can make decisions blah blah blah.

 BS

 If OpenStack is going to let my deployer make the absolutely asinine
 decision that all of my network traffic should be blocked by default, it
 should give me, the USER, a get out of jail free card.

 kthxbai

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




-- 
Best wishes!
Baohua
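The chain-level bypass Baohua describes, worked through as an added example in shell (not code from the thread or from Neutron). It assumes the Juno-era OVS hybrid iptables driver's naming, where the per-port chain is neutron-openvswi- plus a direction letter (o for egress, i for ingress) plus a truncated port UUID; the code truncates to 10 characters, which is how I read the driver, while Baohua's note says 9, so confirm the real name with `iptables -S | grep neutron-openvswi-o` before inserting anything. Two caveats a deployer should know: the driver puts the jump to the anti-spoofing chain (neutron-openvswi-s...) first in the egress chain, so a RETURN inserted at position 1 also disables the MAC/IP spoofing protection for that port; and the agent regenerates every neutron-openvswi-* chain through iptables-restore whenever it refreshes that port's rules (any security-group change, agent restart), which silently drops the hand-inserted rule.

```shell
# Added example, not Baohua's code and not part of Neutron.
# Assumption: OVS hybrid driver chain naming, "neutron-openvswi-" + direction
# letter + first 10 characters of the port UUID. Verify on the compute node
# with: iptables -S | grep neutron-openvswi-o

# port_chain DIRECTION PORT_UUID: print the derived per-port chain name.
port_chain() {
    case "$1" in
        ingress) letter=i ;;
        egress)  letter=o ;;
        *) echo "direction must be ingress or egress, got '$1'" >&2; return 1 ;;
    esac
    echo "neutron-openvswi-${letter}$(printf '%s' "$2" | cut -c1-10)"
}

# bypass_rule DIRECTION PORT_UUID: the iptables command that short-circuits
# all security-group filtering (and, for egress, the anti-spoofing chain the
# driver jumps to first) for that port in that direction.
bypass_rule() {
    chain=$(port_chain "$1" "$2") || return 1
    echo "iptables -I $chain 1 -j RETURN"
}

# apply_bypass DIRECTION PORT_UUID: run it as root, refusing to touch a chain
# that does not exist (wrong port id, different firewall driver, or the
# agent has not wired the port yet).
apply_bypass() {
    chain=$(port_chain "$1" "$2") || return 1
    if ! iptables -S "$chain" >/dev/null 2>&1; then
        echo "chain $chain not found; check the port id and firewall driver" >&2
        return 1
    fi
    # The agent's next iptables-restore of this port's chains discards this rule.
    iptables -I "$chain" 1 -j RETURN
}
```

Usage on the compute node hosting the VM, as root: `. ./bypass.sh; apply_bypass egress <port-uuid>`; `bypass_rule` prints the command without running it, which is enough to compare against the chain names `iptables -S` actually shows.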


Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-08 Thread Brian Haley
On 09/05/2014 11:27 AM, Monty Taylor wrote:
 Hi!
 
 I've decided that as I have problems with OpenStack while using it in the
 service of Infra, I'm going to just start spamming the list.
 
 Please make something like this:
 
 neutron security-group-create default --allow-every-damn-thing

Does this work?  Sure, it's a rule in the default group and not a group itself,
but it's a one-liner:

$ neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 default

 Right now, to make security groups get the hell out of our way because they do
 not provide us any value because we manage our own iptables, it takes adding
 something like 20 rules.
 
 15:24:05  clarkb | one each for ingress and egress udp tcp over ipv4
 then ipv6 and finally icmp

I guess you mean 20 rules because there's services using ~20 different ports,
which sounds about right.  If you really didn't care you could have just opened
all of ICMP, TCP and UDP with three rules.

And isn't egress typically wide-open by default?  You shouldn't need any rules
there.

And I do fall in the more security camp - giving someone a publicly-routable
IP address with all ports open is not typically a good idea, I wouldn't want to
hear the complaints from customers on that one...

-Brian

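Brian's one-liner extended to both address families, as an added example in shell (not code from the thread). It assumes the python-neutronclient `neutron` CLI of that era and relies on two facts about the API: a rule created without --protocol matches every protocol, and the default group is created with allow-all egress rules for IPv4 and IPv6, so only ingress needs opening, as Brian says. His command covers IPv4 only; the IPv6 rule has to set --ethertype IPv6, because Neutron rejects a remote prefix whose address family differs from the rule's ethertype (which defaults to IPv4). Setting DRY_RUN prints the commands instead of running them, which is how rule_count works without a cloud.

```shell
# Added example, not code from the thread or from Neutron.
# Assumes the python-neutronclient "neutron" CLI and an authenticated
# environment (OS_* variables) when run for real.

NEUTRON=${NEUTRON:-neutron}

# run CMD...: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# open_group [GROUP] [DIRECTIONS]: allow every protocol from every source for
# GROUP (default: "default") in each listed direction (default: ingress only,
# since Neutron's default group already carries allow-all egress rules).
# No --protocol means all protocols, so one rule per ethertype is enough.
open_group() {
    group=${1:-default}
    directions=${2:-ingress}
    for dir in $directions; do
        run "$NEUTRON" security-group-rule-create --direction "$dir" \
            --ethertype IPv4 --remote-ip-prefix 0.0.0.0/0 "$group"
        # Ethertype must match the prefix family or the API rejects the rule.
        run "$NEUTRON" security-group-rule-create --direction "$dir" \
            --ethertype IPv6 --remote-ip-prefix ::/0 "$group"
    done
}

# rule_count [GROUP] [DIRECTIONS]: how many API rules open_group would
# create, computed from a dry run so it needs no cloud.
rule_count() {
    (DRY_RUN=1; export DRY_RUN; open_group "$@") | wc -l | tr -d ' '
}
```

Usage: `. ./open_default.sh; DRY_RUN=1 open_group default` to see the two commands, `open_group default` to apply them, and `open_group default 'ingress egress'` for the four-rule variant if the deployer has stripped the default egress rules.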


Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-06 Thread Lingxian Kong
Hi, Monty,

Thanks for bringing this topic up. I think the blueprint that Miguel
mentioned will address the issue you're suffering from, but maybe
there are not many people interested in this feature, so
unfortunately, the bp will not land in the Juno release. But I will
continue the bp when the Kilo dev cycle gets started, since I believe
this feature will benefit people like you.

2014-09-06 0:17 GMT+08:00 Dean Troyer dtro...@gmail.com:
 On Fri, Sep 5, 2014 at 10:27 AM, Monty Taylor mord...@inaugust.com wrote:

 I've decided that as I have problems with OpenStack while using it in the
 service of Infra, I'm going to just start spamming the list.


 User CLI/API feedback!


 neutron security-group-create default --allow-every-damn-thing


 You mean like this?  https://review.openstack.org/#/c/119407/

 dt

 *Disclaimer: For demonstration purposes on nova-network only; the views
 expressed here may not be those of the OpenStack Foundation, its member
 companies or lackeys; in case of duplicates, ties will be awarded; your
 mileage may vary; allow 4 to 6 weeks for delivery; any resemblance to
 functional code, living or dead, is unintentional and purely coincidental;
 representations of this code may be freely reused without the express
 written consent of the Commissioner of the National Football League.

 --

 Dean Troyer
 dtro...@gmail.com





-- 
Regards!
---
Lingxian Kong



Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-06 Thread Salvatore Orlando
While it's good that somebody is addressing this specific issue, perhaps
punctual solutions (e.g. "hey, I have a patch for that") are not
addressing the general issue, which is that Neutron has very granular
primitives that force users to do multiple API requests for operations they
regard as atomic.

What we need, in my opinion, is a set of macros which will provide some
basic orchestration over the primitives exposed by the Neutron API. For
instance another macro which has been requested several times is the
ability to create a port and associate it with a floating IP (well actually
the request I think is to boot a server with a public IP).
I think such macros are better placed on the server side rather than the
CLI, mostly because not all API clients use the CLI and failure management
is easier if done on the server side.
On the other hand, I see those macros better implemented as additions on
top of the current API rather than by modifying resources and actions
available in the current API.

I think it will be a good idea to compile a list of all the macros we want
to implement for Kilo, and then implement all of them within this
mini-framework, rather than as many disjoint blueprints.

On another note, I think the teams working on the group policy API have
asserted several times that the new abstractions proposed will
automatically simplify the user interface. Everybody will be super happy
when that happens, but in the meanwhile we should provide solutions
targeting the current Neutron API.

Salvatore




Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-05 Thread Miguel Angel Ajo Pelayo

I believe your request matches this, and I agree
it'd be something good

https://blueprints.launchpad.net/neutron/+spec/default-rules-for-default-security-group

And also, the fact that we have hardcoded default
security group settings. It would be good to have
system-wide default security group settings.

https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L122





- Original Message -
 Hi!
 
 I've decided that as I have problems with OpenStack while using it in
 the service of Infra, I'm going to just start spamming the list.
 
 Please make something like this:
 
 neutron security-group-create default --allow-every-damn-thing
 
 Right now, to make security groups get the hell out of our way because
 they do not provide us any value because we manage our own iptables, it
 takes adding something like 20 rules.
 
 15:24:05  clarkb | one each for ingress and egress udp tcp over
 ipv4 then ipv6 and finally icmp
 
 That may be great for someone using my-first-server-pony, but for me, I
 know how the internet works, and when I ask for a server, I want it to
 just work.
 
 Now, I know, I know - the DEPLOYER can make decisions blah blah blah.
 
 BS
 
 If OpenStack is going to let my deployer make the absolutely asinine
 decision that all of my network traffic should be blocked by default, it
 should give me, the USER, a get out of jail free card.
 
 kthxbai
 


Re: [openstack-dev] [nova][neutron] default allow security group

2014-09-05 Thread Dean Troyer
On Fri, Sep 5, 2014 at 10:27 AM, Monty Taylor mord...@inaugust.com wrote:

 I've decided that as I have problems with OpenStack while using it in the
 service of Infra, I'm going to just start spamming the list.


User CLI/API feedback!


 neutron security-group-create default --allow-every-damn-thing


You mean like this?  https://review.openstack.org/#/c/119407/

dt

*Disclaimer: For demonstration purposes on nova-network only; the views
expressed here may not be those of the OpenStack Foundation, its member
companies or lackeys; in case of duplicates, ties will be awarded; your
mileage may vary; allow 4 to 6 weeks for delivery; any resemblance to
functional code, living or dead, is unintentional and purely coincidental;
representations of this code may be freely reused without the express
written consent of the Commissioner of the National Football League.

-- 

Dean Troyer
dtro...@gmail.com