
Template Security Groups do not seem to get applied to instances

asked 2013-05-11 22:34:16 -0500

sasokavcic66

I am using single node devstack with heat and quantum enabled. In the template I have created there are three instances that have two types of security groups applied in the template. The security groups get created, but they do not seem to get applied to the instances, which instead use the default security group. I would like to know if I am doing something wrong in the template.

Template:

{
"AWSTemplateFormatVersion" : "2013-05-04",

"Description" : "AWS CloudFormation template for use with OpenStack. It uses Quantum for networking configuration. It sets up three Ubuntu 12.04 instances, each on its own subnet/network. One instance is set up with bind9 for configuration of DNS server. When stack is created, DNS is not configured, just installed on the instance. The other two instances are used for testing DNS configuration. The three subnets are connected with a router, that is also connected to the external network. Floating IPs are also provided to the spawned instances for external communication.",

"Parameters" : {

"KeyName" : {
  "Description" : "Name of an existing EC2 KeyPair to enable SSH access to the instances",
  "Type" : "String"
},

"ExtNetUuid" : {
  "Description" : "UUID of the external network to be used for external access",
  "Type" : "String"
},

"InstanceType" : {
  "Description" : "DNSServer EC2 instance type",
  "Type" : "String",
  "Default" : "m1.micro",
  "AllowedValues" : [ "t1.micro", "m1.small", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "c1.medium", "c1.xlarge", "cc1.4xlarge", "m1.micro" ],
  "ConstraintDescription" : "must be a valid EC2 instance type."
},
"LinuxDistribution": {
  "Default": "U12",
  "Description" : "Distribution of choice",
  "Type": "String",
  "AllowedValues" : [ "U10", "U12" ]
}

},

"Mappings" : {
"AWSInstanceType2Arch" : {
  "t1.micro" : { "Arch" : "32" },
  "m1.small" : { "Arch" : "32" },
  "m1.large" : { "Arch" : "64" },
  "m1.xlarge" : { "Arch" : "64" },
  "m2.xlarge" : { "Arch" : "64" },
  "m2.2xlarge" : { "Arch" : "64" },
  "m2.4xlarge" : { "Arch" : "64" },
  "c1.medium" : { "Arch" : "32" },
  "c1.xlarge" : { "Arch" : "64" },
  "cc1.4xlarge" : { "Arch" : "64" },
  "m1.micro" : { "Arch" : "64" }
},
"DistroArch2AMI": {
  "U12" : { "32" : "U12-i386-cfntools", "64" : "U12-x86_64-cfntools" },
  "U10" : { "32" : "U10-i386-cfntools", "64" : "U10-x86_64-cfntools" }
}
},

"Resources" : {

"network": {
  "Type": "OS::Quantum::Net",
  "Properties": {
    "name": "local_network"
  }
},

"subnet": {
  "Type": "OS::Quantum::Subnet",
  "Properties": {
    "network_id": { "Ref" : "network" },
    "ip_version": 4,
    "cidr": "10.0.10.0/24",
    "allocation_pools": [{"start": "10.0.10.20", "end": "10.0.10.50"}]
  }
},

"DNSServerPort": {
  "Type": "OS::Quantum::Port",
  "Properties": {
    "network_id": { "Ref" : "network" },
    "fixed_ips": [{
      "subnet_id": { "Ref" : "subnet" },
      "ip_address": "10.0.10.30"
    }]
  }
},

"Client1Port": {
  "Type": "OS::Quantum::Port",
  "Properties": {
    "network_id": { "Ref" : "network" },
    "fixed_ips": [{
      "subnet_id": { "Ref" : "subnet" },
      "ip_address": "10.0.10.31"
    }]
  }
},

"Client2Port": {
  "Type": "OS::Quantum::Port",
  "Properties": {
    "network_id": { "Ref" : "network" },
    "fixed_ips": [{
      "subnet_id": { "Ref" : "subnet" },
      "ip_address": "10.0.10.32"
    }]
  }
},

"router": {
  "Type": "OS::Quantum::Router"
},

"router_interface_private": {
  "Type": "OS::Quantum::RouterInterface",
  "Properties": {
    "router_id": { "Ref" : "router" },
    "subnet_id": { "Ref" : "subnet" }
  }
},

"router_gateway_external": {
  "Type": "OS::Quantum::RouterGateway",
  "Properties": {
    "router_id": { "Ref" : "router" },
    "network_id": { "Ref" : "ExtNetUuid" }
  }
},

"DNSServerSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable ping, SSH and DNS (port 53) access",
    "SecurityGroupIngress" : [
      {"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "0.0.0.0/0"},
      {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"},
      {"IpProtocol" : "tcp", "FromPort" : "53", "ToPort" : "53", "CidrIp" : "0.0.0.0/0"},
      {"IpProtocol" : "udp", "FromPort" : "53", "ToPort" : "53", "CidrIp" : "0.0.0.0/0"}
    ]
  }
},

"MinimalSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable only ...

4 answers


answered 2013-05-13 15:55:54 -0500

I suspect that if you assign the DNSServerPort in the same security group as the instance the security group will be applied as expected.


answered 2013-05-14 17:34:01 -0500

sasokavcic66

Can you help me add the security group to the port? I have added the following line to the port properties: "security_groups" : [ { "Ref" : "DNSServerSecurityGroup" } ],

But when I try to create the stack I get the following error:

| stack_status_reason | Resource Port "DNSServerPort" failed with:           |
|                     | QuantumClientException: Invalid input for operation: |
|                     | 'DNSServerSecurityGroup' is not an integer or uuid.  |

I


answered 2013-05-14 20:16:49 -0500

It appears that you have done so correctly, as I'm getting the same error message. So this is a bug, and you can track its progress via the related bugs link above.


answered 2013-09-03 18:06:02 -0500

The template used with today's code would not be allowed because SecurityGroups and NetworkInterfaces are not allowed to both be used simultaneously. With the fix for bug 1179481 now merged, you should be able to specify the security groups on the port successfully.

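An added example, not part of the thread and not Heat's own code: a small check over a template's Resources that flags the two conditions the answers discuss, an instance that sets both SecurityGroups and NetworkInterfaces, and a referenced port that carries no security_groups of its own. The sample template is constructed, and its instance definitions (including passing ports as `{"Ref": ...}` in NetworkInterfaces) are an assumption, since the posted template is cut off before its instances.

```python
import json

# Constructed sample modelled on the question's resource names; the instance
# definitions are assumed because the posted template is truncated before them.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "DNSServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "ssh", "SecurityGroupIngress": []}},
    "DNSServerPort": {"Type": "OS::Quantum::Port",
      "Properties": {"network_id": "net"}},
    "Client1Port": {"Type": "OS::Quantum::Port",
      "Properties": {"network_id": "net",
                     "security_groups": [{"Ref": "DNSServerSecurityGroup"}]}},
    "DNSServer": {"Type": "AWS::EC2::Instance",
      "Properties": {"SecurityGroups": [{"Ref": "DNSServerSecurityGroup"}],
                     "NetworkInterfaces": [{"Ref": "DNSServerPort"}]}},
    "Client1": {"Type": "AWS::EC2::Instance",
      "Properties": {"NetworkInterfaces": [{"Ref": "Client1Port"}]}}
  }
}
""")

def _refs(values):
    """Resource names referenced as {"Ref": name} in a property list."""
    return [v["Ref"] for v in values or [] if isinstance(v, dict) and "Ref" in v]

def audit_security_groups(template):
    """Return (instance, finding) pairs where groups may not take effect."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in sorted(resources.items()):
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        ports = _refs(props.get("NetworkInterfaces"))
        if ports and props.get("SecurityGroups"):
            findings.append((name, "SecurityGroups used together with NetworkInterfaces"))
        for port in ports:
            port_props = resources.get(port, {}).get("Properties", {})
            if not port_props.get("security_groups"):
                findings.append((name, "port %s has no security_groups" % port))
    return findings

if __name__ == "__main__":
    for resource, finding in audit_security_groups(SAMPLE_TEMPLATE):
        print("%s: %s" % (resource, finding))
```

Running such a check before stack creation catches a template whose instances would come up in the default security group instead of the intended one.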


Stats

Asked: 2013-05-11 22:34:16 -0500

Seen: 94 times

Last updated: Sep 03 '13