
How do I set OS::Neutron::Port security_groups property when autoscaling?

asked 2015-08-07 01:17:15 -0500

jwitko1

updated 2015-08-07 12:00:15 -0500

Hey All,

I am having issues on the Kilo branch creating an auto-scaling template that builds a security group and then adds instances to it. I have tried every method I could think of with no success. My issues are as follows:

1) OS::Neutron::Port does not seem to recognize security groups by name; the Heat template is building the security group, so I do not have an ID until run time
2) OS::Neutron::SecurityGroup has no attributes or methods for returning the ID of the security group one created

The entire heat stack will complete and report successful but the ports will not have security groups attached to them (using neutron port-show <port-id> to check).

Here are my heat template files:

autoscaling.yaml - http://paste.openstack.org/show/412143/

heat_template_version: 2015-04-30
description: Auto-scaling group for redirector
parameters:
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  private_net_id:
    type: string
    description: ID of private network into which servers get deployed
  private_subnet_id:
    type: string
    description: ID of private sub network into which servers get deployed

resources:
  asg:
    type: OS::Heat::AutoScalingGroup
    properties:
      cooldown: 5
      desired_capacity: 3
      max_size: 5
      min_size: 3
      resource:
        type: redirector.yaml
        properties:
          image: { get_param: image }
          flavor: { get_param: flavor }
          private_net_id: { get_param: private_net_id }
          private_subnet_id: { get_param: private_subnet_id }

redirector.yaml - http://paste.openstack.org/show/412144/

heat_template_version: 2015-04-30

description: HOT template to deploy redirect servers into an existing external network subnet.

parameters:
  image:
    type: string
    description: Name of image to use for servers
  flavor:
    type: string
    description: Flavor to use for servers
  private_net_id:
    type: string
    description: ID of private network into which servers get deployed
  private_subnet_id:
    type: string
    description: ID of private sub network into which servers get deployed

resources:
  server_security_group:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Add security group rules for server
      name: redirector-security-group
      rules:
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
        - remote_ip_prefix: 0.0.0.0/0
          protocol: icmp
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 3170
          port_range_max: 3170
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 4002
          port_range_max: 4002
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 5040
          port_range_max: 5040
        - remote_ip_prefix: 0.0.0.0/0
          protocol: udp
          port_range_min: 5040
          port_range_max: 5040
        - remote_ip_prefix: 0.0.0.0/0
          protocol: udp
          port_range_min: 5060
          port_range_max: 5060
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 5060
          port_range_max: 5060
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp
          port_range_min: 38807
          port_range_max: 38807
        - remote_ip_prefix: 0.0.0.0/0
          protocol: udp
          port_range_min: 38807
          port_range_max: 38807
        - remote_ip_prefix: 0.0.0.0/0
          protocol: udp
          port_range_min: 28807
          port_range_max: 28807
        - remote_ip_prefix: 0.0.0.0/0
          protocol: tcp

  server_port:
    type: OS::Neutron::Port
    properties:
      device_owner: "network:dhcp"
      name: "oss-redirect_%index%"
      network_id: { get_param: private_net_id }
      security_groups:
        - { get_resource: server_security_group }
      fixed_ips:
        - subnet_id: { get_param: private_subnet_id }

  server:
    type: OS::Nova::Server
    properties:
      name: "oss-redirect_%index%"
      availability_zone: nova
      flavor: { get_param: flavor }
      config_drive: true
      block_device_mapping:
        - device_name: vda
          delete_on_termination: true
          snapshot_id: { get_param: image }
      networks:
        - port: { get_resource: server_port }

outputs:
  server_private_ip:
    description: IP address of ...

1 answer


answered 2015-08-10 11:01:33 -0500

jwitko1

Had to remove the line device_owner: "network:dhcp"; you cannot set a security group on a port you are not the owner of.

Also of note, %index% does not work in the name property.
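
The stack in the question reported success while its ports carried no security groups, so the check has to be made on the ports themselves. The following is an added example, not part of the original question or answer: it automates the manual `neutron port-show` check over a port listing. The port and group IDs are constructed, and the JSON is assumed to follow the shape of the Neutron ports API response (`id`, `device_owner`, `security_groups`).

```python
import json

# Constructed sample in the shape of a Neutron "list ports" response.
# All IDs below are made up for illustration.
SAMPLE_PORTS_JSON = """
{"ports": [
  {"id": "port-aaa", "device_owner": "network:dhcp",
   "security_groups": []},
  {"id": "port-bbb", "device_owner": "compute:nova",
   "security_groups": ["sg-111"]},
  {"id": "port-ccc", "device_owner": "compute:nova",
   "security_groups": ["sg-999"]}
]}
"""


def audit_ports(ports_json, expected_sg_id):
    """Return (port_id, reason) for each port lacking the expected group."""
    findings = []
    for port in json.loads(ports_json)["ports"]:
        groups = port.get("security_groups") or []
        if expected_sg_id in groups:
            continue  # port is filtered by the group the template created
        owner = port.get("device_owner") or ""
        if not groups and owner == "network:dhcp":
            # The case from the answer: the template set device_owner
            # and the port ended up with no security groups at all.
            reason = "no security groups; device_owner is network:dhcp"
        elif not groups:
            reason = "no security groups attached"
        else:
            reason = "expected group missing; has " + ",".join(groups)
        findings.append((port["id"], reason))
    return findings


if __name__ == "__main__":
    for port_id, reason in audit_ports(SAMPLE_PORTS_JSON, "sg-111"):
        print(f"FAIL {port_id}: {reason}")
```

Run against the real port listing after each stack create or scale-up, a non-empty result means at least one instance port is not filtered by the intended group even though Heat reported success.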


Stats

Asked: 2015-08-07 01:14:13 -0500

Seen: 4,544 times

Last updated: Aug 10 '15