Ask Your Question
0

How works Security Groups?

asked 2016-05-18 09:48:45 -0500

David17 gravatar image

Hi,

I would like to know how really works the security groups, What is the mechanism to pass the rules to the machines? It use a orchestation tool? Where I can find this information?

Thanks!!

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2016-05-19 10:34:12 -0500

rmelton gravatar image

updated 2016-05-19 11:19:28 -0500

Security Group rules are enforced by Linux iptable rules at the compute host level. I'm using DVR (dist virtual routing) on Kilo, here are some rules dumped out on a compute host:

sudo iptables -L

Chain neutron-openvswi-i76b78cbd-2 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  192.168.51.2         anywhere             udp spt:bootps dpt:bootpc
RETURN     tcp  --  anywhere             anywhere             tcp
RETURN     udp  --  anywhere             anywhere             udp
RETURN     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

yes, you can create security group rules in Heat orchestration template. Here is a brief example:

 mysecurity_group:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Neutron security group rules
      name: mysecurity_group
      rules:
      - remote_ip_prefix: 0.0.0.0/0
        protocol: tcp
        port_range_min: 0
        port_range_max: 65535
        direction: ingress
edit flag offensive delete link more

Comments

I'm new to the whole OpenStack networking but this article (1) suggests they're implemented on virtual switch instead of on the hosts themselves. I tried finding more info about that but couldn't.

1) https://www.stratoscale.com/blog/openstack/openstack-security-groups-best-practices/ (https://www.stratoscale.com/blog/open...)

petrroll gravatar imagepetrroll ( 2018-07-12 13:06:44 -0500 )edit
add a comment
0

answered 2016-05-19 05:42:48 -0500

dbaxps gravatar image

See for instance
https://www.rdoproject.org/networking...

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2016-05-18 09:48:45 -0500

Seen: 802 times

Last updated: May 19 '16

Related questions

security group and neutron

[Solved] Rocky linuxbridge-agent keyword 'integration_bridge' and no attribute 'state_rpc'

How to add additional mangle rules into qrouter ?

neutron security group entry only works after iptables alteration on instance

iptables issue between spawned instance and compute host

Heat template: Can I create circular refference with OS::Neutron::SecurityGroup ?

RDO allinone (havana) with neutron

In iptables INPUT, FORWARD and OUTPUT chains, should nova-compute rules come first or linuxbri rules? [closed]

Get remote IP in OpenStack virtual machine accessed via NAT

When iptables is active i can't ping floating ip ,but when iptables is disable, floaing ip, private ip and every thing work perfect !!