Quantum Security Groups Session

Dave Lapsley
@davlaps
http://slidesha.re/HQvDTk
http://etherpad.openstack.org/quantum-folsom
Session Goals

• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other
Proposal: move Security Groups from Nova to Quantum

• Security groups fit naturally within the network API
• Lets each plugin implement them in a compatible way
Features and Use Cases
Nova Security Groups
• Collection of network access rules that specify what traffic is allowed
  to ingress a VM
• Associated with a VM at startup
  – If no Security Group is specified, the VM belongs to the default
    Security Group, which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• A Security Rule specifies:
  – Source of traffic (IP subnet in CIDR notation, or another security group)
  – Protocol (TCP, UDP, ICMP)
  – Destination port on the VM
Security Group Command Line

EC2 (euca2ools):
  euca-add-group
  euca-authorize
  euca-delete-group
  euca-describe-group
  euca-describe-groups

OpenStack Nova (nova client):
  secgroup-add-group-rule
  secgroup-add-rule
  secgroup-create
  secgroup-delete
  secgroup-delete-group-rule
  secgroup-delete-rule
  secgroup-list
  secgroup-list-rules
Example

OpenStack Nova:

$ nova secgroup-create mygroup description
+---------+-------------+
| Name    | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2 (euca2ools):

$ euca-add-group -d description mygroup
GROUP   mygroup description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932    default default
GROUP   550d88112b9048fd931f1c66b2c7a932    mygroup description
PERMISSION 550d88112b9048fd931f1c66b2c7a932    mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
PERMISSION 550d88112b9048fd931f1c66b2c7a932    mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION r-eezz74kc 550d88112b9048fd931f1c66b2c7a932 mygroup
INSTANCE    i-00000001 ami-00000001 server-1 server-1 pending 0 m1.small 2012-04-17T05:51:30.000Z unknown zone aki-00000002 ari-00000003
Current Security Group Model

• Features:
  – Per-Virtual Machine Security Group association
  – Network egress filtering (network to VM), i.e. only traffic arriving at
    the VM is filtered; nothing the VM sends is
  – Matching on Source subnet, Protocol, and Destination Port Range
Use Case: Distributed Firewall
     (current features)
Security Group API

Verb     URI                                                                Description
GET      v1.1/{tenant_id}/os-security-groups                                List security groups
POST     v1.1/{tenant_id}/os-security-groups                                Create a new security group
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}            Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}            Delete security group
POST     v1.1/{tenant_id}/os-security-group-rules                           Create security group rules
DELETE   v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}  Delete security group rule
GET      v1.1/{tenant_id}/servers/{server_id}/os-security-groups            List security groups for a specific server
Proposed Security Group Model

• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering
    • Similar to AWS VPC
  – Matching on Source subnet, Protocol, and Destination Port Range in both
    directions
  – Stateful egress filtering (return traffic of an already allowed flow
    passes without needing a rule of its own)
  – Default deny, except that a port with no ingress rules at all accepts
    all ingress
  – IPv6 Support
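The following is an added example, not code from this deck, from Nova or from Quantum: a small Python evaluator for the security-group semantics described in the Nova model above and in the proposed model. It covers what Nova already has (CIDR or source-group matching, protocol, destination port range, a default group that admits other members of the group) and what the proposal adds (per-port association with associate/dissociate, ingress and egress rules, stateful passing of replies, IPv6 and the stated "no ingress rules means accept all ingress" exception). Class names, port identifiers and every address below are constructed for the example. One caveat a practitioner should keep in mind: that accept-all exception is the deck's proposal as stated; the security groups that later shipped in Neutron default to deny on ingress, so do not build on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress": network -> port, "egress": port -> network
    protocol: Optional[str] = None      # "tcp", "udp" or "icmp"; None matches any protocol
    port_min: Optional[int] = None      # destination port range; None matches any port
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None   # remote side as an IPv4/IPv6 CIDR ...
    remote_group: Optional[str] = None  # ... or as membership of another security group


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class Firewall:
    def __init__(self):
        self.groups = {}       # group name -> [Rule]
        self.port_ips = {}     # port id -> the port's fixed IP
        self.port_groups = {}  # port id -> set of associated group names
        self.flows = set()     # 5-tuples of flows already admitted (for stateful replies)

    def create_group(self, name, rules=()):
        self.groups[name] = list(rules)

    def add_port(self, port_id, ip, groups=("default",)):
        self.port_ips[port_id] = ip
        self.port_groups[port_id] = set(groups)

    def associate_port(self, port_id, group):    # cf. PUT .../associate_port
        self.port_groups[port_id].add(group)

    def dissociate_port(self, port_id, group):   # cf. PUT .../dissociate_port
        self.port_groups[port_id].discard(group)

    def _remote_in_group(self, ip, group):
        # a "source group" rule matches when the remote IP belongs to a port in that group
        return any(group in gs and self.port_ips[p] == ip for p, gs in self.port_groups.items())

    def _matches(self, rule, pkt, remote_ip):
        if rule.protocol is not None and rule.protocol != pkt.protocol:
            return False
        if rule.port_min is not None:
            if pkt.dst_port is None or not rule.port_min <= pkt.dst_port <= rule.port_max:
                return False
        if rule.remote_cidr is not None:
            # ipaddress handles v4 and v6; an address is never "in" a network of the other family
            if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.remote_cidr, strict=False):
                return False
        return rule.remote_group is None or self._remote_in_group(remote_ip, rule.remote_group)

    def allow(self, port_id, pkt, direction):
        """True if pkt may cross port_id in the given direction; records admitted flows."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        if reverse in self.flows:
            return True                          # reply to an admitted flow: stateful pass
        remote_ip = pkt.src_ip if direction == "ingress" else pkt.dst_ip
        rules = [r for g in self.port_groups[port_id] for r in self.groups[g] if r.direction == direction]
        if direction == "ingress" and not rules:
            allowed = True                       # the slide's stated exception to default deny
        else:
            allowed = any(self._matches(r, pkt, remote_ip) for r in rules)
        if allowed:
            self.flows.add(flow)
        return allowed


def demo():
    # the deck's mygroup example (ssh and mysql from 192.168.1.0/24) plus constructed sample ports
    fw = Firewall()
    fw.create_group("default", [Rule("ingress", remote_group="default"), Rule("egress")])
    fw.create_group("mygroup", [
        Rule("ingress", "tcp", 22, 22, remote_cidr="192.168.1.0/24"),
        Rule("ingress", "tcp", 3306, 3306, remote_cidr="192.168.1.0/24"),
        Rule("ingress", "tcp", 443, 443, remote_cidr="2001:db8::/32"),   # IPv6 rule
    ])
    fw.add_port("port-1", "10.0.0.5")
    fw.add_port("port-2", "10.0.0.6")
    fw.add_port("port-3", "2001:db8:1::5", groups=("mygroup",))
    fw.add_port("port-4", "10.0.0.9", groups=())          # no groups, hence no ingress rules
    fw.associate_port("port-1", "mygroup")
    r = {}
    r["ssh_from_subnet"] = fw.allow("port-1", Packet("192.168.1.10", "10.0.0.5", "tcp", 40000, 22), "ingress")
    r["ssh_reply"] = fw.allow("port-1", Packet("10.0.0.5", "192.168.1.10", "tcp", 22, 40000), "egress")
    r["ssh_from_elsewhere"] = fw.allow("port-1", Packet("203.0.113.9", "10.0.0.5", "tcp", 40001, 22), "ingress")
    r["peer_in_default"] = fw.allow("port-1", Packet("10.0.0.6", "10.0.0.5", "tcp", 5000, 8080), "ingress")
    r["ipv6_https"] = fw.allow("port-3", Packet("2001:db8::1", "2001:db8:1::5", "tcp", 5000, 443), "ingress")
    r["smtp_out_with_default"] = fw.allow("port-1", Packet("10.0.0.5", "198.51.100.1", "tcp", 50000, 25), "egress")
    fw.dissociate_port("port-1", "default")
    r["smtp_out_without_default"] = fw.allow("port-1", Packet("10.0.0.5", "198.51.100.1", "tcp", 50001, 25), "egress")
    r["no_ingress_rules_accepts_all"] = fw.allow("port-4", Packet("203.0.113.9", "10.0.0.9", "tcp", 1234, 23), "ingress")
    return r
```

The ssh reply is admitted purely from the flow table: after dissociating the default group, port-1 has no egress rules left and a fresh outbound SMTP connection is refused, but replies to the already admitted ssh session keep flowing. That is the practical difference between the stateless per-VM model and the proposed stateful one.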
Use Case: Distributed Firewall
     (proposed features)
Proposed Security Group API

Verb     URI                                                                      Description
GET      v1.1/{tenant_id}/os-security-groups                                      List security groups
POST     v1.1/{tenant_id}/os-security-groups                                      Create a new security group*
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Delete security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Update security group*
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
GET      v1.1/{tenant_id}/os-security-groups/list_for_port                        List security groups for specified port
Architecture
Pre-Essex Architecture
Essex Architecture
Folsom Architecture?
Other Features
Provider Firewalling

• Need to have security groups that are modifiable by tenants
• Desirable to also have security groups that are only modifiable by the
  service provider
  – E.g. preventing a tenant from sending SMTP traffic
  – Blocking all incoming traffic on a known trojan port
• Not an ideal fit for the security group model, whose rules are tenant-owned
  and only ever allow traffic
Access Control Lists

• Current security group model is somewhat limited
• Would be nice to have a more generic ACL capability
• Features:
  – Ingress/Egress filtering
  – Port-based association
  – More sophisticated matching
  – Allow/deny
  – Combination of ACLs
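As an added example, not the deck's or Quantum's code, here is what the two slides above ask for and what the allow-only security-group model cannot express: an ordered ACL with explicit allow and deny entries, a provider-owned ACL evaluated before tenant ACLs so that a tenant cannot re-allow outbound SMTP, and an ownership check that rejects tenant edits of the provider ACL. The ACL names, tenant id, addresses and the port standing in for the "known trojan port" are placeholders chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "allow" or "deny": unlike security groups, explicit denies exist
    direction: str                     # "ingress" or "egress", relative to the port
    protocol: Optional[str] = None     # None matches any protocol
    port_min: Optional[int] = None     # destination port range; None matches any port
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None  # None matches any remote address

    def matches(self, direction, protocol, dst_port, remote_ip):
        if self.direction != direction or (self.protocol and self.protocol != protocol):
            return False
        if self.port_min is not None and (dst_port is None or not self.port_min <= dst_port <= self.port_max):
            return False
        return self.remote_cidr is None or ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote_cidr, strict=False)


@dataclass
class Acl:
    name: str
    owner: str      # "provider" or a tenant id; provider-owned ACLs are evaluated first
    entries: list

    def add_entry(self, actor, entry):
        """Tenants may edit only their own ACLs; the provider ACL is read-only to them."""
        if actor != "provider" and actor != self.owner:
            raise PermissionError(f"{actor} may not modify ACL {self.name} owned by {self.owner}")
        self.entries.append(entry)


def evaluate(acls, direction, protocol, dst_port, remote_ip):
    """Provider ACLs first, then tenant ACLs in list order; first matching entry wins; else deny.
    Returns (allowed, identifier of the deciding entry) so every decision can be logged."""
    ordered = sorted(acls, key=lambda a: 0 if a.owner == "provider" else 1)   # stable sort
    for acl in ordered:
        for i, e in enumerate(acl.entries):
            if e.matches(direction, protocol, dst_port, remote_ip):
                return e.action == "allow", f"{acl.name}[{i}]"
    return False, "implicit-deny"


def demo():
    provider = Acl("provider-baseline", "provider", [
        AclEntry("deny", "egress", "tcp", 25, 25),         # tenants may not send SMTP
        AclEntry("deny", "ingress", "tcp", 31337, 31337),  # placeholder for a "known trojan port"
    ])
    tenant = Acl("tenant-web", "tenant-a", [
        AclEntry("allow", "ingress", "tcp", 22, 22, "192.168.1.0/24"),
        AclEntry("allow", "egress", "tcp", 25, 25),        # tenant tries to re-allow SMTP anyway
        AclEntry("allow", "egress"),                       # everything else outbound
    ])
    acls = [tenant, provider]   # list order is irrelevant; ownership decides precedence
    r = {
        "ssh_in": evaluate(acls, "ingress", "tcp", 22, "192.168.1.7"),
        "ssh_in_other": evaluate(acls, "ingress", "tcp", 22, "203.0.113.9"),
        "smtp_out": evaluate(acls, "egress", "tcp", 25, "198.51.100.25"),
        "https_out": evaluate(acls, "egress", "tcp", 443, "198.51.100.25"),
        "trojan_in": evaluate(acls, "ingress", "tcp", 31337, "203.0.113.9"),
    }
    try:
        provider.add_entry("tenant-a", AclEntry("allow", "egress", "tcp", 25, 25))
        r["tenant_edited_provider_acl"] = True
    except PermissionError:
        r["tenant_edited_provider_acl"] = False
    return r
```

Two design points worth noting: the provider deny wins even though the tenant ACL contains a matching allow, because precedence comes from ownership rather than from the order in which the ACLs happen to be listed; and returning the identifier of the deciding entry costs nothing and is what makes a later "why was this packet dropped" investigation tractable.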
Comments, Questions,
   Suggestions?

      @davlaps

 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 

Openstack Quantum Security Groups Session

  • 1. Quantum Security Groups Session
    Dave Lapsley
    @davlaps
    http://slidesha.re/HQvDTk
    http://etherpad.openstack.org/quantum-folsom
  • 2. Session Goals
    • Introduction to Nova Security Groups
    • Proposal:
      – Move Security Groups from Nova to Quantum
    • Discussion:
      – Provider Firewalling
      – Access Control Lists
      – Other
  • 3. Proposal: move Security Groups from Nova to Quantum
    Naturally fit within network API
    Allow plugins to implement them in a compatible way
  • 5. Nova Security Groups
    • Collection of network access rules that specify what traffic is allowed to ingress a VM
    • Associated with a VM at startup
      – If Security Group not specified, VM belongs to default Security Group which allows traffic from all other members of the group
    • A VM can be associated with many Security Groups
    • Security Rule specifies:
      – Source of traffic (IP subnet in CIDR notation, or another security group)
      – Protocol (TCP, UDP, ICMP)
      – Destination port on VM
  • 6. Security Group Command Line
    EC2                    Openstack Nova
    euca-add-group         secgroup-add-group-rule
    euca-authorize         secgroup-add-rule
    euca-delete-group      secgroup-create
    euca-describe-group    secgroup-delete
    euca-describe-groups   secgroup-delete-group-rule
                           secgroup-delete-rule
                           secgroup-list
                           secgroup-list-rules
  • 7. Example
    Openstack
    $ nova secgroup-create mygroup description
    +---------+-------------+
    |   Name  | Description |
    +---------+-------------+
    | mygroup | description |
    +---------+-------------+
    $ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
    +-------------+-----------+---------+----------------+--------------+
    | IP Protocol | From Port | To Port | IP Range       | Source Group |
    +-------------+-----------+---------+----------------+--------------+
    | tcp         | 22        | 22      | 192.168.1.0/24 |              |
    +-------------+-----------+---------+----------------+--------------+
    $ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
    +-------------+-----------+---------+----------------+--------------+
    | IP Protocol | From Port | To Port | IP Range       | Source Group |
    +-------------+-----------+---------+----------------+--------------+
    | tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
    +-------------+-----------+---------+----------------+--------------+
    $ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
    +------------------------+--------------------------------------+
    | OS-DCF:diskConfig      | MANUAL                               |
    | OS-EXT-STS:power_state | 0                                    |
    | OS-EXT-STS:task_state  | scheduling                           |
    | OS-EXT-STS:vm_state    | building                             |
    | accessIPv4             |                                      |
    | accessIPv6             |                                      |
    | adminPass              | 2QCHvG7fJ6Pc                         |
    | config_drive           |                                      |
    | created                | 2012-04-17T11:11:07Z                 |
    | flavor                 | m1.tiny                              |
    | hostId                 |                                      |
    | id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
    | image                  | cirros-0.3.0-x86_64-blank            |
    | key_name               |                                      |
    | metadata               | {}                                   |
    | name                   | server1                              |
    | progress               | 0                                    |
    | status                 | BUILD                                |
    | tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
    | updated                | 2012-04-17T11:11:08Z                 |
    | user_id                | d4dc81acfd604f72a56a70879fe565ad     |
    +------------------------+--------------------------------------+

    EC2
    $ euca-add-group -d description mygroup
    GROUP   mygroup description
    $ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
    GROUP   mygroup
    PERMISSION   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
    $ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
    GROUP   mygroup
    PERMISSION   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
    $ euca-describe-groups
    GROUP   550d88112b9048fd931f1c66b2c7a932   default   default
    GROUP   550d88112b9048fd931f1c66b2c7a932   mygroup   description
    PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
    PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
    $ euca-run-instances tty -g mygroup
    RESERVATION   r-eezz74kc   550d88112b9048fd931f1c66b2c7a932   mygroup
    INSTANCE   i-00000001   ami-00000001   server-1   server-1   pending   0   m1.small   2012-04-17T05:51:30.000Z   unknown zone   aki-00000002   ari-00000003
  • 8. Current Security Group Model
    • Features:
      – Per-Virtual Machine Security Group association
      – Network egress filtering (network to VM)
      – Matching on Source subnet, Protocol, and Destination Port Range
  • 9. Use Case: Distributed Firewall (current features)
  • 10. Use Case: Distributed Firewall (current features)
  • 11. Use Case: Distributed Firewall (current features)
  • 12. Security Group API
    Verb    URI                                                                Description
    GET     v1.1/{tenant_id}/os-security-groups                                List security groups
    POST    v1.1/{tenant_id}/os-security-groups                                Create a new security group
    GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}            Get specific security group
    DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}            Delete security group
    POST    v1.1/{tenant_id}/os-security-group-rules                           Create security group rules
    DELETE  v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}  Delete security group rule
    GET     v1.1/{tenant_id}/servers/{server_id}/os-security-groups            List security groups for a specific server
  • 13. Proposed Security Group Model
    • Features:
      – Per-Port Security Group association
      – Network egress/ingress filtering
        • Similar to AWS VPC
      – Matching on Source subnet, Protocol, and Destination Port Range in both directions
      – Stateful egress filtering
      – Default deny except when no ingress rules, then accept all on ingress
      – IPv6 Support
  • 14. Use Case: Distributed Firewall (proposed features)
  • 15. Proposed Security Group API
    Verb    URI                                                                  Description
    GET     v1.1/{tenant_id}/os-security-groups                                  List security groups
    POST    v1.1/{tenant_id}/os-security-groups                                  Create a new security group*
    GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}              Get specific security group
    DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}              Delete security group
    PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}              Update security group*
    PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
    PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
    GET     v1.1/{tenant_id}/os-security-groups/list_for_port                    List security groups for specified port
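The rule semantics of slides 5, 8 and 13 (source CIDR or source group, protocol, destination port range, rules unioned across a VM's groups, and the proposed "default deny unless a port has no ingress rules") as a small evaluator. This is an added example, not code from the session or from Nova/Quantum; the Rule and SecurityGroup classes, the allowed() function and the sample groups are assumptions modelled on the slides.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    direction: str                      # "ingress" (network -> VM) or "egress" (VM -> network)
    protocol: Optional[str] = None      # "tcp", "udp", "icmp"; None matches any protocol
    port_min: Optional[int] = None      # destination port range ("From Port" / "To Port");
    port_max: Optional[int] = None      # None matches any port (e.g. for icmp)
    remote_cidr: Optional[str] = None   # source of traffic: an IP subnet in CIDR notation ...
    remote_group: Optional[str] = None  # ... or the name of another security group

@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

def _matches(rule, proto, port, remote_ip, remote_groups):
    """True if one rule covers the packet; every field set on the rule must match."""
    if rule.protocol is not None and rule.protocol != proto:
        return False
    if rule.port_min is not None and (port is None or not rule.port_min <= port <= rule.port_max):
        return False
    # A v4 rule never contains a v6 address (and vice versa), so IPv6 is handled too.
    if rule.remote_cidr and ip_address(remote_ip) not in ip_network(rule.remote_cidr, strict=False):
        return False
    if rule.remote_group and rule.remote_group not in remote_groups:
        return False
    return True

def allowed(groups, direction, proto, port, remote_ip, remote_groups=()):
    """Decide whether one packet passes the groups bound to a port.
    Rules of all groups bound to the port are unioned. Following slide 13:
    default deny, except that a port with no ingress rules at all accepts every
    ingress packet. remote_groups lists the peer VM's groups, for group-keyed rules."""
    rules = [r for g in groups for r in g.rules if r.direction == direction]
    if direction == "ingress" and not rules:
        return True
    return any(_matches(r, proto, port, remote_ip, remote_groups) for r in rules)

# Constructed sample mirroring the slide 7 session: SSH and MySQL from one subnet.
MYGROUP = SecurityGroup("mygroup", [
    Rule("ingress", "tcp", 22, 22, remote_cidr="192.168.1.0/24"),
    Rule("ingress", "tcp", 3306, 3306, remote_cidr="192.168.1.0/24"),
])
# Slide 5's default group: admit traffic only from other members of the same group.
DEFAULT = SecurityGroup("default", [Rule("ingress", remote_group="default")])
```

Note that under the slide 13 wording a group with only ingress rules denies all egress; with the current per-VM model (slide 8) only the ingress direction would be evaluated.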
  • 21. Provider Firewalling
    • Need to have security groups that are modifiable by tenants
    • Desirable to have security groups that are only modifiable by service providers
      – E.g. preventing a tenant from sending SMTP traffic
      – Blocking all incoming traffic on a known trojan port
    • Not ideal fit for security group
  • 22. Access Control Lists
    • Current security group model is somewhat limited
    • Would be nice to have a more generic ACL capability
    • Features:
      – Ingress/Egress filtering
      – Port-based association
      – More sophisticated matching
      – Allow/deny
      – Combination of ACLs
  • 23. Comments, Questions, Suggestions?
    @davlaps