Quantum Security Groups Session

Dave Lapsley
@davlaps
http://slidesha.re/HQvDTk
http://etherpad.openstack.org/quantum-folsom
Session Goals

• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other
Proposal: move Security Groups from Nova to Quantum

Naturally fit within network API
Allow plugins to implement them in a compatible way
Features and Use Cases
Nova Security Groups

• Collection of network access rules that specify what traffic is allowed to ingress a VM
• Associated with a VM at startup
  – If no Security Group is specified, the VM belongs to the default Security Group, which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• A Security Rule specifies:
  – Source of traffic (IP subnet in CIDR notation, or another security group)
  – Protocol (TCP, UDP, ICMP)
  – Destination port on the VM
Security Group Command Line

EC2:
  euca-add-group
  euca-authorize
  euca-delete-group
  euca-describe-group
  euca-describe-groups

OpenStack Nova:
  secgroup-add-group-rule
  secgroup-add-rule
  secgroup-create
  secgroup-delete
  secgroup-delete-group-rule
  secgroup-delete-rule
  secgroup-list
  secgroup-list-rules
Example

OpenStack:

$ nova secgroup-create mygroup description
+---------+-------------+
|  Name   | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2:

$ euca-add-group -d description mygroup
GROUP   mygroup description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932    default default
GROUP   550d88112b9048fd931f1c66b2c7a932    mygroup description
PERMISSION 550d88112b9048fd931f1c66b2c7a932 mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
PERMISSION 550d88112b9048fd931f1c66b2c7a932 mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION r-eezz74kc 550d88112b9048fd931f1c66b2c7a932 mygroup
INSTANCE    i-00000001 ami-00000001 server-1 server-1 pending 0 m1.small 2012-04-17T05:51:30.000Z unknown zone aki-00000002 ari-00000003
Current Security Group Model

• Features:
  – Per-Virtual Machine Security Group association
  – Network egress filtering (network to VM)
  – Matching on Source subnet, Protocol, and
    Destination Port Range
Use Case: Distributed Firewall (current features)
Security Group API

Verb     URI                                                                  Description
GET      v1.1/{tenant_id}/os-security-groups                                  List security groups
POST     v1.1/{tenant_id}/os-security-groups                                  Create a new security group
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}              Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}              Delete security group
POST     v1.1/{tenant_id}/os-security-group-rules                             Create security group rules
DELETE   v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}    Delete security group rule
GET      v1.1/{tenant_id}/servers/{server_id}/os-security-groups              List security groups for a specific server
Proposed Security Group Model

• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering
    • Similar to AWS VPC
  – Matching on Source subnet, Protocol, and
    Destination Port Range in both directions
  – Stateful egress filtering
  – Default deny except when no ingress
    rules, then accept all on ingress
  – IPv6 Support
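As an added example (not code from the session, nor from Quantum or Nova), here is a small Python model of the proposed semantics listed above, using the rule fields from the Nova Security Groups slide: per-port group association, rules in both directions whose remote end is a CIDR or another group, default deny with the stated no-ingress-rules exception, stateful acceptance of replies, and IPv4/IPv6 matching. The topology, addresses and group names are constructed; tracking accepted flows in both directions (the slide only names stateful egress) is an assumption of this example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" (network -> port) or "egress" (port -> network)
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    port_min: int = 0                    # destination port range; ignored for icmp
    port_max: int = 65535
    remote_cidr: Optional[str] = None    # IPv4 or IPv6 prefix such as "192.168.1.0/24" or "::/0" ...
    remote_group: Optional[str] = None   # ... or the name of another security group


SecurityGroup = namedtuple("SecurityGroup", "name rules")
Port = namedtuple("Port", "ips groups")   # proposed model: groups attach to the port, not the VM
Packet = namedtuple("Packet", "direction protocol src_ip src_port dst_ip dst_port")


class Firewall:
    """Evaluates the groups attached to a port, remembering accepted flows for stateful replies."""

    def __init__(self, ports):
        self.ports = ports
        self.conntrack = set()   # 5-tuples of flows accepted in either direction (assumption)

    def _members(self, group_name):
        """Addresses of every port in the named group, for remote_group rules."""
        return {ipaddress.ip_address(ip) for p in self.ports
                if any(g.name == group_name for g in p.groups) for ip in p.ips}

    def _matches(self, rule, pkt):
        if rule.protocol not in ("any", pkt.protocol):
            return False
        if pkt.protocol != "icmp" and not rule.port_min <= pkt.dst_port <= rule.port_max:
            return False
        # The remote end is the source for ingress and the destination for egress.
        remote = ipaddress.ip_address(pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip)
        if rule.remote_cidr is not None:
            # ip_network containment is False across address families, so a
            # v4-only rule never matches IPv6 traffic.
            return remote in ipaddress.ip_network(rule.remote_cidr)
        if rule.remote_group is not None:
            return remote in self._members(rule.remote_group)
        return True   # no remote constraint on this rule

    def allowed(self, port, pkt):
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.conntrack:
            return True          # stateful: a reply to an accepted flow needs no rule of its own
        rules = [r for g in port.groups for r in g.rules if r.direction == pkt.direction]
        if pkt.direction == "ingress" and not rules:
            verdict = True       # the slide's exception: no ingress rules -> accept all ingress
        else:
            verdict = any(self._matches(r, pkt) for r in rules)   # otherwise default deny
        if verdict:
            self.conntrack.add(flow)
        return verdict


def build_demo():
    """Constructed topology: a web tier, a db tier, and a port left in an empty default group."""
    web = SecurityGroup("web", [
        Rule("ingress", "tcp", 22, 22, remote_cidr="192.168.1.0/24"),
        Rule("ingress", "tcp", 80, 80, remote_cidr="::/0"),        # IPv6-only rule
        Rule("egress", "tcp", 3306, 3306, remote_group="db"),      # egress towards another group
    ])
    db = SecurityGroup("db", [Rule("ingress", "tcp", 3306, 3306, remote_group="web")])
    web1 = Port(("10.0.0.5", "2001:db8::5"), [web])
    db1 = Port(("10.0.0.9",), [db])
    lonely = Port(("10.0.0.7",), [SecurityGroup("default", [])])   # no rules at all
    return Firewall([web1, db1, lonely]), web1, db1, lonely


def demo_verdicts():
    """Runs constructed packets through the demo; order matters because of conntrack."""
    fw, web1, db1, lonely = build_demo()
    return {
        "ssh_from_lan": fw.allowed(web1, Packet("ingress", "tcp", "192.168.1.10", 40000, "10.0.0.5", 22)),
        "ssh_from_elsewhere": fw.allowed(web1, Packet("ingress", "tcp", "172.16.0.1", 40000, "10.0.0.5", 22)),
        "http_over_ipv6": fw.allowed(web1, Packet("ingress", "tcp", "2001:db8::1", 40001, "2001:db8::5", 80)),
        "ssh_over_ipv6": fw.allowed(web1, Packet("ingress", "tcp", "2001:db8::1", 40002, "2001:db8::5", 22)),
        "web_to_db": fw.allowed(web1, Packet("egress", "tcp", "10.0.0.5", 50000, "10.0.0.9", 3306)),
        "db_accepts_web": fw.allowed(db1, Packet("ingress", "tcp", "10.0.0.5", 50000, "10.0.0.9", 3306)),
        "db_reply": fw.allowed(db1, Packet("egress", "tcp", "10.0.0.9", 3306, "10.0.0.5", 50000)),
        "db_unsolicited": fw.allowed(db1, Packet("egress", "tcp", "10.0.0.9", 50001, "10.0.0.5", 22)),
        "default_ingress": fw.allowed(lonely, Packet("ingress", "tcp", "203.0.113.9", 40003, "10.0.0.7", 23)),
        "default_egress": fw.allowed(lonely, Packet("egress", "tcp", "10.0.0.7", 40004, "203.0.113.9", 80)),
    }
```

Read literally, the stated default-deny rule means a port in a rule-less group accepts every ingress packet but may not originate any egress flow, which is the `default_egress` verdict above; the db tier's reply to the web tier passes only because of connection tracking.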
Use Case: Distributed Firewall (proposed features)
Proposed Security Group API

Verb     URI                                                                      Description
GET      v1.1/{tenant_id}/os-security-groups                                      List security groups
POST     v1.1/{tenant_id}/os-security-groups                                      Create a new security group*
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Delete security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Update security group*
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
GET      v1.1/{tenant_id}/os-security-groups/list_for_port                        List security groups for specified port
Architecture
Pre-Essex Architecture
Essex Architecture
Folsom Architecture?
Other Features
Provider Firewalling

• Need to have security groups that are
  modifiable by tenants
• Desirable to have security groups that are
  only modifiable by service providers
  – E.g. preventing a tenant from sending SMTP
    traffic
  – Blocking all incoming traffic on a known trojan
    port
• Not ideal fit for security group
Access Control Lists

• Current security group model is
  somewhat limited
• Would be nice to have a more generic
  ACL capability
• Features:
  – Ingress/Egress filtering
  – Port-based association
  – More sophisticated matching
  – Allow/deny
  – Combination of ACLs
Comments, Questions, Suggestions?

      @davlaps
