openstack team mailing list archive

Re: Default rules for the 'default' security group

 

On 24/08/12 20:50, Yufang Zhang wrote:
2012/8/24 Gabriel Hurley <Gabriel.Hurley@xxxxxxxxxx>

    I traced this through the code at one point looking for the same
    thing. As it stands, right now there is **not** a mechanism for
    customizing the default security group’s rules. It’s created
    programmatically the first time the rules for a project are
    retrieved with no hook to add or change its characteristics.

    I’d love to see this be possible, but it’s definitely a feature
    request.

  Really agreed. I have created a blueprint to track this issue:
https://blueprints.launchpad.net/nova/+spec/default-rules-for-default-security-group

At NeCTAR, rather than modifying the default group we create 3 new groups (SSH, ICMP, HTTP/S) for the tenant at the time of tenant creation, and found this to be a reasonable compromise between security and convenience. This has its issues of course, but perhaps the blueprint could be extended to cover the creation of new groups, as well as modifying the existing default one . . .


    -Gabriel

    *From:* openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx
    *On Behalf Of* Boris-Michel Deschenes
    *Sent:* Thursday, August 23, 2012 7:59 AM
    *To:* Yufang Zhang; openstack@xxxxxxxxxxxxxxxxxxx
    *Subject:* Re: [Openstack] Default rules for the 'default' security group

    I’m very interested in this, we run essex and have a very bad
    workaround for this currently, but it would be great to be able to
    do this (set default rules for the default security group).

    Boris

    *From:* openstack-bounces+boris-michel.deschenes=ubisoft.com@xxxxxxxxxxxxxxxxxxx
    *On Behalf Of* Yufang Zhang
    *Sent:* 23 August 2012 08:43
    *To:* openstack@xxxxxxxxxxxxxxxxxxx
    *Subject:* [Openstack] Default rules for the 'default' security group

    Hi all,

    Could I ask how to set the default rules for the 'default' security
    group for all the users in openstack? Currently, the 'default'
    security group has no rule by default, thus newly created instances
    could only be accessed by instances from the same group.

    Is there any method to set default rules (such as ssh or icmp) for
    the 'default' security group for all users in openstack, so that I
    don't have to remind the new users to modify security group setting
    the first time they logged into openstack and create instances? I
    have tried HP cloud, which is built on openstack; they permit
    ssh or ping to the instances in the 'default' security group.

    Best Regards.

    Yufang




_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
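
The approach described in the NeCTAR reply above (separate SSH, ICMP and HTTP/S groups created along with the tenant, with 'default' left untouched), as an added example that is not part of the thread or of NeCTAR's tooling. It assumes the legacy `nova secgroup-create` / `nova secgroup-add-rule` commands with credentials already scoped to the new tenant; the group names, `ADMIN_CIDR`, `WEB_CIDR` and the `203.0.113.0/24` range are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): provision baseline groups for a new
# tenant and leave 'default' untouched. Assumes the legacy `nova secgroup-*`
# CLI and OS_* credentials already scoped to the new tenant.

NOVA="${NOVA:-nova}"                        # NOVA=echo prints the calls (dry run)
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"  # constructed placeholder network
WEB_CIDR="${WEB_CIDR:-0.0.0.0/0}"           # assumed: web is meant to be public

# One rule per line: group|description|protocol|from_port|to_port|cidr
baseline_rules() {
  cat <<EOF
ssh|SSH from the admin network|tcp|22|22|${ADMIN_CIDR}
icmp|ICMP from the admin network|icmp|-1|-1|${ADMIN_CIDR}
web|HTTP and HTTPS|tcp|80|80|${WEB_CIDR}
web|HTTP and HTTPS|tcp|443|443|${WEB_CIDR}
EOF
}

# Shape check only (a.b.c.d/0-32); rejects empty or mistyped source ranges.
valid_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

provision_groups() {
  local created name desc proto from to cidr
  created=""
  # Validate every source range before the first API call, so a typo
  # cannot leave the tenant with a half-built set of groups.
  for cidr in "$ADMIN_CIDR" "$WEB_CIDR"; do
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
  done
  while IFS='|' read -r name desc proto from to cidr; do
    case " $created " in
      *" $name "*) ;;                       # group already created in this run
      *) $NOVA secgroup-create "$name" "$desc" </dev/null || return 1
         created="$created $name" ;;
    esac
    $NOVA secgroup-add-rule "$name" "$proto" "$from" "$to" "$cidr" \
      </dev/null || return 1
  done <<EOF
$(baseline_rules)
EOF
}
```

Source the file and call `provision_groups` from the tenant-creation workflow; setting `NOVA=echo` gives a dry run that prints each call for review.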



