OC-2178 Automatically assign edxapp appserver VMs to a network security group

Boros Gábor requested to merge security-groups into master

Created by: bradenmacdonald

With this PR, every AppServer deployed by OpenCraft IM will automatically be added to an OpenStack "security group" in order to provide an additional layer of protection against unwanted exposure of services that may be running on the AppServer.

The security group is created automatically by OpenCraft IM, and OpenCraft IM will define the rules of the security group. (Specifically, it will ensure the security group always matches the following configuration: allow all egress, and allow ingress only on ports 22, 80, and 443.)

No new configuration is required, since everything is managed automatically.

This PR also introduces the ability for specific instances to be given additional security groups, e.g. if one instance needs to connect to some secure/dedicated database server, then that can be done more securely using security groups to grant access only to that instance's appservers.

Testing instructions:

  • Run an OC IM devstack, and ensure it is configured with a valid OpenStack account (e.g. our OVH dev account) - an example .env file is in our internal private documentation repo if you need it.
  • Optional: In your .env file, set EDXAPP_APPSERVER_SECURITY_GROUP_NAME='edxapp-appserver-YOUR_NAME_HERE' so that you can tell which rules were created for you specifically. Then restart OC IM.
  • Go to https://horizon.cloud.ovh.net/project/access_and_security/ (dev account) and confirm that no security group with the name set in EDXAPP_APPSERVER_SECURITY_GROUP_NAME (e.g. "edxapp-appserver" or "edxapp-appserver-yourname") exists yet.
  • Provision a new AppServer (it doesn't have to finish; it just has to get to the stage where ansible is running)
  • Go to https://horizon.cloud.ovh.net/project/instances/ and confirm that the new appserver has been added to the security group, and is not a member of the "default" security group.
  • Go to https://horizon.cloud.ovh.net/project/access_and_security/ and verify that the new security group has the correct rules
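As an added illustration (not code from this PR or from OpenCraft IM), the rule set described above written as an idempotent reconciliation, plus the membership check from the testing steps. The rule dicts are constructed to mimic the fields openstacksdk returns for a Neutron security group rule; the function names and the sample data are assumptions.

```python
from typing import Dict, Iterable, List, Set, Tuple

ALLOWED_INGRESS_PORTS = (22, 80, 443)          # per the PR description: only these inbound
ETHERTYPES = ("IPv4", "IPv6")
ANY_PREFIX = (None, "", "0.0.0.0/0", "::/0")  # Neutron spellings of "from anywhere"

# A rule is compared only on the fields that define its effect (ids, timestamps ignored):
# (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix)
Rule = Tuple[str, str, str, int, int, str]

def normalize(rule: Dict) -> Rule:
    """Reduce an openstacksdk-style security group rule dict to a comparable tuple."""
    prefix = rule.get("remote_ip_prefix")
    return (rule["direction"], rule.get("ethertype", "IPv4"),
            rule.get("protocol") or "any",
            rule.get("port_range_min") or 0, rule.get("port_range_max") or 0,
            "any" if prefix in ANY_PREFIX else prefix)

def desired_rules() -> Set[Rule]:
    """Allow all egress; allow ingress only on TCP 22, 80 and 443 from anywhere."""
    rules: Set[Rule] = set()
    for ethertype in ETHERTYPES:
        rules.add(("egress", ethertype, "any", 0, 0, "any"))
        for port in ALLOWED_INGRESS_PORTS:
            rules.add(("ingress", ethertype, "tcp", port, port, "any"))
    return rules

def reconcile(current: Iterable[Dict]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (to_add, to_remove): the changes that make the group match desired_rules() exactly.
    Removing stray rules matters as much as adding missing ones, or the group drifts open."""
    have, want = {normalize(r) for r in current}, desired_rules()
    return want - have, have - want

def check_membership(server_groups: List[str], expected: str) -> List[str]:
    """Problems with a server's group list; 'default' admits traffic from any other 'default' member."""
    problems = []
    if expected not in server_groups:
        problems.append(f"missing {expected}")
    if "default" in server_groups:
        problems.append("still in 'default'")
    return problems

# Constructed sample: a half-configured group with a stray rule for port 8000.
SAMPLE_CURRENT_RULES = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "egress", "ethertype": "IPv6", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 8000, "port_range_max": 8000, "remote_ip_prefix": "0.0.0.0/0"},
]
```

In a live deployment the two sets returned by `reconcile` map onto `create_security_group_rule` / `delete_security_group_rule` calls on the openstacksdk network proxy; the diff itself needs no cloud access, so it can be unit-tested.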

Notes:

  • I fixed the bug that prevented editing sandbox instances from the django admin
  • The nova python API for interacting with security groups is deprecated. So I added the python-openstacksdk package and used that. We should plan to remove python-novaclient and python-swiftclient in the future, and just use python-openstacksdk, which can do everything, is newer, nicer, and has very few dependencies.
  • I renamed "openstack.py" to "openstack_utils" so it doesn't conflict with the new "openstack" import in people's minds
  • I removed delete_servers_by_name as it didn't seem to be used.

Things I noticed while working on this PR (to do in other tickets):

  • We should remove “protocol” from OpenCraft IM OpenEdXAppConfiguration
  • We should change the popup help text for "Activate AppServer" so it doesn't talk about DNS entries