OC-2178 Automatically assign edxapp appserver VMs to a network security group
Created by: bradenmacdonald
With this PR, every AppServer deployed by OpenCraft IM will automatically be added to an OpenStack "security group" in order to provide an additional layer of protection against unwanted exposure of services that may be running on the AppServer.
The security group is created automatically by OpenCraft IM, and OpenCraft IM will define the rules of the security group. (Specifically, it will ensure that the security group always matches the following configuration: allow all egress, and allow ingress only on ports 22, 80, and 443.)
No new configuration is required, since everything is managed automatically.
This PR also introduces the ability for specific instances to be given additional security groups, e.g. if one instance needs to connect to some secure/dedicated database server, then that can be done more securely using security groups to grant access only to that instance's appservers.
Testing instructions:
- Run an OC IM devstack, and ensure it is configured with a valid OpenStack account (e.g. our OVH dev account) - an example .env file is in our internal private documentation repo if you need it.
- Optional: In your `.env` file, set `EDXAPP_APPSERVER_SECURITY_GROUP_NAME='edxapp-appserver-YOUR_NAME_HERE'` so that you can tell which rules were created for you specifically. Then restart OC IM.
- Go to https://horizon.cloud.ovh.net/project/access_and_security/ (dev account) and confirm that no security group with the name set in EDXAPP_APPSERVER_SECURITY_GROUP_NAME (e.g. "edxapp-appserver" or "edxapp-appserver-yourname") exists yet.
- Provision a new AppServer (it doesn't have to finish; it just has to get to the stage where ansible is running)
- Go to https://horizon.cloud.ovh.net/project/instances/ and confirm that the new appserver has been added to the security group, and is not a member of the "default" security group.
- Go to https://horizon.cloud.ovh.net/project/access_and_security/ and verify that the new security group has the correct rules
Notes:
- I fixed the bug that prevented editing sandbox instances from the django admin
- The `nova` python API for interacting with security groups is deprecated. So I added the `python-openstacksdk` package and used that. We should plan to remove `python-novaclient` and `python-swiftclient` in the future, and just use `python-openstacksdk`, which can do everything, is newer, nicer, and has very few dependencies.
- I renamed "openstack.py" to "openstack_utils" so it doesn't conflict with the new "openstack" import in people's minds
- I removed `delete_servers_by_name` as it didn't seem to be used.
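As an added example (not OpenCraft IM's code, and not taken from this PR), here is what reconciling a security group against the fixed policy described above (allow all egress, ingress only on 22/80/443) can look like with the `python-openstacksdk` network API that the notes mention. The rule normalisation and the add/remove planning are pure functions so they can be checked offline; only `ensure_security_group` talks to OpenStack. Assumptions not stated on the page: ingress is allowed from any IPv4 source (`0.0.0.0/0`), egress is allowed for both IPv4 and IPv6, and the function and constant names are mine.

```python
"""Reconcile an OpenStack security group against a fixed rule set.

Added example, not OpenCraft IM's own code. The openstacksdk calls used in
ensure_security_group() (find_security_group, create_security_group,
security_group_rules, create_security_group_rule, delete_security_group_rule)
are the network proxy methods of python-openstacksdk.
"""
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple


class Rule(NamedTuple):
    direction: str            # 'ingress' or 'egress'
    ethertype: str            # 'IPv4' or 'IPv6'
    protocol: Optional[str]   # None means any protocol
    port_min: Optional[int]
    port_max: Optional[int]
    remote_ip_prefix: Optional[str]


# The policy from the PR description: allow all egress, ingress only on 22, 80, 443.
# Assumption: ingress from any IPv4 source; egress for both address families.
REQUIRED_RULES: Set[Rule] = {
    Rule("egress", "IPv4", None, None, None, None),
    Rule("egress", "IPv6", None, None, None, None),
    Rule("ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("ingress", "IPv4", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("ingress", "IPv4", "tcp", 443, 443, "0.0.0.0/0"),
}


def rule_from_sdk(sdk_rule) -> Rule:
    """Normalise an openstacksdk SecurityGroupRule (or a dict using the same
    attribute names, as in the constructed sample below) into a hashable Rule."""
    get = sdk_rule.get if isinstance(sdk_rule, dict) else lambda k: getattr(sdk_rule, k)
    return Rule(get("direction"), get("ethertype"), get("protocol"),
                get("port_range_min"), get("port_range_max"), get("remote_ip_prefix"))


def plan_changes(existing: Iterable[Rule],
                 required: Set[Rule] = frozenset(REQUIRED_RULES)) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (to_add, to_remove) so that the group matches `required` afterwards.
    Anything outside the policy is removed, so a rule added by hand in Horizon
    (e.g. allow-all ingress) does not survive the next reconcile."""
    existing_set = set(existing)
    return set(required) - existing_set, existing_set - set(required)


def ensure_security_group(conn, name: str, description: str = "Managed by OpenCraft IM"):
    """Create the group if it is missing and make its rules match REQUIRED_RULES.
    `conn` is an openstack.connection.Connection (e.g. from openstack.connect())."""
    group = conn.network.find_security_group(name)
    if group is None:
        group = conn.network.create_security_group(name=name, description=description)
    sdk_rules = list(conn.network.security_group_rules(security_group_id=group.id))
    by_rule = {rule_from_sdk(r): r for r in sdk_rules}
    to_add, to_remove = plan_changes(by_rule.keys())
    for rule in to_remove:
        conn.network.delete_security_group_rule(by_rule[rule])
    for rule in to_add:
        conn.network.create_security_group_rule(
            security_group_id=group.id, direction=rule.direction,
            ethertype=rule.ethertype, protocol=rule.protocol,
            port_range_min=rule.port_min, port_range_max=rule.port_max,
            remote_ip_prefix=rule.remote_ip_prefix)
    return group


# Constructed sample: what a group might look like after someone added an
# allow-all ingress rule in Horizon and the 80/443 rules are still missing.
SAMPLE_EXISTING: List[dict] = [
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "egress", "ethertype": "IPv6", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},
]


def demo_plan() -> Tuple[Set[Rule], Set[Rule]]:
    """Plan the changes for the constructed sample without touching OpenStack."""
    return plan_changes(rule_from_sdk(r) for r in SAMPLE_EXISTING)


if __name__ == "__main__":
    to_add, to_remove = demo_plan()
    print("add:", sorted(to_add))
    print("remove:", sorted(to_remove))
```

Because the planner removes every rule that is not in the policy, the group stays in the state the description promises even if someone widens it by hand between provisioning runs; that is the property worth checking when verifying the rules in Horizon in the testing steps above.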
Things I noticed while working on this PR (to do in other tickets):
- We should remove “protocol” from OpenCraft IM OpenEdXAppConfiguration
- We should change the popup help text for "Activate AppServer" so it doesn't talk about DNS entries