Difference between revisions of "Federated Cloud siteconf"
Jump to navigation
Jump to search
Line 10: | Line 10: | ||
*'''default network type''', can be ''public'', ''private'', or ''N/A'' (not available) | *'''default network type''', can be ''public'', ''private'', or ''N/A'' (not available) | ||
*'''public network name''': name of the public network to be used; usually this is different from the default network, which is private in most of the cases; example: ''/network/PUBLIC'' | *'''public network name''': name of the public network to be used; usually this is different from the default network, which is private in most of the cases; example: ''/network/PUBLIC'' | ||
*'''outgoing connectivity available by default at start time: '''please say YES if newly started VM provide directly outgoing connection, either through public IP or, if public IP is not assigned at instantiation time, through NAT (private IP enabled to outgoing connection) | |||
*'''port default firewall policy''': default policy available at infrastructure level (firewall); usually it's either "all open" or "all closed" | *'''port default firewall policy''': default policy available at infrastructure level (firewall); usually it's either "all open" or "all closed" | ||
*'''ports firewall configuration''': port configuration on top of the default firewall policy; so you can specify i.e. which ports are open on the firewall if the default configuration is "all closed"; example: ''22, ICMP open'' | *'''ports firewall configuration''': port configuration on top of the default firewall policy; so you can specify i.e. which ports are open on the firewall if the default configuration is "all closed"; example: ''22, ICMP open'' | ||
Line 27: | Line 28: | ||
! style="border-bottom:1px solid black;" | default network type | ! style="border-bottom:1px solid black;" | default network type | ||
! style="border-bottom:1px solid black;" | public network name | ! style="border-bottom:1px solid black;" | public network name | ||
! style="border-bottom:1px solid black;" | outgoing connectivity available by default at start time? | ! style="border-bottom:1px solid black;" | outgoing connectivity available by default at start time? | ||
! style="border-bottom:1px solid black;" | port default firewall policy | ! style="border-bottom:1px solid black;" | port default firewall policy | ||
! style="border-bottom:1px solid black;" | ports firewall configuration | ! style="border-bottom:1px solid black;" | ports firewall configuration |
Revision as of 17:08, 25 July 2017
Overview | For users | For resource providers | Infrastructure status | Site-specific configuration | Architecture |
The main purpose of this page is to collect site-specific configuration parameters of the Federated Cloud sites, allowing comparison among them, identify differences, get parameters for a specific site.
If you have any comments on the content of this page, please contact operations @ egi.eu.
Parameters provided by each site are:
- default network name, as the name of the network assigned by default when firing up a VM to the site; at the moment, it might be that the network is private, public or not assigned at all; example: /network/PRIVATE
- default network type, can be public, private, or N/A (not available)
- public network name: name of the public network to be used; usually this is different from the default network, which is private in most of the cases; example: /network/PUBLIC
- outgoing connectivity available by default at start time: please say YES if newly started VM provide directly outgoing connection, either through public IP or, if public IP is not assigned at instantiation time, through NAT (private IP enabled to outgoing connection)
- port default firewall policy: default policy available at infrastructure level (firewall); usually it's either "all open" or "all closed"
- ports firewall configuration: port configuration on top of the default firewall policy; so you can specify i.e. which ports are open on the firewall if the default configuration is "all closed"; example: 22, ICMP open
- ports default CMF policy: on OpenStack, it is possible to open/close ports using the OpenStack user interface; these "security groups" feature is an additional firewall feature, independent from the infrastructure (low level) firewall, and can be configured by the user (using the Horizon interface) or by API, or asking for support through the EGI Helpdesk. Example: "all open" or "all closed".
- ports policy on CMF: if ports default CMF policy is "all closed", you may want to specify here if there are exceptions. Example: ssh.
- mandatory closed ports: if there are ports that cannot be opened due to local rules or national regulations or infrastructure constraints. Example: 25 is usually not available for security reasons (used 587 instead).
- port configuration requests method: how the site allows to fulfill port reconfiguration requests. Examples: GGUS, Horizon, other ways.
- users requests: please mention here any special requests come from users in the past and that you have worked in order to make a specific use case run on your site.
- comments: if you have any comments to report here that could help us in improving this page.
Site-specific configuration
default network name | default network type | public network name | outgoing connectivity available by default at start time? | port default firewall policy | ports firewall configuration | ports default CMF policy | ports policy on CMF | mandatory closed ports | port configuration requests method | users requests | comments | |
---|---|---|---|---|---|---|---|---|---|---|---|---|
100IT | private | private | public | all open | all closed | none | OpenStack Horizon, GGUS | |||||
BEgrid-BELNET | /network/1 | public | /network/1 | all closed | 22, ICMP | GGUS ticket | 80, 8080, 443 | some users have requested to limit access to their VMs to a given list of source IPs | ||||
BIFI | all closed | 22,ICMP open | GGUS,email | 8080, 8081 8888, 9443, 61616 (Training VO) to be opened | ||||||||
CESGA | https://fedcloud-services.egi.cesga.es:11443/network/1 |
public | https://fedcloud-services.egi.cesga.es:11443/network/1 |
all open |
all open |
NA (no OpenStack) |
NA (no OpenStack) |
none |
GGUS |
Static DHCP server (IP assigned if network contextualization fails) |
||
CESNET-MetaCloud | https://carach5.ics.muni.cz:11443/network/24 |
public |
default network name |
all open |
all open |
all open |
all open |
67/udp, 137/udp |
GGUS |
One request to provide a private network. |
As soon as security groups are implemented in OCCI, we will switch to a more restrictive mode where only TCP 22 is open by default. Users will have a self-service control over this via OCCI. | |
CLOUDIFIN | /occi1.1/network/500ed7e7-162e-4d97-916e-bc7bc3ab9b41 |
private |
/occi1.1/network/PUBLIC |
all open |
all open |
all open |
all open |
GGUS |
As we well know by using occi we can create, destroy VMs, attach link networks. Would it not be possible to access (ssh) VMs with private ip through occi? | |||
CYFRONET-CLOUD | fedcloud.egi.eu-internal-net |
private |
public |
all open |
all open |
all open |
all open |
GGUS |
||||
FZJ | /network/PRIVATE |
private |
/network/PUBLIC |
all closed |
22, 80, 443, 7000-7020 |
all closed |
all closed, except for 22, 80, 443, 7000-7020 |
25 |
Openstack Horizon portal, GGUS |
3306, redirected to 7000; 25 (from the inside), redirected to 587. |
Ports 7000-7020 have been defined by our network security team. We have so far redirected any requests for other ports to this range. There was a debate once when users insisted on port 3306 for MySQL, however we convinced them that their client was flawed by not supporting other ports. In the same way, users expected to be able to send email via port 25, we convinced them that port 587 is intended for that purpose. | |
GoeGrid | ||||||||||||
HG-09-Okeanos-Cloud | ||||||||||||
IFCA-LCG2 | all open |
all closed |
ICMP open |
OpenStack Horizon, GGUS |
||||||||
IISAS-FedCloud | /occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5 |
public |
/occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5 |
all open |
all closed | 22,ICMP open |
Openstack Horizon portal, GGUS |
network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms | ||||
IISAS-Nebula | https://nebula2.ui.savba.sk:11443/network/1 |
public |
https://nebula2.ui.savba.sk:11443/network/1 |
all open |
all closed | 22, ICMP open |
GGUS |
|||||
IISAS-GPUCloud | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC |
public | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC |
all open |
all closed | 22, ICMP open | Openstack Horizon portal, GGUS |
port 8899 by enmr.eu |
network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms | |||
IN2P3-IRES | private |
PUBLIC |
all closed |
22/80/443/8080 and ICMP open |
Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports. |
21, 25 |
OpenStack for 80/443/8080, GGUS otherwise |
user are not allowed to create / modify / delete security groups (in particular in a catch-all VO). Comment from the ticket: There is no name for the default network. In deed, with OpenStack and OOI, private networks does not have default name (like the public one). Each private network has its own ID (it is different for each project / VO. | ||||
INFN-CATANIA-STACK | ||||||||||||
INFN-PADOVA-STACK | all closed |
22 open |
GGUS |
80, 8899 (from upv.es servers only, it was needed for users who wanted to use IM and/or EC3, now has been closed due to the CRITICAL vulnerability announced the 12th of October 2016 |
here i am talking about ports open at the institute firewall level (as pointed out by Jerome's mail), while in principle every user should be able via OCCI [1] to open the desired ports by setting up his own OpenStack security group for his VM. Of course if he opens via security groups e.g. port 443 but at institute firewall level port 443 is closed, he'll not be able to reach port 443 from outside INFN-PADOVA | |||||||
RECAS-BARI | public |
all open |
all open |
Horizon Dashboard, GGUS | several ports because fedcloud users are currently running different services: web portals and applications (80/8080,443), onedata (9443), hadoop, elasticsearch, etc. |
|||||||
SCAI | ||||||||||||
TR-FC1-ULAKBIM | all closed | 22/443 open by default | GGUS | |||||||||
UPV-GRyCAP | ||||||||||||
NCG-INGRID-PT | <PROJECTNAME>_private_net |
private |
public_net |
all open |
Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports. |
Horizon Dashboard, GGUS |
Horizon Dashboard, GGUS |