The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "Federated Cloud siteconf"
Jump to navigation
Jump to search
| Line 23: | Line 23: | ||
{| style="border:1px solid black; text-align:left;" class="wikitable" cellspacing="0" cellpadding="5" | {| style="border:1px solid black; text-align:left;" class="wikitable" cellspacing="0" cellpadding="5" | ||
|- style="background:lightgray;" | |- style="background:lightgray;" | ||
! style="border-bottom:1px solid black;" | | ! style="border-bottom:1px solid black;" | <br> | ||
! style="border-bottom:1px solid black;" | default network name | ! style="border-bottom:1px solid black;" | default network name | ||
! style="border-bottom:1px solid black;" | default network type | ! style="border-bottom:1px solid black;" | default network type | ||
| Line 41: | Line 41: | ||
| style="border-bottom:1px dotted silver;" | public | | style="border-bottom:1px dotted silver;" | public | ||
| style="border-bottom:1px dotted silver;" | all open | | style="border-bottom:1px dotted silver;" | all open | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | all closed | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | none | | style="border-bottom:1px dotted silver;" | none | ||
| style="border-bottom:1px dotted silver;" | OpenStack Horizon, GGUS | | style="border-bottom:1px dotted silver;" | OpenStack Horizon, GGUS | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | BEgrid-BELNET | | style="border-bottom:1px dotted silver;" | BEgrid-BELNET | ||
| Line 55: | Line 55: | ||
| style="border-bottom:1px dotted silver;" | all closed | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | 22, ICMP | | style="border-bottom:1px dotted silver;" | 22, ICMP | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | GGUS ticket | | style="border-bottom:1px dotted silver;" | GGUS ticket | ||
| style="border-bottom:1px dotted silver;" | 80, 8080, 443 | | style="border-bottom:1px dotted silver;" | 80, 8080, 443 | ||
| Line 63: | Line 63: | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | BIFI | | style="border-bottom:1px dotted silver;" | BIFI | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | all closed | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | 22,ICMP open | | style="border-bottom:1px dotted silver;" | 22,ICMP open | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | GGUS,email | | style="border-bottom:1px dotted silver;" | GGUS,email | ||
| style="border-bottom:1px dotted silver;" | 8080, 8081 8888, 9443, 61616 (Training VO) to be opened | | style="border-bottom:1px dotted silver;" | 8080, 8081 8888, 9443, 61616 (Training VO) to be opened | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | CESGA | | style="border-bottom:1px dotted silver;" | CESGA | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://fedcloud-services.egi.cesga.es:11443/network/1<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://fedcloud-services.egi.cesga.es:11443/network/1<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | NA (no OpenStack)<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | NA (no OpenStack)<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | none<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Static DHCP server (IP assigned if network contextualization fails)<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | CESNET-MetaCloud | | style="border-bottom:1px dotted silver;" | CESNET-MetaCloud | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://carach5.ics.muni.cz:11443/network/24<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | default network name<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 67/udp, 137/udp<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | One request to provide a private network.<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | As soon as security groups are implemented in OCCI, we will switch to a more restrictive mode where only TCP 22 is open by default. Users will have a self-service control over this via OCCI.<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | CLOUDIFIN | | style="border-bottom:1px dotted silver;" | CLOUDIFIN | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /occi1.1/network/500ed7e7-162e-4d97-916e-bc7bc3ab9b41<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | private<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /occi1.1/network/PUBLIC<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | As we well know by using occi we can create, destroy VMs, attach link networks.<br>Would it not be possible to access (ssh) VMs with private ip through occi?<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | CYFRONET-CLOUD | | style="border-bottom:1px dotted silver;" | CYFRONET-CLOUD | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | fedcloud.egi.eu-internal-net<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | private<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | FZJ | | style="border-bottom:1px dotted silver;" | FZJ | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /network/PRIVATE<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | private<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /network/PUBLIC<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22, 80, 443, 7000-7020 <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed, except for 22, 80, 443, 7000-7020<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 25<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Openstack Horizon portal, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 3306, redirected to 7000; 25 (from the inside), redirected to 587.<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Ports 7000-7020 have been defined by our network security team. We have so far redirected any requests for other ports to this range. There was a debate once when users insisted on port 3306 for MySQL, however we convinced them that their client was flawed by not supporting other ports. In the same way, users expected to be able to send email via port 25, we convinced them that port 587 is intended for that purpose.<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | GoeGrid | | style="border-bottom:1px dotted silver;" | GoeGrid | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | HG-09-Okeanos-Cloud | | style="border-bottom:1px dotted silver;" | HG-09-Okeanos-Cloud | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | IFCA-LCG2 | | style="border-bottom:1px dotted silver;" | IFCA-LCG2 | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | ICMP open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | OpenStack Horizon, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | IISAS-FedCloud | | style="border-bottom:1px dotted silver;" | IISAS-FedCloud | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | /occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22,ICMP open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Openstack Horizon portal, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | IISAS-Nebula | | style="border-bottom:1px dotted silver;" | IISAS-Nebula | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://nebula2.ui.savba.sk:11443/network/1<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://nebula2.ui.savba.sk:11443/network/1<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22, ICMP open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | IISAS-GPUCloud | | style="border-bottom:1px dotted silver;" | IISAS-GPUCloud | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22, ICMP open | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Openstack Horizon portal, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | port 8899 by enmr.eu<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | IN2P3-IRES | | style="border-bottom:1px dotted silver;" | IN2P3-IRES | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | private<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | PUBLIC<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22/80/443/8080 and ICMP open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 21, 25<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | OpenStack for 80/443/8080, GGUS otherwise<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | user are not allowed to create / modify / delete security groups (in particular in a catch-all VO). Comment from the ticket: There is no name for the default network. In deed, with OpenStack and OOI, private networks does not have default name (like the public one). Each private network has its own ID (it is different for each project / VO.<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | INFN-CATANIA-STACK | | style="border-bottom:1px dotted silver;" | INFN-CATANIA-STACK | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | INFN-PADOVA-STACK | | style="border-bottom:1px dotted silver;" | INFN-PADOVA-STACK | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22 open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 80, 8899 (from upv.es servers only, it was needed for users who wanted to use IM and/or EC3, now has been closed due to the CRITICAL vulnerability announced the 12th of October 2016<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | here i am talking about ports open at the institute firewall level (as pointed out by Jerome's mail), while in principle every user should be able via OCCI [1] to open the desired ports by setting up his own OpenStack security group for his VM. Of course if he opens via security groups e.g. port 443 but at institute firewall level port 443 is closed, he'll not be able to reach port 443 from outside INFN-PADOVA<br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | RECAS-BARI | | style="border-bottom:1px dotted silver;" | RECAS-BARI | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Horizon Dashboard, GGUS | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | several ports because fedcloud users are currently running different services: web portals and applications (80/8080,443), onedata (9443), hadoop, elasticsearch, etc.<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | SCAI | | style="border-bottom:1px dotted silver;" | SCAI | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | TR-FC1-ULAKBIM | | style="border-bottom:1px dotted silver;" | TR-FC1-ULAKBIM | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all closed | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | 22/443 open by default | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | GGUS | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | UPV-GRyCAP | | style="border-bottom:1px dotted silver;" | UPV-GRyCAP | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|- | |- | ||
| style="border-bottom:1px dotted silver;" | NCG-INGRID-PT | | style="border-bottom:1px dotted silver;" | NCG-INGRID-PT | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <PROJECTNAME>_private_net<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | private<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | public_net<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | all open<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Horizon Dashboard, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | Horizon Dashboard, GGUS<br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
| style="border-bottom:1px dotted silver;" | | | style="border-bottom:1px dotted silver;" | <br> | ||
|} | |} | ||
Revision as of 16:18, 25 July 2017
| Overview | For users | For resource providers | Infrastructure status | Site-specific configuration | Architecture |
The main purpose of this page is to collect site-specific configuration parameters of the Federated Cloud sites, allowing comparison among them, identify differences, get parameters for a specific site.
If you have any comments on the content of this page, please contact operations @ egi.eu.
Parameters provided by each site are:
- default network name, as the name of the network assigned by default when firing up a VM to the site; at the moment, it might be that the network is private, public or not assigned at all; example: /network/PRIVATE
- default network type, can be public, private, or N/A (not available)
- public network name: name of the public network to be used; usually this is different from the default network, which is private in most of the cases; example: /network/PUBLIC
- port default firewall policy: default policy available at infrastructure level (firewall); usually it's either "all open" or "all closed"
- ports firewall configuration: port configuration on top of the default firewall policy; so you can specify i.e. which ports are open on the firewall if the default configuration is "all closed"; example: 22, ICMP open
- ports default CMF policy: on OpenStack, it is possible to open/close ports using the OpenStack user interface; these "security groups" feature is an additional firewall feature, independent from the infrastructure (low level) firewall, and can be configured by the user (using the Horizon interface) or by API, or asking for support through the EGI Helpdesk. Example: "all open" or "all closed".
- ports policy on CMF: if ports default CMF policy is "all closed", you may want to specify here if there are exceptions. Example: ssh.
- mandatory closed ports: if there are ports that cannot be opened due to local rules or national regulations or infrastructure constraints. Example: 25 is usually not available for security reasons (used 587 instead).
- port configuration requests method: how the site allows to fulfill port reconfiguration requests. Examples: GGUS, Horizon, other ways.
- users requests: please mention here any special requests come from users in the past and that you have worked in order to make a specific use case run on your site.
- comments: if you have any comments to report here that could help us in improving this page.
Site-specific configuration
| default network name | default network type | public network name | port default firewall policy | ports firewall configuration | ports default CMF policy | ports policy on CMF | mandatory closed ports | port configuration requests method | users requests | comments | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 100IT | private | private | public | all open | all closed | none | OpenStack Horizon, GGUS | ||||
| BEgrid-BELNET | /network/1 | public | /network/1 | all closed | 22, ICMP | GGUS ticket | 80, 8080, 443 | some users have requested to limit access to their VMs to a given list of source IPs | |||
| BIFI | all closed | 22,ICMP open | GGUS,email | 8080, 8081 8888, 9443, 61616 (Training VO) to be opened | |||||||
| CESGA | https://fedcloud-services.egi.cesga.es:11443/network/1 |
public | https://fedcloud-services.egi.cesga.es:11443/network/1 |
all open |
all open |
NA (no OpenStack) |
NA (no OpenStack) |
none |
GGUS |
Static DHCP server (IP assigned if network contextualization fails) |
|
| CESNET-MetaCloud | https://carach5.ics.muni.cz:11443/network/24 |
public |
default network name |
all open |
all open |
all open |
all open |
67/udp, 137/udp |
GGUS |
One request to provide a private network. |
As soon as security groups are implemented in OCCI, we will switch to a more restrictive mode where only TCP 22 is open by default. Users will have a self-service control over this via OCCI. |
| CLOUDIFIN | /occi1.1/network/500ed7e7-162e-4d97-916e-bc7bc3ab9b41 |
private |
/occi1.1/network/PUBLIC |
all open |
all open |
all open |
all open |
GGUS |
As we well know by using occi we can create, destroy VMs, attach link networks. Would it not be possible to access (ssh) VMs with private ip through occi? | ||
| CYFRONET-CLOUD | fedcloud.egi.eu-internal-net |
private |
public |
all open |
all open |
all open |
all open |
GGUS |
|||
| FZJ | /network/PRIVATE |
private |
/network/PUBLIC |
all closed |
22, 80, 443, 7000-7020 |
all closed |
all closed, except for 22, 80, 443, 7000-7020 |
25 |
Openstack Horizon portal, GGUS |
3306, redirected to 7000; 25 (from the inside), redirected to 587. |
Ports 7000-7020 have been defined by our network security team. We have so far redirected any requests for other ports to this range. There was a debate once when users insisted on port 3306 for MySQL, however we convinced them that their client was flawed by not supporting other ports. In the same way, users expected to be able to send email via port 25, we convinced them that port 587 is intended for that purpose. |
| GoeGrid | |||||||||||
| HG-09-Okeanos-Cloud | |||||||||||
| IFCA-LCG2 | all open |
all closed |
ICMP open |
OpenStack Horizon, GGUS |
|||||||
| IISAS-FedCloud | /occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5 |
public |
/occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5 |
all open |
all closed | 22,ICMP open |
Openstack Horizon portal, GGUS |
network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms | |||
| IISAS-Nebula | https://nebula2.ui.savba.sk:11443/network/1 |
public |
https://nebula2.ui.savba.sk:11443/network/1 |
all open |
all closed | 22, ICMP open |
GGUS |
||||
| IISAS-GPUCloud | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC |
public | https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC |
all open |
all closed | 22, ICMP open | Openstack Horizon portal, GGUS |
port 8899 by enmr.eu |
network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms | ||
| IN2P3-IRES | private |
PUBLIC |
all closed |
22/80/443/8080 and ICMP open |
Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports. |
21, 25 |
OpenStack for 80/443/8080, GGUS otherwise |
user are not allowed to create / modify / delete security groups (in particular in a catch-all VO). Comment from the ticket: There is no name for the default network. In deed, with OpenStack and OOI, private networks does not have default name (like the public one). Each private network has its own ID (it is different for each project / VO. | |||
| INFN-CATANIA-STACK | |||||||||||
| INFN-PADOVA-STACK | all closed |
22 open |
GGUS |
80, 8899 (from upv.es servers only, it was needed for users who wanted to use IM and/or EC3, now has been closed due to the CRITICAL vulnerability announced the 12th of October 2016 |
here i am talking about ports open at the institute firewall level (as pointed out by Jerome's mail), while in principle every user should be able via OCCI [1] to open the desired ports by setting up his own OpenStack security group for his VM. Of course if he opens via security groups e.g. port 443 but at institute firewall level port 443 is closed, he'll not be able to reach port 443 from outside INFN-PADOVA | ||||||
| RECAS-BARI | public |
all open |
all open |
Horizon Dashboard, GGUS | several ports because fedcloud users are currently running different services: web portals and applications (80/8080,443), onedata (9443), hadoop, elasticsearch, etc. |
||||||
| SCAI | |||||||||||
| TR-FC1-ULAKBIM | all closed | 22/443 open by default | GGUS | ||||||||
| UPV-GRyCAP | |||||||||||
| NCG-INGRID-PT | <PROJECTNAME>_private_net |
private |
public_net |
all open |
Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports. |
Horizon Dashboard, GGUS |
Horizon Dashboard, GGUS |