Federated Cloud siteconf

From EGIWiki
Revision as of 12:03, 24 July 2017 by Davidb (talk | contribs) (100IT)
Jump to: navigation, search
Overview For users For resource providers Infrastructure status Site-specific configuration Architecture




The main purpose of this page is to collect site-specific configuration parameters of the Federated Cloud sites, allowing comparison among them, identify differences, get parameters for a specific site.

If you have any comments on the content of this page, please contact operations @ egi.eu.

Site-specific configuration

Parameters provided by each site are:

  • default network name, as the name of the network assigned by default when firing up a VM to the site; at the moment, it might be that the network is private, public or not assigned at all; example: /network/PRIVATE
  • default network type, can be public, private, or N/A (not available)
  • public network name: name of the public network to be used; usually this is different from the default network, which is private in most of the cases; example: /network/PUBLIC
  • port default firewall policy: default policy available at infrastructure level (firewall); usually it's either "all open" or "all closed"
  • ports firewall configuration: port configuration on top of the default firewall policy; so you can specify i.e. which ports are open on the firewall if the default configuration is "all closed"; example: 22, ICMP open
  • ports default CMF policy: on OpenStack, it is possible to open/close ports using the OpenStack user interface; these "security groups" feature is an additional firewall feature, independent from the infrastructure (low level) firewall, and can be configured by the user (using the Horizon interface) or by API, or asking for support through the EGI Helpdesk. Example: "all open" or "all closed".
  • ports policy on CMF: if ports default CMF policy is "all closed", you may want to specify here if there are exceptions. Example: ssh.
  • mandatory closed ports: if there are ports that cannot be opened due to local rules or national regulations or infrastructure constraints. Example: 25 is usually not available for security reasons (used 587 instead).
  • port configuration requests method: how the site allows to fulfill port reconfiguration requests. Examples: GGUS, Horizon, other ways.
  • users requests: please mention here any special requests come from users in the past and that you have worked in order to make a specific use case run on your site.
  • comments: if you have any comments to report here that could help us in improving this page.

100IT

  • default network name: private
  • default network type: private
  • public network name: public
  • port default firewall policy: all open
  • ports firewall configuration:
  • ports default CMF policy: all closed
  • ports policy on CMF:
  • mandatory closed ports: none
  • port configuration requests method: OpenStack Horizon, GGUS
  • users requests:
  • comments:

BEgrid-BELNET

  • default network name: /network/1
  • default network type: public
  • public network name: iihe.ac.be
  • port default firewall policy: all closed
  • ports firewall configuration: 22, ICMP
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: GGUS ticket
  • users requests: 80, 8080, 443
  • comments: some users have requested to limit access to their VMs to a given list of source IPs

BIFI

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22,ICMP open
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: GGUS,email
  • users requests: 8080, 8081 8888, 9443, 61616 (Training VO) to be opened
  • comments:

CESGA

CESNET-MetaCloud

  • default network name: https://carach5.ics.muni.cz:11443/network/24
  • default network type: public
  • public network name: = default network name
  • port default firewall policy: all open
  • ports firewall configuration: all open
  • ports default CMF policy: all open
  • ports policy on CMF: all open
  • mandatory closed ports: 67/udp, 137/udp
  • port configuration requests method: GGUS
  • users requests: One request to provide a private network.
  • comments: As soon as security groups are implemented in OCCI, we will switch to a more restrictive mode where only TCP 22 is open by default. Users will have a self-service control over this via OCCI.

CLOUDIFIN

  • default network name: /occi1.1/network/500ed7e7-162e-4d97-916e-bc7bc3ab9b41
  • default network type: private
  • public network name: /occi1.1/network/PUBLIC
  • port default firewall policy: all open
  • ports firewall configuration: all open
  • ports default CMF policy: all open
  • ports policy on CMF: all open
  • mandatory closed ports:
  • port configuration requests method: GGUS
  • users requests:
  • comments: As we well know by using occi we can create, destroy VMs, attach link networks.

Would it not be possible to access (ssh) VMs with private ip through occi?

CYFRONET-CLOUD

  • default network name: fedcloud.egi.eu-internal-net
  • default network type: private
  • public network name: public
  • port default firewall policy: all open
  • ports firewall configuration: all open
  • ports default CMF policy: all open
  • ports policy on CMF: all open
  • mandatory closed ports:
  • port configuration requests method: GGUS
  • users requests:
  • comments:

FZJ

  • default network name: /network/PRIVATE
  • default network type: private
  • public network name: /network/PUBLIC
  • port default firewall policy: all closed
  • ports firewall configuration: 22, 80, 443, 7000-7020
  • ports default CMF policy: all closed
  • ports policy on CMF: all closed, except for 22, 80, 443, 7000-7020
  • mandatory closed ports: 25
  • port configuration requests method: Openstack Horizon portal, GGUS
  • users requests: 3306, redirected to 7000; 25 (from the inside), redirected to 587.
  • comments: Ports 7000-7020 have been defined by our network security team. We have so far redirected any requests for other ports to this range. There was a debate once when users insisted on port 3306 for MySQL, however we convinced them that their client was flawed by not supporting other ports. In the same way, users expected to be able to send email via port 25, we convinced them that port 587 is intended for that purpose.

GoeGrid

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy:
  • ports firewall configuration:
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method:
  • users requests:
  • comments:

HG-09-Okeanos-Cloud

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy:
  • ports firewall configuration:
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method:
  • users requests:
  • comments:

IFCA-LCG2

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all open
  • ports firewall configuration:
  • ports default CMF policy: all closed
  • ports policy on CMF: ICMP open
  • mandatory closed ports:
  • port configuration requests method: OpenStack Horizon, GGUS
  • users requests:
  • comments:

IISAS-FedCloud

  • default network name:
  • default network type: public
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22,ICMP open
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: Openstack Horizon portal, GGUS
  • users requests:
  • comments: network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms

IISAS-Nebula

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22,ICMP open
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: GGUS
  • users requests:
  • comments:

IISAS-GPUCloud

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22,ICMP open
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: Openstack Horizon portal, GGUS
  • users requests: port 8899 by enmr.eu
  • comments: network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms

IN2P3-IRES

  • default network name:
  • default network type: private
  • public network name: PUBLIC
  • port default firewall policy: all closed
  • ports firewall configuration: 22/80/443/8080 and ICMP open
  • ports default CMF policy: Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.
  • ports policy on CMF:
  • mandatory closed ports: 21, 25
  • port configuration requests method: OpenStack for 80/443/8080, GGUS otherwise
  • users requests:
  • comments: user are not allowed to create / modify / delete security groups (in particular in a catch-all VO). Comment from the ticket: There is no name for the default network. In deed, with OpenStack and OOI, private networks does not have default name (like the public one). Each private network has its own ID (it is different for each project / VO.

INFN-CATANIA-STACK

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy:
  • ports firewall configuration:
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method:
  • users requests:
  • comments:

INFN-PADOVA-STACK

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22 open
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: GGUS
  • users requests: 80, 8899 (from upv.es servers only, it was needed for users who wanted to use IM and/or EC3, now has been closed due to the CRITICAL vulnerability announced the 12th of October 2016
  • comments: here i am talking about ports open at the institute firewall level (as pointed out by Jerome's mail), while in principle every user should be able via OCCI [1] to open the desired ports by setting up his own OpenStack security group for his VM. Of course if he opens via security groups e.g. port 443 but at institute firewall level port 443 is closed, he'll not be able to reach port 443 from outside INFN-PADOVA

RECAS-BARI

  • default network name:
  • default network type: public
  • public network name:
  • port default firewall policy: all open
  • ports firewall configuration: all open
  • ports default CMF policy:
  • ports policy on CMF: Horizon Dashboard, GGUS
  • mandatory closed ports:
  • port configuration requests method:
  • users requests: several ports because fedcloud users are currently running different services: web portals and applications (80/8080,443), onedata (9443), hadoop, elasticsearch, etc.
  • comments:

SCAI

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy:
  • ports firewall configuration:
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method:
  • users requests:
  • comments:

TR-FC1-ULAKBIM

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy: all closed
  • ports firewall configuration: 22/443 open by default
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method: GGUS
  • users requests:
  • comments:

UPV-GRyCAP

  • default network name:
  • default network type:
  • public network name:
  • port default firewall policy:
  • ports firewall configuration:
  • ports default CMF policy:
  • ports policy on CMF:
  • mandatory closed ports:
  • port configuration requests method:
  • users requests:
  • comments:

NCG-INGRID-PT

  • default network name: <PROJECTNAME>_private_net
  • default network type: private
  • public network name: public_net
  • port default firewall policy: all open
  • ports firewall configuration:
  • ports default CMF policy: Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.
  • ports policy on CMF: Horizon Dashboard, GGUS
  • mandatory closed ports:
  • port configuration requests method: Horizon Dashboard, GGUS
  • users requests:
  • comments: