Federated Cloud siteconf

From EGIWiki





The main purpose of this page is to collect the site-specific configuration parameters of the Federated Cloud sites, so that sites can be compared, differences identified, and the parameters of a specific site looked up.

If you have any comments on the content of this page, please contact operations @ egi.eu.

Parameters provided by each site are:

Last update: September 2017

Site-specific configuration


default network name | default network type | public network name | is outgoing connectivity guaranteed by default at start time? | port default firewall policy | ports firewall configuration | ports default CMF policy | ports policy on CMF | mandatory closed ports | port configuration requests method | users requests | comments
100IT private private public YES * all open
all closed
none OpenStack Horizon, GGUS
* Outgoing connectivity is available if an IP address is assigned to the VM's virtual router (this is the case by default). Users can disable this if desired.
BEgrid-BELNET /network/1 public /network/1 YES all closed 22, ICMP


GGUS ticket 80, 8080, 443 some users have requested to limit access to their VMs to a given list of source IPs
CESGA https://fedcloud-services.egi.cesga.es:11443/network/1
public https://fedcloud-services.egi.cesga.es:11443/network/1
YES
all open
all open
NA (no OpenStack)
NA (no OpenStack)
none
GGUS
Static DHCP server (IP assigned if network contextualization fails)

CESNET-MetaCloud https://carach5.ics.muni.cz:11443/network/24
public
public
YES
all open
all open
all open
all open
67/udp, 137/udp
GGUS
One request to provide a private network.
As soon as security groups are implemented in OCCI, we will switch to a more restrictive mode where only TCP 22 is open by default. Users will have a self-service control over this via OCCI.
CLOUDIFIN /occi1.1/network/500ed7e7-162e-4d97-916e-bc7bc3ab9b41
private
/occi1.1/network/PUBLIC
all open
all open
all open
all open

GGUS

As we well know by using occi we can create, destroy VMs, attach link networks.
Would it not be possible to access (ssh) VMs with private ip through occi?
CYFRONET-CLOUD fedcloud.egi.eu-internal-net
private
public
YES
all open
all open
all open
all open

GGUS


FZJ /network/PRIVATE
private
/network/PUBLIC
YES all closed
22, 80, 443, 7000-7020
all closed
all closed, except for 22, 80, 443, 7000-7020
25
Openstack Horizon portal, GGUS
3306, redirected to 7000; 25 (from the inside), redirected to 587.
Ports 7000-7020 have been defined by our network security team. We have so far redirected any requests for other ports to this range. There was a debate once when users insisted on port 3306 for MySQL, however we convinced them that their client was flawed by not supporting other ports. In the same way, users expected to be able to send email via port 25, we convinced them that port 587 is intended for that purpose.
GoeGrid https://occi.cloud.gwdg.de:3100/network/36
public
https://occi.cloud.gwdg.de:3100/network/36
YES all closed
22, 80, 443, ICMP
all open
all open
none
GGUS


HG-09-Okeanos-Cloud public
public
public
yes all open
all open
Not Available
Not Available
None
GGUS

All newly created VMs are getting a public IPv4 and public IPv6 address
IFCA-LCG2 provider-<project VLAN ID>
private
external
NO all open

all closed
any

OpenStack Horizon, GGUS


IISAS-FedCloud /occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5
public
/occi1.1/network/14bd3bc2-5f1a-4948-b94e-bc95e56122e5
YES all open

all closed 22,ICMP open

Openstack Horizon portal, GGUS

network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms
IISAS-Nebula https://nebula2.ui.savba.sk:11443/network/1
public
https://nebula2.ui.savba.sk:11443/network/1
YES all open

all closed 22, ICMP open

GGUS


IISAS-GPUCloud https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC
public https://nova3.ui.savba.sk:8787/occi1.1/network/PUBLIC
YES all open

all closed 22, ICMP open
Openstack Horizon portal, GGUS
port 8899 by enmr.eu
network connections should be monitored, unusual activities (e.g. very high volumes/frequency connections) should raise alarms
IN2P3-IRES /occi1.1/network/9a393ad0-057e-4d74-8a50-1818114caaba
private
/occi1.1/network/PUBLIC
Yes
all closed
22/80/443/8080 and ICMP open
Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.

21, 25
OpenStack for 80/443/8080, GGUS otherwise

Users are not allowed to create / modify / delete security groups (in particular in a catch-all VO). Comment from the ticket: There is no name for the default network. Indeed, with OpenStack and OOI, private networks do not have a default name (like the public one). Each private network has its own ID (it is different for each project / VO).
INFN-CATANIA-STACK
public

all open
all open



Horizon Dashboard, GGUS

INFN-PADOVA-STACK /occi1.1/network/<UUID of the internal project network>
private
/occi1.1/network/PUBLIC
YES
all closed
22 open
all closed
22 open

GGUS
upon request: 8899 (from a given IM/EC3 server), 80 to be negotiated

RECAS-BARI /occi/network/fe82ef7b-4bb7-4c1e-b4ec-ec5c1b0c7333
public
public_net
YES all open except port 111

all closed
ssh (22) open
none
Horizon Dashboard, GGUS several ports because fedcloud users are currently running different services: web portals and applications (80/8080,443), onedata (9443), hadoop, elasticsearch, etc.
Finally we are configuring the private network in the new tenants with the latest version of ooi (1.1.2) that fixes a bug in the listing of networks. So now newly created tenants will also have a private network (isolated) as well as the public one (shared). We encourage you to use the private network whenever this is compatible with the architecture of the virtual infrastructure being deployed. If needed, we can provide direct access to the private network via our VPN (accessible with personal credentials).
SCAI public
public
public
Yes
all closed
ICMP, 22, 80, 443 open
all open
none
none
GGUS

Temporary configuration, because prior configuration with default routed internal network (VxLan) and optional public provider network didn't work, couldn't attach floating public IP through OCCI (worked through horizon).
TR-FC1-ULAKBIM http://fcctrl.ulakbim.gov.tr:8787/occi1.2/network/ed61199b-baac-4524-b801-324f341b0d89 for fedcloud.egi.eu
private
http://fcctrl.ulakbim.gov.tr:8787/occi1.2/network/ed61199b-baac-4524-b801-324f341b0d89

http://fcctrl.ulakbim.gov.tr:8787/occi1.2/network/PUBLIC

yes all closed 22, 443, ICMP open all closed
22, ICMP open
None
GGUS 443

UPV-GRyCAP private private /network/6 yes all closed 22, 443 NA NA None GGUS, email
At this point we are considering the option of migrating to OpenStack
NCG-INGRID-PT <PROJECTNAME>_private_net
private
public_net
all open

Ports 22/tcp and ICMP open by default. Users have the ability to use additional security group to open other ports.
Horizon Dashboard, GGUS

Horizon Dashboard, GGUS


MK-04-FINKICLOUD public
public
public
YES
all closed
ICMP, 22, 80, 443 open
Ports 22/ICMP, 22, 80, 443 are open by default. Users can add an additional security group to open another port.
none
none
GGUS ticket
none

Upgrade campaigns

cASO upgrade

Started on September 21st, 2017. Still open.

The APEL team would like to encourage OpenStack sites to upgrade their version of caso to this version: https://appdb.egi.eu/store/software/caso/releases/1.x/1.1.1/ Sites that are currently running 1.0.X, or were running it in the past, should upgrade and republish the period during which 1.0.X was in use. Sites that never ran 1.0.X, i.e. they went straight to 1.1.0 or never moved away from the older 0.X.X versions, don’t need to republish; they only need to upgrade.

Resource Centre Ticket Status comments
100IT https://ggus.eu/index.php?mode=ticket_info&ticket_id=130665 OPEN
CYFRONET-CLOUD https://ggus.eu/index.php?mode=ticket_info&ticket_id=130666 OPEN
FZJ https://ggus.eu/index.php?mode=ticket_info&ticket_id=130667 OPEN
IFCA-LCG2 https://ggus.eu/index.php?mode=ticket_info&ticket_id=130668 OPEN
IISAS-FedCloud https://ggus.eu/index.php?mode=ticket_info&ticket_id=130669 CLOSED cASO v1.1.1 is already installed. Previous version was 0.3.2.
IISAS-GPUCloud https://ggus.eu/index.php?mode=ticket_info&ticket_id=130670 CLOSED cASO v1.1.1 is already installed. Previous version was 0.3.2.
INFN-CATANIA-STACK https://ggus.eu/index.php?mode=ticket_info&ticket_id=130671 OPEN
RECAS-BARI https://ggus.eu/index.php?mode=ticket_info&ticket_id=130672 OPEN
INFN-PADOVA-STACK https://ggus.eu/index.php?mode=ticket_info&ticket_id=130673 OPEN
TR-FC1-ULAKBIM https://ggus.eu/index.php?mode=ticket_info&ticket_id=130674 OPEN
IN2P3-IRES https://ggus.eu/index.php?mode=ticket_info&ticket_id=130675 OPEN
NCG-INGRID-PT https://ggus.eu/index.php?mode=ticket_info&ticket_id=130676 OPEN
SCAI https://ggus.eu/index.php?mode=ticket_info&ticket_id=130677 CLOSED We went directly to caso 1.1.0 and skipped 1.0.X, so we should not be affected by republishing. We did the upgrade yesterday. Upgraded to caso 1.1.1
CLOUDIFIN https://ggus.eu/index.php?mode=ticket_info&ticket_id=130678 OPEN