Security Groups and Metadata Service


Security Groups and Metadata Service

Saverio Proto
Hello,

We have this recurring problem with our users.

An advanced user deletes all the default security groups to create his
own. This user will define only ingress rules.

Because there is no egress rule, the cloud-init will fail to open a
connection to the metadata service.

The user will open a ticket that he can't log in to the VM, because of
course the SSH key was not injected.

Does anyone have a good solution to prevent the user from setting the
system in such a way that it does not work?

thank you

Saverio

_______________________________________________
OpenStack-operators mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Re: Security Groups and Metadata Service

Jeremy Stanley
On 2017-12-05 10:32:10 +0100 (+0100), Saverio Proto wrote:
[...]
> Because there is no egress rule, the cloud-init will fail to open a
> connection to the metadata service.
[...]
> Does anyone have a good solution to prevent the user from setting the
> system in such a way that it does not work?

Perhaps not the answer you are looking for, but the metadata service
is far less reliable in most cases than using configdrive metadata
(which recent cloud-init releases should support fine).
--
Jeremy Stanley

Re: Security Groups and Metadata Service

Matt Riedemann-3
On 12/5/2017 3:32 AM, Saverio Proto wrote:

> Hello,
>
> We have this recurring problem with our users.
>
> An advanced user deletes all the default security groups to create his
> own. This user will define only ingress rules.
>
> Because there is no egress rule, the cloud-init will fail to open a
> connection to the metadata service.
>
> The user will open a ticket that he can't log in to the VM, because of
> course the SSH key was not injected.
>
> Does anyone have a good solution to prevent the user from setting the
> system in such a way that it does not work?
>
> thank you
>
> Saverio

There is a config option to force the config drive on the compute
service - can you just set that to True so you're sure all VMs in your
cloud have a config drive so they can get the goodies they need in case
they can't reach the metadata service?

--

Thanks,

Matt

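The failure the thread describes (a recreated security group with ingress rules only, so cloud-init cannot reach the metadata service) can be detected by operators before the user opens a ticket. The following check is an added example, not code from the thread or from OpenStack; it assumes rules in the Neutron API's security_group_rule dict shape, targets the Nova metadata endpoint at 169.254.169.254 on TCP port 80, and runs over constructed sample groups.

```python
import ipaddress

# Where cloud-init looks for the Nova metadata service (link-local, plain HTTP).
METADATA_IP = ipaddress.ip_address("169.254.169.254")
METADATA_PORT = 80

def rule_allows_metadata_egress(rule):
    """True if one Neutron security_group_rule (API dict shape, assumed) lets
    an instance in the group open TCP 169.254.169.254:80 outbound."""
    if rule.get("direction") != "egress" or rule.get("ethertype", "IPv4") != "IPv4":
        return False
    # protocol None means "any"; only tcp (name or number) can carry HTTP.
    if rule.get("protocol") not in (None, "tcp", "6"):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (lo <= METADATA_PORT <= (hi if hi is not None else lo)):
        return False
    # Simplifying assumption: a remote_group_id rule only matches traffic to
    # ports in that group, and the metadata proxy is not an instance port.
    if rule.get("remote_group_id"):
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return True
    return METADATA_IP in ipaddress.ip_network(prefix, strict=False)

def groups_blocking_metadata(groups):
    """Names of groups (name -> rule list) with no rule allowing metadata egress."""
    return sorted(name for name, rules in groups.items()
                  if not any(rule_allows_metadata_egress(r) for r in rules))

def rule(direction, protocol=None, lo=None, hi=None, prefix=None, group=None):
    """Build a constructed rule dict in the Neutron security_group_rule shape."""
    return {"direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample: "default" keeps the stock allow-all egress rule;
# "web-only" was recreated with ingress rules plus egress to the tenant subnet only.
SAMPLE_GROUPS = {
    "default": [rule("egress"), rule("ingress", "tcp", 22, 22, "0.0.0.0/0")],
    "web-only": [rule("ingress", "tcp", 80, 443, "0.0.0.0/0"),
                 rule("egress", "tcp", 1, 65535, "10.0.0.0/24")],
}

if __name__ == "__main__":
    for name in groups_blocking_metadata(SAMPLE_GROUPS):
        print(f"{name}: no egress rule reaches 169.254.169.254:80; cloud-init needs a config drive")
```

In a real deployment the rule dicts would come from the Neutron API (for example the rules of each project's security groups) rather than the constructed sample.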