Platform & Engineering Services, CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it, PES: AI's user access, OpenStack security groups and firewall.

AI's user access, OpenStack security groups and firewall
Vítor Gouveia, IT-PES-PS

Agenda
- AI development lifecycle
- Puppet 3
- AI user access
- OpenStack security groups
- Firewall

AI development lifecycle
- Since the last meeting, and after your feedback, we are revising the development lifecycle. All your concerns were taken into account and several changes are going to be introduced:
  – easier to control the changes
  – easier to test
  – easier to maintain a stable production environment
  – etc.
- More details in future meetings; in the last weeks we have been dealing with Puppet scalability problems
- This will be the top priority after the scalability problems are solved

Migration to the standard workflow
- The vocs_devel branch is over: since 7/6/2013 all your machines have been migrated to the devel branch
  – devel is the current official branch for development and you should use it from now on
  – Any issue: please contact me

Puppet 3
- Since yesterday our infrastructure is running Puppet 3
  – Yesterday: the puppet masters
  – In a few days all the clients will get it too
- If you are using the devel branch all your VMs should keep working
  – Any issue: agile configuration management support line
- Backwards-incompatible changes in 3.x: see the Puppet 3.x release notes

AI user access – root
- There is no root password
- Authentication methods:
  – Kerberos
  – SSH public/private key, injected during the creation of the VM
    · you need to specify the key at creation time; with the help of Puppet we can also populate /root/.ssh/authorized_keys (no documentation about this yet)
  – single-user mode, through the VNC console available in the OpenStack portal: an extreme measure

AI user access – root
- Use the Hiera variables rootegroups and rootusers:
  – rootegroups: a comma-separated list of egroups
  – rootusers: a comma-separated list of users
- When those variables are set, root's .k5login file receives the members of the egroups plus the users in the list

AI user access – interactive
- Use the Hiera variables:
  – Interactiveallowgroups: a comma-delimited list of egroups
  – Interactiveusers: a comma-delimited list of users that will get interactive access
  – Interactivedenygroups: a comma-delimited list of groups to deny access
- Those Hiera variables enable interactive access through the puppet module sssd
  – the sssd module is not included by default: include("sssd")

AI user access – interactive
- Limit the user/group search base in sssd with the Hiera variables:
  – sssd_ldap_user_search_base
  – sssd_ldap_group_search_base
- Filter users and groups with the Hiera variables:
  – sssd_filter_users
  – sssd_filter_groups
- These variables overwrite, in sssd.conf, the keys:
  – ldap_user_search_base
  – ldap_group_search_base
  – filter_users
  – filter_groups
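As an added example (not the CERN puppet modules), the following Python renders the two artefacts the Hiera variables of the last three slides drive: root's .k5login from rootegroups/rootusers, and the sssd.conf keys for interactive access and filtering, together with a small check that tells you who would actually get in before the configuration is pushed. Assumptions: egroup membership is resolved here from a constructed EGROUPS map instead of CERN LDAP, .k5login principals carry the CERN.CH realm, and the Interactive* lists are mapped onto sssd's simple access provider (simple_allow_groups, simple_allow_users, simple_deny_groups) with deny lists evaluated before allow lists.

```python
# Added example, not CERN's puppet code: render .k5login and sssd.conf keys from
# the Hiera variables on the slides. EGROUPS is constructed sample data.

EGROUPS = {                       # assumption: stand-in for CERN egroup lookups
    "it-pes-ps": ["vgouveia", "alice"],
    "lxbatch-admins": ["bob", "carol"],
    "guests": ["mallory"],
}
KERBEROS_REALM = "CERN.CH"        # assumption: realm suffix written to .k5login


def split_list(value):
    """Hiera values here are comma-separated strings: strip whitespace,
    drop empty entries and duplicates, keep the order."""
    out = []
    for item in (value or "").split(","):
        item = item.strip()
        if item and item not in out:
            out.append(item)
    return out


def resolve_egroups(egroups, directory=EGROUPS):
    """Expand egroup names to member accounts. An unknown egroup is an error:
    failing closed beats silently producing an empty or wrong access list."""
    members = []
    for egroup in egroups:
        if egroup not in directory:
            raise KeyError("unknown egroup: %s" % egroup)
        members.extend(directory[egroup])
    return members


def render_k5login(rootegroups="", rootusers="", directory=EGROUPS):
    """Content of root's .k5login: one principal per line, egroup members
    first, then the explicit users, without duplicates."""
    users = resolve_egroups(split_list(rootegroups), directory) + split_list(rootusers)
    lines = []
    for user in users:
        principal = "%s@%s" % (user, KERBEROS_REALM)
        if principal not in lines:
            lines.append(principal)
    return "\n".join(lines) + "\n"


def render_sssd_keys(interactiveallowgroups="", interactiveusers="",
                     interactivedenygroups="", sssd_filter_users="",
                     sssd_filter_groups="", sssd_ldap_user_search_base="",
                     sssd_ldap_group_search_base=""):
    """Keys for the [domain/...] section of sssd.conf. Assumption: the
    Interactive* lists are mapped onto sssd's 'simple' access provider."""
    keys = {}
    lists = {
        "simple_allow_groups": split_list(interactiveallowgroups),
        "simple_allow_users": split_list(interactiveusers),
        "simple_deny_groups": split_list(interactivedenygroups),
    }
    if any(lists.values()):
        keys["access_provider"] = "simple"
        for name, values in lists.items():
            if values:
                keys[name] = ", ".join(values)
    # Only emit the overwrites that are set: an unset Hiera variable keeps the
    # module default instead of blanking the key in sssd.conf.
    for name, value in (("filter_users", sssd_filter_users),
                        ("filter_groups", sssd_filter_groups),
                        ("ldap_user_search_base", sssd_ldap_user_search_base),
                        ("ldap_group_search_base", sssd_ldap_group_search_base)):
        if value:
            keys[name] = value
    return keys


def interactive_access(user, user_groups, keys):
    """Would this user get interactive access? Assumption: the decision follows
    sssd's simple provider, deny lists first, then allow lists; with no allow
    list at all every user that is not denied gets in."""
    if keys.get("access_provider") != "simple":
        return True
    denied = split_list(keys.get("simple_deny_groups", ""))
    if any(g in denied for g in user_groups):
        return False
    allow_users = split_list(keys.get("simple_allow_users", ""))
    allow_groups = split_list(keys.get("simple_allow_groups", ""))
    if not allow_users and not allow_groups:
        return True
    return user in allow_users or any(g in allow_groups for g in user_groups)


def render_sssd_conf(keys, domain="cern.ch"):
    """Render the keys as an sssd.conf fragment (the domain name is an assumption)."""
    body = "\n".join("%s = %s" % (k, v) for k, v in sorted(keys.items()))
    return "[domain/%s]\n%s\n" % (domain, body)


if __name__ == "__main__":
    print(render_k5login("it-pes-ps", "alice, dave"))
    print(render_sssd_conf(render_sssd_keys(interactiveallowgroups="it-pes-ps",
                                            interactivedenygroups="guests",
                                            sssd_filter_users="root, localuser")))
```

The point of interactive_access is the review step: a user who is in both an allowed and a denied egroup is refused, and an empty allow list means "everyone", which is easy to ship by mistake when a Hiera variable is left unset.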

AI user access – sudo
- The sudo Puppet module provides a simple way to write sudo configuration fragments:

  # Allow the aivobox user to run any command as any user from any host.
  # The user is still prompted for a password (NOPASSWD is not set).
  sudo::directive { 'admin_users':
    ensure  => present,
    content => "aivobox ALL=(ALL) ALL",
  }

AI user access – local user access
- Local users are managed with the Puppet resource user; local groups with the Puppet resource group:

  # The primary group must exist before the account is created
  group { 'admin':
    ensure => present,
  }

  # Local account with a pre-hashed password. The hash is the slide's example;
  # $1$ is MD5-crypt, prefer a $6$ (SHA-512) hash on new systems.
  user { 'localuser':
    ensure     => present,
    uid        => '500',
    gid        => 'admin',
    shell      => '/bin/bash',
    home       => '/home/localuser',
    managehome => true,
    password   => '$1$A0PYwHC5$eRrCZkAPSWpRSxfnI0sn./',
    require    => Group['admin'],
  }

OpenStack security groups – Ibex
- By default the following network ports are allowed:
  – ping (ICMP)
  – SSH (TCP port 22)
  – RDP (TCP port 3389), for remote access to the console
  – AFS (UDP port 7001)
  – any other network port is blocked
- To add/change/delete the network ports you need to modify the project's security group rules
  – a security group rule specifies the type of traffic and the direction that is allowed to pass through a port
  – a security group is a container for security group rules
- Defined per project
  – different projects can have different security group configurations

OpenStack security groups – Ibex
- Independent of the virtual machine's iptables configuration
  – iptables can be managed either with iptables commands on Linux or with the puppet module firewall
- The security groups are also independent of the CERN firewall configuration
- Security groups will be disabled in Grizzly
  – maybe they will come back later
  – so the iptables rules on the node must not rely on them
  – appropriate documentation will be provided

Puppet module firewall
- The iptables rules can be managed by the puppet module firewall:

  # Open a port: accept new TCP connections to port 4411
  firewall { '4411 accept tcp on port':
    state  => 'NEW',
    proto  => 'tcp',
    dport  => '4411',
    action => 'accept',
  }

- All rules employ a numbering system in the resource's title that is used for ordering: when titling your rules, make sure you prefix the rule with a number
- Attention: the ordering is a dictionary order (string comparison), so '100 ...' sorts before '99 ...'; use the same number of digits for every rule

Puppet module firewall

  # A rule in INPUT that jumps to a user-defined chain
  firewall { '100 forward to MY_CHAIN':
    chain => 'INPUT',
    jump  => 'MY_CHAIN',
  }

  # The namevar here is in the format chain_name:table:protocol
  firewallchain { 'MY_CHAIN:filter:IPv4':
    ensure => present,
  }

  # Adding a rule to the chain
  firewall { '100 my rule':
    chain  => 'MY_CHAIN',
    action => 'accept',
    proto  => 'tcp',
    dport  => 5000,
  }
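The dictionary-order warning on the previous slide is easy to get wrong, so here is an added example (not puppetlabs-firewall code, which is the thing being modelled) that reproduces the ordering rule as the slide states it: titles are compared as strings, so '100 accept ssh' is applied before '99 reject ssh from lab' and the more specific reject never matches. The script sorts a constructed rule set both ways, pads the numeric prefixes so that string order equals numeric order, and flags rules that are shadowed by an earlier terminating rule in the same chain. The RULES list and the 10.0.0.0/8 source are constructed sample data; the rule keys mirror the firewall resource attributes used on the slides.

```python
# Added example, not puppetlabs-firewall code: model the dictionary ordering of
# firewall resource titles and find rules that can never match.
import re

TITLE_RE = re.compile(r"^(\d+)\s+(.*)$")
MATCH_FIELDS = ("proto", "dport", "source")

# Constructed sample rules (keys mirror the firewall resource attributes).
RULES = [
    {"title": "100 accept ssh", "chain": "INPUT", "proto": "tcp",
     "dport": "22", "action": "accept"},
    {"title": "99 reject ssh from lab", "chain": "INPUT", "proto": "tcp",
     "dport": "22", "source": "10.0.0.0/8", "action": "reject"},
    {"title": "4411 accept tcp on port", "chain": "INPUT", "proto": "tcp",
     "dport": "4411", "action": "accept"},
    {"title": "100 my rule", "chain": "MY_CHAIN", "proto": "tcp",
     "dport": "5000", "action": "accept"},
    {"title": "9999 drop everything else", "chain": "INPUT", "action": "drop"},
]


def parse_title(title):
    """Split a title into (number, label); a title without a numeric prefix is
    rejected, as the module requires one for ordering."""
    m = TITLE_RE.match(title)
    if not m:
        raise ValueError("firewall title needs a numeric prefix: %r" % title)
    return int(m.group(1)), m.group(2)


def dictionary_order(rules):
    """The order the slide describes: a plain string sort of the titles."""
    return sorted(rules, key=lambda r: r["title"])


def numeric_order(rules):
    """The order people usually expect."""
    return sorted(rules, key=lambda r: parse_title(r["title"])[0])


def pad_title(title, width=4):
    """Zero-pad the prefix so dictionary order equals numeric order,
    e.g. '99 reject ...' -> '0099 reject ...'."""
    number, label = parse_title(title)
    if number >= 10 ** width:
        raise ValueError("prefix %d does not fit in %d digits" % (number, width))
    return "%0*d %s" % (width, number, label)


def covers(a, b):
    """True when every packet matched by b is also matched by a: each match
    field of a is either unset (matches anything) or equal to b's."""
    return all(a.get(f) is None or a.get(f) == b.get(f) for f in MATCH_FIELDS)


def shadowed_rules(rules):
    """Titles of rules that can never match in the applied (dictionary) order
    because an earlier terminating rule in the same chain already covers them.
    Jump rules are not treated as terminating: the target chain may RETURN."""
    dead = []
    applied = {}                     # chain -> terminating rules seen so far
    for rule in dictionary_order(rules):
        earlier = applied.setdefault(rule.get("chain", "INPUT"), [])
        if any(covers(a, rule) for a in earlier):
            dead.append(rule["title"])
        if rule.get("action") in ("accept", "drop", "reject"):
            earlier.append(rule)
    return dead


if __name__ == "__main__":
    print("applied order:", [r["title"] for r in dictionary_order(RULES)])
    print("shadowed:", shadowed_rules(RULES))
    padded = [dict(r, title=pad_title(r["title"])) for r in RULES]
    print("after padding:", [r["title"] for r in dictionary_order(padded)])
    print("shadowed:", shadowed_rules(padded))
```

Padding fixes the ordering, not the numbering: a catch-all drop still has to carry the highest number in its chain, and shadowed_rules is the check to run on the manifest after any renumbering.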

Nodes accessible from outside CERN – LanDB set
- In order to make your nodes visible from outside you need to add them to LanDB sets with firewall openings
- Two ways of doing this: at node level or at cluster/hostgroup level
- Quattor way (the responsible for the set should be the CDB-LANDBSET e-group, IT PES):
  "/system/landbset/it_cc_lxplus/active" = true; denotes that a node is a member of the IT CC LXPLUS set
  "/system/landbset/it_cc_mysql/active" = false; denotes that a node is not a member of the IT CC MYSQL set

Nodes accessible from outside CERN – LanDB set
- AI way: the Hiera variable cernfw_landbset
- The variable can be set at hostgroup level or at node level
- The Hiera value is converted into a fact by the cernfw puppet module:

  cernfw_landbset: it_cc_lxplus

  # facter -p landbset
  it_cc_lxplus

Nodes accessible from outside CERN – LanDB set
- Only properly configured PRODUCTION instances should be added to LanDB sets with firewall openings
- The security baselines must be fulfilled: https://security.web.cern.ch/security/rules/en/baselines.shtml

Open a service to the outside – Ibex
- Three steps are necessary:
  – configure iptables on the nodes (firewall puppet module)
  – configure the OpenStack security groups (OpenStack web portal)
  – configure the LanDB set (Hiera variable cernfw_landbset)
- All three layers must allow the traffic: a block at any one of them keeps the service unreachable, and opening one layer without the others does not expose it

Questions?