
Platform & Engineering Services, CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it (PES): AI's user access, OpenStack security groups and firewall.


1 AI's user access, OpenStack security groups and firewall
Vítor Gouveia, vitor.gouveia@cern.ch, IT-PES-PS

2 Agenda
– AI development lifecycle
– Puppet 3
– AI user access
– OpenStack security groups
– Firewall

3 AI development lifecycle
Since the last meeting, and following your feedback, we are revising the development lifecycle. All your concerns were taken into account and several changes are going to be introduced:
– easier to control the changes
– easier to test
– easier to maintain a stable production environment
– etc.
More details in future meetings; in the last weeks we have been dealing with Puppet scalability problems. The lifecycle revision will be the top priority after the scalability problems are solved.

4 Migration to the standard workflow
The vocs_devel branch is over. Since 7/6/2013 all your machines have been migrated to the devel branch.
– devel is the current official branch for development and you should use it from now on
– Any issue: please contact me

5 Puppet 3
Since yesterday our infrastructure is running Puppet 3.
– Yesterday: the puppet masters. In a few days all the clients will get it too.
– If you are using the devel branch all your VMs should be working.
– Any issue: agile configuration management support line
Backwards-incompatible changes in 3.x:
– http://docs.puppetlabs.com/puppet/3/reference/whats_new.html#backwards-incompatible-changes-in-3x

6 AI user access - ROOT
There is no ROOT password. Authentication methods:
– Kerberos
– ssh public/private key, injected during the creation of the VM
  – you need to specify this; with the help of Puppet we can populate /root/.ssh/authorized_keys
  – no documentation about this yet
– single-user mode (a VNC console is available in the OpenStack portal): extreme measure

  [vgomesgo@lxplus0157 ~]$ ssh root@voboxvm

7 AI user access - ROOT
Use the hiera variables rootegroups and rootusers:
– rootegroups: a comma separated list of egroups
– rootusers: a comma separated list of users
When those variables are set, the .k5login file receives the users from the egroups and the users list, and only the principals listed there can become root with Kerberos.
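How a .k5login can be derived from the two hiera values above, as an added example (not the CERN puppet code behind rootegroups/rootusers). It assumes that egroups are resolved to member lists by some lookup (here a constructed dict), that egroups may contain other egroups, and that the Kerberos realm is CERN.CH; all three are assumptions of this example, not statements of the slide.

```python
"""Build the .k5login content from the rootegroups / rootusers hiera values.

Added example, not the CERN puppet code behind the hiera variables. The
egroup directory, nesting, and realm below are assumptions of this example.
"""

# Constructed egroup directory: members may be users or other egroups.
# The two groups deliberately reference each other to exercise cycle handling.
EGROUPS = {
    "vobox-admins": ["alice", "bob", "vobox-ops"],
    "vobox-ops": ["carol", "vobox-admins"],
}

REALM = "CERN.CH"  # assumed realm


def split_csv(value):
    """Parse a comma separated hiera value into a list of non-empty names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_egroup(name, egroups, seen=None):
    """Return the set of user names in an egroup, following nested egroups
    and ignoring cycles. Unknown egroups raise KeyError so a typo cannot
    silently produce an empty (root-lockout) or wrong list."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for member in egroups[name]:
        if member in egroups:
            members |= expand_egroup(member, egroups, seen)
        else:
            members.add(member)
    return members


def build_k5login(rootegroups, rootusers, egroups, realm=REALM):
    """Return the .k5login lines: one 'user@REALM' principal per line,
    de-duplicated and sorted so the file is stable across puppet runs."""
    users = set(split_csv(rootusers))
    for egroup in split_csv(rootegroups):
        users |= expand_egroup(egroup, egroups)
    return ["%s@%s" % (user, realm) for user in sorted(users)]
```

Sorting and de-duplicating matters in practice: an unsorted list makes every puppet run rewrite the file and hides real changes in the diff.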

8 AI user access – Interactive
Use the hiera variables:
– Interactiveallowgroups: a comma delimited list of egroups
– Interactiveusers: a comma delimited list of users that will get interactive access
– Interactivedenygroups: a comma delimited list of groups to deny access
Those hiera variables enable interactive access through the puppet module sssd.
– the sssd module is not included by default:

  include("sssd")

  [vgomesgo@lxplus0157 ~]$ ssh vgomesgo@voboxvm

9 AI user access – Interactive
Limit the user/group search base in sssd:
– hiera variables: sssd_ldap_user_search_base, sssd_ldap_group_search_base
Filter users and groups:
– hiera variables: sssd_filter_users, sssd_filter_groups
Those variables overwrite, in the sssd.conf file, the keys:
– ldap_user_search_base
– ldap_group_search_base
– filter_users
– filter_groups
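The mapping from the four hiera variables to the sssd.conf keys, rendered as an added example (not code from the CERN sssd puppet module). The key names are the ones on the slide; the domain name, LDAP bases and filter values are constructed, and the re-adding of root to the filters is a check this example adds: sssd's built-in default for filter_users/filter_groups is root, but an explicit value replaces that default, and a directory entry named root must never be allowed to shadow the local account.

```python
"""Render the sssd.conf keys that the hiera variables on this slide override.

Added example, not code from the CERN sssd puppet module. The domain name,
LDAP bases and filter values are constructed.
"""

# Slide mapping: hiera variable -> sssd.conf key
HIERA_TO_SSSD = {
    "sssd_ldap_user_search_base": "ldap_user_search_base",
    "sssd_ldap_group_search_base": "ldap_group_search_base",
    "sssd_filter_users": "filter_users",
    "sssd_filter_groups": "filter_groups",
}

# Constructed hiera data for one hostgroup.
HIERA = {
    "sssd_ldap_user_search_base": "OU=Users,DC=example,DC=org",
    "sssd_ldap_group_search_base": "OU=e-groups,DC=example,DC=org",
    "sssd_filter_users": "nobody",
    "sssd_filter_groups": "wheel",
}


def ensure_root_filtered(value):
    """sssd's default for filter_users/filter_groups is 'root', but a value
    set in sssd.conf replaces that default. Re-add root so an LDAP entry
    named root can never shadow the local account."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    if "root" not in names:
        names.insert(0, "root")
    return ",".join(names)


def render_domain(hiera, domain="example.org"):
    """Return the lines of the [domain/<name>] section derived from the
    hiera data. Hiera keys that are not set leave sssd's own defaults in
    place, so they produce no line."""
    lines = ["[domain/%s]" % domain]
    for hiera_key, sssd_key in HIERA_TO_SSSD.items():
        if hiera_key not in hiera:
            continue
        value = hiera[hiera_key]
        if sssd_key in ("filter_users", "filter_groups"):
            value = ensure_root_filtered(value)
        lines.append("%s = %s" % (sssd_key, value))
    return lines
```

Narrowing the search bases is also a least-privilege measure: the VM then only resolves the part of the directory it needs, and a misconfigured allow list cannot pull in users from elsewhere in the tree.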

10 AI user access - SUDO
The sudo puppet module provides a simple way to write sudo configuration parts:

  # Allow the aivobox user to run any command, as any user, on any host
  sudo::directive { 'admin_users':
    ensure  => present,
    content => "aivobox ALL=(ALL) ALL",
  }

Note that ALL=(ALL) ALL is full root equivalence; where the service account only needs a few commands, list those commands instead.

11 AI user access – local user access
Local users are managed with the puppet resource user; local groups with the puppet resource group.

  user { 'localuser':
    ensure     => present,
    uid        => '500',
    gid        => 'admin',
    shell      => '/bin/bash',
    home       => '/home/localuser',
    managehome => true,
    password   => '$1$A0PYwHC5$eRrCZkAPSWpRSxfnI0sn./',
  }

The group named in gid must exist (declare it with a group resource). The password attribute takes the already hashed value as it appears in /etc/shadow; this example uses an MD5-crypt ($1$) hash, and new hashes should be generated with SHA-512 crypt ($6$) instead.

12 OpenStack Security groups - Ibex
By default the following network ports are allowed:
– ping (ICMP)
– ssh (TCP port 22)
– RDP (TCP port 3389) for remote access to the console
– AFS (UDP port 7001)
– Any other network port is blocked
To add/change/delete the network ports you need to modify the project security group rules:
– A security group rule lets us specify the type of traffic and the direction that is allowed to pass through a port.
– A security group is a container for security group rules.
Defined per project:
– Different projects can have different security group configurations

13 OpenStack Security groups - Ibex
Independent of the virtual machine's iptables configuration:
– iptables can be managed with the iptables commands on Linux or with the puppet module firewall
The security group is also independent of the CERN firewall configuration, so a port has to be open in every layer to be reachable.
The security groups will be disabled in Grizzly:
– Maybe they will come back later
– Appropriate documentation will be provided

14 Puppet module Firewall
The iptables rules can be managed by the puppet module firewall:

  # Open connection
  firewall { '4411 accept tcp on port':
    state  => 'NEW',
    proto  => 'tcp',
    dport  => '4411',
    action => 'accept',
  }

All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number. Attention: the ordering is dictionary order, i.e. the titles are compared as strings, so '1000 ...' sorts before '22 ...' and a leading space sorts before every digit. Zero-pad the numbers to the same width so that dictionary order matches the numeric order you intended.
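What dictionary ordering does to a rule set, as an added example that is not part of the slide or of the firewall module. It only models how the module orders rules (plain string comparison of the titles) and never touches iptables; the rule titles are constructed. The point it shows: a catch-all drop rule with one more digit than the accept rules sorts first and locks the node down, and zero-padding repairs the order.

```python
"""Why puppetlabs-firewall rule titles need zero-padded numbers.

Added example, not part of the original slide or of the firewall module.
It models the module's ordering only (string comparison of the title).
"""

# Constructed titles in the order the author meant them: accepts first,
# catch-all drop last. Note the drop rule has one more digit.
INTENDED_ORDER = [
    "22 accept ssh",
    "80 accept http",
    "443 accept https",
    "1000 drop everything else",
]


def dictionary_order(titles):
    """Order titles as the module does: as strings, character by character.
    '1000 ...' therefore sorts before '22 ...', and a leading space sorts
    before every digit."""
    return sorted(titles)


def leading_number(title):
    """The digits a title must start with; anything else is rejected."""
    head = title.strip().split(" ", 1)[0]
    if not head.isdigit():
        raise ValueError("firewall title must start with a number: %r" % title)
    return head


def order_matches_numeric(titles):
    """True when dictionary order and numeric order agree, i.e. when the
    rules will be applied in the order the author intended."""
    numeric = sorted(titles, key=lambda t: int(leading_number(t)))
    return dictionary_order(titles) == numeric


def normalize_title(title, width=4):
    """Strip stray whitespace and zero-pad the leading number to `width`
    digits so that dictionary order equals numeric order. Refuses numbers
    wider than `width`, since those would still sort out of place."""
    head = leading_number(title)
    rest = title.strip()[len(head):].strip()
    if len(head) > width:
        raise ValueError("number %s does not fit in %d digits: %r" % (head, width, title))
    return ("%s %s" % (head.zfill(width), rest)).rstrip()
```

Running order_matches_numeric over a hostgroup's titles before pushing to the devel branch is a cheap guard against the lockout case; the same check also flags titles with a leading space, which the module would otherwise sort ahead of every numbered rule.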

15 Puppet module Firewall

  # creating a rule that forwards to a user defined chain
  firewall { '100 forward to MY_CHAIN':
    chain => 'INPUT',
    jump  => 'MY_CHAIN',
  }

  # The namevar here is in the format chain_name:table:protocol
  firewallchain { 'MY_CHAIN:filter:IPv4':
    ensure => present,
  }

  # adding a rule to the chain
  firewall { '100 my rule':
    chain  => 'MY_CHAIN',
    action => 'accept',
    proto  => 'tcp',
    dport  => 5000,
  }

16 Nodes accessible from outside CERN – LanDB set
In order to make your nodes visible from outside, you need to add them to LanDB sets with firewall openings.
Two ways of doing this:
– node level
– cluster/hostgroup level
Quattor way (the responsible of the set should be the CDB-LANDBSET e-group, IT PES):

  "/system/landbset/it_cc_lxplus/active" = true;   # the node is a member of the IT CC LXPLUS set
  "/system/landbset/it_cc_mysql/active" = false;   # the node is not a member of the IT CC MYSQL set

17 Nodes accessible from outside CERN – LanDB set
AI way:
– hiera variable: cernfw_landbset
The variable can be set at:
– hostgroup level
– node level
The hiera value is converted into a fact by the cernfw puppet module:

  cernfw_landbset: it_cc_lxplus

  # facter -p landbset
  it_cc_lxplus

18 Nodes accessible from outside CERN – LanDB set
Only properly configured PRODUCTION instances should be added to LanDB sets with firewall openings.
The security baselines should be fulfilled:
– https://security.web.cern.ch/security/rules/en/baselines.shtml

19 Open a service to the outside - Ibex
Three steps are necessary, and a connection from outside CERN is only accepted when all three layers allow it:
– configure iptables in the nodes (firewall puppet module)
– configure the OpenStack security groups (OpenStack web portal)
– configure the LanDB set (hiera variable cernfw_landbset)
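The three steps modelled as data, as an added example that is not code from the slides: the node's iptables INPUT chain (puppet firewall module), the project's OpenStack security group, and the CERN firewall opening attached to the node's LanDB set. Every configuration below is constructed; the LanDB set name and the openings attributed to it are invented for the example, and nothing here queries iptables, OpenStack or LanDB. It shows which layer blocks a given port and why a node in no LanDB set is unreachable from outside whatever the other two layers say.

```python
"""The three independent filters a connection from outside CERN must pass.

Added example, not code from the original slides. All configuration is
constructed; the LanDB set and its openings are hypothetical.
"""

# Node iptables INPUT chain, already in title (dictionary) order.
IPTABLES_INPUT = [
    {"title": "0000 accept related established", "state": "RELATED,ESTABLISHED", "action": "accept"},
    {"title": "0022 accept ssh", "proto": "tcp", "dport": 22, "action": "accept"},
    {"title": "4411 accept tcp on port 4411", "proto": "tcp", "dport": 4411, "action": "accept"},
    {"title": "9999 drop everything else", "action": "drop"},
]

# Ibex project security group: the default openings of slide 12 plus 4411.
SECURITY_GROUP = [
    {"proto": "icmp"},
    {"proto": "tcp", "port": 22},
    {"proto": "tcp", "port": 3389},
    {"proto": "udp", "port": 7001},
    {"proto": "tcp", "port": 4411},
]

# Hypothetical LanDB set -> CERN firewall openings (proto, port).
LANDB_SETS = {
    "my_service_set": {("tcp", 4411)},
}


def iptables_verdict(rules, proto, dport):
    """First matching rule decides, as in a real chain. Conntrack rules
    never match a NEW connection and are skipped. If no rule matches,
    the chain policy applies; this model assumes ACCEPT, which is why a
    final catch-all drop rule matters."""
    for rule in rules:
        if "state" in rule:
            continue
        if "proto" in rule and rule["proto"] != proto:
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["action"]
    return "accept"


def security_group_allows(rules, proto, port):
    """Security group rules are a pure allow-list; a rule without a port
    (ICMP) matches the whole protocol."""
    return any(r["proto"] == proto and r.get("port") in (None, port) for r in rules)


def cern_firewall_allows(landb_set, proto, port):
    """The CERN firewall only opens what the node's LanDB set declares;
    a node in no set (cernfw_landbset unset) is not reachable at all."""
    return landb_set is not None and (proto, port) in LANDB_SETS.get(landb_set, set())


def reachable(proto, port, from_outside_cern, landb_set=None):
    """Return (reachable, [names of the layers that block]). From inside
    CERN only the first two layers apply; from outside all three must
    allow the traffic."""
    blockers = []
    if iptables_verdict(IPTABLES_INPUT, proto, port) != "accept":
        blockers.append("iptables")
    if not security_group_allows(SECURITY_GROUP, proto, port):
        blockers.append("security group")
    if from_outside_cern and not cern_firewall_allows(landb_set, proto, port):
        blockers.append("CERN firewall (LanDB set)")
    return (not blockers, blockers)
```

Returning the list of blocking layers rather than a bare yes/no is what makes this useful when debugging "the port is open but nothing connects": the answer is almost always that only one or two of the three layers were changed.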

20 Questions?

