Posted to dev@libcloud.apache.org by Paul Querna <pq...@apache.org> on 2010/01/25 22:39:38 UTC

[libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Any thoughts about how we should make generic firewall configurations?

For ec2 specifically, it's kinda annoying if you boot a node and you
can't... access it at all :)


---------- Forwarded message ----------
From:  <pq...@apache.org>
Date: Mon, Jan 25, 2010 at 1:37 PM
Subject: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py
To: libcloud-commits@incubator.apache.org


Author: pquerna
Date: Mon Jan 25 21:37:44 2010
New Revision: 902984

URL: http://svn.apache.org/viewvc?rev=902984&view=rev
Log:
Add create_security_group and authorize_security_group_permissive to ec2 driver.

Modified:
   incubator/libcloud/trunk/libcloud/drivers/ec2.py

Modified: incubator/libcloud/trunk/libcloud/drivers/ec2.py
URL: http://svn.apache.org/viewvc/incubator/libcloud/trunk/libcloud/drivers/ec2.py?rev=902984&r1=902983&r2=902984&view=diff
==============================================================================
--- incubator/libcloud/trunk/libcloud/drivers/ec2.py (original)
+++ incubator/libcloud/trunk/libcloud/drivers/ec2.py Mon Jan 25 21:37:44 2010
@@ -270,6 +270,42 @@
                    self.connection.request('/', params=params).object)
        return images

+    def create_security_group(self, name, description):
+        params = {'Action': 'CreateSecurityGroup',
+                  'GroupName': name,
+                  'GroupDescription': description}
+        return self.connection.request('/', params=params).object
+
+    def authorize_security_group_permissive(self, name):
+        results = []
+        params = {'Action': 'AuthorizeSecurityGroupIngress',
+                  'GroupName': name,
+                  'IpProtocol': 'tcp',
+                  'FromPort': '0',
+                  'ToPort': '65535',
+                  'CidrIp': '0.0.0.0/0'}
+        try:
+            results.append(self.connection.request('/',
params=params.copy()).object)
+        except Exception, e:
+            if e.args[0].find("InvalidPermission.Duplicate") == -1:
+                raise e
+        params['IpProtocol'] = 'udp'
+
+        try:
+            results.append(self.connection.request('/',
params=params.copy()).object)
+        except Exception, e:
+            if e.args[0].find("InvalidPermission.Duplicate") == -1:
+                raise e
+
+        params.update({'IpProtocol': 'icmp', 'FromPort': '-1', 'ToPort': '-1'})
+
+        try:
+            results.append(self.connection.request('/',
params=params.copy()).object)
+        except Exception, e:
+            if e.args[0].find("InvalidPermission.Duplicate") == -1:
+                raise e
+        return results
+
    # name doesn't apply to EC2 nodes.
    def create_node(self, **kwargs):
        name = kwargs["name"]
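
Review bot: `authorize_security_group_permissive` takes nothing but the group name, so the only rule it can add is every TCP and UDP port (`'FromPort': '0'`, `'ToPort': '65535'`) plus all ICMP from `'CidrIp': '0.0.0.0/0'`; a caller who merely wants SSH reachable has no narrower option on this driver. Suggest accepting a port list and a `cidr_ip` argument (keeping the wide-open values only as an explicit opt-in) and a docstring that states what the method exposes, so the next reader does not have to infer it from the parameter dict. Separately, the duplicate check `if e.args[0].find("InvalidPermission.Duplicate") == -1:` assumes `e.args[0]` is a string: an exception raised with no arguments turns into an IndexError inside the handler and hides the original error (`"InvalidPermission.Duplicate" in str(e)` is safer), and the three identical try/except blocks could collapse into one loop over `('tcp', '0', '65535')`, `('udp', '0', '65535')`, `('icmp', '-1', '-1')`.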

Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Adrian Cole <fe...@gmail.com>.
+1 to ignore if irrelevant.

On Mon, Jan 25, 2010 at 3:53 PM, Jed Smith <je...@jedsmith.org> wrote:

> On Jan 25, 2010, at 6:32 PM, Paul Querna wrote:
>
> > Should we throw an exception if a provider can't support that, but it
> > was requested by the API user?
>
> No.  Ignore it quietly.
>
> In the Linode case, there is no security configuration to allow -- that's
> up to configuration after boot.  Rather than me patching the Linode driver
> to ignore inbound_tcp_ports if provided, a better default is that it's a
> feature that some providers implement and others ignore quietly...
>
> JS
>
>

Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Jed Smith <je...@jedsmith.org>.
On Jan 25, 2010, at 8:27 PM, Paul Querna wrote:

> On Mon, Jan 25, 2010 at 3:53 PM, Jed Smith <je...@jedsmith.org> wrote:
>> On Jan 25, 2010, at 6:32 PM, Paul Querna wrote:
>> 
>>> Should we throw an exception if a provider can't support that, but it
>>> was requested by the API user?
>> 
>> No.  Ignore it quietly.
>> 
>> In the Linode case, there is no security configuration to allow -- that's
>> up to configuration after boot.  Rather than me patching the Linode driver
>> to ignore inbound_tcp_ports if provided, a better default is that it's a
>> feature that some providers implement and others ignore quietly...
> 
> What I meant is, if the provider does firewall ports by default, but
> there isn't an API to open them.

That I'm on board with.  (Is there such a company?)

> If the provider defaults to open ports, ya, 'ignore' is fine, but to
> ignore it if they default to closed ports really sucks, as then you
> don't have a portable booting a machine to do X.


Well, if libcloud's API guarantees that after a node is created the
provided ports will be open, ignoring it is safe in at least Linode's case
because they certainly will be.

Sounded to me like we were considering raising an exception if the parameter
inbound_tcp_ports was passed but the driver did not handle it -- little
miscommunication there.  I'm on board with THIS idea.  :)

JS


Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Paul Querna <pa...@querna.org>.
On Mon, Jan 25, 2010 at 3:53 PM, Jed Smith <je...@jedsmith.org> wrote:
> On Jan 25, 2010, at 6:32 PM, Paul Querna wrote:
>
>> Should we throw an exception if a provider can't support that, but it
>> was requested by the API user?
>
> No.  Ignore it quietly.
>
> In the Linode case, there is no security configuration to allow -- that's
> up to configuration after boot.  Rather than me patching the Linode driver
> to ignore inbound_tcp_ports if provided, a better default is that it's a
> feature that some providers implement and others ignore quietly...

What I meant is, if the provider does firewall ports by default, but
there isn't an API to open them.

If the provider defaults to open ports, ya, 'ignore' is fine, but to
ignore it if they default to closed ports really sucks, as then you
don't have a portable booting a machine to do X.

Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Jed Smith <je...@jedsmith.org>.
On Jan 25, 2010, at 6:32 PM, Paul Querna wrote:

> Should we throw an exception if a provider can't support that, but it
> was requested by the API user?

No.  Ignore it quietly.

In the Linode case, there is no security configuration to allow -- that's
up to configuration after boot.  Rather than me patching the Linode driver
to ignore inbound_tcp_ports if provided, a better default is that it's a
feature that some providers implement and others ignore quietly...

JS


Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Solomon Hykes <so...@gmail.com>.
On Tue, Jan 26, 2010 at 12:32 AM, Paul Querna <pa...@querna.org> wrote:

> So the proposal would be:
> create_node(...., inbound_tcp_ports=[22, 80, 443])
>
> Would ensure that TCP ports 22, 80, and 443 are open, across all
> drivers -- Other ports may be open to the node, but the api guarantee
> is that at least the ports specified will be open to incoming traffic.

> Should we throw an exception if a provider can't support that, but it
> was requested by the API user?

That seems sensible to me.

Best,
Solomon

Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Paul Querna <pa...@querna.org>.
On Mon, Jan 25, 2010 at 2:00 PM, Solomon Hykes <so...@gmail.com> wrote:
> How about an optional argument defining a list of inbound ports to
> authorize at node creation? The default (for example [22]) should be
> the same across all drivers.

Ya, I think a 'default' of allowing in port 22 is sensible.

So the proposal would be:
create_node(...., inbound_tcp_ports=[22, 80, 443])

Would ensure that TCP ports 22, 80, and 443 are open, across all
drivers -- Other ports may be open to the node, but the api guarantee
is that at least the ports specified will be open to incoming traffic.

Should we throw an exception if a provider can't support that, but it
was requested by the API user?

Thanks,

Paul
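
The contract proposed in this message, together with the "implement or ignore quietly" rule settled in the replies (ignore when the provider is open by default, raise when it is closed and has no API), sketched as an added example. This is not libcloud code and not from the thread: `BaseDriver`, `ensure_inbound_tcp_ports`, `FirewallUnsupportedError` and the fake drivers are hypothetical names. Only the EC2 request keys (`Action`, `GroupName`, `IpProtocol`, `FromPort`, `ToPort`, `CidrIp`) are taken from the committed ec2.py patch; unlike that patch's single tcp 0-65535 rule, each requested port gets its own rule and the source CIDR is a parameter.

```python
# Added example, not libcloud code. Class names, ensure_inbound_tcp_ports and
# FirewallUnsupportedError are hypothetical; only the EC2 request keys below
# ('Action', 'GroupName', 'IpProtocol', 'FromPort', 'ToPort', 'CidrIp')
# come from the committed ec2.py patch.
from typing import Dict, List, Sequence


class FirewallUnsupportedError(Exception):
    """Provider filters inbound traffic by default and has no API to open it,
    so the inbound_tcp_ports guarantee cannot be honoured."""


def validate_ports(ports: Sequence[int]) -> List[int]:
    """Reject anything that is not a TCP port number; return sorted unique ports."""
    out = set()
    for p in ports:
        if isinstance(p, bool) or not isinstance(p, int) or not 0 <= p <= 65535:
            raise ValueError("invalid TCP port: %r" % (p,))
        out.add(p)
    return sorted(out)


def ec2_ingress_params(group_name: str, ports: Sequence[int],
                       cidr_ip: str = "0.0.0.0/0") -> List[Dict[str, str]]:
    """One AuthorizeSecurityGroupIngress request per requested port.

    Contrast with authorize_security_group_permissive in the patch, which sends
    a single tcp 0-65535 rule: here only the requested ports are exposed and the
    source CIDR is a parameter rather than a constant."""
    return [
        {'Action': 'AuthorizeSecurityGroupIngress',
         'GroupName': group_name,
         'IpProtocol': 'tcp',
         'FromPort': str(p),
         'ToPort': str(p),
         'CidrIp': cidr_ip}
        for p in validate_ports(ports)
    ]


def is_duplicate_error(exc: Exception) -> bool:
    """True when EC2 reports the rule already exists. Unlike indexing
    exc.args[0], this tolerates exceptions raised without arguments."""
    return any("InvalidPermission.Duplicate" in str(a) for a in exc.args)


class BaseDriver:
    """Capability model for the 'implement or ignore quietly' rule."""
    default_inbound = "closed"   # "open": node is reachable before any API call
    has_firewall_api = False     # True: driver can add ingress rules

    def ensure_inbound_tcp_ports(self, ports: Sequence[int]) -> List[Dict[str, str]]:
        ports = validate_ports(ports)
        if self.has_firewall_api:
            return self._open_ports(ports)
        if self.default_inbound == "open":
            return []            # guarantee already holds: ignore quietly
        raise FirewallUnsupportedError(
            "%s filters inbound ports by default and cannot open %r"
            % (type(self).__name__, ports))

    def _open_ports(self, ports: List[int]) -> List[Dict[str, str]]:
        raise NotImplementedError


class FakeEC2Driver(BaseDriver):
    """Closed by default but has a security-group API (hypothetical fake)."""
    default_inbound = "closed"
    has_firewall_api = True

    def __init__(self, group_name: str, cidr_ip: str = "0.0.0.0/0"):
        self.group_name = group_name
        self.cidr_ip = cidr_ip
        self.sent: List[Dict[str, str]] = []   # stands in for connection.request('/', params=...)

    def _open_ports(self, ports: List[int]) -> List[Dict[str, str]]:
        params = ec2_ingress_params(self.group_name, ports, self.cidr_ip)
        self.sent.extend(params)
        return params


class FakeOpenByDefaultDriver(BaseDriver):
    """Linode-like as described in the thread: nothing to configure, all ports reachable."""
    default_inbound = "open"
    has_firewall_api = False


class FakeClosedNoApiDriver(BaseDriver):
    """The case raised in the thread: filtered by default, no API to open ports."""
    default_inbound = "closed"
    has_firewall_api = False


def create_node(driver: BaseDriver, inbound_tcp_ports: Sequence[int] = (22,)):
    """Mimics the proposed create_node(..., inbound_tcp_ports=[...]) with the
    suggested default of port 22 only."""
    return driver.ensure_inbound_tcp_ports(list(inbound_tcp_ports))
```

`create_node(FakeEC2Driver("web", "203.0.113.0/24"), [22, 80, 443])` produces three single-port rules restricted to that CIDR; the open-by-default driver returns an empty list because the guarantee already holds; the closed-with-no-API driver raises instead of silently leaving an unreachable node, which is the distinction the thread arrives at.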

Re: [libcloud] Firewall Configurations, was Fwd: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py

Posted by Solomon Hykes <so...@gmail.com>.
How about an optional argument defining a list of inbound ports to
authorize at node creation? The default (for example [22]) should be
the same across all drivers.

On Monday, January 25, 2010, Paul Querna <pq...@apache.org> wrote:
> Any thoughts about how we should make generic firewall configurations?
>
> For ec2 specifically, it's kinda annoying if you boot a node and you
> can't... access it at all :)
>
>
> ---------- Forwarded message ----------
> From:  <pq...@apache.org>
> Date: Mon, Jan 25, 2010 at 1:37 PM
> Subject: svn commit: r902984 - /incubator/libcloud/trunk/libcloud/drivers/ec2.py
> To: libcloud-commits@incubator.apache.org
>
>
> Author: pquerna
> Date: Mon Jan 25 21:37:44 2010
> New Revision: 902984
>
> URL: http://svn.apache.org/viewvc?rev=902984&view=rev
> Log:
> Add create_security_group and authorize_security_group_permissive to ec2 driver.
>
> Modified:
>    incubator/libcloud/trunk/libcloud/drivers/ec2.py
>
> Modified: incubator/libcloud/trunk/libcloud/drivers/ec2.py
> URL: http://svn.apache.org/viewvc/incubator/libcloud/trunk/libcloud/drivers/ec2.py?rev=902984&r1=902983&r2=902984&view=diff
> ==============================================================================
> --- incubator/libcloud/trunk/libcloud/drivers/ec2.py (original)
> +++ incubator/libcloud/trunk/libcloud/drivers/ec2.py Mon Jan 25 21:37:44 2010
> @@ -270,6 +270,42 @@
>                     self.connection.request('/', params=params).object)
>         return images
>
> +    def create_security_group(self, name, description):
> +        params = {'Action': 'CreateSecurityGroup',
> +                  'GroupName': name,
> +                  'GroupDescription': description}
> +        return self.connection.request('/', params=params).object
> +
> +    def authorize_security_group_permissive(self, name):
> +        results = []
> +        params = {'Action': 'AuthorizeSecurityGroupIngress',
> +                  'GroupName': name,
> +                  'IpProtocol': 'tcp',
> +                  'FromPort': '0',
> +                  'ToPort': '65535',
> +                  'CidrIp': '0.0.0.0/0'}
> +        try:
> +            results.append(self.connection.request('/',
> params=params.copy()).object)
> +        except Exception, e:
> +            if e.args[0].find("InvalidPermission.Duplicate") == -1:
> +                raise e
> +        params['IpProtocol'] = 'udp'
> +
> +        try:
> +            results.append(self.connection.request('/',
> params=params.copy()).object)
> +        except Exception, e:
> +            if e.args[0].find("InvalidPermission.Duplicate") == -1:
> +                raise e
> +
> +        params.update({'IpProtocol': 'icmp', 'FromPort': '-1', 'ToPort': '-1'})
> +
> +        try:
> +            results.append(self.connection.request('/',
> params=params.copy()).object)
> +        except Exception, e:
> +            if e.args[0].find("InvalidPermission.Duplicate") == -1:
> +                raise e
> +        return results
> +
>     # name doesn't apply to EC2 nodes.
>     def create_node(self, **kwargs):
>         name = kwargs["name"]
>