Template Security Groups do not seem to get applied to instances

Asked by Saso Kavcic

I am using a single-node devstack with heat and quantum enabled. In the template I have created there are three instances that have two types of security groups applied in the template. The security groups get created, but they do not seem to get applied to the instances, which instead use the default security group. I would like to know if I am doing something wrong in the template.

Template:
{
  "AWSTemplateFormatVersion" : "2013-05-04",

  "Description" : "AWS CloudFormation template for use with OpenStack. It uses Quantum for networking configuration. It sets up three Ubuntu 12.04 instances, each on its own subnet/network. One instance is set up with bind9 for configuration of DNS server. When stack is created, DNS is not configured, just installed on the instance. The other two instances are used for testing DNS configuration. The three subnets are connected with a router, that is also connected to the external network. Floating IPs are also provided to the spawned instances for external communication.",

  "Parameters" : {
    "KeyName" : {
      "Description" : "Name of an existing EC2 KeyPair to enable SSH access to the instances",
      "Type" : "String"
    },

    "ExtNetUuid" : {
      "Description" : "UUID of the external network to be used for external access",
      "Type" : "String"
    },

    "InstanceType" : {
      "Description" : "DNSServer EC2 instance type",
      "Type" : "String",
      "Default" : "m1.micro",
      "AllowedValues" : [ "t1.micro", "m1.small", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "c1.medium", "c1.xlarge", "cc1.4xlarge", "m1.micro" ],
      "ConstraintDescription" : "must be a valid EC2 instance type."
    },
    "LinuxDistribution": {
      "Default": "U12",
      "Description" : "Distribution of choice",
      "Type": "String",
      "AllowedValues" : [ "U10", "U12" ]
    }
  },

  "Mappings" : {
    "AWSInstanceType2Arch" : {
      "t1.micro" : { "Arch" : "32" },
      "m1.small" : { "Arch" : "32" },
      "m1.large" : { "Arch" : "64" },
      "m1.xlarge" : { "Arch" : "64" },
      "m2.xlarge" : { "Arch" : "64" },
      "m2.2xlarge" : { "Arch" : "64" },
      "m2.4xlarge" : { "Arch" : "64" },
      "c1.medium" : { "Arch" : "32" },
      "c1.xlarge" : { "Arch" : "64" },
      "cc1.4xlarge" : { "Arch" : "64" },
      "m1.micro" : { "Arch" : "64" }
    },
    "DistroArch2AMI": {
      "U12" : { "32" : "U12-i386-cfntools", "64" : "U12-x86_64-cfntools" },
      "U10" : { "32" : "U10-i386-cfntools", "64" : "U10-x86_64-cfntools" }
    }
  },

  "Resources" : {

    "network": {
      "Type": "OS::Quantum::Net",
      "Properties": {
        "name": "local_network"
      }
    },

    "subnet": {
      "Type": "OS::Quantum::Subnet",
      "Properties": {
        "network_id": { "Ref" : "network" },
        "ip_version": 4,
        "cidr": "10.0.10.0/24",
        "allocation_pools": [{"start": "10.0.10.20", "end": "10.0.10.50"}]
      }
    },

    "DNSServerPort": {
      "Type": "OS::Quantum::Port",
      "Properties": {
        "network_id": { "Ref" : "network" },
        "fixed_ips": [{
          "subnet_id": { "Ref" : "subnet" },
          "ip_address": "10.0.10.30"
        }]
      }
    },

    "Client1Port": {
      "Type": "OS::Quantum::Port",
      "Properties": {
        "network_id": { "Ref" : "network" },
        "fixed_ips": [{
          "subnet_id": { "Ref" : "subnet" },
          "ip_address": "10.0.10.31"
        }]
      }
    },

    "Client2Port": {
      "Type": "OS::Quantum::Port",
      "Properties": {
        "network_id": { "Ref" : "network" },
        "fixed_ips": [{
          "subnet_id": { "Ref" : "subnet" },
          "ip_address": "10.0.10.32"
        }]
      }
    },

    "router": {
      "Type": "OS::Quantum::Router"
    },

    "router_interface_private": {
      "Type": "OS::Quantum::RouterInterface",
      "Properties": {
        "router_id": { "Ref" : "router" },
        "subnet_id": { "Ref" : "subnet" }
      }
    },

    "router_gateway_external": {
      "Type": "OS::Quantum::RouterGateway",
      "Properties": {
        "router_id": { "Ref" : "router" },
        "network_id": { "Ref" : "ExtNetUuid" }
      }
    },

    "DNSServerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable ping, SSH and DNS (port 53) access",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "53", "ToPort" : "53", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "udp", "FromPort" : "53", "ToPort" : "53", "CidrIp" : "0.0.0.0/0"}
        ]
      }
    },

    "MinimalSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable only ping and SSH access",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
        ]
      }
    },

    "DNSServer": {
      "Type": "AWS::EC2::Instance",
      "Metadata" : {
        "AWS::CloudFormation::Init" : {
          "config" : {
            "packages" : {
              "apt" : {
                "bind9" : [],
                "dnsutils" : []
              }
            }
          }
        }
      },
      "Properties": {
        "ImageId" : { "Fn::FindInMap" : [ "DistroArch2AMI", { "Ref" : "LinuxDistribution" },
                          { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
        "InstanceType" : { "Ref" : "InstanceType" },
        "KeyName" : { "Ref" : "KeyName" },
        "SecurityGroups" : [ { "Ref" : "DNSServerSecurityGroup" } ],
        "NetworkInterfaces" : [ { "Ref" : "DNSServerPort" } ],
        "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
          "#!/bin/bash -v\n",
          "echo \"nameserver 8.8.8.8\" >> /etc/resolv.conf\n",
          "/opt/aws/bin/cfn-init\n"
        ]]}}
      }
    },

    "Client1": {
      "Type": "AWS::EC2::Instance",
      "Metadata" : {
        "AWS::CloudFormation::Init" : {
          "config" : {
            "packages" : {
              "apt" : {
                "dnsutils" : []
              }
            }
          }
        }
      },
      "Properties": {
        "ImageId" : { "Fn::FindInMap" : [ "DistroArch2AMI", { "Ref" : "LinuxDistribution" },
                          { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
        "InstanceType" : { "Ref" : "InstanceType" },
        "KeyName" : { "Ref" : "KeyName" },
        "SecurityGroups" : [ { "Ref" : "MinimalSecurityGroup" } ],
        "NetworkInterfaces" : [ { "Ref" : "Client1Port" } ],
        "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
          "#!/bin/bash -v\n",
          "echo \"nameserver 8.8.8.8\" >> /etc/resolv.conf\n",
          "/opt/aws/bin/cfn-init\n"
        ]]}}
      }
    },

    "Client2": {
      "Type": "AWS::EC2::Instance",
      "Metadata" : {
        "AWS::CloudFormation::Init" : {
          "config" : {
            "packages" : {
              "apt" : {
                "dnsutils" : []
              }
            }
          }
        }
      },
      "Properties": {
        "ImageId" : { "Fn::FindInMap" : [ "DistroArch2AMI", { "Ref" : "LinuxDistribution" },
                          { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "InstanceType" }, "Arch" ] } ] },
        "InstanceType" : { "Ref" : "InstanceType" },
        "KeyName" : { "Ref" : "KeyName" },
        "SecurityGroups" : [ { "Ref" : "MinimalSecurityGroup" } ],
        "NetworkInterfaces" : [ { "Ref" : "Client2Port" } ],
        "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
          "#!/bin/bash -v\n",
          "echo \"nameserver 8.8.8.8\" >> /etc/resolv.conf\n",
          "/opt/aws/bin/cfn-init\n"
        ]]}}
      }
    }
  },

  "Outputs" : {
  }
}

Security groups in nova:
saso@devstack-new-virt:~/diploma$ nova secgroup-list
+-----------------------------+-------------------------------------------+
| Name                        | Description                               |
+-----------------------------+-------------------------------------------+
| DNS9.DNSServerSecurityGroup | Enable ping, SSH and DNS (port 53) access |
| DNS9.MinimalSecurityGroup   | Enable only ping and SSH access           |
| default                     | default                                   |
+-----------------------------+-------------------------------------------+
saso@devstack-new-virt:~/diploma$

Security group in quantum:
saso@devstack-new-virt:~/diploma$ quantum security-group-list
+--------------------------------------+-----------------------------+-------------------------------------------+
| id                                   | name                        | description                               |
+--------------------------------------+-----------------------------+-------------------------------------------+
| 16e33b54-087a-4237-9b56-e599ff1e26e9 | DNS9.MinimalSecurityGroup   | Enable only ping and SSH access           |
| 1edcc064-8571-410c-8e4a-1ff39d5bf250 | default                     | default                                   |
| 7c6cb905-35b3-4495-9e73-08324c7279c6 | DNS9.DNSServerSecurityGroup | Enable ping, SSH and DNS (port 53) access |
+--------------------------------------+-----------------------------+-------------------------------------------+
saso@devstack-new-virt:~/diploma$

Event list for the stack:
saso@devstack-new-virt:~/diploma$ heat event-list DNS9
+--------------------------+-----+------------------------+-----------------+----------------------+
| logical_resource_id      | id  | resource_status_reason | resource_status | event_time           |
+--------------------------+-----+------------------------+-----------------+----------------------+
| network                  | 843 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:13Z |
| network                  | 844 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:14Z |
| DNSServerPort            | 847 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:15Z |
| subnet                   | 845 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:15Z |
| subnet                   | 846 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:15Z |
| Client2Port              | 849 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:16Z |
| DNSServerPort            | 848 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:16Z |
| Client1Port              | 851 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:17Z |
| Client2Port              | 850 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:17Z |
| Client1Port              | 852 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:18Z |
| MinimalSecurityGroup     | 853 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:19Z |
| MinimalSecurityGroup     | 854 | state changed          | CREATE_COMPLETE | 2013-05-11T21:20:23Z |
| Client1                  | 855 | state changed          | IN_PROGRESS     | 2013-05-11T21:20:24Z |
| Client1                  | 856 | state changed          | CREATE_COMPLETE | 2013-05-11T21:22:46Z |
| Client2                  | 857 | state changed          | IN_PROGRESS     | 2013-05-11T21:22:47Z |
| Client2                  | 858 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:14Z |
| router                   | 859 | state changed          | IN_PROGRESS     | 2013-05-11T21:23:15Z |
| router                   | 860 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:15Z |
| router_gateway_external  | 861 | state changed          | IN_PROGRESS     | 2013-05-11T21:23:15Z |
| DNSServerSecurityGroup   | 865 | state changed          | IN_PROGRESS     | 2013-05-11T21:23:16Z |
| router_gateway_external  | 862 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:16Z |
| router_interface_private | 863 | state changed          | IN_PROGRESS     | 2013-05-11T21:23:16Z |
| router_interface_private | 864 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:16Z |
| DNSServerSecurityGroup   | 866 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:21Z |
| DNSServer                | 867 | state changed          | IN_PROGRESS     | 2013-05-11T21:23:22Z |
| DNSServer                | 868 | state changed          | CREATE_COMPLETE | 2013-05-11T21:23:47Z |
+--------------------------+-----+------------------------+-----------------+----------------------+
saso@devstack-new-virt:~/diploma$

DNS server instance data:
saso@devstack-new-virt:~/diploma$ nova show DNS9.DNSServer
+-----------------------------+------------------------------------------------------------+
| Property                    | Value                                                      |
+-----------------------------+------------------------------------------------------------+
| status                      | ACTIVE                                                     |
| updated                     | 2013-05-11T21:23:46Z                                       |
| OS-EXT-STS:task_state       | None                                                       |
| key_name                    | saso-key                                                   |
| image                       | U12-x86_64-cfntools (61099289-7dd6-4dfe-8384-df8b353385ca) |
| hostId                      | 7e91c36a06dfddd599d91d82e5978b2ec447fb2656f4b4a54c3ee354   |
| OS-EXT-STS:vm_state         | active                                                     |
| flavor                      | m1.micro (84)                                              |
| id                          | 9f826369-553d-4b71-9407-16a88cbafe3b                       |
| security_groups             | [{u'name': u'default'}]                                    |
| user_id                     | 8711545839b64c41b039c1bc92779dbf                           |
| name                        | DNS9.DNSServer                                             |
| created                     | 2013-05-11T21:23:24Z                                       |
| tenant_id                   | c3bc20838ee4425cbe78af1d97d71390                           |
| OS-DCF:diskConfig           | MANUAL                                                     |
| metadata                    | {}                                                         |
| accessIPv4                  |                                                            |
| accessIPv6                  |                                                            |
| local_network network       | 10.0.10.30                                                 |
| progress                    | 0                                                          |
| OS-EXT-STS:power_state      | 1                                                          |
| OS-EXT-AZ:availability_zone | nova                                                       |
| config_drive                |                                                            |
+-----------------------------+------------------------------------------------------------+

Client instance data:
saso@devstack-new-virt:~/diploma$ nova show DNS9.Client1
+-----------------------------+------------------------------------------------------------+
| Property                    | Value                                                      |
+-----------------------------+------------------------------------------------------------+
| status                      | ACTIVE                                                     |
| updated                     | 2013-05-11T21:22:45Z                                       |
| OS-EXT-STS:task_state       | None                                                       |
| key_name                    | saso-key                                                   |
| image                       | U12-x86_64-cfntools (61099289-7dd6-4dfe-8384-df8b353385ca) |
| hostId                      | 7e91c36a06dfddd599d91d82e5978b2ec447fb2656f4b4a54c3ee354   |
| OS-EXT-STS:vm_state         | active                                                     |
| flavor                      | m1.micro (84)                                              |
| id                          | 8718c54f-6d82-43fd-8a89-e94e8c8516a9                       |
| security_groups             | [{u'name': u'default'}]                                    |
| user_id                     | 8711545839b64c41b039c1bc92779dbf                           |
| name                        | DNS9.Client1                                               |
| created                     | 2013-05-11T21:20:27Z                                       |
| tenant_id                   | c3bc20838ee4425cbe78af1d97d71390                           |
| OS-DCF:diskConfig           | MANUAL                                                     |
| metadata                    | {}                                                         |
| accessIPv4                  |                                                            |
| accessIPv6                  |                                                            |
| local_network network       | 10.0.10.31                                                 |
| progress                    | 0                                                          |
| OS-EXT-STS:power_state      | 1                                                          |
| OS-EXT-AZ:availability_zone | nova                                                       |
| config_drive                |                                                            |
+-----------------------------+------------------------------------------------------------+
saso@devstack-new-virt:~/diploma$

In the security_groups field for both the server and the client, only the default security group is listed, not the ones created in the template.
I would like to know if I am doing something wrong, or whether this is a bug in heat.

Question information

Language: English
Status: Answered
For: OpenStack Heat

Jeff Peeler (jpeeler-z) said :
#1

I suspect that if you assign the DNSServerPort in the same security group as the instance the security group will be applied as expected.

Saso Kavcic (sasokavcic66) said :
#2

Can you help me add the security group to the port? I have added the following line to the port properties:
 "security_groups" : [ { "Ref" : "DNSServerSecurityGroup" } ],

But when I try to create the stack I get the following error:

| stack_status_reason | Resource Port "DNSServerPort" failed with: |
| | QuantumClientException: Invalid input for operation: |
| | 'DNSServerSecurityGroup' is not an integer or uuid.

I

Jeff Peeler (jpeeler-z) said :
#3

It appears that you have done so correctly, as I'm getting the same error message. So this is a bug, whose progress you can track via the related bugs link above.

Jeff Peeler (jpeeler-z) said :
#4

The template used with today's code would not be allowed, because SecurityGroups and NetworkInterfaces are not allowed to be used simultaneously. With the fix for bug 1179481 now merged, you should be able to specify the security groups on the port successfully.

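The thread boils down to two template-level checks: an AWS::EC2::Instance must not carry both SecurityGroups and NetworkInterfaces, and a port handed to an instance via NetworkInterfaces needs its own security_groups, otherwise Quantum puts it in the tenant's default group (which is exactly what nova show reported above). The following is an added example, not code from the question, from the answers, or from Heat: a small pre-flight linter for CFN-style Heat templates that reports both conditions, plus a fix_template() helper that applies the remedy from answer #4 by moving the instance's group references onto the referenced ports. SAMPLE_TEMPLATE is a constructed, trimmed copy of the posted template; the function names are this example's own. Whether a {"Ref": <AWS::EC2::SecurityGroup>} resolves to the Quantum UUID the port API expects depends on the Heat version, as the bug referenced in the answers shows, so run this against your own Heat before relying on it.

```python
"""Added example: pre-flight lint for the SecurityGroups/NetworkInterfaces
pattern discussed in the thread.  Not part of Heat or of the original post."""
import copy
import json

# Constructed sample: a trimmed version of the template posted in the question.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2013-05-04",
    "Resources": {
        "network": {"Type": "OS::Quantum::Net",
                    "Properties": {"name": "local_network"}},
        "DNSServerPort": {
            "Type": "OS::Quantum::Port",
            "Properties": {"network_id": {"Ref": "network"},
                           "fixed_ips": [{"subnet_id": {"Ref": "subnet"},
                                          "ip_address": "10.0.10.30"}]},
        },
        "DNSServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Enable ping, SSH and DNS (port 53) access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
                     "CidrIp": "0.0.0.0/0"}]},
        },
        "DNSServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "U12-x86_64-cfntools",
                "InstanceType": "m1.micro",
                # The combination Heat rejects: groups on the instance AND a port.
                "SecurityGroups": [{"Ref": "DNSServerSecurityGroup"}],
                "NetworkInterfaces": [{"Ref": "DNSServerPort"}],
            },
        },
    },
}


def _ref_name(value):
    """Return the logical resource name behind a {"Ref": ...} dict, else None."""
    if isinstance(value, dict) and isinstance(value.get("Ref"), str):
        return value["Ref"]
    return None


def lint_template(template):
    """Return a sorted list of (resource_name, finding) tuples."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        has_sg = bool(props.get("SecurityGroups"))
        ports = [p for p in (_ref_name(i) for i in props.get("NetworkInterfaces", [])) if p]
        if has_sg and ports:
            findings.append((name, "SecurityGroups and NetworkInterfaces set together; "
                                   "Heat rejects this and the groups are not applied"))
        for port_name in ports:
            port = resources.get(port_name, {})
            if port.get("Type") != "OS::Quantum::Port":
                findings.append((name, "NetworkInterfaces refers to %s, which is not an "
                                       "OS::Quantum::Port" % port_name))
                continue
            if not port.get("Properties", {}).get("security_groups"):
                findings.append((port_name, "port has no security_groups; the instance "
                                            "will land in the default group"))
    return sorted(findings)


def fix_template(template):
    """Return a copy with each instance's SecurityGroups moved onto its ports."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for res in resources.values():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        groups = props.pop("SecurityGroups", None)
        if not groups:
            continue
        for iface in props.get("NetworkInterfaces", []):
            port = resources.get(_ref_name(iface))
            if port is None or port.get("Type") != "OS::Quantum::Port":
                continue
            existing = port.setdefault("Properties", {}).setdefault("security_groups", [])
            for group in groups:
                if group not in existing:   # keep any groups the port already had
                    existing.append(group)
    return fixed


if __name__ == "__main__":
    for res_name, msg in lint_template(SAMPLE_TEMPLATE):
        print("%s: %s" % (res_name, msg))
    fixed_port = fix_template(SAMPLE_TEMPLATE)["Resources"]["DNSServerPort"]
    print(json.dumps(fixed_port, indent=2))
```

Run against the posted template, the linter flags DNSServer (both properties set) and DNSServerPort (no security_groups); after fix_template() the port carries the DNSServerSecurityGroup reference and the instance no longer sets SecurityGroups, which is the shape answer #4 describes. The sample keeps the posted group's SSH rule open to 0.0.0.0/0; once the group actually reaches the port that rule is live, so narrow the CidrIp to the address range you manage from.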