yorc
Support for fixed private ip address
Is your feature request related to a problem? Please describe.
In a4c and yorc, users cannot specify a fixed private IP address for their compute nodes. Missing a fixed IP address is related to the following security threats:
- Avoid VMs receiving a different IP address after reboot (which causes disruption of availability).
- The automatic configuration of IP addresses enables an attacker to divert traffic or impair communication.
Describe the solution you'd like
TOSCA provides the normative type `tosca.nodes.network.Port` (with the property `ip_address`). So far not implemented. (We could help to implement it, but we need to align with you.)
Describe alternatives you've considered
May add a property `ip_address` to the Compute node. However, this is not a normative approach?
Additional context
No
I agree that this could be great to specify IPs for clouds that support this feature. However, here are some things to keep in mind:
- Alien4Cloud uses a simplified TOSCA model for Networks, as specified in known TOSCA differences
- I think we should support it both for the (default) admin endpoint (the one that Yorc uses to provision the Compute) and also when connecting to another (business) network.
- We should take care of computes having a scalable capability: how to specify multiple addresses when a Compute node has several instances.
We need to think a bit about this, I will dive into the TOSCA spec to see how to implement it. Suggestions welcome! :smile:
Solution (TOSCA-compliant)
If we follow the TOSCA spec precisely, the topology presentation looks like this at the moment. A `Port` node `LinksTo` a `Network` node and also `BindsTo` a `Compute` node. Notice the "giant" component presentation for a port type is not nice, but fulfills all requirements.
A `Port` has the following properties:
- `ip_address` specifies the fixed IP address.
- The other two (`ip_range_start` and `ip_range_end`) define the starting and ending IP of a range to be allocated for the compute instances. In practice, a network administrator should allocate the whole IP range for the nodes at the beginning (e.g., he allocates 3 IPs for mongodb00, mongodb01, and mongodb02, etc.).