Spinning nova testbeds in given security-groups

Bug #1429862 reported by Celso Providelo
Affects: autopkgtest (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt

Bug Description

This is a feature request to the current nova-ssh setup support for having more secure testbeds in wild cloud-environments.

I am looking for a way to spin testbeds that are only accessible from a specific keypair (already supported by the --key-pair option) and have access restrictions defined by a specific security group, for instance:

{{{
nova boot ... --security-groups <testbed-0>
}}}

The 'testbed-0' security group would be created prior to the `adt-run`, allowing only ssh connections from the host and possibly internet access (for pkgs which need it). This way the testbed access to other testbeds or infrastructure components within the same cloud could be programmatically restricted.

Tags: patch
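
The security group described in the report could be prepared as follows; this is an added example, not code from the bug report or from autopkgtest. It assumes the legacy python-novaclient `secgroup-create` and `secgroup-add-rule` subcommands, covers only the SSH ingress rule, and uses a constructed host address; the `APPLY` switch and function names are hypothetical.

```shell
#!/bin/sh
# Added example: print (or, with APPLY=1, run) the nova commands that create
# a per-testbed security group admitting only SSH from the adt-run host.
# APPLY and the function names are hypothetical, not part of autopkgtest.

# Accept only a bare token: per the thread, nova rejects quoted group names.
valid_group_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Accept only dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: testbed_secgroup GROUP HOST_IPV4
testbed_secgroup() {
    group=$1 host_ip=$2
    valid_group_name "$group" || { echo "bad group name: $group" >&2; return 2; }
    valid_ipv4 "$host_ip" || { echo "bad host address: $host_ip" >&2; return 2; }
    # The only ingress rule is tcp/22 from one /32 (the adt-run host).
    set -- \
        "nova secgroup-create $group adt-testbed" \
        "nova secgroup-add-rule $group tcp 22 22 $host_ip/32"
    for cmd in "$@"; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then $cmd || return 1; fi
    done
}

# Constructed sample: group name from the report, documentation-range address.
testbed_secgroup testbed-0 192.0.2.10
```

The resulting group name is what is then given to `nova boot ... --security-groups`.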
Martin Pitt (pitti)
Changed in autopkgtest (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Hey Celso,

this is a proposed patch against the current nova setup script. As I cannot test this myself (no cloud access) and don't want to commit it blindly, would you mind giving this a spin?

Thanks!

Celso Providelo (cprov) wrote :

Martin,

I've added a few tweaks to your patch (basically enabling the new option in the `getopt` check and removing quotes from the given secgroups, nova does not like them).

It works, as requested:

{{{
adt-run libpng -d --- ssh -s nova -- --flavor m1.small --image ubuntu-trusty-14.04-amd64-server-20150305-disk1.img --net-id 415a0839-eb05-4e7a-907c-413c657f4bf5 -k foo -s juju-bootstack-10-testbed -d
}}}

tags: added: patch
Martin Pitt (pitti) wrote :

Argh, sorry for missing the getopt call, thanks for fixing! Pushed to http://anonscm.debian.org/cgit/autopkgtest/autopkgtest.git/commit/?id=2810c083

Changed in autopkgtest (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autopkgtest - 3.12

---------------
autopkgtest (3.12) unstable; urgency=medium

  * ssh-setup/adb: Re-enable ssh after reboot, in case an upgrade disables it.
  * ssh-setup/adb: Try to create /userdata/.adb_onlock, to get adb after
    rebooting without human interaction.
  * Fix apt-get install --simulate version parsing with third-party sources.
    (LP: #1430017)
  * ssh-setup-nova: Add --security-groups option. (LP: #1429862)
  * adt-buildvm-ubuntu-cloud: Avoid non-blocking reads from the socket in
    verbose mode, this sometimes causes hangs. Go back to blocking reads, but
    don't wait between them.
  * Fix UnicodeDecodeError on .deb package name reading. (LP: #1430773)
  * adt-virt-ssh: Export $SUDO_ASKPASS to tests if sudo is available.
    (LP: #1431421)

 -- Martin Pitt <email address hidden> Fri, 13 Mar 2015 12:52:49 +0100

Changed in autopkgtest (Ubuntu):
status: Fix Committed → Fix Released