Support for fixed private ip address

ystia / yorc

Ystia Orchestrator

https://ystia.github.io

Apache License 2.0

67 stars 23 forks source link

Support for fixed private ip address #498

Open trihoangvo opened 5 years ago

trihoangvo commented 5 years ago

Is your feature request related to a problem? Please describe.

In a4c and yorc, users cannot specify a fixed private ip address for their compute nodes. Missing a fixed ip address is related to the following security threats:

Avoid VMs after reboot to receive a different ip address (and causes disruption of availability).
The automatic configuration of IP addresses enables an attacker to divert traffic or impair communication.

Describe the solution you'd like

TOSCA provides the normative type: tosca.nodes.network.Port (with the property ip_address). So far not implement. (We could help to implement it, but we need to align with you).

Describe alternatives you've considered

May add a property ip_address to the Compute node. However, this is not a normative approach?

Additional context

loicalbertin commented 5 years ago

I agree that this could be great to specify IPs for clouds that support this feature. However here is some things to keep in mind:

Alien4Cloud use a simplified TOSCA model for Networks as specified in known TOSCA differences
I think we should support it both for the (default) admin endpoint (the one that Yorc uses to provision the Compute) and also when connecting to another (business) network.
We should take care of computes having a scalable capability: how to specify multiple addresses when a Compute node has several instances.

We need to think a bit about this, I will dive into the TOSCA spec to see how to implement it. Suggestions welcome! :smile:

trihoangvo commented 5 years ago

Solution (TOSCA-compliant)

If we follow the TOSCA spec precisely, the topology presentation looks like this at the moment. A Port node LinkTo a Network node and also BindsTo a Compute node. Notice the "giant" component presentation for a port type is not nice, but fulfills all requirements.

port1a

A Port has the following properties:

ip_address specifies the fixed ip address.
The other two (ip_range_start and ip_range_end) define the starting and ending IP of a range to be allocated for the compute instances. In practice, a network administrator should allocate all ip range for nodes in the beginning (e.g., he allocates 3 IPs for mongodb00, mongodb01, and mongodb02, etc.).

port1b