Skip to content

Enable NSGs shared between multiple machines#77

Merged
aiyengar2 merged 1 commit intorancher:masterfrom
aiyengar2:new_nsg_requirements
May 21, 2020
Merged

Enable NSGs shared between multiple machines#77
aiyengar2 merged 1 commit intorancher:masterfrom
aiyengar2:new_nsg_requirements

Conversation

@aiyengar2
Copy link
Copy Markdown

@aiyengar2 aiyengar2 commented Mar 27, 2020
edited
Loading

This PR allows users of the Azure driver to submit an NSG name or ARM resource identifier to be used by multiple machines that are provisioned via Rancher Machine. If a user does not submit an NSG name, machine will default to the legacy option of creating an NSG per machine.

Related Issues: rancher/rancher#25342, rancher/rancher#11674, rancher/rancher#17181, rancher/rancher#22147, rancher/rancher#24449

@aiyengar2 aiyengar2 requested a review from a team March 27, 2020 20:49
@aiyengar2 aiyengar2 mentioned this pull request Apr 6, 2020
Closed
@aiyengar2
Copy link
Copy Markdown
Author

aiyengar2 commented Apr 6, 2020

A point of consideration for pooled NSGs in this commit:

In the pooled NSG case, we currently create one network interface per NSG and attach the network interface to the NSG referenced by the driver flag. As a result, when we have x nodes spun up in our node pool, there are x network interfaces (all part of the same subnet) that are attached to the single network security group.

An alternative to this design would be to have the one NSG attached directly to the subnet, as suggested in rancher/rancher#17181 and rancher/rancher#11674. However, I chose not to include that design due to the following two edge cases:

  1. Two node templates sharing the same subnet will be forced to share the same NSG / open port values.
  2. Cleanup logic (detailed here: https://github.com/rancher/machine/blob/master/drivers/azure/azure.go#L462-L480) currently deletes network security groups before deleting the subnet. Therefore, when cleaning up the network security group, it would not be clear whether the network security group is still in use by other nodes (as we haven't attempted to clean up the subnet yet) or this is the last node to be deleted. So to facilitate this logic, it would require a rewrite in the way we handle cleanup logic for nodes, which could have unintended consequences with legacy versions of machine currently running.

Would love to hear if there are any opposing opinions / suggested improvements for this design!

This was referenced Apr 6, 2020
Closed
Closed
Closed
Merged
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch from 4982a68 to 2c82443 Compare April 13, 2020 21:34
@aiyengar2
Copy link
Copy Markdown
Author

aiyengar2 commented Apr 13, 2020

This PR should resolve the following issues:

@aiyengar2 aiyengar2 mentioned this pull request Apr 13, 2020
Closed
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch from 2c82443 to 9b8a945 Compare April 14, 2020 19:18
@aiyengar2 aiyengar2 requested review from luthermonson, mrajashree and superseb and removed request for a team, mrajashree and superseb April 14, 2020 22:24
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch 2 times, most recently from 559965e to c889076 Compare April 19, 2020 22:58
@aiyengar2 aiyengar2 requested a review from mrajashree April 19, 2020 23:05
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch from c889076 to 628ea6c Compare April 21, 2020 23:01
aiyengar2
aiyengar2 commented Apr 21, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/azureutil.go Outdated
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch from 628ea6c to 976ae4a Compare April 27, 2020 04:23
aiyengar2
aiyengar2 commented Apr 27, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/securityrules.go Outdated
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/securityrules.go Outdated
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/securityrules.go Outdated
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/azure.go
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/securityrules.go Outdated
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/util.go Outdated
luthermonson
luthermonson reviewed Apr 28, 2020
View reviewed changes
Comment thread drivers/azure/azureutil/securityrules.go Outdated
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch 3 times, most recently from 6cb4e78 to aad464d Compare May 14, 2020 20:27
@aiyengar2
Copy link
Copy Markdown
Author

aiyengar2 commented May 14, 2020

PR has been simplified based on clarified requirements from #77 (comment) and is ready for re-review!

Double checked that the expected use cases provision correctly:

  • Creating 1 NSG per node when d.NSG is not specified / is empty (legacy)
  • Creating 1 NSG per pool when d.NSG is specified and is not an ARM resource identifier (new default)
  • Using an existing NSG when provided in the ARM resource identifier format
  • Creating a second node in the legacy case with an updated node template creates a brand new NSG with the updated rules. The older node's NSG is not updated, as expected.
  • Creating a second node in the pooled case with an updated node template attaches itself to the pooled NSG and updates the rules accordingly.

@deniseschannon
Copy link
Copy Markdown

deniseschannon commented May 16, 2020

rancher/rancher#24449

luthermonson
luthermonson previously approved these changes May 18, 2020
View reviewed changes
mrajashree
mrajashree previously approved these changes May 18, 2020
View reviewed changes
@aiyengar2 aiyengar2 requested review from deniseschannon and removed request for dramich May 18, 2020 23:55
This was referenced May 19, 2020
Merged
Merged
@maggieliu maggieliu requested review from a team and dramich and removed request for deniseschannon May 19, 2020 16:54
This was referenced May 19, 2020
Closed
Closed
dramich
dramich reviewed May 20, 2020
View reviewed changes
Comment thread drivers/azure/azure.go
dramich
dramich reviewed May 20, 2020
View reviewed changes
Comment thread drivers/azure/azure.go Outdated
Enable NSGs shared between multiple machines
bfde51e 
This commit allows users of the Azure driver to submit an NSG name or ARM resource identifier to be used by multiple machines that are provisioned via Rancher Machine. If a user does not submit an NSG name, machine will default to the legacy option of creating an NSG per machine.
@aiyengar2 aiyengar2 dismissed stale reviews from mrajashree and luthermonson via bfde51e May 21, 2020 17:35
@aiyengar2 aiyengar2 force-pushed the new_nsg_requirements branch from aad464d to bfde51e Compare May 21, 2020 17:35
@aiyengar2 aiyengar2 merged commit 2fbd7ec into rancher:master May 21, 2020
This was referenced May 21, 2020
Merged
Merged
@aiyengar2 aiyengar2 mentioned this pull request Jun 5, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@dramich dramich dramich approved these changes

@luthermonson luthermonson luthermonson left review comments

@mrajashree mrajashree mrajashree left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@aiyengar2 @deniseschannon @luthermonson @mrajashree @dramich