This repository was archived by the owner on Jul 18, 2025. It is now read-only.
[EC2 driver] Only open SSH, docker and swarm ports on the first security group #3856
Hi,
PR #3111 enabled the EC2 driver to handle setting multiple security groups on EC2 instances. Yet, this also opens SSH, docker and swarm ports for each security group set using the `--amazonec2-security-group` flag, which (I think) is useless and unexpected. Setting the rule on one security group only would be sufficient, proper and safer. This PR opens the required ports on the first security group provided only. Therefore, this makes the CLI options order-sensitive (I don't know if it is already). Maybe that's not what is expected either.
If this is problematic, another solution I could implement could be to set the main security group using the `--amazonec2-security-group docker-sg` flag and set extra security groups using some kind of `--amazonec2-extra-security-group some-extra-sg` flag. This would mean that only one `--amazonec2-security-group` flag could be accepted, but multiple `--amazonec2-extra-security-group` flags could be provided (with no order consideration).
Another (less intrusive) solution that would address my issue as a side-effect would be to add a flag that would make the driver trust the security groups provided and not try to update them. You'd have to pre-configure them using the AWS CLI.
Please, let me know what is acceptable to you, and tell me where and how I can document this if ever it's needed.
Thank you.
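As an added illustration of the behaviour discussed in this PR (example code, not docker/machine's own): a Go model of how the driver's world-open rules land on every attached security group versus only the first one, plus a check that reports which attached groups actually expose the machine ports. The port numbers (22, 2376, 3376), the simplified types and the function names are assumptions; the PR text names only the services.

```go
package main

import "fmt"

// machinePorts are the ports the driver opens; the PR names the services only, so
// 22 (SSH), 2376 (Docker TLS) and 3376 (Swarm) are assumed values.
var machinePorts = []int{22, 2376, 3376}

// Constructed stand-ins for the EC2 IpPermission and SecurityGroup structures.
type IngressRule struct {
	FromPort, ToPort int
	CIDR             string
}
type SecurityGroup struct {
	ID    string
	Rules []IngressRule
}

// applyDriverRules models provisioning: firstOnly=false opens every machine port to
// the world on every group (pre-PR behaviour), firstOnly=true only on the first group.
func applyDriverRules(groups []SecurityGroup, firstOnly bool) {
	for i := range groups {
		if firstOnly && i > 0 {
			break
		}
		for _, p := range machinePorts {
			groups[i].Rules = append(groups[i].Rules, IngressRule{p, p, "0.0.0.0/0"})
		}
	}
}

// exposedMachinePorts reports which machine ports a group exposes to 0.0.0.0/0
// (ascending), so an operator can verify which attached groups received the rules.
func exposedMachinePorts(sg SecurityGroup) []int {
	var out []int
	for _, p := range machinePorts {
		for _, r := range sg.Rules {
			if r.CIDR == "0.0.0.0/0" && r.FromPort <= p && p <= r.ToPort {
				out = append(out, p)
				break
			}
		}
	}
	return out
}
func main() { // constructed input: main group plus an extra group with an internal-only rule
	groups := []SecurityGroup{{ID: "docker-sg"}, {ID: "some-extra-sg", Rules: []IngressRule{{0, 65535, "10.0.0.0/8"}}}}
	applyDriverRules(groups, true)
	for _, g := range groups { fmt.Printf("%s exposes %v to the world\n", g.ID, exposedMachinePorts(g)) }
}
```

With `firstOnly=true` only `docker-sg` reports the three ports; switching it to `false` reproduces the pre-PR result, where `some-extra-sg` reports them too.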