From: Valentin Aitken
To: dev@brooklyn.apache.org
Subject: Single config for TCP/UDP port opening on clouds and on OSs
Date: Mon, 22 May 2017 19:09:27 +0300

Hi Brooklyners,

There is a customer requirement to have a simple, single config for opening TCP and UDP ports at cloud level and at OS level. Later, one would also want to open ports during runtime with an effector.

Currently, opening ports on the **cloud** on **provisioning** is possible for security groups with a jclouds customizer, org.apache.brooklyn.location.jclouds.networking.SharedLocationSecurityGroupCustomizer. The SharedLocationSecurityGroupCustomizer functionality can be added on the entity and used during runtime by setting `effector.add.openInboundPorts: true` on the entity.

We have location config `openIptables: true`.

---

What a customer would like to also have is:

For PortForwarder to have the same functionality as in SharedLocationSecurityGroupCustomizer:
- Opening UDP port rules
- Opening ranges of TCP and UDP ports
- The above to be configurable at runtime

For PortForwarder port openings and SharedLocationSecurityGroupCustomizer, the customer is looking for one way of config which would map the rules depending on the cloud. For that it would also be good to turn off the jclouds customizer for clouds which do not support security groups and have only jclouds inboundPorts, so the user has a seamless config.

----

One would also like the cloud rules defined above to be mapped to OS rules. This is currently supported with the `openIptables: true` flag. However it lacks:
- UDP port opening
- Opening ranges of UDP and TCP ports

OS firewall requirement 2:
- TCP, UDP port opening for Windows

However, when it comes to runtime port opening, `openIptables: true` is not enough.

----

Rough suggestions on approaching the problem:

As a starting point for implementing the requirements, I first want to discuss the best place to plug in the pieces of port logic. I am looking at the problem in two main parts: cloud (jclouds) port opening and OS port opening.

Aled once said we should try to bind port rules to the entity rather than the location. That is already the case for inbound ports [1]. Because of the specifics of jclouds inboundPorts, they are obtained from the entity and passed to the location before provisioning.

---

Cloud level suggestion:

For PortForwarder clouds I am thinking of something very similar to SharedLocationSecurityGroupCustomizer, probably using an abstract class for both. Then wrap the SharedLocationSecurityGroupCustomizer and PortForwarderPortCustomizer in a customizer which will use one of them depending on the cloud. Rules applied to a cloud by the above cloud port opener should then be passed on for OS-level application.

---

OS level suggestion:

Replace `openIptables: true` with a MultiOSPortOpenerMachineCustomizer which understands the cloud port rules created in the previous step. MultiOSPortOpenerMachineCustomizer would add WindowsPortOpener, IptablesPortOpener or FirewalldPortOpener depending on the OS.

Hopefully all described above can be done at runtime with an effector similar to `effector.add.openInboundPorts: true` [2] (a brooklyn.initializer would be better than a config). Similarly to the above, add an initializer which adds an effector which will open ports on cloud and OS level depending on the case.

[1] https://github.com/apache/brooklyn-server/blob/0.11.x/software/base/src/main/java/org/apache/brooklyn/entity/software/base/SoftwareProcessImpl.java#L491-L524
[2] https://github.com/apache/brooklyn-server/blob/0.11.x/software/base/src/main/java/org/apache/brooklyn/entity/software/base/SoftwareProcessImpl.java#L132

--
Valentin Aitken
Software Engineer
Cloudsoft Corporation Ltd.
www.cloudsoft.io
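Added illustration, not part of the original message and not Brooklyn code: a stand-alone Python sketch of the "single config" idea the proposal describes. One list of port specs (TCP/UDP, single ports or ranges) is parsed once, validated, and then rendered for a security-group style cloud, for a flat inboundPorts list (assumed here to be TCP-only, which is why UDP rules are reported back as unmapped rather than silently dropped), and for iptables, firewalld and the Windows firewall. The function and class names (PortRule, render_for_os, OS_RENDERERS) are this example's own; the generated iptables, firewall-cmd and netsh command syntax is standard CLI syntax, and the sample config is constructed.

```python
"""Added illustration for the single port-config proposal: parse one list of
port specs and render it for a cloud security group, for an inboundPorts-style
flat list, and for three OS firewalls. Constructed example, not Brooklyn code;
the Brooklyn customizer classes named in the email are not modelled here."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortRule:
    protocol: str  # "tcp" or "udp"
    start: int     # first port of the range (inclusive)
    end: int       # last port of the range (inclusive)


def parse_port_spec(spec: str) -> PortRule:
    """Parse 'tcp:22', 'udp:5000-5010' or a bare '8080' (assumed TCP).

    Rejects unknown protocols and ranges that are inverted or outside
    1..65535, so a typo in the config fails early instead of opening
    nothing or too much.
    """
    spec = spec.strip().lower()
    proto, _, ports = spec.partition(":")
    if not ports:  # no ':' at all -> everything landed in proto
        proto, ports = "tcp", proto
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol in {spec!r}")
    lo, _, hi = ports.partition("-")
    start, end = int(lo), int(hi or lo)
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range in {spec!r}")
    return PortRule(proto, start, end)


def parse_port_specs(specs: List[str]) -> List[PortRule]:
    return [parse_port_spec(s) for s in specs]


def _range_text(rule: PortRule, sep: str) -> str:
    """'22' for a single port, '5000<sep>5010' for a range."""
    return str(rule.start) if rule.start == rule.end else f"{rule.start}{sep}{rule.end}"


def to_security_group_rules(rules: List[PortRule], cidr: str = "0.0.0.0/0") -> List[Tuple[str, int, int, str]]:
    """Cloud level: one (protocol, from_port, to_port, cidr) entry per rule,
    the shape security-group APIs accept (UDP and ranges included)."""
    return [(r.protocol, r.start, r.end, cidr) for r in rules]


def to_inbound_ports(rules: List[PortRule]) -> Tuple[List[int], List[PortRule]]:
    """Clouds without security groups: only a flat list of TCP ports can be
    expressed (assumption: an inboundPorts-style list is TCP only). Returns
    (ports, unmapped_rules) so the caller can fail loudly on UDP."""
    ports, unmapped = set(), []
    for r in rules:
        if r.protocol == "tcp":
            ports.update(range(r.start, r.end + 1))
        else:
            unmapped.append(r)
    return sorted(ports), unmapped


def to_iptables(rules: List[PortRule]) -> List[str]:
    return [f"iptables -I INPUT -p {r.protocol} --dport {_range_text(r, ':')} -j ACCEPT" for r in rules]


def to_firewalld(rules: List[PortRule]) -> List[str]:
    cmds = [f"firewall-cmd --permanent --add-port={_range_text(r, '-')}/{r.protocol}" for r in rules]
    return cmds + ["firewall-cmd --reload"]


def to_windows(rules: List[PortRule]) -> List[str]:
    cmds = []
    for r in rules:
        ports = _range_text(r, "-")
        cmds.append(f'netsh advfirewall firewall add rule name="open-{r.protocol}-{ports}" '
                    f"dir=in action=allow protocol={r.protocol.upper()} localport={ports}")
    return cmds


# One rule set, one opener per OS: the dispatch a multi-OS machine customizer
# would perform (sketch only; not the proposed Brooklyn class).
OS_RENDERERS: Dict[str, object] = {"iptables": to_iptables, "firewalld": to_firewalld, "windows": to_windows}


def render_for_os(rules: List[PortRule], os_name: str) -> List[str]:
    try:
        return OS_RENDERERS[os_name](rules)
    except KeyError:
        raise ValueError(f"no port opener for OS {os_name!r}") from None


if __name__ == "__main__":
    sample = ["tcp:22", "udp:5000-5010", "8080"]  # constructed single config
    rules = parse_port_specs(sample)
    print(to_security_group_rules(rules))
    print(to_inbound_ports(rules))
    for name in OS_RENDERERS:
        print(name, render_for_os(rules, name))
```

The point of returning the unmapped UDP rules from to_inbound_ports, rather than dropping them, is the seamless-config goal from the message: a cloud that only understands a flat TCP port list must make the gap visible so the operator knows those ports are closed at cloud level and not assume the OS rules alone are reachable.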