cloudstack-dev mailing list archives
From John Kinsella <...@stratosec.co>
Subject Re: Functional Specification for the multiple IPs per NIC
Date Sat, 15 Dec 2012 20:55:16 GMT
Good point there… maybe what we need here is to beef up the password server idea to provide
a standardized conduit to get info down to a VM. Similar to EC2's user-data.

Data I could see this framework providing:
 * System passwords
 * Additional IPs (so need to be able to return data sets, JSON-style maybe?)
 * Encryption keys
 * Metadata about the VM ("webserver," "database," "high-availability," "master")
 * What else?

One very important piece that's missing is a timeout - need to be able to have the object
server provide the object(s) when a VM boots, but should be able to specify for some objects
that after X seconds that data should be thrown away. Hugely important for encryption keys
(I want to provide key to decryption system at boot, but don't want malicious user to be able
to login a week later and easily get that key).

So I'd suggest maybe have one spec to update/expand the password server to be an object server,
and then Jayapal's multiple-IP spec would integrate with that.

Super awesome bonus points: support for fetching/storing said objects in HSM. I've got one
vendor in mind who has a sw solution we're looking at, but following a PKCS#11 format would
probably be best.

John

On Dec 15, 2012, at 11:52 AM, "Kelceydamage@bbits" <kelcey@bbits.ca> wrote:

> This is a prime example where guest scripts make sense for automating the interface alias
> creation. I still think I'm missing something, however: does this include a new fetch-IP API?
> 
> Also the 30 IP limit seems out of place, when I can go in right now and give any guest
> VM 256+ interface aliases without restriction. The default isolated network behind any VR
> is also a /24. Maybe adjust the limit to 256. That way it's more of a logical boundary.
> 
> Thanks
> 
> Sent from my iPhone
> 
> On Dec 15, 2012, at 8:38 AM, John Kinsella <jlk@stratosec.co> wrote:
> 
>> I'd remove the limitation of having 30 IPs per interface. Modern OSes can support
>> way more.
>> 
>> Why no support for basic networking? I can see a small hosting provider with a basic
>> setup wanting to manage web servers...
>> 
>> John
>> 
>> On Dec 14, 2012, at 9:37 AM, Jayapal Reddy Uradi <jayapalreddy.uradi@citrix.com> wrote:
>> 
>>> Hi All,
>>> 
>>> Currently a guest VM by default has one NIC and one IP address assigned.
>>> If you want an extra IP for the guest VM, there is no provision for it in CS.
>>> 
>>> Using the multiple IP addresses per NIC feature, CS can associate an IP address with the
>>> NIC; the user can take that IP and assign it to the VM.
>>> 
>>> Please find the FS for more details.
>>> 
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Multiple+IP+address+per+NIC
>>> 
>>> Please provide your comments on the FS.
>>> 
>>> 
>>> Thanks,
>>> jayapal
>> 
>> Stratosec - Secure Infrastructure as a Service
>> o: 415.315.9385
>> @johnlkinsella
>> 
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
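The "object server" John sketches above (per-VM objects, JSON-style data sets, a TTL after which sensitive objects are thrown away) can be illustrated with a small in-memory model. This is an added example, not CloudStack's password server and not code from the FS or from any poster; CloudStack's real password server on the virtual router works differently. The class and method names (ObjectServer, publish, fetch, sweep, live_objects), the idea of keying objects by an opaque vm_id string, and the sample objects (a password, a list of secondary IPs, a disk encryption key, role tags) are all this example's own assumptions. Expiry is enforced on read as well as by a periodic sweep, and a `once` flag covers the "fetch at boot, never again" case for keys.

```python
"""Sketch of a per-VM object server with expiring objects.

Added illustration only; not CloudStack code. vm_id is an opaque
identifier chosen by the caller (an assumption of this example).
"""
import json
import time
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass
class StoredObject:
    value: Any                    # any JSON-serialisable payload: str, list, dict
    published_at: float           # seconds since epoch when the object was stored
    ttl: Optional[float] = None   # seconds after published_at until it is discarded; None = keep
    once: bool = False            # True: discard on the first successful fetch

    def expired(self, now: float) -> bool:
        return self.ttl is not None and now >= self.published_at + self.ttl


class ObjectServer:
    """Objects are held per VM. An expired object is deleted the moment it is
    asked for, so a stale key is never handed out even if the sweep has not
    run yet; the sweep exists so unrequested objects do not linger either."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, StoredObject]] = {}

    def publish(self, vm_id: str, name: str, value: Any,
                ttl: Optional[float] = None, once: bool = False,
                now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._store.setdefault(vm_id, {})[name] = StoredObject(value, now, ttl, once)

    def fetch(self, vm_id: str, name: str, now: Optional[float] = None) -> Any:
        """Return the object's value, or None if unknown, expired, or already consumed."""
        now = time.time() if now is None else now
        objs = self._store.get(vm_id, {})
        obj = objs.get(name)
        if obj is None:
            return None
        if obj.expired(now):
            del objs[name]        # throw the data away rather than merely hiding it
            return None
        if obj.once:
            del objs[name]        # boot-time secret: first reader gets it, nobody else
        return obj.value

    def live_objects(self, vm_id: str, now: Optional[float] = None) -> Dict[str, Any]:
        """All objects still valid for the VM; honours ttl and once like fetch()."""
        now = time.time() if now is None else now
        names = list(self._store.get(vm_id, {}).keys())   # copy: fetch() may delete
        live = {n: self.fetch(vm_id, n, now) for n in names}
        return {k: v for k, v in live.items() if v is not None}

    def boot_bundle(self, vm_id: str, now: Optional[float] = None) -> str:
        """What a guest agent would pull once at boot, as a single JSON document."""
        return json.dumps(self.live_objects(vm_id, now), sort_keys=True)

    def sweep(self, now: Optional[float] = None) -> int:
        """Purge expired objects for every VM; returns how many were removed."""
        now = time.time() if now is None else now
        removed = 0
        for objs in self._store.values():
            for name in [n for n, o in objs.items() if o.expired(now)]:
                del objs[name]
                removed += 1
        return removed


if __name__ == "__main__":
    # Constructed sample data for one VM; values are placeholders, not real secrets.
    srv = ObjectServer()
    srv.publish("vm-1", "password", "s3cret", now=0)
    srv.publish("vm-1", "secondary_ips", ["10.1.1.20", "10.1.1.21"], now=0)
    srv.publish("vm-1", "disk_key", "base64key==", ttl=300, now=0)   # gone 5 min after publish
    srv.publish("vm-1", "role", ["webserver", "master"], now=0)
    print(srv.boot_bundle("vm-1", now=10))            # at boot: key is present
    print(srv.fetch("vm-1", "disk_key", now=7 * 86400))  # a week later: None
```

The two knobs differ in what they protect against: `ttl` bounds how long an unfetched object survives (a VM that never booted), while `once` stops a later login from re-reading a key the boot process already consumed. A real deployment would also need to authenticate the requester (the existing password server relies on the caller's address on the VR's network) and to store the objects somewhere more durable than a dict.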

