cloudstack-dev mailing list archives

From Anthony Xu <Xuefei...@citrix.com>
Subject RE: [DISCUSS] Security Groups Isolation in Advanced Zone
Date Sat, 19 Jan 2013 01:57:48 GMT
That's why VPC support is not in this FS for 4.1.
After introducing NIC-based SG, instance-based SG will be removed; each NIC of the VM will be associated
with the same instance-based SG through upgrade.


Anthony

> -----Original Message-----
> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> Sent: Friday, January 18, 2013 5:52 PM
> To: CloudStack DeveloperList
> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> 
> That is just so confusing. So if we do ENI-style in 4.2, the rules for
> accessing a VM within a VPC will be the union of
> * ACL accept
> * ACL deny
> * instance-based SG
> * nic based SG
> 
> On 1/18/13 9:50 AM, "Anthony Xu" <Xuefei.Xu@citrix.com> wrote:
> 
> >Thanks for comments,
> >It is nice to have security group in NIC level
> >checked AWS, which is implemented with Elastic Network Interfaces (ENI),
> >but when deploying a VM, all NICs of the VM are associated with the same security
> >groups, which is the same as what we did in the FS.
> >
> >Maybe we can implement NIC-level security group after we have VM NIC hot
> >plug feature (something like ENI) in 4.2.
> >
> >Anthony
> >
> >
> >> -----Original Message-----
> >> From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
> >> Sent: Thursday, January 17, 2013 5:29 PM
> >> To: CloudStack DeveloperList
> >> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >>
> >> I don't think that's what Anthony is saying.
> >> I think he is saying that if a VM is in security groups X,Y,Z, then ALL
> >> nics of the VM are in security groups X,Y,Z.
> >>
> >> The AWS-compatible way is that nics are associated with the security
> >> group.
> >> So, VM's eth0 can be in security group Z and eth1 can be in security group X.
> >> I think we should do it this way.
> >>
> >> On 1/16/13 5:35 PM, "kdamage@apache.org" <kdamage@apache.org> wrote:
> >>
> >> >So the VM will determine its own participation level. A VM can have
> >> >networks with SG and without at the same time. If that's the case this
> >> >feature proposal just got more awesome!
> >> >
> >> >-kd
> >> >
> >> >
> >> >>-----Original Message-----
> >> >>From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
> >> >>Sent: Wednesday, January 16, 2013 5:21 PM
> >> >>To: cloudstack-dev@incubator.apache.org
> >> >>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>
> >> >>Correct,
> >> >>there are several types of guest shared network: Zone-wide guest shared
> >> >>network, Domain-wide guest shared network, Account-specific guest shared
> >> >>network.
> >> >>
> >> >>One VM can be on multiple networks,
> >> >>SG is on VM level, which means SG will be applied to all NICs of this VM.
> >> >>
> >> >>
> >> >>Cheers,
> >> >>Anthony
> >> >>
> >> >>> -----Original Message-----
> >> >>> From: Kelcey Damage (BT) [mailto:kelcey@backbonetechnology.com] On
> >> >>> Behalf Of kdamage@apache.org
> >> >>> Sent: Wednesday, January 16, 2013 5:17 PM
> >> >>> To: cloudstack-dev@incubator.apache.org
> >> >>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>>
> >> >>> Got it,
> >> >>>
> >> >>> So we are still only talking about SG on advanced shared networks.
> >> >>>
> >> >>> Thanks.
> >> >>>
> >> >>>
> >> >>> -kd
> >> >>>
> >> >>>
> >> >>> >-----Original Message-----
> >> >>> >From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
> >> >>> >Sent: Wednesday, January 16, 2013 5:11 PM
> >> >>> >To: cloudstack-dev@incubator.apache.org
> >> >>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >
> >> >>> >In this spec, security group is only supported in shared guest
> >> >>> >network, we might add isolated guest network support later. I have a
> >> >>> >concern about this, normally there is firewall for isolated network,
> >> >>> >if security group is added to isolated network, that means if user
> >> >>> >wants to allow some kind ingress traffic, he might need to program
> >> >>> >both security group and firewall, it might be inconvenient for user.
> >> >>> >
> >> >>> >As for ACL, are you referring to ACL in VPC? in this spec, VPC is not
> >> >>> >supported due to the similar reason of isolated guest network, user
> >> >>> >might need to handle ACL and security group at the same time.
> >> >>> >
> >> >>> >
> >> >>> >Anthony
> >> >>> >
> >> >>> >
> >> >>> >> -----Original Message-----
> >> >>> >> From: Kelcey Damage (BT) [mailto:kelcey@backbonetechnology.com]
> >> >>> >> Sent: Wednesday, January 16, 2013 4:55 PM
> >> >>> >> To: cloudstack-dev@incubator.apache.org
> >> >>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >>
> >> >>> >> So to catch myself up, this will allow functional security group
> >> >>> >> isolation/ACLs on both 'shared' and 'isolated' networks?
> >> >>> >>
> >> >>> >> -kd
> >> >>> >>
> >> >>> >>
> >> >>> >> >-----Original Message-----
> >> >>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturvedi@citrix.com]
> >> >>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
> >> >>> >> >To: cloudstack-dev@incubator.apache.org
> >> >>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >
> >> >>> >> >Folks please pass on comments if any, otherwise it is assumed that
> >> >>> >> >the spec is approved by the community
> >> >>> >> >
> >> >>> >> >> -----Original Message-----
> >> >>> >> >> From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
> >> >>> >> >> Sent: Friday, January 11, 2013 3:53 PM
> >> >>> >> >> To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >> This is upgraded spec,
> >> >>> >> >> Compared to original one, following are major changes
> >> >>> >> >>
> >> >>> >> >> 1.  SG enabled is zone wide parameter, if this zone is SG enabled,
> >> >>> >> >>     all guest networks in this zone must be SG enabled.
> >> >>> >> >> 2.  support all shared network types, includes zone-wide shared
> >> >>> >> >>     network, domain-wide shared networks and account-specific shared
> >> >>> >> >>     networks
> >> >>> >> >> 3.  support multiple SG enabled networks in one SG enabled zone.
> >> >>> >> >> 4.  VM can be on multiple SG enabled networks
> >> >>> >> >> 5.  SG rules apply to all NICs for a VM
> >> >>> >> >> 6.  support both KVM and XenServer.
> >> >>> >> >>
> >> >>> >> >> Comments, question, suggestion and flame are welcome!
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >> Thanks,
> >> >>> >> >> Anthony
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >> > -----Original Message-----
> >> >>> >> >> > From: Dave Cahill [mailto:dcahill@midokura.jp]
> >> >>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
> >> >>> >> >> > To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >> >
> >> >>> >> >> > Hi Anthony,
> >> >>> >> >> >
> >> >>> >> >> > Understood - thanks for the update.
> >> >>> >> >> >
> >> >>> >> >> > Dave.
> >> >>> >> >> >
> >> >>> >> >> >
> >> >>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <Xuefei.Xu@citrix.com>
> >> >>> >> >> > wrote:
> >> >>> >> >> >
> >> >>> >> >> > > Hi Dave,
> >> >>> >> >> > >
> >> >>> >> >> > > For 4.1, this feature is only for shared network on
> >> >>> >> >> > > advanced zone, both XenServer and KVM are supported.
> >> >>> >> >> > > Will upgrade FS soon.
> >> >>> >> >> > >
> >> >>> >> >> > >
> >> >>> >> >> > > Anthony
> >> >>> >> >> > >
> >> >>> >> >> > > > -----Original Message-----
> >> >>> >> >> > > > From: Dave Cahill [mailto:dcahill@midokura.jp]
> >> >>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
> >> >>> >> >> > > > To: cloudstack-dev@incubator.apache.org
> >> >>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >>> >> >> > > >
> >> >>> >> >> > > > Hi Manan,
> >> >>> >> >> > > >
> >> >>> >> >> > > > I'm interested in this feature - when (roughly) are you
> >> >>> >> >> > > > planning to commit this to master?
> >> >>> >> >> > > >
> >> >>> >> >> > > > Are you planning the full list of features from your
> >> >>> >> >> > > > requirements doc (including support for Advanced, Isolated
> >> >>> >> >> > > > networks) in 4.1?
> >> >>> >> >> > > >
> >> >>> >> >> > > > Thanks in advance,
> >> >>> >> >> > > > Dave.
> >> >>> >> >> > > >
> >> >>> >> >> > > >
> >> >>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.shah@citrix.com>
> >> >>> >> >> > > > wrote:
> >> >>> >> >> > > >
> >> >>> >> >> > > > > Yes, FS definitely needs updating. Please also look at the
> >> >>> >> >> > > > > "Future" section of Alena's FS.
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > Regards,
> >> >>> >> >> > > > > Manan Shah
> >> >>> >> >> > > > >
> >> >>> >> >> > > > >
> >> >>> >> >> > > > >
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam"
> >> >>> >> >> > > > > <prasanna.santhanam@citrix.com> wrote:
> >> >>> >> >> > > > >
> >> >>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
> >> >>> >> >> > > > > >> Hi Chip,
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to
> >> >>> >> >> > > > > >> initially support only the functionality that was
> >> >>> >> >> > > > > >> enabled in CS 2.2. She had created a section in her FS
> >> >>> >> >> > > > > >> that talked about Future release plans.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> My requirements page covers requirements for both, the
> >> >>> >> >> > > > > >> CS 2.2 use case as well as the broader use case.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >> Let me know if you have additional questions.
> >> >>> >> >> > > > > >>
> >> >>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you
> >> >>> >> >> > > > > >have listed support for XenServer and KVM. Guess the FS
> >> >>> >> >> > > > > >needs updating?
> >> >>> >> >> > > > > >
> >> >>> >> >> > > > > >--
> >> >>> >> >> > > > > >Prasanna.,
> >> >>> >> >> > > > >
> >> >>> >> >> > > > >
> >> >>> >> >> > > >
> >> >>> >> >> > > >
> >> >>> >> >> > > > --
> >> >>> >> >> > > > Thanks,
> >> >>> >> >> > > > Dave.
> >> >>> >> >> > >
> >> >>> >> >> >
> >> >>> >> >> >
> >> >>> >> >> >
> >> >>> >> >> > --
> >> >>> >> >> > Thanks,
> >> >>> >> >> > Dave.
> >> >>>
> >> >
> >> >
> >
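The thread contrasts the spec's VM-level association (SG rules apply to every NIC of the VM) with the ENI-style NIC-level association Chiradeep describes (eth0 in group Z, eth1 in group X), and Anthony's note that on upgrade each NIC would be associated with the same groups the instance had. The Python model below is an added example, not code from CloudStack or from any participant in the thread. It shows which groups govern ingress to a given NIC under each model, that the upgrade mapping preserves behaviour, and that only the NIC model lets an operator narrow exposure per NIC. The group names Z and X, their rules, the network names and the source addresses are constructed for the example, and the evaluation is a simplified default-deny rule match rather than CloudStack's actual host-side firewall programming.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One ingress rule: allow `protocol` to `port` from `source_cidr`."""
    protocol: str
    port: int
    source_cidr: str


@dataclass
class Nic:
    name: str
    network: str
    groups: set = field(default_factory=set)   # names of NIC-level SGs (ENI-style)


@dataclass
class Vm:
    name: str
    groups: set                                 # names of instance-level SGs (4.1 spec)
    nics: list


# Constructed sample groups (hypothetical, not from the thread): Z opens HTTP to
# anyone, X opens SSH only to a 10.0.0.0/8 management range.
GROUPS = {
    "Z": frozenset({Rule("tcp", 80, "0.0.0.0/0")}),
    "X": frozenset({Rule("tcp", 22, "10.0.0.0/8")}),
}


def effective_groups(vm, nic, model):
    """Return the SG names that guard traffic arriving on `nic`.

    "instance": the VM's groups apply to all of its NICs (the spec's 4.1 behaviour).
    "nic":      only the groups bound to this NIC apply (AWS ENI-style).
    """
    if model == "instance":
        return set(vm.groups)
    if model == "nic":
        return set(nic.groups)
    raise ValueError(f"unknown model {model!r}")


def ingress_allowed(vm, nic, model, protocol, port, src_ip):
    """Default-deny: allow only if some rule in an effective group matches."""
    src = ipaddress.ip_address(src_ip)
    for name in effective_groups(vm, nic, model):
        for rule in GROUPS[name]:
            if (rule.protocol == protocol and rule.port == port
                    and src in ipaddress.ip_network(rule.source_cidr)):
                return True
    return False


def upgrade_to_nic_model(vm):
    """Upgrade mapping from the thread: every NIC is associated with the same
    groups the instance had, so effective policy is unchanged by the upgrade."""
    for nic in vm.nics:
        nic.groups = set(vm.groups)
    vm.groups = set()
    return vm


def demo():
    """Walk one VM through instance model, upgrade, and per-NIC narrowing."""
    eth0 = Nic("eth0", "shared-public")     # constructed network names
    eth1 = Nic("eth1", "shared-mgmt")
    vm = Vm("web01", groups={"Z", "X"}, nics=[eth0, eth1])
    probe = ("tcp", 22, "10.1.2.3")         # SSH from the management range

    # Instance model: SSH from 10/8 is reachable on BOTH NICs, public one included.
    before = {n.name: ingress_allowed(vm, n, "instance", *probe) for n in vm.nics}

    # Upgrade: each NIC inherits {Z, X}; the answer does not change.
    upgrade_to_nic_model(vm)
    after_upgrade = {n.name: ingress_allowed(vm, n, "nic", *probe) for n in vm.nics}

    # NIC model lets the operator keep SSH off the public-facing NIC.
    eth0.groups = {"Z"}
    eth1.groups = {"X"}
    narrowed = {n.name: ingress_allowed(vm, n, "nic", *probe) for n in vm.nics}
    return before, after_upgrade, narrowed


if __name__ == "__main__":
    print(demo())
```

The middle result of `demo()` is the point of the upgrade mapping: moving the instance's groups onto each NIC is a no-op for traffic, which is what allows the instance-based association to be dropped without a behaviour change. The last result shows what the instance model cannot express: a rule meant for the management NIC no longer opens the same port on the public NIC.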

