deltacloud-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sang-Min Park <sang-min.p...@eucalyptus.com>
Subject Re: firewall support for ec2 instances
Date Tue, 28 Jun 2011 23:24:50 GMT
Sorry marios for my late response. What I meant was not that Eucalyptus
driver supports firewall now, but the issue is there for me to implement it.
Thanks for pointing out that AWS still has the old code. I'll use that old
methods to implement firewalls against Eucalyptus. It will be uglier than
your code though (multiple AWS invocation as you imagine).

-- SM


On Sun, Jun 26, 2011 at 11:06 PM, marios@redhat.com <mandreou@redhat.com>wrote:

> Hi Sang-Min,
>
>
> On 25/06/11 15:49, Sang-Min Park wrote:
>
>> FYI, I looked at the firewall implementation and found that there's an
>> issue
>> with Eucalyptus driver.
>>
>
> I was confused at first by what you meant as looking at Euca driver there's
> no mention of firewalls yet (besides the declaration of 'feature :instances,
> :firewalls')
>
>
>  Eucalyptus supports the old parameter convention in
>> '**AuthorizeSecurityGroupIngress' action. I'll try if I can patch AWS to
>> generate the old parameters as well as the new one.
>>
>
> OK: you shouldn't need to patch aws at all - my additions to aws added the
> new 'manage_security_group_**ingress' method, BUT did not remove any of
> the old code. I'm not sure if thats what you meant by 'generate the old
> parameters as well as the new one' but if you mean that your Euca setup (or
> Euca in general) relies on the old appoxy/aws interface then your existing
> code should be fine - appoxy/aws gem has not removed any of those earlier
> methods:
>
> 1.  authorize_security_group_**named_ingress
> 2.  revoke_security_group_named_**ingress
> 3.  authorize_security_group_IP_**ingress
> 4.  revoke_security_group_IP_**ingress
>
> That being said, here's why I implemented the new 'manage_security_groups'
> method in the appoxy/aws gem: (https://github.com/appoxy/**aws/pull/91<https://github.com/appoxy/aws/pull/91>):
> methods 1/2 above don't allow you to specify fine-grained control over group
> access - i.e. you can specify which groups to authorize, but not which
> protocols/ports to allow for those groups. Also, 3/4 only allow you to
> specify a single IP range at a time - thus if a given firewall rule has a
> large number of address ranges then this operation will need to be done for
> each of those. Similarly, you can't specify both groups AND IP addresses in
> a single call (thus defining an entire firewall rule with a single call).
>
> The earlier implementations of appoxy/aws were based on the 2009 version of
> AWS API http://docs.amazonwebservices.**com/AWSEC2/2009-07-15/**
> APIReference/ApiReference-**query-**AuthorizeSecurityGroupIngress.**html<http://docs.amazonwebservices.com/AWSEC2/2009-07-15/APIReference/ApiReference-query-AuthorizeSecurityGroupIngress.html>.
In the latest version of API, you can specify a number of IP addresses, or
> groups, or mix of both, for which the specified rule will apply. You can now
> also specify 'from_port' 'to_port' and 'protocol' for ingress groups in a
> rule,
>
> marios
>
>
>
>
>
>
>> Sang-min
>>
>>
>>
>> On Fri, Jun 17, 2011 at 8:06 AM,<marios@redhat.com>  wrote:
>>
>>
>>> This patch uses the new 'Firewalls' collection (I pushed that to trunk
>>> today).
>>> The create_instance operation for the ec2 driver takes an array of
>>> firewall
>>> names
>>> for the instance to be 'launched into'. Patch includes:
>>>
>>> * necessary modifications to server.rb
>>> * addition of 'firewalls' to the Instance model
>>> * modification of the haml views: html for the create operation, html/xml
>>> for showing
>>>  firewalls when inspecting a given instance.
>>>
>>> If you aren't using the html interface to create an instance, you can
>>> specify
>>> firewalls using form input : 'firewall#=name' where '#' is any digit.
>>>  For
>>> example:
>>>
>>> curl -F 'image_id=ami-48aa4921' -F 'firewalls1=default' -F
>>> 'firewalls2=test'
>>>  --user 'ec2_key:ec2_password'
>>> http://localhost:3001/api/**instances?format=xml<http://localhost:3001/api/instances?format=xml>
>>>
>>> will create an instance from ami-48aa4921 and place it into firewalls
>>> 'default'
>>> and 'test'. EC2 does not support 'moving' an instance between firewalls
>>> once it's
>>> launched so this functionality was not implemented
>>> (http://aws.amazon.com/**articles/1145?_encoding=UTF8&**
>>> jiveRedirect=1#13<http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedirect=1#13>
>>> )
>>>
>>> marios
>>>
>>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message