incubator-cloudstack-dev mailing list archives

From Clayton Weise <cwe...@iswest.net>
Subject RE: domr iptables rules
Date Thu, 10 May 2012 22:27:32 GMT
So in this case are your app servers reaching the database servers via their public or private
addresses?

-----Original Message-----
From: Abhinandan Prateek [mailto:Abhinandan.Prateek@citrix.com] 
Sent: Thursday, May 10, 2012 9:05 AM
To: cloudstack-dev@incubator.apache.org
Subject: RE: domr iptables rules

Why not a set of VMs running app server load balanced using VR.
A VM running db (or probably a set of VMs running db in master-slave conf) with no external
access but only via the app server VMs.
I guess this is what you want?

-Abhi 

>-----Original Message-----
>From: Clayton Weise [mailto:cweise@iswest.net]
>Sent: Thursday, May 10, 2012 9:00 PM
>To: 'cloudstack-dev@incubator.apache.org'
>Subject: RE: domr iptables rules
>
>It's something I have been toying with.  Basically it's a standard app/db setup
>where the app servers would reside in a dmz and the db servers would sit in a
>trusted network.  We need to limit the traffic going between the app and the
>db servers in advanced networking.  So currently the db and app servers have
>their own separate networks (vlans) and their own virtual routers.  I was
>thinking of different ways to limit the traffic from app to db to be permitted
>on specific ports.
>
>-----Original Message-----
>From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>Sent: Wednesday, May 09, 2012 4:33 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: domr iptables rules
>
>It is better to do it through the API. CloudStack already provides several APIs
>for customers to add ACLs for the customer network. What kind of rules do you
>want to add? Can you do it through the current API? Or what kind of API would
>you like to add?
>
>Anthony
>
>> -----Original Message-----
>> From: Clayton Weise [mailto:cweise@iswest.net]
>> Sent: Wednesday, May 09, 2012 4:26 PM
>> To: 'cloudstack-dev@incubator.apache.org'
>> Subject: RE: domr iptables rules
>>
>> As a dirty hack would it be possible to create an init script which
>> added these custom rules when the domr boots?
>>
>> -----Original Message-----
>> From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>> Sent: Wednesday, May 09, 2012 12:21 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: RE: domr iptables rules
>>
>> Iptables rules are not persistent inside domr; CloudStack sends commands
>> to domr to generate rules on demand.
>> So if you reboot domr, some rules may not come back. But if you reboot
>> domr through the CloudStack UI, all rules should come back; CloudStack
>> will send commands to program the rules again.
>>
>>
>> Anthony
>>
>>
>> > -----Original Message-----
>> > From: Clayton Weise [mailto:cweise@iswest.net]
>> > Sent: Wednesday, May 09, 2012 10:09 AM
>> > To: 'cloudstack-dev@incubator.apache.org'
>> > Subject: domr iptables rules
>> >
>> > Where are these kept?  After rebooting a virtual router not all of the
>> > firewall rules came back.  Also, I wanted to manually add a few things
>> > and I was curious where I could do it and have those rules retained
>> > when the domr reboots.
>> >
>> > Thanks
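
Added example, not part of the thread and not CloudStack code: the thread reports that not all firewall rules came back after a virtual router reboot, so this script compares an iptables-save dump taken before the reboot with one taken after and lists the rules that went missing. The function names and the addresses and rules in the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: report rules from a saved baseline that are absent after a reboot.
# Inputs are iptables-save dumps; the sample dumps in demo() are constructed.
LC_ALL=C; export LC_ALL

# Reduce a dump to one "<table> <rule>" line per rule, without counters.
normalize_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" starts a table
        { sub(/^\[[0-9]+:[0-9]+\] /, "") }      # counters from iptables-save -c
        /^-A / { print table " " $0 }           # keep rule lines only
    ' "$1" | sort -u
}

# Print rules present in the baseline ($1) but missing from the current dump ($2).
missing_rules() {
    tmpdir=$(mktemp -d) || return 1
    normalize_rules "$1" > "$tmpdir/base"
    normalize_rules "$2" > "$tmpdir/cur"
    comm -23 "$tmpdir/base" "$tmpdir/cur"
    rm -rf "$tmpdir"
}

# Constructed before/after dumps: the DNAT rule and the app-to-db port rule vanish.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/before" <<'EOF'
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.20:443
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -d 10.1.2.5/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
EOF
    cat > "$d/after" <<'EOF'
*nat
COMMIT
*filter
:FORWARD DROP [0:0]
[12:720] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    missing_rules "$d/before" "$d/after"
    rm -rf "$d"
}

demo
```

Rules are keyed by table and rule text, so a rule that only moved position within its chain is not reported as missing.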
