From: Murali Reddy
To: "cloudstack-dev@incubator.apache.org"
CC: Anthony Xu
Date: Thu, 15 Nov 2012 12:24:48 +0530
Subject: Re: Security Group support in Advance zone

Alena,

I have a couple of queries on the requirements listed in the spec.

- "Shared Zone Wide SG Enabled Guest network is required in Advance SG enabled zone as CPVM/SSVM are using it."

  I am not clear why CPVM/SSVM will use the shared guest network with SG.

- "No Isolated networks can be added to the Advance SG enabled zone. No Shared Domain wide networks are allowed either."

  Does this mean there will be only one shared network in the entire SG enabled zone? You mentioned relaxing some of these restrictions as future release plans, but I was wondering why such stringent restrictions. Will overlapping CIDRs of multiple isolated networks conflict with the security groups functionality at hypervisor level?

Thanks,
Murali

On 14/11/12 12:17 AM, "Alena Prokharchyk" wrote:

>In 2.2.x version of the CloudStack we provided support for Security Groups
>in Advance zone. The feature was temporarily disabled in released versions
>of 3.0.x branch due to lack of dev and test resources needed to
>accommodate the feature to the new NaaS framework.
>
>
>Disabling the feature made an upgrade for existing 2.2.x customers using
>this network model impossible. We are going to re-enable the feature in
>the next CS release with all the limitations accompanying it in 2.2.x
>branch.
>
>Here is the functional specification:
>
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>
>
>
>It reflects:
>
>* current behavior model
>* feature limitations
>* upgrade path
>* feature enhancements plan
>
>
>Please review and point out if there are any inconsistencies/unclearness
>in the spec.
>
>Anthony Xu will be the key developer for Java + Scripting part; UI
>developers haven't been assigned to the feature yet.
>
>-Alena.