incubator-cloudstack-dev mailing list archives

From <kdam...@apache.org>
Subject RE: [DISCUSS] Security Groups Isolation in Advanced Zone
Date Thu, 17 Jan 2013 01:35:15 GMT
So the VM will determine its own participation level. A VM can have
networks with SG and without at the same time. If that's the case this
feature proposal just got more awesome!

-kd


>-----Original Message-----
>From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>Sent: Wednesday, January 16, 2013 5:21 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>
>Correct,
>there are several types of guest shared network:
>Zone-wide guest shared network
>Domain-wide guest shared network
>Account-specific guest shared network
>
>One VM can be on multiple networks,
>SG is on VM level, means SG will be applied to all NICs of this VM.
>
>
>Cheers,
>Anthony
>
>> -----Original Message-----
>> From: Kelcey Damage (BT) [mailto:kelcey@backbonetechnology.com] On
>> Behalf Of kdamage@apache.org
>> Sent: Wednesday, January 16, 2013 5:17 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>
>> Got it,
>>
>> So we are still only talking about SG on advanced shared networks.
>>
>> Thanks.
>>
>>
>> -kd
>>
>>
>> >-----Original Message-----
>> >From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>> >Sent: Wednesday, January 16, 2013 5:11 PM
>> >To: cloudstack-dev@incubator.apache.org
>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >
>> >In this spec, security group is only supported in shared guest network, we
>> >might add isolated guest network support later. I have a concern about this,
>> >normally there is firewall for isolated network, if security group is added to
>> >isolated network, that means if user wants to allow some kind of ingress traffic,
>> >he might need to program both security group and firewall, it might
>> >be inconvenient for user.
>> >
>> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not supported
>> >due to the similar reason of isolated guest network, user might need to
>> >handle ACL and security group at the same time.
>> >
>> >
>> >Anthony
>> >
>> >
>> >> -----Original Message-----
>> >> From: Kelcey Damage (BT) [mailto:kelcey@backbonetechnology.com]
>> >> Sent: Wednesday, January 16, 2013 4:55 PM
>> >> To: cloudstack-dev@incubator.apache.org
>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>
>> >> So to catch myself up, this will allow functional security group
>> >> isolation/ACLs on both 'shared' and 'isolated' networks?
>> >>
>> >> -kd
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturvedi@citrix.com]
>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
>> >> >To: cloudstack-dev@incubator.apache.org
>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >
>> >> >Folks please pass on comments if any, otherwise it is assumed that the spec is
>> >> >approved by the community
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
>> >> >> Sent: Friday, January 11, 2013 3:53 PM
>> >> >> To: cloudstack-dev@incubator.apache.org
>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >>
>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>> >> >>
>> >> >> This is upgraded spec,
>> >> >> Compared to original one, following are major changes
>> >> >>
>> >> >> 1.  SG enabled is zone wide parameter, if this zone is SG enabled, all
>> >> >> guest networks in this zone must be SG enabled.
>> >> >> 2.  support all shared network types, includes zone-wide shared
>> >> >> network, domain-wide shared networks and account-specific shared
>> >> >> networks
>> >> >> 3.  support multiple SG enabled networks in one SG enabled zone.
>> >> >> 4.  VM can be on multiple SG enabled networks
>> >> >> 5.  SG rules apply to all NICs for a VM
>> >> >> 6.  support both KVM and XenServer.
>> >> >>
>> >> >> Comments, question, suggestion and flame are welcome!
>> >> >>
>> >> >>
>> >> >> Thanks,
>> >> >> Anthony
>> >> >>
>> >> >>
>> >> >> > -----Original Message-----
>> >> >> > From: Dave Cahill [mailto:dcahill@midokura.jp]
>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
>> >> >> > To: cloudstack-dev@incubator.apache.org
>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >> >
>> >> >> > Hi Anthony,
>> >> >> >
>> >> >> > Understood - thanks for the update.
>> >> >> >
>> >> >> > Dave.
>> >> >> >
>> >> >> >
>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu
>> >> >> > <Xuefei.Xu@citrix.com>
>> >> >> > wrote:
>> >> >> >
>> >> >> > > Hi Dave,
>> >> >> > >
>> >> >> > > For 4.1, this feature is only for shared network on advanced zone, both
>> >> >> > > XenServer and KVM are supported.
>> >> >> > > Will upgrade FS soon.
>> >> >> > >
>> >> >> > >
>> >> >> > > Anthony
>> >> >> > >
>> >> >> > > > -----Original Message-----
>> >> >> > > > From: Dave Cahill [mailto:dcahill@midokura.jp]
>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
>> >> >> > > > To: cloudstack-dev@incubator.apache.org
>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >> > > >
>> >> >> > > > Hi Manan,
>> >> >> > > >
>> >> >> > > > I'm interested in this feature - when (roughly) are you planning
>> >> >> > > > to commit this to master?
>> >> >> > > >
>> >> >> > > > Are you planning the full list of features from your requirements doc
>> >> >> > > > (including support for Advanced, Isolated networks) in 4.1?
>> >> >> > > >
>> >> >> > > > Thanks in advance,
>> >> >> > > > Dave.
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah
>> >> >> > > > <manan.shah@citrix.com>
>> >> >> > > > wrote:
>> >> >> > > >
>> >> >> > > > > Yes, FS definitely needs updating. Please also look at the "Future"
>> >> >> > > > > section of Alena's FS.
>> >> >> > > > >
>> >> >> > > > > Regards,
>> >> >> > > > > Manan Shah
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santhanam@citrix.com>
>> >> >> > > > > wrote:
>> >> >> > > > >
>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
>> >> >> > > > > >> Hi Chip,
>> >> >> > > > > >>
>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially support only
>> >> >> > > > > >> the functionality that was enabled in CS 2.2. She had created a section in
>> >> >> > > > > >> her FS that talked about Future release plans.
>> >> >> > > > > >>
>> >> >> > > > > >> My requirements page covers requirements for both, the CS 2.2 use case as
>> >> >> > > > > >> well as the broader use case.
>> >> >> > > > > >>
>> >> >> > > > > >> Let me know if you have additional questions.
>> >> >> > > > > >>
>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have listed
>> >> >> > > > > >support for XenServer and KVM. Guess the FS needs updating?
>> >> >> > > > > >
>> >> >> > > > > >--
>> >> >> > > > > >Prasanna.,
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > --
>> >> >> > > > Thanks,
>> >> >> > > > Dave.
>> >> >> > >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Thanks,
>> >> >> > Dave.
>>


