incubator-cloudstack-dev mailing list archives

From Angeline Shen <Angeline.S...@citrix.com>
Subject RE: [DISCUSS] Security Groups Isolation in Advanced Zone
Date Mon, 21 Jan 2013 03:19:44 GMT
Cloudstack-dev Community:

Test plan for FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone is

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone+Test+Plan

Your comments, questions are greatly appreciated.

Thank you.


-----Original Message-----
From: Anthony Xu [mailto:Xuefei.Xu@citrix.com] 
Sent: Wednesday, January 16, 2013 5:11 PM
To: cloudstack-dev@incubator.apache.org
Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone

In this spec, security group is only supported in shared guest network, we might add isolated
guest network support later. I have a concern about this, normally there is a firewall for isolated
network, if security group is added to isolated network, that means if user wants to allow
some kind of ingress traffic, he might need to program both security group and firewall, it
might be inconvenient for user.

As for ACL, are you referring to ACL in VPC? In this spec, VPC is not supported due to the
similar reason of isolated guest network, user might need to handle ACL and security group
at the same time.


Anthony


> -----Original Message-----
> From: Kelcey Damage (BT) [mailto:kelcey@backbonetechnology.com]
> Sent: Wednesday, January 16, 2013 4:55 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> 
> So to catch myself up, this will allow functional security group 
> isolation/ACLs on both 'shared' and 'isolated' networks?
> 
> -kd
> 
> 
> >-----Original Message-----
> >From: Animesh Chaturvedi [mailto:animesh.chaturvedi@citrix.com]
> >Sent: Wednesday, January 16, 2013 1:36 PM
> >To: cloudstack-dev@incubator.apache.org
> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >
> >Folks please pass on comments if any, otherwise it is assumed that the spec is
> >approved by the community
> >
> >> -----Original Message-----
> >> From: Anthony Xu [mailto:Xuefei.Xu@citrix.com]
> >> Sent: Friday, January 11, 2013 3:53 PM
> >> To: cloudstack-dev@incubator.apache.org
> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
> >>
> >>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
> >>
> >>
> >> This is upgraded spec,
> >> Compared to original one, following are major changes
> >>
> >> 1.  SG enabled is zone wide parameter, if this zone is SG enabled, all
> >>     guest networks in this zone must be SG enabled.
> >> 2.  support all shared network types, includes zone-wide shared
> >>     network, domain-wide shared networks and account-specific shared
> >>     networks
> >> 3.  support multiple SG enabled networks in one SG enabled zone.
> >> 4.  VM can be on multiple SG enabled networks
> >> 5.  SG rules apply to all NICs for a VM
> >> 6.  support both KVM and XenServer.
> >>
> >> Comments, question, suggestion and flame are welcome!
> >>
> >>
> >> Thanks,
> >> Anthony
> >>
> >>
> >> > -----Original Message-----
> >> > From: Dave Cahill [mailto:dcahill@midokura.jp]
> >> > Sent: Thursday, January 10, 2013 5:29 PM
> >> > To: cloudstack-dev@incubator.apache.org
> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> >
> >> > Hi Anthony,
> >> >
> >> > Understood - thanks for the update.
> >> >
> >> > Dave.
> >> >
> >> >
> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu 
> >> > <Xuefei.Xu@citrix.com>
> >> > wrote:
> >> >
> >> > > Hi Dave,
> >> > >
> >> > > For 4.1, this feature is only for shared network on advanced zone, both
> >> > > XenServer and KVM are supported.
> >> > > Will upgrade FS soon.
> >> > >
> >> > >
> >> > > Anthony
> >> > >
> >> > > > -----Original Message-----
> >> > > > From: Dave Cahill [mailto:dcahill@midokura.jp]
> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
> >> > > > To: cloudstack-dev@incubator.apache.org
> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
> >> > > >
> >> > > > Hi Manan,
> >> > > >
> >> > > > I'm interested in this feature - when (roughly) are you planning
> >> > > > to commit this to master?
> >> > > >
> >> > > > Are you planning the full list of features from your requirements doc
> >> > > > (including support for Advanced, Isolated networks) in 4.1?
> >> > > >
> >> > > > Thanks in advance,
> >> > > > Dave.
> >> > > >
> >> > > >
> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah 
> >> > > > <manan.shah@citrix.com>
> >> > > > wrote:
> >> > > >
> >> > > > > Yes, FS definitely needs updating. Please also look at the "Future"
> >> > > > > section of Alena's FS.
> >> > > > >
> >> > > > > Regards,
> >> > > > > Manan Shah
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santhanam@citrix.com>
> >> > > > > wrote:
> >> > > > >
> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
> >> > > > > >> Hi Chip,
> >> > > > > >>
> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially support only
> >> > > > > >> the functionality that was enabled in CS 2.2. She had created a section in
> >> > > > > >> her FS that talked about Future release plans.
> >> > > > > >>
> >> > > > > >> My requirements page covers requirements for both, the CS 2.2 use case as
> >> > > > > >> well as the broader use case.
> >> > > > > >>
> >> > > > > >> Let me know if you have additional questions.
> >> > > > > >>
> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have listed
> >> > > > > >support for XenServer and KVM. Guess the FS needs updating?
> >> > > > > >
> >> > > > > >--
> >> > > > > >Prasanna.,
> >> > > > >
> >> > > > >
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Thanks,
> >> > > > Dave.
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Thanks,
> >> > Dave.

