incubator-cloudstack-dev mailing list archives

From Chiradeep Vittal <Chiradeep.Vit...@citrix.com>
Subject Re: [VOTE] Accept a donation of SRX&F5 inline mode support in CloudStack from Citrix
Date Wed, 16 Jan 2013 21:20:02 GMT
+1 (binding)

On 1/16/13 11:59 AM, "Pranav Saxena" <pranav.saxena@citrix.com> wrote:

>+1 
>
>-----Original Message-----
>From: Sudha Ponnaganti [mailto:sudha.ponnaganti@citrix.com]
>Sent: Thursday, January 17, 2013 12:59 AM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: [VOTE] Accept a donation of SRX&F5 inline mode support in
>CloudStack from Citrix
>
>+1
>
>-----Original Message-----
>From: Animesh Chaturvedi [mailto:animesh.chaturvedi@citrix.com]
>Sent: Wednesday, January 16, 2013 10:53 AM
>To: cloudstack-dev@incubator.apache.org
>Subject: [VOTE] Accept a donation of SRX&F5 inline mode support in
>CloudStack from Citrix
>
>Reposting with subject line VOTE
>
>Committers have binding votes for this decision.
>
>Please respond with your vote:
>+1 - Accept the donation and begin the process of bringing this
>enhancement to CloudStack in via the IP clearance process
>+0 - Don't care
>-1 - Do not accept the donation
>
>This vote will remain open for ~72 hours.
>
>
>> -----Original Message-----
>> From: Sheng Yang [mailto:sheng@yasker.org]
>> Sent: Tuesday, January 15, 2013 5:54 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: [IP Clearance] CLOUDSTACK-306 SRX&F5 inline mode
>> 
>> Hi,
>> 
>> I'd like to start the process of IP Clearance for CLOUDSTACK-306:
>> SRX&F5 inline mode support.
>> 
>> Citrix would like to donate this code to Apache Cloudstack.
>> 
>> This feature extended the support for external network devices for
>> Cloudstack.
>> 
>> In the Cloudstack 4.0 release, it's only able to work with SRX and F5
>> in side-by-side mode, which means all the traffic going through the F5
>> load balancer would bypass the SRX firewall, and F5 would face the
>> public network directly. Cloudstack 4.0 still has some obsolete code
>> to deal with inline mode dating back to the 2.2.x era, but it's not
>> functional after the NaaS work in the 3.0 release.
>> 
>> After reintroducing this feature, SRX is able to work as the
>> firewall for the whole guest network (isolated network), including F5.
>> All load balancing traffic must go through SRX in order to reach F5.
>> 
>> In order to support inline mode, in the first patch, I had
>> re-implemented the firewall part of SRX to make it able to filter based
>> on the public IP we're using to identify the traffic, using the firewall
>> filter of SRX.
>> 
>> In the second patch, I've investigated the possibility of using one F5
>> instance in side-by-side mode and inline mode at the same time, and
>> found it doable. So I made "inline" a parameter for the network offering,
>> not an option for the device (e.g. F5).
>> 
>> And I have reimplemented the inline mode feature in the third patch.
>> 
>> The whole patchset mostly deals with external-device-related files,
>> e.g. JuniperSrxResource.java, ExternalFirewallDeviceManagerImpl.java,
>> F5BigIpResource.java, ExternalLoadBalancerDeviceManagerImpl.java.
>> There is also some refactoring work regarding NetworkManagerImpl.java.
>> 
>> The patchset is at:
>> http://people.apache.org/~yasker/
>> 
>> Since there are three patches, I've checksummed and signed the tarball.
>> 
>> The related Jira ticket at:
>> https://issues.apache.org/jira/browse/CLOUDSTACK-306
>> 
>> The function spec is at:
>> https://cwiki.apache.org/CLOUDSTACK/network-inline-mode-functional-spec.html
>> 
>> The previous discussion happened on:
>> http://markmail.org/message/jnpl5b7b6cqqmrui
>> 
>> There was no objection to this feature at the time of discussion.
>> 
>> Thank you!
>> 
>> --Sheng

