incubator-deltacloud-dev mailing list archives

From "marios@redhat.com" <mandr...@redhat.com>
Subject Re: firewall support for ec2 instances
Date Mon, 27 Jun 2011 06:06:31 GMT
Hi Sang-Min,

On 25/06/11 15:49, Sang-Min Park wrote:
> FYI, I looked at the firewall implementation and found that there's an issue
> with Eucalyptus driver.

I was confused at first by what you meant, as looking at the Euca driver 
there's no mention of firewalls yet (besides the declaration of 'feature 
:instances, :firewalls').

> Eucalyptus supports the old parameter convention in
> 'AuthorizeSecurityGroupIngress' action. I'll try if I can patch AWS to
> generate the old parameters as well as the new one.

OK: you shouldn't need to patch aws at all - my additions to aws added 
the new 'manage_security_group_ingress' method, BUT did not remove any 
of the old code. I'm not sure if that's what you meant by 'generate the 
old parameters as well as the new one', but if you mean that your Euca 
setup (or Euca in general) relies on the old appoxy/aws interface then 
your existing code should be fine - the appoxy/aws gem has not removed any 
of those earlier methods:

1.  authorize_security_group_named_ingress
2.  revoke_security_group_named_ingress
3.  authorize_security_group_IP_ingress
4.  revoke_security_group_IP_ingress

That being said, here's why I implemented the new 
'manage_security_groups' method in the appoxy/aws gem: 
(https://github.com/appoxy/aws/pull/91): methods 1/2 above don't allow 
you to specify fine-grained control over group access - i.e. you can 
specify which groups to authorize, but not which protocols/ports to 
allow for those groups. Also, 3/4 only allow you to specify a single IP 
range at a time - thus if a given firewall rule has a large number of 
address ranges then this operation will need to be done for each of 
those. Similarly, you can't specify both groups AND IP addresses in a 
single call (thus defining an entire firewall rule with a single call).

The earlier implementations of appoxy/aws were based on the 2009 version 
of the AWS API 
(http://docs.amazonwebservices.com/AWSEC2/2009-07-15/APIReference/ApiReference-query-AuthorizeSecurityGroupIngress.html). 
In the latest version of the API, you can specify a number of IP 
addresses, or groups, or a mix of both, for which the specified rule will 
apply. You can now also specify 'from_port', 'to_port' and 'protocol' for 
ingress groups in a rule.

marios




>
> Sang-min
>
>
>
> On Fri, Jun 17, 2011 at 8:06 AM,<marios@redhat.com>  wrote:
>
>>
>> This patch uses the new 'Firewalls' collection (I pushed that to trunk
>> today).
>> The create_instance operation for the ec2 driver takes an array of firewall
>> names
>> for the instance to be 'launched into'. Patch includes:
>>
>> * necessary modifications to server.rb
>> * addition of 'firewalls' to the Instance model
>> * modification of the haml views: html for the create operation, html/xml
>> for showing
>>   firewalls when inspecting a given instance.
>>
>> If you aren't using the html interface to create an instance, you can
>> specify
>> firewalls using form input : 'firewall#=name' where '#' is any digit.  For
>> example:
>>
>> curl -F 'image_id=ami-48aa4921' -F 'firewalls1=default' -F 'firewalls2=test' \
>>   --user 'ec2_key:ec2_password' http://localhost:3001/api/instances?format=xml
>>
>> will create an instance from ami-48aa4921 and place it into firewalls
>> 'default'
>> and 'test'. EC2 does not support 'moving' an instance between firewalls
>> once it's
>> launched so this functionality was not implemented
>> (http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedirect=1#13)
>>
>> marios
>>
>
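To make the difference between the two AuthorizeSecurityGroupIngress conventions concrete, here is an added Ruby example (not code from Deltacloud or from the appoxy/aws gem) that builds the EC2 Query API parameters for one firewall rule both ways. The rule, the group name 'default', the CIDR ranges and the account id are constructed sample values. The parameter names (IpPermissions.n.*, CidrIp, SourceSecurityGroupName, SourceSecurityGroupOwnerId) are written from memory of the EC2 Query API reference and should be checked against the API version your endpoint (AWS or Eucalyptus) actually speaks.

```ruby
# Added example, not Deltacloud or appoxy/aws code: emit the EC2 Query API
# parameters for AuthorizeSecurityGroupIngress under the newer convention
# (several IP ranges and groups, each with protocol/ports, in one call) and
# under the 2009-era convention (one call per IP range; group sources carry
# no protocol/port at all). Parameter spellings are an assumption to verify
# against the API reference for the version in use.

# Constructed sample rule: SSH from three ranges and two source groups.
EXAMPLE_RULE = {
  protocol: 'tcp',
  from_port: 22,
  to_port: 22,
  ip_ranges: ['10.0.0.0/8', '192.168.1.0/24', '203.0.113.0/24'], # sample values
  groups: [{ name: 'web', owner: '111122223333' },              # sample values
           { name: 'monitoring', owner: '111122223333' }]
}.freeze

# Newer convention: the whole rule travels in a single request, indexed as
# IpPermissions.1.* with nested IpRanges.m.* and Groups.m.* lists.
def new_style_params(group_name, rule)
  params = { 'Action' => 'AuthorizeSecurityGroupIngress', 'GroupName' => group_name }
  prefix = 'IpPermissions.1'
  params["#{prefix}.IpProtocol"] = rule[:protocol]
  params["#{prefix}.FromPort"]   = rule[:from_port].to_s
  params["#{prefix}.ToPort"]     = rule[:to_port].to_s
  rule[:ip_ranges].each_with_index do |cidr, i|
    params["#{prefix}.IpRanges.#{i + 1}.CidrIp"] = cidr
  end
  rule[:groups].each_with_index do |g, i|
    params["#{prefix}.Groups.#{i + 1}.GroupName"] = g[:name]
    params["#{prefix}.Groups.#{i + 1}.UserId"]    = g[:owner]
  end
  params
end

# Older convention: one request per CIDR range (protocol/ports allowed) plus
# one request per source group, which cannot carry protocol/ports. This is
# the granularity loss and the per-range round trips the thread describes.
def old_style_requests(group_name, rule)
  base = { 'Action' => 'AuthorizeSecurityGroupIngress', 'GroupName' => group_name }
  ip_calls = rule[:ip_ranges].map do |cidr|
    base.merge('IpProtocol' => rule[:protocol],
               'FromPort'   => rule[:from_port].to_s,
               'ToPort'     => rule[:to_port].to_s,
               'CidrIp'     => cidr)
  end
  group_calls = rule[:groups].map do |g|
    base.merge('SourceSecurityGroupName'    => g[:name],
               'SourceSecurityGroupOwnerId' => g[:owner])
  end
  ip_calls + group_calls
end

# Number of API round trips each convention needs for the same rule.
def request_count(group_name, rule)
  { new: 1, old: old_style_requests(group_name, rule).length }
end

if __FILE__ == $PROGRAM_NAME
  p new_style_params('default', EXAMPLE_RULE)
  p request_count('default', EXAMPLE_RULE) # one request new style, five old style
end
```

The old-style group requests are the ones to watch when auditing a rule set: because they carry no protocol or port, a group-to-group authorization made that way opens all traffic between the groups, whereas the same rule expressed with IpPermissions.n.Groups.m.* stays limited to the ports the rule names.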

