Posted to dev@cloudstack.apache.org by "Mills, Joseph" <jo...@midokura.jp> on 2013/02/15 04:02:06 UTC

Security Groups in Advanced Zone - Plugin Support

I was looking at the FS for Security Group Isolation in Advanced Zone,
(CLOUDSTACK-737) and I noticed that:

"Only one network service provider is supported in advanced SG enabled zone
- Virtual Router"

Are there currently any plans to add pluggability support for Security
Groups in 4.2, and if so, is any timeline estimate available? As far as we
know, all other Services are pluggable, and we would like to support
Security Group Isolation as well.

Thanks,
Joe

Re: Security Groups in Advanced Zone - Plugin Support

Posted by Dave Cahill <dc...@midokura.com>.
Hi Chiradeep and Anthony,

Thanks for the feedback, that clarifies the scope of the 4.2 Security
Groups work nicely, especially around pluggability and supported network
models.

Thanks,
Dave.

On Fri, Mar 8, 2013 at 10:56 AM, Anthony Xu <Xu...@citrix.com> wrote:


RE: Security Groups in Advanced Zone - Plugin Support

Posted by Anthony Xu <Xu...@citrix.com>.
> >Lastly we wanted to understand timelines. The last comment on
> >CLOUDSTACK-737 shows the feature being reverted, so we were wondering
> >when it's aimed for master, and also to understand when Security
> >Groups on Advanced Isolated mode is scheduled to hit master.
> 
> As I said, there's hypervisor-level issues being sorted out. I'll let
> Anthony reply on that one.
>

CLOUDSTACK-737 has a limited version; it only supports one shared SG-enabled network.

I'll update the FS to describe what we will do for 4.2.

Below is a summary of what I have in mind:
- SG is an option in the network offering, not a flag at the Zone level; SG could be added to an existing zone.
- SG can only be added to a shared network (zone-wide, domain-wide, ...).
- SG will move from the VM level to the NIC level: a VM can have two NICs on two shared networks, and each NIC can be associated with different SGs.
- SG cannot be added to an isolated network or a VPC network; a firewall or ACL could provide a similar function.
- SG can coexist with an external device in a shared network.
- Supports XS and KVM.
- For an existing zone, if the user wants to add SG to this zone, the user needs to change the XS network mode from OVS mode to bridge mode, because iptables doesn't work with OVS.



Thanks,
Anthony

> -----Original Message-----
> From: Chiradeep Vittal
> Sent: Thursday, March 07, 2013 3:18 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Anthony Xu
> Subject: Re: Security Groups in Advanced Zone - Plugin Support
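
The NIC-level model Anthony sketches above (one VM, two NICs on two shared networks, each NIC carrying its own SGs, enforced with iptables on a Linux bridge rather than OVS), rendered as an added Python example. This is not CloudStack's agent code: the class names, chain names, the `vnetN` device names and all addresses are constructed for illustration, and it assumes bridged frames reach netfilter (the `net.bridge.bridge-nf-call-iptables` sysctl enabled), which is the property the thread says OVS mode lacks.

```python
# Added example (not CloudStack code): per-NIC security groups rendered as
# iptables rules for a KVM host, plus a small simulator of the chain's verdict.
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class IngressRule:
    proto: str   # "tcp", "udp" or "icmp"
    start: int   # first port (tcp/udp) or ICMP type (icmp, -1 = any)
    end: int     # last port (tcp/udp) or ICMP code (icmp, -1 = any)
    cidr: str    # source range permitted by this rule


@dataclass
class SecurityGroup:
    name: str
    ingress: List[IngressRule] = field(default_factory=list)


@dataclass
class Nic:
    vif: str                     # hypothetical host-side tap device on the shared network's bridge
    ip: str
    groups: List[SecurityGroup]  # SGs hang off the NIC, not the VM


def chain_name(nic: Nic) -> str:
    return f"sg-{nic.vif}"


def render_nic_rules(nic: Nic) -> List[str]:
    """iptables commands that enforce one NIC's security groups on the host."""
    chain = chain_name(nic)
    cmds = [
        f"iptables -N {chain}",
        # Return traffic for connections the VM opened is matched by conntrack.
        # This stateful step needs bridged traffic to reach netfilter (Linux
        # bridge); an OVS-backed VIF does not give you that, as the thread notes.
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for sg in nic.groups:
        for r in sg.ingress:
            if r.proto == "icmp":
                match = "-p icmp" if r.start == -1 else f"-p icmp --icmp-type {r.start}/{r.end}"
            else:
                match = f"-p {r.proto} -m {r.proto} --dport {r.start}:{r.end}"
            cmds.append(f"iptables -A {chain} -s {r.cidr} {match} "
                        f"-m comment --comment {sg.name} -j ACCEPT")
    cmds.append(f"iptables -A {chain} -j DROP")  # default deny: nothing in any SG matched
    # Egress anti-spoofing: frames leaving this VIF must carry the NIC's own IP.
    cmds.append(f"iptables -I FORWARD -m physdev --physdev-in {nic.vif} "
                f"--physdev-is-bridged ! -s {nic.ip} -j DROP")
    # Send bridged traffic destined for this VIF, and only this VIF, through the chain.
    cmds.append(f"iptables -I FORWARD -m physdev --physdev-out {nic.vif} "
                f"--physdev-is-bridged -j {chain}")
    return cmds


def render_vm_rules(nics: List[Nic]) -> List[str]:
    """Rules for every NIC of a VM; each NIC gets its own chain and SG set."""
    return [cmd for nic in nics for cmd in render_nic_rules(nic)]


def ingress_allowed(nic: Nic, proto: str, port_or_type: int, src_ip: str) -> bool:
    """Simulate the chain's verdict for a new inbound packet to this NIC
    (established/related traffic is not modelled; it would be accepted)."""
    src = ipaddress.ip_address(src_ip)
    for sg in nic.groups:
        for r in sg.ingress:
            if r.proto != proto or src not in ipaddress.ip_network(r.cidr, strict=False):
                continue
            if proto == "icmp":
                if r.start == -1 or r.start == port_or_type:
                    return True
            elif r.start <= port_or_type <= r.end:
                return True
    return False  # falls through to the chain's final DROP


# Constructed sample: one VM, two NICs on two shared networks, a different SG on each.
WEB_SG = SecurityGroup("web", [IngressRule("tcp", 80, 80, "0.0.0.0/0"),
                               IngressRule("tcp", 443, 443, "0.0.0.0/0")])
MGMT_SG = SecurityGroup("mgmt", [IngressRule("tcp", 22, 22, "10.1.0.0/16"),
                                 IngressRule("icmp", -1, -1, "10.1.0.0/16")])
SAMPLE_VM = [
    Nic(vif="vnet0", ip="203.0.113.10", groups=[WEB_SG]),   # public shared network
    Nic(vif="vnet1", ip="10.1.5.10", groups=[MGMT_SG]),     # management shared network
]

if __name__ == "__main__":
    for cmd in render_vm_rules(SAMPLE_VM):
        print(cmd)
```

The point the simulator makes is the one Anthony's third bullet implies: SSH from 10.1.3.4 is accepted on `vnet1` (the management NIC's SG) and dropped on `vnet0`, even though both NICs belong to the same VM, because each VIF has its own chain. The commands are only rendered here, never executed; applying them for real also requires the bridge-netfilter sysctl mentioned in the lead-in.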


Re: Security Groups in Advanced Zone - Plugin Support

Posted by Chiradeep Vittal <Ch...@citrix.com>.

On 3/7/13 12:22 AM, "Dave Cahill" <dc...@midokura.com> wrote:

>Hi Chiradeep,
>
>Thanks for jumping in, great to get feedback on this one.
>
>However, SecurityGroups are handled by SecurityGroupManagerImpl, which
>simply sends a Command to the agent without checking for, or calling
>into, a SecurityGroupsProvider. In other words, it's not pluggable.
>
>That's the background for why we're interested in pluggability for the
>service.

Yes, it should be pluggable, but it isn't currently. Patches welcome.

>
>Our second question was aimed at checking our understanding of
>Anthony's response: "as for SG enabled shared network, current plan is
>only support Virtual Router as service provider". It sounds like this
>would make all of the other Providers (external ones like F5 as well
>as virtual ones like Nicira) unusable in a SG-enabled Advanced Shared
>network, but we wanted to double-check that.

I don't see anything in the code that would preclude that. I think given
the scope of testing with myriad providers, he was merely stating that he
would vouch for it working with the virtual router.

>
>Lastly we wanted to understand timelines. The last comment on
>CLOUDSTACK-737 shows the feature being reverted, so we were wondering
>when it's aimed for master, and also to understand when Security
>Groups on Advanced Isolated mode is scheduled to hit master.

As I said, there's hypervisor-level issues being sorted out. I'll let
Anthony reply on that one.

>


Re: Security Groups in Advanced Zone - Plugin Support

Posted by Dave Cahill <dc...@midokura.com>.
Hi Chiradeep,

Thanks for jumping in, great to get feedback on this one.

Let me back up and explain where we're coming from.

Let's take the Firewall service as an example. When a user sets
Firewall rules via the UI / API, the request (skipping a few steps for
brevity) ends up in FirewallManagerImpl, where the relevant
FirewallServiceProvider class is called. In other words, the Firewall
rules Capability is pluggable - an Element can implement the
FirewallServiceProvider, set Firewall as one of its Capabilities etc,
and it will then be able to receive and take care of new Firewall
rules.

However, SecurityGroups are handled by SecurityGroupManagerImpl, which
simply sends a Command to the agent without checking for, or calling
into, a SecurityGroupsProvider. In other words, it's not pluggable.

If the service was pluggable, our Provider (Element) would inform the
MidoNet virtual network of the new security group rule, and this rule
would then be applied to any traffic coming into / out of the virtual
network from the relevant VMs. We wouldn't send a Command to the
agent, because there's no need in our case.

That's the background for why we're interested in pluggability for the
service.

Our second question was aimed at checking our understanding of
Anthony's response: "as for SG enabled shared network, current plan is
only support Virtual Router as service provider". It sounds like this
would make all of the other Providers (external ones like F5 as well
as virtual ones like Nicira) unusable in a SG-enabled Advanced Shared
network, but we wanted to double-check that.

Lastly we wanted to understand timelines. The last comment on
CLOUDSTACK-737 shows the feature being reverted, so we were wondering
when it's aimed for master, and also to understand when Security
Groups on Advanced Isolated mode is scheduled to hit master.

Again, thanks for the response - if any of the above is unclear,
please let me know.

Thanks,
Dave.

On Thu, Mar 7, 2013 at 2:53 AM, Chiradeep Vittal <Chiradeep.Vittal@citrix.com> wrote:


RE: Security Groups in Advanced Zone - Plugin Support

Posted by Paul Angus <pa...@shapeblue.com>.
We at ShapeBlue are also very keen to understand the direction that 'Security Groups in Advanced Zones' is going.

We have a large client who would like to use advanced zone VLAN isolation of accounts, with security groups based isolation of VM tiers within each account.

Regards,

Paul Angus
S: +44 20 3603 0540 | M: +447711418784
paul.angus@shapeblue.com


Re: Security Groups in Advanced Zone - Plugin Support

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Not sure I understand the thread below.
Security groups today are provided on the hypervisor level (dom0 / kvm
host).
There is currently a conundrum:
 - on XenServer Open vSwitch (OVS) is the de facto vswitch. OVS however
cannot do stateful packet inspection. This might entail switching to Linux
bridge, however this is under discussion with Citrix.
 - on vSphere, the vSwitch does not support SPI either and will require a
plugin such as vShield or Cisco VSG. One alternative to what Paul is
describing is to provide L2 isolation on a shared VLAN using PVLAN.
However there too there are questions on hardware support (requires VMware
dvSwitch and requires hardware switches to understand PVLAN).

On 3/5/13 12:34 AM, "Mills, Joseph" <jo...@midokura.jp> wrote:



Re: Security Groups in Advanced Zone - Plugin Support

Posted by "Mills, Joseph" <jo...@midokura.jp>.
Hi Anthony,

Any thoughts? We are looking forward to hearing back from you about this.
Just to recap:

(1) Your current changes add Security Group capabilities for the Virtual
Router in advanced-shared only, is this correct?

(2) Your future plan is to add Security Groups to Virtual Router in
advanced-isolated, but will NOT be supportable by other network service
providers, is this correct?

(3) Any reason you have decided to implement Security Groups differently
than the other network services? Particularly with respect to pluggability?

Thanks,
Joe

On Fri, Mar 1, 2013 at 12:16 PM, Dave Cahill <dc...@midokura.com> wrote:


Re: Security Groups in Advanced Zone - Plugin Support

Posted by Dave Cahill <dc...@midokura.com>.
Hi Anthony,

Adding you in CC in case you missed this message.

We're trying to understand in more detail your plan for Security Groups
support.

Thanks,
Dave.

On Fri, Feb 15, 2013 at 3:19 PM, Mills, Joseph <jo...@midokura.jp> wrote:

> Hi Anthony,
>
> Thanks for the quick response. Just to check my understanding:
>
> CloudStack has 4 networking models:
> Basic (Only in Basic Zone)
> Isolated (Only in Advanced Zone)
> Shared (Only in Advanced Zone)
> VPC (Only in Advanced Zone)
>
> Zones can be Security Group enabled, or Security Group disabled - this is a
> tickbox in the UI when creating a Zone.
>
> Network Offerings can have the Security Groups Capability enabled or not -
> this is a tickbox in the UI when creating a NetworkOffering.
>
> You have code that is almost ready to commit (CLOUDSTACK-737, currently
> adding unit tests), and you also plan to make further changes for 4.2 -
> let’s call these “current” and “future” changes.
>
> (1) Your “current” changes add support for the Security Groups Capability
> in Advanced Shared networks, however this will only be supported by the
> Virtual Router Provider, with no option to be supported by other network
> plugins.
>
> (2) For 4.2 (“future”), you plan to add support for the Security Groups
> Capability in Advanced Isolated networks. This will also not have the
> option of being supported by other network plugins.
>
> Is this correct?
>
> Any reason why you have chosen to implement this service differently than
> the other Services with respect to pluggability?
>
> Thanks,
> Joe
>
> On Fri, Feb 15, 2013 at 1:11 PM, Anthony Xu <Xu...@citrix.com> wrote:
>
> > I plan to add isolated and shared networks to SG enabled zones in 4.2;
> > the service providers on these networks will be supported in SG enabled
> > zones, but as for SG enabled shared networks, the current plan is to only
> > support the Virtual Router as service provider. If you want to add other
> > service providers in SG enabled shared networks, please file a feature
> > request for it, and you are welcome to work on that feature.
> >
> >
> > Anthony
> >
> > > -----Original Message-----
> > > From: Mills, Joseph [mailto:joe@midokura.jp]
> > > Sent: Thursday, February 14, 2013 7:02 PM
> > > To: cloudstack-dev@incubator.apache.org
> > > Subject: Security Groups in Advanced Zone - Plugin Support
> > >
> > > I was looking at the FS for Security Group Isolation in Advanced Zone,
> > > (CLOUDSTACK-737) and I noticed that:
> > >
> > > "Only one network service provider is supported in advanced SG enabled
> > > zone
> > > - Virtual Router"
> > >
> > > Are there currently any plans to add pluggability support for Security
> > > Groups in 4.2, and if so, is any timeline estimate available? As far as
> > > we
> > > know, all other Services are pluggable, and we would like to support
> > > Security Group Isolation as well.
> > >
> > > Thanks,
> > > Joe
> >
>

Re: Security Groups in Advanced Zone - Plugin Support

Posted by "Mills, Joseph" <jo...@midokura.jp>.
Hi Anthony,

Thanks for the quick response. Just to check my understanding:

CloudStack has 4 networking models:
Basic (Only in Basic Zone)
Isolated (Only in Advanced Zone)
Shared (Only in Advanced Zone)
VPC (Only in Advanced Zone)

Zones can be Security Group enabled, or Security Group disabled - this is a
tickbox in the UI when creating a Zone.

Network Offerings can have the Security Groups Capability enabled or not -
this is a tickbox in the UI when creating a NetworkOffering.

You have code that is almost ready to commit (CLOUDSTACK-737, currently
adding unit tests), and you also plan to make further changes for 4.2 -
let’s call these “current” and “future” changes.

(1) Your “current” changes add support for the Security Groups Capability
in Advanced Shared networks; however, this will only be supported by the
Virtual Router Provider, with no option to be supported by other network
plugins.

(2) For 4.2 (“future”), you plan to add support for the Security Groups
Capability in Advanced Isolated networks. This will also not have the
option of being supported by other network plugins.

Is this correct?

Any reason why you have chosen to implement this service differently than
the other Services with respect to pluggability?

Thanks,
Joe

On Fri, Feb 15, 2013 at 1:11 PM, Anthony Xu <Xu...@citrix.com> wrote:

> I have a plan to add isolated and shared networks to SG enabled zones in
> 4.2; the service providers on these networks will be supported in SG
> enabled zones, but as for SG enabled shared networks, the current plan is
> to only support Virtual Router as the service provider. If you want to add
> another service provider in SG enabled shared networks, please file a
> feature request for it, and you are welcome to work on that feature.
>
>
> Anthony
>
> > -----Original Message-----
> > From: Mills, Joseph [mailto:joe@midokura.jp]
> > Sent: Thursday, February 14, 2013 7:02 PM
> > To: cloudstack-dev@incubator.apache.org
> > Subject: Security Groups in Advanced Zone - Plugin Support
> >
> > I was looking at the FS for Security Group Isolation in Advanced Zone,
> > (CLOUDSTACK-737) and I noticed that:
> >
> > "Only one network service provider is supported in advanced SG enabled
> > zone
> > - Virtual Router"
> >
> > Are there currently any plans to add pluggability support for Security
> > Groups in 4.2, and if so, is any timeline estimate available? As far as
> > we
> > know, all other Services are pluggable, and we would like to support
> > Security Group Isolation as well.
> >
> > Thanks,
> > Joe
>

RE: Security Groups in Advanced Zone - Plugin Support

Posted by Anthony Xu <Xu...@citrix.com>.
I have a plan to add isolated and shared networks to SG enabled zones in 4.2; the service providers on these networks will be supported in SG enabled zones, but as for SG enabled shared networks, the current plan is to only support Virtual Router as the service provider. If you want to add another service provider in SG enabled shared networks, please file a feature request for it, and you are welcome to work on that feature.


Anthony

> -----Original Message-----
> From: Mills, Joseph [mailto:joe@midokura.jp]
> Sent: Thursday, February 14, 2013 7:02 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Security Groups in Advanced Zone - Plugin Support
> 
> I was looking at the FS for Security Group Isolation in Advanced Zone,
> (CLOUDSTACK-737) and I noticed that:
> 
> "Only one network service provider is supported in advanced SG enabled
> zone
> - Virtual Router"
> 
> Are there currently any plans to add pluggability support for Security
> Groups in 4.2, and if so, is any timeline estimate available? As far as
> we
> know, all other Services are pluggable, and we would like to support
> Security Group Isolation as well.
> 
> Thanks,
> Joe