So the VM will determine its own participation level. A VM can have networks with SG and without at the same time. If that's the case this feature proposal just got more awesome!
-kd

>-----Original Message-----
>From: Anthony Xu [mailto:xuefei...@citrix.com]
>Sent: Wednesday, January 16, 2013 5:21 PM
>To: cloudstack-dev@incubator.apache.org
>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>
>Correct,
>there are several types of guest shared network,
>Zone-wide guest shared network
>Domain-wide guest shared network
>Account-specific guest shared network
>
>One VM can be on multiple networks,
>SG is on VM level, means SG will be applied to all NICs of this VM.
>
>
>Cheers,
>Anthony
>
>> -----Original Message-----
>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On Behalf Of kdam...@apache.org
>> Sent: Wednesday, January 16, 2013 5:17 PM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>
>> Got it,
>>
>> So we are still only talking about SG on advanced shared networks.
>>
>> Thanks.
>>
>>
>> -kd
>>
>>
>> >-----Original Message-----
>> >From: Anthony Xu [mailto:xuefei...@citrix.com]
>> >Sent: Wednesday, January 16, 2013 5:11 PM
>> >To: cloudstack-dev@incubator.apache.org
>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >
>> >In this spec, security group is only supported in shared guest network, we
>> >might add isolated guest network support later. I have a concern about this,
>> >normally there is firewall for isolated network, if security group is added to
>> >isolated network, that means if user wants to allow some kind ingress traffic,
>> >he might need to program both security group and firewall, it might be
>> >inconvenient for user.
>> >
>> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not supported
>> >due to the similar reason of isolated guest network, user might need to
>> >handle ACL and security group at the same time.
>> >
>> >
>> >Anthony
>> >
>> >
>> >> -----Original Message-----
>> >> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
>> >> Sent: Wednesday, January 16, 2013 4:55 PM
>> >> To: cloudstack-dev@incubator.apache.org
>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>
>> >> So to catch myself up, this will allow functional security group
>> >> isolation/ACLs on both 'shared' and 'isolated' networks?
>> >>
>> >> -kd
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
>> >> >To: cloudstack-dev@incubator.apache.org
>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >
>> >> >Folks please pass on comments if any, otherwise it is assumed that the spec is
>> >> >approved by the community
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Anthony Xu [mailto:xuefei...@citrix.com]
>> >> >> Sent: Friday, January 11, 2013 3:53 PM
>> >> >> To: cloudstack-dev@incubator.apache.org
>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >>
>> >> >>
>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>> >> >>
>> >> >>
>> >> >> This is upgraded spec,
>> >> >> Compared to original one, following are major changes
>> >> >>
>> >> >> 1. SG enabled is zone wide parameter, if this zone is SG enabled, all
>> >> >>    guest networks in this zone must be SG enabled.
>> >> >> 2. support all shared network types, includes zone-wide shared
>> >> >>    network, domain-wide shared networks and account-specific shared
>> >> >>    networks
>> >> >> 3. support multiple SG enabled networks in one SG enabled zone.
>> >> >> 4. VM can be on multiple SG enabled networks
>> >> >> 5. SG rules apply to all NICs for a VM
>> >> >> 6. support both KVM and XenServer.
>> >> >>
>> >> >> Comments, question, suggestion and flame are welcome!
>> >> >>
>> >> >>
>> >> >> Thanks,
>> >> >> Anthony
>> >> >>
>> >> >>
>> >> >> > -----Original Message-----
>> >> >> > From: Dave Cahill [mailto:dcah...@midokura.jp]
>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
>> >> >> > To: cloudstack-dev@incubator.apache.org
>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >> >
>> >> >> > Hi Anthony,
>> >> >> >
>> >> >> > Understood - thanks for the update.
>> >> >> >
>> >> >> > Dave.
>> >> >> >
>> >> >> >
>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <xuefei...@citrix.com> wrote:
>> >> >> >
>> >> >> > > Hi Dave,
>> >> >> > >
>> >> >> > > For 4.1, this feature is only for shared network on advanced zone, both
>> >> >> > > XenServer and KVM are supported.
>> >> >> > > Will upgrade FS soon.
>> >> >> > >
>> >> >> > >
>> >> >> > > Anthony
>> >> >> > >
>> >> >> > > > -----Original Message-----
>> >> >> > > > From: Dave Cahill [mailto:dcah...@midokura.jp]
>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
>> >> >> > > > To: cloudstack-dev@incubator.apache.org
>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >> >> > > >
>> >> >> > > > Hi Manan,
>> >> >> > > >
>> >> >> > > > I'm interested in this feature - when (roughly) are you planning
>> >> >> > > > to commit this to master?
>> >> >> > > >
>> >> >> > > > Are you planning the full list of features from your requirements doc
>> >> >> > > > (including support for Advanced, Isolated networks) in 4.1?
>> >> >> > > >
>> >> >> > > > Thanks in advance,
>> >> >> > > > Dave.
>> >> >> > > >
>> >> >> > > >
>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.s...@citrix.com> wrote:
>> >> >> > > >
>> >> >> > > > > Yes, FS definitely needs updating. Please also look at the "Future"
>> >> >> > > > > section of Alena's FS.
>> >> >> > > > >
>> >> >> > > > > Regards,
>> >> >> > > > > Manan Shah
>> >> >> > > > >
>> >> >> > > > >
>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santha...@citrix.com> wrote:
>> >> >> > > > >
>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
>> >> >> > > > > >> Hi Chip,
>> >> >> > > > > >>
>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially support only
>> >> >> > > > > >> the functionality that was enabled in CS 2.2. She had created a section in
>> >> >> > > > > >> her FS that talked about Future release plans.
>> >> >> > > > > >>
>> >> >> > > > > >> My requirements page covers requirements for both, the CS 2.2 use case as
>> >> >> > > > > >> well as the broader use case.
>> >> >> > > > > >>
>> >> >> > > > > >> Let me know if you have additional questions.
>> >> >> > > > > >>
>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have listed
>> >> >> > > > > >support for XenServer and KVM. Guess the FS needs updating?
>> >> >> > > > > >
>> >> >> > > > > >--
>> >> >> > > > > >Prasanna.,
>> >> >> > > > >
>> >> >> > > >
>> >> >> > > > --
>> >> >> > > > Thanks,
>> >> >> > > > Dave.
>> >> >> > >
>> >> >> >
>> >> >> > --
>> >> >> > Thanks,
>> >> >> > Dave.