That is just so confusing. So if we do ENI-style in 4.2, the rules for
accessing a VM within a VPC will be the union of
* ACL accept
* ACL deny
* instance-based SG
* nic based SG

On 1/18/13 9:50 AM, "Anthony Xu" <xuefei...@citrix.com> wrote:

>Thanks for comments,
>It is nice to have security group at NIC level.
>Checked AWS, which is implemented with Elastic Network Interfaces (ENI),
>but when deploying a VM, all NICs of the VM are associated with the same
>security groups, which is the same as what we did in the FS.
>
>Maybe we can implement NIC-level security group after we have VM NIC hot
>plug feature (something like ENI) in 4.2.
>
>Anthony
>
>
>> -----Original Message-----
>> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
>> Sent: Thursday, January 17, 2013 5:29 PM
>> To: CloudStack DeveloperList
>> Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> 
>> I don't think that's what Anthony is saying.
>> I think he is saying that if a VM is in security groups X,Y,Z, then ALL
>> nics of the VM are in security groups X,Y,Z.
>> 
>> The AWS-compatible way is that nics are associated with the security
>> group.
>> So, VM's eth0 can be in security group Z and eth1 can be in security
>> group X.
>> I think we should do it this way.
>> 
>> On 1/16/13 5:35 PM, "kdam...@apache.org" <kdam...@apache.org> wrote:
>> 
>> >So the VM will determine its own participation level. A VM can have
>> >networks with SG and without at the same time. If that's the case this
>> >feature proposal just got more awesome!
>> >
>> >-kd
>> >
>> >
>> >>-----Original Message-----
>> >>From: Anthony Xu [mailto:xuefei...@citrix.com]
>> >>Sent: Wednesday, January 16, 2013 5:21 PM
>> >>To: cloudstack-dev@incubator.apache.org
>> >>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>
>> >>Correct,
>> >>there are several types of guest shared network: Zone-wide guest shared
>> >>network, Domain-wide guest shared network, Account-specific guest shared
>> >>network
>> >>
>> >>One VM can be on multiple networks,
>> >>SG is on VM level, means SG will be applied to all NICs of this VM.
>> >>
>> >>
>> >>Cheers,
>> >>Anthony
>> >>
>> >>> -----Original Message-----
>> >>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On
>> >>> Behalf Of kdam...@apache.org
>> >>> Sent: Wednesday, January 16, 2013 5:17 PM
>> >>> To: cloudstack-dev@incubator.apache.org
>> >>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>>
>> >>> Got it,
>> >>>
>> >>> So we are still only talking about SG on advanced shared networks.
>> >>>
>> >>> Thanks.
>> >>>
>> >>>
>> >>> -kd
>> >>>
>> >>>
>> >>> >-----Original Message-----
>> >>> >From: Anthony Xu [mailto:xuefei...@citrix.com]
>> >>> >Sent: Wednesday, January 16, 2013 5:11 PM
>> >>> >To: cloudstack-dev@incubator.apache.org
>> >>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >
>> >>> >In this spec, security group is only supported in shared guest
>> >>> >network, we might add isolated guest network support later. I have a
>> >>> >concern about this, normally there is firewall for isolated network,
>> >>> >if security group is added to isolated network, that means if user
>> >>> >wants to allow some kind of ingress traffic, he might need to program
>> >>> >both security group and firewall, it might be inconvenient for user.
>> >>> >
>> >>> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not
>> >>> >supported due to the similar reason of isolated guest network, user
>> >>> >might need to handle ACL and security group at the same time.
>> >>> >
>> >>> >
>> >>> >Anthony
>> >>> >
>> >>> >
>> >>> >> -----Original Message-----
>> >>> >> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
>> >>> >> Sent: Wednesday, January 16, 2013 4:55 PM
>> >>> >> To: cloudstack-dev@incubator.apache.org
>> >>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >>
>> >>> >> So to catch myself up, this will allow functional security group
>> >>> >> isolation/ACLs on both 'shared' and 'isolated' networks?
>> >>> >>
>> >>> >> -kd
>> >>> >>
>> >>> >>
>> >>> >> >-----Original Message-----
>> >>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
>> >>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
>> >>> >> >To: cloudstack-dev@incubator.apache.org
>> >>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >> >
>> >>> >> >Folks please pass on comments if any, otherwise it is assumed that
>> >>> >> >the spec is approved by the community
>> >>> >> >
>> >>> >> >> -----Original Message-----
>> >>> >> >> From: Anthony Xu [mailto:xuefei...@citrix.com]
>> >>> >> >> Sent: Friday, January 11, 2013 3:53 PM
>> >>> >> >> To: cloudstack-dev@incubator.apache.org
>> >>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> This is upgraded spec,
>> >>> >> >> Compared to original one, following are major changes
>> >>> >> >>
>> >>> >> >> 1.  SG enabled is zone wide parameter, if this zone is SG
>> >>> >> >> enabled, all guest networks in this zone must be SG enabled.
>> >>> >> >> 2.  support all shared network types, includes zone-wide shared
>> >>> >> >> network, domain-wide shared networks and account-specific shared
>> >>> >> >> networks
>> >>> >> >> 3.  support multiple SG enabled networks in one SG enabled zone.
>> >>> >> >> 4.  VM can be on multiple SG enabled networks
>> >>> >> >> 5.  SG rules apply to all NICs for a VM
>> >>> >> >> 6.  support both KVM and XenServer.
>> >>> >> >>
>> >>> >> >> Comments, question, suggestion and flame are welcome!
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> Thanks,
>> >>> >> >> Anthony
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> > -----Original Message-----
>> >>> >> >> > From: Dave Cahill [mailto:dcah...@midokura.jp]
>> >>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
>> >>> >> >> > To: cloudstack-dev@incubator.apache.org
>> >>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >> >> >
>> >>> >> >> > Hi Anthony,
>> >>> >> >> >
>> >>> >> >> > Understood - thanks for the update.
>> >>> >> >> >
>> >>> >> >> > Dave.
>> >>> >> >> >
>> >>> >> >> >
>> >>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu
>> >>> >> >> > <xuefei...@citrix.com>
>> >>> >> >> > wrote:
>> >>> >> >> >
>> >>> >> >> > > Hi Dave,
>> >>> >> >> > >
>> >>> >> >> > > For 4.1, this feature is only for shared network on
>> >>> >> >> > > advanced zone, both XenServer and KVM are supported.
>> >>> >> >> > > Will upgrade FS soon.
>> >>> >> >> > >
>> >>> >> >> > >
>> >>> >> >> > > Anthony
>> >>> >> >> > >
>> >>> >> >> > > > -----Original Message-----
>> >>> >> >> > > > From: Dave Cahill [mailto:dcah...@midokura.jp]
>> >>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
>> >>> >> >> > > > To: cloudstack-dev@incubator.apache.org
>> >>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>> >>> >> >> > > >
>> >>> >> >> > > > Hi Manan,
>> >>> >> >> > > >
>> >>> >> >> > > > I'm interested in this feature - when (roughly) are you
>> >>> >> >> > > > planning to commit this to master?
>> >>> >> >> > > >
>> >>> >> >> > > > Are you planning the full list of features from your
>> >>> >> >> > > > requirements doc (including support for Advanced, Isolated
>> >>> >> >> > > > networks) in 4.1?
>> >>> >> >> > > >
>> >>> >> >> > > > Thanks in advance,
>> >>> >> >> > > > Dave.
>> >>> >> >> > > >
>> >>> >> >> > > >
>> >>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah
>> >>> >> >> > > > <manan.s...@citrix.com>
>> >>> >> >> > > > wrote:
>> >>> >> >> > > >
>> >>> >> >> > > > > Yes, FS definitely needs updating. Please also look at
>> >>> >> >> > > > > the "Future" section of Alena's FS.
>> >>> >> >> > > > >
>> >>> >> >> > > > > Regards,
>> >>> >> >> > > > > Manan Shah
>> >>> >> >> > > > >
>> >>> >> >> > > > >
>> >>> >> >> > > > >
>> >>> >> >> > > > >
>> >>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam"
>> >>> >> >> > > > <prasanna.santha...@citrix.com>
>> >>> >> >> > > > > wrote:
>> >>> >> >> > > > >
>> >>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
>> >>> >> >> > > > > >> Hi Chip,
>> >>> >> >> > > > > >>
>> >>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to
>> >>> >> >> > > > > >> initially support only the functionality that was
>> >>> >> >> > > > > >> enabled in CS 2.2. She had created a section in her FS
>> >>> >> >> > > > > >> that talked about Future release plans.
>> >>> >> >> > > > > >>
>> >>> >> >> > > > > >> My requirements page covers requirements for both, the
>> >>> >> >> > > > > >> CS 2.2 use case as well as the broader use case.
>> >>> >> >> > > > > >>
>> >>> >> >> > > > > >> Let me know if you have additional questions.
>> >>> >> >> > > > > >>
>> >>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you
>> >>> >> >> > > > > >have listed support for XenServer and KVM. Guess the FS
>> >>> >> >> > > > > >needs updating?
>> >>> >> >> > > > > >
>> >>> >> >> > > > > >--
>> >>> >> >> > > > > >Prasanna.,
>> >>> >> >> > > > >
>> >>> >> >> > > > >
>> >>> >> >> > > >
>> >>> >> >> > > >
>> >>> >> >> > > > --
>> >>> >> >> > > > Thanks,
>> >>> >> >> > > > Dave.
>> >>> >> >> > >
>> >>> >> >> >
>> >>> >> >> >
>> >>> >> >> >
>> >>> >> >> > --
>> >>> >> >> > Thanks,
>> >>> >> >> > Dave.
>> >>>
>> >
>> >
>
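The point argued back and forth in this thread, VM-level security groups (the spec's "SG rules apply to all NICs for a VM") versus AWS/ENI-style per-NIC groups, modelled as an added illustration that is not CloudStack code; the group names, rules and the two-NIC VM are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """Ingress allow rule: protocol, port and the source CIDR it admits."""
    proto: str
    port: int
    cidr: str


# Constructed security groups for the example; names and rules are assumptions.
GROUPS = {
    "web":  {Rule("tcp", 80, "0.0.0.0/0")},     # public web traffic
    "mgmt": {Rule("tcp", 22, "10.0.0.0/8")},    # SSH from the management range
}


@dataclass
class VM:
    name: str
    vm_groups: set = field(default_factory=set)     # spec: SGs bound to the VM
    nic_groups: dict = field(default_factory=dict)  # ENI style: nic -> SGs


def effective_rules(vm: VM, nic: str, per_nic: bool) -> set:
    """Rules enforced on one NIC under VM-level or per-NIC scoping."""
    groups = vm.nic_groups.get(nic, set()) if per_nic else vm.vm_groups
    return set().union(*(GROUPS[g] for g in groups))


def ingress_allowed(vm: VM, nic: str, proto: str, port: int,
                    src_ip: str, per_nic: bool) -> bool:
    """Allow-list semantics: a packet passes only if some rule admits it."""
    src = ipaddress.ip_address(src_ip)
    return any(r.proto == proto and r.port == port
               and src in ipaddress.ip_network(r.cidr)
               for r in effective_rules(vm, nic, per_nic))


def build_example_vm() -> VM:
    """eth0 on a public shared network, eth1 on a management network."""
    return VM("app01", vm_groups={"web", "mgmt"},
              nic_groups={"eth0": {"web"}, "eth1": {"mgmt"}})
```

With VM-level scoping the SSH rule intended for the management NIC is also enforced on the public-facing eth0, which is the exposure the per-NIC model avoids.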