Hi Chiradeep,

Thanks for jumping in, great to get feedback on this one.

Let me back up and explain where we're coming from.

Let's take the Firewall service as an example. When a user sets
Firewall rules via the UI / API, the request (skipping a few steps for
brevity) ends up in FirewallManagerImpl, where the relevant
FirewallServiceProvider class is called. In other words, the Firewall
rules Capability is pluggable - an Element can implement the
FirewallServiceProvider, set Firewall as one of its Capabilities etc,
and it will then be able to receive and take care of new Firewall
rules.

However, SecurityGroups are handled by SecurityGroupManagerImpl, which
simply sends a Command to the agent without checking for, or calling
into, a SecurityGroupsProvider. In other words, it's not pluggable.

If the service was pluggable, our Provider (Element) would inform the
MidoNet virtual network of the new security group rule, and this rule
would then be applied to any traffic coming into / out of the virtual
network from the relevant VMs. We wouldn't send a Command to the
agent, because there's no need in our case.

That's the background for why we're interested in pluggability for the
service.

Our second question was aimed at checking our understanding of
Anthony's response: "as for SG enabled shared network, current plan is
only support Virtual Router as service provider". It sounds like this
would make all of the other Providers (external ones like F5 as well
as virtual ones like Nicira) unusable in a SG-enabled Advanced Shared
network, but we wanted to double-check that.

Lastly we wanted to understand timelines. The last comment on
CLOUDSTACK-737 shows the feature being reverted, so we were wondering
when it's aimed for master, and also to understand when Security
Groups on Advanced Isolated mode are scheduled to hit master.

Again, thanks for the response - if any of the above is unclear,
please let me know.

Thanks,
Dave.

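Worked sketch of the pluggable path described above, added here as an illustration and not code from CloudStack or the MidoNet plugin: a manager that hands security-group rules to whichever Element declared the capability, the way FirewallManagerImpl calls into a FirewallServiceProvider, instead of sending a Command to the agent. Every class and method name below (Service, NetworkElement, SecurityGroupsProvider, SecurityGroupManager, OverlayElement) is an assumption chosen for the sketch; CloudStack's real interfaces differ.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Hypothetical names that mirror the FirewallServiceProvider pattern above;
// none of these are CloudStack's real classes.
enum Service { Firewall, SecurityGroup }
interface NetworkElement {
    String getName();
    Set<Service> getCapabilities();
}
// A pluggable SecurityGroupsProvider: the Element enforces the rules in its
// own virtual network, so the manager never sends a Command to the agent.
interface SecurityGroupsProvider extends NetworkElement {
    boolean applySecurityGroupRules(long networkId, List<String> rules);
}
final class SecurityGroupManager {
    private final List<NetworkElement> elements;
    SecurityGroupManager(List<NetworkElement> elements) { this.elements = elements; }
    // Dispatch to the Element that is the network's provider and declared the
    // SecurityGroup capability. Fail closed: if nothing claims the service,
    // refuse rather than leave the VM running with no rules enforced.
    boolean applyRules(long networkId, String providerName, List<String> rules) {
        for (NetworkElement e : elements) {
            if (e.getName().equals(providerName)
                    && e.getCapabilities().contains(Service.SecurityGroup)
                    && e instanceof SecurityGroupsProvider) {
                return ((SecurityGroupsProvider) e).applySecurityGroupRules(networkId, rules);
            }
        }
        throw new IllegalStateException("no SecurityGroup provider for network " + networkId);
    }
}
// Stand-in for an overlay-network plugin Element (constructed for the sketch).
final class OverlayElement implements SecurityGroupsProvider {
    public String getName() { return "Overlay"; }
    public Set<Service> getCapabilities() { return EnumSet.of(Service.Firewall, Service.SecurityGroup); }
    public boolean applySecurityGroupRules(long networkId, List<String> rules) {
        System.out.println("network " + networkId + ": applying " + rules + " in the virtual network");
        return true;
    }
}
public class Demo {
    public static void main(String[] args) {
        SecurityGroupManager mgr = new SecurityGroupManager(List.of(new OverlayElement()));
        mgr.applyRules(42L, "Overlay", List.of("ingress tcp/22 from 10.0.0.0/8")); // constructed rule
        mgr.applyRules(42L, "VirtualRouter", List.of("ingress tcp/80 from any")); // throws: no provider
    }
}
```
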
On Thu, Mar 7, 2013 at 2:53 AM, Chiradeep Vittal <
chiradeep.vit...@citrix.com> wrote:

> Not sure I understand the thread below.
> Security groups today are provided on the hypervisor level (dom0 / kvm
> host).
> There is currently a conundrum
>  - on XenServer Open vSwitch (OVS) is the de facto vswitch. OVS however
> cannot do stateful packet inspection. This might entail switching to Linux
> bridge, however this is under discussion with Citrix.
>  - on vSphere, the vSwitch does not support SPI either and will require a
> plugin such as vShield or Cisco VSG. One alternative to what Paul is
> describing is to provide L2 isolation on a shared VLAN using PVLAN.
> However there too there are questions on hardware support (requires VMWare
> dvSwitch and requires hardware switches to understand PVLAN).
>
> On 3/5/13 12:34 AM, "Mills, Joseph" <j...@midokura.jp> wrote:
>
> >Hi Anthony,
> >
> >Any thoughts? We are looking forward to hearing back from you about this.
> >Just to recap:
> >
> >(1) Your current changes add Security Group capabilities for the Virtual
> >Router in advance-shared only, is this correct?
> >
> >(2) Your future plan is to add Security Groups to Virtual Router in
> >advanced-isolated, but will NOT be supportable by other network service
> >providers, is this correct?
> >
> >(3) Any reason you have decided to implement Security Groups differently
> >than the other network services? Particularly with respect to
> >pluggability?
> >
> >Thanks,
> >Joe
> >
> >On Fri, Mar 1, 2013 at 12:16 PM, Dave Cahill <dcah...@midokura.com> wrote:
> >
> >> Hi Anthony,
> >>
> >> Adding you in CC in case you missed this message.
> >>
> >> We're trying to understand in more detail your plan for Security Groups
> >> support.
> >>
> >> Thanks,
> >> Dave.
> >>
> >> On Fri, Feb 15, 2013 at 3:19 PM, Mills, Joseph <j...@midokura.jp> wrote:
> >>
> >> > Hi Anthony,
> >> >
> >> > Thanks for the quick response. Just to check my understanding:
> >> >
> >> > CloudStack has 4 networking models:
> >> > Basic (Only in Basic Zone)
> >> > Isolated (Only in Advanced Zone)
> >> > Shared (Only in Advanced Zone)
> >> > VPC (Only in Advanced Zone)
> >> >
> >> > Zones can be Security Group enabled, or Security Group disabled - this
> >> > is a tickbox in the UI when creating a Zone.
> >> >
> >> > Network Offerings can have the Security Groups Capability enabled or
> >> > not - this is a tickbox in the UI when creating a NetworkOffering.
> >> >
> >> > You have code that is almost ready to commit (CLOUDSTACK-737, currently
> >> > adding unit tests), and you also plan to make further changes for 4.2 -
> >> > let's call these "current" and "future" changes.
> >> >
> >> > (1) Your "current" changes add support for the Security Groups Capability
> >> > in Advanced Shared networks, however this will only be supported by the
> >> > Virtual Router Provider, with no option to be supported by other network
> >> > plugins.
> >> >
> >> > (2) For 4.2 ("future"), you plan to add support for the Security Groups
> >> > Capability in Advanced Isolated networks. This will also not have the
> >> > option of being supported by other network plugins.
> >> >
> >> > Is this correct?
> >> >
> >> > Any reason why you have chosen to implement this service differently than
> >> > the other Services with respect to pluggability?
> >> >
> >> > Thanks,
> >> > Joe
> >> >
> >> > On Fri, Feb 15, 2013 at 1:11 PM, Anthony Xu <xuefei...@citrix.com> wrote:
> >> >
> >> > > I have plan to add isolated and shared networks to SG enabled zone in
> >> > > 4.2, the service providers on these network will be supported in SG
> >> > > enabled zone, but as for SG enabled shared network, current plan is only
> >> > > support Virtual Router as service provider. If you want to add other
> >> > > service provider in SG enabled shared network, please file a feature
> >> > > request for it, and welcome work on that feature.
> >> > >
> >> > >
> >> > > Anthony
> >> > >
> >> > > > -----Original Message-----
> >> > > > From: Mills, Joseph [mailto:j...@midokura.jp]
> >> > > > Sent: Thursday, February 14, 2013 7:02 PM
> >> > > > To: cloudstack-dev@incubator.apache.org
> >> > > > Subject: Security Groups in Advanced Zone - Plugin Support
> >> > > >
> >> > > > I was looking at the FS for Security Group Isolation in Advanced Zone,
> >> > > > (CLOUDSTACK-737) and I noticed that:
> >> > > >
> >> > > > "Only one network service provider is supported in advanced SG enabled
> >> > > > zone - Virtual Router"
> >> > > >
> >> > > > Are there currently any plans to add pluggability support for Security
> >> > > > Groups in 4.2, and if so, is any timeline estimate available? As far as
> >> > > > we know, all other Services are pluggable, and we would like to support
> >> > > > Security Group Isolation as well.
> >> > > >
> >> > > > Thanks,
> >> > > > Joe
> >> > >
> >> >
> >>
>
>
