Hi,
I briefly discussed this topic with David on IRC and was advised to post
the question here to reach a wider audience and get more feedback.
I'm making a lot of progress with the FGCP implementation.
I am currently facing an issue that affects the implementation of
create_instance, firewalls, LBs and additional storage APIs.
With the FGCP, before creating nodes/LBs/additional storage, you have to
create a container called a virtual system ('vsys').
A vsys comes with a FW and helps to separate nodes into different
network segments (DMZ and optionally up to two SECURE segments).
The URL below has an illustration of a vsys.
The nodes are placed in a DMZ (maybe for your web servers, fronted by a
LB) and secure zone (maybe your database). A FW connects the segments to
each other and the outside (if you add the FW rules to allow so). Users
can create as many vsys's as they like.
http://code.google.com/p/fgcp-client-api/
So my issue is, when the user adds a server instance or LB, they have to
specify the id of the vsys they want to add it to. These resources are
then scoped to that network segment; they can't move them to another
vsys.
So in that way it may fit the Realm concept.
Two further issues:
1. The above is not entirely correct: when the user creates a node or
LB, they have to specify the network segment (i.e. id of vsys' DMZ or
SECURE segment) it is to be added to, which is even more specific than
the vsys. (*)
2. Each vsys comes with a FW. There is no need to create it, and you
cannot add any more: it has a one-to-one mapping to a vsys.
It has operations to add and delete rules and to do the NAT'ing of
public IP addresses to nodes/LBs in the vsys.
Should I consider mapping 'create_firewall' to FGCP's create-vsys API?
Or introduce a realm creation operation? An additional snag for
create_firewall is that FGCP's FW creation method does not include rule
addition. You first need to create the FW, start it, and then you can
add rules.
(*)
So actually there are two concepts I need to map: vsys and network
segment. The vsys id is required for adding additional storage volumes,
while the network segment id is for adding instances and LBs.
If we map network segments to Realms, that would work from an
implementation point of view (as the driver can determine the vsys from
the network segment id). But it may look confusing to the user that the
API lets them add a volume to a network segment (even if it's called a
Realm), e.g. vsys_a_dmz, and then see it appear in Realm vsys_a_secure1
and vsys_a_secure2 as well.
Any suggestions very welcome!
Cheers,
Dies Koper
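To make the scoping rules in the mail concrete (instances and LBs bound to a network segment, volumes bound to the whole vsys, one firewall per vsys that must be started before rules can be added), here is a toy model of those rules. It is an added example, not code from the Deltacloud driver or from fgcp-client-api; the `<vsys>_<segment>` realm naming, the class names and the rule strings are assumptions made for the illustration. It also shows the confusing behaviour the mail warns about: a volume created via realm `vsys_a_dmz` is listed under `vsys_a_secure1` as well.

```python
"""Toy model of FGCP scoping (vsys, network segments, firewall) to illustrate
the Realm-mapping trade-off. Hypothetical code written for this example; it is
neither the Deltacloud FGCP driver nor fgcp-client-api."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One DMZ plus up to two SECURE segments per vsys (as described in the mail).
SEGMENTS = ("dmz", "secure1", "secure2")


def parse_realm(realm_id: str) -> Tuple[str, str]:
    """Split a realm id like 'vsys_a_dmz' into (vsys_id, segment).

    The '<vsys>_<segment>' naming is an assumption made for this example;
    it is what lets a driver recover the vsys from a network-segment realm.
    """
    vsys_id, sep, segment = realm_id.rpartition("_")
    if not sep or segment not in SEGMENTS:
        raise ValueError(f"not a network-segment realm id: {realm_id!r}")
    return vsys_id, segment


@dataclass
class Firewall:
    """The single firewall that comes with a vsys (1:1, never created by the user)."""
    rules: List[str] = field(default_factory=list)
    running: bool = False

    def add_rule(self, rule: str) -> None:
        # Rules can only be added once the FW has been started (the create_firewall snag).
        if not self.running:
            raise RuntimeError("firewall must be started before rules can be added")
        self.rules.append(rule)


@dataclass
class Vsys:
    vsys_id: str
    segments: Tuple[str, ...]
    firewall: Firewall = field(default_factory=Firewall)
    instances: Dict[str, str] = field(default_factory=dict)  # instance id -> segment
    volumes: List[str] = field(default_factory=list)         # scoped to the whole vsys


class FgcpModel:
    """Holds vsys containers and resolves network-segment realm ids."""

    def __init__(self) -> None:
        self.vsys: Dict[str, Vsys] = {}
        self._seq = 0

    def _next_id(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}-{self._seq}"

    def create_vsys(self, vsys_id: str, secure_segments: int = 1) -> Vsys:
        # A vsys always has a DMZ; SECURE segments are optional (max two).
        segs = ("dmz",) + SEGMENTS[1:1 + max(0, min(secure_segments, 2))]
        v = Vsys(vsys_id, segs)
        self.vsys[vsys_id] = v
        return v

    def realms(self) -> List[str]:
        """Network segments exposed as realms."""
        return [f"{v.vsys_id}_{s}" for v in self.vsys.values() for s in v.segments]

    def _lookup(self, realm_id: str) -> Tuple[Vsys, str]:
        vsys_id, segment = parse_realm(realm_id)
        v = self.vsys[vsys_id]
        if segment not in v.segments:
            raise KeyError(f"{vsys_id} has no segment {segment}")
        return v, segment

    def create_instance(self, realm_id: str) -> str:
        v, seg = self._lookup(realm_id)          # instances are bound to one segment
        iid = self._next_id("inst")
        v.instances[iid] = seg
        return iid

    def create_volume(self, realm_id: str) -> str:
        v, _ = self._lookup(realm_id)            # volumes only need the vsys
        vid = self._next_id("vol")
        v.volumes.append(vid)
        return vid

    def instances_in_realm(self, realm_id: str) -> List[str]:
        v, seg = self._lookup(realm_id)
        return [i for i, s in v.instances.items() if s == seg]

    def volumes_in_realm(self, realm_id: str) -> List[str]:
        # Same list for every realm of the vsys: this is the confusing part.
        v, _ = self._lookup(realm_id)
        return list(v.volumes)
```

Running `FgcpModel().create_vsys("vsys_a", secure_segments=2)` and then `create_volume("vsys_a_dmz")` shows the volume from `volumes_in_realm("vsys_a_secure1")` too, while an instance created in `vsys_a_dmz` stays invisible from the SECURE realms.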