Status of Autoscale on 4.4
Hi guys,

At Globo.com we are working on an LB for our network orchestration tool (http://globonetworkapi.readthedocs.org/en/latest/about.html) and we would like to help develop the autoscale feature on the ACS 4.4.2 version. In 4.4.2 I could see many autoscale commands. What is the situation of autoscale in this version? Is there any specific branch I can use to merge the latest development of the autoscale code into the 4.4.2 release? Is there any other relevant documentation besides the links below?

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Autoscale+framework
http://docs.cloudstack.apache.org/en/latest/networking/autoscale_without_netscaler.html
http://www.slideshare.net/tuna20073882/autoscale-without-netscalerccceu13

Thanks,
Silvano Buback
Re: Load Balancer Crosszone
GSLB is a kind of load balancer balancing other load balancers. If I implement a cross-zone load balancer using GSLB, I will need one public IP + 1 LB for each zone, and I have a lot of load balancers. I will waste too many IPs. Without a cross-zone LB I can't achieve HA, because if an entire zone fails, I will miss one or more projects.

On Wed, Oct 15, 2014 at 12:40 AM, Rajesh Battala rajesh.batt...@citrix.com wrote:

If you use Netscaler as the LB provider in your CloudStack, Netscaler has a supported feature called GSLB. This feature is a load balancer across zones. It has been in CloudStack for a long time.

Thanks
Rajesh Battala

-----Original Message-----
From: Silvano Nogueira Buback [mailto:silv...@corp.globo.com]
Sent: Tuesday, October 14, 2014 11:02 PM
To: dev@cloudstack.apache.org
Subject: Load Balancer Crosszone

Guys,

Is there any way to create a load balancer between zones, using a shared network and an advanced zone? This is not the idea of the Global Load Balancer; it is the same idea as Amazon's cross-zone LB.

Regards,
Silvano Buback
Load Balancer Crosszone
Guys,

Is there any way to create a load balancer between zones, using a shared network and an advanced zone? This is not the idea of the Global Load Balancer; it is the same idea as Amazon's cross-zone LB.

Regards,
Silvano Buback
Re: [MERGE] Merge saml2 branch to master
I'm working in CloudStack 4.3 and there are some tokens and migrations in Globo.com's internal version that I'm not able to share now. Next week I will clean up and publish this integration in an external repository.

On Wed, Aug 27, 2014 at 7:16 AM, Rohit Yadav rohit.ya...@shapeblue.com wrote:

Hi Silvano,

Great, thanks for sharing. Sure, we can change this to suit your plugin as well. I suggest that you fork ACS on GitHub and share your branch/URL with us so those of us interested can help you out.

Regards.

On 27-Aug-2014, at 11:29 am, Silvano Nogueira Buback silv...@corp.globo.com wrote:

I'm trying to use your implementation to implement OAuth2. It's almost working, but I think a little change is necessary: class APIAuthenticationManagerImpl is calling commands without the correct Spring context. I'm working in the 4.3 branch, so I will show what I changed:

- org.apache.cloudstack.api.auth.PluggableAPIAuthenticator needs to implement PluggableService and no longer have the method getAuthCommands.
- Little patch in APIAuthenticationManagerImpl:

+++ b/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
@@ -55,24 +55,31 @@ public class APIAuthenticationManagerImpl extends ManagerBase implements APIAuth @Override public boolean start() { s_authenticators = new HashMapString, Class?(); -for (Class? authenticator: getCommands()) { -APICommand command = authenticator.getAnnotation(APICommand.class); -if (command != null !command.name().isEmpty() - APIAuthenticator.class.isAssignableFrom(authenticator)) { -s_authenticators.put(command.name(), authenticator); +for (Class? authenticatorCommand: getCommands()) { +registerCommandsInAPIAuthenticator(authenticatorCommand); +} +// Register all external APIAuthenticator(s) +for (PluggableAPIAuthenticator apiAuthenticator: _apiAuthenticators) { +for (Class? authenticatorCommand: apiAuthenticator.getCommands()) { + registerCommandsInAPIAuthenticator(authenticatorCommand); } } return true; } +private void registerCommandsInAPIAuthenticator(Class? authenticator) { +APICommand command = authenticator.getAnnotation(APICommand.class); +if (command != null !command.name().isEmpty() + APIAuthenticator.class.isAssignableFrom(authenticator)) { +s_authenticators.put(command.name(), authenticator); +} +} + @Override public ListClass? getCommands() { ListClass? cmdList = new ArrayListClass?(); cmdList.add(DefaultLoginAPIAuthenticatorCmd.class); cmdList.add(DefaultLogoutAPIAuthenticatorCmd.class); -for (PluggableAPIAuthenticator apiAuthenticator: _apiAuthenticators) { -cmdList.addAll(apiAuthenticator.getAuthCommands()); -} return cmdList; } Now, authentication commands work inside plugin context. PluggableAPIAuthenticator needs to implement tradicional getCommands to work. Best regards, Silvano Buback On Tue, Aug 26, 2014 at 6:59 AM, Rohit Yadav rohit.ya...@shapeblue.com wrote: On 26-Aug-2014, at 11:47 am, Sebastien Goasguen run...@gmail.com wrote: we do have some selenium tests in /test/selenium but I don't think they are being run. +1 from me (satisfied with your answers) Thanks! 
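Review bot: registerCommandsInAPIAuthenticator calls s_authenticators.put(command.name(), authenticator) unconditionally, so when two PluggableAPIAuthenticator beans (or a plugin and one of the built-in DefaultLoginAPIAuthenticatorCmd / DefaultLogoutAPIAuthenticatorCmd commands) declare the same @APICommand name, the later registration silently replaces the earlier one and which authenticator handles that API name depends on bean ordering; check containsKey first and log or reject the duplicate. Also, with the loop over _apiAuthenticators removed from getCommands(), that method now returns only the two default commands, so the new contract that every plugin must implement PluggableService itself for its commands to be registered should be stated in the PluggableAPIAuthenticator javadoc.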
A few more classes:

Class                           Class, %      Method, %      Line, %
GetServiceProviderMetaDataCmd   100% (1/1)    62.5% (5/8)    77.9% (53/68)
SAMLMetaDataResponse            100% (1/1)    66.7% (2/3)    80% (4/5)

From IntelliJ: http://people.apache.org/~bhaisaab/samlcoverage.png

Regards,
Rohit Yadav
Software Architect, ShapeBlue
Re: [SHOW] Authentication refactoring
Rohit,

When I started implementing the OAuth2 integration I faced this problem, but I had other things to do first; now I am back to this problem too. I took a look at your implementation and it almost fits OAuth2. I have a few comments:

Some authentication mechanisms may not work as a command. I proposed to use commands to implement OAuth2 to not change ApiServlet (before knowing the real problem with unauthenticated commands), but I think this is not a good implementation (for OAuth2). If the idea is to refactor to support multiple authentication mechanisms, maybe a filter can be better. Take a look at the Spring Security implementation [1].

So, using your implementation, I would suggest:

1. When a new request arrives, if the user is not authenticated, APIAuthenticatorManager is called and should iterate over all APIAuthenticator instances, one by one, in the order specified by the user.authenticators.order global setting (do not forget this, please).
   1.1. In each APIAuthenticator, it can analyze the HttpRequest and, if it should authenticate, it must return a UserAccount object. If the authenticator doesn't authenticate, it raises some exception like Spring does.
   1.2. As all existing authenticators inherit today from DefaultUserAuthenticator, this authenticator can implement the APIAuthenticator interface, and if there is a parameter with command=login, username, password, the abstract method authenticate from UserAuthenticator must be called. So, all existing authentication mechanisms will work as today, respecting the order from the user.authenticators.order global setting.
2. After authentication, the name of the APIAuthenticator that authenticated must be kept in the session. User, and other objects must be kept as well. On logout, the APIAuthenticator used can be called.
3. When a new request arrives, if the user is authenticated, it works as today.

If everybody agrees on the solution I can work together with you to finish this if you want. I need to finish the OAuth2 integration in the next 15 days... and I don't want to change my implementation later on. If it's possible to work together, we need to do this in a separate fork of ACS, since I'm not a committer yet.

Regards,
Silvano Buback

[1] http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html

On Tue, Aug 12, 2014 at 11:20 AM, Carlos Reategui create...@me.com wrote:

On Aug 12, 2014, at 5:12 AM, Adrian Lewis adr...@alsiconsulting.co.uk wrote:

Hi Rohit,

Not a very constructive email I'm afraid, but I too would be very interested in one-time password authentication for CS. Is anyone that you know of working on RADIUS auth, as this would be a relatively easy way to integrate a wide number of OTP systems that rely on a secondary auth challenge for the OTP? This secondary auth mechanism is part of the RADIUS standard and would cover RSA as well as the system that I'm interested in implementing (Fortinet's FortiAuthenticator) and many other enterprise-focussed OTP systems.

Not sure if OTP/2FA would be suitable for API access, so a second question is: would it be feasible to use different auth backends for the GUI vs the API? As I understand it, the GUI is simply a 'wrapper' for the API, so perhaps not, but I'm sure I'm not alone here in wanting OTP/2FA, perhaps even at the expense of API access. Contrary to popular belief within the CS community, not everyone uses the API (shock horror!). Maybe OTP/2FA is not an issue for API access, but I assume it would be a problem for the use of Puppet/Ansible/Salt etc. Perhaps a source IP ACL so that only specified IPs can use a standard auth method but all other access mandates OTP/2FA? Not sure how AWS works with their MFA feature - anyone?

MFA is used for accessing the UI console where you manage your keys for API usage. API access is controlled via IAM or key/secret which you manage from the UI.

I'm afraid I'm just a (ab)user and couldn't program anything myself - just curious to see if anyone has any thoughts or existing efforts in this area?

Cheers,
Adrian

-----Original Message-----
From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com]
Sent: 12 August 2014 11:41
To: dev@cloudstack.apache.org
Subject: Re: [SHOW] Authentication refactoring

From the user end there is no change, not in the UI or any change expected in clients, except one: since login and logout are now implemented like your regular API, we don't allow users to call login and logout and other such AuthenticatorAPIs directly, like via the integration port.

Stephen, I'm not sure if we natively support RSA and other things; at present we only have our custom login auth mechanism, signature/key-based auth and a simple SSO (pre-shared key) method. This refactoring will open doors
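The ordered authenticator chain proposed in the message above, as an added Python sketch (not CloudStack code): the `Authenticator`, `NotAuthenticated` and `UserAccount` names and the `user.authenticators.order` setting follow the proposal, while the request and session dicts and the two credential tables are constructed stand-ins.

```python
"""Ordered authenticator chain as proposed in the message above (added example,
not CloudStack code). Authenticator, NotAuthenticated, UserAccount and the
user.authenticators.order setting follow the proposal; the request and session
dicts and the two credential tables are constructed stand-ins."""
import hmac
from dataclasses import dataclass


class NotAuthenticated(Exception):
    """Raised by an authenticator that does not accept the request (as Spring does)."""


@dataclass(frozen=True)
class UserAccount:
    username: str
    authenticator: str  # name of the authenticator that accepted the request


class Authenticator:
    name = "base"

    def authenticate(self, request):
        raise NotAuthenticated(self.name)

    def logout(self, session):
        session.clear()


class DefaultLoginAuthenticator(Authenticator):
    """Handles command=login with username/password, as the existing
    DefaultUserAuthenticator subclasses do today."""
    name = "default"
    _users = {"alice": "s3cret"}  # constructed; a real store holds salted hashes

    def authenticate(self, request):
        params = request.get("params", {})
        if params.get("command") != "login":
            raise NotAuthenticated(self.name)
        user = params.get("username")
        pw = params.get("password", "")
        if user in self._users and hmac.compare_digest(self._users[user].encode(), pw.encode()):
            return UserAccount(user, self.name)
        raise NotAuthenticated(self.name)


class BearerTokenAuthenticator(Authenticator):
    """Stand-in for a mechanism such as OAuth2 that inspects a header rather
    than a command parameter (constructed token table)."""
    name = "oauth2"
    _tokens = {"tok-bob": "bob"}

    def authenticate(self, request):
        header = request.get("headers", {}).get("Authorization", "")
        scheme, _, token = header.partition(" ")
        if scheme == "Bearer" and token in self._tokens:
            return UserAccount(self._tokens[token], self.name)
        raise NotAuthenticated(self.name)


class APIAuthenticatorManager:
    def __init__(self, authenticators, settings):
        by_name = {a.name: a for a in authenticators}
        # user.authenticators.order decides the order; names not registered are skipped
        order = [n.strip() for n in settings.get("user.authenticators.order", "").split(",")]
        self.chain = [by_name[n] for n in order if n in by_name]

    def authenticate(self, request, session):
        if "account" in session:  # already authenticated: works as today
            return session["account"]
        for auth in self.chain:
            try:
                account = auth.authenticate(request)
            except NotAuthenticated:
                continue
            # keep the user and the authenticator's name in the session, for logout
            session["account"] = account
            session["authenticator"] = auth.name
            return account
        raise NotAuthenticated("no authenticator accepted the request")

    def logout(self, session):
        """Call the authenticator that performed the login, as the proposal suggests."""
        name = session.get("authenticator")
        for auth in self.chain:
            if auth.name == name:
                auth.logout(session)
                return
        session.clear()


def demo():
    mgr = APIAuthenticatorManager(
        [DefaultLoginAuthenticator(), BearerTokenAuthenticator()],
        {"user.authenticators.order": "oauth2,default"},
    )
    s1, s2 = {}, {}
    login = {"params": {"command": "login", "username": "alice", "password": "s3cret"}}
    bearer = {"headers": {"Authorization": "Bearer tok-bob"}}
    a1 = mgr.authenticate(login, s1)
    a2 = mgr.authenticate(bearer, s2)
    a3 = mgr.authenticate({}, s1)  # later request, no credentials: session still valid
    mgr.logout(s1)
    return a1, a2, a3, s1, mgr
```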
Re: [DISCUSS] Acquire New Ip from a different range on shared networks
@Murali, Yes, I have a bunch of public IPs that are accessible only by load balancers. The load balancers network is cross-zone too.
@Ilya, This is not exactly what I am trying.
@Chiradeep, Yes.

@All When I acquire a new IP in a shared network, the same IP of the VMs is given to the users. I would like to change the Acquire New IP mechanism to ask the network guru to decide which IP must be given to the users. The network guru is the only one that needs to understand how the network is implemented, so it must decide which IP must be associated. So, my idea is to create a new method in Network Guru named allocate, but with only the Network as argument. For the existing Network Gurus, the rule is the same, but any new guru subclass (like mine) can change the behavior if it wants. Basically, the command associateIpAddress only needs to verify permission, ask networkguru.allocate and mark the IP as allocated in the database. What do you think? If everyone agrees I can create the design document and start this development. It works for my guru, and I guess it keeps the code to allocate IP addresses clean.

Regards,
Silvano Buback

On Mon, Jul 21, 2014 at 5:48 PM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote:

Do you want to acquire IPs for the VIP (front-end)?

From: Silvano Nogueira Buback silv...@corp.globo.com
Reply-To: dev@cloudstack.apache.org
Date: Monday, July 14, 2014 at 2:59 PM
To: dev@cloudstack.apache.org
Subject: [DISCUSS] Acquire New Ip from a different range on shared networks

Hi guys,

At Globo.com we are working on a load balancer plugin for CloudStack with a network API developed internally. This API manages shared networks and is working with CloudStack 4.3 (as a network guru implementation). Our load balancers are in a different network, so to implement a network element for the load balancer, first I need to acquire an IP from the load balancers network. What is the best way to do this? I looked at portable IPs and that makes sense to me, but I would prefer a solution where my guru can give this IP to the network. Is there any other way?

Thanks in advance,
Silvano Buback
Re: [PROPOSAL] OAuth2 Single SignOn Integration
the difference between oauth2.credentials.url and oauth2.baseurl, the latter is the redirect URI? If yes, where will the redirect URI be hosted?
5. Referring to the statement "When oauth2.baseurl, oauth2.client.id and oauth2.client.secret are not set (default), oauthRequestUrl returns empty response and OAuth2 authentication is turned off.", can we use a flag to denote whether to use the OAuth flow or not? If set to false, don't use it; otherwise continue with the default.
6. What about the refresh token? I believe the access token has a limited lifetime. Any callback mechanism to update with the latest token if it gets expired?
7. Details like clientid, clientsecret need to be encrypted when stored in and retrieved from global config?
8. How do we map the logged-in user to roles and hierarchy inside CS? Based on email mapping?
9. What is the significance of these two parameters mentioned?
   * oauth2.credentials.parameter.email (defaults to email)
   * oauth2.domainid
10. clientid and clientsecret key are on a per-tenant basis, so what if we want the OAuth mechanism from multiple tenants at any stage?
11. Default values for clientid and clientsecret are loaded at which stage? During initial installation, and for which tenant?
12. How do we verify the validity of the clientid and clientsecret values? If they are revoked? Is the possibility of revoke there?
13. If we understand, it is only to authenticate a user through the OAuth flow; we don't need the authorization part inside of CS? I mean, what do we mean by authorization from the tenant once the access key is granted?
14. If the access key is not stored, how do we get the refresh token?
15. What is the default sequence of authentication in case OAuth fails? And the order in which a given authentication mechanism will be chosen?
16. Can we also show a UI where the user can enable\disable the OAuth setting for a given account? Here, the possibility of a mismatch between the emailid based upon the current implementation and the OAuth-retrieved emailid post authentication is there? How do we handle it?
17. Last, what is the significance of this feature, apart from authentication support from third-party clients?

Thanks!
Santhosh

From: Silvano Nogueira Buback [silv...@corp.globo.com]
Sent: Monday, July 14, 2014 4:59 PM
To: dev@cloudstack.apache.org
Subject: [PROPOSAL] OAuth2 Single SignOn Integration

Hi guys,

I need to implement OAuth2 integration to provide single sign-on with other tools in my company. I can share this implementation with the community if you are interested. I suggest these changes in code:

1. Create a new JavaScript file called oauth2.js. This JavaScript is responsible for calling the new command called oauthRequestUrl, which reads the global option oauth2.baseurl and returns this URL plus /authorize with OAuth2 parameters. After receiving the answer, the JavaScript redirects the user to the OAuth2 server.
2. Once the user is authorized by the OAuth2 server, the JavaScript code reads the parameters in the URL and calls the oauthAuthorizeToken command. This command asks the OAuth2 server for the access token and, if everything is OK, calls oauth2.credentials.url for the user email, finds this user in the database, like the LDAP implementation does, and returns the authentication data.
3. JavaScript fills g_loginResponse with the answer from the command and the user is logged in.

What do you think about this approach?

More details

Alternative flows:
* When the URL has the parameter direct=true, the login dialog is shown.
* When oauth2.baseurl, oauth2.client.id and oauth2.client.secret are not set (default), oauthRequestUrl returns an empty response and OAuth2 authentication is turned off.
* If the authorization token is invalid, the user is redirected again to the OAuth2 server.

Commands:
* oauthRequestUrl
* oauthAuthorizeToken

Global Options:
* oauth2.baseurl
* oauth2.client.id
* oauth2.client.secret
* oauth2.credentials.url: defaults to /oauth2/v2/userinfo
* oauth2.credentials.parameter.email (defaults to email)
* oauth2.domainid

Restrictions:
* Domain Id will be a global option
* Users are always redirected to the OAuth2 server. Access tokens are not stored.
* Before using CloudStack, the administrator must insert the user in an account.
[PROPOSAL] OAuth2 Single SignOn Integration
Hi guys,

I need to implement OAuth2 integration to provide single sign-on with other tools in my company. I can share this implementation with the community if you are interested. I suggest these changes in code:

1. Create a new JavaScript file called oauth2.js. This JavaScript is responsible for calling the new command called oauthRequestUrl, which reads the global option oauth2.baseurl and returns this URL plus /authorize with OAuth2 parameters. After receiving the answer, the JavaScript redirects the user to the OAuth2 server.
2. Once the user is authorized by the OAuth2 server, the JavaScript code reads the parameters in the URL and calls the oauthAuthorizeToken command. This command asks the OAuth2 server for the access token and, if everything is OK, calls oauth2.credentials.url for the user email, finds this user in the database, like the LDAP implementation does, and returns the authentication data.
3. JavaScript fills g_loginResponse with the answer from the command and the user is logged in.

What do you think about this approach?

More details

Alternative flows:
* When the URL has the parameter direct=true, the login dialog is shown.
* When oauth2.baseurl, oauth2.client.id and oauth2.client.secret are not set (default), oauthRequestUrl returns an empty response and OAuth2 authentication is turned off.
* If the authorization token is invalid, the user is redirected again to the OAuth2 server.

Commands:
* oauthRequestUrl
* oauthAuthorizeToken

Global Options:
* oauth2.baseurl
* oauth2.client.id
* oauth2.client.secret
* oauth2.credentials.url: defaults to /oauth2/v2/userinfo
* oauth2.credentials.parameter.email (defaults to email)
* oauth2.domainid

Restrictions:
* Domain Id will be a global option
* Users are always redirected to the OAuth2 server. Access tokens are not stored.
* Before using CloudStack, the administrator must insert the user in an account.
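The server-side logic of the two proposed commands, oauthRequestUrl and oauthAuthorizeToken, as an added Python sketch (not the plugin's Java code): the global option names come from the proposal above; the fake OAuth2 server, the user table, the per-session state check and the HTTP transport signature are assumptions.

```python
"""Server-side logic of the two proposed commands, oauthRequestUrl and
oauthAuthorizeToken, as an added Python sketch (not the plugin's Java code).
The global option names come from the proposal; the fake OAuth2 server, the
user table, the state check and the HTTP transport signature are assumptions."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthFailure(Exception):
    """Invalid code or token: per the proposal the JS redirects to the OAuth2 server again."""


class FakeOAuth2Server:
    """Constructed stand-in for the provider: one valid code, one user."""

    def __init__(self):
        self.codes = {"code-123": "tok-abc"}
        self.tokens = {"tok-abc": {"email": "alice@example.org", "name": "Alice"}}

    def request(self, method, url, data=None, headers=None):
        path = urlparse(url).path
        if method == "POST" and path == "/token":
            if data.get("client_secret") != "s3cret":
                return 401, {}
            token = self.codes.get(data.get("code"))
            return (200, {"access_token": token}) if token else (400, {})
        if method == "GET" and path == "/oauth2/v2/userinfo":
            token = (headers or {}).get("Authorization", "").partition(" ")[2]
            return (200, self.tokens[token]) if token in self.tokens else (401, {})
        return 404, {}


class OAuth2Commands:
    REQUIRED = ("oauth2.baseurl", "oauth2.client.id", "oauth2.client.secret")

    def __init__(self, global_options, users, http):
        self.g = global_options   # global options named in the proposal
        self.users = users        # constructed {(domainid, email): username}
        self.http = http          # callable(method, url, data, headers) -> (status, json)

    def enabled(self):
        """OAuth2 is turned off while the three options are unset (the proposal's default)."""
        return all(self.g.get(k) for k in self.REQUIRED)

    def oauthRequestUrl(self, session, redirect_uri):
        if not self.enabled():
            return ""  # empty response: the JS shows the normal login dialog
        # assumption: a per-session state value so the callback can be tied to this request
        session["oauth2.state"] = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.g["oauth2.client.id"],
                  "redirect_uri": redirect_uri, "state": session["oauth2.state"]}
        return self.g["oauth2.baseurl"] + "/authorize?" + urlencode(params)

    def oauthAuthorizeToken(self, session, callback_url):
        """Exchange the code server-side (the client secret never reaches the browser),
        read the email from oauth2.credentials.url and look the user up like the LDAP
        implementation does; the access token is not stored anywhere."""
        q = parse_qs(urlparse(callback_url).query)
        expected = session.pop("oauth2.state", None)
        if not expected or q.get("state", [None])[0] != expected:
            raise AuthFailure("state mismatch")
        status, body = self.http("POST", self.g["oauth2.baseurl"] + "/token",
                                 {"grant_type": "authorization_code",
                                  "code": q.get("code", [""])[0],
                                  "client_id": self.g["oauth2.client.id"],
                                  "client_secret": self.g["oauth2.client.secret"]}, None)
        if status != 200 or not body.get("access_token"):
            raise AuthFailure("token exchange failed")
        status, info = self.http("GET", self.g["oauth2.baseurl"] + self.g["oauth2.credentials.url"],
                                 None, {"Authorization": "Bearer " + body["access_token"]})
        if status != 200:
            raise AuthFailure("userinfo request failed")
        email = info.get(self.g["oauth2.credentials.parameter.email"])
        username = self.users.get((self.g["oauth2.domainid"], email))
        if username is None:
            # restriction from the proposal: the admin must have created the user beforehand
            raise AuthFailure("no account for %r in domain %s" % (email, self.g["oauth2.domainid"]))
        return {"username": username, "domainid": self.g["oauth2.domainid"], "email": email}


# constructed configuration and user table
GLOBALS = {"oauth2.baseurl": "https://sso.example", "oauth2.client.id": "cloudstack",
           "oauth2.client.secret": "s3cret", "oauth2.credentials.url": "/oauth2/v2/userinfo",
           "oauth2.credentials.parameter.email": "email", "oauth2.domainid": 1}
USERS = {(1, "alice@example.org"): "alice"}


def demo(code="code-123", tamper_state=False):
    """Run the full flow and return (authorize url, login response)."""
    cmds = OAuth2Commands(GLOBALS, USERS, FakeOAuth2Server().request)
    session = {}
    url = cmds.oauthRequestUrl(session, "https://cs.example/client/")
    state = "forged" if tamper_state else session["oauth2.state"]
    callback = "https://cs.example/client/?code=%s&state=%s" % (code, state)
    return url, cmds.oauthAuthorizeToken(session, callback)


if __name__ == "__main__":
    print(demo())
```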
[DISCUSS] Acquire New Ip from a different range on shared networks
Hi guys,

At Globo.com we are working on a load balancer plugin for CloudStack with a network API developed internally. This API manages shared networks and is working with CloudStack 4.3 (as a network guru implementation). Our load balancers are in a different network, so to implement a network element for the load balancer, first I need to acquire an IP from the load balancers network. What is the best way to do this? I looked at portable IPs and that makes sense to me, but I would prefer a solution where my guru can give this IP to the network. Is there any other way?

Thanks in advance,
Silvano Buback
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi guys,

I think you are busy because of the 4.4 release tasks, but I'm worried about the time until the 4.5 feature freeze. I put the documentation of the feature in the wiki as requested and I hoped people would read it there and make some comments here. To help, I will put the design issues that are in the document, one by one, and we can discuss them in this thread. After each discussion I will change the document.

I have one question about removing the DNS domain when a network has been deleted. In my current implementation I remove the DNS domain when the network is removed. But if the DNS domain is shared with another network, or maybe is a DNS domain used outside ACS, this can be a problem. What I can do with the DNS domain when the network is removed:

1. Keep the current implementation. Always delete the DNS domain when the network is removed (works well if ACS is the only manager for the DNS, one network domain per network).
2. Remove the DNS domain only if the domain was created by ACS. This can be a problem if someone put records there after ACS created it.
3. Remove the DNS domain only if there are no more records there. Maybe the DNS domain can stay there forever because of an inconsistency that keeps only one record.

Which one is the best?

Regards,
Silvano Buback

On Thu, Jun 26, 2014 at 11:34 AM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Thank you David. I put the design documents on the wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Bind+and+PowerDNS+integration+by+Globo+DNSAPI. I created an issue, https://issues.apache.org/jira/browse/CLOUDSTACK-6998, too. I look forward to hearing your feedback.

Regards,
Silvano Buback

On Wed, Jun 25, 2014 at 5:50 PM, David Nalley da...@gnsa.us wrote:

On Wed, Jun 25, 2014 at 4:38 PM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Hi guys,

I finished the first version of the design document: https://docs.google.com/document/d/1kbPQJrBC87ZtR-t7LwHFDzAmT436ShtjwKE84FVfByM/pub . Could someone give me access to put design documents in the wiki? Below are the usernames of the people who work with CloudStack at Globo.com and need access.

snbuback silv...@corp.globo.com
daniel.simoes daniel.sim...@corp.globo.com
lokama - lok...@gmail.com

Regards,
Silvano Buback

On Thu, Jun 19, 2014 at 11:29 AM, Silvano Buback snbub...@gmail.com wrote:

Of course, I forgot my account info: snbuback / silv...@corp.globo.com

Done.
--David
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Thank you David. I put the design documents on the wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Bind+and+PowerDNS+integration+by+Globo+DNSAPI. I created an issue, https://issues.apache.org/jira/browse/CLOUDSTACK-6998, too. I look forward to hearing your feedback.

Regards,
Silvano Buback

On Wed, Jun 25, 2014 at 5:50 PM, David Nalley da...@gnsa.us wrote:

On Wed, Jun 25, 2014 at 4:38 PM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Hi guys,

I finished the first version of the design document: https://docs.google.com/document/d/1kbPQJrBC87ZtR-t7LwHFDzAmT436ShtjwKE84FVfByM/pub . Could someone give me access to put design documents in the wiki? Below are the usernames of the people who work with CloudStack at Globo.com and need access.

snbuback silv...@corp.globo.com
daniel.simoes daniel.sim...@corp.globo.com
lokama - lok...@gmail.com

Regards,
Silvano Buback

On Thu, Jun 19, 2014 at 11:29 AM, Silvano Buback snbub...@gmail.com wrote:

Of course, I forgot my account info: snbuback / silv...@corp.globo.com

Done.
--David
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi guys,

I finished the first version of the design document: https://docs.google.com/document/d/1kbPQJrBC87ZtR-t7LwHFDzAmT436ShtjwKE84FVfByM/pub . Could someone give me access to put design documents in the wiki? Below are the usernames of the people who work with CloudStack at Globo.com and need access.

snbuback silv...@corp.globo.com
daniel.simoes daniel.sim...@corp.globo.com
lokama - lok...@gmail.com

Regards,
Silvano Buback

On Thu, Jun 19, 2014 at 11:29 AM, Silvano Buback snbub...@gmail.com wrote:

Of course, I forgot my account info: snbuback / silv...@corp.globo.com

On Thu, Jun 19, 2014 at 11:20 AM, Rohit Yadav bhais...@apache.org wrote:

On Thu, Jun 19, 2014 at 7:36 PM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Hi Rohit,

I started the documentation and I think by next Wednesday I will have the first version ready for community feedback. I will put in the details of how the plugin works with DNSAPI and how DNSAPI works with Bind.

That would be nice.

I don't have permission to create new pages on the wiki. Do I submit the documentation here, or will someone give me access to update the wiki?

Create a user account on cwiki.a.o and share with us your account/username/email. I don't have admin access but I'm sure someone such as Daan or Chip would be able to help you.

Cheers.

Regards,
Silvano Buback

On Fri, Jun 13, 2014 at 7:53 AM, Rohit Yadav bhais...@apache.org wrote:

Hi Silvano,

On Fri, Jun 13, 2014 at 10:51 AM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Hi there,

I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of the virtual machine needs to be available not only in the virtual router network context, but on our internal DNS servers. Our proposal is to integrate CloudStack (v 4.5) with the DNS server (Bind server) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.

Thanks for the proposal. I recommend that you document your design goals in the 4.5 or above design docs wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/4.5+Design+Documents

I saw the video you shared; it looked seamless, but I could not figure out how the ACS plugin interacts with the DNS provider. The API library you mentioned is written in Ruby, so how does it integrate or work with the DNS plugin in ACS, is it over HTTP or RPC/Thrift?

Regards.

To make this implementation of the DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation.

* DnsAPINetworkDAO to manage the networkDomain for each network.
* DnsAPIVirtualMachineDAO to manage DNS records for VMs.
* DnsAPIElement, this class implements the provider itself.
* DnsAPIResource, implements all communications with DNSAPI (ServerResource).

Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in the Zone. Above is a video that shows you how everything was integrated. https://www.youtube.com/watch?v=fAB53T_NZMI

We really appreciate all your comments about our implementation, thanks in advance

PS: Sorry about the duplicated e-mail in the mailing list, but I forgot to use DISCUSS and to send using the company e-mail)
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi Ilya,

I put the plugin code in https://github.com/globocom/cloudstack/tree/4.3.0-globo/plugins/network-elements/dns-api. We use it with Shared/Advanced network zones. But in order to communicate with other networks (the Bind server network, for example), it is necessary to define and implement an ACL. In Globo.com this is done automatically by our NetworkAPI, which has common ACLs for new networks that allow all virtual machines to access DNSAPI on port 53. The IP of the Bind managed by DNSAPI is the same as the internal DNS configured in the zone. DNSAPI works without NetworkAPI as well; you just have to configure the ACLs manually.

I will prepare the Design Document, which will explain all the changes made, and send it to this mailing list. We are working to improve the DNS-API documentation too. You can check it out now, but we're still working on it: https://github.com/globocom/Dns-Api.

We intend to make the NetworkAPI code open source too, to manage shared networks. Using NetworkAPI, shared networks are created by regular users, because this API is responsible for choosing the IP address and VLAN number, and for creating the network in different equipment too. I want to talk about this in another thread, when I submit the code of NetworkAPI to the community.

Inside Globo we are working on our own Database as a Service tool (https://github.com/globocom/database-as-a-service). The module you saw on GitHub is responsible for provisioning new VMs using CloudStack. We are developing a connector to Cloud Portal Business Manager too. If you want more information about DBaaS, you can send an e-mail to db...@corp.globo.com. People there can explain the details about the implementation / features and plans. I'm on that list too.

Regards,
Silvano Buback
Globo.com Infra-structure Expert

On Fri, Jun 13, 2014 at 3:24 AM, ilya musayev ilya.mailing.li...@gmail.com wrote:

Hi Silvano,

I really liked what you did. I'm curious if this DNS provider will work with non-isolated/shared advanced network zones as well. Otherwise, great approach to solving the last DNS puzzle. I now wonder how easy it would be to add support for other DNS providers into CloudStack besides Bind. Can you share the changes you've made to your CloudStack env to support DNSApis? Also noticed DBaaS-CloudStack on GitHub, sounds interesting, what is it based on? If you can, please kindly explain.

Regards
ilya

On 6/12/14, 10:21 PM, Silvano Nogueira Buback wrote:

Hi there,

I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of the virtual machine needs to be available not only in the virtual router network context, but on our internal DNS servers. Our proposal is to integrate CloudStack (v 4.5) with the DNS server (Bind server) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.

To make this implementation of the DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation.

* DnsAPINetworkDAO to manage the networkDomain for each network.
* DnsAPIVirtualMachineDAO to manage DNS records for VMs.
* DnsAPIElement, this class implements the provider itself.
* DnsAPIResource, implements all communications with DNSAPI (ServerResource).

Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in the Zone. Above is a video that shows you how everything was integrated. https://www.youtube.com/watch?v=fAB53T_NZMI

We really appreciate all your comments about our implementation, thanks in advance

PS: Sorry about the duplicated e-mail in the mailing list, but I forgot to use DISCUSS and to send using the company e-mail)
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi Erik,

At Globo, network domains always have exclusive names, based on the zone name and VLAN number, so there is no conflict. From the point of view of the plugin, if the domain exists it will be used. If a record exists, it will be overwritten. When you delete a network, the DNS domain will be deleted too; it doesn't matter if it existed before the network creation or not. Records in this domain will be removed too.

Regards,
Silvano Buback

On Fri, Jun 13, 2014 at 3:52 AM, Erik Weber terbol...@gmail.com wrote:

On Fri, Jun 13, 2014 at 7:21 AM, Silvano Nogueira Buback silv...@corp.globo.com wrote:

Hi there,

I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of the virtual machine needs to be available not only in the virtual router network context, but on our internal DNS servers. Our proposal is to integrate CloudStack (v 4.5) with the DNS server (Bind server) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.

To make this implementation of the DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation.

* DnsAPINetworkDAO to manage the networkDomain for each network.
* DnsAPIVirtualMachineDAO to manage DNS records for VMs.
* DnsAPIElement, this class implements the provider itself.
* DnsAPIResource, implements all communications with DNSAPI (ServerResource).

Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in the Zone. Above is a video that shows you how everything was integrated. https://www.youtube.com/watch?v=fAB53T_NZMI

We really appreciate all your comments about our implementation,

replying in the right thread this time :-)

I like the idea and the fact that the backend is available as open source. That should make it pretty straightforward to convert it to other DNS solutions (PowerDNS for me).

- What happens if there is a conflict?
- Does it require / assume that the domain is non-existent on the DNS servers?
- How does cleanup handle additional records added outside of CloudStack?

--
Erik Weber
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi Rohit,

I started the documentation and I think by next Wednesday I will have the first version ready for community feedback. I will put in the details of how the plugin works with DNSAPI and how DNSAPI works with Bind. I don't have permission to create new pages on the wiki. Should I submit the documentation here, or will someone give me access to update the wiki?

[]'s,
Silvano Buback

On Fri, Jun 13, 2014 at 7:53 AM, Rohit Yadav bhais...@apache.org wrote:
> Hi Silvano,
>
> On Fri, Jun 13, 2014 at 10:51 AM, Silvano Nogueira Buback silv...@corp.globo.com wrote:
>> Hi there,
>>
>> I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of a virtual machine needs to be available not only in the virtual router's network context, but also on our internal DNS servers.
>>
>> Our proposal is to integrate CloudStack (v4.5) with a DNS server (Bind) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.
>
> Thanks for the proposal. I recommend that you document your design goals in the 4.5 or above design docs wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/4.5+Design+Documents
>
> I saw the video you shared; it looked seamless, but I could not figure out how the ACS plugin interacts with the DNS provider. The API library you mentioned is written in Ruby, so how does it integrate or work with the DNS plugin in ACS: is it over HTTP or RPC/Thrift?
>
> Regards.
>
>> To make this implementation of a DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation:
>>
>> * DnsAPINetworkDAO, to manage the networkDomain for each network.
>> * DnsAPIVirtualMachineDAO, to manage DNS records for VMs.
>> * DnsAPIElement, the class that implements the provider itself.
>> * DnsAPIResource, which implements all communication with DNSAPI (ServerResource).
>>
>> Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in a zone.
>>
>> Here is a video that shows how everything was integrated: https://www.youtube.com/watch?v=fAB53T_NZMI
>>
>> We really appreciate all your comments about our implementation. Thanks in advance.
>>
>> PS: Sorry about the duplicated e-mail on the mailing list, but I forgot to use DISCUSS and to send using my company e-mail.
Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi Chiradeep,

The Bind server is configured per zone. We did not test with PowerDNS, but I think they are able to talk because the API is the same. We are configuring the Bind server managed by DNSAPI as the internal DNS in the zone, so the VR no longer provides name resolution for the network. I will put the details in the documentation.

Regards,
Silvano Buback
Globo.com Infrastructure Expert

On Mon, Jun 16, 2014 at 2:50 AM, Chiradeep Vittal chiradeep.vit...@citrix.com wrote:
> It looks like the DnsProvider calls the REST API of the RoR-based DNSAPI. +1, but as Rohit said, I'd love to see the design details on the wiki. This will make it easier for folks like Erik to integrate PowerDNS.
>
> Does the VR use the Bind server for name resolution? That is, is the Bind server the same as the zone DNS? Is this configured on a region level or a zone level? Or is it strictly per network offering?
>
> From: Rohit Yadav bhais...@apache.org
> Reply-To: dev@cloudstack.apache.org
> Date: Friday, June 13, 2014 at 6:53 AM
> To: dev@cloudstack.apache.org
> Subject: Re: [DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
>
>> Hi Silvano,
>>
>> On Fri, Jun 13, 2014 at 10:51 AM, Silvano Nogueira Buback silv...@corp.globo.com wrote:
>>> Hi there,
>>>
>>> I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of a virtual machine needs to be available not only in the virtual router's network context, but also on our internal DNS servers.
>>>
>>> Our proposal is to integrate CloudStack (v4.5) with a DNS server (Bind) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.
>>
>> Thanks for the proposal. I recommend that you document your design goals in the 4.5 or above design docs wiki: https://cwiki.apache.org/confluence/display/CLOUDSTACK/4.5+Design+Documents
>>
>> I saw the video you shared; it looked seamless, but I could not figure out how the ACS plugin interacts with the DNS provider. The API library you mentioned is written in Ruby, so how does it integrate or work with the DNS plugin in ACS: is it over HTTP or RPC/Thrift?
>>
>> Regards.
>>
>>> To make this implementation of a DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation:
>>>
>>> * DnsAPINetworkDAO, to manage the networkDomain for each network.
>>> * DnsAPIVirtualMachineDAO, to manage DNS records for VMs.
>>> * DnsAPIElement, the class that implements the provider itself.
>>> * DnsAPIResource, which implements all communication with DNSAPI (ServerResource).
>>>
>>> Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in a zone.
>>>
>>> Here is a video that shows how everything was integrated: https://www.youtube.com/watch?v=fAB53T_NZMI
>>>
>>> We really appreciate all your comments about our implementation. Thanks in advance.
>>>
>>> PS: Sorry about the duplicated e-mail on the mailing list, but I forgot to use DISCUSS and to send using my company e-mail.
[DISCUSS] [PROPOSAL] Implementation of DNS Provider for Bind (for 4.5)
Hi there,

I work at Globo.com, a media company in Brazil. Here we use a CloudStack private network with an advanced zone setup (isolated VLANs). For a couple of reasons, the name of a virtual machine needs to be available not only in the virtual router's network context, but also on our internal DNS servers.

Our proposal is to integrate CloudStack (v4.5) with a DNS server (Bind) through an open source API written by Globo.com called DNSAPI. More info at https://github.com/globocom/Dns-Api.

To make this implementation of a DNS provider, we based our plugin on dns-notifier, but we had to add more classes for our implementation:

* DnsAPINetworkDAO, to manage the networkDomain for each network.
* DnsAPIVirtualMachineDAO, to manage DNS records for VMs.
* DnsAPIElement, the class that implements the provider itself.
* DnsAPIResource, which implements all communication with DNSAPI (ServerResource).

Besides these classes, another one was necessary to make the call to DnsAPIResource and return the answer, and one API command was created to configure the provider in a zone.

Here is a video that shows how everything was integrated: https://www.youtube.com/watch?v=fAB53T_NZMI

We really appreciate all your comments about our implementation. Thanks in advance.

PS: Sorry about the duplicated e-mail on the mailing list, but I forgot to use DISCUSS and to send using my company e-mail.
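The domain and record lifecycle sketched in the proposal above, together with the answers Silvano gave Erik earlier in the thread (an existing domain is reused, an existing record is overwritten, deleting a network deletes the domain and every record in it), as an added example in Ruby that is not code from the CloudStack plugin or from DNSAPI. It models the DNSAPI side as an in-memory backend and the plugin side as the handlers DnsAPIElement would run on network and VM events. The naming scheme (zone name plus VLAN id under a parent domain), the method names, and the sample names and addresses are assumptions made for the example. The last step makes the answer to Erik's third question concrete: a record created outside CloudStack inside a plugin-managed domain is removed along with the domain.

```ruby
# Added example, not code from the CloudStack DNSAPI plugin or from DNSAPI itself.
# Models the domain/record lifecycle described in the thread:
#   - a network domain that already exists on the server is reused
#   - a record that already exists is overwritten
#   - deleting a network deletes its domain and every record in it,
#     including records that were created outside CloudStack
# Assumed for the example: the <zone>-vlan<id>.<parent> naming scheme,
# the method names, and the sample names and addresses.

# In-memory stand-in for the zone data DNSAPI manages in Bind.
class DnsBackend
  attr_reader :domains

  def initialize
    # domain name => { record name => IPv4 address }
    @domains = {}
  end

  def domain_exists?(name)
    @domains.key?(name)
  end

  # Create the domain only if it is missing; an existing one is kept as-is.
  def ensure_domain(name)
    @domains[name] ||= {}
  end

  # Upsert: returns the previous address when a record of that name existed.
  def put_record(domain, name, ip)
    raise ArgumentError, "unknown domain #{domain}" unless domain_exists?(domain)
    previous = @domains[domain][name]
    @domains[domain][name] = ip
    previous
  end

  def delete_record(domain, name)
    @domains.fetch(domain).delete(name)
  end

  # Removing the domain removes all of its records; returns what was dropped.
  def delete_domain(name)
    @domains.delete(name) || {}
  end
end

# Plugin side: the actions DnsAPIElement would take on network and VM events.
class DnsPlugin
  def initialize(backend, parent_domain)
    @backend = backend
    @parent = parent_domain
  end

  # Domain names derived from zone name plus VLAN id, assumed unique per network.
  def network_domain(zone_name, vlan_id)
    "#{zone_name.downcase}-vlan#{vlan_id}.#{@parent}"
  end

  def network_created(zone_name, vlan_id)
    domain = network_domain(zone_name, vlan_id)
    reused = @backend.domain_exists?(domain)
    @backend.ensure_domain(domain)
    { event: :network_created, domain: domain, reused: reused }
  end

  def vm_started(zone_name, vlan_id, vm_name, ip)
    domain = network_domain(zone_name, vlan_id)
    previous = @backend.put_record(domain, vm_name, ip)
    { event: :vm_started, fqdn: "#{vm_name}.#{domain}", overwrote: !previous.nil?, previous_ip: previous }
  end

  def vm_destroyed(zone_name, vlan_id, vm_name)
    domain = network_domain(zone_name, vlan_id)
    removed = @backend.delete_record(domain, vm_name)
    { event: :vm_destroyed, fqdn: "#{vm_name}.#{domain}", removed: !removed.nil? }
  end

  def network_deleted(zone_name, vlan_id)
    domain = network_domain(zone_name, vlan_id)
    dropped = @backend.delete_domain(domain)
    { event: :network_deleted, domain: domain, records_removed: dropped.keys.sort }
  end
end

# Walks through the cases raised in the thread, on constructed sample data.
def run_scenario
  backend = DnsBackend.new
  plugin = DnsPlugin.new(backend, "cloud.example")
  domain = plugin.network_domain("Zone1", 100)

  # The domain already exists on the server, with a record the plugin did not create.
  backend.ensure_domain(domain)
  backend.put_record(domain, "legacy", "10.0.0.250")

  [
    plugin.network_created("Zone1", 100),                  # reused: true
    plugin.vm_started("Zone1", 100, "web01", "10.0.0.5"),  # new record
    plugin.vm_started("Zone1", 100, "web01", "10.0.0.6"),  # overwrote: true
    plugin.vm_started("Zone1", 100, "db01", "10.0.0.7"),
    plugin.vm_destroyed("Zone1", 100, "db01"),
    plugin.network_deleted("Zone1", 100)                   # drops web01 and legacy
  ]
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |event| puts event.inspect }
end
```

run_scenario returns one hash per event. The third entry reports overwrote: true with the previous address, which is the case to audit before pointing a production zone at the plugin: under the behaviour described in the thread, any VM name that collides with an existing record replaces it without an error. The last entry lists "legacy" among the removed records, so anything hand-added to a plugin-managed domain should be treated as disposable.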