I don't think that's what Anthony is saying. I think he is saying that if a VM is in security groups X,Y,Z, then ALL nics of the VM are in security groups X,Y,Z.

The AWS-compatible way is that nics are associated with the security group. So, VM's eth0 can be in security group Z and eth1 can be in security group X. I think we should do it this way.

On 1/16/13 5:35 PM, "kdam...@apache.org" <kdam...@apache.org> wrote:

>So the VM will determine its own participation level. A VM can have
>networks with SG and without at the same time. If that's the case this
>feature proposal just got more awesome!
>
>-kd
>
>
>>-----Original Message-----
>>From: Anthony Xu [mailto:xuefei...@citrix.com]
>>Sent: Wednesday, January 16, 2013 5:21 PM
>>To: cloudstack-dev@incubator.apache.org
>>Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>
>>Correct,
>>there are several types of guest shared network:
>>Zone-wide guest shared network
>>Domain-wide guest shared network
>>Account-specific guest shared network
>>
>>One VM can be on multiple networks,
>>SG is on VM level, means SG will be applied to all NICs of this VM.
>>
>>
>>Cheers,
>>Anthony
>>
>>> -----Original Message-----
>>> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com] On
>>> Behalf Of kdam...@apache.org
>>> Sent: Wednesday, January 16, 2013 5:17 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>>
>>> Got it,
>>>
>>> So we are still only talking about SG on advanced shared networks.
>>>
>>> Thanks.
>>>
>>>
>>> -kd
>>>
>>>
>>> >-----Original Message-----
>>> >From: Anthony Xu [mailto:xuefei...@citrix.com]
>>> >Sent: Wednesday, January 16, 2013 5:11 PM
>>> >To: cloudstack-dev@incubator.apache.org
>>> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >
>>> >In this spec, security group is only supported in shared guest
>>> >network, we might add isolated guest network support later. I have a
>>> >concern about this, normally there is firewall for isolated network, if
>>> >security group is added to isolated network, that means if user wants
>>> >to allow some kind of ingress traffic, he might need to program both
>>> >security group and firewall, it might be inconvenient for user.
>>> >
>>> >As for ACL, are you referring to ACL in VPC? In this spec, VPC is not
>>> >supported due to the similar reason of isolated guest network, user
>>> >might need to handle ACL and security group at the same time.
>>> >
>>> >
>>> >Anthony
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: Kelcey Damage (BT) [mailto:kel...@backbonetechnology.com]
>>> >> Sent: Wednesday, January 16, 2013 4:55 PM
>>> >> To: cloudstack-dev@incubator.apache.org
>>> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >>
>>> >> So to catch myself up, this will allow functional security group
>>> >> isolation/ACLs on both 'shared' and 'isolated' networks?
>>> >>
>>> >> -kd
>>> >>
>>> >>
>>> >> >-----Original Message-----
>>> >> >From: Animesh Chaturvedi [mailto:animesh.chaturv...@citrix.com]
>>> >> >Sent: Wednesday, January 16, 2013 1:36 PM
>>> >> >To: cloudstack-dev@incubator.apache.org
>>> >> >Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >> >
>>> >> >Folks please pass on comments if any, otherwise it is assumed that
>>> >> >the spec is approved by the community
>>> >> >
>>> >> >> -----Original Message-----
>>> >> >> From: Anthony Xu [mailto:xuefei...@citrix.com]
>>> >> >> Sent: Friday, January 11, 2013 3:53 PM
>>> >> >> To: cloudstack-dev@incubator.apache.org
>>> >> >> Subject: RE: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >> >>
>>> >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Isolation+based+on+Security+Groups+in+Advance+zone
>>> >> >>
>>> >> >> This is upgraded spec,
>>> >> >> Compared to original one, following are major changes
>>> >> >>
>>> >> >> 1. SG enabled is zone wide parameter, if this zone is SG enabled,
>>> >> >>    all guest networks in this zone must be SG enabled.
>>> >> >> 2. support all shared network types, includes zone-wide shared
>>> >> >>    network, domain-wide shared networks and account-specific shared
>>> >> >>    networks
>>> >> >> 3. support multiple SG enabled networks in one SG enabled zone.
>>> >> >> 4. VM can be on multiple SG enabled networks
>>> >> >> 5. SG rules apply to all NICs for a VM
>>> >> >> 6. support both KVM and XenServer.
>>> >> >>
>>> >> >> Comments, question, suggestion and flame are welcome!
>>> >> >>
>>> >> >>
>>> >> >> Thanks,
>>> >> >> Anthony
>>> >> >>
>>> >> >>
>>> >> >> > -----Original Message-----
>>> >> >> > From: Dave Cahill [mailto:dcah...@midokura.jp]
>>> >> >> > Sent: Thursday, January 10, 2013 5:29 PM
>>> >> >> > To: cloudstack-dev@incubator.apache.org
>>> >> >> > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >> >> >
>>> >> >> > Hi Anthony,
>>> >> >> >
>>> >> >> > Understood - thanks for the update.
>>> >> >> >
>>> >> >> > Dave.
>>> >> >> >
>>> >> >> >
>>> >> >> > On Fri, Jan 11, 2013 at 2:54 AM, Anthony Xu <xuefei...@citrix.com> wrote:
>>> >> >> >
>>> >> >> > > Hi Dave,
>>> >> >> > >
>>> >> >> > > For 4.1, this feature is only for shared network on advanced zone,
>>> >> >> > > both XenServer and KVM are supported.
>>> >> >> > > Will upgrade FS soon.
>>> >> >> > >
>>> >> >> > >
>>> >> >> > > Anthony
>>> >> >> > >
>>> >> >> > > > -----Original Message-----
>>> >> >> > > > From: Dave Cahill [mailto:dcah...@midokura.jp]
>>> >> >> > > > Sent: Thursday, January 10, 2013 12:33 AM
>>> >> >> > > > To: cloudstack-dev@incubator.apache.org
>>> >> >> > > > Subject: Re: [DISCUSS] Security Groups Isolation in Advanced Zone
>>> >> >> > > >
>>> >> >> > > > Hi Manan,
>>> >> >> > > >
>>> >> >> > > > I'm interested in this feature - when (roughly) are you planning
>>> >> >> > > > to commit this to master?
>>> >> >> > > >
>>> >> >> > > > Are you planning the full list of features from your requirements
>>> >> >> > > > doc (including support for Advanced, Isolated networks) in 4.1?
>>> >> >> > > >
>>> >> >> > > > Thanks in advance,
>>> >> >> > > > Dave.
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > > On Sat, Jan 5, 2013 at 7:01 AM, Manan Shah <manan.s...@citrix.com> wrote:
>>> >> >> > > >
>>> >> >> > > > > Yes, FS definitely needs updating. Please also look at the
>>> >> >> > > > > "Future" section of Alena's FS.
>>> >> >> > > > >
>>> >> >> > > > > Regards,
>>> >> >> > > > > Manan Shah
>>> >> >> > > > >
>>> >> >> > > > >
>>> >> >> > > > > On 1/4/13 1:57 PM, "Prasanna Santhanam" <prasanna.santha...@citrix.com> wrote:
>>> >> >> > > > >
>>> >> >> > > > > >On Sat, Jan 05, 2013 at 12:16:44AM +0530, Manan Shah wrote:
>>> >> >> > > > > >> Hi Chip,
>>> >> >> > > > > >>
>>> >> >> > > > > >> As Alena had mentioned in her FS, her focus was to initially
>>> >> >> > > > > >> support only the functionality that was enabled in CS 2.2. She
>>> >> >> > > > > >> had created a section in her FS that talked about Future
>>> >> >> > > > > >> release plans.
>>> >> >> > > > > >>
>>> >> >> > > > > >> My requirements page covers requirements for both, the CS 2.2
>>> >> >> > > > > >> use case as well as the broader use case.
>>> >> >> > > > > >>
>>> >> >> > > > > >> Let me know if you have additional questions.
>>> >> >> > > > > >>
>>> >> >> > > > > >Thanks - Alena's FS lists only support for KVM while you have
>>> >> >> > > > > >listed support for XenServer and KVM. Guess the FS needs updating?
>>> >> >> > > > > >
>>> >> >> > > > > >--
>>> >> >> > > > > >Prasanna.,
>>> >> >> > > > >
>>> >> >> > > >
>>> >> >> > > > --
>>> >> >> > > > Thanks,
>>> >> >> > > > Dave.
>>> >> >> > >
>>> >> >> >
>>> >> >> > --
>>> >> >> > Thanks,
>>> >> >> > Dave.