Hi All,

I have drafted a basic approach for security group syncing in release D,
and it is as follows.

- Get the list of secgroups with rules for a tenant from all the regions
which do not have remote group references (currently, we ignore remote
secgroup references as there can be a lot of nested dependencies).
- Traverse each region and do the following:
        - Get the list of secgroups which are present in all the regions
except the current region. These are the secgroups which we need to sync
in the current region: call it GRP_TO_BE_SYNCED.
        - There can be a case where a secgroup from GRP_TO_BE_SYNCED has
the same rules as a secgroup in the current region (if not initially, then
this will obviously happen after a sync job).
        - Traverse through GRP_TO_BE_SYNCED and check if there are any
such secgroups (rule-overlapping groups); if there are, ignore them. After
this filtering, the remaining secgroups will be the final list of secgroups
which should be created for the current region.
        - Create the secgroups from the final list in the region.
- Repeat the process for all the tenants in batches.
The default security group is not synced, as I feel a region-specific
default secgroup has to be there in each region.

We must use neutron to perform all our operations, as with neutron we have
total control over it.


For creating a security group we need the following information:

  --tenant-id TENANT_ID
                        The owner tenant ID.
  --description DESCRIPTION
                        Description of security group rule.
  --direction {ingress,egress}
                        Direction of traffic: ingress/egress.
  --ethertype ETHERTYPE
                        IPv4/IPv6
  --protocol PROTOCOL
                        Protocol of packet. Allowed values are [icmp, icmpv6,
                        tcp, udp] and integer representations [0-255]
  --port-range-min PORT_RANGE_MIN
                        Starting port range. For ICMP it is type.
  --port-range-max PORT_RANGE_MAX
                        Ending port range. For ICMP it is code.
  --remote-ip-prefix REMOTE_IP_PREFIX
                        CIDR to match on.

We have all these details available with us.


Let us take this forward. Please review/comment.

Regards
Ashish Singh
Tata Consultancy Services
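The sync steps above as a runnable dry-run planner. This is an added example, not code from the mail or from any OPNFV project: the region and group data are constructed inline; identifying a group across regions by its name, detecting "rule-overlapping" groups by comparing a normalized set of rule fields, and reading "present in all the regions except the current region" as the union of the other regions' groups are all assumptions of this example. It goes one step beyond the mail in that it also de-duplicates rule-identical groups within GRP_TO_BE_SYNCED itself, which would otherwise be created twice when two other regions hold the same group under different names. The neutron CLI commands are only rendered as strings, never executed.

```python
"""Dry-run planner for cross-region security-group sync (added example)."""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix)
Rule = Tuple[str, str, Optional[str], Optional[int], Optional[int], Optional[str]]


def normalize_rule(r: dict) -> Rule:
    """Canonical form so rule comparison ignores case and a missing ethertype (assumption)."""
    proto = r.get("protocol")
    return (r["direction"].lower(), r.get("ethertype") or "IPv4",
            proto.lower() if isinstance(proto, str) else proto,
            r.get("port_range_min"), r.get("port_range_max"), r.get("remote_ip_prefix"))


@dataclass
class SecGroup:
    name: str
    tenant_id: str
    description: str
    rules: List[dict]  # neutron-style rule dicts

    def rule_set(self) -> FrozenSet[Rule]:
        return frozenset(normalize_rule(r) for r in self.rules)

    def has_remote_group_ref(self) -> bool:
        return any(r.get("remote_group_id") for r in self.rules)


def sync_candidates(groups: Iterable[SecGroup], tenant_id: str) -> List[SecGroup]:
    """Step 1: the tenant's groups minus the region-specific default group and any
    group whose rules reference another group (remote_group_id)."""
    return [g for g in groups if g.tenant_id == tenant_id and g.name != "default"
            and not g.has_remote_group_ref()]


def plan_sync(regions: Dict[str, List[SecGroup]], tenant_id: str) -> Dict[str, List[SecGroup]]:
    """Steps 2-4 for one tenant: per region, the groups from the other regions
    (GRP_TO_BE_SYNCED) that still have to be created there."""
    cand = {name: sync_candidates(groups, tenant_id) for name, groups in regions.items()}
    plan: Dict[str, List[SecGroup]] = {}
    for region in regions:
        local_names = {g.name for g in cand[region]}
        seen_rulesets = {g.rule_set() for g in cand[region]}
        to_create: Dict[str, SecGroup] = {}
        for other, groups in cand.items():
            if other == region:
                continue
            for g in groups:
                # Skip if present by name, or if a rule-identical group already exists
                # in the current region (or was already picked from another region).
                if g.name in local_names or g.name in to_create or g.rule_set() in seen_rulesets:
                    continue
                to_create[g.name] = g
                seen_rulesets.add(g.rule_set())
        plan[region] = sorted(to_create.values(), key=lambda g: g.name)
    return plan


def neutron_commands(region: str, g: SecGroup) -> List[str]:
    """Render the neutron CLI calls the sync job would issue for one group."""
    base = f"neutron --os-region-name {region}"
    cmds = [f"{base} security-group-create --tenant-id {g.tenant_id} "
            f"--description {shlex.quote(g.description)} {g.name}"]
    for r in g.rules:
        parts = [f"{base} security-group-rule-create --tenant-id {g.tenant_id}",
                 f"--direction {r['direction']}", f"--ethertype {r.get('ethertype') or 'IPv4'}"]
        for flag, key in (("--protocol", "protocol"), ("--port-range-min", "port_range_min"),
                          ("--port-range-max", "port_range_max"),
                          ("--remote-ip-prefix", "remote_ip_prefix")):
            if r.get(key) is not None:
                parts.append(f"{flag} {r[key]}")
        parts.append(g.name)
        cmds.append(" ".join(parts))
    return cmds


def batches(items: Iterable[str], size: int) -> List[List[str]]:
    """Step 5: tenants are processed in batches of `size`."""
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def ingress(port: int, cidr: str = "0.0.0.0/0", proto: str = "tcp", ethertype: Optional[str] = "IPv4") -> dict:
    r = {"direction": "ingress", "protocol": proto, "port_range_min": port,
         "port_range_max": port, "remote_ip_prefix": cidr}
    if ethertype:
        r["ethertype"] = ethertype
    return r


# Constructed sample data: three regions, tenant t1. "default" and "app-links" are
# filtered out; "ssh-access" has the same rules as "ssh" but a different name and case.
DEFAULT = [{"direction": "ingress", "ethertype": "IPv4", "remote_group_id": "self"}]
REGIONS = {
    "RegionOne": [SecGroup("default", "t1", "default", DEFAULT),
                  SecGroup("web", "t1", "HTTP from anywhere", [ingress(80)]),
                  SecGroup("ssh", "t1", "SSH", [ingress(22)])],
    "RegionTwo": [SecGroup("default", "t1", "default", DEFAULT),
                  SecGroup("web", "t1", "HTTP from anywhere", [ingress(80, proto="TCP", ethertype=None)]),
                  SecGroup("db", "t1", "MySQL from internal", [ingress(3306, "10.0.0.0/8")]),
                  SecGroup("app-links", "t1", "refs another group", DEFAULT)],
    "RegionThree": [SecGroup("default", "t1", "default", DEFAULT),
                    SecGroup("ssh-access", "t1", "SSH", [ingress(22, proto="TCP", ethertype=None)])],
}

if __name__ == "__main__":
    for batch in batches(["t1"], 10):
        for tenant in batch:
            for region, groups in plan_sync(REGIONS, tenant).items():
                for g in groups:
                    print("\n".join(neutron_commands(region, g)))
```

Run as-is it prints the commands for each region: only `db` is missing from RegionOne, only `ssh` from RegionTwo (RegionThree's `ssh-access` is dropped as rule-identical), and RegionThree needs `web` and `db` but not `ssh`, which overlaps its existing `ssh-access`.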

_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss