Hi Sang-Min,
On 25/06/11 15:49, Sang-Min Park wrote:
FYI, I looked at the firewall implementation and found that there's an issue with the Eucalyptus driver.
I was confused at first by what you meant, as looking at the Euca driver there's no mention of firewalls yet (besides the declaration of 'feature :instances, :firewalls').
Eucalyptus supports the old parameter convention in the 'AuthorizeSecurityGroupIngress' action. I'll see if I can patch AWS to generate the old parameters as well as the new one.
OK: you shouldn't need to patch aws at all - my additions to aws added the new 'manage_security_group_ingress' method, BUT did not remove any of the old code. I'm not sure if that's what you meant by 'generate the old parameters as well as the new one', but if you mean that your Euca setup (or Euca in general) relies on the old appoxy/aws interface then your existing code should be fine - the appoxy/aws gem has not removed any of those earlier methods:
1. authorize_security_group_named_ingress
2. revoke_security_group_named_ingress
3. authorize_security_group_IP_ingress
4. revoke_security_group_IP_ingress
That being said, here's why I implemented the new 'manage_security_groups' method in the appoxy/aws gem (https://github.com/appoxy/aws/pull/91): methods 1/2 above don't allow you to specify fine-grained control over group access - i.e. you can specify which groups to authorize, but not which protocols/ports to allow for those groups. Also, 3/4 only allow you to specify a single IP range at a time - thus if a given firewall rule has a large number of address ranges then this operation will need to be done for each of those. Similarly, you can't specify both groups AND IP addresses in a single call (thus defining an entire firewall rule with a single call).
The earlier implementations of appoxy/aws were based on the 2009 version of the AWS API (http://docs.amazonwebservices.com/AWSEC2/2009-07-15/APIReference/ApiReference-query-AuthorizeSecurityGroupIngress.html). In the latest version of the API, you can specify a number of IP addresses, or groups, or a mix of both, for which the specified rule will apply. You can now also specify 'from_port', 'to_port' and 'protocol' for ingress groups in a rule.
marios
Sang-min
On Fri, Jun 17, 2011 at 8:06 AM, <[email protected]> wrote:
This patch uses the new 'Firewalls' collection (I pushed that to trunk today).
The create_instance operation for the ec2 driver takes an array of firewall names for the instance to be 'launched into'. Patch includes:
* necessary modifications to server.rb
* addition of 'firewalls' to the Instance model
* modification of the haml views: html for the create operation, html/xml for showing firewalls when inspecting a given instance.
If you aren't using the html interface to create an instance, you can specify firewalls using form input: 'firewall#=name' where '#' is any digit. For example:
curl -F 'image_id=ami-48aa4921' -F 'firewalls1=default' -F 'firewalls2=test' --user 'ec2_key:ec2_password' http://localhost:3001/api/instances?format=xml
will create an instance from ami-48aa4921 and place it into firewalls 'default' and 'test'. EC2 does not support 'moving' an instance between firewalls once it's launched so this functionality was not implemented (http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedirect=1#13)
marios
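The old and new 'AuthorizeSecurityGroupIngress' parameter conventions the thread compares, as an added Ruby example (not code from appoxy/aws or Deltacloud): one function emits the 2011-style IpPermissions.n.* parameters that carry several CIDR ranges and source groups with ports in a single call, the other expands the same rule into the one-range-or-one-group-per-call form of the 2009 API. Parameter names follow the EC2 Query API; the Rule struct and the sample owner id/group values are constructed for the example.

```ruby
# Added example: build EC2 'AuthorizeSecurityGroupIngress' query parameters for one
# firewall rule in the 2009-style (old) and 2011-style (new) conventions discussed
# above. Not code from appoxy/aws or Deltacloud; parameter names follow the EC2 Query API.

# A firewall rule: protocol/port range plus any number of CIDR ranges and source groups.
Rule = Struct.new(:protocol, :from_port, :to_port, :cidrs, :groups)

# New convention: one call carries many IP ranges and many source groups, each with
# its own protocol/port range, under IpPermissions.n.*
def new_style_params(group_name, rules)
  params = { 'Action' => 'AuthorizeSecurityGroupIngress', 'GroupName' => group_name }
  rules.each_with_index do |rule, i|
    n = i + 1
    params["IpPermissions.#{n}.IpProtocol"] = rule.protocol
    params["IpPermissions.#{n}.FromPort"]   = rule.from_port.to_s
    params["IpPermissions.#{n}.ToPort"]     = rule.to_port.to_s
    rule.cidrs.each_with_index do |cidr, j|
      params["IpPermissions.#{n}.IpRanges.#{j + 1}.CidrIp"] = cidr
    end
    rule.groups.each_with_index do |(owner, name), j|
      params["IpPermissions.#{n}.Groups.#{j + 1}.UserId"]    = owner
      params["IpPermissions.#{n}.Groups.#{j + 1}.GroupName"] = name
    end
  end
  params
end

# Old convention: one call per CIDR range (with ports), or one call per source group
# (no port/protocol selection). Returns the list of calls one rule expands into; this
# is the "done for each of those" cost the thread describes.
def old_style_calls(group_name, rule)
  base = { 'Action' => 'AuthorizeSecurityGroupIngress', 'GroupName' => group_name }
  ip_calls = rule.cidrs.map do |cidr|
    base.merge('IpProtocol' => rule.protocol, 'FromPort' => rule.from_port.to_s,
               'ToPort' => rule.to_port.to_s, 'CidrIp' => cidr)
  end
  group_calls = rule.groups.map do |owner, name|
    base.merge('SourceSecurityGroupOwnerId' => owner, 'SourceSecurityGroupName' => name)
  end
  ip_calls + group_calls
end

# Constructed sample: ssh from two ranges plus the 'default' group of a made-up owner id.
SAMPLE_RULE = Rule.new('tcp', 22, 22, ['10.0.0.0/8', '192.0.2.0/24'],
                       [['123456789012', 'default']])
```

For SAMPLE_RULE the new convention is one request of nine parameters, while the old convention needs three separate requests, and the group request cannot restrict ports at all.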