On Wed, 2010-05-12 at 16:49 +0100, [email protected] wrote:
> This is a first draught of a "network_services" model for core API. A
> network service allows you to connect to a running instance; this will
> mean different things for different clouds... in ec2 this means
> setting up the firewall/security group to allow connections from a
> IP/range to a specific port, in terremark this means creating a new
> "node service".
>
> At present a network service has a public IP address, public port,
> private IP address and port (of the instance) and a protocol (e.g.
> tcp/udp). The first patch is the terremark driver and the second adds
> the network_service as well as required haml and relevant bits of
> base_driver, server etc so you can see how this model works in the
> terremark case.
>
> Please reply with any thoughts about how this model works/not for a
> given cloud so we can reformulate the model as appropriate.
Reading a little bit about EC2 makes me wonder how much we can unify the
two models of applying firewall rules: in EC2, an instance is placed
into one or more security groups when it is launched (and it seems
there's no way to change the security groups of an instance after
launch). Placing an instance into a security group has two effects: (1)
all instances in the same security group can talk to each other without
restriction (2) ports as specified in the security group are opened up
on the public addresses of those instances.
Is a network service applied to a terremark instance upon launch or can
it be applied afterwards ?
Either way, we need to model two different things now:
* A 'firewall table'[1], i.e. a list of rules that describe what
ports to open, and how
* For an instance, a list of firewall tables that have been
applied to the instance
EC2 and Terremark differ in what kind of rules go into such a table: EC2
wants a protocol, port range, and list of incoming IP addresses;
Terremark seems to be more into port forwarding.
Before we get any deeper into modeling this, we should see what
mechanisms other clouds provide. From a brief glance at Rackspace docs,
there doesn't seem to be anything.
David
[1] We should probably switch terminology and call these things a
firewall table: 'network service' sounds to me more like a daemon that
listens on some port, not a firewall rule.
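The two-layer model sketched above (firewall tables holding rules, instances carrying a list of applied tables), as an added Ruby illustration that is not Deltacloud code; it covers both the EC2-style rule (protocol, port range, source CIDR) and the Terremark-style port forward, and the EC2 "members talk freely" effect. All class and method names are assumptions.

```ruby
require 'ipaddr'

# One rule in a firewall table. EC2-style rules carry protocol, port range and
# source CIDR; Terremark-style rules record a public ip/port forwarded to the
# instance's private port. Fields not used by a rule kind stay nil.
Rule = Struct.new(:protocol, :ports, :source, :public_ip, :public_port,
                  :private_port, keyword_init: true)

class FirewallTable
  attr_reader :name, :rules, :members

  def initialize(name)
    @name = name
    @rules = []
    @members = [] # instances this table has been applied to
  end

  # EC2-style: open a port range to a source range (default: anywhere).
  def allow(protocol:, ports:, source: '0.0.0.0/0')
    @rules << Rule.new(protocol: protocol, ports: ports, source: IPAddr.new(source))
    self
  end

  # Terremark-style: forward public_ip:public_port to the instance's private_port.
  def forward(public_ip:, public_port:, private_port:, protocol: :tcp)
    @rules << Rule.new(protocol: protocol, public_ip: public_ip, public_port: public_port,
                       private_port: private_port, ports: private_port..private_port,
                       source: IPAddr.new('0.0.0.0/0'))
    self
  end
end

Instance = Struct.new(:id, :private_ip, :tables, keyword_init: true)

# Apply a table to an instance (records the link on both sides).
def apply(table, instance)
  table.members << instance
  instance.tables << table
end

# Would traffic from src_ip to the instance's port be accepted under the
# tables applied to it?
def allowed?(instance, src_ip:, port:, protocol: :tcp)
  src = IPAddr.new(src_ip)
  instance.tables.any? do |t|
    # Effect (1) from the message: members of the same table reach each other freely.
    next true if t.members.any? { |m| m != instance && IPAddr.new(m.private_ip) == src }
    # Effect (2): an explicit rule matching protocol, port and source.
    t.rules.any? { |r| r.protocol == protocol && r.ports.cover?(port) && r.source.include?(src) }
  end
end
```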
_______________________________________________
deltacloud-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/deltacloud-devel