Hi,

this patch series implements 'AccessRules' (the 'firewalling stuff'). This 
feature is necessary for EC2 and Terremark amongst the clouds we currently 
support; in both cases, after you create an instance, you need to enable access 
to that instance (e.g. by creating a firewall rule), otherwise you can't do 
anything with your VM (e.g. no ssh access). I have implemented 3 operations: 
list rules (index), create rule, delete rule.

An access_rule has: 'id', 'protocol', 'port', 'instance_group'. Valid values 
for 'protocol' and 'instance_group' are cloud specific. I give details and any 
issues for each of ec2 and terremark below:

--marios

===========================================================

EC2:

-----------
list rules:
-----------
* We don't list rules that have a 'security group' as source (i.e. we are only 
interested in rules towards the outside world, which have a cidr address as 
source)
* id is 'groupname_protocol:ports' eg 'default_tcp:22'
* instance_group is the name of the security group to which a rule is/was 
applied (e.g. 'default')

------------
create rule:
------------
* valid protocols for ec2 rules are: tcp/udp/icmp... 
* valid ports... for tcp/udp we set from_port == to_port (i.e. no port range... 
this could be fixed, e.g. input '22-33' to signal a range). When protocol is 
icmp then ec2 uses ports to signal the icmp 'type'... '-1' is used to signal 
all icmp types (and our code currently defaults to this).
* group name must be an existing security group. Every account gets a 'default' 
group but more can be created... 
* we set the given rule for all source addresses (cidr 0.0.0.0/0)... we could 
set this as an ec2 specific option?

------------
delete rule:  
------------
* ec2 rules don't have an "id", so to delete a rule you must specify the rule 
exactly, including group, protocol, port, cidrip... which is why this info is 
used as the 'id' of our access_rule

=============================

Terremark:

-----------
list rules:
-----------
* id is 'serviceId_privateIP' e.g. '9582_10.114.71.132' where serviceId is the 
id terremark uses for the given 'internet service' 
* instance_group holds the public IP address used for the internet service; 
this could cause confusion but I can't see another way of capturing this info...

------------
create rule:    
------------
* valid protocols are tcp/udp/http/https/ftp (http/https/ftp apparently 
matters, see 
https://community.vcloudexpress.terremark.com/en-us/discussion_forums/f/60/t/443.aspx)
* instance_group is the private IP address of the instance to hold the node 
service (i.e. ip of the vm)
* potential problem... a user could have > 1 ip address... currently the code 
picks the 'last one' returned... this must be addressed somehow...
* in terremark, setting up access for an instance is like NAT... map public 
ip+port to private ip+port... since we only take 1 port parameter we set 
public_port == private_port...
* name for internet service = 'svc'+randomNumber (7 digits) and for node 
service 'nod'+random (7 digits)... e.g. svc1094968, nod1824947

------------
delete rule:
------------
* terremark internet service id is encoded into the access_rule id specifically 
for use with deletion...
* the only particularity is that if you delete an internet service you must 
also delete all node services that go with it:

                service X: 211.123.111.123 :80 
                         |              |
                        /                \
                       /                  \     
                      /                    \
                node 1: 192.168.1.1:20      node 2: 192.168.1.2:21      

delete all nodes before deleting the service (the code does this by default)
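To make the id encodings and per-cloud validation above concrete, here is a small standalone Ruby example (written for this mail, not code from the patch series) that builds and parses the EC2 'groupname_protocol:ports' ids and the Terremark 'serviceId_privateIP' ids and checks the protocol/port rules described for each cloud. It also goes one step beyond the patch by accepting the '22-33' range notation suggested above; the hash keys and function names are my own assumptions, not the driver API.

```ruby
# Added example for this mail, not the deltacloud driver code itself.
EC2_PROTOCOLS  = %w[tcp udp icmp].freeze
TMRK_PROTOCOLS = %w[tcp udp http https ftp].freeze

# EC2 ports: '22' -> 22..22, '22-33' -> 22..33 (range support is an assumed
# extension, the series itself uses from_port == to_port); icmp with no port
# defaults to '-1', i.e. all icmp types, as the series does.
def ec2_port_range(protocol, port)
  port = '-1' if protocol == 'icmp' && port.to_s.empty?
  m = port.to_s.match(/\A(-?\d+)(?:-(\d+))?\z/) or raise ArgumentError, "bad port #{port.inspect}"
  from = Integer(m[1])
  to   = m[2] ? Integer(m[2]) : from
  raise ArgumentError, "reversed port range #{port}" if to < from
  [from, to]
end

# Build the access_rule for EC2; cidr defaults to all sources like the series.
def ec2_rule(group, protocol, port, cidr = '0.0.0.0/0')
  raise ArgumentError, "unknown ec2 protocol #{protocol}" unless EC2_PROTOCOLS.include?(protocol)
  from, to = ec2_port_range(protocol, port)
  ports = from == to ? from.to_s : "#{from}-#{to}"
  { id: "#{group}_#{protocol}:#{ports}", group: group, protocol: protocol,
    from_port: from, to_port: to, cidr: cidr }
end

# EC2 has no rule id, so deletion must restate group/protocol/ports exactly;
# recover them from our id (group names may themselves contain '_').
def ec2_parse_id(id)
  m = id.match(/\A(.+)_(tcp|udp|icmp):(-?\d+(?:-\d+)?)\z/) or raise ArgumentError, "bad ec2 id #{id}"
  ec2_rule(m[1], m[2], m[3])
end

# Terremark: one port parameter, so public_port == private_port (NAT style);
# instance_group carries the public IP of the internet service.
def terremark_rule(service_id, private_ip, protocol, port, public_ip)
  raise ArgumentError, "unknown terremark protocol #{protocol}" unless TMRK_PROTOCOLS.include?(protocol)
  raise ArgumentError, "bad port #{port}" unless (1..65_535).cover?(port.to_i)
  { id: "#{service_id}_#{private_ip}", instance_group: public_ip, protocol: protocol,
    public_port: port.to_i, private_port: port.to_i, private_ip: private_ip }
end

# Recover the internet service id (needed for deletion) from a Terremark rule id.
def terremark_parse_id(id)
  m = id.match(/\A(\d+)_(\d{1,3}(?:\.\d{1,3}){3})\z/) or raise ArgumentError, "bad terremark id #{id}"
  { service_id: m[1].to_i, private_ip: m[2] }
end
```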
_______________________________________________
deltacloud-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/deltacloud-devel