I have come across a few people with effectively this use case over the years. My thoughts have always been that it would be good to be able to reserve IPs or ranges for SSVM & CPVM in the same way that we can reserve IPs or ranges for an account or domain...

Kind regards,

Paul Angus

paul.an...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

-----Original Message-----
From: Erik Weber [mailto:terbol...@gmail.com]
Sent: 17 January 2017 08:27
To: dev@cloudstack.apache.org
Subject: Re: Dedicated IP range for SSVM/CPVM

Hi Nitin,

There are legit reasons for separating VR public pool from SSVM and CPVM.

For instance if you run a private cloud and don't want to have your cpvm/ssvm publicly available, but still want to have the VRs accessible.

Erik

On Tue, 17 Jan 2017 at 05:37, Nitin Kumar Maharana <nitinkumar.mahar...@accelerite.com> wrote:

> Hi Rene,
>
> The default pool, which means are you mentioning the public IP range?
>
> If it is a public IP range, user VMs won’t be consuming any IP from there.
> Only system VMs (CPVM/SSVM/VR) will be consuming. VRs will be providing
> public access to the user VMs.
>
> Thanks,
> Nitin
>
> > On 16-Jan-2017, at 8:56 PM, Rene Moser <m...@renemoser.net> wrote:
> >
> > Hi
> >
> > We would like to make a change proposal for SSVM/CPVM.
> >
> > Currently, the SSVM/CPVM get an IP from the "default" pool of
> > vlaniprange which is from the account "system"
> >
> > "vlaniprange": [
> >   {
> >     "account": "system",
> >     "domain": "ROOT",
> >     "endip": "10.101.0.250",
> >     "forvirtualnetwork": true,
> >     "gateway": "10.101.0.1",
> >     "netmask": "255.255.255.0",
> >     "startip": "10.101.0.11",
> >     ...
> >   },
> >
> > "systemvm": [
> >   {
> >     "activeviewersessions": 0,
> >     "gateway": "10.101.0.1",
> >     "hypervisor": "VMware",
> >     "id": "d9a8abe5-b1e0-47d6-8f39-01b48ff1e0fa",
> >     "name": "v-5877-VM",
> >     "privatenetmask": "255.255.255.0",
> >     "publicip": "10.101.0.113",
> >     "publicnetmask": "255.255.255.0",
> >     "state": "Running",
> >     ...
> >   },
> >
> > For security considerations we would like to define a dedicated IP range
> > for SSVM/CPVM, which, preferably, should not have any relation to the
> > default pool range.
> >
> > The default pool range should be used for userVMs only. To indicate the
> > use I propose 2 new flags, which are only considered for "account=system"
> > and indicate if the range can be used for userVMs or/and systemVMs.
> >
> > For backwards compatibility this would be the default
> >
> >     "foruservms": true,
> >     "forsystemvms": true,
> >
> > To have a separate range for UserVMs/SystemVMs, it would look like
> >
> > "vlaniprange": [
> >   {
> >     "account": "system",
> >     "domain": "ROOT",
> >     "foruservms": true,
> >     "forsystemvms": false,
> >     "endip": "192.160.123.250",
> >     "forvirtualnetwork": true,
> >     "gateway": "192.160.123.1",
> >     "netmask": "255.255.255.0",
> >     "startip": "192.160.123.11",
> >     ...
> >   },
> >
> > "vlaniprange": [
> >   {
> >     "account": "system",
> >     "domain": "ROOT",
> >     "foruservms": false,
> >     "forsystemvms": true,
> >     "endip": "10.101.0.250",
> >     "forvirtualnetwork": true,
> >     "gateway": "10.101.0.1",
> >     "netmask": "255.255.255.0",
> >     "startip": "10.101.0.11",
> >     ...
> >   },
> >
> > Does anyone see any conflicts with this proposal?
> >
> > Regards
> > René
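
The flag semantics proposed in Rene Moser's message, sketched as an added example (not part of the original thread and not CloudStack code): range selection that honours `foruservms`/`forsystemvms` with the backwards-compatible default, plus an audit for system VMs sitting outside a permitted range. The function names, the `LEGACY` entry and the `s-1-VM` test record are assumptions constructed for illustration; the addresses come from the JSON in the thread.

```python
import ipaddress

# Constructed ranges modelled on the JSON in the thread. "foruservms" and
# "forsystemvms" are the flags proposed there, not an existing API field.
RANGES = [
    {"account": "system", "startip": "192.160.123.11",
     "endip": "192.160.123.250", "foruservms": True, "forsystemvms": False},
    {"account": "system", "startip": "10.101.0.11",
     "endip": "10.101.0.250", "foruservms": False, "forsystemvms": True},
]
# A range created before the flags existed: both flags default to True.
LEGACY = {"account": "system", "startip": "10.101.0.11", "endip": "10.101.0.250"}

FLAG = {"uservm": "foruservms", "systemvm": "forsystemvms"}


def allows(rng, consumer):
    """True if a system-account range may serve this consumer (hypothetical helper)."""
    return rng.get("account") == "system" and rng.get(FLAG[consumer], True)


def bounds(rng):
    """Inclusive start/end of a range as integers."""
    return (int(ipaddress.ip_address(rng["startip"])),
            int(ipaddress.ip_address(rng["endip"])))


def pick_ip(ranges, consumer, in_use):
    """First free address from a range that permits the consumer, else None."""
    for rng in ranges:
        if not allows(rng, consumer):
            continue
        start, end = bounds(rng)
        for n in range(start, end + 1):
            ip = str(ipaddress.ip_address(n))
            if ip not in in_use:
                return ip
    return None


def misplaced_system_vms(ranges, system_vms):
    """Audit: system VMs whose public IP lies in no range that permits them."""
    bad = []
    for vm in system_vms:
        n = int(ipaddress.ip_address(vm["publicip"]))
        ok = any(allows(r, "systemvm") and bounds(r)[0] <= n <= bounds(r)[1]
                 for r in ranges)
        if not ok:
            bad.append(vm["name"])
    return bad
```

Running the audit against the output of the system VM listing after a range is re-flagged shows which SSVM/CPVM instances still hold an address from the old pool and need to be recreated.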