Re: Dedicated IP range for SSVM/CPVM

2017-01-19 Thread Rene Moser
https://issues.apache.org/jira/browse/CLOUDSTACK-9750


Re: Dedicated IP range for SSVM/CPVM

2017-01-18 Thread Rene Moser
Hi Will

On 01/17/2017 06:13 AM, Will Stevens wrote:
> Rene, this is probably not going to solve your problem, but I use this
> trick for other use cases.  You can set up more than one range.  ACS seems
> to always exhaust one range before moving on to the next range.  If it is a
> new install, then you can do a range with only 2 IPs in it and make it
> first.  Since the first two IPs which will be provisioned when ACS is set up
> are the SSVM and CPVM, they will automatically take the two IPs from that
> special range.
> 
> I am pretty sure I have tested this.  Later when other IPs have been used
> from the other range, if you destroy the SSVM or CPVM, they will come back
> up on one of the two IPs that they were on before because they will be free
> again and they will be used first again.  If your system is really active,
> then you will be in a race condition while the SSVM and CPVM get bounced to
> get the same IPs back.
> 
> Anyway, I figured I would mention it because it may be a workaround you can
> make use of.  I do this in dev/staging environments which need real public
> IPs, but I don't need the SSVM and CPVM to have real public IPs.  This lets
> me preserve two real public IPs by using private IPs for that first range
> for the SSVM and CPVM.

Thanks for the hint ;). But it is an existing production setup, so it
won't help in my case.

René


Re: Dedicated IP range for SSVM/CPVM

2017-01-18 Thread Rene Moser
Hi

On 01/17/2017 05:37 AM, Nitin Kumar Maharana wrote:
> Hi Rene,
> 
> The default pool, which means are you mentioning the public IP range?
> 
> If it is a public IP range, user VMs won’t be consuming any IP from there.
> Only system VMs(CPVM/SSVM/VR) will be consuming. VRs will be providing public 
> access to the user VMs.

I referred to the public IP assignment for the isolated networks for static
NATs and port forwarding to the VMs L2.

This assignment is going to use the "default" system IP range pool if no
dedicated pool is assigned to the account/project.

And the SSVM/CPVM also get an IP from this pool.

Regards
René


Re: Dedicated IP range for SSVM/CPVM

2017-01-16 Thread Will Stevens
Rene, this is probably not going to solve your problem, but I use this
trick for other use cases.  You can set up more than one range.  ACS seems
to always exhaust one range before moving on to the next range.  If it is a
new install, then you can do a range with only 2 IPs in it and make it
first.  Since the first two IPs which will be provisioned when ACS is set up
are the SSVM and CPVM, they will automatically take the two IPs from that
special range.

I am pretty sure I have tested this.  Later when other IPs have been used
from the other range, if you destroy the SSVM or CPVM, they will come back
up on one of the two IPs that they were on before because they will be free
again and they will be used first again.  If your system is really active,
then you will be in a race condition while the SSVM and CPVM get bounced to
get the same IPs back.

Anyway, I figured I would mention it because it may be a workaround you can
make use of.  I do this in dev/staging environments which need real public
IPs, but I don't need the SSVM and CPVM to have real public IPs.  This lets
me preserve two real public IPs by using private IPs for that first range
for the SSVM and CPVM.

Cheers,

*Will STEVENS*
Lead Developer





Re: Dedicated IP range for SSVM/CPVM

2017-01-16 Thread Nitin Kumar Maharana
Hi Rene,

The default pool, which means are you mentioning the public IP range?

If it is a public IP range, user VMs won’t be consuming any IP from there.
Only system VMs(CPVM/SSVM/VR) will be consuming. VRs will be providing public 
access to the user VMs.


Thanks,
Nitin
> On 16-Jan-2017, at 8:56 PM, Rene Moser wrote:
> 
> Hi
> 
> We would like to make a change proposal for SSVM/CPVM.
> 
> Currently, the SSVM/CPVM get an IP from the "default" pool of
> vlaniprange which is from the account "system"
> 
> 
>   "vlaniprange": [
>     {
>       "account": "system",
>       "domain": "ROOT",
>       "endip": "10.101.0.250",
>       "forvirtualnetwork": true,
>       "gateway": "10.101.0.1",
>       "netmask": "255.255.255.0",
>       "startip": "10.101.0.11",
>       ...
>     },
> 
> 
>   "systemvm": [
>     {
>       "activeviewersessions": 0,
>       "gateway": "10.101.0.1",
>       "hypervisor": "VMware",
>       "id": "d9a8abe5-b1e0-47d6-8f39-01b48ff1e0fa",
>       "name": "v-5877-VM",
>       "privatenetmask": "255.255.255.0",
>       "publicip": "10.101.0.113",
>       "publicnetmask": "255.255.255.0",
>       "state": "Running",
>       ...
>     },
> 
> 
> For security considerations we would like to define a dedicated IP range
> for SSVM/CPVM, which, preferably, should not have any relation to the
> default pool range.
> 
> The default pool range should be used for userVMs only. To indicate the
> use I propose 2 new flags, which are only considered for "account=system"
> and indicate if the range can be used for userVMs or/and systemVMs.
> 
> For backwards compatibility this would be the default
> 
> "foruservms": true,
> "forsystemvms": true,
> 
> 
> to have a separate range for UserVMs/SystemVMs, it would look like
> 
> 
>   "vlaniprange": [
>     {
>       "account": "system",
>       "domain": "ROOT",
>       "foruservms": true,
>       "forsystemvms": false,
>       "endip": "192.160.123.250",
>       "forvirtualnetwork": true,
>       "gateway": "192.160.123.1",
>       "netmask": "255.255.255.0",
>       "startip": "192.160.123.11",
>       ...
>     },
>
>   "vlaniprange": [
>     {
>       "account": "system",
>       "domain": "ROOT",
>       "foruservms": false,
>       "forsystemvms": true,
>       "endip": "10.101.0.250",
>       "forvirtualnetwork": true,
>       "gateway": "10.101.0.1",
>       "netmask": "255.255.255.0",
>       "startip": "10.101.0.11",
>       ...
>     },
> 
> 
> Does anyone see any conflicts with this proposal?
> 
> Regards
> René
> 




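
An added example, not part of the thread and not CloudStack code: a small audit over data shaped like the `vlaniprange` and `systemvm` fragments quoted above, reporting system VMs whose public IP is not isolated from the user-VM pool. It assumes the `foruservms`/`forsystemvms` flags exactly as proposed in the thread (both defaulting to true when absent); the function names, finding labels and sample records are constructed for illustration.

```python
import ipaddress

# Constructed sample data, shaped like the fragments quoted in the thread.
SPLIT_RANGES = [
    {"account": "system", "startip": "192.160.123.11", "endip": "192.160.123.250",
     "foruservms": True, "forsystemvms": False},
    {"account": "system", "startip": "10.101.0.11", "endip": "10.101.0.250",
     "foruservms": False, "forsystemvms": True},
]
LEGACY_RANGES = [  # no flags present: the backwards-compatible default applies
    {"account": "system", "startip": "10.101.0.11", "endip": "10.101.0.250"},
]
SYSTEM_VMS = [{"name": "v-5877-VM", "publicip": "10.101.0.113"}]


def in_range(ip, rng):
    """True if ip lies between startip and endip (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return (ipaddress.ip_address(rng["startip"]) <= addr
            <= ipaddress.ip_address(rng["endip"]))


def flags(rng):
    """Proposed flags; a range without them is usable by both VM kinds."""
    return rng.get("foruservms", True), rng.get("forsystemvms", True)


def audit(system_vms, ranges):
    """Return (vm name, finding) pairs for system VMs not isolated from user VMs."""
    findings = []
    for vm in system_vms:
        owners = [r for r in ranges
                  if r.get("account") == "system" and in_range(vm["publicip"], r)]
        if not owners:
            findings.append((vm["name"], "outside-any-system-range"))
            continue
        for rng in owners:
            for_user, for_system = flags(rng)
            if not for_system:
                findings.append((vm["name"], "range-not-for-systemvms"))
            elif for_user:
                findings.append((vm["name"], "range-shared-with-uservms"))
    return findings
```

With the split configuration from the proposal the audit returns no findings, while the unflagged default range reports the CPVM as sharing its pool with user VMs.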