
Difference between revisions of "XenServerOVS"

Line 5: Line 5:
  
 
== Summary ==
 
== Summary ==
 +
 +
Adds support for the Open vSwitch in [[XenServer]].  This allows for the transition away from the standard Linux Bridge in [[XenServer]] and gives us more granular networking protections without having to utilize iptables, arptables, or ebtables for the host.  OVS will also provide better IPv6 protections which will enable us to prevent things like NDP attacks which we currently can't properly protect against with the Liunx bridge.
  
 
== Release Note ==
 
== Release Note ==
  
This section should include a paragraph describing the end-user impact of this changeIt is meant to be included in the release notes of the first release in which it is implemented(Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)
+
OVS is currently bundled into the [[XenServer]] platformACLs would be fired on instance create and teardown to protect the guestIf a blanket set of security rules are used, then this can run independent of Nova in dom0.
  
It is mandatory.
+
== Rationale ==
  
== Rationale ==
+
Out of the box, [[XenServer]] is built for a single Enterprise and is not really built with the concept of being multi-tennant which is typically what Service Providers require.  In order to fully secure the guests from each other, certain networking rules need to be applied to the virtual interfaces of each guest from the hypervisor.  This ensures better security and an overall better experience for the guests.
  
 
== User stories ==
 
== User stories ==
  
 
== Assumptions ==
 
== Assumptions ==
 +
 +
User is running [[XenServer]].
 +
User wants to isolate and protect the networking of all of their instances.
 +
User wants to use Open vSwitch instead of Linux Bridge.
  
 
== Design ==
 
== Design ==
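Review bot: The added Release Note text says ACLs are "fired on instance create and teardown", but the Design section that closes this hunk is still empty, so nothing states which rules are installed per virtual interface or how they are removed on teardown; suggest listing the intended rule set there. In the added Summary, "Liunx bridge" should read "Linux bridge", and "multi-tennant" in the added Rationale should read "multi-tenant".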

Revision as of 20:12, 31 January 2011

  • Launchpad Entry: NovaSpec:xs-ovs
  • Created:
  • Contributors:

Summary

Adds support for Open vSwitch (OVS) in XenServer. This allows a transition away from the standard Linux bridge in XenServer and gives us more granular networking protections without having to use iptables, arptables, or ebtables on the host. OVS will also provide better IPv6 protections, which will let us prevent things like NDP attacks that we currently cannot properly protect against with the Linux bridge.

Release Note

OVS is currently bundled into the XenServer platform. ACLs would be fired on instance create and teardown to protect the guest. If a blanket set of security rules is used, then this can run independently of Nova in dom0.

Rationale

Out of the box, XenServer is built for a single enterprise and is not really designed to be multi-tenant, which is typically what service providers require. To fully secure the guests from each other, certain networking rules need to be applied to the virtual interfaces of each guest from the hypervisor. This ensures better security and an overall better experience for the guests.
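A sketch of the kind of per-interface rules described above, as an added example that is not part of the original spec or of Nova: it builds the `ovs-ofctl` commands that would pin one guest interface to its own MAC, IPv4 and IPv6 addresses on instance create, and the single command that removes them on teardown. The bridge name `xenbr0`, the function names, the priorities and the statically assigned addresses are assumptions made for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
BRIDGE = "xenbr0"  # assumed bridge name; not taken from the spec


def guest_flows(ofport, mac, ipv4, ipv6_addrs):
    """Flow strings that restrict one guest VIF to its own addresses."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    v4 = str(ipaddress.IPv4Address(ipv4))  # raises ValueError if malformed
    port = "in_port=%d" % int(ofport)
    own = "%s,dl_src=%s" % (port, mac)
    flows = [
        # A guest must never act as a router: drop Router Advertisements (134).
        "priority=50,icmp6,%s,icmp_type=134,actions=drop" % port,
        # ARP only when sender MAC and sender IP are the guest's own.
        "priority=40,arp,%s,arp_sha=%s,nw_src=%s,actions=normal" % (own, mac, v4),
        # IPv4 only from the assigned source address.
        "priority=40,ip,%s,nw_src=%s,actions=normal" % (own, v4),
    ]
    for addr in ipv6_addrs:  # the caller includes the link-local address
        v6 = str(ipaddress.IPv6Address(addr))
        flows += [
            # Neighbor Advertisement (136) only for an address the guest owns.
            "priority=45,icmp6,%s,icmp_type=136,nd_target=%s,actions=normal" % (own, v6),
            # Duplicate address detection: solicitation (135) sent from "::".
            "priority=45,icmp6,%s,ipv6_src=::,icmp_type=135,nd_target=%s,actions=normal" % (own, v6),
            # Any other IPv6 traffic only from the assigned source address.
            "priority=40,ipv6,%s,ipv6_src=%s,actions=normal" % (own, v6),
        ]
    flows += [
        # Remaining Neighbor Advertisements claim someone else's address.
        "priority=44,icmp6,%s,icmp_type=136,actions=drop" % port,
        # Default for this port: drop anything not explicitly allowed.
        "priority=30,%s,actions=drop" % port,
    ]
    return flows


def create_cmds(ofport, mac, ipv4, ipv6_addrs, bridge=BRIDGE):
    """argv lists to run in dom0 when the instance is created."""
    return [["ovs-ofctl", "add-flow", bridge, f]
            for f in guest_flows(ofport, mac, ipv4, ipv6_addrs)]


def teardown_cmd(ofport, bridge=BRIDGE):
    """argv that removes every flow matching the VIF's port on teardown."""
    return ["ovs-ofctl", "del-flows", bridge, "in_port=%d" % int(ofport)]
```

The functions only return argument lists, so the rule set can be reviewed or logged before anything is executed in dom0.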

User stories

Assumptions

User is running XenServer. User wants to isolate and protect the networking of all of their instances. User wants to use Open vSwitch instead of Linux Bridge.

Design

You can have subsections that better describe specific parts of the issue.

Implementation

This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

UI Changes

Should cover changes required to the UI, or specific UI that is required to implement this.

Code Changes

Code changes should include an overview of what needs to change, and in some cases even the specific details.

Migration

Include:

  • data migration, if any
  • redirects from old URLs to new ones, if any
  • how users will be pointed to the new way of doing things, if necessary.

Test/Demo Plan

This need not be added or completed until the specification is nearing beta.

Unresolved issues

This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself, since any specification with problems cannot be approved.

BoF agenda and discussion

Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.