Revision as of 07:56, 14 October 2011

XenAPI support for security groups

Summary

This blueprint concerns the implementation of the security groups functionality in OpenStack's compute driver for XenAPI. This will fill one of the existing gaps between XenAPI and libvirt.

Background

For an explanation of the concept of a security group, please have a look at the nova concepts page.

Related launchpad blueprint: nova:xenapi-security-groups

This feature has been implemented for the libvirt backend since the early days of nova. Two distinct drivers are provided (called Firewall Drivers): one based on iptables and one on nwfilter. In particular, the iptables driver uses the nwfilter driver for enforcing basic filtering rules, which are the equivalent of XenServer's VIF isolation rules (https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst).

Also note that both drivers provide another feature, the Provider Firewall Rules; this feature is currently not supported in XenAPI, and will be implemented on top of the functionality offered by the Security groups (blueprint nova:xenapi-provider-firewall).

As of the diablo release, Security Groups are managed through the EC2 API only, and cannot be managed through the dashboard.

Use cases

  1. A user starts an instance which is associated with one or more security groups (association via project). nova-compute enforces the security group(s)' rules on the host where the instance is spawned;
  2. A user creates/updates/deletes a rule for a security group. nova-compute ensures that the rules enforced for this security group on all interested instances are in sync with the ones specified by the user;
  3. A user creates a new security group and associates it with one or more projects. The rules for this security group are then enforced on all the hosts where interested instances are running.
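As an added illustration of the three use cases above (example code, not nova's firewall driver), the following reconciliation step turns the rules of an instance's security groups into iptables ACCEPT rules for a per-instance chain and diffs them against what the host currently enforces, so that a user's rule change becomes a minimal set of additions and deletions. The Rule schema, the chain name and the sample rules are assumed/constructed, not taken from nova.

```python
# Added example, not nova's own firewall driver code. The Rule schema, the
# per-instance chain name and the sample rules below are assumed/constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int  # ignored for icmp
    to_port: int
    cidr: str       # source network the rule allows

def iptables_rule(chain: str, rule: Rule) -> str:
    """Render one security-group rule as an ACCEPT rule in the instance's chain.
    Security groups are allow-lists: the chain is assumed to end with a DROP,
    so only traffic matched by an ACCEPT rule reaches the instance."""
    if rule.protocol == "icmp":
        return f"-A {chain} -p icmp -s {rule.cidr} -j ACCEPT"
    return (f"-A {chain} -p {rule.protocol} -s {rule.cidr} "
            f"--dport {rule.from_port}:{rule.to_port} -j ACCEPT")

def desired_rules(chain: str, groups: dict) -> set:
    """Union of the rules of every group the instance belongs to (use case 1)."""
    return {iptables_rule(chain, r) for rules in groups.values() for r in rules}

def reconcile(chain: str, current: set, groups: dict) -> tuple:
    """Diff the enforced rules against the user's groups (use cases 2 and 3).
    Returns (to_add, to_delete): rules missing on the host, and stale rules
    still enforced but no longer in any of the instance's groups."""
    wanted = desired_rules(chain, groups)
    return sorted(wanted - current), sorted(current - wanted)

# Constructed scenario: the user dropped the 8080 rule from "web" and added 443.
INSTANCE_CHAIN = "nova-inst-1"
SECURITY_GROUPS = {
    "default": {Rule("tcp", 22, 22, "10.0.0.0/8"), Rule("icmp", -1, -1, "10.0.0.0/8")},
    "web": {Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")},
}
CURRENT_RULES = {  # what the previous sync left in the chain
    iptables_rule(INSTANCE_CHAIN, Rule("tcp", 22, 22, "10.0.0.0/8")),
    iptables_rule(INSTANCE_CHAIN, Rule("icmp", -1, -1, "10.0.0.0/8")),
    iptables_rule(INSTANCE_CHAIN, Rule("tcp", 80, 80, "0.0.0.0/0")),
    iptables_rule(INSTANCE_CHAIN, Rule("tcp", 8080, 8080, "0.0.0.0/0")),
}

if __name__ == "__main__":
    to_add, to_delete = reconcile(INSTANCE_CHAIN, CURRENT_RULES, SECURITY_GROUPS)
    print("add:", to_add, "delete:", to_delete)
```

Running the reconciliation only after the full rule set of every group the instance belongs to has been fetched is what keeps the host consistent with the user's view: a stale rule is removed only because it is absent from the union, never because a single group changed.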