Commit Graph

562 Commits

Author SHA1 Message Date
Jayapal 5c12250dea CLOUDSTACK-5278 Fixed cleaning up egress default rules on VR and SRX
1. Egress default policy rules are sent to the firewall provider. It is up to the
   provider to configure the rules.
2. The default policy rules are sent for both allow and deny default policy.
3. On network shutdown rules for delete are sent.
4. For VR and SRX, by default deny the traffic. So no default rule to deny traffic is required.
2013-12-10 14:19:03 +05:30
tuna dc151115be AutoScaling without NetScaler 2013-12-10 10:35:55 +07:00
tuna 4de09ee654 add Apache Licensed 2013-12-10 08:37:37 +07:00
tuna d935d3865a tuna 2013-12-09 23:33:14 +07:00
Tuna 4e914b7087 re-factor gre controller
Signed-off-by: tuna <ng.tuna@gmail.com>
2013-12-09 23:33:14 +07:00
Kishan Kavala 587f587621 CLOUDSTACK-5145 : Added permission checks while listing network ACLs and acl Items. Users will be able to list items that they have access to.
Conflicts:
	api/src/com/cloud/network/vpc/NetworkACLService.java
	api/src/org/apache/cloudstack/api/command/user/network/ListNetworkACLListsCmd.java
	server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java
	server/test/com/cloud/vpc/NetworkACLServiceTest.java
2013-12-09 21:57:47 +05:30
Syed Ahmed ee7380ace2 CLOUDSTACK-5296: Add certificate chain support for netscaler
This patch adds support for trust chains in the netscaler.

I initially planned on using the 10.1 API's "bundle" feature but during
my testing I found that was not working. So I am doing the chain linking
myself. Also NS can have only one entity of a certificate, i.e. let's say
two different users try to add the same certificate on the netscaler
only one of them will go through. The other one says resource already
exists even though they have different files.

This can be a problem in trust chains where the chain can be shared
between multiple accounts/certificates. So, I am using the fingerprint as
an identifier of a certificate and making sure that we delete it only
when no one references it.
2013-12-05 15:35:28 +05:30
Alex Huang 170f32f171 Broke up some long strings 2013-11-21 07:25:01 -08:00
Alex Huang d620df2bdd Reformatted all of the code. 2013-11-21 06:15:26 -08:00
Alex Huang 224f479974 Removed trailing spaces 2013-11-21 04:08:01 -08:00
Alex Huang 8d62744681 Reformat all source code. Added checkstyle to check the source code 2013-11-20 07:26:53 -08:00
Syed Ahmed 481af07fb1 Adding protocol parameter to loadbalancer response 2013-11-19 22:12:44 +05:30
Laszlo Hornyak b33a8371bc license headers added
Signed-off-by: Laszlo Hornyak <laszlo.hornyak@gmail.com>
2013-11-09 09:06:01 +01:00
Rajesh Battala 19e9849d86 Enabled the traffic label support the hyperv hypervisor type. Modified the physical_network_traffic_types table to introduce hyperv_network label column.
Modified associated VO's and impls classes. Modified the List/Update/Add TrafficType command api's and response classes.
Fixed the Unit tests
2013-11-08 20:21:18 +05:30
Syed 0076307863 Squashed merge of Ssl Termination feature
Bug: https://issues.apache.org/jira/browse/CLOUDSTACK-4821
FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Termination+Support

This patch implements the SSL offload feature for loadbalancers
and includes the implementation for this to work with Netscaler.

The following are the new API's that this patch adds

uploadSslCert
deleteSslCert
listSslCert
assignCertToLoadBalancer
removeCertFromLoadBalancer

Unit tests are also included in the patch.
2013-11-08 16:49:16 +05:30
Kishan Kavala 3f5b8f7063 CLOUDSTACK-4793 : Added UpgradeRouterTemplate API. Added filters to listRouters API. listRouters response includes version and required upgrade flag. Min VR version is checked before sending commands to router 2013-11-07 19:49:05 +05:30
Hugo Trippaers a7201a81b2 The VPC offering has the option internally to specify the compute offering (service offering), expose this via the api.
Added a field to the command for serviceOfferingId and changed the internal interface to accept the service offering as parameter

Applied automated code cleanup
2013-11-06 22:13:00 +01:00
Will Stevens 8f8ad3f38e Squashed commit of the Palo Alto Networks firewall integration plugin.
This patch adds a network plugin to support Palo Alto Networks firewall (their appliance and their VM series firewall).

More information in the FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration

Features supported are:
- List/Add/Delete Palo Alto service provider
- List/Add/Delete Palo Alto network service offering
- List/Add/Delete Palo Alto network with above service offering
- Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
- List/Add/Delete Ingress Firewall rule
- List/Add/Delete Egress Firewall rule
- List/Add/Delete Port Forwarding rule
- List/Add/Delete Static Nat rule
- Supports Palo Alto Networks 'Log Forwarding' profile globally per device (additional docs to come)
- Supports Palo Alto Networks 'Security Profile Groups' functionality globally per device (additional docs to come)

Known limitations:
- Only supports one public IP range in CloudStack.
- Currently not verifying SSL certificates when creating a connection between CloudStack and the Palo Alto Networks firewall.
- Currently not tracking usage on Public IPs.

Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
2013-11-06 10:08:22 -08:00
Jayapal b464a20a52 CLOUDSTACK-4736: Monitoring services in VR 2013-11-05 23:39:33 +05:30
Pedro Marques 6b5fab2f5c OpenContrail network plugin
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
2013-11-01 17:46:52 +01:00
Sheng Yang 3205cd42b5 CLOUDSTACK-730: Site-to-site VPN between VPC VR to VR
Now VPN connection can be created as "passive", which would enable the ability
of remote peer to initiate the connection. So it's possible for VPC VR to
establish the connection to another VPC VR of CloudStack.

Test case also included.

The test case would create 2 vpcs and using VPN to connect them.
2013-10-30 19:30:22 -07:00
Sheng Yang 1528725949 CLOUDSTACK-754: Enable Remote Access VPN for VPC
With integration smoke test case.
2013-10-24 17:34:41 -07:00
Sheng Yang ab124a17fa Remove Network Parameter for VPN service provider
It's unnecessary since RemoteAccessVpnVO already have network ID binding with it.
2013-10-17 17:55:47 -07:00
Alex Huang e8cac2c5d8 Changed SearchCriteria2 to GenericQueryBuilder to reflect the same placement 2013-09-28 07:53:26 -07:00
ynojima a45ee749ac CLOUDSTACK-2328: Linux native VXLAN support on KVM hypervisor
Initial patch for VXLAN support.
Fully functional, hopefully, for GuestNetwork - AdvancedZone.

Patch Note:
 in cloudstack-server
- Add isolation method VXLAN
- Add VxlanGuestNetworkGuru as plugin for VXLAN isolation
- Modify NetworkServiceImpl to handle extended vNet range for VXLAN isolation
- Add VXLAN isolation option in zoneWizard UI

 in cloudstack-agent (kvm)
- Add modifyvxlan.sh script that handle bridge/vxlan interface manipulation script
-- Usage is exactly same to modifyvlan.sh
- BridgeVifDriver will call modifyvxlan.sh instead of modifyvlan.sh when VXLAN is used for isolation

Database changes:
- No change in database structure.
- VXLAN isolation uses same tables that VLAN uses to store vNet allocation status.

Known Issue and/or TODO:
- Some resource still says 'VLAN' in log even if VXLAN is used
- in UI, "Network - GuestNetworks" doesn't display VNI
-- VLAN ID field displays "N/A"
- Documentation!

Signed-off-by : Toshiaki Hatano <haeena@haeena.net>
2013-09-26 23:37:18 +09:00
Daan Hoogland 2614b00c51 sdn hosted vpc gateways (using lswitch) 2013-09-18 16:56:56 +02:00
Alex Huang 435e74e914 Commit to try something on removing getZone 2013-09-06 15:40:33 -07:00
Alex Huang 2e5bb63f77 Moved NetworkManagerImpl to NetworkOrchestrator 2013-09-06 15:40:32 -07:00
Toshiaki Hatano 914e7c4542 Revert "CLOUDSTACK-2328: Linux native VXLAN support on KVM hypervisor"
This reverts commit 34ae32e0c2.
2013-08-24 07:12:23 +00:00
Toshiaki Hatano 34ae32e0c2 CLOUDSTACK-2328: Linux native VXLAN support on KVM hypervisor
Initial patch for VXLAN support.
Fully functional, hopefully, for GuestNetwork - AdvancedZone.

Patch Note:
 in cloudstack-server
- Add isolation method VXLAN
- Add VxlanGuestNetworkGuru as plugin for VXLAN isolation
- Modify NetworkServiceImpl to handle extended vNet range for VXLAN isolation
- Add VXLAN isolation option in zoneWizard UI

 in cloudstack-agent (kvm)
- Add modifyvxlan.sh script that handle bridge/vxlan interface manipulation script
-- Usage is exactly same to modifyvlan.sh
- BridgeVifDriver will call modifyvxlan.sh instead of modifyvlan.sh when VXLAN is used for isolation

Database changes:
- No change in database structure.
- VXLAN isolation uses same tables that VLAN uses to store vNet allocation status.

Known Issue:
- Some resource still says 'VLAN' in log even if VXLAN is used
- in UI, "Network - GuestNetworks" doesn't display VNI
-- VLAN ID field displays "N/A"
2013-08-24 01:39:11 +00:00
Alex Huang f23f1530e7 Removed missing class from application context 2013-08-19 14:13:31 -07:00
Daan Hoogland 53d09c6f18 uri code per broadcast/isolation type , default is to accept anything as uri , vlan and lswitch need some extra tlc
Signed-off-by: Hugo Trippaers <htrippaers@schubergphilis.com>
2013-08-15 14:26:26 +02:00
Alena Prokharchyk 4976a67bfc CLOUDSTACK-4193: don't let privateGateway to be created with NULL networkId 2013-08-08 10:49:12 -07:00
Alex Huang 8930cfa983 Switched over to use the new jobs framework 2013-08-02 11:07:55 -07:00
Bharat Kumar 21f1b137cb Cloudstack-3753 Multiple VLAN range API need to accept a list rather than "add" or "remove" per command
Reviewed-by: Alena Prokharchyk

Conflicts:
	server/test/com/cloud/network/MockNetworkManagerImpl.java
2013-08-01 13:36:20 -07:00
Rajesh Battala 24a8d60d6f CLOUDSTACK-62 [AWS Style Health Checks] Response of the API listLoadBalancerRuleInstances should show the service state of a VM if health check is configured for it 2013-07-26 16:40:26 +05:30
Alex Huang 1325014a03 Changed VirtualMachineProfile to be non-generic. From here on VirtualMachineManager will only manage vm instance. It doesn't understand the difference between different types of VMs. This makes the vmsync code to be generic across all vms. 2013-07-22 11:48:11 -07:00
Alex Huang 2d4464d2ba Applied review request 12685 2013-07-19 08:29:33 -07:00
Bharat Kumar d73bb22802 Incorporated the review changes Now dhcpservice IPs are removed when last vm from the subnet is removed. Rebased with master.
Signed-off-by: Abhinandan Prateek <aprateek@apache.org>
2013-07-17 12:35:06 +05:30
Jayapal e46b90078e CLOUDSTACK-3352 fixed removing previous acl rules when empty acl is applied 2013-07-09 12:50:39 +05:30
Murali Reddy 0f40cfbea8 CLOUDSTACK-2045: [Multiple IPs Per Nic] This feature is not working well
in case of networks with external devices after GC

add an exception for networks that use external networking devices and has
secondary guest IP's allocated. On network GC, when network goes through
implement phase a new vlan is allocated, based on the acquired VLAN id cidr
of the network is decided in case of external networking case. While NIC
uses reservation strategy 'Start' which ensures that new primary ip is
allocated for the NIC from the new CIDR. Secondary IP's have hardcoded
IP's in network rules. So prevent network GC.
2013-06-28 12:26:20 +05:30
Hiroaki KAWAI 2d6369c826 CLOUDSTACK-2756: Stratosphere SSP plugin
Stratosphere SSP is an SDN solution which creates virtual L2
networks backed by vxlan and vlan. SSP will ask hypervisor to set a
specific vlan, then SSP will interact with openflow switches and
put vxlan/vlan translation flow rules.

This plugin provides SSP as "connectivity" service provider.

Signed-off-by: Hiroaki KAWAI <kawai@stratosphere.co.jp>
2013-06-25 15:31:40 +09:00
Alena Prokharchyk d66e9c7b51 CLOUDSTACK-2843: Provided an ability to turn off the synchronization being done on the CS agent side,
for number of commands participating in Vm deployment process, as parallel deployment is supported on the hypervisor side.
The behavior is controlled by global config variables:

"execute.in.sequence.hypervisor.commands" (false by default) sets/resets the synchronization for commands:
=========================
StartCommand
StopCommand
CreateCommand
CopyVolumeCommand

"execute.in.sequence.network.element.commands" (false by default) sets/resets the synchronization for commands:
==========================
DhcpEntryCommand
SavePasswordCommand
UserDataCommand
VmDataCommand

As a part of the fix, increased the global lock timeout to 30 mins in several VR scripts:
===========================
edithosts.sh
savepassword.sh
userdata.sh

to support situations when multiple concurrent calls to the script are being made.
2013-06-19 10:12:13 -07:00
Jayapal c1ad3b7974 CLOUDSTACK-2604 Fixed deleting secondary ip when no PF rules set
Signed-off-by: Abhinandan Prateek <aprateek@apache.org>
2013-06-10 12:13:08 +05:30
Murali Reddy 883333c214 CLOUDSTACK-2700:on network/vpc delete, portable IP should be still
associated with account

Unlike public ip which gets dis-associated (released) with the account
on network/VPC delete, portable IP should continue to be associated with
the account even when the network/VPC with which it is currently
associated is deleted. This fix ensures portable IP are associated to
account even after network/vpc is deleted.
2013-05-27 18:44:41 +05:30
Alena Prokharchyk f41d398cf7 Remote access vpn: method name change 2013-05-22 16:05:03 -07:00
Hiroaki Kawai 7260e8d83f CLOUDSTACK-1638: Introduce NetworkMigrationResponder
The location of the virtual machine is provided by DeployDestination, which will
be passed in NetworkGuru#reserve and NetworkElement#prepare.

During the virtual machine migration, it actually changes DeployDestination and
it looks like that it will tell that event to network components as it has
NetworkManager#prepareNicForMigration. The problem is that although the interface
has that method, NetworkManagerImpl does not tell the DeployDestination changes
to network components.

So IMHO, we need to add calls of NetworkGuru#reserve and NetworkElement#prepare
in NetworkManagerImpl#prepareNicForMigration . And then, we also need to add
calls NetworkGuru#release and NetworkElement#release after the migration,
otherwise the network resources that plugin reserved will be kept even when the
vm leaves off.

(Sheng Yang: rebase code, add license header)

Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
2013-05-20 16:43:18 -07:00
Murali Reddy d6452be861 CLOUDSTACK-652: merging 'portable public ip' feature
Squashed commit of the following:

commit f244f9ce7982db16984dd87c31545f1c0240c704
Merge: 993cbb0 f5c8e38
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 20 18:54:05 2013 +0530

    Merge branch 'master' into portablepublicip

    Conflicts:
    	server/src/com/cloud/server/ManagementServerImpl.java
    	server/test/org/apache/cloudstack/networkoffering/ChildTestConfiguration.java

commit 993cbb0df9fa6e64b96b18ed775b73cdf4a8f5d7
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 20 18:49:54 2013 +0530

    introduce 'transferPortableIP' interface method in network manager. This
    method will transfer association of portable ip from one network to
    another network.

commit 0c1c2652c1b39e9a81ca35464360e11ed9ef23f1
Merge: a718d35 a29e393
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Fri May 17 02:48:54 2013 +0530

    Merge branch 'master' into portablepublicip

    Conflicts:
    	utils/src/com/cloud/utils/net/NetUtils.java

commit a718d353f7
Merge: ecca117 c211818
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 13 21:22:19 2013 +0530

    Merge branch 'master' into portablepublicip

    Conflicts:
    	api/src/org/apache/cloudstack/api/ResponseGenerator.java
    	server/src/com/cloud/api/ApiResponseHelper.java
    	server/src/com/cloud/network/NetworkServiceImpl.java
    	server/src/com/cloud/network/addr/PublicIp.java
    	server/src/com/cloud/server/ManagementServerImpl.java
    	server/test/com/cloud/network/MockNetworkManagerImpl.java
    	server/test/com/cloud/vpc/MockConfigurationManagerImpl.java
    	server/test/com/cloud/vpc/MockNetworkManagerImpl.java
    	setup/db/db/schema-410to420.sql

commit ecca117e34
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 13 20:05:29 2013 +0530

    added integration tests for testing portable ip ranges

commit 895a27c277
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 13 15:12:19 2013 +0530

    - establish model for transferring portable IP association from a network
      with which it is associated to another network.

    - enabling static nat api, extended to transfer portable IP across the
      networks if the VM/network is different from the current associate
      network of the portable ip

commit 51509751b2
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Mon May 13 12:05:33 2013 +0530

    separate out associate/disassociate with guest network operations from
    alloc and release of portable ip

commit bd058f58c2
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sun May 12 21:14:48 2013 +0530

    enhance disasociateIPAddr API to release portable IP associated with a
    guest network or VPC

commit 27504d9098
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sun May 12 16:53:45 2013 +0530

    enhance asociateIPAddr API to acquire a portable IP and associate with a
    guest network or VPC

commit f82c6a8431
Merge: 3dbfb44 0749013
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sat May 11 23:32:13 2013 +0530

    Merge branch 'master' into portablepublicip

    Conflicts:
    	api/src/com/cloud/network/IpAddress.java
    	api/src/org/apache/cloudstack/api/ResponseGenerator.java
    	client/tomcatconf/commands.properties.in
    	server/src/com/cloud/api/ApiResponseHelper.java
    	server/src/com/cloud/configuration/ConfigurationManagerImpl.java
    	server/src/com/cloud/server/ManagementServerImpl.java
    	server/test/org/apache/cloudstack/affinity/AffinityApiTestConfiguration.java
    	server/test/org/apache/cloudstack/networkoffering/ChildTestConfiguration.java
    	setup/db/db/schema-410to420.sql

commit 3dbfb44eb5
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sat May 11 20:33:19 2013 +0530

    - add 'portable' boolean as property of IpAddress, persist the property in
    IPAddressVO, return the property in IpAddressResponse

    - add ability to request portable IP in associateIpAddress api

commit bf3cb274cf
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sat May 11 16:08:40 2013 +0530

    add the status of each portable IP (its state, details of associated data
    center/VPC/guest network etc) in the PortableIpRangeResponse returned by
    listPortableIpRanges API

commit e7b2fb2255
Author: Murali Reddy <muralimmreddy@gmail.com>
Date:   Sat May 11 14:36:01 2013 +0530

    Introduces notion of 'portable IP' pool at region level.

    Introduces root admin only API's to provision portable ip to a region
       - createPortableIpRange
       - deletePortableIpRange
       - listPortableIpRanges
2013-05-20 20:05:47 +05:30
Sheng Yang 2d2c0c48cd Merge branch 'pvlan'
Conflicts:
	scripts/vm/hypervisor/xenserver/xenserver60/patch
	server/src/com/cloud/network/NetworkManager.java
	server/src/com/cloud/network/NetworkManagerImpl.java
	server/src/com/cloud/network/NetworkServiceImpl.java
	server/src/com/cloud/network/router/VirtualNetworkApplianceManager.java
	server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
	server/src/com/cloud/network/vpc/VpcManagerImpl.java
	server/src/com/cloud/vm/UserVmManagerImpl.java
	server/test/com/cloud/network/MockNetworkManagerImpl.java
	server/test/com/cloud/vpc/MockNetworkManagerImpl.java
	server/test/com/cloud/vpc/MockVpcVirtualNetworkApplianceManager.java
2013-05-15 16:08:08 -07:00
Jayapal Reddy 2d950e2858 CLOUDSTACK-768: ACL on private gateway 2013-05-13 19:24:23 +05:30