mirror of https://github.com/apache/cloudstack.git
bf4f1bbb90
This extends work presented on #2048 on which the ability to extend the management range is provided. Aim This PR allows separating the management network subnet on which SSVM and CPVM are from the virtual routers management subnet. Detailed use case PCI compliance requires that network elements are defined as ‘in scope’ or ‘out of scope’, for compliance purposes. The SSVM and CPVM are both in scope as they allow public HTTP or HTTPS connections. The virtual routers have been defined as out of scope as they have been placed entirely in a firewalled network's segment. However, all of the system VM types share management network. As SSVM and CPVM are both in scope this would bring the virtual routers into scope as well, requiring individual audits of every virtual router. As this is not practical, the ‘management network’ which the SSVM and CPVM are on, and the management network which the virtual routers are on, must be separated by a firewall. Description By this feature it is possible to dedicate a created range for SSVM and CPVM (system vms) and provide a VLAN ID for its range. A new boolean global configuration is added: system.vm.management.ip.reservation.mode.strictness. If enabled, the use of System VMs management IP reservation is strict, preferred if not. Default value is false (preferred). Strict reservation: System VMs should try to get a private IP from a range marked for system vms. If not available, deployment fails Preferred reservation: System VMS will try to get a private IP from a range marked for system vms. If not available, IP for range not marked for system vms is taken. |
||
|---|---|---|
| .. | ||
| css | ||
| images | ||
| l10n | ||
| lib | ||
| modules | ||
| plugins | ||
| scripts | ||
| tests | ||
| error.html | ||
| index.html | ||