Impressions of Neutron Group Based Policy (by quqi99)
2014-12-01 16:05
Author: Zhang Hua, published 2014-12-01
Copyright notice: this article may be freely reposted; when reposting, please credit the original source and author with a hyperlink and include this notice
( http://blog.csdn.net/quqi99 )
Group Based Policy provides a higher level of abstraction from the application's point of view, whereas the older FWaaS/security-group model sits closer to the programmer's point of view; that is my understanding. 1, The workflow for building a multi-tier application with Group Based Policy is as follows (the steps are listed top-down; when typed in, a rule's classifier and action must exist before the rule, the rule before its rule set, and the rule set before a group provides it):
a, Associate a policy target with a policy target group, and boot the VM on the port that the policy target creates
gbp group-create web
WEB1=$(gbp policy-target-create web-ep-1 --policy-target-group web | awk "/port_id/ {print \$4}")
nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$WEB1 web-vm-1
b, Associate policy rule sets with the policy target group dynamically (the rule sets are provided by the group; the VM and its port are not touched)
gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
c, A policy rule set contains policy rules; define the rule set and later update its rules in place
gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
d, Define a policy rule from a policy classifier (what traffic) and a policy action (what to do with it)
gbp policy-action-create allow --action-type allow
gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
2, The workflow for building the same multi-tier application with the older model, Neutron security groups (the post files this under FWaaS), is as follows; quantum is the pre-rename Neutron CLI:
a, Create a security group and boot the VM with that group bound to it
quantum security-group-create ssh
nova boot --image cirros-0.3.1-x86_64-uec --security_groups ssh --flavor 1 jumpbox
b, Create the security-group rules: allow tcp/22 into the ssh group, tcp/80 into the web group, and tcp/22 into the web group only from hosts that are members of the ssh group (--remote-group-id). The web group must be created first, as ssh was in step a.
quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 ssh
quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 80 --port-range-max 80 web
quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-group-id ssh web
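The four GBP steps above are written top-down, but the objects must be created bottom-up, and the security-group steps reference a web group that has to exist before its rules. The script below is an added example, not code from the original post or from the GBP project: it runs the section 1 procedure in dependency order, performs the rule-set swap of steps b and c, and runs the section 2 procedure, so the two models can be compared side by side. It assumes the gbp, nova and quantum CLIs on PATH against a devstack with the post's image and flavor names; the function and script names are invented here, and the classifier behind secure-web-policy-rule (tcp/443 inbound) is an assumption, since the post only names that rule. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the GBP project: the GBP
# workflow of section 1 executed in dependency order (action/classifier ->
# rule -> rule set -> group -> policy target -> VM), the rule-set swap of
# steps b/c, and the security-group workflow of section 2.
# Assumptions: gbp, nova and quantum CLIs on PATH against a devstack with the
# post's image and flavor names; DRY_RUN=1 prints each command instead of
# running it.
set -eu

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pull the port UUID out of the table that "gbp policy-target-create" prints
# (a "| port_id | <uuid> |" row); equivalent to the awk one-liner in step a,
# but keyed on the column separator rather than on a whitespace field number.
extract_port_id() {
    awk -F'|' '/port_id/ { gsub(/ /, "", $3); print $3 }'
}

# Section 1: steps d, c, a, b, a in the order the objects must exist.
gbp_web_tier() {
    run gbp policy-action-create allow --action-type allow
    run gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
    run gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
    run gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
    run gbp group-create web
    # The rule set is attached to the group, never to the VM or its port.
    run gbp group-update web --provided-policy-rule-sets "web-policy-rule-set=true"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        port_id='<port_id>'
        run gbp policy-target-create web-ep-1 --policy-target-group web
    else
        port_id=$(gbp policy-target-create web-ep-1 --policy-target-group web | extract_port_id)
    fi
    run nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic "port-id=$port_id" web-vm-1
}

# Dynamic adjustment (steps b and c): replace the rules in the rule set the
# group already provides. secure-web-policy-rule is only named in the post;
# the tcp/443 inbound classifier for it is an assumption made here.
gbp_tighten_web_tier() {
    run gbp policy-classifier-create secure-web-traffic --protocol tcp --port-range 443 --direction in
    run gbp policy-rule-create secure-web-policy-rule --classifier secure-web-traffic --actions allow
    run gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
}

# Section 2 with the security-group model: the "web" group must exist before
# rules reference it, and the policy is bound to each VM at boot time.
sg_web_tier() {
    run quantum security-group-create ssh
    run quantum security-group-create web
    run quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 ssh
    run quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 80 --port-range-max 80 web
    # ssh into the web tier only from members of the ssh group (the jumpbox).
    run quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-group-id ssh web
    run nova boot --image cirros-0.3.1-x86_64-uec --security-groups ssh --flavor 1 jumpbox
    run nova boot --image cirros-0.3.1-x86_64-uec --security-groups web --flavor 1 web-vm-1
}

# Usage: DRY_RUN=1 sh gbp-web-tier.sh gbp|tighten|sg
case "${1:-}" in
    gbp) gbp_web_tier ;;
    tighten) gbp_tighten_web_tier ;;
    sg) sg_web_tier ;;
esac
```

The point to notice is gbp_tighten_web_tier: changing what the web tier accepts touches only a classifier, a rule and the rule set; the policy target, its port and the VM are never referenced. In sg_web_tier the policy is bound to each VM at boot through --security-groups, so a comparable change means editing the group's rules or re-associating ports.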
3, Judging from the GBP implementation so far, its benefit is that the VM is decoupled from the policy group: the VM binds only to a policy target, and the rules that apply to it are changed by updating the group's provided rule sets (step b) or the rules inside a rule set (step c), never by touching the VM, which makes adjusting a VM's policy rules dynamically much easier. The Group Based Policy data model (policy target -> policy target group -> provided/consumed policy rule sets -> policy rules -> classifier + actions) is shown in the figure below:
References:
1, https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallDevstack
2, blog.aaronorosen.com/building-a-multi-tier-application-with-openstack/
3, https://docs.google.com/presentation/d/1Nn1HjghAvk2RTPwvltSrnCUJkidWKWY2ckU7OY***Npo/edit#slide=id.g1d4b92af0_105