Thoughts about the firewaller

roger peppe roger.peppe at canonical.com
Thu Oct 11 10:11:02 UTC 2012


On 10 October 2012 17:34, Gustavo Niemeyer
<gustavo.niemeyer at canonical.com> wrote:
> On Wed, Oct 10, 2012 at 11:49 AM, Frank Mueller
> <frank.mueller at canonical.com> wrote:
>> - problem: we have bad scaling due to the re-opening of all needed ports after a restart
>
> This is actually not a problem we have to solve now, because it's
> actually not even a problem we really have at the moment. The
> number of security groups is limited to a very low number by Amazon
> itself, so it's impossible for now to pass through that limit to a
> scale where this would be visible.
>
> The ideas that follow also seem to address the firewaller general
> implementation, while I'm hoping we can keep our focus on implementing
> global mode support without introducing further problems.
>
> Here is what I suggest we try to do, and why:

These seem like excellent suggestions in general. I have
a few comments below.

> 1) Introduce FwInstance, so that we can tell outside of the providers
> what the default mode is. We can't ever use FwDefault outside of the
> provider, since default in this case means the *provider's* default,
> and we cannot tell what that is without asking the provider itself.

+1

> 2) In the EnvironProvider.Validate methods of ec2 and dummy, transform
> FwDefault into FwInstance

I'm not sure about this. Why do we need FwDefault at all? The usual way
of specifying a default value is by omitting the value from the configuration,
and it seems like that might work OK here.

> 3) Introduce EnvironProvider.OpenPort, ClosePort, and OpenedPorts.
> These methods act on the global group at all times, and return an
> error in case the provider does not support the global mode

s/EnvironProvider/Environ/ presumably?

> 4) Rollback the changes we did to ec2 and dummy to have FwGlobal
> changing what Instance.OpenPort means. If we ask to open a port on an
> instance, we should open the port on *that* instance, not everywhere.

emphatic +1.

> 5) Make Instance.OpenPort, ClosePort and OpenedPorts fail if the
> provider does not support FwInstance.

+1

> 6) Change the firewaller so that it checks the mode. If it is
> FwGlobal, it should start by asking the provider about all the opened
> ports, and should open and close ports against the provider itself as
> necessary, rather than against the individual instances.

+1

That all seems much cleaner.
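As an added illustration of points 3 to 6 above (example code written for this page, not Juju's firewaller or provider code), the sketch below gives the global group and a single instance the same port surface and lets the firewaller pick the level from the mode. FwInstance and FwGlobal are the thread's names; everything else is assumed for the example: PortTarget, PortSet, ErrUnsupportedMode, minus, syncTarget, Reconcile and fake are mine, the methods are taken to work on slices of "proto/port" strings (OpenPorts, ClosePorts, Ports) rather than the singular OpenPort/ClosePort/OpenedPorts named in the thread, and the fake provider is constructed in-memory state standing in for ec2 or dummy. The global target answers only under FwGlobal and an instance target only under FwInstance, so a firewaller that asks an instance to open a port while the provider is in global mode gets an error instead of silently opening the port everywhere.

```go
package main

import "errors"

// FirewallMode is what the firewaller dispatches on. There is no FwDefault: the
// provider resolves its own default to one of these while validating its config.
type FirewallMode int

const (
	FwInstance FirewallMode = iota // ports are opened on each instance's own group
	FwGlobal                       // ports are opened on one group shared by all instances
)

// ErrUnsupportedMode (an assumed name, not Juju's) comes back from the level the
// mode does not use: the global group under FwInstance, an instance under FwGlobal.
var ErrUnsupportedMode = errors.New("firewall mode not supported by provider")

type PortSet map[string]bool // "proto/port" -> open; a false entry is a closed port

// PortTarget is the port surface the environ (global group only) and a single
// instance (that instance only) share; illustrative, not Juju's real interfaces.
type PortTarget interface {
	OpenPorts(ports []string) error
	ClosePorts(ports []string) error
	Ports() (PortSet, error)
}

// minus returns the open ports of a that are not open in b.
func minus(a, b PortSet) []string {
	var out []string
	for p, open := range a {
		if open && !b[p] {
			out = append(out, p)
		}
	}
	return out
}

// syncTarget asks t what is open, opens what it lacks from want and closes the rest.
func syncTarget(t PortTarget, want PortSet) error {
	have, err := t.Ports()
	if err != nil {
		return err
	}
	if err := t.OpenPorts(minus(want, have)); err != nil {
		return err
	}
	return t.ClosePorts(minus(have, want))
}

// Reconcile is the firewaller step from the thread: check the mode first. Under
// FwGlobal the union of every instance's wants goes to the global group in one
// place; under FwInstance each instance is fixed up on its own, and an instance
// absent from want has every port closed.
func Reconcile(mode FirewallMode, global PortTarget, insts map[string]PortTarget, want map[string]PortSet) error {
	if mode == FwGlobal {
		union := PortSet{}
		for _, ps := range want {
			for p, open := range ps {
				union[p] = union[p] || open
			}
		}
		return syncTarget(global, union)
	}
	for id, inst := range insts {
		if err := syncTarget(inst, want[id]); err != nil {
			return err
		}
	}
	return nil
}

// fake is a constructed in-memory stand-in for one firewall level of an
// ec2/dummy-like provider; ok is whether the provider's mode uses this level.
type fake struct {
	set PortSet
	ok  bool
}

func (f fake) Ports() (PortSet, error) {
	if !f.ok {
		return nil, ErrUnsupportedMode
	}
	return f.set, nil
}

func (f fake) change(ps []string, open bool) error {
	if !f.ok {
		return ErrUnsupportedMode
	}
	for _, p := range ps {
		f.set[p] = open
	}
	return nil
}

func (f fake) OpenPorts(ps []string) error  { return f.change(ps, true) }
func (f fake) ClosePorts(ps []string) error { return f.change(ps, false) }
```

To try it, keep one map[string]PortSet per provider with "" as the global group's key, build fake{groups[""], mode == FwGlobal} for the environ and fake{groups[id], mode == FwInstance} for each instance, then call Reconcile with the mode and a map from instance id to the ports that instance should expose. Under FwInstance an instance missing from that map has whatever it had open closed again; under FwGlobal the instance groups are never touched and only the global group changes. Closing is modelled by writing false into the set rather than deleting the key, which is why minus checks the value and not just the key's presence.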



More information about the Juju-dev mailing list