Author: Zhang Hua   Published: 2014-12-01
Copyright notice: this article may be freely reposted; when reposting, please credit the original source and author with a hyperlink and keep this copyright notice
( http://blog.csdn.net/quqi99 )
Group Based Policy provides a higher level of abstraction from the application's point of view, whereas the earlier FWaaS was written more from the programmer's point of view; that is my understanding.
1, The workflow for building a multi-tier application with Group Based Policy is as follows:
a, Associate a policy target with a policy group, and boot the VM on the port that the policy target creates
gbp group-create web
WEB1=$(gbp policy-target-create web-ep-1 --policy-target-group web | awk "/port_id/ {print \$4}")
nova boot --flavor m1.nano --image cirros-0.3.2-x86_64-uec --nic port-id=$WEB1 web-vm-1
b, Policy groups are associated with policy rule sets dynamically
gbp group-update web --provided-policy-rule-sets "icmp-policy-rule-set=true,web-policy-rule-set=true"
c, Policy rule sets contain policy rules; define and then update a policy rule set
gbp policy-rule-set-create web-policy-rule-set --policy-rules web-policy-rule
gbp policy-rule-set-update web-policy-rule-set --policy-rules "secure-web-policy-rule"
d, Define a policy rule from a policy classifier and a policy action
gbp policy-action-create allow --action-type allow
gbp policy-classifier-create web-traffic --protocol tcp --port-range 80 --direction in
gbp policy-rule-create web-policy-rule --classifier web-traffic --actions allow
2, The equivalent workflow with security groups:
a, Boot a VM with a security group
quantum security-group-create ssh
nova boot --image cirros-0.3.1-x86_64-uec --security_groups ssh --flavor 1 jumpbox
b, Create security group rules, allowing hosts that carry the ssh group to reach hosts that carry the web group
quantum security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 ssh
quantum security-group-rule-create --direction ingress --protocol TCP --port-range-min 80 --port-range-max 80 web
quantum security-group-rule-create --direction ingress --protocol TCP --port-range-min 22 --port-range-max 22 --remote-group-id ssh web
3, Judging from the existing GBP implementation above, its main benefit for now is that VMs are decoupled from policy groups, which makes it easier to adjust a VM's policy rules dynamically. Below is the Group Based Policy data model
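To make the decoupling concrete, here is an added in-memory model of the GBP objects used in section 1 (my own illustration, not code from the GBP project). It assumes a rule set behaves as a contract between a providing and a consuming group, that classifier direction "in" means consumer to provider and "out" the reverse, and it adds a constructed "client" group plus a port-443 rule for "secure-web-policy-rule", none of which appear above.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Classifier:              # gbp policy-classifier-create
    protocol: str
    port: int
    direction: str             # "in", "out" or "bi" (assumed semantics, see lead-in)

@dataclass(frozen=True)
class Rule:                    # gbp policy-rule-create
    classifier: Classifier
    action: str                # only "allow" is modelled here

@dataclass
class Group:                   # gbp group-create
    provided: set = field(default_factory=set)   # names of provided rule sets
    consumed: set = field(default_factory=set)   # names of consumed rule sets

class GbpModel:
    def __init__(self):
        self.rule_sets, self.groups, self.targets = {}, {}, {}

    def rule_set_update(self, name, rules):               # policy-rule-set-create/update
        self.rule_sets[name] = tuple(rules)

    def group_update(self, name, provided=(), consumed=()):   # group-create/update
        g = self.groups.setdefault(name, Group())
        g.provided.update(provided)
        g.consumed.update(consumed)

    def target_create(self, name, group):                 # policy-target-create
        self.targets[name] = group                        # the VM's port binds here

    def is_allowed(self, src, dst, protocol, port):
        """True if a rule set linking src's and dst's groups holds a matching allow rule."""
        sg, dg = self.groups[self.targets[src]], self.groups[self.targets[dst]]
        # consumer -> provider traffic matches "in"; provider -> consumer matches "out"
        for names, dirs in ((sg.consumed & dg.provided, {"in", "bi"}),
                            (sg.provided & dg.consumed, {"out", "bi"})):
            for rule in (r for n in names for r in self.rule_sets.get(n, ())):
                c = rule.classifier
                if (rule.action == "allow" and c.protocol == protocol
                        and c.port == port and c.direction in dirs):
                    return True
        return False

def build_demo():
    """Replay the section 1 commands; the client group and target are constructed."""
    m = GbpModel()
    m.rule_set_update("web-policy-rule-set", [Rule(Classifier("tcp", 80, "in"), "allow")])
    m.group_update("web", provided={"web-policy-rule-set"})
    m.group_update("client", consumed={"web-policy-rule-set"})   # constructed consumer
    m.target_create("web-ep-1", "web")
    m.target_create("client-ep-1", "client")                     # constructed target
    return m
```

Updating "web-policy-rule-set" afterwards changes what "web-ep-1" accepts without touching the target or the VM, which is the decoupling described above.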
References:
1, https://wiki.openstack.org/wiki/GroupBasedPolicy/InstallDevstack
2, blog.aaronorosen.com/building-a-multi-tier-application-with-openstack/
3, https://docs.google.com/presentation/d/1Nn1HjghAvk2RTPwvltSrnCUJkidWKWY2ckU7OYAVNpo/edit#slide=id.g1d4b92af0_105