In the OpenNebula newsletter it mentioned that we can leave feature requests for the 5.6 roadmap, so here it goes.
OpenNebula security groups (SGs) are nothing more than firewall rules, while SGs on EC2 are a combination of firewall rules and networks. This combination is what is powerful and what allows you to have a flat network structure with flexibility of dynamically isolating instance groups one from each other.
Here is how SGs work in EC2:
-
All VMs in the same SG can communicate between each other (except if a special rule is created to disable that).
- This means that a SG acts sort of like a special network which allows all machines in a SG to communicate with each other.
- It also makes managing rules in a SG much easier, because VMs in a SG can talk to each other, so no additional rules for that.
-
You can put a different SG as a SRC/DEST in a SG rules
- This is the real magic because it allows you for example to create two SGs: sg-app-worker and sg-app-mysql; then in sg-app-mysql you can just add one rule which would allow SRC: sg-app-worker to connect on TCP port 3306, which would allow all the VMs in the sg-app-worker to connect to the MySQL database.
- What is great about this is that you don’t need to care in what networks VMs are, nor what IPs they have, nor how many app-worker VMs will you have in the future, just add them to the correct SG and it will always work, which is extremely flexible.
To be able to allow app workers to connect to MySQL in OpenNebula currently you need to:
- Create a virtual network app-worker-network (which can be a reservation of IPs).
- This means that you need to plan how big this network should be for future growth (this isn’t a problem for local IPs, because you have a lot of them and can make the network very big, but it is problematic with limited public IPs).
- Let’s not forget what complications you can have if the number of VMs in a network outgrows the network size you created.
- The thing is why should I care how many hosts will be there in the future and what IPs do my VMs have, if I don’t have to.
- Create a SG sg-app-mysql which allows all hosts in network app-worker-network to connect to 3306
- Add rules if the VMs in the same security group need to talk to each other (the same for app-worker).
This is a very complicated process which is almost exactly the same as creating VLANs, networks and ACLs on L3 switches; and it’s not dynamic enough for cloud workloads. In EC2 just two simple security groups with 1 rule to allow one SG to connect to the other on a port does the same thing and it scales to as many VMs as you want.
There are two issues already created for this:
- On our request: https://dev.opennebula.org/issues/5317
- Similar issue which existed before: https://dev.opennebula.org/issues/5226
What do you think? How do you deal with this problem?