Open Stack

Harshad,

By service instance I referred to the logical entities that Neutron creates (e.g. Neutron's router). I see a service VM as a (virtual) host where one or several service instances can be placed.
The service VM (at least if managed through Nova) will belong to a tenant and the service instances are owned by tenants.

If the service VM tenant is different from service instance tenants (which is a simple way to "hide" the service VM from the tenants owning the service instances) then it is not clear to me how the existing access control in openstack will support pinning the service VM to a particular tenant owning a service instance.

Thanks,
Bob

From: Harshad Nakil <hnakil at contrailsystems.com<mailto:hnakil at contrailsystems.com>>
Reply-To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: onsdag 9 oktober 2013 18:56
To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases

Admin creating service instance for a tenant could common use case. But ownership of service can be controlled via already existing access control mechanism in openstack. If the service instance belonged to a particular project then other tenants should by definition should not be able to use this instance.

On Tue, Oct 8, 2013 at 11:34 PM, Bob Melander (bmelande) <bmelande at cisco.com<mailto:bmelande at cisco.com>> wrote:
For use case 2, ability to "pin" an admin/operator owned VM to a particular tenant can be useful.
I.e., the service VMs are owned by the operator but a particular service VM will only allow service instances from a single tenant.

Thanks,
Bob

From: <Regnier>, Greg J <greg.j.regnier at intel.com<mailto:greg.j.regnier at intel.com>>
Reply-To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: tisdag 8 oktober 2013 23:48
To: "openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: [openstack-dev] [Neutron] Service VM discussion - Use Cases

Hi,

Re: blueprint:  https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms

Before going into more detail on the mechanics, would like to nail down use cases.

Based on input and feedback, here is what I see so far.



Assumptions:



- a 'Service VM' hosts one or more 'Service Instances'

- each Service Instance has one or more Data Ports that plug into Neutron networks

- each Service Instance has a Service Management i/f for Service management (e.g. FW rules)

- each Service Instance has a VM Management i/f for VM management (e.g. health monitor)



Use case 1: Private Service VM

Owned by tenant

VM hosts one or more service instances

Ports of each service instance only plug into network(s) owned by tenant



Use case 2: Shared Service VM

Owned by admin/operator

VM hosts multiple service instances

The ports of each service instance plug into one tenants network(s)

Service instance provides isolation from other service instances within VM



Use case 3: Multi-Service VM

Either Private or Shared Service VM

Support multiple service types (e.g. FW, LB, …)


-          Greg

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131010/b434ddb3/attachment.html>