[openstack-dev] [Neutron] Partially Shared Networks
jaypipes at gmail.com
Mon Jan 13 15:32:17 UTC 2014
On Mon, 2014-01-13 at 10:23 +0000, Stephen Gran wrote:
> I don't think that's what's being asked for. Just that there be more
> than the current check for '(isowner of network) or (shared)'
> If the data point could be 'enabled for network' for a given tenant,
> that would be more flexible.
Agreed, but I believe Mathieu is thinking more in terms of how such a
check could be implemented. What makes this problematic (at least in my
simplistic understanding of Neutron wiring) is that there is no
guarantee that tenant A's subnet does not overlap with tenant B's
subnet. Because Neutron allows overlapping subnets (since Neutron uses
network namespaces for isolating traffic), code would need to be put in
place that says, basically, "if this network is shared between tenants,
then do not allow overlapping subnets, since a single, shared network
namespace will be needed that routes traffic between the tenants".
Or at least, that's what I *think* is part of the problem...
> On 13/01/14 10:06, Mathieu Rohon wrote:
> > Hi,
> > This is something that we potentially could implement during the
> > implementation of the isolated-network bp 
> > Basically, on an isolated network, an ARP responder will respond to
> > ARP requests. For an L2 network which is totally isolated, the ARP
> > responder will only respond to ARP requests for the gateway; other
> > broadcast requests will be dropped (except for DHCP requests).
> > We could enhance this feature to populate the ARP responder so that if
> > tenant A and tenant B want to be able to communicate on this shared
> > and isolated network, the ARP responder for the VM of tenant A will be
> > populated with the MAC address of the VM of tenant B, and vice versa.
> >  https://blueprints.launchpad.net/neutron/+spec/isolated-network
> > On Fri, Jan 10, 2014 at 10:00 PM, Jay Pipes <jaypipes at gmail.com> wrote:
> >> On Fri, 2014-01-10 at 17:06 +0000, CARVER, PAUL wrote:
> >>> If anyone is giving any thought to networks that are available to
> >>> multiple tenants (controlled by a configurable list of tenants) but
> >>> not visible to all tenants I’d like to hear about it.
> >>> I’m especially thinking of scenarios where specific networks exist
> >>> outside of OpenStack and have specific purposes and rules for who can
> >>> deploy servers on them. We’d like to enable the use of OpenStack to
> >>> deploy to these sorts of networks but we can’t do that with the
> >>> current “shared or not shared” binary choice.
> >> Hi Paul :) Please see here:
> >> https://firstname.lastname@example.org/msg07268.html
> >> for a similar discussion.
> >> best,
> >> -jay
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
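An added sketch, not part of the thread and not Neutron code, of the check discussed above: the existing "(is owner) or (shared)" test extended with a per-tenant "enabled for network" list, where granting access is refused if the tenant's own subnets overlap the network's. The `Network` model, `can_use` and `grant_access` are hypothetical names, and the CIDRs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Network:
    # Hypothetical model for illustration; not Neutron's schema.
    owner: str
    shared: bool = False                               # visible to every tenant
    allowed_tenants: set = field(default_factory=set)  # "enabled for network"
    subnets: list = field(default_factory=list)        # CIDR strings


def can_use(net, tenant):
    """Owner, globally shared, or explicitly enabled for this tenant."""
    return tenant == net.owner or net.shared or tenant in net.allowed_tenants


def overlapping(cidrs_a, cidrs_b):
    """Return the (a, b) CIDR pairs whose address ranges intersect."""
    hits = []
    for a in cidrs_a:
        for b in cidrs_b:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                hits.append((a, b))
    return hits


def grant_access(net, tenant, tenant_subnets):
    """Enable `tenant` on `net` only if no address ranges collide.

    Once two tenants sit on one network they can no longer rely on
    separate namespaces to disambiguate overlapping ranges, so the
    grant is rejected instead of silently creating ambiguous routing.
    """
    clashes = overlapping(net.subnets, tenant_subnets)
    if clashes:
        raise ValueError(f"overlapping subnets for {tenant}: {clashes}")
    net.allowed_tenants.add(tenant)
    return True


if __name__ == "__main__":
    net = Network(owner="tenant-a", subnets=["10.0.0.0/24"])
    grant_access(net, "tenant-b", ["192.168.1.0/24"])
    print(can_use(net, "tenant-b"), can_use(net, "tenant-c"))
```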