[openstack-dev] [neutron] [designate] multi-tenancy in Neutron's DNS integration

Mike Spreitzer mspreitz at us.ibm.com
Mon May 9 20:45:06 UTC 2016


"Hayes, Graham" <graham.hayes at hpe.com> wrote on 05/09/2016 04:08:07 PM:

> ...
> On 09/05/2016 20:55, Mike Spreitzer wrote:
> ...
> > Oh, right, the network gets to specify the rest of the FQDN.  In my case
> > I am interested in Neutron Ports on tenant networks.  So with a per-port
> > "hostname" (first label) and per-network "domain" (rest of the labels),
> > I would get separation between tenants --- at least in the sense that
> > there is no overlap in FQDNs.  Will this work for private tenant networks?
> 
> Yes, you could publish the records to Designate for this, or use the
> internal DNS resolution side of the integration.
> 
> Pushing the records to Designate would make them viewable globally
> (anywhere the DNS servers are accessible).
> 
> 
> > The other part of separation is that I do not want one tenant to even be
> > able to look up FQDNs that belong to another tenant.  Is this
> > prohibition possible today?  If not, is anyone else interested in it?
> 
> Do you want to limit this to inside the tenant private network? If so,
> just allowing users to set the dns_domain on a network, and not enabling
> the external DNS plugin will work fine.

Ah, that may be what I want.  BTW, I am not planning to use Nova.  I am 
planning to use Swarm and Kubernetes to create containers attached to 
Neutron private tenant networks.  What DNS server would I configure those 
containers to use?

Thanks,
Mike



