<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" size="2"> <span>See inline comments.<br><br>Thanks<br><br></span><br><br><font color="#990099">-----Salvatore Orlando <a class="moz-txt-link-rfc2396E" href="mailto:sorlando@nicira.com"><sorlando@nicira.com></a> wrote: -----</font><div style="padding-left: 5px;"><div style="padding-right: 0px; padding-left: 5px; border-left: 2px solid black;">To: Yong Sheng Gong/China/IBM@IBMCN<br>From: Salvatore Orlando <a class="moz-txt-link-rfc2396E" href="mailto:sorlando@nicira.com"><sorlando@nicira.com></a><br>Date: 07/12/2012 09:11AM<br>Cc: <a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>Subject: Re: [Openstack] [Quantum] Public Network spec proposal<br><br><div>Yong, </div><div>thanks for your feedback. See my comments inline.</div><div><br></div>Sorry for sending the previous email to the wrong list! <div>Yong, thanks for fixing the recipients.<br><br><div class="gmail_quote">
On 11 July 2012 17:38, Yong Sheng Gong <span dir="ltr"><<a href="mailto:gongysh@cn.ibm.com" target="_blank">gongysh@cn.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"> <span>Hi,<br>Thanks for the spec.<br>Below is my understanding of it:<br></span><ul><li><span>About POST network:</span></li></ul><span>quantum net-create --tenant_id mynet --public True<br>
</span></font></blockquote><div><br></div><div>Sounds correct, but I think that the convention with boolean attributes is that if they're specified on the command line then they're true, otherwise false.</div><div>
so the above command could become:</div><div><br></div><div><span style="font-family: 'Default Sans Serif',Verdana,Arial,Helvetica,sans-serif;">quantum net-create --tenant_id mynet --public</span> <br>[yong sheng gong] As you know, bool has just two values, True or False; we should use three-valued logic here: True, False, or not specified.<br>True means we list only public networks, False means we show only private networks, and not specified means we don't care whether the network is public or private.<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span><br></span><ul><li><span>About GET networks:</span></li></ul><span>quantum net-list --tenant_id myid<br>which should return all the networks owned by myid and the public networks.<br>
quantum net-list --tenant_id myid --public True<br></span><span>which should return only public networks.</span></font></blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span>quantum net-list --tenant_id myid --public False</span><br><span>which should return the non-public networks owned by myid.<br>quantum net-list<br>
Which should return only public networks if there is no tenant_id in context.<br></span></font></blockquote><div><br></div><div>I am still a bit undecided concerning the CLI syntax for this operation.</div><div>My current thinking is:</div>
<div><br></div><div>quantum net-list --tenant_id myid</div><div>- return private networks for tenant myid</div><div>quantum net-list --public</div><div>- return public networks (--tenant_id, if specified, is ignored).</div>
<div><br></div><div>The drawback is that we will need two calls to know all the networks, private and public, a tenant has access to. I have a similar dilemma in the filter discussion on the spec.</div><div>What's your opinion?<br>[yong sheng gong] With my three-valued logic, we need only one call.<br></div>
<div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span></span><ul><li><span>About subnets</span></li>
</ul>Only the public network's owner can operate (create/list/show/update) subnets for a public network. <br></font></blockquote><div><br></div><div>Correct </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span></span><ul><li><span>About create Port</span></li></ul><span>The public network's owner can create ports normally; I mean they can specify fixed_ip, mac and other stuff.<br>
Other tenants can create ports under a public network, but they cannot specify the fixed_ip or mac. How are fixed_ip and mac populated?</span></font> </blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span>Are they still allocated auto just the same way when we create the normal port?<br></span></font></blockquote><div><br></div><div>Correct, they are autogenerated.</div>
<div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span>I think we can disallow other tenants from creating ports under a public network. If they need to use a public network's ports, they can get them from the public network's owner.<br>
</span></font></blockquote><div><br></div><div>This would simplify the authZ scenario a lot. I am not sure whether this would work for our use cases.</div><div>My concerns are:</div><div>1) If we restrict port creation to the owner of the network, we would probably need the owner to "pre-allocate" a number of ports for tenants to use.<br>[yong sheng gong] If not pre-allocated, a port with a specified IP will not work, since the customer tenant cannot create a port with a specified IP.<br></div>
<div>2) We should still allow the PUT operation for normal tenants, as they will set the device_id of the VM they've attached to the port.<br>[yong sheng gong] Yes. PUT should be allowed on the device_id field of the port.<br></div><div><br></div><div>Nevertheless, the proposed change to the design is valuable in my opinion, and I am very keen to hear what the other members of the community think of it.</div>
<div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span>So the scenario looks like this:<br>
1. public owner creates public network<br>2. public owner creates subnets under the public network<br>3. public owner creates port, with fixed_ip, mac and other stuff populated.<br>4. other tenant asks for using the port under the public network<br>
5. public owner assigns a port to the customer tenant<br></span></font></blockquote><div><br></div><div>Do you mean that in this step the ownership of the port object is given to the tenant?<br>[Yong sheng gong] I think ownership is not given up. We just add one more field to record who is using this port. After that, 'quantum port-list --tenant_id' should also have a --public option to show ports assigned to the tenant.<br></div><div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><span>6. customer tenant associates its instance with the port. At this time, the port's device_id is populated.<br></span><br>With this scenario:<br>1. nova integration<br>
We can specify the ports when booting an instance.<br>So besides nova boot --nic net-id=privatenetworkid,ipv4-ip=ip1<br>we have nova boot --nic port-id=portid,<br>where the portid can be a port under a public network or a port under a private network.<br>
<br>Thanks<br>Yong Sheng Gong<br><br><font color="#990099">-----openstack-bounces+gongysh=<a href="mailto:cn.ibm.com@lists.launchpad.net" target="_blank">cn.ibm.com@lists.launchpad.net</a> wrote: -----</font><div style="padding-left: 5px;">
<div style="padding-right: 0px; padding-left: 5px; border-left: 2px solid black;">To: openstack <a href="mailto:openstack@lists.launchpad.net" target="_blank"><openstack@lists.launchpad.net></a><br>From: Salvatore Orlando <u></u><br>
Sent by: <a href="mailto:openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net" target="_blank">openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net</a><br>Date: 07/12/2012 06:59AM<br>Subject: [Openstack] [Quantum] Public Network spec proposal<div>
<div class="h5"><br><br>Hi, <div><br></div><div>A proposal for the implementation of the public networks feature has been published.</div><div>It can be reached from the quantum-v2-public-networks blueprint page [1].</div>
<div>Feedback is more than welcome!</div>
<div><br></div><div>Regards,</div><div>Salvatore</div><div><br></div><div>[1]: <a href="https://blueprints.launchpad.net/quantum/+spec/quantum-v2-public-networks" target="_blank">https://blueprints.launchpad.net/quantum/+spec/quantum-v2-public-networks</a></div>
</div></div><div><font face="Courier New,Courier,monospace">_______________________________________________<br>Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br></font></div><u></u></div></div></font>
</blockquote></div><br></div>
</div></div></font>
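<div>The access rules debated in the thread above, modelled as an added example. This is illustrative code written for this page, not Quantum's implementation and not part of the e-mail exchange. It covers the three-valued <code>--public</code> filter on net-list (True, False, not specified) and the port authorization that both sides agree on for public networks: the network owner may set any port attribute, another tenant may create a port on a public network only if it leaves fixed_ip and mac to be auto-allocated, and may later PUT only device_id on its own port. Every name here (Network, Port, Ctx, Forbidden, filter_networks, authorize_port_create, authorize_port_update) is an assumption made for the example.</div>

```python
"""Toy model of the public-network authZ rules discussed in the thread.

Added illustrative example, not Quantum's code. All class and function
names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str      # owner of the network
    public: bool


@dataclass
class Port:
    id: str
    network_id: str
    tenant_id: str      # tenant that created the port
    fixed_ip: Optional[str] = None
    mac_address: Optional[str] = None
    device_id: Optional[str] = None


@dataclass(frozen=True)
class Ctx:
    tenant_id: Optional[str]   # None models "no tenant_id in context"


class Forbidden(Exception):
    """Raised when the authZ check rejects the request."""


# Port attributes only the network owner may set on a public network;
# for any other caller they must be omitted and are auto-allocated.
OWNER_ONLY_PORT_ATTRS = frozenset({"fixed_ip", "mac_address"})


def _owns(ctx, network):
    return ctx.tenant_id is not None and ctx.tenant_id == network.tenant_id


def filter_networks(ctx, networks, public=None):
    """net-list with the three-valued --public filter from the reply.

    public=True  -> only public networks (owner does not matter)
    public=False -> only the caller's own non-public networks
    public=None  -> caller's own networks plus every public network,
                    so one call returns everything the caller can use
    A context with no tenant_id therefore sees public networks only.
    """
    def visible(n):
        if public is True:
            return n.public
        if public is False:
            return _owns(ctx, n) and not n.public
        return _owns(ctx, n) or n.public

    return [n for n in networks if visible(n)]


def authorize_port_create(ctx, network, attrs):
    """Check a POST /ports; attrs is the request body (name -> value).

    Returns the set of attribute names the server must auto-allocate
    for this caller, or raises Forbidden.
    """
    if _owns(ctx, network):
        return frozenset()            # owner may set fixed_ip, mac, ...
    if not network.public:
        raise Forbidden("only the owner may create ports on a private network")
    requested = {k for k, v in attrs.items() if v is not None}
    illegal = OWNER_ONLY_PORT_ATTRS & requested
    if illegal:
        raise Forbidden("non-owner may not set %s on a public network"
                        % ", ".join(sorted(illegal)))
    return OWNER_ONLY_PORT_ATTRS      # allocate these for the caller


def authorize_port_update(ctx, network, port, attrs):
    """Check a PUT /ports/<id>.

    The network owner may change anything. Another tenant may only touch
    its own port on a public network, and only its device_id (the VM it
    attached), which both sides of the thread agree must stay allowed.
    """
    if _owns(ctx, network):
        return
    if not network.public or port.tenant_id != ctx.tenant_id:
        raise Forbidden("port belongs to another tenant")
    extra = set(attrs) - {"device_id"}
    if extra:
        raise Forbidden("non-owner may only update device_id, not %s"
                        % ", ".join(sorted(extra)))
```

<div>The point of the two separate decisions in <code>authorize_port_create</code> is that "is the network public" and "did the caller try to pin an address" are independent checks: a non-owner on a private network is rejected outright, while a non-owner on a public network is rejected only when the body carries an owner-only attribute, and the returned set tells the caller what the server will fill in instead. In the pre-allocation variant Yong proposes, the same PUT rule applies, with the "one more field to record who is using this port" taking the place of <code>port.tenant_id</code> in <code>authorize_port_update</code>.</div>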