<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body dir="auto">
<div>Possibly, but not necessarily. Some VMs have a large footprint and multi-service capability, and physical devices with capabilities sufficient for tenant isolation are not that rare (especially if tenants can only indirectly "control" them through a cloud
 service API).</div>
<div><br>
</div>
<div>My point is that if we take into account, in the design, the case where multiple service instances are hosted by a single service VM we'll be well positioned to support other use cases. But that is not to say the implementation effort should target that
 aspect initially.</div>
<div><br>
Thanks,</div>
<div> Bob</div>
<div><br>
On 10 Oct 2013, at 15:12, "Harshad Nakil" <<a href="mailto:hnakil@contrailsystems.com">hnakil@contrailsystems.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>Won't it be simpler to keep a service instance as one or more VMs, rather than 1 VM being many service instances?</div>
<div>Usually an appliance is collectively (all its functions) providing a service, like a firewall or load balancer. An appliance is packaged as a VM. </div>
<div>It will be easier to manage.</div>
<div>It will be easier for the provider to charge. </div>
<div>It will be easier to control resource allocation. </div>
<div>Once an appliance is a physical device, then you have all of the above issues, and usually the multi-tenancy implementation is weak in most physical appliances. <br>
<br>
Regards
<div>-Harshad</div>
<div><br>
</div>
</div>
<div><br>
On Oct 10, 2013, at 12:44 AM, "Bob Melander (bmelande)" <<a href="mailto:bmelande@cisco.com">bmelande@cisco.com</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>Harshad,</div>
<div><br>
</div>
<div>By service instance I referred to the logical entities that Neutron creates (e.g. Neutron's router). I see a service VM as a (virtual) host where one or several service instances can be placed.</div>
<div>The service VM (at least if managed through Nova) will belong to a tenant and the service instances are owned by tenants.</div>
<div><br>
</div>
<div>If the service VM tenant is different from the service instance tenants (which is a simple way to "hide" the service VM from the tenants owning the service instances), then it is not clear to me how the existing access control in OpenStack will support pinning
 the service VM to a particular tenant owning a service instance. </div>
<div><br>
</div>
<div>Thanks,</div>
<div>Bob</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Harshad Nakil <<a href="mailto:hnakil@contrailsystems.com">hnakil@contrailsystems.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>OpenStack Development Mailing List <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday 9 October 2013 18:56<br>
<span style="font-weight:bold">To: </span>OpenStack Development Mailing List <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div class="gmail_extra">An admin creating a service instance for a tenant could be a common use case. But ownership of the service can be controlled via the already existing access control mechanism in OpenStack. If the service instance belonged to a particular project then
 other tenants should by definition not be able to use this instance.<br>
<br>
<div class="gmail_quote">On Tue, Oct 8, 2013 at 11:34 PM, Bob Melander (bmelande)
<span dir="ltr"><<a href="mailto:bmelande@cisco.com" target="_blank">bmelande@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>For use case 2, ability to "pin" an admin/operator owned VM to a particular tenant can be useful.</div>
<div>I.e., the service VMs are owned by the operator but a particular service VM will only allow service instances from a single tenant.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Bob</div>
<div><br>
</div>
<span>
<div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From: </span>Regnier, Greg J <<a href="mailto:greg.j.regnier@intel.com" target="_blank">greg.j.regnier@intel.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>OpenStack Development Mailing List <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday 8 October 2013 23:48<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>[openstack-dev] [Neutron] Service VM discussion - Use Cases<br>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Re: blueprint:  <a href="https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms" target="_blank">
https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms</a><u></u><u></u></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Before going into more detail on the mechanics, would like to nail down use cases. 
<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Based on input and feedback, here is what I see so far. 
<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Assumptions:<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">- a 'Service VM' hosts one or more 'Service Instances'<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">- each Service Instance has one or more Data Ports that plug into Neutron networks<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">- each Service Instance has a Service Management i/f for Service management (e.g. FW rules)<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">- each Service Instance has a VM Management i/f for VM management (e.g. health monitor)<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Use case 1: Private Service VM
<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Owned by tenant<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">VM hosts one or more service instances<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Ports of each service instance only plug into network(s) owned by tenant<u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Use case 2: Shared Service VM<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Owned by admin/operator<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">VM hosts multiple service instances<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">The ports of each service instance plug into one tenant's network(s)<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Service instance provides isolation from other service instances within VM<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif"> <u></u><u></u></span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11pt;font-family:Calibri,sans-serif">Use case 3: Multi-Service VM<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Either Private or Shared Service VM<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Support multiple service types (e.g. FW, LB, …)<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p style="margin-left:.75in"><span>-<span style="font:7.0pt 'Times New Roman'">         
</span></span>Greg<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</span></div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
</blockquote>
</body>
</html>