<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>While specification of which networks a service VM has interfaces on indicates which tenant(s) it serves, that by itself does not allow setting constraints on which tenants that VM will accept to serve.</div>
<div>Setting such constraints could be taken a long way, almost like ACL. However, I'm not proposing something that extensive. Ability to flag that a certain VM should only allow to serve a single tenant (but still multiple service instances for that tenant)
 would cover a requirement we've been given in work we've done. </div>
<div><br>
</div>
<div>Thanks,</div>
<div>Bob</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Sumit Naiksatam &lt;<a href="mailto:sumitnaiksatam@gmail.com">sumitnaiksatam@gmail.com</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>OpenStack Development Mailing List &lt;<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Wednesday, 9 October 2013 23:09<br>
<span style="font-weight:bold">To: </span>OpenStack Development Mailing List &lt;<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>Re: [openstack-dev] [Neutron] Service VM discussion - Use Cases<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Thanks Bob, I agree this is an important aspect of the implementation. However, apart from being able to specify which network(s) the VM has interfaces on, what more needs to be done specifically in the proposed library to achieve the tenant
 level isolation?
<div><br>
</div>
<div>Thanks,</div>
<div>~Sumit.<br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Oct 8, 2013 at 11:34 PM, Bob Melander (bmelande)
<span dir="ltr">&lt;<a href="mailto:bmelande@cisco.com" target="_blank">bmelande@cisco.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>For use case 2, ability to "pin" an admin/operator owned VM to a particular tenant can be useful.</div>
<div>I.e., the service VMs are owned by the operator but a particular service VM will only allow service instances from a single tenant.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Bob</div>
<div><br>
</div>
<span>
<div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From: </span>&lt;Regnier&gt;, Greg J &lt;<a href="mailto:greg.j.regnier@intel.com" target="_blank">greg.j.regnier@intel.com</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>OpenStack Development Mailing List &lt;<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Tuesday, 8 October 2013 23:48<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>" &lt;<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>[openstack-dev] [Neutron] Service VM discussion - Use Cases<br>
</div>
<div><br>
</div>
<div>
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal">Re: blueprint:  <a href="https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms" target="_blank">
https://blueprints.launchpad.net/neutron/+spec/adv-services-in-vms</a></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Before going into more detail on the mechanics, would like to nail down use cases.</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Based on input and feedback, here is what I see so far.</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">&nbsp;</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Assumptions:</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">&nbsp;</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">- a 'Service VM' hosts one or more 'Service Instances'</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">- each Service Instance has one or more Data Ports that plug into Neutron networks</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">- each Service Instance has a Service Management i/f for Service management (e.g. FW rules)</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">- each Service Instance has a VM Management i/f for VM management (e.g. health monitor)</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">&nbsp;</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Use case 1: Private Service VM</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Owned by tenant</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">VM hosts one or more service instances</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Ports of each service instance only plug into network(s) owned by tenant</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">&nbsp;</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Use case 2: Shared Service VM</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Owned by admin/operator</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">VM hosts multiple service instances</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">The ports of each service instance plug into one tenant's network(s)</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Service instance provides isolation from other service instances within VM</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">&nbsp;</span></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Use case 3: Multi-Service VM</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Either Private or Shared Service VM</span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:27.0pt;margin-bottom:.0001pt">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Support multiple service types (e.g. FW, LB, …)</span></p>
<p class="MsoNormal">&nbsp;</p>
<p style="margin-left:.75in">- Greg</p>
</div>
</div>
</div>
</span></div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</span>
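<div>The admission rules discussed in this thread (use cases 1 and 2, plus the single-tenant "pin" on an operator-owned VM), sketched as an added example that is not part of the original messages or of Neutron. The class, function and flag names, the "admin" owner marker and the sample network ids are hypothetical.</div>

```python
from dataclasses import dataclass, field

ADMIN = "admin"  # assumed marker for an operator-owned (shared) service VM

class PlacementError(Exception):
    """The service instance may not be hosted on this service VM."""

@dataclass
class ServiceVM:
    owner: str                    # tenant id, or ADMIN
    single_tenant: bool = False   # hypothetical "pin" flag from the thread
    instances: list = field(default_factory=list)  # (tenant, networks) pairs

    def served_tenants(self):
        return {tenant for tenant, _ in self.instances}

def place_instance(vm, tenant, networks, network_owner):
    """Admit one service instance; network_owner maps network id to owner."""
    if not networks:
        raise PlacementError("a service instance needs at least one data port")
    # Use cases 1 and 2: all ports of an instance plug into one tenant's
    # networks. Unknown networks have no owner and are refused (fail closed).
    foreign = sorted(n for n in networks if network_owner.get(n) != tenant)
    if foreign:
        raise PlacementError(f"{foreign} not owned by {tenant}")
    # Use case 1: a private (tenant-owned) VM serves only its owner.
    if vm.owner not in (ADMIN, tenant):
        raise PlacementError(f"VM is private to {vm.owner}")
    # Pin: a single-tenant VM takes many instances, but from one tenant only.
    others = vm.served_tenants() - {tenant}
    if vm.single_tenant and others:
        raise PlacementError(f"VM is pinned to {sorted(others)}")
    vm.instances.append((tenant, tuple(networks)))
    return vm

def admitted(vm, tenant, networks, network_owner):
    """Return True if placement succeeds, False if a rule refuses it."""
    try:
        place_instance(vm, tenant, networks, network_owner)
        return True
    except PlacementError:
        return False

# Constructed sample data: network id mapped to owning tenant.
NETWORK_OWNER = {"net-a1": "tenant-a", "net-a2": "tenant-a", "net-b1": "tenant-b"}

if __name__ == "__main__":
    pinned = ServiceVM(owner=ADMIN, single_tenant=True)
    for t, n in [("tenant-a", "net-a1"), ("tenant-a", "net-a2"), ("tenant-b", "net-b1")]:
        print(t, n, admitted(pinned, t, [n], NETWORK_OWNER))
```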
</body>
</html>