<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1" class="" style="word-wrap:break-word">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Do consider another use case, that of a private docker cluster...<br>
<br>
I may want to use magnum to deploy a docker cluster in a private neutron network for a mid/backend tier as a component of a larger scalable cloud application. Floating IPs would not be used in this case since the machines that would need to talk to the docker cluster would be on the same private neutron network. So I'd rather use RFC-1918 space in the private network and ensure the public networks never can reach it.<br>
<br>
Thanks,<br>
Kevin<br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF569432"><font face="Tahoma" size="2" color="#000000"><b>From:</b> Adrian Otto [adrian.otto@rackspace.com]<br>
<b>Sent:</b> Tuesday, June 16, 2015 10:12 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [Magnum] TLS Support in Magnum<br>
</font><br>
</div>
<div></div>
<div>Clint,
<div class=""><br class="">
</div>
<div class="">Hi! It’s good to hear from you!</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jun 16, 2015, at 8:58 PM, Clint Byrum <<a href="mailto:clint@fewbar.com" class="" target="_blank">clint@fewbar.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">I don't understand at all what you said there.<br class="">
<br class="">
If my kubernetes minions are attached to a gateway which has a direct route to Magnum, let's say they're at 192.0.2.{100,101,102}, and Magnum is at 198.51.100.1, then as long as the minions' gateway knows how to find 198.51.100.0/24, and Magnum's gateway knows how to route to 192.0.2.0/24, then you can have two-way communication and no floating IPs or NAT. This seems orthogonal to how external users find the minions.<br class="">
</div>
</blockquote>
<div><br class="">
</div>
That’s correct. Keep in mind that large clouds use layer 3 routing protocols to get packets around, especially for north/south traffic where public IP addresses are typically used. Injecting new routes into the network fabric each time we create a bay might
 cause reluctance from network administrators to allow the adoption of Magnum. Pre-allocating tons of RFC-1918 addresses to Magnum may also be impractical on networks that use those addresses extensively. Steve’s explanation of using routable addresses as floating
 IP addresses is one approach to leverage the prevailing SDN in the cloud’s network to address this concern.</div>
<div><br class="">
</div>
<div>Let’s not get too far off topic on this thread. We are discussing the implementation of TLS as a mechanism of access control for API services that run on networks that are reachable by the public. We got a good suggestion to use an approach that can work
 regardless of network connectivity between the Magnum control plane and the Nova instances (Magnum Nodes) and the containers that run on them. I’d like to see if we could use cloud-init to get the keys into the bay nodes (docker hosts). That way we can avoid
 the requirement for end-to-end network connectivity between bay nodes and the Magnum control plane.</div>
<div><br class="">
</div>
<div>Thanks,</div>
<div><br class="">
</div>
<div>Adrian</div>
<div><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">Excerpts from Steven Dake (stdake)'s message of 2015-06-16 19:40:25 -0700:<br class="">
<blockquote type="cite" class="">
Clint,<br class="">
<br class="">
Answering Clint’s question, yes there is a reason all nodes must expose a floating IP address.<br class="">
<br class="">
In a Kubernetes cluster, each minion has a port address space.  When an external service contacts the floating IP’s port, the request is routed over the internal network to the correct container using a proxy mechanism.  The problem then is, how do you know
 which minion to connect to with your external service?  The answer is you can connect to any of them.  Kubernetes only has one port address space, so Kubernetes suffers from a single namespace problem (which Magnum solves with Bays).<br class="">
<br class="">
Longer term it may make sense to put the minion external addresses on an RFC 1918 network, and put a floating VIF with a load balancer to connect to them.  Then there is no need for a floating address per node.  We are blocked behind kubernetes implementing proper support for load balancing in OpenStack to even consider this work.<br class="">
<br class="">
Regards<br class="">
-steve<br class="">
<br class="">
From: "Fox, Kevin M" <<a href="mailto:Kevin.Fox@pnnl.gov" class="" target="_blank">Kevin.Fox@pnnl.gov</a>><br class="">
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" class="" target="_blank">openstack-dev@lists.openstack.org</a>><br class="">
Date: Tuesday, June 16, 2015 at 6:36 AM<br class="">
To: "OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" class="" target="_blank">openstack-dev@lists.openstack.org</a>><br class="">
Subject: Re: [openstack-dev] [Magnum] TLS Support in Magnum<br class="">
<br class="">
Out of the box, VMs usually can contact the controllers through the router's NAT, but not vice versa. So it's preferable for guest agents to make the connection, not the controller connect to the guest agents. No floating IPs, security group rules or special networks are needed then.<br class="">
<br class="">
Thanks,<br class="">
Kevin<br class="">
<br class="">
________________________________<br class="">
From: Clint Byrum<br class="">
Sent: Monday, June 15, 2015 6:10:27 PM<br class="">
To: openstack-dev<br class="">
Subject: Re: [openstack-dev] [Magnum] TLS Support in Magnum<br class="">
<br class="">
Excerpts from Fox, Kevin M's message of 2015-06-15 15:59:18 -0700:<br class="">
<blockquote type="cite" class="">No, I was confused by your statement:<br class="">
"When we create a bay, we have an ssh keypair that we use to inject the ssh public key onto the nova instances we create."<br class="">
<br class="">
It sounded like you were using that keypair to inject a public key. I just misunderstood.<br class="">
<br class="">
It does raise the question though, are you using ssh between the controller and the instance anywhere? If so, we will still run into issues when we go to try and test it at our site. Sahara does currently, and we're forced to put a floating ip on every instance. It's less than ideal...<br class="">
<br class="">
</blockquote>
<br class="">
Why not just give each instance a port on a network which can route<br class="">
directly to the controller's network? Is there some reason you feel<br class="">
"forced" to use a floating IP?<br class="">
<br class="">
</blockquote>
<br class="">
__________________________________________________________________________<br class="">
OpenStack Development Mailing List (not for usage questions)<br class="">
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" class="" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br class="">
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" class="" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
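<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<hr tabindex="-1">
<p>Added example, not part of the thread and not Magnum's own code: Adrian's suggestion above is to get the TLS material onto the bay nodes through cloud-init, so the control plane never needs a route to the nodes. The block below renders such a <code>#cloud-config</code> user-data document using cloud-init's <code>write_files</code> module (content base64-encoded via <code>encoding: b64</code>, files owned by root, private key mode 0600) and audits the rendered document before it would be passed to Nova as <code>user_data</code>. The PEM blobs are constructed placeholders, the <code>/etc/docker/*.pem</code> paths are illustrative, and the 65535-byte cap is assumed from Nova's server-create <code>user_data</code> limit.</p>

```python
"""Added example, not Magnum's code: build and audit a cloud-init user-data
document that drops TLS material onto a bay node (docker host).

Assumptions (none of these come from the mailing-list thread):
  * The PEM strings below are constructed placeholders, not real key material.
  * /etc/docker/{ca,server-cert,server-key}.pem are illustrative paths.
  * Nova rejects user_data longer than 65535 bytes (base64-encoded).
"""
import base64
import re

NOVA_USER_DATA_LIMIT = 65535  # assumed Nova server-create maxLength for user_data

# Constructed placeholder PEM blobs; a real deployment gets these from the bay CA.
CA_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-BAY-CA-CERTIFICATE\n"
    "-----END CERTIFICATE-----\n"
)
NODE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-NODE-CERTIFICATE\n"
    "-----END CERTIFICATE-----\n"
)
NODE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "PLACEHOLDER-NODE-PRIVATE-KEY\n"
    "-----END PRIVATE KEY-----\n"
)


def tls_write_files(ca_cert, node_cert, node_key):
    """write_files entries for one node: certs world-readable, key root-only."""
    return [
        {"path": "/etc/docker/ca.pem", "owner": "root:root",
         "permissions": "0644", "content": ca_cert},
        {"path": "/etc/docker/server-cert.pem", "owner": "root:root",
         "permissions": "0644", "content": node_cert},
        {"path": "/etc/docker/server-key.pem", "owner": "root:root",
         "permissions": "0600", "content": node_key},
    ]


def render_cloud_config(files):
    """Emit a #cloud-config document. Content goes in as base64 (encoding: b64)
    so the PEM newlines never have to be escaped for YAML."""
    lines = ["#cloud-config", "write_files:"]
    for f in files:
        b64 = base64.b64encode(f["content"].encode()).decode("ascii")
        lines.append(f"  - path: {f['path']}")
        lines.append(f"    owner: {f['owner']}")
        lines.append(f"    permissions: '{f['permissions']}'")
        lines.append("    encoding: b64")
        lines.append(f"    content: {b64}")
    return "\n".join(lines) + "\n"


# Matches one write_files entry exactly as render_cloud_config lays it out.
_ENTRY_RE = re.compile(
    r"^  - path: (?P<path>\S+)\n"
    r"    owner: (?P<owner>\S+)\n"
    r"    permissions: '(?P<perm>\d{4})'\n"
    r"    encoding: b64\n"
    r"    content: (?P<b64>\S+)$",
    re.MULTILINE,
)


def audit_user_data(text):
    """Return a list of findings; an empty list means the document is safe to submit."""
    findings = []
    if not text.startswith("#cloud-config\n"):
        findings.append("missing '#cloud-config' header: cloud-init would ignore write_files")
    encoded = len(base64.b64encode(text.encode()))
    if encoded > NOVA_USER_DATA_LIMIT:
        findings.append(f"user_data is {encoded} bytes base64, over the {NOVA_USER_DATA_LIMIT} limit")
    for m in _ENTRY_RE.finditer(text):
        content = base64.b64decode(m["b64"]).decode()
        if "-----BEGIN" not in content:
            findings.append(f"{m['path']}: content is not PEM")
        if "PRIVATE KEY-----" in content:
            if m["perm"] != "0600":
                findings.append(f"{m['path']}: private key written with mode {m['perm']}, want 0600")
            if not m["owner"].startswith("root:"):
                findings.append(f"{m['path']}: private key not owned by root")
    return findings


def build_node_user_data():
    """Render the document for one node and audit it; returns (text, findings)."""
    doc = render_cloud_config(tls_write_files(CA_CERT_PEM, NODE_CERT_PEM, NODE_KEY_PEM))
    return doc, audit_user_data(doc)


if __name__ == "__main__":
    text, problems = build_node_user_data()
    print(text)
    print("findings:", problems or "none")
```

<p>One caveat to keep in mind with this delivery path: user-data is handed to the instance by the metadata service (or the config drive) without any authentication, so any process on the node that can reach 169.254.169.254, including containers on that host unless the metadata address is filtered, can read the same private key. That is tolerable for a credential scoped to that one node, and is a reason to issue a key per bay node rather than one shared key for the whole bay.</p>
</div>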
</body>
</html>