[Openstack-operators] Service Catalog TNG urls

Fox, Kevin M Kevin.Fox at pnnl.gov
Thu Dec 3 20:45:40 UTC 2015 

Yeah, switching them that way makes a lot of sense.

Thanks,
Kevin

________________________________
From: Dan Sneddon
Sent: Thursday, December 03, 2015 12:39:25 PM
To: Fox, Kevin M; Jesse Keating; Sean Dague
Cc: openstack-operators
Subject: Re: [Openstack-operators] Service Catalog TNG urls

On 12/03/2015 09:46 AM, Fox, Kevin M wrote:
> We use internal to be a private network between the controllers and the
> compute nodes that no one else has access to. Without that, we'd be stuck.
>
> An OpenStack network that's where all the public services go, that
> isn't external to the cloud for billing purposes does make sense too
> though. Maybe all three should be clearly delineated. Maybe something like:
>
> * Public - Available outside. may incur costs to access internally
> * Internal - Available publicly by machines in the cloud. no cost is
> ever incurred from using them.
> * Provider - Not exposed to normal users and intended for backend sorts
> of things.
>
> Hopefully we can make it a strong enough convention that apps can rely
> on it between clouds.
>
> Thanks,
> Kevin
> -----------------------------------------------------------------------
> *From:* Jesse Keating [jlk at bluebox.net]
> *Sent:* Thursday, December 03, 2015 8:09 AM
> *To:* Sean Dague
> *Cc:* openstack-operators
> *Subject:* Re: [Openstack-operators] Service Catalog TNG urls
>
> We make use of http urls internally for services to talk to each other,
> but not for human users. All our human users should be using https
> public url. We don't actually utilize the internalURL framework,
> instead we use /etc/hosts entries to change the domain resolution of
> our publicURL entries, and use other config file controls to reflect
> http vs https.
>
> Partly this is because we don't want to advertise internal IP addresses
> in the catalog. Partly this is because we do not want to advertise an
> http link that a client might accidentally use and pass credentials in
> the clear over the Internet.
>
> I believe we would be perfectly happy to do away with adminURL and
> internalURL. It'd certainly reduce our per-site configuration entries,
> and reduce confusion around what purpose these entries serve.
>
>
> - jlk
>
> On Thu, Dec 3, 2015 at 6:14 AM, Sean Dague <sean at dague.net
> <mailto:sean at dague.net>> wrote:
>
>     For folks that don't know, we've got an effort under way to look at
>     some
>     of what's happened with the service catalog, how it's organically
>     grown,
>     and do some pruning and tuning to make sure it's going to support what
>     we want to do with OpenStack for the next 5 years (wiki page to dive
>     deeper here - https://wiki.openstack.org/wiki/ServiceCatalogTNG).
>
>     One of the early Open Questions is about urls. Today there is a
>     completely free form field to specify urls, and there are conventions
>     about having publicURL, internalURL, adminURL. These are, however, only
>     conventions.
>
>     The only project that's ever really used adminURL has been Keystone, so
>     that's something we feel we can phase out in new representations.
>
>     The real question / concern is around public vs. internal. And
>     something
>     we'd love feedback from people on.
>
>     When this was brought up in Tokyo the answer we got was that internal
>     URL was important because:
>
>     * users trusted it to mean "I won't get changed for bandwidth"
>     * it is often http instead of https, which provides a 20% performance
>     gain for transfering large amounts of data (i.e. glance images)
>
>     The question is, how hard would it be for sites to be configured so
>     that
>     internal routing is used whenever possible? Or is this a concept we
>     need
>     to formalize and make user applications always need to make the
>     decision
>     about which interface they should access?
>
>             -Sean
>
>     --
>     Sean Dague
>     http://dague.net
>
>     _______________________________________________
>     OpenStack-operators mailing list
>     OpenStack-operators at lists.openstack.org
>     <mailto:OpenStack-operators at lists.openstack.org>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>

Kevin,

I'm not sure I'm on board with the three endpoints as listed, but at
the very least I would swap Internal and Provider in your example:

* Public - Available outside. may incur costs to access internally
* Internal - Not exposed to normal users and intended for backend sorts
  of things.
* Provider - Available publicly by machines in the cloud. no cost is
  ever incurred from using them.

Provider would then correspond to a provider network, where it is put
in place for the benefit of the VMs.
--
Dan Sneddon         |  Principal OpenStack Engineer
dsneddon at redhat.com |  redhat.com/openstack
650.254.4025        |  dsneddon:irc   @dxs:twitter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20151203/f639ceb2/attachment.html>

More information about the OpenStack-operators mailing list