<div dir="ltr">We also use 2 VIPs: public and internal, with admin being a CNAME for internal.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 12, 2016 at 7:28 AM, Fox, Kevin M <span dir="ltr"><<a href="mailto:Kevin.Fox@pnnl.gov" target="_blank">Kevin.Fox@pnnl.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
We usually use two VIPs.<br>
<br>
Thanks,<br>
Kevin
<hr>
<font face="Tahoma" size="2"><b>From:</b> Steven Dake (stdake)<br>
<b>Sent:</b> Friday, February 12, 2016 6:04:45 AM<br>
<b>To:</b> <a href="mailto:openstack-operators@lists.openstack.org" target="_blank">openstack-operators@lists.openstack.org</a><br>
<b>Subject:</b> [Openstack-operators] [kolla] Question about how Operators deploy<br>
</font><div><div class="h5"><br>
<div></div>
<div>
<div>Hi folks,</div>
<div><br>
</div>
<div>Unfortunately I won't be able to make it to the Operator midcycle because of budget constraints or I would find the answer to this question there. The Kolla upstream is busy sorting out external ssl termination and a question arose in the Kolla community around operator requirements for public_URL vs internal_URL VIP management.</div>
<div><br>
</div>
<div>At present, Kolla creates 3 Haproxy containers across 3 HA nodes with one VIP managed by keepalived. The VIP is used for internal communication only. Our PUBLIC_URL is set to a DNS name, and we expect the Operator to sort out how to map that DNS name to the internal VIP used by Kolla. The way I do this in my home lab is to use NAT to NAT my public_URL from the internet (hosted by dyndns) to my internal VIP that haproxies to my 3 HA control nodes. This is secure assuming someone doesn't bust through my NAT.</div>
<div><br>
</div>
<div>An alternative has been suggested which is to use TWO VIPs. One for internal_url, one for public_url. Then the operator would only be responsible for selecting where to allocate the public_url endpoint's VIP. I think this allows more flexibility without necessarily requiring NAT while still delivering a secure solution.</div>
<div><br>
</div>
<div>Not having ever run an OpenStack cloud in production, how do the Operators want it? Our deciding factor here is what Operators want, not what is necessarily currently in the code base. We still have time to make this work differently for Mitaka, but I need feedback/advice quickly.</div>
<div><br>
</div>
<div>The security guide seems to imply two VIPs are the way to operate (big diagram):</div>
<div>
<div><a href="http://docs.openstack.org/security-guide/networking/architecture.html" target="_blank">http://docs.openstack.org/security-guide/networking/architecture.html</a></div>
</div>
<div><br>
</div>
<div>The IRC discussion is here for reference:</div>
<div><a href="http://eavesdrop.openstack.org/irclogs/%23kolla/%23kolla.2016-02-12.log.html#t2016-02-12T12:09:08" target="_blank">http://eavesdrop.openstack.org/irclogs/%23kolla/%23kolla.2016-02-12.log.html#t2016-02-12T12:09:08</a></div>
<div><br>
</div>
<div>Thanks in Advance!</div>
<div>-steve</div>
<div><br>
</div>
</div>
</div></div></div>
<br>_______________________________________________<br>
OpenStack-operators mailing list<br>
<a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br></blockquote></div><br></div>
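<div>As an added illustration of the two-VIP layout the thread converges on (not Kolla's own configuration and not written by any of the posters), the HAProxy fragment below binds the public Keystone endpoint on one VIP with TLS termination and the internal endpoint on a second VIP, both fronting the same three control nodes. The VIP addresses, node addresses, certificate path and port are assumed placeholders, and keepalived is assumed to hold both VIPs.</div>

```haproxy
# Added example: two VIPs for an OpenStack API endpoint (Keystone shown).
# Assumed placeholders: 203.0.113.10 = public VIP, 10.0.0.10 = internal VIP,
# 10.0.0.11-13 = the three HA control nodes, /etc/haproxy/public.pem = cert+key.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Public VIP: the only address the operator exposes (directly or behind NAT).
# TLS is terminated here; no plaintext listener exists on this VIP.
frontend keystone_public
    bind 203.0.113.10:5000 ssl crt /etc/haproxy/public.pem no-sslv3 no-tlsv10
    http-request set-header X-Forwarded-Proto https
    default_backend keystone_api

# Internal VIP: reachable only from the management network; this is what
# internalURL (and adminURL, when admin is a CNAME for internal) resolves to.
frontend keystone_internal
    bind 10.0.0.10:5000
    default_backend keystone_api

# Both VIPs share one backend: the Keystone containers on the 3 HA nodes.
backend keystone_api
    balance roundrobin
    option httpchk GET /v3
    server control1 10.0.0.11:5000 check inter 2000 rise 2 fall 5
    server control2 10.0.0.12:5000 check inter 2000 rise 2 fall 5
    server control3 10.0.0.13:5000 check inter 2000 rise 2 fall 5
```

<div>The same haproxy.cfg is installed on all three nodes; since a node only holds a VIP while it is the keepalived master, binding to the other VIP addresses requires net.ipv4.ip_nonlocal_bind=1 on each node.</div>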