[Openstack] Request to OpenStack software builders: a small code modification to change the way the default gateway of a tenant network is set for the multi-network and VLAN model in the Essex version

romi zhang romizhang1968 at 163.com
Fri Sep 7 01:59:41 UTC 2012


All list and Vish,

As we know and have tested in the Essex version, nova-network will set the bridge IP
address as the VM default gateway, and if a VM wants to go out, it has to pass
through the host route table. This brings us two critical problems:

1. The manager of a VM could touch the compute host, a potential security
risk;

2. All the VMs could touch each other on the same host, a potential
security risk.

Of course it will also destroy the advantages of the multi-network and VLAN
model: although we can use VLANs to separate tenants, in the end the VMs come
together and have to go one way to get outside, which is very sad.

In the multi-network + VLAN manager model, for example, when I create the
192.168.2.0/24 network for tenant A, 192.168.2.1 would be the default
gateway value in the networks table in the Nova DB, and the bridge IP is perhaps
192.168.2.3 on the compute host; when you look at the default gateway of
the VM on this host, it is 192.168.2.3, not 192.168.2.1 (192.168.2.1 was
not allocated to any real site).

What we want is: 192.168.2.1 should be the VM's default gateway for all VMs
in tenant A, and usually we would set 192.168.2.1 as the VLAN interface IP
address on the LAN switch and go outside through it.

Yes, we have a way to modify dnsmasq.conf to set the gateway and DNS values, but it
only works for one network; the reality is that we would use a per-tenant, per-network
model to enhance security and would have more than thousands of
networks and tenants.

Hence, we only want a small code modification to assign 192.168.2.1 as
the default gateway of the VM; that means using the lowest IP address of each
tenant network as the default gateway when building up the VM, not the bridge IP.
That would give us two benefits:

1. A VM visiting the internet does not touch the compute host's IP route and network;
it passes through the VLAN trunk to the LAN switch, which enhances security;

2. All the VMs of different tenants/networks on the same compute host
could not touch each other, and we would not rely on ICMP port control in the
security group rules, which enhances security.

Of course, if we can achieve this, the multi-network and VLAN model would have
really meaningful usage; otherwise it would trouble those of us who want to use
OpenStack in a production environment.

This work is very important to us: we would like to choose the multi-network and
VLAN model to improve cloud system security and high availability, and of
course, sometimes in other countries we do not have enough public IP addresses and
have to use two NICs with fixed IP addresses to go out through DNAT port
mapping, and would not use floating IPs.

Certainly, if we can only resolve this problem in the F version through Quantum,
please let us know.

I would appreciate it if the software builders of the OpenStack Essex version could give
some help on this.

Best regards,

Romi
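The post above describes one concrete gap: the gateway the networks table records (the lowest host address of the tenant subnet) is not what the VMs are told, and a single dnsmasq.conf override only covers one network. The following script is an added illustration written for this archive page; it is not the author's requested patch and not nova-network's own code, and it does not show how nova-network launches dnsmasq. It takes a constructed list of tenant networks (label, VLAN id, CIDR and the bridge address the compute host happened to get), derives the lowest host address as the gateway, emits per-network dnsmasq lines using dnsmasq's real `set:`/`tag:` syntax so that each DHCP range carries its own `option:router`, and then checks for every network that the advertised gateway lies inside the subnet and is not the host bridge address (the condition the post wants, so that tenant traffic leaves over the VLAN trunk instead of the host route table). The third sample network is deliberately constructed so that the bridge already holds the lowest address, which the check flags as still routing through the host.

```python
import ipaddress

# Constructed sample data (not from the mailing-list post or from any Nova DB):
# what the networks table and the per-host bridge assignment might look like.
SAMPLE_NETWORKS = [
    {"label": "tenantA", "vlan": 101, "cidr": "192.168.2.0/24", "bridge_ip": "192.168.2.3"},
    {"label": "tenantB", "vlan": 102, "cidr": "10.20.0.0/22", "bridge_ip": "10.20.0.3"},
    # Failure mode: the host bridge was given the lowest address, so advertising
    # it as the router would still send tenant traffic through the compute host.
    {"label": "tenantC", "vlan": 103, "cidr": "172.16.5.0/24", "bridge_ip": "172.16.5.1"},
]


def lowest_host_gateway(cidr):
    """Return the lowest usable host address of a subnet (e.g. .1 in a /24).

    This is the value the post wants VMs to receive as their default gateway:
    the address the LAN switch's VLAN interface holds, not the host bridge.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(next(net.hosts()))


def dnsmasq_option_lines(networks):
    """Build per-network dnsmasq configuration lines.

    dnsmasq's `dhcp-range=set:<tag>,...` marks leases from that range with a tag,
    and `dhcp-option=tag:<tag>,option:router,<ip>` applies the router option only
    to leases carrying that tag. One dnsmasq config can therefore hand a
    different gateway to every tenant network instead of a single global value.
    """
    lines = []
    for n in networks:
        net = ipaddress.ip_network(n["cidr"], strict=True)
        gw = lowest_host_gateway(n["cidr"])
        first_lease = str(net.network_address + 2)   # leave the gateway address out of the pool
        last_lease = str(net.broadcast_address - 1)  # last usable host
        tag = n["label"]
        lines.append(f"# VLAN {n['vlan']} / {n['cidr']}")
        lines.append(f"dhcp-range=set:{tag},{first_lease},{last_lease},12h")
        lines.append(f"dhcp-option=tag:{tag},option:router,{gw}")
    return lines


def check_gateway_not_bridge(networks):
    """Per network, True when the advertised router is inside the subnet and is not
    the host bridge address, i.e. VM egress will not traverse the compute host's
    route table. False marks a network that still needs its bridge address moved.
    """
    result = {}
    for n in networks:
        net = ipaddress.ip_network(n["cidr"], strict=True)
        gw = ipaddress.ip_address(lowest_host_gateway(n["cidr"]))
        bridge = ipaddress.ip_address(n["bridge_ip"])
        result[n["label"]] = (gw in net) and (gw != bridge)
    return result


if __name__ == "__main__":
    for line in dnsmasq_option_lines(SAMPLE_NETWORKS):
        print(line)
    print()
    for label, ok in check_gateway_not_bridge(SAMPLE_NETWORKS).items():
        status = "ok: gateway is off-host" if ok else "WARNING: gateway is the host bridge"
        print(f"{label}: {status}")
```

Run it as a plain script to see the generated lines and the per-network verdict. The check is the part worth keeping around operationally: after any change to how gateways are assigned, comparing the DHCP router option against the bridge addresses on each compute host is a cheap way to confirm that tenant egress really bypasses the host.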
