Yong,<div><br></div><div>Regarding the comments you had on whether the owner of the public network should own the ports attached on it as well, and kind of 'assign' them to other tenants.</div><div>Although I recognize this as a viable approach, I do believe an approach in which a tenant actually still owns the port even if it is on a public network leads to a simpler model, as we won't need to add any attribute to the existing model classes, and operations will still have the current semantics. With the other approach, for instance, we would need to add an attribute to port (something like 'assigned_to') and change the semantics of index for ports in a way such that if net-id was a public network id it should have returned the ports for which assigned-to matched the tenant, instead of tenant-id.</div>
<div><br></div><div>On another note, the proposed approach allows for making the actual policy enforcement completely configurable. For instance, while by default we disallow manipulation of MAC and IPs on public networks, the quantum admin can change the policy by editing policy.json.</div>
<div>Similarly, the quantum administrators can decide that only a given subset of users can plug VIFs into public networks, and they might also give some particular users, say "power users", the power of creating public networks.</div>
<div><br></div><div>Regards,</div><div>Salvatore</div><div><br></div><div>[fwd to openstack-dev - please ensure it is kept in the recipient list]</div><div><br></div><div><br></div><div><br></div><div><br><br><div class="gmail_quote">
On 17 July 2012 15:04, Salvatore Orlando <span dir="ltr"><<a href="mailto:sorlando@nicira.com" target="_blank">sorlando@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Gary, <div>I think you are making a very good point here.</div><div>It is true that the proposed design (and related patch in gerrit) addresses only the 'model' problem at the API layer.</div><div>
I think it is outside of the scope of this blueprint how the plugins, and then more specifically their agents, should then react to a "public" network as opposed to a "private" one. </div><div><br></div>
<div>I reckon Bob's "part II" of the provider network problem is moving in the right direction for addressing this problem by having an extension that adds an attribute which will let the plugins implement the networks differently according to their nature (for instance flat vs tagged). Another approach would be that plugins might leverage the "public" attribute and automatically activate anti-spoofing rules on interfaces attached to such networks. In both cases, it is my opinion that we can address this problem with a separate blueprint.</div>
<span class="HOEnZb"><font color="#888888">
<div><br></div><div>Salvatore</div></font></span><div class="HOEnZb"><div class="h5"><div><br><div class="gmail_quote">On 14 July 2012 23:10, Gary Kotton <span dir="ltr"><<a href="mailto:gkotton@redhat.com" target="_blank">gkotton@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div>
On 07/12/2012 06:39 PM, Salvatore Orlando wrote:
<blockquote type="cite">Thank you again for your feedback.
<div><br>
</div>
<div>On the discussion about two or three-way logic, I understand
Yong's point of being able to fetch public and private networks
in one call, but I also agree with Endre that using a boolean
flag for something which is actually Yes/No/Whatever sounds
confusing and is different from what the OpenStack CLI usually
does.</div>
<div><br>
</div>
<div>Hence, if we have a large agreement on the need of being able
to specify whether we want public networks, private networks or
both, I'd go for the approach #3 in the design proposal, as
suggested by Gary, and the CLI option would become something
like --network_type={public|private|both}.</div>
<div><br>
</div>
<div>On the agent issue raised by Gary - I'm afraid I don't
understand. Gary, could you please elaborate more?</div>
</blockquote>
<br></div>
The current implementation of the open source agents makes use of
one network interface with the network isolation being done by vlan
tagging. It may be required that an agent can connect to a public non
secure network and a private secure network. The first layer of
network isolation may be done by the physical network interfaces.
The API that you are proposing enables the quantum service to
provide the support, but what about the agents? Will the agents be
able to differentiate between a private and public network? Taking
this further, will the agents be able to assign these networks to
different network interfaces? Maybe it is not in the scope of the
work that you are proposing.<br>
<br>
Thanks<span><font color="#888888"><br>
Gary</font></span><div><div><br>
<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>Regards,</div>
<div>Salvatore<br>
<br>
<div class="gmail_quote">On 12 July 2012 05:37, Yong Sheng Gong
<span dir="ltr"><<a href="mailto:gongysh@cn.ibm.com" target="_blank">gongysh@cn.ibm.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif"><br>
If we just use one flag, it can represent just two values
True or False. If we want to represent three values True,
False or not specified, we have to use --public True or
--public False or nothing at all.<br>
<br>
So it is a three-values logic.<br>
<span></span><br>
<br>
<font color="#990099">-----openstack-bounces+gongysh=<a href="mailto:cn.ibm.com@lists.launchpad.net" target="_blank">cn.ibm.com@lists.launchpad.net</a>
wrote: -----</font>
<div style="padding-left:5px">
<div style="padding-right:0px;padding-left:5px;border-left:2px solid black">To: <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
From: Endre Karlson <br>
Sent by: <a href="mailto:openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net" target="_blank">openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net</a><br>
Date: 07/12/2012 07:53PM<br>
Subject: [Openstack] Fwd: [Quantum] Public Network
spec proposal
<div>
<div><br>
<br>
Why not just --public or not ? Why do you need
--public True ? That just adds confusion...<br>
<div class="gmail_quote">
<span><font color="#888888"><br>
Endre.</font></span>
<div>
<div>
<br>
<br>
<div class="gmail_quote">2012/7/12 Gary
Kotton <span dir="ltr"><<a href="mailto:gkotton@redhat.com" target="_blank">gkotton@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
Hi,<br>
1. Is this also applicable to the
agents? Say for example a user wants
to ensure that a public network is
attached to network interface em1 and
the private network attached to em2.
Is this something that will be
addressed by the blueprint?<br>
2. I prefer option #3. This seems to
be a cleaner approach for the user
interface.<br>
Thanks<br>
Gary
<div>
<div><br>
<br>
On 07/12/2012 01:52 AM, Salvatore
Orlando wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>Hi,
<div><br>
</div>
<div>A proposal for the
implementation of the public
networks feature has been
published.</div>
<div>It can be reached from the
quantum-v2-public-networks
blueprint page [1].</div>
<div>Feedback is more than
welcome!</div>
<div><br>
</div>
<div>Regards,</div>
<div>Salvatore</div>
<div><br>
</div>
<div>[1]: <a href="https://blueprints.launchpad.net/quantum/+spec/quantum-v2-public-networks" target="_blank">https://blueprints.launchpad.net/quantum/+spec/quantum-v2-public-networks</a></div>
</div>
</div>
<div><font face="Courier
New,Courier,monospace">
<fieldset></fieldset>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a>
<div>
<br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div>
</font></div>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
</font>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
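<div>Added example, not part of the original thread and not Quantum's own code: a minimal Python sketch of the model described in the top message of this thread, where a tenant still owns its port on a public network and a policy.json-style document decides who may plug into public networks, set MAC/IP there, or create public networks. The rule names, the check syntax, the roles and the sample tenants are hypothetical.</div>

```python
import json

# Constructed policy documents. Rule names and the "role:<name>" / "any" check
# syntax are hypothetical, not Quantum's real policy.json vocabulary.
DEFAULT_POLICY = json.loads("""{
  "create_public_network": ["role:admin"],
  "plug_vif_public_network": ["any"],
  "set_mac_ip_public_network": []
}""")
# What an administrator might write after editing the file (assumed roles).
EDITED_POLICY = json.loads("""{
  "create_public_network": ["role:admin", "role:power_user"],
  "plug_vif_public_network": ["role:admin", "role:net_user"],
  "set_mac_ip_public_network": ["role:power_user"]
}""")


def is_allowed(policy, action, ctx):
    """True if any check listed for the action matches; unknown actions are denied."""
    for check in policy.get(action, []):
        kind, _, value = check.partition(":")
        if check == "any" or (kind == "role" and value in ctx["roles"]):
            return True
    return False


def create_port(policy, ctx, network, mac=None, ip=None):
    """Create the port a VIF plugs into; the caller's tenant owns it."""
    if network["public"]:
        if not is_allowed(policy, "plug_vif_public_network", ctx):
            raise PermissionError("not allowed to plug into public networks")
        if (mac or ip) and not is_allowed(policy, "set_mac_ip_public_network", ctx):
            raise PermissionError("MAC/IP cannot be set on a public network")
    elif network["tenant_id"] != ctx["tenant_id"]:
        raise PermissionError("network belongs to another tenant")
    return {"network_id": network["id"], "tenant_id": ctx["tenant_id"],
            "mac": mac, "ip": ip}


def list_ports(ports, ctx, network_id):
    """Port index keeps its usual semantics: filter on the port's tenant_id."""
    return [p for p in ports
            if p["network_id"] == network_id and p["tenant_id"] == ctx["tenant_id"]]
```

<div>Because ownership stays with the tenant, the port listing needs no extra attribute such as 'assigned_to'; only the policy document changes between deployments.</div>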