<div dir="ltr"><div><div><div>Hi Vish,<br><br></div>You are right, it was a misunderstanding.<br></div>In fact, in the period of time between my email and your answer, I managed to set up a test environment to capture packets using tcpdump, and could verify in loco the tenant isolation at L2.<br>
</div>PS: I have carried out this verification in a physical box, in a single-server OpenStack deployment.<br><div><br></div><div>Cheers,<br></div><div>Roni.<br></div><div><br><br></div></div><div class="gmail_extra"><br>
<br><div class="gmail_quote">On 24 January 2013 01:53, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">There is nothing wrong with your setup. L3 routing is done by the network node. L3 is already blocked by security groups. The vlans provide L2 isolation. Essentially we handle this with convention, as in tell your tenants not to open up their firewalls if they don't want to be accessed by other tenants.<div>
<br></div><div>for example:</div><div><br></div><div>nova secgroup-add-rule default tcp 22 22 <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> # or some other restricted range</div><div><br></div><div>instead of:</div>
<div><br></div><div>nova secgroup-add-rule default tcp 22 22 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div><br></div><div>People seem to expect L3 traffic to be totally blocked between tenants. I'm not totally convinced that is good behavior, but it should be possible to produce a patch that will do this. In fact I've put together a potential version here:</div>
<div><br></div><div><a href="https://review.openstack.org/#/c/20362/" target="_blank">https://review.openstack.org/#/c/20362/</a></div><div><br></div><div>Unless I've messed something up, with this patch, you should be able to set:</div>
<div><br></div><div>bridge_forward_inteface=xxx # where xxx is your public_interface</div><div><br></div><div>And get the behavior you expect.</div><div><br></div><div>Vish</div><div><div class="h5"><div><br><div><div><div>
On Jan 23, 2013, at 2:27 PM, Ronivon Costa <<a href="mailto:ronivon.costa@gmail.com" target="_blank">ronivon.costa@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr"><div>Hello,</div><div><br></div>
<div><br></div>I have just installed Folsom on a physical server, and the tenants can also ping and ssh into each other's instances. <div>I think there is something wrong with my setup.</div>
<div><br></div><div>Below I provide some info from the deployment.</div><div>Any tip will be very much appreciated.</div><div><br></div><div>Thanks.</div><div>Roni<br><div><br></div><div><br></div><div><div>nova-manage network list</div>
<div>id <span style="white-space:pre-wrap"> </span>IPv4 <span style="white-space:pre-wrap"> </span>IPv6 <span style="white-space:pre-wrap"> </span>start address <span style="white-space:pre-wrap"> </span>DNS1 <span style="white-space:pre-wrap"> </span>DNS2 <span style="white-space:pre-wrap"> </span>VlanID <span style="white-space:pre-wrap"> </span>project <span style="white-space:pre-wrap"> </span>uuid </div>
<div>1 <span style="white-space:pre-wrap"> </span><a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a> <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>10.0.0.3 <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>100 <span style="white-space:pre-wrap"> </span>c0561ee64e6c40b2aea3bdcf47916f18<span style="white-space:pre-wrap"> </span>c417baf7-f989-49d9-973d-f6f2b51a2d5c</div>
<div>2 <span style="white-space:pre-wrap"> </span><a href="http://10.0.1.0/24" target="_blank">10.0.1.0/24</a> <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>10.0.1.3 <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>None <span style="white-space:pre-wrap"> </span>101 <span style="white-space:pre-wrap"> </span>36ae086d927f49039cedfcb046463876<span style="white-space:pre-wrap"> </span>4bff308a-7990-46a4-952b-772d4953cb10</div>
</div><div><br></div><div><br></div><div>--</div><div><br></div><div><div>brctl show</div><div><br></div><div>bridge name<span style="white-space:pre-wrap"> </span>bridge id<span style="white-space:pre-wrap"> </span>STP enabled<span style="white-space:pre-wrap"> </span>interfaces</div>
<div>br100<span style="white-space:pre-wrap"> </span>8000.fa163e7b7397<span style="white-space:pre-wrap"> </span>no<span style="white-space:pre-wrap"> </span>vlan100</div><div><span style="white-space:pre-wrap"> </span>vnet0</div>
<div>br101<span style="white-space:pre-wrap"> </span>8000.fa163e7baec0<span style="white-space:pre-wrap"> </span>no<span style="white-space:pre-wrap"> </span>vlan101</div><div><span style="white-space:pre-wrap"> </span>vnet1</div>
</div><div><br></div><div>-------</div><div><br></div><div><div>br100 Link encap:Ethernet HWaddr fa:16:3e:7b:73:97 </div><div> inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0</div><div> inet6 addr: fe80::b016:8dff:fefa:43db/64 Scope:Link</div>
<div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:531 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:803 errors:0 dropped:0 overruns:0 carrier:0</div><div>
collisions:0 txqueuelen:0 </div><div> RX bytes:66890 (66.8 KB) TX bytes:90421 (90.4 KB)</div><div><br></div><div>br101 Link encap:Ethernet HWaddr fa:16:3e:7b:ae:c0 </div><div> inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0</div>
<div> inet6 addr: fe80::c41:bbff:fed4:354b/64 Scope:Link</div><div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:422 errors:0 dropped:0 overruns:0 frame:0</div><div>
TX packets:574 errors:0 dropped:0 overruns:0 carrier:0</div>
<div> collisions:0 txqueuelen:0 </div><div> RX bytes:65212 (65.2 KB) TX bytes:69840 (69.8 KB)</div><div><br></div><div>dummy0 Link encap:Ethernet HWaddr 02:dc:e1:5c:aa:5e </div><div> inet6 addr: fe80::dc:e1ff:fe5c:aa5e/64 Scope:Link</div>
<div> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:169 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div>
<div> RX bytes:0 (0.0 B) TX bytes:23932 (23.9 KB)</div><div><br></div><div>dummy1 Link encap:Ethernet HWaddr 72:2d:2b:59:a2:d1 </div><div> BROADCAST NOARP MTU:1500 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div>
<div> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div><div> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)</div><div><br></div><div>dummy2 Link encap:Ethernet HWaddr 72:6f:28:d7:e8:cd </div>
<div> BROADCAST NOARP MTU:1500 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div>
<div> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)</div><div><br></div><div>eth0 Link encap:Ethernet HWaddr 00:1a:92:08:1f:47 </div><div> inet addr:10.100.200.126 Bcast:10.100.200.255 Mask:255.255.255.0</div>
<div> inet6 addr: fe80::21a:92ff:fe08:1f47/64 Scope:Link</div><div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:210280 errors:1 dropped:0 overruns:0 frame:1</div><div>
TX packets:20752 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:1000 </div><div> RX bytes:310541700 (310.5 MB) TX bytes:1983489 (1.9 MB)</div><div><br></div><div>lo Link encap:Local Loopback </div>
<div> inet addr:127.0.0.1 Mask:255.0.0.0</div><div> inet6 addr: ::1/128 Scope:Host</div><div> UP LOOPBACK RUNNING MTU:16436 Metric:1</div><div> RX packets:91449 errors:0 dropped:0 overruns:0 frame:0</div>
<div> TX packets:91449 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div><div> RX bytes:600766448 (600.7 MB) TX bytes:600766448 (600.7 MB)</div><div><br></div>
<div>
vlan100 Link encap:Ethernet HWaddr fa:16:3e:7b:73:97 </div><div> inet6 addr: fe80::f816:3eff:fe7b:7397/64 Scope:Link</div><div> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div>
<div> TX packets:71 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div><div> RX bytes:0 (0.0 B) TX bytes:11025 (11.0 KB)</div><div><br></div><div>vlan101 Link encap:Ethernet HWaddr fa:16:3e:7b:ae:c0 </div>
<div> inet6 addr: fe80::f816:3eff:fe7b:aec0/64 Scope:Link</div><div> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:95 errors:0 dropped:0 overruns:0 carrier:0</div>
<div> collisions:0 txqueuelen:0 </div><div> RX bytes:0 (0.0 B) TX bytes:12033 (12.0 KB)</div><div><br></div><div>vnet0 Link encap:Ethernet HWaddr fe:16:3e:7b:0b:14 </div><div> inet6 addr: fe80::fc16:3eff:fe7b:b14/64 Scope:Link</div>
<div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:531 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:764 errors:0 dropped:0 overruns:0 carrier:0</div><div>
collisions:0 txqueuelen:500 </div><div> RX bytes:74324 (74.3 KB) TX bytes:84372 (84.3 KB)</div><div><br></div><div>vnet1 Link encap:Ethernet HWaddr fe:16:3e:5c:99:18 </div><div> inet6 addr: fe80::fc16:3eff:fe5c:9918/64 Scope:Link</div>
<div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:422 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:520 errors:0 dropped:0 overruns:0 carrier:0</div><div>
collisions:0 txqueuelen:500 </div><div> RX bytes:71120 (71.1 KB) TX bytes:63161 (63.1 KB)</div><div><br></div><div>wlan0 Link encap:Ethernet HWaddr 00:24:01:12:c8:6b </div><div> BROADCAST MULTICAST MTU:1500 Metric:1</div>
<div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:1000 </div><div> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)</div>
</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 21 January 2013 11:15, Kevin Jackson <span dir="ltr"><<a href="mailto:kevin@linuxservices.co.uk" target="_blank">kevin@linuxservices.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi Roni,<br></div>VirtualBox should honour the VLAN tagging, but it seems it's related to the driver type used: e1000 strips the VLAN tag it seems. I don't recall having this issue, but if I get time I'll be happy to spin an environment up and have a play.<br>
<br></div>See this post: <a href="http://humbledown.org/virtualbox-intel-vlan-tag-stripping.xhtml" target="_blank">http://humbledown.org/virtualbox-intel-vlan-tag-stripping.xhtml</a><br><div><br>Regards,<br>Kev<br></div>
</div><div class="gmail_extra">
<br><br><div class="gmail_quote"><div><div>On 20 January 2013 15:32, Ronivon Costa <span dir="ltr"><<a href="mailto:ronivon.costa@gmail.com" target="_blank">ronivon.costa@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
<div dir="ltr">Hello,<div><br></div><div>I am playing with OpenStack and VlanManager in a VirtualBox machine. Is tenant isolation supposed to work in this setup?</div><div><br></div><div>I have several tenants, and the instances for them have landed on different subnets (11.0.1.x, 11.0.2.x, 11.0.3.x, etc).</div>
<div><br></div><div>It is possible to ping and ssh into other tenants' instances from any tenant! </div><div><br></div><div>Is this the correct behaviour for a virtualized deployment?</div><div><br>
</div><div>Cheers,</div><div>Roni</div><div><br></div></div>
<br></div></div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br>Kevin Jackson<br>@itarchitectkev
</font></span></div>
</blockquote></div><br></div>
</blockquote></div><br></div></div></div></div></div></blockquote></div><br></div>
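Added example, not code from the thread or from OpenStack: the audit Vish's advice implies. With VLANs giving L2 isolation and security groups the only L3 filter, a rule whose source CIDR overlaps another tenant's network is cross-tenant exposure. The tenant networks are the two from the `nova-manage network list` output in the thread; the rules are constructed samples in the `nova secgroup-add-rule` form, each tagged with the project assumed to have added it.

```python
import ipaddress

# Tenant networks as `nova-manage network list` shows them in the thread:
# project id -> list of CIDRs (VLAN 100 and VLAN 101).
TENANT_NETWORKS = {
    "c0561ee64e6c40b2aea3bdcf47916f18": ["10.0.0.0/24"],
    "36ae086d927f49039cedfcb046463876": ["10.0.1.0/24"],
}

# Constructed sample (not real data): rules in the `nova secgroup-add-rule`
# form used in the thread, tagged with the project assumed to have added them.
SAMPLE_RULES = [
    ("c0561ee64e6c40b2aea3bdcf47916f18",
     "nova secgroup-add-rule default tcp 22 22 0.0.0.0/0"),
    ("c0561ee64e6c40b2aea3bdcf47916f18",
     "nova secgroup-add-rule default tcp 22 22 10.0.0.0/24"),
    ("36ae086d927f49039cedfcb046463876",
     "nova secgroup-add-rule default icmp -1 -1 10.0.0.0/16"),
    ("36ae086d927f49039cedfcb046463876",
     "nova secgroup-add-rule default tcp 80 80 192.168.0.0/24"),
]


def parse_rule(cmd):
    """Parse `nova secgroup-add-rule <group> <proto> <from> <to> <cidr>`."""
    tok = cmd.split()
    if tok[:2] != ["nova", "secgroup-add-rule"] or len(tok) != 7:
        raise ValueError("not a secgroup-add-rule command: %r" % cmd)
    return {"group": tok[2], "proto": tok[3], "from_port": int(tok[4]),
            "to_port": int(tok[5]), "cidr": ipaddress.ip_network(tok[6])}


def cross_tenant_exposures(rules, tenant_networks):
    """Return rules whose source CIDR overlaps another tenant's network.

    Security groups are the only L3 filter between tenants here, so a rule
    that admits another tenant's range lets that tenant reach the port.
    A rule limited to the tenant's own subnet is not reported.
    """
    findings = []
    for project, cmd in rules:
        rule = parse_rule(cmd)
        exposed_to = sorted(
            other for other, nets in tenant_networks.items()
            if other != project
            and any(rule["cidr"].overlaps(ipaddress.ip_network(n)) for n in nets)
        )
        if exposed_to:
            findings.append((project, rule["proto"], rule["from_port"],
                             rule["to_port"], str(rule["cidr"]), exposed_to))
    return findings


if __name__ == "__main__":
    for f in cross_tenant_exposures(SAMPLE_RULES, TENANT_NETWORKS):
        print("project %s: %s %d-%d from %s reachable by %s" % f)
```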