<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Thiago, <br>
      <br>
      Thanks for your info and for sharing the scripts. I don't have a similar
      config in our firewall; are there other alternatives? <br>
      <br>
      Thanks,<br>
      Xin<br>
      <br>
      <br>
      On 10/9/2013 6:17 PM, Martinx - ジェームズ wrote:<br>
    </div>
    <blockquote
cite="mid:CAJSM8J3SPLWdik_Y04Nsn30p-vOGWS9vNoqtAefkGGUL0XVYjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Xin,
        <div><br>
        </div>
        <div>I don't know if it can help you out but, I'm using "Name
          Resolution" for all my OpenStack services, this means that
          it doesn't matter what the IP of the endpoint is, even if it is
          IPv4 or IPv6, it will work out-of-the-box (in most of my tests)...</div>
        <div><br>
        </div>
        <div>So, when people try to resolve your Quantum endpoint from
          the Internet, you'll provide your ISP IP and, with a NAT rule
          at your firewall, you'll redirect it (DNAT) to the
          internal-only endpoint IP address. And, when people try to
          resolve the endpoint from within your network, you should
          provide your internal IP for them.</div>
        <div><br>
        </div>
        <div>I can say that: it works for me.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Please, check my Keystone scripts (you can see where I use
          Name Resolution instead of IPs):</div>
        <div><br>
        </div>
        <div>
          <div>wget <a moz-do-not-send="true"
href="https://gist.github.com/tmartinx/5453358/raw/f132d27eeab0c3c25d5b3e65bfec6704503e84b6/keystone_basic.sh">https://gist.github.com/tmartinx/5453358/raw/f132d27eeab0c3c25d5b3e65bfec6704503e84b6/keystone_basic.sh</a></div>
          <div> </div>
          <div>wget <a moz-do-not-send="true"
href="https://gist.github.com/tmartinx/5453336/raw/eded917b78213123c46b62be18f55f3c7aac558e/keystone_endpoints_basic.sh">https://gist.github.com/tmartinx/5453336/raw/eded917b78213123c46b62be18f55f3c7aac558e/keystone_endpoints_basic.sh</a></div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>NOTE: With IPv6, this is much easier to achieve,
          since there is no need to deal with creepy NAT rules. Which
          means that your endpoints will always have a public IP address
          (if you have IPv6). Keep it in mind!</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Cheers!</div>
        <div>Thiago</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On 9 October 2013 12:28, Xin Zhao <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:xzhao@bnl.gov" target="_blank">xzhao@bnl.gov</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Thanks for all the replies. <br>
                <br>
                One more question though: when defining the endpoint for
                the network service, the IP should be for the network host,
                not the controller host (we have them on separate hosts,
                as most docs suggest). <br>
                But the network host doesn't have a single out-facing IP
                assigned to it; the doc says the out-facing NIC should
                have a range of IPs assigned to it from the external
                provider network. In this case, <br>
                how do I define the publicurl for the quantum service
                endpoint? If the info of endpoints is only used by the
                other openstack components, can I just put the internal
                IP in for the publicurl? <br>
                <br>
                Thanks,<br>
                Xin
                <div>
                  <div class="h5"><br>
                    <br>
                    On 10/7/2013 12:07 PM, JuanFra Rodriguez Cardoso
                    wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">Yes, internal and adminurl are
                      normally the same address.<br>
                    </div>
                    <div class="gmail_extra"><br clear="all">
                      <div>
                        <div>---</div>
                        JuanFra</div>
                      <br>
                      <br>
                      <div class="gmail_quote">2013/10/7 Razique Mahroua
                        <span dir="ltr"><<a moz-do-not-send="true"
                            href="mailto:razique.mahroua@gmail.com"
                            target="_blank">razique.mahroua@gmail.com</a>></span><br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"> Hi,<br>
                          yes :)<br>
                          Internal and adminurl should be the private
                          network, and "public" the "out-facing" IP<br>
                          <br>
                          Razique<br>
                          <br>
                          On 7 Oct 2013, at 17:30, Xin Zhao <<a
                            moz-do-not-send="true"
                            href="mailto:xzhao@bnl.gov" target="_blank">xzhao@bnl.gov</a>>

                          wrote:<br>
                          <div>
                            <div><br>
                              > Hello,<br>
                              ><br>
                              > Our openstack controller has two IPs,
                              one out-facing, the other is internal only
                              (on the management network).<br>
                              > When it comes to defining service
                              endpoints in keystone, the publicurl entry
                              should be the out-facing IP, and the<br>
                              > internalurl and adminurl should be
                              the internal IP, right?<br>
                              ><br>
                              > Thanks,<br>
                              > Xin<br>
                              ><br>
                              >
                              _______________________________________________<br>
                              > Mailing list: <a
                                moz-do-not-send="true"
                                href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
                                target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
                              > Post to     : <a
                                moz-do-not-send="true"
                                href="mailto:openstack@lists.openstack.org"
                                target="_blank">openstack@lists.openstack.org</a><br>
                              > Unsubscribe : <a
                                moz-do-not-send="true"
                                href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
                                target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
                              <br>
                            </div>
                          </div>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
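    <div>Added example, not code from any poster in this thread: an offline check of the layout discussed above (internalurl and adminurl on the private network, publicurl answered differently for inside and outside clients). The hostnames, addresses and the two DNS "views" are constructed sample data, and the function names are hypothetical.</div>

```python
import ipaddress
from urllib.parse import urlsplit

# Internal ranges: RFC 1918 plus IPv6 ULA. ipaddress.is_private is not used because
# it also matches documentation ranges such as the 203.0.113.0/24 sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def resolve(host, view):
    """Return addresses for host: IP literals as-is, names from the given DNS view."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return view.get(host, [])

def audit_endpoint(ep, internal_view, external_view):
    """Return a list of findings for one Keystone endpoint record."""
    findings = []
    for kind in ("internalurl", "adminurl"):
        inside = resolve(urlsplit(ep[kind]).hostname, internal_view)
        if not inside or not all(is_internal(a) for a in inside):
            findings.append(kind + ": not on the private network from inside")
    host = urlsplit(ep["publicurl"]).hostname
    if not any(is_internal(a) for a in resolve(host, internal_view)):
        findings.append("publicurl: inside clients are not given an internal address")
    outside = resolve(host, external_view)
    if not outside or any(is_internal(a) for a in outside):
        findings.append("publicurl: outside clients are not given a routable address")
    return findings

# Constructed sample data (assumed names and addresses, not taken from the thread).
INTERNAL_VIEW = {"quantum.example.org": ["10.0.0.11"]}
EXTERNAL_VIEW = {"quantum.example.org": ["203.0.113.10"]}  # ISP address, DNAT to 10.0.0.11

# Same name in all three URLs; each DNS view answers with a different address.
GOOD = {"publicurl": "http://quantum.example.org:9696/",
        "internalurl": "http://quantum.example.org:9696/",
        "adminurl": "http://quantum.example.org:9696/"}
# Internal IP used as publicurl, and an out-facing IP used as adminurl.
BAD = {"publicurl": "http://10.0.0.11:9696/",
       "internalurl": "http://quantum.example.org:9696/",
       "adminurl": "http://203.0.113.10:9696/"}

if __name__ == "__main__":
    for name, ep in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_endpoint(ep, INTERNAL_VIEW, EXTERNAL_VIEW))
```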
  </body>
</html>