<div dir="ltr">George and Anne,<div><br></div><div>Thank you. I'll dig into the security guide and look forward to the architecture guide next month.</div><div><br></div><div>//Daniel</div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Jun 12, 2014 at 4:07 PM, Anne Gentle <span dir="ltr"><<a href="mailto:anne@openstack.org" target="_blank">anne@openstack.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Thu, Jun 12, 2014 at 8:51 AM, George Mihaiescu <span dir="ltr"><<a href="mailto:George.Mihaiescu@q9.com" target="_blank">George.Mihaiescu@q9.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<u></u>
<div lang="EN-US" link="blue" vlink="blue">
<div>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Hi Daniel,<u></u><u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">It’s recommended to separate the external
traffic reaching the Dashboard from the management, so the Dashboard server(s)
should have at least two NICs (public and management).<u></u><u></u></span></font></p>
<p class="MsoNormal"><u></u><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">The</span></font><u></u><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"> installation guide covers only one of the multitudes of possible
deployment scenarios, and in this case it describes a single NIC deployment
model.<u></u><u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><u></u><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">The</span></font><u></u><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"> security recommendations for the Keystone endpoints are discussed
in the Security guide (<a href="http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html" target="_blank">http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html</a>)
which is a must-read before deploying OpenStack in production.</span></font></p></div></div></blockquote><div><br></div></div><div>Was just going to say something similar. The Install Guide is to get people going quickly. </div>
<div><br></div><div>Read the Operations Guide for two real-world deployment architectures, and read the Security Guide for securing endpoints and the rest of the cloud. </div><div><br></div><div>Next month we'll have an Architecture Guide to give even more input and guidance for production clouds. </div>
<div><br></div><div>Anne</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><div lang="EN-US" link="blue" vlink="blue"><div><p class="MsoNormal">
<font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u><u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">George<u></u><u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy"><u></u> <u></u></span></font></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><font size="3" face="Times New Roman"><span style="font-size:12.0pt">
<hr size="2" width="100%" align="center">
</span></font></div>
<p class="MsoNormal"><b><font face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma;font-weight:bold">From:</span></font></b><font face="Tahoma"><span style="font-size:10.0pt;font-family:Tahoma"> Daniel Petersen
[mailto:<a href="mailto:daniel.petersen@hpc2n.umu.se" target="_blank">daniel.petersen@hpc2n.umu.se</a>] <br>
<b><span style="font-weight:bold">Sent:</span></b> Thursday, June 12, 2014 3:20
AM<br>
<b><span style="font-weight:bold">To:</span></b> <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
<b><span style="font-weight:bold">Subject:</span></b> [Openstack] Adapting the
install guide network setup for production</span></font><u></u><u></u></p>
</div><div><div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><br clear="all">
<u></u><u></u></span></font></p>
<div>
<p class="MsoNormal"><font size="3" face="Arial"><span style="font-size:12.0pt;font-family:Arial">edit: failed to add '[Openstack]' to the subject line
previously. Hopefully avoiding everyone's spam filter this time around!</span></font><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">Hi,</span></font><u></u><u></u></p>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">Using the network strategy from the 'Installation Guide for
Ubuntu' here:<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><a href="http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html" target="_blank">http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html</a><u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">How might one adapt this for a production setup,
particularly with security in mind?<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">A couple of thoughts that lead to this question:<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">*With the controller node having only one NIC, all
management communication is passing through the same NIC as user API or
dashboard traffic. Wouldn't it be better to move user facing services, such as
the dashboard to another 'external' interface, thus keeping the management
network and interface isolated from external traffic?<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">*Possibly related, how would the API service endpoint URLs
be affected by this change, or how should they be configured? (publicurl,
internalurl, adminurl) <u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">As an aside, where might I find a good explanation of the
respective roles of these URLs? <u></u>The<u></u>
CLI Reference only states the obvious, e.g.: "--publicurl - Public URL endpoint"<u></u><u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">Regards,<br clear="all">
<u></u><u></u></span></font></p>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial"><u></u> <u></u></span></font></p>
</div>
<div>
<p class="MsoNormal"><font size="1" face="Arial"><span style="font-size:8.5pt;font-family:Arial">Daniel<u></u><u></u></span></font></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><font size="3" face="Times New Roman"><span style="font-size:12.0pt"><u></u> <u></u></span></font></p>
</div>
</div>
</div>
</div></div></div>
</div>
<br></div>
<br></blockquote></div><br></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div>Daniel Petersen</div><div>Systems Engineer</div><div>HPC2N, Umeå University</div><div>Tel +46907866455</div><div><a href="https://www.hpc2n.umu.se/" target="_blank">https://www.hpc2n.umu.se/</a></div>
<div><br></div></div>
</div>