[openstack-dev] [Neutron] Partially Shared Networks
Jay Pipes
jaypipes at gmail.com
Mon Jan 13 20:37:29 UTC 2014
On Mon, 2014-01-13 at 11:47 -0800, Rick Jones wrote:
> On 01/13/2014 07:32 AM, Jay Pipes wrote:
> > On Mon, 2014-01-13 at 10:23 +0000, Stephen Gran wrote:
> >> Hi,
> >>
> >> I don't think that's what's being asked for. Just that there be more
> >> than the current check for '(isowner of network) or (shared)'
> >>
> >> If the data point could be 'enabled for network' for a given tenant,
> >> that would be more flexible.
> >
> > Agreed, but I believe Mathieu is thinking more in terms of how such a
> > check could be implemented. What makes this problematic (at least in my
> > simplistic understanding of Neutron wiring) is that there is no
> > guarantee that tenant A's subnet does not overlap with tenant B's
> > subnet. Because Neutron allows overlapping subnets (since Neutron uses
> > network namespaces for isolating traffic), code would need to be put in
> > place that says, basically, "if this network is shared between tenants,
> > then do not allow overlapping subnets, since a single, shared network
> > namespace will be needed that routes traffic between the tenants".
> >
> > Or at least, that's what I *think* is part of the problem...
>
> Are such checks actually necessary? That is to say, unless it will
> completely fubar something internally in a database or something (versus
> just having confused routing), I would think that it would be but a
> nicety for Neutron runtime to warn the user(s) they were about to try to
> connect overlapping subnets to the same router. Nice to report it
> perhaps as a warning, but not an absolutely required bit of
> functionality to go forward.
Sure, good points.
> If Tenant A and Tenant B were separate, recently merged companies, they
> would have to work-out, in advance, issues of address overlap before
> they could join their two networks. At one level at least, we could
> consider their trying to do the same sort of thing within the context of
> Neutron as being the same.
>
> FWIW, here is an intra-tenant attempt to assign two overlapping subnets
> to the same router. Of course I'm probably playing with older bits in
> this particular sandbox and they won't reflect the current top-of-trunk:
>
> $ nova list
> +--------------------------------------+------------------------+--------+------------+-------------+-------------------------------+
> | ID                                   | Name                   | Status | Task State | Power State | Networks                      |
> +--------------------------------------+------------------------+--------+------------+-------------+-------------------------------+
> | d97a46ed-19eb-4a87-8536-eb9ca4ba3895 | overlap-net0000_lg0000 | ACTIVE | None       | Running     | overlap-net0000=192.168.123.2 |
> | ad8d6c9c-9a4c-442e-aebf-fd30475b7675 | overlap-net0001_lg0000 | ACTIVE | None       | Running     | overlap-net0001=192.168.123.2 |
> +--------------------------------------+------------------------+--------+------------+-------------+-------------------------------+
> $ neutron subnet-list
> +--------------------------------------+--------------------+------------------+------------------------------------------------------+
> | id                                   | name               | cidr             | allocation_pools                                     |
> +--------------------------------------+--------------------+------------------+------------------------------------------------------+
> | d6015301-e5bf-4f1a-b3b3-5bde71a52496 | overlap-subnet0001 | 192.168.123.0/24 | {"start": "192.168.123.2", "end": "192.168.123.254"} |
> | faddcc32-7bb6-4cb2-862e-7738e5c54f6d | overlap-subnet0000 | 192.168.123.0/24 | {"start": "192.168.123.2", "end": "192.168.123.254"} |
> +--------------------------------------+--------------------+------------------+------------------------------------------------------+
> $ neutron router-create overlap-router0001
> Created a new router:
> +-----------------------+--------------------------------------+
> | Field                 | Value                                |
> +-----------------------+--------------------------------------+
> | admin_state_up        | True                                 |
> | external_gateway_info |                                      |
> | id                    | 88339018-d286-45ec-b2d2-ccb78ae78837 |
> | name                  | overlap-router0001                   |
> | status                | ACTIVE                               |
> | tenant_id             | 57367642563150                       |
> +-----------------------+--------------------------------------+
> $ neutron router-interface-add overlap-router0001 overlap-subnet0000
> Added interface b637cb32-c33a-4565-a6f3-b7ea22a02be0 to router overlap-router0001.
> $ neutron router-interface-add overlap-router0001 overlap-subnet0001
> 400-{u'QuantumError': u'Bad router request: Cidr 192.168.123.0/24 of subnet d6015301-e5bf-4f1a-b3b3-5bde71a52496 overlaps with cidr 192.168.123.0/24 of subnet faddcc32-7bb6-4cb2-862e-7738e5c54f6d'}
OK, so it looks like the plumbing is already in place, and all that
would need doing is lifting the restriction that a router only service a
single tenant unless the network is globally shared...
But again, I'm sure there's more to it than that ;)
-jay
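The two checks this thread turns on, the network-access policy ("is owner of network, or network is shared") and the overlapping-CIDR check that the sandbox run hit on `router-interface-add`, modelled together in a small constructed Python example. This is added illustration, not Neutron code: `Network`, `Subnet`, `Router`, the `allowed_tenants` allow list (the per-tenant "enabled for network" data point Stephen suggests) and the two `may_use_network_*` policies are hypothetical names, and the error strings only imitate the 400 body quoted above.

```python
"""Toy model of the two Neutron checks discussed in the thread: which tenants
may attach to a network, and the overlapping-CIDR check run when a subnet is
added as a router interface. Constructed example; not Neutron's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class Network:
    id: str
    tenant_id: str             # owning tenant
    shared: bool = False       # the existing global 'shared' flag
    # Hypothetical per-tenant allow list (the "enabled for network" data point
    # suggested in the thread); Neutron of that era had no such attribute.
    allowed_tenants: Set[str] = field(default_factory=set)


@dataclass
class Subnet:
    id: str
    network: Network
    cidr: str


class BadRouterRequest(Exception):
    """Stands in for the HTTP 400 'Bad router request' the CLI printed."""


def may_use_network_current(net: Network, tenant_id: str) -> bool:
    """The check as the thread describes it: (is owner of network) or (shared)."""
    return net.tenant_id == tenant_id or net.shared


def may_use_network_proposed(net: Network, tenant_id: str) -> bool:
    """Same check extended with an explicit per-tenant allow list."""
    return may_use_network_current(net, tenant_id) or tenant_id in net.allowed_tenants


class Router:
    def __init__(self, router_id: str, tenant_id: str,
                 policy: Callable[[Network, str], bool] = may_use_network_current):
        self.id = router_id
        self.tenant_id = tenant_id
        self.policy = policy
        self.interfaces: List[Subnet] = []

    def add_interface(self, subnet: Subnet) -> None:
        # Authorisation first: the router's tenant must be allowed on the
        # subnet's network, otherwise the request is refused outright.
        if not self.policy(subnet.network, self.tenant_id):
            raise BadRouterRequest(
                f"Bad router request: tenant {self.tenant_id} may not use "
                f"network {subnet.network.id}")
        # Then the overlap check from the sandbox run: every subnet already
        # plumbed into this router must be disjoint from the new one.
        # ipaddress.overlaps handles differing prefix lengths, not just
        # identical CIDRs.
        new = ipaddress.ip_network(subnet.cidr)
        for existing in self.interfaces:
            if new.overlaps(ipaddress.ip_network(existing.cidr)):
                raise BadRouterRequest(
                    f"Bad router request: Cidr {subnet.cidr} of subnet "
                    f"{subnet.id} overlaps with cidr {existing.cidr} of "
                    f"subnet {existing.id}")
        self.interfaces.append(subnet)


def intra_tenant_overlap() -> str:
    """Reproduce the quoted sandbox run: two subnets with the same /24."""
    net0 = Network("overlap-net0000", "tenantA")
    net1 = Network("overlap-net0001", "tenantA")
    router = Router("overlap-router0001", "tenantA")
    router.add_interface(Subnet("overlap-subnet0000", net0, "192.168.123.0/24"))
    try:
        router.add_interface(Subnet("overlap-subnet0001", net1, "192.168.123.0/24"))
    except BadRouterRequest as err:
        return str(err)
    return "accepted"


def cross_tenant(policy: Callable[[Network, str], bool]) -> str:
    """Tenant B's router attaches a non-shared network owned by tenant A that
    lists tenant B in its allow list; only the proposed policy accepts it."""
    net_a = Network("net-a", "tenantA", allowed_tenants={"tenantB"})
    router = Router("router-b", "tenantB", policy=policy)
    try:
        router.add_interface(Subnet("subnet-a", net_a, "10.0.0.0/24"))
    except BadRouterRequest as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(intra_tenant_overlap())
    print(cross_tenant(may_use_network_current))
    print(cross_tenant(may_use_network_proposed))
```

The ordering matters for the security point: the access check is evaluated before the CIDR check, so a tenant who is not allowed on a network learns nothing about which CIDRs are already attached to someone else's router. Lifting the "single tenant unless globally shared" restriction, as Jay suggests, is then a change to the policy function alone; the overlap check keeps working unchanged across tenants.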