[openstack-dev] [lbaas][octavia] Security/networking questions

Michael Johnson johnsomor at gmail.com
Mon Feb 8 20:34:20 UTC 2016

1. Octavia can run under it's own account with the required roles
added to that account.
2. Currently the process would be to update the amphora image in
glance and trigger a failover of the amphora.
3. It is required.  It is a private network between the Octavia
controller and the amphora.  We would like to put the haproxy instance
in it's own namespace be we are not there yet.


On Mon, Feb 8, 2016 at 7:55 AM, Major Hayden <major at mhtx.net> wrote:
> Hash: SHA256
> Hey there,
> I've been doing some work to research how best to implement LBaaSv2 and Octavia within the OpenStack-Ansible project.  During that research, I've come up with a few questions.
> 1) Is it possible for octavia to operate without providing it with admin credentials?
> 2) If a user has amphora LB's deployed and a serious vulnerability is released for OpenSSL/haproxy, what should the user do to patch those load balancers?
> 3) Is a load balancer management network required?  Putting a LB onto an admin tenant network as well as a customer tenant network is challenging and bridging those networks could allow an attacker to gain access to other things on that admin tenant network.
> Thanks in advance for your time.
> - --
> Major Hayden
> Version: GnuPG v2
> DRQCcpEEljIu3O4pU8sF6yGEZX/CIoI3WXGaOBR2g0phWxEus5lhy0DdkPw4ctAa
> +UJ7da/s0C7fDbbl09TvWDe3eBoohIunLOm6ABpMT48YipfM0zJLLDEy9kQpDcFg
> qg68S5xgtC9zP9CeK1Gvsq5EwjwyX6Mt0a3+G1NMFbUoARLpDDof06YHrNFw73Td
> 25AxqToR09yRRXsJfadrjjP9/lGWNBF5f5Oh5WoPnEAiThqN08Ico3geHKIr9s2r
> Ift5NueWovCI5MUzOzqwsazKgnVgQXrgaaQwRotl5WdZbstUfWJLO+2If5/z4z8d
> AArWLXwsCgIv+I6ZyJ4R3YzJVP3KBY8+8gDswjdMV4Jfy7YV9aragy96ofCEwjuH
> p6QOGAKJZASD3cQpOdqVqQt4BaWBXMqm70sNDjfzKRBwweuOZgpNRInluDMbhngs
> Yqdj2LGUhuij50gQLa21cYJ5pcuA6yY7KNoiiPLkNbFDJtQo6cjVt/McVFPxN3mu
> RKRXpZNBgzf5UAKtrMIyPbw1wioAhbt7lgevfvCOLxHCmu0VxsLzRmOdiON5Exmg
> vopL518GJSUx93GhA0cwnqT/ilcTvDxFxPXQrvQK/XPtEQq4U3wBF/kZALK1/4tu
> 7hi/GjugHBcixIZGE5sI
> =XI9V
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list