[openstack-dev] [kuryr] Does Kuryr support multi-tenant

Liping Mao (limao) limao at cisco.com
Wed Jan 27 08:07:41 UTC 2016


Hi Vikas,

> >The question is what you mean by multi-tenancy, if you mean that different tenants each control their own bare-metal
> >server then Kuryr already supports this. (by tenant credential configuration)
>
>    I understand kuryr can configure with tenant credential, but we still need neutron-openvswitch-agent on
> the bare-metal server, it need admin account…
>
> Vikas-- If kuryr is configured with admin credentials same credentials will be passed to neutron client APIs and thus eventually to openvswitch agent.
> Can you please elaborate "need admin account"?

Let me try to make myself clear:
AFAIK, in the case where docker runs on a bare-metal server, we need to install kuryr and neutron-openvswitch-agent on the bare-metal server.
We can configure a tenant account in this kuryr. And I think all the neutron resources which are created on this server will belong to this tenant (not the admin tenant).
But in neutron-openvswitch-agent, we still need to configure an admin account in keystone_authtoken:

[keystone_authtoken]
# auth_host = 127.0.0.1
# auth_port = 35357
# auth_protocol = http
# admin_tenant_name = %SERVICE_TENANT_NAME%
# admin_user = %SERVICE_USER%
# admin_password = %SERVICE_PASSWORD%

And the tenant can log in to the bare-metal server directly; it is not good to configure this kind of thing on this server.

Thanks.


Regards,
Liping Mao
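
An added example (not part of the original message, and not Kuryr or Neutron code): a Python check for the concern raised above. It flags live admin options in the quoted [keystone_authtoken] section and goes one step further by also flagging a file mode that lets non-owner accounts read them. The sample configs, their values and the helper names are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Option names taken from the [keystone_authtoken] section quoted in the message.
CREDENTIAL_KEYS = ("admin_tenant_name", "admin_user", "admin_password")

# Constructed samples: the quoted section with the options uncommented and
# placeholder values filled in, and the same section left commented out.
SAMPLE_ACTIVE = """[keystone_authtoken]
auth_host = 127.0.0.1
admin_tenant_name = service
admin_user = neutron
admin_password = EXAMPLE-PLACEHOLDER
"""
SAMPLE_COMMENTED = """[keystone_authtoken]
# admin_user = %SERVICE_USER%
# admin_password = %SERVICE_PASSWORD%
"""


def audit_agent_config(path):
    """List admin-credential findings for one agent config file."""
    parser = configparser.RawConfigParser(strict=False)  # Raw: '%' is not interpolated
    parser.read(path)
    findings = []
    for key in CREDENTIAL_KEYS:
        # Commented-out lines are skipped by the parser, so only live options count.
        if parser.has_option("keystone_authtoken", key):
            findings.append(f"[keystone_authtoken] {key} is set")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o} lets non-owner accounts read it")
    return findings


def write_sample(text, mode):
    """Write a constructed config to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for text, mode in ((SAMPLE_ACTIVE, 0o644), (SAMPLE_ACTIVE, 0o600), (SAMPLE_COMMENTED, 0o644)):
        print(audit_agent_config(write_sample(text, mode)))
```

Tightening the file mode only helps against tenant accounts that lack root on the host; the credential findings remain either way.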

From: Vikas Choudhary <choudharyvikas16 at gmail.com>
Reply-To: OpenStack List <openstack-dev at lists.openstack.org>
Date: Wednesday, January 27, 2016, 10:57 AM
To: OpenStack List <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [kuryr] Does Kuryr support multi-tenant


On 26 Jan 2016 13:30, "Liping Mao (limao)" <limao at cisco.com> wrote:
>
> Hi Gal,
>
> Thanks for your answer.
>
> >The question is what you mean by multi-tenancy, if you mean that different tenants each control their own bare-metal
> >server then Kuryr already supports this. (by tenant credential configuration)
>
>    I understand kuryr can configure with tenant credential, but we still need neutron-openvswitch-agent on
> the bare-metal server, it need admin account…


Vikas-- If kuryr is configured with admin credentials same credentials will be passed to neutron client APIs and thus eventually to openvswitch agent.
Can you please elaborate "need admin account"?

Thanks
Vikas

> Thanks.
>
> Regards,
> Liping Mao
>
> From: Gal Sagie <gal.sagie at gmail.com>
> Reply-To: OpenStack List <openstack-dev at lists.openstack.org>
> Date: Tuesday, January 26, 2016, 12:47 PM
> To: OpenStack List <openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [kuryr] Does Kuryr support multi-tenant
>
> Hi Liping Mao,
>
> The question is what you mean by multi-tenancy, if you mean that different tenants each control their own bare-metal
> server then Kuryr already supports this. (by tenant credential configuration)
>
> If what I think you mean, and that's running multi tenants on the same bare-metal then the problem
> here is that Docker and Kubernetes don't support something like that either (mostly for security reasons) and
> the networking is just part of it (Which is what Kuryr focuses on).
> For this, you usually pick with what Magnum offers and that's running containers inside tenant VMs.
>
> However, there are some interesting technologies and open source projects which enable
> something like that and we are evaluating them, it's definitely a long term goal for us.
>
>
>
> On Tue, Jan 26, 2016 at 5:06 AM, Liping Mao (limao) <limao at cisco.com> wrote:
>>
>> Thanks Mohammad for your clear explanation.
>> Do we have any way or roadmap or idea to support kuryr in multi-tenant in bare metal servers now?
>>
>> Thanks.
>>
>> Regards,
>> Liping Mao
>>
>>
>> From: Mohammad Banikazemi <mb at us.ibm.com>
>> Reply-To: OpenStack List <openstack-dev at lists.openstack.org>
>> Date: Tuesday, January 26, 2016, 2:35 AM
>> To: OpenStack List <openstack-dev at lists.openstack.org>
>> Subject: Re: [openstack-dev] [kuryr] Does Kuryr support multi-tenant
>>
>> Considering that the underlying container technology is not multi-tenant (as of now), your observation is correct in that all neutron resources are made for a single tenant. Until Docker supports multi tenancy, we can possibly use network options and/or wrappers for docker/swarm clients to achieve some kind of multi tenancy support. Having said that, I should add that as of now we do not have such a feature in Kuryr.
>>
>> Best,
>>
>> Mohammad
>>
>>
>> From: "Liping Mao (limao)" <limao at cisco.com>
>> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
>> Date: 01/25/2016 06:39 AM
>> Subject: [openstack-dev] [kuryr] Does Kuryr support multi-tenant
>>
>> ________________________________
>>
>>
>>
>> Hi Kuryr guys,
>>
>> I’m a newbie in kuryr, and using devstack to try kuryr now, I notice when I use kuryr to create network/port for container, the resources are in “admin”.
>> Does kuryr support multi-tenant now? For example, if I want to try kuryr in demo tenant, how can I do this?
>>
>> Thanks for your help and any help would be appreciated.
>>
>> Regards,
>> Liping Mao
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>
> --
> Best Regards ,
>
> The G.
>
>