Open Stack

út 17. 10. 2017 v 13:06 odesílatel Dan Prince <dprince at redhat.com> napsal:

> On Tue, 2017-10-17 at 10:06 +0000, milanisko k wrote:
> >
> > Does it mean dnsmasq was run from a stand-alone container?
>
> Yes. There are separate containers for the ironic-inspector and
> dnsmasq.
>
> >
> > Could you please point me (in the patch probably) to the spot where
> > we configure inspector container to be able to talk to the iptables
> > to filter the DHCP traffic for dnsmasq?
>
> Both services (ironic-inspector and dnsmasq) are using --net=host and
> --privileged. This essentially has them on the same shared host network
> thus the services can interact with the same iptables rules.
>
> >
> > I guess this configuration binds the dnsmasq container to be
> > "scheduled" together with inspector container on the same node
> > (because of the iptables).
>
> Both services are controlled via the same Heat template and as such
> even though they are in separate containers we can guarantee they
> should always get launched on the same machine.
>

How about the shared container? Wouldn't it be better not have to rely on
t-h-t especially if we're "scheduling" (and probably configuring) the
services as a single logical entity? Also would allow us to get rid of
iptables and better encapsulate the inspector services.

--
milan


> Dan
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171017/0226c447/attachment.html>