[Openstack-operators] Reserve an external network for 1 tenant
Saverio Proto
zioproto at gmail.com
Mon Oct 3 07:11:28 UTC 2016
Hello Matt,
first of all, in the file plugins/ml2/openvswitch_agent.ini
you need to have bridge mappings, in my case for example:

    bridge_mappings = physnet1:br-eth3,physnet2:br-eth4

This will define what physnet1 means in the OpenStack context. To
create the external network I do:

    openstack network create --no-share --project uuid \
        --provider-physical-network physnet2 --provider-network-type flat \
        --external NETWORKNAME

Of course the --no-share is useless because, the network being external,
it will be shared by default.
Saverio
2016-10-03 6:15 GMT+02:00 Matt Kassawara <mkassawara at gmail.com>:
> How are you creating the provider (external) network?
>
> On Thu, Sep 29, 2016 at 6:01 AM, Saverio Proto <zioproto at gmail.com> wrote:
>>
>> Hello,
>>
>> Context:
>> - openstack liberty
>> - ubuntu trusty
>> - neutron networking with vxlan tunnels
>>
>> We have been running OpenStack with a single external network so far.
>>
>> Now we have a specific VLAN in our datacenter with some hardware boxes
>> that need a connection to a specific tenant network.
>>
>> To make this possible I changed the configuration of the network node
>> to support multiple external networks. I am able to create a router
>> and set as external network the new physnet where the boxes are.
>>
>> Everything looks nice except that all the projects can benefit from
>> this new external network. In any tenant I can create a router, and
>> set the external network and connect to the boxes. I cannot restrict
>> it to a specific tenant.
>>
>> I found this piece of documentation:
>>
>>
>> https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks
>>
>> So it looks like it is impossible to have a flat external network
>> reserved for 1 specific tenant.
>>
>> I also tried to follow this documentation:
>>
>> http://docs.openstack.org/liberty/networking-guide/adv-config-network-rbac.html
>>
>> But it does not specify if it is possible to specify a policy for an
>> external network to limit the sharing.
>>
>> It did not work for me so I guess this does not work when the secret
>> network I want to create is external.
>>
>> There is an action --action access_as_external that is not clear to me.
>>
>> It also looks like this feature is evolving in Newton:
>> http://docs.openstack.org/draft/networking-guide/config-rbac.html
>>
>> Has anyone tried similar setups? What is the minimum OpenStack
>> version to get this done?
>>
>> Thank you
>>
>> Saverio
>>
>
>
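An added example, not part of the original thread: a small audit of Neutron RBAC policy records that reports whether an external network meant for one project can still be used by others. It assumes a release where the access_as_external action mentioned in the thread is available and records with the field names object_type, object_id, action and target_tenant; the sample records, network ids and project ids are constructed.

```python
import json

# Constructed sample, shaped like the "rbac_policies" list returned by
# Neutron's RBAC API (assumption). All ids are made up for illustration.
SAMPLE = json.loads("""[
 {"object_type": "network", "object_id": "net-public",
  "action": "access_as_external", "target_tenant": "*"},
 {"object_type": "network", "object_id": "net-hwboxes",
  "action": "access_as_external", "target_tenant": "project-a"},
 {"object_type": "network", "object_id": "net-hwboxes",
  "action": "access_as_external", "target_tenant": "*"},
 {"object_type": "network", "object_id": "net-lab",
  "action": "access_as_external", "target_tenant": "project-b"},
 {"object_type": "network", "object_id": "net-lab",
  "action": "access_as_shared", "target_tenant": "project-c"}
]""")

def external_exposure(policies):
    """Map network id -> set of targets that may use it as an external network."""
    exposure = {}
    for pol in policies:
        if (pol.get("object_type") == "network"
                and pol.get("action") == "access_as_external"):
            exposure.setdefault(pol["object_id"], set()).add(pol["target_tenant"])
    return exposure

def audit(policies, reserved):
    """reserved maps network id -> set of project ids allowed to use it.
    Returns (network, finding, projects) tuples for every deviation."""
    exposure = external_exposure(policies)
    findings = []
    for net in sorted(reserved):
        targets = exposure.get(net, set())
        allowed = reserved[net]
        if "*" in targets:
            # A wildcard target grants every project, so per-project
            # entries on the same network do not restrict anything.
            findings.append((net, "wildcard", ["*"]))
        extra = sorted(targets - allowed - {"*"})
        if extra:
            findings.append((net, "unexpected", extra))
        missing = sorted(allowed - targets)
        if missing and "*" not in targets:
            findings.append((net, "not-granted", missing))
    return findings

if __name__ == "__main__":
    wanted = {"net-hwboxes": {"project-a"}, "net-lab": {"project-a"}}
    for finding in audit(SAMPLE, wanted):
        print(finding)
```

To run it against a real deployment, replace SAMPLE with the RBAC policy list exported from your own Neutron API and set the reserved mapping to the projects each external network is intended for.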