[Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

romizhang1968 romizhang1968 at 163.com
Sat Jun 2 05:30:34 UTC 2012


Vish,


Thanks for your reply.
Yes, I allowed ICMP ping from 0.0.0.0/0, but the question is, I think the different instances in different tenants and VLANs on the same compute node should not touch each other: admin03 (192.168.2.3) in VLAN 200 and 201 should only be able to reach instances of the same tenant by IP, and should not be able to touch aipu01 (192.168.3.3) in VLAN 300 and aipuTenant, even on the same compute node.
I checked the route table: OpenStack creates a route entry for each bridge on the node, but in admin03 the route table only shows how to reach 192.168.2.0 and 192.168.21.0 and has no way to reach the 192.168.3.0 network. Yet admin03 could ping aipu01, which means it uses the node's route table; I do not know why.
So I want to know whether there is a way with OpenStack commands to stop this situation (not by replying that I should delete the compute node's route entry). And I think each VM should connect to an "access port" and go through a trunk port (eth1 or eth2) to communicate with the others.
Here is what I want.
regards,
Romi




At 2012-06-02 00:47:49,"Vishvananda Ishaya" <vishvananda at gmail.com> wrote:
Broadcast traffic should be blocked via the vlan separation and direct traffic should be blocked via security groups. Do you have a security group that allows ping traffic from 0.0.0.0/0?


Vish


On Jun 1, 2012, at 1:38 AM, romi zhang wrote:


Hi,
 
I use the following commands to create 2 NICs for the instances of adminTenant and 1 NIC for aipuTenant:
 
nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
 
nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
 
nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9
 
But the result is:
1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant) could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the same compute node (NC01, network+compute service).
2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the other compute node (NC02, network+compute service).
 
Is there a way or setting to forbid IP reachability between instances of different tenants in different bridges and VLANs on the same compute node?
 
Romi
 
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack at lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
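The effect Romi describes (a guest with no route to 192.168.3.0 still reaching it) is the compute node itself forwarding between its tenant bridges: with multi_host=T the node owns a gateway address on br200, br201 and br300, so every tenant subnet is a connected route in the host's table and the kernel happily routes between them. The script below is an added example, not code from the thread or from OpenStack. It parses a constructed `ip route show` snippet shaped like NC01, answers whether a given source/destination pair would be forwarded by the host across a tenant boundary, and generates host iptables FORWARD rules that drop such forwarding. Bridge names, subnets and project_ids are those from the nova-manage commands above; the route-table text, the management network 10.0.0.0/24 and the exact rule form are assumptions.

```python
"""Audit host-level forwarding between nova-network VLAN bridges.

Added example, not part of the thread or of OpenStack. Everything below
operates on constructed text so it runs offline; on a real node you would
feed it the output of `ip route show`.
"""
import ipaddress
import re
from itertools import permutations

# Constructed sample of `ip route show` on NC01. multi_host=T places a
# gateway address on every bridge, so each tenant subnet is a connected route.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.11
192.168.2.0/28 dev br200  proto kernel  scope link  src 192.168.2.1
192.168.21.0/28 dev br201  proto kernel  scope link  src 192.168.21.1
192.168.3.0/28 dev br300  proto kernel  scope link  src 192.168.3.1
"""

# Bridge -> project_id, taken from the nova-manage network create commands.
BRIDGE_PROJECT = {
    "br200": "5f9281bca6854fe3974a457d81afd78c",
    "br201": "5f9281bca6854fe3974a457d81afd78c",
    "br300": "ee29f5730caa40958bf4812a0fbec3d9",
}

# Matches connected routes of the form "<prefix> dev <device> ..."
ROUTE_RE = re.compile(r"^(\S+/\d+) dev (\S+)")


def parse_connected_routes(text):
    """Return {device: [IPv4Network, ...]} for the connected routes in text."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.setdefault(m.group(2), []).append(ipaddress.ip_network(m.group(1)))
    return routes


def bridge_for(ip, routes):
    """Device whose connected subnet contains ip, or None if the host has none."""
    addr = ipaddress.ip_address(ip)
    for dev, nets in routes.items():
        if any(addr in n for n in nets):
            return dev
    return None


def host_forwards_across_tenants(src_ip, dst_ip, routes, bridge_project):
    """True when the host has connected routes to both ends on bridges that
    belong to different projects. That is the situation in the thread: the
    kernel, not the VLAN, carries the packet from one tenant to the other."""
    s, d = bridge_for(src_ip, routes), bridge_for(dst_ip, routes)
    if s is None or d is None or s == d:
        return False
    if s not in bridge_project or d not in bridge_project:
        return False  # not a tenant bridge (e.g. eth0); out of scope here
    return bridge_project[s] != bridge_project[d]


def cross_tenant_pairs(routes, bridge_project):
    """Ordered (in_bridge, out_bridge) pairs whose projects differ."""
    bridges = [b for b in routes if b in bridge_project]
    return sorted((a, b) for a, b in permutations(bridges, 2)
                  if bridge_project[a] != bridge_project[b])


def drop_rules(pairs):
    """Host iptables rules that stop the node forwarding one tenant's bridge
    into another's. -I puts them at the top of FORWARD, ahead of the chains
    nova-network installs there."""
    return [f"iptables -I FORWARD -i {a} -o {b} -j DROP" for a, b in pairs]


if __name__ == "__main__":
    routes = parse_connected_routes(SAMPLE_ROUTES)
    print("admin03 -> aipu01 forwarded by host:",
          host_forwards_across_tenants("192.168.2.3", "192.168.3.3", routes, BRIDGE_PROJECT))
    print("admin03 web -> admin03 ssl forwarded by host:",
          host_forwards_across_tenants("192.168.2.3", "192.168.21.3", routes, BRIDGE_PROJECT))
    for rule in drop_rules(cross_tenant_pairs(routes, BRIDGE_PROJECT)):
        print(rule)
```

Run on the sample, the first check reports True (admin03 to aipu01 is routed by NC01 itself), the second False (both bridges belong to adminTenant), and four DROP rules come out, one per direction for each of the br200/br300 and br201/br300 pairs. Rules added this way live in the host's FORWARD chain, not in nova's security groups, so whether they persist across a nova-network restart is something to verify on the node rather than assume; they also do nothing for traffic that leaves the node on the trunk, which is the VLAN separation's job.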

