[Openstack] Adapting the install guide network setup for production

George Mihaiescu George.Mihaiescu at Q9.com
Thu Jun 12 13:51:30 UTC 2014 

Hi Daniel,

 

It's recommended to separate the external traffic reaching the Dashboard from the management, so the Dashboard server(s) should have at least two NICs (public and management).

The installation guide covers only one of the multitudes of possible deployment scenarios, and in this case it describes a single NIC deployment model.

 

The security recommendations for the Keystone endpoints are discussed in the Security guide (http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html) which is a must-read before deploying Openstack in production.

 

George

 

________________________________

From: Daniel Petersen [mailto:daniel.petersen at hpc2n.umu.se] 
Sent: Thursday, June 12, 2014 3:20 AM
To: openstack at lists.openstack.org
Subject: [Openstack] Adapting the install guide network setup for production

 




edit: failed to add '[Openstack]' to the subject line previously. Hopefully avoiding everyone's spam filter this time around!

 

Hi,

 

Using the network strategy from the 'Installation Guide for Ubuntu' here:

 

http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html

 

How might one adapt this for a production setup, particularly with security in mind?

 

A couple of thoughts that lead to this question:

 

*With the controller node having only one NIC, all management communication is passing through the same NIC as user API or dashboard traffic. Wouldn't it be better to move user facing services, such as the dashboard to another 'external' interface, thus keeping the management network and interface isolated from external traffic?

 

*Possibly related, how would the API service endpoint URLs be affected by this change, or how should they be configured? (publicurl, internalurl, adminurl) 

As an aside, where might I find a good explanation of the respective roles of these URLs? The CLI Reference only states the obvious, e.g.: "--publicurl - Public URL endpoint"

 

Regards,


 

Daniel

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140612/12537dbe/attachment.html>

More information about the Openstack mailing list