[Openstack] Adapting the install guide network setup for production

Anne Gentle anne at openstack.org
Thu Jun 12 14:07:01 UTC 2014


On Thu, Jun 12, 2014 at 8:51 AM, George Mihaiescu <George.Mihaiescu at q9.com>
wrote:

> Hi Daniel,
>
> It’s recommended to separate the external traffic reaching the Dashboard
> from the management, so the Dashboard server(s) should have at least two
> NICs (public and management).
>
> The installation guide covers only one of the multitudes of possible
> deployment scenarios, and in this case it describes a single NIC deployment
> model.
>
>
>
> The security recommendations for the Keystone endpoints are discussed in
> the Security guide (
> http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html)
> which is a must-read before deploying OpenStack in production.
>

Was just going to say something similar. The Install Guide is to get people
going quickly.

Read the Operations Guide for two real-world deployment architectures, and
read the Security Guide for securing endpoints and the rest of the cloud.

Next month we'll have an Architecture Guide to give even more input and
guidance for production clouds.

Anne


>
>
> George
>
>
>  ------------------------------
>
> *From:* Daniel Petersen [mailto:daniel.petersen at hpc2n.umu.se]
> *Sent:* Thursday, June 12, 2014 3:20 AM
> *To:* openstack at lists.openstack.org
> *Subject:* [Openstack] Adapting the install guide network setup for
> production
>
>
>
>
>  edit: failed to add '[Openstack]' to the subject line previously.
> Hopefully avoiding everyone's spam filter this time around!
>
>
>
> Hi,
>
>
>
> Using the network strategy from the 'Installation Guide for Ubuntu' here:
>
> http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html
>
> How might one adapt this for a production setup, particularly with
> security in mind?
>
>
>
> A couple of thoughts that lead to this question:
>
>
>
> * With the controller node having only one NIC, all management
> communication is passing through the same NIC as user API or dashboard
> traffic. Wouldn't it be better to move user facing services, such as the
> dashboard to another 'external' interface, thus keeping the management
> network and interface isolated from external traffic?
>
>
>
> * Possibly related, how would the API service endpoint URLs be affected by
> this change, or how should they be configured? (publicurl, internalurl,
> adminurl)
>
> As an aside, where might I find a good explanation of the respective roles
> of these URLs? The CLI Reference only states the obvious, e.g.:
> "--publicurl - Public URL endpoint"
>
>
>
> Regards,
>
>
>
> Daniel
>
>
>