Open Stack

George and Anne,

Thank you. I'll dig into the security guide and look forward to the
architecture guide next month.

//Daniel


On Thu, Jun 12, 2014 at 4:07 PM, Anne Gentle <anne at openstack.org> wrote:

>
>
>
> On Thu, Jun 12, 2014 at 8:51 AM, George Mihaiescu <George.Mihaiescu at q9.com
> > wrote:
>
>>   Hi Daniel,
>>
>>
>>
>> It’s recommended to separate the external traffic reaching the Dashboard
>> from the management, so the Dashboard server(s) should have at least two
>> NICs (public and management).
>>
>> The installation guide covers only one of the multitudes of possible
>> deployment scenarios, and in this case it describes a single NIC deployment
>> model.
>>
>>
>>
>> The security recommendations for the Keystone endpoints are discussed in
>> the Security guide (
>> http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html)
>> which is a must-read before deploying Openstack in production.
>>
>
> Was just going to say something similar. The Install Guide is to get
> people going quickly.
>
> Read the Operations Guide for two real-world deployment architectures, and
> read the Security Guide for securing endpoints and the rest of the cloud.
>
> Next month we'll have an Architecture Guide to give even more input and
> guidance for production clouds.
>
> Anne
>
>
>>
>>
>> George
>>
>>
>>  ------------------------------
>>
>> *From:* Daniel Petersen [mailto:daniel.petersen at hpc2n.umu.se]
>> *Sent:* Thursday, June 12, 2014 3:20 AM
>> *To:* openstack at lists.openstack.org
>> *Subject:* [Openstack] Adapting the install guide network setup for
>> production
>>
>>
>>
>>
>>  edit: failed to add '[Openstack]' to the subject line previously.
>> Hopefully avoiding everyone's spam filter this time around!
>>
>>
>>
>> Hi,
>>
>>
>>
>> Using the network strategy from the 'Installation Guide for Ubuntu' here:
>>
>>
>>
>>
>> http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html
>>
>>
>>
>> How might one adapt this for a production setup, particularly with
>> security in mind?
>>
>>
>>
>> A couple of thoughts that lead to this question:
>>
>>
>>
>> *With the controller node having only one NIC, all management
>> communication is passing through the same NIC as user API or dashboard
>> traffic. Wouldn't it be better to move user facing services, such as the
>> dashboard to another 'external' interface, thus keeping the management
>> network and interface isolated from external traffic?
>>
>>
>>
>> *Possibly related, how would the API service endpoint URLs be affected by
>> this change, or how should they be configured? (publicurl, internalurl,
>> adminurl)
>>
>> As an aside, where might I find a good explanation of the respective
>> roles of these URLs? The CLI Reference only states the obvious, e.g.:
>> "--publicurl - Public URL endpoint"
>>
>>
>>
>> Regards,
>>
>>
>>
>> Daniel
>>
>>
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
>


-- 
Daniel Petersen
Systems Engineer
HPC2N, Umeå University
Tel +46907866455
https://www.hpc2n.umu.se/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140613/1a99a47b/attachment.html>