[Openstack] [Neutron] [Nova]
Марк Федурин
mark at promobit.ru
Fri Aug 7 09:25:04 UTC 2015
Hello,
This is quite a long story and I hope I could get feedback from someone in a similar position, because despite all the efforts I'm really lost in configuration and documentation.

I work for a hosting provider as an administrator and I've recently been checking out OpenStack as a replacement for our current not-so-very-flexible VM management solution. It's not very important what was wrong with it, but OpenStack seemed to be a good replacement so I decided to give it a try.

It indeed turned out to be sort of what we were looking for, but after setting up a test multi-host deployment I realized that things get complicated with flat provider networks.

The problems I encountered so far are the inability to properly set up a provider network using VLANs (because then the DHCP server fails to assign an IP for a reason I could not reliably determine, possibly due to incorrect configuration of hardware, but I double-checked and it seemed to be valid) and broken MAC/IP/ARP spoofing protection.

I don't really care about VLANs because each instance is going to have a fixed public IP address anyway and I have a separate interface for external networking, so the problem that bothers me is security. I did some scouting around and I found out the following things:

* Nova adds filtering rules to the FORWARD table but the packets don't pass through this table (because they go through the bridge). Instead, rules should be added through ebtables, but they, apparently, aren't.

* While libvirt provides a way to configure such filtering, OpenStack doesn't make use of it. I don't even quite get how it's supposed to work.

* Despite br-int (being the integration bridge) and br-provider (being the provider interface bridge) being down, the networking in instances seems to work fine (they can even access the Internet).

So, about configuration.

The networking was configured according to the CentOS setup guide:
http://docs.openstack.org/kilo/install-guide/install/yum/content/ch_preface.html
with the exception that the configuration was then changed to something similar to what is provided here:
http://docs.openstack.org/networking-guide/scenario_provider_ovs.html

Only the basic configuration was set up, with two nodes: one being the controller node, the other being the compute node.

The controller node is running Postgres, RabbitMQ, MongoDB, Keystone and the corresponding controller components of Nova, Glance, Cinder, Ceilometer and Neutron.

The compute node is running the corresponding compute components of Nova, Neutron, Ceilometer and Cinder.

Sorry if I've missed something. I don't want to copy-paste everything here, so feel free to request specific parts if needed.

I hope there's someone out there in a similar or at least remotely similar situation. I would very much like to hear about their experience setting up this configuration.
Thanks in advance,
Mark
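As an added illustration of the libvirt filtering mechanism the mail mentions (example configuration, not from the original post or from the OpenStack project): a custom libvirt network filter built on libvirt's built-in `clean-traffic` filter, which enforces MAC, IP and ARP anti-spoofing through ebtables rules on the guest's tap device, and the domain interface that binds a guest's fixed IP to it. The filter name, bridge name, MAC and IP address are made-up placeholders, and the bridge is assumed to be a Linux bridge, since ebtables only sees frames crossing a Linux bridge, not a port plugged directly into Open vSwitch.

```xml
<!-- Added example (not from the original mail).
     File guest-antispoof.xml, loaded with: virsh nwfilter-define guest-antispoof.xml
     clean-traffic pulls in no-mac-spoofing, no-ip-spoofing and no-arp-spoofing,
     so a guest can only send frames from its own MAC and from the IP in $IP. -->
<filter name='guest-antispoof' chain='root'>
  <!-- $IP comes from the interface's <parameter> below; $MAC is filled in by
       libvirt from the interface's own <mac address=.../>. -->
  <filterref filter='clean-traffic'/>
  <!-- Assumption for this example: the provider network is IPv4-only,
       so drop all IPv6 frames in both directions as well. -->
  <rule action='drop' direction='inout' priority='500'>
    <mac protocolid='ipv6'/>
  </rule>
</filter>

<!-- In the guest's domain XML (virsh edit <domain>): attach the filter and
     supply the fixed IP assigned to this instance. 'brguest0' stands for a
     Linux bridge; 203.0.113.10 and the MAC are placeholder values. -->
<interface type='bridge'>
  <source bridge='brguest0'/>
  <mac address='52:54:00:12:34:56'/>
  <model type='virtio'/>
  <filterref filter='guest-antispoof'>
    <parameter name='IP' value='203.0.113.10'/>
  </filterref>
</interface>

<!-- Verification from the hypervisor after the guest starts:
       virsh nwfilter-dumpxml clean-traffic   (shows the included sub-filters)
       ebtables -t nat -L                     (libvirt-I-vnetN / libvirt-O-vnetN
                                               chains carry the per-tap rules)
     A guest that sources a frame from another MAC or IP is dropped there,
     which is the check the mail found missing with iptables FORWARD alone. -->
```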