On Thu, Mar 19, 2015 at 07:31:06AM -0700, Gurucharan Shetty wrote:
> The design was arrived at after inputs and discussions with multiple
> people, including (in alphabetical order) Aaron Rosen, Ben Pfaff,
> Ganesan Chandrashekhar, Justin Pettit, Russell Bryant and Somik Behera.
>
> Signed-off-by: Gurucharan Shetty <gshe...@nicira.com>
> +Integration of Containers with OVN and OpenStack
> +------------------------------------------------
> +
> +In a multi-tenant environment, creating containers directly on hypervisors
> +has many risks. A container application can break out and make changes to
> +the Open vSwitch flows and thus impact other tenants. This document
> +describes creation of containers inside VMs and how they can be made part
> +of the logical networks securely. The created logical network can include
> VMs,
> +containers and physical machines as endpoints. To better understand the
> +proposed integration of containers with OVN and OpenStack, this document
> +describes the end to end workflow with an example.

We've heard varying assessments of risk from different companies and groups. Some of them seem entirely comfortable with multiple tenants on top of a single kernel. I don't think it's really our job to try to convince people of the risks one way or another, so I'd tend to tone down the first two sentences of the above paragraph, maybe to:

"Isolation between containers is weaker than isolation between VMs, so some environments deploy containers for different tenants in separate VMs as an additional security measure."

which I think is entirely objective.

I'll have more comments later.

Thanks,

Ben.
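Review bot: the quoted hunk contains a line holding only "VMs," with no leading "+", sitting between "+The created logical network can include" and "+containers and physical machines as endpoints."; this looks like a mail client wrapping one over-long patch line, which would leave the patch unable to apply cleanly with git am. Please resend with line wrapping disabled (or confirm the wrap was introduced only in the reviewer's quoting), and consider breaking that sentence so no line of the document exceeds the usual width.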