Hi, I'd like to get a better understanding of Rackspace's use of the multitenancy network rules in nova's plugins/xenserver/networking directory.
At the moment, as far as I can tell, the vSwitch version of the rules is set up to allow no traffic to leave domain 0 at all. This seems pretty extreme.

Also, the vSwitch version of the rules is hooked off udev at the moment. There's nothing wrong with that per se, but it wouldn't have been my choice. We're already hooking inside /etc/xensource/scripts/vif for the ebtables version of the rules, so I'd have used the same hook point for the vSwitch rules too. It would be a good idea to make sure that there's a guaranteed ordering between the rest of the code in scripts/vif and these rules, and I'm not sure that hooking off udev gives you that guarantee.

So my questions are:

* Are you using the vSwitch rules in the form that they are upstream in nova?
* Is there a reason to hook off udev, or can I move that?
* Is the blocking of traffic from dom0 deliberate? If so, I will create a patch that allows you to configure that as an option. Otherwise, I'll relax the rules unconditionally.

Thanks,

Ewan.
_______________________________________________
Mailing list: https://launchpad.net/~openstack-xenapi
Post to     : openstack-xenapi@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack-xenapi
More help   : https://help.launchpad.net/ListHelp