Hi Daniel,

It's recommended to separate the external traffic reaching the Dashboard from
the management, so the Dashboard server(s) should have at least two NICs
(public and management).

The installation guide covers only one of the multitudes of possible deployment
scenarios, and in this case it describes a single-NIC deployment model.

The security recommendations for the Keystone endpoints are discussed in the
Security guide
(http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html),
which is a must-read before deploying OpenStack in production.

George

________________________________

From: Daniel Petersen [mailto:daniel.peter...@hpc2n.umu.se] 
Sent: Thursday, June 12, 2014 3:20 AM
To: openstack@lists.openstack.org
Subject: [Openstack] Adapting the install guide network setup for production

edit: failed to add '[Openstack]' to the subject line previously. Hopefully
avoiding everyone's spam filter this time around!

Hi,

Using the network strategy from the 'Installation Guide for Ubuntu' here:

http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html

How might one adapt this for a production setup, particularly with security in
mind?

A couple of thoughts that lead to this question:

* With the controller node having only one NIC, all management communication is
passing through the same NIC as user API or dashboard traffic. Wouldn't it be
better to move user-facing services, such as the dashboard, to another
'external' interface, thus keeping the management network and interface
isolated from external traffic?

* Possibly related, how would the API service endpoint URLs be affected by this
change, or how should they be configured? (publicurl, internalurl, adminurl)

As an aside, where might I find a good explanation of the respective roles of
these URLs? The CLI Reference only states the obvious, e.g.: "--publicurl -
Public URL endpoint"

 

Regards,

Daniel
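
The public/management separation discussed in this thread, expressed as a check over endpoint records (an added example, not part of the original messages and not OpenStack code). It assumes a policy where publicurl sits on the public network and internalurl/adminurl on the management network; the CIDRs, addresses, sample records and the `audit_endpoints` function are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed networks (assumption): one CIDR per NIC on the controller.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")

# Assumed policy: which network each endpoint URL type should live on.
EXPECTED = {"publicurl": PUBLIC_NET, "internalurl": MGMT_NET, "adminurl": MGMT_NET}

# Constructed endpoint records, shaped like the three URLs passed to
# `keystone endpoint-create`. Literal IPs keep the check offline.
SAMPLE_ENDPOINTS = [
    {"service": "keystone",
     "publicurl": "http://203.0.113.10:5000/v2.0",
     "internalurl": "http://10.0.0.11:5000/v2.0",
     "adminurl": "http://10.0.0.11:35357/v2.0"},
    {"service": "glance",  # single-NIC style: everything on one address
     "publicurl": "http://10.0.0.11:9292",
     "internalurl": "http://10.0.0.11:9292",
     "adminurl": "http://10.0.0.11:9292"},
    {"service": "nova",  # admin URL exposed on the public side
     "publicurl": "http://203.0.113.10:8774/v2/%(tenant_id)s",
     "internalurl": "http://10.0.0.11:8774/v2/%(tenant_id)s",
     "adminurl": "http://203.0.113.10:8774/v2/%(tenant_id)s"},
]

def audit_endpoints(endpoints):
    """Return (service, url_type, host, reason) for each URL off its expected network."""
    findings = []
    for ep in endpoints:
        for url_type, net in EXPECTED.items():
            host = urlsplit(ep[url_type]).hostname
            try:
                addr = ipaddress.ip_address(host)
            except (ValueError, TypeError):
                # Hostnames cannot be judged offline; flag them for a manual check.
                findings.append((ep["service"], url_type, host,
                                 "not a literal IP, resolve and recheck"))
                continue
            if addr not in net:
                findings.append((ep["service"], url_type, str(addr), f"outside {net}"))
    return findings

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(*finding)
```

On the constructed data this flags glance's publicurl (user traffic would arrive on the management network) and nova's adminurl (admin API reachable from the public side).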

 

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
