George and Anne, Thank you. I'll dig into the security guide and look forward to the architecture guide next month.
//Daniel

On Thu, Jun 12, 2014 at 4:07 PM, Anne Gentle <a...@openstack.org> wrote:

> On Thu, Jun 12, 2014 at 8:51 AM, George Mihaiescu <george.mihaie...@q9.com> wrote:
>
>> Hi Daniel,
>>
>> It’s recommended to separate the external traffic reaching the Dashboard
>> from the management, so the Dashboard server(s) should have at least two
>> NICs (public and management).
>>
>> The installation guide covers only one of the multitudes of possible
>> deployment scenarios, and in this case it describes a single NIC deployment
>> model.
>>
>> The security recommendations for the Keystone endpoints are discussed in
>> the Security guide (
>> http://docs.openstack.org/security-guide/content/ch021_paste-and-middleware.html)
>> which is a must-read before deploying Openstack in production.
>
> Was just going to say something similar. The Install Guide is to get
> people going quickly.
>
> Read the Operations Guide for two real-world deployment architectures, and
> read the Security Guide for securing endpoints and the rest of the cloud.
>
> Next month we'll have an Architecture Guide to give even more input and
> guidance for production clouds.
>
> Anne
>
>> George
>>
>> ------------------------------
>>
>> *From:* Daniel Petersen [mailto:daniel.peter...@hpc2n.umu.se]
>> *Sent:* Thursday, June 12, 2014 3:20 AM
>> *To:* openstack@lists.openstack.org
>> *Subject:* [Openstack] Adapting the install guide network setup for
>> production
>>
>> edit: failed to add '[Openstack]' to the subject line previously.
>> Hopefully avoiding everyone's spam filter this time around!
>>
>> Hi,
>>
>> Using the network strategy from the 'Installation Guide for Ubuntu' here:
>>
>> http://docs.openstack.org/icehouse/install-guide/install/apt/content/basics-networking-neutron.html
>>
>> How might one adapt this for a production setup, particularly with
>> security in mind?
>>
>> A couple of thoughts that lead to this question:
>>
>> * With the controller node having only one NIC, all management
>> communication is passing through the same NIC as user API or dashboard
>> traffic. Wouldn't it be better to move user facing services, such as the
>> dashboard to another 'external' interface, thus keeping the management
>> network and interface isolated from external traffic?
>>
>> * Possibly related, how would the API service endpoint URLs be affected by
>> this change, or how should they be configured? (publicurl, internalurl,
>> adminurl)
>>
>> As an aside, where might I find a good explanation of the respective
>> roles of these URLs? The CLI Reference only states the obvious, e.g.:
>> "--publicurl - Public URL endpoint"
>>
>> Regards,
>>
>> Daniel
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : openstack@lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Daniel Petersen
Systems Engineer
HPC2N, Umeå University
Tel +46907866455
https://www.hpc2n.umu.se/