Hello,

This is quite a long story and I hope I could get feedback from someone in similar position because despite all the efforts I'm really lost in configuration and documentation.

I work for a hosting provider as an administrator and I've recently been checking out OpenStack as a replacement for our current not-so-very-flexible VM management solution. It's not very important what was wrong with it, but OpenStack seemed to be a good replacement, so I decided to give it a try.

It indeed turned out to be sort of what we were looking for, but after setting up a test multi-host deployment I realized that things get complicated with flat provider networks. The problems I have encountered so far are the inability to properly set up a provider network using VLANs (because then the DHCP server fails to assign an IP, for a reason I could not reliably determine, possibly due to incorrect configuration of the hardware, but I double-checked and it seemed to be valid) and broken MAC/IP/ARP spoofing protection.

I don't really care about VLANs because each instance is gonna have a fixed public IP address anyway, and I have a separate interface for external networking, so the problem that bothers me is security. I did some scouting around and I found out the following things:

* Nova adds filtering rules to the FORWARD table, but the packets don't pass through this table (because they go through the bridge). Instead, rules should be added through ebtables, but they, apparently, aren't.

* While libvirt provides a way to configure such filtering, OpenStack doesn't make use of it. I don't even quite get how it's supposed to work.

* Despite br-int (being the integration bridge) and br-provider (being the provider interface bridge) being down, the networking in the instances seems to work fine (they can even access the Internet).

So, about configuration.
The networking was configured according to the CentOS setup guide:
http://docs.openstack.org/kilo/install-guide/install/yum/content/ch_preface.html
with the exception that the configuration was then changed to something similar to what is provided there:
http://docs.openstack.org/networking-guide/scenario_provider_ovs.html

Only the basic configuration was set up, with two nodes: one being the controller node, the other being the compute node.

The controller node is running Postgres, RabbitMQ, MongoDB, Keystone and the corresponding controller components of Nova, Glance, Cinder, Ceilometer and Neutron.

The compute node is running the corresponding compute components of Nova, Neutron, Ceilometer and Cinder.

Sorry if I've missed something. I don't want to copy-paste everything here, so feel free to request specific parts if needed.

I hope there's someone out there in a similar, or at least remotely similar, situation. I would very much like to hear about their experience setting up this configuration.

Thanks in advance,
Mark

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
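The first finding in the post (Nova's rules sit in the iptables FORWARD chain, but frames switched by the Linux bridge never reach that chain, and no ebtables rules are present either) can be checked on a compute host directly. The script below is an added example, not code from the post or from OpenStack; it encodes the check as small functions so it can be run against constructed sample data offline and against the live host when run as root. Bridged frames traverse iptables FORWARD only while `net.bridge.bridge-nf-call-iptables` is 1, which requires the `br_netfilter` module (or the bridge module on older kernels) to be loaded. The interface name `tap12345678-90`, the MAC `fa:16:3e:aa:bb:cc` and the address `203.0.113.10` in the sample ebtables listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): classify whether an instance's
# tap interface on a compute host is actually covered by any spoofing filter.
# Assumes a Linux host with iptables/ebtables; live mode needs root.

# True when the sysctl value ($1) makes bridged frames traverse iptables FORWARD.
bridge_nf_enabled() {
  [ "$1" = "1" ]
}

# Print how many lines of an `ebtables -L` listing ($1) reference interface $2.
# grep -c exits 1 on zero matches, so `|| true` keeps the count usable under set -e.
ebtables_rules_for_iface() {
  printf '%s\n' "$1" | grep -cF -- "$2" || true
}

# Classify a host.  $1 = sysctl value, $2 = ebtables listing, $3 = tap interface.
# Prints one of:
#   iptables-forward  FORWARD rules are applied to bridged frames
#   ebtables          ebtables rules exist for this interface
#   unfiltered        neither path filters this instance's frames (the post's case)
classify_host() {
  if bridge_nf_enabled "$1"; then
    echo iptables-forward
  elif [ "$(ebtables_rules_for_iface "$2" "$3")" -gt 0 ]; then
    echo ebtables
  else
    echo unfiltered
  fi
}

# Read the live sysctl value; prints "absent" when br_netfilter is not loaded,
# which classify_host treats like 0 (frames bypass iptables).
live_bridge_nf_value() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Constructed sample listings in the format printed by `ebtables -L`.
EMPTY_EBTABLES='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# Two anti-spoofing rules: drop frames whose source MAC is not the instance's,
# and drop ARP whose sender IP is not the instance's fixed address.
SPOOF_GUARD_EBTABLES='Bridge table: filter

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-s ! fa:16:3e:aa:bb:cc -i tap12345678-90 -j DROP
-p ARP -i tap12345678-90 --arp-ip-src ! 203.0.113.10 -j DROP'

IFACE=tap12345678-90
echo "sample, bridge-nf=0, no ebtables rules: $(classify_host 0 "$EMPTY_EBTABLES" "$IFACE")"
echo "sample, bridge-nf=0, ebtables rules:    $(classify_host 0 "$SPOOF_GUARD_EBTABLES" "$IFACE")"
echo "sample, bridge-nf=1:                    $(classify_host 1 "$EMPTY_EBTABLES" "$IFACE")"

# Live mode: `sh audit.sh tapXXXXXXXX-XX` as root on the compute node.
if [ -n "${1:-}" ] && command -v ebtables >/dev/null 2>&1; then
  echo "live host, $1: $(classify_host "$(live_bridge_nf_value)" "$(ebtables -L 2>/dev/null)" "$1")"
fi
```

In live mode a result of `unfiltered` means the Nova FORWARD rules are present but inert for that instance, which is exactly the gap described above; a result of `iptables-forward` only says the chain is traversed, so the rules themselves still need to be checked with `iptables -L FORWARD -v` for the instance's chain.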