Hi Russell,

To add to Farhad's point, with current neutron and nova, we cannot create a 
multi-tenant VNF.
Currently, nova checks whether the neutron port belongs to the same tenant as 
the VM itself.
You attach a network interface (neutron port) to a VM using nova 
interface-attach; if the port and the VM are in different tenants, an error is 
given.

As to the sub-ports feature of Neutron, although it allows the sub-ports to 
associate with different networks, it seems these networks need to all belong 
to the same tenant according to the vlan-aware-vms spec 
http://specs.openstack.org/openstack/neutron-specs/specs/newton/vlan-aware-vms.html.

It is not clear whether it can work properly if these networks belong to 
different tenants.
Do you know this? We may need to send an email to the Neutron team for 
clarification on this.

Thanks,
Cathy

-----Original Message-----
From: dev [mailto:dev-boun...@openvswitch.org] On Behalf Of Farhad Sunavala
Sent: Tuesday, July 12, 2016 7:59 PM
To: dev@openvswitch.org
Subject: Re: [ovs-dev] SFC-Summary: MultiTenant

>I was thinking this could be handled with child / sub-ports.  We do 
>this today for containers in VMs.  We can have a single VIF for a VM 
>that is connected to multiple networks that are owned by separate 
>tenants.  Some sort of encapsulation (VLAN ID, MPLS header, whatever) 
>would be used to differentiate the traffic for each networking in/out 
>of that VIF.  I had started adding the ability to use MPLS for this in 
>my prototype for this reason, as that was what networking-sfc had defined.
I have a quick question on the above (multi-tenancy). Yes, I know the 
containers can be in different networks of the same tenant. How does it work 
when the containers are in different tenants?
Below is the latest spec for vlan-aware-vms 
https://specs.openstack.org/openstack/neutron-specs/specs/liberty/vlan-aware-vms.html

The trick is to create neutron ports (for the subports) and then link them to 
the trunk port using

    neutron trunk-subport-add TRUNK \
        PORT[,SEGMENTATION-TYPE,SEGMENTATION-ID] \
        [PORT,...]

In the above command all the neutron ports (trunk ports and subports) must be 
in the same tenant. As far as I know, a tenant will not see neutron ports from 
another tenant. Or will this command allow neutron ports from different 
tenants to be attached?

E.g. VM "X" consists of containers C1 in Tenant 1 with portID = C10000 (network dn1)
container C2 in Tenant 2 with portID = C20000 (network dn2)
The trunk port of VM "X" is in tenant 100 with portID = T10000 (network dt)

The above command will be

    neutron trunk-subport-add T10000 \
        A vlan 10000 \
        B vlan 20000

Is my understanding correct?

thanks,
Farhad.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev