On 12 December 2013 19:48, Clint Byrum <cl...@fewbar.com> wrote: > Excerpts from Jay Pipes's message of 2013-12-12 10:15:13 -0800: > > On 12/10/2013 03:49 PM, Ian Wells wrote: > > > On 10 December 2013 20:55, Clint Byrum <cl...@fewbar.com > > > <mailto:cl...@fewbar.com>> wrote: > > I've read through this email thread with quite a bit of curiosity, and I > > have to say what Ian says above makes a lot of sense to me. If Neutron > > can handle the creation of a "management vNIC" that has some associated > > iptables rules governing it that provides a level of security for guest > > <-> host and guest <-> $OpenStackService, then the transport problem > > domain is essentially solved, and Neutron can be happily ignorant (as it > > should be) of any guest agent communication with anything else. > > > > Indeed I think it could work, however I think the NIC is unnecessary. > > Seems likely even with a second NIC that said address will be something > like 169.254.169.254 (or the ipv6 equivalent?). >
There *is* no ipv6 equivalent, which is one standing problem. Another is that (and admittedly you can quibble about this problem's significance) you need a router on a network to be able to get to 169.254.169.254 - I raise that because the obvious use case for multiple networks is to have a net which is *not* attached to the outside world so that you can layer e.g. a private DB service behind your app servers. Neither of these are criticisms of your suggestion as much as they are standing issues with the current architecture. -- Ian.
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev