Hi Everyone,

We have been discussing multi-tenant VNF for service chain on the OVN 
mailing alias. 
We are thinking about leveraging the vlan-aware-VM for supporting this. 

AFAIK, with current nova, we cannot create a multi-tenant VNF.
Currently, nova checks whether the neutron port belongs to the same tenant as 
the VM itself.
You attach a network interface (neutron port) to a VM using nova 
interface-attach; if the port and the VM are in different tenants, an error is 
given.

With the introduction of the trunk-port/sub-port feature of Neutron, the 
sub-ports of a VM are allowed to associate with different networks. But it 
seems these networks need to all belong to the same tenant if we read the 
vlan-aware-vm spec correctly 
(http://specs.openstack.org/openstack/neutron-specs/specs/newton/vlan-aware-vms.html).
 

Is our understanding correct? Does it work properly if these networks belong to 
different tenants? 

Thanks,
Cathy

-----Original Message-----
From: dev [mailto:dev-boun...@openvswitch.org] On Behalf Of Farhad Sunavala
Sent: Tuesday, July 12, 2016 7:59 PM
To: d...@openvswitch.org
Subject: Re: [ovs-dev] SFC-Summary: MultiTenant

>I was thinking this could be handled with child / sub-ports.  We do 
>this today for containers in VMs.  We can have a single VIF for a VM 
>that is connected to multiple networks that are owned by separate 
>tenants.  Some sort of encapsulation (VLAN ID, MPLS header, whatever) 
>would be used to differentiate the traffic for each networking in/out 
>of that VIF.  I had started adding the ability to use MPLS for this in 
>my prototype for this reason, as that was what networking-sfc had defined.

I have a quick question on the above (multi-tenancy). Yes, I know the 
containers can be in different networks of the same tenant. How does it work 
when the containers are in different tenants?

Below is the latest spec for vlan-aware-vms 
https://specs.openstack.org/openstack/neutron-specs/specs/liberty/vlan-aware-vms.html

The trick is to create neutron ports (for the subports) and then link them to 
the trunk port using

    neutron trunk-subport-add TRUNK \
        PORT[,SEGMENTATION-TYPE,SEGMENTATION-ID] \
        [PORT,...]

In the above command all the neutron ports (trunk ports and subports) must be 
in the same tenant. As far as I know, a tenant will not see neutron ports from 
another tenant. Or will this command allow neutron ports from different 
tenants to be attached?

E.g. VM "X" consists of
containers C1 in Tenant 1 with portID = C10000 (network dn1)
container C2 in Tenant 2 with portID = C20000 (network dn2)
The trunk port of VM "X" is in tenant 100 with portID = T10000 (network dt)

The above command will be

    neutron trunk-subport-add T10000 \
        A vlan 10000 \
        B vlan 20000

Is my understanding correct?

thanks,
Farhad.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev