On Wed, Aug 15, 2012 at 4:16 AM, Lorin Hochstein <lo...@nimbisservices.com> wrote:

> On Jul 5, 2012, at 11:47 AM, Christian Parpart <tra...@gmail.com> wrote:
>
> > Hi all,
> >
> > I am running multiple compute nodes and a single nova-network node, that
> > is to act as a central gateway for the tenant's VMs.
> >
> > However, since this nova-network node (of course) knows all routes, every
> > VM of any tenant can talk to each other, including to the physical nodes,
> > which I highly disagree with and would like to restrict that. :-)
>
> If you add this to nova.conf:
>
> allow_same_net_traffic=false
>
> It should prevent the VMs from communicating with each other. From
>
> http://docs.openstack.org/essex/openstack-compute/admin/content/compute-options-reference.html#d6e3133

Hey Lorin,

according to this rather short documentation for that flag, it is unfortunately very unclear what they meant with "from same network" - I hope to misread that line :-)

That is, it sounds like it does prevent communication with ANY of the other VMs, but I just want to disallow communication from one tenant to another. Like, having a production tenant and a staging tenant, they should not be able to talk to each other but a VM from the production tenant should be able to talk to another VM within the same tenant.

It might be helpful, if one may want to find some more clear words to this flag within the flag reference :-)

I would also like to know on what physical hosts I need this flag to be applied, too. I mean, is it just the nova-network node(s) or all compute nodes, that this flag takes effect?

Many thanks in advance,
Christian Parpart.