Hi James,
Thanks for the explanation.
Another question. As user admin, I do not see these attributes shown in the
help text of “neutron net-create”. Why?
* provider:network_type
* provider:physical_network
* provider:segmentation_id
* router:external
ubuntu@trusty1:~/devstack$ source openrc admin admin
ubuntu@trusty1:~/devstack$ neutron help net-create
usage: neutron net-create [-h] [-f {shell,table,value}] [-c COLUMN]
                          [--max-width <integer>] [--prefix PREFIX]
                          [--request-format {json,xml}]
                          [--tenant-id TENANT_ID] [--admin-state-down]
                          [--shared]
                          NAME

Create a network for a given tenant.

positional arguments:
  NAME                  Name of network to create.

optional arguments:
  -h, --help            show this help message and exit
  --request-format {json,xml}
                        The XML or JSON request format.
  --tenant-id TENANT_ID
                        The owner tenant ID.
  --admin-state-down    Set admin state up to false.
  --shared              Set the network as shared.

output formatters:
  output formatter options

  -f {shell,table,value}, --format {shell,table,value}
                        the output format, defaults to table
  -c COLUMN, --column COLUMN
                        specify the column(s) to include, can be repeated

table formatter:
  --max-width <integer>
                        Maximum display width, 0 to disable

shell formatter:
  a format a UNIX shell can parse (variable="value")

  --prefix PREFIX       add a prefix to all variable names
Thanks,
Danny
From: James Denton <[email protected]>
Date: Thursday, October 2, 2014 at 11:06 PM
To: Danny Choi <[email protected]>, "[email protected]"
Cc: "bxb-openstack-dev(mailer list)" <[email protected]>
Subject: RE: [Openstack] What is the difference between provider network and tenant network?
Hi Danny,
When 'admin' creates a network they are able to specify the following
attributes:
- provider:network_type (i.e. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (i.e. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (i.e. provider label of the physical interface -
physnet1, ph-eth1, etc)
The following attribute allows the network to be used as an external
network of a router:
- router:external (i.e. true/false)
The following attribute allows the network to be shared amongst tenants:
- shared (i.e. true/false)
A tenant does not have the ability to specify any of those attributes. If they
try, they will be rejected. Tenants should have no visibility into the 'type'
of networks they create, and are in fact limited to particular network types
and IDs that are specified in the plugin configuration file or ml2_conf.ini. I
believe the configuration options are 'tenant_network_type' and
'network_vlan_ranges'. That is why you do not see the provider attributes as
the tenant, even though they technically exist for ALL networks, regardless of
who created them.
Admin users are not restricted by the options in the config file, and can
create a network using any network type or segmentation ID that they choose.
In Horizon, you will likely only see networks owned by the tenant when you go
to the 'Project' tab. In the 'Admin' tab, you would see all networks.
Hope that helps,
James
________________________________
From: Danny Choi (dannchoi) [[email protected]]
Sent: Thursday, October 02, 2014 8:14 PM
To: [email protected]
Cc: bxb-openstack-dev(mailer list)
Subject: [Openstack] What is the difference between provider network and tenant network?
Hi,
I used devstack to deploy Juno OpenStack.
By default, devstack created 2 users: admin (with role “admin”) and demo.
ubuntu@trusty1:~/devstack$ source openrc admin admin
ubuntu@trusty1:~/devstack$ keystone user-list
+----------------------------------+---------+---------+------------------+
| id                               | name    | enabled | email            |
+----------------------------------+---------+---------+------------------+
| 3f09f4a2e2e5476681f7726d1bd7a238 | admin   | True    |                  | <<<<<
| f9b63fc02a2c41c4a99508215d34698e | cinder  | True    |                  |
| b31235476f904c968a48a6ed13a4423d | demo    | True    | [email protected] | <<<<<
| 1379192fe5f7427db0b9550f31ae3c8d | glance  | True    |                  |
| 349ef723ec7e40c6bd4b8d8284696a04 | heat    | True    |                  |
| db2c4d82c9154d4eb58b3308041e8280 | neutron | True    |                  |
| 87becace86e2459493a5e692b47374a8 | nova    | True    |                  |
+----------------------------------+---------+---------+------------------+
ubuntu@trusty1:~/devstack$ keystone user-role-list --user admin --tenant admin
+----------------------------------+------------------+----------------------------------+----------------------------------+
| id                               | name             | user_id                          | tenant_id                        |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
| 2c9362c08a224154bdcaeee35d740ddc | admin            | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 | <<<<<
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
+----------------------------------+------------------+----------------------------------+----------------------------------+
ubuntu@trusty1:~/devstack$ keystone user-role-list --user demo --tenant demo
+----------------------------------+------------------+----------------------------------+----------------------------------+
| id                               | name             | user_id                          | tenant_id                        |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 12ff05c09c5d4d1a8cf15d35f84f7a75 | Member           | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 21fcd6d7847f44e6a3b9ad777a27f811 | anotherrole      | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
+----------------------------------+------------------+----------------------------------+----------------------------------+
There are 2 networks created, public (tenant = admin) and private (tenant =
demo).
ubuntu@trusty1:~/devstack$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| db81f81239f54d5d89293dacc7a284d2 | admin | True | <<<<<
| 181003e05ad44b688925372d97b985c0 | demo | True | <<<<<
| f170d762ab2c471d9a9f522116f8a178 | invisible_to_admin | True |
| d500c4a4ec3d459abfe665bfb886a881 | service | True |
+----------------------------------+--------------------+---------+
ubuntu@trusty1:~/devstack$ neutron net-list
+--------------------------------------+---------+----------------------------------------------------+
| id                                   | name    | subnets                                            |
+--------------------------------------+---------+----------------------------------------------------+
| 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 172.24.4.0/24 |
| b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24   |
+--------------------------------------+---------+----------------------------------------------------+
ubuntu@trusty1:~/devstack$ neutron net-show public
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
| name | public |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 391 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
| tenant_id | db81f81239f54d5d89293dacc7a284d2 | <<<<<
+---------------------------+--------------------------------------+
ubuntu@trusty1:~/devstack$ neutron net-show private
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | b18a4a3f-7167-4c61-87f5-b21f87118160 |
| name | private |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 390 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 3f5b84c5-937e-44ae-b645-64758386a501 |
| tenant_id | 181003e05ad44b688925372d97b985c0 | <<<<<
+---------------------------+--------------------------------------+
Notice both networks contain the provider info:
* provider:network_type
* provider:physical_network
* provider:segmentation_id
However, if I change the credentials to demo, this provider info disappears.
ubuntu@trusty1:~/devstack$ source openrc demo demo
ubuntu@trusty1:~/devstack$ neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id                                   | name    | subnets                                          |
+--------------------------------------+---------+--------------------------------------------------+
| 5e05170c-ae6c-4b60-8f59-8a6988705ff2 | public  | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6             |
| b18a4a3f-7167-4c61-87f5-b21f87118160 | private | 3f5b84c5-937e-44ae-b645-64758386a501 10.0.0.0/24 |
+--------------------------------------+---------+--------------------------------------------------+
ubuntu@trusty1:~/devstack$ neutron net-show public
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | 5e05170c-ae6c-4b60-8f59-8a6988705ff2 |
| name | public |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | 3eb289a4-9686-4a94-a928-8d5ae23b1dd6 |
| tenant_id | db81f81239f54d5d89293dacc7a284d2 |
+-----------------+--------------------------------------+
ubuntu@trusty1:~/devstack$ neutron net-show private
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | b18a4a3f-7167-4c61-87f5-b21f87118160 |
| name | private |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 3f5b84c5-937e-44ae-b645-64758386a501 |
| tenant_id | 181003e05ad44b688925372d97b985c0 |
+-----------------+--------------------------------------+
Why does the provider info not exist?
Also, as user demo, I cannot create a network with the provider info specified,
which is possible if it is user admin. Why?
ubuntu@trusty1:~/devstack$ source openrc demo demo
ubuntu@trusty1:~/devstack$ neutron net-create demo_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
Forbidden (HTTP 403) (Request-ID: req-fd2453a8-f82b-410c-9085-e487a4a29694) <<<<<
ubuntu@trusty1:~/devstack$ source openrc admin admin
ubuntu@trusty1:~/devstack$ neutron net-create admin_network --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 399
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | df176962-8c61-4621-ac3a-e978a56b1933 |
| name | admin_network |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 399 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | db81f81239f54d5d89293dacc7a284d2 |
+---------------------------+--------------------------------------+
ubuntu@trusty1:~/devstack$ neutron net-show admin_network
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | df176962-8c61-4621-ac3a-e978a56b1933 |
| name | admin_network |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 399 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | db81f81239f54d5d89293dacc7a284d2 |
+---------------------------+--------------------------------------+
Is it true that to create a provider network, the user has to have the “admin”
role?
###########
Also, in Horizon dashboard, I logged in as user admin.
From the Projects pulldown, select admin.
At the left pane, Project->Network->Networks, only the “public” network is
shown.
Admin->System->Networks, both “public” and “private” networks are shown.
From the Projects pulldown, select demo.
At the left pane, Project->Network->Networks, only the “private” network is
shown.
Admin->System->Networks, both “public” and “private” networks are shown.
Is this an expected behavior?
Thanks,
Danny
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
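
The behaviour discussed in this thread (a 403 when the demo user sets provider attributes, and provider fields missing from that user's net-show output) can be modelled as per-attribute policy checks on both write and read. The following is an added example, not code from the thread or from Neutron: the rule keys follow Neutron's "action:attribute" naming, while the rule values, the evaluator and the function names are assumptions made for illustration.

```python
# Added example: a simplified model of attribute-level policy checks.
# POLICY keys follow Neutron's "action:attribute" naming; the values and
# the evaluator are assumptions for illustration, not Neutron's engine.
PROVIDER = ("provider:network_type", "provider:physical_network",
            "provider:segmentation_id")
POLICY = {f"{act}:{attr}": "admin_only"
          for act in ("create_network", "get_network") for attr in PROVIDER}
POLICY["create_network:router:external"] = "admin_only"
POLICY["create_network:shared"] = "admin_only"


class Forbidden(Exception):
    """Stands in for the HTTP 403 returned to the demo user."""


def allowed(action, attr, roles):
    # Attributes without an explicit rule are open to any caller.
    rule = POLICY.get(f"{action}:{attr}")
    return rule is None or "admin" in roles


def create_network(roles, tenant_id, name, attrs=None):
    attrs = dict(attrs or {})
    # Any single forbidden attribute rejects the whole request.
    denied = sorted(a for a in attrs if not allowed("create_network", a, roles))
    if denied:
        raise Forbidden("HTTP 403: cannot set " + ", ".join(denied))
    net = {"name": name, "tenant_id": tenant_id,
           "router:external": False, "shared": False}
    net.update(attrs)
    return net


def show_network(roles, net):
    # Fields the caller may not read are dropped, not masked.
    return {k: v for k, v in net.items() if allowed("get_network", k, roles)}


# Constructed sample mirroring the thread's admin_network request.
REQUEST = {"provider:network_type": "vlan",
           "provider:physical_network": "physnet1",
           "provider:segmentation_id": 399}
DEMO_ROLES = {"Member", "_member_", "anotherrole", "heat_stack_owner"}
ADMIN_ROLES = {"_member_", "admin", "heat_stack_owner"}

if __name__ == "__main__":
    net = create_network(ADMIN_ROLES, "admin-tenant", "admin_network", REQUEST)
    print(sorted(show_network(DEMO_ROLES, net)))
    try:
        create_network(DEMO_ROLES, "demo-tenant", "demo_network", REQUEST)
    except Forbidden as exc:
        print(exc)
```

When auditing a deployment, the same two questions apply to the real policy file: which attributes a non-admin role can set on create, and which it can read back.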