Re: [Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
Hi Gary,

On 20/03/2013 17:26, Gary Kotton wrote:
> Yes, this works. The problem is ensuring the network isolation. That is, someone can make changes in the routing table on the host which will enable one to gain access to the quantum networks. That is why we suggest that they run on different hosts. We have a review that is open to enable one to enforce this when the agents start (this is disabled by default to ensure backward compatibility and to enable one to run an all in one setup - for proof of concepts and testing)

Damn, makes sense. Once you explain this, the reasons are clear.

>> So, am I wrong ? What is the terrible thing which could happen in the next few days if still keeping my environment as it is ?
>
> No, it is not terrible at all.

Great, my mind feels lighter ;-)

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
>> Yes, this works. The problem is ensuring the network isolation. That is, someone can make changes in the routing table on the host which will enable one to gain access to the quantum networks. That is why we suggest that they run on different hosts. We have a review that is
>
> Damn, makes sense. Once you explain this, the reasons are clear.

Depending on the setup you might be able to create policy based routing rules on the quantum l3-node to prevent this. (e.g. traffic originating from the subnets within quantum is always routed to router x on the outside world)

Another small issue I can think of is that you might get asymmetrical routing. (traffic returning from the DHCP ip instead of the L3 ip) Not sure if you can fix that with Policy Based Routing, never tried.

Cheers,
Robert van Leeuwen
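
The policy-based routing idea from Robert's message, as an added example that is not part of the thread: a shell function that prints the iproute2 commands sending everything sourced from the tenant subnets to one upstream router, and failing closed if that route goes away. It assumes the tenant subnets are routed in the host's root namespace (`use_namespaces = False`); the gateway 192.0.2.1, device eth1, table 100 and the subnets in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example: print iproute2 commands that pin traffic sourced from
# Quantum tenant subnets to one upstream router ("router x").
# Usage: pbr_plan GATEWAY DEV TABLE SUBNET...
#   e.g. pbr_plan 192.0.2.1 eth1 100 10.0.0.0/24 10.0.1.0/24   (constructed values)
# GATEWAY, DEV and TABLE are operator-supplied and not validated here.
pbr_plan() {
    [ "$#" -ge 4 ] || { echo "usage: pbr_plan GATEWAY DEV TABLE SUBNET..." >&2; return 1; }
    gw=$1; dev=$2; table=$3
    shift 3
    # Validate every subnet before printing anything, so a bad argument
    # never yields a half-written plan.
    for net in "$@"; do
        case $net in
            ''|*[!0-9./]*) echo "bad subnet: $net" >&2; return 1 ;;
        esac
        # Shape check only (dotted quad plus /0../32), not octet ranges.
        echo "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
            || { echo "bad subnet: $net" >&2; return 1; }
    done
    # Dedicated table whose only way out is router x.
    echo "ip route replace default via $gw dev $dev table $table"
    # Fail closed: if the route above is withdrawn, the lookup must not
    # fall through to the main table, where the host's own routes apply.
    echo "ip route replace unreachable default metric 1000 table $table"
    prio=1000
    for net in "$@"; do
        # Priority below 32766 so the rule is evaluated before the main table.
        echo "ip rule add from $net lookup $table priority $prio"
        prio=$((prio + 1))
    done
}
```

Rule priority 0 (the `local` table) is still consulted first, so packets addressed to the host's own IP addresses are delivered locally regardless; restricting those needs firewall rules as well.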
[Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
Hi,

As per https://bugs.launchpad.net/quantum/+bug/1155050 and also other literature, I do see doc alerts saying that Quantum L3 and DHCP agents must be on different hosts.

Let me be honest, I successfully installed and configured both on the same physical machine, using GRE tunnels and use_namespaces = False, and everything is running smoothly : my VMs are getting leases and do have floating IPs without trouble.

So, am I wrong ? What is the terrible thing which could happen in the next few days if still keeping my environment as it is ?

Thanks for clarifying me,
-Sylvain
Re: [Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
Hello Sylvain,

Same here, I have grizzly on a single node and it works fine. Using linuxbridge plugin with vlan. So far, so good. If things break I'll let you know.

I read you were able to have floating ip's too. May I ask if you could send me the steps you followed to create and assign floating ip.

Thanks,
Sandeep.

On Wed, Mar 20, 2013 at 9:46 PM, Sylvain Bauza sylvain.ba...@digimind.com wrote:
> Hi,
>
> As per https://bugs.launchpad.net/quantum/+bug/1155050 and also other literature, I do see doc alerts saying that Quantum L3 and DHCP agents must be on different hosts.
>
> Let me be honest, I successfully installed and configured both on the same physical machine, using GRE tunnels and use_namespaces = False, and everything is running smoothly : my VMs are getting leases and do have floating IPs without trouble.
>
> So, am I wrong ? What is the terrible thing which could happen in the next few days if still keeping my environment as it is ?
>
> Thanks for clarifying me,
> -Sylvain
Re: [Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
On 03/20/2013 06:16 PM, Sylvain Bauza wrote:
> Hi,
>
> As per https://bugs.launchpad.net/quantum/+bug/1155050 and also other literature, I do see doc alerts saying that Quantum L3 and DHCP agents must be on different hosts.
>
> Let me be honest, I successfully installed and configured both on the same physical machine, using GRE tunnels and use_namespaces = False, and everything is running smoothly : my VMs are getting leases and do have floating IPs without trouble.

Yes, this works. The problem is ensuring the network isolation. That is, someone can make changes in the routing table on the host which will enable one to gain access to the quantum networks. That is why we suggest that they run on different hosts. We have a review that is open to enable one to enforce this when the agents start (this is disabled by default to ensure backward compatibility and to enable one to run an all in one setup - for proof of concepts and testing)

> So, am I wrong ? What is the terrible thing which could happen in the next few days if still keeping my environment as it is ?

No, it is not terrible at all.

> Thanks for clarifying me,
> -Sylvain