Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-23 Thread John Belamaric
On 3/22/15, 8:05 PM, Ian Wells ijw.ubu...@cack.org.uk wrote: Seems to me that an address pool corresponds to a network area that you can route across (because routing only works over a network with unique addresses and that's what an address pool does for you).

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-23 Thread Jay Pipes
On Sun, Mar 22, 2015 at 05:05:17PM -0700, Ian Wells wrote: On 22 March 2015 at 07:48, Jay Pipes jaypi...@gmail.com wrote: On 03/20/2015 05:16 PM, Kevin Benton wrote: To clarify a bit, we obviously divide lots of things by tenant (quotas, network listing, etc). The difference is that we

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-23 Thread Salvatore Orlando
I think that moving the discussion in whether a pool represents a tenant's routable address space, or whether we need a new (another?!) API entity to deal with it probably does not really fall within the scope of this thread. I am pretty sure Carl will soon push a specification for address scope

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-23 Thread Carl Baldwin
On Mon, Mar 23, 2015 at 9:52 AM, Salvatore Orlando sorla...@nicira.com wrote: I think the goal of subnet pools is to use these environments as units of isolation and ensure no overlapping CIDRs there. However, since there is no way to identify such environments at the API layers, API clients

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-22 Thread Jay Pipes
On 03/20/2015 05:16 PM, Kevin Benton wrote: To clarify a bit, we obviously divide lots of things by tenant (quotas, network listing, etc). The difference is that we have nothing right now that has to be unique within a tenant. Are there objects that are uniquely scoped to a tenant in

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-22 Thread Ian Wells
On 22 March 2015 at 07:48, Jay Pipes jaypi...@gmail.com wrote: On 03/20/2015 05:16 PM, Kevin Benton wrote: To clarify a bit, we obviously divide lots of things by tenant (quotas, network listing, etc). The difference is that we have nothing right now that has to be unique within a tenant.

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-20 Thread Jay Pipes
On 03/11/2015 06:48 PM, John Belamaric wrote: This has been settled and we're not moving forward with it for Kilo. I agree tenants are an administrative concept, not a networking one so using them for uniqueness doesn't really make sense. In Liberty we are proposing a new grouping mechanism, as

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-20 Thread Carl Baldwin
On Fri, Mar 20, 2015 at 12:31 PM, Jay Pipes jaypi...@gmail.com wrote: This is a question purely out of curiosity. Why is Neutron averse to the concept of using tenants as natural ways of dividing up the cloud -- which at its core means multi-tenant, on-demand computing and networking? From

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-20 Thread Jay Pipes
On 03/20/2015 03:37 PM, Carl Baldwin wrote: On Fri, Mar 20, 2015 at 12:31 PM, Jay Pipes jaypi...@gmail.com wrote: This is a question purely out of curiosity. Why is Neutron averse to the concept of using tenants as natural ways of dividing up the cloud -- which at its core means multi-tenant,

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-20 Thread Jeremy Stanley
On 2015-03-20 13:37:49 -0600 (-0600), Carl Baldwin wrote: From what I've heard others say both in this thread and privately to me, there are already a lot of cases where a tenant will use the same address range to stamp out identical topologies. It occurred to me that we might even being

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-20 Thread Kevin Benton
To clarify a bit, we obviously divide lots of things by tenant (quotas, network listing, etc). The difference is that we have nothing right now that has to be unique within a tenant. Are there objects that are uniquely scoped to a tenant in Nova/Glance/etc? On Fri, Mar 20, 2015 at 12:50 PM, Jay

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-12 Thread Carl Baldwin
On Tue, Mar 10, 2015 at 12:06 PM, Ryan Moats rmo...@us.ibm.com wrote: While I'd personally like to see this be restricted (Carl's position), I know of at least one existence proof where management applications are doing precisely what Gabriel is suggesting - reusing the same address range to

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread John Belamaric
Here is a compromise option. The pluggable IPAM will be optionally enabled in Kilo. We could introduce the restriction, but only when pluggable IPAM is enabled. Support for having a tenant with overlapping IP space, along with pluggable IPAM would wait until Liberty, when we can fully implement

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread John Belamaric
On 3/12/15, 12:46 AM, Carl Baldwin c...@ecbaldwin.net wrote: When talking with external IPAM to get a subnet, Neutron will pass both the cidr as the primary identifier and the subnet_id as an alternate identifier. External systems that do not allow overlap can Recall that IPAM driver

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread John Belamaric
On 3/12/15, 2:33 AM, Carl Baldwin c...@ecbaldwin.net wrote: John, I think our proposals fit together nicely. This thread is about allowing overlap within a pool. I think it is fine for an external IPAM driver to disallow such overlap for now. However, the reference implementation must

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread Carl Baldwin
On Wed, Mar 11, 2015 at 2:54 PM, John Belamaric jbelama...@infoblox.com wrote: I was proposing that the reference driver not support it either, and we only handle that use case via the non-pluggable implementation in Kilo, waiting until Liberty to handle it in the pluggable implementation.

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread Carl Baldwin
John, I think our proposals fit together nicely. This thread is about allowing overlap within a pool. I think it is fine for an external IPAM driver to disallow such overlap for now. However, the reference implementation must support it for backward compatibility and so my proposal will

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread Kevin Benton
My concern is that we are introducing new objects in Neutron that are scoped to a tenant and we don't have anything else like that right now. For example, I can create 100 3-tier topologies (router + 3 subnets/networks) with duplicated names, CIDRs, etc between all of them and it doesn't matter if

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread John Belamaric
@lists.openstack.org Subject: Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant My concern is that we are introducing new objects in Neutron that are scoped to a tenant and we don't have anything else like that right now. For example, I can create 100 3-tier

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-11 Thread Ihar Hrachyshka
On 03/10/2015 06:34 PM, Gabriel Bezerra wrote: On 10.03.2015 14:24, Carl Baldwin wrote: Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a single tenant. For example, if a tenant

[openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Carl Baldwin
Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a single tenant. For example, if a tenant chooses to use 10.0.0.0/24 on more than one subnet, he or she is free to do so. Problems will arise when trying to connect a router between

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Fawad Khaliq
On Tue, Mar 10, 2015 at 10:38 PM, Gabriel Bezerra gabri...@lsd.ufcg.edu.br wrote: On 10.03.2015 14:34, Gabriel Bezerra wrote: On 10.03.2015 14:24, Carl Baldwin wrote: Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Ryan Moats
Gabriel Bezerra gabri...@lsd.ufcg.edu.br wrote on 03/10/2015 12:34:30 PM: On 10.03.2015 14:24, Carl Baldwin wrote: Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a single tenant. For example, if a tenant chooses to use

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Gabriel Bezerra
On 10.03.2015 14:34, Gabriel Bezerra wrote: On 10.03.2015 14:24, Carl Baldwin wrote: Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a single tenant. For example, if a tenant chooses to use 10.0.0.0/24 on more than one

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Gabriel Bezerra
On 10.03.2015 14:24, Carl Baldwin wrote: Neutron currently does not enforce the uniqueness, or non-overlap, of subnet cidrs within the address scope for a single tenant. For example, if a tenant chooses to use 10.0.0.0/24 on more than one subnet, he or she is free to do so. Problems will

Re: [openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

2015-03-10 Thread Carl Baldwin
On Tue, Mar 10, 2015 at 11:34 AM, Gabriel Bezerra gabri...@lsd.ufcg.edu.br wrote: On 10.03.2015 14:24, Carl Baldwin wrote: I'd vote for allowing against such restriction, but throwing an error in case of creating a router between the subnets. I can imagine a tenant running multiple