openstack team mailing list archive

Thread
Date

Re: inter-tenant and VM-to-bare-metal communication policies/restrictions.

To: Christian Parpart <trapni@xxxxxxxxx>
From: Lorin Hochstein <lorin@xxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Aug 2012 22:16:45 -0400
Cc: "<openstack@xxxxxxxxxxxxxxxxxxx>" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CA+qvzFNkyqy7VBaV7aFs9b=1Y38xMLjkkUAUd9uWuJ7Wn=qkKw@mail.gmail.com>

On Jul 5, 2012, at 11:47 AM, Christian Parpart <trapni@xxxxxxxxx> wrote:

> Hi all,
> 
> I am running multiple compute nodes and a single nova-network node, that is to act
> as a central gateway for the tenant's VMs.
> 
> However, since this nova-network node (of course) knows all routes, every VM of
> any tenant can talk to each other, including to the physical nodes, which
> I highly disagree with and would like to restrict that. :-)
> 

If you add this to nova.conf:

allow_same_net_traffic=false

It should prevent the VMs from communicating with each other. From 

http://docs.openstack.org/essex/openstack-compute/admin/content/compute-options-reference.html#d6e3133


Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com

Follow ups

Re: inter-tenant and VM-to-bare-metal communication policies/restrictions.
From: Christian Parpart, 2012-08-23

References

inter-tenant and VM-to-bare-metal communication policies/restrictions.
From: Christian Parpart, 2012-07-05