openstack team mailing list archive

Re: inter-tenant and VM-to-bare-metal communication policies/restrictions.

On Wed, Aug 15, 2012 at 4:16 AM, Lorin Hochstein <lorin@xxxxxxxxxxxxxxxxxx> wrote:

> On Jul 5, 2012, at 11:47 AM, Christian Parpart <trapni@xxxxxxxxx> wrote:
>
> Hi all,
>
> I am running multiple compute nodes and a single nova-network node, that
> is to act as a central gateway for the tenant's VMs.
>
> However, since this nova-network node (of course) knows all routes, every
> VM of any tenant can talk to each other, including to the physical nodes,
> which I highly disagree with and would like to restrict. :-)
>
>
> If you add this to nova.conf:
>
> allow_same_net_traffic=false
>
> It should prevent the VMs from communicating with each other. From
>
> http://docs.openstack.org/essex/openstack-compute/admin/content/compute-options-reference.html#d6e3133
>

Hey Lorin,

According to this rather short documentation for that flag, it is
unfortunately very unclear what they meant by "from same network" - I
hope I am misreading that line :-)

That is, it sounds like it does prevent communication with ANY of the other
VMs, but I just want to disallow communication from one tenant to another.
Like, having a production tenant and a staging tenant, they should not be
able to talk to each other, but a VM from the production tenant should be
able to talk to another VM within the same tenant.

It might be helpful if one could find some clearer words for this
flag within the flag reference :-)

I would also like to know on what physical hosts I need this flag to be
applied, too. I mean, is it just the nova-network node(s) or all compute
nodes that this flag takes effect on?

Many thanks in advance,
Christian Parpart.
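As an added example (not code from this thread or from nova itself), the script below reads a nova.conf and reports whether allow_same_net_traffic is missing, set to true, or set to an unrecognised value. It assumes the INI layout shown in Lorin's reply (a key under [DEFAULT]) and, as a further assumption about older Essex-era files, also accepts the `--key=value` flag style. It only inspects the file it is handed; the thread leaves open which hosts the flag must be set on and whether it gives per-tenant isolation, so the script makes no claim about either. The sample configuration is constructed.

```python
"""Audit a nova.conf for the allow_same_net_traffic flag (added example)."""
from typing import Dict, List

# Constructed sample nova.conf; not a file from the thread.
SAMPLE_NOVA_CONF = """\
# nova.conf (constructed sample)
[DEFAULT]
network_manager = nova.network.manager.VlanManager
allow_same_net_traffic=false

[database]
connection = sqlite:///nova.sqlite
"""

# Spellings that nova's boolean options accept (compared lower-cased).
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def parse_nova_conf(text: str) -> Dict[str, str]:
    """Return the keys of the [DEFAULT] section as a dict.

    Handles the INI style shown in the thread ("key=value" under
    [DEFAULT]) and, as an assumption about older files, the
    "--key=value" flag style. Keys in other sections are ignored
    because allow_same_net_traffic lives in [DEFAULT].
    """
    values: Dict[str, str] = {}
    section = "DEFAULT"  # keys before any header count as DEFAULT
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if line.startswith("--"):
            line = line[2:]  # flag style: --key=value
        if "=" not in line:
            continue  # bare flag without a value; not a setting we track
        key, value = line.split("=", 1)
        if section == "DEFAULT":
            values[key.strip()] = value.strip()
    return values


def audit_same_net_traffic(values: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the flag is explicitly false.

    nova defaults allow_same_net_traffic to True, so an absent key is
    reported the same way as an explicit true.
    """
    findings: List[str] = []
    raw = values.get("allow_same_net_traffic")
    if raw is None:
        findings.append(
            "allow_same_net_traffic is not set; nova defaults it to true, "
            "so VMs on the same network can reach each other"
        )
        return findings
    lowered = raw.lower()
    if lowered in TRUE_VALUES:
        findings.append(
            "allow_same_net_traffic=%s: VMs on the same network can reach "
            "each other" % raw
        )
    elif lowered not in FALSE_VALUES:
        findings.append(
            "allow_same_net_traffic=%r is not a recognised boolean value; "
            "check the file" % raw
        )
    return findings


if __name__ == "__main__":
    settings = parse_nova_conf(SAMPLE_NOVA_CONF)
    report = audit_same_net_traffic(settings) or ["OK: allow_same_net_traffic=false"]
    for line in report:
        print(line)
```

Run it against a real nova.conf by replacing SAMPLE_NOVA_CONF with the file's contents; an empty findings list only says the flag is explicitly false in that file, not that the VMs on a given host are actually isolated.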
