openstack team mailing list archive

Thread
Date

Re: Could s/o clarify if DHCP and L3 agents must be on different hosts if namespaces are disabled ?

To: gkotton@xxxxxxxxxx
From: Sylvain Bauza <sylvain.bauza@xxxxxxxxxxxx>
Date: Thu, 21 Mar 2013 09:18:01 +0100
Cc: "openstack@xxxxxxxxxxxxxxxxxxx \(openstack@xxxxxxxxxxxxxxxxxxx\)" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <5149E34F.2040507@redhat.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0

Hi Gary,

Le 20/03/2013 17:26, Gary Kotton a écrit :

Yes, this works. The problem is ensuring the network isolation. That
is, someone can make changes in the routing table on the host which
will enable one to gain access to the quantum networks. That is why we
suggest that they run on different hosts. We have a review that is
open to enable one to enforce this when the agents starts (this is
disabled by default to ensure backward compatability and to enable one
to run an all in one setup - for proof of concepts and testing)


Damn, makes sense. Once you explain this, the reasons are clear.


So, am I wrong ? What is the terrible thing which could happe in a
next few days if still keeping my environment as it is ?


No, it is not terrible at all.


Great, my mind feels lighter ;-)

Follow ups

Re: Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
From: Robert van Leeuwen, 2013-03-21

References

Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
From: Sylvain Bauza, 2013-03-20
Re: Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
From: Gary Kotton, 2013-03-20

openstack team mailing list archive

Re: Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?

Follow ups

References

Re: Could s/o clarify if DHCP and L3 agents must be on different hosts if namespaces are disabled ?