All on the list and Vish,
As we know and have tested in the Essex version, nova-network sets the bridge IP address as the VM's default gateway, and if a VM wants to go out it has to pass through the host route table. This brings us two critical problems:

1. The manager of a VM could touch the compute host, a potential security risk;
2. All the VMs on the same host could touch each other, a potential security risk.

Of course it also destroys the advantages of the multi-network and VLAN model: although we can use VLANs to separate tenants, in the end the VMs come together and have to go one way to go outside, which is very sad.

In the multi-network + VLANManager model, for example, when I create the 192.168.2.0/24 network for tenant A, 192.168.2.1 would be the default gateway value in the networks table in the Nova DB, and the bridge IP is perhaps 192.168.2.3 on the compute host; when you look at the default gateway of a VM on this host, it is 192.168.2.3, not 192.168.2.1 (192.168.2.1 was not allocated to any real site). What we want is: 192.168.2.1 should be the default gateway for all VMs in tenant A, and usually we would set 192.168.2.1 as the VLAN interface IP address on the LAN switch and go outside through it.

Yes, we have a way to modify dnsmasq.conf to set the gateway and DNS values, but it only works for one network; the reality is that we would use a per-tenant, per-network model to enhance security and would have more than thousands of networks and tenants. Hence, we only want a small code modification to assign 192.168.2.1 as the default gateway of the VM, that is, to use the lowest IP address of each tenant network as the default gateway when building up the VM, not the bridge IP. That would give us two benefits:

1. VM visits to the internet do not touch the compute host's IP route and network; they pass through the VLAN trunk to the LAN switch, enhancing security;
2. All the VMs of different tenants/networks on the same compute host could not touch each other, and we would not have to rely on ICMP port control in security group rules, enhancing security.
Of course, if we can achieve this, the multi-network and VLAN model would have really meaningful usage; otherwise it would trouble those of us who want to use OpenStack in a production environment. This work is very important to us: we would like to choose the multi-network and VLAN model to improve cloud system security and high availability, and of course, sometimes in other countries we do not have enough public IP addresses and have to use two NICs with fixed IP addresses to go out through DNAT port mapping, and would not use floating IPs. Certainly, if we can only resolve this problem in the F version through Quantum, please let us know. I would appreciate it if the software builders of the OpenStack Essex version could give some help on this.

Best regards,
Romi
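The gateway mismatch described in this mail, as an added worked example that is not nova code and not part of the original message: it derives each tenant network's intended gateway as the lowest usable address of its CIDR, checks the gateway a VM actually received against both that value and the compute host's bridge IP (the 192.168.2.1 vs 192.168.2.3 case above), and renders a dnsmasq fragment that hands out a router option per network using dnsmasq's `set:`/`tag:` matching, which is how one fragment can cover many networks rather than one. The network rows are constructed samples; whether the Essex nova-network dnsmasq launcher picks up such a fragment is an assumption, and the DHCP range deliberately starts above the gateway so the lowest address is never leased to a VM.

```python
"""Per-network default gateway for VLAN-isolated tenant networks.

Added example (not nova code). Assumes: rows shaped like the nova
`networks` table (cidr, dns) plus the bridge address nova assigned on the
compute host; dnsmasq tag syntax as documented upstream.
"""
import ipaddress

# Constructed sample rows; the first mirrors the numbers quoted in the mail.
SAMPLE_NETWORKS = [
    {"label": "tenantA", "cidr": "192.168.2.0/24",
     "bridge_ip": "192.168.2.3", "dns": "192.168.2.1"},
    {"label": "tenantB", "cidr": "10.20.0.0/22",
     "bridge_ip": "10.20.0.5", "dns": "10.20.0.1"},
]


def lowest_host_address(cidr):
    """Lowest usable host of a CIDR, e.g. 192.168.2.0/24 -> 192.168.2.1.

    net[0] is the network address, so net[1] is the first usable host."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[1])


def check_vm_gateway(vm_gateway, cidr, bridge_ip):
    """Judge the default gateway a VM actually received via DHCP.

    Returns (ok, reason). A gateway equal to the compute host's bridge
    address means VM traffic traverses the host route table; anything other
    than the network's lowest address is not the switch-side VLAN interface."""
    expected = lowest_host_address(cidr)
    if vm_gateway == bridge_ip:
        return False, ("gateway %s is the compute host bridge; VM traffic "
                       "passes through the host route table" % bridge_ip)
    if vm_gateway != expected:
        return False, ("gateway %s is not the network's lowest address %s"
                       % (vm_gateway, expected))
    return True, ("gateway %s is the switch-side VLAN interface; the compute "
                  "host is bypassed" % expected)


def dnsmasq_options(network):
    """dnsmasq lines giving one network its own router and DNS options.

    `dhcp-range=set:<tag>,...` tags leases from that pool, and
    `dhcp-option=tag:<tag>,...` applies only to tagged leases, so each
    tenant network gets its own router option instead of the bridge IP.
    The pool starts at net[2] so the gateway (net[1]) is never leased;
    net[-1] is the broadcast address, so net[-2] is the last usable host."""
    net = ipaddress.ip_network(network["cidr"], strict=True)
    tag = network["label"]
    gateway = str(net[1])
    return [
        "dhcp-range=set:%s,%s,%s,12h" % (tag, net[2], net[-2]),
        "dhcp-option=tag:%s,option:router,%s" % (tag, gateway),
        "dhcp-option=tag:%s,option:dns-server,%s" % (tag, network["dns"]),
    ]


def render_dnsmasq_conf(networks):
    """Full fragment for every network, one option set per tenant network."""
    lines = ["# one router/dns-server option set per tenant network"]
    for network in networks:
        lines.extend(dnsmasq_options(network))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Before the change: the VM on tenantA got the bridge address as gateway.
    print(check_vm_gateway("192.168.2.3", "192.168.2.0/24", "192.168.2.3"))
    # After the change: the VM got the network's lowest address.
    print(check_vm_gateway("192.168.2.1", "192.168.2.0/24", "192.168.2.3"))
    print(render_dnsmasq_conf(SAMPLE_NETWORKS))
```

The check is the operational test worth keeping: after any change to how the gateway is chosen, read the default route inside a guest on each network and feed it to `check_vm_gateway`; a result that names the bridge address means the guest still routes through the compute host.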
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp