Bug 1335995

Summary: [RFE] Multi-tenant bare metal to tenant with Ironic [advanced use case]
Product: Red Hat OpenStack
Reporter: Keith Basil <kbasil>
Component: openstack-tripleo-heat-templates
Assignee: Dmitry Tantsur <dtantsur>
Status: CLOSED ERRATA
QA Contact: mlammon
Severity: high
Priority: high
Version: 10.0 (Newton)
CC: bfournie, dlbewley, dsneddon, dtantsur, jjoyce, jschluet, kbasil, mburns, mlammon, nlevinki, pneedle, racedoro, rhel-osp-director-maint, robert.h.armstrong, sasha, sclewis, shwu, srevivo, tquinlan, tvvcox
Target Milestone: Upstream M1
Keywords: FutureFeature, Reopened, TechPreview, TestOnly, Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
URL: https://docs.openstack.org/ironic/latest/admin/multitenancy.html
Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180227121938.e0f59ee.el7ost
Doc Type: Enhancement
Last Closed: 2018-06-27 13:26:26 UTC
Type: Feature Request
Bug Depends On: 1242593    
Bug Blocks: 1286164, 1330826, 1337767, 1337988, 1340231, 1399441, 1419948, 1422243, 1442136, 1562171    

Description Keith Basil 2016-05-13 18:49:54 UTC
Description of problem:
Ironic is not multi-tenant out of the box. If you use Ironic to manage 100% of infrastructure, that instance of Ironic would see all hardware with root privileges. If you expose that to the overcloud at root level, the fear is that tenants may have exposure to hardware. Additionally, the scheduler within an overcloud may not know which machines are for tenant usage only. We need to support one instance of Ironic within the undercloud for OSP component host deployment AND then a separate instance of Ironic that is exposed to Nova and services within the overcloud.

The problem can be summed up as follows:
- No traffic isolation
- Compute instances would have access to the provisioning plane
- All nodes are in a single L2 domain
- No tenant isolation

Comment 3 Dmitry Tantsur 2016-08-17 09:00:19 UTC
The actual feature has landed upstream in Newton, so it will be usable with some level of manual configuration. I'm not sure we'll have documentation and potential TripleO bits in time though.

Comment 4 Dmitry Tantsur 2016-08-17 09:19:38 UTC
Can we close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1330826?

Comment 5 Lucas Alvares Gomes 2016-08-18 08:47:13 UTC
Duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1242593 as well

Comment 8 Keith Basil 2016-11-28 13:32:20 UTC
*** Bug 1340231 has been marked as a duplicate of this bug. ***

Comment 9 Fujitsu osp team 2017-02-06 13:40:57 UTC
Hello Red Hat,

Could you clarify what is required for this feature to be supported in OSP?

Regards,
Tatsuya Kitamura

Comment 10 Fujitsu osp team 2017-02-07 09:15:03 UTC
The previous comment was supposed to be for BZ#1330826. Sorry.

Tatsuya Kitamura

Comment 11 Dan Sneddon 2017-03-04 00:02:33 UTC

*** This bug has been marked as a duplicate of bug 1330826 ***

Comment 17 Dmitry Tantsur 2017-04-11 14:59:09 UTC
Support for neutron networking plugin and provisioning networks landed in https://review.openstack.org/#/c/452837/. Now we're ready to test this feature. A suitable ML2 plugin (not covered by this RFE) is required to actually use this feature.

Comment 29 Bob Fournier 2018-02-12 14:36:09 UTC
Marking this as TechPreview

Comment 30 Shang Wu 2018-05-11 06:32:30 UTC
What is the latest status for this? Does it make it into OSP13?

Comment 34 errata-xmlrpc 2018-06-27 13:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086