Bug 1335995 - [RFE] Multi-tenant bare metal to tenant with Ironic [advanced use case]
Summary: [RFE] Multi-tenant bare metal to tenant with Ironic [advanced use case]
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M1
Target Release: 13.0 (Queens)
Assignee: Dmitry Tantsur
QA Contact: mlammon
URL: https://docs.openstack.org/ironic/lat...
Duplicates: 1340231
Depends On: 1242593
Blocks: 1419948 1422243 1286164 1330826 1337767 1337988 1340231 1399441 1442136 1562171
Reported: 2016-05-13 18:49 UTC by Keith Basil
Modified: 2021-12-10 14:49 UTC

Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180227121938.e0f59ee.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-06-27 13:26:26 UTC
Target Upstream Version:

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| OpenStack gerrit | 452837 | 0 | None | MERGED | Add support for "neutron" Ironic networking plugin | 2020-05-06 12:40:48 UTC |
| Red Hat Issue Tracker | OSP-8514 | 0 | None | None | None | 2021-12-10 14:49:08 UTC |
| Red Hat Product Errata | RHEA-2018:2086 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 13.0 Enhancement Advisory | 2018-06-28 19:51:39 UTC |

Description Keith Basil 2016-05-13 18:49:54 UTC
Description of problem:
Ironic is not multi-tenant out of the box. If you use Ironic to manage 100% of infrastructure, that instance of Ironic would see all hardware with root privileges. If you expose that to the overcloud at root level, the fear is that tenants may have exposure to hardware. Additionally, the scheduler within an overcloud may not know which machines are for tenant usage only. We need to support one instance of Ironic within the undercloud for OSP component host deployment AND then a separate instance of Ironic that is exposed to Nova and services within the overcloud.

The problem can be summed up as follows:
- No traffic isolation
- Compute instances would have access to the provisioning plane
- All nodes are in a single L2 domain
- No tenant isolation

Comment 3 Dmitry Tantsur 2016-08-17 09:00:19 UTC
The actual feature has landed upstream in Newton, so it will be usable with some level of manual configuration. I'm not sure we'll have documentation and potential TripleO bits in time though.

Comment 4 Dmitry Tantsur 2016-08-17 09:19:38 UTC
Can we close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1330826?

Comment 5 Lucas Alvares Gomes 2016-08-18 08:47:13 UTC
Duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1242593 as well

Comment 8 Keith Basil 2016-11-28 13:32:20 UTC
*** Bug 1340231 has been marked as a duplicate of this bug. ***

Comment 9 Fujitsu osp team 2017-02-06 13:40:57 UTC
Hello Red Hat,

Could you clarify what is required for this feature to be supported in OSP?

Tatsuya Kitamura

Comment 10 Fujitsu osp team 2017-02-07 09:15:03 UTC
The previous comment was supposed to be for BZ#1330826. Sorry.

Tatsuya Kitamura

Comment 11 Dan Sneddon 2017-03-04 00:02:33 UTC

*** This bug has been marked as a duplicate of bug 1330826 ***

Comment 17 Dmitry Tantsur 2017-04-11 14:59:09 UTC
Support for neutron networking plugin and provisioning networks landed in https://review.openstack.org/#/c/452837/. Now we're ready to test this feature. A suitable ML2 plugin (not covered by this RFE) is required to actually use this feature.

Comment 29 Bob Fournier 2018-02-12 14:36:09 UTC
Marking this as TechPreview

Comment 30 Shang Wu 2018-05-11 06:32:30 UTC
What is the latest status for this? Does it make it into OSP13?

Comment 34 errata-xmlrpc 2018-06-27 13:26:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

