We are interested in configuring a fast layer 2 shared-services network for Manila in a way that prevents cross-tenant backdoors.
E.g.:

                 Manila-NFS-VIP
                 192.168.103.4
                       |
                SharedNFS Network
               (192.168.103.0/24)
                  /           \
          Tenant A             Tenant B
             |                    |
      SharedNFS NIC         SharedNFS NIC
      192.168.103.10        192.168.103.20
             |                    |
          Instance             Instance
             |                    |
       Internal NIC          Internal NIC
       172.16.0.50          192.168.20.20
If OpenStack Neutron supported PVLAN, we could configure the tenant NIC on that network so that its only reachable peer is the Manila-NFS VIP, and stop any possibility of backdoor access from other clients on that network.
In my diagram you can see that the StorageNFS network is a shared layer 2 domain. At no point can we assume that tenants will do the right thing with regards to security groups.
PVLAN solves this issue by preventing isolated ports from forwarding to one another at layer 2, while the destination (in this case the NFS-Ganesha VIP) sits on a promiscuous port that can reach every isolated port.
This is a diagram of PVLAN operation from Cisco:
https://www.cisco.com/c/dam/en/us/td/i/100001-200000/180001-190000/182001-183000/182773.eps/_jcr_content/renditions/182773.jpg
This is the actual write-up by Cisco on this capability: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/layer2/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Layer_2_Switching_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Layer_2_Switching_Configuration_Guide_chapter_0101.html#con_1344155
I spoke with Tom Barron (Manila PTL) and Ryan Tidwell (Neutron developer), and they both agreed this was a problem that PVLAN could solve. As Symcor is looking to leverage OpenStack with Manila across a multi-tenant environment, we want to be able to provide high-performance layer 2 access to our StorageNFS network without the security backdoors a regular layer 2 domain creates.
I can't see any of the details of https://bugzilla.redhat.com/show_bug.cgi?id=1474823 or why it was closed, but implementing PVLAN in Neutron would certainly help our use of the product and also add some fairly powerful capability to OpenStack.
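To make the forwarding rules concrete, here is an added Python model of a private VLAN (not code from this bug report, Neutron, or Cisco). It replays a few constructed frames over the SharedNFS topology from the diagram, first as an ordinary shared VLAN and then with PVLAN rules enforced, so the "backdoor" (tenant A reaching tenant B directly) is visible in the first run and gone in the second. The port names, MAC addresses and the extra "community" tenant are assumptions for illustration.

```python
"""Private VLAN forwarding model.

Added example, not code from the bug report, Neutron or Cisco.  Port names,
MAC addresses and the community tenant are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # the NFS-Ganesha VIP side: reaches every port
    ISOLATED = "isolated"        # a tenant NIC: may reach promiscuous ports only
    COMMUNITY = "community"      # may reach promiscuous ports and its own community


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


@dataclass(frozen=True)
class Frame:
    src_port: str
    src_mac: str
    dst_mac: str  # BROADCAST for ARP requests and the like


class Vlan:
    """One layer 2 domain.  enforce_pvlan=False is the plain shared VLAN from
    the diagram; True applies the private-VLAN port rules."""

    def __init__(self, ports: List[Port], enforce_pvlan: bool = True):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.enforce_pvlan = enforce_pvlan
        self.mac_table: Dict[str, str] = {}  # MAC -> port it was learned on

    def may_forward(self, ingress: Port, egress: Port) -> bool:
        if ingress.name == egress.name:
            return False  # never hairpin a frame back to its sender
        if not self.enforce_pvlan:
            return True   # regular VLAN: every port can reach every other port
        if PortType.PROMISCUOUS in (ingress.kind, egress.kind):
            return True   # promiscuous port exchanges frames with all ports
        if (ingress.kind == egress.kind == PortType.COMMUNITY
                and ingress.community == egress.community):
            return True   # members of the same community may talk
        return False      # isolated<->isolated, isolated<->community, cross-community

    def forward(self, frame: Frame) -> List[str]:
        """Return the sorted list of ports the frame is delivered to."""
        ingress = self.ports[frame.src_port]
        self.mac_table[frame.src_mac] = ingress.name  # source-address learning
        known = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or known is None:
            candidates = list(self.ports.values())  # unknown/broadcast: flood
        else:
            candidates = [self.ports[known]]        # known unicast
        return sorted(p.name for p in candidates if self.may_forward(ingress, p))


def demo(enforce_pvlan: bool) -> Dict[str, List[str]]:
    """Replay constructed frames over the SharedNFS topology from the diagram."""
    ports = [
        Port("nfs-vip", PortType.PROMISCUOUS),             # 192.168.103.4
        Port("tenant-a", PortType.ISOLATED),               # 192.168.103.10
        Port("tenant-b", PortType.ISOLATED),               # 192.168.103.20
        Port("tenant-c1", PortType.COMMUNITY, "tenant-c"),  # assumed: two NICs
        Port("tenant-c2", PortType.COMMUNITY, "tenant-c"),  # of a third tenant
    ]
    mac = {p.name: f"02:00:00:00:00:{i + 1:02x}" for i, p in enumerate(ports)}
    net = Vlan(ports, enforce_pvlan)
    out: Dict[str, List[str]] = {}
    # VIP ARPs for a client; every port hears it in both modes.
    out["vip_arp"] = net.forward(Frame("nfs-vip", mac["nfs-vip"], BROADCAST))
    # Tenant B answers the VIP (normal NFS client behaviour); its MAC gets learned.
    out["b_to_vip"] = net.forward(Frame("tenant-b", mac["tenant-b"], mac["nfs-vip"]))
    # Tenant A probes the segment with a broadcast ARP.
    out["a_arp_flood"] = net.forward(Frame("tenant-a", mac["tenant-a"], BROADCAST))
    # Tenant A sends directly to tenant B's MAC: the cross-tenant backdoor.
    out["a_to_b_unicast"] = net.forward(Frame("tenant-a", mac["tenant-a"], mac["tenant-b"]))
    # The VIP replying to tenant B must still work.
    out["vip_to_b"] = net.forward(Frame("nfs-vip", mac["nfs-vip"], mac["tenant-b"]))
    # Two NICs of the same tenant may talk to each other (community ports).
    out["c1_to_c2"] = net.forward(Frame("tenant-c1", mac["tenant-c1"], mac["tenant-c2"]))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("PVLAN enforced" if mode else "plain shared VLAN")
        for name, delivered in demo(mode).items():
            print(f"  {name:16s} -> {delivered}")
```

The model stops at layer 2, which is exactly where PVLAN stops: it blocks direct isolated-to-isolated forwarding, but the host behind the promiscuous port (here the NFS-Ganesha node) can still relay packets between isolated ports if IP forwarding is enabled on it, so that host needs forwarding disabled or filtered as part of the same design.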