Fuel prevents separation of Public and Floating networks

Bug #1322553 reported by Jesse Pretorius
This bug affects 1 person
Affects: Fuel for OpenStack
Status: Invalid
Importance: High
Assigned to: Fuel Library (Deprecated)
Milestone: (none)

Bug Description

Currently Fuel prevents the separation of the Public and Floating networks, justified by the idea that Neutron cannot do its own external routing.

We have a requirement to separate the networks so that we can put the Public services behind reverse proxies and other protections instead of publishing them directly on public IP ranges. The Floating range, however, needs to be a public network.

We don't see why the two need to be on the same CIDR subnet.

For other deployments we've done, we've separated them. The 'Floating' network is set up as is described in http://docs.openstack.org/icehouse/install-guide/install/apt/content/neutron_initial-external-network.html with the gateway set to a suitable public gateway. The 'Public' network is, however, set to a DMZ CIDR and we're then able to put them behind reverse proxies, IPS's, etc.

We therefore see the forced co-location of the two networks as a bug.

Changed in fuel:
milestone: none → 5.1
assignee: nobody → Fuel Python Team (fuel-python)
importance: Undecided → High
Jesse Pretorius (jesse-pretorius) wrote :

FYI - I see that there's already a blueprint for this: https://blueprints.launchpad.net/fuel/+spec/separate-public-floating

Dima Shulyak (dshulyak) wrote :

As a fix we can remove this validation from nailgun and run separated floating and public.

It will implement that blueprint only partially, so I'm not closing this bug.

Changed in fuel:
status: New → Confirmed
assignee: Fuel Python Team (fuel-python) → Dima Shulyak (dshulyak)
Jesse Pretorius (jesse-pretorius) wrote :

IMHO - Nailgun should ideally be adjusted as follows:

Neutron L3 Configuration to include:
 - An 'External Network Gateway' (or 'Floating Network Gateway')
 - An optional VLAN tag

Rules - Both the 'Public' and 'External Network' (L3 Configuration) should:
 - be allowed to have the same gateway, but only if the ranges they use are in the same CIDR
 - be allowed to be on the same VLAN
 - not be allowed to use the same IP range (as is the current rule)

Perhaps there should be a checkbox which gives the option to use the same CIDR for both, which will by default be checked. When unchecked, the options to input the alternative VLAN tag, CIDR and External Network Gateway can be revealed.
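
The rules proposed in the comment above, sketched as a validation function. This is an added example, not part of the original thread and not Nailgun's code; `NetSpec`, `validate_public_external` and the sample addresses are hypothetical, and "in the same CIDR" is taken to mean both networks declare an identical CIDR.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class NetSpec:
    """Hypothetical network definition; not Nailgun's actual schema."""
    cidr: str
    gateway: str
    ranges: List[Tuple[str, str]]  # inclusive (first, last) address pairs
    vlan: Optional[int] = None     # same VLAN on both networks is allowed

def _ranges_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    a_lo, a_hi = (int(ipaddress.ip_address(x)) for x in a)
    b_lo, b_hi = (int(ipaddress.ip_address(x)) for x in b)
    return a_lo <= b_hi and b_lo <= a_hi

def validate_public_external(public: NetSpec, external: NetSpec) -> List[str]:
    """Return a list of rule violations; an empty list means the pair is valid."""
    errors = []
    pub_net = ipaddress.ip_network(public.cidr)
    ext_net = ipaddress.ip_network(external.cidr)
    # Rule: a shared gateway is only allowed when both use the same CIDR.
    same_gw = ipaddress.ip_address(public.gateway) == ipaddress.ip_address(external.gateway)
    if same_gw and pub_net != ext_net:
        errors.append("shared gateway requires both networks in the same CIDR")
    # Rule: the two networks may never hand out the same addresses.
    for p in public.ranges:
        for e in external.ranges:
            if _ranges_overlap(p, e):
                errors.append(f"IP ranges overlap: {p[0]}-{p[1]} and {e[0]}-{e[1]}")
    # Rule: sharing a VLAN tag is allowed, so vlan is deliberately not compared.
    return errors

# Constructed sample data (RFC 1918 / RFC 5737 addresses), not from the bug report.
DMZ_PUBLIC = NetSpec("10.20.0.0/24", "10.20.0.1", [("10.20.0.10", "10.20.0.50")], vlan=101)
FLOATING = NetSpec("203.0.113.0/24", "203.0.113.1", [("203.0.113.100", "203.0.113.200")], vlan=102)

if __name__ == "__main__":
    print(validate_public_external(DMZ_PUBLIC, FLOATING))  # separated networks pass
```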

Dima Shulyak (dshulyak)
Changed in fuel:
assignee: Dima Shulyak (dshulyak) → Fuel Library Team (fuel-library)
Bogdan Dobrelya (bogdando) wrote :

Related BP assigned to Fuel python team, so we have to assign this back to the same team as well.

Changed in fuel:
milestone: 5.1 → 6.0
Bogdan Dobrelya (bogdando) wrote :

Both related and dependent BP (advanced networking) are targeted for 6.0, so we should re-target this one as well.

Dmitry Borodaenko (angdraug) wrote :

Since this is a feature and not really a bug, I'm closing this as Invalid. It is already referenced from the related blueprint: https://blueprints.launchpad.net/fuel/+spec/separate-public-floating

For your reference, here's the correct process to request new features in Fuel:
https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Propose_enhancements

Changed in fuel:
status: Confirmed → Invalid