Neutron tenant networks

asked 2017-07-10 12:14:05 -0500

Alex Usov

updated 2017-07-10 12:16:40 -0500

Hi everyone,

I know that regular users can't specify the network type during network creation in their projects, so Neutron simply goes through the values listed in tenant_network_types in order, until all ranges of segmentation are exhausted. So how can an unprivileged user get a network of a particular type? I see 2 solutions:

  • Placing the desired network type first in tenant_network_types and restarting neutron-server. Impractical and cumbersome.
  • Having admin create the network for a user.

I suppose the right way is the latter, but there are questions regarding interaction of resources in different tenants:

  • What if I specify different values for --tenant-id when creating a network and a subnet inside it? I know they should be the same, but why am I even allowed to specify --tenant-id for the subnet, why not simply inherit it from the parent network? I always thought of a network and its subnet as inseparable entities.
  • If I choose to create tenant networks (and other resources) as admin to be able to specify network type, I must specify --tenant-id in every command, correct?

Comments

Second question: If you don't specify --tenant-id or --project, the network, subnet etc will be owned by the admin project.

First question: I am guessing, but you might have a shared network owned by admin, and subnets owned by different projects. Not sure if there is a use case for this.

Bernd Bausch (2017-07-11 00:27:39 -0500)

Just tried this on a Liberty cloud I have lying around. I can create a shared network owned by admin, then subnets owned by different projects. However, I can launch an instance on the subnet of another project without problems. Subnet ownership doesn't seem to mean much.

Bernd Bausch (2017-07-11 00:35:26 -0500)

Thanks for the experiment, interesting. So, if I want to create a network of a particular type (vxlan, for example) for a tenant, the only way is to create it as admin on behalf of the tenant (with --tenant-id), right?

Alex Usov (2017-07-11 07:20:23 -0500)

That's right. Normal users can't select implementation details, of which the network type is an example.

Bernd Bausch (2017-07-11 07:25:25 -0500)

Thanks for the help.

Alex Usov (2017-07-11 07:29:48 -0500)
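
The two ownership cases raised in this thread (a subnet given a different --tenant-id than its network, and resources left in the admin project when --tenant-id is omitted) can be checked after the fact. The following is an added example, not part of the original thread: it audits constructed network and subnet records that use the Neutron API field names tenant_id, shared, provider:network_type and network_id. The sample IDs, project names and the audit_ownership function are hypothetical.

```python
"""Audit Neutron network/subnet ownership from API-style records."""

# Constructed sample records (IDs and project names are made up); the keys
# follow the Neutron API: tenant_id, shared, provider:network_type, network_id.
NETWORKS = [
    {"id": "net-a", "name": "shared-vxlan", "tenant_id": "admin",
     "shared": True, "provider:network_type": "vxlan"},
    {"id": "net-b", "name": "demo-net", "tenant_id": "demo",
     "shared": False, "provider:network_type": "vxlan"},
    {"id": "net-c", "name": "no-tenant-id", "tenant_id": "admin",
     "shared": False, "provider:network_type": "vlan"},
]
SUBNETS = [
    {"id": "sub-1", "network_id": "net-a", "tenant_id": "demo"},
    {"id": "sub-2", "network_id": "net-a", "tenant_id": "alt_demo"},
    {"id": "sub-3", "network_id": "net-b", "tenant_id": "demo"},
    {"id": "sub-4", "network_id": "net-c", "tenant_id": "admin"},
    {"id": "sub-5", "network_id": "net-gone", "tenant_id": "demo"},
]


def audit_ownership(networks, subnets, admin_project="admin"):
    """Return a sorted list of (kind, resource_id, detail) findings."""
    by_id = {n["id"]: n for n in networks}
    findings = []
    for s in subnets:
        net = by_id.get(s["network_id"])
        if net is None:
            # Parent network missing from the listing (e.g. not visible to caller).
            findings.append(("network-not-listed", s["id"], s["network_id"]))
        elif s["tenant_id"] != net["tenant_id"]:
            # Subnet was created with a different --tenant-id than its network.
            kind = "owner-mismatch-shared" if net["shared"] else "owner-mismatch"
            detail = f'{s["tenant_id"]} != {net["tenant_id"]} on {net["id"]}'
            findings.append((kind, s["id"], detail))
    for n in networks:
        # A non-shared network owned by the admin project may have been
        # created without --tenant-id and is unusable by the intended tenant.
        if n["tenant_id"] == admin_project and not n["shared"]:
            findings.append(("admin-owned-private", n["id"],
                             n["provider:network_type"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rid, detail in audit_ownership(NETWORKS, SUBNETS):
        print(f"{kind:24} {rid:8} {detail}")
```
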