0

Private external network is visible to other tenant

asked 2014-11-17 05:59:21 -0500

Huaming

updated 2014-11-19 01:57:13 -0500

I am trying to create an external network for a dedicated tenant. I have 2 external networks created. One is created within the admin tenant for all tenants' usage. It works well. The 2nd is created like: neutron net-create ext_net2 --provider:network_type flat --provider:physical_network physnet2 --router:external=True --tenant-id 71caaafeaf9446acb134cd337d13d1d5

Per this link: https://wiki.openstack.org/wiki/Neutr... ext_net2 should be private to tenant 71caaafeaf9446acb134cd337d13d1d5, but all other tenants can create routers and set their gateway to this external network.

UPDATE 1
root@network:~# ovs-vsctl show
aacb4736-666f-4e3d-b3eb-7a002db35481
    Bridge br-tun
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
        Port "gre-c0a80207"
            Interface "gre-c0a80207"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.7"}
        Port "gre-c0a80205"
            Interface "gre-c0a80205"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.5"}
    Bridge "br-eth3"
        Port "br-eth3"
            Interface "br-eth3"
                type: internal
        Port "eth3"
            Interface "eth3"
        Port "phy-br-eth3"
            Interface "phy-br-eth3"
                type: patch
                options: {peer="int-br-eth3"}
    Bridge br-int
        fail_mode: secure
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "int-br-eth3"
            Interface "int-br-eth3"
                type: patch
                options: {peer="phy-br-eth3"}
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    Bridge br-ex
        Port "eth2"
            Interface "eth2"
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
    ovs_version: "2.0.2"

Could anybody help me on this issue?

Thanks

UPDATE 1
root@network:~# ifconfig
br-eth3   Link encap:Ethernet  HWaddr e6:c8:33:27:c5:46  
      inet6 addr: fe80::28bf:70ff:fe89:18f3/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:5 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:238 (238.0 B)  TX bytes:648 (648.0 B)

br-ex     Link encap:Ethernet  HWaddr ba:60:05:be:8d:49  
      inet6 addr: fe80::2469:79ff:fea4:8625/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:1070 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:60570 (60.5 KB)  TX bytes:648 (648.0 B)

br-int    Link encap:Ethernet  HWaddr be:a1:0f:63:15:40  
      inet6 addr: fe80::74e8:2cff:fe48:cd9f/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:71 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:5542 (5.5 KB)  TX bytes:648 (648.0 B)

br-tun    Link encap:Ethernet  HWaddr 7a:37:5e:0a:22:4b  
      inet6 addr: fe80::3470:24ff:fe47:5754/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes ...
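The visibility behaviour the question describes, as an added example that is not part of the original thread and not Neutron's own code: a small Python model of which projects can point a router gateway at an external network. It encodes two rules. On Icehouse/Juno, a network flagged router:external is returned by the network listing to every project regardless of the tenant_id it was created with, which is why ext_net2 remains usable by other tenants. On Liberty and later, gateway use is governed by Neutron RBAC entries with action access_as_external; setting router:external=True creates a wildcard ("*") entry automatically, so the network is private only once that wildcard is removed and a project-specific entry is added. The network and RBAC records are constructed sample data shaped like the Neutron API, the project ids other than the one quoted in the question are placeholders, and the model deliberately ignores admin overrides and the separate access_as_shared action.

```python
from dataclasses import dataclass

ADMIN = "admin-project-id"                      # constructed placeholder
TENANT_A = "71caaafeaf9446acb134cd337d13d1d5"   # tenant id from the question
TENANT_B = "other-project-id"                   # constructed placeholder
PROJECTS = [ADMIN, TENANT_A, TENANT_B]


@dataclass
class Network:
    name: str
    tenant_id: str      # owner, which is all that --tenant-id sets
    external: bool      # router:external
    shared: bool = False


@dataclass
class RbacEntry:
    object_id: str      # network name stands in for the network id
    action: str         # "access_as_external" or "access_as_shared"
    target_tenant: str  # project id or "*" (wildcard)


def visible_pre_rbac(net: Network, project: str) -> bool:
    """Icehouse/Juno listing rule: owner, shared, or ANY router:external net."""
    return net.tenant_id == project or net.shared or net.external


def gateway_allowed_rbac(net: Network, project: str, rbac: list) -> bool:
    """Liberty+ rule: an access_as_external entry for this project or '*'."""
    return net.external and any(
        e.object_id == net.name
        and e.action == "access_as_external"
        and e.target_tenant in ("*", project)
        for e in rbac
    )


def create_external_network(name: str, tenant_id: str, rbac: list) -> Network:
    """Mimics Neutron (Liberty+): router:external=True adds a wildcard entry."""
    rbac.append(RbacEntry(name, "access_as_external", "*"))
    return Network(name, tenant_id, external=True)


def restrict_to_project(net: Network, project: str, rbac: list) -> None:
    """Drop the wildcard grant and allow gateway use by a single project."""
    rbac[:] = [e for e in rbac
               if not (e.object_id == net.name
                       and e.action == "access_as_external"
                       and e.target_tenant == "*")]
    rbac.append(RbacEntry(net.name, "access_as_external", project))


def audit(networks: list, projects: list, rbac: list = None) -> dict:
    """Map each external network to the projects able to use it as a gateway.

    rbac=None selects the pre-RBAC (Icehouse/Juno) rule; otherwise the
    RBAC entries decide.
    """
    report = {}
    for net in networks:
        if not net.external:
            continue
        if rbac is None:
            allowed = [p for p in projects if visible_pre_rbac(net, p)]
        else:
            allowed = [p for p in projects if gateway_allowed_rbac(net, p, rbac)]
        report[net.name] = allowed
    return report


def juno_scenario() -> dict:
    """The question's setup: --tenant-id on ext_net2 restricts nothing."""
    nets = [Network("ext_net", ADMIN, external=True),
            Network("ext_net2", TENANT_A, external=True)]
    return audit(nets, PROJECTS)


def liberty_scenario() -> tuple:
    """Same two networks under RBAC, before and after restricting ext_net2."""
    rbac = []
    nets = [create_external_network("ext_net", ADMIN, rbac),
            create_external_network("ext_net2", TENANT_A, rbac)]
    before = audit(nets, PROJECTS, rbac)
    restrict_to_project(nets[1], TENANT_A, rbac)
    after = audit(nets, PROJECTS, rbac)
    return before, after


if __name__ == "__main__":
    print("Icehouse/Juno          :", juno_scenario())
    before, after = liberty_scenario()
    print("Liberty+ with wildcard :", before)
    print("Liberty+ restricted    :", after)
```

On Liberty or newer the step modelled by restrict_to_project is done with the OpenStack client: list the network's entries with `openstack network rbac list`, delete the wildcard access_as_external entry, and add one with `openstack network rbac create --type network --action access_as_external --target-project <project-id> <network>`. On the Icehouse/Juno releases in the question no such control exists, so the audit's first result is the expected state: every router:external network is a valid gateway for every tenant.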

Comments

How many l3-agents are you running? Please post l3_agent.ini (or all of them)
as UPDATE 1 to the question.

dbaxps (2014-11-17 07:09:43 -0500)

You should be running at least two l3-agents, unless you implemented the approach developed in
http://blog.oddbit.com/2014/05/28/mul...
working for IceHouse (Juno).

dbaxps (2014-11-17 07:44:08 -0500)

Quoting this blog:

  When external_network_bridge is set, each L3 agent can be associated
   with no more than one external network. This value should be set to the UUID
   of that external network.
dbaxps (2014-11-17 07:46:08 -0500)

I am using Juno and Icehouse, with which one L3 agent should be able to handle multiple external networks by adding a second bridge br-ex2. And I leave external_network_bridge and gateway_external_network_id empty based on the manual's guidance.

Huaming (2014-11-19 00:11:32 -0500)

Please post ovs-vsctl show and ifconfig on the network node, and ml2_conf.ini on the network node.

dbaxps (2014-11-19 00:32:15 -0500)

2 answers

1

answered 2014-11-19 01:31:08 -0500

Huaming

My current issue is that all tenants are able to see and set a gateway on both of these 2 external networks. Based on the blueprint link, an external network should be able to be set private to a dedicated tenant.

0

answered 2014-11-18 07:28:59 -0500

dbaxps

Handling multiple l3_conf.ini files and configuring OVS external bridges is described in a step-by-step, detailed manner here:
https://www.softwareab.net/wordpress/...


Comments

Thanks dbaxps, I am about to create 2 external networks in my Icehouse and Juno. I am just not able to map one of them to a dedicated tenant. Do you have any idea about that?

Huaming (2014-11-19 00:31:56 -0500)

I would like to see your configuration: ovs-vsctl show and ml2_conf.ini on the network node.
I would guess something in the configuration affects assigning ext_net2 to a particular tenant.

dbaxps (2014-11-19 00:38:00 -0500)

Information was updated.

Huaming (2014-11-26 10:07:33 -0500)


Stats

Asked: 2014-11-17 05:59:21 -0500

Seen: 311 times

Last updated: Nov 19 '14