
Revision history [back]


Private external network is visible to other tenant

I am trying to create an external network for a dedicated tenant. I have created two external networks. The first was created in the admin tenant for use by all tenants, and it works well. The second was created like this: neutron net-create ext_net2 --provider:network_type flat --provider:physical_network physnet2 --router:external=True --tenant-id 71caaafeaf9446acb134cd337d13d1d5

According to https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks, ext_net2 should be private to tenant 71caaafeaf9446acb134cd337d13d1d5. In practice, however, all other tenants can still create a router and set its gateway to this external network.

Could anybody help me on this issue?

Thanks

Private external network is visible to other tenant

I am trying to create an external network for a dedicated tenant. I have created two external networks. The first was created in the admin tenant for use by all tenants, and it works well. The second was created like this: neutron net-create ext_net2 --provider:network_type flat --provider:physical_network physnet2 --router:external=True --tenant-id 71caaafeaf9446acb134cd337d13d1d5

According to https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks, ext_net2 should be private to tenant 71caaafeaf9446acb134cd337d13d1d5. In practice, however, all other tenants can still create a router and set its gateway to this external network.

UPDATE 1
root@network:~# ovs-vsctl show
aacb4736-666f-4e3d-b3eb-7a002db35481
Bridge br-tun 
Port patch-int 
Interface patch-int 
type: patch 
options: {peer=patch-tun} 
Port br-tun 
Interface br-tun 
type:internal 
Port "gre-c0a80207" 
Interface "gre-c0a80207" 
type:gre 
options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.7"} 
Port "gre-c0a80205" 
Interface "gre-c0a80205" 
type:gre 
options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.5"} 
Bridge "br-eth3" 
Port "br-eth3" 
Interface "br-eth3" 
type: internal 
Port "eth3" 
Interface "eth3" 
Port "phy-br-eth3" 
Interface "phy-br-eth3" 
type: patch 
options: {peer="int-br-eth3"} 
Bridge br-int 
fail_mode: secure 
Port int-br-ex 
Interface int-br-ex 
type:patch 
options: {peer=phy-br-ex} 
Port "int-br-eth3" 
Interface "int-br-eth3" 
type: patch options: {peer="phy-br-eth3"} 
Port br-int 
Interface br-int 
type: internal 
Port patch-tun 
Interface patch-tun 
type: patch 
options: {peer=patch-int} 
Bridge br-ex 
Port "eth2" 
Interface "eth2" 
Port br-ex 
Interface br-ex 
type: internal 
Port phy-br-ex 
Interface phy-br-ex 
type: patch 
options: {peer=int-br-ex} 

ovs_version: "2.0.2"

Could anybody help me on this issue?

Thanks

Private external network is visible to other tenant

I am trying to create an external network for a dedicated tenant. I have created two external networks. The first was created in the admin tenant for use by all tenants, and it works well. The second was created like this: neutron net-create ext_net2 --provider:network_type flat --provider:physical_network physnet2 --router:external=True --tenant-id 71caaafeaf9446acb134cd337d13d1d5

According to https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks, ext_net2 should be private to tenant 71caaafeaf9446acb134cd337d13d1d5. In practice, however, all other tenants can still create a router and set its gateway to this external network.

UPDATE 1
root@network:~# ovs-vsctl show
aacb4736-666f-4e3d-b3eb-7a002db35481
Bridge br-tun 
Port patch-int 
Interface patch-int 
type: patch 
options: {peer=patch-tun} 
Port br-tun 
Interface br-tun 
type:internal 
Port "gre-c0a80207" 
Interface "gre-c0a80207" 
type:gre 
options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.7"} 
Port "gre-c0a80205" 
Interface "gre-c0a80205" 
type:gre 
options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.5"} 
Bridge "br-eth3" 
Port "br-eth3" 
Interface "br-eth3" 
type: internal 
Port "eth3" 
Interface "eth3" 
Port "phy-br-eth3" 
Interface "phy-br-eth3" 
type: patch 
options: {peer="int-br-eth3"} 
Bridge br-int 
fail_mode: secure 
Port int-br-ex 
Interface int-br-ex 
type:patch 
options: {peer=phy-br-ex} 
Port "int-br-eth3" 
Interface "int-br-eth3" 
type: patch options: {peer="phy-br-eth3"} 
Port br-int 
Interface br-int 
type: internal 
Port patch-tun 
Interface patch-tun 
type: patch 
options: {peer=patch-int} 
Bridge br-ex 
Port "eth2" 
Interface "eth2" 
Port br-ex 
Interface br-ex 
type: internal 
Port phy-br-ex 
Interface phy-br-ex 
type: patch 
options: {peer=int-br-ex} 

ovs_version: "2.0.2"

Could anybody help me on this issue?

Thanks

UPDATE 1
root@network:~# ifconfig
br-eth3   Link encap:Ethernet  HWaddr e6:c8:33:27:c5:46  
      inet6 addr: fe80::28bf:70ff:fe89:18f3/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:5 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:238 (238.0 B)  TX bytes:648 (648.0 B)

br-ex     Link encap:Ethernet  HWaddr ba:60:05:be:8d:49  
      inet6 addr: fe80::2469:79ff:fea4:8625/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:1070 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:60570 (60.5 KB)  TX bytes:648 (648.0 B)

br-int    Link encap:Ethernet  HWaddr be:a1:0f:63:15:40  
      inet6 addr: fe80::74e8:2cff:fe48:cd9f/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:71 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:5542 (5.5 KB)  TX bytes:648 (648.0 B)

br-tun    Link encap:Ethernet  HWaddr 7a:37:5e:0a:22:4b  
      inet6 addr: fe80::3470:24ff:fe47:5754/64 Scope:Link
      UP BROADCAST RUNNING  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

eth0      Link encap:Ethernet  HWaddr fa:16:3e:f2:c2:e3  
      inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
      inet6 addr: fe80::f816:3eff:fef2:c2e3/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:357933 errors:0 dropped:0 overruns:0 frame:0
      TX packets:641835 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:41160966 (41.1 MB)  TX bytes:140611604 (140.6 MB)

eth1      Link encap:Ethernet  HWaddr fa:16:3e:87:68:fd  
      inet addr:192.168.2.6  Bcast:192.168.2.255  Mask:255.255.255.0
      inet6 addr: fe80::f816:3eff:fe87:68fd/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:119 errors:0 dropped:0 overruns:0 frame:0
      TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:6636 (6.6 KB)  TX bytes:2924 (2.9 KB)

eth2      Link encap:Ethernet  HWaddr fa:16:3e:f8:78:ba  
      inet6 addr: fe80::f816:3eff:fef8:78ba/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
      TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:58562 (58.5 KB)  TX bytes:3014 (3.0 KB)

eth3      Link encap:Ethernet  HWaddr fa:16:3e:19:a4:6f  
      inet6 addr: fe80::f816:3eff:fe19:a46f/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:0 (0.0 B)  TX bytes:1492 (1.4 KB)

lo        Link encap:Local Loopback  
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:56 errors:0 dropped:0 overruns:0 frame:0
      TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:17749 (17.7 KB)  TX bytes:17749 (17.7 KB)


root@network:~# more /etc/neutron/plugins/ml2/ml2_conf.ini

# ML2 plugin configuration on the network node, as printed by `more` above.
# NOTE(review): nothing in this file scopes a network to a tenant. These
# settings describe how networks are realised on the wire (type drivers,
# physical network names, bridges); which tenants can see or attach to a
# router:external network is presumably decided by the Neutron server's API
# policy -- confirm against the deployed policy file rather than this one.
[ml2]
# Network types the plugin will load: flat (untagged) and GRE tunnels.
type_drivers = flat,gre

# Networks that tenants create themselves are allocated as GRE.
tenant_network_types = gre
mechanism_drivers = openvswitch

[ml2_type_flat]
# Physical network names that may be used for flat provider networks.
# physnet2 is the name passed to --provider:physical_network for ext_net2.
# NOTE(review): a flat network carries no segmentation ID, so any separation
# between physnet1 and physnet2 relies on the bridges/NICs they map to below.
flat_networks = physnet1,physnet2

[ml2_type_vlan]

[ml2_type_gre]
# GRE tunnel IDs available for allocation to tenant networks.
tunnel_id_ranges = 1:1000

[ml2_type_vxlan]

[securitygroup]
# Security groups are switched on, using ipset and the OVS hybrid iptables
# firewall driver. These filter instance port traffic; they do not affect
# which networks a tenant can list or use as a router gateway.
enable_security_group = True

enable_ipset = True

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

[ovs]
# Tunnel endpoint address; matches eth1 in the ifconfig output and the
# local_ip of both GRE ports in the ovs-vsctl output.
local_ip = 192.168.2.6
tunnel_type = gre
enable_tunneling = True
# Physical network name -> OVS bridge. physnet1 uses br-ex (holding eth2) and
# physnet2 uses br-eth3 (holding eth3), consistent with the ovs-vsctl output.
bridge_mappings = physnet1:br-ex,physnet2:br-eth3