Is it safe to expose openstack horizon on the internet ?

I would recommend you to hide your complete OpenStack management network in a separate VLAN. And then setup a HaProxy as firewall and just forward the needed ports (with a ip whitelist if possible). Or just use a VPN server to access these services.

Horizon does not have protections against brute-force attacks or something like that. The same counts also for the Keystone API.

I cannot create project under api v3

You need to change your user's default project.

Via Horizon: Go to Horizon -> Identity -> Users -> Edit -> Primary Project.

Via CMD: openstack user set [username] --project [project name]

After setting a default project the v3 Identity should work fine for you.

Nova-network with external gateway

I've using now Neutron with Linux Bridge and a Provider Network. It's perfect for our use-case.

Intermittent access when configure using mariadb-galera

I had the same issue with keystone and a MariaDB Galera cluster behind a HAProxy. I've increased the idle_timeout in the keystone configuration to 3600 and I also increased the limits in the my.cnf file to:

max_allowed_packet = 128M

wait_timeout = 3600

2015-10-28 12:44:11 -0600 asked a question Cinder + Ceph - Deduplication?


we've set up a test cluster, we've configured Cinder with Ceph. Ceph has 3 OSD nodes. I've created 3 volumes in Horizon and started 3 instances with a Ubuntu 14.04 image. Everything works fine.

Like I understand Ceph should have deduplication, all 3 block devices on the storage have the same files on it but it seems that the Ceph cluster locating the file space for 3 times (3x ~ 800MB). But I thought it should locate the most blocks only one time on the Ceph storage.

Do I need to change some settings to use the deduplication feature for the block devices or is it not possible with Cinder?

Best regards, Alexander Birkner

2014-05-20 14:24:39 -0600 asked a question Nova-network with external gateway


I need to setup a shared hosting environment. Everything is working fine except the networking. I've created a network with the following command:

nova network-create testnetwork --bridge br100 --multi-host T --fixed-range-v4 --gateway --dns1 --dns2

The result should be that we are using our external gateway in the datacenter. The gateway has many ips and one of them is The complete network except the first ip should be useable on every node host. To reach the instance is not the problem but the instance has no outgoing network connection.

I've seen that one of the node servers got the ip address I don't want to use the node server as gateway. Is there a possibility to use the external gateway? The instance is already in the same network bridge like main interface p4p1.

Would be very awesome if anyone has a idea.

//EDIT: Or is it better to use neutron networking? But I have a very bad feeling about that the complete network traffic runs over one server (ddos).

Best regards, Alexander