Integrate execution container to Neutron Project / Tenant Networks

Registered by Robert Putt

It would be useful to be able to hook up a private project / tenant Neutron network to the container during code execution. This would be beneficial where a tenant / project has a database server / CephFS cluster / Redis node or something else the function needs to reach out to in a secure fashion. In its current state I believe the execution container would need to reach the project's storage over a public network only, which obviously raises security eyebrows.

There are a number of solutions I can imagine here...

a) Joining execution containers directly to the Neutron network (seems a silly idea as it could exhaust Neutron ports and subnet IPs very quickly on smaller subnets with a large number of concurrent execution jobs)
b) Joining execution containers to a routed Neutron network + subnet (execution containers join their own network within the tenant, which is then routed to the private tenant networks holding the resources via a Neutron router; this method still involves a lot of creation, attaching and detaching of ports and heavy usage of the DHCP agent)
c) Joining a port on a Neutron router to some network namespace to provide NAT to the execution nodes (providing a bridge to an execution network external to Neutron and just bridging it via a Neutron router probably takes the strain off the Neutron agents, but would require a lot of network management within Picasso itself)
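The capacity concern behind option (a) and the routed layout of option (b) can both be checked before any port is created. The script below is an added example written for this blueprint; it is not Picasso or Neutron code and calls no OpenStack API. It assumes a hypothetical candidate address space for execution subnets (10.200.0.0/16), constructed tenant subnets and resource addresses, and Neutron's usual reservation of the network, broadcast, gateway and DHCP-port addresses. It picks a non-overlapping execution subnet, reports whether a given number of concurrent jobs fits in it, and emits the router attachments plus least-privilege allow rules (execution CIDR to each resource's IP and port only) that a plan for option (b) would need.

```python
"""Plan a routed execution network (option b) and sanity-check IP capacity (option a).

Added example, not Picasso or Neutron code. Address ranges, resource names and
the candidate space are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Neutron reserves the network and broadcast addresses plus the gateway; an
# enabled DHCP agent takes one more port in the subnet (assumption stated above).
RESERVED_WITHOUT_DHCP = 3
RESERVED_WITH_DHCP = 4

# Hypothetical address space from which execution subnets are carved.
CANDIDATE_SPACE = "10.200.0.0/16"


@dataclass
class ExecNetPlan:
    exec_cidr: ipaddress.IPv4Network
    usable_ips: int
    concurrency: int
    capacity_ok: bool
    router_interfaces: List[str] = field(default_factory=list)
    allow_rules: List[Tuple[str, str, int]] = field(default_factory=list)


def usable_addresses(cidr: str, dhcp: bool = True) -> int:
    """Addresses left for execution containers once Neutron's reservations are taken."""
    net = ipaddress.ip_network(cidr)
    reserved = RESERVED_WITH_DHCP if dhcp else RESERVED_WITHOUT_DHCP
    return max(net.num_addresses - reserved, 0)


def pick_exec_cidr(tenant_cidrs, prefix_len: int, space: str = CANDIDATE_SPACE):
    """First /prefix_len block in `space` that overlaps none of the tenant subnets.

    Overlap would make the router's connected routes ambiguous, so it is rejected.
    """
    tenants = [ipaddress.ip_network(c) for c in tenant_cidrs]
    for cand in ipaddress.ip_network(space).subnets(new_prefix=prefix_len):
        if not any(cand.overlaps(t) for t in tenants):
            return cand
    raise ValueError("no free execution subnet in candidate space")


def plan_exec_network(tenant_cidrs, resources, concurrency: int,
                      prefix_len: int = 24, dhcp: bool = True) -> ExecNetPlan:
    """Build an option (b) plan.

    resources: (name, ip, port) tuples the functions must reach, e.g. a database.
    The router gets one interface per tenant subnet plus the execution subnet's
    gateway; allow rules are scoped to the execution CIDR and each resource port.
    """
    exec_cidr = pick_exec_cidr(tenant_cidrs, prefix_len)
    usable = usable_addresses(str(exec_cidr), dhcp)
    gateway = exec_cidr.network_address + 1

    interfaces = [f"{gateway}/{exec_cidr.prefixlen}"]
    for t in tenant_cidrs:
        tnet = ipaddress.ip_network(t)
        interfaces.append(f"{tnet.network_address + 1}/{tnet.prefixlen}")

    rules = []
    for name, ip, port in resources:
        # Reject a resource that is not on any attached tenant subnet: the
        # router would have no connected route to it.
        if not any(ipaddress.ip_address(ip) in ipaddress.ip_network(t) for t in tenant_cidrs):
            raise ValueError(f"resource {name} at {ip} is not on an attached tenant subnet")
        rules.append((str(exec_cidr), ip, port))

    return ExecNetPlan(exec_cidr, usable, concurrency, concurrency <= usable,
                       interfaces, rules)


if __name__ == "__main__":
    # Constructed inputs: two tenant subnets and one database the function needs.
    plan = plan_exec_network(["10.0.1.0/24", "10.0.2.0/24"],
                             [("db", "10.0.1.10", 5432)], concurrency=200)
    print(plan)
    print("option (a) on a /28:", usable_addresses("10.0.3.0/28"), "usable addresses")
```

Running it shows why (a) is fragile on small subnets (a /28 leaves 12 addresses once Neutron's reservations are taken) and gives the router interfaces and allow rules that a Picasso implementation of (b) would create, so the check on concurrency versus usable addresses can run before ports are allocated.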

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Robert Putt
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard


Work Items


Subscribers

No subscribers.