From 75b90a5ddb249b8ce9c5dc4a4acf95c3040e76c1 Mon Sep 17 00:00:00 2001 From: OctopusZhang Date: Tue, 15 Nov 2016 12:01:44 +0800 Subject: [PATCH] Update multitenancy docs Add a warning to remind user to configure provisioning and cleaning network as non-shared network. Add a note to remind user not to use provision network for instance spawning. Change-Id: Ifd7218fc24386097ed072195de8712d600399f09 Related-Bug: #1634573 --- doc/source/deploy/multitenancy.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/doc/source/deploy/multitenancy.rst b/doc/source/deploy/multitenancy.rst index aa4226662b..492d11b084 100644 --- a/doc/source/deploy/multitenancy.rst +++ b/doc/source/deploy/multitenancy.rst @@ -86,6 +86,20 @@ interface as stated above): Please refer to `Configure the Bare Metal service for cleaning`_ for more information about cleaning. + .. warning:: + Please make sure ironic is exclusive to the provisioning and cleaning + network. Spawning instances by non-admin users in these networks and + getting access to ironic control plane is a security risk. For this + reason, the provisioning and cleaning network should be configured as + non-shared network in the admin tenant. + + .. note:: + Spawning a bare metal instance onto the provisioning network is + impossible, the deployment will fail. The node should be deployed onto a + different network than the provisioning network. When you boot a bare + metal instance from nova, you should choose a different network in + neutron for your instance. + .. note:: The "provisioning" and "cleaning" networks may be the same neutron provider network, or may be distinct networks. To ensure communication
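Review bot: In the added warning, the first sentence states the relationship backwards: "Please make sure ironic is exclusive to the provisioning and cleaning network" reads as if ironic may only use those networks, while the rest of the warning is about keeping non-admin users off them. Suggest "Please make sure the provisioning and cleaning networks are used exclusively by ironic", with the plural "networks" there and in "configured as non-shared networks in the admin tenant", since the existing note in the trailing context says the two may be distinct networks. In the added note, "is impossible, the deployment will fail" is a comma splice, and the note names only the provisioning network although the warning covers the cleaning network as well; it should say whether the same restriction applies when the cleaning network is a separate network.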