Connectivity to the VLAD OpenStack Management Network
Here is my proposal for addressing the network connectivity to the
OpenStack management API endpoints on the VLAD cluster.
Problem Statement
The OpenStack management APIs for the VLAD cluster are on a private
subnet, accessible only from the vlad-mgmt node. This prevents
development and deployment of the NDS Web Services application on any
machine other than the vlad-mgmt node.
Considerations
We cannot simply change the OS_AUTH_URL string, because the compute
(nova) API URL is dynamically retrieved from the OpenStack management
server and is not visible to the application.
Solution
Use an iptables rule to redirect traffic with a destination address of
10.10.236.1 (the VLAD management network) generated by the NDS
application to localhost.
That traffic is then forwarded via a ssh tunnel from localhost (for the
specific OpenStack ports) to the real VLAD management network.
The commands to do this are:
# iptables -A OUTPUT -t nat -p tcp -d 10.10.236.1 -j DNAT --to 127.0.0.1
# ssh -L localhost:5000:localhost:5000 -L localhost:8774:localhost:8774 -4 -nNT vlad-mgmt &
Benefits
* Development and deployment of the NDS Web Services application can
occur on any machine, not just on the vlad-mgmt server. This includes
developer laptops, OpenStack instances, or anywhere else.
* There is no special application code needed. The application
believes it has normal network connectivity to the API endpoints on the
OpenStack management node.
* The same application code runs regardless of the environment in
which it's running (i.e. the same application runs in the same way in
the VLAD OpenStack cluster, the NCSA production OpenStack cluster, and
any other OpenStack clusters).
https://wiki.ncsa.illinois.edu/display/NDS/Connectivity+to+the+VLAD+OpenStack+Management+Network
- Mike
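
The following is an added example, not part of the original post: a wrapper around the two commands above that limits the DNAT rule to the forwarded ports (the rule as posted redirects all TCP traffic for 10.10.236.1) and removes the rules when the tunnel exits. The function names, the APPLY switch and the ExitOnForwardFailure option are additions made for this example; the address, host name and ports are the ones in the post.

```shell
#!/bin/sh
# Added example, not from the original post.
MGMT_IP=10.10.236.1      # management address from the post
JUMP_HOST=vlad-mgmt      # ssh host from the post
PORTS="5000 8774"        # the two ports the post forwards
APPLY=${APPLY:-0}        # assumption: 0 = print commands only, 1 = execute (root)

# Rule specification for one port, without the -A/-C/-D action.
rule_spec() {
    echo "OUTPUT -p tcp -d $MGMT_IP --dport $1 -j DNAT --to-destination 127.0.0.1:$1"
}

# One -L flag per port, same shape as in the post.
forward_flags() {
    flags=""
    for p in $PORTS; do flags="$flags -L localhost:$p:localhost:$p"; done
    echo "${flags# }"
}

# Print a command; execute it only when APPLY=1.
run() {
    echo "+ $*"
    [ "$APPLY" = 1 ] || return 0
    "$@"
}

up() {
    for p in $PORTS; do
        # -C checks for an existing rule so reruns do not stack duplicates.
        # $(rule_spec) is left unquoted on purpose so it splits into arguments.
        if [ "$APPLY" = 1 ] && iptables -t nat -C $(rule_spec "$p") 2>/dev/null; then
            continue
        fi
        run iptables -t nat -A $(rule_spec "$p")
    done
    # Foreground ssh: ExitOnForwardFailure aborts if a local port cannot be bound.
    run ssh -4 -nNT -o ExitOnForwardFailure=yes $(forward_flags) "$JUMP_HOST"
}

down() {
    for p in $PORTS; do
        run iptables -t nat -D $(rule_spec "$p") || true
    done
}

case "${1:-}" in
    up) trap 'exit 130' INT TERM; trap down EXIT; up ;;
    down) down ;;
esac
```

Invoked with the argument up, it prints the commands it would run; with APPLY=1 as root it runs them and deletes the rules when ssh exits.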