Trove network isolation

Isolate bussiness network from management network

This document aims to help administrator to configure network_isolation in trove.

Before Bobcat release, trove didn’t isolate the management network from bussiness network, sometimes, this may cause network performance issue or security issue.

Since Bobcat release, trove adds a new configure option(network_isolation) to configure network isolation.

network_isolation has the following behaviors and requirements:

  • Trove will not check the overlap between management networks cidrs and bussiness networks cidrs anymore. as trove allows the same cidrs between management network and bussiness network.

  • Cloud administrator must configure the management_networks in config file. Management network is responsible for connecting with rabbitMQ, as well as docker registry. Even though you have set network_isolation to true, if your management_networks is not configured, Trove will still not plug the network interface into the container.

Configure network isolation

  • Setting management_networks in /etc/trove/trove.conf, typically, this is a neutron provider network with a gateway configured. see the management network

[DEFAULT]
management_networks = <your-network-id>
  • Setting network_isolation to True(default is False)

[network]
network_isolation: True

Upgrade

This feature is not backward compatible with older Trove guest images; you need to re-build the guest image with the updated code. see the build image