CraigM_17826
Jan 18, 2013

Multi Tenancy on Viprions

Hi,

 

I am not quite sure which forum this question should go in because it is more about what F5 has in the works for better granular control of partitions in multi-tenancy environments. If there is a more suited forum where this should go please let me know.

 

 

Our situation.

 

We have a pair of BigIPs in house. We have since moved a lot of our kit out into the "private cloud" and our cloud provider uses a pair of Viprions for clients who require BigIP kit. Because we are only one of many of their customers, each customer has their own partition and an account to manage it. What I am finding though is that there are so many restrictions to what we can/can't do which is extremely frustrating when you have full access to your own BigIPs. The main issues that stick out for me are

 

- the inability to sync changes on our partition (we have to get the provider to do it via their support desk)

 

- the inability to access the ltm log because there are no partition specific ltm logs. (I know we can set up a syslog server and you can use the log statement to log messages to it, but it won't trap tcl and other error types)

 

- no shell access because it's not restricted to your partition

 

- cannot install/create SSL certificates, we have to send them to the provider who will then install them.

 

- cannot backup our config

 

I am wondering if there are plans within F5 to implement changes so that partitions and all the related files (config files, log files, certs, etc.) are stored in their own area so the partition user can be given full access to the files in this partition and have access to more of the management options that are currently blocked because they may affect other partition users.

 

 

I realise such fundamental changes are not easy to implement, so I am interested to hear if F5 is considering doing this or something like it or "this is as good as it will get".

 

 

Also, if I have misrepresented anything or if our provider has provided not quite accurate information to me, please do not hesitate to point these out.

 

Lastly, this is not a flame aimed at F5 or our provider, I am just interested if F5 have any plans down the line to improve the multi-tenancy functionality.

 

Regards,

 

Craig

 

 

3 Replies

  • I'm very interested in any answer from F5. The only useful thing I can comment on is the shell access. Certainly tmsh access can be limited to a single partition; however they may not want this as logs etc. that you could view are probably 'global'.
  • Hi Craig,

     

     

    I think that's a very well explained post. Thanks for taking the time to give constructive feedback.

     

     

    I've heard of a few features coming that may improve your situation like folder level config synching. I haven't heard of anything for a few of your issues (though I definitely don't see everything that everyone is working on).

     

     

    I'd encourage you to open a case with F5 Support and submit these issues with proposed improvements as Requests For Enhancements. Support will be able to tell you if there are already existing RFEs. You can then talk with your F5 or partner account team (or your "provider") to get status on upcoming features. If any of this process gets stuck, feel free to email me and I'll try to check on this (aaron at f5 dot com).

     

     

    - the inability to sync changes on our partition (we have to get the provider to do it via their support desk)

     

    >> We should have folder level config sync coming in a future version. I can't say exactly when, but this is a highly requested feature for multi-tenancy.

     

     

    - the inability to access the ltm log because there are no partition specific ltm logs. (I know we can set up a syslog server and you can use the log statement to log messages to it, but it won't trap tcl and other error types)

     

    >> Your provider should be able to set up a syslog server (or a chain of them to sort only your tenant logs). They might need to require you to use a custom format or token in your iRule log statements to sort these per tenant.

     

     

    - no shell access because it's not restricted to your partition

     

    >> The only practical solution I see for this is an RFE to give tmsh access with non-admin access to only your admin partition. Or use vCMP with admin CLI access enabled.

     

     

    - cannot install/create SSL certificates, we have to send them to the provider who will then install them.

     

    >> Your provider could potentially give you iControl or tmsh based tools which allow you to install certs.

     

     

    - cannot backup our config

     

    >> Your provider could potentially give you iControl or tmsh based tools which allow you to back up the full config. They could add business logic to the tool. Or they could do an automatically scheduled backup every N hours or days.

     

     

    On a related tangent, right now, the most complete technical solution we offer for allowing service providers to give their tenants admin access to BIG-IP is vCMP. With vCMP the tenant can have full admin rights to the guest instance and restrict the ability to affect other guests.

     

     

    Thanks, Aaron
  • Hi Aaron,

     

     

    Thanks for the comprehensive reply. Much appreciated. I'll raise some of the points with them to see what can be done.

     

     

    Regards,

     

     

    Craig
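
The per-tenant syslog sorting suggested in Aaron's reply, sketched as an added example that is not part of the thread and not F5 or provider code. It assumes a hypothetical convention in which each tenant's iRule log statement starts its message with `tenant=<id>`; the tenant ids and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed convention (not from the thread): tenant iRule log messages
# carry a "tenant=<id>" token. The first token on the line wins, so
# request data logged later in the message cannot re-route the line.
TOKEN = re.compile(r"\btenant=([A-Za-z0-9_-]+)\b")

KNOWN_TENANTS = {"acme", "globex"}   # hypothetical tenant ids
UNASSIGNED = "_provider_only"        # bucket no tenant may read


def route(line):
    """Return the bucket a log line belongs to."""
    m = TOKEN.search(line)
    # Lines with no token (for example Tcl runtime errors, which the
    # tenant's log statement never sees) and lines naming an unknown
    # tenant stay with the provider instead of leaking across tenants.
    if m and m.group(1) in KNOWN_TENANTS:
        return m.group(1)
    return UNASSIGNED


def demux(lines):
    """Split an iterable of syslog lines into per-tenant lists."""
    buckets = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if line:
            buckets[route(line)].append(line)
    return dict(buckets)


# Constructed sample lines, not real BIG-IP output.
SAMPLE = [
    "Jan 18 10:00:01 lb1 tmm[100]: tenant=acme pool member marked down",
    "Jan 18 10:00:02 lb1 tmm[100]: tenant=globex request rejected",
    "Jan 18 10:00:03 lb1 tmm[100]: TCL error: can't read \"x\"",
    "Jan 18 10:00:04 lb1 tmm[100]: tenant=initech unknown tenant id",
    "Jan 18 10:00:05 lb1 tmm[100]: tenant=acme uri=/?tenant=globex",
]

if __name__ == "__main__":
    for bucket, entries in sorted(demux(SAMPLE).items()):
        print(bucket, len(entries))
```

Because the token is written by the tenant's own iRule, it identifies the tenant only as far as the provider trusts that rule; the untagged bucket is where the errors Craig mentions would land.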