Problem Statement

The OpenStack management APIs for the VLAD cluster are on a private subnet, accessible only from the vlad-mgmt node.  This prevents development and deployment of the NDS Web Services application on any machine other than the vlad-mgmt node.


We cannot simply change the OS_AUTH_URL string, because the compute (nova) API URL is dynamically retrieved from the OpenStack management server and is not visible to the application.


Use an iptables rule to redirect traffic with a destination address of (the VLAD management network) generated by the NDS application to localhost.

That traffic is then forwarded via a ssh tunnel from localhost (for the specific OpenStack ports) to the real VLAD management network.

The commands to do this are:

# iptables -A OUTPUT -t nat -p tcp -d -j DNAT --to
# ssh -L localhost:5000:localhost:5000 -L localhost:8774:localhost:8774 -4 -nNT vlad-mgmt &


  • Development and deployment of the NDS Web Services application can occur on any machine, not just on the vlad-mgmt server.  This includes developer laptops, openstack instances, or anywhere else.
  • There is no special application code needed.  The application believes it has normal network connectivity to the API endpoints on the OpenStack management node.
  • The same application code runs regardless of the environment in which it's running (i.e. the same application runs in the same way in the VLAD OpenStack cluster, the NCSA production OpenStack cluster, and any other OpenStack clusters.


  • No labels