I discovered the instances in my home lab were not being protected by the neutron security groups I’d set up for them - what followed was a week-long odyssey to discover the culprit. IPTables rules were being put in place, and every other aspect of Neutron networking was just fine. Making things more mysterious, a test deploy on my own desktop, with the host running Fedora 23 and the containers running CentOS 7, did not manifest the issue.
Use case: We want to deploy instances on a particular set of compute hosts because of their special or specialized capabilities.

On the API server(s) ensure that the following scheduler_default_filters are set: AggregateInstanceExtraSpecsFilter,AggregateMultiTenancyIsolation

Dedicate Compute Hosts To a Specific Project

Create a host aggregate:

    $ nova aggregate-create DedicatedCompute
    $ nova aggregate-add-host DedicatedCompute dedicated-compute-host1
    $ nova aggregate-add-host DedicatedCompute dedicated-compute-host2
    $ nova aggregate-add-host DedicatedCompute dedicated-compute-host3

Add a key=value pair to the host aggregate metadata - we’ll use this to match against later.
Some quick notes for those interested:

Install EC2 API TOOLS

Set Access and Secret key environment variables:

    export AWS_ACCESS_KEY=xxxxxxxxxxxxxxx
    export AWS_SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Set up an S3 bucket and secure it to taste, to be specified later

If exporting from OpenStack, remove the cloud-init package

Note all prep considerations on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/PreparingYourVirtualMachine.html

Export the VM image - I’m using OpenStack (KVM) images in raw format, so these needed no initial conversion. You can also use VHD or VMDK

Docs: http://docs.