[apic-mapping] Need single_tenant_mode similar to ML2 for Cisco IT

Bug #1637278 reported by Kent Wu
This bug affects 1 person
Affects: Group Based Policy
Status: In Progress
Importance: Undecided
Assigned to: Kent Wu
Milestone: (none)

Bug Description

Cisco IT wants to create all the GBP resources under a single APIC tenant. After discussion we decided to introduce the single_tenant_mode from ML2 to GBP. And below is the related email thread.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Kent Wu <email address hidden>

Oct 20 (7 days ago)

to Jishnu, Mandeep, Sumit, Amit
Just to clarify: this potential issue already exists as of today and has nothing to do with this feature. Basically OpenStack allows objects with the same name, as internally they use uuid to distinguish; however, in APIC they will all map to the same object....

-Kent

On Thu, Oct 20, 2016 at 4:12 PM, Jishnu Banerjee <email address hidden> wrote:

    Referring to my reply.. the caveat will happen if the PTGs are in the same tenant(project)

    On Thu, Oct 20, 2016 at 4:07 PM, Jishnu Banerjee <email address hidden> wrote:

        In case of use_name + GBP mode, we have a bug/caveat here:

        Say user:
        1. Creates a ptg: A, hosts a VM
        2.Later point in time, he 'by mistake' creates another PTG but with same name as #1. Please note: this step will NOT create any new EPG on the APIC
        3. He decides to delete the #2 ptg

        Effect: Traffic will stop from the above VM. Expectation: not to impact anything other than deleting the 2nd PTG

        Reason: We apparently delete the ptg-A from the ACI since the POST req to APIC contains the data-set in which the "rn" attribute of fvAEPg is the name of the ptg

        data = {"fvTenant": {"attributes": {"rn": "tn-_noirolab_admin"}, "children": [{"fvAp": {"attributes": {"rn": "ap-noirolab_app"}, "children": [{"fvAEPg": {"attributes": {"status": "deleted", "rn": "epg-<ptgName>"}, "children": []}}]}}]}}

        Regards,
        jishnu

        On Thu, Oct 20, 2016 at 10:53 AM, Mandeep Dhami <email address hidden> wrote:

            Sadly True. With nameAlias implementation, we will "eventually" get rid of it. For now, they are both production. In fact CiscoIT will be using use_name :-(

            On Thu, Oct 20, 2016 at 10:30 AM, Kent Wu <email address hidden> wrote:

                Based on my conversation with Mandeep and Jishnu, use_uuid/use_name are both supported in production.

                -Kent

                On Wed, Oct 19, 2016 at 9:23 PM, Sumit Naiksatam <email address hidden> wrote:

                    On Wed, Oct 19, 2016 at 4:38 PM, Kent Wu <email address hidden> wrote:
                    > Another option 2.c for GBP is to always enable use_uuid when
                    > single_tenant_mode is on to avoid the collisions. I just tried and it will
                    > create PTG like kent_ptg_XXXXX where XXXXX is the leading bits of the uuid.
                    >

                    Is use_name something we even support for production deployments? I
                    thought that option was only for demos, no?

                    > -Kent
                    >
                    >
                    > On Wed, Oct 19, 2016 at 4:00 PM, Kent Wu <email address hidden> wrote:
                    >>
                    >> Hi guys,
                    >>
                    >> There are a few options but I think it's more straightforward and
                    >> especially flexible to re-use single_tenant_mode but introduce a new
                    >> parameter like shared_tenant_name (it will be "common" for Cisco IT) to
                    >> specify the desired APIC tenant name. So here is how it works:
                    >>
                    >> For ML2:
                    >> 1. If no shared_tenant_name parameter is given or it's empty, then by
                    >> default it will use the apic_system_id as the single APIC tenant name. Then
                    >> this behavior is exactly the same as the existing single_tenant_mode.
                    >> 2. When the shared_tenant_name parameter is given, then all the resources
                    >> will be created under this APIC tenant instead.
                    >>
                    >> For GBP:
                    >> 1. Will need to introduce single_tenant_mode and shared_tenant_name
                    >> parameters here. The behavior will be similar to ML2.
                    >> 2. one tricky part here is that in GBP, the APIC application profile name
                    >> is specified in the config file like "noirolab_app" for example. This means
                    >> when single_tenant_mode is enabled, all the resources will be created under
                    >> the same APIC tenant/app_profile.... Then we have 2 options here:
                    >> a. error it out when user tries to create the resource with the same
                    >> name. For example, if user already has a PTG called kent_ptg under pepsi
                    >> project then he is not allowed to create another kent_ptg even if it's under
                    >> coke project.
                    >> b. add another layer of scoping. For example, kent_ptg under pepsi
                    >> project will become pepsi_kent_ptg in APIC while it's coke_kent_ptg for the
                    >> coke project.
                    >>
                    >> I'm more inclined to option (a) right now to keep things simple but I'm
                    >> also open here if you guys think (b) is actually a better option.
                    >>
                    >> Any thoughts/comments/catches in this approach then?
                    >>
                    >> Thx.
                    >>
                    >> -Kent
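
The name collision discussed in this thread, as an added example (not part of the bug report, and not code from group-based-policy): it models how PTGs map to EPG DNs under one shared tenant and application profile, and checks whether deleting a PTG would remove an EPG that another PTG still uses. The strategy names, the name formats (including the five-character uuid prefix) and the sample ids are assumptions.

```python
# Added illustration; not code from group-based-policy or its APIC driver.
from collections import defaultdict

TENANT = "common"             # shared_tenant_name value mentioned in the thread
APP_PROFILE = "noirolab_app"  # application profile name mentioned in the thread

# Constructed sample PTGs (ids are made up).
PTGS = [
    {"id": "11111aaa", "project": "pepsi", "name": "kent_ptg"},
    {"id": "22222bbb", "project": "pepsi", "name": "kent_ptg"},
    {"id": "33333ccc", "project": "coke", "name": "kent_ptg"},
]

def epg_dn(ptg, strategy):
    """DN of the EPG a PTG maps to; the exact name formats are assumptions."""
    if strategy == "use_name":
        rn = ptg["name"]
    elif strategy == "project_scoped":   # option (b): pepsi_kent_ptg
        rn = f"{ptg['project']}_{ptg['name']}"
    elif strategy == "use_uuid":         # option 2.c: kent_ptg_XXXXX
        rn = f"{ptg['name']}_{ptg['id'][:5]}"
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return f"uni/tn-{TENANT}/ap-{APP_PROFILE}/epg-{rn}"

def find_collisions(ptgs, strategy):
    """Map each DN shared by more than one PTG to the ids that share it."""
    by_dn = defaultdict(list)
    for ptg in ptgs:
        by_dn[epg_dn(ptg, strategy)].append(ptg["id"])
    return {dn: ids for dn, ids in by_dn.items() if len(ids) > 1}

def dn_to_delete(ptgs, ptg_id, strategy):
    """DN that is safe to delete with the PTG, or None if another PTG still uses it."""
    dn = epg_dn(next(p for p in ptgs if p["id"] == ptg_id), strategy)
    shared = any(p["id"] != ptg_id and epg_dn(p, strategy) == dn for p in ptgs)
    return None if shared else dn

if __name__ == "__main__":
    for strategy in ("use_name", "project_scoped", "use_uuid"):
        print(strategy, find_collisions(PTGS, strategy))
    print(dn_to_delete(PTGS, "22222bbb", "use_name"))
```

Project scoping separates pepsi from coke but still collides for two same-named PTGs inside one project, which is the case Jishnu describes; only the uuid-suffixed names are unique in this sample.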

Kent Wu (wu-o)
Changed in group-based-policy:
status: New → In Progress
assignee: nobody → Kent Wu (wu-o)
OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (master)

Reviewed: https://review.openstack.org/390994
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=dfef8cae604d0e7e0f65945af340ca120e35b20f
Submitter: Jenkins
Branch: master

commit dfef8cae604d0e7e0f65945af340ca120e35b20f
Author: Kent Wu <email address hidden>
Date: Wed Oct 26 18:03:04 2016 -0700

    [apic-mapping] Introduce single_tenant_mode to GBP workflow

    Cisco IT wants to create all the GBP resources and maps them to a
    single tenant only under APIC. We will introduce the
    single_tenant_mode in ML2 to GBP to achieve this then.

    Change-Id: I62a668142564f8549651f19c717f8f7679660e54
    Partial-Bug: 1637278

OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/393465

OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/393466

OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (stable/mitaka)

Reviewed: https://review.openstack.org/393465
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=4df241be35cccb4f08b124f078c01527c4e55d77
Submitter: Jenkins
Branch: stable/mitaka

commit 4df241be35cccb4f08b124f078c01527c4e55d77
Author: Kent Wu <email address hidden>
Date: Wed Oct 26 18:03:04 2016 -0700

    [apic-mapping] Introduce single_tenant_mode to GBP workflow

    Cisco IT wants to create all the GBP resources and maps them to a
    single tenant only under APIC. We will introduce the
    single_tenant_mode in ML2 to GBP to achieve this then.

    Change-Id: I62a668142564f8549651f19c717f8f7679660e54
    Partial-Bug: 1637278
    (cherry picked from commit e18f41d660713a0f519135ac26c918b9ff27671c)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (stable/liberty)

Reviewed: https://review.openstack.org/393466
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=0716bcc87b8961564f2f30c6846e004e998c1c11
Submitter: Jenkins
Branch: stable/liberty

commit 0716bcc87b8961564f2f30c6846e004e998c1c11
Author: Kent Wu <email address hidden>
Date: Wed Oct 26 18:03:04 2016 -0700

    [apic-mapping] Introduce single_tenant_mode to GBP workflow

    Cisco IT wants to create all the GBP resources and maps them to a
    single tenant only under APIC. We will introduce the
    single_tenant_mode in ML2 to GBP to achieve this then.

    Change-Id: I62a668142564f8549651f19c717f8f7679660e54
    Partial-Bug: 1637278
    (cherry picked from commit e18f41d660713a0f519135ac26c918b9ff27671c)
    (cherry picked from commit 4df241be35cccb4f08b124f078c01527c4e55d77)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (master)

Fix proposed to branch: master
Review: https://review.openstack.org/405731

OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (master)

Reviewed: https://review.openstack.org/405731
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=f739b5b65d6a2a59c7d124c2f86e665ac3055bb5
Submitter: Jenkins
Branch: master

commit f739b5b65d6a2a59c7d124c2f86e665ac3055bb5
Author: Kent Wu <email address hidden>
Date: Thu Dec 1 18:08:51 2016 -0800

    [apic-mapping] single_tenant should not kick in for preexisting obj

    Partial-Bug: 1637278

    Change-Id: I438837d322acd57d10a909a0323c4dace915dabb

OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/405799

OpenStack Infra (hudson-openstack) wrote : Fix proposed to group-based-policy (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/405800

OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (stable/liberty)

Reviewed: https://review.openstack.org/405800
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=b03b7dc590fca2131581ad87badef4066f60a48b
Submitter: Jenkins
Branch: stable/liberty

commit b03b7dc590fca2131581ad87badef4066f60a48b
Author: Kent Wu <email address hidden>
Date: Thu Dec 1 18:08:51 2016 -0800

    [apic-mapping] single_tenant should not kick in for preexisting obj

    Partial-Bug: 1637278

    Change-Id: I438837d322acd57d10a909a0323c4dace915dabb
    (cherry picked from commit f739b5b65d6a2a59c7d124c2f86e665ac3055bb5)
    (cherry picked from commit 3cc269092f27e2dc8e7a3b3235052e68a0af53a0)

OpenStack Infra (hudson-openstack) wrote : Fix merged to group-based-policy (stable/mitaka)

Reviewed: https://review.openstack.org/405799
Committed: https://git.openstack.org/cgit/openstack/group-based-policy/commit/?id=3cc269092f27e2dc8e7a3b3235052e68a0af53a0
Submitter: Jenkins
Branch: stable/mitaka

commit 3cc269092f27e2dc8e7a3b3235052e68a0af53a0
Author: Kent Wu <email address hidden>
Date: Thu Dec 1 18:08:51 2016 -0800

    [apic-mapping] single_tenant should not kick in for preexisting obj

    Partial-Bug: 1637278

    Change-Id: I438837d322acd57d10a909a0323c4dace915dabb
    (cherry picked from commit f739b5b65d6a2a59c7d124c2f86e665ac3055bb5)
