--- /dev/null
+docs/_build
--- /dev/null
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = _build
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
+
+help:
+ @echo "Please use \`make <target>' where <target> is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+ -rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/snf-network.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/snf-network.qhc"
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/snf-network"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/snf-network"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
--- /dev/null
+# -*- coding: utf-8 -*-
+#
+# snf-network documentation build configuration file, created by
+# sphinx-quickstart on Mon Jan 20 18:25:17 2014.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.pngmath', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'snf-network'
+copyright = u'2010-2013, GRNET S.A. All rights reserved'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.12'
+# The full version, including alpha/beta/rc tags.
+release = '0.12.2'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+html_theme_options = {
+ 'collapsiblesidebar': 'true',
+ 'footerbgcolor': '#55b577',
+ 'footertextcolor': '#000000',
+ 'sidebarbgcolor': '#ffffff',
+ 'sidebarbtncolor': '#f2f2f2',
+ 'sidebartextcolor': '#000000',
+ 'sidebarlinkcolor': '#328e4a',
+ 'relbarbgcolor': '#55b577',
+ 'relbartextcolor': '#ffffff',
+ 'relbarlinkcolor': '#ffffff',
+ 'bgcolor': '#ffffff',
+ 'textcolor': '#000000',
+ 'headbgcolor': '#ffffff',
+ 'headtextcolor': '#000000',
+ 'headlinkcolor': '#c60f0f',
+ 'linkcolor': '#328e4a',
+ 'visitedlinkcolor': '#63409b',
+ 'codebgcolor': '#eeffcc',
+ 'codetextcolor': '#333333'
+}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'snf-networkdoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+#'papersize': 'letterpaper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+ ('index', 'snf-network.tex', u'snf-network Documentation',
+ u'Synnefo Development', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'snf-network', u'snf-network Documentation',
+ [u'Synnefo Development'], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+
+# -- Options for Texinfo output ------------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'snf-network', u'snf-network Documentation',
+ u'Synnefo Development', 'snf-network', 'One line description of project.',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+#texinfo_no_detailmenu = False
+
+
+# Example configuration for intersphinx: refer to the Python standard library.
+intersphinx_mapping = {'http://docs.python.org/': None}
--- /dev/null
+.. snf-network documentation master file, created by
+ sphinx-quickstart on Wed Feb 12 20:00:16 2014.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+Welcome to snf-network's documentation!
+=======================================
+
+snf-network is a set of scripts that handle the network configuration of
+an instance inside a Ganeti cluster. It takes advantange of the
+variables that Ganeti exports to their execution environment and issue
+all the necessary commands to ensure network connectivity to the instance
+based on the requested setup.
+
+Environment
+-----------
+
+Ganeti supports `IP pool management
+<http://docs.ganeti.org/ganeti/master/html/design-network.html>`_
+so that end-user can put instances inside networks and get all information
+related to the network in scripts. Specifically the following options are
+exported:
+
+* IP
+* MAC
+* MODE
+* LINK
+
+are per NIC specific, whereas:
+
+* NETWORK_SUBNET
+* NETWORK_GATEWAY
+* NETWORK_MAC_PREFIX
+* NETWORK_TAGS
+* NETWORK_SUBNET6
+* NETWORK_GATEWAY6
+
+are inherited by the network in which a NIC resides (optional).
+
+Scripts
+-------
+
+The scripts can be devided into two categories:
+
+1. The scripts that are invoked explicitly by Ganeti upon NIC creation.
+
+2. The scripts that are invoked by Ganeti Hooks Manager before or after an
+ opcode execution.
+
+The first group has the exact NIC info that is about to be configured where
+the latter one has the info of the whole instance. The big difference is that
+instance configuration (from the master perspective) might vary or be total
+different from the one that is currently running. The reason is that some
+modifications can take place without hotplug.
+
+
+kvm-ifup-custom
+^^^^^^^^^^^^^^^
+
+Ganeti upon instance startup and NIC hotplug creates the TAP devices to
+reflect to the instance's NICs. After that it invokes the Ganeti's `kvm-ifup`
+script with the TAP name as first argument and an environment including
+all NIC's and the corresponding network's info. This script searches for
+a user provided one under `/etc/ganeti/kvm-ifup-custom` and executes it
+instead.
+
+
+kvm-ifdown-custom
+^^^^^^^^^^^^^^^^^
+
+In order to cleanup or modify the node's setup or the configuration of an
+external component, Ganeti upon instance shutdown, successful instance
+migration on source node and NIC hot-unplug invokes `kvm-ifdown` script
+with the TAP name as first argument and a boolean second argument pointing
+whether we want to do local cleanup only (in case of instance migration) or
+totally unconfigure the interface along with e.g., any DNS entries (in case
+of NIC hot-unplug). This script searches for a user provided one under
+`/etc/ganeti/kvm-ifdown-custom` and executes it instead.
+
+
+vif-custom
+^^^^^^^^^^
+
+Ganeti provides a hypervisor parameter that defines the script to be executed
+per NIC upon instance startup: `vif-script`. Ganeti provides `vif-ganeti` as
+example script which executes `/etc/xen/scripts/vif-custom` if found.
+
+
+snf-network-hook
+^^^^^^^^^^^^^^^^
+
+This hook gets all static info related to an instance from evironment variables
+and issues any commands needed. It was used to fix node's setup upon migration
+when ifdown script was not supported but now it does nothing.
+
+
+snf-network-dnshook
+^^^^^^^^^^^^^^^^^^^
+
+This hook updates an external `DDNS <https://wiki.debian.org/DDNS>`_ setup via
+``nsupdate``. Since we add/remove entries during ifup/ifdown scripts, we use
+this only during instance remove/shutdown/rename. It does not rely on exported
+environment but it queries first the DNS server to obtain current entries and
+then it invokes the neccessary commands to remove them (and the relevant
+reverse ones too).
+
+
+Supported Setups
+----------------
+
+Currently since NICs in Ganeti are not taggable objects, we use network's and
+instance's tags to customize each NIC configuration. NIC inherits the network's
+tags (if attached to any) and further customization can be achieved with
+instance tags e.g. <tag prefix>:<nic uuid or name>:<tag>. In the following
+subsections we will mention all supported tags and their reflected underline
+setup.
+
+
+ip-less-routed
+^^^^^^^^^^^^^^
+
+This setup has the following characteristics:
+
+* An external gateway on the same collition domain with all nodes on some
+ interface (e.g. eth1, eth0.200) is needed.
+* Each node is a router for the hostes VMs
+* The node itself does not have an IP inside the routed network
+* The node does proxy ARP for IPv4 networks
+* The node does proxy NDP for IPv6 networks while RA and NA are
+* RS and NS are served locally by
+ `nfdhcpd <http://www.synnefo.org/docs/nfdhcpd/latest/index.html>`_
+ since the VMs are not on the same link with the router.
+
+Lets analyze a simple PING from an instance to an external IP using this setup.
+We assume the following:
+
+* ``IP`` is the instance's IP
+* ``GW_IP`` is the external router's IP
+* ``NODE_IP`` is the node's IP
+* ``ARP_IP`` is a dummy IP inside the network needed for proxy ARP
+
+* ``MAC`` is the instance's MAC
+* ``TAP_MAC`` is the tap's MAC
+* ``DEV_MAC`` is the host's DEV MAC
+* ``GW_MAC`` is the external router's MAC
+
+* ``DEV`` is the node's device that the router is visible from
+* ``TAP`` is the host interface connected with the instance's eth0
+
+Since we suppose to be on the same link with the router, ARP takes place first:
+
+1) The VM wants to know the GW_MAC. Since the traffic is routed we do proxy ARP.
+
+ - ARP, Request who-has GW_IP tell IP
+ - ARP, Reply GW_IP is-at TAP_MAC ``echo 1 > /proc/sys/net/conf/TAP/proxy_arp``
+ - So `arp -na` insided the VM shows: ``(GW_IP) at TAP_MAC [ether] on eth0``
+
+2) The host wants to know the GW_MAC. Since the node does **not** have an IP
+ inside the network we use the dummy one specified above.
+
+ - ARP, Request who-has GW_IP tell ARP_IP (Created by DEV)
+ ``arptables -I OUTPUT -o DEV --opcode 1 -j mangle --mangle-ip-s ARP_IP``
+ - ARP, Reply GW_IP is-at GW_MAC
+
+3) The host wants to know MAC so that it can proxy it.
+
+ - We simulate here that the VM sees **only** GW on the link.
+ - ARP, Request who-has IP tell GW_IP (Created by TAP)
+ ``arptables -I OUTPUT -o TAP --opcode 1 -j mangle --mangle-ip-s GW_IP``
+ - So `arp -na` inside the host shows:
+ ``(GW_IP) at GW_MAC [ether] on DEV, (IP) at MAC on TAP``
+
+4) GW wants to know who does proxy for IP.
+
+ - ARP, Request who-has IP tell GW_IP
+ - ARP, Reply IP is-at DEV_MAC (Created by host's DEV)
+
+
+With the above we have a working proxy ARP configuration. The rest is done
+via simple L3 routing. Lets assume the following:
+
+* ``TABLE`` is the extra routing table
+* ``SUBNET`` is the IPv4 subnet where the VM's IP reside
+
+1) Outgoing traffic:
+
+ - Traffic coming out of TAP is routed via TABLE
+ ``ip rule add dev TAP table TABLE``
+ - TABLE states that default route is GW_IP via DEV
+ ``ip route add default via GW_IP dev DEV``
+
+2) Incoming traffic:
+
+ - Packet arrives at router
+ - Router knows from proxy ARP that the IP is at DEV_MAC.
+ - Router sends ethernet packet with tgt DEV_MAC
+ - Host receives the packet from DEV interface
+ - Traffic coming out DEV is routed via TABLE
+ ``ip rule add dev DEV table TABLE``
+ - Traffic targeting IP is routed to TAP
+ ``ip route add IP dev TAP``
+
+3) Host to VM traffic:
+
+ - Impossible if the VM resides in the host
+ - Otherwise there is a route for it: ``ip route add SUBNET dev DEV``
+
+The IPv6 setup is pretty similar but instead of proxy ARP we have proxy NDP
+and RS and NS coming from TAP are served by nfdhpcd. RA contain network's
+prefix and has M flag unset in order the VM to obtain its IP6 via SLAAC and
+O flag set to obtain static info (nameservers, domain search list) via DHCPv6
+(also served by nfdhcpd).
+
+Again the VM sees on its link local only TAP which is supposed to be the
+Router. The host does proxy for IP6 ``ip -6 neigh add EUI64 dev DEV``.
+
+When an interface gets up inside a host we should invalidate all entries
+related to its IP among other nodes and the router. For proxy ARP we do
+``arpsend -U -c 1 -i IP DEV`` and for proxy NDP we do ``ndsend EUI64 DEV``
+
+
+private-filtered
+^^^^^^^^^^^^^^^^
+
+In order to provide L2 isolation among several VMs we can use ebtables on a
+**single** bridge. The infrastracture must provide a physical VLAN or separate
+interaface shared among all nodes in the cluster. All virtual interfaces will
+be bridged on a common bridge (e.g. ``prv0``) and filtering will be done via
+ebtables and MAC prefix. The concept is that all interfaces on the same L2
+should have the same MAC prefix. MAC prefix uniqueness is quaranteed by
+synnefo and passed to Ganeti as a network option.
+
+To ensure isolation we should allow traffic coming from tap to have specific
+source MAC and at the same time allow traffic coming to tap to have a source
+MAC in the same MAC prefix. Applying those rules only in FORWARD chain will not
+guarantee isolation. The reason is because packets with target MAC a `mutlicast
+address <http://en.wikipedia.org/wiki/Multicast_address>`_ go through INPUT and
+OUTPUT chains. To sum up the following ebtables rules are applied:
+
+.. code-block:: console
+
+ # Create new chains
+ ebtables -t filter -N FROMTAP5
+ ebtables -t filter -N TOTAP5
+
+ # Filter multicast traffic from VM
+ ebtables -t filter -A INPUT -i tap5 -j FROMTAP5
+
+ # Filter multicast traffic to VM
+ ebtables -t filter -A OUTPUT -o tap5 -j TOTAP5
+
+ # Filter traffic from VM
+ ebtables -t filter -A FORWARD -i tap5 -j FROMTAP5
+ # Filter traffic to VM
+ ebtables -t filter -A FORWARD -o tap5 -j TOTAP5
+
+ # Allow only specific src MAC for outgoing traffic
+ ebtables -t filter -A FROMTAP5 -s ! aa:55:66:1a:ae:82 -j DROP
+ # Allow only specific src MAC prefix for incoming traffic
+ ebtables -t filter -A TOTAP5 -s ! aa:55:60:0:0:0/ff:ff:f0:0:0:0 -j DROP
+
+
+dns
+^^^
+
+snf-network can update an external `DDNS <https://wiki.debian.org/DDNS>`_
+server. `ifup` and `ifdown` scripts, if `dns` network tag is found, will use
+`nsupdate` and add/remove entries related to the interface that is being
+managed.
+
+
+Contents:
+
+.. toctree::
+ :maxdepth: 2
+
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
--- /dev/null
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
+set I18NSPHINXOPTS=%SPHINXOPTS% .
+if NOT "%PAPER%" == "" (
+ set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+ set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+ :help
+ echo.Please use `make ^<target^>` where ^<target^> is one of
+ echo. html to make standalone HTML files
+ echo. dirhtml to make HTML files named index.html in directories
+ echo. singlehtml to make a single large HTML file
+ echo. pickle to make pickle files
+ echo. json to make JSON files
+ echo. htmlhelp to make HTML files and a HTML help project
+ echo. qthelp to make HTML files and a qthelp project
+ echo. devhelp to make HTML files and a Devhelp project
+ echo. epub to make an epub
+ echo. latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+ echo. text to make text files
+ echo. man to make manual pages
+ echo. texinfo to make Texinfo files
+ echo. gettext to make PO message catalogs
+ echo. changes to make an overview over all changed/added/deprecated items
+ echo. linkcheck to check all external links for integrity
+ echo. doctest to run all doctests embedded in the documentation if enabled
+ goto end
+)
+
+if "%1" == "clean" (
+ for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+ del /q /s %BUILDDIR%\*
+ goto end
+)
+
+if "%1" == "html" (
+ %SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+ goto end
+)
+
+if "%1" == "dirhtml" (
+ %SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+ goto end
+)
+
+if "%1" == "singlehtml" (
+ %SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+ goto end
+)
+
+if "%1" == "pickle" (
+ %SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the pickle files.
+ goto end
+)
+
+if "%1" == "json" (
+ %SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the JSON files.
+ goto end
+)
+
+if "%1" == "htmlhelp" (
+ %SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+ goto end
+)
+
+if "%1" == "qthelp" (
+ %SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+ echo.^> qcollectiongenerator %BUILDDIR%\qthelp\snf-network.qhcp
+ echo.To view the help file:
+ echo.^> assistant -collectionFile %BUILDDIR%\qthelp\snf-network.ghc
+ goto end
+)
+
+if "%1" == "devhelp" (
+ %SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished.
+ goto end
+)
+
+if "%1" == "epub" (
+ %SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The epub file is in %BUILDDIR%/epub.
+ goto end
+)
+
+if "%1" == "latex" (
+ %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+ goto end
+)
+
+if "%1" == "text" (
+ %SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The text files are in %BUILDDIR%/text.
+ goto end
+)
+
+if "%1" == "man" (
+ %SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The manual pages are in %BUILDDIR%/man.
+ goto end
+)
+
+if "%1" == "texinfo" (
+ %SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
+ goto end
+)
+
+if "%1" == "gettext" (
+ %SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
+ goto end
+)
+
+if "%1" == "changes" (
+ %SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.The overview file is in %BUILDDIR%/changes.
+ goto end
+)
+
+if "%1" == "linkcheck" (
+ %SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+ goto end
+)
+
+if "%1" == "doctest" (
+ %SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+ goto end
+)
+
+:end
projects / snf-network / commitdiff