From 126f8f4e54f6714418927a2af06ace5fadc8b604 Mon Sep 17 00:00:00 2001
From: Dimitris Aragiorgis
Date: Tue, 25 Feb 2014 12:44:41 +0200
Subject: [PATCH] Add docs
Signed-off-by: Dimitris Aragiorgis
---
.gitignore | 1 +
docs/Makefile | 153 ++++++++++++++++++++++++++++++
docs/conf.py | 269 ++++++++++++++++++++++++++++++++++++++++++++++++++++
docs/index.rst | 285 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
docs/make.bat | 190 +++++++++++++++++++++++++++++++++++++
5 files changed, 898 insertions(+)
create mode 100644 .gitignore
create mode 100644 docs/Makefile
create mode 100644 docs/conf.py
create mode 100644 docs/index.rst
create mode 100644 docs/make.bat
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..accb26a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+docs/_build
diff --git a/docs/Makefile b/docs/Makefile
new file mode 100644
index 0000000..bbd4dbd
--- /dev/null
+++ b/docs/Makefile
@@ -0,0 +1,153 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = _build
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
+
+help:
+ @echo "Please use \`make ' where is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+ -rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/snf-network.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/snf-network.qhc"
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/snf-network"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/snf-network"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \ "results in $(BUILDDIR)/doctest/output.txt."
diff --git a/docs/conf.py b/docs/conf.py
new file mode 100644
index 0000000..527ff73
--- /dev/null
+++ b/docs/conf.py
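Review bot: The `info` target's recipe calls the sub-build with a bare `make -C $(BUILDDIR)/texinfo info`, while `latexpdf` a few lines earlier correctly uses `$(MAKE) -C $(BUILDDIR)/latex all-pdf`; the literal call does not propagate the jobserver or `-n`, so the line should read `$(MAKE) -C $(BUILDDIR)/texinfo info`. `texinfo` and `info` are also absent from the `.PHONY` list at the top of the hunk even though `help` advertises both, so a file of either name in docs/ would make those targets look up to date. Since `BUILDDIR` is documented as settable from the command line, `clean`'s `-rm -rf $(BUILDDIR)/*` expands to `rm -rf /*` when it is overridden to an empty value; a guard such as `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))` placed before the `rm` prevents that.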
@@ -0,0 +1,269 @@
+# -*- coding: utf-8 -*-
+#
+# snf-network documentation build configuration file, created by
+# sphinx-quickstart on Mon Jan 20 18:25:17 2014.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.pngmath', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'snf-network'
+copyright = u'2010-2013, GRNET S.A. All rights reserved'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.12'
+# The full version, including alpha/beta/rc tags.
+release = '0.12.2'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+html_theme_options = {
+ 'collapsiblesidebar': 'true',
+ 'footerbgcolor': '#55b577',
+ 'footertextcolor': '#000000',
+ 'sidebarbgcolor': '#ffffff',
+ 'sidebarbtncolor': '#f2f2f2',
+ 'sidebartextcolor': '#000000',
+ 'sidebarlinkcolor': '#328e4a',
+ 'relbarbgcolor': '#55b577',
+ 'relbartextcolor': '#ffffff',
+ 'relbarlinkcolor': '#ffffff',
+ 'bgcolor': '#ffffff',
+ 'textcolor': '#000000',
+ 'headbgcolor': '#ffffff',
+ 'headtextcolor': '#000000',
+ 'headlinkcolor': '#c60f0f',
+ 'linkcolor': '#328e4a',
+ 'visitedlinkcolor': '#63409b',
+ 'codebgcolor': '#eeffcc',
+ 'codetextcolor': '#333333'
+}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# " v documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'snf-networkdoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+#'papersize': 'letterpaper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+ ('index', 'snf-network.tex', u'snf-network Documentation',
+ u'Synnefo Development', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'snf-network', u'snf-network Documentation',
+ [u'Synnefo Development'], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+
+# -- Options for Texinfo output ------------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'snf-network', u'snf-network Documentation',
+ u'Synnefo Development', 'snf-network', 'One line description of project.',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+#texinfo_no_detailmenu = False
+
+
+# Example configuration for intersphinx: refer to the Python standard library.
+intersphinx_mapping = {'http://docs.python.org/': None}
diff --git a/docs/index.rst b/docs/index.rst
new file mode 100644
index 0000000..716d794
--- /dev/null
+++ b/docs/index.rst
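Review bot: `templates_path = ['_templates']` and `html_static_path = ['_static']` point at directories this commit does not create (the diffstat lists only the five new files), so sphinx-build will warn about at least the missing `html_static_path` entry on every run; either add the directories or drop the two settings until they are needed. `texinfo_documents` still carries the quickstart placeholder `'One line description of project.'`, which is emitted verbatim as the Info dir entry. `import sys, os` is unused, since the only reference to either module is the commented-out `sys.path.insert` line. `copyright` states `2010-2013` although the commit is dated 2014, which is probably stale.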
@@ -0,0 +1,285 @@
+.. snf-network documentation master file, created by
+ sphinx-quickstart on Wed Feb 12 20:00:16 2014.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+Welcome to snf-network's documentation!
+=======================================
+
+snf-network is a set of scripts that handle the network configuration of
+an instance inside a Ganeti cluster. It takes advantange of the
+variables that Ganeti exports to their execution environment and issue
+all the necessary commands to ensure network connectivity to the instance
+based on the requested setup.
+
+Environment
+-----------
+
+Ganeti supports `IP pool management
+`_
+so that end-user can put instances inside networks and get all information
+related to the network in scripts. Specifically the following options are
+exported:
+
+* IP
+* MAC
+* MODE
+* LINK
+
+are per NIC specific, whereas:
+
+* NETWORK_SUBNET
+* NETWORK_GATEWAY
+* NETWORK_MAC_PREFIX
+* NETWORK_TAGS
+* NETWORK_SUBNET6
+* NETWORK_GATEWAY6
+
+are inherited by the network in which a NIC resides (optional).
+
+Scripts
+-------
+
+The scripts can be devided into two categories:
+
+1. The scripts that are invoked explicitly by Ganeti upon NIC creation.
+
+2. The scripts that are invoked by Ganeti Hooks Manager before or after an
+ opcode execution.
+
+The first group has the exact NIC info that is about to be configured where
+the latter one has the info of the whole instance. The big difference is that
+instance configuration (from the master perspective) might vary or be total
+different from the one that is currently running. The reason is that some
+modifications can take place without hotplug.
+
+
+kvm-ifup-custom
+^^^^^^^^^^^^^^^
+
+Ganeti upon instance startup and NIC hotplug creates the TAP devices to
+reflect to the instance's NICs. After that it invokes the Ganeti's `kvm-ifup`
+script with the TAP name as first argument and an environment including
+all NIC's and the corresponding network's info. This script searches for
+a user provided one under `/etc/ganeti/kvm-ifup-custom` and executes it
+instead.
+
+
+kvm-ifdown-custom
+^^^^^^^^^^^^^^^^^
+
+In order to cleanup or modify the node's setup or the configuration of an
+external component, Ganeti upon instance shutdown, successful instance
+migration on source node and NIC hot-unplug invokes `kvm-ifdown` script
+with the TAP name as first argument and a boolean second argument pointing
+whether we want to do local cleanup only (in case of instance migration) or
+totally unconfigure the interface along with e.g., any DNS entries (in case
+of NIC hot-unplug). This script searches for a user provided one under
+`/etc/ganeti/kvm-ifdown-custom` and executes it instead.
+
+
+vif-custom
+^^^^^^^^^^
+
+Ganeti provides a hypervisor parameter that defines the script to be executed
+per NIC upon instance startup: `vif-script`. Ganeti provides `vif-ganeti` as
+example script which executes `/etc/xen/scripts/vif-custom` if found.
+
+
+snf-network-hook
+^^^^^^^^^^^^^^^^
+
+This hook gets all static info related to an instance from evironment variables
+and issues any commands needed. It was used to fix node's setup upon migration
+when ifdown script was not supported but now it does nothing.
+
+
+snf-network-dnshook
+^^^^^^^^^^^^^^^^^^^
+
+This hook updates an external `DDNS `_ setup via
+``nsupdate``. Since we add/remove entries during ifup/ifdown scripts, we use
+this only during instance remove/shutdown/rename. It does not rely on exported
+environment but it queries first the DNS server to obtain current entries and
+then it invokes the neccessary commands to remove them (and the relevant
+reverse ones too).
+
+
+Supported Setups
+----------------
+
+Currently since NICs in Ganeti are not taggable objects, we use network's and
+instance's tags to customize each NIC configuration. NIC inherits the network's
+tags (if attached to any) and further customization can be achieved with
+instance tags e.g. ::. In the following
+subsections we will mention all supported tags and their reflected underline
+setup.
+
+
+ip-less-routed
+^^^^^^^^^^^^^^
+
+This setup has the following characteristics:
+
+* An external gateway on the same collition domain with all nodes on some
+ interface (e.g. eth1, eth0.200) is needed.
+* Each node is a router for the hostes VMs
+* The node itself does not have an IP inside the routed network
+* The node does proxy ARP for IPv4 networks
+* The node does proxy NDP for IPv6 networks while RA and NA are
+* RS and NS are served locally by
+ `nfdhcpd `_
+ since the VMs are not on the same link with the router.
+
+Lets analyze a simple PING from an instance to an external IP using this setup.
+We assume the following:
+
+* ``IP`` is the instance's IP
+* ``GW_IP`` is the external router's IP
+* ``NODE_IP`` is the node's IP
+* ``ARP_IP`` is a dummy IP inside the network needed for proxy ARP
+
+* ``MAC`` is the instance's MAC
+* ``TAP_MAC`` is the tap's MAC
+* ``DEV_MAC`` is the host's DEV MAC
+* ``GW_MAC`` is the external router's MAC
+
+* ``DEV`` is the node's device that the router is visible from
+* ``TAP`` is the host interface connected with the instance's eth0
+
+Since we suppose to be on the same link with the router, ARP takes place first:
+
+1) The VM wants to know the GW_MAC. Since the traffic is routed we do proxy ARP.
+
+ - ARP, Request who-has GW_IP tell IP
+ - ARP, Reply GW_IP is-at TAP_MAC ``echo 1 > /proc/sys/net/conf/TAP/proxy_arp``
+ - So `arp -na` insided the VM shows: ``(GW_IP) at TAP_MAC [ether] on eth0``
+
+2) The host wants to know the GW_MAC. Since the node does **not** have an IP
+ inside the network we use the dummy one specified above.
+
+ - ARP, Request who-has GW_IP tell ARP_IP (Created by DEV)
+ ``arptables -I OUTPUT -o DEV --opcode 1 -j mangle --mangle-ip-s ARP_IP``
+ - ARP, Reply GW_IP is-at GW_MAC
+
+3) The host wants to know MAC so that it can proxy it.
+
+ - We simulate here that the VM sees **only** GW on the link.
+ - ARP, Request who-has IP tell GW_IP (Created by TAP)
+ ``arptables -I OUTPUT -o TAP --opcode 1 -j mangle --mangle-ip-s GW_IP``
+ - So `arp -na` inside the host shows:
+ ``(GW_IP) at GW_MAC [ether] on DEV, (IP) at MAC on TAP``
+
+4) GW wants to know who does proxy for IP.
+
+ - ARP, Request who-has IP tell GW_IP
+ - ARP, Reply IP is-at DEV_MAC (Created by host's DEV)
+
+
+With the above we have a working proxy ARP configuration. The rest is done
+via simple L3 routing. Lets assume the following:
+
+* ``TABLE`` is the extra routing table
+* ``SUBNET`` is the IPv4 subnet where the VM's IP reside
+
+1) Outgoing traffic:
+
+ - Traffic coming out of TAP is routed via TABLE
+ ``ip rule add dev TAP table TABLE``
+ - TABLE states that default route is GW_IP via DEV
+ ``ip route add default via GW_IP dev DEV``
+
+2) Incoming traffic:
+
+ - Packet arrives at router
+ - Router knows from proxy ARP that the IP is at DEV_MAC.
+ - Router sends ethernet packet with tgt DEV_MAC
+ - Host receives the packet from DEV interface
+ - Traffic coming out DEV is routed via TABLE
+ ``ip rule add dev DEV table TABLE``
+ - Traffic targeting IP is routed to TAP
+ ``ip route add IP dev TAP``
+
+3) Host to VM traffic:
+
+ - Impossible if the VM resides in the host
+ - Otherwise there is a route for it: ``ip route add SUBNET dev DEV``
+
+The IPv6 setup is pretty similar but instead of proxy ARP we have proxy NDP
+and RS and NS coming from TAP are served by nfdhpcd. RA contain network's
+prefix and has M flag unset in order the VM to obtain its IP6 via SLAAC and
+O flag set to obtain static info (nameservers, domain search list) via DHCPv6
+(also served by nfdhcpd).
+
+Again the VM sees on its link local only TAP which is supposed to be the
+Router. The host does proxy for IP6 ``ip -6 neigh add EUI64 dev DEV``.
+
+When an interface gets up inside a host we should invalidate all entries
+related to its IP among other nodes and the router. For proxy ARP we do
+``arpsend -U -c 1 -i IP DEV`` and for proxy NDP we do ``ndsend EUI64 DEV``
+
+
+private-filtered
+^^^^^^^^^^^^^^^^
+
+In order to provide L2 isolation among several VMs we can use ebtables on a
+**single** bridge. The infrastracture must provide a physical VLAN or separate
+interaface shared among all nodes in the cluster. All virtual interfaces will
+be bridged on a common bridge (e.g. ``prv0``) and filtering will be done via
+ebtables and MAC prefix. The concept is that all interfaces on the same L2
+should have the same MAC prefix. MAC prefix uniqueness is quaranteed by
+synnefo and passed to Ganeti as a network option.
+
+To ensure isolation we should allow traffic coming from tap to have specific
+source MAC and at the same time allow traffic coming to tap to have a source
+MAC in the same MAC prefix. Applying those rules only in FORWARD chain will not
+guarantee isolation. The reason is because packets with target MAC a `mutlicast
+address `_ go through INPUT and
+OUTPUT chains. To sum up the following ebtables rules are applied:
+
+.. code-block:: console
+
+ # Create new chains
+ ebtables -t filter -N FROMTAP5
+ ebtables -t filter -N TOTAP5
+
+ # Filter multicast traffic from VM
+ ebtables -t filter -A INPUT -i tap5 -j FROMTAP5
+
+ # Filter multicast traffic to VM
+ ebtables -t filter -A OUTPUT -o tap5 -j TOTAP5
+
+ # Filter traffic from VM
+ ebtables -t filter -A FORWARD -i tap5 -j FROMTAP5
+ # Filter traffic to VM
+ ebtables -t filter -A FORWARD -o tap5 -j TOTAP5
+
+ # Allow only specific src MAC for outgoing traffic
+ ebtables -t filter -A FROMTAP5 -s ! aa:55:66:1a:ae:82 -j DROP
+ # Allow only specific src MAC prefix for incoming traffic
+ ebtables -t filter -A TOTAP5 -s ! aa:55:60:0:0:0/ff:ff:f0:0:0:0 -j DROP
+
+
+dns
+^^^
+
+snf-network can update an external `DDNS `_
+server. `ifup` and `ifdown` scripts, if `dns` network tag is found, will use
+`nsupdate` and add/remove entries related to the interface that is being
+managed.
+
+
+Contents:
+
+.. toctree::
+ :maxdepth: 2
+
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
diff --git a/docs/make.bat b/docs/make.bat
new file mode 100644
index 0000000..5a7c956
--- /dev/null
+++ b/docs/make.bat
@@ -0,0 +1,190 @@
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
+set I18NSPHINXOPTS=%SPHINXOPTS% .
+if NOT "%PAPER%" == "" (
+ set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+ set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+ :help
+ echo.Please use `make ^` where ^ is one of
+ echo. html to make standalone HTML files
+ echo. dirhtml to make HTML files named index.html in directories
+ echo. singlehtml to make a single large HTML file
+ echo. pickle to make pickle files
+ echo. json to make JSON files
+ echo. htmlhelp to make HTML files and a HTML help project
+ echo. qthelp to make HTML files and a qthelp project
+ echo. devhelp to make HTML files and a Devhelp project
+ echo. epub to make an epub
+ echo. latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+ echo. text to make text files
+ echo. man to make manual pages
+ echo. texinfo to make Texinfo files
+ echo. gettext to make PO message catalogs
+ echo. changes to make an overview over all changed/added/deprecated items
+ echo. linkcheck to check all external links for integrity
+ echo. doctest to run all doctests embedded in the documentation if enabled
+ goto end
+)
+
+if "%1" == "clean" (
+ for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+ del /q /s %BUILDDIR%\*
+ goto end
+)
+
+if "%1" == "html" (
+ %SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+ goto end
+)
+
+if "%1" == "dirhtml" (
+ %SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+ goto end
+)
+
+if "%1" == "singlehtml" (
+ %SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+ goto end
+)
+
+if "%1" == "pickle" (
+ %SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the pickle files.
+ goto end
+)
+
+if "%1" == "json" (
+ %SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can process the JSON files.
+ goto end
+)
+
+if "%1" == "htmlhelp" (
+ %SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+ goto end
+)
+
+if "%1" == "qthelp" (
+ %SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+ echo.^> qcollectiongenerator %BUILDDIR%\qthelp\snf-network.qhcp
+ echo.To view the help file:
+ echo.^> assistant -collectionFile %BUILDDIR%\qthelp\snf-network.ghc
+ goto end
+)
+
+if "%1" == "devhelp" (
+ %SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished.
+ goto end
+)
+
+if "%1" == "epub" (
+ %SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The epub file is in %BUILDDIR%/epub.
+ goto end
+)
+
+if "%1" == "latex" (
+ %SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+ goto end
+)
+
+if "%1" == "text" (
+ %SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The text files are in %BUILDDIR%/text.
+ goto end
+)
+
+if "%1" == "man" (
+ %SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The manual pages are in %BUILDDIR%/man.
+ goto end
+)
+
+if "%1" == "texinfo" (
+ %SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
+ goto end
+)
+
+if "%1" == "gettext" (
+ %SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
+ goto end
+)
+
+if "%1" == "changes" (
+ %SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.The overview file is in %BUILDDIR%/changes.
+ goto end
+)
+
+if "%1" == "linkcheck" (
+ %SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+ goto end
+)
+
+if "%1" == "doctest" (
+ %SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+ if errorlevel 1 exit /b 1
+ echo.
+ echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+ goto end
+)
+
+:end
-- 1.7.10.4
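Review bot: In the `qthelp` branch, the final hint `echo.^> assistant -collectionFile %BUILDDIR%\qthelp\snf-network.ghc` names a `.ghc` file, but the collection that `qcollectiongenerator` produces from `snf-network.qhcp` is `snf-network.qhc`, as the Makefile's own `qthelp` target prints on the Unix side; the extension should be `.qhc`. Keeping the two build entry points in agreement matters here because this line is the only instruction a Windows user gets for opening the result.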