Revision 5031beee

b/docs/networks.rst
25 25
Network @ Cyclades level
26 26
------------------------
27 27

  
28
Cyclades understands two types of Virtual Networks:
29

  
30
a) Public Networks
31
b) Private Networks
32

  
33
Public Networks are created by the administrator via `snf-manage` commands
34
and can be used by all end-users. Each public network is assigned to a
35
single backend but one backend can have multiple public networks.
36

  
37
Private Networks are created by the end-user from the Web UI or the kamaki
38
client and provide isolated Layer 2 connectivity to the end-user. With regard
39
to the fact that a user's VMs may be allocated across different Ganeti clusters
40
(backends), private networks are created in all backends to ensure VMs
41
connectivity.
42

  
43
Both types of networks are created dynamically.
44

  
45
From the VM perspective, each NIC is attached to a specific Network.
46

  
47
When a new VM is created the backend allocator (in Cyclades) decides in which
48
backend  to spawn it. Depending on the chosen backend, Synnefo finds the first
49
non-full public Network that exists in the backend. Then attaches the VM's
50
first NIC to this network.
51

  
52
Once the VM is created, the user is able to connect the VM to multiple
53
private networks, that himself has already created.
54

  
55
A Network can have the following attributes:
56

  
57
 - IPv4 subnet (mandatory)
58
 - IPv4 gateway
59
 - IPv6 subnet
60
 - IPv6 gateway
61
 - public/private flag
62
 - flavor
63

  
64
Flavor is a way to abstact infrastructure specific options, that are used to
65
ensure connectivity and isolation to the VMs connected to the network. It is a
66
set of options that eventually will guide scripts to set up rules, while
67
creating virtual interfaces in the node level. The available flavors and their
68
options can be found in the Synnefo settings and are configurable.
28
Cyclades networks support a range of different options to cover the specific
29
needs of each deployment.
30

  
31
First of all, as far as visibility and accessibility is concerned, a network
32
can be either `public` or `private`. Public networks are created by the
33
administrator via the command line interface (`snf-manage`) and are visible to
34
all end-users. On the other hand, private networks are created by the end-user
35
from the Web UI or the kamaki client and provide isolated Layer 2 connectivity
36
to the end-user.
37

  
38
Both networks can have an IPv4 subnet or/and an IPv6 subnet along with the
39
corresponding gateway. For IPv4 networks, if the `--dhcp` option is set,
40
Cyclades will treat the IPv4 subnet as an IP pool, and will assign to each VM
41
that is connected to this network an IPv4 address from this pool.
42

  
43
A public network can also be marked as a floating IP pool with the
44
`--floating-ip-pool` option. Floating IPs, are IPv4 addresses that can be
45
dynamically by added and removed from running VMs. A user can reserve and
46
release a floating IP address that he can later add and remove it from running
47
VMs. Also the user can release a floating IP if it not used by any of his
48
VMs.
49

  
50
Private networks and floating IPs must be accessible from all instances across
51
all Ganeti backends. So, such networks must exist in all backends, and
52
are dynamically created when new Ganeti backends are added. Specially for
53
private networks, to avoid the overhead of creating the network to all
54
backends, Cyclades create these networks on demand, when an instance that
55
lives in a backend tries to connect to this network.
56

  
57
The administrator may also want to connect instances to some network, without
58
supporting floating IPs (e.g. to enforce each VM to be connected to a specific
59
network). This can be achieved by setting the `DEFAULT_INSTANCE_NETWORKS`
60
setting to the list of the selected networks. The special keyword
61
`SNF:ANY_PUBLIC` may be used as a network identifier, to indicate to the system
62
to peak any of the public networks that has a free IP address. Public networks
63
that are not floating IP pools, do not need to exist to all Ganeti backends,
64
since the Cyclades backend allocator, will route spawned vms to a Ganeti
65
backend that the selected networks exist. The administrator can choose in
66
which backends to create the network via the `--backends` command line option.
67

  
68
Another distinction between networks is their flavor. Flavor is a way to
69
abstract infrastructure specific options, that are used to ensure connectivity
70
and isolation to the VMs connected to the network. It is a set of options that
71
eventually will guide scripts to set up rules, while creating virtual
72
interfaces in the node level. Each of these flavors define attributes that will
73
be used at Ganeti level to create the physical network. These attributes are:
74

  
75
* ``mode``: Whether the network is in 'bridged' or 'routed' mode.
76
* ``link``: Bridge for 'bridged' networks and routing table for 'routed'
77
  networks. e.g. 'br100', 'rt200'
78
* ``mac_prefix``: A MAC prefix for the network. e.g. 'aa:00:05'
79
* ``tags``: A list of tags to be used at the Ganeti level.
69 80

  
70 81
To ensure L2 isolation, Synnefo supports two different mechanisms (see also Node
71 82
Level section):
72 83

  
73
 - assigning one physical VLAN per network
74
 - assigning one MAC prefix per network, so that every NIC attached to this
75
   network will have this prefix. Isolation is then achieved by filtering
76
   rules (via `ebtables`) based on a specific mask (ff:ff:f0:00:00:00, see Node
77
   Level section for more details).
84
* assigning one physical VLAN per network
85
* assigning one MAC prefix per network, so that every NIC attached to this
86
  network will have this prefix. Isolation is then achieved by filtering
87
  rules (via `ebtables`) based on a specific mask (ff:ff:f0:00:00:00, see Node
88
  Level section for more details).
78 89

  
79 90
Having this in mind and in order to prevent assignment of duplicate VLAN/MAC
80 91
prefix to different networks, Synnefo supports two types of Pools:
81 92

  
82
 - Bridge Pool (corresponding to a number of VLANs bridged to those bridges)
83
 - MAC prefix Pool
84

  
85
For Pool handling refer to the corresponding doc section.
86

  
87
Finally, each supported flavor must declare the following options (see also
88
Ganeti Level section):
93
- Bridge Pool (corresponding to a number of VLANs bridged to those bridges)
94
- MAC prefix Pool
89 95

  
90
 - ``mode`` ('bridged' or 'routed'),
91
 - ``link`` ('br100', 'rt200', 'pool')
92
 - ``mac_prefix`` ('aa:00:05', 'pool', None)
93
 - ``tags`` (['ip-less-routed' or 'mac-filtered' or 'physical-vlan' or None])
96
For Pool handling refer to the corresponding doc section. To use this pools,
97
set either `--link` or `--mac-prefix` to the reserved keyword `pool`.
94 98

  
95 99
Existing network flavors are the following:
96 100

  
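Review bot: the MAC-prefix isolation bullet gives a three-byte example prefix ('aa:00:05') but an `ebtables` mask of ff:ff:f0:00:00:00, which covers only the first 20 bits; as written, two prefixes that differ only in the low nibble of the third byte (e.g. 'aa:00:05' and 'aa:00:0a') would not be told apart by the filter. State the prefix width the MAC prefix Pool actually allocates and make the example and the mask agree, since this mask is the tenant isolation boundary. The `DEFAULT_INSTANCE_NETWORKS` paragraph should also say what happens when `SNF:ANY_PUBLIC` matches no public network with a free address. Wording fixes in the added text: 'peak any of the public networks' -> 'pick any of the public networks'; 'dynamically by added and removed from' -> 'dynamically added to and removed from'; 'do not need to exist to all Ganeti backends' -> 'exist in all Ganeti backends'; 'a Ganeti backend that the selected networks exist' -> 'a Ganeti backend in which the selected networks exist'; 'Cyclades create these networks' -> 'Cyclades creates these networks'.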
......
103 107
CUSTOM           bridged   ``DEFAULT_BRIDGE``                ``DEFAULT_MAC_PREFIX``
104 108
==============   =======   ===============================   ======================  ==================
105 109

  
106
``DEFAULT_ROUTING_TABLE``, ``DEFAULT_MAC_PREFIX``, ``DEFAULT_BRIDGE``, ``DEFAULT_MAC_FILTERED_BRIDGE``
107
are all configurable settings in ``/etc/synnefo/20-snf-cyclades-app-api.conf``. 'pool' is used
108
to denote that a link or MAC prefix will be allocated from the corresponging Pool.
110
``DEFAULT_ROUTING_TABLE``, ``DEFAULT_MAC_PREFIX``, ``DEFAULT_BRIDGE``,
111
``DEFAULT_MAC_FILTERED_BRIDGE`` are all configurable settings in
112
``/etc/synnefo/20-snf-cyclades-app-api.conf``. 'pool' is used to denote that a
113
link or MAC prefix will be allocated from the corresponding Pool. Finally,
114
most of these attributes, may be overridden when creating networks with
115
`snf-manage network-create command`.
109 116

  
110 117
The administrator is able to create any of the above flavors
111 118
and override their default values by explicitly passing mode, link, etc. using
112 119
the `snf-manage network-create` command. 
113 120

  
114
The end-user is allowed to create only networks of flavor ``MAC_FILTERED`` and
115
``PHYSICAL_VLAN``. Currently, only ``MAC_FILTERED`` and ``PHYSICAL_VLAN`` can
116
use existing pools and cannot be overriden.
121
The administrator can create networks of any flavor, but end-users is allowed
122
to create via API only networks with flavors that are set in the
123
`API_ENABLED_NETWORK_FLAVORS` setting.
117 124

  
118 125
Network @ Ganeti level
119 126
----------------------
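Review bot: the replacement paragraph on end-user networks drops the old statement that end-user flavors 'cannot be overriden'; say explicitly whether a network created through the API with a flavor from `API_ENABLED_NETWORK_FLAVORS` may override `link` or `mac_prefix`, because that is what keeps one user's network from landing on another user's bridge or MAC prefix. Grammar: 'end-users is allowed to create' -> 'end-users are allowed to create'. In the new settings paragraph the literal should enclose only the command, i.e. '`snf-manage network-create` command' rather than '`snf-manage network-create command`'.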
