root / docs / networks.rst @ a4451f59
.. _networks:

Network Service (part of Cyclades)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Network setup overview
======================

Currently the Network Service is part of Cyclades and comes along with the
Cyclades software components.

Networking is deployment-specific and must be customized based on the specific
needs of the system administrator. However, to do so, the administrator needs
to understand how each level handles Virtual Networks, to be able to set up the
backend appropriately.

Since v0.11 Synnefo supports multiple Ganeti clusters (backends). Since every
backend has its own locality, it is quite likely that each cluster has a
different infrastructure (wires, routers, subnets, gateways, etc.).

In the following sections we investigate, in a top-down approach, the way
networks are defined from the Cyclades, Ganeti and Backend perspective.

Network @ Cyclades level
------------------------

Cyclades understands two types of Virtual Networks:

a) Public Networks
b) Private Networks

Public Networks are created by the administrator via `snf-manage` commands
and can be used by all end-users. Each public network is assigned to a
single backend, but one backend can have multiple public networks.

Private Networks are created by the end-user from the Web UI or the kamaki
client and provide isolated Layer 2 connectivity to the end-user. Since a
user's VMs may be allocated across different Ganeti clusters (backends),
private networks are created in all backends to ensure VM connectivity.

Both types of networks are created dynamically.

From the VM perspective, each NIC is attached to a specific Network.

When a new VM is created, the backend allocator (in Cyclades) decides in which
backend to spawn it. Depending on the chosen backend, Synnefo finds the first
non-full public Network that exists in that backend and attaches the VM's
first NIC to it.

Once the VM is created, the user is able to connect the VM to multiple
private networks that they have already created.
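
The placement just described, as an added example that is not Synnefo's code:
a public network belongs to one backend, the VM's first NIC goes on the first
public network of the chosen backend that still has a free address, and a /27
such as the ``5.6.7.0/27`` used later in this document fills after 29 VMs. The
backend-choice rule and the treatment of the gateway address are assumptions.

```python
"""Constructed model of first-NIC placement: pick a backend, then the first
non-full public network in that backend. Not Synnefo's allocator code."""
import ipaddress


class NoPublicNetwork(Exception):
    """No public network in the chosen backend has a free address."""


class PublicNetwork:
    """A public network belongs to exactly one backend."""

    def __init__(self, name, backend_id, subnet, gateway):
        self.name = name
        self.backend_id = backend_id
        self.subnet = ipaddress.ip_network(subnet)
        self.gateway = ipaddress.ip_address(gateway)
        self.assigned = set()

    def capacity(self):
        # Usable hosts minus the gateway; assumption: the gateway is never leased.
        return sum(1 for h in self.subnet.hosts() if h != self.gateway)

    def is_full(self):
        return len(self.assigned) >= self.capacity()

    def allocate_ip(self):
        """Lowest free address, skipping the gateway."""
        for host in self.subnet.hosts():
            if host != self.gateway and host not in self.assigned:
                self.assigned.add(host)
                return str(host)
        raise NoPublicNetwork("network %s is full" % self.name)


def choose_backend(vm_counts):
    """Toy allocator (assumption): the backend with the fewest VMs, lowest id
    on a tie. Synnefo's real backend allocator is pluggable and not modelled."""
    return min(sorted(vm_counts), key=lambda backend: vm_counts[backend])


def first_nonfull_public_network(backend_id, networks):
    """Scan public networks in creation order; the first one living in the
    chosen backend that still has a free address takes the first NIC."""
    for net in networks:
        if net.backend_id == backend_id and not net.is_full():
            return net
    raise NoPublicNetwork("no non-full public network in backend %s" % backend_id)


def place_vm(vm_counts, networks):
    """Return (backend_id, network name, IPv4 address) for a new VM's first NIC."""
    backend = choose_backend(vm_counts)
    net = first_nonfull_public_network(backend, networks)
    address = net.allocate_ip()
    vm_counts[backend] += 1
    return backend, net.name, address
```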

A Network can have the following attributes:

- IPv4 subnet (mandatory)
- IPv4 gateway
- IPv6 subnet
- IPv6 gateway
- public/private flag
- flavor

Flavor is a way to abstract infrastructure-specific options that are used to
ensure connectivity and isolation for the VMs connected to the network. It is a
set of options that eventually guides the scripts that set up rules while
creating virtual interfaces at the node level. The available flavors and their
options can be found in the Synnefo settings and are configurable.

To ensure L2 isolation, Synnefo supports two different mechanisms (see also the
Node Level section):

- assigning one physical VLAN per network
- assigning one MAC prefix per network, so that every NIC attached to this
  network will have this prefix. Isolation is then achieved by filtering
  rules (via `ebtables`) based on a specific mask (ff:ff:f0:00:00:00, see the
  Node Level section for more details).

With this in mind, and in order to prevent assignment of the same VLAN or MAC
prefix to different networks, Synnefo supports two types of Pools:

- Bridge Pool (corresponding to a number of VLANs bridged to those bridges)
- MAC prefix Pool

For Pool handling refer to the corresponding doc section.

86 | b11446c1 | Constantinos Venetsanopoulos | |
87 | 8f0fc472 | Dimitris Aragiorgis | Finally, each supported flavor must declare the following options (see also |
88 | 8f0fc472 | Dimitris Aragiorgis | Ganeti Level section): |
89 | b11446c1 | Constantinos Venetsanopoulos | |
90 | 8f0fc472 | Dimitris Aragiorgis | - ``mode`` ('bridged' or 'routed'), |
91 | 8f0fc472 | Dimitris Aragiorgis | - ``link`` ('br100', 'rt200', 'pool') |
92 | 8f0fc472 | Dimitris Aragiorgis | - ``mac_prefix`` ('aa:00:05', 'pool', None) |
93 | 8f0fc472 | Dimitris Aragiorgis | - ``tags`` (['ip-less-routed' or 'mac-filtered' or 'physical-vlan' or None]) |
94 | b11446c1 | Constantinos Venetsanopoulos | |
95 | 8f0fc472 | Dimitris Aragiorgis | Existing network flavors are the following: |
96 | b11446c1 | Constantinos Venetsanopoulos | |
97 | 026b4844 | Christos Stavrakakis | ============== ======= =============================== ====================== ================== |
98 | 026b4844 | Christos Stavrakakis | Flavor Name Mode Link MAC prefix Tags |
99 | 026b4844 | Christos Stavrakakis | ============== ======= =============================== ====================== ================== |
100 | 026b4844 | Christos Stavrakakis | IP_LESS_ROUTED routed ``DEFAULT_ROUTING_TABLE`` ``DEFAULT_MAC_PREFIX`` 'ip-less-routed' |
101 | 026b4844 | Christos Stavrakakis | MAC_FILTERED bridged ``DEFAULT_MAC_FILTERED_BRIDGE`` 'pool' 'private'filtered' |
102 | 026b4844 | Christos Stavrakakis | PHYSICAL_VLAN bridged 'pool' ``DEFAULT_MAC_PREFIX`` 'physical-vlan' |
103 | 026b4844 | Christos Stavrakakis | CUSTOM bridged ``DEFAULT_BRIDGE`` ``DEFAULT_MAC_PREFIX`` |
104 | 026b4844 | Christos Stavrakakis | ============== ======= =============================== ====================== ================== |
105 | b11446c1 | Constantinos Venetsanopoulos | |
106 | 026b4844 | Christos Stavrakakis | ``DEFAULT_ROUTING_TABLE``, ``DEFAULT_MAC_PREFIX``, ``DEFAULT_BRIDGE``, ``DEFAULT_MAC_FILTERED_BRIDGE`` |
107 | 026b4844 | Christos Stavrakakis | are all configurable settings in ``/etc/synnefo/20-snf-cyclades-app-api.conf``. 'pool' is used |
108 | 026b4844 | Christos Stavrakakis | to denote that a link or MAC prefix will be allocated from the corresponging Pool. |
109 | 026b4844 | Christos Stavrakakis | |
110 | 026b4844 | Christos Stavrakakis | The administrator is able to create any of the above flavors |
111 | f30db88d | Constantinos Venetsanopoulos | and override their default values by explicitly passing mode, link, etc. using |
112 | f30db88d | Constantinos Venetsanopoulos | the `snf-manage network-create` command. |
113 | f30db88d | Constantinos Venetsanopoulos | |
114 | f30db88d | Constantinos Venetsanopoulos | The end-user is allowed to create only networks of flavor ``MAC_FILTERED`` and |
115 | f30db88d | Constantinos Venetsanopoulos | ``PHYSICAL_VLAN``. Currently, only ``MAC_FILTERED`` and ``PHYSICAL_VLAN`` can |
116 | f30db88d | Constantinos Venetsanopoulos | use existing pools and cannot be overriden. |
117 | b11446c1 | Constantinos Venetsanopoulos | |
Network @ Ganeti level
----------------------

Currently, stable Ganeti does not support IP Pool management. However, the
functionality has been merged in the official Ganeti master branch and will
appear in Ganeti 2.7.0. So, you can either check out the Ganeti master branch
and build your packages, or clone our local repo
https://code.grnet.gr/git/ganeti-local and check out the
`stable-2.6-ippool-hotplug-esi` branch. This is the Ganeti stable branch with
the IP pool management, Hotplugging and ExtStorage Interface features merged on
top of it. The last two features are not a hard Synnefo requirement, but will
enable you to do neat things once you get experienced with Synnefo. They are
going to be pushed for review upstream sometime soon.

Any network created in Synnefo is also created in one (for public networks) or
all (for private networks) Ganeti backends. In Ganeti a network can have the
following options:

- network (192.168.0.0/24, mandatory)
- gateway (192.168.0.1)
- network6 (2001:648:2ffc:1201::/64)
- gateway6 (2001:648:2ffc:1201::1)
- mac_prefix (aa:00:01)
- type (private, public)
- tags

Networks in Ganeti cannot be used unless they are connected to a nodegroup, in
order to define the connectivity mode and link. Synnefo, after creating a
network, connects it to all nodegroups of the Ganeti cluster(s) with the given
mode and link (defined in the network flavor).

Ganeti makes use of environment variables to inform scripts about each NIC's
setup. The `kvm-vif-script` that comes with `snf-network` sets up the nfdhcpd
lease and applies any rules needed depending on the network's mode, link,
mac_prefix and tags.

Network @ Physical host level
-----------------------------

Currently, networking infrastructure must be pre-provisioned before creating
networks in Synnefo. Depending on which flavors you want to support, you should
have already set up all your physical hosts accordingly. This means you need:

- one bridge for the ``CUSTOM`` flavor (br0, see Fig. 1)
- one bridge for the ``MAC_FILTERED`` flavor (prv0, see Fig. 2)
- a number of bridges and their corresponding VLANs (bridged to them) for
  the ``PHYSICAL_VLAN`` flavor (prv1..prv100, see Fig. 3)
- a routing table for the ``IP_LESS_ROUTED`` flavor (snf_public, see Fig. 4)

Please refer to the following figures, which clarify each infrastructure setup
and how connectivity and isolation are achieved in every case for every type of
network.


FLAVORS
=======

As mentioned earlier, the supported flavors are:

- CUSTOM
- IP_LESS_ROUTED
- MAC_FILTERED
- PHYSICAL_VLAN

In the following sections we describe the configuration each flavor requires
from the Synnefo, Ganeti and Physical host perspective.


DEFAULT SCENARIO
----------------

In this case we will bridge all primary interfaces of the VMs on one bridge that
must be in the same collision domain as the router. The router should then
forward packets (if a public IPv4 subnet is available) or do NAT in order to
provide internet access to the VMs.

To this end we will use the CUSTOM flavor and pre-provision in each Ganeti
node one bridge (e.g. ``br100``). If we assume that ``eth1`` is the physical
interface connected to the router, run:

.. image:: images/network-bridged.png
   :align: right
   :height: 550px
   :width: 500px

.. code-block:: console

   # brctl addbr br100
   # brctl addif br100 eth1
   # ip link set br100 up

   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   br100           8000.8a3c3ede3583       no              eth1

Then in Cyclades run:

.. code-block:: console

   # snf-manage network-create --subnet=5.6.7.0/27 --gateway=5.6.7.1 --subnet6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --public --dhcp --flavor=CUSTOM --link=br100 --name=default --backend-id=1

   # snf-manage network-list
   id  name     flavor  owner  mac_prefix  dhcp  state   link   vms  public  IPv4 Subnet  IPv4 Gateway
   1   default  CUSTOM                     True  ACTIVE  br100       True    5.6.7.0/27   5.6.7.1

This will add a network in the Synnefo DB and create a network in the Ganeti
backend by issuing:

.. code-block:: console

   # gnt-network add --network=5.6.7.0/27 --gateway=5.6.7.1 --network6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --network-type=public --tags=nfdhcpd snf-net-1

   # gnt-network connect snf-net-1 default bridged br100
   # gnt-network list snf-net-1
   Network    Subnet      Gateway  NetworkType  MacPrefix  GroupList                Tags
   snf-net-1  5.6.7.0/27  5.6.7.1  public       None       default(bridged, br100)  nfdhcpd

To enable NAT on an internal router, if you do not have a public IP range
available but only a single publicly routable IP (e.g. 1.2.3.4):

.. code-block:: console

   # ip addr add 5.6.7.1/27 dev eth1
   # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4

IP_LESS_ROUTED
--------------

.. image:: images/network-routed.png
   :align: right
   :height: 580px
   :width: 500px

To create a network with the IP_LESS_ROUTED flavor you have to pre-provision in
each Ganeti node one routing table (e.g. ``snf_public``) that will do all the
routing from/to the VMs' taps. Additionally you must enable ``Proxy-ARP``
support. All traffic will be on a single interface (e.g. ``eth1``).

.. code-block:: console

   # echo 1 > /proc/sys/net/ipv4/ip_forward
   # echo 10 snf_public >> /etc/iproute2/rt_tables
   # ip route add 5.6.7.0/27 dev eth1
   # ip route add 5.6.7.0/27 dev eth1 table snf_public
   # ip route add default via 5.6.7.1 dev eth1 table snf_public
   # ip rule add iif eth1 lookup snf_public
   # arptables -A OUTPUT -o eth1 --opcode 1 -j mangle --mangle-ip-s 5.6.7.30   # last usable IP in the subnet

Then in Cyclades run:

.. code-block:: console

   # snf-manage network-create --subnet=5.6.7.0/27 --gateway=5.6.7.1 --subnet6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --public --dhcp --flavor=IP_LESS_ROUTED --name=routed --backend-id=1

   # snf-manage network-list
   id  name    flavor          owner  mac_prefix  dhcp  state   link        vms  public  IPv4 Subnet  IPv4 Gateway
   2   routed  IP_LESS_ROUTED                     True  ACTIVE  snf_public       True    5.6.7.0/27   5.6.7.1

This will add a network in the Synnefo DB and create a network in the Ganeti
backend by issuing:

.. code-block:: console

   # gnt-network add --network=5.6.7.0/27 --gateway=5.6.7.1 --network6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --network-type=public --tags=nfdhcpd,ip-less-routed snf-net-2

   # gnt-network connect snf-net-2 default routed snf_public
   # gnt-network list snf-net-2
   Network    Subnet      Gateway  NetworkType  MacPrefix  GroupList                    Tags
   snf-net-2  5.6.7.0/27  5.6.7.1  public       None       default(routed, snf_public)  nfdhcpd,ip-less-routed


MAC_FILTERED
------------

To create a network with the MAC_FILTERED flavor you have to pre-provision in
each Ganeti node one bridge (e.g. ``prv0``) that will be bridged with one
interface (e.g. ``eth2``) across the whole cluster.

.. image:: images/network-mac.png
   :align: right
   :height: 500px
   :width: 500px

.. code-block:: console

   # brctl addbr prv0
   # brctl addif prv0 eth2
   # ip link set prv0 up

   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   prv0            8000.8a3c3ede3583       no              eth2

Then in Cyclades first create a pool for MAC prefixes by running:

.. code-block:: console

   # snf-manage pool-create --type=mac-prefix --base=aa:00:0 --size=65536

and then create the network:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp --flavor=MAC_FILTERED --link=prv0 --name=mac --backend-id=1
   # snf-manage network-list
   id  name  flavor        owner  mac_prefix  dhcp  state   link  vms  public  IPv4 Subnet     IPv4 Gateway
   3   mac   MAC_FILTERED         aa:00:01    True  ACTIVE  prv0       False   192.168.1.0/24  192.168.1.1

Edit the Synnefo setting `DEFAULT_MAC_FILTERED_BRIDGE` to `prv0`.

This will add a network in the Synnefo DB and create a network in the Ganeti
backend by issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --mac-prefix=aa:00:01 --tags=nfdhcpd,private-filtered snf-net-3

   # gnt-network connect snf-net-3 default bridged prv0
   # gnt-network list snf-net-3
   Network    Subnet          Gateway      NetworkType  MacPrefix  GroupList               Tags
   snf-net-3  192.168.1.0/24  192.168.1.1  private      aa:00:01   default(bridged, prv0)  nfdhcpd,private-filtered


PHYSICAL_VLAN
-------------

To create a network with the PHYSICAL_VLAN flavor you have to pre-provision in
each Ganeti node a range of bridges (e.g. ``prv1..20``) that will be bridged
with the corresponding VLANs (e.g. ``401..420``) across the whole cluster. To
this end, if we assume that ``eth3`` is the interface to use, run:

.. image:: images/network-vlan.png
   :align: right
   :height: 480px
   :width: 500px

.. code-block:: console

   # for i in {1..20}; do
       br=prv$i ; vlanid=$((400+i)) ; vlan=eth3.$vlanid
       brctl addbr $br ; ip link set $br up
       vconfig add eth3 $vlanid ; ip link set $vlan up
       brctl addif $br $vlan
     done
   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   prv1            8000.8a3c3ede3583       no              eth3.401
   prv2            8000.8a3c3ede3583       no              eth3.402
   ...

Then in Cyclades first create a pool for bridges by running:

.. code-block:: console

   # snf-manage pool-create --type=bridge --base=prv --size=20

and then create the network:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp --flavor=PHYSICAL_VLAN --name=vlan --backend-id=1

   # snf-manage network-list
   id  name  flavor         owner  mac_prefix  dhcp  state   link  vms  public  IPv4 Subnet     IPv4 Gateway
   4   vlan  PHYSICAL_VLAN                     True  ACTIVE  prv1       False   192.168.1.0/24  192.168.1.1

This will add a network in the Synnefo DB and create a network in the Ganeti
backend by issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --tags=nfdhcpd,physical-vlan snf-net-4

   # gnt-network connect snf-net-4 default bridged prv1
   # gnt-network list snf-net-4
   Network    Subnet          Gateway      NetworkType  MacPrefix  GroupList               Tags
   snf-net-4  192.168.1.0/24  192.168.1.1  private      None       default(bridged, prv1)  nfdhcpd,physical-vlan


ADVANCED SCENARIO
-----------------

To create a network with the CUSTOM flavor you have to pass the mode, link,
MAC prefix and tags for the network yourself. You are not allowed to use the
existing pools (only MAC_FILTERED and PHYSICAL_VLAN use them), so link and MAC
prefix uniqueness cannot be guaranteed.

Let's assume a bridge ``br200`` that serves a VPN network to GRNET already
exists on the Ganeti nodes and we want to create, for a certain user, a private
network so that they can access the VPN. Then we run in Cyclades:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp --flavor=CUSTOM --mode=bridged --link=br200 --mac-prefix=bb:00:44 --owner=user@grnet.gr --tags=nfdhcpd,vpn --name=vpn --backend-id=1

   # snf-manage network-list
   id  name  flavor  owner          mac_prefix  dhcp  state   link   vms  public  IPv4 Subnet     IPv4 Gateway
   5   vpn   CUSTOM  user@grnet.gr  bb:00:44    True  ACTIVE  br200       False   192.168.1.0/24  192.168.1.1

This will add a network in the Synnefo DB and create a network in the Ganeti
backend by issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --mac-prefix=bb:00:44 --tags=nfdhcpd,vpn snf-net-5

   # gnt-network connect snf-net-5 default bridged br200
   # gnt-network list snf-net-5
   Network    Subnet          Gateway      NetworkType  MacPrefix  GroupList                Tags
   snf-net-5  192.168.1.0/24  192.168.1.1  private      bb:00:44   default(bridged, br200)  nfdhcpd,vpn
