root / docs / networks.rst @ c1afcb74

.. _networks:

Network Service (part of Cyclades)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Network setup overview
======================

Currently the Network Service is part of Cyclades and comes along with the
Cyclades software components.

Networking is deployment-specific and must be customized based on the specific
needs of the system administrator. However, to do so, the administrator needs
to understand how each level handles Virtual Networks, in order to be able to
set up the backend appropriately.

In the following sections we investigate, in a top-down approach, the way
networks are defined from the Cyclades, Ganeti, and Backend perspective. For
an introduction to the concepts of Cyclades networking and the exposed API see
:doc:`Cyclades networking design document <design/cyclades-networking>`.

Network @ Cyclades level
------------------------

Cyclades networks support a range of different options to cover the specific
needs of each deployment.

First of all, as far as visibility and accessibility are concerned, a network
can be either `public` or `private`. Public networks are created by the
administrator via the command line interface (`snf-manage network-create`) and
are visible to all end-users. On the other hand, private networks are created
by the end-user from the Web UI or the kamaki client and provide isolated Layer
2 connectivity to the end-user.

Both kinds of network can have an IPv4 subnet and/or an IPv6 subnet along with
the corresponding gateway. When a virtual server is connected to a virtual
network it will be assigned an IP address from each of the subnets of the
network. By default the allocation pool of the network covers all IP addresses
in the CIDR, excluding the address of the subnet gateway. However, for IPv4
subnets, allocation pools can be limited to specific ranges using the
`--allocation-pool` option of the `snf-manage network-create` command. For
example, the following command will create a virtual network that will assign
IPs only in the ranges [192.168.2.10, 192.168.2.20] and
[192.168.2.30, 192.168.2.40]:

.. code-block:: console

   snf-manage network-create --subnet=192.168.2.0/24 --gateway=192.168.2.1 --allocation-pool=192.168.2.10,192.168.2.20 --allocation-pool=192.168.2.30,192.168.2.40

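The allocation behaviour described above (the whole CIDR minus the gateway by default, or only the explicit `--allocation-pool` ranges) can be modelled in a few lines. The following is an added example, not Synnefo's own allocator: it assumes that network and broadcast addresses are never assigned, that explicit pools are inclusive ranges exactly as given on the command line, and that addresses are handed out lowest-free-first; the `SubnetPool` class, its methods and the `demo()` input are constructed for this illustration.

```python
"""Added example, not Synnefo code: model how a Cyclades-style IPv4 subnet
hands out addresses from its allocation pool.

Assumptions the page does not spell out, made explicit here:
- the default pool is every host address of the CIDR except the gateway
  (network and broadcast addresses are left out, as ipaddress.hosts() does);
- explicit pools are inclusive [first, last] ranges, as on the command line;
- addresses are handed out lowest-free-first.
"""
import ipaddress


class SubnetPool:
    """Allocation pool for one IPv4 subnet."""

    def __init__(self, cidr, gateway, allocation_pools=None):
        self.network = ipaddress.ip_network(cidr, strict=True)
        self.gateway = ipaddress.ip_address(gateway)
        if self.gateway not in self.network:
            raise ValueError("gateway %s is outside %s" % (gateway, cidr))
        if allocation_pools:
            candidates = []
            for first, last in allocation_pools:
                lo = ipaddress.ip_address(first)
                hi = ipaddress.ip_address(last)
                if lo > hi or lo not in self.network or hi not in self.network:
                    raise ValueError("bad pool %s-%s for %s" % (first, last, cidr))
                candidates.extend(ipaddress.ip_address(n)
                                  for n in range(int(lo), int(hi) + 1))
        else:
            candidates = list(self.network.hosts())
        # The gateway is never handed to a VM, whatever the pool ranges say;
        # the set also collapses overlapping pools.
        self.free = sorted({ip for ip in candidates if ip != self.gateway})
        self.allocated = {}   # address -> owner label

    def allocate(self, owner):
        """Hand the lowest free address to `owner`; raise when exhausted."""
        if not self.free:
            raise RuntimeError("pool exhausted on %s" % self.network)
        ip = self.free.pop(0)
        self.allocated[ip] = owner
        return str(ip)

    def release(self, ip):
        """Return an address to the pool, keeping the free list sorted."""
        addr = ipaddress.ip_address(ip)
        if self.allocated.pop(addr, None) is None:
            raise KeyError("%s was not allocated" % ip)
        self.free.append(addr)
        self.free.sort()

    def usable_count(self):
        """Addresses the network can ever assign (free plus allocated)."""
        return len(self.free) + len(self.allocated)


def demo():
    """Pool matching the snf-manage command on this page (constructed input)."""
    pool = SubnetPool("192.168.2.0/24", "192.168.2.1",
                      [("192.168.2.10", "192.168.2.20"),
                       ("192.168.2.30", "192.168.2.40")])
    first = pool.allocate("vm-1")
    second = pool.allocate("vm-2")
    pool.release(first)
    third = pool.allocate("vm-3")   # the released address is reused
    return first, second, third, pool.usable_count()
```

With the two ranges from the command above the pool holds 22 usable addresses; a pool range that happens to include the gateway still never hands it out.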
By default, Cyclades will assign IP addresses to virtual servers by responding
to DHCP requests via the `nfdhcp` daemon. This functionality can be disabled by
using the `--dhcp=False` option during network creation.

A public network can also be marked as a floating IP pool with the
`--floating-ip-pool` option. Floating IPs are IPv4 addresses that can be
dynamically added to and removed from running VMs. A user can reserve a
floating IP address, later attach it to and detach it from running VMs, and
release it once it is not used by any of the user's VMs.

Since private networks and floating IPs must be accessible to all virtual
servers, which may be distributed across different Ganeti backends, networks
must also be available to all Ganeti backends. Specifically for private
networks, to avoid the overhead of creating the network on all backends,
Cyclades creates these networks on demand, when an instance that lives in a
backend tries to connect to the network.

The administrator may also want to force instances to connect to some networks
(e.g. a public IPv6 network or a network that contains a special metadata
server). This can be achieved by setting the `CYCLADES_FORCED_SERVER_NETWORKS`
setting to the list of the selected networks. Each member of the list may be a
network UUID, a tuple of network UUIDs, "SNF:ANY_PUBLIC_IPV4" [any public
network with an IPv4 subnet defined], "SNF:ANY_PUBLIC_IPV6" [any public network
with only an IPv6 subnet defined], or "SNF:ANY_PUBLIC" [any public network].
For this setting, no access control or quota policy is enforced. The server
will get all IPv4/IPv6 addresses needed to connect to the networks specified in
CYCLADES_FORCED_SERVER_NETWORKS, regardless of the state of the floating IP
pool of the user, and without allocating any floating IPs.

Also, the administrator can set the `CYCLADES_DEFAULT_SERVER_NETWORKS` setting,
which has the exact same format as `CYCLADES_FORCED_SERVER_NETWORKS` and
contains a list of networks to connect a newly created server to, if the user
has not specified them explicitly in the POST /server API call. Access
control and quota policy are enforced, just as if the user had specified the
value of CYCLADES_DEFAULT_SERVER_NETWORKS in the body of the POST call,
after processing of "SNF:\*" directives.
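The two settings differ in one security-relevant way: forced networks bypass access control and quota, default networks do not. The following added example (not Synnefo's own code) resolves a list in the format described above against a constructed network inventory and applies that distinction. The directive names are the page's; the network record fields, the rule that a tuple of UUIDs selects the first member present in the inventory, and the `user_may_use` and `quota_left` checks are assumptions standing in for Cyclades' real policy code.

```python
"""Added example, not Synnefo code: resolve a CYCLADES_FORCED_SERVER_NETWORKS /
CYCLADES_DEFAULT_SERVER_NETWORKS style list against an inventory of networks.

Assumed, not stated by the page: the network record fields below, that a
tuple of UUIDs picks the first member found in the inventory, and the shape
of the access-control and quota checks (stand-ins for the real policy).
"""

ANY_PUBLIC_IPV4 = "SNF:ANY_PUBLIC_IPV4"
ANY_PUBLIC_IPV6 = "SNF:ANY_PUBLIC_IPV6"
ANY_PUBLIC = "SNF:ANY_PUBLIC"

# Constructed inventory: uuid -> attributes.
NETWORKS = {
    "net-pub4": {"public": True, "subnet": "5.6.7.0/27", "subnet6": None, "owner": None},
    "net-pub6": {"public": True, "subnet": None, "subnet6": "2001:db8::/64", "owner": None},
    "net-dual": {"public": True, "subnet": "10.0.0.0/24", "subnet6": "2001:db8:1::/64", "owner": None},
    "net-priv": {"public": False, "subnet": "192.168.1.0/24", "subnet6": None, "owner": "alice"},
}


def expand_directive(entry, networks):
    """Turn one list member into the UUID it selects, or None if nothing matches."""
    if isinstance(entry, tuple):
        for uuid in entry:              # assumption: first member present wins
            if uuid in networks:
                return uuid
        return None
    public = [(u, n) for u, n in sorted(networks.items()) if n["public"]]
    if entry == ANY_PUBLIC_IPV4:        # any public network with an IPv4 subnet
        return next((u for u, n in public if n["subnet"]), None)
    if entry == ANY_PUBLIC_IPV6:        # any public network with only an IPv6 subnet
        return next((u for u, n in public if n["subnet6"] and not n["subnet"]), None)
    if entry == ANY_PUBLIC:             # any public network
        return public[0][0] if public else None
    return entry if entry in networks else None


def user_may_use(user, net):
    """Stand-in access check: public networks, or private ones the user owns."""
    return net["public"] or net["owner"] == user


def resolve_server_networks(forced, default, requested, user, networks, quota_left):
    """Return the network UUIDs a new server is connected to, in order.

    Forced networks bypass access control and quota. The default list only
    applies when the user requested nothing, and is then subject to the same
    checks a user-supplied list gets.
    """
    result = []
    for entry in forced:
        uuid = expand_directive(entry, networks)
        if uuid and uuid not in result:
            result.append(uuid)
    for entry in (requested if requested else default):
        uuid = expand_directive(entry, networks)
        if not uuid or uuid in result:
            continue
        if not user_may_use(user, networks[uuid]):
            raise PermissionError("%s may not use %s" % (user, uuid))
        if quota_left <= 0:
            raise RuntimeError("network quota exceeded for %s" % user)
        quota_left -= 1
        result.append(uuid)
    return result
```

Note that a private network placed in the forced list is attached for every user regardless of ownership, which is exactly why the page says no access control applies there; the default list is the place for networks that should still go through policy.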

Another distinction between networks is their flavor. A flavor is a way to
abstract infrastructure-specific options that are used to ensure connectivity
and isolation for the VMs connected to the network. It is a set of options that
eventually will guide scripts to set up rules while creating virtual
interfaces at the node level. Each of these flavors defines attributes that will
be used at Ganeti level to create the physical network. These attributes are:

* ``mode``: Whether the network is in 'bridged' or 'routed' mode.
* ``link``: Bridge for 'bridged' networks and routing table for 'routed'
  networks. e.g. 'br100', 'rt200'
* ``mac_prefix``: A MAC prefix for the network. e.g. 'aa:00:05'
* ``tags``: A list of tags to be used at the Ganeti level.

To ensure L2 isolation, Synnefo supports two different mechanisms (see also Node
Level section):

* assigning one physical VLAN per network
* assigning one MAC prefix per network, so that every NIC attached to this
  network will have this prefix. Isolation is then achieved by filtering
  rules (via `ebtables`) based on a specific mask (ff:ff:f0:00:00:00, see Node
  Level section for more details).

With this in mind, and in order to prevent assignment of duplicate VLAN/MAC
prefixes to different networks, Synnefo supports two types of Pools:

- Bridge Pool (corresponding to a number of VLANs bridged to those bridges)
- MAC prefix Pool

For Pool handling refer to the corresponding doc section. To use these pools,
set either `--link` or `--mac-prefix` to the reserved keyword `pool`.

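The property the pools must provide is that a bridge or MAC prefix is handed to at most one network at a time, since a duplicate would silently merge two networks' L2 domains. The following added example (not Synnefo's pool implementation) is a small bitmap-backed pool that gives that guarantee, with a bridge pool shaped like the `pool-create --type=bridge --base=prv --size=20` command used later on this page. Lowest-free-first allocation, the `prv<i>` naming and the hex-digit MAC-prefix formatting (only meaningful for sizes up to 15) are assumptions made for the illustration.

```python
"""Added example, not Synnefo code: a pool that hands out bridge names or
MAC prefixes exactly once, the guarantee the text above asks of Synnefo's
Bridge and MAC prefix Pools.

Assumed, not stated by the page: allocation is lowest-free-first, the bridge
pool maps index i to base+str(i) (prv1..prv20 as in the PHYSICAL_VLAN
section), and the MAC-prefix pool formats index i as base plus one hex digit,
which is only illustrative and limited to 15 entries.
"""


class Pool:
    """Fixed-size pool tracked with a bitmap of free slots (indices 1..size)."""

    def __init__(self, base, size, value_of):
        if size < 1:
            raise ValueError("pool size must be positive")
        self.base = base
        self.size = size
        self.value_of = value_of          # (base, index) -> external value
        self.free = [False] + [True] * size   # slot 0 unused; indices are 1-based
        self.reserved = {}                # value -> index

    def get(self):
        """Reserve the lowest free slot and return its value."""
        for index in range(1, self.size + 1):
            if self.free[index]:
                self.free[index] = False
                value = self.value_of(self.base, index)
                self.reserved[value] = index
                return value
        raise RuntimeError("pool %s exhausted" % self.base)

    def reserve(self, value):
        """Mark a specific value as taken, e.g. one already in use on the nodes."""
        for index in range(1, self.size + 1):
            if self.value_of(self.base, index) == value:
                if not self.free[index]:
                    raise ValueError("%s already reserved" % value)
                self.free[index] = False
                self.reserved[value] = index
                return
        raise ValueError("%s is not a member of pool %s" % (value, self.base))

    def put(self, value):
        """Release a value back to the pool."""
        index = self.reserved.pop(value, None)
        if index is None:
            raise ValueError("%s was not reserved" % value)
        self.free[index] = True

    def available(self):
        """Number of values still free."""
        return sum(1 for index in range(1, self.size + 1) if self.free[index])


def bridge_pool(base="prv", size=20):
    """Bridge pool shaped like `snf-manage pool-create --type=bridge --base=prv --size=20`."""
    return Pool(base, size, lambda b, i: "%s%d" % (b, i))


def mac_prefix_pool(base="aa:00:0", size=15):
    """Illustrative MAC-prefix pool: one hex digit completes the 3-byte prefix."""
    return Pool(base, size, lambda b, i: "%s%x" % (b, i))


def demo():
    """Reserve, release and re-reserve bridges from a 20-entry pool."""
    pool = bridge_pool()
    a, b = pool.get(), pool.get()         # prv1, prv2
    pool.put(a)
    c = pool.get()                        # lowest free slot again: prv1
    return a, b, c, pool.available()
```

`reserve()` is the hook for importing bridges that already exist on the hosts, so that a manually created `prv5` cannot later be handed to a second network.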
Existing network flavors are the following:

============== ======= =============================== ====================== ==================
Flavor Name    Mode    Link                            MAC prefix             Tags
============== ======= =============================== ====================== ==================
IP_LESS_ROUTED routed  ``snf-link-$network_id``        ``DEFAULT_MAC_PREFIX`` 'ip-less-routed'
MAC_FILTERED   bridged ``DEFAULT_MAC_FILTERED_BRIDGE`` 'pool'                 'private-filtered'
PHYSICAL_VLAN  bridged 'pool'                          ``DEFAULT_MAC_PREFIX`` 'physical-vlan'
CUSTOM         bridged ``DEFAULT_BRIDGE``              ``DEFAULT_MAC_PREFIX``
============== ======= =============================== ====================== ==================

``DEFAULT_MAC_PREFIX``, ``DEFAULT_BRIDGE`` and
``DEFAULT_MAC_FILTERED_BRIDGE`` are all configurable settings in
``/etc/synnefo/20-snf-cyclades-app-api.conf``. 'pool' is used to denote that a
link or MAC prefix will be allocated from the corresponding Pool. Finally,
most of these attributes may be overridden when creating networks with the
`snf-manage network-create` command.

The administrator is able to create any of the above flavors
and override their default values by explicitly passing mode, link, etc. using
the `snf-manage network-create` command.

The administrator can create networks of any flavor, but end-users are allowed
to create via the API only networks with flavors that are set in the
`API_ENABLED_NETWORK_FLAVORS` setting.

Network @ Ganeti level
----------------------

Currently, stable Ganeti does not support IP Pool management. However, the
functionality has been merged in the official Ganeti master branch and will
appear in Ganeti 2.7.0. So, you can either check out the Ganeti master branch
and build your packages, or clone our local repo
https://code.grnet.gr/git/ganeti-local and check out the
`stable-2.6-ippool-hotplug-esi` branch. This is the Ganeti stable branch with
IP pool management, Hotplugging and ExtStorage Interface features merged on top
of it. The last two features are not a hard Synnefo requirement, but will
enable you to do neat things when you get experienced with Synnefo. They are
going to be pushed for review upstream sometime soon.

Any network created in Synnefo is also created in one (for public networks) or
all (for private networks) Ganeti backends. In Ganeti a network can have the
following options:

- network (192.168.0.0/24, mandatory)
- gateway (192.168.0.1)
- network6 (2001:648:2ffc:1201::/64)
- gateway6 (2001:648:2ffc:1201::1)
- mac_prefix (aa:00:01)
- type (private, public)
- tags

Networks in Ganeti cannot be used unless they are connected to a nodegroup in
order to define the connectivity mode and link. Synnefo, after creating a
network, connects it to all nodegroups of the Ganeti cluster(s) with the given
mode and link (defined in the network flavor).

Ganeti makes use of environment variables to inform scripts about each NIC's
setup. `kvm-vif-script`, which comes with `snf-network`, sets up the nfdhcpd
lease and applies any rules needed depending on the network's mode, link,
mac_prefix and tags.

Network @ Physical host level
-----------------------------

Currently, networking infrastructure must be pre-provisioned before creating
networks in Synnefo. According to which flavors you want to support, you should
have already set up all your physical hosts correspondingly. This means you
need:

- one bridge for the ``CUSTOM`` flavor (br0, see Fig. 1)
- one bridge for the ``MAC_FILTERED`` flavor (prv0, see Fig. 2)
- a number of bridges and their corresponding VLANs (bridged to them) for
  the ``PHYSICAL_VLAN`` flavor (prv1..prv100, see Fig. 3)
- a routing table for the ``IP_LESS_ROUTED`` flavor (snf_public, see Fig. 4)

Please refer to the following figures, which clarify each infrastructure setup
and how connectivity and isolation are achieved in every case for every type of
network.


FLAVORS
=======

As mentioned earlier, the supported flavors are:

- CUSTOM
- IP_LESS_ROUTED
- MAC_FILTERED
- PHYSICAL_VLAN

In the following sections we mention what configuration each flavor imposes from
the Synnefo, Ganeti and Physical host perspective.


DEFAULT SCENARIO
----------------

In this case we will bridge all primary interfaces of the VMs on one bridge that must
be in the same collision domain as the router. The router should then forward packets
(if a public IPv4 subnet is available) or do NAT in order to provide internet access to
the VMs.

To this end we will use the CUSTOM flavor and pre-provision in each Ganeti
node one bridge (e.g. ``br100``). If we assume that ``eth1`` is the physical interface
connected to the router, run:

.. image:: images/network-bridged.png
   :align: right
   :height: 550px
   :width: 500px

.. code-block:: console

   # brctl addbr br100
   # brctl addif br100 eth1
   # ip link set br100 up

   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   br100           8000.8a3c3ede3583       no              eth1


Then in Cyclades run:

.. code-block:: console

   # snf-manage network-create --subnet=5.6.7.0/27 --gateway=5.6.7.1 --subnet6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --public --dhcp=True --flavor=CUSTOM --link=br100 --name=default --backend-id=1

   # snf-manage network-list
   id   name      flavor   owner   mac_prefix   dhcp   state    link    vms   public   IPv4 Subnet   IPv4 Gateway
   1    default   CUSTOM                        True   ACTIVE   br100         True     5.6.7.0/27    5.6.7.1

This will add a network in the Synnefo DB and create a network in the Ganeti backend by
issuing:

.. code-block:: console

   # gnt-network add --network=5.6.7.0/27 --gateway=5.6.7.1 --network6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --network-type=public --tags=nfdhcpd snf-net-1

   # gnt-network connect snf-net-1 default bridged br100
   # gnt-network list snf-net-1
   Network     Subnet       Gateway   NetworkType   MacPrefix   GroupList                 Tags
   snf-net-1   5.6.7.0/27   5.6.7.1   public        None        default(bridged, br100)   nfdhcpd


To enable NAT on an internal router if you do not have a public IP range available
but only a public routable IP (e.g. 1.2.3.4):

.. code-block:: console

   # ip addr add 5.6.7.1/27 dev eth1
   # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4

IP_LESS_ROUTED
--------------

.. image:: images/network-routed.png
   :align: right
   :height: 580px
   :width: 500px

To create a network with the IP_LESS_ROUTED flavor you have to pre-provision in
each Ganeti node one routing table (e.g. ``snf_public``) that will do all the
routing from/to the VMs' taps. Additionally you must enable ``Proxy-ARP``
support. All traffic will be on a single interface (e.g. ``eth1``).

.. code-block:: console

   # echo 1 > /proc/sys/net/ipv4/ip_forward
   # echo 10 snf_public >> /etc/iproute2/rt_tables
   # ip route add 5.6.7.0/27 dev eth1
   # ip route add 5.6.7.0/27 dev eth1 table snf_public
   # ip route add default via 5.6.7.1 dev eth1 table snf_public
   # ip rule add iif eth1 lookup snf_public
   # arptables -A OUTPUT -o eth1 --opcode 1 -j mangle --mangle-ip-s 5.6.7.30   # last ip in Subnet

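The `echo 10 snf_public >> /etc/iproute2/rt_tables` step above is the one most likely to go wrong when the procedure is repeated on many nodes: a blind append run twice leaves a duplicate entry, and an id that another table already uses makes `snf_public` an alias for that table, so `ip rule add ... lookup snf_public` then steers VM traffic through the wrong routes. The following added example (not part of Synnefo or snf-network) makes the step idempotent and refuses conflicts. It works on the file content as text, using the real iproute2 format (id, whitespace, name, `#` comments); the sample content is constructed, and writing the result back is left to the caller.

```python
"""Added example, not Synnefo code: idempotent, conflict-checked insertion of a
routing table entry into /etc/iproute2/rt_tables content.

Sample content below is constructed; the functions never touch the
filesystem, the caller reads and writes the real file.
"""

SAMPLE_RT_TABLES = """\
#
# reserved values
#
255\tlocal
254\tmain
253\tdefault
0\tunspec
"""


def parse_rt_tables(text):
    """Return {name: id} for the routing-table entries in rt_tables content."""
    tables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError("malformed rt_tables line: %r" % raw)
        tables[parts[1]] = int(parts[0])
    return tables


def ensure_rt_table(text, table_id, name):
    """Return rt_tables content that contains the entry `table_id name`.

    Unchanged if the exact entry already exists. Raises if the name is bound
    to another id or the id to another name, since either would silently
    alias two routing tables.
    """
    tables = parse_rt_tables(text)
    if tables.get(name) == table_id:
        return text                               # already present: nothing to do
    if name in tables:
        raise ValueError("table %s already has id %d" % (name, tables[name]))
    ids_in_use = {tid: n for n, tid in tables.items()}
    if table_id in ids_in_use:
        raise ValueError("id %d already used by table %s"
                         % (table_id, ids_in_use[table_id]))
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "%d\t%s\n" % (table_id, name)
```

Run the same call on every node during provisioning; the second and later runs return the content untouched, and a node whose rt_tables already uses id 10 for something else fails loudly instead of ending up with two names for one table.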
Then in Cyclades run:

.. code-block:: console

   # snf-manage network-create --subnet=5.6.7.0/27 --gateway=5.6.7.1 --subnet6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --public --dhcp=True --flavor=IP_LESS_ROUTED --name=routed --backend-id=1

   # snf-manage network-list
   id   name     flavor           owner   mac_prefix   dhcp   state    link         vms   public   IPv4 Subnet   IPv4 Gateway
   2    routed   IP_LESS_ROUTED                        True   ACTIVE   snf_public         True     5.6.7.0/27    5.6.7.1


This will add a network in the Synnefo DB and create a network in the Ganeti backend by
issuing:

.. code-block:: console

   # gnt-network add --network=5.6.7.0/27 --gateway=5.6.7.1 --network6=2001:648:2FFC:1322::/64 --gateway6=2001:648:2FFC:1322::1 --network-type=public --tags=nfdhcpd,ip-less-routed snf-net-2

   # gnt-network connect snf-net-2 default routed snf_public
   # gnt-network list snf-net-2
   Network     Subnet       Gateway   NetworkType   MacPrefix   GroupList                     Tags
   snf-net-2   5.6.7.0/27   5.6.7.1   public        None        default(routed, snf_public)   nfdhcpd,ip-less-routed


MAC_FILTERED
------------

To create a network with the MAC_FILTERED flavor you have to pre-provision in each Ganeti
node one bridge (e.g. ``prv0``) that will be bridged with one interface (e.g. ``eth2``)
across the whole cluster.

.. image:: images/network-mac.png
   :align: right
   :height: 500px
   :width: 500px

.. code-block:: console

   # brctl addbr prv0
   # brctl addif prv0 eth2
   # ip link set prv0 up

   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   prv0            8000.8a3c3ede3583       no              eth2


Then in Cyclades first create a pool for MAC prefixes by running:

.. code-block:: console

   # snf-manage pool-create --type=mac-prefix --base=aa:00:0 --size=65536

and then create the network:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp=True --flavor=MAC_FILTERED --link=prv0 --name=mac --backend-id=1
   # snf-manage network-list
   id   name   flavor         owner   mac_prefix   dhcp   state    link   vms   public   IPv4 Subnet      IPv4 Gateway
   3    mac    MAC_FILTERED           aa:00:01     True   ACTIVE   prv0         False    192.168.1.0/24   192.168.1.1

Edit the synnefo setting `DEFAULT_MAC_FILTERED_BRIDGE` to `prv0`.

This will add a network in the Synnefo DB and create a network in the Ganeti backend by
issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --tags=nfdhcpd,private-filtered snf-net-3

   # gnt-network connect snf-net-3 default bridged prv0
   # gnt-network list snf-net-3
   Network     Subnet           Gateway       NetworkType   MacPrefix   GroupList                Tags
   snf-net-3   192.168.1.0/24   192.168.1.1   private       aa:00:01    default(bridged, prv0)   nfdhcpd,private-filtered


PHYSICAL_VLAN
-------------

To create a network with the PHYSICAL_VLAN flavor you have to pre-provision in each Ganeti
node a range of bridges (e.g. ``prv1..20``) that will be bridged with the corresponding VLANs (e.g. ``401..420``)
across the whole cluster. To this end, if we assume that ``eth3`` is the interface to use, run:

.. image:: images/network-vlan.png
   :align: right
   :height: 480px
   :width: 500px

.. code-block:: console

   # for i in {1..20}; do
   br=prv$i ; vlanid=$((400+i)) ; vlan=eth3.$vlanid
   brctl addbr $br ; ip link set $br up
   vconfig add eth3 $vlanid ; ip link set $vlan up
   brctl addif $br $vlan
   done
   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   prv1            8000.8a3c3ede3583       no              eth3.401
   prv2            8000.8a3c3ede3583       no              eth3.402
   ...

Then in Cyclades first create a pool for the bridges by running:

.. code-block:: console

   # snf-manage pool-create --type=bridge --base=prv --size=20

and then create the network:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp=True --flavor=PHYSICAL_VLAN --name=vlan --backend-id=1

   # snf-manage network-list
   id   name   flavor          owner   mac_prefix   dhcp   state    link   vms   public   IPv4 Subnet      IPv4 Gateway
   4    vlan   PHYSICAL_VLAN                        True   ACTIVE   prv1         False    192.168.1.0/24   192.168.1.1

This adds a network in the Synnefo DB, takes the next free bridge from the pool
(``prv1``) as its link, and creates a network in the Ganeti backend by issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --tags=nfdhcpd,physical-vlan snf-net-4

   # gnt-network connect snf-net-4 default bridged prv1
   # gnt-network list snf-net-4
   Network     Subnet           Gateway       NetworkType   MacPrefix   GroupList                Tags
   snf-net-4   192.168.1.0/24   192.168.1.1   private       None        default(bridged, prv1)   nfdhcpd,physical-vlan
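Because PHYSICAL_VLAN isolation rests entirely on every node having the same
``prvN`` to ``eth3.(400+N)`` mapping, it is worth verifying that mapping on each
node before (and after) the bridges are provisioned, instead of trusting the
loop above ran cleanly everywhere. The following script is an added example, not
part of the Synnefo documentation or code: it parses ``brctl show`` output and
reports every bridge whose VLAN sub-interface is missing or wrong. The names
``prv``, ``eth3``, ``400`` and the pool size ``20`` follow the text above; the
sample ``brctl show`` output is constructed for the demonstration and contains
two deliberate defects.

```shell
#!/bin/bash
# Added example, not Synnefo code: check that bridge prv$i on this node carries
# exactly the VLAN sub-interface eth3.$((400+i)), for i in 1..N.
# Adjust these four values to match the deployment.
BRIDGE_BASE=prv
VLAN_IFACE=eth3
VLAN_OFFSET=400
POOL_SIZE=20

# check_vlan_bridges N   reads `brctl show` output on stdin and checks prv1..prvN.
# Prints one line per finding; returns 0 only when all N bridges are correct.
check_vlan_bridges() {
    awk -v base="$BRIDGE_BASE" -v iface="$VLAN_IFACE" -v off="$VLAN_OFFSET" -v n="$1" '
        NR == 1 { next }                      # column header
        /^[^ \t]/ {                           # bridge line: name id stp [first port]
            cur = $1; seen[cur] = 1
            if (NF >= 4) ports[cur] = ports[cur] " " $4
            next
        }
        { ports[cur] = ports[cur] " " $1 }    # continuation line: one more port
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                br = base i; want = iface "." (off + i); found = 0
                if (!(br in seen)) { print "MISSING bridge " br; bad++; continue }
                m = split(ports[br], p, " ")
                for (k = 1; k <= m; k++) {
                    if (p[k] == want) found = 1
                    else if (p[k] ~ ("^" iface "\\.")) { print "WRONG vlan on " br ": " p[k] " (want " want ")"; bad++ }
                }
                if (!found) { print "MISSING " want " on " br; bad++ }
            }
            if (bad > 0) exit 1
            exit 0
        }'
}

# Constructed sample of `brctl show` output (not captured from a real node):
# prv2 carries VLAN 403 instead of 402, prv3 has no VLAN sub-interface at all,
# prv4 is correct and additionally has a VM tap device attached.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
prv1            8000.8a3c3ede3583       no              eth3.401
prv2            8000.8a3c3ede3583       no              eth3.403
prv3            8000.8a3c3ede3583       no
prv4            8000.8a3c3ede3583       no              eth3.404
                                                        tap12'

# Stand-alone demonstration on the constructed sample (checks prv1..prv4).
printf '%s\n' "$SAMPLE_BRCTL" | check_vlan_bridges 4 \
    || echo "-> node is NOT consistent; fix it before it serves PHYSICAL_VLAN networks"
```

On a real node run ``brctl show | check_vlan_bridges "$POOL_SIZE"`` and repeat on
every node of the cluster; a bridge that is only missing its VLAN still works
for VMs on the same node, so the problem is invisible until a VM is placed or
migrated elsewhere, which is exactly why the check belongs in the provisioning
procedure rather than in incident response.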



ADVANCED SCENARIO
-----------------

To create a network with the CUSTOM flavor you have to pass the mode, link,
mac prefix and tags for the network yourself. CUSTOM networks are not allowed
to use the existing pools (only MAC_FILTERED and PHYSICAL_VLAN use them), so
Cyclades cannot guarantee that the link and the mac prefix are unique: check
yourself that no other network already uses the same bridge or the same MAC
prefix, otherwise VMs of two supposedly private networks end up on one bridge.

Let's assume a bridge ``br200`` that serves a VPN network to GRNET already exists
on the Ganeti nodes and we want to create a private network for a certain user so
that he can access the VPN. Then we run in Cyclades:

.. code-block:: console

   # snf-manage network-create --subnet=192.168.1.0/24 --gateway=192.168.1.1 --dhcp=True --flavor=CUSTOM --mode=bridged --link=br200 --mac-prefix=bb:00:44 --owner=user@grnet.gr --tags=nfdhcpd,vpn --name=vpn --backend-id=1

   # snf-manage network-list
   id   name   flavor   owner           mac_prefix   dhcp   state    link    vms   public   IPv4 Subnet      IPv4 Gateway
   5    vpn    CUSTOM   user@grnet.gr   bb:00:44     True   ACTIVE   br200         False    192.168.1.0/24   192.168.1.1

This adds a network in the Synnefo DB and creates a network in the Ganeti backend by
issuing:

.. code-block:: console

   # gnt-network add --network=192.168.1.0/24 --gateway=192.168.1.1 --network-type=private --tags=nfdhcpd,vpn snf-net-5

   # gnt-network connect snf-net-5 default bridged br200
   # gnt-network list snf-net-5
   Network     Subnet           Gateway       NetworkType   MacPrefix   GroupList                 Tags
   snf-net-5   192.168.1.0/24   192.168.1.1   private       bb:00:44    default(bridged, br200)   nfdhcpd,vpn

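Since nothing in Cyclades enforces uniqueness of ``--link`` and ``--mac-prefix``
for CUSTOM networks, the operator has to do that check before running
``network-create``. The script below is an added example, not part of the Synnefo
documentation or code: it validates a candidate link/prefix pair against the
networks that already exist. Its input is one line per existing network in the
form ``name link mac_prefix`` (``-`` when the network has no prefix); the sample
is constructed from the three ``network-list`` tables in this document, and the
candidate values (``br201``, ``bb:00:45`` and so on) are made up for the
demonstration.

```shell
#!/bin/bash
# Added example, not Synnefo code: refuse a CUSTOM network whose bridge or MAC
# prefix is already taken by another network.
#
# Constructed from the network-list tables above (not captured from a deployment):
# "name link mac_prefix", with "-" for networks that have no MAC prefix.
EXISTING_NETWORKS='mac   prv0   aa:00:01
vlan  prv1   -
vpn   br200  bb:00:44'

# check_custom_network LINK MAC_PREFIX   (existing networks on stdin)
# Prints one line per finding; returns 0 only when the prefix is well formed and
# neither the link nor the prefix is in use. A prefix that is not locally
# administered only produces a warning.
check_custom_network() {
    link=$1; prefix=$2; bad=0

    # Three hex octets, e.g. bb:00:44.
    case "$prefix" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "BAD mac prefix '$prefix': expected xx:xx:xx"; return 1 ;;
    esac

    # Bit 0x02 of the first octet marks a locally administered address; a
    # cloud-assigned prefix should have it set so it can never collide with a
    # vendor OUI seen on the physical network.
    first=$((0x${prefix%%:*}))
    if [ $(( first & 2 )) -eq 0 ]; then
        echo "WARN prefix $prefix is not locally administered (bit 0x02 of first octet clear)"
    fi

    while read -r name used_link used_prefix; do
        [ -n "$name" ] || continue
        if [ "$used_link" = "$link" ]; then
            echo "COLLISION link $link already used by network '$name'"; bad=1
        fi
        if [ "$used_prefix" != "-" ] &&
           [ "$(echo "$used_prefix" | tr A-Z a-z)" = "$(echo "$prefix" | tr A-Z a-z)" ]; then
            echo "COLLISION mac prefix $prefix already used by network '$name'"; bad=1
        fi
    done
    return $bad
}

# Stand-alone demonstration: one clean candidate, one reusing br200, one reusing
# the MAC_FILTERED prefix aa:00:01.
for candidate in "br201 bb:00:45" "br200 cc:00:01" "br300 aa:00:01"; do
    set -- $candidate
    echo "== link=$1 prefix=$2"
    printf '%s\n' "$EXISTING_NETWORKS" | check_custom_network "$1" "$2" \
        || echo "   -> refuse network-create"
done
```

Feed it the current ``snf-manage network-list`` output reduced to the three
columns (plus any bridges that exist on the nodes but are not managed by
Cyclades, such as ``br200`` itself when it is shared with other tenants), and
run it for every CUSTOM network, since the check is the only thing standing
between two users' "private" networks and a shared bridge.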