<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/17/2014 12:43 PM, Devananda van
der Veen wrote:<br>
<br>
Thanks for the reply!<br>
<br>
</div>
<blockquote
cite="mid:CAExZKEoj0x3Z1RjHA8wxSxJfU-KomQ+ENs8X4nOTOvd1BHVF2g@mail.gmail.com"
type="cite">On Wed Nov 12 2014 at 2:41:27 PM Chuck Carlino <<a
moz-do-not-send="true" href="mailto:chuckjcarlino@gmail.com">chuckjcarlino@gmail.com</a>>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
I'm working on the neutron side of a couple of ironic
issues, and I need some help. Here are the issues.<br>
<ol>
<li>If a nic on an ironic server fails and is replaced by
a nic with a different mac address, neutron's dhcp
service will not serve it the same ip address. This can
be worked around by deleting the neutron port and
creating a new one, but it leaves a window wherein the
ip address could be lost to an unrelated port creation
happening at the same time.<br>
</li>
<li>While performing large deployments, a random nic
failure can cause the failure of the entire deploy. The
ability to retry a failed boot with a different nic has
been requested.<br>
</li>
</ol>
<p>It has been proposed that both issues could be at least
partially addressed by adding the ability to use dhcp
client id to neutron. In this solution, the dhcp client
is configured to use a dhcp client id, and the server
associates this client id (instead of mac address) with
the ip address. Note that this idea just came up today,
so no code exists yet to try things out.<br>
</p>
<p>My questions:<br>
</p>
<p>For 1, the mac address of the neutron port will be left
different from the actual nic's mac address. Is that a
problem for ironic? It makes me feel uneasy, and might
confuse users, but that's all I got.<br>
</p>
</div>
</blockquote>
<div>I think that's a show-stopper, actually. Not just because
it would be very confusing for operators to see a fake MAC in
Nova and the real MAC in Ironic. Neutron's lack of knowledge
of the physical MAC(s) would seem to prevent it performing
physical switch configuration (via ml2 plugins) for those who
choose to use Ironic in a multi-tenant environment (eg,
OnMetal).<br>
</div>
</div>
</blockquote>
<br>
Good to know.<br>
<br>
<blockquote
cite="mid:CAExZKEoj0x3Z1RjHA8wxSxJfU-KomQ+ENs8X4nOTOvd1BHVF2g@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>In general, does using dhcp client id present any issues
for booting an ironic server? I've done a bit of web
searching and from a protocol perspective it looks
feasible, but I don't get a sense of whether it's a good
general solution.<br>
</p>
</div>
</blockquote>
<div>A few things come to mind:</div>
<div><br>
</div>
<div>- How does the instance know what DHCP client ID to include
in its request, before it has an IP by which to contact the
metadata service? It sounds like this feature would only work
if Ironic has a pre-boot way to pass in data (eg,
configdrive). Not all our drivers support that today.</div>
</div>
</blockquote>
<br>
So using dhcp client id may not be a general solution.<br>
<br>
<blockquote
cite="mid:CAExZKEoj0x3Z1RjHA8wxSxJfU-KomQ+ENs8X4nOTOvd1BHVF2g@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
</div>
<div>- Is it possible / desirable to group multiple NICs under a
single DHCP client ID? If so, then again, it would seem like
neutron would need to know the physical MACs. (I recall us
chatting about port bonding at some point, but I'm not sure if
these were related conversations.)</div>
</div>
</blockquote>
<br>
I'd rather not confuse the issue with any details around how bonding
or link aggregation works, so let's just say that in case #2 above,
the guest may or may not be bonding the interfaces. Since bonding
occurs after boot, the bonding itself is not pertinent. But yes,
all NICs through which network boot can be attempted must present
the same dhcp_client_id for this solution to work. I don't see the
connection to neutron needing correct mac addresses, though, since
the client id effectively replaces the mac address for ip address
lookup.<br>
<br>
<blockquote
cite="mid:CAExZKEoj0x3Z1RjHA8wxSxJfU-KomQ+ENs8X4nOTOvd1BHVF2g@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
</div>
<div>- What prevents some other server from spoofing the DHCP
client ID in a multi-tenant environment? Again, folks using an
ML2 plugin today are able to do MAC filtering on traffic at
the switch. Removing knowledge of the node's physical MACs
looks like it breaks this.</div>
</div>
</blockquote>
<br>
Googling around, it looks like spoofing can be addressed as in
<a class="moz-txt-link-freetext" href="https://www.ietf.org/rfc/rfc3046.txt">https://www.ietf.org/rfc/rfc3046.txt</a> (needs a trusted component). I
agree that neutron needs the correct mac address here.<br>
<br>
Thanks,<br>
Chuck<br>
<br>
<blockquote
cite="mid:CAExZKEoj0x3Z1RjHA8wxSxJfU-KomQ+ENs8X4nOTOvd1BHVF2g@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<p>If you have any off-the-top 'there's no chance that'll
work' or better things to try kind of feedback, it would
be great to hear it now since I'm about to start a POC to
try it out.<br>
</p>
<p>Thanks,<br>
Chuck<br>
</p>
</div>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>