[Openstack] Flat networking, L2 access and externally assigned IP addresses

Robert Collins robertc at robertcollins.net
Sun Nov 3 03:46:01 UTC 2013


On 3 November 2013 12:37, Stuart Longland <stuartl at vrt.com.au> wrote:
> Hi Rob,
> On 24/10/13 11:06, Robert Collins wrote:
>> Hi there.
>>
>> Create a provider network in Neutron to represent your external LAN,
>> and either a) use that as your only network - in which case you'll
>> need your external router to handle 169.254.169.254 - the metadata
>> agent - or b) add that as a second network when you spawn instances,
>> in which case the private overlay network you have running will have
>> addresses assigned by Neutron - and you'll want to push a host route
>> for 169.254.169.254 as you'll have your default route be via the
>> provider network.
>
> Okay, is this using Flat Networking or something else?

TBH I'm not sure 'flat networking' really is a thing in Neutron, is
it? I mean, you can configure an equivalent setup with provider
networks - which is what I suggest, but it's not a global mode the way
it is in nova-networking.

> What's the significance of the 169.254.169.254 address?  If I were to
> add a host route at the external router, to where do I route it?

To your nova API server. That address is the magic EC2 metadata API
host, which cloud-init queries to do boot-time configuration of your
VMs based on cloud metadata.

>
> Would this give the VM unfettered access to the network?  I found last
> time I tried flat networking, some packet filtering still occurred.

It won't let you spoof traffic; but other than that you should be able
to do anything (just open the appropriate ports in your security
group).

Or - and not recommended IMNSHO - you can use the noop firewall driver
and disable security groups.

-Rob



-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
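
In option (b) above, the guest has two interfaces and metadata traffic should follow the pushed host route rather than the default route on the provider network. The following is an added example, not part of the original thread, that checks this from `ip -4 route show` output using longest-prefix match; the interface names, addresses and both sample routing tables are constructed.

```python
import ipaddress

METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed guest routing tables (`ip -4 route show` format); eth0 is the
# provider network, eth1 the Neutron-addressed private network (assumed names).
WITH_HOST_ROUTE = """\
default via 192.0.2.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5
169.254.169.254 via 10.0.0.1 dev eth1
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.57
"""
WITHOUT_HOST_ROUTE = """\
default via 192.0.2.1 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.57
"""

def _after(fields, key):
    """Return the token following `key`, or None if it is absent."""
    return fields[fields.index(key) + 1] if key in fields[:-1] else None

def parse_routes(text):
    """Parse route lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first token is a route type, not a prefix; skip it
        routes.append((net, _after(fields, "via"), _after(fields, "dev")))
    return routes

def metadata_path(text, addr=METADATA_IP):
    """Longest-prefix match for the metadata address: (kind, via, dev)."""
    matches = [r for r in parse_routes(text) if addr in r[0]]
    if not matches:
        return ("no-route", None, None)
    net, via, dev = max(matches, key=lambda r: r[0].prefixlen)
    kind = {32: "host-route", 0: "default"}.get(net.prefixlen, "subnet")
    return (kind, via, dev)

if __name__ == "__main__":
    for name, table in [("with", WITH_HOST_ROUTE), ("without", WITHOUT_HOST_ROUTE)]:
        print(name, metadata_path(table))
```

A result of kind `default` on the provider interface means metadata requests leave via the external router, which is the case option (a) says that router must then handle.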



