Hi Andrei,
On 4/16/25 4:29 PM, Thomas Goirand wrote:
Hi Andrei,
On 4/16/25 12:23, Andrei RADU wrote:
Hello,
This is my first interaction with the OpenStack mailing lists, so hopefully I am sending this question to the correct place 😊
That's the correct place. Welcome!
The question is simple: does OpenStack (Neutron) natively support DHCP relay?
Short answer: currently, no, and it's not a good idea to do that anyways. See below for more details.
Thanks for answering Thomas, and I would agree it's probably not a good idea to support DHCP relays. That said, the Neutron team is always willing to talk about new features if there is a good need behind it - like there is some functionality we just cannot get with what we have.
We currently have a (test) deployment using the OVS driver, but we may think about switching to OVN. We would like to use an external DHCP server (BlueCat) that is already handling the rest of our network's DHCP.
OVN has a built-in DHCP server, and with ML2/OVS you can use DHCP in a distributed config, both of which do all the work directly on the compute nodes. That greatly simplifies the architecture, so I'm not sure we'd want to undo that. So the question comes down to "what problem are you trying to solve?". Please don't take that in a snarky way; I can't think of a better way to ask it.
Thanks,
-Brian
I could not find anything related to this in docs.
I found this spec: https://review.opendev.org/c/openstack/neutron-specs/+/105660 which seems to have been abandoned.
It also shows in the spec: Neutron doesn't only provide a DHCP (using dnsmasq, by the way), it also provides tenant isolation. Meaning that for example, 2 projects may use the same 10.0.0.0/24 subnet range without any collision.
To achieve this, Neutron makes sure that VMs cannot use IPs that they don't "own", and does this by checking the IP vs the MAC address given to the VM. Any traffic that's not matching the pair will be dropped by OpenVSwitch. This makes sure it's impossible to do IP spoofing.
Under this condition, Neutron must know *in advance* what IP address the DHCP server will provide to the VM, and therefore using a DHCP relay to an external DHCP server that Neutron doesn't control is not a good idea, unless one sacrifices the security I described above (in Neutron, that's called "port security", which can be disabled by an admin, but not by a normal user).
So, with port security off, it should be possible to bind a DHCP relay in a VM of a subnet, but I would not recommend doing this at all, as anyone would be able to do IP spoofing then. So there's no need to ask for something special from OpenStack Neutron; just deploy that if you don't care about port security.
I hope the above answers your question correctly. If not, I'm sure someone else will correct what I wrote (to the best of my knowledge).
Cheers,
Thomas Goirand (zigo)
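To illustrate the IP/MAC pair check Thomas describes, here is an added example (not code from the thread, Neutron or OVS) that models port security as a simple filter: a port's Neutron-allocated MAC and fixed IPs are the only pair allowed to send, so an address leased by an external DHCP server that Neutron never recorded is dropped unless port security is disabled. The `Port`/`Frame` shapes and the sample addresses are constructed for the example; real OVS does this with flow rules, not a Python dict.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Port:
    """A Neutron port as the compute node sees it (simplified model)."""
    mac: str
    fixed_ips: set               # IPs Neutron allocated to this port
    port_security_enabled: bool = True

@dataclass
class Frame:
    """Outbound frame from the VM attached to the port."""
    src_mac: str
    src_ip: str

def allowed(port: Port, frame: Frame) -> bool:
    """Mirror the anti-spoofing rule: (src MAC, src IP) must match the port."""
    if not port.port_security_enabled:
        return True              # admin turned port security off: anything goes
    return frame.src_mac == port.mac and frame.src_ip in port.fixed_ips

def filter_frames(port: Port, frames: list) -> tuple:
    """Split frames into (passed, dropped) lists, as the vswitch would."""
    passed = [f for f in frames if allowed(port, f)]
    dropped = [f for f in frames if not allowed(port, f)]
    return passed, dropped

# Constructed sample: Neutron gave this VM port the MAC below and 10.0.0.5.
VM_PORT = Port(mac="fa:16:3e:00:00:01", fixed_ips={"10.0.0.5"})

SAMPLE_FRAMES = [
    Frame("fa:16:3e:00:00:01", "10.0.0.5"),   # Neutron-assigned IP: passes
    Frame("fa:16:3e:00:00:01", "10.0.0.42"),  # leased by external DHCP: dropped
    Frame("fa:16:3e:00:00:99", "10.0.0.5"),   # spoofed MAC: dropped
]

def demo_with_port_security() -> tuple:
    passed, dropped = filter_frames(VM_PORT, SAMPLE_FRAMES)
    return [f.src_ip for f in passed], [f.src_ip for f in dropped]

def demo_without_port_security() -> tuple:
    insecure = Port(VM_PORT.mac, VM_PORT.fixed_ips, port_security_enabled=False)
    passed, dropped = filter_frames(insecure, SAMPLE_FRAMES)
    return [f.src_ip for f in passed], [f.src_ip for f in dropped]

if __name__ == "__main__":
    print("port security on :", demo_with_port_security())
    print("port security off:", demo_without_port_security())
```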