[openstack-dev] [neutron] Are routed TAP interfaces (and DHCP for them) in scope for Neutron?
Neil Jerram
Neil.Jerram at metaswitch.com
Thu May 7 11:21:34 UTC 2015
Hi Carl,
I think I already answered your questions in my previous email below -
but possibly that just means that I am misunderstanding exactly what you
are asking! More inline....
On 06/05/15 18:13, Carl Baldwin wrote:
> This brings up something I'd like to discuss. We have a config option
> called "allow_overlapping_ips" which actually defaults to False. It
> has been suggested [1] that this should be removed from Neutron and
> I've just started playing around with ripping it out [2] to see what
> the consequences are.
>
> A purely L3 routed network, like Calico, is a case where it is more
> complex to implement allowing overlapping ip addresses.
Well, yes. At least it means needing per-address space namespaces on
the compute host. Because there might be two VMs on the same host and
with the same IP, in different private address spaces, and there
couldn't possibly be a way of routing both of those correctly, without
putting their TAP interfaces into different namespaces.
Then there's still the question of how to route across the fabric to the
destination compute host (or to a border gateway), and how to
communicate, to that compute host, the address space that it should
route it. To solve that, in Calico, we're thinking of using stateless
464XLAT.
There's a fuller exposition of all this, if you'd like more detail, at
http://docs.projectcalico.org/en/latest/overlap-ips.html.
> If we deprecate and eventually remove allow_overlapping_ips, will this
> be a problem for Calico?
I don't think so, but I'm not sure I've fully grasped the implications.
For people using Calico today, we'd simply document and advertise that
overlapping IPs aren't supported yet, and that would be the same
regardless of whether allow_overlapping_ips still exists.
(More broadly, there are other things in the Neutron API that Calico has
a different take on. For example floating IPs - where Calico's approach
is that if you want a VM to be publically addressable, you just give it
an IP from a public range. We currently try to cover those things via
documentation, as here:
http://docs.projectcalico.org/en/latest/calico-neutron-api.html. But a
longer term view would be for us to suggest evolving some of the Neutron
API's concepts such that they have interpretations that make sense for
both traditional Neutron networks and for Calico-like routed networks.
Hence the question that I asked when starting this thread: are routed
TAP interfaces [or perhaps I should have said 'routed networking'] in
scope for Neutron? If they are, that might eventually have consequences
for how the Neutron API should be expressed.)
Then, in the hopefully not-too-distant future, Calico _will_ support
overlapping IPs, and then it certainly won't be a problem if
allow_overlapping_ips no longer exists.
> Is the shared address space in Calico
> confined to a single flat network
Yes.
> or do you already support tenant
> private networks with this technology?
No, not yet.
> If I recall from previous
> discussions, I think that it only supports Neutron's flat network
> model in the current form, so I don't think it should be a problem.
> Am I correct? Please confirm.
Correct.
Many thanks for your interest and reply!
Neil
>
> [1] http://lists.openstack.org/pipermail/openstack-dev/2014-May/036336.html
> [2] https://review.openstack.org/#/c/179953/
>
> On Fri, May 1, 2015 at 8:22 AM, Neil Jerram <Neil.Jerram at metaswitch.com> wrote:
>> Thanks for your reply, Kevin, and sorry for the delay in following up.
>>
>> On 21/04/15 09:40, Kevin Benton wrote:
>>>
>>> Is it compatible with overlapping IPs? i.e. Will it give two different
>>> VMs the same IP address if the reservations are setup that way?
>>
>>
>> No, not as I've described it below, and as we've implemented Calico so far.
>> Calico's first target is a shared address space without overlapping IPs, so
>> that we can handle everything within the default namespace.
>>
>> But we do also anticipate a future Calico release to support private address
>> spaces with overlapping IPs, while still routing all VM data rather than
>> bridging. That will need the private address TAP interfaces to go into a
>> separate namespace (per address space), and have their data routed there;
>> and we'd run a Dnsmasq in that namespace to provide that space's IP
>> addresses.
>>
>> Within each namespace - whether the default one or private ones - we'd still
>> use the other changes I've described below for how the DHCP agent creates
>> the ns-XXX interface and launches Dnsmasq.
>>
>> Does that make sense? Do you think that this kind of approach could be in
>> scope under the Neutron umbrella, as an alternative to bridging the TAP
>> interfaces?
>>
>> Thanks,
>> Neil
>>
>>
>>> On 16/04/15 15:12, Neil Jerram wrote:
>>>
>>> I have a Neutron DHCP agent patch whose purpose is to launch dnsmasq
>>> with options such that it works (=> provides DHCP service) for TAP
>>> interfaces that are _not_ bridged to the DHCP interface (ns-XXX). For
>>> the sake of being concrete, this involves:
>>>
>>> - creating the ns-XXX interface as a dummy, instead of as a veth pair
>>>
>>> - launching dnsmasq with --bind-dynamic --listen=ns-XXX --listen=tap*
>>> --bridge-interface=ns-XXX,tap*
>>>
>>> - not running in a separate namespace
>>>
>>> - running the DHCP agent on every compute host, instead of only on the
>>> network node
>>>
>>> - using the relevant subnet's gateway IP on the ns-XXX interface (on
>>> every host), instead of allocating a different IP for each ns-XXX
>>> interface.
>>>
>>> I proposed a spec for this in the Kilo cycle [1], but it didn't get
>>> enough traction, and I'm now wondering what to do with this
>>> work/function. Specifically, whether to look again at integrating it
>>> into Neutron during the Liberty cycle, or whether to maintain an
>>> independent DHCP agent for my project outside the upstream Neutron
>>> tree.
>>> I would very much appreciate any comments or advice on this.
>>>
>>> For answering that last question, I suspect the biggest factor is
>>> whether routed TAP interfaces - i.e. forms of networking
>>> implementation
>>> that rely on routing data between VMs instead of bridging it - is in
>>> scope for Neutron, at all. If it is, I understand that there could be
>>> a
>>> lot more detail to work on, such as how it meshes with other Neutron
>>> features such as DVR and the IPAM work, and that it might end up being
>>> quite different from the blueprint linked below. But it would be good
>>> to know whether this would ultimately be in scope and of interest for
>>> Neutron at all.
>>>
>>> Please do let me now what you think.
>>>
>>> Many thanks,
>>> Neil
>>>
>>> [1] https://blueprints.launchpad.net/neutron/+spec/dhcp-for-routed-ifs
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list