[Openstack] Total Network Confusion

Joe Warren-Meeks joe.warren.meeks at gmail.com
Tue Jan 15 16:43:41 UTC 2013


Hey James,

I had exactly your requirement too, and it took me many weeks to get to a
solution. Hopefully, you won't have to. I have installed and reinstalled it
so, so many times. For a while I thought I'd lost the ability to
*computer*. Feel free to contact me offlist if you need any other guidance,
I'd be very happy to help.

Firstly, if you can use a different NIC for the bridges, I'd strongly
recommend it.

You need to configure nova to work as multi_host, this will enable you to
dish out your switch/router IP as the default route via dnsmasq. You also
need to lightly hack linux_net.py so that this works.

You also need to slighly hack Iptables to stop it SNATting your instances
out.

Follow
http://cssoss.files.wordpress.com/2012/05/openstackbookv3-0_csscorp2.pdf up
to chapter 2.2.7.

Once you've installed all the Nova packages, stop then.

0. Linux stuff
^^^^^^^^^^^^^^
Before you start, apt-get install vlan and add 8021q to the end of
/etc/modules
If you are using an unconfigured interface as the bridge device, add
/sbin/ifconfig ethX up
to /etc/rc.local

1. Linux net
^^^^^^^^^^^^
You need to copy the attached linux_net.py over
/usr/share/pyshared/nova/network/linux_net.py
(Do a diff first, so you can see it isn't trojaned :-)

2. dnsmasq
^^^^^^^^^^
You need to tell dnsmasq to send out a different IP for your router
tailor the following and put it into /etc/dnsmasq-nova.conf

================
#
# Set the default route for all networks to be the firewall
#
dhcp-option=tag:'production',option:router,10.0.31.1
dhcp-option=tag:'dmz',option:router,10.0.21.1
dhcp-option=tag:'development',option:router,10.0.41.1

# devsupp
dhcp-host=fa:16:3e:66:05:c2,10.0.21.7
=================

You need to change the tag to match the network label you use when you set
up the network later on.

3. nova.conf
^^^^^^^^^^^^
I've attached my nova.conf for you. I'll mark the bits you might need to
change. Search for ### in there.

4. Continue with the install
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Restart all the Nova services as soon as you have done the 'nova-manage db
sync'

5. Create networks
^^^^^^^^^^^^^^^^^^
nova-manage network create --label=production
--fixed_range_v4=10.0.31.0/24--vlan=31 --bridge_interface=eth3
--multi_host=T
--project_id=79433bbfc2674bf9bff257a5e0f21581

The important bits are the label, which must match dnsmasq-nova.conf, the
vlan, bridge interface and multi_host=T


So, now you should be done. However, Openstack will try to add in a SNAT
rule to SNAT some outbound traffic. Vish suggested leaving
--routing_source_ip= in nova.conf set to nothing, but that doesn't work, it
throws an error when setting up the iptables rules.

Hope that helps!

 -- joe.



On 15 January 2013 14:31, Jay Pipes <jaypipes at gmail.com> wrote:

> On 01/15/2013 05:31 AM, James Condron wrote:
> > Jay, Guys,
> >
> > The Vlan Manager stuff looks spot on for my needs but I am a tad
> confused.
> >
> > (Perhaps Folsom addresses these; I'm just on a deadline to get a PoC
> running and I don't want to look like I've been wasting time building this).
> >
> > Assuming I configure my vlan on my switch, set my switchport to trunk
> and use vlanmanager do Scenarios 6 and 7 extend out to hosts *not* on
> OpenStack/ not configured via OpenStack?
> >
> > Would I be able to, say, connect from my PC vlan to one of the vlans
> configured via OpenStack? Would this also allow me to configure bridges on
> Open Stack to route via their own IPs and Vlans?
>
> Not quite sure, actually. I'm certainly no networking guru, sorry :( I'd
> imagine you *could* do this, but it would take manually modifying
> iptables on the individual compute nodes -- which would mess with the
> nova-network controller on the compute nodes IIUC...
>
> -jay
>
> > Thanks,
> >
> > James
> >
> >
> > On 14 Jan 2013, at 18:11, Jay Pipes <jaypipes at gmail.com> wrote:
> >
> >> I'd recommend Folsom over Essex :) And I'd highly recommend these
> >> articles from Mirantis which really step through the networking setup in
> >> VLANManager. Read through them in the following order and I promise at
> >> the end you will have a much better understanding of networking in Nova.
> >>
> >>
> http://www.mirantis.com/blog/openstack-networking-flatmanager-and-flatdhcpmanager/
> >>
> http://www.mirantis.com/blog/openstack-networking-single-host-flatdhcpmanager/
> >> http://www.mirantis.com/blog/openstack-networking-vlanmanager/
> >> http://www.mirantis.com/blog/vlanmanager-network-flow-analysis/
> >>
> >> All the best,
> >> -jay
> >>
> >> On 01/14/2013 11:52 AM, James Condron wrote:
> >>> Hi all,
> >>>
> >>> I've recently started playing with (and working with) OpenStack with a
> >>> view to migrate our production infrastructure from esx 4 to Essex.
> >>>
> >>> My issue, or at least utter idiocy, is in the network configuration.
> >>> Basically I can't work out whether in the configuration of OpenStack I
> >>> have done something daft, on the network something daft or I've not
> >>> understood the technology properly.
> >>>
> >>> *NB: *I can get to the outside world form my VMs; I don't want to
> >>> confuse things further.
> >>>
> >>> As attached is a diagram I knocked up to hopefully make this simpler,
> >>> though I hope I can explain it simply with:
> >>>
> >>> *************
> >>> *Given both public and private interfaces on my server being on the
> same
> >>> network and infrastructure how would one go about accessing VMs via
> >>> their internal IP and not have to worry about a VPN or Public IPs?*
> >>> *************
> >>>
> >>> My corporate network  works on simple vlans; I have a vlan for my
> >>> production boxen, one for development, one for PCs, telephony, etc.
> etc.
> >>> These are pretty standard.
> >>>
> >>> The public, eth0 NIC on my compute node (Single node setup, nothing
> >>> overly fancy; pretty vanilla) is on my production vlan and everything
> is
> >>> accessible.
> >>> the second nic, eth1, is supposedly on a vlan for this specific
> purpose.
> >>>
> >>> I am hoping to be able to access these internal IPs on their...
> Internal
> >>> IPs (For want of a better phrase). Is this possible? I'm reasonably
> >>> confident this isn't a routing issue as I can ping the eth1 IP from the
> >>> switch:
> >>>
> >>> #ping 10.12.0.1
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 5, 100-byte ICMP Echos to 10.12.0.1, timeout is 2 seconds:
> >>> !!!!!
> >>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
> >>>
> >>> But none of the ones assigned to VMs:
> >>>
> >>> #ping 10.12.0.4
> >>>
> >>> Type escape sequence to abort.
> >>> Sending 5, 100-byte ICMP Echos to 10.12.0.4, timeout is 2 seconds:
> >>> .....
> >>> Success rate is 0 percent (0/5)
> >>>
> >>> Or.... for those looking at the attached diagram: vlan101 is great and
> >>> works fine; what do I need to do (If at all possible) to get vlan102
> >>> listening?
> >>>
> >>>
> >>> _______________________________________________
> >>> Mailing list: https://launchpad.net/~openstack
> >>> Post to     : openstack at lists.launchpad.net
> >>> Unsubscribe : https://launchpad.net/~openstack
> >>> More help   : https://help.launchpad.net/ListHelp
> >>>
> >>
> >> _______________________________________________
> >> Mailing list: https://launchpad.net/~openstack
> >> Post to     : openstack at lists.launchpad.net
> >> Unsubscribe : https://launchpad.net/~openstack
> >> More help   : https://help.launchpad.net/ListHelp
> >
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130115/12ac649a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux_net.py
Type: application/octet-stream
Size: 46401 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130115/12ac649a/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nova.conf
Type: application/octet-stream
Size: 2032 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130115/12ac649a/attachment-0001.obj>


More information about the Openstack mailing list