nova network, the dirty details 041613
April 2013
nova-network: The Dirty Details
Ryan Richard, RHCA, OpenStack Architect - Private Cloud
[email protected] | @rackninja
Tuesday, April 16, 13
RACKSPACE® HOSTING | WWW.RACKSPACE.COM
Why nova-network?
Pre-existing installs
Folsom deployments
Quantum:
http://docs.openstack.org/trunk/openstack-network/admin/content/ch_overview.html
https://wiki.openstack.org/wiki/Quantum
nova-network overview
Provides networking for instances
flat, flatDHCP, flatVLAN
iptables, ebtables, linux bridge
"behind the scenes" - no direct API
http://docs.openstack.org/folsom/openstack-compute/admin/content/list-of-compute-config-options.html
nova-network overview
Host Network - physical server communication, management network
Fixed Network - L3 network range for instances, instance-to-instance communication
nova-network overview (diagram slides 5-11; images not included in this transcript)
nova-network options
50+ options for networking config
multi_host = multiple nova-network processes (1 per compute host)
DNS, DHCP, public_interface, dmz_cidr
public_interface
Decides which interface the default SNAT rule applies to
# iptables -t nat -nvL nova-network-snat
Used for public internet access
nova-network options
dnsmasq options
DHCP Lease
Hardware Gateway
DNS domain
nova-network options
dmz_cidr
NAT exclusion list
ACCEPT rule in iptables NAT
# iptables -t nat -nvL nova-network-POSTROUTING
iptables & ebtables
iptables
Security Groups implementation - 1 chain per instance
Default: restrict all access
Responsible for NAT
Chain example: nova-compute-inst-771
iptables & ebtables
ebtables
IP/MAC/ARP spoofing protections
Only 1 IP per instance
defined in /etc/libvirt/nwfilter/ (libvirt implementations)
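The ebtables side of the story lives in libvirt's nwfilter definitions, so the two properties the slide states (IP/MAC/ARP spoofing protection, only one IP per instance) can be checked by reading those XML files. The following Python audit is an added example, not code from the talk or from nova: it walks an instance filter's <filterref> chain and reports which of libvirt's built-in anti-spoofing filters (no-mac-spoofing, no-ip-spoofing, no-arp-spoofing, real libvirt names) are reachable and how many IP parameters are bound. The sample filter documents, including the contents of 'nova-base' and the instance filter names, are constructed assumptions standing in for files under /etc/libvirt/nwfilter/.

```python
import xml.etree.ElementTree as ET

# Constructed nwfilter documents standing in for the XML files libvirt keeps
# under /etc/libvirt/nwfilter/. The built-in libvirt filter names
# (no-mac-spoofing, no-ip-spoofing, no-arp-spoofing, allow-dhcp-server) are
# real; the contents of 'nova-base' and the instance filters are simplified
# assumptions, not copied from a nova host.
SAMPLE_FILTERS = {
    "nova-base": """<filter name='nova-base' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>""",
    # Well-formed instance filter: one IP parameter, spoofing filters inherited
    "nova-instance-instance-00000771": """<filter name='nova-instance-instance-00000771' chain='root'>
  <filterref filter='nova-base'>
    <parameter name='IP' value='10.0.0.5'/>
  </filterref>
</filter>""",
    # Drifted filter: two IP parameters and no reference to nova-base at all
    "nova-instance-instance-00000772": """<filter name='nova-instance-instance-00000772' chain='root'>
  <filterref filter='allow-dhcp-server'>
    <parameter name='IP' value='10.0.0.6'/>
    <parameter name='IP' value='10.0.0.7'/>
  </filterref>
</filter>""",
}

REQUIRED_SPOOFING_FILTERS = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}


def referenced_filters(name, filters, seen=None):
    """Transitively collect every filter name reachable from `name` through
    <filterref> elements. Built-in libvirt filters are absent from `filters`
    and are therefore treated as leaves."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    if name in filters:
        for ref in ET.fromstring(filters[name]).iter("filterref"):
            referenced_filters(ref.get("filter"), filters, seen)
    return seen


def ip_parameters(name, filters):
    """IP parameter values handed to the referenced filters; no-ip-spoofing and
    no-arp-spoofing bind the instance's tap device to exactly these addresses."""
    root = ET.fromstring(filters[name])
    return [p.get("value") for p in root.iter("parameter") if p.get("name") == "IP"]


def audit_instance_filter(name, filters):
    """Check one instance filter for the two properties the slide states:
    anti-spoofing filters reachable, and only one IP bound to the instance."""
    reachable = referenced_filters(name, filters) - {name}
    ips = ip_parameters(name, filters)
    return {
        "missing_spoofing_filters": sorted(REQUIRED_SPOOFING_FILTERS - reachable),
        "ip_parameters": ips,
        "single_ip": len(ips) == 1,
    }


if __name__ == "__main__":
    for instance in SAMPLE_FILTERS:
        if instance.startswith("nova-instance-"):
            print(instance, audit_instance_filter(instance, SAMPLE_FILTERS))
```

On a real host the dictionary would be filled by reading each file in /etc/libvirt/nwfilter/ (or the output of `virsh nwfilter-dumpxml`), keyed by the filter's name attribute; the transitive walk matters because the spoofing filters are normally inherited through nova-base rather than referenced directly by the instance filter.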
floating IPs
Easy to Add
MUST be associated with the public_interface flag
Don’t get assigned inside the instance but instead rely on iptables (SNAT/DNAT)
Dynamically assigned
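Every iptables bullet in this deck comes down to reading `iptables -nvL` output: the default SNAT rule in nova-network-snat bound to public_interface, the dmz_cidr ACCEPT rule in nova-network-POSTROUTING, the per-instance security-group chain such as nova-compute-inst-771 with its "restrict all" default, and floating IPs that exist only as SNAT/DNAT rules. The following Python audit is an added example, not code from the talk or from nova: it parses constructed `-nvL` output and checks each of those properties, including the failure mode where a floating IP has only one of its two NAT halves programmed. The chain names nova-network-PREROUTING, nova-network-float-snat and nova-compute-sg-fallback, and every address, are assumptions not shown on the slides.

```python
import re

# Constructed `iptables -nvL` output in the shape of a Folsom nova-network host;
# nothing here was captured from a real system. nova-network-snat,
# nova-network-POSTROUTING and nova-compute-inst-771 are chain names from the
# slides; nova-network-PREROUTING, nova-network-float-snat and
# nova-compute-sg-fallback are assumed. Addresses are documentation ranges.
NAT_TABLE = """\
Chain nova-network-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            203.0.113.10         to:10.0.0.5
Chain nova-network-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          10.128.0.0/24
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          10.0.0.0/24          ! ctstate DNAT
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          192.168.100.0/24
Chain nova-network-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.0.0.5             0.0.0.0/0            to:203.0.113.10
    0     0 SNAT       all  --  *      *       10.0.0.9             0.0.0.0/0            to:203.0.113.11
Chain nova-network-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-network-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       all  --  *      eth0    10.0.0.0/24          0.0.0.0/0            to:198.51.100.2
"""
FILTER_TABLE = """\
Chain nova-compute-inst-771 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       10.0.0.1             0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain nova-compute-sg-fallback (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_iptables(output):
    """Parse `iptables -nvL` text into {chain: [rule, ...]}. Each rule keeps the
    fixed columns plus the trailing match text (ctstate ..., dpt:..., to:...)."""
    chains, current = {}, None
    for line in output.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or not f or f[0] == "pkts":
            continue
        chains[current].append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                                "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def snat_interfaces(chains):
    """Out-interfaces of the default SNAT rules; these should equal public_interface."""
    return sorted({r["out"] for r in chains.get("nova-network-snat", []) if r["target"] == "SNAT"})

def dmz_excluded(chains, dmz_cidr):
    """True if nova-network-POSTROUTING ACCEPTs traffic to dmz_cidr before the SNAT
    chain runs, i.e. the NAT exclusion the dmz_cidr option is meant to create."""
    return any(r["target"] == "ACCEPT" and r["dst"] == dmz_cidr
               for r in chains.get("nova-network-POSTROUTING", []))

def _nat_target(rule):
    return rule["extra"].split("to:", 1)[1].split()[0]

def floating_ip_pairs(chains):
    """floating IP -> (fixed IP per DNAT, fixed IP per SNAT); None marks a missing half."""
    dnat = {r["dst"]: _nat_target(r) for r in chains.get("nova-network-PREROUTING", [])
            if r["target"] == "DNAT"}
    snat = {_nat_target(r): r["src"] for r in chains.get("nova-network-float-snat", [])
            if r["target"] == "SNAT"}
    return {fip: (dnat.get(fip), snat.get(fip)) for fip in set(dnat) | set(snat)}

def inconsistent_floating_ips(chains):
    """Floating IPs whose DNAT and SNAT halves disagree or are only half-programmed."""
    return sorted(f for f, (d, s) in floating_ip_pairs(chains).items() if d != s)

def ends_in_drop(chains, chain, _depth=0):
    """Default deny: the last rule must DROP, directly or via a jump to a chain that does."""
    rules = chains.get(chain, [])
    if not rules or _depth > 8:
        return False
    last = rules[-1]["target"]
    return last == "DROP" or ends_in_drop(chains, last, _depth + 1)

def world_reachable_ports(chains, chain):
    """ACCEPT rules on an instance chain that admit any source to a port (for review)."""
    return [r["extra"] for r in chains.get(chain, [])
            if r["target"] == "ACCEPT" and r["src"] == "0.0.0.0/0" and "dpt:" in r["extra"]]

if __name__ == "__main__":
    nat, flt = parse_iptables(NAT_TABLE), parse_iptables(FILTER_TABLE)
    print("default SNAT out-interface:", snat_interfaces(nat))
    print("half-programmed floating IPs:", inconsistent_floating_ips(nat))
    for chain in (c for c in flt if c.startswith("nova-compute-inst-")):
        print(chain, "default deny:", ends_in_drop(flt, chain), "open:", world_reachable_ports(flt, chain))
```

To run this against a live host, feed it the text of `iptables -t nat -nvL` and `iptables -nvL` in place of the two constants and compare `snat_interfaces` against the public_interface value in nova.conf and `dmz_excluded` against each dmz_cidr entry; a floating IP reported by `inconsistent_floating_ips` is one that will either not accept inbound connections or will source outbound traffic from the wrong address.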
floating IPs (diagram slides 19-20; images not included in this transcript)
Integrating
Difficult
OpenStack is IPAM (partially)
DNS integration is lacking
Example (diagram slides 22-23; images not included in this transcript)
Open to discussions/thoughts/questions
Rackspace is hiring
www.rackertalent.com