The switch to using subnetpools caused quite a bit of confusion
because it didn't respect the value of FIXED_RANGE. This caused
conflicts in the gate with its default IPv4 value of 10.0.0.0/8.
This patch does a few things to address the issue:
* It introduces the IPV4_ADDRS_SAFE_TO_USE and IPV6_ADDRS_SAFE_TO_USE
values and adjusts all of the FIXED_RANGE and SUBNETPOOL_PREFIX values
to derive from them by default.
* This addresses the concern that was raised about implying that
SUBNETPOOL_PREFIX and FIXED_RANGE are equivalent when setting
SUBNETPOOL_PREFIX=FIXED_RANGE by default. Now we have a new value
for the operator to specify a chunk of addresses that are safe to
use for private networks without implementation implications.
* Backwards compatibility is maintained by allowing users to override
all of these values.
* The default for IPV4_ADDRS_SAFE_TO_USE uses /22 instead of /24
* Because we want to be able to use subnetpools for auto allocated
topologies and we want to be able to have a large chunk of
instances on each network, we needed a little more breathing room
in the default v4 network size.
* SUBNET_POOL_SIZE_V4 default is changed from 24 to 26
* In conjunction with this change and the one above, the default
subnetpool will support up to 16 64-address allocations.
* This should be enough to cover any regular gate scenarios.
* If someone wants a bigger/smaller subnet, they can ask for that
in the API request, change this value themselves, or use a different
network entirely.
* FIXED_RANGE_V6 defaults to a max prefix of /64 from IPV6_ADDRS_SAFE_TO_USE
* This avoids the private subnet in the non-subnetpool case from being
larger than /64 to avoid issues identified in rfc 7421.
* Users can still explicitly set this value to whatever they want.
This 'max' behavior is only for the default.
* This allows IPV6_ADDRS_SAFE_TO_USE to default to a /56, which leaves
tons of room for v6 subnetpools.
Closes-Bug: #1629133
Change-Id: I7b32804d47bec743c0b13e434e6a7958728896ea
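As an added illustration of the derivation the commit message describes (this is not code from the DevStack change itself), the following POSIX shell clamps an IPv6 block to its first /64 the way FIXED_RANGE_V6 is meant to default from IPV6_ADDRS_SAFE_TO_USE, and counts how many SUBNETPOOL_SIZE allocations a given *_ADDRS_SAFE_TO_USE value can hold. The function names and the sample prefixes (a made-up global ID) are the example's own; it assumes the address part of a prefix is the base of the block with no host bits set, which is true for the fd$IPV6_GLOBAL_ID:: default but not necessarily for an arbitrary operator-supplied value.

```shell
#!/bin/sh
# Added example, not part of the DevStack patch: reproduces the defaults
# the commit message describes. Function names are this example's own.

# first_v6_block PREFIX
#   Return PREFIX with its prefix length raised to at least 64: a block
#   larger than a /64 (e.g. a /56) yields its first /64, while a /64 or a
#   smaller block (e.g. a /96) is returned unchanged. This is the clamp the
#   message motivates with rfc7421. Assumes the address part is the block
#   base (no bits set below the prefix length).
first_v6_block() {
    addr=${1%/*}
    len=${1#*/}
    if [ "$len" -lt 64 ]; then
        len=64
    fi
    printf '%s/%s\n' "$addr" "$len"
}

# pool_allocations PREFIX SIZE
#   Number of /SIZE subnets a subnetpool with prefix PREFIX can hand out,
#   i.e. 2^(SIZE - prefix length); 0 when SIZE is shorter than the pool
#   prefix (the pool cannot satisfy such a request at all).
pool_allocations() {
    len=${1#*/}
    size=$2
    if [ "$size" -lt "$len" ]; then
        echo 0
        return
    fi
    echo $(( 1 << (size - len) ))
}

# Constructed sample values matching the patch's defaults.
echo "FIXED_RANGE_V6 from /56:  $(first_v6_block fd12:3456:789a::/56)"   # fd12:3456:789a::/64
echo "FIXED_RANGE_V6 from /96:  $(first_v6_block fd12:3456:789a::/96)"   # fd12:3456:789a::/96
echo "v4 /26 allocations in a /22: $(pool_allocations 10.0.0.0/22 26)"  # 16
echo "v4 /26 allocations in a /24: $(pool_allocations 10.0.0.0/24 26)"  # 4
echo "v6 /64 allocations in a /56: $(pool_allocations fd12:3456:789a::/56 64)"  # 256
```

The allocation count is the check an operator wants before overriding IPV4_ADDRS_SAFE_TO_USE with a /24 as several of the documentation examples do: with SUBNETPOOL_SIZE_V4=26 that pool holds only four networks, not the sixteen the message promises for the /22 default.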
... | ... |
@@ -63,7 +63,7 @@ exists it will be used instead to preserve backward-compatibility. |
63 | 63 |
:: |
64 | 64 |
|
65 | 65 |
[[local|localrc]] |
66 |
- FIXED_RANGE=10.254.1.0/24 |
|
66 |
+ IPV4_ADDRS_SAFE_TO_USE=10.254.1.0/24 |
|
67 | 67 |
ADMIN_PASSWORD=speciale |
68 | 68 |
LOGFILE=$DEST/logs/stack.sh.log |
69 | 69 |
|
... | ... |
@@ -161,8 +161,8 @@ values that most often need to be set. |
161 | 161 |
|
162 | 162 |
- no logging |
163 | 163 |
- pre-set the passwords to prevent interactive prompts |
164 |
-- move network ranges away from the local network (``FIXED_RANGE`` and |
|
165 |
- ``FLOATING_RANGE``, commented out below) |
|
164 |
+- move network ranges away from the local network (``IPV4_ADDRS_SAFE_TO_USE`` |
|
165 |
+ and ``FLOATING_RANGE``, commented out below) |
|
166 | 166 |
- set the host IP if detection is unreliable (``HOST_IP``, commented |
167 | 167 |
out below) |
168 | 168 |
|
... | ... |
@@ -173,7 +173,7 @@ values that most often need to be set. |
173 | 173 |
DATABASE_PASSWORD=$ADMIN_PASSWORD |
174 | 174 |
RABBIT_PASSWORD=$ADMIN_PASSWORD |
175 | 175 |
SERVICE_PASSWORD=$ADMIN_PASSWORD |
176 |
- #FIXED_RANGE=172.31.1.0/24 |
|
176 |
+ #IPV4_ADDRS_SAFE_TO_USE=172.31.1.0/24 |
|
177 | 177 |
#FLOATING_RANGE=192.168.20.0/25 |
178 | 178 |
#HOST_IP=10.3.4.5 |
179 | 179 |
|
... | ... |
@@ -537,12 +537,12 @@ behavior: |
537 | 537 |
|
538 | 538 |
IPV6_RA_MODE=slaac |
539 | 539 |
IPV6_ADDRESS_MODE=slaac |
540 |
- FIXED_RANGE_V6=fd$IPV6_GLOBAL_ID::/64 |
|
540 |
+ IPV6_ADDRS_SAFE_TO_USE=fd$IPV6_GLOBAL_ID::/56 |
|
541 | 541 |
IPV6_PRIVATE_NETWORK_GATEWAY=fd$IPV6_GLOBAL_ID::1 |
542 | 542 |
|
543 |
-*Note*: ``FIXED_RANGE_V6`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` can be |
|
544 |
-configured with any valid IPv6 prefix. The default values make use of |
|
545 |
-an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. |
|
543 |
+*Note*: ``IPV6_ADDRS_SAFE_TO_USE`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` |
|
544 |
+can be configured with any valid IPv6 prefix. The default values make |
|
545 |
+use of an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. |
|
546 | 546 |
|
547 | 547 |
Service Version |
548 | 548 |
~~~~~~~~~~~~~~~ |
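Review bot: the note says ``IPV6_ADDRS_SAFE_TO_USE`` can be any valid prefix, but the lib hunk derives ``FIXED_RANGE_V6`` as the first /64 of it, and the example keeps ``IPV6_PRIVATE_NETWORK_GATEWAY=fd$IPV6_GLOBAL_ID::1``; state that the gateway must fall inside that first /64 (it does for the default) and that ``FIXED_RANGE_V6`` can still be set explicitly when a different /64 out of the /56 is wanted.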
... | ... |
@@ -79,7 +79,7 @@ serving as a hypervisor for guest instances. |
79 | 79 |
## Neutron options |
80 | 80 |
Q_USE_SECGROUP=True |
81 | 81 |
FLOATING_RANGE="172.18.161.0/24" |
82 |
- FIXED_RANGE="10.0.0.0/24" |
|
82 |
+ IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/22" |
|
83 | 83 |
Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 |
84 | 84 |
PUBLIC_NETWORK_GATEWAY="172.18.161.1" |
85 | 85 |
PUBLIC_INTERFACE=eth0 |
... | ... |
@@ -387,17 +387,17 @@ controller node. |
387 | 387 |
|
388 | 388 |
## Neutron Networking options used to create Neutron Subnets |
389 | 389 |
|
390 |
- FIXED_RANGE="203.0.113.0/24" |
|
390 |
+ IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" |
|
391 | 391 |
NETWORK_GATEWAY=203.0.113.1 |
392 | 392 |
PROVIDER_SUBNET_NAME="provider_net" |
393 | 393 |
PROVIDER_NETWORK_TYPE="vlan" |
394 | 394 |
SEGMENTATION_ID=2010 |
395 | 395 |
USE_SUBNETPOOL=False |
396 | 396 |
|
397 |
-In this configuration we are defining FIXED_RANGE to be a |
|
397 |
+In this configuration we are defining IPV4_ADDRS_SAFE_TO_USE to be a |
|
398 | 398 |
publicly routed IPv4 subnet. In this specific instance we are using |
399 | 399 |
the special TEST-NET-3 subnet defined in `RFC 5737 <http://tools.ietf.org/html/rfc5737>`_, |
400 |
-which is used for documentation. In your DevStack setup, FIXED_RANGE |
|
400 |
+which is used for documentation. In your DevStack setup, IPV4_ADDRS_SAFE_TO_USE |
|
401 | 401 |
would be a public IP address range that you or your organization has |
402 | 402 |
allocated to you, so that you could access your instances from the |
403 | 403 |
public internet. |
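Review bot: this example sets USE_SUBNETPOOL=False and deliberately uses a publicly routed range, the opposite of what the new name ("safe to use for private networks" per the commit message) suggests; since FIXED_RANGE is still honoured and is the value consumed when subnetpools are off, keeping FIXED_RANGE here, or adding a sentence that with USE_SUBNETPOOL=False the value flows through FIXED_RANGE unchanged, would read less confusingly. The same applies to the macvtap example further down.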
... | ... |
@@ -524,7 +524,7 @@ setup, with small modifications for the interface mappings. |
524 | 524 |
## Neutron options |
525 | 525 |
Q_USE_SECGROUP=True |
526 | 526 |
FLOATING_RANGE="172.18.161.0/24" |
527 |
- FIXED_RANGE="10.0.0.0/24" |
|
527 |
+ IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/24" |
|
528 | 528 |
Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 |
529 | 529 |
PUBLIC_NETWORK_GATEWAY="172.18.161.1" |
530 | 530 |
PUBLIC_INTERFACE=eth0 |
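Review bot: this "Neutron options" block is otherwise identical to the one earlier on the page but ends up with IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/24" here versus "10.0.0.0/22" there; pick one, preferably the /22, which matches the new stackrc default and gives sixteen /26 allocations instead of four.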
... | ... |
@@ -573,7 +573,7 @@ you do not require them. |
573 | 573 |
Q_AGENT=macvtap |
574 | 574 |
PHYSICAL_NETWORK=default |
575 | 575 |
|
576 |
- FIXED_RANGE="203.0.113.0/24" |
|
576 |
+ IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" |
|
577 | 577 |
NETWORK_GATEWAY=203.0.113.1 |
578 | 578 |
PROVIDER_SUBNET_NAME="provider_net" |
579 | 579 |
PROVIDER_NETWORK_TYPE="vlan" |
... | ... |
@@ -15,7 +15,8 @@ If you don't specify any configuration you will get the following: |
15 | 15 |
* neutron (including l3 with openvswitch) |
16 | 16 |
* private project networks for each openstack project |
17 | 17 |
* a floating ip range of 172.24.4.0/24 with the gateway of 172.24.4.1 |
18 |
-* the demo project configured with fixed ips on 10.0.0.0/24 |
|
18 |
+* the demo project configured with fixed ips on a subnet allocated from |
|
19 |
+ the 10.0.0.0/22 range |
|
19 | 20 |
* a ``br-ex`` interface controlled by neutron for all it's networking |
20 | 21 |
(this is not connected to any physical interfaces). |
21 | 22 |
* DNS resolution for guests based on the resolv.conf for you host |
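Review bot: "a subnet allocated from the 10.0.0.0/22 range" should state the size: with SUBNETPOOL_SIZE_V4=26 the demo network gets a /26 (64 addresses), smaller than the /24 the previous text promised, and that is the behaviour change a user of the defaults will actually notice.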
... | ... |
@@ -95,3 +96,21 @@ the range of floating ips that will be handed out. As we are sharing |
95 | 95 |
your existing network, you'll want to give it a slice that your local |
96 | 96 |
dhcp server is not allocating. Otherwise you could easily have |
97 | 97 |
conflicting ip addresses, and cause havoc with your local network. |
98 |
+ |
|
99 |
+ |
|
100 |
+Private Network Addressing |
|
101 |
+========================== |
|
102 |
+ |
|
103 |
+The private networks addresses are controlled by the ``IPV4_ADDRS_SAFE_TO_USE`` |
|
104 |
+and the ``IPV6_ADDRS_SAFE_TO_USE`` variables. This allows users to specify one |
|
105 |
+single variable of safe internal IPs to use that will be referenced whether or |
|
106 |
+not subnetpools are in use. |
|
107 |
+ |
|
108 |
+For IPv4, ``FIXED_RANGE`` and ``SUBNETPOOL_PREFIX_V4`` will just default to |
|
109 |
+the value of ``IPV4_ADDRS_SAFE_TO_USE`` directly. |
|
110 |
+ |
|
111 |
+For IPv6, ``FIXED_RANGE`` will default to the first /64 of the value of |
|
112 |
+``IPV6_ADDRS_SAFE_TO_USE``. If ``IPV6_ADDRS_SAFE_TO_USE`` is /64 or smaller, |
|
113 |
+``FIXED_RANGE`` will just use the value of that directly. |
|
114 |
+``SUBNETPOOL_PREFIX_V6`` will just default to the value of |
|
115 |
+``IPV6_ADDRS_SAFE_TO_USE`` directly. |
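Review bot: the IPv6 paragraph names the wrong variable: it is ``FIXED_RANGE_V6``, not ``FIXED_RANGE``, that defaults to the first /64 of ``IPV6_ADDRS_SAFE_TO_USE`` (see the lib hunk). "If ``IPV6_ADDRS_SAFE_TO_USE`` is /64 or smaller" is ambiguous about whether prefix length or block size is meant; say "has a prefix length of 64 or more (a /64 or a smaller block such as a /96)". Also "The private networks addresses" should be "The private network addresses".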
... | ... |
@@ -70,7 +70,10 @@ IPV6_RA_MODE=${IPV6_RA_MODE:-slaac} |
70 | 70 |
IPV6_ADDRESS_MODE=${IPV6_ADDRESS_MODE:-slaac} |
71 | 71 |
IPV6_PUBLIC_SUBNET_NAME=${IPV6_PUBLIC_SUBNET_NAME:-ipv6-public-subnet} |
72 | 72 |
IPV6_PRIVATE_SUBNET_NAME=${IPV6_PRIVATE_SUBNET_NAME:-ipv6-private-subnet} |
73 |
-FIXED_RANGE_V6=${FIXED_RANGE_V6:-fd$IPV6_GLOBAL_ID::/64} |
|
73 |
+IPV6_ADDRS_SAFE_TO_USE=${IPV6_ADDRS_SAFE_TO_USE:-fd$IPV6_GLOBAL_ID::/56} |
|
74 |
+# if we got larger than a /64 safe to use, we only use the first /64 to |
|
75 |
+# avoid side effects outlined in rfc7421 |
|
76 |
+FIXED_RANGE_V6=${FIXED_RANGE_V6:-$(echo $IPV6_ADDRS_SAFE_TO_USE | awk -F '/' '{ print ($2>63 ? $2 : 64) }')} |
|
74 | 77 |
IPV6_PRIVATE_NETWORK_GATEWAY=${IPV6_PRIVATE_NETWORK_GATEWAY:-} |
75 | 78 |
IPV6_PUBLIC_RANGE=${IPV6_PUBLIC_RANGE:-2001:db8::/64} |
76 | 79 |
IPV6_PUBLIC_NETWORK_GATEWAY=${IPV6_PUBLIC_NETWORK_GATEWAY:-2001:db8::2} |
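Review bot: the FIXED_RANGE_V6 default is broken: `awk -F '/' '{ print ($2>63 ? $2 : 64) }'` prints only the prefix length, so with the default IPV6_ADDRS_SAFE_TO_USE=fd$IPV6_GLOBAL_ID::/56 FIXED_RANGE_V6 becomes the string "64" rather than fd$IPV6_GLOBAL_ID::/64. The address part has to be re-emitted, e.g. `awk -F '/' '{ print $1 "/" ($2 > 63 ? $2 : 64) }'`. That also silently assumes the address part is the base of the block (no bits set below the prefix length), which holds for the default but not for an arbitrary operator value; document it or mask the address. The comment above should say "a prefix shorter than /64" to make clear which direction the clamp works.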
... | ... |
@@ -86,10 +89,10 @@ PUBLIC_SUBNET_NAME=${PUBLIC_SUBNET_NAME:-"public-subnet"} |
86 | 86 |
USE_SUBNETPOOL=${USE_SUBNETPOOL:-True} |
87 | 87 |
SUBNETPOOL_NAME=${SUBNETPOOL_NAME:-"shared-default-subnetpool"} |
88 | 88 |
|
89 |
-SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/16} |
|
90 |
-SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-2001:db8:8000::/48} |
|
89 |
+SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-$IPV4_ADDRS_SAFE_TO_USE} |
|
90 |
+SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-$IPV6_ADDRS_SAFE_TO_USE} |
|
91 | 91 |
|
92 |
-SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-24} |
|
92 |
+SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-26} |
|
93 | 93 |
SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64} |
94 | 94 |
|
95 | 95 |
default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}') |
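Review bot: two user-visible default changes in this hunk are not covered by the commit message and deserve a release note: SUBNETPOOL_PREFIX_V6 moves from the documentation prefix 2001:db8:8000::/48 to the ULA fd$IPV6_GLOBAL_ID::/56, and SUBNETPOOL_PREFIX_V4 goes from a /16 handing out /24s (256 networks) to a /22 handing out /26s (16 networks). SUBNETPOOL_PREFIX_V4 also now depends on IPV4_ADDRS_SAFE_TO_USE already being set by the hunk below; an inline fallback such as ${IPV4_ADDRS_SAFE_TO_USE:-10.0.0.0/22} would keep this file safe to source on its own.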
... | ... |
@@ -765,7 +765,8 @@ ENABLE_DEBUG_LOG_LEVEL=$(trueorfalse True ENABLE_DEBUG_LOG_LEVEL) |
765 | 765 |
# Note that setting ``FIXED_RANGE`` may be necessary when running DevStack |
766 | 766 |
# in an OpenStack cloud that uses either of these address ranges internally. |
767 | 767 |
FLOATING_RANGE=${FLOATING_RANGE:-172.24.4.0/24} |
768 |
-FIXED_RANGE=${FIXED_RANGE:-10.0.0.0/24} |
|
768 |
+IPV4_ADDRS_SAFE_TO_USE=${IPV4_ADDRS_SAFE_TO_USE:-10.0.0.0/22} |
|
769 |
+FIXED_RANGE=${FIXED_RANGE:-$IPV4_ADDRS_SAFE_TO_USE} |
|
769 | 770 |
FIXED_NETWORK_SIZE=${FIXED_NETWORK_SIZE:-256} |
770 | 771 |
HOST_IP_IFACE=${HOST_IP_IFACE:-} |
771 | 772 |
HOST_IP=${HOST_IP:-} |
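Review bot: the comment two lines above still says setting FIXED_RANGE may be necessary when DevStack runs inside a cloud that uses these ranges, but after this change setting only FIXED_RANGE no longer moves the subnetpool prefix (SUBNETPOOL_PREFIX_V4 derives from IPV4_ADDRS_SAFE_TO_USE, not from FIXED_RANGE), so the comment should point at IPV4_ADDRS_SAFE_TO_USE. FIXED_RANGE also now defaults to a /22 while FIXED_NETWORK_SIZE stays 256; if the two are meant to agree on the non-subnetpool path, FIXED_NETWORK_SIZE needs to become 1024 or be derived from the prefix.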