Derive IP ranges from new ADDRS_SAFE_TO_USE vars
The switch to using subnetpools caused quite a bit of confusion
because it didn't respect the value of FIXED_RANGE. This caused
conflicts in the gate with it's default IPv4 value of 10.0.0.0/8.
This patch does a few things to address the issue:
* It introduces the IPV4_ADDRS_SAFE_TO_USE and IPV6_ADDRS_SAFE_TO_USE
values and adjusts all of the FIXED_RANGE and SUBNETPOOL_PREFIX values
to dervive from them by default.
* This addresses the concern that was raised about implying that
SUBNETPOOL_PREFIX and FIXED_RANGE are equivalent when setting
SUBNETPOOL_PREFIX=FIXED_RANGE by default. Now we have a new value
for the operator specify a chunk of addresses that are safe to
use for private networks without implementation implications.
* Backwards compatibility is maintained by alloing users to override
override all of these values.
* The default for IPV4_ADDRS_SAFE_TO_USE uses /22 instead of /24
* Because we want to be able to use subnetpools for auto allocated
topologies and we want to be able to have a large chunk of
instances on each network, we needed a little more breathing room
in the default v4 network size.
* SUBNET_POOL_SIZE_V4 default is changed from 24 to 26
* In conjuction with this change and the one above, the default
subnetpool will support up to 16 64-address allocations.
* This should be enough to cover any regular gate scenarios.
* If someone wants a bigger/smaller subnet, they can ask for that
in the API request, change this value themselves, or use a different
network entirely.
* FIXED_RANGE_V6 defaults to a max prefix of /64 from IPV6_ADDRS_SAFE_TO_USE
* This avoids the private subnet in the non-subnetpool case from being
larger than /64 to avoid issues identified in rfc 7421.
* Users can still explicitly set this value to whatever they want.
This 'max' behavior is only for the default.
* This allows IPV6_ADDRS_SAFE_TO_USE to default to a /56, which leaves
tons of room for v6 subnetpools.
Closes-Bug: #1629133
Change-Id: I7b32804d47bec743c0b13e434e6a7958728896ea
Kevin Benton authored on 2016/11/16 10:26:05Showing 5 changed files
- doc/source/configuration.rst
- doc/source/guides/neutron.rst
- doc/source/networking.rst
- lib/neutron_plugins/services/l3
- stackrc
| ... | ... |
@@ -63,7 +63,7 @@ exists it will be used instead to preserve backward-compatibility. |
| 63 | 63 |
:: |
| 64 | 64 |
|
| 65 | 65 |
[[local|localrc]] |
| 66 |
- FIXED_RANGE=10.254.1.0/24 |
|
| 66 |
+ IPV4_ADDRS_SAFE_TO_USE=10.254.1.0/24 |
|
| 67 | 67 |
ADMIN_PASSWORD=speciale |
| 68 | 68 |
LOGFILE=$DEST/logs/stack.sh.log |
| 69 | 69 |
|
| ... | ... |
@@ -161,8 +161,8 @@ values that most often need to be set. |
| 161 | 161 |
|
| 162 | 162 |
- no logging |
| 163 | 163 |
- pre-set the passwords to prevent interactive prompts |
| 164 |
-- move network ranges away from the local network (``FIXED_RANGE`` and |
|
| 165 |
- ``FLOATING_RANGE``, commented out below) |
|
| 164 |
+- move network ranges away from the local network (``IPV4_ADDRS_SAFE_TO_USE`` |
|
| 165 |
+ and ``FLOATING_RANGE``, commented out below) |
|
| 166 | 166 |
- set the host IP if detection is unreliable (``HOST_IP``, commented |
| 167 | 167 |
out below) |
| 168 | 168 |
|
| ... | ... |
@@ -173,7 +173,7 @@ values that most often need to be set. |
| 173 | 173 |
DATABASE_PASSWORD=$ADMIN_PASSWORD |
| 174 | 174 |
RABBIT_PASSWORD=$ADMIN_PASSWORD |
| 175 | 175 |
SERVICE_PASSWORD=$ADMIN_PASSWORD |
| 176 |
- #FIXED_RANGE=172.31.1.0/24 |
|
| 176 |
+ #IPV4_ADDRS_SAFE_TO_USE=172.31.1.0/24 |
|
| 177 | 177 |
#FLOATING_RANGE=192.168.20.0/25 |
| 178 | 178 |
#HOST_IP=10.3.4.5 |
| 179 | 179 |
|
| ... | ... |
@@ -537,12 +537,12 @@ behavior: |
| 537 | 537 |
|
| 538 | 538 |
IPV6_RA_MODE=slaac |
| 539 | 539 |
IPV6_ADDRESS_MODE=slaac |
| 540 |
- FIXED_RANGE_V6=fd$IPV6_GLOBAL_ID::/64 |
|
| 540 |
+ IPV6_ADDRS_SAFE_TO_USE=fd$IPV6_GLOBAL_ID::/56 |
|
| 541 | 541 |
IPV6_PRIVATE_NETWORK_GATEWAY=fd$IPV6_GLOBAL_ID::1 |
| 542 | 542 |
|
| 543 |
-*Note*: ``FIXED_RANGE_V6`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` can be |
|
| 544 |
-configured with any valid IPv6 prefix. The default values make use of |
|
| 545 |
-an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. |
|
| 543 |
+*Note*: ``IPV6_ADDRS_SAFE_TO_USE`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` |
|
| 544 |
+can be configured with any valid IPv6 prefix. The default values make |
|
| 545 |
+use of an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. |
|
| 546 | 546 |
|
| 547 | 547 |
Service Version |
| 548 | 548 |
~~~~~~~~~~~~~~~ |
| ... | ... |
@@ -79,7 +79,7 @@ serving as a hypervisor for guest instances. |
| 79 | 79 |
## Neutron options |
| 80 | 80 |
Q_USE_SECGROUP=True |
| 81 | 81 |
FLOATING_RANGE="172.18.161.0/24" |
| 82 |
- FIXED_RANGE="10.0.0.0/24" |
|
| 82 |
+ IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/22" |
|
| 83 | 83 |
Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 |
| 84 | 84 |
PUBLIC_NETWORK_GATEWAY="172.18.161.1" |
| 85 | 85 |
PUBLIC_INTERFACE=eth0 |
| ... | ... |
@@ -387,17 +387,17 @@ controller node. |
| 387 | 387 |
|
| 388 | 388 |
## Neutron Networking options used to create Neutron Subnets |
| 389 | 389 |
|
| 390 |
- FIXED_RANGE="203.0.113.0/24" |
|
| 390 |
+ IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" |
|
| 391 | 391 |
NETWORK_GATEWAY=203.0.113.1 |
| 392 | 392 |
PROVIDER_SUBNET_NAME="provider_net" |
| 393 | 393 |
PROVIDER_NETWORK_TYPE="vlan" |
| 394 | 394 |
SEGMENTATION_ID=2010 |
| 395 | 395 |
USE_SUBNETPOOL=False |
| 396 | 396 |
|
| 397 |
-In this configuration we are defining FIXED_RANGE to be a |
|
| 397 |
+In this configuration we are defining IPV4_ADDRS_SAFE_TO_USE to be a |
|
| 398 | 398 |
publicly routed IPv4 subnet. In this specific instance we are using |
| 399 | 399 |
the special TEST-NET-3 subnet defined in `RFC 5737 <http://tools.ietf.org/html/rfc5737>`_, |
| 400 |
-which is used for documentation. In your DevStack setup, FIXED_RANGE |
|
| 400 |
+which is used for documentation. In your DevStack setup, IPV4_ADDRS_SAFE_TO_USE |
|
| 401 | 401 |
would be a public IP address range that you or your organization has |
| 402 | 402 |
allocated to you, so that you could access your instances from the |
| 403 | 403 |
public internet. |
| ... | ... |
@@ -524,7 +524,7 @@ setup, with small modifications for the interface mappings. |
| 524 | 524 |
## Neutron options |
| 525 | 525 |
Q_USE_SECGROUP=True |
| 526 | 526 |
FLOATING_RANGE="172.18.161.0/24" |
| 527 |
- FIXED_RANGE="10.0.0.0/24" |
|
| 527 |
+ IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/24" |
|
| 528 | 528 |
Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 |
| 529 | 529 |
PUBLIC_NETWORK_GATEWAY="172.18.161.1" |
| 530 | 530 |
PUBLIC_INTERFACE=eth0 |
| ... | ... |
@@ -573,7 +573,7 @@ you do not require them. |
| 573 | 573 |
Q_AGENT=macvtap |
| 574 | 574 |
PHYSICAL_NETWORK=default |
| 575 | 575 |
|
| 576 |
- FIXED_RANGE="203.0.113.0/24" |
|
| 576 |
+ IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" |
|
| 577 | 577 |
NETWORK_GATEWAY=203.0.113.1 |
| 578 | 578 |
PROVIDER_SUBNET_NAME="provider_net" |
| 579 | 579 |
PROVIDER_NETWORK_TYPE="vlan" |
| ... | ... |
@@ -15,7 +15,8 @@ If you don't specify any configuration you will get the following: |
| 15 | 15 |
* neutron (including l3 with openvswitch) |
| 16 | 16 |
* private project networks for each openstack project |
| 17 | 17 |
* a floating ip range of 172.24.4.0/24 with the gateway of 172.24.4.1 |
| 18 |
-* the demo project configured with fixed ips on 10.0.0.0/24 |
|
| 18 |
+* the demo project configured with fixed ips on a subnet allocated from |
|
| 19 |
+ the 10.0.0.0/22 range |
|
| 19 | 20 |
* a ``br-ex`` interface controlled by neutron for all it's networking |
| 20 | 21 |
(this is not connected to any physical interfaces). |
| 21 | 22 |
* DNS resolution for guests based on the resolv.conf for you host |
| ... | ... |
@@ -95,3 +96,21 @@ the range of floating ips that will be handed out. As we are sharing |
| 95 | 95 |
your existing network, you'll want to give it a slice that your local |
| 96 | 96 |
dhcp server is not allocating. Otherwise you could easily have |
| 97 | 97 |
conflicting ip addresses, and cause havoc with your local network. |
| 98 |
+ |
|
| 99 |
+ |
|
| 100 |
+Private Network Addressing |
|
| 101 |
+========================== |
|
| 102 |
+ |
|
| 103 |
+The private networks addresses are controlled by the ``IPV4_ADDRS_SAFE_TO_USE`` |
|
| 104 |
+and the ``IPV6_ADDRS_SAFE_TO_USE`` variables. This allows users to specify one |
|
| 105 |
+single variable of safe internal IPs to use that will be referenced whether or |
|
| 106 |
+not subnetpools are in use. |
|
| 107 |
+ |
|
| 108 |
+For IPv4, ``FIXED_RANGE`` and ``SUBNETPOOL_PREFIX_V4`` will just default to |
|
| 109 |
+the value of ``IPV4_ADDRS_SAFE_TO_USE`` directly. |
|
| 110 |
+ |
|
| 111 |
+For IPv6, ``FIXED_RANGE`` will default to the first /64 of the value of |
|
| 112 |
+``IPV6_ADDRS_SAFE_TO_USE``. If ``IPV6_ADDRS_SAFE_TO_USE`` is /64 or smaller, |
|
| 113 |
+``FIXED_RANGE`` will just use the value of that directly. |
|
| 114 |
+``SUBNETPOOL_PREFIX_V6`` will just default to the value of |
|
| 115 |
+``IPV6_ADDRS_SAFE_TO_USE`` directly. |
| ... | ... |
@@ -70,7 +70,10 @@ IPV6_RA_MODE=${IPV6_RA_MODE:-slaac}
|
| 70 | 70 |
IPV6_ADDRESS_MODE=${IPV6_ADDRESS_MODE:-slaac}
|
| 71 | 71 |
IPV6_PUBLIC_SUBNET_NAME=${IPV6_PUBLIC_SUBNET_NAME:-ipv6-public-subnet}
|
| 72 | 72 |
IPV6_PRIVATE_SUBNET_NAME=${IPV6_PRIVATE_SUBNET_NAME:-ipv6-private-subnet}
|
| 73 |
-FIXED_RANGE_V6=${FIXED_RANGE_V6:-fd$IPV6_GLOBAL_ID::/64}
|
|
| 73 |
+IPV6_ADDRS_SAFE_TO_USE=${IPV6_ADDRS_SAFE_TO_USE:-fd$IPV6_GLOBAL_ID::/56}
|
|
| 74 |
+# if we got larger than a /64 safe to use, we only use the first /64 to |
|
| 75 |
+# avoid side effects outlined in rfc7421 |
|
| 76 |
+FIXED_RANGE_V6=${FIXED_RANGE_V6:-$(echo $IPV6_ADDRS_SAFE_TO_USE | awk -F '/' '{ print ($2>63 ? $2 : 64) }')}
|
|
| 74 | 77 |
IPV6_PRIVATE_NETWORK_GATEWAY=${IPV6_PRIVATE_NETWORK_GATEWAY:-}
|
| 75 | 78 |
IPV6_PUBLIC_RANGE=${IPV6_PUBLIC_RANGE:-2001:db8::/64}
|
| 76 | 79 |
IPV6_PUBLIC_NETWORK_GATEWAY=${IPV6_PUBLIC_NETWORK_GATEWAY:-2001:db8::2}
|
| ... | ... |
@@ -86,10 +89,10 @@ PUBLIC_SUBNET_NAME=${PUBLIC_SUBNET_NAME:-"public-subnet"}
|
| 86 | 86 |
USE_SUBNETPOOL=${USE_SUBNETPOOL:-True}
|
| 87 | 87 |
SUBNETPOOL_NAME=${SUBNETPOOL_NAME:-"shared-default-subnetpool"}
|
| 88 | 88 |
|
| 89 |
-SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/16}
|
|
| 90 |
-SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-2001:db8:8000::/48}
|
|
| 89 |
+SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-$IPV4_ADDRS_SAFE_TO_USE}
|
|
| 90 |
+SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-$IPV6_ADDRS_SAFE_TO_USE}
|
|
| 91 | 91 |
|
| 92 |
-SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-24}
|
|
| 92 |
+SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-26}
|
|
| 93 | 93 |
SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64}
|
| 94 | 94 |
|
| 95 | 95 |
default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}')
|
| ... | ... |
@@ -765,7 +765,8 @@ ENABLE_DEBUG_LOG_LEVEL=$(trueorfalse True ENABLE_DEBUG_LOG_LEVEL) |
| 765 | 765 |
# Note that setting ``FIXED_RANGE`` may be necessary when running DevStack |
| 766 | 766 |
# in an OpenStack cloud that uses either of these address ranges internally. |
| 767 | 767 |
FLOATING_RANGE=${FLOATING_RANGE:-172.24.4.0/24}
|
| 768 |
-FIXED_RANGE=${FIXED_RANGE:-10.0.0.0/24}
|
|
| 768 |
+IPV4_ADDRS_SAFE_TO_USE=${IPV4_ADDRS_SAFE_TO_USE:-10.0.0.0/22}
|
|
| 769 |
+FIXED_RANGE=${FIXED_RANGE:-$IPV4_ADDRS_SAFE_TO_USE}
|
|
| 769 | 770 |
FIXED_NETWORK_SIZE=${FIXED_NETWORK_SIZE:-256}
|
| 770 | 771 |
HOST_IP_IFACE=${HOST_IP_IFACE:-}
|
| 771 | 772 |
HOST_IP=${HOST_IP:-}
|