A common problem for people who want to try Openstack without a full blown hardware setup is that they have just one network interface. Openstack identifies three distinct networks
This is where all your inter process communication happens. This is where your mysql-server/queue-server etc are listening and this is where your services exchange information among themselves. On a proper set up this network should be isolated and secured and the interface connected to this network should not be added to any bridge.
This is where your Instances talk to each other and to their network’s l3 and dhcp services. This network again should be isolated and secured. There can be more than one data network. The data networks are mapped to a physical networks which will be available for neutron to use using config file parameters. It is the physical network that you denote as ‘provider:physical_network’ in the ‘neutron net-create‘ API call. You need not worry about choosing the physical_network for each network you create as neutron will choose it for you if you did not.
Present inside the ‘ovs’ section of ‘ml2_conf.ini’. You tell Neutron which physical networks are available for use through this parameter. You also have to tell which bridge to use in order to reach that physical network. Thus ‘bridge_mappings’ is a comma separated list of ‘physical_network:bridge_name’ pairs. You also have to make sure the bridges that you mapped to physical networks exists on the host.
Present under ‘ml2_type_flat’ section. Configured in case of flat networks. This is just a comma separated list of physical networks that are flat(no vlan involved)
Present under ‘ml2_type_vlan’ section. Configured in case of vlan networks. This is similar to flat_networks except that for each physical networks there is a start and an end vlan appended with a ‘:’ between them.
Present under ‘ovs’ section’. In case you are using GRE mode this parameter will tell neutron which IP to bind and run GRE on. This in turn determines which interface and network should be used as data network. So it is a good idea to use an interface other than the one used for internal network.
Finally, unless you are using ‘GRE’ alone, you have to add one of the host’s network interface to every bridge specified so that all physical networks are now bridged to their corresponding data network. Using a little trick you can even map more than one physical network to a data network.
This network is used for two purposes.
- To expose the services(nova-api, glance-api .,etc) to consumers outside of Openstack.
- To allow your Instances to be accessible from outside of Openstack, through floating-ip.
It is a good idea to use two external networks for the above two purposes. That way you can restrict all ports other than those on which your exposed services are listening.
In Neutron and external network is one on which you have ‘router:external’ set to true. Only then can you create foating-ips on it. In all other ways all rules that apply to physical networks also apply here. Normally you would want to chose a flat physical network for creating external network. Otherwise you would have to ask your network administrator to set up vlan on the switch port connecting to the machine running your l3-agent and things start to get ugly.
The host interface connecting to the external network should not have any form of security. You should allow security groups to do that job.
Using the same Interface for all Networks
Finally we arrive at the purpose of this blog. This blog gives you plenty of information and reason why you should not do this but while you are experimenting all is fair.
- eth0 is the only available port
ovs-vsctl add-br br-eth0 ovs-vsctl add-port br-eth0 eth0 ifconfig br-eth0 <ip address of eth0> up ip link set br-eth0 promisc on ip link add proxy-br-eth1 type veth peer name eth1-br-proxy ip link add proxy-br-ex type veth peer name ex-br-proxy ovs-vsctl add-br br-eth1 ovs-vsctl add-br br-ex ovs-vsctl add-port br-eth1 eth1-br-proxy ovs-vsctl add-port br-ex ex-br-proxy ovs-vsctl add-port br-eth0 proxy-br-eth1 ovs-vsctl add-port br-eth0 proxy-br-ex ip link set eth1-br-proxy up promisc on ip link set ex-br-proxy up promisc on ip link set proxy-br-eth1 up promisc on ip link set proxy-br-ex up promisc on
- What we have done is added a new bridge br-eth0 and added eth0 to it.
- Assign eth0’s ip address to br-eth0 and set the interface in promiscuous mode.
- Then we create two veth pairs. In case you are not aware they are like virtual cables.
- We connect br-eth1 and br-ex to br-eth0 using the veth pairs.
- Then we enable promiscuous mode and bring up all the interfaces we use.
Running Controller and Network on same host
Sometimes It is desired to have controller and Network node running on same machine and the machines have only two network interfaces each. The compute node requires only two interfaces as shown in the picture below. However in the network node we can combine the internal and external network by adding eth0 to br-ex and assigning br-ex with the ip address of eth0.
ovs-vsctl add-port br-ex eth0 ifconfig br-ex up ip link set eth0 up promisc on
If both your servers have only a single nic you may follow the below setup.
On network/controller node
#add all bridges ovs-vsctl add-br br-int ovs-vsctl add-br br-ex ovs-vsctl add-br br-eth1 ovs-vsctl add-br br-proxy #Create Veth pairs ip link add proxy-br-eth1 type veth peer name eth1-br-proxy ip link add proxy-br-ex type veth peer name ex-br-proxy #Attach bridges using veth pair ovs-vsctl add-port br-eth1 eth1-br-proxy ovs-vsctl add-port br-ex ex-br-proxy ovs-vsctl add-port br-proxy proxy-br-eth1 ovs-vsctl add-port br-proxy proxy-br-ex #Assign eth0's ip address to br-proxy ifconfig br-proxy up #Bring up the interfaces ip link set eth1-br-proxy up promisc on ip link set ex-br-proxy up promisc on ip link set proxy-br-eth1 up promisc on ip link set proxy-br-ex up promisc on
On the Compute node
ovs-vsctl add-br br-eth1 ovs-vsctl add-port br-eth1 eth0 #Assign eth0's ip addres to br-eth1 ifconfig br-eth1 up #Bring up the interfaces ip link set eth0 up promisc on
The pictorial representation would be something like below