~0x44/nova/bug838466

In this mode, each project gets its own VLAN, Linux networking bridge, and subnet. The subnets are specified by the network administrator, and are assigned dynamically to a project when required. A DHCP Server is started for each VLAN to pass out IP addresses to VM instances from the subnet assigned to the project. All instances belonging to one project are bridged into the same VLAN for that project. The Linux networking bridges and VLANs are created by Nova when required, described in more detail in Nova VLAN Network Management Implementation.

(this text revised above)

Because the flat network and flat DhCP network are simple to understand and yet do not scale well enough for real-world cloud systems, this section focuses on the VLAN network implementation by the VLAN Network Manager.

In the VLAN network mode, all the VM instances of a project are connected together in a VLAN with the specified private subnet. Each running VM instance is assigned an IP address within the given private subnet.

.. image:: /images/Novadiagram.png

:width: 790

While network traffic between VM instances belonging to the same VLAN is always open, Nova can enforce isolation of network traffic between different projects by enforcing one VLAN per project.

In addition, the network administrator can specify a pool of public IP addresses that users may allocate and then assign to VMs, either at boot or dynamically at run-time. This capability is similar to Amazon's 'elastic IPs'. A public IP address may be associated with a running instances, allowing the VM instance to be accessed from the public network. The public IP addresses are accessible from the network host and NATed to the private IP address of the project.

.. todo:: Describe how a public IP address could be associated with a project (a VLAN)

This is the default networking mode and supports the most features. For multiple machine installation, it requires a switch that supports host-managed vlan tagging. In this mode, nova will create a vlan and bridge for each project. The project gets a range of private ips that are only accessible from inside the vlan. In order for a user to access the instances in their project, a special vpn instance (code named :ref:`cloudpipe <cloudpipe>`) needs to be created. Nova generates a certificate and key for the user to access the vpn and starts the vpn automatically. More information on cloudpipe can be found :ref:`here <cloudpipe>`.

The following diagram illustrates how the communication that occurs between the vlan (the dashed box) and the public internet (represented by the two clouds)

.. image:: /images/cloudpipe.png

:width: 100%

Goals

-----

For our implementation of Nova, our goal is that each project is in a protected network segment. Here are the specifications we keep in mind for meeting this goal.

* RFC-1918 IP space

* public IP via NAT

* no default inbound Internet access without public NAT

* limited (project-admin controllable) outbound Internet access

* limited (project-admin controllable) access to other project segments

* all connectivity to instance and cloud API is via VPN into the project segment

We also keep as a goal a common DMZ segment for support services, meaning these items are only visible from project segment:

* metadata

* dashboard

Limitations

-----------

We kept in mind some of these limitations:

* Projects / cluster limited to available VLANs in switching infrastructure

* Requires VPN for access to project segment

Implementation

--------------

Currently Nova segregates project VLANs using 802.1q VLAN tagging in the

switching layer. Compute hosts create VLAN-specific interfaces and bridges

as required.

The network nodes act as default gateway for project networks and contain

all of the routing and firewall rules implementing security groups. The

network node also handles DHCP to provide instance IPs for each project.

VPN access is provided by running a small instance called CloudPipe

on the IP immediately following the gateway IP for each project. The

network node maps a dedicated public IP/port to the CloudPipe instance.

Compute nodes have per-VLAN interfaces and bridges created as required.

These do NOT have IP addresses in the host to protect host access.

Compute nodes have iptables/ebtables entries created per project and

instance to protect against IP/MAC address spoofing and ARP poisoning.

The network assignment to a project, and IP address assignment to a VM instance, are triggered when a user starts to run a VM instance. When running a VM instance, a user needs to specify a project for the instances, and the security groups (described in Security Groups) when the instance wants to join. If this is the first instance to be created for the project, then Nova (the cloud controller) needs to find a network controller to be the network host for the project; it then sets up a private network by finding an unused VLAN id, an unused subnet, and then the controller assigns them to the project, it also assigns a name to the project's Linux bridge (br100 stored in the Nova database), and allocating a private IP within the project's subnet for the new instance.

If the instance the user wants to start is not the project's first, a subnet and a VLAN must have already been assigned to the project; therefore the system needs only to find an available IP address within the subnet and assign it to the new starting instance. If there is no private IP available within the subnet, an exception will be raised to the cloud controller, and the VM creation cannot proceed.

External Infrastructure

100

-----------------------

101

102

Nova assumes the following is available:

103

104

* DNS

105

* NTP

106

* Internet connectivity

107

108

109

Example

110

-------

111

112

This example network configuration demonstrates most of the capabilities

113

of VLAN Mode. It splits administrative access to the nodes onto a dedicated

114

management network and uses dedicated network nodes to handle all

115

routing and gateway functions.

116

117

It uses a 10GB network for instance traffic and a 1GB network for management.

118

119

120

Hardware

121

~~~~~~~~

122

123

* All nodes have a minimum of two NICs for management and production.

124

125

* management is 1GB

126

* production is 10GB

127

* add additional NICs for bonding or HA/performance

128

129

* network nodes should have an additional NIC dedicated to public Internet traffic

130

* switch needs to support enough simultaneous VLANs for number of projects

131

* production network configured as 802.1q trunk on switch

132

133

134

Operation

135

~~~~~~~~~

136

137

The network node controls the project network configuration:

138

139

* assigns each project a VLAN and private IP range

140

* starts dnsmasq on project VLAN to serve private IP range

141

* configures iptables on network node for default project access

142

* launches CloudPipe instance and configures iptables access

143

144

When starting an instance the network node:

145

146

* sets up a VLAN interface and bridge on each host as required when an

147

instance is started on that host

148

* assigns private IP to instance

149

* generates MAC address for instance

150

* update dnsmasq with IP/MAC for instance

151

152

When starting an instance the compute node:

153

154

* sets up a VLAN interface and bridge on each host as required when an

155

instance is started on that host

156

157

158

Setup

159

~~~~~

160

161

* Assign VLANs in the switch:

162

163

* public Internet segment

164

* production network

165

* management network

166

* cluster DMZ

167

168

* Assign a contiguous range of VLANs to Nova for project use.

169

* Configure management NIC ports as management VLAN access ports.

170

* Configure management VLAN with Internet access as required

171

* Configure production NIC ports as 802.1q trunk ports.

172

* Configure Nova (need to add specifics here)

173

174

* public IPs

175

* instance IPs

176

* project network size

177

* DMZ network

178

179

.. todo:: need specific Nova configuration added

Older »