* document hardware specific commands (maybe in admin guide?) (todd)
* document a map between flags and managers/backends (todd)

The :mod:`nova.network.manager` Module
--------------------------------------

.. automodule:: nova.network.manager

The :mod:`nova.network.linux_net` Driver
----------------------------------------

.. automodule:: nova.network.linux_net

The :mod:`network_unittest` Module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. automodule:: nova.tests.network_unittest

The nova networking components manage private networks, public IP addressing, VPN connectivity, and firewall rules.

There are several key components:

* NetworkController (Manages address and vlan allocation)
* RoutingNode (NATs public IPs to private IPs, and enforces firewall rules)
* AddressingNode (runs DHCP services for private networks)
* BridgingNode (a subclass of the basic nova ComputeNode)
* TunnelingNode (provides VPN connectivity)


::

        [RoutingNode] ... [RN]            [TunnelingNode] ... [TN]

        [AddressingNode]-- (VLAN) ... | (VLAN)... (VLAN) --- [AddressingNode]

                       [BridgingNode] ... [BridgingNode]

                    [NetworkController] ... [NetworkController]

                     [CloudController]...[CloudController]


While this diagram may not make this entirely clear, nodes and controllers communicate exclusively across the message bus (AMQP, currently).


Network State consists of the following facts:

* VLAN assignment (to a project)
* Private Subnet assignment (to a security group) in a VLAN
* Private IP assignments (to running instances)
* Public IP allocations (to a project)
* Public IP associations (to a private IP / running instance)


While copies of this state exist in many places (expressed in IPTables rule chains, DHCP hosts files, etc.), the controllers rely only on the distributed "fact engine" for state, queried over RPC (currently AMQP). The NetworkController inserts most records into this datastore (allocating addresses, etc.); however, individual nodes update state, e.g. when running instances crash.


The Public Traffic Path
-----------------------


::

                        <NAT>  <-- [RoutingNode]
       [AddressingNode] -->  |
                             |  <-- [BridgingNode]


The RoutingNode is currently implemented using IPTables rules, which implement both NATing of public IP addresses and the appropriate firewall chains. We are also looking at using Netomata / Clusto to manage NATing within a switch or router, and/or to manage firewall rules within a hardware firewall appliance.

Similarly, the AddressingNode currently manages running DNSMasq instances for DHCP services. However, we could run an internal DHCP server (using Scapy, à la Clusto), or even switch to static addressing by inserting the private address into the disk image the same way we insert the SSH keys. (See compute for more details.)
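The state model section above says the fact engine is authoritative while IPTables chains and DHCP hosts files are only copies, and the RoutingNode and AddressingNode paragraphs name the two copies concretely. The following added example (not nova's code) renders one public-IP association into the NAT rules and dnsmasq hosts line those nodes would carry, then reconciles a constructed ``iptables-save`` excerpt against the facts so that stale or foreign rules show up as drift rather than being mistaken for state. The ``Fact`` record collapses a private IP assignment and its public IP association into one row for brevity; chain layout and rule wording are assumptions.

```python
"""Added example: derive NAT rules and DHCP host entries from network-state
facts, and detect drift between the facts and live iptables rules."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    """One public IP association plus the running instance it points at
    (assumed shape; nova keeps these as separate facts)."""
    public_ip: str
    private_ip: str
    mac: str
    hostname: str


def nat_rules(facts):
    """iptables -t nat rules a RoutingNode needs for each association:
    DNAT inbound traffic to the private IP, SNAT outbound to the public IP."""
    rules = []
    for f in facts:
        rules.append(f"-A PREROUTING -d {f.public_ip} -j DNAT --to {f.private_ip}")
        rules.append(f"-A POSTROUTING -s {f.private_ip} -j SNAT --to {f.public_ip}")
    return rules


def dhcp_hosts(facts):
    """dnsmasq --dhcp-hostsfile lines (mac,hostname,ip) for an AddressingNode."""
    return [f"{f.mac},{f.hostname},{f.private_ip}" for f in facts]


def nat_drift(facts, live_rules):
    """Compare the fact engine with what iptables-save actually shows.
    Returns (missing, unexpected): rules the facts require but the node lacks,
    and NAT rules present on the node that no current fact explains."""
    want = set(nat_rules(facts))
    have = {r.strip() for r in live_rules if "-j DNAT" in r or "-j SNAT" in r}
    return sorted(want - have), sorted(have - want)


# Constructed sample state and a constructed iptables-save excerpt.
FACTS = [
    Fact("203.0.113.10", "10.0.0.5", "02:16:3e:00:00:01", "web-1"),
    Fact("203.0.113.11", "10.0.0.6", "02:16:3e:00:00:02", "web-2"),
]
LIVE = [
    "-A PREROUTING -d 203.0.113.10 -j DNAT --to 10.0.0.5",
    "-A POSTROUTING -s 10.0.0.5 -j SNAT --to 203.0.113.10",
    "-A PREROUTING -d 203.0.113.99 -j DNAT --to 10.0.0.9",  # left over from a crashed instance
]

if __name__ == "__main__":
    missing, unexpected = nat_drift(FACTS, LIVE)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

With the constructed input, web-2 is missing both of its rules and the 203.0.113.99 rule is flagged as unexpected, which is exactly the case the text describes of a node whose instance crashed without the copy being updated.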