Derive IP ranges from new ADDRS_SAFE_TO_USE vars

The switch to using subnetpools caused quite a bit of confusion because it didn't respect the value of FIXED_RANGE. This caused conflicts in the gate with it's default IPv4 value of 10.0.0.0/8. This patch does a few things to address the issue: * It introduces the IPV4_ADDRS_SAFE_TO_USE and IPV6_ADDRS_SAFE_TO_USE values and adjusts all of the FIXED_RANGE and SUBNETPOOL_PREFIX values to dervive from them by default. * This addresses the concern that was raised about implying that SUBNETPOOL_PREFIX and FIXED_RANGE are equivalent when setting SUBNETPOOL_PREFIX=FIXED_RANGE by default. Now we have a new value for the operator specify a chunk of addresses that are safe to use for private networks without implementation implications. * Backwards compatibility is maintained by alloing users to override override all of these values. * The default for IPV4_ADDRS_SAFE_TO_USE uses /22 instead of /24 * Because we want to be able to use subnetpools for auto allocated topologies and we want to be able to have a large chunk of instances on each network, we needed a little more breathing room in the default v4 network size. * SUBNET_POOL_SIZE_V4 default is changed from 24 to 26 * In conjuction with this change and the one above, the default subnetpool will support up to 16 64-address allocations. * This should be enough to cover any regular gate scenarios. * If someone wants a bigger/smaller subnet, they can ask for that in the API request, change this value themselves, or use a different network entirely. * FIXED_RANGE_V6 defaults to a max prefix of /64 from IPV6_ADDRS_SAFE_TO_USE * This avoids the private subnet in the non-subnetpool case from being larger than /64 to avoid issues identified in rfc 7421. * Users can still explicitly set this value to whatever they want. This 'max' behavior is only for the default. * This allows IPV6_ADDRS_SAFE_TO_USE to default to a /56, which leaves tons of room for v6 subnetpools. Closes-Bug: #1629133 Change-Id: I7b32804d47bec743c0b13e434e6a7958728896ea
2016-11-15 17:26:05 -08:00 · 2016-11-15 17:26:05 -08:00 · 4bfbc291ee
commit 4bfbc291ee
parent 7976f31fb9
5 changed files with 43 additions and 20 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -63,7 +63,7 @@ exists it will be used instead to preserve backward-compatibility.
 ::

    [[local|localrc]]
-    FIXED_RANGE=10.254.1.0/24
+    IPV4_ADDRS_SAFE_TO_USE=10.254.1.0/24
    ADMIN_PASSWORD=speciale
    LOGFILE=$DEST/logs/stack.sh.log

@ -161,8 +161,8 @@ values that most often need to be set.

 -  no logging
 -  pre-set the passwords to prevent interactive prompts
-  move network ranges away from the local network (``FIXED_RANGE`` and
-   ``FLOATING_RANGE``, commented out below)
+-  move network ranges away from the local network (``IPV4_ADDRS_SAFE_TO_USE``
+   and ``FLOATING_RANGE``, commented out below)
 -  set the host IP if detection is unreliable (``HOST_IP``, commented
   out below)

@ -173,7 +173,7 @@ values that most often need to be set.
    DATABASE_PASSWORD=$ADMIN_PASSWORD
    RABBIT_PASSWORD=$ADMIN_PASSWORD
    SERVICE_PASSWORD=$ADMIN_PASSWORD
-    #FIXED_RANGE=172.31.1.0/24
+    #IPV4_ADDRS_SAFE_TO_USE=172.31.1.0/24
    #FLOATING_RANGE=192.168.20.0/25
    #HOST_IP=10.3.4.5

@ -537,12 +537,12 @@ behavior:

        IPV6_RA_MODE=slaac
        IPV6_ADDRESS_MODE=slaac
-        FIXED_RANGE_V6=fd$IPV6_GLOBAL_ID::/64
+        IPV6_ADDRS_SAFE_TO_USE=fd$IPV6_GLOBAL_ID::/56
        IPV6_PRIVATE_NETWORK_GATEWAY=fd$IPV6_GLOBAL_ID::1

-*Note*: ``FIXED_RANGE_V6`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` can be
-configured with any valid IPv6 prefix. The default values make use of
-an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193.
+*Note*: ``IPV6_ADDRS_SAFE_TO_USE`` and ``IPV6_PRIVATE_NETWORK_GATEWAY``
+can be configured with any valid IPv6 prefix. The default values make
+use of an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193.

 Service Version
 ~~~~~~~~~~~~~~~
--- a/doc/source/guides/neutron.rst
+++ b/doc/source/guides/neutron.rst
@ -79,7 +79,7 @@ serving as a hypervisor for guest instances.
        ## Neutron options
        Q_USE_SECGROUP=True
        FLOATING_RANGE="172.18.161.0/24"
-        FIXED_RANGE="10.0.0.0/24"
+        IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/22"
        Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254
        PUBLIC_NETWORK_GATEWAY="172.18.161.1"
        PUBLIC_INTERFACE=eth0
@ -387,17 +387,17 @@ controller node.

        ## Neutron Networking options used to create Neutron Subnets

-        FIXED_RANGE="203.0.113.0/24"
+        IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24"
        NETWORK_GATEWAY=203.0.113.1
        PROVIDER_SUBNET_NAME="provider_net"
        PROVIDER_NETWORK_TYPE="vlan"
        SEGMENTATION_ID=2010
        USE_SUBNETPOOL=False

-In this configuration we are defining FIXED_RANGE to be a
+In this configuration we are defining IPV4_ADDRS_SAFE_TO_USE to be a
 publicly routed IPv4 subnet. In this specific instance we are using
 the special TEST-NET-3 subnet defined in `RFC 5737 <http://tools.ietf.org/html/rfc5737>`_,
-which is used for documentation.  In your DevStack setup, FIXED_RANGE
+which is used for documentation.  In your DevStack setup, IPV4_ADDRS_SAFE_TO_USE
 would be a public IP address range that you or your organization has
 allocated to you, so that you could access your instances from the
 public internet.
@ -524,7 +524,7 @@ setup, with small modifications for the interface mappings.
    ## Neutron options
    Q_USE_SECGROUP=True
    FLOATING_RANGE="172.18.161.0/24"
-    FIXED_RANGE="10.0.0.0/24"
+    IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/24"
    Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254
    PUBLIC_NETWORK_GATEWAY="172.18.161.1"
    PUBLIC_INTERFACE=eth0
@ -573,7 +573,7 @@ you do not require them.
    Q_AGENT=macvtap
    PHYSICAL_NETWORK=default

-    FIXED_RANGE="203.0.113.0/24"
+    IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24"
    NETWORK_GATEWAY=203.0.113.1
    PROVIDER_SUBNET_NAME="provider_net"
    PROVIDER_NETWORK_TYPE="vlan"
--- a/doc/source/networking.rst
+++ b/doc/source/networking.rst
@ -15,7 +15,8 @@ If you don't specify any configuration you will get the following:
 * neutron (including l3 with openvswitch)
 * private project networks for each openstack project
 * a floating ip range of 172.24.4.0/24 with the gateway of 172.24.4.1
-* the demo project configured with fixed ips on 10.0.0.0/24
+* the demo project configured with fixed ips on a subnet allocated from
+  the 10.0.0.0/22 range
 * a ``br-ex`` interface controlled by neutron for all it's networking
  (this is not connected to any physical interfaces).
 * DNS resolution for guests based on the resolv.conf for you host
@ -95,3 +96,21 @@ the range of floating ips that will be handed out. As we are sharing
 your existing network, you'll want to give it a slice that your local
 dhcp server is not allocating. Otherwise you could easily have
 conflicting ip addresses, and cause havoc with your local network.
+
+
+Private Network Addressing
+==========================
+
+The private networks addresses are controlled by the ``IPV4_ADDRS_SAFE_TO_USE``
+and the ``IPV6_ADDRS_SAFE_TO_USE`` variables. This allows users to specify one
+single variable of safe internal IPs to use that will be referenced whether or
+not subnetpools are in use.
+
+For IPv4, ``FIXED_RANGE`` and ``SUBNETPOOL_PREFIX_V4`` will just default to
+the value of ``IPV4_ADDRS_SAFE_TO_USE`` directly.
+
+For IPv6, ``FIXED_RANGE`` will default to the first /64 of the value of
+``IPV6_ADDRS_SAFE_TO_USE``. If ``IPV6_ADDRS_SAFE_TO_USE`` is /64 or smaller,
+``FIXED_RANGE`` will just use the value of that directly.
+``SUBNETPOOL_PREFIX_V6`` will just default to the value of
+``IPV6_ADDRS_SAFE_TO_USE`` directly.
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@ -70,7 +70,10 @@ IPV6_RA_MODE=${IPV6_RA_MODE:-slaac}
 IPV6_ADDRESS_MODE=${IPV6_ADDRESS_MODE:-slaac}
 IPV6_PUBLIC_SUBNET_NAME=${IPV6_PUBLIC_SUBNET_NAME:-ipv6-public-subnet}
 IPV6_PRIVATE_SUBNET_NAME=${IPV6_PRIVATE_SUBNET_NAME:-ipv6-private-subnet}
-FIXED_RANGE_V6=${FIXED_RANGE_V6:-fd$IPV6_GLOBAL_ID::/64}
+IPV6_ADDRS_SAFE_TO_USE=${IPV6_ADDRS_SAFE_TO_USE:-fd$IPV6_GLOBAL_ID::/56}
+# if we got larger than a /64 safe to use, we only use the first /64 to
+# avoid side effects outlined in rfc7421
+FIXED_RANGE_V6=${FIXED_RANGE_V6:-$(echo $IPV6_ADDRS_SAFE_TO_USE | awk -F '/' '{ print ($2>63 ? $2 : 64) }')}
 IPV6_PRIVATE_NETWORK_GATEWAY=${IPV6_PRIVATE_NETWORK_GATEWAY:-}
 IPV6_PUBLIC_RANGE=${IPV6_PUBLIC_RANGE:-2001:db8::/64}
 IPV6_PUBLIC_NETWORK_GATEWAY=${IPV6_PUBLIC_NETWORK_GATEWAY:-2001:db8::2}
@ -86,10 +89,10 @@ PUBLIC_SUBNET_NAME=${PUBLIC_SUBNET_NAME:-"public-subnet"}
 USE_SUBNETPOOL=${USE_SUBNETPOOL:-True}
 SUBNETPOOL_NAME=${SUBNETPOOL_NAME:-"shared-default-subnetpool"}

-SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/16}
-SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-2001:db8:8000::/48}
+SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-$IPV4_ADDRS_SAFE_TO_USE}
+SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-$IPV6_ADDRS_SAFE_TO_USE}

-SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-24}
+SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-26}
 SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64}

 default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}')
--- a/3
+++ b/3
@ -765,7 +765,8 @@ ENABLE_DEBUG_LOG_LEVEL=$(trueorfalse True ENABLE_DEBUG_LOG_LEVEL)
 # Note that setting ``FIXED_RANGE`` may be necessary when running DevStack
 # in an OpenStack cloud that uses either of these address ranges internally.
 FLOATING_RANGE=${FLOATING_RANGE:-172.24.4.0/24}
-FIXED_RANGE=${FIXED_RANGE:-10.0.0.0/24}
+IPV4_ADDRS_SAFE_TO_USE=${IPV4_ADDRS_SAFE_TO_USE:-10.0.0.0/22}
+FIXED_RANGE=${FIXED_RANGE:-$IPV4_ADDRS_SAFE_TO_USE}
 FIXED_NETWORK_SIZE=${FIXED_NETWORK_SIZE:-256}
 HOST_IP_IFACE=${HOST_IP_IFACE:-}
 HOST_IP=${HOST_IP:-}