openstack/nova-specs
Code Issues Proposed changes
Files
1032743e5410088b770bb454eda794b6f1d50a99
nova-specs/specs/train/approved/vm-boot-with-unaddressed-port.rst
Rodolfo Alonso Hernandez 8c4ba3b53d Boot a VM with an unaddressed port 
Currently Nova only allows to boot a VM if all ports attached:
- Have an IP assigned.
- The IP allocation is deferred.

But Nova doesn't allow to spawn a VM with a port without an IP assigned.
However, some kind of applications (e.g.: routers) need a port which may
be receiving traffic for several addresses, already configured in other
devices.

At the moment, Neutron permits to create a port, assigned to a network
with the corresponding subnetworks and IP pools, without an IP.

bp boot-vm-with-unaddressed-port

Change-Id: I48c7ddab4dae201530231d9061f2ade0aa600c07
2019-07-17 14:12:35 +00:00

204 lines
6.6 KiB
ReStructuredText
Raw Blame History

..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
==================================
Boot a VM with an unaddressed port
==================================
https://blueprints.launchpad.net/nova/+spec/boot-vm-with-unaddressed-port
This blueprint aims to allow a VM to boot with an attached port without any IP
assigned.
Problem description
===================
Currently Neutron permits users to create a port assigned to a network with
corresponding subnets and IP pools, without an IP address assigned. However
Nova only allows users to create a VM with a port without an IP only if this
address assignment is deferred; that means that the port is expected to have
an IP address but Neutron deferred the IP allocation until the host to which
the port will be bound is populated.
However, there are some network applications (e.g.: service function
forwarding, service function classifier, CMTS) that often forward traffic that
is not intended for them. Those applications have an interface without a
primary L3 address which may be receiving traffic for so many disparate
addresses that configuring all of them in Neutron is a burden.
Use Cases
---------
A typical use case is when a user wishes to deploy a VM which accepts traffic
that is neither IPv4 nor IPv6 in nature. For example, a CMTS (Cable Modem
Termination System).
Another use case could be a VM that accepts traffic for a very wide address
range (for either forwarding or termination) and where the port has no primary
address. In such cases, the VM is not a conventional application VM.
Proposed change
===============
This spec proposes to allow to spawn a VM with a manually created port without
IP address assignation.
When a port in Neutron is created with the option "--no-fixed-ip", the port
parameter ``ip_allocation`` [1]_ will be populated with "none" [2]_. This way
Neutron marks a port not to have an IP address. Nova, during the instance
creation, validates the build options; in particular the ports provided to be
bound to this new VM. To be able to use an unaddressed port, Nova needs to
modify the logic where IP assignation is tested [3]_.
Alternatives
------------
As commented in the use cases, some applications will accept traffic that is
neither IPv4 nor IPv6. Having an IP address is irrelevant on those ports but
doesn't affect the application.
In other cases, like in a routing application, there is no alternative. It's
not possible to define in Neutron all the possible IP addresses.
Data model impact
-----------------
None
The Neutron port contains the information needed in the ``ip_allocation``
parameter and the ``connectivity`` parameter inside the
``binding:vif_details``.
REST API impact
---------------
None
Security impact
---------------
Those ports without an assigned IP don't work with the Neutron in-tree
firewalls (iptables and OVS Open Flows based). Both firewalls will filter the
egress and the ingress traffic depending on several parameters, including the
IP address. To let the traffic come into the virtual interface, the firewall
should be disabled in the compute node hosting the VM. This mandatory
configuration will be documented.
Once the Nova feature is implemented and tested, a new feature will be
requested to Neutron, in order to allow those ports without an IP address to
work correctly with the in-tree firewalls.
Notifications impact
--------------------
None
Other end user impact
---------------------
To be able to remotely access to the created VM, the user needs to add an
addressed port to the VM. This "management" port must have an IP address.
Performance Impact
------------------
None
Other deployer impact
---------------------
Some L2 driver, like "l2-pop", may have problems when dealing with this kind of
port because they use proxy ARP to answer ARP requests from known IP address.
The ["novnc"] service won't work with a port without an IP address. This is why
it's recommended to create a VM with at least one management port, with an
assigned IP address.
Developer impact
----------------
None
Upgrade impact
--------------
None
Implementation
==============
Assignee(s)
-----------
Primary assignee:
Rodolfo Alonso <rodolfo-alonso-hernandez> (ralonsoh@redhat.com)
Work Items
----------
Work items:
- Change the logic of how the IP assignation is tested [3]_.
- Implement the tempest test described.
- Create a new Neutron feature request to change the in-tree firewalls to work
correctly with those ports without IP address assigned.
Dependencies
============
Implement the approved spec "Port binding event extended information for
Nova" [4]_. This feature will provide to Nova the type of back-end the port
is bound, with the parameter ``connectivity``, included now in
``binding:vif_details``. If the driver back-end has "l2" connectivity, the a
port without an IP address can be assigned to a virtual machine.
Neutron has the ability to create an unaddressed port and mark it, by
populating the "ip_allocation" parameter with "none". This feature was
implemented in "Allow vm to boot without l3 address(subnet)" [5]_.
Testing
=======
Apart from the needed functional and unit testing, a tempest test could cover
this feature. This tempest test will spawn three VMs, each one with a
management port, to be able to SSH to the machine. Then two traffic networks
will be created, net1 and net2.
The first machine will have a port, with an IP assigned, connected to net1.
The third machine will have a port, with an IP assigned, connected to net2.
And finally, the second machine, in the middle of the first and the third one,
with be connected to net1 and net2 with two ports without an IP address.
The second machine will have the needed iptables rules to NAT the traffic
between the first VM and the third VM port.
Both the first and the third machine will need a manual entry in the ARP table
to force the traffic going out trough the traffic port.
Documentation Impact
====================
- Make a reference of this feature in the user document "Launch instances"
[6]_.
References
==========
.. [1] https://github.com/openstack/neutron/blob/stable/rocky/releasenotes/notes/add-port-ip-allocation-attr-294a580641998240.yaml
.. [2] https://github.com/openstack/neutron/blob/stable/rocky/neutron/db/db_base_plugin_v2.py#L1323
.. [3] https://github.com/openstack/nova/blob/stable/rocky/nova/network/neutronv2/api.py#L2078-L2086
.. [4] https://review.opendev.org/#/c/645173/
.. [5] https://blueprints.launchpad.net/neutron/+spec/vm-without-l3-address
.. [6] https://github.com/openstack/nova/blob/stable/rocky/doc/source/user/launch-instances.rst
View Git Blame Copy Permalink