Merge "[network] Clean up address scopes section"

2016-06-07 09:28:31 +00:00 · 2016-06-07 09:28:31 +00:00 · d58a0705e1
commit d58a0705e1
parent 9f786cfffa c9a4407db0
1 changed files with 267 additions and 290 deletions
--- a/doc/networking-guide/source/adv-config-address-scopes.rst
+++ b/doc/networking-guide/source/adv-config-address-scopes.rst
@ -2,93 +2,79 @@
 Address scopes
 ==============
-Address scopes have been made available since the Mitaka release. They build
+This page serves as an introduction to the address scopes feature of the
-from subnet pools added in Kilo. While subnet pools provide a mechanism for
+Networking service.
 controlling the allocation of addresses to subnets, address scopes provide a
 way to know where addresses are viable. Like subnet pools, they also prevent
 using overlapping addresses in any two subnets.
-Why you need them
+The basics
-~~~~~~~~~~~~~~~~~
+~~~~~~~~~~
-With address scopes, OpenStack Networking knows where addresses can be routed
+Address scopes build from subnet pools. While subnet pools provide a mechanism
-essentially because all of the allocated addresses within the scope are
+for controlling the allocation of addresses to subnets, address scopes show
-non-overlapping and they are under the control of the address scope owner.
+where addresses can be routed between networks, preventing the use of
 overlapping addresses in any two subnets. Because all addresses allocated in
 the address scope do not overlap, neutron routers do not NAT between your
 tenants' network and your external network. As long as the addresses within
 an address scope match, the Networking service performs simple routing
 between networks.
-You can set up the address scopes for tenants to pull addresses from. Then,
+Accessing address scopes
-since neutron routers understand address scopes, they will not NAT between
+~~~~~~~~~~~~~~~~~~~~~~~~
 these networks and your external network as long as the scopes match. They will
 just do simple routing.
-How it works
+Anyone with access to the Networking service can create their own address
-~~~~~~~~~~~~
+scopes. However, network administrators can create shared address scopes,
 allowing other projects to create networks within that address scope.
-Anyone can create an address scope. Admins can create shared address
+Access to addresses in a scope are managed through subnet pools.
-scopes seen by all tenants.
+Subnet pools can either be created in an address scope, or updated to belong
 to an address scope.
-Access to addresses in a scope is managed through subnet pools. You can
+With subnet pools, all addresses in use within the address
-create a subnet pool in an address scope or you can update existing
+scope are unique from the point of view of the address scope owner. Therefore,
-subnet pools to belong to a scope.
+add more than one subnet pool to an address scope if the
 pools have different owners, allowing for delegation of parts of the
 address scope. Delegation prevents address overlap across the
 whole scope. Otherwise, you receive an error if two pools have the same
 address ranges.
-It may be useful to add more than one subnet pool to an address scope if
+Each router interface is associated with an address scope by looking at
-the pools have different owners. This allows delegation of parts of the
+subnets connected to the network. When a router connects
-address scope. Address overlap is prevented across the whole scope so
+to an external network with matching address scopes, network traffic routes
-you will get an error if two pools have some of the same address ranges
+between without Network address translation (NAT).
-in them.
+The router marks all traffic connections originating from each interface
 with its corresponding address scope. If traffic leaves an interface in the
 wrong scope, the router blocks the traffic.
-A Neutron router connects at least a couple of networks. Each router
+Backwards compatibility
-interface is associated with an address scope by looking at the subnets
+~~~~~~~~~~~~~~~~~~~~~~~
 on the network its connected to. The router internally marks all
 traffic connections originating from each interface with the
 corresponding address scope to track it. If traffic tries to leave an
 interface in the wrong scope, it is blocked.
-When a router connects to two networks with the same address scope, it
+Networks created before the Mitaka release do not
-knows that these networks can be routed without any kind of address
+contain explicitly named address scopes, unless the network contains
-translation. Also, since subnet pools are part of the foundation of
+subnets from a subnet pool that belongs to a created or updated
-address scopes, Neutron knows that all of the addresses in use within an
+address scope. The Networking service preserves backwards compatibility with
-address scope are unique and legitimate from the address scope owner's
+pre-Mitaka networks through special address scope properties so that
-point of view.
+these networks can perform advanced routing:
 No scope
 ~~~~~~~~
 OpenStack Networking preserves backwards compatibility with pre-Mitaka
 Networking. You will not notice any difference until you decide to begin using
 hem so you will not be forced to change your behavior.
 When subnets are not explicitly part of an explicit address scope.  They can be
 considered part of a catch all implicit scope which is different in a few ways
 to preserve backwards compatibility.
 #. Unlimited address overlap is allowed.
 #. Neutron routers, by default, will NAT traffic from internal networks
-   to external networks even if they are all in this scope (unless snat
+   to external networks.
-   is disabled for the router.)
+#. Pre-Mitaka address scopes are not visible through the API. You cannot
-#. This scope is not visible through the API. It will not show up when you
+   list address scopes or show details. Scopes exist
-   list address scopes and you cannot show details. It exists only
+   implicitly as a catch-all for addresses that are not explicitly scoped.
   implicitly to catch all addresses which are not explicitly scoped.
-Demo
+Create shared address scopes as an administrative user
----
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Give it a try. Starting with devstack is recommended.
+This section shows how to set up shared address scopes to
 allow simple routing for project networks with the same subnet pools.
-.. note:: Some irrelevant fields have been trimmed from the output of
+.. note:: Irrelevant fields have been trimmed from the output of
-    these commands just for brevity and to avoid distracting with too
+    these commands for brevity.
    many details.
-Admin commands
+#. Create IPv6 and IPv4 address scopes:
 ______________
 First, as admin, create a couple of shared address scopes, subnet pools to
 manage the addresses inside them, and an external network with subnets from
 these pools so that tenant networks from the same pools will be routed straight
 through.  The following examples show how to accomplish this.
   .. code-block:: console
-    admin> neutron address-scope-create --shared address-scope-ip6 6
+      $ neutron address-scope-create --shared address-scope-ip6 6
      Created a new address_scope:
      +------------+--------------------------------------+
      | Field      | Value                                |
@ -101,7 +87,7 @@ through.  The following examples show how to accomplish this.
   .. code-block:: console
-    admin> neutron address-scope-create --shared address-scope-ip4 4
+      $ neutron address-scope-create --shared address-scope-ip4 4
      Created a new address_scope:
      +------------+--------------------------------------+
      | Field      | Value                                |
@ -112,14 +98,14 @@ through.  The following examples show how to accomplish this.
      | shared     | True                                 |
      +------------+--------------------------------------+
-Next, create subnet pools specifying the name (or UUID) of the address
+#. Create subnet pools specifying the name (or UUID) of the address
-scope that the subnet pool should belong to. If you have existing
+   scope that the subnet pool belongs to. If you have existing
-subnet pools, you can use the subnet-pool-update command to put them in
+   subnet pools, use the ``subnet-pool-update`` command to put them in
-to a new address scope.
+   a new address scope:
   .. code-block:: console
-    admin> neutron subnetpool-create --address-scope address-scope-ip6 \
+      $ neutron subnetpool-create --address-scope address-scope-ip6 \
        --shared --pool-prefix 2001:db8:a583::/48 --default-prefixlen 64 \
        subnet-pool-ip6
      Created a new subnetpool:
@ -137,7 +123,7 @@ to a new address scope.
   .. code-block:: console
-    admin> neutron subnetpool-create --address-scope address-scope-ip4 \
+      $ neutron subnetpool-create --address-scope address-scope-ip4 \
        --shared --pool-prefix 203.0.113.0/21 --default-prefixlen 26 \
        subnet-pool-ip4
      Created a new subnetpool:
@ -153,7 +139,7 @@ to a new address scope.
      | shared            | True                                 |
      +-------------------+--------------------------------------+
-Now that these are created, create subnets on an external network.
+#. Make sure that the subnets use an external network:
   .. code-block:: console
@ -171,12 +157,6 @@ Now that these are created, create subnets on an external network.
      | subnetpool_id     | 14813344-d11a-4896-906c-e4c378291058 |
      +-------------------+--------------------------------------+
 .. note:: In the interest of full disclosure, I didn't explain here how to go
   about creating an external subnets with this subnet pool.  How should we
   handle this in the final docs?  It is pretty much covered in the subnet
   pools doc but it isn't all shown here which could make this little tutorial
   a tiny bit frustrating.
   .. code-block:: console
      $ neutron subnet-show public-subnet
@ -193,17 +173,13 @@ Now that these are created, create subnets on an external network.
      | subnetpool_id     | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
      +-------------------+--------------------------------------+
-This completes the portion of the demo that requires admin privileges.  The
+Routing with address scopes for non-privileged users
-address scope has been created with subnet pools to manage addresses.  Finally,
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 the external network has been created with subnets from the address scope.
-Non-admin tenant commands
+This section shows how non-privileged users can use address scopes to
-_________________________
+route straight to an external network without NAT.
-As a tenant, create networks that will be routed straight to the external
+#. Create a couple of networks to host subnets:
 network without NAT.  Also, create a network the old way to demonstrate how
 routing between address scopes is not allowed between tenant networks.  Start
 by creating a couple of networks to host the subnets.
   .. code-block:: console
@ -229,8 +205,8 @@ by creating a couple of networks to host the subnets.
      | subnets                 |                                      |
      +-------------------------+--------------------------------------+
-First, create a subnet the old way, it will not be associated with a
+#. Create a subnet not associated with a subnet pool or
-subnetpool nor an address scope.
+   an address scope:
   .. code-block:: console
@ -262,8 +238,8 @@ subnetpool nor an address scope.
      | subnetpool_id     |                                      |
      +-------------------+--------------------------------------+
-Next, create a subnet using an subnet pool.  These subnets come from the
+#. Create a subnet using a subnet pool associated with a address scope
-address scope as the external network.
+   from an external network:
   .. code-block:: console
@ -296,8 +272,8 @@ address scope as the external network.
      | subnetpool_id     | 14813344-d11a-4896-906c-e4c378291058 |
      +-------------------+--------------------------------------+
-Note that by creating subnets from scoped subnet pools, the network is
+   By creating subnets from scoped subnet pools, the network is
-now associated with the address scope.
+   associated with the address scope.
   .. code-block:: console
@ -313,8 +289,8 @@ now associated with the address scope.
      |                         | 917f9360-a840-45c1-83a1-2a093bd7b376 |
      +-------------------------+--------------------------------------+
-Connect a router to each of the tenant subnets that have been created.  This
+#. Connect a router to each of the tenant subnets that have been created, for
-example uses a pre-existing router called router1.
+   example, using a router called ``router1``:
   .. code-block:: console
@ -328,11 +304,16 @@ example uses a pre-existing router called router1.
      Added interface f5904a4b-9547-4c08-bc7e-bc5fc71a8db9 to router router1.
 Checking connectivity
-_____________________
+---------------------
-Boot two vms, instance1 on network1 and instance2 on network2 and give
+This example shows how to check the connectivity between networks
-them floating ip addresses. Adjust security groups to allow pings and
+with address scopes.
-ssh (both IPv4 and IPv6).
+
 #. Launch two instances, ``instance1`` on ``network1`` and
   ``instance2`` on ``network2``. Associate a floating IP address to both
   instances.
 #. Adjust security groups to allow pings and SSH (both IPv4 and IPv6):
   .. code-block:: console
@ -344,8 +325,8 @@ ssh (both IPv4 and IPv6).
      | ceba9638-... | instance2 | network2=203.0.112.3, 2001:db8:a583:0:f816:3eff:fe42:1eeb, 172.24.4.4     |
      +--------------+-----------+---------------------------------------------------------------------------+
-Regardless of address scopes, the floating IPs are pingable from the
+Regardless of address scopes, the floating IPs can be pinged from the
-external network.
+external network:
 .. code-block:: console
@ -354,15 +335,11 @@ external network.
    $ ping -c 1 172.24.4.4
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
-With just a little bit of routing help, the internal network2 is
+You can now ping ``instance2`` directly because ``instance2`` shares the
-pingable directly because it is in the the same address scope as the
+same address scope as the external network:
 external network.
-.. note:: When I wrote this, I didn't have
+.. note:: BGP routing can be used to automatically set up a static
-   the BGP routing work available in Neutron.  So, I added a static route
+   route for your instances.
   manually.  However, now BGP is available which could fill the gap but at the
   cost of going through all of that setup.  How should we handle this in the
   docs?
 .. code-block:: console
@ -376,8 +353,8 @@ external network.
    $ ping6 -c 1 2001:db8:a583:0:f816:3eff:fe42:1eeb
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
-The other network is not pingable directly because the scopes do not
+You cannot ping ``instance1`` directly because the address scopes do not
-match.
+match:
 .. code-block:: console
@ -391,7 +368,7 @@ match.
    $ ping6 -c 1 2001:db8:80d2:c4d3:f816:3eff:fe52:b69f
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
-In general, if address scopes are used and the scope matches between
+If the address scopes match between
-networks then pings (and other traffic) route directly through. If the
+networks then pings and other traffic route directly through. If the
-scopes do not match between networks then the router either drops the
+scopes do not match between networks, the router either drops the
-traffic or it applies NAT to cross scope boundaries.
+traffic or applies NAT to cross scope boundaries.