Merge "[network] Clean up address scopes section"

This commit is contained in:
Jenkins 2016-06-07 09:28:31 +00:00 committed by Gerrit Code Review
commit d58a0705e1

View File

@ -2,93 +2,79 @@
Address scopes
==============
Address scopes have been made available since the Mitaka release. They build
from subnet pools added in Kilo. While subnet pools provide a mechanism for
controlling the allocation of addresses to subnets, address scopes provide a
way to know where addresses are viable. Like subnet pools, they also prevent
using overlapping addresses in any two subnets.
This page serves as an introduction to the address scopes feature of the
Networking service.
Why you need them
~~~~~~~~~~~~~~~~~
The basics
~~~~~~~~~~
With address scopes, OpenStack Networking knows where addresses can be routed
essentially because all of the allocated addresses within the scope are
non-overlapping and they are under the control of the address scope owner.
Address scopes build from subnet pools. While subnet pools provide a mechanism
for controlling the allocation of addresses to subnets, address scopes show
where addresses can be routed between networks, preventing the use of
overlapping addresses in any two subnets. Because all addresses allocated in
the address scope do not overlap, neutron routers do not NAT between your
tenants' network and your external network. As long as the addresses within
an address scope match, the Networking service performs simple routing
between networks.
You can set up the address scopes for tenants to pull addresses from. Then,
since neutron routers understand address scopes, they will not NAT between
these networks and your external network as long as the scopes match. They will
just do simple routing.
Accessing address scopes
~~~~~~~~~~~~~~~~~~~~~~~~
How it works
~~~~~~~~~~~~
Anyone with access to the Networking service can create their own address
scopes. However, network administrators can create shared address scopes,
allowing other projects to create networks within that address scope.
Anyone can create an address scope. Admins can create shared address
scopes seen by all tenants.
Access to addresses in a scope are managed through subnet pools.
Subnet pools can either be created in an address scope, or updated to belong
to an address scope.
Access to addresses in a scope is managed through subnet pools. You can
create a subnet pool in an address scope or you can update existing
subnet pools to belong to a scope.
With subnet pools, all addresses in use within the address
scope are unique from the point of view of the address scope owner. Therefore,
add more than one subnet pool to an address scope if the
pools have different owners, allowing for delegation of parts of the
address scope. Delegation prevents address overlap across the
whole scope. Otherwise, you receive an error if two pools have the same
address ranges.
It may be useful to add more than one subnet pool to an address scope if
the pools have different owners. This allows delegation of parts of the
address scope. Address overlap is prevented across the whole scope so
you will get an error if two pools have some of the same address ranges
in them.
Each router interface is associated with an address scope by looking at
subnets connected to the network. When a router connects
to an external network with matching address scopes, network traffic routes
between without Network address translation (NAT).
The router marks all traffic connections originating from each interface
with its corresponding address scope. If traffic leaves an interface in the
wrong scope, the router blocks the traffic.
A Neutron router connects at least a couple of networks. Each router
interface is associated with an address scope by looking at the subnets
on the network its connected to. The router internally marks all
traffic connections originating from each interface with the
corresponding address scope to track it. If traffic tries to leave an
interface in the wrong scope, it is blocked.
Backwards compatibility
~~~~~~~~~~~~~~~~~~~~~~~
When a router connects to two networks with the same address scope, it
knows that these networks can be routed without any kind of address
translation. Also, since subnet pools are part of the foundation of
address scopes, Neutron knows that all of the addresses in use within an
address scope are unique and legitimate from the address scope owner's
point of view.
No scope
~~~~~~~~
OpenStack Networking preserves backwards compatibility with pre-Mitaka
Networking. You will not notice any difference until you decide to begin using
hem so you will not be forced to change your behavior.
When subnets are not explicitly part of an explicit address scope. They can be
considered part of a catch all implicit scope which is different in a few ways
to preserve backwards compatibility.
Networks created before the Mitaka release do not
contain explicitly named address scopes, unless the network contains
subnets from a subnet pool that belongs to a created or updated
address scope. The Networking service preserves backwards compatibility with
pre-Mitaka networks through special address scope properties so that
these networks can perform advanced routing:
#. Unlimited address overlap is allowed.
#. Neutron routers, by default, will NAT traffic from internal networks
to external networks even if they are all in this scope (unless snat
is disabled for the router.)
#. This scope is not visible through the API. It will not show up when you
list address scopes and you cannot show details. It exists only
implicitly to catch all addresses which are not explicitly scoped.
to external networks.
#. Pre-Mitaka address scopes are not visible through the API. You cannot
list address scopes or show details. Scopes exist
implicitly as a catch-all for addresses that are not explicitly scoped.
Demo
----
Create shared address scopes as an administrative user
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Give it a try. Starting with devstack is recommended.
This section shows how to set up shared address scopes to
allow simple routing for project networks with the same subnet pools.
.. note:: Some irrelevant fields have been trimmed from the output of
these commands just for brevity and to avoid distracting with too
many details.
.. note:: Irrelevant fields have been trimmed from the output of
these commands for brevity.
Admin commands
______________
First, as admin, create a couple of shared address scopes, subnet pools to
manage the addresses inside them, and an external network with subnets from
these pools so that tenant networks from the same pools will be routed straight
through. The following examples show how to accomplish this.
#. Create IPv6 and IPv4 address scopes:
.. code-block:: console
admin> neutron address-scope-create --shared address-scope-ip6 6
$ neutron address-scope-create --shared address-scope-ip6 6
Created a new address_scope:
+------------+--------------------------------------+
| Field | Value |
@ -101,7 +87,7 @@ through. The following examples show how to accomplish this.
.. code-block:: console
admin> neutron address-scope-create --shared address-scope-ip4 4
$ neutron address-scope-create --shared address-scope-ip4 4
Created a new address_scope:
+------------+--------------------------------------+
| Field | Value |
@ -112,14 +98,14 @@ through. The following examples show how to accomplish this.
| shared | True |
+------------+--------------------------------------+
Next, create subnet pools specifying the name (or UUID) of the address
scope that the subnet pool should belong to. If you have existing
subnet pools, you can use the subnet-pool-update command to put them in
to a new address scope.
#. Create subnet pools specifying the name (or UUID) of the address
scope that the subnet pool belongs to. If you have existing
subnet pools, use the ``subnet-pool-update`` command to put them in
a new address scope:
.. code-block:: console
admin> neutron subnetpool-create --address-scope address-scope-ip6 \
$ neutron subnetpool-create --address-scope address-scope-ip6 \
--shared --pool-prefix 2001:db8:a583::/48 --default-prefixlen 64 \
subnet-pool-ip6
Created a new subnetpool:
@ -137,7 +123,7 @@ to a new address scope.
.. code-block:: console
admin> neutron subnetpool-create --address-scope address-scope-ip4 \
$ neutron subnetpool-create --address-scope address-scope-ip4 \
--shared --pool-prefix 203.0.113.0/21 --default-prefixlen 26 \
subnet-pool-ip4
Created a new subnetpool:
@ -153,7 +139,7 @@ to a new address scope.
| shared | True |
+-------------------+--------------------------------------+
Now that these are created, create subnets on an external network.
#. Make sure that the subnets use an external network:
.. code-block:: console
@ -171,12 +157,6 @@ Now that these are created, create subnets on an external network.
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
+-------------------+--------------------------------------+
.. note:: In the interest of full disclosure, I didn't explain here how to go
about creating an external subnets with this subnet pool. How should we
handle this in the final docs? It is pretty much covered in the subnet
pools doc but it isn't all shown here which could make this little tutorial
a tiny bit frustrating.
.. code-block:: console
$ neutron subnet-show public-subnet
@ -193,17 +173,13 @@ Now that these are created, create subnets on an external network.
| subnetpool_id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
+-------------------+--------------------------------------+
This completes the portion of the demo that requires admin privileges. The
address scope has been created with subnet pools to manage addresses. Finally,
the external network has been created with subnets from the address scope.
Routing with address scopes for non-privileged users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Non-admin tenant commands
_________________________
This section shows how non-privileged users can use address scopes to
route straight to an external network without NAT.
As a tenant, create networks that will be routed straight to the external
network without NAT. Also, create a network the old way to demonstrate how
routing between address scopes is not allowed between tenant networks. Start
by creating a couple of networks to host the subnets.
#. Create a couple of networks to host subnets:
.. code-block:: console
@ -229,8 +205,8 @@ by creating a couple of networks to host the subnets.
| subnets | |
+-------------------------+--------------------------------------+
First, create a subnet the old way, it will not be associated with a
subnetpool nor an address scope.
#. Create a subnet not associated with a subnet pool or
an address scope:
.. code-block:: console
@ -262,8 +238,8 @@ subnetpool nor an address scope.
| subnetpool_id | |
+-------------------+--------------------------------------+
Next, create a subnet using an subnet pool. These subnets come from the
address scope as the external network.
#. Create a subnet using a subnet pool associated with a address scope
from an external network:
.. code-block:: console
@ -296,8 +272,8 @@ address scope as the external network.
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
+-------------------+--------------------------------------+
Note that by creating subnets from scoped subnet pools, the network is
now associated with the address scope.
By creating subnets from scoped subnet pools, the network is
associated with the address scope.
.. code-block:: console
@ -313,8 +289,8 @@ now associated with the address scope.
| | 917f9360-a840-45c1-83a1-2a093bd7b376 |
+-------------------------+--------------------------------------+
Connect a router to each of the tenant subnets that have been created. This
example uses a pre-existing router called router1.
#. Connect a router to each of the tenant subnets that have been created, for
example, using a router called ``router1``:
.. code-block:: console
@ -328,11 +304,16 @@ example uses a pre-existing router called router1.
Added interface f5904a4b-9547-4c08-bc7e-bc5fc71a8db9 to router router1.
Checking connectivity
_____________________
---------------------
Boot two vms, instance1 on network1 and instance2 on network2 and give
them floating ip addresses. Adjust security groups to allow pings and
ssh (both IPv4 and IPv6).
This example shows how to check the connectivity between networks
with address scopes.
#. Launch two instances, ``instance1`` on ``network1`` and
``instance2`` on ``network2``. Associate a floating IP address to both
instances.
#. Adjust security groups to allow pings and SSH (both IPv4 and IPv6):
.. code-block:: console
@ -344,8 +325,8 @@ ssh (both IPv4 and IPv6).
| ceba9638-... | instance2 | network2=203.0.112.3, 2001:db8:a583:0:f816:3eff:fe42:1eeb, 172.24.4.4 |
+--------------+-----------+---------------------------------------------------------------------------+
Regardless of address scopes, the floating IPs are pingable from the
external network.
Regardless of address scopes, the floating IPs can be pinged from the
external network:
.. code-block:: console
@ -354,15 +335,11 @@ external network.
$ ping -c 1 172.24.4.4
1 packets transmitted, 1 received, 0% packet loss, time 0ms
With just a little bit of routing help, the internal network2 is
pingable directly because it is in the the same address scope as the
external network.
You can now ping ``instance2`` directly because ``instance2`` shares the
same address scope as the external network:
.. note:: When I wrote this, I didn't have
the BGP routing work available in Neutron. So, I added a static route
manually. However, now BGP is available which could fill the gap but at the
cost of going through all of that setup. How should we handle this in the
docs?
.. note:: BGP routing can be used to automatically set up a static
route for your instances.
.. code-block:: console
@ -376,8 +353,8 @@ external network.
$ ping6 -c 1 2001:db8:a583:0:f816:3eff:fe42:1eeb
1 packets transmitted, 1 received, 0% packet loss, time 0ms
The other network is not pingable directly because the scopes do not
match.
You cannot ping ``instance1`` directly because the address scopes do not
match:
.. code-block:: console
@ -391,7 +368,7 @@ match.
$ ping6 -c 1 2001:db8:80d2:c4d3:f816:3eff:fe52:b69f
1 packets transmitted, 0 received, 100% packet loss, time 0ms
In general, if address scopes are used and the scope matches between
networks then pings (and other traffic) route directly through. If the
scopes do not match between networks then the router either drops the
traffic or it applies NAT to cross scope boundaries.
If the address scopes match between
networks then pings and other traffic route directly through. If the
scopes do not match between networks, the router either drops the
traffic or applies NAT to cross scope boundaries.