openstack-manuals/doc/admin-guide/source/compute-networking-nova.rst
qiaomin 84b1a2ffed [admin-guide] Use "project" to replace "tenant" term in admin-guide
This patch use "project" to replace "tenant" term in admin-guide for
cleanup.

Change-Id: I879a6c1ecfbbed2d8db0a02457d06375a268b176
Partial-Bug: #1475005
2016-09-22 14:15:50 +00:00

1038 lines
36 KiB
ReStructuredText

============================
Networking with nova-network
============================
Understanding the networking configuration options helps you design the
best configuration for your Compute instances.
You can choose to either install and configure ``nova-network`` or use the
OpenStack Networking service (neutron). This section contains a brief
overview of ``nova-network``. For more information about OpenStack
Networking, see :ref:`networking`.
Networking concepts
~~~~~~~~~~~~~~~~~~~
Compute assigns a private IP address to each VM instance. Compute makes
a distinction between fixed IPs and floating IP. Fixed IPs are IP
addresses that are assigned to an instance on creation and stay the same
until the instance is explicitly terminated. Floating IPs are addresses
that can be dynamically associated with an instance. A floating IP
address can be disassociated and associated with another instance at any
time. A user can reserve a floating IP for their project.
.. note::
Currently, Compute with ``nova-network`` only supports Linux bridge
networking that allows virtual interfaces to connect to the outside
network through the physical interface.
The network controller with ``nova-network`` provides virtual networks to
enable compute servers to interact with each other and with the public
network. Compute with ``nova-network`` supports the following network modes,
which are implemented as Network Manager types:
Flat Network Manager
In this mode, a network administrator specifies a subnet. IP
addresses for VM instances are assigned from the subnet, and then
injected into the image on launch. Each instance receives a fixed IP
address from the pool of available addresses. A system administrator
must create the Linux networking bridge (typically named ``br100``,
although this is configurable) on the systems running the
``nova-network`` service. All instances of the system are attached to
the same bridge, which is configured manually by the network
administrator.
.. note::
Configuration injection currently only works on Linux-style
systems that keep networking configuration in
``/etc/network/interfaces``.
Flat DHCP Network Manager
In this mode, OpenStack starts a DHCP server (dnsmasq) to allocate
IP addresses to VM instances from the specified subnet, in addition
to manually configuring the networking bridge. IP addresses for VM
instances are assigned from a subnet specified by the network
administrator.
Like flat mode, all instances are attached to a single bridge on the
compute node. Additionally, a DHCP server configures instances
depending on single-/multi-host mode, alongside each ``nova-network``.
In this mode, Compute does a bit more configuration. It attempts to
bridge into an Ethernet device (``flat_interface``, eth0 by
default). For every instance, Compute allocates a fixed IP address
and configures dnsmasq with the MAC ID and IP address for the VM.
Dnsmasq does not take part in the IP address allocation process, it
only hands out IPs according to the mapping done by Compute.
Instances receive their fixed IPs with the :command:`dhcpdiscover` command.
These IPs are not assigned to any of the host's network interfaces,
only to the guest-side interface for the VM.
In any setup with flat networking, the hosts providing the
``nova-network`` service are responsible for forwarding traffic from the
private network. They also run and configure dnsmasq as a DHCP
server listening on this bridge, usually on IP address 10.0.0.1 (see
:ref:`compute-dnsmasq`). Compute can determine
the NAT entries for each network, although sometimes NAT is not
used, such as when the network has been configured with all public
IPs, or if a hardware router is used (which is a high availability
option). In this case, hosts need to have ``br100`` configured and
physically connected to any other nodes that are hosting VMs. You
must set the ``flat_network_bridge`` option or create networks with
the bridge parameter in order to avoid raising an error. Compute
nodes have iptables or ebtables entries created for each project and
instance to protect against MAC ID or IP address spoofing and ARP
poisoning.
.. note::
In single-host Flat DHCP mode you will be able to ping VMs
through their fixed IP from the ``nova-network`` node, but you
cannot ping them from the compute nodes. This is expected
behavior.
VLAN Network Manager
This is the default mode for OpenStack Compute. In this mode,
Compute creates a VLAN and bridge for each project. For
multiple-machine installations, the VLAN Network Mode requires a
switch that supports VLAN tagging (IEEE 802.1Q). The project gets a
range of private IPs that are only accessible from inside the VLAN.
In order for a user to access the instances in their project, a
special VPN instance (code named ``cloudpipe``) needs to be created.
Compute generates a certificate and key for the user to access the
VPN and starts the VPN automatically. It provides a private network
segment for each project's instances that can be accessed through a
dedicated VPN connection from the internet. In this mode, each
project gets its own VLAN, Linux networking bridge, and subnet.
The subnets are specified by the network administrator, and are
assigned dynamically to a project when required. A DHCP server is
started for each VLAN to pass out IP addresses to VM instances from
the subnet assigned to the project. All instances belonging to one
project are bridged into the same VLAN for that project. OpenStack
Compute creates the Linux networking bridges and VLANs when
required.
These network managers can co-exist in a cloud system. However, because
you cannot select the type of network for a given project, you cannot
configure multiple network types in a single Compute installation.
All network managers configure the network using network drivers. For
example, the Linux L3 driver (``l3.py`` and ``linux_net.py``), which
makes use of ``iptables``, ``route`` and other network management
facilities, and the libvirt `network filtering
facilities <http://libvirt.org/formatnwfilter.html>`__. The driver is
not tied to any particular network manager; all network managers use the
same driver. The driver usually initializes only when the first VM lands
on this host node.
All network managers operate in either single-host or multi-host mode.
This choice greatly influences the network configuration. In single-host
mode, a single ``nova-network`` service provides a default gateway for VMs
and hosts a single DHCP server (dnsmasq). In multi-host mode, each
compute node runs its own ``nova-network`` service. In both cases, all
traffic between VMs and the internet flows through ``nova-network``. Each
mode has benefits and drawbacks. For more on this, see the Network
Topology section in the `OpenStack Operations Guide
<http://docs.openstack.org/ops-guide/arch-network-design.html#network-topology>`__.
All networking options require network connectivity to be already set up
between OpenStack physical nodes. OpenStack does not configure any
physical network interfaces. All network managers automatically create
VM virtual interfaces. Some network managers can also create network
bridges such as ``br100``.
The internal network interface is used for communication with VMs. The
interface should not have an IP address attached to it before OpenStack
installation, it serves only as a fabric where the actual endpoints are
VMs and dnsmasq. Additionally, the internal network interface must be in
``promiscuous`` mode, so that it can receive packets whose target MAC
address is the guest VM, not the host.
All machines must have a public and internal network interface
(controlled by these options: ``public_interface`` for the public
interface, and ``flat_interface`` and ``vlan_interface`` for the
internal interface with flat or VLAN managers). This guide refers to the
public network as the external network and the private network as the
internal or project network.
For flat and flat DHCP modes, use the :command:`nova network-create` command
to create a network:
.. code-block:: console
$ nova network-create vmnet \
--fixed-range-v4 10.0.0.0/16 --fixed-cidr 10.0.20.0/24 --bridge br100
This example uses the following parameters:
--fixed-range-v4 specifies the network subnet.
--fixed-cidr specifies a range of fixed IP addresses to allocate,
and can be a subset of the ``--fixed-range-v4``
argument.
--bridge specifies the bridge device to which this network is
connected on every compute node.
.. _compute-dnsmasq:
DHCP server: dnsmasq
~~~~~~~~~~~~~~~~~~~~
The Compute service uses
`dnsmasq <http://www.thekelleys.org.uk/dnsmasq/doc.html>`__ as the DHCP
server when using either Flat DHCP Network Manager or VLAN Network
Manager. For Compute to operate in IPv4/IPv6 dual-stack mode, use at
least dnsmasq v2.63. The ``nova-network`` service is responsible for
starting dnsmasq processes.
The behavior of dnsmasq can be customized by creating a dnsmasq
configuration file. Specify the configuration file using the
``dnsmasq_config_file`` configuration option:
.. code-block:: ini
dnsmasq_config_file=/etc/dnsmasq-nova.conf
For more information about creating a dnsmasq configuration file, see
the `OpenStack Configuration
Reference <http://docs.openstack.org/mitaka/config-reference/>`__,
and `the dnsmasq
documentation <http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example>`__.
Dnsmasq also acts as a caching DNS server for instances. You can specify
the DNS server that dnsmasq uses by setting the ``dns_server``
configuration option in ``/etc/nova/nova.conf``. This example configures
dnsmasq to use Google's public DNS server:
.. code-block:: ini
dns_server=8.8.8.8
Dnsmasq logs to syslog (typically ``/var/log/syslog`` or
``/var/log/messages``, depending on Linux distribution). Logs can be
useful for troubleshooting, especially in a situation where VM instances
boot successfully but are not reachable over the network.
Administrators can specify the starting point IP address to reserve with
the DHCP server (in the format n.n.n.n) with this command:
.. code-block:: console
$ nova-manage fixed reserve --address IP_ADDRESS
This reservation only affects which IP address the VMs start at, not the
fixed IP addresses that ``nova-network`` places on the bridges.
Configure Compute to use IPv6 addresses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using OpenStack Compute with ``nova-network``, you can put
Compute into dual-stack mode, so that it uses both IPv4 and IPv6
addresses for communication. In dual-stack mode, instances can acquire
their IPv6 global unicast addresses by using a stateless address
auto-configuration mechanism [RFC 4862/2462]. IPv4/IPv6 dual-stack mode
works with both ``VlanManager`` and ``FlatDHCPManager`` networking
modes.
In ``VlanManager`` networking mode, each project uses a different 64-bit
global routing prefix. In ``FlatDHCPManager`` mode, all instances use
one 64-bit global routing prefix.
This configuration was tested with virtual machine images that have an
IPv6 stateless address auto-configuration capability. This capability is
required for any VM to run with an IPv6 address. You must use an EUI-64
address for stateless address auto-configuration. Each node that
executes a ``nova-*`` service must have ``python-netaddr`` and ``radvd``
installed.
**Switch into IPv4/IPv6 dual-stack mode**
#. For every node running a ``nova-*`` service, install python-netaddr:
.. code-block:: console
# apt-get install python-netaddr
#. For every node running ``nova-network``, install ``radvd`` and configure
IPv6 networking:
.. code-block:: console
# apt-get install radvd
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
#. On all nodes, edit the ``nova.conf`` file and specify
``use_ipv6 = True``.
#. Restart all ``nova-*`` services.
**IPv6 configuration options**
You can use the following options with the :command:`nova network-create`
command:
- Add a fixed range for IPv6 addresses to the :command:`nova network-create`
command. Specify ``public`` or ``private`` after the ``network-create``
parameter.
.. code-block:: console
$ nova network-create public --fixed-range-v4 FIXED_RANGE_V4 \
--vlan VLAN_ID --vpn VPN_START --fixed-range-v6 FIXED_RANGE_V6
- Set the IPv6 global routing prefix by using the
``--fixed_range_v6`` parameter. The default value for the parameter
is ``fd00::/48``.
When you use ``FlatDHCPManager``, the command uses the original
``--fixed_range_v6`` value. For example:
.. code-block:: console
$ nova network-create public --fixed-range-v4 10.0.2.0/24 \
--fixed-range-v6 fd00:1::/48
- When you use ``VlanManager``, the command increments the subnet ID
to create subnet prefixes. Guest VMs use this prefix to generate
their IPv6 global unicast addresses. For example:
.. code-block:: console
$ nova network-create public --fixed-range-v4 10.0.1.0/24 --vlan 100 \
--vpn 1000 --fixed-range-v6 fd00:1::/48
.. list-table:: Description of IPv6 configuration options
:header-rows: 2
* - Configuration option = Default value
- Description
* - [DEFAULT]
-
* - fixed_range_v6 = fd00::/48
- (StrOpt) Fixed IPv6 address block
* - gateway_v6 = None
- (StrOpt) Default IPv6 gateway
* - ipv6_backend = rfc2462
- (StrOpt) Backend to use for IPv6 generation
* - use_ipv6 = False
- (BoolOpt) Use IPv6
Metadata service
~~~~~~~~~~~~~~~~
Compute uses a metadata service for virtual machine instances to
retrieve instance-specific data. Instances access the metadata service
at ``http://169.254.169.254``. The metadata service supports two sets of
APIs: an OpenStack metadata API and an EC2-compatible API. Both APIs are
versioned by date.
To retrieve a list of supported versions for the OpenStack metadata API,
make a GET request to ``http://169.254.169.254/openstack``:
.. code-block:: console
$ curl http://169.254.169.254/openstack
2012-08-10
2013-04-04
2013-10-17
latest
To list supported versions for the EC2-compatible metadata API, make a
GET request to ``http://169.254.169.254``:
.. code-block:: console
$ curl http://169.254.169.254
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
latest
If you write a consumer for one of these APIs, always attempt to access
the most recent API version supported by your consumer first, then fall
back to an earlier version if the most recent one is not available.
Metadata from the OpenStack API is distributed in JSON format. To
retrieve the metadata, make a GET request to
``http://169.254.169.254/openstack/2012-08-10/meta_data.json``:
.. code-block:: console
$ curl http://169.254.169.254/openstack/2012-08-10/meta_data.json
.. code-block:: json
{
"uuid": "d8e02d56-2648-49a3-bf97-6be8f1204f38",
"availability_zone": "nova",
"hostname": "test.novalocal",
"launch_index": 0,
"meta": {
"priority": "low",
"role": "webserver"
},
"project_id": "f7ac731cc11f40efbc03a9f9e1d1d21f",
"public_keys": {
"mykey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKV\
VRNCRX6BlnNbI+USLGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTH\
bsiyPCIDOKyeHba4MUJq8Oh5b2i71/3BISpyxTBH/uZDHdslW2a+SrPDCe\
uMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated by Nova\n"
},
"name": "test"
}
Instances also retrieve user data (passed as the ``user_data`` parameter
in the API call or by the :option:`--user_data` flag in the
:command:`nova boot` command) through the metadata service, by making a
GET request to ``http://169.254.169.254/openstack/2012-08-10/user_data``:
.. code-block:: console
$ curl http://169.254.169.254/openstack/2012-08-10/user_data
#!/bin/bash
echo 'Extra user data here'
The metadata service has an API that is compatible with version
2009-04-04 of the `Amazon EC2 metadata
service <http://docs.amazonwebservices.com/AWSEC2/2009-04-04/UserGuide/AESDG-chapter-instancedata.html>`__.
This means that virtual machine images designed for EC2 will work
properly with OpenStack.
The EC2 API exposes a separate URL for each metadata element. Retrieve a
listing of these elements by making a GET query to
``http://169.254.169.254/2009-04-04/meta-data/``:
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
placement/
public-hostname
public-ipv4
public-keys/
ramdisk-id
reservation-id
security-groups
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/meta-data/block-device-mapping/
ami
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/meta-data/placement/
availability-zone
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/meta-data/public-keys/
0=mykey
Instances can retrieve the public SSH key (identified by keypair name
when a user requests a new instance) by making a GET request to
``http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key``:
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/meta-data/public-keys/0/openssh-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDYVEprvtYJXVOBN0XNKVVRNCRX6BlnNbI+US\
LGais1sUWPwtSg7z9K9vhbYAPUZcq8c/s5S9dg5vTHbsiyPCIDOKyeHba4MUJq8Oh5b2i71/3B\
ISpyxTBH/uZDHdslW2a+SrPDCeuMMoss9NFhBdKtDkdG9zyi0ibmCP6yMdEX8Q== Generated\
by Nova
Instances can retrieve user data by making a GET request to
``http://169.254.169.254/2009-04-04/user-data``:
.. code-block:: console
$ curl http://169.254.169.254/2009-04-04/user-data
#!/bin/bash
echo 'Extra user data here'
The metadata service is implemented by either the ``nova-api`` service or
the ``nova-api-metadata`` service. Note that the ``nova-api-metadata`` service
is generally only used when running in multi-host mode, as it retrieves
instance-specific metadata. If you are running the ``nova-api`` service, you
must have ``metadata`` as one of the elements listed in the
``enabled_apis`` configuration option in ``/etc/nova/nova.conf``. The
default ``enabled_apis`` configuration setting includes the metadata
service, so you do not need to modify it.
Hosts access the service at ``169.254.169.254:80``, and this is
translated to ``metadata_host:metadata_port`` by an iptables rule
established by the ``nova-network`` service. In multi-host mode, you can set
``metadata_host`` to ``127.0.0.1``.
For instances to reach the metadata service, the ``nova-network`` service
must configure iptables to NAT port ``80`` of the ``169.254.169.254``
address to the IP address specified in ``metadata_host`` (this defaults
to ``$my_ip``, which is the IP address of the ``nova-network`` service) and
port specified in ``metadata_port`` (which defaults to ``8775``) in
``/etc/nova/nova.conf``.
.. note::
The ``metadata_host`` configuration option must be an IP address,
not a host name.
The default Compute service settings assume that ``nova-network`` and
``nova-api`` are running on the same host. If this is not the case, in the
``/etc/nova/nova.conf`` file on the host running ``nova-network``, set the
``metadata_host`` configuration option to the IP address of the host
where ``nova-api`` is running.
.. list-table:: Description of metadata configuration options
:header-rows: 2
* - Configuration option = Default value
- Description
* - [DEFAULT]
-
* - metadata_cache_expiration = 15
- (IntOpt) Time in seconds to cache metadata; 0 to disable metadata
caching entirely (not recommended). Increasing this should improve
response times of the metadata API when under heavy load. Higher values
may increase memory usage and result in longer times for host metadata
changes to take effect.
* - metadata_host = $my_ip
- (StrOpt) The IP address for the metadata API server
* - metadata_listen = 0.0.0.0
- (StrOpt) The IP address on which the metadata API will listen.
* - metadata_listen_port = 8775
- (IntOpt) The port on which the metadata API will listen.
* - metadata_manager = nova.api.manager.MetadataManager
- (StrOpt) OpenStack metadata service manager
* - metadata_port = 8775
- (IntOpt) The port for the metadata API port
* - metadata_workers = None
- (IntOpt) Number of workers for metadata service. The default will be the number of CPUs available.
* - vendordata_driver = nova.api.metadata.vendordata_json.JsonFileVendorData
- (StrOpt) Driver to use for vendor data
* - vendordata_jsonfile_path = None
- (StrOpt) File to load JSON formatted vendor data from
Enable ping and SSH on VMs
~~~~~~~~~~~~~~~~~~~~~~~~~~
You need to enable ``ping`` and ``ssh`` on your VMs for network access.
This can be done with either the :command:`nova` or :command:`euca2ools`
commands.
.. note::
Run these commands as root only if the credentials used to interact
with ``nova-api`` are in ``/root/.bashrc``. If the EC2 credentials in
the ``.bashrc`` file are for an unprivileged user, you must run
these commands as that user instead.
Enable ping and SSH with :command:`nova secgroup-add-rule` commands:
.. code-block:: console
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
Enable ping and SSH with ``euca2ools``:
.. code-block:: console
$ euca-authorize -P icmp -t -1:-1 -s 0.0.0.0/0 default
$ euca-authorize -P tcp -p 22 -s 0.0.0.0/0 default
If you have run these commands and still cannot ping or SSH your
instances, check the number of running ``dnsmasq`` processes, there
should be two. If not, kill the processes and restart the service with
these commands:
.. code-block:: console
# killall dnsmasq
# service nova-network restart
Configure public (floating) IP addresses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes how to configure floating IP addresses with
``nova-network``. For information about doing this with OpenStack
Networking, see :ref:`L3-routing-and-NAT`.
Private and public IP addresses
-------------------------------
In this section, the term floating IP address is used to refer to an IP
address, usually public, that you can dynamically add to a running
virtual instance.
Every virtual instance is automatically assigned a private IP address.
You can choose to assign a public (or floating) IP address instead.
OpenStack Compute uses network address translation (NAT) to assign
floating IPs to virtual instances.
To be able to assign a floating IP address, edit the
``/etc/nova/nova.conf`` file to specify which interface the
``nova-network`` service should bind public IP addresses to:
.. code-block:: ini
public_interface=VLAN100
If you make changes to the ``/etc/nova/nova.conf`` file while the
``nova-network`` service is running, you will need to restart the service to
pick up the changes.
.. note::
Floating IPs are implemented by using a source NAT (SNAT rule in
iptables), so security groups can sometimes display inconsistent
behavior if VMs use their floating IP to communicate with other VMs,
particularly on the same physical host. Traffic from VM to VM across
the fixed network does not have this issue, and so this is the
recommended setup. To ensure that traffic does not get SNATed to the
floating range, explicitly set:
.. code-block:: ini
dmz_cidr=x.x.x.x/y
The ``x.x.x.x/y`` value specifies the range of floating IPs for each
pool of floating IPs that you define. This configuration is also
required if the VMs in the source group have floating IPs.
Enable IP forwarding
--------------------
IP forwarding is disabled by default on most Linux distributions. You
will need to enable it in order to use floating IPs.
.. note::
IP forwarding only needs to be enabled on the nodes that run
``nova-network``. However, you will need to enable it on all compute
nodes if you use ``multi_host`` mode.
To check if IP forwarding is enabled, run:
.. code-block:: console
$ cat /proc/sys/net/ipv4/ip_forward
0
Alternatively, run:
.. code-block:: console
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
In these examples, IP forwarding is disabled.
To enable IP forwarding dynamically, run:
.. code-block:: console
# sysctl -w net.ipv4.ip_forward=1
Alternatively, run:
.. code-block:: console
# echo 1 > /proc/sys/net/ipv4/ip_forward
To make the changes permanent, edit the ``/etc/sysctl.conf`` file and
update the IP forwarding setting:
.. code-block:: ini
net.ipv4.ip_forward = 1
Save the file and run this command to apply the changes:
.. code-block:: console
# sysctl -p
You can also apply the changes by restarting the network service:
- on Ubuntu, Debian:
.. code-block:: console
# /etc/init.d/networking restart
- on RHEL, Fedora, CentOS, openSUSE and SLES:
.. code-block:: console
# service network restart
Create a list of available floating IP addresses
------------------------------------------------
Compute maintains a list of floating IP addresses that are available for
assigning to instances. Use the :command:`nova-manage floating` commands
to perform floating IP operations:
- Add entries to the list:
.. code-block:: console
# nova-manage floating create --pool nova --ip_range 68.99.26.170/31
- List the floating IP addresses in the pool:
.. code-block:: console
# nova-manage floating list
- Create specific floating IPs for either a single address or a
subnet:
.. code-block:: console
# nova-manage floating create --pool POOL_NAME --ip_range CIDR
- Remove floating IP addresses using the same parameters as the create
command:
.. code-block:: console
# nova-manage floating delete CIDR
For more information about how administrators can associate floating IPs
with instances, see `Manage IP
addresses <http://docs.openstack.org/admin-guide/cli-admin-manage-ip-addresses.html>`__
in the OpenStack Administrator Guide.
Automatically add floating IPs
------------------------------
You can configure ``nova-network`` to automatically allocate and assign a
floating IP address to virtual instances when they are launched. Add
this line to the ``/etc/nova/nova.conf`` file:
.. code-block:: ini
auto_assign_floating_ip=True
Save the file, and restart ``nova-network``
.. note::
If this option is enabled, but all floating IP addresses have
already been allocated, the :command:`nova boot` command will fail.
Remove a network from a project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You cannot delete a network that has been associated to a project. This
section describes the procedure for dissociating it so that it can be
deleted.
In order to disassociate the network, you will need the ID of the
project it has been associated to. To get the project ID, you will need
to be an administrator.
Disassociate the network from the project using the
:command:`nova-manage project scrub` command,
with the project ID as the final parameter:
.. code-block:: console
# nova-manage project scrub --project ID
Multiple interfaces for instances (multinic)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The multinic feature allows you to use more than one interface with your
instances. This is useful in several scenarios:
- SSL Configurations (VIPs)
- Services failover/HA
- Bandwidth Allocation
- Administrative/Public access to your instances
Each VIP represents a separate network with its own IP block. Every
network mode has its own set of changes regarding multinic usage:
.. figure:: figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-manager.jpg
:width: 600
.. figure:: figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-Flat-DHCP-manager.jpg
:width: 600
.. figure:: figures/SCH_5007_V00_NUAC-multi_nic_OpenStack-VLAN-manager.jpg
:width: 600
Using multinic
--------------
In order to use multinic, create two networks, and attach them to the
project (named ``project`` on the command line):
.. code-block:: console
$ nova network-create first-net --fixed-range-v4 20.20.0.0/24 --project-id $your-project
$ nova network-create second-net --fixed-range-v4 20.20.10.0/24 --project-id $your-project
Each new instance will now receive two IP addresses from their
respective DHCP servers:
.. code-block:: console
$ nova list
+-----+------------+--------+----------------------------------------+
| ID | Name | Status | Networks |
+-----+------------+--------+----------------------------------------+
| 124 | Server 124 | ACTIVE | network2=20.20.0.3; private=20.20.10.14|
+-----+------------+--------+----------------------------------------+
.. note::
Make sure you start the second interface on the instance, or it
won't be reachable through the second IP.
This example demonstrates how to set up the interfaces within the
instance. This is the configuration that needs to be applied inside the
image.
Edit the ``/etc/network/interfaces`` file:
.. code-block:: bash
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
If the Virtual Network Service Neutron is installed, you can specify the
networks to attach to the interfaces by using the :option:`--nic` flag with
the :command:`nova boot` command:
.. code-block:: console
$ nova boot --image ed8b2a37-5535-4a5f-a615-443513036d71 --flavor 1 --nic net-id=NETWORK1_ID --nic net-id=NETWORK2_ID test-vm1
Troubleshooting Networking
~~~~~~~~~~~~~~~~~~~~~~~~~~
Cannot reach floating IPs
-------------------------
Problem
-------
You cannot reach your instances through the floating IP address.
Solution
--------
- Check that the default security group allows ICMP (ping) and SSH
(port 22), so that you can reach the instances:
.. code-block:: console
$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
- Check the NAT rules have been added to iptables on the node that is
running ``nova-network``:
.. code-block:: console
# iptables -L -nv -t nat
-A nova-network-PREROUTING -d 68.99.26.170/32 -j DNAT --to-destination 10.0.0.3
-A nova-network-floating-snat -s 10.0.0.3/32 -j SNAT --to-source 68.99.26.170
- Check that the public address (`68.99.26.170 <68.99.26.170>`__ in
this example), has been added to your public interface. You should
see the address in the listing when you use the :command:`ip addr` command:
.. code-block:: console
$ ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether xx:xx:xx:17:4b:c2 brd ff:ff:ff:ff:ff:ff
inet 13.22.194.80/24 brd 13.22.194.255 scope global eth0
inet 68.99.26.170/32 scope global eth0
inet6 fe80::82b:2bf:fe1:4b2/64 scope link
valid_lft forever preferred_lft forever
.. note::
You cannot use ``SSH`` to access an instance with a public IP from within
the same server because the routing configuration does not allow
it.
- Use ``tcpdump`` to identify if packets are being routed to the
inbound interface on the compute host. If the packets are reaching
the compute hosts but the connection is failing, the issue may be
that the packet is being dropped by reverse path filtering. Try
disabling reverse-path filtering on the inbound interface. For
example, if the inbound interface is ``eth2``, run:
.. code-block:: console
# sysctl -w net.ipv4.conf.ETH2.rp_filter=0
If this solves the problem, add the following line to
``/etc/sysctl.conf`` so that the reverse-path filter is persistent:
.. code-block:: ini
net.ipv4.conf.rp_filter=0
Temporarily disable firewall
----------------------------
Problem
-------
Networking issues prevent administrators accessing or reaching VM's
through various pathways.
Solution
--------
You can disable the firewall by setting this option
in ``/etc/nova/nova.conf``:
.. code-block:: ini
firewall_driver=nova.virt.firewall.NoopFirewallDriver
.. :warning:
We strongly recommend you remove this line to re-enable the firewall
once your networking issues have been resolved.
Packet loss from instances to nova-network server (VLANManager mode)
--------------------------------------------------------------------
Problem
-------
If you can access your instances with ``SSH`` but the network to your instance
is slow, or if you find that running certain operations are slower than
they should be (for example, ``sudo``), packet loss could be occurring
on the connection to the instance.
Packet loss can be caused by Linux networking configuration settings
related to bridges. Certain settings can cause packets to be dropped
between the VLAN interface (for example, ``vlan100``) and the associated
bridge interface (for example, ``br100``) on the host running
``nova-network``.
Solution
--------
One way to check whether this is the problem is to open three terminals
and run the following commands:
#. In the first terminal, on the host running ``nova-network``, use
``tcpdump`` on the VLAN interface to monitor DNS-related traffic
(UDP, port 53). As root, run:
.. code-block:: console
# tcpdump -K -p -i vlan100 -v -vv udp port 53
#. In the second terminal, also on the host running ``nova-network``, use
``tcpdump`` to monitor DNS-related traffic on the bridge interface.
As root, run:
.. code-block:: console
# tcpdump -K -p -i br100 -v -vv udp port 53
#. In the third terminal, use ``SSH`` to access the instance and generate DNS
requests by using the :command:`nslookup` command:
.. code-block:: console
$ nslookup www.google.com
The symptoms may be intermittent, so try running :command:`nslookup`
multiple times. If the network configuration is correct, the command
should return immediately each time. If it is not correct, the
command hangs for several seconds before returning.
#. If the :command:`nslookup` command sometimes hangs, and there are packets
that appear in the first terminal but not the second, then the
problem may be due to filtering done on the bridges. Try disabling
filtering, and running these commands as root:
.. code-block:: console
# sysctl -w net.bridge.bridge-nf-call-arptables=0
# sysctl -w net.bridge.bridge-nf-call-iptables=0
# sysctl -w net.bridge.bridge-nf-call-ip6tables=0
If this solves your issue, add the following line to
``/etc/sysctl.conf`` so that the changes are persistent:
.. code-block:: ini
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0
KVM: Network connectivity works initially, then fails
-----------------------------------------------------
Problem
-------
With KVM hypervisors, instances running Ubuntu 12.04 sometimes lose
network connectivity after functioning properly for a period of time.
Solution
--------
Try loading the ``vhost_net`` kernel module as a workaround for this
issue (see `bug
#997978 <https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/997978/>`__)
. This kernel module may also `improve network
performance <http://www.linux-kvm.org/page/VhostNet>`__ on KVM. To load
the kernel module:
.. code-block:: console
# modprobe vhost_net
.. note::
Loading the module has no effect on running instances.