Nova-Network The Dirty Details

1. nova-network: The Dirty Details
  • Ryan Richard, RHCA
  • OpenStack Architect - Private Cloud
  • ryan.richard@rackspace.com, @rackninja
  • April 2013 (Tuesday, April 16, 13)

2. Why nova-network?
  • Pre-existing installs
  • Folsom deployments
  • Quantum: http://docs.openstack.org/trunk/openstack-network/admin/content/ch_overview.html and https://wiki.openstack.org/wiki/Quantum
  (Slide footer, repeated on every slide: RACKSPACE® HOSTING | WWW.RACKSPACE.COM)

3. nova-network overview
  • Provides networking for instances
  • flat, flatDHCP, flatVLAN
  • iptables, ebtables, linux bridge
  • “behind the scenes” - no direct API
  • http://docs.openstack.org/folsom/openstack-compute/admin/content/list-of-compute-config-options.html

4. nova-network overview
  • Host Network - physical server communication, management network
  • Fixed Network - L3 network range for instances, instance to instance communication
5-11. nova-network overview (diagram slides; no text captured)
12. nova-network options
  • 50+ options for networking config
  • multi_host = multiple nova-network processes (1 per compute host)
  • DNS, DHCP, public_interface, dmz_cidr

13. public interface
  • Decides which interface the default SNAT rule applies to
  • # iptables -t nat -nvL nova-network-snat
  • public internet access

14. nova-network options
  • dnsmasq options
  • DHCP lease
  • Hardware gateway
  • DNS domain

15. nova-network options
  • DMZ_CIDR
  • NAT exclusion list
  • ACCEPT rule in iptables NAT
  • # iptables -t nat -nvL nova-network-POSTROUTING

16. iptables & ebtables
  • iptables
  • Security Groups implementation - 1 chain per instance
  • Default: restrict all access
  • Responsible for NAT
  • Chain example: nova-compute-inst-771

17. iptables & ebtables
  • ebtables
  • IP/MAC/ARP spoofing protections
  • Only 1 IP per instance
  • defined in /etc/libvirt/nwfilter/ (libvirt implementations)

18. floating IPs
  • Easy to add
  • MUST be associated with the public_interface flag
  • Don’t get assigned inside the instance but instead rely on iptables (SNAT/DNAT)
  • Dynamically assigned
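Slide 16 says every instance gets its own iptables chain (nova-compute-inst-771 in the example) and that the default is to restrict all access. That default only holds while each chain still ends in the fallback DROP, which is cheap to verify from a saved dump. The script below is an added example, not from the slides or from nova's own code: a POSIX sh audit of `iptables -nvL` filter output. It assumes the Folsom-era layout in which each nova-compute-inst-<id> chain finishes with a jump to nova-compute-sg-fallback, whose only rule is an unconditional DROP; the dump it reads is constructed here, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the slides): audit the per-instance security group
# chains (nova-compute-inst-<id>) in a saved `iptables -nvL` filter dump and
# check that each one still ends in the default "restrict all" fallback.
# Assumed layout: a final jump to nova-compute-sg-fallback, which DROPs.

FALLBACK_CHAIN="nova-compute-sg-fallback"

# Constructed sample dump: inst-771 is healthy, inst-772 carries a wide-open
# security group rule, inst-773 has lost its fallback jump.
FILTER_DUMP='Chain nova-compute-inst-771 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.0.1             0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-772 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-773 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain nova-compute-sg-fallback (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# rules: print every rule line prefixed with the chain it belongs to, so the
# checks below can group rules by instance. Field layout after the prefix:
# $2 pkts, $3 bytes, $4 target, $5 prot, $9 source, $10 destination, $11.. match text
rules() {
    printf '%s\n' "$FILTER_DUMP" | awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ { print chain, $0 }
    '
}

# instance_chains: the nova-compute-inst-* chains present in the dump, in order
instance_chains() {
    rules | awk '$1 ~ /^nova-compute-inst-/ && !seen[$1]++ { print $1 }'
}

# fallback_drops: succeeds when the fallback chain's first rule is an
# unconditional DROP (no protocol, address or match restriction)
fallback_drops() {
    rules | awk -v fb="$FALLBACK_CHAIN" '
        $1 == fb && !done { done = 1; ok = ($4 == "DROP" && NF == 10) }
        END { exit ok ? 0 : 1 }
    '
}

# chains_without_fallback: instance chains whose last rule is not the jump to
# the fallback chain, i.e. whose default is no longer "restrict all access"
chains_without_fallback() {
    rules | awk -v fb="$FALLBACK_CHAIN" '
        $1 ~ /^nova-compute-inst-/ {
            if (!($1 in order)) { order[$1] = ++n; name[n] = $1 }
            last[$1] = $4
        }
        END { for (i = 1; i <= n; i++) if (last[name[i]] != fb) print name[i] }
    '
}

# wide_open_chains: instance chains holding an ACCEPT of every protocol from
# any source to any destination with no further match (an allow-all group)
wide_open_chains() {
    rules | awk '
        $1 ~ /^nova-compute-inst-/ && $4 == "ACCEPT" && $5 == "all" &&
        $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && NF == 10 && !seen[$1]++ { print $1 }
    '
}

for chain in $(instance_chains); do echo "audited $chain"; done
fallback_drops || echo "WARNING: $FALLBACK_CHAIN does not DROP unconditionally"
for chain in $(chains_without_fallback); do echo "WARNING: $chain has no fallback jump"; done
for chain in $(wide_open_chains); do echo "REVIEW: $chain accepts all traffic from anywhere"; done
```

On a real host, replace the constructed FILTER_DUMP with the output of the command from the slide (`iptables -nvL`, run as root) and diff the warnings against the security groups nova believes are applied; a chain that drifts from what the API shows is the symptom to chase, since nova-network has no API of its own for the iptables state.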
19-20. floating IPs (diagram slides; no text captured)
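Slides 13, 15 and 18 all describe state that lives only in the nat table: the default SNAT rule bound to public_interface, the DMZ_CIDR ACCEPT exclusion in nova-network-POSTROUTING, and floating IPs implemented as a DNAT/SNAT pair rather than an address inside the instance. The script below is an added example, not from the slides or from nova: a POSIX sh check over saved `iptables -t nat -nvL` output that confirms the SNAT leaves on the expected interface, that the dmz_cidr exclusion sits before the jump to nova-network-snat, and that every floating IP DNAT has its matching SNAT. The interface name, fixed_range, dmz_cidr, chain names and the dump itself are assumed or constructed values, not taken from a real deployment.

```shell
#!/bin/sh
# Added example (not from the slides): audit the nova-network NAT chains that
# the public_interface, dmz_cidr and floating IP slides describe, reading a
# saved `iptables -t nat -nvL` dump so it runs offline.

EXPECTED_PUBLIC_IF="eth0"     # assumed value of the public_interface flag
FIXED_RANGE="10.0.0.0/24"     # assumed fixed_range of the instances
DMZ_CIDR="10.128.0.0/24"      # assumed dmz_cidr (NAT exclusion list)

# Constructed sample dump; floating IP 203.0.113.11 deliberately has a DNAT
# entry with no matching SNAT so the consistency check has something to find.
NAT_DUMP='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-network-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-network-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-network-PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            203.0.113.10         to:10.0.0.5
    0     0 DNAT       all  --  *      *       0.0.0.0/0            203.0.113.11         to:10.0.0.6

Chain nova-network-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          10.128.0.0/24
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          10.0.0.0/24          ! ctstate DNAT
    0     0 nova-network-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-network-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-network-float-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.0.0.5             0.0.0.0/0            to:203.0.113.10

Chain nova-network-snat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1024 SNAT       all  --  *      eth0    10.0.0.0/24          0.0.0.0/0            to:198.51.100.2
'

# chain_rules CHAIN: print only the rule lines of CHAIN from a -nvL dump on stdin.
# Field layout: $3 target, $4 prot, $6 in, $7 out, $8 source, $9 destination, $10 extra
chain_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ { print }
    '
}

# snat_out_interface: out-interface of the SNAT rule in nova-network-snat;
# it must match public_interface or instance traffic is NATed on the wrong link
snat_out_interface() {
    printf '%s\n' "$NAT_DUMP" | chain_rules nova-network-snat |
        awk '$3 == "SNAT" || $3 == "MASQUERADE" { print $7; exit }'
}

# dmz_excluded: succeeds when nova-network-POSTROUTING ACCEPTs FIXED_RANGE ->
# DMZ_CIDR before it jumps to nova-network-snat (exclusion actually in effect)
dmz_excluded() {
    printf '%s\n' "$NAT_DUMP" | chain_rules nova-network-POSTROUTING |
        awk -v fixed="$FIXED_RANGE" -v dmz="$DMZ_CIDR" '
            $3 == "nova-network-snat" { seen_snat = 1 }
            $3 == "ACCEPT" && $8 == fixed && $9 == dmz && !seen_snat { found = 1 }
            END { exit found ? 0 : 1 }
        '
}

# floating_ip_mismatches: print each floating IP that is DNATed to a fixed IP
# in nova-network-PREROUTING but has no matching SNAT in nova-network-float-snat
# (a half-applied or stale floating IP association)
floating_ip_mismatches() {
    printf '%s\n' "$NAT_DUMP" | chain_rules nova-network-PREROUTING |
        awk '$3 == "DNAT" { sub(/^to:/, "", $10); print $9, $10 }' |
        while read -r floating fixed; do
            [ -n "$floating" ] || continue
            printf '%s\n' "$NAT_DUMP" | chain_rules nova-network-float-snat |
                awk -v fixed="$fixed" -v floating="$floating" '
                    $3 == "SNAT" && $8 == fixed && $10 == ("to:" floating) { ok = 1 }
                    END { exit ok ? 0 : 1 }
                ' || echo "$floating"
        done
}

echo "SNAT out-interface: $(snat_out_interface) (expected $EXPECTED_PUBLIC_IF)"
dmz_excluded && echo "dmz_cidr $DMZ_CIDR is excluded from NAT" || echo "WARNING: dmz_cidr exclusion missing"
for ip in $(floating_ip_mismatches); do
    echo "WARNING: floating IP $ip has a DNAT but no matching SNAT"
done
```

Because floating IPs never appear inside the guest, the nat table is the only place their state can be inspected; a DNAT without its SNAT means inbound connections reach the instance but its replies leave with the wrong source address, which is the usual cause of a "floating IP works one way" ticket.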
21. Integrating
  • Difficult
  • OpenStack is IPAM (partially)
  • DNS integration is lacking
22-23. Example (diagram slides; no text captured)
24. Open to discussions/thoughts/questions

25. Rackspace is hiring
  • www.rackertalent.com
  • RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218 | US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM
  • © RACKSPACE US, INC. RACKSPACE® and FANATICAL SUPPORT® are service marks of Rackspace US, Inc. registered in the United States and other countries.