Nova-Network The Dirty Details

•

3 likes•1,668 views

The document discusses nova-network, OpenStack's networking component. It provides an overview of nova-network, describing that it provides networking for instances using technologies like iptables, ebtables, and Linux bridges. It also describes some of nova-network's configuration options, such as public interface, DMZ_CIDR, and floating IPs, and challenges integrating it with other components.

Technology Business

nova-‐network:
The
Dirty
Details

Ryan
Richard,
RHCA
OpenStack
Architect
-‐
Private
Cloud
ryan.richard@rackspace.com
@rackninja

April 2013

Tuesday, April 16, 13

Why
nova-‐network?

Pre-‐existing
installs

Folsom
Deployments

Quantum:

http://docs.openstack.org/trunk/openstack-‐
network/admin/content/ch_overview.html

https://wiki.openstack.org/wiki/Quantum

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
overview

Provides
networking
for
instances

ﬂat,
ﬂatDHCP,ﬂatVLAN

iptables,
ebtables,
linux
bridge

“behind
the
scenes”
-‐
no
direct
API

http://docs.openstack.org/folsom/openstack-‐
compute/admin/content/list-‐of-‐compute-‐
conﬁg-‐options.html
RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
overview

Host
Network
-‐
Physical
server

communication,
management
network

Fixed
Network
-‐
L3
network
range
for

instances,
instance
to
instance

communication

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
overview

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
options

50+
options
for
networking
conﬁg

multi_host
=
multiple
nova-‐network
processes

(
1
per
compute
host)

DNS,
DHCP,
public_interface,
dmz_cidr

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

public
interface

Decides
which
interface
the
default
SNAT
rule

applies

#
iptables
-‐t
nat
-‐nvL
nova-‐network-‐snat

public
internet
access

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
options

dnsmasq
options

DHCP
Lease

Hardware
Gateway

DNS
domain

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

nova-‐network
options

DMZ_CIDR

NAT
exclusion
list

ACCEPT
rule
in
iptables
NAT

#
iptables
-‐t
nat
-‐nvL
nova-‐network-‐
POSTROUTING

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

iptables
&
ebtables

iptables

Security
Groups
implementation
-‐
1
chain

per
instance

Default:
Restrict
all
access

Responsible
for
NAT

Chain
example:
nova-‐compute-‐inst-‐771

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

iptables
&
ebtables

ebtables

IP/MAC/ARP
spooﬁng
protections

Only
1
IP
per
instance

deﬁned
in
/etc/libvirt/nwﬁlter/
(libvirt

implementations)

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

ﬂoating
IPs

Easy
to
Add

MUST
be
associated
with
the
public_interface

ﬂag

Don’t
get
assigned
inside
the
instance
but

instead
rely
on
iptables
(SNAT/DNAT)

Dynamically
assigned

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

ﬂoating
IPs

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

Integrating

Diﬃcult

OpenStack
is
IPAM
(partially)

DNS
integration
is
lacking

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

Example

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

Open
to
discussions/thoughts/questions

RACKSPACE® HOSTING | WWW.RACKSPACE.COM

Tuesday, April 16, 13

Rackspace
is
hiring
www.rackertalent.com

RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218
US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM

RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM

Tuesday, April 16, 13

Rackspace’s Enterprise Business Intelligence group (EBI) was looking for a cost-effective way to support the reporting and information needs of its internal users, which include business and operations personnel. It was also looking to scale out new infrastructure in order to meet their increasing business demands, house increasing amounts of data, and customize the collection of data, while seeking a way to move away from their legacy Data Warehouse solution. To do this, Rackspace built the Analytical Compute Grid (ACG) by using Hadoop, Cassandra and PostgreSQL with an OpenStack cloud. Read more about it in this presentation.

As the world of system and application deployment continues to change, the sys admin and security community needs to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. Add in Dev/Ops and the traditional sys admin and security processes just don’t work. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. Rackspace has been developing a tool to help them design, deploy and security assess complex configurations for customers called Checkmate. This talk will cover the concepts behind and the architecture of Checkmate and how it helps minimize the time to deploy systems and verify they have been created to spec and in a secure state. A discussion of how Checkmate has inspired the concept of Test Driven Security based on the Test Driven Development model familiar to the development world.

Neutron scale

Justin Hammond

In this session, we will discuss the operational issues that Rackspace has encountered during and after implementing Neutron at a large scale. Neutron at scale required a significant amount of development and operations effort, some of which resulted in deviations from upstream code. Finally, our team would like to discuss our solutions and our upstream differences for Neutron and OpenStack that we believe are necessary so that it can be more performant at scale.

Deploy from OpenStack Trunk into a Production EnvironmentOpenStack Foundation

Openstack SAGE-AU

Jakub Krajcovic

Building cloudy appstonytcampbell

Considerations for building your private cloud folsom updateRyan Richard

Openstack & rackspace – yesterday, today and tomorrowsriram_rajan

Sponsor Webinar - OpenStack Summit Vancouver 2018

OpenStack Foundation

OpenStack Summits 101: A Guide For Attendees

OpenStack Foundation

OpenStack Marketing Plan - Community Presentation

OpenStack Foundation

OpenStack 5th Birthday - User Group Parties

OpenStack Foundation

Liberty release: Preliminary marketing materials & messages

OpenStack Foundation

OpenStack Foundation 2H 2015 Marketing Plan

OpenStack Foundation

OpenStack Summit Tokyo Sponsor Webinar

OpenStack Foundation

Cinder Updates - Liberty Edition

OpenStack Foundation

Similar to Nova-Network The Dirty Details

Considerations for Building Your Private Cloud.pdf

OpenStack Foundation

ACG_Rackspace.pdf

OpenStack Foundation

Be a Cloud Native

InnoTech

Why the Cloud is Important for Non-Profit Orgs

Rackspace

DevOpsDays Amsterdam - Monitoring at Service Provider Scale

Chris Jackson

Openstackha 130925132534-phpapp02

Deepak Mane

OpenStack HA

Kenneth Hui

DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012

Matt Tesauro

Neutron scale

Justin Hammond

Deploy from OpenStack Trunk into a Production EnvironmentOpenStack Foundation

Openstack SAGE-AU

Jakub Krajcovic

Building cloudy appstonytcampbell

Considerations for building your private cloud folsom updateRyan Richard

Openstack & rackspace – yesterday, today and tomorrowsriram_rajan

Similar to Nova-Network The Dirty Details (14)

Considerations for Building Your Private Cloud.pdf

ACG_Rackspace.pdf

Be a Cloud Native

Why the Cloud is Important for Non-Profit Orgs

DevOpsDays Amsterdam - Monitoring at Service Provider Scale

Openstackha 130925132534-phpapp02

OpenStack HA

DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012

Neutron scale

Deploy from OpenStack Trunk into a Production Environment

Openstack SAGE-AU

Building cloudy apps

Considerations for building your private cloud folsom update

Openstack & rackspace – yesterday, today and tomorrow

Recently uploaded

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Generating a custom Ruby SDK for your web service or Rails API using Smithy

g2nightmarescribd

Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Knowledge engineering: from people to machines and back

Elena Simperl

Recently uploaded (20)

Essentials of Automations: Optimizing FME Workflows with Parameters

PCI PIN Basics Webinar from the Controlcase Team

Leading Change strategies and insights for effective change management pdf 1.pdf

JMeter webinar - integration with InfluxDB and Grafana

Bits & Pixels using AI for Good.........

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Connector Corner: Automate dynamic content and events by pushing a button

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

UiPath Test Automation using UiPath Test Suite series, part 3

How world-class product teams are winning in the AI era by CEO and Founder, P...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Elevating Tactical DDD Patterns Through Object Calisthenics

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Generating a custom Ruby SDK for your web service or Rails API using Smithy

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Knowledge engineering: from people to machines and back

Nova-Network The Dirty Details

1. nova-‐network: The Dirty Details Ryan Richard, RHCA OpenStack Architect -‐ Private Cloud ryan.richard@rackspace.com @rackninja April 2013 Tuesday, April 16, 13

2. Why nova-‐network? Pre-‐existing installs Folsom Deployments Quantum: http://docs.openstack.org/trunk/openstack-‐ network/admin/content/ch_overview.html https://wiki.openstack.org/wiki/Quantum RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

3. nova-‐network overview Provides networking for instances flat, flatDHCP,flatVLAN iptables, ebtables, linux bridge “behind the scenes” -‐ no direct API http://docs.openstack.org/folsom/openstack-‐ compute/admin/content/list-‐of-‐compute-‐ config-‐options.html RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

4. nova-‐network overview Host Network -‐ Physical server communication, management network Fixed Network -‐ L3 network range for instances, instance to instance communication RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

5. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

6. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

7. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

8. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

9. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

10. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

11. nova-‐network overview RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

12. nova-‐network options 50+ options for networking conﬁg multi_host = multiple nova-‐network processes ( 1 per compute host) DNS, DHCP, public_interface, dmz_cidr RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

13. public interface Decides which interface the default SNAT rule applies # iptables -‐t nat -‐nvL nova-‐network-‐snat public internet access RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

14. nova-‐network options dnsmasq options DHCP Lease Hardware Gateway DNS domain RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

15. nova-‐network options DMZ_CIDR NAT exclusion list ACCEPT rule in iptables NAT # iptables -‐t nat -‐nvL nova-‐network-‐ POSTROUTING RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

16. iptables & ebtables iptables Security Groups implementation -‐ 1 chain per instance Default: Restrict all access Responsible for NAT Chain example: nova-‐compute-‐inst-‐771 RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

17. iptables & ebtables ebtables IP/MAC/ARP spoofing protections Only 1 IP per instance defined in /etc/libvirt/nwfilter/ (libvirt implementations) RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

18. ﬂoating IPs Easy to Add MUST be associated with the public_interface ﬂag Don’t get assigned inside the instance but instead rely on iptables (SNAT/DNAT) Dynamically assigned RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

19. ﬂoating IPs RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

20. ﬂoating IPs RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

21. Integrating Diﬃcult OpenStack is IPAM (partially) DNS integration is lacking RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

22. Example RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

23. Example RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

24. Open to discussions/thoughts/questions RACKSPACE® HOSTING | WWW.RACKSPACE.COM Tuesday, April 16, 13

25. Rackspace is hiring www.rackertalent.com RACKSPACE® HOSTING | 5000 WALZEM ROAD | SAN ANTONIO, TX 78218 US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM RACKSPACE® HOSTING | © RACKSPACE US, INC. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM Tuesday, April 16, 13

Nova-Network The Dirty Details

Recommended

Recommended

More Related Content

Similar to Nova-Network The Dirty Details

Similar to Nova-Network The Dirty Details (14)

More from OpenStack Foundation

More from OpenStack Foundation (20)

Recently uploaded

Recently uploaded (20)

Nova-Network The Dirty Details