From 4bfbc291eefd92d8b7885f36275b7ff541e067ab Mon Sep 17 00:00:00 2001 
From: Kevin Benton
Date: Tue, 15 Nov 2016 17:26:05 -0800
Subject: [PATCH] Derive IP ranges from new ADDRS_SAFE_TO_USE vars

The switch to using subnetpools caused quite a bit of confusion because it didn't respect the value of FIXED_RANGE. This caused conflicts in the gate with its default IPv4 value of 10.0.0.0/8. This patch does a few things to address the issue:

* It introduces the IPV4_ADDRS_SAFE_TO_USE and IPV6_ADDRS_SAFE_TO_USE values and adjusts all of the FIXED_RANGE and SUBNETPOOL_PREFIX values to derive from them by default.
  * This addresses the concern that was raised about implying that SUBNETPOOL_PREFIX and FIXED_RANGE are equivalent when setting SUBNETPOOL_PREFIX=FIXED_RANGE by default. Now we have a new value for the operator to specify a chunk of addresses that are safe to use for private networks without implementation implications.
  * Backwards compatibility is maintained by allowing users to override all of these values.
* The default for IPV4_ADDRS_SAFE_TO_USE uses /22 instead of /24
  * Because we want to be able to use subnetpools for auto allocated topologies and we want to be able to have a large chunk of instances on each network, we needed a little more breathing room in the default v4 network size.
* SUBNET_POOL_SIZE_V4 default is changed from 24 to 26
  * In conjunction with this change and the one above, the default subnetpool will support up to 16 64-address allocations.
  * This should be enough to cover any regular gate scenarios.
  * If someone wants a bigger/smaller subnet, they can ask for that in the API request, change this value themselves, or use a different network entirely.
* FIXED_RANGE_V6 defaults to a max prefix of /64 from IPV6_ADDRS_SAFE_TO_USE
  * This avoids the private subnet in the non-subnetpool case from being larger than /64 to avoid issues identified in rfc 7421.
  * Users can still explicitly set this value to whatever they want. This 'max' behavior is only for the default.
* This allows IPV6_ADDRS_SAFE_TO_USE to default to a /56, which leaves tons of room for v6 subnetpools. Closes-Bug: #1629133 Change-Id: I7b32804d47bec743c0b13e434e6a7958728896ea --- doc/source/configuration.rst | 16 ++++++++-------- doc/source/guides/neutron.rst | 12 ++++++------ doc/source/networking.rst | 21 ++++++++++++++++++++- lib/neutron_plugins/services/l3 | 11 +++++++---- stackrc | 3 ++- 5 files changed, 43 insertions(+), 20 deletions(-) diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 22809ebd7a..bc3f5584b7 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -63,7 +63,7 @@ exists it will be used instead to preserve backward-compatibility. :: [[local|localrc]] - FIXED_RANGE=10.254.1.0/24 + IPV4_ADDRS_SAFE_TO_USE=10.254.1.0/24 ADMIN_PASSWORD=speciale LOGFILE=$DEST/logs/stack.sh.log @@ -161,8 +161,8 @@ values that most often need to be set. - no logging - pre-set the passwords to prevent interactive prompts -- move network ranges away from the local network (``FIXED_RANGE`` and - ``FLOATING_RANGE``, commented out below) +- move network ranges away from the local network (``IPV4_ADDRS_SAFE_TO_USE`` + and ``FLOATING_RANGE``, commented out below) - set the host IP if detection is unreliable (``HOST_IP``, commented out below) @@ -173,7 +173,7 @@ values that most often need to be set. DATABASE_PASSWORD=$ADMIN_PASSWORD RABBIT_PASSWORD=$ADMIN_PASSWORD SERVICE_PASSWORD=$ADMIN_PASSWORD - #FIXED_RANGE=172.31.1.0/24 + #IPV4_ADDRS_SAFE_TO_USE=172.31.1.0/24 #FLOATING_RANGE=192.168.20.0/25 #HOST_IP=10.3.4.5 
@@ -537,12 +537,12 @@ behavior: IPV6_RA_MODE=slaac IPV6_ADDRESS_MODE=slaac - FIXED_RANGE_V6=fd$IPV6_GLOBAL_ID::/64 + IPV6_ADDRS_SAFE_TO_USE=fd$IPV6_GLOBAL_ID::/56 IPV6_PRIVATE_NETWORK_GATEWAY=fd$IPV6_GLOBAL_ID::1 -*Note*: ``FIXED_RANGE_V6`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` can be -configured with any valid IPv6 prefix. The default values make use of -an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. +*Note*: ``IPV6_ADDRS_SAFE_TO_USE`` and ``IPV6_PRIVATE_NETWORK_GATEWAY`` +can be configured with any valid IPv6 prefix. The default values make +use of an auto-generated ``IPV6_GLOBAL_ID`` to comply with RFC4193. Service Version ~~~~~~~~~~~~~~~ diff --git a/doc/source/guides/neutron.rst b/doc/source/guides/neutron.rst index bc6816c7e6..092809a1cf 100644 --- a/doc/source/guides/neutron.rst +++ b/doc/source/guides/neutron.rst @@ -79,7 +79,7 @@ serving as a hypervisor for guest instances. ## Neutron options Q_USE_SECGROUP=True FLOATING_RANGE="172.18.161.0/24" - FIXED_RANGE="10.0.0.0/24" + IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/22" Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 PUBLIC_NETWORK_GATEWAY="172.18.161.1" PUBLIC_INTERFACE=eth0 
@@ -387,17 +387,17 @@ controller node. ## Neutron Networking options used to create Neutron Subnets - FIXED_RANGE="203.0.113.0/24" + IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" NETWORK_GATEWAY=203.0.113.1 PROVIDER_SUBNET_NAME="provider_net" PROVIDER_NETWORK_TYPE="vlan" SEGMENTATION_ID=2010 USE_SUBNETPOOL=False -In this configuration we are defining FIXED_RANGE to be a +In this configuration we are defining IPV4_ADDRS_SAFE_TO_USE to be a publicly routed IPv4 subnet. In this specific instance we are using the special TEST-NET-3 subnet defined in `RFC 5737 `_, -which is used for documentation. In your DevStack setup, FIXED_RANGE +which is used for documentation. In your DevStack setup, IPV4_ADDRS_SAFE_TO_USE would be a public IP address range that you or your organization has allocated to you, so that you could access your instances from the public internet. @@ -524,7 +524,7 @@ setup, with small modifications for the interface mappings. ## Neutron options Q_USE_SECGROUP=True FLOATING_RANGE="172.18.161.0/24" - FIXED_RANGE="10.0.0.0/24" + IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/24" Q_FLOATING_ALLOCATION_POOL=start=172.18.161.250,end=172.18.161.254 PUBLIC_NETWORK_GATEWAY="172.18.161.1" PUBLIC_INTERFACE=eth0 @@ -573,7 +573,7 @@ you do not require them. Q_AGENT=macvtap PHYSICAL_NETWORK=default - FIXED_RANGE="203.0.113.0/24" + IPV4_ADDRS_SAFE_TO_USE="203.0.113.0/24" NETWORK_GATEWAY=203.0.113.1 PROVIDER_SUBNET_NAME="provider_net" PROVIDER_NETWORK_TYPE="vlan" diff --git a/doc/source/networking.rst b/doc/source/networking.rst index 1d56c3367e..2301a2e931 100644 --- a/doc/source/networking.rst +++ b/doc/source/networking.rst 
@@ -15,7 +15,8 @@ If you don't specify any configuration you will get the following: * neutron (including l3 with openvswitch) * private project networks for each openstack project * a floating ip range of 172.24.4.0/24 with the gateway of 172.24.4.1 -* the demo project configured with fixed ips on 10.0.0.0/24 +* the demo project configured with fixed ips on a subnet allocated from + the 10.0.0.0/22 range * a ``br-ex`` interface controlled by neutron for all it's networking (this is not connected to any physical interfaces). * DNS resolution for guests based on the resolv.conf for you host @@ -95,3 +96,21 @@ the range of floating ips that will be handed out. As we are sharing your existing network, you'll want to give it a slice that your local dhcp server is not allocating. Otherwise you could easily have conflicting ip addresses, and cause havoc with your local network. + + +Private Network Addressing +========================== + +The private networks addresses are controlled by the ``IPV4_ADDRS_SAFE_TO_USE`` +and the ``IPV6_ADDRS_SAFE_TO_USE`` variables. This allows users to specify one +single variable of safe internal IPs to use that will be referenced whether or +not subnetpools are in use. + +For IPv4, ``FIXED_RANGE`` and ``SUBNETPOOL_PREFIX_V4`` will just default to +the value of ``IPV4_ADDRS_SAFE_TO_USE`` directly. + +For IPv6, ``FIXED_RANGE`` will default to the first /64 of the value of +``IPV6_ADDRS_SAFE_TO_USE``. If ``IPV6_ADDRS_SAFE_TO_USE`` is /64 or smaller, +``FIXED_RANGE`` will just use the value of that directly. +``SUBNETPOOL_PREFIX_V6`` will just default to the value of +``IPV6_ADDRS_SAFE_TO_USE`` directly. diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3 index ddc615589f..56eb22387b 100644 --- a/lib/neutron_plugins/services/l3 +++ b/lib/neutron_plugins/services/l3 
@@ -70,7 +70,10 @@ IPV6_RA_MODE=${IPV6_RA_MODE:-slaac} IPV6_ADDRESS_MODE=${IPV6_ADDRESS_MODE:-slaac} IPV6_PUBLIC_SUBNET_NAME=${IPV6_PUBLIC_SUBNET_NAME:-ipv6-public-subnet} IPV6_PRIVATE_SUBNET_NAME=${IPV6_PRIVATE_SUBNET_NAME:-ipv6-private-subnet} -FIXED_RANGE_V6=${FIXED_RANGE_V6:-fd$IPV6_GLOBAL_ID::/64} +IPV6_ADDRS_SAFE_TO_USE=${IPV6_ADDRS_SAFE_TO_USE:-fd$IPV6_GLOBAL_ID::/56} +# if we got larger than a /64 safe to use, we only use the first /64 to +# avoid side effects outlined in rfc7421 +FIXED_RANGE_V6=${FIXED_RANGE_V6:-$(echo $IPV6_ADDRS_SAFE_TO_USE | awk -F '/' '{ print ($2>63 ? $2 : 64) }')} IPV6_PRIVATE_NETWORK_GATEWAY=${IPV6_PRIVATE_NETWORK_GATEWAY:-} IPV6_PUBLIC_RANGE=${IPV6_PUBLIC_RANGE:-2001:db8::/64} IPV6_PUBLIC_NETWORK_GATEWAY=${IPV6_PUBLIC_NETWORK_GATEWAY:-2001:db8::2} @@ -86,10 +89,10 @@ PUBLIC_SUBNET_NAME=${PUBLIC_SUBNET_NAME:-"public-subnet"} USE_SUBNETPOOL=${USE_SUBNETPOOL:-True} SUBNETPOOL_NAME=${SUBNETPOOL_NAME:-"shared-default-subnetpool"} -SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-10.0.0.0/16} -SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-2001:db8:8000::/48} +SUBNETPOOL_PREFIX_V4=${SUBNETPOOL_PREFIX_V4:-$IPV4_ADDRS_SAFE_TO_USE} +SUBNETPOOL_PREFIX_V6=${SUBNETPOOL_PREFIX_V6:-$IPV6_ADDRS_SAFE_TO_USE} -SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-24} +SUBNETPOOL_SIZE_V4=${SUBNETPOOL_SIZE_V4:-26} SUBNETPOOL_SIZE_V6=${SUBNETPOOL_SIZE_V6:-64} default_v4_route_devs=$(ip -4 route | grep ^default | awk '{print $5}') diff --git a/stackrc b/stackrc index ea8b044faf..8210eb9ad2 100644 --- a/stackrc +++ b/stackrc 
@@ -765,7 +765,8 @@ ENABLE_DEBUG_LOG_LEVEL=$(trueorfalse True ENABLE_DEBUG_LOG_LEVEL) # Note that setting ``FIXED_RANGE`` may be necessary when running DevStack # in an OpenStack cloud that uses either of these address ranges internally. FLOATING_RANGE=${FLOATING_RANGE:-172.24.4.0/24} -FIXED_RANGE=${FIXED_RANGE:-10.0.0.0/24} +IPV4_ADDRS_SAFE_TO_USE=${IPV4_ADDRS_SAFE_TO_USE:-10.0.0.0/22} +FIXED_RANGE=${FIXED_RANGE:-$IPV4_ADDRS_SAFE_TO_USE} FIXED_NETWORK_SIZE=${FIXED_NETWORK_SIZE:-256} HOST_IP_IFACE=${HOST_IP_IFACE:-} HOST_IP=${HOST_IP:-}
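Review bot: the `FIXED_RANGE_V6` default added in the lib/neutron_plugins/services/l3 hunk (@@ -70,7 +70,10 @@) prints only a prefix length, not a CIDR. `awk -F '/' '{ print ($2>63 ? $2 : 64) }'` discards the address field `$1`, so for the default `fd$IPV6_GLOBAL_ID::/56` the variable ends up as the bare string `64`, which is not a usable subnet for the non-subnetpool path. Suggest `awk -F '/' '{ print $1 "/" ($2>63 ? $2 : 64) }'` so the result is `fd<id>::/64` as the comment and the new networking.rst text describe. Note also that reusing `$1` unchanged only gives the "first /64" because the default address has zero bits below /64; a user-supplied range with non-zero bits there would be passed through as written, which is worth a sentence in the comment. Quoting `"$IPV6_ADDRS_SAFE_TO_USE"` in the `echo` would be safer as well.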
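Review bot: the new "Private Network Addressing" section in the doc/source/networking.rst hunk (@@ -95,3 +96,21 @@) names ``FIXED_RANGE`` in the IPv6 paragraph, but the value derived from ``IPV6_ADDRS_SAFE_TO_USE`` in lib/neutron_plugins/services/l3 is ``FIXED_RANGE_V6``; ``FIXED_RANGE`` is the IPv4 value covered by the previous paragraph. Suggest replacing both occurrences in the "For IPv6" paragraph with ``FIXED_RANGE_V6``. The phrase "/64 or smaller" is also ambiguous, since a /64 is a smaller block but a longer prefix than a /56; "a prefix length of /64 or longer" states what the `$2>63` check in the l3 hunk actually tests.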
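Review bot: the unchanged comment directly above the stackrc hunk still says that setting ``FIXED_RANGE`` may be necessary when DevStack runs inside a cloud that uses these ranges internally, but after this change ``IPV4_ADDRS_SAFE_TO_USE`` is the variable operators are expected to set (it now feeds ``SUBNETPOOL_PREFIX_V4`` as well, and overriding ``FIXED_RANGE`` alone leaves the subnetpool on 10.0.0.0/22); update the comment to name the new variable. Separately, ``FIXED_RANGE`` now defaults to a /22 (1024 addresses) while ``FIXED_NETWORK_SIZE`` stays at 256 on the next line; if anything still consumes the two together, confirm they are not expected to agree.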
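Review bot: in doc/source/guides/neutron.rst the first "Neutron options" example (@@ -79,7 +79,7 @@) changes the sample to `IPV4_ADDRS_SAFE_TO_USE="10.0.0.0/22"` while the otherwise identical block in @@ -524,7 +524,7 @@ keeps `"10.0.0.0/24"`; pick one value so readers copying either block get the same pool size. With the new `SUBNETPOOL_SIZE_V4=26` default, a /24 pool yields only four /26 allocations versus the sixteen the commit message describes for the /22 default.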