Story: 2011027 Task: 50147 Change-Id: Ic8688741c99af0c85c62e293e8f21f19831a51cf Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
12 KiB
IPv4/IPv6 Dual-Stack Network
Dual-stack networking facilitates the simultaneous use of both IPv4 and IPv6 addresses, or continue to use each IP version independently. To accomplish this, platform networks can be associated with 1 or 2 address pools, one for each IP version (IPv4 or IPv6). The first pool is linked to the network upon creation and cannot be subsequently removed. The second pool can be added or removed to transition the system between dual-stack and single-stack modes.
The boot network is an exception, as it currently only supports IPv4. Other platform networks can be configured as either single-stack or dual-stack based on specific requirements. For internal management communication among controllers, workers, and storage nodes, the primary address pool is used as encryption is currently only available for the primary pool on the management network.
Once created, a network's primary address pool family cannot be modified. Reinstalling the system is necessary to change it. While it is possible to edit address pool addresses for management, , and admin networks, all addresses within a pool must belong to the same address family.
API and Command Line Interface Considerations
The following system APIs handle the association between network and address pool:
- network-addrpool-assign: creates the association between a network and address pool
- network-addrpool-remove: removes the association between a network and address pool
- network-addrpool-list: lists all associations
- network-addrpool-show: shows a specific association
The first association is done internally when the network is created using the command format:
~(keystone_admin)]$ system network-add <network_name> <network type> <dynamic> <pool_uuid>
The addrpool-modify
command allows to edit all its
parameters with the CLI. Follows the command format:
~(keystone_admin)]$ system addrpool-modify [--name <name>] [--network <network address>] [--prefix <network prefix>] [--ranges <ranges>] [--order <sequential | random>] [--floating-address <floating address>] [--controller0-address <controller0 address>] [--controller1-address <controller1 address>] [--gateway-address <gateway address>] <address_pool uuid>
Install a System in Dual-Stack
It is possible to install a system in dual-stack by adding the secondary subnets into the bootstrap variables with comma separated values as shown in the following example:
pxeboot_subnet: 198.51.100.0/24
management_subnet: fd01::/64,198.51.0.0/24
management_start_address: fd01::2,198.51.0.2
management_end_address: fd01::ffff,198.51.0.200
management_gateway_address: fd01::1,198.51.0.1
external_oam_subnet: fd00::/64,10.20.5.0/24
external_oam_gateway_address: fd00::1,10.20.5.1
external_oam_floating_address: fd00::3,10.20.5.3
external_oam_node_0_address: fd00::4,10.20.5.4
external_oam_node_1_address: fd00::5,10.20.5.5
cluster_host_subnet: aefd:100::/64,198.51.100.0/24
cluster_pod_subnet: aefd:206::/64,203.0.113.0/24
cluster_service_subnet: aefd:207::/112,10.96.0.0/12
The order in which networks are listed determines the primary and secondary address pools. It is important to note that all primary address pools must use the same address family. For example, if the primary address pool for one subnet is IPv6, all other subnet’s primary pools must also be IPv6 (as in the example above).
Configure DNS Server
It is optional to configure servers with both IPv4 and IPv6 addresses. This can be achieved using the command format:
~(keystone_admin)]$ system dns-modify nameservers=<IPv6 DNS server>,<IPv4 DNS server>
or
~(keystone_admin)]$ system dns-modify nameservers=<IPv4 DNS server>,<IPv6 DNS server>
If the selected servers support both A
and
AAAA
records, specifying an address for each address family
is unnecessary.
Distributed Cloud Operations
Subclouds can be installed in a dual-stack configuration, if its version supports the feature. All operational communication between the system controller and subclouds uses the primary address pool. While the system controller and subclouds can operate in different network modes (single-stack or dual-stack), they must share the same primary address family. Geo redundancy uses the primary address pools to communicate.
Public Endpoint Considerations
All available public endpoints can be accessed through the secondary address using the same L4 port. Proxy is used to map these external requests to the corresponding internal endpoints.
Modify Network Addresses
- Supported Networks
-
Only the , Admin, and Management networks can be modified using the
addrpool-modify
command during runtime. - Other Networks
-
For other networks, reinstallation is required to make changes.
External API and Command Line Interface Considerations
- Deprecated
-
The
external-OAM
API is marked as deprecated but can be used to modify the network primary pool. - CLI
-
The corresponding CLIs are:
~(keystone_admin)]$ system oam-modify <path=value> [<path=value> ...] ~(keystone_admin)]$ system oam-show
Enable Kubernetes in Dual-stack
To enable dual-stack functionality in Kubernetes, the , cluster-host,
cluster-service, and cluster-pod networks must be configured to support
it. Making these changes at runtime triggers a quick restart for the
kube-API-server
and kube-controller-manager
pods.
If converted during runtime, newly created pods will automatically receive both primary and secondary addresses. Existing pods retain their current primary addresses but will not acquire a secondary address until they are restarted. The same happens from a dual-stack to single-stack configuration, previously existing pods will retain their secondary address until restart.
Runtime Configuration
To add dual-stack in a running system the following sequence is suggested (in the example below the system was installed as IPv6). The network's primary family can be seen with:
~(keystone_admin)]$ system network-list
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+
| id | uuid... | name | type | dynamic | pool_uuid | primary_pool_family |
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+
| 4 | 196d...3 | multicast | multicast | False | 7c445f38-067c-4b3c-a511-d8e00da5791c | IPv6 |
| 5 | 43fe...3 | cluster-host | cluster-host | True | 6250edb8-15f5-4204-80f1-8e54b9e28a5a | IPv6 |
| 3 | 9996...9 | oam | oam | False | b46512d7-5404-4daa-a64d-fc510e0c5864 | IPv6 |
| 6 | a374...7 | cluster-pod | cluster-pod | False | f4c9560c-47e5-46bd-aff5-18642831b1da | IPv6 |
| 7 | afc1...d | cluster-service | cluster-service | False | a6366aab-b3c1-4947-97e5-f5171e0e2f3e | IPv6 |
| 1 | b565...9 | mgmt | mgmt | True | 412aebff-9a86-40b1-a379-752f00a0c3a0 | IPv6 |
| 2 | bbb1...2 | pxeboot | pxeboot | True | 05fde56d-f26a-4ea4-8b32-1ebf868743e2 | IPv4 |
+----+-----...--+-----------------+-----------------+---------+--------------------------------------+---------------------+
Configure OAM Network
Add an address pool for :
~(keystone_admin)]$ system addrpool-add oam-ipv4 171.168.204.0 24 --order random --ranges 171.168.204.1-171.168.204.254 --floating-address 171.168.204.1 --controller0-address 171.168.204.2 --controller1-address 171.168.204.3
Then assign the newly created pool to the network:
~(keystone_admin)]$ system network-addrpool-assign oam oam-ipv4
If the system is AIO-SX, the new configuration is applied immediately, otherwise it is necessary to lock/unlock both controllers.
Configure Cluster (pod/service/host) Network
The cluster networks in dual-stack converts kubernetes to dual-stack operation, in this case, first make sure the network is already configured in dual-stack and then start by adding the correspondent pools:
~(keystone_admin)]$ system addrpool-add cluster-pod-subnet-ipv4 172.16.0.0 16 --order random --ranges 172.16.0.1-172.16.254.254
~(keystone_admin)]$ system addrpool-add cluster-service-subnet-ipv4 10.96.0.0 12 --order random --ranges 10.96.0.1-10.96.254.254
~(keystone_admin)]$ system addrpool-add cluster-host-subnet-ipv4 192.168.204.0 24 --order random --ranges 192.168.204.1-192.168.204.254 --floating-address 192.168.204.1 --controller0-address 192.168.204.2 --controller1-address 192.168.204.3
Then associate the new pools to each network (there is no preferred order among the three networks):
~(keystone_admin)]$ system network-addrpool-assign cluster-service cluster-service-subnet-ipv4
~(keystone_admin)]$ system network-addrpool-assign cluster-pod cluster-pod-subnet-ipv4
~(keystone_admin)]$ system network-addrpool-assign cluster-host cluster-host-subnet-ipv4
After the third cluster network receives dual-stack kubernetes and
calico will be reconfigured with the
kube-apiserver-controller
and
kube-controller-manager-controller
restarts. The entire
operation will be performed without the need of a node lock/unlock
cycle.
Configure Management Network
As stated, the internal communication is done through the primary pool, but it is possible to add dual-stack configuration by first adding the new pool:
~(keystone_admin)]$ system addrpool-add management-ipv4 20.20.20.0 24 --order random --ranges 20.20.20.1-20.20.20.254 --floating-address 20.20.20.1 --controller0-address 20.20.20.2 --controller1-address 20.20.20.3
Then create the association:
~(keystone_admin)]$ system network-addrpool-assign management management-ipv4
A Configuration Out-Of-Date
alarm is raised for the
affected nodes and a node lock/unlock cycle will clean the alarm.
Configure Admin Network
This network is used by subclouds to communicate with its system-controller and that is done through the primary pool. To add a dual-stack configuration start with a new pool:
~(keystone_admin)]$ system addrpool-add admin-ipv4 30.30.30.0 24 --order random --ranges 30.30.30.1-30.30.30.254 --floating-address 30.30.30.1 --controller0-address 30.30.30.2 --controller1-address 30.30.30.3
Then create the association:
~(keystone_admin)]$ system network-addrpool-assign admin admin-ipv4
This is done in runtime on the affected controllers, no lock/unlock cycle is required.
Revert to Single-stack
By removing the network association with the address pool the single-stack configuration operates in a similar fashion that was done to configure dual-stack. If the configuration was done at runtime, or if a node lock/unlock cycle was required to configure dual-stack, the same happens when configuring single-stack.
To remove a address pool association with a network use
network-addrpool-remove
, for example:
~(keystone_admin)]$ ADDR_POOL_NAME=”cluster-pod-ipv6"
~(keystone_admin)]$ DEL=$(system network-addrpool-list | awk '$6 == $ADDR_POOL_NAME { print $2 }') && system network-addrpool-remove $DEL