openstack/neutron
Code Issues Proposed changes
Files
f92c677b5691d5ec89c04c0dd66835308a85e428
neutron/doc/source/admin/config-service-subnets.rst
Brian Haley e63cdd216b Alphabetize some of the admin and contrib docs 
Over time docs were added or updated such that they were
no longer in alphabetical order based on the index order
or their title strings. Tried to fix it up a bit along
with some capitalization.

Trivialfix

Change-Id: I948b2a1c86faaffed07adcf0198a3fba72401abe
2023-09-18 13:12:31 -04:00

350 lines
19 KiB
ReStructuredText
Raw Blame History

.. _config-service-subnets:
===============
Service Subnets
===============
Service subnets enable operators to define valid port types for each
subnet on a network without limiting networks to one subnet or manually
creating ports with a specific subnet ID. Using this feature, operators
can ensure that ports for instances and router interfaces, for example,
always use different subnets.
Operation
~~~~~~~~~
Define one or more service types for one or more subnets on a particular
network. Each service type must correspond to a valid device owner within
the port model in order for it to be used.
During IP allocation, the :ref:`IPAM <config-ipam>` driver returns an
address from a subnet with a service type matching the port device
owner. If no subnets match, or all matching subnets lack available IP
addresses, the IPAM driver attempts to use a subnet without any service
types to preserve compatibility. If all subnets on a network have a
service type, the IPAM driver cannot preserve compatibility. However, this
feature enables strict IP allocation from subnets with a matching device
owner. If multiple subnets contain the same service type, or a subnet
without a service type exists, the IPAM driver selects the first subnet
with a matching service type. For example, a floating IP agent gateway port
uses the following selection process:
* ``network:floatingip_agent_gateway``
* ``None``
.. note::
Ports with the device owner ``network:dhcp`` are exempt from the above IPAM
logic for subnets with ``dhcp_enabled`` set to ``True``. This preserves the
existing automatic DHCP port creation behaviour for DHCP-enabled subnets.
Creating or updating a port with a specific subnet skips this selection
process and explicitly uses the given subnet.
Usage
~~~~~
.. note::
Creating a subnet with a service type requires administrative
privileges.
Example 1 - Proof-of-concept
----------------------------
This following example is not typical of an actual deployment. It is shown
to allow users to experiment with configuring service subnets.
#. Create a network.
.. code-block:: console
$ openstack network create demo-net1
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| description | |
| headers | |
| id | b5b729d8-31cc-4d2c-8284-72b3291fec02 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| mtu | 1450 |
| name | demo-net1 |
| port_security_enabled | True |
| project_id | a3db43cd0f224242a847ab84d091217d |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 110 |
| revision_number | 1 |
| router:external | Internal |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | [] |
+---------------------------+--------------------------------------+
#. Create a subnet on the network with one or more service types. For
example, the ``compute:nova`` service type enables instances to use
this subnet.
.. code-block:: console
$ openstack subnet create demo-subnet1 --subnet-range 192.0.2.0/24 \
--service-type 'compute:nova' --network demo-net1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| id | 6e38b23f-0b27-4e3c-8e69-fd23a3df1935 |
| ip_version | 4 |
| cidr | 192.0.2.0/24 |
| name | demo-subnet1 |
| network_id | b5b729d8-31cc-4d2c-8284-72b3291fec02 |
| revision_number | 1 |
| service_types | ['compute:nova'] |
| tags | [] |
| tenant_id | a8b3054cc1214f18b1186b291525650f |
+-------------------+--------------------------------------+
#. Optionally, create another subnet on the network with a different service
type. For example, the ``compute:foo`` arbitrary service type.
.. code-block:: console
$ openstack subnet create demo-subnet2 --subnet-range 198.51.100.0/24 \
--service-type 'compute:foo' --network demo-net1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| id | ea139dcd-17a3-4f0a-8cca-dff8b4e03f8a |
| ip_version | 4 |
| cidr | 198.51.100.0/24 |
| name | demo-subnet2 |
| network_id | b5b729d8-31cc-4d2c-8284-72b3291fec02 |
| revision_number | 1 |
| service_types | ['compute:foo'] |
| tags | [] |
| tenant_id | a8b3054cc1214f18b1186b291525650f |
+-------------------+--------------------------------------+
#. Launch an instance using the network. For example, using the ``cirros``
image and ``m1.tiny`` flavor.
.. code-block:: console
$ openstack server create demo-instance1 --flavor m1.tiny \
--image cirros --nic net-id=b5b729d8-31cc-4d2c-8284-72b3291fec02
+--------------------------------------+-----------------------------------------------+
| Field | Value |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | instance-00000009 |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | Fn85skabdxBL |
| config_drive | |
| created | 2016-09-19T15:07:42Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 04222b73-1a6e-4c2a-9af4-ef3d17d521ff |
| image | cirros (4aaec87d-c655-4856-8618-b2dada3a2b11) |
| key_name | None |
| name | demo-instance1 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | d44c19e056674381b86430575184b167 |
| properties | |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| updated | 2016-09-19T15:07:42Z |
| user_id | 331afbeb322d4c559a181e19051ae362 |
+--------------------------------------+-----------------------------------------------+
#. Check the instance status. The ``Networks`` field contains an IP address
from the subnet having the ``compute:nova`` service type.
.. code-block:: console
$ openstack server list
+--------------------------------------+-----------------+---------+---------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-----------------+---------+---------------------+--------+---------+
| 20181f46-5cd2-4af8-9af0-f4cf5c983008 | demo-instance1 | ACTIVE | demo-net1=192.0.2.3 | cirros | m1.tiny |
+--------------------------------------+-----------------+---------+---------------------+--------+---------+
Example 2 - DVR configuration
-----------------------------
The following example outlines how you can configure service subnets in
a DVR-enabled deployment, with the goal of minimizing public IP
address consumption. This example uses three subnets on the same external
network:
* 192.0.2.0/24 for instance floating IP addresses
* 198.51.100.0/24 for floating IP agent gateway IPs configured on compute nodes
* 203.0.113.0/25 for all other IP allocations on the external network
This example uses again the private network, ``demo-net1``
(b5b729d8-31cc-4d2c-8284-72b3291fec02) which was created in
`Example 1 - Proof-of-concept`_.
.. note:
The output of the commands is not always shown since it
is very similar to the above.
#. Create an external network:
.. code-block:: console
$ openstack network create --external demo-ext-net
#. Create a subnet on the external network for the instance floating IP
addresses. This uses the ``network:floatingip`` service type.
.. code-block:: console
$ openstack subnet create demo-floating-ip-subnet \
--subnet-range 192.0.2.0/24 --no-dhcp \
--service-type 'network:floatingip' --network demo-ext-net
#. Create a subnet on the external network for the floating IP agent
gateway IP addresses, which are configured by DVR on compute nodes.
This will use the ``network:floatingip_agent_gateway`` service type.
.. code-block:: console
$ openstack subnet create demo-floating-ip-agent-gateway-subnet \
--subnet-range 198.51.100.0/24 --no-dhcp \
--service-type 'network:floatingip_agent_gateway' \
--network demo-ext-net
#. Create a subnet on the external network for all other IP addresses
allocated on the external network. This will not use any service
type. It acts as a fall back for allocations that do not match
either of the above two service subnets.
.. code-block:: console
$ openstack subnet create demo-other-subnet \
--subnet-range 203.0.113.0/25 --no-dhcp \
--network demo-ext-net
#. Create a router:
.. code-block:: console
$ openstack router create demo-router
#. Add an interface to the router on demo-subnet1:
.. code-block:: console
$ openstack router add subnet demo-router demo-subnet1
#. Set the external gateway for the router, which will create an
interface and allocate an IP address on demo-ext-net:
.. code-block:: console
$ openstack router set --external-gateway demo-ext-net demo-router
#. Launch an instance on a private network and retrieve the neutron
port ID that was allocated. As above, use the ``cirros``
image and ``m1.tiny`` flavor:
.. code-block:: console
$ openstack server create demo-instance1 --flavor m1.tiny \
--image cirros --nic net-id=b5b729d8-31cc-4d2c-8284-72b3291fec02
$ openstack port list --server demo-instance1
+--------------------------------------+------+-------------------+--------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+--------------------------------------------------+--------+
| a752bb24-9bf2-4d37-b9d6-07da69c86f19 | | fa:16:3e:99:54:32 | ip_address='203.0.113.130', | ACTIVE |
| | | | subnet_id='6e38b23f-0b27-4e3c-8e69-fd23a3df1935' | |
+--------------------------------------+------+-------------------+--------------------------------------------------+--------+
#. Associate a floating IP with the instance port and verify it was
allocated an IP address from the correct subnet:
.. code-block:: console
$ openstack floating ip create --port \
a752bb24-9bf2-4d37-b9d6-07da69c86f19 demo-ext-net
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | 203.0.113.130 |
| floating_ip_address | 192.0.2.12 |
| floating_network_id | 02d236d5-dad9-4082-bb6b-5245f9f84d13 |
| id | f15cae7f-5e05-4b19-bd25-4bb71edcf3de |
| port_id | a752bb24-9bf2-4d37-b9d6-07da69c86f19 |
| project_id | d44c19e056674381b86430575184b167 |
| revision_number | 1 |
| router_id | 5a8ca19f-3703-4f81-bc29-db6bc2f528d6 |
| status | ACTIVE |
| tags | [] |
+---------------------+--------------------------------------+
#. As the `admin` user, verify the neutron routers are allocated IP
addresses from their correct subnets. Use ``openstack port list``
to find ports associated with the routers.
First, the router gateway external port:
.. code-block:: console
$ openstack port show f148ffeb-3c26-4067-bc5f-5c3dfddae2f5
+-----------------------+--------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------+
| admin_state_up | UP |
| device_id | 5a8ca19f-3703-4f81-bc29-db6bc2f528d6 |
| device_owner | network:router_gateway |
| extra_dhcp_opts | |
| fixed_ips | ip_address='203.0.113.11', |
| | subnet_id='67c251d9-2b7a-4200-99f6-e13785b0334d' |
| id | f148ffeb-3c26-4067-bc5f-5c3dfddae2f5 |
| mac_address | fa:16:3e:2c:0f:69 |
| network_id | 02d236d5-dad9-4082-bb6b-5245f9f84d13 |
| revision_number | 1 |
| project_id | |
| status | ACTIVE |
| tags | [] |
+-----------------------+--------------------------------------------------------------------------+
Second, the router floating IP agent gateway external port:
.. code-block:: console
$ openstack port show a2d1e756-8ae1-4f96-9aa1-e7ea16a6a68a
+-----------------------+--------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------+
| admin_state_up | UP |
| device_id | 3d0c98eb-bca3-45cc-8aa4-90ae3deb0844 |
| device_owner | network:floatingip_agent_gateway |
| extra_dhcp_opts | |
| fixed_ips | ip_address='198.51.100.10', |
| | subnet_id='67c251d9-2b7a-4200-99f6-e13785b0334d' |
| id | a2d1e756-8ae1-4f96-9aa1-e7ea16a6a68a |
| mac_address | fa:16:3e:f4:5d:fa |
| network_id | 02d236d5-dad9-4082-bb6b-5245f9f84d13 |
| project_id | |
| revision_number | 1 |
| status | ACTIVE |
| tags | [] |
+-----------------------+--------------------------------------------------------------------------+
View Git Blame Copy Permalink