Further clarify networking content

Further clarify installation guide networking content to reduce potential confusion about the purpose of each network. Change-Id: I1c7f79784eb80e317be1f156bc3a0e68ac39df3b Closes-Bug: #1372669 backport: Juno
2014-12-24 13:18:33 -06:00 · 2014-12-24 13:18:33 -06:00 · 29cdefc9f6
commit 29cdefc9f6
parent 2afd5ec6b0
3 changed files with 88 additions and 24 deletions
--- a/doc/install-guide/section_basics-networking-neutron.xml
+++ b/doc/install-guide/section_basics-networking-neutron.xml
@ -19,6 +19,37 @@
    <glossterm>external network</glossterm>. The compute node contains
    one network interface on the management network and one on the
    instance tunnels network.</para>
+  <para>The example architecture assumes use of the following networks:</para>
+  <itemizedlist>
+    <listitem>
+      <para>Management on 10.0.0.0/24 with gateway 10.0.0.1</para>
+      <note>
+        <para>This network requires a gateway to provide Internet
+          access to all nodes for administrative purposes such as
+          package installation, security updates,
+          <glossterm>DNS</glossterm>, and
+          <glossterm baseform="Network Time Protocol (NTP)"
+          >NTP</glossterm>.</para>
+      </note>
+    </listitem>
+    <listitem>
+      <para>Instance tunnels on 10.0.1.0/24 without a gateway</para>
+      <note>
+        <para>This network does not require a gateway because communication
+          only occurs among network and compute nodes in your OpenStack
+          environment.</para>
+      </note>
+    </listitem>
+    <listitem>
+      <para>External on 203.0.113.0/24 with gateway 203.0.113.1</para>
+      <note>
+        <para>This network requires a gateway to provide Internet
+          access to instances in your OpenStack environment.</para>
+      </note>
+    </listitem>
+  </itemizedlist>
+  <para>You can modify these ranges and gateways to work with your
+    particular network infrastructure.</para>
  <note>
    <para>Network interface names vary by distribution. Traditionally,
      interfaces use "eth" followed by a sequential number. To cover all
--- a/doc/install-guide/section_basics-networking-nova.xml
+++ b/doc/install-guide/section_basics-networking-nova.xml
@ -16,6 +16,29 @@
    <glossterm>management network</glossterm>. The compute node contains
    one network interface on the management network and one on the
    <glossterm>external network</glossterm>.</para>
+  <para>The example architecture assumes use of the following networks:</para>
+  <itemizedlist>
+    <listitem>
+      <para>Management on 10.0.0.0/24 with gateway 10.0.0.1</para>
+      <note>
+        <para>This network requires a gateway to provide Internet
+          access to all nodes for administrative purposes such as
+          package installation, security updates,
+          <glossterm>DNS</glossterm>, and
+          <glossterm baseform="Network Time Protocol (NTP)"
+          >NTP</glossterm>.</para>
+      </note>
+    </listitem>
+    <listitem>
+      <para>External on 203.0.113.0/24 with gateway 203.0.113.1</para>
+      <note>
+        <para>This network requires a gateway to provide Internet
+          access to instances in your OpenStack environment.</para>
+      </note>
+    </listitem>
+  </itemizedlist>
+  <para>You can modify these ranges and gateways to work with your
+    particular network infrastructure.</para>
  <note>
    <para>Network interface names vary by distribution. Traditionally,
      interfaces use "eth" followed by a sequential number. To cover all
--- a/doc/install-guide/section_basics-networking.xml
+++ b/doc/install-guide/section_basics-networking.xml
@ -28,6 +28,26 @@
    <link os="sles;opensuse"
    xlink:href="http://activedoc.opensuse.org/book/opensuse-reference/chapter-13-basic-networking"
    >openSUSE documentation.</link></para>
+    <para>All nodes require Internet access for administrative purposes
+      such as package installation, security updates,
+      <glossterm>DNS</glossterm>, and
+      <glossterm baseform="Network Time Protocol (NTP)"
+      >NTP</glossterm>. In most cases, nodes should obtain Internet
+      access through the management network interface. To highlight
+      the importance of network separation, the example architectures
+      use <link xlink:href="https://tools.ietf.org/html/rfc1918"
+      >private address space</link> for the management network and assume
+      that network infrastructure provides Internet access via
+      <glossterm baseform="Network Address Translation (NAT)"
+      >NAT</glossterm>. To illustrate the flexibility of
+      <glossterm>IaaS</glossterm>, the example architectures use public
+      IP address space for the external network and assume that network
+      infrastructure provides direct Internet access to instances in
+      your OpenStack environment. In environments with only one block
+      of public IP address space, both the management and external networks
+      must ultimately obtain Internet access using it. For simplicity, the
+      diagrams in this guide only show Internet access for OpenStack
+      services.</para>
  <procedure os="sles;opensuse">
    <title>To disable Network Manager</title>
    <step>
@ -41,34 +61,24 @@
      </para>
    </step>
  </procedure>
-  <para os="rhel;centos">RHEL and CentOS enable a restrictive
-    <glossterm>firewall</glossterm> by default. During the installation
-    process, certain steps will fail unless you alter or disable the
-    firewall. For more information about securing your environment, refer
-    to the <link xlink:href="http://docs.openstack.org/sec/">OpenStack
-    Security Guide</link>.</para>
-  <para os="opensuse;sles">openSUSE and SLES enable a restrictive
-    <glossterm>firewall</glossterm> by default. During the installation
-    process, certain steps will fail unless you alter or disable the
-    firewall. For more information about securing your environment, refer
-    to the <link xlink:href="http://docs.openstack.org/sec/">OpenStack
-    Security Guide</link>.</para>
-  <para os="ubuntu;debian">Your distribution does not enable a
-    restrictive <glossterm>firewall</glossterm> by default. For more
-    information about securing your environment, refer to the
-    <link xlink:href="http://docs.openstack.org/sec/">OpenStack
-    Security Guide</link>.</para>
+  <note>
+    <para os="rhel;centos;fedora;sles;opensuse">Your distribution enables
+      a restrictive <glossterm>firewall</glossterm> by default. During the
+      installation process, certain steps will fail unless you alter or
+      disable the firewall. For more information about securing your
+      environment, refer to the
+      <link xlink:href="http://docs.openstack.org/sec/">OpenStack
+      Security Guide</link>.</para>
+    <para os="ubuntu;debian">Your distribution does not enable a
+      restrictive <glossterm>firewall</glossterm> by default. For more
+      information about securing your environment, refer to the
+      <link xlink:href="http://docs.openstack.org/sec/">OpenStack
+      Security Guide</link>.</para>
+  </note>
  <para>Proceed to network configuration for the example
    <link linkend="basics-networking-neutron">OpenStack Networking (neutron)
    </link> or <link linkend="basics-networking-nova">legacy
    networking (nova-network)</link> architecture.</para>
-  <note>
-    <para>All nodes require Internet access to install OpenStack packages
-      and perform maintenance tasks such as periodic updates. In most
-      cases, nodes should obtain Internet access through the management
-      network interface. For simplicity, the network diagrams in this guide
-      only show Internet access for OpenStack network services.</para>
-  </note>
  <xi:include href="section_basics-networking-neutron.xml"/>
  <xi:include href="section_basics-networking-nova.xml"/>
 </section>