From 58349641541cc0e3b502311344d290c2afde7da5 Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Wed, 8 Jul 2015 10:49:51 -0400 Subject: Support network isolation without external nets This patch adds extra heat environments that can be used to enable network isolation without using the external network. Instead of a separate external network the ctlplane will be used for all of the external/public traffic. Change-Id: Ia542cee02121771d7d57ac701b62d7608e8d1855 --- environments/net-bond-with-vlans-no-external.yaml | 26 +++++ .../net-single-nic-with-vlans-no-external.yaml | 25 +++++ network/config/bond-with-vlans/README.md | 12 +++ .../bond-with-vlans/controller-no-external.yaml | 114 +++++++++++++++++++++ network/config/single-nic-vlans/README.md | 12 +++ .../single-nic-vlans/controller-no-external.yaml | 99 ++++++++++++++++++ 6 files changed, 288 insertions(+) create mode 100644 environments/net-bond-with-vlans-no-external.yaml create mode 100644 environments/net-single-nic-with-vlans-no-external.yaml create mode 100644 network/config/bond-with-vlans/controller-no-external.yaml create mode 100644 network/config/single-nic-vlans/controller-no-external.yaml diff --git a/environments/net-bond-with-vlans-no-external.yaml b/environments/net-bond-with-vlans-no-external.yaml new file mode 100644 index 00000000..0da119d9 --- /dev/null +++ b/environments/net-bond-with-vlans-no-external.yaml @@ -0,0 +1,26 @@ +# This template configures each role to use a pair of bonded nics (nic2 and +# nic3) and configures an IP address on each relevant isolated network +# for each role. + +# This template assumes use of network-isolation.yaml and should be specified +# last on the CLI as a Heat environment so as to override specific +# registry settings in the network-isolation registry. +# +# FIXME: if/when we add functionality to heatclient to include heat +# environment files we should think about using it here to automatically +# include network-isolation.yaml. +resource_registry: + + # Set external ports to noop + OS::TripleO::Network::External: ../network/noop.yaml + OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/noop.yaml + + OS::TripleO::BlockStorage::Net::SoftwareConfig: ../network/config/bond-with-vlans/cinder-storage.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../network/config/bond-with-vlans/compute.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../network/config/bond-with-vlans/controller-no-external.yaml + OS::TripleO::ObjectStorage::Net::SoftwareConfig: ../network/config/bond-with-vlans/swift-storage.yaml + OS::TripleO::CephStorage::Net::SoftwareConfig: ../network/config/bond-with-vlans/ceph-storage.yaml + +# NOTE: with no external interface we should be able to use the +# default Neutron l3_agent.ini setting for the external bridge (br-ex) +# i.e. No need to set: NeutronExternalNetworkBridge: "''" diff --git a/environments/net-single-nic-with-vlans-no-external.yaml b/environments/net-single-nic-with-vlans-no-external.yaml new file mode 100644 index 00000000..a173df4e --- /dev/null +++ b/environments/net-single-nic-with-vlans-no-external.yaml @@ -0,0 +1,25 @@ +# This template configures each role to use Vlans on a single nic for +# each isolated network. +# This template assumes use of network-isolation.yaml and should be specified +# last on the CLI as a Heat environment so as to override specific +# registry settings in the network-isolation registry. +# +# FIXME: if/when we add functionality to heatclient to include heat +# environment files we should think about using it here to automatically +# include network-isolation.yaml. +resource_registry: + + # Set external ports to noop + OS::TripleO::Network::External: ../network/noop.yaml + OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/noop.yaml + + # Configure other ports as normal + OS::TripleO::BlockStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/cinder-storage.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../network/config/single-nic-vlans/compute.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../network/config/single-nic-vlans/controller-no-external.yaml + OS::TripleO::ObjectStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/swift-storage.yaml + OS::TripleO::CephStorage::Net::SoftwareConfig: ../network/config/single-nic-vlans/ceph-storage.yaml + +# NOTE: with no external interface we should be able to use the +# default Neutron l3_agent.ini setting for the external bridge (br-ex) +# i.e. No need to set: NeutronExternalNetworkBridge: "''" diff --git a/network/config/bond-with-vlans/README.md b/network/config/bond-with-vlans/README.md index 1679df3c..98879b4f 100644 --- a/network/config/bond-with-vlans/README.md +++ b/network/config/bond-with-vlans/README.md @@ -1,6 +1,12 @@ This directory contains Heat templates to help configure Vlans on a bonded pair of NICs for each Overcloud role. +There are two versions of the controller role template, one with +an external network interface, and another without. If the +external network interface is not configured the ctlplane address +ranges will be used for external (public) network traffic. + + Configuration ------------- @@ -13,3 +19,9 @@ something like this: OS::TripleO::Controller::Net::SoftwareConfig: network/config/bond-with-vlans/controller.yaml OS::TripleO::ObjectStorage::Net::SoftwareConfig: network/config/bond-with-vlans/swift-storage.yaml OS::TripleO::CephStorage::Net::SoftwareConfig: network/config/bond-with-vlans/ceph-storage.yaml + +Configuration with no External Network +-------------------------------------- +Same as above except set the following value for the controller role: + + OS::TripleO::Controller::Net::SoftwareConfig: network/config/bond-with-vlans/controller-no-external.yaml diff --git a/network/config/bond-with-vlans/controller-no-external.yaml b/network/config/bond-with-vlans/controller-no-external.yaml new file mode 100644 index 00000000..22579e8f --- /dev/null +++ b/network/config/bond-with-vlans/controller-no-external.yaml @@ -0,0 +1,114 @@ +heat_template_version: 2015-04-30 + +description: > + Software Config to drive os-net-config with 2 bonded nics on a bridge + with VLANs attached for the controller role. + +parameters: + ExternalIpSubnet: + default: '' + description: IP address/subnet on the external network + type: string + InternalApiIpSubnet: + default: '' + description: IP address/subnet on the internal API network + type: string + StorageIpSubnet: + default: '' + description: IP address/subnet on the storage network + type: string + StorageMgmtIpSubnet: + default: '' + description: IP address/subnet on the storage mgmt network + type: string + TenantIpSubnet: + default: '' + description: IP address/subnet on the tenant network + type: string + BondInterfaceOvsOptions: + default: '' + description: The ovs_options string for the bond interface. Set things like + lacp=active and/or bond_mode=balance-slb using this option. + type: string + ExternalNetworkVlanID: + default: 10 + description: Vlan ID for the external network traffic. + type: number + InternalApiNetworkVlanID: + default: 20 + description: Vlan ID for the internal_api network traffic. + type: number + StorageNetworkVlanID: + default: 30 + description: Vlan ID for the storage network traffic. + type: number + StorageMgmtNetworkVlanID: + default: 40 + description: Vlan ID for the storage mgmt network traffic. + type: number + TenantNetworkVlanID: + default: 50 + description: Vlan ID for the tenant network traffic. + type: number + ExternalInterfaceDefaultRoute: + default: '10.0.0.1' + description: default route for the external network + type: string + +resources: + OsNetConfigImpl: + type: OS::Heat::StructuredConfig + properties: + group: os-apply-config + config: + os_net_config: + network_config: + - + type: ovs_bridge + name: {get_input: bridge_name} + members: + - + type: ovs_bond + name: bond1 + ovs_options: {get_param: BondInterfaceOvsOptions} + members: + - + type: interface + name: nic2 + primary: true + - + type: interface + name: nic3 + - + type: vlan + device: bond1 + vlan_id: {get_param: InternalApiNetworkVlanID} + addresses: + - + ip_netmask: {get_param: InternalApiIpSubnet} + - + type: vlan + device: bond1 + vlan_id: {get_param: StorageNetworkVlanID} + addresses: + - + ip_netmask: {get_param: StorageIpSubnet} + - + type: vlan + device: bond1 + vlan_id: {get_param: StorageMgmtNetworkVlanID} + addresses: + - + ip_netmask: {get_param: StorageMgmtIpSubnet} + - + type: vlan + device: bond1 + vlan_id: {get_param: TenantNetworkVlanID} + addresses: + - + ip_netmask: {get_param: TenantIpSubnet} + +outputs: + OS::stack_id: + description: The OsNetConfigImpl resource. + value: {get_resource: OsNetConfigImpl} diff --git a/network/config/single-nic-vlans/README.md b/network/config/single-nic-vlans/README.md index e3e16574..6f128650 100644 --- a/network/config/single-nic-vlans/README.md +++ b/network/config/single-nic-vlans/README.md @@ -1,6 +1,11 @@ This directory contains Heat templates to help configure Vlans on a single NICs for each Overcloud role. +There are two versions of the controller role template, one with +an external network interface, and another without. If the +external network interface is not configured the ctlplane address +ranges will be used for external (public) network traffic. + Configuration ------------- @@ -17,3 +22,10 @@ something like this: Or use this Heat environment file: environments/net-single-nic-with-vlans.yaml + + +Configuration with no External Network +-------------------------------------- +Same as above except set the following value for the controller role: + + OS::TripleO::Controller::Net::SoftwareConfig: network/config/single-nic-vlans/controller-no-external.yaml diff --git a/network/config/single-nic-vlans/controller-no-external.yaml b/network/config/single-nic-vlans/controller-no-external.yaml new file mode 100644 index 00000000..faf9e9c2 --- /dev/null +++ b/network/config/single-nic-vlans/controller-no-external.yaml @@ -0,0 +1,99 @@ +heat_template_version: 2015-04-30 + +description: > + Software Config to drive os-net-config to configure VLANs for the + controller role. No external IP is configured. + +parameters: + ExternalIpSubnet: + default: '' + description: IP address/subnet on the external network + type: string + InternalApiIpSubnet: + default: '' + description: IP address/subnet on the internal API network + type: string + StorageIpSubnet: + default: '' + description: IP address/subnet on the storage network + type: string + StorageMgmtIpSubnet: + default: '' + description: IP address/subnet on the storage mgmt network + type: string + TenantIpSubnet: + default: '' + description: IP address/subnet on the tenant network + type: string + ExternalNetworkVlanID: + default: 10 + description: Vlan ID for the external network traffic. + type: number + InternalApiNetworkVlanID: + default: 20 + description: Vlan ID for the internal_api network traffic. + type: number + StorageNetworkVlanID: + default: 30 + description: Vlan ID for the storage network traffic. + type: number + StorageMgmtNetworkVlanID: + default: 40 + description: Vlan ID for the storage mgmt network traffic. + type: number + TenantNetworkVlanID: + default: 50 + description: Vlan ID for the tenant network traffic. + type: number + ExternalInterfaceDefaultRoute: + default: '10.0.0.1' + description: default route for the external network + type: string + +resources: + OsNetConfigImpl: + type: OS::Heat::StructuredConfig + properties: + group: os-apply-config + config: + os_net_config: + network_config: + - + type: ovs_bridge + name: {get_input: bridge_name} + use_dhcp: true + members: + - + type: interface + name: nic1 + # force the MAC address of the bridge to this interface + primary: true + - + type: vlan + vlan_id: {get_param: InternalApiNetworkVlanID} + addresses: + - + ip_netmask: {get_param: InternalApiIpSubnet} + - + type: vlan + vlan_id: {get_param: StorageNetworkVlanID} + addresses: + - + ip_netmask: {get_param: StorageIpSubnet} + - + type: vlan + vlan_id: {get_param: StorageMgmtNetworkVlanID} + addresses: + - + ip_netmask: {get_param: StorageMgmtIpSubnet} + - + type: vlan + vlan_id: {get_param: TenantNetworkVlanID} + addresses: + - + ip_netmask: {get_param: TenantIpSubnet} + +outputs: + OS::stack_id: + description: The OsNetConfigImpl resource. + value: {get_resource: OsNetConfigImpl} -- cgit 1.2.3-korg