From d9ccf7d771afc6ad886182cdd7fbc956632e4935 Mon Sep 17 00:00:00 2001
From: Bin Hu
Date: Wed, 19 Aug 2015 18:07:01 -0700
Subject: JIRA: IPVSIX-17
Change-Id: I5ba22e211b75407f93463b6184335306ae90e613
Signed-off-by: Bin Hu
---
 images/ipv6-poc-1.png | Bin 0 -> 85313 bytes
 vrouter/Service_VM_as_vRouter.txt | 44 +++++++++
 vrouter/setup_ipv6_vrouter.txt | 122 +++++++++++++++++++++++
 vrouter/setup_service_vm.txt | 198 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 364 insertions(+)
 create mode 100644 images/ipv6-poc-1.png
 create mode 100644 vrouter/Service_VM_as_vRouter.txt
 create mode 100644 vrouter/setup_ipv6_vrouter.txt
 create mode 100644 vrouter/setup_service_vm.txt
diff --git a/images/ipv6-poc-1.png b/images/ipv6-poc-1.png
new file mode 100644
index 0000000..f4fdcf4
Binary files /dev/null and b/images/ipv6-poc-1.png differ
diff --git a/vrouter/Service_VM_as_vRouter.txt b/vrouter/Service_VM_as_vRouter.txt
new file mode 100644
index 0000000..8592323
--- /dev/null
+++ b/vrouter/Service_VM_as_vRouter.txt
@@ -0,0 +1,44 @@
+==================================
+Exercising Service VM as a vRouter
+==================================
+
+There are 3 steps to set up a service VM as a vRouter:
+
+- Step 1: `Get a service VM running`_
+
+- Step 2: `Handling Neutron Security Group Feature`_
+
+- Step 3: `Set up an IPv6 vRouter on the Service VM`_
+
+***************************
+_`Get a Service VM Running`
+***************************
+
+Please click `Set up Service VM`_ page for instructions to get a service VM running.
+
+.. _`Set up Service VM`: ./setup_service_vm.html
+
+******************************************
+_`Handling Neutron Security Group Feature`
+******************************************
+
+------------------------------
+Disable Security Group Feature
+------------------------------
+
+If Open Stack is integrated and running with Open Daylight, we need to completely disable Security Group feature in Open Stack because Open Daylight doesn’t support it.
+
+----------------------------------------------------------
+Use Neutron ML2 Port Security Extension (Kilo and Liberty)
+----------------------------------------------------------
+
+For Open Stack Kilo or Liberty with ML2 OVS only (without Open Daylight), we need to use Port Security Extension of Neutron and disable Anti-spoofing Rule on the service VM.
+
+*******************************************
+_`Set up an IPv6 vRouter on the Service VM`
+*******************************************
+
+Please click `Set up IPv6 vRouter`_ page for instructions to set up an IPv6 vRouter on a Service VM.
+
+.. _`Set up IPv6 vRouter`: ./setup_ipv6_vrouter.html
+
diff --git a/vrouter/setup_ipv6_vrouter.txt b/vrouter/setup_ipv6_vrouter.txt
new file mode 100644
index 0000000..06d2de8
--- /dev/null
+++ b/vrouter/setup_ipv6_vrouter.txt
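Review bot: The "Disable Security Group Feature" paragraph does not say how far the change reaches: as written, "completely disable Security Group feature in Open Stack" reads as a deployment-wide setting that would drop ingress filtering and anti-spoofing for every instance, whereas the Kilo/Liberty paragraph below only relaxes anti-spoofing on the service VM's own ports. A one-sentence caveat after that paragraph would stop readers from applying it to a shared cloud, e.g. `Note: this turns Security Groups off for all instances in the deployment, so it is only suitable for an isolated PoC environment.` It would also help to name the concrete Neutron/ODL setting that is meant, since "completely disable" is not actionable on its own.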
@@ -0,0 +1,122 @@
+======================================
+Set up an IPv6 vRouter on a Service VM
+======================================
+
+| Here you will find the steps involved in creating a ServiceVM that acts as an IPv6 vRouter. In this example, we will be using a CentOS7 image as vRouter (we should be able to use other OS as well) and devstack for OpenStack installation. We need to enable Port Security Extension as the extension_drivers in ML2 configuration file.
+
+| Following is a sample configuration of devstack local.conf file.
+
+| **# [[local|localrc]]**
+| `DATA_DIR=$DEST/data`
+| `SCREEN_LOGDIR=$DATA_DIR/logs`
+| `LOGFILE=$SCREEN_LOGDIR/stack.sh.log`
+| `ADMIN_PASSWORD=password`
+| `MYSQL_PASSWORD=password`
+| `RABBIT_PASSWORD=password`
+| `SERVICE_PASSWORD=password`
+| `SERVICE_TOKEN=token`
+| `disable_service n-net tempest h-eng h-api h-api-cfn h-api-cw`
+| `enable_service q-svc q-dhcp q-meta q-agt q-l3 n-novnc`
+| **# [[post-config|/$Q_PLUGIN_CONF_FILE]]**
+| **# [ml2]**
+| `extension_drivers=port_security`
+
+| After successful installation of OpenStack with the above configuration, we shall create the necessary neutron networks/subnets/ports etc.
+| `cd devstack`
+| `./stack.sh`
+
+| # Source the tenant credentials.
+| `source openrc admin demo`
+| # Create a Neutron router which provides external connectivity.
+| `neutron router-create router1`
+| # Create an external network using the appropriate values based on the data-center physical network setup.
+| `neutron net-create --provider:network_type --provider:physical_network --provider:segmentation_id --router:external ext-net`
+| # Configure ipv6_gateway= in the Neutron L3 agent configuration file.
+| # Associate the ext-net to the neutron router.
+| `neutron router-gateway-set router1 ext-net`
+| # Create an IPv6 internal network.
+| `neutron net-create ipv6-internal-network`
+| # Create an IPv6 subnet in the internal network.
+| `neutron subnet-create --name ipv6-int-subnet --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac ipv6-internal-network 2001:db8:0:1::/64`
+| # Associate the internal subnet to a neutron router.
+| `neutron router-interface-add router1 ipv6-int-subnet`
+
+| Now we shall create an isolated network which is the internal network of vRouter.
+| # Create an isolated router for the tenant internal network.
+| `neutron router-create router2`
+| # Create a Neutron Internal Network.
+| `neutron net-create tenant-internal-network`
+| # Create an IPv4 subnet in the internal network.
+| `neutron subnet-create --name ipv4-int-subnet tenant-internal-network 10.0.0.1/24`
+| # Associate the router2 to IPv4 subnet created above.
+| `neutron router-interface-add `
+
+| Mapping this configuration to `PoC-1`_.
+
+.. _`PoC-1`: /ipv6/images/ipv6-poc-1.png
+
+- `ipv6-internal-network and ext-net is the Red colored network.`
+- `tenant-internal-network is the Green colored network.`
+
+| Lets create two neutron ports one from ext-net and the other from tenant-internal-network for the vRouter VM
+| `neutron port-create ipv6-internal-network --port-security-enabled=False --name enp0s3-port`
+| `neutron port-create tenant-internal-network --port-security-enabled=False --name enp0s8-port`
+
+| Download the Centos7 image which is used as vRouter.
+| `glance image-create --name 'Centos7' --disk-format qcow2 --container-format bare --is-public true --copy-from http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2`
+
+| Create a keypair.
+| `nova keypair-add vRouterKey > ~/vRouterKey`
+
+| Spawn the Centos7 image with two nics (i.e., enp0s3-port and enp0s8-port)
+| `nova boot --image –flavor m1.small --nic port-id=$(neutron port-show -f value -F id enp0s3-port) –nic --nic port-id=$(neutron port-show -f value -F id enp0s8-port) --key-name vRouterKey CentOSvRouter`
+
+| Verify that CentOSvRouter boots up successfully and keypair is injected.
+| `nova list`
+| `nova console-log CentOSvRouter`
+
+| After the image boots up successfully, from the router1 namespace, ssh to vRouter using the keypair.
+| `sudo ip netns`
+| `sudo ip netns exec bash`
+| `ssh -i ~/vRouterKey centos@`
+
+| As a one time job, before we can create the snapshot, execute the steps (i.e., SLAAC setup) mentioned at the following link.
+| `https://wiki.opnfv.org/ipv6_opnfv_project/vm_as_router`
+
+| In order to verify that the setup is working, lets create some cirros VMs on the "tenant-internal-network" (i.e., vRouter internal network).
+| `nova boot --image --flavor m1.tiny --nic net-id= VM1`
+| `nova boot --image --flavor m1.tiny --nic net-id= VM2`
+
+| Confirm that both the VMs have successfully booted up.
+| `nova list`
+| `nova console-log VM1`
+| `nova console-log VM2`
+
+| Add the necessary security group ingress rules.
+| `source openrc demo demo`
+| # SSH access to the VMs
+| `neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 10.0.0.0/24 default`
+| # Permit IPv6 Router Advts from the vRouter internal interface to the VMs.
+| `neutron security-group-rule-create --direction ingress --ethertype IPv6 --protocol icmpv6 --port-range-min 134 --remote-ip-prefix fe80::/64 default`
+
+| SSH to the cirros VMs to check the IPv6 forwarding use-case.
+| `sudo ip netns`
+| `sudo ip netns exec bash`
+| `ssh cirros@`
+
+| Note: default password of cirros image would be "cubswin:)"
+
+| Verify that Cirros image has an IPv6 address assigned via SLAAC with a prefix of "2001:db8:0:2::/64"
+| `ip address`
+| # verify that default route points to the LLA of enp0s8 interface of vRouter.
+| `ip -6 route`
+
+| Try pinging to the internal router interface of router1 (i.e., 2001:db8:0:1::1/64)
+| `ping6 2001:db8:0:1::1/64`
+
+| If all goes well, ping6 should succeed which shows that vRouter is forwarding the IPv6 traffic of instances on the tenant-internal-network.
+
+| At this state, we can create a snapshot of the CentOSvRouter and use it in any other similar OpenStack setup.
+| `nova image-create `
+| `nova image-list #You will find the snapshot you just created above.`
+
diff --git a/vrouter/setup_service_vm.txt b/vrouter/setup_service_vm.txt
new file mode 100644
index 0000000..a9c0a87
--- /dev/null
+++ b/vrouter/setup_service_vm.txt
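Review bot: The `glance image-create ... --copy-from http://cloud.centos.org/...` step fetches the vRouter image over plain HTTP with no integrity check, and the final step snapshots that VM for reuse in other setups, so a tampered download would propagate; the step should verify the published checksum before registering (e.g. download, `sha256sum` against the CentOS-provided sum file, then `glance image-create --file`), or at minimum use the https URL. Both `neutron port-create ... --port-security-enabled=False` lines remove anti-spoofing and security-group filtering from the vRouter VM, which is presumably what lets it forward traffic, but the text should say so explicitly, e.g. `# Port security must be off on both vRouter ports so forwarded traffic is not dropped as spoofed; the vRouter itself is then not protected by Neutron.` Also, the sentence above those commands says the first port comes from ext-net while the command uses ipv6-internal-network; one of the two should be corrected.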
@@ -0,0 +1,198 @@
+================================================
+Set up a Service VM Running as a vRouter (SLAAC)
+================================================
+
+| # Current network setup for IPv6 router VM on local virtualbox setup
+| # /etc/sysconfig/network-scripts/ifcfg-enp0s3
+| # Network interface enp0s3 is IPv4 for public internet access
+| TYPE="Ethernet"
+| BOOTPROTO="dhcp"
+| DEFROUTE="yes"
+| PEERDNS="yes"
+| PEERROUTES="yes"
+| IPV4_FAILURE_FATAL="no"
+| IPV6INIT="yes"
+| IPV6_AUTOCONF="yes"
+| IPV6_DEFROUTE="yes"
+| IPV6_PEERDNS="yes"
+| IPV6_PEERROUTES="yes"
+| IPV6_FAILURE_FATAL="no"
+| NAME="enp0s3"
+| UUID="32bad876-680a-4f78-a364-726eae21bfcf"
+| DEVICE="enp0s3"
+| ONBOOT="yes"
+
+| # /etc/sysconfig/network-scripts/ifcfg-enp0s8
+| # Network interface enp0s8 is IPv6 internal interface to provide IPv6 to internal hosts
+| BOOTPROTO=static
+| IPV6INIT=yes
+| IPV6ADDR="2001:db8:0:2::1/64"
+| NAME=enp0s8
+| UUID=e931a806-2f76-425d-b035-d37813b81df5
+| DEVICE=enp0s8
+| ONBOOT=yes
+| NM_CONTROLLED=no
+
+| # Disable NetworkManager
+| systemctl disable NetworkManager
+
+| # Install dhcp.x86_64, dhcp-common.x86_64, radvd.x86_64 if not already installed
+| yum install dhcp-common
+| yum install dhcp
+| yum install radvd
+
+| # /etc/sysctl.conf Set sysctl to enable IPv6 forwarding
+| net.ipv6.conf.all.forwarding=1
+| net.ipv6.conf.enp0s3.accept_ra=2
+| net.ipv6.conf.enp0s3.accept_ra_defrtr=1
+| net.ipv6.conf.enp0s3.router_solicitations=1
+
+| # /etc/radvd.conf
+| interface enp0s8
+| {
+| # This is the primary "on switch" for RADVD
+| AdvSendAdvert on;
+| #
+| # These settings determine how often advertisements will be sent every X-Y.
+| # X and Y are in seconds.
+| # With these settings you will be sending a advert every 60 seconds
+| #
+| MinRtrAdvInterval 60;
+| MaxRtrAdvInterval 180;
+| #
+| # Disable Mobile IPv6 support
+| #
+| AdvHomeAgentFlag off;
+| #
+| # Here we set our managed flags
+| #
+| AdvManagedFlag on;
+| AdvOtherConfigFlag on;
+| #
+| # Enter our IPv6 prefix and CIDR
+| #
+| prefix 2001:db8:0:2::/64
+| {
+| AdvOnLink on;
+| # On link tells the host that the default router is on the same "link" as it is
+| AdvAutonomous on;
+| AdvRouterAddr off;
+| };
+| };
+
+# Enable radvd service
+systemctl enable radvd
+
+# In /etc/sysconfig/network add
+IPV6FORWARDING=yes
+
+=================================================================
+Set up a Service VM Running as a vRouter (DHCPv6 Stateful Server)
+=================================================================
+
+| # Current network setup for IPv6 router VM on local virtualbox setup
+| # /etc/sysconfig/network-scripts/ifcfg-enp0s3
+| # Network interface enp0s3 is IPv4 for public internet access
+| TYPE="Ethernet"
+| BOOTPROTO="dhcp"
+| DEFROUTE="yes"
+| PEERDNS="yes"
+| PEERROUTES="yes"
+| IPV4_FAILURE_FATAL="no"
+| IPV6INIT="yes"
+| IPV6_AUTOCONF="yes"
+| IPV6_DEFROUTE="yes"
+| IPV6_PEERDNS="yes"
+| IPV6_PEERROUTES="yes"
+| IPV6_FAILURE_FATAL="no"
+| NAME="enp0s3"
+| UUID="32bad876-680a-4f78-a364-726eae21bfcf"
+| DEVICE="enp0s3"
+| ONBOOT="yes"
+
+| # /etc/sysconfig/network-scripts/ifcfg-enp0s8
+| # Network interface enp0s8 is IPv6 internal interface to provide IPv6 to internal hosts
+| BOOTPROTO=static
+| IPV6INIT=yes
+| IPV6ADDR="2001:db8:0:2::1/64"
+| NAME=enp0s8
+| UUID=e931a806-2f76-425d-b035-d37813b81df5
+| DEVICE=enp0s8
+| ONBOOT=yes
+| NM_CONTROLLED=no
+
+| # Disable NetworkManager
+| systemctl disable NetworkManager
+
+| # Install dhcp.x86_64, dhcp-common.x86_64, radvd.x86_64 if not already installed
+| yum install dhcp-common
+| yum install dhcp
+| yum install radvd
+
+| # /etc/sysctl.conf Set sysctl to enable IPv6 forwarding
+| net.ipv6.conf.all.forwarding=1
+| net.ipv6.conf.enp0s3.accept_ra=2
+| net.ipv6.conf.enp0s3.accept_ra_defrtr=1
+| net.ipv6.conf.enp0s3.router_solicitations=1
+
+| # /etc/dhcp/dhcpd6.conf
+| # DHCP for IPv6 Server Configuration file.
+
+| # Enable RFC 5007 support (same than for DHCPv4)
+ allow leasequery;
+
+| # IPv6 address valid lifetime
+| # (at the end the address is no longer usable by the client)
+| # (set to 30 days, the usual IPv6 default)
+| default-lease-time 2592000;
+
+| # IPv6 address preferred lifetime
+| # (at the end the address is deprecated, i.e., the client should use
+| # other addresses for new connections)
+| # (set to 7 days, the usual IPv6 default)
+| preferred-lifetime 604800;
+
+| # T1, the delay before Renew
+| # (default is 1/2 preferred lifetime)
+| # (set to 1 hour)
+| option dhcp-renewal-time 3600;
+
+| # T2, the delay before Rebind (if Renews failed)
+| # (default is 3/4 preferred lifetime)
+| # (set to 2 hours)
+| option dhcp-rebinding-time 7200;
+
+| # The path of the lease file
+| dhcpv6-lease-file-name "/var/lib/dhcpd/dhcpd6.leases";
+
+| # Set preference to 255 (maximum) in order to avoid waiting for
+| # additional servers when there is only one
+| option dhcp6.preference 255;
+
+| # Server side command to enable rapid-commit (2 packet exchange)
+| option dhcp6.rapid-commit;
+
+| # The delay before information-request refresh
+| # (minimum is 10 minutes, maximum one day, default is to not refresh)
+| # (set to 6 hours)
+ option dhcp6.info-refresh-time 21600;
+
+| # Set this to `interim` when doing ddns updates
+| ddns-update-style interim;
+|
+| subnet6 2001:db8:0:2::/64 {
+| option dhcp6.name-servers 2001:db8:0:2::1;
+| option dhcp6.domain-search "opnfv.local";
+| ddns-hostname = concat(binary-to-ascii(10, 8, "-", leased-address), ".wired");
+| ddns-domainname = "opnfv.local";
+| # Our address range 1000 through 1fff
+| range6 2001:db8:0:2::1000 2001:db8:0:2::1fff;
+| }
+|
+| # In /etc/sysconfig/network add
+| IPV6FORWARDING=yes
+
+For reference, refer to `How to set up RADVd DHCPv6 and DNS on CentOS 6`_.
+
+.. _`How to set up RADVd DHCPv6 and DNS on CentOS 6`: http://www.percula.info/archives/196
+
-- cgit 1.2.3-korg
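Review bot: The sysctl block pairs `net.ipv6.conf.all.forwarding=1` with `net.ipv6.conf.enp0s3.accept_ra=2` and `accept_ra_defrtr=1`, which presumably is what keeps the forwarding vRouter honouring RAs from router1, but it also means any host on the enp0s3 segment can push a default route or prefix onto the vRouter; a comment making that trust explicit would help, e.g. `# accept_ra=2 is needed alongside forwarding=1; note the vRouter will then accept RAs from any host on enp0s3`. In the SLAAC variant the radvd.conf sets `AdvManagedFlag on;` and `AdvOtherConfigFlag on;`, which direct clients to DHCPv6, yet that variant configures no DHCPv6 server, so those two flags look as if they belong only to the stateful section and should probably be `off` in the SLAAC one. The `allow leasequery;` line in dhcpd6.conf enables RFC 5007 lease queries, which lets any host on the internal segment query lease state; if the PoC does not rely on it, it is safer to leave it out.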