[rdo-users] [tripleo]network isolation

Dan Sneddon dsneddon at redhat.com
Tue Jan 2 21:24:00 UTC 2018


On 12/24/2017 10:55 PM, qinglong.dong at horebdata.cn wrote:
> Hi, all
>         I want to deploy an baremetal environment(pike)
> with network isolation. I have three controller nodes and one compute
> node. Each node has 3 nics. If I set external network as a vlan I
> succeed. But If I set external network on the bridge(using native
> vlan on the trunked interface) I fail. Anyone can help? Thanks!
>         Here are some config of controller nodes. Compute node does not
> have external network and storage management network.
> 
> 
>     *Controller NICs*
> 
> *Bonded Interface *	*Bond Slaves*	
> bond1	eth1, eth2	
> 
> *Networks*	
> 	*NIC*
> Provisioning	
> 	eth0
> External	
> 	bond1 / br-ex
> Internal	
> 	bond1 / vlan201
> Tenant	
> 	bond1 / vlan204
> Storage	
> 	bond1 / vlan202
> Storage Management	
> 	bond1 / vlan203
> 
> *network-environment.yaml*
> resource_registry:
>   OS::TripleO::Compute::Net::SoftwareConfig:
>     ../network/config/bond-with-vlans/compute.yaml
>   OS::TripleO::Controller::Net::SoftwareConfig:
>     ../network/config/bond-with-vlans/controller.yaml
> parameter_defaults:
>   ControlPlaneSubnetCidr: '24'
>   ControlPlaneDefaultRoute: 192.168.24.1
>   EC2MetadataIp: 192.168.24.1 
>   InternalApiNetCidr: 172.17.0.0/24
>   StorageNetCidr: 172.18.0.0/24
>   StorageMgmtNetCidr: 172.19.0.0/24
>   TenantNetCidr: 172.16.0.0/24
>   ExternalNetCidr: 192.168.1.0/24
>   InternalApiNetworkVlanID: 201
>   StorageNetworkVlanID: 202
>   StorageMgmtNetworkVlanID: 203
>   TenantNetworkVlanID: 204
>   InternalApiAllocationPools: [{'start': '172.17.0.10', 'end': '172.17.0.200'}]
>   StorageAllocationPools: [{'start': '172.18.0.10', 'end': '172.18.0.200'}]
>   StorageMgmtAllocationPools: [{'start': '172.19.0.10', 'end': '172.19.0.200'}]
>   TenantAllocationPools: [{'start': '172.16.0.10', 'end': '172.16.0.200'}]
>   ExternalAllocationPools: [{'start': '192.168.1.223', 'end': '192.168.1.235'}]
>   ExternalInterfaceDefaultRoute: 192.168.1.1
>   DnsServers: ["192.168.1.1"]
>   NeutronNetworkType: 'vlan'
>   NeutronTunnelTypes: ''
>   NeutronNetworkVLANRanges: 'datacentre:1:1000'
>   BondInterfaceOvsOptions: "bond_mode=active-backup"
>   NeutronMechanismDrivers: linuxbridge
> 
> *controller.yaml *
> [...]
> resources:
>   OsNetConfigImpl:
>     type: OS::Heat::SoftwareConfig
>     properties:
>       group: script
>       config:
>         str_replace:
>           template:
>             get_file: ../../scripts/run-os-net-config.sh
>           params:
>             $network_config:
>               network_config:
>               - type: interface
>                 name: nic1
>                 use_dhcp: false
>                 addresses:
>                 - ip_netmask:
>                     list_join:
>                     - /
>                     - - get_param: ControlPlaneIp
>                       - get_param: ControlPlaneSubnetCidr
>                 routes:
>                 - ip_netmask: 169.254.169.254/32
>                   next_hop:
>                     get_param: EC2MetadataIp
>               - type: linux_bridge
>                 name: bridge_name
>                 dns_servers:
>                   get_param: DnsServers
>                 use_dhcp: false
>                 addresses:
>                 - ip_netmask:
>                     get_param: ExternalIpSubnet
>                 routes:
>                 - default: true
>                   next_hop:
>                     get_param: ExternalInterfaceDefaultRoute
>                 members:
>                 - type: linux_bond
>                   name: bond1
>                   bonding_options: mode=1
>                   members:
>                   - type: interface
>                     name: nic2
>                     primary: true
>                   - type: interface
>                     name: nic3
>                 - type: vlan
>                   device: bond1
>                   vlan_id:
>                     get_param: InternalApiNetworkVlanID
>                   addresses:
>                   - ip_netmask:
>                       get_param: InternalApiIpSubnet
>                 - type: vlan
>                   device: bond1
>                   vlan_id:
>                     get_param: StorageNetworkVlanID
>                   addresses:
>                   - ip_netmask:
>                       get_param: StorageIpSubnet
>                 - type: vlan
>                   device: bond1
>                   vlan_id:
>                     get_param: StorageMgmtNetworkVlanID
>                   addresses:
>                   - ip_netmask:
>                       get_param: StorageMgmtIpSubnet
>                 - type: vlan
>                   device: bond1
>                   vlan_id:
>                     get_param: TenantNetworkVlanID
>                   addresses:
>                   - ip_netmask:
>                       get_param: TenantIpSubnet
> outputs:
>   OS::stack_id:
>     description: The OsNetConfigImpl resource.
>     value:
>       get_resource: OsNetConfigImpl
> 
> 
> _______________________________________________
> users mailing list
> users at lists.rdoproject.org
> http://lists.rdoproject.org/mailman/listinfo/users
> 
> To unsubscribe: users-unsubscribe at lists.rdoproject.org
> 

The NIC config looks correct for putting the External network on the
native VLAN. If I had to guess what the problem is, I would start at the
switch. The switch configuration will be different when hosting the
External network as a native VLAN rather than a trunked (tagged) VLAN.
Are you certain that the External network was being delivered only as a
native VLAN, and that the switch wasn't adding VLAN tags for the
External network?

What is the reason you would prefer to have the External network on the
native VLAN? The External network is used for hosting the public APIs,
so it should function the same on a tagged VLAN as it does on a native
VLAN. In any case, it should work either way, provided the switch is set
up correctly. You can always use a different VLAN/subnet for Neutron
external network(s) than you do for the public API, if you have separate
IP space. Of course, when you create the Neutron external network, you
would use type 'flat' for native VLAN, or type 'vlan' with the VLAN ID
specified as the 'segmentation_id' for tagged networks.

I also wonder why you are using a Linux bridge? I know the OVS driver
gets a lot more testing, and should have roughly equivalent performance
these days. I know that the Linux bridge worked fine with the External
network on native VLAN back in Icehouse/Juno timeframe, but I've
personally only been testing OVS bridges in recent releases.

-- 
Dan Sneddon         |  Senior Principal Software Engineer
dsneddon at redhat.com |  redhat.com/openstack
dsneddon:irc        |  @dxs:twitter


More information about the users mailing list