
@gnuoy
Created July 31, 2023 14:10

Single node networking

This reference explains how network access to guests is achieved when microstack is deployed with local access to the guests (the normal arrangement for a single-node deployment).

If the defaults are chosen, sunbeam will have set up an external subnet within OpenStack that is used to allocate floating IPs.

$ openstack subnet show -c allocation_pools -c cidr external-subnet
+------------------+-------------------------+
| Field            | Value                   |
+------------------+-------------------------+
| allocation_pools | 10.20.20.2-10.20.20.254 |
| cidr             | 10.20.20.0/24           |
+------------------+-------------------------+

The sunbeam installation adds a route to the machine that will route traffic for this range to the bridge br-ex.

$ sudo ip route
...
10.20.20.0/24 dev br-ex proto kernel scope link src 10.20.20.1 
...

In turn, br-ex is configured with the first IP from the floating IP CIDR (in this case 10.20.20.1); this IP is not included in the allocation range of external-subnet.

$ sudo ip addr show br-ex
48: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 12:73:07:2f:9c:47 brd ff:ff:ff:ff:ff:ff
    inet 10.20.20.1/24 scope global br-ex
       valid_lft forever preferred_lft forever
    inet6 fe80::1073:7ff:fe2f:9c47/64 scope link 
       valid_lft forever preferred_lft forever

br-ex is then wired in the normal way: external access goes through br-ex, the tap devices for the guests are attached to br-int, and the two bridges are joined by a pair of patch ports:

$ sudo openstack-hypervisor.ovs-vsctl show 
fbea0320-e3dd-49ca-8406-a15da3bb7347
    Bridge br-ex
        datapath_type: system
        Port patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int
            Interface patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int
                type: patch
                options: {peer=patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee}
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port tap44e1126e-d4
            Interface tap44e1126e-d4
        Port tap0c44773d-70
            Interface tap0c44773d-70
        Port patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee
            Interface patch-br-int-to-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee
                type: patch
                options: {peer=patch-provnet-11a65cde-a791-4644-899d-fb9b28ab84ee-to-br-int}
    ovs_version: "3.1.0"

There is also an iptables MASQUERADE rule for the floating IP network to allow egress traffic from the guests.

$ sudo iptables-legacy -t nat -L POSTROUTING -n -v | grep -Ev 'cali|kubernetes'
Chain POSTROUTING (policy ACCEPT 53445 packets, 3302K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   26  1896 MASQUERADE  all  --  *      *       10.20.20.0/24        0.0.0.0/0            /* openstack-hypervisor external network rule */
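The pieces above only work together if they agree with each other: the route must point at br-ex, br-ex must hold the first address of the CIDR, that address must sit outside the allocation pool, and the MASQUERADE source must be the same CIDR. The following script is an added example (not part of the gist) that parses the four outputs shown above, embedded here as constructed sample strings copied from the page, and checks each of those invariants; on a live host, feed it the output of the same commands instead.

```python
"""Consistency checks for the single-node sunbeam floating-IP wiring."""
import ipaddress
import re

# Constructed sample input, copied verbatim from the command outputs above.
SUBNET_SHOW = """\
| Field            | Value                   |
| allocation_pools | 10.20.20.2-10.20.20.254 |
| cidr             | 10.20.20.0/24           |
"""
IP_ROUTE = "10.20.20.0/24 dev br-ex proto kernel scope link src 10.20.20.1"
IP_ADDR = "    inet 10.20.20.1/24 scope global br-ex"
NAT_RULE = ("   26  1896 MASQUERADE  all  --  *      *       10.20.20.0/24"
            "        0.0.0.0/0            /* openstack-hypervisor external network rule */")


def parse_subnet(table):
    """Return (cidr, pool_start, pool_end) from an `openstack subnet show` table."""
    fields = dict(re.findall(r"^\| (\w+)\s+\| ([^|]+?)\s+\|$", table, re.M))
    start, end = fields["allocation_pools"].split("-")
    return (ipaddress.ip_network(fields["cidr"]),
            ipaddress.ip_address(start), ipaddress.ip_address(end))


def check_wiring(table, route, addr, nat, bridge="br-ex"):
    """Evaluate each invariant described in the text; return {name: bool}."""
    cidr, pool_start, pool_end = parse_subnet(table)
    m_route = re.match(r"(\S+) dev (\S+) .*src (\S+)", route)
    m_addr = re.search(r"inet (\S+)/(\d+) scope global (\S+)", addr)
    m_nat = re.search(r"MASQUERADE\s+all\s+--\s+\S+\s+\S+\s+(\S+)\s+(\S+)", nat)
    gw = ipaddress.ip_address(m_addr.group(1))
    return {
        # the floating-IP range is routed out of the OVS bridge
        "route_via_bridge": m_route.group(1) == str(cidr) and m_route.group(2) == bridge,
        # the bridge carries the first host address of the cidr, with the cidr's prefix
        "bridge_has_first_ip": (gw == cidr[1] and m_addr.group(3) == bridge
                                and int(m_addr.group(2)) == cidr.prefixlen),
        # that address is kept out of the floating-IP allocation pool
        "gateway_outside_pool": not (pool_start <= gw <= pool_end),
        # the route's preferred source is the bridge address
        "route_src_is_bridge": ipaddress.ip_address(m_route.group(3)) == gw,
        # guest egress is NATed for exactly the floating range, to anywhere
        "masquerade_for_cidr": m_nat.group(1) == str(cidr) and m_nat.group(2) == "0.0.0.0/0",
    }


if __name__ == "__main__":
    for name, ok in check_wiring(SUBNET_SHOW, IP_ROUTE, IP_ADDR, NAT_RULE).items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```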