Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 6. Multus architecture for OpenShift Data Foundation

This section describes processes and configurations that are supported when configuring OpenShift Data Foundation to use the OpenShift multi-network plugin (Multus). This architecture provides information about OpenShift Data Foundation requirements, processes, and features that are relevant to Multus.

For configurations that deviate from this reference architecture, open a support exception using the Jira ticket link: https://issues.redhat.com/projects/SUPPORTEX.

6.1. Assumptions
Copy link

This Multus reference architecture section assumes the following:

  • OpenShift Data Foundation is deployed in internal mode using dedicated storage nodes.

  • OpenShift control plane nodes do not run applications that require OpenShift Data Foundation storage.

    This is not required for supportability, but some node selectors and/or tolerations might need to be modified as needed for other cluster layouts.

  • VLANs are present. VLANs are optional and neither recommended nor discouraged. However, in many instances VLANs are required depending on the user environment.

6.2. Example scenario used
Copy link

This Multus reference architecture uses the following example:

  • Four dedicated OpenShift Data Foundation storage nodes
  • Two OpenShift worker nodes
  • Three Openshift control plane nodes

The following diagram shows the example cluster network architecture in a traditional OpenShift Data Foundation deployment without Multus:

Figure 6.1. Example cluster network architecture without Multus

Example cluster network architecture without Multus

Multus networking for an OpenShift Data Foundation deployment is chosen for one or more of the following reasons:

  • To reduce latency of the storage system by avoiding the OpenShift Pod (software) network
  • To dedicate bandwidth to the storage system to avoid the noisy neighbor problem between storage and applications
  • To segregate the storage network from applications for isolation

Multus is enabled for either or both of the following types of OpenShift Data Foundation storage networks:

  • Public network
  • Cluster network

However, it is recommended to configure only the Multus public network as a starting point.

6.3.1. Multus public network
Copy link

The following diagram shows the cluster network architecture for an OpenShift Data Foundation deployment using the Multus public network:

Figure 6.2. OpenShift Data Foundation deployment using Multus public network

OpenShift Data Foundation deployment using Multus public network

This architecture achieves all the three benefits of Multus networking:

  • Storage latency is reduced by avoiding the software-defined pod network
  • Storage system gets dedicated bandwidth that avoids the noisy-neighbor interference
  • Storage network is isolated from applications that prevent pods from snooping the storage network

However, if the public network has less throughput than the Pod network, storage traffic might not be faster than a traditional deployment.

Public network is the recommended architecture for the majority of OpenShift Data Foundation cluster deployments. In this architecture, all storage traffic uses the dedicated public network, which includes I/O traffic from applications, data replication traffic within the storage system, and data recovery traffic also within the storage system.

6.3.2. Multus public and cluster networks
Copy link

The following diagram shows the cluster network architecture for an OpenShift Data Foundation deployment using both Multus public network and Multus cluster network:

Figure 6.3. Cluster network architecture using both Multus public network and Multus cluster network

Cluster network architecture using both Multus public network and Multus cluster network

When both public and cluster networks are used simultaneously, all three benefits of Multus are achieved. In this case, each storage network performs a specific role in the OpenShift Data Foundation cluster. The public network handles only the I/O traffic from applications and the cluster network handles storage replication and recovery traffic.

The cluster network handles data replication traffic on a regular basis. Assuming OpenShift Data Foundation’s default 3x replication, the cluster network handles 2x the application I/O traffic for each data write to bring the total number of storage data copies up to 3x. During a storage node or zone failure event, the cluster network also handles recovering data in the cluster.

In this architecture, the size of the cluster network is recommended to be 2-3x larger than the public network. Larger sizing keeps the failover times short, but it also results in a large amount of bandwidth being wasted during normal cluster operations. Overall storage bandwidth during a storage failure event might be limited by either the public or cluster network depending on the size of either network.

This architecture is more complicated than the recommended public-only architecture and has many more factors that could affect user SLOs. Hence, as an alternative, OpenShift Data Foundation suggests bonding all storage network interfaces together to create a single, larger public network instead.

6.3.3. Multus cluster network
Copy link

The following diagram shows the cluster network architecture for an OpenShift Data Foundation deployment using Multus cluster network:

Figure 6.4. Cluster network architecture

Cluster network architecture

In the cluster network architecture, Multus benefits are partially achieved. The cluster network takes the replication and recovery roles. The OpenShift Pod network takes the role of handling storage I/O from applications. This ensures noisy-neighbor interference is minimized, but application I/O can still be affected by other application networking, and vice versa.

Application I/O to the storage system is expected to have higher latency than other Multus architectures due to the software-defined Pod network. Similarly, the storage network is not isolated from applications. For example, a privileged Pod could still snoop storage traffic.

6.4. Multus networking requirements
Copy link

This section covers the following requirements for using Multus networking on an OpenShift Data Foundation deployment.

  • General requirements
  • Routing requirements
  • Address space sizing requirements

6.4.1. General requirements
Copy link

The general requirements for Multus networking are as follows:

  • Interface used for the storage networks must have the same interface name on each OpenShift storage and worker node.
  • Interfaces must all be connected to the same underlying network.
  • When both public and cluster networks are used, they should not be connected to each other.
  • At least one additional network for storage is required.
  • Storage networks must be at least 10 Gbps. Bonded links are supported and suggested.

OpenShift Data Foundation with Multus creates many virtual MAC addresses on each storage network host interface. This requires network cards and switch hardware to support promiscuous mode. Some smart switches have security processes that inspect each packet, and these switches can bog down significantly due to the high number of MAC addresses for OpenShift Data Foundation. It is best to disable smart switch security features that require advanced processing.

Similarly, virtual or software switches might struggle to process the large number of MAC addresses. Some are not able to disable this functionality. Therefore, do not use virtual switches without a support exception.

6.4.2. Routing requirements
Copy link

For OpenShift Data Foundation Persistent Volume Claims (PVCs) to work properly, the Ceph-CSI driver pods deployed to each OpenShift node (workers and storage) must use host networking. Ceph-CSI drivers must also be able to reach OpenShift Data Foundation Ceph cluster through the Multus public network. This means that each OpenShift node must have a connection to the public network, and vice versa.

To make this as simple as possible without risk of IP overlap issues, select a different subnet (IP range) for node connections to the public network and Pod connections to the public network. Set up routing on the node public subnet and Pod public subnet such that they route to each other. The final result is that the node public subnet and Pod public subnet will act together as a single contiguous public network.

If the cluster network is used, do not route the Pod public network or node public network to the cluster network. The cluster network should be independent and isolated. The diagram below illustrates subnet routing requirements:

Figure 6.5. Subnet routing requirements

Subnet routing requirements

6.4.3. Address space sizing
Copy link

OpenShift Data Foundation with Multus requires an IP address for each OpenShift Data Foundation Ceph storage daemon. Networks must have enough IP addresses to account for the number of storage pods that gets attached to the network, and some additional space to account for failover events. Expanding networks in the future might require downtime, so allocating space for the largest foreseeable cluster size is recommended.

For Multus public network, the following ranges must be planned:

  • The Pod public network address space must include enough IPs for the total number of ODF pods running in the openshift-storage namespace
  • The node public network address space must include enough IPs for the total number of OpenShift nodes (worker + storage)

For Multus cluster network, the following range must be planned:

  • The Pod cluster network address space must include enough IPs for the total number of OSD pods running in the openshift-storage namespace

6.5. Recommendations for Multus networking
Copy link

This section describes the general and address range recommendations for Multus networking on OpenShift Data Foundation deployment.

Red Hat Ceph underpins OpenShift Data Foundation. Red Hat Ceph networking recommendations are useful for understanding more about OpenShift Data Foundation Multus networking and for finding specific recommendations. For more information, see link: Network considerations for Red Hat Ceph Storage that also applies to OpenShift Data Foundation networking.

6.5.2. Address ranges
Copy link

The following table recommends IP ranges for each Multus network or subnetwork:

Expand
Table 6.1. Recommended IP ranges
NetworkNetwork range CIDRApproximate maximumPublic or cluster network

Pod public network

192.168.240.0/21

Total of 1600 OpenShift Data Foundation pods

Public network

Pod cluster network

192.168.248.0/22

800 OSDs

Cluster network

Public node network

192.168.252.0/23

400 OpenShift worker+storage nodes

Public network

This should suffice for most organizations. The recommendation uses the last 6.25% (1/16th) of the reserved private address space (192.168.0.0/16). Approximate maximum ODF and OpenShift sizing is noted, which accounts for 25% overhead to gracefully handle failure events.

6.6. Planning host interface connections
Copy link

OpenShift nodes can be separated into following three types:

  • OpenShift control plane nodes
  • OpenShift worker nodes
  • OpenShift Data Foundation storage nodes.

Each type requires different connections to the storage cluster as follows:

  • All OpenShift nodes require access to the OpenShift machine network

  • Control plane nodes do not require any connection to storage networks

    • If OpenShift Data Foundation PVCs are needed on control plane nodes (not recommended), treat them as worker nodes
    • If control plane nodes are used as OpenShift Data Foundation storage nodes, treat them as storage nodes
  • Worker nodes run Ceph-CSI driver daemons to mount PVC storage to Pods and therefore require a connection to the OpenShift Data Foundation public network (if used)
  • Storage nodes require access to all used storage networks

6.6.1. Example interfaces and connections
Copy link

The following diagram shows example interfaces and connections that might be planned for each node type:

Figure 6.6. Example interfaces and connections

Example interfaces and connections

This example includes cluster network for completeness.

In this example, vlan220 (public) and vlan221 (cluster) are the interfaces to use for OpenShift Data Foundation configuration. If VLANs are unused in the deployed environment, bond1 and bond2 would be used instead. If no bonds or VLANs are used, host interfaces (for example, eth2, eth4) would be used instead. When using Whereabouts IPAM, IP addresses are not required on Multus parent interfaces such as NICs, bonds, or VLANs (for example, eth2eth4, bond1bond2, vlan220vlan221).

Important

The “ODF public network” in the diagram accounts for both the OpenShift Data Foundation Pod public network and OpenShift Data Foundation node public network. The OpenShift machine network is used as a backbone for the OpenShift Pod network and is included for reference only. Do not mistake this network for the ODF node public network. Do not plan or execute routing that involves the machine network.

6.7. Multus network configuration
Copy link

Multus networks are configured with NetworkAttachmentDefinition objects. These objects configure Pod network connections. OpenShift Network Attachment Definitions support many options, however, OpenShift Data Foundation supports only a few that are outlined as follows:

  • macvlan is the only supported CNI plugin
  • whereabouts is the only supported IP Address Management (IPAM) plugin

Diverging from these selections requires a support exception

Address range values must also match those selected for the cluster. The example cluster, example host interfaces, and recommended network ranges are used here. Modify them as needed in the deployed environment.

You can configure your Multus networks to use IPv4 or IPv6. Multus networks can only be configured to use either IPv4 or IPv6. Mixing modes is not supported.

6.7.1. Public NetworkAttachmentDefinition
Copy link

The recommended Pod public network configuration for the example is as follow. Omit this if the Multus public network is not used. Make sure to include the routes section that allows Pods on the public network to reach nodes through the public network. 

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: public-net
  namespace: openshift-storage
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "vlan220", # host public network interface
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.240.0/21", # pod public network range
        "routes": [
          {"dst": "192.168.252.0/23"} # node public network range
        ]
      }
    }

6.7.2. Cluster NetworkAttachmentDefinition
Copy link

The recommended Pod cluster network configuration for the example is as follows. Omit this if the Multus cluster network is not used (recommended for most users). This configuration should not have a routes section. 

apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: cluster-net
  namespace: openshift-storage
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "vlan221", # host cluster network interface
      "mode": "bridge",
      "ipam": {
        "type": "whereabouts",
        "range": "192.168.248.0/22" # pod cluster network range
      }
    }

OpenShift worker and storage nodes must be configured to route host traffic to the Pods on the public network through the host public network interface.

The recommended way to configure nodes is using OpenShift NodeNetworkConfigurationPolicy objects. This method can be supported for all OpenShift users regardless of deployment strategy. This method requires the NMState Operator to be installed and enabled. For more information, see link: Kubernetes NMState Operator.

Each node must obtain an IP address on the ODF public network in the node public network address range. Static IP address management is the only IPAM method that can be supported for any OpenShift cluster. Thus, static management is OpenShift Data Foundation supports only the static management method. This requires one NodeNetworkConfigurationPolicy object per host. The template that can be used to configure a host is shown below.

Important

This template below creates an interface called “shim” interface on each host. The shim interface uses the host public network interface (for example, vlan220) as a parent. The static IP is then given to the shim interface and not to the parent. Similarly, routing uses the shim. This is a critical detail. Macvlan disallows the virtual network of connected Pods on any given host from reaching the host directly or through switch hairpin. Without the shim interface, OpenShift Data Foundation will not function properly. Do not attempt to set up the OpenShift Data Foundation Multus public network without configuring the shim interface. 

apiVersion: nmstate.io/v1
kind: NodeNetworkConfigurationPolicy
metadata:
  name: ceph-public-net-shim-{{NODE_NAME}}
spec:
  nodeSelector:
    node-role.kubernetes.io/worker: ""
    kubernetes.io/hostname: {{NODE_NAME}}
  desiredState:
    interfaces:
      - name: odf-pub-shim
        description: Shim interface to connect to ODF public network
        type: mac-vlan
        state: up
        mac-vlan:
          base-iface: vlan220 # host public network interface
          mode: bridge
          promiscuous: true
        ipv4:
          enabled: true
          dhcp: false
          address:
            - ip: 192.168.252.1 # static IP in node public network range
              prefix-length: 23 # node public network range mask
    routes:
      config:
        - destination: 192.168.240.0/21 # pod public network range
          next-hop-interface: odf-pub-shim

First, follow comments in the template to update the base template for the environment being deployed. Then, for each node, copy the template, and fill in {{NODE_NAME}} and a unique static IP for each node.

After all the previous sections have been planned or executed, OpenShift Data Foundation preinstallation can begin. The following checklist of preinstallation items should be completed before proceeding further:

  1. Read the Multus architecture document in its entirety.
  2. Select which OpenShift Data Foundation Multus networks to use.
  3. Plan host interface connections.
  4. Deploy OpenShift.
  5. Select network address ranges to use.
  6. Write NetworkAttachmentDefinition manifests for Pods.
  7. Write NodeNetworkConfigurationPolicy manifests for nodes.
  8. Deploy the manifests to the OpenShift cluster
  9. Install OpenShift Data Foundation, but do not deploy a StorageCluster yet
  10. Run the Multus validation tool to check preinstallation deployments (covered in the next section)

6.9. Validating and debugging Multus configuration
Copy link

OpenShift Data Foundation has a tool to perform basic connectivity tests prior to OpenShift Data Foundation StorageCluster deployment. This Multus validation tool is intended to be a self-help tool that returns a list of details that might be incorrect based on the validation steps that pass or fail.

This tool performs basic connection and IP availability checking. It cannot detect every possible misconfiguration, and it cannot detect network performance issues. Ensure due diligence for each cluster deployment.

For more information, see link: Appendix A. Multus prerequisites validation tool.

When encountering an issue with the tool, check the tool output for suggestions. Use events associated with Pods that the tool runs (for example, using oc -n openshift-storage describe pods) to debug further. If issues persist despite debugging, collect OpenShift Data Foundation must-gather, and open an OpenShift Data Foundation help ticket that includes full tool output and the must-gather tarball. For more information, see link: Downloading log files and diagnostic information using must-gather.

For best results, use a configuration file with the Multus validation tool. The following configuration is recommended, which can be updated by following the comments as needed. 

publicNetwork: "public-net" # comment out if public network is unused
# clusterNetwork: "cluster-net" # uncomment if used


# for airgapped environments, mirror this image, then update this config to reference the mirror
nginxImage: "quay.io/nginx/nginx-unprivileged:stable-alpine"

namespace: "openshift-storage"
serviceAccountName: "rook-ceph-system"

nodeTypes:
  storage-nodes:
    osdsPerNode: 12 # set to the max number of OSDs per storage node
    otherDaemonsPerNode: 16
    placement:
      nodeSelector:
        cluster.ocs.openshift.io/openshift-storage: ""
      tolerations:
        - {"key":"node.ocs.openshift.io/storage","value":"true"}
  worker-nodes:
    osdsPerNode: 0
    otherDaemonsPerNode: 6
    placement:
      nodeSelector:
      tolerations:

If this recommendation proves to be inadequate or out of date, use the tool to generate a new configuration using ./rook multus validation config dedicated-storage-nodes.

After validating the connectivity using the Multus validation tool, OpenShift Data Foundation storage cluster can be deployed. Refer to OpenShift Data Foundation documentation and make sure to select the appropriate Multus networks during deployment.

6.10.1. Post-installation checks
Copy link

In addition to the OpenShift Data Foundation health checking, ensure that Multus is configured as expected by performing the following:

  • Using the ODF toolbox or odf-cli tool, run ceph osd dump to verify that OSDs have an IP in the cluster network.

    In the output, ensure that OSD daemons have an IP in the public network (if used). OSDs should additionally have an IP in the cluster network, if the Multus cluster network was used. If it was left empty, OSDs should only list public network IPs. If a filesystem has been deployed, ensure that MDS daemons have an IP in the public network (if used).

  • Create a test application Deployment in a new namespace that uses ODF PVCs.

    Ensure that the test application Pod can write to the mounted PVC volumes. Delete the Deployment’s Pod, then wait for it to reschedule to a new node. Ensure that the previous data can be read back, and ensure new data can be written.

  • Run some test load generators in the cluster to write to OpenShift Data Foundation PVCs. After the OpenShift Data Foundation cluster has filled to 20%, induce a hard failure of a node or failure zone. Leave the node or zone in failure state for an hour, and observe the OpenShift Data Foundation cluster status and OpenShift Data Foundation Pod statuses. Cluster health can be expected to show HEALTH_WARN, but it should not show HEALTH_ERR. One or two OpenShift Data Foundationd Pod failures may be okay, but several failures could indicate a problem.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top