Chapter 8. Basic network isolation
This chapter shows you how to configure the overcloud with the standard network isolation configuration. This includes the following configurations:
- The environment file to enable network isolation (/usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml).
- The environment file to configure network defaults (/usr/share/openstack-tripleo-heat-templates/environments/network-environment.yaml).
- A network_data file to define network settings such as IP ranges, subnets, and virtual IPs. This example shows you how to create a copy of the default and edit it to suit your own network.
- Templates to define your NIC layout for each node. The overcloud core template collection contains a set of defaults for different use cases.
- An environment file to enable NICs. This example uses a default file located in the environments directory.
- Any additional environment files to customize your networking parameters.
The following content in this chapter shows how to define each of these aspects.
8.1. Network isolation
The overcloud assigns services to the provisioning network by default. However, the director can divide overcloud network traffic into isolated networks. To use isolated networks, the overcloud contains an environment file that enables this feature. The environments/network-isolation.j2.yaml file in the director's core Heat templates is a Jinja2 file that defines all ports and VIPs for each network in your composable network file. When rendered, it results in a network-isolation.yaml file in the same location with the full resource registry. For example:
```yaml
resource_registry:
  # networks as defined in network_data.yaml
  OS::TripleO::Network::Storage: ../network/storage.yaml
  OS::TripleO::Network::StorageMgmt: ../network/storage_mgmt.yaml
  OS::TripleO::Network::InternalApi: ../network/internal_api.yaml
  OS::TripleO::Network::Tenant: ../network/tenant.yaml
  OS::TripleO::Network::External: ../network/external.yaml

  # Port assignments for the VIPs
  OS::TripleO::Network::Ports::StorageVipPort: ../network/ports/storage.yaml
  OS::TripleO::Network::Ports::StorageMgmtVipPort: ../network/ports/storage_mgmt.yaml
  OS::TripleO::Network::Ports::InternalApiVipPort: ../network/ports/internal_api.yaml
  OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external.yaml
  OS::TripleO::Network::Ports::RedisVipPort: ../network/ports/vip.yaml

  # Port assignments by role, edit role definition to assign networks to roles.
  # Port assignments for the Controller
  OS::TripleO::Controller::Ports::StoragePort: ../network/ports/storage.yaml
  OS::TripleO::Controller::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml
  OS::TripleO::Controller::Ports::InternalApiPort: ../network/ports/internal_api.yaml
  OS::TripleO::Controller::Ports::TenantPort: ../network/ports/tenant.yaml
  OS::TripleO::Controller::Ports::ExternalPort: ../network/ports/external.yaml

  # Port assignments for the Compute
  OS::TripleO::Compute::Ports::StoragePort: ../network/ports/storage.yaml
  OS::TripleO::Compute::Ports::InternalApiPort: ../network/ports/internal_api.yaml
  OS::TripleO::Compute::Ports::TenantPort: ../network/ports/tenant.yaml

  # Port assignments for the CephStorage
  OS::TripleO::CephStorage::Ports::StoragePort: ../network/ports/storage.yaml
  OS::TripleO::CephStorage::Ports::StorageMgmtPort: ../network/ports/storage_mgmt.yaml
```
The first section of this file has the resource registry declaration for the OS::TripleO::Network::* resources. By default, these resources use the OS::Heat::None resource type, which does not create any networks. By redirecting these resources to the YAML files for each network, you enable the creation of these networks.
The next several sections create the IP addresses for the nodes in each role. The controller nodes have IPs on each network. The compute and storage nodes each have IPs on a subset of the networks.
Other functions of overcloud networking, such as Chapter 9, Custom composable networks and Chapter 10, Custom network interface templates, rely on this network isolation environment file. As a result, you need to include the name of the rendered file with your deployment commands. For example:
```shell
$ openstack overcloud deploy --templates \
    ...
    -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
    ...
```
8.2. Modifying isolated network configuration
The network_data file provides a method to configure the default isolated networks. This procedure shows how to create a custom network_data file and configure it according to your network requirements.
Procedure
1. Copy the default network_data file:
```shell
$ cp /usr/share/openstack-tripleo-heat-templates/network_data.yaml /home/stack/.
```
2. Edit the local copy of the network_data.yaml file and modify the parameters to suit your networking requirements. For example, the Internal API network contains the following default network details:
```yaml
- name: InternalApi
  name_lower: internal_api
  vip: true
  vlan: 201
  ip_subnet: '172.16.2.0/24'
  allocation_pools: [{'start': '172.16.2.4', 'end': '172.16.2.250'}]
```
Edit the following for each network:
- vlan defines the VLAN ID to use for this network.
- ip_subnet and ip_allocation_pools set the default subnet and IP range for the network.
- gateway sets the gateway for the network. It is used mostly to define the default route for the External network, but can be used for other networks if necessary.
3. Include the custom network_data file with your deployment using the -n option. Without the -n option, the deployment command uses the default network details.
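As an added pre-deployment check, not part of the original documentation, the following Python validates a network_data-style list of networks for the edits above that most often break isolation: duplicate VLAN IDs, allocation pools that fall outside their ip_subnet, and subnets that overlap each other. The NETWORKS list is constructed here to mirror the InternalApi entry shown above; validate_network_data and the Storage and Tenant entries are assumptions, and with PyYAML installed you would load the real file with yaml.safe_load instead.

```python
import ipaddress

# Constructed sample mirroring network_data.yaml entries (not the shipped file).
# With PyYAML installed you would build this list with yaml.safe_load(open(path)).
NETWORKS = [
    {"name": "InternalApi", "name_lower": "internal_api", "vip": True, "vlan": 201,
     "ip_subnet": "172.16.2.0/24",
     "allocation_pools": [{"start": "172.16.2.4", "end": "172.16.2.250"}]},
    {"name": "Storage", "name_lower": "storage", "vip": True, "vlan": 30,
     "ip_subnet": "172.16.1.0/24",
     "allocation_pools": [{"start": "172.16.1.4", "end": "172.16.1.250"}]},
    # Deliberately broken entry: VLAN clashes with InternalApi, and the pool
    # runs past the end of its own subnet into the Storage range.
    {"name": "Tenant", "name_lower": "tenant", "vip": False, "vlan": 201,
     "ip_subnet": "172.16.0.0/24",
     "allocation_pools": [{"start": "172.16.0.4", "end": "172.16.1.10"}]},
]


def validate_network_data(networks):
    """Return a list of problems found in a network_data-style list of networks."""
    problems = []
    seen_vlans = {}   # vlan id -> name of the network that first used it
    subnets = []      # (network name, ip_network) for overlap detection
    for net in networks:
        name = net.get("name", "<unnamed>")
        vlan = net.get("vlan")
        if vlan is not None:
            if not 1 <= int(vlan) <= 4094:
                problems.append(f"{name}: vlan {vlan} out of range 1-4094")
            elif vlan in seen_vlans:
                problems.append(f"{name}: vlan {vlan} already used by {seen_vlans[vlan]}")
            else:
                seen_vlans[vlan] = name
        try:
            subnet = ipaddress.ip_network(net["ip_subnet"], strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: bad ip_subnet ({exc})")
            continue
        for other_name, other in subnets:
            if subnet.overlaps(other):
                problems.append(f"{name}: subnet {subnet} overlaps {other_name} ({other})")
        subnets.append((name, subnet))
        for pool in net.get("allocation_pools", []):
            start = ipaddress.ip_address(pool["start"])
            end = ipaddress.ip_address(pool["end"])
            if start > end or start not in subnet or end not in subnet:
                problems.append(f"{name}: pool {start}-{end} not inside {subnet}")
    return problems
```

Run it against your edited copy before passing the file with -n; an empty list means the three checks passed.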
8.3. Network Interface Templates
The overcloud network configuration requires a set of network interface templates. These templates are standard Heat templates in YAML format. Each role requires a NIC template so that the director can configure each node within that role correctly.
All NIC templates contain the same sections as standard Heat templates:
- heat_template_version - The syntax version to use.
- description - A string description of the template.
- parameters - Network parameters to include in the template.
- resources - Takes parameters defined in parameters and applies them to a network configuration script.
- outputs - Renders the final script used for configuration.
The default NIC templates in /usr/share/openstack-tripleo-heat-templates/network/config take advantage of Jinja2 syntax to help render the template. For example, the following snippet from the single-nic-vlans configuration renders a set of VLANs for each network:
```jinja
{%- for network in networks if network.enabled|default(true) and network.name in role.networks %}
- type: vlan
  vlan_id:
    get_param: {{network.name}}NetworkVlanID
  addresses:
  - ip_netmask:
      get_param: {{network.name}}IpSubnet
{%- if network.name in role.default_route_networks %}
```
For default Compute nodes, this only renders network information for the Storage, Internal API, and Tenant networks:
```yaml
- type: vlan
  vlan_id:
    get_param: StorageNetworkVlanID
  device: bridge_name
  addresses:
  - ip_netmask:
      get_param: StorageIpSubnet
- type: vlan
  vlan_id:
    get_param: InternalApiNetworkVlanID
  device: bridge_name
  addresses:
  - ip_netmask:
      get_param: InternalApiIpSubnet
- type: vlan
  vlan_id:
    get_param: TenantNetworkVlanID
  device: bridge_name
  addresses:
  - ip_netmask:
      get_param: TenantIpSubnet
```
Chapter 10, Custom network interface templates explores how to render the default Jinja2-based templates to standard YAML versions, which you can use as a basis for customization.
8.4. Default network interface templates
The director contains templates in /usr/share/openstack-tripleo-heat-templates/network/config/ to suit most common network scenarios. The following table outlines each NIC template set and the respective environment file to use to enable the templates.
Each environment file for enabling NIC templates uses the suffix .j2.yaml. This is the unrendered Jinja2 version. Ensure that you include the rendered file name, which only uses the .yaml suffix, in your deployment.
NIC directory | Description | Environment file
---|---|---
 | Single NIC ( | 
 | Single NIC ( | 
 | Control plane attached to | 
 | Control plane attached to | 
Environment files exist for using no external network, for example, net-bond-with-vlans-no-external.yaml, and using IPv6, for example, net-bond-with-vlans-v6.yaml. These are provided for backwards compatibility and do not function with composable networks.
Each default NIC template set contains a role.role.j2.yaml template. This file uses Jinja2 to render additional files for each composable role. For example, if your overcloud uses Compute, Controller, and Ceph Storage roles, the deployment renders new templates based on role.role.j2.yaml, such as the following templates:
- compute.yaml
- controller.yaml
- ceph-storage.yaml
8.5. Enabling basic network isolation
This procedure shows you how to enable basic network isolation using one of the default NIC templates. In this case, it is the single NIC with VLANs template (single-nic-vlans).
Procedure
When running the openstack overcloud deploy command, ensure that you include the rendered environment file names for the following files:
- The custom network_data file.
- The rendered file name of the default network isolation file.
- The rendered file name of the default network environment file.
- The rendered file name of the default network interface configuration file.
- Any additional environment files relevant to your configuration.
For example:
```shell
$ openstack overcloud deploy --templates \
    ...
    -n /home/stack/network_data.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/network-environment.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/net-single-nic-with-vlans.yaml \
    ...
```
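As an added example, not part of the original documentation or of the TripleO client, the following Python checks a deploy command line for the two mistakes this chapter warns about: passing the unrendered .j2.yaml name of an environment file instead of the rendered .yaml, and enabling network isolation without a -n network_data file. DEPLOY_CMD is a constructed command line mirroring the one above with one deliberate .j2.yaml slip; check_deploy_command is an assumption of this example.

```python
import shlex

# Constructed deploy command line mirroring the one above, except that the NIC
# environment file is passed by its unrendered .j2.yaml name by mistake.
DEPLOY_CMD = (
    "openstack overcloud deploy --templates "
    "-n /home/stack/network_data.yaml "
    "-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml "
    "-e /usr/share/openstack-tripleo-heat-templates/environments/network-environment.yaml "
    "-e /usr/share/openstack-tripleo-heat-templates/environments/net-single-nic-with-vlans.j2.yaml"
)


def check_deploy_command(cmd):
    """Return problems found in the -n and -e arguments of a deploy command line."""
    args = shlex.split(cmd)
    env_files = []
    network_data = None
    i = 0
    while i < len(args):
        if args[i] == "-e" and i + 1 < len(args):
            env_files.append(args[i + 1])
            i += 2
        elif args[i] == "-n" and i + 1 < len(args):
            network_data = args[i + 1]
            i += 2
        else:
            i += 1
    problems = []
    for path in env_files:
        # The .j2.yaml file is the unrendered Jinja2 version; deploy needs the
        # rendered file, which carries only the .yaml suffix.
        if path.endswith(".j2.yaml"):
            problems.append(f"{path}: unrendered Jinja2 template, pass the rendered .yaml file")
    isolation_on = any(p.endswith("/network-isolation.yaml") for p in env_files)
    if isolation_on and network_data is None:
        # Not an error for the deploy command, but the defaults are used silently.
        problems.append("network-isolation.yaml given without -n: default network_data will be used")
    return problems
```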