Diffstat (limited to '2 areas/Werk/Openstack/Add new provider networks.md')
-rw-r--r--2 areas/Werk/Openstack/Add new provider networks.md86
1 files changed, 86 insertions, 0 deletions
diff --git a/2 areas/Werk/Openstack/Add new provider networks.md b/2 areas/Werk/Openstack/Add new provider networks.md
new file mode 100644
index 0000000..6a92363
--- /dev/null
+++ b/2 areas/Werk/Openstack/Add new provider networks.md
@@ -0,0 +1,86 @@
+#openstack #network
+# Schematic on switch network
+ ![[Switch-network]]
+# Procedure
+Kevin configures the switches so that the public network is routed to the correct private network and sets up a VLAN.
+
+By now we should have a VLAN tag and a private subnet that will be used, for example we will use VLAN tag 150 as well as subnet 10.8.4.0/2.
+# Make sure VLAN interface exists on network node
+> For new network nodes this is done with Ansible, however for fear of disrupting live traffic we prefer to add additional ones on existing nodes by hand.
+
+Check whether an interface exists on the bond for the given vlan (e.g `bond0.150` given VLAN tag 150).
+
+If not add an entry in `/etc/network/interfaces` so it survives reboots:
+```
+auto bond0.150
+iface bond0.150 inet manual
+ vlan-raw-device bond0
+```
+And then of course we add this interface with `sudo ifup bond0.150` with 150 being the VLAN tag we've been given.
+# Create switch network on openstack
+Define the switch network and OVN mapping in hieradata. Make sure to run Puppet on relevant controllers and network nodes.
+```YAML
+group/os-onecom-os1.yaml
+profile::openstack::neutron::controller::networks:
+ switch-network-vps4-cph8:
+ provider_network_type: flat
+ provider_physical_network: switch-network-vps4-cph8
+ router_external: true
+ shared: false
+ project_id: bb8fd38613c6464e8c00cbc332e2c67d
+
+domain/network.env.vps4-cph8.one.com.yaml
+profile::openstack::neutron::ovn::controller::bridge_interface_mappings:
+ - 'ext-br150:bond0.150'
+profile::openstack::neutron::ovn::controller::ovn_bridge_mappings:
+ - 'switch-network-vps4-cph8:ext-br150'
+```
+
+>When adding an external or public network openstack will automatically create a RBAC policy that allows any project to access it. Make sure it is removed: `openstack network rbac list --target-project '*'` will contain an entry with **object type network**. Show it, make sure it's the switch network, and delete it.
+
+>The Puppet module used for creating networks assigns the largest possible MTU to a network. We require it to be set to 1500. After changing the MTU to 1500 disable and enable DHCP so that the DHCP server also takes the configuration in effect.
+# Create switch subnets on openstack
+Once that's taken care of we can add the switch subnets to neutron via hieradata, usually a group yaml (e.g `group/os-onecom-os1)
+```yaml
+profile::openstack::neutron::controller::subnets:
+ switch-subnet-vps4-cph8-ipv4:
+ cidr: 10.8.4.0/24
+ ip_version: 4
+ allocation_pools: [ 'start=10.8.4.4,end=10.8.4.254' ]
+ gateway_ip: 10.8.4.1
+ network_name: switch-network-vps4-cph8
+ project_id: bb8fd38613c6464e8c00cbc332e2c67d
+ switch-subnet-vps4-cph8-ipv6:
+ cidr: 2a02:2350:a:105::/64
+ ip_version: 6
+ allocation_pools: [ 'start=2a02:2350:a:105::4,end=2a02:2350:a:105::ffff' ]
+ gateway_ip: 2a02:2350:a:105::1
+ network_name: switch-network-vps4-cph8
+ project_id: bb8fd38613c6464e8c00cbc332e2c67d
+ ipv6_address_mode: dhcpv6-stateful
+ ipv6_ra_mode: dhcpv6-stateful
+```
+
+> We want to have AZ reflected in the switch network name as shown in our example above "switch-network-vps4-cph8". Older switch-networks do not yet follow this convention.
+
+> We reserve the first three and last one IP in the pool of a given /24. Hence the allocation pool starts at .4 and ends at .254. These IP's are reserved for routers & switches, for example the .1 is assigned to the gateway.
+
+> When running Puppet on the controller node to create the subnet it can happen that it complains that the subnet overlaps with another. It might be caused because another controller is running Puppet at the same time and it created the subnet before your run.
+
+# Create router on openstack
+`openstack router create --external-gateway switch-network-vps4-cph8 --fixed-ip subnet_id=switch-subnet-vps4-cph8-ipv4,ip-address=10.8.4.4 --fixed-ip=switch-subnet-vps4-cph8-ipv6,ip-address='2a02:2350:a:105::4' --disable-snat switch-network-vps4-cph8`
+# Ensure reverse DNS zone
+We should make sure the reverse DNS zone is added to the `service.g1-dns.one` zone to ensure PTR records can be added via SysAPI.
+```shell
+~
+❯ dig +short 25.95.185.in-addr.arpa DS
+4550 13 4 6BFEE8B7692B15EC8EE01C17CF3F7FDD68F2F4A7581B7606A0CDB44A BDFE7BB171763C66938DFB285D4BF8680EA81B74
+4550 13 2 ADC65456F034323B3F1F3F010E637A04AB78B59D0176BE2B17702626 22B3AA39
+
+~
+❯ dig +short 25.95.185.in-addr.arpa SOA
+auth.g1-dns.one. hostmaster.one.com. 2024011601 1800 900 1209600 300
+```
+Should be via `service.g1-dns.one` rather than `auth`. We can make a ticket in SYSDNS to have it corrected; [example](https://group-one.atlassian.net/browse/SYSDNS-510).
+
+> Do mention in that ticket that we handle RIPE to prevent them from asking :)
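Review bot: the example subnet in the Procedure section is written as `10.8.4.0/2`, which does not match the `cidr: 10.8.4.0/24` used in the subnet hieradata further down; `/2` looks like a typo for `/24` and should be corrected so nobody copies the wrong prefix into a live config. In the router section the two `--fixed-ip` arguments are written inconsistently: the first is `subnet_id=switch-subnet-vps4-cph8-ipv4,ip-address=10.8.4.4`, the second `--fixed-ip=switch-subnet-vps4-cph8-ipv6,...` with no key at all; the `openstack router create` client documents the form `subnet=<subnet>,ip-address=<ip-address>`, so both should use that spelling. In the "Create switch subnets" section the inline code span `(e.g `group/os-onecom-os1)` is missing its closing backtick and so the rest of the line renders as code. Since the RBAC note already states that the auto-created policy grants every project access to the new external network, it would help to make that a numbered step rather than a blockquote, and to say explicitly that the network should be treated as unfinished until `openstack network rbac list --target-project '*'` no longer shows the entry, so the deletion is not skipped when Puppet is re-run. Finally, the YAML fence under "Create switch network on openstack" mixes two different hieradata file paths into one block; splitting it into one fence per file (or putting the path on a line above each fence) avoids the file names being pasted into YAML.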