Configuring Network Isolation in Virtualized Environments ========================================================= Introduction ------------ This document describes how to configure a virtualized development environment for use with network isolation. To make things as easy as possible we will use the ``single-nic-with-vlans`` network isolation templates to create isolated VLANs on top of the single NIC already used for the provisioning/``ctlplane``. The ``single-nic-vlans`` templates work well for many virtualized environments because they do not require adding any extra NICs. Additionally, Open vSwitch automatically trunks VLANs for us, so there is no extra switch configuration required. Create an External VLAN on Your Undercloud ------------------------------------------ By default all instack undercloud machines have a ``br-ctlplane`` which is used as the provisioning network. We want to add an interface on the 10.0.0.0/24 network which is used as the default "external" (public) network for the overcloud. The default VLAN for the external network is ``vlan10`` so we create an interface file to do this. Create the following file ``/etc/sysconfig/network-scripts/ifcfg-vlan10``:: DEVICE=vlan10 ONBOOT=yes HOTPLUG=no TYPE=OVSIntPort OVS_BRIDGE=br-ctlplane OVS_OPTIONS="tag=10" BOOTPROTO=static IPADDR=10.0.0.1 PREFIX=24 NM_CONTROLLED=no And then run ``ifup vlan10`` on your undercloud. Create a Custom Environment File -------------------------------- When using network isolation most of the network/config templates configure static IPs for the ``ctlplane``. To ensure connectivity with Heat and Ec2 metadata, we need to specify a couple of extra Heat parameters. Create a file called ``/home/stack/custom.yaml`` with the following contents:: parameter_defaults: EC2MetadataIp: 192.168.24.1 ControlPlaneDefaultRoute: 192.168.24.1 Note that the specified IP addresses ``192.168.24.1`` are the same as the undercloud IP address. Modify Your Overcloud Deploy to Enable Network Isolation -------------------------------------------------------- At this point we are ready to create the overcloud using the network isolation defaults. The example command below demonstrates how to enable network isolation by using Heat templates for network isolation, a custom set of network config templates (single NIC VLANs), and our ``custom.yaml`` config file from above:: TEMPLATES=/path/to/openstack-tripleo-heat-templates openstack overcloud deploy \ --templates=$TEMPLATES \ -e $TEMPLATES/environments/network-isolation.yaml \ -e $TEMPLATES/environments/net-single-nic-with-vlans.yaml \ -e /home/stack/custom.yaml After creating the stack you should now have a working virtualized development environment with network isolation enabled.