Configuring Network Isolation in Virtualized Environments

Introduction

This document describes how to configure a virtualized development environment for use with network isolation. To make things as easy as possible we will use the single-nic-with-vlans network isolation templates to create isolated VLANs on top of the single NIC already used for the provisioning/ctlplane.

The single_nic_vlans.j2 template works well for many virtualized environments because it does not require adding any extra NICs. Additionally, Open vSwitch automatically trunks VLANs for us, so there is no extra switch configuration required.

Create an External VLAN on Your Undercloud

By default all instack undercloud machines have a br-ctlplane which is used as the provisioning network. We want to add an interface on the 10.0.0.0/24 network which is used as the default “external” (public) network for the overcloud. The default VLAN for the external network is vlan10 so we create an interface file to do this. Create the following file /etc/sysconfig/network-scripts/ifcfg-vlan10:

DEVICE=vlan10
ONBOOT=yes
HOTPLUG=no
TYPE=OVSIntPort
OVS_BRIDGE=br-ctlplane
OVS_OPTIONS="tag=10"
BOOTPROTO=static
IPADDR=10.0.0.1
PREFIX=24
NM_CONTROLLED=no

And then run ifup vlan10 on your undercloud.
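
Before running ifup, the file can be linted for the settings that keep the external address confined to VLAN 10 on the shared br-ctlplane bridge. This is an added example, not part of the original document or of TripleO; the helper names check_ifcfg_vlan and ifcfg_get are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: lint an ifcfg file for an OVS internal VLAN port.
# check_ifcfg_vlan and ifcfg_get are hypothetical helpers, not TripleO tools.

# Read KEY's value from an ifcfg file without sourcing (executing) it.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Usage: check_ifcfg_vlan FILE VLAN_ID BRIDGE
# Prints each problem to stderr; returns 0 only if there are none.
check_ifcfg_vlan() {
    file=$1 vlan=$2 bridge=$3 rc=0
    fail() { echo "$file: $*" >&2; rc=1; }

    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }
    [ "$(ifcfg_get "$file" DEVICE)" = "vlan$vlan" ] \
        || fail "DEVICE is not vlan$vlan"
    [ "$(ifcfg_get "$file" TYPE)" = "OVSIntPort" ] \
        || fail "TYPE is not OVSIntPort"
    [ "$(ifcfg_get "$file" OVS_BRIDGE)" = "$bridge" ] \
        || fail "OVS_BRIDGE is not $bridge"
    # The tag is what confines the port to one VLAN on the shared bridge.
    case " $(ifcfg_get "$file" OVS_OPTIONS) " in
        *" tag=$vlan "*) ;;
        *) fail "OVS_OPTIONS lacks tag=$vlan" ;;
    esac
    [ "$(ifcfg_get "$file" BOOTPROTO)" = "static" ] \
        || fail "BOOTPROTO is not static"
    [ -n "$(ifcfg_get "$file" IPADDR)" ] || fail "IPADDR is empty"
    return $rc
}

# Constructed sample: the file from this page with the OVS_OPTIONS line dropped.
sample=$(mktemp)
printf '%s\n' DEVICE=vlan10 TYPE=OVSIntPort OVS_BRIDGE=br-ctlplane \
    BOOTPROTO=static IPADDR=10.0.0.1 > "$sample"
check_ifcfg_vlan "$sample" 10 br-ctlplane || echo "lint failed as expected"
rm -f "$sample"
```

On the undercloud the call would be check_ifcfg_vlan /etc/sysconfig/network-scripts/ifcfg-vlan10 10 br-ctlplane.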

Create a Custom Environment File

When using network isolation, most of the network/config templates configure static IPs for the ctlplane. To ensure connectivity with Heat and EC2 metadata, we need to specify a couple of extra Heat parameters. Create a file called /home/stack/custom.yaml with the following contents:

parameter_defaults:
  EC2MetadataIp: 192.168.24.1
  ControlPlaneDefaultRoute: 192.168.24.1

Note that the IP address specified for both parameters, 192.168.24.1, is the same as the undercloud IP address.

Modify Your Overcloud Deploy to Enable Network Isolation

At this point we are ready to create the overcloud using the network isolation defaults. The example command below demonstrates how to enable network isolation by using Heat templates for network isolation, a custom set of network config templates (single NIC VLANs), and our custom.yaml config file from above:

TEMPLATES=/path/to/openstack-tripleo-heat-templates
openstack overcloud deploy \
--templates=$TEMPLATES \
-e $TEMPLATES/environments/network-isolation.yaml \
-e $TEMPLATES/environments/net-single-nic-with-vlans.yaml \
-e /home/stack/custom.yaml

After creating the stack you should now have a working virtualized development environment with network isolation enabled.