Difference between revisions of "Networks"

From CAC Documentation wiki
(warning on using two networks for one instance.)
(Revise the content for clarity)
Line 3: Line 3:
  
  
Use the 'public' net if you want some form of public (but possibly restricted) access from the internet and don't care about having an extremely stable IP. Somewhat counter-intuitively, you want a 'private' network if you want to get a stable "floating" IP address (called an elastic IP address in Eucalyptus and AWS); this is also highly reccomended if you plan to have a registered domain name pointing to the instance. You can also use a private network if you want some or all of the instances on the private network to not be directly accessible from the internet.  The list of networks for the currently selected project can be viewed in [https://redcloud.cac.cornell.edu/dashboard/project/networks/ OpenStack Horizon].
+
OpenStack provides two kinds of networks, 'public' and 'private'.
 +
Public networks provide public (but possibly restricted) access from the internet
 +
but are not guaranteed to use the same IP addresses
 +
for instances have been shelved and then unshelved.
 +
Private networks, somewhat counter-intuitively, also provide public access from the internet
 +
but additionally maintain stable IP addresses for instances.
 +
Each project initially has one default public network, and private networks must be created.
  
While you can actually have an instance that is both part of the 'public' network and a 'private' network, this is unlikely to work, and will likely need to snapshot your instance to recover it as a new cloned instance.
+
Each instance on a private network can be assigned a "floating" IP address
 +
(called an elastic IP address in Eucalyptus and AWS).
 +
Having an assigned IP address makes it more convenient to access an instance
 +
and is highly recommended if you plan to have a registered domain name pointing to the instance. You can also use a private network to prevent some or all of the instances on the private network from being directly accessible from the internet.
 +
A list of the current project's networks can be viewed in [https://redcloud.cac.cornell.edu/dashboard/project/networks/ OpenStack Horizon].
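Review bot: The added line "for instances have been shelved and then unshelved" is missing "that" after "instances". The added claim that private networks "maintain stable IP addresses for instances" also drops a qualifier from the removed text, which tied the stable address to the "floating" IP rather than to the private network itself. Suggest "for instances that have been shelved and then unshelved", and wording the private-network sentence so that the stable address is the floating IP assigned on a private network, as the next added paragraph already says.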
  
=== Public Net ===
+
It is a best practice to create any necessary private networks
 +
before creating the instances that will use them.
 +
While an instance that was initially attached to a public network
 +
can later be attached to a private network, this can lead to problems.
 +
If you would like to move an instance from a public to a private network,
 +
you should clone the instance (take a snapshot of it and create a new instance from the snapshot) and attach the clone to the private network.
 +
 
 +
=== Using the Public Network ===
 
:* No action is needed to use this, other than selecting it.
 
:* No action is needed to use this, other than selecting it.
 
:* This should be acceptable for many uses, e.g. compute instances.
 
:* This should be acceptable for many uses, e.g. compute instances.
 
:* IP address will be stable through reboots, but not necessarily through hard shutdowns (e.g. shelving).
 
:* IP address will be stable through reboots, but not necessarily through hard shutdowns (e.g. shelving).
:* You can not assign a floating IP to an instance via its membership in a public network. Please do not allocate floating IP addresses on a public network.
+
:* You cannot assign a floating IP address to an instance via its membership in a public network. Please do not allocate floating IP addresses on a public network.
  
=== Private Network ===
+
=== Creating a Private Network ===
  
Setting up your own private network
+
Set up your own private network by doing the following:
* ssh into linuxlogin.cac.cornell.edu; this can be done using your CU netid and CAC password: <code>ssh netid@linuxlogin.cac.cornell.edu</code>.
+
:* ssh into linuxlogin.cac.cornell.edu.  This can be done using your CU netid and CAC password: <code>ssh netid@linuxlogin.cac.cornell.edu</code>.
* Set the required environment variables for accessing Red Cloud by sourcing the <code>/opt/openstack/login-redcloud.sh</code> file like this:
+
:* Set some environment variables that are required for accessing Red Cloud by sourcing the <code>/opt/openstack/login-redcloud.sh</code> file and responding to its prompts, like this:
 
   -bash-4.2$ '''source /opt/openstack/login-redcloud.sh'''  
 
   -bash-4.2$ '''source /opt/openstack/login-redcloud.sh'''  
 
   Please enter your CAC project: ''Enter CAC project name''
 
   Please enter your CAC project: ''Enter CAC project name''
 
   Please enter your user name for your CAC project <Your CAC project name>: ''Enter CAC user name''
 
   Please enter your user name for your CAC project <Your CAC project name>: ''Enter CAC user name''
 
   Please enter your password for project <Your CAC project name> as user <Your CAC user name>: ''Enter CAC password''
 
   Please enter your password for project <Your CAC project name> as user <Your CAC user name>: ''Enter CAC password''
* Run the network creation script with a single argument (network name), e.g.: <code> /opt/openstack/create-private-net.sh my-net-name</code>.
+
:* Run the network creation script with a single argument (network name), e.g.: <code> /opt/openstack/create-private-net.sh my-net-name</code>.
  
You can switch an instance from public to private by doing attach interface / detach interface from the instance dropdown menu.
+
Note that network names are not unique, but network IDs are.
 +
Networks and subnets can both be renamed through the Horizon web UI.
 +
A network can be renamed without renaming its subnet, which can be renamed separately.
  
Note that network names are not unique, but IDs are. You can rename a network without renaming the subnet (but you can rename it too, separately), all possible via the Horizon web UI. The subnets are private, and exposed externally by a Router. Networks and routers won't be deleted if there are any active connections on them. There is also a delete network script that should be used instead of the Horizon web UI for a cleaner deletion: <code>/opt/openstack/delete-private-net.sh</code>.
+
Networks and routers can't be deleted if there are any active connections on them.
 +
For the cleanest results, network deletions should be performed
 +
using the 'delete network' script rather than through the Horizon web UI:
 +
<code>/opt/openstack/delete-private-net.sh</code>.
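Review bot: The rewritten paragraphs here drop the removed sentence "The subnets are private, and exposed externally by a Router.", which was the only place the page said how a private network becomes reachable from outside. Suggest keeping it next to the added sentence on deleting networks and routers, which still mentions routers without saying what they are for. Dropping the attach interface / detach interface sentence is consistent with the new advice to clone the instance instead.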
  
=== Floating IP ===
+
=== Assigning a Floating IP Address ===
  
If you want to assign a floating IP to an existing instance, '''it is highly advised to create a new (cloned) instance''' by creating a snapshot of the existing instance. Otherwise, the instance will have two IPs on the same network which could result in a bad network configuration. The new instance will then select the private network at creation, instead of the public network.
+
The steps below can be used to create and assign a new floating IP address
 +
to an instance that is attached to a private network.
 +
As noted before, if you have an instance attached to a public network
 +
and want to assign an IP address to it, you will need to move the instance to a private network.
 +
To do this, create a new (cloned) instance by taking a snapshot of the existing instance
 +
and then launching a new instance (attached to the private network) from it.
 +
Just switching the network from a public one to a private one
 +
has been shown to produce undesirable results.
  
Steps for getting a floating (stable) IP:
+
Steps for creating and assigning a floating (stable) IP address:
:* See the prerequisite steps above for "Setting up your own private network"
+
:* See the prerequisite steps above for "Creating a private network"
 
:* In Horizon, under the Networks tab, select "Floating IPs", which should send you [https://redcloud.cac.cornell.edu/dashboard/project/floating_ips/ here].
 
:* In Horizon, under the Networks tab, select "Floating IPs", which should send you [https://redcloud.cac.cornell.edu/dashboard/project/floating_ips/ here].
 
:* Click "Allocate IP to Project"
 
:* Click "Allocate IP to Project"
 
:* The only pool will be "public"; click "allocate".
 
:* The only pool will be "public"; click "allocate".
 
:* From the list of floating IPs, click "Associate"; make sure you pick a "port" that is an instance's interface on a previously created private network, '''NOT a public network'''.
 
:* From the list of floating IPs, click "Associate"; make sure you pick a "port" that is an instance's interface on a previously created private network, '''NOT a public network'''.
:* Note that if you not longer need the floating IP, '''please release''' it back to the pool by selecting the "Release Floating IP" from the Actions dropdown menu.
+
:* Once you no longer need the floating IP, '''please release''' it back to the pool by selecting the "Release Floating IP" from the Actions dropdown menu.
 
:* When changing the associated floating IPs of an instance, security groups may be dropped, so you may need to edit the security groups after the fact from the instance dropdown menu.
 
:* When changing the associated floating IPs of an instance, security groups may be dropped, so you may need to edit the security groups after the fact from the instance dropdown menu.
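Review bot: In the added introduction to this section, "want to assign an IP address to it" should read "a floating IP address", since an instance on a public network already has an address. The added "has been shown to produce undesirable results" is also vaguer than the removed reason ("the instance will have two IPs on the same network which could result in a bad network configuration"); suggest keeping the concrete reason. The first step refers to "Creating a private network" while the renamed heading is "Creating a Private Network".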

Revision as of 17:56, 12 February 2019


OpenStack provides two kinds of networks, 'public' and 'private'. Public networks provide public (but possibly restricted) access from the internet but are not guaranteed to use the same IP addresses for instances that have been shelved and then unshelved. Private networks, somewhat counter-intuitively, also provide public access from the internet but additionally maintain stable IP addresses for instances. Each project initially has one default public network, and private networks must be created.

Each instance on a private network can be assigned a "floating" IP address (called an elastic IP address in Eucalyptus and AWS). Having an assigned IP address makes it more convenient to access an instance and is highly recommended if you plan to have a registered domain name pointing to the instance. You can also use a private network to prevent some or all of the instances on the private network from being directly accessible from the internet. A list of the current project's networks can be viewed in OpenStack Horizon (https://redcloud.cac.cornell.edu/dashboard/project/networks/).

It is a best practice to create any necessary private networks before creating the instances that will use them. While an instance that was initially attached to a public network can later be attached to a private network, this can lead to problems. If you would like to move an instance from a public to a private network, you should clone the instance (take a snapshot of it and create a new instance from the snapshot) and attach the clone to the private network.

Using the Public Network

  • No action is needed to use this, other than selecting it.
  • This should be acceptable for many uses, e.g. compute instances.
  • IP address will be stable through reboots, but not necessarily through hard shutdowns (e.g. shelving).
  • You cannot assign a floating IP address to an instance via its membership in a public network. Please do not allocate floating IP addresses on a public network.

Creating a Private Network

Set up your own private network by doing the following:

  • ssh into linuxlogin.cac.cornell.edu. This can be done using your CU netid and CAC password: ssh netid@linuxlogin.cac.cornell.edu.
  • Set some environment variables that are required for accessing Red Cloud by sourcing the /opt/openstack/login-redcloud.sh file and responding to its prompts, like this:
 -bash-4.2$ source /opt/openstack/login-redcloud.sh 
 Please enter your CAC project: Enter CAC project name
 Please enter your user name for your CAC project <Your CAC project name>: Enter CAC user name
 Please enter your password for project <Your CAC project name> as user <Your CAC user name>: Enter CAC password
  • Run the network creation script with a single argument (network name), e.g.: /opt/openstack/create-private-net.sh my-net-name.

Note that network names are not unique, but network IDs are. Networks and subnets can both be renamed through the Horizon web UI. A network can be renamed without renaming its subnet, which can be renamed separately.

Networks and routers can't be deleted if there are any active connections on them. For the cleanest results, network deletions should be performed using the 'delete network' script rather than through the Horizon web UI: /opt/openstack/delete-private-net.sh.

Assigning a Floating IP Address

The steps below can be used to create and assign a new floating IP address to an instance that is attached to a private network. As noted before, if you have an instance attached to a public network and want to assign a floating IP address to it, you will need to move the instance to a private network. To do this, create a new (cloned) instance by taking a snapshot of the existing instance and then launching a new instance (attached to the private network) from it. Just switching the network from a public one to a private one has been shown to produce undesirable results.

Steps for creating and assigning a floating (stable) IP address:

  • See the prerequisite steps above for "Creating a Private Network".
  • In Horizon, under the Networks tab, select "Floating IPs", which should send you to https://redcloud.cac.cornell.edu/dashboard/project/floating_ips/.
  • Click "Allocate IP to Project"
  • The only pool will be "public"; click "allocate".
  • From the list of floating IPs, click "Associate"; make sure you pick a "port" that is an instance's interface on a previously created private network, NOT a public network.
  • Once you no longer need the floating IP, please release it back to the pool by selecting "Release Floating IP" from the Actions dropdown menu.
  • When changing the associated floating IPs of an instance, security groups may be dropped, so you may need to edit the security groups after the fact from the instance dropdown menu.
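
As an added example (not part of the CAC documentation), the Python check below applies this page's rules to a project inventory: no instance on both a public and a private network, no floating IP on a public-network port, no allocated floating IP left unassociated, and no floating-IP port left without security groups. The inventory records are constructed, and their field names are simplified assumptions rather than the exact output of any OpenStack command.

```python
# Constructed sample inventory. Field names are simplified assumptions for
# this example, not the exact output format of any OpenStack command.
NETWORKS = {"net-pub": "public", "net-priv": "my-net-name"}
PORTS = [
    {"id": "port-1", "server": "web-1", "network": "net-priv", "security_groups": ["ssh-only"]},
    {"id": "port-2", "server": "db-1", "network": "net-priv", "security_groups": []},
    {"id": "port-3", "server": "db-1", "network": "net-pub", "security_groups": ["default"]},
    {"id": "port-4", "server": "calc-1", "network": "net-pub", "security_groups": ["default"]},
]
FLOATING_IPS = [
    {"address": "192.0.2.10", "port": "port-1"},
    {"address": "192.0.2.11", "port": "port-2"},
    {"address": "192.0.2.12", "port": "port-4"},
    {"address": "192.0.2.13", "port": None},
]


def audit(networks, ports, floating_ips, public_name="public"):
    """Return (finding, subject) tuples for the conditions this page warns about."""
    by_id = {p["id"]: p for p in ports}

    def on_public(port):
        return networks[port["network"]] == public_name

    findings = []
    # An instance attached to both a public and a private network.
    kinds = {}
    for port in ports:
        kinds.setdefault(port["server"], set()).add(on_public(port))
    for server in sorted(s for s, k in kinds.items() if len(k) == 2):
        findings.append(("dual-homed", server))

    for fip in floating_ips:
        if fip["port"] is None:
            # Allocated but unused: release it back to the pool.
            findings.append(("unassociated", fip["address"]))
            continue
        port = by_id.get(fip["port"])
        if port is None:
            findings.append(("unknown-port", fip["address"]))
        elif on_public(port):
            findings.append(("fip-on-public", fip["address"]))
        elif not port["security_groups"]:
            # Security groups may be dropped when floating IPs change.
            findings.append(("no-security-groups", fip["address"]))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(NETWORKS, PORTS, FLOATING_IPS):
        print(f"{finding}: {subject}")
```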