[pve-devel] RFC: sdn: add ip management (IPAM -DHCP) ideas
Alexandre DERUMIER
aderumier at odiso.com
Mon Jun 15 14:08:58 CEST 2020
Hi,
The sdn beta seems to work fine currently; I think the model is good enough to handle users' needs.
I'm already thinking about the next step: ip management (ipam) && dhcp.
The main idea is to be able to define subnets with pools of ip addresses on vnets, and when a user creates a vm
on this vnet, he's only able to use an ip address from the available pools.
The ip address management can be done internally in the cluster, or use an external source through a plugin (racktables, netbox, phpipam, ...).
This is really needed for big companies like mine, where you have multiple proxmox clusters but also physical servers, kubernetes clusters, ...
where all ip addresses are registered in a central software.
When a user creates a new vm or adds a nic to the vm, he could choose ip address "auto", and the next available ip address will be returned
by the ipam driver.
The user could also choose a specific ip address, with verification of availability.
In a second step, we could also add dhcp server features, with static ip/mac leases (Kea dhcp seems a good candidate),
with 1 local dhcp server per node (only responding to local vms).
For bgp-evpn it's easy because we already have an anycast gateway ip, so it can be used by the dhcp server.
For the vlan && layer2 plugins, I wonder if we could also assign some kind of anycast ip (same ip on each host/vnet), but with filtering (iptables, ebtables, ...).
I could also work on implementing cloudinit network metadata.
Here are some implementation docs from openstack && opennebula:
-------------------------------------------------------
openstack
---------
https://specs.openstack.org/openstack/neutron-specs/specs/liberty/neutron-ipam.html
https://www.youtube.com/watch?v=l_JSXSIRr6M
https://www.youtube.com/watch?v=smbs0Up87Y4
opennebula
----------
https://docs.opennebula.io/5.10/integration/infrastructure_integration/devel-ipam.html#devel-ipam
https://docs.opennebula.io/5.10/operation/network_management/manage_vnets.html#managing-address-ranges
Some notes/ideas for the implementation/config:
----------------------------------------------
/etc/pve/sdn/subnets.cfg
-------------------------
subnet: subnet1
    cidr 192.168.0.0/24
    allocation-pools 192.168.0.10-17, 192.168.0.70-10, 192.168.0.100   (default is the full cidr without network/broadcast address)
    (I'm not sure, maybe allocation-pools should be different objects to manage permissions on them)
    vnet vnet1
    ipam internal   (default)
    dhcp 1   -> generate dhcp configuration

subnet: subnet2
    cidr 192.168.1.0/24
    vnet vnet1
    ipam netbox

subnet: subnet3
    vnet vnet2
    ipam netbox
/etc/pve/sdn/ipam.cfg
---------------------
netbox: mynetboximap
    api http://netbox.com/api/
    login: ...
    password: ...
firewall:
---------
- allowing only src/dst subnet on vnet by default ?
- add vnets rules option ?
- dhcp filtering rules (ebtables, dhcp snooping)
  add a new intermediate vnet chain: -> PVEFW-FWBR-IN -> VNET-VNETID-IN -> TAP ?
  or add rules in each vm tap chain?
vm|ct nic gui:
--------------
- display all available ips in a list ? (maybe too huge with big subnets)
or
-> choose vnet -> choose available subnet -> field ip address: "auto|next free ip" -> api find_next_ip && record to ipam on submit.
-> specify a specific ip address -> add_ip (with verification if still available)
ipam driver api
---------------
- add_subnet
- add_ip
- del_ip
- add_next_ip
ipam internal database (yml ?):
---------------------------------
simple ip array:

subnet1:
  - 192.168.0.1
  - 192.168.0.2
  - 192.168.0.3

or array of hashes with more info ?

subnet2:
  - ip: 192.168.1.1
    vm: 100
    net: 0
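To make the driver api (add_subnet / add_ip / del_ip / add_next_ip) and the "array of hash" internal database concrete, here is an added toy implementation of the internal ipam in Python. It is an illustration written for this thread, not Proxmox SDN code (the real SDN stack is Perl); the class name InternalIpam, the method signatures, the last-octet pool shorthand "192.168.0.10-17" taken from the subnets.cfg sketch, and the sample subnets/vmids are all assumptions. It shows the "auto|next free ip" flow, the availability check for a user-chosen ip, rejection of addresses outside the allocation pools, and pool exhaustion.

```python
import ipaddress


def _pool_bounds(item):
    """Parse one allocation-pool entry (constructed syntax, following the sketch):
    '192.168.0.100', '192.168.0.10-17' (last-octet shorthand) or
    '192.168.0.10-192.168.0.17'. Returns (first, last) as ip_address objects."""
    item = item.strip()
    if "-" not in item:
        addr = ipaddress.ip_address(item)
        return addr, addr
    start_s, end_s = (p.strip() for p in item.split("-", 1))
    start = ipaddress.ip_address(start_s)
    if "." not in end_s:
        # shorthand: only the last octet of the end address is given
        end_s = start_s.rsplit(".", 1)[0] + "." + end_s
    end = ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError(f"pool {item!r}: end before start")
    return start, end


class InternalIpam:
    """Toy in-cluster ipam (hypothetical, not the Proxmox driver).
    Per subnet: the cidr, the allocation pools, and allocated ip -> {vm, net}."""

    def __init__(self):
        self.subnets = {}

    def add_subnet(self, name, cidr, allocation_pools=None):
        net = ipaddress.ip_network(cidr, strict=True)
        if allocation_pools is None:
            # default: the full cidr without network and broadcast address
            pools = [(net.network_address + 1, net.broadcast_address - 1)]
        else:
            pools = [_pool_bounds(p) for p in allocation_pools.split(",")]
        for start, end in pools:
            if start not in net or end not in net:
                raise ValueError(f"{name}: pool {start}-{end} outside {net}")
            if start == net.network_address or end == net.broadcast_address:
                raise ValueError(f"{name}: pool may not include network/broadcast")
        self.subnets[name] = {"cidr": net, "pools": pools, "ips": {}}

    def _subnet(self, name):
        if name not in self.subnets:
            raise KeyError(f"unknown subnet {name!r}")
        return self.subnets[name]

    @staticmethod
    def _in_pool(sub, addr):
        return any(start <= addr <= end for start, end in sub["pools"])

    def add_ip(self, subnet, ip, vm, net):
        """User picked a specific ip: verify it is in a pool and still free."""
        sub = self._subnet(subnet)
        addr = ipaddress.ip_address(ip)
        if not self._in_pool(sub, addr):
            raise ValueError(f"{addr} is not in an allocation pool of {subnet}")
        if addr in sub["ips"]:
            raise ValueError(f"{addr} is already allocated in {subnet}")
        sub["ips"][addr] = {"vm": vm, "net": net}
        return str(addr)

    def add_next_ip(self, subnet, vm, net):
        """The 'auto' choice: first free address, walking the pools in order."""
        sub = self._subnet(subnet)
        for start, end in sub["pools"]:
            addr = start
            while addr <= end:
                if addr not in sub["ips"]:
                    return self.add_ip(subnet, str(addr), vm, net)
                addr += 1
        raise ValueError(f"{subnet}: no free address left in allocation pools")

    def del_ip(self, subnet, ip):
        sub = self._subnet(subnet)
        addr = ipaddress.ip_address(ip)
        if addr not in sub["ips"]:
            raise KeyError(f"{addr} is not allocated in {subnet}")
        del sub["ips"][addr]

    def dump(self):
        """Database in the shape of the yml sketch: subnet -> list of {ip, vm, net}."""
        return {
            name: [{"ip": str(a), **meta} for a, meta in sorted(sub["ips"].items())]
            for name, sub in self.subnets.items()
        }


if __name__ == "__main__":
    ipam = InternalIpam()
    # constructed sample matching the subnets.cfg sketch above
    ipam.add_subnet("subnet1", "192.168.0.0/24", "192.168.0.10-17, 192.168.0.100")
    print(ipam.add_next_ip("subnet1", 100, 0))          # first free pool address
    print(ipam.add_ip("subnet1", "192.168.0.11", 101, 0))  # explicit, verified
    print(ipam.dump())
```

A real driver would have to take a cluster-wide lock (or rely on the external ipam's own atomicity) around add_next_ip, since two nodes allocating "auto" at the same time must not both get the same address; the dict above only shows the allocation logic itself.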