VMware Cloud Community
yyzkevin
Contributor

modify neutron.conf

I have been looking to allow multiple fixed IPs on a single VM port, and I was running into the error message indicating that the max limit (1) had been reached, so after poking around I discovered max_fixed_ips_per_port. I see some discussions about it being removed from OpenStack, but I'm not sure where that stands.

Having said that, this is not a "production system", so I modified max_fixed_ips_per_port from 1 to 5 and restarted neutron-server on each controller. On the surface this seems to work fine as long as the subnet being specified does not have DHCP enabled. If DHCP is enabled, it will add the IP but bail out during the DHCP process and leave you in an inconsistent state where OpenStack shows the IP assigned but some other neutron/NSX steps have not taken place, so the traffic is still filtered inside NSX/hypervisor somewhere.

From /etc/neutron/neutron.conf on the controllers:

# Maximum number of fixed ips per port. This option is deprecated and will be
# removed in the N release. (integer value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
max_fixed_ips_per_port = 1

If there is some other way I should be trying to accomplish this I would love to hear it, but this is a specific situation where I have VMs that attach to a VLAN-based network which has an external physical router, and they need to allocate multiple public IPs directly on the single interface. Floating IPs / NAT will not work in this situation. I will use the topology of floating IPs etc. as I onboard new projects where it is appropriate.

So, long story short, is there an appropriate way for me to make this modification to neutron.conf so that it will not be overwritten during future updates etc.? Should I be modifying the ansible template on the management-server?

Thanks!

5 Replies
lserpietri
Enthusiast

I assume we're dealing with an NSX deployment... Have you tried the allowed_address_pair configuration for your port? Run something like:

neutron port-update <port_you_want_to_modify> --allowed-address-pairs type=dict list=true ip_address=<IP#1> ip_address=<IP#2> ip_address=<IP#3>


This way you're also updating the spoofguard policy to allow those new IPs (otherwise the policy would disable the port the moment a new IP shows up). Ref. vmware-nsx/plugin.py at e2201c71f08dbd5aab2fcf92000c924059963551 · openstack/vmware-nsx · GitHub


If you modify the neutron.conf template in the ansible repo on the OMS, you'll ensure that each VIO deployment you drive with that OMS will use the same neutron.conf file, but there's no way to ensure that this modified file will persist through updates.


VMware ensures that customizations performed through the custom.yml file persist through upgrades, but I highly doubt that the max_fixed_ips_per_port parameter is in that file.

yyzkevin
Contributor

Yes, this is an NSX deployment.

Thanks for letting me know about allowed-address-pairs. This will come in handy for some particular existing workloads that I will move into VIO, situations where the client is using CARP or another redundancy protocol etc., or where they have IP blocks routed to them from outside of OpenStack...

My issue with this by itself, however, is that when I set max_fixed_ips_per_port to something greater than 1, I am then able to set multiple IPs (depending on the limit I set, obviously) in OpenStack, and it handles allocating the IPs from the subnet and avoiding overlapping etc., and shows all the fixed IPs on all lists, without the need to separately make a call to each port to get a list of allowed address pairs.


If I were to try to solve my issue with allowed-address-pairs alone, I believe I would need to implement my own method outside of VIO for allocating IPs and avoiding IP conflicts, and create some of my own user interfaces to allow management by my users, but part of the attraction of VIO is to put measured amounts of control into their hands with as little customization as possible. This would be less of an issue if I was doing this for new clients, where I could set the allocation pool range for the subnet to be used exclusively for the first fixed IP and then use my own method to allocate additional IPs from the range outside of the pool, but these are existing VMs where the allocated IPs are all over the place as they were added as requested.

Is there a specific and critical reason VIO would require me to keep max_fixed_ips_per_port at 1? As long as DHCP is not enabled on the subnet it does not crash out and does properly update NSX to allow the IPs on the port. If DHCP is enabled though, as mentioned, it crashes out before it does the NSX configuration.

I will do more research on my end about the future of max_fixed_ips_per_port in OpenStack in general, but would like to try and get some better understanding of any negative impact on VIO specifically.

0 Kudos
groundsea
Enthusiast

In my use case (our VM worked as a router, so it has many loopback addresses), I just set --port_security_enabled=False to solve this issue.

0 Kudos
lserpietri
Enthusiast

groundsea yes, that disables spoofguard on NSX so you will be able to allow multiple IPs on the same interface without port security disabling the port itself.

0 Kudos
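An added example, not part of the thread and not VIO or Neutron code: a small audit that lists which ports depart from "one fixed IP, anti-spoofing enforced", covering the three approaches discussed above (extra fixed IPs, allowed address pairs, port security disabled). The field names follow the Neutron port resource; the sample ports, their IDs and addresses are constructed, and treating an absent port_security_enabled field as enabled is an assumption.

```python
import ipaddress
import json

# Constructed sample shaped like the "ports" list of a Neutron
# GET /v2.0/ports response; IDs and addresses are made up.
SAMPLE_PORTS = json.loads("""
[
 {"id": "port-a", "port_security_enabled": true,
  "fixed_ips": [{"subnet_id": "sub-1", "ip_address": "203.0.113.10"}],
  "allowed_address_pairs": []},
 {"id": "port-b", "port_security_enabled": true,
  "fixed_ips": [{"subnet_id": "sub-1", "ip_address": "203.0.113.11"},
                {"subnet_id": "sub-1", "ip_address": "203.0.113.12"}],
  "allowed_address_pairs": [{"ip_address": "203.0.113.20"},
                            {"ip_address": "203.0.113.0/24"}]},
 {"id": "port-c", "port_security_enabled": false,
  "fixed_ips": [{"subnet_id": "sub-1", "ip_address": "203.0.113.13"}],
  "allowed_address_pairs": []}
]
""")


def audit_port(port, max_fixed_ips=1):
    """Return findings for one port; an empty list means nothing to report."""
    findings = []
    # Assumption: a missing field is treated as port security enabled.
    if not port.get("port_security_enabled", True):
        findings.append("port security disabled")
    n_fixed = len(port.get("fixed_ips", []))
    if n_fixed > max_fixed_ips:
        findings.append(f"{n_fixed} fixed IPs (limit {max_fixed_ips})")
    for pair in port.get("allowed_address_pairs", []):
        # An allowed pair may be a single address or a whole CIDR.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.num_addresses > 1:
            findings.append(
                f"allowed pair covers {net.num_addresses} addresses: {net}")
        else:
            findings.append(f"extra allowed address: {net.network_address}")
    return findings


def audit(ports, max_fixed_ips=1):
    """Map port id -> findings, omitting ports with no findings."""
    report = {p["id"]: audit_port(p, max_fixed_ips) for p in ports}
    return {pid: f for pid, f in report.items() if f}


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_PORTS).items():
        print(pid, "->", "; ".join(findings))
```
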
lserpietri
Enthusiast

yyzkevin Yeah, I agree with you that implementing IPAM to use the address-pairs configuration would be too much of a hassle.

Still, in your case, if I understood that correctly, you're using DHCP for assigning multiple IPs to the same interface. DHCP maps IPs based on the MAC address, so I guess you're not able to perform the operation because you're mapping multiple IPs on the same MAC address.

I'm not aware of any alternatives to DHCP overcoming this limitation. How about creating instances with macvlan interfaces? Would that be a viable option?

Thank you!
Luca

0 Kudos