<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
<!ENTITY % xinclude SYSTEM "http://www.docbook.org/xml/4.4/xinclude.mod">
%xinclude;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="plugin-vxlan-config-hypervisor">
<title>Configure hypervisor</title>
<section id="plugin-vxlan-config-hypervisor-kvm">
<title>Configure hypervisor: KVM</title>
<para>
In addition to "KVM Hypervisor Host Installation" in "&PRODUCT; Installation Guide", you have to configure the following item on the host.
</para>
<section id="plugin-vxlan-config-hypervisor-kvm-bridge">
<title>Create bridge interface with IPv4 address</title>
<para>
This plugin requires an IPv4 address on the KVM host to terminate and originate VXLAN traffic.
The address should be assigned to a physical interface or to a bridge interface bound to a physical interface.
Either a private or a public address is fine for the purpose.
The hypervisors in a zone are not required to be in the same subnet, but they must be able to reach each other via IP multicast on UDP port 8472.
The name of a physical interface, or the name of a bridge interface bound to a physical interface, can be used as the traffic label.
A physical interface name fits almost all cases, but if the physical interface name differs per host, you can use a bridge to give every host the same name.
If you would like to use a bridge name as the traffic label, create the bridge as follows.
</para>
<para>
Let <parameter>cloudbr1</parameter> be the bridge interface for the instances' private network.
</para>
<section id="plugin-vxlan-config-hypervisor-kvm-bridge-rhel">
<title>Configure in RHEL or CentOS</title>
<para>
When you configured the <parameter>cloudbr1</parameter> interface as below,
</para>
<programlisting language="Bash">$ sudo vi /etc/sysconfig/network-scripts/ifcfg-cloudbr1
</programlisting>
<programlisting language="Bash">DEVICE=cloudbr1
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes
</programlisting>
<para>
you would change the configuration to something similar to the following.
</para>
<programlisting language="Bash">DEVICE=cloudbr1
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.0.2.X
NETMASK=255.255.255.0
IPV6INIT=no
IPV6_AUTOCONF=no
DELAY=5
STP=yes
</programlisting>
</section>
<section id="plugin-vxlan-config-hypervisor-kvm-bridge-ubuntu">
<title>Configure in Ubuntu</title>
<para>
When you configured <parameter>cloudbr1</parameter> as below,
</para>
<programlisting language="Bash">$ sudo vi /etc/network/interfaces
</programlisting>
<programlisting language="Bash">auto lo
iface lo inet loopback
# The primary network interface
auto eth0.100
iface eth0.100 inet static
address 192.168.42.11
netmask 255.255.255.240
gateway 192.168.42.1
dns-nameservers 8.8.8.8 8.8.4.4
dns-domain lab.example.org
# Public network
auto cloudbr0
iface cloudbr0 inet manual
bridge_ports eth0.200
bridge_fd 5
bridge_stp off
bridge_maxwait 1
# Private network
auto cloudbr1
iface cloudbr1 inet manual
bridge_ports eth0.300
bridge_fd 5
bridge_stp off
bridge_maxwait 1
</programlisting>
<para>
you would change the configuration to something similar to the following.
</para>
<programlisting language="Bash">auto lo
iface lo inet loopback
# The primary network interface
auto eth0.100
iface eth0.100 inet static
address 192.168.42.11
netmask 255.255.255.240
gateway 192.168.42.1
dns-nameservers 8.8.8.8 8.8.4.4
dns-domain lab.example.org
# Public network
auto cloudbr0
iface cloudbr0 inet manual
bridge_ports eth0.200
bridge_fd 5
bridge_stp off
bridge_maxwait 1
# Private network
auto cloudbr1
iface cloudbr1 inet static
address 192.0.2.X
netmask 255.255.255.0
bridge_ports eth0.300
bridge_fd 5
bridge_stp off
bridge_maxwait 1
</programlisting>
</section>
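<para>
A pre-flight check for both host configurations above, added here as an example and not part of the &PRODUCT; plugin or its documentation: it parses the RHEL/CentOS ifcfg file and the Ubuntu interfaces stanza for <parameter>cloudbr1</parameter> and reports whether the bridge really has a static, valid IPv4 address before the network is restarted. The sample inputs are constructed; the Ubuntu one deliberately keeps a misspelt <parameter>addres</parameter> key to show what the check catches.
</para>

```python
import ipaddress

# Constructed sample inputs (not from the page): the Ubuntu stanza keeps a
# misspelt "addres" key so the check shows what it catches before a restart.
RHEL_IFCFG = "DEVICE=cloudbr1\nTYPE=Bridge\nBOOTPROTO=static\nIPADDR=192.0.2.10\nNETMASK=255.255.255.0\n"
UBUNTU_IFACES = "auto cloudbr1\niface cloudbr1 inet static\n addres 192.0.2.X\n netmask 255.255.255.0\n bridge_ports eth0.300\n"

def parse_ifcfg(text):
    """RHEL/CentOS ifcfg KEY=VALUE lines (comments skipped) -> dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip().strip('"')
    return conf

def parse_iface_stanza(text, iface):
    """Options of the 'iface <iface> inet <method>' stanza -> dict."""
    opts, inside = {}, False
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("auto", "iface", "allow-hotplug", "mapping"):
            inside = words[0] == "iface" and words[1] == iface
            if inside:
                opts["method"] = words[3] if len(words) > 3 else None
        elif inside:
            opts[words[0]] = " ".join(words[1:])
    return opts

def bridge_problems(method, addr, mask):
    """VXLAN endpoint bridge needs a static, real IPv4 address (placeholders like 192.0.2.X fail)."""
    problems = [] if method == "static" else [f"bridge must be static, got {method}"]
    try:
        ipaddress.IPv4Interface(f"{addr}/{mask}")
    except ValueError:
        problems.append(f"invalid IPv4 address/netmask: {addr}/{mask}")
    return problems

def check_rhel_bridge(ifcfg_text):
    c = parse_ifcfg(ifcfg_text)
    extra = [] if c.get("TYPE") == "Bridge" else ["TYPE must be Bridge"]
    return extra + bridge_problems(c.get("BOOTPROTO"), c.get("IPADDR"), c.get("NETMASK"))

def check_ubuntu_bridge(interfaces_text, iface="cloudbr1"):
    o = parse_iface_stanza(interfaces_text, iface)
    extra = [] if "bridge_ports" in o else [f"{iface} has no bridge_ports"]
    return extra + bridge_problems(o.get("method"), o.get("address"), o.get("netmask"))
```

An empty list means the bridge configuration is usable as a VXLAN endpoint; anything else is worth fixing before the restart that the warning below cautions about.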
</section>
<section id="plugin-vxlan-config-hypervisor-kvm-iptables">
<title>Configure iptables to pass VXLAN packets</title>
<para>
Since VXLAN uses UDP packets to carry the encapsulated L2 frames, UDP port 8472 must be opened.
</para>
<section id="plugin-vxlan-config-hypervisor-kvm-iptables-rhel">
<title>Configure in RHEL or CentOS</title>
<para>
RHEL and CentOS use iptables for firewalling the system; you can open the extra port by executing the following iptables command:
</para>
<programlisting language="Bash">$ sudo iptables -I INPUT -p udp -m udp --dport 8472 -j ACCEPT
</programlisting>
<para>
These iptables settings are not persistent across reboots, so they have to be saved first.
</para>
<programlisting language="Bash">$ sudo iptables-save > /etc/sysconfig/iptables
</programlisting>
<para>
With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.
</para>
<programlisting language="Bash">$ sudo service network restart
$ sudo reboot
</programlisting>
<warning>
<para>
Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!
</para>
</warning>
</section>
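<para>
Whether the saved rule set actually lets VXLAN traffic in depends on rule order: the command above uses <parameter>-I</parameter> so the rule lands before any stock REJECT rule in INPUT. The following check, added here as an example and not part of the &PRODUCT; plugin, walks an <parameter>iptables-save</parameter> dump (such as the saved <filename>/etc/sysconfig/iptables</filename>) in order and returns the verdict a fresh UDP/8472 packet would get; the two dumps are constructed.
</para>

```python
import re

# Constructed iptables-save excerpts (not from the page). GOOD_DUMP is what
# "iptables -I INPUT ..." produces; BAD_DUMP shows the same rule appended with
# -A instead, so it sits behind the stock REJECT rule and never matches.
GOOD_DUMP = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
BAD_DUMP = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT
COMMIT
"""

def _opt(words, flag):
    """Value following a flag in a tokenised rule, or None if absent."""
    return words[words.index(flag) + 1] if flag in words else None

def vxlan_verdict(iptables_save_text, port=8472):
    """Target of the first INPUT rule able to match a new UDP packet to
    dport <port>, in chain order; None if no rule matches (policy applies)."""
    for line in iptables_save_text.splitlines():
        words = line.split()
        if len(words) < 4 or words[:2] != ["-A", "INPUT"]:
            continue
        if _opt(words, "-p") not in (None, "udp"):
            continue  # other protocol: cannot match our packet
        if _opt(words, "--dport") not in (None, str(port)):
            continue  # other port: cannot match our packet
        state = _opt(words, "--state")
        if state is not None and "NEW" not in state.split(","):
            continue  # conntrack rule that skips fresh packets
        return _opt(words, "-j")
    return None

def vxlan_port_open(iptables_save_text, port=8472):
    """True if a new UDP packet to <port> would be accepted by INPUT."""
    verdict = vxlan_verdict(iptables_save_text, port)
    if verdict is None:  # nothing matched: the chain policy ":INPUT <policy>" decides
        m = re.search(r"^:INPUT (\S+)", iptables_save_text, re.MULTILINE)
        verdict = m.group(1) if m else None
    return verdict == "ACCEPT"
```

Running it against the dump of every hypervisor in the zone, rather than against one host, is what confirms the multicast and UDP/8472 reachability requirement stated earlier.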
<section id="plugin-vxlan-config-hypervisor-kvm-iptables-ubuntu">
<title>Configure in Ubuntu</title>
<para>
The default firewall under Ubuntu is UFW (Uncomplicated Firewall), which is a Python wrapper around iptables.
</para>
<para>
To open the required ports, execute the following commands:
</para>
<programlisting language="Bash">$ sudo ufw allow proto udp from any to any port 8472
</programlisting>
<note>
<para>
By default UFW is not enabled on Ubuntu. Executing these commands with the firewall disabled does not enable the firewall.
</para>
</note>
<para>
With this configuration you should be able to restart the network, although a reboot is recommended to see if everything works properly.
</para>
<programlisting language="Bash">$ sudo service networking restart
$ sudo reboot
</programlisting>
<warning>
<para>
Make sure you have an alternative way like IPMI or ILO to reach the machine in case you made a configuration error and the network stops functioning!
</para>
</warning>
</section>
</section>
</section>
</section>