cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alena Prokharchyk <Alena.Prokharc...@citrix.com>
Subject RE: Adding a public range for an account
Date Wed, 25 Apr 2012 17:00:49 GMT
Hi Dan,

Please see the answers inline.

-Alena.

From: dan@soleks.com [mailto:dan@soleks.com]
Sent: Tuesday, April 24, 2012 11:53 PM
To: cloudstack-users@incubator.apache.org; Alena Prokharchyk
Cc: cloudstack-users@incubator.apache.org; 'Clayton Weise'
Subject: RE: Adding a public range for an account


 Hi Alena,

Thanks for so rapid reply and suggested workaround for the broken feature. I have couple questions
about proposed solution. That method will move vlan (and associated public IP network) from
under specific account to zone wide scope, so everybody in the zone technically will be able
to get IP from that network. Is it correct ?

Yes.

It can be solution to utilize IP address space which is "Allocated", but actually not usable
- i agree about it. But on the other hand that method is not allowing to use IP address space
exclusively by specific account, and from my understanding that is main purpose of that type
of  public network - provide full isolation for account on the public and private levels.
Correct me if i misunderstand concept.

As I said, the feature is completely broken in 3.0.1, so only zone wide ranges are working,
and everyone from the zone can use ips from these vlans. In 3.0.2 the range assigned to the
account can be used by account only.

In the documentation you mentioned that if account has more then one private isolated networks
allocation of assigned to that account public network will fail. Is it correct ?

Yes.

Will it be fixed in the future releases ?

I'll file an enhancement bug for that. It will require API changes for createVlanRange command.
Right now you are specifying only account/domainid in the command, and based on this info
we look up Guest Isolated network of this account and assign all Public ips to this guest
network. We are planning to add one more API parameter to createVlanRange explicitly defining
the guest network id.

I think it's very useful feature to have not only one-to-one mapping (public-to-private),
but also one-to-many (one public IP network - to many private IP network) and of cause feature
many-to-many will cover all possible configurations.

We are not planning support one to many mapping. One public ip address can be assigned to
one Guest network only.

Thanks again for so great support !


> Follow up on Account specific public ip range.
>
> 1) The feature is broken in 3.0.1. Here is the workaround to switch
> account specific vlans to regular vlans - requires DB changes.
>
> * get vlan id - select id from vlan;
>
> * delete the vlan-account ref using the query:
>
> delete from account_vlan_map where vlan_db_id=<vlanId>
>
> * mark all ip addresses as free in user_ip_address table using the query:
>
> update user_ip_address set account_id=null, domain_id=null,
> source_nat=0, allocated=null, state='Free', network_id=null where
> vlan_db_id=<vlanId>;
>
>
>
> 2) The feature is fixed in 3.0.2 branch (release date is next week).
> Here is the doc explaining the feature use cases:
>
> http://wiki.cloudstack.org/display/RelOps/Adding+public+Vlan+per+account
>
>
> Let me know if you have any problems switching account specific
> ranges to zone wide in 3.0.1
>
> -Alena.
>
> -----Original Message-----
> From: Alena Prokharchyk [mailto:Alena.Prokharchyk@citrix.com]<mailto:[mailto:Alena.Prokharchyk@citrix.com]>
> Sent: Tuesday, April 24, 2012 11:34 AM
> To: 'dan@soleks.com'
> Cc: cloudstack-users@incubator.apache.org<mailto:cloudstack-users@incubator.apache.org>
> Subject: RE: Adding a public range for an account
>
> Dan/all,
>
> I?ve just done code review and some testing for the feature. Looks
> like it?s broken in 3.0.1.
>
> 4) mentioned in your email should display ips as available for rules
> creation. But due to the bug in 3.0.1, the ips are being associated
> with the wrong network (Public network instead of Guest), therefore
> you don?t see it under your Guest network tab.
>
> The feature will be fixed in 3.0.2 - planning to be released next week.
>
> -Alena.
>
> From: dan@soleks.com<mailto:dan@soleks.com> [mailto:dan@soleks.com]<mailto:[mailto:dan@soleks.com]>
> Sent: Tuesday, April 24, 2012 12:06 PM
> To: Alena Prokharchyk
> Cc: cloudstack-users@incubator.apache.org<mailto:cloudstack-users@incubator.apache.org>
> Subject: RE: Adding a public range for an account
>
> Alena,
>
> Here is not clear.
>
> Ok, step by step with results i have.
>
> 1) Created domain and created domain administrator account.
> 2) Login as account form step 1), created isolated guest network with
> NAT service - network is 10.1.2.0/24
> 3) Login as cloud admin, created public network and assigned it to
> account from step 1), public network is 192.168.233.0/24, gw
> 192.168.233.254, vlan 101 (default zone wide network is
> 192.168.232.0/24, vlan 100)
> 4) Login as account from step 1), I can't do firewall/PF/LB
> manipulation at this moment because i don't have any public IPs yet
> 5) Requesting public IP for my guest network which is 10.1.2.0/24 and
> getting IP from 192.168.232.0/24 which zone wide network.
>
> At this point i don't see any options to get IP from 192.168.233.0/24.
>
>> Dan,
>>
>> First of all, adding public ip range per account will work only for
>> the case when the account owns only one Guest Isolated network. Or if
>> account doesn?t have any, we should automatically create Guest network
>> for him (based on your findings, this part is broken).
>> Ip addresses from account specific network are Allocated and
>> associated to the account?s guest network from the moment the range is
>> added, so you can start using them for PF/LB/Static nat rules creation
>> right away.
>>
>> When you request a new ip, it can be taken from Public (zone wide) ip
>> addresses pool ? and only Free ips can be taken for consideration.
>>
>> We should have done a better job by documenting all these cases, I?ll
>> make sure it?s created today and passed to the community right away.
>>
>> -Alena.
>>
>> From: dan@soleks.com<mailto:dan@soleks.com<mailto:dan@soleks.com%3cmailto:dan@soleks.com>>
>> [mailto:dan@soleks.com]<mailto:[mailto:dan@soleks.com]><mailto:[mailto:dan@soleks.com]>
>> Sent: Tuesday, April 24, 2012 11:21 AM
>> To: Alena Prokharchyk
>> Cc:
>> cloudstack-users@incubator.apache.org<mailto:cloudstack-users@incubato<mailto:cloudstack-users@incubator.apache.org%3cmailto:cloudstack-users@incubato>
>> r.apache.org>
>> Subject: RE: Adding a public range for an account
>>
>> Alena,
>> Ok, that is pretty clear and logically, but why when I'm requesting
>> new IP using account with associated network, provided IP is coming
>> from default network, but not from allocated for that account.
>>
>>> Dan,
>>>
>>> When public ip address range is created per account, all ip addresses
>>> from this range immediately get allocated to the account . You can't
>>> release single ip from account specific range with
>>> disassociateIpAddress command. The only one way to release account
>>> specific ips - delete the entire range (using deleteVlanIpRange api).
>>>
>>> I'll make sure we create document for this feature, and I'll pass it
>>> to you/community once it's done.
>>>
>>> -Alena.
>>>
>>> -----Original Message-----
>>> From:
>>> dan@soleks.com<mailto:dan@soleks.com<mailto:dan@soleks.com%3cmailto:d<mailto:dan@soleks.com%3cmailto:dan@soleks.com%3cmailto:dan@soleks.com%3cmailto:d>
>>> an@soleks.com<mailto:an@soleks.com>>>
>>> [mailto:dan@soleks.com]<mailto:[mailto:dan@soleks.com]><mailto:[mailto:dan@soleks.com]><mailto:[mailt
<mailto:[mailt%0b>>>> o:dan@soleks.com]>
>>> Sent: Tuesday, April 24, 2012 10:52 AM
>>> To:
>>> cloudstack-users@incubator.apache.org<mailto:cloudstack-users@incubat<mailto:cloudstack-users@incubator.apache.org%3cmailto:cloudstack-users@incubat>
>>> or.apache.org<mailto:cloudstack-users@incubator.apache.org%3cmailto:c
<mailto:cloudstack-users@incubator.apache.org%3cmailto:c%0b>>>> loudstack-users@incubator.apache.org<mailto:loudstack-users@incubator.apache.org>>>
>>> Subject: Re: Adding a public range for an account
>>>
>>> Clayton, it's borei, can you please post mine
>>>
>>> Hi All,
>>> I created new public network via infrastructure->zone->physical
>>> network->public->IP range menu and assigned it to account in non-root
>>> domain. Private network was also created for that account. When i use
>>> that account and trying to request IP, IP was chosen from default
>>> public network, not from created above. Dashboard also shows that all
>>> IPs in that new network occupied. I looked into database and found
>>> that all IPs are in the "Allocated" state and there is no UUID for
>>> them. Can somebody gimme explanation how should it work and what is
>>> correct behaviour.
>>>
>>>> In CS 3.0.1 with advanced networking.  I was trying to add a new
>>>> public IP range for a specific account.  I went into the physical
>>>> network, added a new range and specified the domain and account that
>>>> it was to belong to.  It was a brand new account so it didn't have
>>>> any existing instances, nor did it have a virtual router.  When
>>>> adding the first instance I got the following error:
>>>>
>>>> http://paste.cloudstack.org/SSEO/
>>>>
>>>> Did I do something wrong?  Is there an additional step I should have
>>>> done in order to associate a new IP range with a specific account?
>>>>
>>>> Thanks,
>>>> Clayton
>>>>
>>>
>>>
>>> ----------------------------------------------------------------
>>> This message was sent using IMP, the Internet Messaging Program.
>>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message