How to implement DHCP, WDS and AD servers in OpenStack (internal-external network relations)

asked 2015-04-30 03:00:04 -0500

Serge gravatar image

updated 2015-05-05 04:59:49 -0500

Hello,

I am trying to implement network services for our local area network on OpenStack. These services are a Linux DHCP server, and a Microsoft Active Directory and Windows Deployment Server. I use Juno with Neutron. I have two OpenStack infrastructures.

  1. One production infrastructure with two servers: one compute node and one network-controller node with Neutron
  2. One test server with a combined compute-network-controller node, also with Neutron

What I did so far:

IMPLEMENTATION WITH THE INTERNAL NETWORK

I implemented the local area services in a private network with floating IPs.

  • DHCP does not work because of network segmentation.
  • Active Directory is working. I must however add an entry in the AD DNS, as AD must know the floating IP address.
  • WDS is not working: the TFTP server is sending the file wdsnbp to the external clients, but it seems it is configured with the internal IP only. Clients cannot download the Windows installation files (boot.wim).

IMPLEMENTATION WITH THE EXTERNAL NETWORK

I implemented the Active Directory and WDS server on the external network. This is only working with the test infrastructure (where the compute and the network services are on the same server). I think the reason is that the network must access the br-ex bridge. When the compute node is only reachable through a GRE tunnel, the server won't boot.

The AD server is also implemented with DHCP, and I put a DHCP agent on the external network. However, there are some strange problems with the existing external DHCP servers. Clients get their IP address from the external DHCP servers, but do not have the DNS servers any more.

TCP DUMP (NEW)

The download of the file wdsnbp.com is working correctly:

10:39:21.238178 IP PC-131-05.msem.xxx.xx.ah-esp-encap > 162.xx.xx.88.tftp:  36 RRQ "boot\x64\wdsnbp.com" octet tsize 0
10:39:21.255168 ARP, Request who-has PC-131-05.xxx.xxxx.xx tell PC-131-05.msem.xxxx.xxx, length 46
10:39:21.256289 ARP, Reply PC-131-05.msem.xxxxx.xxxx is-at 28:80:23:0a:3f:6d (oui Unknown), length 46
10:39:21.257277 IP 162.xxx.xxx.88.64685 > PC-131-05.msem.xxxx.xxx.ah-esp-encap: UDP, length 14

The download of the file pxeboot is NOT working:

10:39:21.320136 IP PC-131-05.msem.xxxx.xxx.bootpc > 162.xxxx.xxxx.88.pxe: BOOTP/DHCP, Request from 88:51:fb:4f:ad:97 (oui Unknown), length 283
10:39:25.817627 IP 162.xxx.xxxx.88.pxe > PC-131-05.msem.xxxx.xxx.bootpc: BOOTP/DHCP, Reply, length 1024
10:39:25.823966 IP PC-131-05.msem.xxxxxx.xxxx > 162.xxxx.xxxx.88: ICMP PC-131-05.msem.xxxxx.xxxx udp port bootpc unreachable, length 36

The ports 68, 69 and 4011 are open in the security group, and it is working on the external network.

WHAT I AM PLANNING TO DO

I am planning to use another KVM server for implementing the local area services. Perhaps I can find a solution with OpenStack in the future? I could send the instances from the KVM server to ...


1 answer


answered 2015-10-20 03:45:39 -0500

elenhil gravatar image

updated 2015-10-29 03:05:34 -0500

Hello!
Well, I am not sure that you still need my answer, but maybe someone else will.
The problem is that WDS uses DHCP ports to communicate with the client; the ports are 68, 67 and 4011.
And Nova doesn't like any DHCP traffic inside its network besides its own dnsmasq.
We could see the requests from the client on all interfaces, but the replies (from server port 4011 to client port 68) were blocked on the VLAN interface of the nova-network/compute node.

The problem was in ebtables, which blocked all traffic on the VLAN interface for ports 67 and 68:

# ebtables -L
-p IPv4 -o vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP
-p IPv4 -i vlan1004 --ip-proto udp --ip-dport 67:68 -j DROP

When I added the rules:

-p IPv4 -i vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT
-p IPv4 -o vlan1004 --ip-proto udp --ip-sport 4011 --ip-dport 68 -j ACCEPT

WDS started working properly.

UPDATE:

Sadly, it seems that Nova has some kind of scheduler which rewrites the ebtables rules even if nova-network wasn't restarted.

We edited the source code of Nova by adding lines in 2 methods in the file /usr/lib/python2.7/dist-packages/nova/network/linux_net.py, around line 1765:

def isolate_dhcp_address(interface, address):
    # block arp traffic to address across the interface
    rules = []
    rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                 % (interface, address))
    rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                 % (interface, address))
    # nova's own rules: drop all UDP to the DHCP ports 67/68 that crosses
    # the interface, so only nova's dnsmasq can answer DHCP on the network
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp'
                 ' --ip-destination-port 67:68 -j DROP'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp'
                 ' --ip-destination-port 67:68 -j DROP'
                 % interface)
    # added for WDS: allow proxyDHCP replies, server port 4011 -> client
    # port 68, in both directions. ensure_ebtables_rules() inserts each rule
    # with `ebtables -I` (at the head of the chain), so these ACCEPT rules,
    # listed last, end up ahead of the DROP rules above and are matched first.
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp'
                 ' --ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp'
                 ' --ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    # NOTE(vish): the above is not possible with iptables/arptables
    ensure_ebtables_rules(rules)


def remove_isolate_dhcp_address(interface, address):
    # block arp traffic to address across the interface
    # (the list must match isolate_dhcp_address() rule for rule, because
    # each entry is removed with `ebtables -D` by its exact specification)
    rules = []
    rules.append('INPUT -p ARP -i %s --arp-ip-dst %s -j DROP'
                 % (interface, address))
    rules.append('OUTPUT -p ARP -o %s --arp-ip-src %s -j DROP'
                 % (interface, address))
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp'
                 ' --ip-destination-port 67:68 -j DROP'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp'
                 ' --ip-destination-port 67:68 -j DROP'
                 % interface)
    # the WDS ACCEPT rules added above, so they are cleaned up as well
    rules.append('FORWARD -p IPv4 -i %s --ip-protocol udp'
                 ' --ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    rules.append('FORWARD -p IPv4 -o %s --ip-protocol udp'
                 ' --ip-sport 4011 --ip-dport 68 -j ACCEPT'
                 % interface)
    remove_ebtables_rules(rules)
    # NOTE(vish): the above is not possible with iptables/arptables
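To check what the rule set in the answer above actually lets through, here is an added Python model of the ebtables FORWARD chain on the compute node. It is example code written for this page, not code from the thread and not nova's own code; the interface names (vlan1004, vnet0), the addresses and the sample packets are constructed for the demonstration. It reproduces nova's two DROP rules, the two ACCEPT rules from the answer, nova's head insertion (`ebtables -I`), and a tightened variant of the ACCEPT rules that also matches `--ip-source` so that only the WDS instance can use the opening.

```python
# Added example: a model of the ebtables FORWARD chain that nova-network
# manages for DHCP isolation. Not the thread's or nova's code; names, IPs and
# packets below are constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    src_ip: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or DROP
    in_iface: Optional[str] = None           # -i
    out_iface: Optional[str] = None          # -o
    proto: Optional[str] = None              # --ip-proto
    src_ip: Optional[str] = None             # --ip-source
    sport: Optional[Tuple[int, int]] = None  # --ip-sport lo:hi (inclusive)
    dport: Optional[Tuple[int, int]] = None  # --ip-dport lo:hi (inclusive)

    def matches(self, pkt: Packet) -> bool:
        return all([
            self.in_iface is None or pkt.in_iface == self.in_iface,
            self.out_iface is None or pkt.out_iface == self.out_iface,
            self.proto is None or pkt.proto == self.proto,
            self.src_ip is None or pkt.src_ip == self.src_ip,
            self.sport is None or self.sport[0] <= pkt.sport <= self.sport[1],
            self.dport is None or self.dport[0] <= pkt.dport <= self.dport[1],
        ])


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in a real ebtables chain; default policy ACCEPT."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def nova_dhcp_isolation_rules(iface: str) -> List[Rule]:
    """The two DROP rules nova's isolate_dhcp_address() installs: any UDP to
    port 67 or 68 crossing the VLAN interface is dropped."""
    return [
        Rule("DROP", in_iface=iface, proto="udp", dport=(67, 68)),
        Rule("DROP", out_iface=iface, proto="udp", dport=(67, 68)),
    ]


def wds_proxydhcp_rules(iface: str, wds_ip: Optional[str] = None) -> List[Rule]:
    """The ACCEPT rules from the answer (sport 4011 -> dport 68). With wds_ip
    set they also carry --ip-source, so only the WDS instance can use the hole."""
    return [
        Rule("ACCEPT", in_iface=iface, proto="udp", src_ip=wds_ip,
             sport=(4011, 4011), dport=(68, 68)),
        Rule("ACCEPT", out_iface=iface, proto="udp", src_ip=wds_ip,
             sport=(4011, 4011), dport=(68, 68)),
    ]


def build_chain(rules: List[Rule], insert_at_head: bool = True) -> List[Rule]:
    """Apply rules in list order. nova's ensure_ebtables_rules() runs
    `ebtables -I` per rule (insert at head), so the last-listed rule is matched
    first. insert_at_head=False models `ebtables -A` (append) instead."""
    chain: List[Rule] = []
    for rule in rules:
        chain.insert(0, rule) if insert_at_head else chain.append(rule)
    return chain


VLAN = "vlan1004"        # VLAN interface on the compute node (from the answer)
TAP = "vnet0"            # assumed tap device of the WDS instance
WDS_IP = "10.0.4.10"     # assumed fixed IP of the WDS instance
ROGUE_IP = "10.0.4.77"   # assumed IP of another instance on the same VLAN

# Constructed packets: the proxyDHCP reply the answer saw blocked, a DHCPOFFER
# from a rogue DHCP server instance, another instance sending from port 4011,
# and a TFTP request from the PXE client.
PROXYDHCP_REPLY = Packet(TAP, VLAN, "udp", WDS_IP, 4011, 68)
ROGUE_OFFER = Packet(TAP, VLAN, "udp", ROGUE_IP, 67, 68)
SPOOFED_4011 = Packet(TAP, VLAN, "udp", ROGUE_IP, 4011, 68)
TFTP_RRQ = Packet(VLAN, TAP, "udp", "192.0.2.131", 2070, 69)

UNPATCHED = build_chain(nova_dhcp_isolation_rules(VLAN))
PATCHED = build_chain(nova_dhcp_isolation_rules(VLAN) + wds_proxydhcp_rules(VLAN))
RESTRICTED = build_chain(nova_dhcp_isolation_rules(VLAN) + wds_proxydhcp_rules(VLAN, WDS_IP))
APPENDED = build_chain(nova_dhcp_isolation_rules(VLAN) + wds_proxydhcp_rules(VLAN),
                       insert_at_head=False)


def evaluate(chain: List[Rule]) -> dict:
    return {
        "proxydhcp_reply": verdict(chain, PROXYDHCP_REPLY),
        "rogue_offer": verdict(chain, ROGUE_OFFER),
        "spoofed_4011": verdict(chain, SPOOFED_4011),
        "tftp": verdict(chain, TFTP_RRQ),
    }


if __name__ == "__main__":
    for name, chain in [("unpatched", UNPATCHED), ("patched", PATCHED),
                        ("restricted", RESTRICTED), ("appended", APPENDED)]:
        print(name, evaluate(chain))
```

Two things the model makes visible. First, ordering: the answer's ACCEPT rules only work because nova inserts every rule at the head of the chain; if the same rules were appended with `ebtables -A` they would sit behind the DROP rules and the proxyDHCP reply would still be dropped. Second, scope: the rules as posted match only on ports, so any instance on that VLAN can send from source port 4011 to port 68 and get past nova's DHCP isolation. Adding `--ip-source <WDS fixed IP>` to the two ACCEPT rules (the `wds_ip` argument above) keeps rogue DHCPOFFERs (source port 67) and spoofed port-4011 traffic from other instances blocked while still letting the WDS reply through.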


Stats

Asked: 2015-04-30 02:46:08 -0500

Seen: 1,294 times

Last updated: Oct 29 '15