Introduction:

This feature adds support for multiple IP addresses per NIC.

Currently, a guest VM has one default guest network interface, and this interface gets a primary IP address, which is acquired from the CloudStack DHCP server at boot time.

If a user needs another IP address for the guest VM NIC, CloudStack currently has no provision for it.

Using this feature, users can request additional IP addresses for the guest VM NIC from CloudStack.

Requirement:

https://issues.apache.org/jira/browse/CLOUDSTACK-24

  • This requirement is for CloudStack to provide the ability to associate multiple IP addresses per NIC
  • Users request the association/dissociation of an IP address for the guest VM NIC via the CS API/UI. CS reserves an IP and gives it to the user.
  • Users can specify the IP address from the guest subnet; if the user does not specify one, CS picks the IP from the guest subnet
  • Supported for all network configurations - Basic, Advanced and VPC
  • Allow for up to 256 IP addresses per interface
  • Configuring security groups, ELB, static NAT, LB and port forwarding on these secondary IPs (acquired private IPs) can be supported
  • Users should be able to view the VMs and associated NICs and IP addresses through the UI
  • These additional guest IPs can be NAT-able using the firewall, i.e. it should be possible to configure the NAT through the CloudPlatform UI.
  • Users need to specify which NIC the IP should be associated with, and manually configure the requested IP on that NIC in the VM. CloudStack will not configure the IP for the VM

Here is the workflow we envision:

  1. User requests a VM
       • As part of this, he requests one or more isolated networks
  2. User optionally could add more networks for the VM
  3. User "acquires guest IPs" (new feature)
       • Specifies the VM NIC to which he wants an additional IP address
       • Optionally specifies the IP address (or we automatically assign from the CIDR)
  4. Out of band (manually), he ifconfigs the acquired guest IP on a (VM, NIC)
  5. User can "acquire IP" (public IP) like he does today
       • Associate the public IP with the guest IP (CS does the NAT)
  6. "release" public IP, if acquired
  7. "release" guest IP, if acquired (cannot release if still mapped to a public IP)

The workflow is similar for shared networks.

Use case:

  • Host multiple SSL websites on a single instance. You can install multiple SSL certificates on a single instance, each associated with a distinct IP address.
  • Build network appliances. Network appliances such as firewalls and load balancers generally work best when they have access to multiple IP addresses on a network interface.
  • Move private IP addresses between interfaces or instances. Applications that are bound to specific IP addresses can be moved between instances

Design description:

Users can request additional secondary IP addresses for the guest VM NIC from CS.

Users request a secondary IP using the API/UI, and CS reserves the IP address from the VM's guest network.

The user has to manually configure this IP address on the guest VM network interface. CloudStack only reserves the IP address for the guest VM NIC.

The acquired secondary guest IPs can be NAT-able using the firewall.

The role of CS in this feature is as follows.

   CloudStack:

  1. Users request the association/dissociation of an IP address for the guest VM NIC via the CS API/UI. CS reserves an IP and gives it to the user.
  2. One NIC can be associated with multiple IP addresses.

          Note: The user can specify the IP address from the guest subnet; if not, CS picks the IP from the guest subnet.

   User Role:

  1. The user needs to manually configure the requested IP on the NIC in the VM.
  2. CloudStack will not configure the IP for the VM.
  3. The user needs to specify which NIC the IP should be associated with.

Supported networks:

  1. Advanced Isolated
  2. VPC
  3. Advanced shared
  4. Shared networks (Basic Zone) 

The secondary IPs can be configured for port forwarding, static NAT, load balancing and ELB services.

APIs:

addIpToNic: adds an IP address from the guest subnet to the NIC.

removeIpFromNic: removes the IP address reserved for the NIC.

listNics: lists the user VM NIC details; the API response also contains the secondary IP addresses of the NIC.

| API Name | API parameters | API response | Is it available for normal user |
|---|---|---|---|
| addIpToNic | nicid, ipaddress | id, nicid, ipaddress, networkid | y |
| removeIpFromNic | id | true/false | y |
| listNics | virtualmachineid, nicid | id, nicid, ipaddress (primary), list of nic secondary ip address, gateway, netmask, macaddress, ipv6addr, isdefault | y |

*parameters in bold are required

DB changes:

A new table, nic_secondary_ips, is created to store the NIC and IP address configuration.

 nic_secondary_ips:

| id | uuid | nicid | ip4_address | ip6_address | account_id | domain_id | created | vmId | networkId |
|---|---|---|---|---|---|---|---|---|---|

New columns for existing tables:

| Table Name | New column | Values | Default value | Column description |
|---|---|---|---|---|
| nics | secondary_ip | 0 - no secondary IPs; 1 - secondary IP | 0 | Identifies whether secondary IPs are set or not |
| user_ip_address | vm_ipaddr | IPv4 IP address | | VM IP address to map static NAT |

PF, Static NAT changes:

Currently there is only one (primary) IP address per NIC, so the PF and Static NAT APIs take the VM id as an argument to configure the rules on the private IP.

With this feature there will be more than one IP address per NIC, so an extra optional parameter, 'vmguestip', is added to the PF and Static NAT APIs to indicate whether the NAT is to be configured on the primary IP or a secondary IP.

If the vmguestip address is passed:

          - CS configures the NAT to that private IP

If it is not passed:

          - CS configures the NAT to the VM's primary IP address.
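The reservation rules from the requirements and the vmguestip handling above, modelled as an added example; this is not CloudStack code, and the class and method names are hypothetical. Two points are assumptions the page does not spell out: that the 256-address limit includes the primary IP, and that a vmguestip which is not reserved for the NIC is rejected.

```python
import ipaddress

MAX_IPS_PER_NIC = 256  # limit from the requirements; assumed to include the primary


class Nic:
    """Hypothetical model of a guest NIC; not CloudStack's own class."""

    def __init__(self, cidr, primary, used=()):
        self.net = ipaddress.ip_network(cidr)
        self.primary = ipaddress.ip_address(primary)
        self.secondary = set()
        self.nat = {}  # guest IP -> public IP it is mapped to
        # "used" holds addresses already taken by others in the guest network
        self.used = {ipaddress.ip_address(u) for u in used} | {self.primary}

    def add_ip(self, requested=None):
        """addIpToNic: reserve the requested IP, or pick a free one."""
        if 1 + len(self.secondary) >= MAX_IPS_PER_NIC:
            raise ValueError("NIC already holds the maximum number of IPs")
        if requested is None:  # CS picks the IP from the guest subnet
            ip = next((h for h in self.net.hosts() if h not in self.used), None)
        else:
            ip = ipaddress.ip_address(requested)
        if ip is None or ip not in self.net or ip in self.used:
            raise ValueError(f"no usable address ({ip}) in {self.net}")
        self.used.add(ip)
        self.secondary.add(ip)
        return ip

    def remove_ip(self, ip):
        """removeIpFromNic: refused while the IP is still mapped to a public IP."""
        ip = ipaddress.ip_address(ip)
        if ip not in self.secondary:
            raise ValueError(f"{ip} is not a secondary IP of this NIC")
        if ip in self.nat:
            raise ValueError(f"{ip} is still mapped to {self.nat[ip]}")
        self.secondary.remove(ip)
        self.used.remove(ip)

    def nat_target(self, vmguestip=None):
        """Pick the private IP for a PF/static NAT rule; default is primary."""
        if vmguestip is None:
            return self.primary
        ip = ipaddress.ip_address(vmguestip)
        # Assumption: only IPs reserved for this NIC may be NAT targets.
        if ip != self.primary and ip not in self.secondary:
            raise ValueError(f"{ip} is not assigned to this NIC")
        return ip
```
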

Security group changes in shared networks:

The current security group rules are configured with the VM's primary IP address, so these rules need to be updated with the secondary IP addresses.

1. Anti-spoofing rules need to be updated when a secondary IP is associated with/dissociated from a NIC.

2. When a secondary IP is associated with/dissociated from a NIC, the related security group rules based on account/security group need to be resent to reflect the IP change in this security group.
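The two updates listed above, sketched as an added example that is not CloudStack's rule format or code: it recomputes each VM's anti-spoofing set and the peer source IPs admitted by group-based ingress rules, then reports which VMs need their rules resent after a secondary IP change. The `Vm` model, the `allow_from` mapping and all function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Vm:  # hypothetical model, not CloudStack's schema
    name: str
    primary: str
    group: str
    secondary: set = field(default_factory=set)

    def ips(self):
        return {self.primary} | self.secondary


def build_rules(vms, allow_from):
    """allow_from maps a security group to the groups its ingress rules admit.
    Returns, per VM, the anti-spoofing set and the admitted peer source IPs."""
    rules = {}
    for vm in vms:
        peers = set()
        for other in vms:
            if other is not vm and other.group in allow_from.get(vm.group, ()):
                peers |= other.ips()
        rules[vm.name] = {"antispoof": vm.ips(), "ingress": peers}
    return rules


def change_secondary_ip(vms, allow_from, name, ip, associate=True):
    """Apply the change, then return the VMs whose rules differ and must be resent."""
    before = build_rules(vms, allow_from)
    vm = next(v for v in vms if v.name == name)
    (vm.secondary.add if associate else vm.secondary.discard)(ip)
    after = build_rules(vms, allow_from)
    return sorted(n for n in after if after[n] != before[n])


def egress_permitted(rules, name, src_ip):
    """Anti-spoofing check: a VM may only send from IPs reserved for its NIC."""
    return src_ip in rules[name]["antispoof"]
```

If the anti-spoofing set is not refreshed on association, traffic from the new secondary IP is dropped; if it is not refreshed on dissociation, the VM can keep sending from an address that may since have been reserved for another NIC.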

Supported Hypervisors:

  1. XenServer
  2. KVM
  3. VMware (basic zone security groups are not supported on this hypervisor)

Upgrade scenario:

On upgrade, the existing nics and user_ip_address tables are updated with the new columns above.

UI changes:

New changes:

A page for requesting an additional IP address for the guest VM is shown in the guest VM NIC details page.

On this page the user fills in the IP address (optional) and clicks the button to request association of an IP with the NIC.

This page also lists the previously configured IP addresses for this NIC.

A secondary IP address can also be removed (dissociated) from this page.

Changes to existing pages:

The PF and static NAT pages currently show only the VM to select. For this feature, the pages should show the VM to select and a drop-down with the primary and secondary IP addresses; the default is the primary IP.

Enhancements:

1. Updating Load balancing configuration for this (MIPN) feature.

2. NIC secondary IP address metadata info

Caveat:

In a shared network, how does a user know which IPs are used up and which are not? He could go through a sequence of steps only to get an error message back saying that it is not possible (and keep doing this until success). One possibility is telling him what is available. It may not be a big deal to reveal the used/unused IPs in an isolated network (although it would be hard to show what is used/available from a large CIDR), but we won't even be able to tell him what is used/unused in a shared network.

Sub tasks:

Task1: Isolated networks - 2 days 1/18/2013

Implemented basic configuration of MIPN (Multiple IP addresses per NIC) using APIs for isolated networks

Task2: Isolated networks - 2 days

Update PF, Static NAT and LB for the Isolated networks.

Task3: VPC networks  - 1 day

Implement the MIPN feature for VPC networks.

Task4: Shared networks - 2 days

Implement the MIPN feature for the shared networks using the APIs.

Task5: Shared networks - 3 to 4 days

Update the security group rules for the secondary IPs.

Task6: Advanced shared networks - 2 days

Implement the MIPN, security groups changes for Advanced shared networks.

Task7: Upgrade - 1/2 day

Adding DB changes for upgrade.

Task8: Hypervisors - 2 days   2/7/2013

Support for KVM and VMware hypervisors

Task9: Estimation - I don't have an idea

Writing the Marvin test cases for the build.


2 Comments

  1. For the removal of a secondary IP address from a NIC don't you need to specify both NIC Id and which IP address to remove?

    1. For removing it is sufficient to specify the id of secondary ip address entry in the DB.