OVN network

OVN is a software-defined networking system that supports virtual network abstraction. You can use it to build your own private cloud. See www.ovn.org for more information.

The ovn network type allows you to create logical networks using the OVN SDN. This kind of network can be useful for labs and multi-tenant environments where the same logical subnets are used in multiple discrete networks.

A LXD OVN network can be connected to an existing managed Bridge network or Physical network to gain access to the wider network. By default, all connections from the OVN logical networks are NATed to an IP allocated from the uplink network.

See How to set up OVN with LXD for basic instructions for setting up an OVN network.

Note

Static DHCP assignments depend on the client using its MAC address as the DHCP identifier. This method prevents conflicting leases when copying an instance, and thus makes statically assigned leases work properly.

OVN networking architecture

The following figure shows the OVN network traffic flow in a LXD cluster:

Figure: OVN networking (one network)

The OVN network connects the different cluster members. Network traffic between the cluster members passes through the NIC for inter-cluster traffic (eth1 in the figure) and is transmitted through an OVN tunnel. This traffic between cluster members is referred to as OVN east/west traffic.

For outside connectivity, the OVN network requires an uplink network (a Bridge network or a Physical network). The OVN network uses a virtual router to connect to the uplink network through the NIC for uplink traffic (eth0 in the figure). The virtual router is active on only one of the cluster members, and can move to a different member at any time. Independent of where the router resides, the OVN network is available on all cluster members.

Every instance on any cluster member can connect to the OVN network through its virtual NIC (usually eth0 for containers and enp5s0 for virtual machines). The traffic between the instances and the uplink network is referred to as OVN north/south traffic.

The strengths of using OVN become apparent when looking at a networking architecture with more than one OVN network:

Figure: OVN networking (two networks)

In this case, both depicted OVN networks are completely independent. Both networks are available on all cluster members (with each virtual router being active on one random cluster member). Each instance can use either of the networks, and the traffic on either network is completely isolated from the other network.

Configuration options

The following configuration key namespaces are currently supported for the ovn network type:

  • bridge (L2 interface configuration)

  • dns (DNS server and resolution configuration)

  • ipv4 (L3 IPv4 configuration)

  • ipv6 (L3 IPv6 configuration)

  • security (network ACL configuration)

  • user (free-form key/value for user metadata)

Note

LXD uses the CIDR notation where network subnet information is required, for example, 192.0.2.0/24 or 2001:db8::/32. This does not apply to cases where a single address is required, for example, local/remote addresses of tunnels, NAT addresses or specific addresses to apply to an instance.

The following configuration options are available for the ovn network type:

bridge.hwaddr

MAC address for the bridge

Key: bridge.hwaddr
Type: string

bridge.mtu

Bridge MTU

Key: bridge.mtu
Type: integer
Default: 1442

The default value accounts for the encapsulation overhead of the Geneve tunnels used between cluster members.

dns.domain

Domain to advertise to DHCP clients and use for DNS resolution

Key: dns.domain
Type: string
Default: lxd

dns.search

Full domain search list

Key: dns.search
Type: string
Default: dns.domain value

Specify a comma-separated list of domains.

dns.zone.forward

DNS zone names for forward DNS records

Key: dns.zone.forward
Type: string

Specify a comma-separated list of DNS zone names.

dns.zone.reverse.ipv4

DNS zone name for IPv4 reverse DNS records

Key: dns.zone.reverse.ipv4
Type: string

dns.zone.reverse.ipv6

DNS zone name for IPv6 reverse DNS records

Key: dns.zone.reverse.ipv6
Type: string

ipv4.address

IPv4 address for the bridge

Key: ipv4.address
Type: string
Default: initial value on creation: auto
Condition: standard mode

Use CIDR notation.

You can set the option to none to turn off IPv4, or to auto to generate a new random unused subnet.

ipv4.dhcp

Whether to allocate IPv4 addresses using DHCP

Key: ipv4.dhcp
Type: bool
Default: true
Condition: IPv4 address

ipv4.l3only

Whether to enable layer 3 only mode for IPv4

Key: ipv4.l3only
Type: bool
Default: false
Condition: IPv4 address

ipv4.nat

Whether to use NAT for IPv4

Key: ipv4.nat
Type: bool
Default: false (initial value on creation if ipv4.address is set to auto: true)
Condition: IPv4 address

ipv4.nat.address

Source address used for outbound traffic from the network

Key: ipv4.nat.address
Type: string
Condition: IPv4 address; requires uplink ovn.ingress_mode=routed

ipv6.address

IPv6 address for the bridge

Key: ipv6.address
Type: string
Default: initial value on creation: auto
Condition: standard mode

Use CIDR notation.

You can set the option to none to turn off IPv6, or to auto to generate a new random unused subnet.

ipv6.dhcp

Whether to provide additional network configuration over DHCP

Key: ipv6.dhcp
Type: bool
Default: true
Condition: IPv6 address

ipv6.dhcp.stateful

Whether to allocate IPv6 addresses using DHCP

Key: ipv6.dhcp.stateful
Type: bool
Default: false
Condition: IPv6 DHCP

ipv6.l3only

Whether to enable layer 3 only mode for IPv6

Key: ipv6.l3only
Type: bool
Default: false
Condition: IPv6 DHCP stateful

ipv6.nat

Whether to use NAT for IPv6

Key: ipv6.nat
Type: bool
Default: false (initial value on creation if ipv6.address is set to auto: true)
Condition: IPv6 address

ipv6.nat.address

Source address used for outbound traffic from the network

Key: ipv6.nat.address
Type: string
Condition: IPv6 address; requires uplink ovn.ingress_mode=routed

network

Uplink network to use for external network access

Key: network
Type: string

security.acls

Network ACLs to apply to NICs connected to this network

Key: security.acls
Type: string

Specify a comma-separated list of network ACLs.

security.acls.default.egress.action

Default action to use for egress traffic

Key: security.acls.default.egress.action
Type: string
Default: reject
Condition: security.acls

The specified action is used for all egress traffic that doesn't match any ACL rule.

security.acls.default.egress.logged

Whether to log egress traffic that doesn't match any ACL rule

Key: security.acls.default.egress.logged
Type: bool
Default: false
Condition: security.acls

security.acls.default.ingress.action

Default action to use for ingress traffic

Key: security.acls.default.ingress.action
Type: string
Default: reject
Condition: security.acls

The specified action is used for all ingress traffic that doesn't match any ACL rule.

security.acls.default.ingress.logged

Whether to log ingress traffic that doesn't match any ACL rule

Key: security.acls.default.ingress.logged
Type: bool
Default: false
Condition: security.acls

user.*

User-provided free-form key/value pairs

Key: user.*
Type: string
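The Condition entries above describe keys that silently do nothing unless another key is set, and the CIDR note separates subnet keys from single-address keys. As an added example (not LXD's own code or its validation logic), the following Python checks a dict of ovn network keys, as shown by lxc network show, against those rules using the standard ipaddress module; the uplink-side requirement ovn.ingress_mode=routed is outside the network's own config and is only reported for manual verification.

```python
import ipaddress

# Rules derived from the option table above: which keys take CIDR and which
# take a single address, the "Condition" dependencies between keys, and the
# security.acls prerequisite for the ACL default keys. The uplink-side
# condition (ovn.ingress_mode=routed) lives in the uplink's config, so it is
# only reported as an item to verify.
ADDRESS_DEPENDENT = ("dhcp", "l3only", "nat", "nat.address")
ACL_DEFAULT_KEYS = tuple(f"security.acls.default.{d}.{k}"
                         for d in ("egress", "ingress") for k in ("action", "logged"))

def _check_family(cfg, fam, version, problems):
    addr_key = f"{fam}.address"
    addr = cfg.get(addr_key, "auto")  # creation default on the page is auto
    if addr not in ("auto", "none"):
        try:
            if "/" not in addr:
                raise ValueError("missing prefix length")
            if ipaddress.ip_interface(addr).version != version:
                raise ValueError(f"not IPv{version}")
        except ValueError as exc:
            problems.append(f"{addr_key}={addr!r}: {exc}; CIDR notation required")
    for suffix in ADDRESS_DEPENDENT:  # Condition: IPv4/IPv6 address
        if f"{fam}.{suffix}" in cfg and addr == "none":
            problems.append(f"{fam}.{suffix} set but {addr_key} is none")
    nat_key = f"{fam}.nat.address"
    if nat_key in cfg:
        try:
            if ipaddress.ip_address(cfg[nat_key]).version != version:
                raise ValueError(f"not IPv{version}")
            problems.append(f"{nat_key}: verify uplink has ovn.ingress_mode=routed")
        except ValueError as exc:
            problems.append(f"{nat_key}={cfg[nat_key]!r}: {exc}; single address required")
    if fam == "ipv6":  # Condition chain: dhcp -> dhcp.stateful -> l3only
        if "ipv6.dhcp.stateful" in cfg and cfg.get("ipv6.dhcp", "true") == "false":
            problems.append("ipv6.dhcp.stateful set but ipv6.dhcp is false")
        if "ipv6.l3only" in cfg and cfg.get("ipv6.dhcp.stateful", "false") != "true":
            problems.append("ipv6.l3only set but ipv6.dhcp.stateful is not true")

def validate_ovn_config(cfg):
    """Return the problems found in a dict of ovn network config keys/values."""
    problems = []
    _check_family(cfg, "ipv4", 4, problems)
    _check_family(cfg, "ipv6", 6, problems)
    for key in ACL_DEFAULT_KEYS:  # Condition: security.acls
        if key in cfg and not cfg.get("security.acls"):
            problems.append(f"{key} has no effect without security.acls")
    return problems
```

An empty problem list means every key present is in effect under the page's conditions; a default ACL action set without security.acls is the case most worth catching, since it gives no protection at all.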

Supported features

The following features are supported for the ovn network type: