proxmox 7.0 sdn beta test

ok, I'll wait for the next version.

We are using EfficientIP as IPam, so as soon as it is available,
I'll surely take some time to make this IPam available for proxmox.
I just sent a PoC for lxc to the dev mailing list.
The ipam management itself is already done, with internal ipam but also external ipam like netbox, phpipam, ... We just need to implement it for lxc/qemu.

BTW, if you have special needs for ipam, you can contact me directly at my email: aderumier@odiso.com. (I'm French ;)
 
We are using EfficientIP as IPam, so as soon as it is available,
Is it an open-source ipam? I haven't added support for custom plugins yet (like for storage), but it could be easy to add.

currently, ipam plugins are really simple to implement, with 5 functions:

add_subnet($subnet)
del_subnet($subnet)
add_ip($ip)
del_ip($ip)
add_next_freeip()
 
Unfortunately EfficientIP is not open source.

I've checked your code and it should be rather easy to add EfficientIP support as they have a REST API.
Even for DNS support this should not be difficult.

My idea is : when creating a VM, IPam should provide an IP within the correct subnet and register DNS with the provided VM name.
 
Unfortunately EfficientIP is not open source.

I've checked your code and it should be rather easy to add EfficientIP support as they have a REST API.
Even for DNS support this should not be difficult.
ok, so no problem here.

My idea is : when creating a VM, IPam should provide an IP within the correct subnet and register DNS with the provided VM name.
Yes, this is how I have implemented it for lxc.

It'll try to find the first available ip in the subnet(s) defined on the vnet where the nic is plugged,
and register dns with the hostname of the vm. (It's also possible to add a dns prefix per vnet (like myhostname.proxmox.mydomain.com), if you have multiple ips per vm.)

For dns, I have implemented a powerdns plugin currently.
The proxmox dns plugin is optional too (maybe EfficientIP can manage dns directly?)
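
The five plugin calls listed earlier in the thread, together with the first-free-IP allocation and DNS registration described in this post, as an added Python example that is not code from the thread or from Proxmox. The class name, the argument lists and the `zone` parameter are assumptions, and the subnet is a constructed documentation range.

```python
import ipaddress

class MemoryIpam:
    """Hypothetical in-memory IPAM exposing the five calls named in the post."""
    def __init__(self):
        self.leases = {}  # ip_network -> {ip_address: hostname}
        self.dns = {}     # fqdn -> ip_address

    def add_subnet(self, cidr):
        net = ipaddress.ip_network(cidr)
        if any(net.overlaps(known) for known in self.leases):
            raise ValueError(f"{net} overlaps a subnet already in the IPAM")
        self.leases[net] = {}

    def del_subnet(self, cidr):
        net = ipaddress.ip_network(cidr)
        if self.leases[net]:
            raise ValueError(f"{net} still has allocated addresses")
        del self.leases[net]

    def add_ip(self, ip, hostname, zone=None):
        addr = ipaddress.ip_address(ip)
        net = next((n for n in self.leases if addr in n), None)
        if net is None:
            raise ValueError(f"{addr} is outside every managed subnet")
        if addr in self.leases[net]:
            raise ValueError(f"{addr} is already held by {self.leases[net][addr]}")
        self.leases[net][addr] = hostname
        if zone:  # register the DNS name together with the lease
            self.dns[f"{hostname}.{zone}"] = addr
        return addr

    def del_ip(self, ip):  # also drops DNS records pointing at the freed address
        addr = ipaddress.ip_address(ip)
        for held in self.leases.values():
            held.pop(addr, None)
        self.dns = {name: a for name, a in self.dns.items() if a != addr}

    def add_next_freeip(self, vnet_subnets, hostname, zone=None):
        for cidr in vnet_subnets:  # subnets of the vnet, tried in order
            net = ipaddress.ip_network(cidr)
            for addr in net.hosts():
                if addr not in self.leases[net]:
                    return self.add_ip(addr, hostname, zone)
        raise RuntimeError(f"no free address left for {hostname}")

def demo():  # constructed subnet from a documentation range
    ipam = MemoryIpam()
    ipam.add_subnet("192.0.2.0/29")
    return ipam.add_next_freeip(["192.0.2.0/29"], "vm100", "proxmox.example.com")
```

Routing the allocation through `add_ip` means a manually reserved address (a gateway, for instance) and an automatically assigned one go through the same duplicate check.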
 
Yes, EfficientIP is also handling DNS records.

In fact this can be done in a single operation:
Unfortunately no perl native support, but see the python example: https://www.efficientip.com/python-library/
ok, it seems that the api has all the features needed, and it's 100% RESTful, so almost the same as the other plugins.
looking at this page:
https://www.efficientip.com/solidserver-api-for-it-automation/

I haven't found the doc about the api, but I'm seeing compatibility with openapi && swagger:
https://www.efficientip.com/wp-cont...for-IT-Swagger-2020-06-02-154006-1024x492.png

so, calling the rest server directly with a browser, should give the api endpoints && params.
 
mmm, ok, I think I understand.
Why not simply do, instead of your conf:

Code:
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp5s4f0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.100
iface vmbr0.100 inet manual
    vlan-id 100


auto vmbr1
iface vmbr1 inet static
    address 10.2.0.223/24
    gateway 10.2.0.1
    bridge-ports enp6s5f0 enp6s5f1 vmbr0.100
    bridge-stp off
    bridge-fd 0
#Downlink para gest

this (tagging vlan on physical interfaces)

Code:
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp5s4f0  enp6s5f0.100 enp6s5f1.100
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.100
iface vmbr0.100 inet static
    address 10.2.0.223/24
    gateway 10.2.0.1

or using vlan-aware feature (with ifupdown2 package)

Code:
auto enp6s5f0
iface enp6s5f0
    bridge-access 100

auto enp6s5f1
iface enp6s5f1
    bridge-access 100

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp5s4f0  enp6s5f0 enp6s5f1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.100
iface vmbr0.100 inet static
    address 10.2.0.223/24
    gateway 10.2.0.1

OK, had the opportunity to test. Applied the second option "bridge-access" because the first proposal seemed to cover a trunk scenario (tagged vlan). Checking it seems to configure the proper access mode in the required vlan:

Code:
root@bigiron:~# bridge vlan show dev enp6s5f1
port    vlan ids
enp6s5f1         100 PVID Egress Untagged

root@bigiron:~# bridge vlan show dev enp6s5f0
port    vlan ids
enp6s5f0         100 PVID Egress Untagged

Now, on the web interface I cannot see that configuration (access mode for those ports), and it makes me wonder:

1- Could I have configured that through the web interface?
2- Will it break next time I change something with the web interface?.
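
The check done by eye above (each access port carries only VLAN 100 as PVID, untagged) can be scripted against the text printed by `bridge vlan show`. This is an added Python example, not part of the original post; the function names are hypothetical and the sample output is constructed, with a trunk port included for contrast.

```python
# Constructed sample in the text format printed by `bridge vlan show`
SAMPLE = """\
port    vlan ids
enp6s5f0         100 PVID Egress Untagged
enp6s5f1         100 PVID Egress Untagged
enp5s4f0         1 PVID Egress Untagged
         2
         100
"""

def parse_bridge_vlans(text):
    """Return {port: [(vid, set_of_flags), ...]} from `bridge vlan show` text."""
    ports, current = {}, None
    for line in text.splitlines():
        if not line.strip() or (line.startswith("port") and "vlan" in line):
            continue                      # blank line or column header
        fields = line.split()
        if not line[0].isspace():         # unindented line starts a new port
            current = fields.pop(0)
            ports[current] = []
        if current is None or not fields:
            continue
        # indented continuation lines add further VLANs to the current port
        ports[current].append((fields[0], set(fields[1:])))
    return ports

def access_port_problems(ports, expected):
    """expected maps port name -> access VLAN id; returns a list of findings."""
    problems = []
    for port, vid in expected.items():
        entries = ports.get(port)
        if entries is None:
            problems.append(f"{port}: not a bridge port")
        elif len(entries) != 1:
            problems.append(f"{port}: carries {len(entries)} VLANs, expected only {vid}")
        else:
            got, flags = entries[0]
            if got != str(vid) or not {"PVID", "Untagged"} <= flags:
                problems.append(
                    f"{port}: VLAN {got} {sorted(flags)}, expected {vid} PVID untagged")
    return problems
```

An empty list from `access_port_problems(parse_bridge_vlans(output), {"enp6s5f0": 100, "enp6s5f1": 100})` confirms the access-mode configuration; running it after any change made through the web interface shows whether the `bridge-access` lines survived.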
 
Now, on the web interface I cannot see that configuration (access mode for those ports), and it makes me wonder:

1- Could I have configured that through the web interface?
2- Will it break next time I change something with the web interface?.
1) yes, bridge-access is not yet supported in the web interface, so you can't see it.
2) I'm not sure, try to do a change on any interface, the configuration should be rewritten in /etc/network/interfaces.new (and not applied), and the diff is displayed in the gui.
 
Hi,

is there any news on the SDN side ?
Is there something I can do to help ?
I have published almost all patches to pve-devel mailing list,
but they are not yet all applied.
Maybe ask the proxmox devs on the pve-devel mailing list ;)

(The last missing thing is auto ip attribution for qemu machines, I should have finished by the end of the month).
 
(The last missing thing is auto ip attribution for qemu machines, I should have finished by the end of the month).
Does this mean SDN would be moving towards production after that point or do you have some guess on what timescale it is going to production?

Also big thanks for all the effort you've done for SDN and Proxmox otherwise :)
 
Does this mean SDN would be moving towards production after that point or do you have some guess on what timescale it is going to production?

Also big thanks for all the effort you've done for SDN and Proxmox otherwise :)
I really don't know the roadmap, maybe ask the proxmox devs directly ;)

I'm still working on qemu ip allocation and cloudinit. Some part of the dev has already been applied to git, but not yet released because of other needed changes.

I'm not sure, but maybe it'll be production ready for proxmox7 when debian11 is released, but I'm hoping for a new beta soon to test subnet/ipam management.
 
Hi,

I have some bigger clean-ups still planned, especially merging a few related config files to avoid too many of those.
I plan to get that done by the next point release, if I had to guess that could be at the start of Q2.
Further (educated) guessing would be to first switch from opt-in to always installed (but still a tech preview -> no enterprise support) and one or two releases after that, when all seems stable and a bit more polished we could release it as stable.

That's my current view, SDN is a complex feature, so it always needs a bit of time to get into it to have a full picture, that and the fact that it is not out as stable yet is why it gets a bit more easily shoved to the back burner (at least for me, who has done the main review work up until now) and I hate that a bit as I find it a really cool feature. Many thanks here to @spirit who continues to pour in lots of good effort in such enterprise class features!
 
Hi,

I have some bigger clean-ups still planned, especially merging a few related config files to avoid too many of those.
I plan to get that done by the next point release, if I had to guess that could be at the start of Q2.
Don't hesitate to ask me if it needs some rework, or if I can help.

Further (educated) guessing would be to first switch from opt-in to always installed (but still a tech preview -> no enterprise support) and one or two releases after that, when all seems stable and a bit more polished we could release it as stable.

That's my current view, SDN is a complex feature, so it always needs a bit of time to get into it to have a full picture, that and the fact that it is not out as stable yet is why it gets a bit more easily shoved to the back burner (at least for me, who has done the main review work up until now) and I hate that a bit as I find it a really cool feature.
Yes, better to have something stable and polished first.

Many thanks here to @spirit who continues to pour in lots of good effort in such enterprise class features!
thanks to you for the reviews and your time ;)
 
Hi Guys,

I have picked up an issue in the latest Proxmox version. I'm trying to add a vnet to a QinQ zone with a vlan id 13; this vlan is also used in another, different QinQ zone with a different Svlan id.

Below is the error I get


create sdn vnet object failed: error during cfs-locked 'file-sdn__version' operation: tag 13 already exist in vnet broll13 at /usr/share/perl5/PVE/Network/SDN/VnetPlugin.pm line 115. (500)


pveversion -v
proxmox-ve: 6.3-1 (running kernel: 5.4.106-1-pve)
pve-manager: 6.3-6 (running version: 6.3-6/2184247e)
pve-kernel-5.4: 6.3-8
pve-kernel-helper: 6.3-8
pve-kernel-5.4.106-1-pve: 5.4.106-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.1.0-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: residual config
ifupdown2: 3.0.0-1+pve3
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.20-pve1
libproxmox-acme-perl: 1.0.8
libproxmox-backup-qemu0: 1.0.3-1
libpve-access-control: 6.1-3
libpve-apiclient-perl: 3.1-3
libpve-common-perl: 6.3-5
libpve-guest-common-perl: 3.1-5
libpve-http-server-perl: 3.1-1
libpve-network-perl: 0.4-6
libpve-storage-perl: 6.3-8
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.6-2
lxcfs: 4.0.6-pve1
novnc-pve: 1.1.0-1
openvswitch-switch: 2.12.3-1
proxmox-backup-client: 1.0.13-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.4-9
pve-cluster: 6.2-1
pve-container: 3.3-4
pve-docs: 6.3-1
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-3
pve-firmware: 3.2-2
pve-ha-manager: 3.1-1
pve-i18n: 2.3-1
pve-qemu-kvm: 5.2.0-5
pve-xtermjs: 4.7.0-3
qemu-server: 6.3-10
smartmontools: 7.2-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 2.0.4-pve1
 
Hi, yes, on the current version, the vlan tag is unique across zones.

This is fixed in the next version, where tags are unique per zone.

Thanks for the report !
 
Hello all,

is there a way to add SDN resources to a pool, like one can do with VMs and storage resources?

Cheers,
luphi
 
Hey @spirit, first off: Thanks for creating this plugin, I've been using it since November in production without any issues and this plugin made me learn so much about how SDN works (way more than my internship, which is also related to sdn, heh) and it works so well!

And now here's a question: Is it possible to use a specific failover IP for VXLAN?

Example: I have two interfaces: vmbr0 and vmbr0:1, my IP bound to vmbr0 which is sadly getting DDoS'd which can cause issues due to host providers (example: OVH, ReliableSite, etc) mitigating DDoS traffic and thinking that the VXLAN traffic is a DDoS attack.

So I wanted to route VXLAN traffic with my failover IP bound to "vmbr0:1", and because it is on a different IP, it won't be attacked by pesky DDoS attacks... but how can I do that?
 
