path: root/etc/nova/rootwrap.d/network.filters
author: Vishvananda Ishaya <vishvananda@gmail.com> 2012-11-20 12:05:04 -0800
committer: Vishvananda Ishaya <vishvananda@gmail.com> 2012-11-26 15:17:16 -0800
commit: 5b21ba723a4fe8076022dcafef0a55de3a99b35e (patch)
tree: 9d7dfb7649987e0543220d821cc7d812a1a97224 /etc/nova/rootwrap.d/network.filters
parent: 1bd7b4248dd54c6486e8747074211566ba9c35c8 (diff)
Allow multi_host compute nodes to share dhcp ip
This adds a new flag: share_dhcp_address which if enabled in multihost mode will allow all compute nodes to share an ip on guest network. The code will isolate the address using iptables and ebtables so it is only visible to the vms.

This patch has two benefits:

a) we don't have to use an ip address from every network for each compute node. This is especially valuable in vlan mode where the networks are generally small

b) we can improve security by blocking all access to the ip on the guest network from outside the compute node. While we could do similar blocking using a different ip for each node, it makes dhcp setup much more complicated if a vm is migrated to another node.

Implements blueprint shared-dhcp-ip

Change-Id: Iaf84c0ad2848921122866956105eb44c074450dc
Diffstat (limited to 'etc/nova/rootwrap.d/network.filters')
-rw-r--r-- etc/nova/rootwrap.d/network.filters | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/nova/rootwrap.d/network.filters b/etc/nova/rootwrap.d/network.filters
index c635f12e4..3a46080fa 100644
--- a/etc/nova/rootwrap.d/network.filters
+++ b/etc/nova/rootwrap.d/network.filters
@@ -34,6 +34,11 @@ ovs-vsctl: CommandFilter, /usr/bin/ovs-vsctl, root
# nova/network/linux_net.py: 'ovs-ofctl', ....
ovs-ofctl: CommandFilter, /usr/bin/ovs-ofctl, root
+# nova/network/linux_net.py: 'ebtables', '-D' ...
+# nova/network/linux_net.py: 'ebtables', '-I' ...
+ebtables: CommandFilter, /sbin/ebtables, root
+ebtables_usr: CommandFilter, /usr/sbin/ebtables, root
+
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
iptables-save: CommandFilter, /sbin/iptables-save, root
iptables-save_usr: CommandFilter, /usr/sbin/iptables-save, root
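Review bot: the two new entries `ebtables: CommandFilter, /sbin/ebtables, root` and `ebtables_usr: CommandFilter, /usr/sbin/ebtables, root` allow the nova user to run ebtables as root with any argument list, while the comments above them document only the `-D` and `-I` call shapes from nova/network/linux_net.py; if those call sites are fixed in form, a rootwrap RegExpFilter pinned to those argument patterns would narrow the privilege granted here, and if they are not, the comment should say so. The `/sbin` plus `_usr` `/usr/sbin` pair matches the convention already used for iptables-save, so that part is consistent with the file.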