OVN network

OVN is a software-defined networking system that supports virtual network abstraction. You can use it to build your own private cloud. See www.ovn.org for more information.

The ovn network type allows you to create logical networks using the OVN SDN. This kind of network can be useful for labs and multi-tenant environments where the same logical subnets are used in multiple discrete networks.

An Incus OVN network can be connected to an existing managed Bridge network or Physical network to gain access to the wider network. By default, all connections from the OVN logical networks are NATed to an IP allocated from the uplink network.

See How to set up OVN with Incus for basic instructions for setting up an OVN network.

Note

Static DHCP assignments depend on the client using its MAC address as the DHCP identifier. This method prevents conflicting leases when copying an instance, and thus makes statically assigned leases work properly.

Configuration options

The following configuration key namespaces are currently supported for the ovn network type:

  • bridge (L2 interface configuration)

  • dns (DNS server and resolution configuration)

  • ipv4 (L3 IPv4 configuration)

  • ipv6 (L3 IPv6 configuration)

  • security (network ACL configuration)

  • user (free-form key/value for user metadata)

Note

Incus uses the CIDR notation where network subnet information is required, for example, 192.0.2.0/24 or 2001:db8::/32. This does not apply to cases where a single address is required, for example, local/remote addresses of tunnels, NAT addresses or specific addresses to apply to an instance.

The following configuration options are available for the ovn network type:

bridge.external_interfaces

Comma-separated list of unconfigured network interfaces to include in the bridge

Key: bridge.external_interfaces
Type: string

bridge.hwaddr

MAC address for the virtual bridge interface

Key: bridge.hwaddr
Type: string

bridge.mtu

Bridge MTU (default allows host to host Geneve tunnels)

Key: bridge.mtu
Type: integer
Default: 1442

dns.domain

Domain to advertise to DHCP clients and use for DNS resolution

Key: dns.domain
Type: string
Default: incus

dns.nameservers

DNS server IPs to advertise to DHCP clients and via Router Advertisements. Both IPv4 and IPv6 addresses get pushed via DHCP, and the first IPv6 address is also advertised as RDNSS via RA.

Key: dns.nameservers
Type: string
Default: Uplink DNS servers (IPv4 and IPv6 address if no uplink is configured)

dns.search

Full comma-separated domain search list, defaulting to dns.domain value

Key: dns.search
Type: string

dns.zone.forward

Comma-separated list of DNS zone names for forward DNS records

Key: dns.zone.forward
Type: string

dns.zone.reverse.ipv4

DNS zone name for IPv4 reverse DNS records

Key: dns.zone.reverse.ipv4
Type: string

dns.zone.reverse.ipv6

DNS zone name for IPv6 reverse DNS records

Key: dns.zone.reverse.ipv6
Type: string

ipv4.address

IPv4 address for the bridge (use none to turn off IPv4 or auto to generate a new random unused subnet) (CIDR)

Key: ipv4.address
Type: string
Default: (initial value on creation: auto)
Condition: standard mode

ipv4.dhcp

Whether to allocate addresses using DHCP

Key: ipv4.dhcp
Type: bool
Default: true
Condition: IPv4 address

ipv4.dhcp.expiry

When to expire DHCP leases

Key: ipv4.dhcp.expiry
Type: string
Default: 1h
Condition: IPv4 DHCP

ipv4.dhcp.ranges

Comma-separated list of IP ranges to use for DHCP (FIRST-LAST format)

Key: ipv4.dhcp.ranges
Type: string
Default: all addresses
Condition: IPv4 DHCP

ipv4.dhcp.routes

Static routes to provide via DHCP option 121, as a comma-separated list of alternating subnets (CIDR) and gateway addresses (same syntax as dnsmasq and OVN)

Key: ipv4.dhcp.routes
Type: string
Condition: IPv4 DHCP
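
The alternating subnet/gateway list described for ipv4.dhcp.routes is what ends up on the wire as DHCP option 121 (classless static routes, RFC 3442): each destination is sent as its prefix length followed by only the significant octets, and each gateway as a full four-octet address, which is why a gateway given in CIDR form is invalid. The following is an added example, not Incus or OVN code: it parses a routes value, rejects gateways with a prefix and destinations with host bits set, and encodes and decodes the option so the exact bytes a DHCP client receives are visible. The function names and the route values are constructed for the example.

```python
"""ipv4.dhcp.routes <-> DHCP option 121 (RFC 3442 classless static routes).

Added example, not Incus or OVN code. The route values below are constructed.
"""
import ipaddress


def parse_dhcp_routes(value):
    """Parse "subnet,gateway,subnet,gateway,..." into (IPv4Network, IPv4Address) pairs.

    Subnets must be CIDR with no host bits set; gateways must be single addresses.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError("routes must alternate subnet and gateway (odd element count)")
    routes = []
    for dst, gw in zip(parts[0::2], parts[1::2]):
        if "/" not in dst:
            raise ValueError(f"destination {dst!r} must be in CIDR notation")
        if "/" in gw:
            raise ValueError(f"gateway {gw!r} must be a single address, not CIDR")
        # strict=True rejects e.g. 10.0.0.1/8 (host bits set)
        routes.append((ipaddress.IPv4Network(dst, strict=True), ipaddress.IPv4Address(gw)))
    return routes


def encode_option121(routes):
    """Encode routes as the option 121 payload: prefixlen, significant octets, gateway."""
    out = bytearray()
    for net, gw in routes:
        sig = (net.prefixlen + 7) // 8           # octets needed to carry prefixlen bits
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]  # a default route (/0) sends no octets
        out += gw.packed                         # gateway is always a full 4 octets
    return bytes(out)


def decode_option121(data):
    """Inverse of encode_option121; raises ValueError on a truncated or malformed payload."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dst = bytes(data[i:i + sig]) + b"\x00" * (4 - sig)   # pad back to 4 octets
        gw = bytes(data[i + sig:i + sig + 4])
        i += sig + 4
        routes.append((ipaddress.IPv4Network((dst, plen)), ipaddress.IPv4Address(gw)))
    return routes


def dhcp_routes_to_option121(value):
    """Config string straight to option 121 bytes."""
    return encode_option121(parse_dhcp_routes(value))


if __name__ == "__main__":
    # Constructed value: a private range plus a default route via a gateway in the subnet.
    cfg_value = "10.0.0.0/8,192.0.2.1,0.0.0.0/0,192.0.2.254"
    payload = dhcp_routes_to_option121(cfg_value)
    print(payload.hex())  # 080ac000020100c00002fe
    for net, gw in decode_option121(payload):
        print(f"{net} via {gw}")
```

The decoder deliberately keeps `strict=True` on the reconstructed network, so a payload whose destination octets carry bits beyond the stated prefix length is rejected rather than silently normalised.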

ipv4.l3only

Whether to enable layer 3 only mode.

Key: ipv4.l3only
Type: bool
Default: false
Condition: IPv4 address

ipv4.nat

Whether to NAT

Key: ipv4.nat
Type: bool
Default: false (initial value on creation if ipv4.address is set to auto: true)
Condition: IPv4 address

ipv4.nat.address

The source address used for outbound traffic from the network (requires uplink ovn.ingress_mode=routed)

Key: ipv4.nat.address
Type: string
Condition: IPv4 address

ipv6.address

IPv6 address for the bridge (use none to turn off IPv6 or auto to generate a new random unused subnet) (CIDR)

Key: ipv6.address
Type: string
Default: (initial value on creation: auto)
Condition: standard mode

ipv6.dhcp

Whether to provide additional network configuration over DHCP

Key: ipv6.dhcp
Type: bool
Default: true
Condition: IPv6 address

ipv6.dhcp.stateful

Whether to allocate addresses using DHCP

Key: ipv6.dhcp.stateful
Type: bool
Default: false
Condition: IPv6 DHCP

ipv6.l3only

Whether to enable layer 3 only mode.

Key: ipv6.l3only
Type: bool
Default: false
Condition: IPv6 DHCP stateful

ipv6.nat

Whether to NAT

Key: ipv6.nat
Type: bool
Default: false (initial value on creation if ipv6.address is set to auto: true)
Condition: IPv6 address

ipv6.nat.address

The source address used for outbound traffic from the network (requires uplink ovn.ingress_mode=routed)

Key: ipv6.nat.address
Type: string
Condition: IPv6 address

network

Uplink network to use for external network access or none to keep isolated

Key: network
Type: string

security.acls

Comma-separated list of Network ACLs to apply to NICs connected to this network

Key: security.acls
Type: string

security.acls.default.egress.action

Action to use for egress traffic that doesn’t match any ACL rule

Key: security.acls.default.egress.action
Type: string
Default: reject
Condition: security.acls

security.acls.default.egress.logged

Whether to log egress traffic that doesn’t match any ACL rule

Key: security.acls.default.egress.logged
Type: bool
Default: false
Condition: security.acls

security.acls.default.ingress.action

Action to use for ingress traffic that doesn’t match any ACL rule

Key: security.acls.default.ingress.action
Type: string
Default: reject
Condition: security.acls

security.acls.default.ingress.logged

Whether to log ingress traffic that doesn’t match any ACL rule

Key: security.acls.default.ingress.logged
Type: bool
Default: false
Condition: security.acls

user.*

User-provided free-form key/value pairs

Key: user.*
Type: string
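
The Condition entries above, together with the CIDR note earlier in this section, describe dependencies that are easy to get wrong when network creation is driven from automation: a NAT address given as a /32, a DHCP range outside the configured subnet, or an ACL default-logging key set on a network that has no ACLs attached and therefore silently does nothing. The following pre-flight validator is an added example, not part of Incus: it takes the key/value mapping that would be passed at creation time and reports violations of the type, CIDR-versus-single-address and Condition rules listed here. The accepted ACL action names (allow, reject, drop) are an assumption, since this page only documents the default reject; the ipv4.dhcp.routes syntax is not checked by this block.

```python
# Pre-flight checks for an Incus ovn network config mapping (added example, not Incus code).
import ipaddress

# Assumed accepted ACL action names; this page only documents the default, "reject".
ACL_ACTIONS = {"allow", "reject", "drop"}
NAMESPACES = ("bridge.", "dns.", "ipv4.", "ipv6.", "security.", "user.")

def _flag(cfg, key, default, errors):
    """Validate a bool-typed key and return its effective value."""
    value = cfg.get(key)
    if value is None:
        return default
    if value.strip().lower() not in ("true", "false"):
        errors.append(f"{key}: expected true/false, got {value!r}")
        return default
    return value.strip().lower() == "true"

def _requires(cfg, key, condition_met, condition, errors):
    """The Condition column: a key is only meaningful when its condition holds."""
    if key in cfg and not condition_met:
        errors.append(f"{key}: only valid with {condition}")

def _subnet(cfg, version, errors):
    """Return ipvX.address as an interface object, or None for none/auto/invalid."""
    key = f"ipv{version}.address"
    value = cfg.get(key, "auto")
    if value in ("none", "auto"):
        return None
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        iface = None
    if iface is None or "/" not in value or iface.version != version:
        errors.append(f"{key}: IPv{version} address in CIDR notation required, got {value!r}")
        return None
    return iface

def _single(cfg, key, version, errors):
    """Keys such as ipvX.nat.address take one address, never a CIDR subnet."""
    value = cfg.get(key)
    if value is None:
        return
    try:
        ok = "/" not in value and ipaddress.ip_address(value).version == version
    except ValueError:
        ok = False
    if not ok:
        errors.append(f"{key}: single IPv{version} address required (no prefix), got {value!r}")

def _ranges(cfg, iface, errors):
    """ipv4.dhcp.ranges holds FIRST-LAST entries that must lie inside the IPv4 subnet."""
    for item in [s.strip() for s in cfg.get("ipv4.dhcp.ranges", "").split(",") if s.strip()]:
        first, _, last = item.partition("-")
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        except ValueError:
            errors.append(f"ipv4.dhcp.ranges: {item!r} is not FIRST-LAST")
            continue
        if lo > hi:
            errors.append(f"ipv4.dhcp.ranges: {item} has FIRST after LAST")
        elif iface is not None and (lo not in iface.network or hi not in iface.network):
            errors.append(f"ipv4.dhcp.ranges: {item} lies outside {iface.network}")

def validate_ovn_config(cfg):
    """Return the list of problems found in cfg; an empty list means it passed."""
    errors = [f"{k}: unknown key namespace" for k in cfg
              if k != "network" and not k.startswith(NAMESPACES)]
    for v in (4, 6):
        iface = _subnet(cfg, v, errors)
        has_addr = cfg.get(f"ipv{v}.address", "auto") != "none"
        for key in (f"ipv{v}.nat", f"ipv{v}.nat.address", f"ipv{v}.dhcp"):
            _requires(cfg, key, has_addr, f"IPv{v} address", errors)
        _flag(cfg, f"ipv{v}.nat", False, errors)
        _single(cfg, f"ipv{v}.nat.address", v, errors)
        dhcp = has_addr and _flag(cfg, f"ipv{v}.dhcp", True, errors)
        if v == 4:
            for key in ("ipv4.dhcp.expiry", "ipv4.dhcp.ranges", "ipv4.dhcp.routes"):
                _requires(cfg, key, dhcp, "IPv4 DHCP", errors)
            _ranges(cfg, iface, errors)
            _requires(cfg, "ipv4.l3only", has_addr, "IPv4 address", errors)
        else:
            _requires(cfg, "ipv6.dhcp.stateful", dhcp, "IPv6 DHCP", errors)
            stateful = dhcp and _flag(cfg, "ipv6.dhcp.stateful", False, errors)
            _requires(cfg, "ipv6.l3only", stateful, "IPv6 DHCP stateful", errors)
        _flag(cfg, f"ipv{v}.l3only", False, errors)
    has_acls = bool(cfg.get("security.acls", "").strip())
    for direction in ("egress", "ingress"):
        action, logged = (f"security.acls.default.{direction}.{s}" for s in ("action", "logged"))
        _requires(cfg, action, has_acls, "security.acls", errors)
        _requires(cfg, logged, has_acls, "security.acls", errors)
        if action in cfg and cfg[action] not in ACL_ACTIONS:
            errors.append(f"{action}: unknown action {cfg[action]!r}")
        _flag(cfg, logged, False, errors)
    return errors
```

Running the checks before the network exists is the cheap place to catch them: a `security.acls.default.egress.logged` with no `security.acls` attached, for example, gives no log lines at all, which is easy to mistake for "nothing was rejected".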

Supported features

The following features are supported for the ovn network type: