Spec for Neutron DVR support in Fuel

Implements blueprint neutron-dvr-deployment Change-Id: I666c1d1de9e128147174abc0a178a41828ae5d93
2015-06-10 15:55:47 +03:00 · 2015-06-10 15:55:47 +03:00 · af52304690
commit af52304690
parent b4b03b8730
1 changed files with 372 additions and 0 deletions
--- a/specs/7.0/neutron-dvr-deployment.rst
+++ b/specs/7.0/neutron-dvr-deployment.rst
@ -0,0 +1,372 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ===================
 Neutron DVR support
 ===================
 https://blueprints.launchpad.net/fuel/+spec/neutron-dvr-deployment
 Neutron Distributed Virtual Router implements the L3 Routers across the
 compute nodes, so that tenants intra VM communication will occur without
 hitting the controller node. (East-West Routing)
 Also Neutron Distributed Virtual Router implements the Floating IP namespace
 on every compute node where the VMs are located. In this case the VMs with
 FloatingIPs can forward the traffic to the external network without reaching
 the controller node. (North-South Routing)
 Neutron Distributed Virtual Router provides the legacy SNAT behavior for
 the default SNAT for all private VMs. SNAT service is not distributed,
 it is centralized and the service node will host the service.
 Problem description
 ===================
 Currently Neutron L3 Routers are deployed on specific Nodes (controller nodes)
 where all the compute traffic will flow through.
 * Problem 1: Intra VM traffic flows through the controller node
  In this case even VMs traffic that belong to the same tenant on a different
  subnet has to hit the controller node to get routed between the subnets.
  This would affect performance and scalability.
 * Problem 2: VMs with FloatingIP also receive and send packets through
  the controller node routers
  Today FloatingIP (DNAT) translation is done on the controller node and
  also the external network gateway port is available only at the controller.
  So any traffic that goes to the external network from the VM will
  have to go through the controller node. In this case the controller node
  becomes a single point of failure and also the traffic will heavily load
  the controller node. This would affect the performance and scalability.
 Proposed change
 ===============
 The proposal is to distribute L3 Routers across compute nodes when required
 by VMs. This implies having external network access on each compute node.
 In this case there will be enhanced L3 Agents running on each and every
 compute node (This is not a new agent, this is an updated version of the
 existing L3 Agent). Based on the configuration in the L3 Agent.ini file,
 the enhanced L3 Agent will behave in legacy (centralized router) mode or as
 a distributed router mode.
 Also the FloatingIP will have a new namespace created on the specific
 compute node where the VM is located (this is done by L3 agent itself).
 Each Compute Node will have one new namespace for FloatingIP per external
 network that will be shared among the tenants. Additional namespace and
 external gateway port will also be created on each compute node for the
 external traffic to flow through, in case there are VMs with floating ips
 residing on this node. This port will consume additional IP address from
 external network.
 Default SNAT functionality will still be centralized and will be running on
 controller nodes.
 The Metadata agent will be distributed as well and will be hosted on all
 compute nodes and the Metadata Proxy will be hosted on all the distributed
 routers.
 This implementation is specific to ML2 with OVS driver.
 All three type of segmentation are supported: GRE, VXLAN, VLAN.
 Constraints and Limitations
 ---------------------------
 * No Distributed SNAT
  Neutron Distributed Virtual Router provides the legacy SNAT behavior for the
  default SNAT for all private VMs. SNAT service is not distributed,
  it is centralized and the service node will host the service.
  Thus current DVR architecture is not fully fault tolerant - outbound traffic
  for VMs without floating IPs is still going through one L3_agent node and
  is still prone to failures of a single node.
 * Only with ML2-OVS/L2-pop
  DVR feature is supported only by ML2 plugin with OVS mechanism driver. If
  using tunnel segmentation (VXLAN, GRE) L2 population mechanism should be
  enabled as well.
 * OVS and Kernel versions
  Proper operation of DVR requires OpenvSwitch 2.1 or newer and VXLAN requires
  kernel 3.13 or newer.
 * No bare metal support
  Distributed routers rely on local l3 agent (residing on compute node) for
  address translation, so for bare metal instances only legacy routers should
  be used.
 Deployment impact
 -----------------
 * Architecture changes
  * Neutron L3 and metadata agents will be deployed on all compute nodes and
    managed by Upstart. Agents deployment scheme on controller nodes is not
    changed.
  * All compute nodes require bridge to external network
 * Fuel Library related changes
  * Update Neutron Puppet module to support DVR-related options (L3 agent mode,
    L2 population, distributed router option). This step will be done as a part
    of blueprint upgrade-openstack-puppet-modules, when all necessary changes
    will be synced from puppet-neutron project
  * Update Cloud Networking related Puppet modules to deploy Neutron L3 and
    metadata agents on compute nodes with appropriate configuration. This step
    will likely require changes in Granular deployment to execute Neutron
    agents related granulars on compute nodes
  * update Horizon related Puppet modules to add an ability to use Neutron DVR
    options (create either centralized or distributed routers)
 * Fuel Web related changes
  * When Neutron DVR is enabled, a network scheme with external bridges on all
    compute nodes should be generated. astute.yaml possible examples:
   .. code-block:: python
      Compute nodes:
    -----------------
    network_scheme:
      endpoints:
        br-ex:
          IP: none
    -----------------
    quantum_settings:
      DVR: true
    -----------------
    Controller nodes:
    -----------------
    network_scheme:
      endpoints:
        br-ex:
          IP:
          - 172.16.0.3/24
    ----------------
    quantum_settings:
      DVR: true
    ----------------
 Alternatives
 ------------
 None
 Data model impact
 -----------------
 None
 REST API impact
 ---------------
 No FUEL REST API changes.
 Upgrade impact
 --------------
 The upgrade path from legacy to distributed router is supported. It's a 3
 step process:
 * neutron router-update router1 --admin_state_up=False
 * neutron router-update router1 --distributed=True
 * neutron router-update router1 --admin_state_up=True
 distributed->legacy upgrade is not officially supported in Kilo but it may
 work, just needs to be tested.
 Security impact
 ---------------
 None
 Notifications impact
 --------------------
 None
 Other end user impact
 ---------------------
 None
 Performance Impact
 ------------------
 Inter VM traffic between the tenant subnets doesn't need to reach the router
 in the controller node to get routed and will be routed locally from the
 compute node. This would increase the performance substantially.
 Also the Floating IP traffic for a VM from a Compute Node will directly hit
 the external network from the compute node, instead of going through the router
 on the controller node.
 Dataplane testing results from 25 bare metal nodes env show significant
 performance improvement for both East-West and North-South (with floating IPs)
 scenarios.
 Plugin impact
 -------------
 None
 Other deployer impact
 ---------------------
 None
 Developer impact
 ----------------
 None
 Infrastructure impact
 ---------------------
 None
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  obondarev
 Other contributors:
  skolekonov (DE)
  kkuznetsova (QA)
  tnurlygayanov (QA)
 Mandatory design reviewers:
  svasilenko
  vkuklin
  sgolovatiuk
 Work Items
 ----------
 * Patch fuel-lib to enable DVR by default
  * this will enable DVR testing at early stage
 * Scale testing
  * Rally scenarios
  * Shaker scenarios
  * debug
  * bug fixing/backport from upstream
 * Patch fuel-web to add ability to enable/disable DVR
  * disable DVR by default
 Dependencies
 ============
 This will likely depend on enabling l2-population for tunneling which is a
 separate effort. However we will not wait but enable l2 pop as part of DVR
 effort if needed.
 It also correlates with blueprint upgrade-openstack-puppet-modules as all
 required changes might be already in master in upstream manifests.
 Testing
 =======
 Manual Acceptance Tests
 -----------------------
 * On an environment with DVR enabled check that created router has
  “distributed “ attribute set to True via Horizon or CLI
 * Boot a VM on a subnet connected to DVR router. Check external connectivity.
 * Assign Floating IP to the VM. Check external connectivity. Ensure VM is
  reachable from external network.
 * Boot a second VM on a different subnet connected to the same router. Ensure
  inter-subnet connectivity (both VM can reach each other)
 Scale
 -----
 * Environment with DVR enabled should pass all tests currently run on Scale
  Lab with no significant performance degradation
 * No additional Rally scenarios are needed to test specifics of DVR.
 HA/Destructive Tests
 --------------------
 All existing HA/destructive tests should pass on env with DVR enabled.
 Additional scenarios should include:
 * East-West HA Test
  * Have several VM from different subnets running on different compute nodes.
    The subnets should be connected to each other and to an external network by
    a DVR router
  * Shutdown all controllers of the environment
  * Inter-subnet connectivity should be preserved: VMs from different
    subnets/compute nodes should still be able to reach each other
  * No dataplane downtime is expected
 * North-South HA Test
  * Have a VM with Floating IP running on a subnet connected to an external
    network by a DVR router
  * Shutdown all controllers of the environment.
  * External connectivity should be preserved: VMs should still be able to
    reach external network
  * No dataplane downtime is expected
 Data Plane Tests with Shaker
 ----------------------------
 Shaker scenarios should be run on a bare-metal environment with DVR enabled.
 Significant increase in performance is expected for east-west and north-south
 (with Floating IPs) topologies. Some of the results were already obtained
 (see "Performance Impact" section of the this doc)
 Documentation Impact
 ====================
 Ability to enable DVR support in Neutron should be documented in
 Fuel Deployment Guide.
 References
 ==========
 https://blueprints.launchpad.net/fuel/+spec/neutron-dvr-deployment
 https://blueprints.launchpad.net/fuel/+spec/upgrade-openstack-puppet-modules