From e2060a2f0b317aadc41443accfbdc5cafae44f44 Mon Sep 17 00:00:00 2001 From: Flavio Fernandes Date: Tue, 14 Jul 2020 08:57:52 -0400 Subject: [PATCH] [ovn]: port forwarding -- documentation This is a subset of the changes for implementing the floating IP port forwarding feature in neutron, using OVN as the backend. This changeset covers the documentation updates for the feature, as well as a high-level description of how OVN implements it. Partially-implements: ovn/port_forwarding Partially-implements: blueprint portforwarding-description Partial-Bug: #1877447 Change-Id: I2059a011f650dd7070a74dc6107aab2b15ca7104 --- doc/source/admin/ovn/features.rst | 12 +++- doc/source/ovn/gaps.rst | 44 +++--------- doc/source/ovn/index.rst | 1 + doc/source/ovn/port_forwarding.rst | 105 +++++++++++++++++++++++++++++ 4 files changed, 127 insertions(+), 35 deletions(-) create mode 100644 doc/source/ovn/port_forwarding.rst diff --git a/doc/source/admin/ovn/features.rst b/doc/source/admin/ovn/features.rst index 492609646c5..8a220691e10 100644 --- a/doc/source/admin/ovn/features.rst +++ b/doc/source/admin/ovn/features.rst @@ -25,7 +25,7 @@ services: * DPDK - OVN and ovn mechanism driver may be used with OVS using either the Linux + OVN and the OVN mechanism driver may be used with OVS using either the Linux kernel datapath or the DPDK datapath. * Trunk driver @@ -36,7 +36,7 @@ services: * VLAN tenant networks - The ovn driver does support VLAN tenant networks when used + The OVN driver does support VLAN tenant networks when used with OVN version 2.11 (or higher). * DNS @@ -44,6 +44,12 @@ services: Native implementation. Since the version 2.8 OVN contains a built-in DNS implementation. +* Port Forwarding + + The OVN driver supports port forwarding as an extension of floating + IPs. Enable the 'port_forwarding' service plugin in neutron configuration + files to use this feature. + The following Neutron API extensions are supported with OVN: @@ -100,3 +106,5 @@ The following Neutron API extensions are supported with OVN: +----------------------------------+---------------------------+ | Domain Name System (DNS) | dns_integration | +----------------------------------+---------------------------+ +| Port Forwarding | port_forwarding | ++----------------------------------+---------------------------+ diff --git a/doc/source/ovn/gaps.rst b/doc/source/ovn/gaps.rst index 4e414db6a93..9a795b23223 100644 --- a/doc/source/ovn/gaps.rst +++ b/doc/source/ovn/gaps.rst @@ -8,27 +8,6 @@ It is not a complete list, but is enough to be used as a starting point for implementors working on closing these gaps. A TODO list for OVN is located at [1]_. -* Port forwarding - - Currently ML2/OVS supports Port Forwarding in the North/South plane. - Specific L4 Ports of the Floating IP can be directed to a specific - FixedIP:PortNumber of a VM, so that different services running in a VM - can be isolated, and can communicate with external networks easily. - - This is a relatively new extension, support would need to be added to OVN. - - One possible way would be to use the OVN native load balancing feature. - An OVN load balancer is expressed in the OVN northbound load_balancer - table. Normally the VIP and its members are expressed as [2]_: - - .. code-block:: console - - VIP:PORT = MEMBER1:MPORT1, MEMBER2:MPORT2 - - The same could be extended for port forwarding as: - - FIP:PORT = PRIVATE_IP:PRIV_PORT - * Security Groups logging API Currently ML2/OVS, with the OpenvSwitch firewall, supports a log file where @@ -48,9 +27,9 @@ at [1]_. Currently the Neutron L3-agent supports floating IP and gateway IP bandwidth limiting based on Linux TC. Networking-ovn L3 had a prototype - implementation [3]_ based on the meter of openvswitch [4]_ utility that + implementation [2]_ based on the meter of openvswitch [3]_ utility that has been abandoned. This is supported in user space datapath only, or - kernel versions 4.15+ [5]_. + kernel versions 4.15+ [4]_. * QoS Minimum Bandwidth support @@ -67,7 +46,7 @@ at [1]_. The core OVN DHCP server implementation does not have support for sending different boot options based on the ``gpxe`` DHCP Option (no. 175). Also, Ironic uses dnsmasq syntax when configuring the DHCP - options for Neutron [6]_ which is not understood by the OVN driver. + options for Neutron [5]_ which is not understood by the OVN driver. * Availability Zones @@ -78,7 +57,7 @@ at [1]_. to see how they would fit in the OVN model. For example, in the router availability zone case, the OVN driver should schedule the router ports on a Chassis (a "node" in OVN terms) where the availability - zones match with the router availability zones [7]_. + zones match with the router availability zones [6]_. * Routed provider networks @@ -86,17 +65,16 @@ at [1]_. represent multiple L2 domains (segments). The OVN driver does not understand this feature yet and will need to account for multiple physical networks associated with a single OVN Logical Switch (a - network in Neutron terms) [8]_. + network in Neutron terms) [7]_. References ---------- .. [1] https://github.com/ovn-org/ovn/blob/master/TODO.rst -.. [2] https://github.com/ovn-org/ovn/blob/master/ovn-nb.ovsschema#L160 -.. [3] https://review.opendev.org/#/c/539826/ -.. [4] https://github.com/openvswitch/ovs/commit/66d89287269ca7e2f7593af0920e910d7f9bcc38 -.. [5] https://github.com/torvalds/linux/blob/master/net/openvswitch/meter.h -.. [6] https://github.com/openstack/ironic/blob/123cb22c731f93d0c608d791b41e05884fe18c04/ironic/common/pxe_utils.py#L447-L462> -.. [7] https://docs.openstack.org/neutron/latest/admin/config-az.html -.. [8] https://bugs.launchpad.net/neutron/+bug/1865889 +.. [2] https://review.opendev.org/#/c/539826/ +.. [3] https://github.com/openvswitch/ovs/commit/66d89287269ca7e2f7593af0920e910d7f9bcc38 +.. [4] https://github.com/torvalds/linux/blob/master/net/openvswitch/meter.h +.. [5] https://github.com/openstack/ironic/blob/123cb22c731f93d0c608d791b41e05884fe18c04/ironic/common/pxe_utils.py#L447-L462> +.. [6] https://docs.openstack.org/neutron/latest/admin/config-az.html +.. [7] https://bugs.launchpad.net/neutron/+bug/1865889 diff --git a/doc/source/ovn/index.rst b/doc/source/ovn/index.rst index e034ccf7824..05e571520e2 100644 --- a/doc/source/ovn/index.rst +++ b/doc/source/ovn/index.rst @@ -9,6 +9,7 @@ OVN Driver :maxdepth: 1 migration.rst + port_forwarding.rst gaps.rst dhcp_opts.rst faq/index.rst diff --git a/doc/source/ovn/port_forwarding.rst b/doc/source/ovn/port_forwarding.rst new file mode 100644 index 00000000000..f0c53fc775a --- /dev/null +++ b/doc/source/ovn/port_forwarding.rst @@ -0,0 +1,105 @@ +.. _port_forwarding: + +ML2/OVN Port forwarding +======================= + +ML2/OVN supports Port Forwarding (PF) across the North/South data plane. +Specific L4 Ports of the Floating IP (FIP) can be directed to a specific +FixedIP:PortNumber of a VM, so that different services running in a VM +can be isolated, and can communicate with external networks easily. + +OVN's native load balancing (LB) feature is used for providing this +functionality. An OVN load balancer is expressed in the OVN northbound +load_balancer table for all mappings for a given FIP+protocol. All PFs +for the same FIP+protocol are kept as Virtual IP (VIP) mappings inside a +LB entry. See the diagram below for an example of how that looks like: + + .. code-block:: none + + VIP:PORT = MEMBER1:MPORT1, MEMBER2:MPORT2 + + The same is extended for port forwarding as: + + FIP:PORT = PRIVATE_IP:PRIV_PORT + + Neutron DB OVN Northbound DB + + +---------------------+ +---------------------------------+ + | Floating IP AA | | Load Balancer AA UDP | + | | | | + | +-----------------+ | | | + | | Port Forwarding | | +----------->AA:portA => internal IP1:portX | + | | | | | | | + | | External PortA +-----+ +------->AA:portB => internal IP2:portX | + | | Fixed IP1 PortX | | | | | + | | Protocol: UDP | | | +---------------------------------+ + | +-----------------+ | | + | | | +---------------------------------+ + | +-----------------+ | | | Load Balancer AA TCP | + | | Port Forwarding | | | | | + | | | | | | | + | | External PortB +---------+ +--->AA:portC => internal IP3:portX | + | | Fixed IP2 PortX | | | | | + | | Protocol: UDP | | | +---------------------------------+ + | +-----------------+ | | + | | | + | +-----------------+ | | + | | Port Forwarding | | | + | | | | | +---------------------------------+ + | | External PortC | | | | Load Balancer BB TCP | + | | Fixed IP3 PortX +-------------+ | | + | | Protocol: TCP | | | | + | +-----------------+ | +---------->BB:portD => internal IP4:portX | + | | | | | + +---------------------+ | +---------------------------------+ + | + | +-------------------+ + | | Logical Router X1 | + +---------------------+ | | | + | Floating IP BB | | | Load Balancers: | + | | | | AA UDP, AA TCP | + | +-----------------+ | | +-------------------+ + | | Port Forwarding | | | + | | | | | +-------------------+ + | | External PortD | | | | Logical Router Z1 | + | | Fixed IP4 PortX +------+ | | + | | Protocol: TCP | | | Load Balancers: | + | +-----------------+ | | BB TCP | + +---------------------+ +-------------------+ + +The OVN LB entries have names that include the id of the FIP and a protocol suffix. +That protocol portion is needed because a single FIP can have multiple UDP and TCP port +forwarding entries while a given LB entry can either be one or the other protocol (not both). +Based on that, the format used to specify an LB entry is: + + .. code-block:: ini + + pf-floatingip-- + +A revision value is present in external_ids of each OVN load balancer entry. +That number is synchronized with floating IP entries (NOT the port forwarding!) of the Neutron +database. + +In order to differentiate a load balancer entry that was created by port forwarding +vs load balancer entries maintained by ovn-octavia-provider, the external_ids field also +has an owner value: + + .. code-block:: python + + external_ids = { + ovn_const.OVN_DEVICE_OWNER_EXT_ID_KEY: PORT_FORWARDING_PLUGIN, + ovn_const.OVN_FIP_EXT_ID_KEY: pf_obj.floatingip_id, + ovn_const.OVN_ROUTER_NAME_EXT_ID_KEY: rtr_name, + neutron:revision_number: fip_obj.revision_number, + } + +The following registry (API) neutron events trigger the OVN backend to map port forwarding +into LB: + + .. code-block:: python + + @registry.receives(PORT_FORWARDING_PLUGIN, [events.AFTER_INIT]) + def register(self, resource, event, trigger, payload=None): + registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_CREATE) + registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_UPDATE) + registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_DELETE)