Some of the docs use the long hand path for firewall_driver, which might not always work. Change the remaining few examples to use the short hand from setup.cfg instead.

Change-Id: I02bcf654e041ff9c1ff27e64b8493c5e13d7e479
Closes-bug: #1809578
Distributed Virtual Routing with VRRP
deploy-ovs-ha-dvr supports augmentation using Virtual Router Redundancy Protocol (VRRP). Using this configuration, virtual routers support both the --distributed and --ha options.
Similar to legacy HA routers, DVR/SNAT HA routers provide a quick failover of the SNAT service to a backup DVR/SNAT router on an l3-agent running on a different node.
SNAT high availability is implemented in a manner similar to the deploy-lb-ha-vrrp and deploy-ovs-ha-vrrp examples where keepalived uses VRRP to provide quick failover of SNAT services.
During normal operation, the primary router periodically transmits heartbeat packets over a hidden project network that connects all HA routers for a particular project.
If the DVR/SNAT backup router stops receiving these packets, it assumes failure of the primary DVR/SNAT router and promotes itself to primary router by configuring IP addresses on the interfaces in the snat namespace. In environments with more than one backup router, the rules of VRRP are followed to select a new primary router.
Warning
There is a known bug with keepalived v1.2.15 and earlier which can cause packet loss when max_l3_agents_per_router is set to 3 or more. Therefore, we recommend that you upgrade to keepalived v1.2.16 or greater when using this feature.
Configuration example
The basic deployment model consists of one controller node, two or more network nodes, and multiple compute nodes.
Controller node configuration
Add the following to /etc/neutron/neutron.conf:

    [DEFAULT]
    core_plugin = ml2
    service_plugins = router
    router_distributed = True
    l3_ha = True
    l3_ha_net_cidr = 169.254.192.0/18
    max_l3_agents_per_router = 3

When the router_distributed = True flag is configured, routers created by all users are distributed. Without it, only privileged users can create distributed routers by using --distributed True.
Similarly, when the l3_ha = True flag is configured, routers created by all users default to HA.
It follows that with these two flags set to True in the configuration file, routers created by all users will default to distributed HA routers (DVR HA).
The same can explicitly be accomplished by a user with administrative credentials setting the flags in the openstack router create command:

    $ openstack router create name-of-router --distributed --ha

Note
The max_l3_agents_per_router option determines the number of backup DVR/SNAT routers that will be instantiated.
Add the following to /etc/neutron/plugins/ml2/ml2_conf.ini:

    [ml2]
    type_drivers = flat,vxlan
    tenant_network_types = vxlan
    mechanism_drivers = openvswitch,l2population
    extension_drivers = port_security

    [ml2_type_flat]
    flat_networks = external

    [ml2_type_vxlan]
    vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID

Replace MIN_VXLAN_ID and MAX_VXLAN_ID with VXLAN ID minimum and maximum values suitable for your environment.
Note
The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network.
Network nodes
Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/openvswitch_agent.ini:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = external:br-ex

    [agent]
    enable_distributed_routing = True
    tunnel_types = vxlan
    l2_population = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks.
Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:

    [DEFAULT]
    ha_vrrp_auth_password = password
    interface_driver = openvswitch
    agent_mode = dvr_snat

Compute nodes
Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/openvswitch_agent.ini:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = external:br-ex

    [agent]
    enable_distributed_routing = True
    tunnel_types = vxlan
    l2_population = True

    [securitygroup]
    firewall_driver = iptables_hybrid

Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:

    [DEFAULT]
    interface_driver = openvswitch
    agent_mode = dvr

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks.
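
A configuration check for the settings above, as an added example that is not part of the neutron documentation or code: it parses one node's files and reports the keepalived version limit from the warning, the agent_mode expected for the node's role, and the long-hand firewall_driver form the commit message mentions. The function name, finding labels and sample values are hypothetical, and treating the literal ha_vrrp_auth_password = password as an unreplaced placeholder is an assumption.

```python
import configparser

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(text)
    return cp

def audit_dvr_ha(role, neutron_conf, l3_agent_ini, ovs_agent_ini, keepalived_version):
    """Return findings for one node; role is "network" or "compute"."""
    neutron, l3, ovs = _load(neutron_conf), _load(l3_agent_ini), _load(ovs_agent_ini)
    findings = []
    # Page warning: keepalived v1.2.15 and earlier can lose packets with 3+ agents.
    agents = neutron.getint("DEFAULT", "max_l3_agents_per_router", fallback=0)
    version = tuple(int(p) for p in keepalived_version.split("."))  # dotted numeric assumed
    if agents >= 3 and version < (1, 2, 16):
        findings.append("keepalived-too-old")
    # Network nodes run the L3 agent as dvr_snat, compute nodes as dvr.
    expected_mode = {"network": "dvr_snat", "compute": "dvr"}[role]
    if l3.get("DEFAULT", "agent_mode", fallback="") != expected_mode:
        findings.append("agent-mode-mismatch")
    # Assumption: the literal "password" in the page's l3_agent.ini is a placeholder.
    secret = l3.get("DEFAULT", "ha_vrrp_auth_password", fallback="")
    if role == "network" and secret == "password":
        findings.append("vrrp-password-placeholder")
    # Commit message: the long-hand (dotted path) firewall_driver may not work.
    if "." in ovs.get("securitygroup", "firewall_driver", fallback=""):
        findings.append("firewall-driver-long-hand")
    if ovs.get("agent", "enable_distributed_routing", fallback="").lower() != "true":
        findings.append("ovs-agent-dvr-disabled")
    return findings

# Constructed sample input modelled on the page's configuration files; the
# dotted firewall_driver value is a constructed instance of the long-hand form.
NEUTRON = "[DEFAULT]\nrouter_distributed = True\nl3_ha = True\nmax_l3_agents_per_router = 3\n"
L3_NET = ("[DEFAULT]\nha_vrrp_auth_password = password\n"
          "interface_driver = openvswitch\nagent_mode = dvr_snat\n")
OVS_LONG = ("[agent]\nenable_distributed_routing = True\n[securitygroup]\n"
            "firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver\n")

if __name__ == "__main__":
    for finding in audit_dvr_ha("network", NEUTRON, L3_NET, OVS_LONG, "1.2.15"):
        print(finding)
```
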
Keepalived VRRP health check
Known limitations
- There are certain scenarios where l2pop and distributed HA routers do not interact in an expected manner. These situations are the same that affect HA only routers and l2pop.