d2072ae0ae
Use Anchor for certificate signing to make the octavia communication more secure.

Anchor Ref url: https://github.com/openstack/anchor

Co-Authored-By: bharath <bharath.stacker@gmail.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
170 lines
8.2 KiB
ReStructuredText
================
Octavia Glossary
================
As the Octavia project evolves, it's important that people working on Octavia,
users using Octavia, and operators deploying Octavia use a common set of
terminology in order to avoid misunderstandings and confusion. To that end, we
are providing the following glossary of terms.

Note also that many of these terms are expanded upon in design documents in
this same repository. What follows is a brief but necessarily incomplete
description of these terms.

.. glossary:: :sorted:

    Amphora
        Virtual machine, container, dedicated hardware, appliance or device
        that actually performs the task of load balancing in the Octavia
        system. More specifically, an amphora takes requests from clients on
        the front-end and distributes these to back-end systems. Amphorae
        communicate with their controllers over the LB Network through a driver
        interface on the controller.

    Amphora Load Balancer Driver
        Component of the controller that does all the communication with
        amphorae. Drivers communicate with the controller through a generic
        base class and associated methods, and translate these into control
        commands appropriate for whatever type of software is running on the
        back-end amphora corresponding with the driver. This communication
        happens over the LB network.

    Anchor
        An OpenStack project providing an ephemeral PKI system (see
        https://wiki.openstack.org/wiki/Security/Projects/Anchor). In Octavia
        we can use Anchor to sign the certificates we use to authenticate/secure
        controller <-> amphora communication.

    Apolocation
        Term used to describe when two or more amphorae are not colocated on
        the same physical hardware (which is often essential in HA topologies).
        May also be used to describe two or more load balancers which are not
        colocated on the same amphora.

    Controller
        Daemon with access to both the LB Network and OpenStack components
        which coordinates and manages the overall activity of the Octavia load
        balancing system. Controllers will usually use an abstracted driver
        interface (usually a base class) for communicating with various other
        components in the OpenStack environment in order to facilitate loose
        coupling with these other components. These are the "brains" of the
        Octavia system.

    HAProxy
        Load balancing software used in the reference implementation for
        Octavia. (See http://www.haproxy.org/). HAProxy processes run on
        amphorae and actually accomplish the task of delivering the load
        balancing service.

    Health Monitor
        An object that defines a check method for each member of the pool.
        The health monitor itself is a pure-db object which describes the
        method the load balancing software on the amphora should use to
        monitor the health of back-end members of the pool with which the
        health monitor is associated.

    L7 Policy
    Layer 7 Policy
        Collection of L7 rules that get logically ANDed together as well as a
        routing policy for any given HTTP or terminated HTTPS client requests
        which match said rules. An L7 Policy is associated with exactly one
        HTTP or terminated HTTPS listener.

        For example, a user could specify an L7 policy that any client request
        that matches the L7 rule "request URI starts with '/api'" should
        get routed to the "api" pool.

    L7 Rule
    Layer 7 Rule
        Single logical expression used to match a condition present in a given
        HTTP or terminated HTTPS request. L7 rules typically match against
        a specific header or part of the URI and are used in conjunction with
        L7 policies to accomplish L7 switching. An L7 rule is associated with
        exactly one L7 policy.

        For example, a user could specify an L7 rule that matches any request
        URI path that begins with "/api".

    L7 Switching
    Layer 7 Switching
        This is a load balancing feature specific to HTTP or terminated HTTPS
        sessions, in which different client requests are routed to different
        back-end pools depending on one or more layer 7 policies the user might
        configure.

        For example, using L7 switching, a user could specify that any
        requests with a URI path that starts with "/api" get routed to the
        "api" back-end pool, and that all other requests get routed to the
        default pool.

    LB Network
        Load Balancer Network. The network over which the controller(s) and
        amphorae communicate. The LB network itself will usually be a nova or
        neutron network to which both the controller and amphorae have access,
        but is not associated with any one tenant. The LB Network is generally
        also *not* part of the undercloud and should not be directly exposed to
        any OpenStack core components other than the Octavia Controller.

    Listener
        Object representing the listening endpoint of a load balanced service.
        TCP / UDP port, as well as protocol information and other
        protocol-specific details are attributes of the listener. Notably,
        though, the IP address is not.

    Load Balancer
        Object describing a logical grouping of listeners on one or more VIPs
        and associated with one or more amphorae. (Our "Loadbalancer" most
        closely resembles a Virtual IP address in other load balancing
        implementations.) Whether the load balancer exists on more than one
        amphora depends on the topology used. The load balancer is also often
        the root object used in various Octavia APIs.

    Load Balancing
        The process of taking client requests on a front-end interface and
        distributing these to a number of back-end servers according to various
        rules. Load balancing allows for many servers to participate in
        delivering some kind of TCP or UDP service to clients in an effectively
        transparent and often highly-available and scalable way (from the
        client's perspective).

    Member
        Object representing a single back-end server or system that is a
        part of a pool. A member is associated with only one pool.

    Octavia
        Octavia is an operator-grade open source load balancing solution. Also
        known as the Octavia system or Octavia project. The term by itself
        should be used to refer to the system as a whole and not any
        individual component within the Octavia load balancing system.

    Pool
        Object representing the grouping of members to which the listener
        forwards client requests. Note that a pool is associated with only
        one listener, but a listener might refer to several pools (and switch
        between them using layer 7 policies).

    TLS Termination
    Transport Layer Security Termination
        Type of load balancing protocol where HTTPS sessions are terminated
        (decrypted) on the amphora as opposed to encrypted packets being
        forwarded on to back-end servers without being decrypted on the
        amphora. Also known as SSL termination. The main advantages to this
        type of load balancing are that the payload can be read and / or
        manipulated by the amphora, and that the expensive tasks of handling
        the encryption are off-loaded from the back-end servers. This is
        particularly useful if layer 7 switching is employed in the same
        listener configuration.

    VIP
    Virtual IP Address
        Single service IP address which is associated with a load balancer.
        This is similar to what is described here:
        http://en.wikipedia.org/wiki/Virtual_IP_address
        In a highly available load balancing topology in Octavia, the VIP might
        be assigned to several amphorae, and a layer-2 protocol like CARP,
        VRRP, or HSRP (or something unique to the networking infrastructure)
        might be used to maintain its availability. In layer-3 (routed)
        topologies, the VIP address might be assigned to an upstream networking
        device which routes packets to amphorae, which then load balance
        requests to back-end members.