@ianunruh
Last active August 29, 2015 14:09
Neutron Distributed Virtual Router (DVR)

The L3 agent provided with Neutron uses the Linux networking stack to perform L3 forwarding and NAT between tenant networks and external networks. Before the Juno release of OpenStack, the L3 agent could only be made highly available with Pacemaker (active/passive); it could not be scaled out natively. The Juno release introduced the concept of distributed routing. With distributed routing enabled, the L3 agent runs on all the compute nodes and on a centralized "service" node.

On the compute nodes, the L3 agent provides NAT for instances that are associated with a floating IP address. This means that ingress capacity (traffic from external networks to tenant networks) scales out with each additional compute node. It also means that when an instance is migrated off a compute node (because of maintenance or failure), its floating IP address moves to the new compute node along with it.

On the service nodes, the L3 agent provides NAT for egress traffic (traffic from the tenant to external networks).

Deployment

This deployment guide assumes the following architecture.

  • 1+ service nodes
  • 1+ compute nodes
  • Flat external network
  • VXLAN tenant networks

All nodes

Prepare the Linux networking stack

  1. Edit the /etc/sysctl.conf file to contain the following parameters:

     net.ipv4.ip_forward=1
     net.ipv4.conf.all.rp_filter=0
     net.ipv4.conf.default.rp_filter=0
    
  2. Apply the changes:

     $ sysctl -p
    

Install and configure Neutron components

  1. Install packages

     $ apt-get install neutron-plugin-openvswitch-agent neutron-l3-agent
    
  2. Change /etc/neutron/neutron.conf to reflect the following:

     [DEFAULT]
     ...
     core_plugin = ml2
     service_plugins = router
     allow_overlapping_ips = True
     router_distributed = True
    
     rpc_backend = rabbit
     rabbit_host = CONTROLLER
     rabbit_password = RABBIT_PASS
    
     auth_strategy = keystone
    
     [keystone_authtoken]
     auth_uri = http://CONTROLLER:5000/v2.0
     identity_uri = http://CONTROLLER:35357
     admin_tenant_name = service
     admin_user = neutron
     admin_password = NEUTRON_PASS
    
  3. Change /etc/neutron/plugins/ml2/ml2_conf.ini to reflect the following:

     [ml2]
     type_drivers = flat,vxlan
     tenant_network_types = vxlan
     mechanism_drivers = openvswitch,l2population
    
     [ml2_type_flat]
     flat_networks = external
    
     [ml2_type_vxlan]
     vni_ranges = 1:1000
    
     [securitygroup]
     enable_security_group = True
     enable_ipset = True
     firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    
     [agent]
     enable_distributed_routing = True
     l2_population = True
     tunnel_types = vxlan
     
     [ovs]
     local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
     tunnel_type = vxlan
     tenant_network_type = vxlan
     enable_tunneling = True
     bridge_mappings = external:br-ex
    
  4. Change /etc/neutron/l3_agent.ini to reflect the following:

    On the service node, use dvr_snat for the agent mode instead of dvr.

     [DEFAULT]
     ...
     interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
     use_namespaces = True
     agent_mode = dvr
    
  5. Configure the metadata agent as normal

  6. Restart all Neutron services

     $ service neutron-plugin-openvswitch-agent restart
     $ service neutron-l3-agent restart
     $ service neutron-metadata-agent restart
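A post-deployment check, added here as an example and not part of the gist: a POSIX shell function that reads the three config files edited in the steps above and reports any DVR setting that is missing or set for the wrong node role (agent_mode dvr on compute nodes, dvr_snat on the service node). The file paths passed in and the role names "compute" and "service" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the gist: verify that the Neutron config files
# from the steps above carry the DVR settings, so a node left in legacy mode
# is noticed before it goes into service. File paths and the role names
# "compute"/"service" are assumptions of this example.

# ini_get FILE SECTION KEY: print the value of KEY under [SECTION] (last one
# wins), or nothing if it is absent. Comment lines (# or ;) are skipped.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ "^[ \t]*\\[" sec "\\][ \t]*$"); next }
        in_sec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# check_dvr_config NEUTRON_CONF ML2_CONF L3_CONF ROLE
# ROLE is "compute" (agent_mode must be dvr) or "service" (must be dvr_snat).
# Prints one line per failed check; returns 0 only if every check passed.
check_dvr_config() {
    neutron_conf=$1; ml2_conf=$2; l3_conf=$3; role=$4; rc=0
    case "$role" in
        compute) want_mode=dvr ;;
        service) want_mode=dvr_snat ;;
        *) echo "unknown role: $role"; return 2 ;;
    esac
    [ "$(ini_get "$neutron_conf" DEFAULT router_distributed)" = True ] \
        || { echo "neutron.conf: router_distributed must be True"; rc=1; }
    [ "$(ini_get "$neutron_conf" DEFAULT service_plugins)" = router ] \
        || { echo "neutron.conf: service_plugins should be router"; rc=1; }
    [ "$(ini_get "$ml2_conf" agent enable_distributed_routing)" = True ] \
        || { echo "ml2_conf.ini: [agent] enable_distributed_routing must be True"; rc=1; }
    [ "$(ini_get "$ml2_conf" agent l2_population)" = True ] \
        || { echo "ml2_conf.ini: [agent] l2_population must be True"; rc=1; }
    case ",$(ini_get "$ml2_conf" ml2 mechanism_drivers)," in
        *,l2population,*) ;;
        *) echo "ml2_conf.ini: [ml2] mechanism_drivers must include l2population"; rc=1 ;;
    esac
    [ "$(ini_get "$l3_conf" DEFAULT agent_mode)" = "$want_mode" ] \
        || { echo "l3_agent.ini: agent_mode must be $want_mode on a $role node"; rc=1; }
    return $rc
}
```

Run it on each node after the restarts, e.g. `check_dvr_config /etc/neutron/neutron.conf /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/l3_agent.ini compute`, and treat a non-zero exit as a node that must not carry tenant traffic yet.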
    

Known issues
