[ovn]: port forwarding -- documentation
This is a subset of the changes for implementing the floating IP port forwarding feature in neutron, using OVN as the backend. This changeset covers the documentation updates for the feature, as well as a high-level description of how OVN implements it. Partially-implements: ovn/port_forwarding Partially-implements: blueprint portforwarding-description Partial-Bug: #1877447 Change-Id: I2059a011f650dd7070a74dc6107aab2b15ca7104
This commit is contained in:
parent
73557abefc
commit
e2060a2f0b
@ -25,7 +25,7 @@ services:
|
|||||||
|
|
||||||
* DPDK
|
* DPDK
|
||||||
|
|
||||||
OVN and ovn mechanism driver may be used with OVS using either the Linux
|
OVN and the OVN mechanism driver may be used with OVS using either the Linux
|
||||||
kernel datapath or the DPDK datapath.
|
kernel datapath or the DPDK datapath.
|
||||||
|
|
||||||
* Trunk driver
|
* Trunk driver
|
||||||
@ -36,7 +36,7 @@ services:
|
|||||||
|
|
||||||
* VLAN tenant networks
|
* VLAN tenant networks
|
||||||
|
|
||||||
The ovn driver does support VLAN tenant networks when used
|
The OVN driver does support VLAN tenant networks when used
|
||||||
with OVN version 2.11 (or higher).
|
with OVN version 2.11 (or higher).
|
||||||
|
|
||||||
* DNS
|
* DNS
|
||||||
@ -44,6 +44,12 @@ services:
|
|||||||
Native implementation. Since the version 2.8 OVN contains a built-in
|
Native implementation. Since the version 2.8 OVN contains a built-in
|
||||||
DNS implementation.
|
DNS implementation.
|
||||||
|
|
||||||
|
* Port Forwarding
|
||||||
|
|
||||||
|
The OVN driver supports port forwarding as an extension of floating
|
||||||
|
IPs. Enable the 'port_forwarding' service plugin in neutron configuration
|
||||||
|
files to use this feature.
|
||||||
|
|
||||||
|
|
||||||
The following Neutron API extensions are supported with OVN:
|
The following Neutron API extensions are supported with OVN:
|
||||||
|
|
||||||
@ -100,3 +106,5 @@ The following Neutron API extensions are supported with OVN:
|
|||||||
+----------------------------------+---------------------------+
|
+----------------------------------+---------------------------+
|
||||||
| Domain Name System (DNS) | dns_integration |
|
| Domain Name System (DNS) | dns_integration |
|
||||||
+----------------------------------+---------------------------+
|
+----------------------------------+---------------------------+
|
||||||
|
| Port Forwarding | port_forwarding |
|
||||||
|
+----------------------------------+---------------------------+
|
||||||
|
@ -8,27 +8,6 @@ It is not a complete list, but is enough to be used as a starting point for
|
|||||||
implementors working on closing these gaps. A TODO list for OVN is located
|
implementors working on closing these gaps. A TODO list for OVN is located
|
||||||
at [1]_.
|
at [1]_.
|
||||||
|
|
||||||
* Port forwarding
|
|
||||||
|
|
||||||
Currently ML2/OVS supports Port Forwarding in the North/South plane.
|
|
||||||
Specific L4 Ports of the Floating IP can be directed to a specific
|
|
||||||
FixedIP:PortNumber of a VM, so that different services running in a VM
|
|
||||||
can be isolated, and can communicate with external networks easily.
|
|
||||||
|
|
||||||
This is a relatively new extension, support would need to be added to OVN.
|
|
||||||
|
|
||||||
One possible way would be to use the OVN native load balancing feature.
|
|
||||||
An OVN load balancer is expressed in the OVN northbound load_balancer
|
|
||||||
table. Normally the VIP and its members are expressed as [2]_:
|
|
||||||
|
|
||||||
.. code-block:: console
|
|
||||||
|
|
||||||
VIP:PORT = MEMBER1:MPORT1, MEMBER2:MPORT2
|
|
||||||
|
|
||||||
The same could be extended for port forwarding as:
|
|
||||||
|
|
||||||
FIP:PORT = PRIVATE_IP:PRIV_PORT
|
|
||||||
|
|
||||||
* Security Groups logging API
|
* Security Groups logging API
|
||||||
|
|
||||||
Currently ML2/OVS, with the OpenvSwitch firewall, supports a log file where
|
Currently ML2/OVS, with the OpenvSwitch firewall, supports a log file where
|
||||||
@ -48,9 +27,9 @@ at [1]_.
|
|||||||
|
|
||||||
Currently the Neutron L3-agent supports floating IP and gateway IP bandwidth
|
Currently the Neutron L3-agent supports floating IP and gateway IP bandwidth
|
||||||
limiting based on Linux TC. Networking-ovn L3 had a prototype
|
limiting based on Linux TC. Networking-ovn L3 had a prototype
|
||||||
implementation [3]_ based on the meter of openvswitch [4]_ utility that
|
implementation [2]_ based on the meter of openvswitch [3]_ utility that
|
||||||
has been abandoned. This is supported in user space datapath only, or
|
has been abandoned. This is supported in user space datapath only, or
|
||||||
kernel versions 4.15+ [5]_.
|
kernel versions 4.15+ [4]_.
|
||||||
|
|
||||||
* QoS Minimum Bandwidth support
|
* QoS Minimum Bandwidth support
|
||||||
|
|
||||||
@ -67,7 +46,7 @@ at [1]_.
|
|||||||
The core OVN DHCP server implementation does not have support for
|
The core OVN DHCP server implementation does not have support for
|
||||||
sending different boot options based on the ``gpxe`` DHCP Option
|
sending different boot options based on the ``gpxe`` DHCP Option
|
||||||
(no. 175). Also, Ironic uses dnsmasq syntax when configuring the DHCP
|
(no. 175). Also, Ironic uses dnsmasq syntax when configuring the DHCP
|
||||||
options for Neutron [6]_ which is not understood by the OVN driver.
|
options for Neutron [5]_ which is not understood by the OVN driver.
|
||||||
|
|
||||||
* Availability Zones
|
* Availability Zones
|
||||||
|
|
||||||
@ -78,7 +57,7 @@ at [1]_.
|
|||||||
to see how they would fit in the OVN model. For example, in the router
|
to see how they would fit in the OVN model. For example, in the router
|
||||||
availability zone case, the OVN driver should schedule the router
|
availability zone case, the OVN driver should schedule the router
|
||||||
ports on a Chassis (a "node" in OVN terms) where the availability
|
ports on a Chassis (a "node" in OVN terms) where the availability
|
||||||
zones match with the router availability zones [7]_.
|
zones match with the router availability zones [6]_.
|
||||||
|
|
||||||
* Routed provider networks
|
* Routed provider networks
|
||||||
|
|
||||||
@ -86,17 +65,16 @@ at [1]_.
|
|||||||
represent multiple L2 domains (segments). The OVN driver does not
|
represent multiple L2 domains (segments). The OVN driver does not
|
||||||
understand this feature yet and will need to account for multiple
|
understand this feature yet and will need to account for multiple
|
||||||
physical networks associated with a single OVN Logical Switch (a
|
physical networks associated with a single OVN Logical Switch (a
|
||||||
network in Neutron terms) [8]_.
|
network in Neutron terms) [7]_.
|
||||||
|
|
||||||
|
|
||||||
References
|
References
|
||||||
----------
|
----------
|
||||||
|
|
||||||
.. [1] https://github.com/ovn-org/ovn/blob/master/TODO.rst
|
.. [1] https://github.com/ovn-org/ovn/blob/master/TODO.rst
|
||||||
.. [2] https://github.com/ovn-org/ovn/blob/master/ovn-nb.ovsschema#L160
|
.. [2] https://review.opendev.org/#/c/539826/
|
||||||
.. [3] https://review.opendev.org/#/c/539826/
|
.. [3] https://github.com/openvswitch/ovs/commit/66d89287269ca7e2f7593af0920e910d7f9bcc38
|
||||||
.. [4] https://github.com/openvswitch/ovs/commit/66d89287269ca7e2f7593af0920e910d7f9bcc38
|
.. [4] https://github.com/torvalds/linux/blob/master/net/openvswitch/meter.h
|
||||||
.. [5] https://github.com/torvalds/linux/blob/master/net/openvswitch/meter.h
|
.. [5] https://github.com/openstack/ironic/blob/123cb22c731f93d0c608d791b41e05884fe18c04/ironic/common/pxe_utils.py#L447-L462>
|
||||||
.. [6] https://github.com/openstack/ironic/blob/123cb22c731f93d0c608d791b41e05884fe18c04/ironic/common/pxe_utils.py#L447-L462>
|
.. [6] https://docs.openstack.org/neutron/latest/admin/config-az.html
|
||||||
.. [7] https://docs.openstack.org/neutron/latest/admin/config-az.html
|
.. [7] https://bugs.launchpad.net/neutron/+bug/1865889
|
||||||
.. [8] https://bugs.launchpad.net/neutron/+bug/1865889
|
|
||||||
|
@ -9,6 +9,7 @@ OVN Driver
|
|||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
migration.rst
|
migration.rst
|
||||||
|
port_forwarding.rst
|
||||||
gaps.rst
|
gaps.rst
|
||||||
dhcp_opts.rst
|
dhcp_opts.rst
|
||||||
faq/index.rst
|
faq/index.rst
|
||||||
|
105
doc/source/ovn/port_forwarding.rst
Normal file
105
doc/source/ovn/port_forwarding.rst
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
.. _port_forwarding:
|
||||||
|
|
||||||
|
ML2/OVN Port forwarding
|
||||||
|
=======================
|
||||||
|
|
||||||
|
ML2/OVN supports Port Forwarding (PF) across the North/South data plane.
|
||||||
|
Specific L4 Ports of the Floating IP (FIP) can be directed to a specific
|
||||||
|
FixedIP:PortNumber of a VM, so that different services running in a VM
|
||||||
|
can be isolated, and can communicate with external networks easily.
|
||||||
|
|
||||||
|
OVN's native load balancing (LB) feature is used for providing this
|
||||||
|
functionality. An OVN load balancer is expressed in the OVN northbound
|
||||||
|
load_balancer table for all mappings for a given FIP+protocol. All PFs
|
||||||
|
for the same FIP+protocol are kept as Virtual IP (VIP) mappings inside a
|
||||||
|
LB entry. See the diagram below for an example of how that looks like:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
VIP:PORT = MEMBER1:MPORT1, MEMBER2:MPORT2
|
||||||
|
|
||||||
|
The same is extended for port forwarding as:
|
||||||
|
|
||||||
|
FIP:PORT = PRIVATE_IP:PRIV_PORT
|
||||||
|
|
||||||
|
Neutron DB OVN Northbound DB
|
||||||
|
|
||||||
|
+---------------------+ +---------------------------------+
|
||||||
|
| Floating IP AA | | Load Balancer AA UDP |
|
||||||
|
| | | |
|
||||||
|
| +-----------------+ | | |
|
||||||
|
| | Port Forwarding | | +----------->AA:portA => internal IP1:portX |
|
||||||
|
| | | | | | |
|
||||||
|
| | External PortA +-----+ +------->AA:portB => internal IP2:portX |
|
||||||
|
| | Fixed IP1 PortX | | | | |
|
||||||
|
| | Protocol: UDP | | | +---------------------------------+
|
||||||
|
| +-----------------+ | |
|
||||||
|
| | | +---------------------------------+
|
||||||
|
| +-----------------+ | | | Load Balancer AA TCP |
|
||||||
|
| | Port Forwarding | | | | |
|
||||||
|
| | | | | | |
|
||||||
|
| | External PortB +---------+ +--->AA:portC => internal IP3:portX |
|
||||||
|
| | Fixed IP2 PortX | | | | |
|
||||||
|
| | Protocol: UDP | | | +---------------------------------+
|
||||||
|
| +-----------------+ | |
|
||||||
|
| | |
|
||||||
|
| +-----------------+ | |
|
||||||
|
| | Port Forwarding | | |
|
||||||
|
| | | | | +---------------------------------+
|
||||||
|
| | External PortC | | | | Load Balancer BB TCP |
|
||||||
|
| | Fixed IP3 PortX +-------------+ | |
|
||||||
|
| | Protocol: TCP | | | |
|
||||||
|
| +-----------------+ | +---------->BB:portD => internal IP4:portX |
|
||||||
|
| | | | |
|
||||||
|
+---------------------+ | +---------------------------------+
|
||||||
|
|
|
||||||
|
| +-------------------+
|
||||||
|
| | Logical Router X1 |
|
||||||
|
+---------------------+ | | |
|
||||||
|
| Floating IP BB | | | Load Balancers: |
|
||||||
|
| | | | AA UDP, AA TCP |
|
||||||
|
| +-----------------+ | | +-------------------+
|
||||||
|
| | Port Forwarding | | |
|
||||||
|
| | | | | +-------------------+
|
||||||
|
| | External PortD | | | | Logical Router Z1 |
|
||||||
|
| | Fixed IP4 PortX +------+ | |
|
||||||
|
| | Protocol: TCP | | | Load Balancers: |
|
||||||
|
| +-----------------+ | | BB TCP |
|
||||||
|
+---------------------+ +-------------------+
|
||||||
|
|
||||||
|
The OVN LB entries have names that include the id of the FIP and a protocol suffix.
|
||||||
|
That protocol portion is needed because a single FIP can have multiple UDP and TCP port
|
||||||
|
forwarding entries while a given LB entry can either be one or the other protocol (not both).
|
||||||
|
Based on that, the format used to specify an LB entry is:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
pf-floatingip-<NEUTRON_FIP_ID>-<PROTOCOL>
|
||||||
|
|
||||||
|
A revision value is present in external_ids of each OVN load balancer entry.
|
||||||
|
That number is synchronized with floating IP entries (NOT the port forwarding!) of the Neutron
|
||||||
|
database.
|
||||||
|
|
||||||
|
In order to differentiate a load balancer entry that was created by port forwarding
|
||||||
|
vs load balancer entries maintained by ovn-octavia-provider, the external_ids field also
|
||||||
|
has an owner value:
|
||||||
|
|
||||||
|
.. code-block:: python
|
||||||
|
|
||||||
|
external_ids = {
|
||||||
|
ovn_const.OVN_DEVICE_OWNER_EXT_ID_KEY: PORT_FORWARDING_PLUGIN,
|
||||||
|
ovn_const.OVN_FIP_EXT_ID_KEY: pf_obj.floatingip_id,
|
||||||
|
ovn_const.OVN_ROUTER_NAME_EXT_ID_KEY: rtr_name,
|
||||||
|
neutron:revision_number: fip_obj.revision_number,
|
||||||
|
}
|
||||||
|
|
||||||
|
The following registry (API) neutron events trigger the OVN backend to map port forwarding
|
||||||
|
into LB:
|
||||||
|
|
||||||
|
.. code-block:: python
|
||||||
|
|
||||||
|
@registry.receives(PORT_FORWARDING_PLUGIN, [events.AFTER_INIT])
|
||||||
|
def register(self, resource, event, trigger, payload=None):
|
||||||
|
registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_CREATE)
|
||||||
|
registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_UPDATE)
|
||||||
|
registry.subscribe(self._handle_notification, PORT_FORWARDING, events.AFTER_DELETE)
|
Loading…
Reference in New Issue
Block a user