openstack/neutron
Code Issues Proposed changes
7d64d0c116
neutron/doc/source/admin/config-dvr-ha-snat.rst
Slawek Kaplonski 4173fb6ca3 [Doc] Remove one of the known DVR HA limitations 
Migration to/from the DVR HA router is now supported
from/to all other router types. All is tests in the
neutron_tempest_plugin.scenario.test_migration module.

Change-Id: Ib156b330c12f75bdb436e64c777425acaf7a9067
2021-06-10 08:04:02 +00:00

179 lines
5.3 KiB
ReStructuredText
Raw Blame History

.. _config-dvr-snat-ha-ovs:
=====================================
Distributed Virtual Routing with VRRP
=====================================
:ref:`deploy-ovs-ha-dvr` supports augmentation
using Virtual Router Redundancy Protocol (VRRP). Using this configuration,
virtual routers support both the ``--distributed`` and ``--ha`` options.
Similar to legacy HA routers, DVR/SNAT HA routers provide a quick fail over of
the SNAT service to a backup DVR/SNAT router on an l3-agent running on a
different node.
SNAT high availability is implemented in a manner similar to the
:ref:`deploy-lb-ha-vrrp` and :ref:`deploy-ovs-ha-vrrp` examples where
``keepalived`` uses VRRP to provide quick failover of SNAT services.
During normal operation, the primary router periodically transmits *heartbeat*
packets over a hidden project network that connects all HA routers for a
particular project.
If the DVR/SNAT backup router stops receiving these packets, it assumes failure
of the primary DVR/SNAT router and promotes itself to primary router by
configuring IP addresses on the interfaces in the ``snat`` namespace. In
environments with more than one backup router, the rules of VRRP are followed
to select a new primary router.
.. warning::
There is a known bug with ``keepalived`` v1.2.15 and earlier which can
cause packet loss when ``max_l3_agents_per_router`` is set to 3 or more.
Therefore, we recommend that you upgrade to ``keepalived`` v1.2.16
or greater when using this feature.
Configuration example
~~~~~~~~~~~~~~~~~~~~~
The basic deployment model consists of one controller node, two or more network
nodes, and multiple computes nodes.
Controller node configuration
-----------------------------
#. Add the following to ``/etc/neutron/neutron.conf``:
.. code-block:: ini
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
router_distributed = True
l3_ha = True
l3_ha_net_cidr = 169.254.192.0/18
max_l3_agents_per_router = 3
When the ``router_distributed = True`` flag is configured, routers created
by all users are distributed. Without it, only privileged users can create
distributed routers by using ``--distributed True``.
Similarly, when the ``l3_ha = True`` flag is configured, routers created
by all users default to HA.
It follows that with these two flags set to ``True`` in the configuration
file, routers created by all users will default to distributed HA routers
(DVR HA).
The same can explicitly be accomplished by a user with administrative
credentials setting the flags in the :command:`openstack router create`
command:
.. code-block:: console
$ openstack router create name-of-router --distributed --ha
.. note::
The *max_l3_agents_per_router* determine the number of backup
DVR/SNAT routers which will be instantiated.
#. Add the following to ``/etc/neutron/plugins/ml2/ml2_conf.ini``:
.. code-block:: ini
[ml2]
type_drivers = flat,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = external
[ml2_type_vxlan]
vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID
Replace ``MIN_VXLAN_ID`` and ``MAX_VXLAN_ID`` with VXLAN ID minimum and
maximum values suitable for your environment.
.. note::
The first value in the ``tenant_network_types`` option becomes the
default project network type when a regular user creates a network.
Network nodes
-------------
#. Configure the Open vSwitch agent. Add the following to
``/etc/neutron/plugins/ml2/openvswitch_agent.ini``:
.. code-block:: ini
[ovs]
local_ip = TUNNEL_INTERFACE_IP_ADDRESS
bridge_mappings = external:br-ex
[agent]
enable_distributed_routing = True
tunnel_types = vxlan
l2_population = True
Replace ``TUNNEL_INTERFACE_IP_ADDRESS`` with the IP address of the interface
that handles VXLAN project networks.
#. Configure the L3 agent. Add the following to ``/etc/neutron/l3_agent.ini``:
.. code-block:: ini
[DEFAULT]
ha_vrrp_auth_password = password
interface_driver = openvswitch
agent_mode = dvr_snat
Compute nodes
-------------
#. Configure the Open vSwitch agent. Add the following to
``/etc/neutron/plugins/ml2/openvswitch_agent.ini``:
.. code-block:: ini
[ovs]
local_ip = TUNNEL_INTERFACE_IP_ADDRESS
bridge_mappings = external:br-ex
[agent]
enable_distributed_routing = True
tunnel_types = vxlan
l2_population = True
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
#. Configure the L3 agent. Add the following to ``/etc/neutron/l3_agent.ini``:
.. code-block:: ini
[DEFAULT]
interface_driver = openvswitch
agent_mode = dvr
Replace ``TUNNEL_INTERFACE_IP_ADDRESS`` with the IP address of the interface
that handles VXLAN project networks.
Keepalived VRRP health check
----------------------------
.. include:: shared/keepalived-vrrp-healthcheck.txt
Known limitations
~~~~~~~~~~~~~~~~~
* There are certain scenarios where l2pop and distributed HA routers do not
interact in an expected manner. These situations are the same that affect HA
only routers and l2pop.
View Git Blame Copy Permalink