neutron/doc/source/admin/deploy-lb-ha-vrrp.rst
Sławek Kapłoński b09b44608b Remove deprecated 'external_network_bridge' option
This option is deprecated and marked to be deleted in Ocata. So
as we are now in Stein development cycle I think that it's good time
to remove it.

Change-Id: I07474713206c218710544ad98c08caaa37dbf53a
2019-03-09 22:07:38 +00:00

183 lines
6.5 KiB
ReStructuredText

.. _deploy-lb-ha-vrrp:
==========================================
Linux bridge: High availability using VRRP
==========================================
.. include:: shared/deploy-ha-vrrp.txt
.. warning::
This high-availability mechanism is not compatible with the layer-2
population mechanism. You must disable layer-2 population in the
``linuxbridge_agent.ini`` file and restart the Linux bridge agent
on all existing network and compute nodes prior to deploying the example
configuration.
Prerequisites
~~~~~~~~~~~~~
Add one network node with the following components:
* Three network interfaces: management, provider, and overlay.
* OpenStack Networking layer-2 agent, layer-3 agent, and any
dependencies.
.. note::
You can keep the DHCP and metadata agents on each compute node or
move them to the network nodes.
Architecture
~~~~~~~~~~~~
.. image:: figures/deploy-lb-ha-vrrp-overview.png
:alt: High-availability using Linux bridge with VRRP - overview
The following figure shows components and connectivity for one self-service
network and one untagged (flat) network. The master router resides on network
node 1. In this particular case, the instance resides on the same compute
node as the DHCP agent for the network. If the DHCP agent resides on another
compute node, the latter only contains a DHCP namespace and Linux bridge
with a port on the overlay physical network interface.
.. image:: figures/deploy-lb-ha-vrrp-compconn1.png
:alt: High-availability using Linux bridge with VRRP - components and connectivity - one network
Example configuration
~~~~~~~~~~~~~~~~~~~~~
Use the following example configuration as a template to add support for
high-availability using VRRP to an existing operational environment that
supports self-service networks.
Controller node
---------------
#. In the ``neutron.conf`` file:
* Enable VRRP.
.. code-block:: ini
[DEFAULT]
l3_ha = True
#. Restart the following services:
* Server
Network node 1
--------------
No changes.
Network node 2
--------------
#. Install the Networking service Linux bridge layer-2 agent and layer-3
agent.
#. In the ``neutron.conf`` file, configure common options:
.. include:: shared/deploy-config-neutron-common.txt
#. In the ``linuxbridge_agent.ini`` file, configure the layer-2 agent.
.. code-block:: ini
[linux_bridge]
physical_interface_mappings = provider:PROVIDER_INTERFACE
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
[securitygroup]
firewall_driver = iptables
.. warning::
By default, Linux uses UDP port ``8472`` for VXLAN tunnel traffic. This
default value doesn't follow the IANA standard, which assigned UDP port
``4789`` for VXLAN communication. As a consequence, if this node is part
of a mixed deployment, where nodes with both OVS and Linux bridge must
communicate over VXLAN tunnels, it is recommended that a line containing
``udp_dstport = 4789`` be added to the [vxlan] section of all the Linux
bridge agents. OVS follows the IANA standard.
Replace ``PROVIDER_INTERFACE`` with the name of the underlying interface
that handles provider networks. For example, ``eth1``.
Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the
interface that handles VXLAN overlays for self-service networks.
#. In the ``l3_agent.ini`` file, configure the layer-3 agent.
.. code-block:: ini
[DEFAULT]
interface_driver = linuxbridge
#. Start the following services:
* Linux bridge agent
* Layer-3 agent
Compute nodes
-------------
No changes.
Verify service operation
------------------------
#. Source the administrative project credentials.
#. Verify presence and operation of the agents.
.. code-block:: console
$ openstack network agent list
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
| 09de6af6-c5f1-4548-8b09-18801f068c57 | Linux bridge agent | compute2 | None | True | UP | neutron-linuxbridge-agent |
| 188945d1-9e70-4803-a276-df924e0788a4 | Linux bridge agent | compute1 | None | True | UP | neutron-linuxbridge-agent |
| e76c440d-d5f6-4316-a674-d689630b629e | DHCP agent | compute1 | nova | True | UP | neutron-dhcp-agent |
| e67367de-6657-11e6-86a4-931cd04404bb | DHCP agent | compute2 | nova | True | UP | neutron-dhcp-agent |
| e8174cae-6657-11e6-89f0-534ac6d0cb5c | Metadata agent | compute1 | None | True | UP | neutron-metadata-agent |
| ece49ec6-6657-11e6-bafb-c7560f19197d | Metadata agent | compute2 | None | True | UP | neutron-metadata-agent |
| 598f6357-4331-4da5-a420-0f5be000bec9 | L3 agent | network1 | nova | True | UP | neutron-l3-agent |
| f4734e0f-bcd5-4922-a19d-e31d56b0a7ae | Linux bridge agent | network1 | None | True | UP | neutron-linuxbridge-agent |
| 670e5805-340b-4182-9825-fa8319c99f23 | Linux bridge agent | network2 | None | True | UP | neutron-linuxbridge-agent |
| 96224e89-7c15-42e9-89c4-8caac7abdd54 | L3 agent | network2 | nova | True | UP | neutron-l3-agent |
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
Create initial networks
-----------------------
.. include:: shared/deploy-ha-vrrp-initialnetworks.txt
Verify network operation
------------------------
.. include:: shared/deploy-ha-vrrp-verifynetworkoperation.txt
Verify failover operation
-------------------------
.. include:: shared/deploy-ha-vrrp-verifyfailoveroperation.txt
Keepalived VRRP health check
----------------------------
.. include:: shared/keepalived-vrrp-healthcheck.txt
Network traffic flow
~~~~~~~~~~~~~~~~~~~~
This high-availability mechanism simply augments :ref:`deploy-lb-selfservice`
with failover of layer-3 services to another router if the master router
fails. Thus, you can reference :ref:`Self-service network traffic flow
<deploy-lb-selfservice-networktrafficflow>` for normal operation.