Neutron Port Binding and Impact of Unbound Ports on DVR Routers with - - PowerPoint PPT Presentation

neutron port binding and impact of unbound ports on dvr
SMART_READER_LITE
LIVE PREVIEW

Neutron Port Binding and Impact of Unbound Ports on DVR Routers with - - PowerPoint PPT Presentation

Sep 19, 2022 42 likes •277 views

Neutron Port Binding and Impact of Unbound Ports on DVR Routers with Floating IPs Presenters Brian Haley - Red Hat Swaminathan Vasudevan - SUSE Agenda Introduction Proposed Approach to handle the Neutron Port Binding Unbound

slide-1
SLIDE 1

Neutron Port Binding and Impact of Unbound Ports on DVR Routers with Floating IPs

Presenters Brian Haley - Red Hat Swaminathan Vasudevan - SUSE

slide-2
SLIDE 2

Agenda

➢ Introduction ➢ Neutron Port Binding ➢ DVR Router scheduling ➢ Handling Floating IPs with DVR ➢ DVR Limitation on Unbound ports (Current issues with Octavia and VRRP use case) ➢ Proposed Approach to handle the Unbound ports for DVR ➢ Design considerations for unbound ports with FIP ➢ Future plans for scheduler change for Floating IPs with DVR

slide-3
SLIDE 3

Bug 1583694

https://bugs.launchpad.net/neutron/+bug/1583694

DVR support for Allowed_address_pair port that is bound to multiple ACTIVE VM ports

slide-4
SLIDE 4

Centralized Virtual Router (CVR)

br-tun

qrouter

br-ex Network Node Compute Node 1 Compute Node2 br-tun br-tun br-int

VM2 VM1

br-int br-int

VM4 VM3

Private_net Public_net

slide-5
SLIDE 5

Distributed Virtual Router (DVR)

slide-6
SLIDE 6

Floating IP

  • How to access an instance from a public network

○ DNAT from public IP to private fixed IP address

  • With Centralized Routers, floating IPs are configured on the network node
  • With Distributed Routers, they are configured on the compute node

○ Direct access to the external network Modifying port association is much different between the two!

slide-7
SLIDE 7

Allowed Address Pairs

  • Allowed address pairs is a port attribute extension that allows an arbitrary

MAC address/IP address pair to pass through a port regardless of the subnet associated with the network

  • Needed because by default neutron ports only allow traffic through that

matches the MAC address and fixed-IP fields on a port (which is done to enforce anti-spoofing)

slide-8
SLIDE 8

Virtual Router Redundancy Protocol

  • The Virtual Router Redundancy Protocol (VRRP) is a computer networking

protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts 1

  • VRRP works by having hosts participate in a group which share a configured

virtual IP address. One node is elected master and is the only node that will respond on that given address. The other nodes are slaves and just monitor the current master node periodically to ensure that it is still running.

1. https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol

slide-9
SLIDE 9

Neutron Port Binding

Port Binding

  • ML2 Port Binding for Legacy Routers.
  • ML2 Port Binding for DVR Routers

Port Binding attributes

  • device_owner
  • binding:hostid
slide-10
SLIDE 10

DVR Router Scheduling

  • DVR Routers are always scheduled to the ‘dvr_snat’ agents. (Network node)
  • Update (router_update) notifications (Create/Update and Delete) are sent to

the hosts that have valid dvr service ports based on host binding.

slide-11
SLIDE 11

DVR Scheduling

Network Node Compute Node 1 Compute Node 2 Neutron server Neutron scheduler Create router Add interface Router update Schedules Router to Network node If valid service port and host binding, Notify_host to create routers If valid service port and host binding, Notify_host to create routers FloatingIP Router update If valid service port and host binding,Notify_host to create routers Sync_data

slide-12
SLIDE 12

DVR Limitation on Unbound Ports

  • DVR routers have a tight dependency on ports host binding to be scheduled

in compute hosts.

  • Unbound Ports are untouched or unscheduled by DVR routers
  • VRRP ports or the Allowed-address-pair ports are not bound to any

permanent host.

  • When Floating IP’s are configured on an unbound port, in the case of a VRRP

port or Allowed-address-pair port, it is untouched by the agent, since the server does not send a notification message to the agents.

slide-13
SLIDE 13

Handling Floating IPs with DVR

  • Floating IPs are host bound and created when required
  • Floating IPs are implemented in the shared FIP Namespaces
  • Floating IPs require an agent gateway port on every compute node
  • Floating IPs are also created on the SNAT node’s FIP Namespace if

nova-compute is enabled on SNAT node ( Unique test only case).

slide-14
SLIDE 14

Handling Floating IPs with DVR

slide-15
SLIDE 15

Handling Floating IPs with DVR

slide-16
SLIDE 16

Design considerations for centralized vs distributing the unbound port (VRRP/Allowed-address-pair) Floating IPs

Distributed Model:

  • Slow failover

○ Compute Node -> Compute Node teardown/setup takes time.

  • Router namespace should receive the ARP update for the VRRP port
  • ARP poll for the IP in the router-namespace.
  • Trigger the GARP for the floating IP from the current host.

○ Lost gratuitous ARP can cause packet loss.

Centralized Model:

Fast failover, reliable, uses existing gateway port and no single point of failure or packet loss. Can take advantage of the DVR SNAT high availability.

slide-17
SLIDE 17

Proposed Approach to Handle Unbound Ports with DVR

  • Unbound Floating IP ports are to be scheduled to Network Node
  • Floating IP (DNAT) rules for unbound VRRP ports are to be deployed in

SNAT Namespace at the Network Node

  • The Floating IP for unbound VRRP ports utilizes the ‘qg-interface’ and there is

no need for the ‘fg-interface’ similar to the compute hosts.

  • Current patch under review:
  • https://review.openstack.org/#/c/437970/ (Server side patch)
  • https://review.openstack.org/#/c/437986/ (Agent side patch)
slide-18
SLIDE 18

DVR Scheduling for unbound ports

Network Node Compute Node 1 Compute Node 2 Neutron server Neutron scheduler Create router Add interface Router update Schedules Router to Network node If unbound port and device owner is lbaas or ‘None’ then notify snat_node to create floatingip FloatingIP Router update On get_sync_data, reply with the flag set to ‘snat_bound’

slide-19
SLIDE 19

Proposed Approach to Handle the Unbound Ports with DVR

br-int br-int br-tun br-tun br-tun

VM1 VM2 VM3 VM4

SNAT

VR VR VR

br-ex br-ex br-ex FloatingIP Allowed-Address-pair / VRRP IP Network Node Compute Node Compute Node br-int Private_net Public_net

slide-20
SLIDE 20

Network Node Namespace change for VRRP FIP

sg-interface qg-interface qr-interface qg-interface qr-interface SNAT VRRP IP DNAT br-int br-ex SNAT DNAT Network Node (‘dvr_snat’)

slide-21
SLIDE 21

Network Node Namespace with unbound port FIP and bound port FIP

sg-interface qg-interface qr-interface qg-interface qr-interface rfp-interface fpr-interface fg-interface SNAT VRRP IP DNAT br-int br-ex DNAT SNAT DNAT Network Node (‘dvr_snat’)

slide-22
SLIDE 22

Future plans for scheduling the FIP (bound ports and unbound ports)

  • Unbound ports always end up on the Network Node.
  • Bound ports with Floating IPs can be distributed or centralized based on a

config option or possibly API-based.

  • https://bugs.launchpad.net/neutron/+bug/1667877 (RFE)
slide-23
SLIDE 23

Thank You and Questions