May 2019 Octavia OpenStack Load Balancing New Features Deep Dive OpenStack Summit - Denver Adam Harwell - Train PTL - Verizon Media Carlos Goncalves - Red Hat Michael Johnson - Red Hat
What is Octavia? Network Load Balancing as a Service for OpenStack. ● Octavia provides scalable, on demand, and self-service access to network load balancer services, in a technology agnostic manner, for OpenStack. ● The reference load balancing driver provides a highly available load balancer that scales with your compute environment. ● Founded during the Juno release of OpenStack. ● 88 contributors from 29 companies for latest release ● Moved from a Neutron sub-project to a top level OpenStack project during the Ocata series. ● #1 Neutron feature “actively using, interested in using, or looking forward to using” for previous OpenStack user surveys.
Backup Members Backup members, sometimes called “sorry servers”, are pool members that are only used when all of the non-backup members of a pool are down. Instead of users getting an HTTP 503 error, since there are no member servers available in the pool, they will get served content from the backup member servers. These servers will typically have static content saying the “Site is down for maintenance”. These servers may not even be running in the same cloud.
Listener Timeouts User configurable timeouts were a highly requested feature. In Rocky we added: ● timeout_client_data ○ Frontend client inactivity timeout in milliseconds. Default: 50000. ● timeout_member_connect ○ Backend member connection timeout in milliseconds. Default: 5000. ● timeout_member_data ○ Backend member inactivity timeout in milliseconds. Default: 50000. ● timeout_tcp_inspect ○ Time, in milliseconds, to wait for additional TCP packets for content inspection. Default: 0. Usage examples: long-lived connections, performance optimization
Provider Drivers Provider drivers allow users to select alternate backend load balancing engine. Octavia comes with a reference driver, the amphora driver, but operators can load additional drivers or even replace the reference driver.
UDP Protocol Load Balancing ● Useful for IoT applications, such as Constrained Application Protocol (CoAP) and Data Distribution Service (DDS). ● Supports LEAST_CONNECTIONS, ROUND_ROBIN, and SOURCE_IP load balancing algorithms. ● SOURCE_IP session persistence is supported. ● A new health monitor type of UDP-CONNECT has been added. ○ This works by sending an empty packet to the UDP port. If the load balancer receives an “ICMP unreachable”, the member is considered down. If no “ICMP unreachable” is received, the member is considered up. ○ Note: Hosts, firewalls, and security groups must be carefully configured to allow the ICMP responses. ● Provides full statistics and status functionality. ● Currently does not support IPv4 VIP with IPv6 UDP members.
Octavia Dashboard Enhancements
Flavors Flavors allow administrators to define “flavors” of load balancers that users can select from at load balancer creation. Each provider driver exposes a set of “capabilities” that administrators can configure in flavors.
Flavors - Flavor Profiles Administrators can build flavor profiles with the desired provider capabilities settings. By default, flavor profiles are only visible to administrators. Usage example: abstract users from providers, offer different SLAs
Flavors - continued Finally the administrator creates the user visible flavor.
TLS Client Authentication TERMINATED_HTTPS listeners can now be configured for TLS client authentication. When an HTTPS connection is requested on the VIP, the load balancer can request a client certificate and validate it against a Certificate Authority (CA) certificate and Certificate Revocation List (CRL). There are now the following new headers the load balancer can insert into the HTTP flow when TLS client authentication is enabled: ● X-SSL-Client-Verify ● X-SSL-Issuer ● X-SSL-Client-Has-Cert ● X-SSL-Client-SHA1 ● X-SSL-Client-DN ● X-SSL-Client-Not-Before ● X-SSL-Client-CN ● X-SSL-Client-Not-After We have also added new L7 rules for TLS client authentication: ● SSL_CONN_HAS_CERT ● SSL_VERIFY_RESULT ● SSL_DN_FIELD
TLS Backend Re-Encryption Pools can now be configured to establish TLS connections to member servers. The TLS certificate presented by the member server can optionally be validated against a Certificate Authority (CA) and Certificate Revocation List (CRL). Users can also, optionally, provide a certificate that the load balancer will present to the member servers for TLS client authentication. All of the TLS certificates and CRLs are stored in a Castellan-compatible key store such as OpenStack Barbican.
Object Tags Object tags are arbitrary strings that can be associated with the load balancer objects. These tags can then be used to filter results returned by the API. Octavia supports the following query filter types: ● tags ● not-tags ● tags-any ● not-tags-any For example, if you would like to get the list of load balancers with both the “red” and “blue” tags you would request: GET /v2/lbaas/loadbalancers?tags=red,blue To get a list of load balancers that have the “red” or “blue” tag, you would request: GET /v2/lbaas/loadbalancers?tags-any=red,blue Usage example: find all resources with certain tag and run actions, track resources created by Heat.
L7 Policy REDIRECT_PREFIX Action The new L7 Policy action REDIRECT_PREFIX allows users to redirect requests to an alternate protocol and/or host while keeping the the URL path intact. For example, you might want to redirect users to a specific secure webserver: http://www.octavia.cloud/octavia/latest Can be redirected to: https://docs.openstack.org/octavia/latest
Other sessions Past • Octavia - Project Update • Tue 30, 2:10pm - 2:30pm • Video recording and slides will be published • Octavia - Project Onboarding • Tue 30, 5:10pm - 5:50pm • Video recording and slides will be published
Q&A Thank you! openstack @OpenStack openstack OpenStackFoundation
Recommend
More recommend
