Octavia OpenStack Load Balancing New Features Deep Dive OpenStack - - PowerPoint PPT Presentation

SLIDE 1

Octavia

OpenStack Load Balancing New Features Deep Dive OpenStack Summit - Denver

May 2019

Adam Harwell - Train PTL - Verizon Media
Carlos Goncalves - Red Hat
Michael Johnson - Red Hat

SLIDE 2

What is Octavia?

Network Load Balancing as a Service for OpenStack.

  • Octavia provides scalable, on demand, and self-service access to network load balancer services, in a technology agnostic manner, for OpenStack.
  • The reference load balancing driver provides a highly available load balancer that scales with your compute environment.
  • Founded during the Juno release of OpenStack.
  • 88 contributors from 29 companies for the latest release.
  • Moved from a Neutron sub-project to a top level OpenStack project during the Ocata series.
  • #1 Neutron feature “actively using, interested in using, or looking forward to using” for previous OpenStack user surveys.

SLIDE 3

Backup Members

Backup members, sometimes called “sorry servers”, are pool members that are only used when all of the non-backup members of a pool are down. Instead of users getting an HTTP 503 error, since there are no member servers available in the pool, they will get served content from the backup member servers. These servers will typically have static content saying the “Site is down for maintenance”. These servers may not even be running in the same cloud.

SLIDE 4

Listener Timeouts

User configurable timeouts were a highly requested feature. In Rocky we added:

  • timeout_client_data
    ○ Frontend client inactivity timeout in milliseconds. Default: 50000.
  • timeout_member_connect
    ○ Backend member connection timeout in milliseconds. Default: 5000.
  • timeout_member_data
    ○ Backend member inactivity timeout in milliseconds. Default: 50000.
  • timeout_tcp_inspect
    ○ Time, in milliseconds, to wait for additional TCP packets for content inspection. Default: 0.

Usage examples: long-lived connections, performance optimization.

SLIDE 5

Provider Drivers

Provider drivers allow users to select an alternate backend load balancing engine. Octavia comes with a reference driver, the amphora driver, but operators can load additional drivers or even replace the reference driver.

SLIDE 6

UDP Protocol Load Balancing

  • Useful for IoT applications, such as Constrained Application Protocol (CoAP) and Data Distribution Service (DDS).
  • Supports LEAST_CONNECTIONS, ROUND_ROBIN, and SOURCE_IP load balancing algorithms.
  • SOURCE_IP session persistence is supported.
  • A new health monitor type of UDP-CONNECT has been added.
    ○ This works by sending an empty packet to the UDP port. If the load balancer receives an “ICMP unreachable”, the member is considered down. If no “ICMP unreachable” is received, the member is considered up.
    ○ Note: Hosts, firewalls, and security groups must be carefully configured to allow the ICMP responses.
  • Provides full statistics and status functionality.
  • Currently does not support IPv4 VIP with IPv6 UDP members.

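The UDP-CONNECT probe logic described above, as an added example that is not part of the slides or of Octavia's own code: an empty datagram is sent to the member, and the member is DOWN only if an “ICMP unreachable” comes back (surfaced by Linux on a connected UDP socket as ConnectionRefusedError). The demo binds a constructed stand-in member on loopback; the timeout value and the loopback addresses are this example's own choices.

```python
import socket


def udp_connect_check(host: str, port: int, timeout: float = 0.5) -> bool:
    """Emulate one UDP-CONNECT health probe: True means UP, False means DOWN.

    An empty datagram is sent to the member. A closed port answers with
    "ICMP port unreachable", which Linux reports on a connected UDP socket
    as ConnectionRefusedError, so the member is DOWN. Silence (or any
    reply) until the timeout means UP; that is also why a firewall that
    drops the ICMP response makes a dead member look healthy.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket: ICMP errors are delivered
        try:
            sock.send(b"")  # the probe: an empty UDP packet
            sock.recv(1)    # a member that answers is UP too
            return True
        except ConnectionRefusedError:
            return False    # "ICMP unreachable" came back: DOWN
        except socket.timeout:
            return True     # nothing came back: UP


def demo() -> tuple:
    """Probe a constructed listening member, then the same port once closed."""
    member = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    member.bind(("127.0.0.1", 0))            # a stand-in member that never replies
    port = member.getsockname()[1]
    up = udp_connect_check("127.0.0.1", port)
    member.close()                           # now nothing listens on that port
    down = udp_connect_check("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```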
SLIDE 7

Octavia Dashboard Enhancements

SLIDE 8

Flavors

Flavors allow administrators to define “flavors” of load balancers that users can select from at load balancer creation. Each provider driver exposes a set of “capabilities” that administrators can configure in flavors.

SLIDE 9

Flavors - Flavor Profiles

Administrators can build flavor profiles with the desired provider capabilities settings. By default, flavor profiles are only visible to administrators.

Usage example: abstract users from providers, offer different SLAs.

SLIDE 10

Flavors - continued

Finally, the administrator creates the user-visible flavor.

SLIDE 11

TLS Client Authentication

TERMINATED_HTTPS listeners can now be configured for TLS client authentication. When an HTTPS connection is requested on the VIP, the load balancer can request a client certificate and validate it against a Certificate Authority (CA) certificate and Certificate Revocation List (CRL). When TLS client authentication is enabled, the load balancer can now insert the following new headers into the HTTP flow:

  • X-SSL-Client-Verify
  • X-SSL-Client-Has-Cert
  • X-SSL-Client-DN
  • X-SSL-Client-CN
  • X-SSL-Issuer
  • X-SSL-Client-SHA1
  • X-SSL-Client-Not-Before
  • X-SSL-Client-Not-After

We have also added new L7 rules for TLS client authentication:

  • SSL_CONN_HAS_CERT
  • SSL_VERIFY_RESULT
  • SSL_DN_FIELD

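How a member server behind such a listener can consume the inserted headers, as an added example (not from the slides or from Octavia itself). It assumes X-SSL-Client-Has-Cert is "1" when a certificate was presented, X-SSL-Client-Verify is the verify result code with "0" meaning the CA/CRL check passed, and DN values arrive quoted in OpenSSL one-line form; the sample headers are constructed.

```python
from typing import Dict, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line DN (assumed format: /C=US/O=Example/CN=alice).

    The load balancer is assumed to quote the value, so surrounding quotes go.
    """
    fields = {}
    for part in dn.strip().strip('"').lstrip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def client_identity(headers: Dict[str, str], trusted_issuer_cn: str) -> Optional[str]:
    """Return the authenticated client CN, or None if the request must be refused.

    Presence (Has-Cert) and validity (Verify) are checked separately: a listener
    that merely requests a certificate can report Verify "0" for a client that
    sent none, so a DN on its own proves nothing. The issuer is pinned as well.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-ssl-client-has-cert") != "1":
        return None                                   # no client certificate
    if h.get("x-ssl-client-verify") != "0":
        return None                                   # CA/CRL validation failed
    if parse_dn(h.get("x-ssl-issuer", "")).get("CN") != trusted_issuer_cn:
        return None                                   # signed by a CA we do not pin
    cn = h.get("x-ssl-client-cn", "").strip().strip('"')
    return cn or parse_dn(h.get("x-ssl-client-dn", "")).get("CN")


# Constructed sample headers, as the load balancer would insert them.
GOOD = {
    "X-SSL-Client-Has-Cert": "1",
    "X-SSL-Client-Verify": "0",
    "X-SSL-Client-DN": '"/C=US/O=Example/CN=alice"',
    "X-SSL-Client-CN": '"alice"',
    "X-SSL-Issuer": '"/O=Example/CN=Example CA"',
}
NO_CERT = dict(GOOD, **{"X-SSL-Client-Has-Cert": "0", "X-SSL-Client-CN": '""'})
EXPIRED = dict(GOOD, **{"X-SSL-Client-Verify": "10"})  # any non-zero code fails

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("no_cert", NO_CERT), ("expired", EXPIRED)):
        print(name, client_identity(hdrs, "Example CA"))
```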
SLIDE 12

TLS Backend Re-Encryption

Pools can now be configured to establish TLS connections to member servers. The TLS certificate presented by the member server can optionally be validated against a Certificate Authority (CA) and Certificate Revocation List (CRL). Users can also, optionally, provide a certificate that the load balancer will present to the member servers for TLS client authentication. All of the TLS certificates and CRLs are stored in a Castellan-compatible key store such as OpenStack Barbican.

SLIDE 13

Object Tags

Object tags are arbitrary strings that can be associated with the load balancer objects. These tags can then be used to filter results returned by the API. Octavia supports the following query filter types:

  • tags
  • tags-any
  • not-tags
  • not-tags-any

For example, if you would like to get the list of load balancers with both the “red” and “blue” tags you would request:

GET /v2/lbaas/loadbalancers?tags=red,blue

To get a list of load balancers that have the “red” or “blue” tag, you would request:

GET /v2/lbaas/loadbalancers?tags-any=red,blue

Usage example: find all resources with a certain tag and run actions, track resources created by Heat.

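The four tag filters applied to a constructed load balancer list, as an added example (not Octavia's code). The `tags` and `tags-any` semantics are the ones the slide states; `not-tags` (exclude objects carrying all listed tags) and `not-tags-any` (exclude objects carrying any listed tag) follow the Neutron tag-filter convention and are an assumption here, as is ANDing several filters in one query.

```python
from typing import Dict, List, Set
from urllib.parse import parse_qs


def parse_tag_filters(query: str) -> Dict[str, Set[str]]:
    """Turn 'tags=red,blue&not-tags-any=old' into {'tags': {'red', 'blue'}, ...}."""
    return {key: set(values[-1].split(",")) for key, values in parse_qs(query).items()
            if key in ("tags", "tags-any", "not-tags", "not-tags-any")}


def matches(lb_tags: Set[str], filters: Dict[str, Set[str]]) -> bool:
    """Apply every tag filter in the query; all of them must hold (AND, assumed).

    tags         : every listed tag is present
    tags-any     : at least one listed tag is present
    not-tags     : NOT (every listed tag is present)   [assumed, Neutron convention]
    not-tags-any : none of the listed tags is present  [assumed, Neutron convention]
    """
    checks = {
        "tags": lambda wanted: wanted <= lb_tags,
        "tags-any": lambda wanted: bool(wanted & lb_tags),
        "not-tags": lambda wanted: not wanted <= lb_tags,
        "not-tags-any": lambda wanted: not wanted & lb_tags,
    }
    return all(checks[name](wanted) for name, wanted in filters.items())


def filter_names(loadbalancers: List[dict], query: str) -> List[str]:
    """Names of the load balancers a GET /v2/lbaas/loadbalancers?<query> would return."""
    filters = parse_tag_filters(query)
    return [lb["name"] for lb in loadbalancers if matches(set(lb["tags"]), filters)]


# Constructed sample data standing in for the API's load balancer list.
SAMPLE_LBS = [
    {"name": "lb-web", "tags": ["red", "blue"]},
    {"name": "lb-api", "tags": ["red"]},
    {"name": "lb-db", "tags": ["blue", "heat"]},
    {"name": "lb-old", "tags": []},
]

if __name__ == "__main__":
    for q in ("tags=red,blue", "tags-any=red,blue", "not-tags=red,blue",
              "not-tags-any=red,blue", "tags-any=red,blue&not-tags-any=heat"):
        print(q, "->", filter_names(SAMPLE_LBS, q))
```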
SLIDE 14

L7 Policy REDIRECT_PREFIX Action

The new L7 Policy action REDIRECT_PREFIX allows users to redirect requests to an alternate protocol and/or host while keeping the URL path intact. For example, you might want to redirect users to a specific secure webserver:

http://www.octavia.cloud/octavia/latest

Can be redirected to:

https://docs.openstack.org/octavia/latest
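The redirect computation for the example above, as an added illustration that is not Octavia's own code: scheme and host (and any base path) come from the configured prefix and the request path is kept. Keeping the request's query string, and the prefix-with-base-path case, are this example's own assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def redirect_prefix(request_url: str, prefix: str) -> str:
    """Build the Location value an L7 policy with action REDIRECT_PREFIX would send.

    Scheme, host and any base path are taken from the prefix; the original
    request path is appended unchanged. Preserving the query string is an
    assumption of this example.
    """
    req = urlsplit(request_url)
    pre = urlsplit(prefix)
    path = pre.path.rstrip("/") + (req.path or "/")
    return urlunsplit((pre.scheme, pre.netloc, path, req.query, ""))


if __name__ == "__main__":
    # The slide's example: http://www.octavia.cloud/octavia/latest
    # -> https://docs.openstack.org/octavia/latest
    print(redirect_prefix("http://www.octavia.cloud/octavia/latest",
                          "https://docs.openstack.org"))
```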

SLIDE 15

Other sessions

Past

  • Octavia - Project Update
    ○ Tue 30, 2:10pm - 2:30pm
    ○ Video recording and slides will be published
  • Octavia - Project Onboarding
    ○ Tue 30, 5:10pm - 5:50pm
    ○ Video recording and slides will be published

SLIDE 16

@OpenStack

Q&A

Thank you!


OpenStackFoundation