The correct name of this post is supposed to be "Nova and Neutron workflow && CLI for HAProxy/Keepalived 3 Node Controller RDO Liberty in an appropriate amount of detail". It follows up http://lxer.com/module/newswire/view/222164/index.html . The whole environment has been built via the Nova and Neutron CLI (no Horizon involvement).
The Neutron workflow on the Controller is described, including the OVS flow rules on the external bridge created by the flat external network provider, with the eth0 external interface as a VLAN OVS port of bridge br-eth0.
First create keystonerc_admin to give the admin user the ability to manage the cloud via the CLI. Note that this file holds the admin password in clear text and reads the service token from /root/keystone_service_token, so keep it (and the token file) readable by root only.
[root@hacontroller1 ~(keystone_admin)]# cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PROJECT_NAME=admin
export OS_REGION_NAME=regionOne
export OS_PASSWORD=keystonetest
export OS_AUTH_URL=http://controller-vip.example.com:35357/v2.0/
export OS_SERVICE_ENDPOINT=http://controller-vip.example.com:35357/v2.0
export OS_SERVICE_TOKEN=$(cat /root/keystone_service_token)
export PS1='[\u@\h \W(keystone_admin)]\$ '
The Neutron workflow on the Controller is described, including the OVS flow rules on the external bridge created by the flat external network provider, with the eth0 external interface as a VLAN OVS port of bridge br-eth0.
First create keystonerc_admin to give the admin user the ability to manage the cloud via the CLI.
[root@hacontroller1 ~(keystone_admin)]# cat keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PROJECT_NAME=admin
export OS_REGION_NAME=regionOne
export OS_PASSWORD=keystonetest
export OS_AUTH_URL=http://controller-vip.example.com:35357/v2.0/
export OS_SERVICE_ENDPOINT=http://controller-vip.example.com:35357/v2.0
export OS_SERVICE_TOKEN=$(cat /root/keystone_service_token)
export PS1='[\u@\h \W(keystone_admin)]\$ '
[root@hacontroller1 ~(keystone_admin)]# cat keystonerc_demo
export OS_USERNAME=demo
export OS_TENANT_NAME=demo
export OS_PROJECT_NAME=demo
export OS_REGION_NAME=regionOne
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://controller-vip.example.com:5000/v2.0/
export PS1='[\u@\h \W(keystone_demo)]\$ '
[root@hacontroller1 ~(keystone_admin)]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| b2be742697534c3188bdc5ec56038853 | admin | True |
| efe017b919c1487bab8c58281fcaceeb | demo | True |
| 4cd322b30ca947eeb86c0a883e549a27 | services | True |
+----------------------------------+----------+---------+
****************************************************
Creating HA Neutron router belonging to tenant demo
****************************************************
[root@hacontroller1 ~(keystone_admin)]# neutron router-create --ha True \
--tenant-id efe017b919c1487bab8c58281fcaceeb RouterDMS
[root@hacontroller1 ~(keystone_admin)]# neutron l3-agent-list-hosting-router RouterDMS
+--------------------------------------+---------------------------+----------------+-------+----------+
| id | host | admin_state_up | alive | ha_state |
+--------------------------------------+---------------------------+----------------+-------+----------+
| 9c83e688-e7b4-4101-97df-844510d0ee52 | hacontroller1.example.com | True | :-) | active |
| a7bdf03e-4550-4f1b-ae6f-25744894086d | hacontroller2.example.com | True | :-) | standby |
+--------------------------------------+---------------------------+----------------+-------+-------
**************************************
Creating private network as demo
**************************************
[root@hacontroller2 ~(keystone_demo)]# neutron net-create private
[root@hacontroller2 ~(keystone_demo)]# neutron subnet-create private \
30.0.0.0/24 --dns_nameservers list=true 83.221.202.254
**************************************
Creating public network as admin
**************************************
[root@hacontroller1 ~(keystone_admin)]# neutron net-create public --shared \
--provider:network_type flat --provider:physical_network physnet1 --router:external
[root@hacontroller1 ~(keystone_admin)]# neutron subnet-create --gateway 10.10.10.1 \
--allocation-pool start=10.10.10.100,end=10.10.10.150 --disable-dhcp \
--name public_subnet public 10.10.10.0/24
[root@hacontroller1 neutron(keystone_demo)]# cat l3_agent.ini | grep -v ^# | grep -v ^$
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
handle_internal_only_routers = True
send_arp_for_ha = 3
metadata_ip = controller-vip.example.com
external_network_bridge =
[AGENT]
[root@hacontroller1 ml2(keystone_admin)]# cat openvswitch_agent.ini | grep -v ^#|grep -v ^$
[ovs]
local_ip = 192.169.142.221
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
bridge_mappings = physnet1:br-eth0
network_vlan_ranges = physnet1
[agent]
tunnel_types = vxlan
vxlan_udp_port = 4789
l2_population = False
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
When "external_network_bridge =" is left empty, Neutron places the external
interface of the router into the OVS bridge specified by the
"provider_network" provider attribute of the Neutron network (here
`--provider:physical_network physnet1`, which `bridge_mappings = physnet1:br-eth0`
maps to br-eth0). Traffic is processed by Open vSwitch flow rules. In this
configuration it is possible to use flat and VLAN provider networks.
[root@hacontroller1 ~(keystone_admin)]# ovs-ofctl show br-eth0
OFPT_FEATURES_REPLY (xid=0x2): dpid:00003e31a75b624a
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst mod_nw_src mod_nw_dst mod_nw_tos mod_tp_src mod_tp_dst
1(eth0): addr:52:54:00:41:74:39
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
2(phy-br-eth0): addr:de:0e:37:e4:28:49
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
LOCAL(br-eth0): addr:3e:31:a7:5b:62:4a
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
[root@hacontroller1 ~(keystone_admin)]# ovs-ofctl dump-flows br-eth0
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=6785.707s, table=0, n_packets=18476, n_bytes=1202867, idle_age=3, priority=4,
in_port=2,dl_vlan=3 actions=strip_vlan,NORMAL <==== VLAN tag is stripped
cookie=0x0, duration=6977.001s, table=0, n_packets=13639, n_bytes=766402, idle_age=1, priority=2,in_port=2 actions=drop
cookie=0x0, duration=6977.041s, table=0, n_packets=11557, n_bytes=10607506, idle_age=1, priority=0 actions=NORMAL
[root@hacontroller1 ~(keystone_admin)]# ovs-vsctl show
eae701a9-447e-4b75-98b5-4f7ce026ddbb
Bridge br-tun
fail_mode: secure
Port "vxlan-c0a98ee0"
Interface "vxlan-c0a98ee0"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="192.169.142.221", out_key=flow, remote_ip="192.169.142.224"}
Port br-tun
Interface br-tun
type: internal
Port "vxlan-c0a98ede"
Interface "vxlan-c0a98ede"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="192.169.142.221", out_key=flow, remote_ip="192.169.142.222"}
Port "vxlan-c0a98edf"
Interface "vxlan-c0a98edf"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="192.169.142.221", out_key=flow, remote_ip="192.169.142.223"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge "br-eth0"
Port "br-eth0"
Interface "br-eth0"
type: internal
Port "eth0"
Interface "eth0"<=============
Port "phy-br-eth0"
Interface "phy-br-eth0"
type: patch
options: {peer="int-br-eth0"}
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "ha-013404f6-0b"
tag: 2
Interface "ha-013404f6-0b"
type: internal
Port "int-br-eth0"
Interface "int-br-eth0"
type: patch
options: {peer="phy-br-eth0"}
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "qr-dd6507fd-73"
tag: 1
Interface "qr-dd6507fd-73"
type: internal
Port "qg-a37e106e-70" ===============>
tag: 3
Interface "qg-a37e106e-70"
type: internal
Port "tap7e8e240c-aa"
tag: 1
Interface "tap7e8e240c-aa"
type: internal
ovs_version: "2.4.0"
The packet exits the qg-a37e106e-70 interface (the outgoing interface of the
corresponding qrouter namespace, which is attached to br-int because the external network provider is involved),
where it is assigned the VLAN tag associated with the external network, 3.
The packet is delivered to the external bridge br-eth0, where a flow rule (the priority=4 entry above) strips VLAN tag 3.
The packet is then sent out eth0, the physical interface associated with the bridge.
Per https://github.com/beekhof/osp-ha-deploy/commit/b2e01e86ca93cfad9ad01d533b386b4c9607c60d#diff-ee239d1187adb09f970dc4ddcf0df1c2
Assuming eth0 is your interface attached to the external network, create two files in /etc/sysconfig/network-scripts/ as follows (adjust the MTU if needed):
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
DEVICETYPE=ovs
TYPE=OVSPort
OVS_BRIDGE=br-eth0
ONBOOT=yes
BOOTPROTO=none
VLAN=yes
MTU="9000"
NM_CONTROLLED=no
EOF
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-br-eth0
DEVICE=br-eth0
DEVICETYPE=ovs
OVSBOOTPROTO=none
TYPE=OVSBridge
ONBOOT=yes
BOOTPROTO=static
MTU="9000"
NM_CONTROLLED=no
EOF
Restart the network for the changes to take effect.
[root@hacontroller1 ~(keystone_admin)]# neutron net-list
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
| b4580386-bc02-4aa7-8792-ea4c40c41573 | public | a2c617b1-17cc-4768-b213-9f0795d07b40 10.10.10.0/24 |
| ab421dc7-27fa-4984-ae21-ba9518887293 | HA network tenant efe017b919c1487bab8c58281fcaceeb | 6886d46c-4947-455d-8656-ff0f2a649632 169.254.192.0/18 |
| 847e5c9c-ce9f-4b2c-86fb-d7597017e8e3 | private | 1c47d964-d7ec-4a72-a5a7-bc390c96359d 30.0.0.0/24 |
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
[root@hacontroller1 ~(keystone_admin)]# neutron subnet-list
+--------------------------------------+---------------------------------------------------+------------------+------------------------------------------------------+
| id | name | cidr | allocation_pools |
+--------------------------------------+---------------------------------------------------+------------------+------------------------------------------------------+
| a2c617b1-17cc-4768-b213-9f0795d07b40 | public_subnet | 10.10.10.0/24 | {"start": "10.10.10.100", "end": "10.10.10.150"} |
| 6886d46c-4947-455d-8656-ff0f2a649632 | HA subnet tenant efe017b919c1487bab8c58281fcaceeb | 169.254.192.0/18 | {"start": "169.254.192.1", "end": "169.254.255.254"} |
| 1c47d964-d7ec-4a72-a5a7-bc390c96359d | | 30.0.0.0/24 | {"start": "30.0.0.2", "end": "30.0.0.254"} |
+--------------------------------------+---------------------------------------------------+------------------+------------------------------------------------------+
[root@hacontroller2 ~(keystone_demo)]# neutron router-gateway-set RouterDMS public
[root@hacontroller2 ~(keystone_demo)]# neutron router-interface-add RouterDMS \
1c47d964-d7ec-4a72-a5a7-bc390c96359d
[root@hacontroller2 ~(keystone_demo)]# neutron router-port-list RouterDMS
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| dd6507fd-73e3-45f6-a935-8bbf29dacbb9 | | fa:16:3e:26:55:06 | {"subnet_id": "1c47d964-d7ec-4a72-a5a7-bc390c96359d", "ip_address": "30.0.0.1"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
[root@hacontroller2 ~(keystone_demo)]# neutron port-show dd6507fd-73e3-45f6-a935-8bbf29dacbb9
+-----------------------+--------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | afe13460-e106-4a0a-abf5-a618f97de6b9 |
| device_owner | network:router_interface |
| dns_assignment | {"hostname": "host-30-0-0-1", "ip_address": "30.0.0.1", "fqdn": "host-30-0-0-1.openstacklocal."} |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "1c47d964-d7ec-4a72-a5a7-bc390c96359d", "ip_address": "30.0.0.1"} |
| id | dd6507fd-73e3-45f6-a935-8bbf29dacbb9 |
| mac_address | fa:16:3e:26:55:06 |
| name | |
| network_id | 847e5c9c-ce9f-4b2c-86fb-d7597017e8e3 |
| security_groups | |
| status | ACTIVE |
| tenant_id | efe017b919c1487bab8c58281fcaceeb |
+-----------------------+--------------------------------------------------------------------------------------------------+
********************************************
Creating security group rules for tenant demo (ICMP and SSH ingress from 0.0.0.0/0, i.e. any source; narrow --remote-ip-prefix outside a lab)
********************************************
[root@hacontroller2 ~(keystone_demo)]# neutron security-group-rule-create --protocol icmp \
--direction ingress --remote-ip-prefix 0.0.0.0/0 default
[root@hacontroller2 ~(keystone_demo)]# neutron security-group-rule-create --protocol tcp \
--port-range-min 22 --port-range-max 22 --direction ingress --remote-ip-prefix 0.0.0.0/0 default
********************************************
Creating ssh keypair for tenant demo
********************************************
[root@hacontroller2 ~(keystone_demo)]# nova keypair-add oskey1 > oskey1.priv
[root@hacontroller2 ~(keystone_demo)]# chmod 600 oskey1.priv
[root@hacontroller2 ~(keystone_demo)]# neutron net-list
+--------------------------------------+---------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+----------------------------------------------------+
| b4580386-bc02-4aa7-8792-ea4c40c41573 | public | a2c617b1-17cc-4768-b213-9f0795d07b40 10.10.10.0/24 |
| 847e5c9c-ce9f-4b2c-86fb-d7597017e8e3 | private | 1c47d964-d7ec-4a72-a5a7-bc390c96359d 30.0.0.0/24 |
+--------------------------------------+---------+--------------------------------------------------
[root@hacontroller2 ~(keystone_demo)]# glance image-list
+--------------------------------------+-----------+
| ID | Name |
+--------------------------------------+-----------+
| 6b4ee270-41ca-4a14-b584-d21f6ff5d6be | cirros |
| e6945bf1-0a0d-4e99-a1fc-64ca45479095 | VF23Cloud |
+--------------------------------------+-----------+
[root@hacontroller2 ~(keystone_demo)]# nova boot --flavor 2 --key_name oskey1 --image \
e6945bf1-0a0d-4e99-a1fc-64ca45479095 --nic net-id=847e5c9c-ce9f-4b2c-86fb-d7597017e8e3 VF23Devs05
+--------------------------------------+--------------------------------------------------+
| Property | Value |
+--------------------------------------+--------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | 8c3HZUTS3jZ3 |
| config_drive | |
| created | 2015-11-28T17:44:02Z |
| flavor | m1.small (2) |
| hostId | |
| id | 68db2410-5d7d-42ca-82ab-6000123ab8d2 |
| image | VF23Cloud (e6945bf1-0a0d-4e99-a1fc-64ca45479095) |
| key_name | oskey1 |
| metadata | {} |
| name | VF23Devs05 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | efe017b919c1487bab8c58281fcaceeb |
| updated | 2015-11-28T17:44:03Z |
| user_id | 426a9a98019f4055a2edb3d145355646 |
+--------------------------------------+--------------------------------------------------+
[root@hacontroller2 ~(keystone_demo)]# nova list
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
| 2b0f822f-be17-43c1-b127-f626d5a62823 | CirrOSDevs | SHUTOFF | - | Shutdown | private=30.0.0.4, 10.10.10.101 |
| 68db2410-5d7d-42ca-82ab-6000123ab8d2 | VF23Devs05 | BUILD | spawning | NOSTATE | |
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
[root@hacontroller2 ~(keystone_demo)]# nova list
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
| 2b0f822f-be17-43c1-b127-f626d5a62823 | CirrOSDevs | SHUTOFF | - | Shutdown | private=30.0.0.4, 10.10.10.101 |
| 68db2410-5d7d-42ca-82ab-6000123ab8d2 | VF23Devs05 | ACTIVE | - | Running | private=30.0.0.10 |
+--------------------------------------+------------+---------+------------+-------------+--------------------------------+
[root@hacontroller2 ~(keystone_demo)]# neutron port-list --device-id \
68db2410-5d7d-42ca-82ab-6000123ab8d2
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+
| 879c8ca8-fe8e-42d7-8b6b-34be981d03d0 | | fa:16:3e:32:47:49 | {"subnet_id": "1c47d964-d7ec-4a72-a5a7-bc390c96359d", "ip_address": "30.0.0.10"} |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+
[root@hacontroller2 ~(keystone_demo)]# neutron floatingip-create public
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 10.10.10.102 |
| floating_network_id | b4580386-bc02-4aa7-8792-ea4c40c41573 |
| id | aa48fd10-bb25-46ae-8f76-eb90e343b3f1 |
| port_id | |
| router_id | |
| status | DOWN |
| tenant_id | efe017b919c1487bab8c58281fcaceeb |
+---------------------+--------------------------------------+
[root@hacontroller2 ~(keystone_demo)]# neutron floatingip-associate \
aa48fd10-bb25-46ae-8f76-eb90e343b3f1 879c8ca8-fe8e-42d7-8b6b-34be981d03d0
Associated floating IP aa48fd10-bb25-46ae-8f76-eb90e343b3f1
[root@hacontroller2 ~(keystone_demo)]# nova list
+--------------------------------------+------------+---------+------------+-------------+---------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------------+---------+------------+-------------+---------------------------------+
| 2b0f822f-be17-43c1-b127-f626d5a62823 | CirrOSDevs | SHUTOFF | - | Shutdown | private=30.0.0.4, 10.10.10.101 |
| 68db2410-5d7d-42ca-82ab-6000123ab8d2 | VF23Devs05 | ACTIVE | - | Running | private=30.0.0.10, 10.10.10.102 |
+--------------------------------------+------------+---------+------------+-------------+---------------------------------+
[root@hacontroller1 ~(keystone_admin)]# ip netns exec qrouter-afe13460-e106-4a0a-abf5-a618f97de6b9 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
8: ha-013404f6-0b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:d5:7e:6f brd ff:ff:ff:ff:ff:ff
inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-013404f6-0b
valid_lft forever preferred_lft forever
inet 169.254.0.1/24 scope global ha-013404f6-0b
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fed5:7e6f/64 scope link
valid_lft forever preferred_lft forever
9: qr-dd6507fd-73: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:26:55:06 brd ff:ff:ff:ff:ff:ff
inet 30.0.0.1/24 scope global qr-dd6507fd-73
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe26:5506/64 scope link nodad
valid_lft forever preferred_lft forever
10: qg-a37e106e-70: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:0e:4b:eb brd ff:ff:ff:ff:ff:ff
inet 10.10.10.100/24 scope global qg-a37e106e-70
valid_lft forever preferred_lft forever
inet 10.10.10.101/32 scope global qg-a37e106e-70
valid_lft forever preferred_lft forever
inet 10.10.10.102/32 scope global qg-a37e106e-70
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe0e:4beb/64 scope link nodad
valid_lft forever preferred_lft forever
Instance started
[root@hacontroller2 ~(keystone_demo)]# nova console-log VF23Devs05
References
1. http://blog.oddbit.com/2015/08/13/provider-external-networks-details/
2. https://github.com/beekhof/osp-ha-deploy/blob/master/keepalived/neutron-config.md