[Rdo-list] Openstack Liberty with DVR and VLAN overlay

Mon Mar 21 14:25:22 UTC 2016

And finally...

I have worked out why I am seeing this behavior in the first place -

I was setting NeutronExternalNetworkBridge: "''"  on my overcloud 
deployment, which was correctly setting 'external_network_bridge = ' 
(unset) in my controllers enabling VLAN provider networks to work.
But when you enable DVR the setting also becomes relevant on the compute 
nodes, and by default  'external_network_bridge =  br-ex' was set on my 
compute nodes ( I found NeutronExternalNetworkBridge: "''" does not have 
any impact on compute nodes). This bound the fg interfaces directly to 
br-ex and not br-int, forcing me to apply the workaround of ovs fake 
bridges.
So all I needed to do was unset 'external_network_bridge = '  on the 
compute nodes and the fg interfaces bound to br-int and all worked.

Charles

On 21/03/2016 10:20, Charles Short wrote:
> An update on this -
>
> My issue was having to manually add the external VLAN tag to the fg 
> interface everytime a new FIP namespace was created (FIP namespaces 
> are deleted when there are no more instances on a compute node with 
> floating ips)
>
> I discovered that you can create a virtual bridge within a bridge with 
> a default VLAN tag. So when a port is dynamically created in this new 
> bridge it automatically get the external VLAN tag.
>
>  sudo ovs-vsctl add-br br-vlan1041 br-ex 1041
>
> This solves the issue. I just point the neutron config to the new 
> external bridge and the fg ports get created on the new virtual bridge 
> tagged with 1041
>
> Charles
>
>
> On 02/03/2016 09:34, Charles Short wrote:
>> Hi,
>>
>> I have a simple single nic bare metal set up much like this -
>>
>> https://answers.launchpad.net/neutron/+question/228376
>>
>> Tenant networks are VLANs, and the external network a VLAN provider 
>> network.
>> This enables me to have one bridge which allows the VLAN overlays to 
>> pass between nodes/physical switches, and importantly allows external 
>> access via floating ip through the external provider network VLAN.
>>
>> This was all working fine, but I wanted to install DVR. I saw that 
>> DVR functionality had relatively recently been added for VLAN 
>> overlays (Kilo and beyond)
>>
>> https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr-vlan
>>
>> So I enabled DVR, noting that for VLAN overlays l2population is not 
>> required.
>> I created two instances, two tenant networks one with a normal router 
>> (non DVR) and one with a DVR router.
>>
>> I first tested SNAT on both. Worked fine (I could ping externally 
>> from the instances)
>> I then applied a FIP to the non DVR routed instance. I could ping the 
>> instance from the external network, so all working fine.
>>
>> I then applied a FIP to the DVR routed instance. This is where the 
>> problems began. I could not ping externally from the instance, and I 
>> could not ping the instance from the external network.
>> I looked at the traffic flow schematic outlined here for North/South 
>> FIP (allowing for the fact I am not using tunneling) -
>>
>> http://docs.openstack.org/liberty/networking-guide/scenario_dvr_ovs.html
>>
>> I noticed that the fg interface from the FIP namespace in my compute 
>> node was NOT attached to br-int as in the guide, but was attached to 
>> my VLAN bridge. This seemed odd.
>> I thought that maybe this would have an effect on the tagging, so 
>> tried manually adding the tag for the external provider network VLAN 
>> to the fg port on the VLAN bridge
>>
>> ovs-vsctl set port fg-15df2853-c2 tag=1041
>>
>> Suddenly it all started working.  I could now ping externally from 
>> the DVR routed instance, and I could ping the instance from the 
>> external network.
>>
>>
>> Please can someone explain why I am seeing this behavior?
>>
>> Thanks
>>
>> Charles
>>
>

-- 
Charles Short
Cloud Engineer
Virtualization and Cloud Team
European Bioinformatics Institute (EMBL-EBI)
Tel: +44 (0)1223 494205