OpenStack Neutron's Distributed Virtual Router

Distributed Virtual Router
Introduced in the Juno Release of OpenStack Neutron
Carl Baldwin
DVR Illustrations courtesy of Jack McCann
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

DVR Architecture

Neutron deployment architecture without DVR
neutron-server
API
auth
ML2 plug-in
database
Network Service Node(s)
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject 3 to change without notice.
Compute hosts
DHCP agent
L3 agent
message
queue
Metadata agent
ovs agent
Nova metadata
ovs agent
Open
vSwitch
Open
vSwitch

Neutron deployment architecture with DVR
neutron-server
API
auth
ML2 plug-in
database
Metadata agent
L3 agent
message
queue
Network Service Node(s)
Compute hosts
DHCP agent
Metadata agent Nova metadata
L3 agent agent_mode = dvr
ovs agent
w/dvr agent
Nova metadata
ovs agent
Open
vSwitch
Open
vSwitch
enable_distibuted_routing = True
programs DVR flow handling
external network
compute nodes on external
network

API extension
Adds ‘distributed’ attribute to ‘router’ object
• Can be set by admin user through the API
• Global default is set as “router_distributed” in neutron.conf
• Default is False
• The attribute is only visible to admin tenant in GET
• Cannot be updated
• Work in progress to allow update from False to True

DVR – East-West (subnet-to-subnet)
“VM1-1
QRouter-X
S1.1 S2.1
br-int
patch-tun
eth0
ARP for gw
kept local
“VM2-1
br-int
patch-tun
eth0
QRouter-X
S1.1 S2.1
same gw IP/MAC
on each node
no remote bcast
in to routers

DVR – North-South (floating IP)
“VM1-1
“VM2-1
br-int
QRouter-Y
qr rfp-y
floating IP namespace
br-ex
external-vlan
eth0
QRouter-X
qr rfp-x
floating IP NAT in router ns
default route via FIP-NS
local addressing connects QR to FIP-NS
floating IP host routes pointing to QR
proxy-arp for floating IPs on br-ex
(future option: BGP route injection)
fpr-x fpr-y
fg-u

DVR – North-South (default SNAT)
br-int
snat-Y
qr qg-x
br-ex
external-vlan
eth0
snat-X
qr qg-x
default SNAT in snat namespace
default route via br-ex

Database
router_extra_attributes
router_id string uuid
distributed boolean
dvr_host_macs
host string 255
mac_address string 32
ml2_dvr_port_bindings - port binding for all the
ports associated to a DVR identified by router_id
port_id string uuid
host string
vif_type string
vif_details string
vnic_type string
profile string
cap_port_filter boolean
driver string
segment string
status string
csnat_l3_agent_bindings
l3_agent_id string uuid
host_id string
csnat_gw_port_id string uuid

config file options
neutron.conf
[DEFAULT]
router_distributed = False
dvr_base_mac = fa:16:3f:00:00:00
ovs_neutron_plugin.ini
[agent]
enable_distributed_routing = False # Make the l2 agent run in dvr mode
l3_agent.ini
[DEFAULT]
agent_mode = legacy # legacy, dvr, or dvr_snat

OVS Flow Handling
How to Distribute the Router’s Internal Port
• ARP Requests to Router Port are Blocked from the Tunnel
• These ARP requests should only be seen by the local port
• Source Mac is Mapped to Host Mac on Overlay Network
• All traffic generated by the
• A mac address is allocated for each compute host
• Mapping must be done on both ends of the tunnel
• Destination Mac Blocked from Overlay
• These should go to the local port
• They would create mac ambiguity in the overly
• L2 Pre-Population is Required
• “Prevent(s) multiple unicast of routed packets destined to remove VMs.”

DVR Limitations

Default SNAT still centralized
snat-Y
qr qg-x
br-ex
external-vlan
eth1
“VM1-1
qrouter-X
S1.1 S2.1
br-int
patch-tun
eth0
br-int
patch-tun
eth0

Floating IP Namespace
• Pros
• Eliminates Need for Public Address/IR
• Keeps IR Macs Off External Net
• Cons
• Extra Complexity in L3 Agent
• Still Consumes a Public Address / CN
QRouter-Y
qr rfp-y
fpr-x fpr-y
floating IP namespace
fg-u
eth0
QRouter-X
qr rfp-x
br-ex
external-vlan

Heavy L2 Integration
• Led to Initial Dependence on OVS and Tunnel Protocols
• Mitigate Scope Creep
• Distributed Port Concept Needs to be Abstracted

Firewall as a Service (FWaaS) Complexity
• External Net Connects to Hypervisors
• FWaaS is Needed There Too.
• Asymmetric Routing Problem
• E/W Routing
“VM1-1
QRouter-X
S1.1 S2.1
br-int
patch-tun
eth0
“VM2-1
br-int
patch-tun
eth0
QRouter-X
S1.1 S2.1

Contributing DVR

Initial Development on Havana
Pros and Cons
• Stable Code Base
• No Risk of External Regression
• Very Large Effort to Integrate
• Upstream Moves Quickly
• Subject to Regression
• Comm. Standard Enforcment
• Code Style
• No Demand for Unit or Functional Tests

Initial Development on Havana
If We had to do it Over Again…
• Contribute Smaller, More Focused Patches to Trunk
• Start with Pure Refactoring Needed to Ease Development
• Develop Unit Tests for Code that will be Modified
• Move Gradually Beyond Refactoring to Other Improvements
• Divide Implementation According to Themes
• Develop Unit Tests (TDD) and Functional Tests to Prevent Regression

Divided in to 7 Patches
• Division According to Component
• Patches Added Unused Code for Later Patches
• Indicates there are themes that cross patch boundaries
• Each Patch Had Multiple Active Authors
• Indicates possibly more than one theme in the patch

Handling Multiple Changes
• Dependency Order Not Linear
• Should it be?

It is Never Linear!!!

Enemy Number One!
• Automatic Rebase Feature
• Default behavior of “git review”
• Most of the Time it is Disruptive
• Sometimes it is Destructive

Enemy Number One!
• Clobbered API Extension!!
• Happened More than Once
• Use --no-rebase Always
• Rebase on Merge Conflict
• Work from the bottom up
• Merge Faster
• Smaller, more focused patches
• Continuous community involvement

OpenStack Neutron's Distributed Virtual Router

More Related Content

OpenStack Neutron's Distributed Virtual Router