openstack-ansible-os_neutron/doc/source/app-ovn.rst
Satish Patel 91a42e9e60 Fix documentation formating
Change-Id: Ia8b2daebb42513b219d39a8bc15aaf04fb33d9c8
2021-04-06 13:17:03 +00:00

346 lines
12 KiB
ReStructuredText

========================================
Scenario - Open Virtual Network (OVN)
========================================
Overview
~~~~~~~~
Operators can choose to utilize the Open Virtual Network (OVN) mechanism
driver instead of Linux bridges or plain Open vSwitch for the Neutron ML2
plugin. This offers the possibility to deploy virtual networks and routers
using OVN with Open vSwitch, which replaces the agent-based model used by
the aforementioned architectures. This document outlines how to set it up in
your environment.
.. warning::
The current implementation of OVN in OpenStack-Ansible is experimental
and not production ready.
The following architectural assumptions have been made:
* Each compute node will act as an OVN controller
* Each compute node is eligible to serve as an OVN gateway node
.. note::
Physical VTEP integration is not supported.
Recommended reading
~~~~~~~~~~~~~~~~~~~
Since this is an extension of the basic Open vSwitch scenario, it is worth
reading that scenario to get some background. It is also recommended to be
familiar with OVN and networking-ovn projects and their configuration.
* `Scenario: Open vSwitch <app-openvswitch.html>`_
* `OVN Architecture <http://www.openvswitch.org/support/dist-docs/ovn-architecture.7.html>`_
* `Networking-ovn <https://github.com/openstack/networking-ovn>`_
Prerequisites
~~~~~~~~~~~~~
* Open vSwitch >= 2.10.0
* A successful deployment of OVN requires a dedicated network
interface be attached to the OVS provider bridge. This is not
handled automatially and may require changes to the network
interface configuration file.
OpenStack-Ansible user variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create a group var file for your network hosts
``/etc/openstack_deploy/group_vars/network_hosts``. It has to include:
.. code-block:: yaml
# Ensure the openvswitch kernel module is loaded
openstack_host_specific_kernel_modules:
- name: "openvswitch"
pattern: "CONFIG_OPENVSWITCH"
Copy the neutron environment overrides to
``/etc/openstack_deploy/env.d/neutron.yml`` to disable the creation of the
neutron agents container and implement the ``neutron_ovn_northd_container``
hosts group containing all network nodes:
.. code-block:: yaml
component_skel:
neutron_ovn_controller:
belongs_to:
- neutron_all
neutron_ovn_northd:
belongs_to:
- neutron_all
container_skel:
neutron_agents_container:
contains: {}
neutron_ovn_northd_container:
belongs_to:
- network_containers
contains:
- neutron_ovn_northd
Copy the nova environment overrides to
``/etc/openstack_deploy/env.d/nova.yml`` to implement the
``neutron_ovn_controller`` hosts group containing all compute nodes:
.. code-block:: yaml
container_skel:
nova_compute_container:
belongs_to:
- compute_containers
- kvm-compute_containers
- lxd-compute_containers
- qemu-compute_containers
contains:
- neutron_ovn_controller
- nova_compute
properties:
is_metal: true
Specify provider network definitions in your
``/etc/openstack_deploy/openstack_user_config.yml`` that define
one or more Neutron provider bridges and related configuration:
.. note::
Bridges specified here will be created automatically. If
``network_interface`` is defined, the interface will be placed into
the bridge automatically. Only VLAN network types are supported at
this time.
.. code-block:: yaml
- network:
container_bridge: "br-privatenet"
container_type: "veth"
type: "vlan"
range: "101:200,301:400"
net_name: "private"
network_interface: "bond2"
group_binds:
- neutron_ovn_controller
- network:
container_bridge: "br-publicnet"
container_type: "veth"
type: "vlan"
range: "203:203,467:500"
net_name: "public"
network_interface: "bond1"
group_binds:
- neutron_ovn_controller
Specify an overlay network definition in your
``/etc/openstack_deploy/openstack_user_config.yml`` that defines
overlay network-related configuration:
.. note::
The bridge name should correspond to a pre-created Linux bridge.
Only GENEVE overlay network types are supported at this time.
.. code-block:: yaml
- network:
container_bridge: "br-vxlan"
container_type: "veth"
container_interface: "eth10"
ip_from_q: "tunnel"
type: "geneve"
range: "1:1000"
net_name: "geneve"
group_binds:
- neutron_ovn_controller
Set the following user variables in your
``/etc/openstack_deploy/user_variables.yml``:
.. code-block:: yaml
neutron_plugin_type: ml2.ovn
neutron_plugin_base:
- neutron.services.ovn_l3.plugin.OVNL3RouterPlugin
neutron_ml2_drivers_type: "vlan,local,geneve"
The overrides are instructing Ansible to deploy the OVN mechanism driver and
associated OVN components. This is done by setting ``neutron_plugin_type``
to ``ml2.ovn``.
The ``neutron_plugin_base`` override instructions Neutron to use OVN for
routing functions rather than the standard L3 agent model.
The ``neutron_ml2_drivers_type`` override provides support for all type
drivers supported by OVN.
If provider network overrides are needed on a global or per-host basis,
the following format can be used in ``user_variables.yml`` or per-host
in ``openstack_user_config.yml``.
.. note::
These overrides are not normally required.
.. code-block:: yaml
# When configuring Neutron to support geneve tenant networks and
# vlan provider networks the configuration may resemble the following:
neutron_provider_networks:
network_types: "geneve"
network_geneve_ranges: "1:1000"
network_vlan_ranges: "public"
network_mappings: "public:br-publicnet"
network_interface_mappings: "br-publicnet:bond1"
# When configuring Neutron to support only vlan tenant networks and
# vlan provider networks the configuration may resemble the following:
neutron_provider_networks:
network_types: "vlan"
network_vlan_ranges: "public:203:203,467:500"
network_mappings: "public:br-publicnet"
network_interface_mappings: "br-publicnet:bond1"
# When configuring Neutron to support multiple vlan provider networks
# the configuration may resemble the following:
neutron_provider_networks:
network_types: "vlan"
network_vlan_ranges: "public:203:203,467:500,private:101:200,301:400"
network_mappings: "public:br-publicnet,private:br-privatenet"
network_interface_mappings: "br-publicnet:bond1,br-privatenet:bond2"
(Optional) DVR or Distributed L3 routing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DVR will be used for floating IPs if the ovn / enable_distributed_floating_ip
flag is configured to True in the neutron server configuration.
Create a group var file for neutron server
``/etc/openstack_deploy/group_vars/neutron_server.yml``. It has to include:
.. code-block:: yaml
# DVR/Distributed L3 routing support
neutron_neutron_conf_overrides:
ovn:
enable_distributed_floating_ip: True
Open Virtual Network (OVN) commands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following commands can be used to provide useful information about the
state of Open vSwitch networking and configurations.
The ``ovs-vsctl list open_vswitch`` command provides information about the
``open_vswitch`` table in the local Open vSwitch database:
.. code-block:: console
root@aio1:~# ovs-vsctl list open_vswitch
_uuid : 855c820b-c082-4d8f-9828-8cab01c6c9a0
bridges : [37d3bd82-d436-474e-89b7-705aea634d7d, a393b2f6-5c3d-4ccd-a2f9-e9817391612a]
cur_cfg : 14
datapath_types : [netdev, system]
db_version : "7.15.1"
external_ids : {hostname="aio1", ovn-bridge-mappings="vlan:br-provider", ovn-encap-ip="172.29.240.100", ovn-encap-type="geneve,vxlan", ovn-remote="tcp:172.29.236.100:6642", rundir="/var/run/openvswitch", system-id="11af26c6-9ec1-4cf7-bf41-2af45bd59b03"}
iface_types : [geneve, gre, internal, lisp, patch, stt, system, tap, vxlan]
manager_options : []
next_cfg : 14
other_config : {}
ovs_version : "2.9.0"
ssl : []
statistics : {}
system_type : ubuntu
system_version : "16.04"
The ``ovn-sbctl show`` command provides information related to southbound
connections. If used outside the ovn_northd container, specify the
connection details:
.. code-block:: console
root@aio1-neutron-ovn-northd-container-57a6f1a9:~# ovn-sbctl show
Chassis "11af26c6-9ec1-4cf7-bf41-2af45bd59b03"
hostname: "aio1"
Encap vxlan
ip: "172.29.240.100"
options: {csum="true"}
Encap geneve
ip: "172.29.240.100"
options: {csum="true"}
root@aio1:~# ovn-sbctl --db=tcp:172.29.236.100:6642 show
Chassis "11af26c6-9ec1-4cf7-bf41-2af45bd59b03"
hostname: "aio1"
Encap vxlan
ip: "172.29.240.100"
options: {csum="true"}
Encap geneve
ip: "172.29.240.100"
options: {csum="true"}
The ``ovn-nbctl show`` command provides information about networks known
to OVN and demonstrates connectivity between the northbound database
and neutron-server.
.. code-block:: console
root@aio1-neutron-ovn-northd-container-57a6f1a9:~# ovn-nbctl show
switch 5e77f29e-5dd3-4875-984f-94bd30a12dc3 (neutron-87ec5a05-9abe-4c93-89bd-c6d40320db87) (aka testnet)
port 65785045-69ec-49e7-82e3-b9989f718a9c
type: localport
addresses: ["fa:16:3e:68:a3:c8"]
The ``ovn-nbctl list Address_Set`` command provides information related to
security groups. If used outside the ovn_northd container, specify the
connection details:
.. code-block:: console
root@aio1-neutron-ovn-northd-container-57a6f1a9:~# ovn-nbctl list Address_Set
_uuid : 575b3015-f83f-4bd6-a698-3fe67e43bec6
addresses : []
external_ids : {"neutron:security_group_id"="199997c1-6f06-4765-89af-6fd064365c6a"}
name : "as_ip4_199997c1_6f06_4765_89af_6fd064365c6a"
_uuid : b6e211af-e52e-4c59-93ce-adf75ec14f46
addresses : []
external_ids : {"neutron:security_group_id"="199997c1-6f06-4765-89af-6fd064365c6a"}
name : "as_ip6_199997c1_6f06_4765_89af_6fd064365c6a"
root@aio1:~# ovn-nbctl --db=tcp:172.29.236.100:6641 list Address_Set
_uuid : 575b3015-f83f-4bd6-a698-3fe67e43bec6
addresses : []
external_ids : {"neutron:security_group_id"="199997c1-6f06-4765-89af-6fd064365c6a"}
name : "as_ip4_199997c1_6f06_4765_89af_6fd064365c6a"
_uuid : b6e211af-e52e-4c59-93ce-adf75ec14f46
addresses : []
external_ids : {"neutron:security_group_id"="199997c1-6f06-4765-89af-6fd064365c6a"}
name : "as_ip6_199997c1_6f06_4765_89af_6fd064365c6a"
Additional commands can be found in upstream OVN documentation.
Notes
~~~~~
The ``ovn-controller`` service on compute nodes will check in as an agent
and can be observed using the ``openstack network agent list`` command:
.. code-block:: console
root@aio1-utility-container-35bebd2a:~# openstack network agent list
+--------------------------------------+------------------------------+------+-------------------+-------+-------+----------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+------------------------------+------+-------------------+-------+-------+----------------+
| 4db288a6-8f8a-4153-b4b7-7eaf44f9e881 | OVN Controller Gateway agent | aio1 | n/a | :-) | UP | ovn-controller |
+--------------------------------------+------------------------------+------+-------------------+-------+-------+----------------+
The HAproxy implementation in use may not properly handle active/backup
failover for ovsdb-server with OVN. Work may be done to implement
pacemaker/corosync or wait for upstream active/active support.