[openstack-dev] VM level HA. Changes in firewall.py question.

Georgy Okrokvertskhov gokrokvertskhov at mirantis.com
Fri Dec 7 21:33:56 UTC 2012


We are working on a project which requires an HA setup for VM instances. The HA setup will use pacemaker and a shared IP between two VMs.
When we tried to create such a setup, we faced an issue with the firewall rules which prevent IP spoofing. With these rules enabled, a secondary IP assigned to the network interface does not work. As dynamic VIP assignment is a typical way to create HA, we want to modify libvirt\firewall.py in order to have this working.

Here is a brief description of our solution. It looks simple, but I want to make sure that we did not miss anything important which might prevent us from getting this done. Any comments and feedback will be highly appreciated.

OpenStack Folsom
nova-network based networking, no Quantum service involved
libvirt-interfaced hypervisor
Flat/FlatDHCP/VLAN networking mode configured

OpenStack Modifications Required

Configuration parameters for nova-compute
vip_enable - enables/disables the feature
vip_net_range - the network range to be used for virtual IP allocation

check if virtual IP feature is enabled
check if virtual IP feature is allowed on the instance (by looking up its flavor’s extra_specs dictionary)
if yes, then apply a less restrictive filter set to the instance’s NIC which preserves IP spoofing for the configured virtual IP network range

User Perspective

Configure a desired virtual IP network range in the nova configuration file, enable the virtual IP feature
Create a security group which allows access to application-specific ports from inside the tenant network
Spawn several new instances tagged as allowed to have a virtual IP, by selecting a special flavor (there can be several flavors of different sizes) in the CLI/UI
Assign the security group(s) to the instance(s)
Set up a pacemaker service on the instances

Georgy Okrokvertskhov
Technical Program Manager,
Cloud and Infrastructure Services,
http://www.mirantis.com/
Tel. +1 650 963 9828
Mob. +1 650 996 3284
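
The filter decision described in the post, sketched as an added example (not code from the post or from nova's firewall.py): it keeps the strict own-address rule unless both checks pass, and rejects an overly broad vip_net_range. The extra_specs key name, the /24 limit, the IPv4-only handling and the sample addresses are assumptions.

```python
import ipaddress

# Hypothetical flavor extra_specs key; the post does not name one.
VIP_EXTRA_SPEC = "vip_allowed"
# Assumed guard: every address in vip_net_range becomes usable as a source
# by any VIP-enabled instance, so refuse IPv4 ranges wider than /24.
MIN_PREFIXLEN = 24


def allowed_sources(conf, extra_specs, fixed_ip):
    """Return the networks an instance NIC may use as a source address."""
    allowed = [ipaddress.ip_network(fixed_ip)]  # strict default: own /32 only
    # Check 1: is the feature enabled in the nova-compute configuration?
    if not conf.get("vip_enable"):
        return allowed
    # Check 2: does the instance's flavor allow a virtual IP?
    if str(extra_specs.get(VIP_EXTRA_SPEC, "")).lower() != "true":
        return allowed
    # strict=True rejects a range with host bits set (e.g. 10.0.0.241/28).
    vip_net = ipaddress.ip_network(conf["vip_net_range"], strict=True)
    if vip_net.prefixlen < MIN_PREFIXLEN:
        raise ValueError("vip_net_range %s is too broad" % vip_net)
    allowed.append(vip_net)
    return allowed


def source_permitted(allowed, src_ip):
    """True if a packet with this source address would pass the filter."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    conf = {"vip_enable": True, "vip_net_range": "10.0.0.240/28"}
    ha_node = allowed_sources(conf, {VIP_EXTRA_SPEC: "true"}, "10.0.0.5")
    plain = allowed_sources(conf, {}, "10.0.0.6")
    for name, nets in (("ha_node", ha_node), ("plain", plain)):
        for src in ("10.0.0.5", "10.0.0.241", "10.0.0.99"):
            print(name, src, source_permitted(nets, src))
```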
