[openstack-dev] VM level HA. Changes in firewall.py question.
gokrokvertskhov at mirantis.com
Fri Dec 7 21:33:56 UTC 2012
We are working on a project which requires to have HA setup for VM instances. HA setup will use pacemaker and shared IP between two VMs.
When we tried to create such setup we faced the issue with firewall rules which prevents ip-spoofing. Whith these rules enabled a secondary IP assigned to the network interface does not work. As VIP dynamical assignment is a typical way to create HA we want to modify libvirt\firewall.py in order to have this working.
Here is a brief description of our solution. It looks simple, but I want to make sure that we did not miss anything important, which might prevent to get this done. Any comments and feedback will be highly appreciated.
nova-network based networking, no Quantum service involved
Flat/FlatDHCP/VLAN networking mode configured
OpenStack Modifications Required
Configuration parameters for nova-compute
vip_enable - enabled/disables the feature
vip_net_range - the network range to be used for virtual IP allocation
check if virtual IP feature is enabled
check if virtual IP feature is allowed on the instance (by looking up it’s flavor’s extra_specs dictionary)
if yes then apply a less restrictive filter set to instance’s NIC which preserves IP spoofing for the configured virtual IP network range
Configure a desired virtual IP network range in nova configuration file, enable the virtual IP feature
Create a security group which allows access to application specific ports from inside the tenant network
Spawn several new instances tagged as allowed to have a virtual IP, by selecting a special flavor (there can be several flavor of different sizes) in the CLI/UI
Assign the security group(s) to the instance(s)
Set up a pacemaker service at the instances
Technical Program Manager,
Cloud and Infrastructure Services,
Tel. +1 650 963 9828
Mob. +1 650 996 3284
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev