[openstack-dev] VM level HA. Changes in firewall.py question.

Endre Karlson endre.karlson at gmail.com
Fri Dec 7 22:04:20 UTC 2012


Will you land this for Grizzly?

2012/12/7 Georgy Okrokvertskhov <gokrokvertskhov at mirantis.com>

> Hi,
>
> We are working on a project which requires to have HA setup for VM
> instances. HA setup will use pacemaker and shared IP between two VMs.
> When we tried to create such setup we faced the issue with firewall rules
> which prevent ip-spoofing. With these rules enabled a secondary IP
> assigned to the network interface does not work. As VIP dynamical
> assignment is a typical way to create HA we want to modify
> libvirt\firewall.py in order to have this working.
>
> Here is a brief description of our solution. It looks simple, but I want
> to make sure that we did not miss anything important, which might prevent
> to get this done. Any comments and feedback will be highly appreciated.
> Environment
>
>    - OpenStack Folsom
>    - nova-network based networking, no Quantum service involved
>    - libvirt-interfaced hypervisor
>    - Flat/FlatDHCP/VLAN networking mode configured
>
> OpenStack Modifications Required
>
>    - Configuration parameters for nova-compute
>       - vip_enable - enables/disables the feature
>       - vip_net_range - the network range to be used for virtual IP
>       allocation
>    - https://github.com/openstack/nova/blob/stable/folsom/nova/virt/libvirt/firewall.py#L105
>       - check if virtual IP feature is enabled
>       - check if virtual IP feature is allowed on the instance (by
>       looking up its flavor's extra_specs dictionary)
>       - if yes then apply a less restrictive filter set to instance’s NIC
>       which preserves IP spoofing for the configured virtual IP network range
>
> User Perspective
>
>    - Configure a desired virtual IP network range in nova configuration
>    file, enable the virtual IP feature
>    - Create a security group which allows access to application specific
>    ports from inside the tenant network
>    - Spawn several new instances tagged as allowed to have a virtual IP,
>    by selecting a special flavor (there can be several flavors of different
>    sizes) in the CLI/UI
>    - Assign the security group(s) to the instance(s)
>    - Set up a pacemaker service at the instances
>
> Regards,
> Georgy Okrokvertskhov
> Technical Program Manager,
> Cloud and Infrastructure Services,
> Mirantis
> http://www.mirantis.com
> Tel. +1 650 963 9828
> Mob. +1 650 996 3284
>
>
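
The decision logic proposed in the quoted message, as an added sketch that is not part of the original thread and is not nova code: anti-spoofing is relaxed only when both the `vip_enable` flag and the flavor opt-in are set, and even then only for sources inside `vip_net_range`. The extra_specs key `vip_allowed`, the function names, the `network_cidr` parameter, and the containment guard are assumptions made for this illustration.

```python
import ipaddress

# Hypothetical flavor extra_specs key; the post does not name one.
VIP_EXTRA_SPEC = "vip_allowed"


def select_filter_mode(vip_enable, extra_specs):
    """Relax anti-spoofing only when both gates from the post pass:
    the nova-compute flag and the per-flavor opt-in."""
    opted_in = str(extra_specs.get(VIP_EXTRA_SPEC, "")).lower() == "true"
    return "vip" if (vip_enable and opted_in) else "strict"


def permitted_sources(mode, fixed_ips, vip_net_range, network_cidr):
    """Source networks the NIC filter would accept from this instance."""
    nets = [ipaddress.ip_network(ip) for ip in fixed_ips]  # one /32 per fixed IP
    if mode == "vip":
        vip_net = ipaddress.ip_network(vip_net_range)  # ValueError on host bits
        # Added guard (assumption, not stated in the post): the VIP range must
        # sit inside the instance's own network, so a misconfigured range such
        # as 0.0.0.0/0 cannot switch IP-spoofing protection off entirely.
        if not vip_net.subnet_of(ipaddress.ip_network(network_cidr)):
            raise ValueError("vip_net_range must lie within the instance network")
        nets.append(vip_net)
    return nets


def source_allowed(src_ip, nets):
    """True if a packet with this source address would pass the filter."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    mode = select_filter_mode(True, {VIP_EXTRA_SPEC: "true"})
    nets = permitted_sources(mode, ["10.0.0.5"], "10.0.0.240/28", "10.0.0.0/24")
    for src in ("10.0.0.5", "10.0.0.241", "10.0.0.6"):
        print(src, "allowed" if source_allowed(src, nets) else "dropped")
```

With these sample values the instance may send from its fixed IP and from the shared VIP, while a neighbour's fixed address (10.0.0.6) is still dropped.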