[openstack-dev] VM level HA. Changes in firewall.py question.

Belmiro Moreira moreira.belmiro.email.lists at gmail.com
Mon Dec 10 22:47:10 UTC 2012


Hi Georgy,
we faced exactly the same problem.

I really like your solution, especially binding the virtual IP feature to an instance flavor.
The way I envision this feature is to have some tenants where virtual IPs are allowed, but this can be done by having private flavors with this feature enabled.
Also, it could be interesting to have different virtual IP ranges for different tenants.

Belmiro Moreira
CERN


On Dec 7, 2012, at 10:33 PM, Georgy Okrokvertskhov <gokrokvertskhov at mirantis.com> wrote:

> Hi,
> 
> We are working on a project which requires an HA setup for VM instances. The HA setup will use pacemaker and a shared IP between two VMs.
> When we tried to create such a setup we faced an issue with the firewall rules which prevent IP spoofing. With these rules enabled, a secondary IP assigned to the network interface does not work. As dynamic VIP assignment is a typical way to create HA, we want to modify libvirt/firewall.py in order to have this working.
> 
> Here is a brief description of our solution. It looks simple, but I want to make sure that we did not miss anything important which might prevent us from getting this done. Any comments and feedback will be highly appreciated.
> 
> Environment
> 
> 	• OpenStack Folsom
> 	• nova-network based networking, no Quantum service involved
> 	• libvirt-interfaced hypervisor
> 	• Flat/FlatDHCP/VLAN networking mode configured
> 
> OpenStack Modifications Required
> 
> 	• Configuration parameters for nova-compute
> 		• vip_enable - enables/disables the feature
> 		• vip_net_range - the network range to be used for virtual IP allocation
> 	• https://github.com/openstack/nova/blob/stable/folsom/nova/virt/libvirt/firewall.py#L105
> 		• check if virtual IP feature is enabled
> 		• check if virtual IP feature is allowed on the instance (by looking up its flavor’s extra_specs dictionary)
> 		• if yes then apply a less restrictive filter set to instance’s NIC which preserves IP spoofing for the configured virtual IP network range
> 
> User Perspective
> 
> 	• Configure a desired virtual IP network range in nova configuration file, enable the virtual IP feature
> 	• Create a security group which allows access to application specific ports from inside the tenant network
> 	• Spawn several new instances tagged as allowed to have a virtual IP, by selecting a special flavor (there can be several flavors of different sizes) in the CLI/UI
> 	• Assign the security group(s) to the instance(s)
> 	• Set up a pacemaker service on the instances
> 
> Regards,
> Georgy Okrokvertskhov
> Technical Program Manager,
> Cloud and Infrastructure Services,
> Mirantis
> http://www.mirantis.com
> Tel. +1 650 963 9828
> Mob. +1 650 996 3284
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
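
The three checks listed under "OpenStack Modifications Required", modelled as an added example that is not part of either message and is not nova code. Assumptions: the extra_specs key `vip:allowed`, the `MIN_PREFIXLEN` guard, both function names, and the use of a plain dict in place of nova's configuration object are hypothetical; only `vip_enable` and `vip_net_range` come from the thread.

```python
import ipaddress

# Hypothetical extra_specs key; the thread does not name the key it uses.
VIP_EXTRA_SPEC = "vip:allowed"
# Assumed guard: reject ranges broader than this prefix, so a typo such as
# 0.0.0.0/0 cannot switch anti-spoofing off for the whole instance.
MIN_PREFIXLEN = 24


def vip_network_for(conf, extra_specs):
    """Return the VIP network the instance may use as a source, or None.

    None means the strict anti-spoofing filter set stays in place.
    """
    if not conf.get("vip_enable", False):
        return None                      # feature disabled on this compute node
    if str(extra_specs.get(VIP_EXTRA_SPEC, "")).lower() != "true":
        return None                      # flavor does not grant the feature
    try:
        net = ipaddress.ip_network(conf.get("vip_net_range", ""), strict=True)
    except ValueError:
        return None                      # missing or malformed range: fail closed
    if net.prefixlen < MIN_PREFIXLEN:
        return None                      # range too broad: fail closed
    return net


def source_allowed(src_ip, fixed_ip, vip_net):
    """Model of the filter: the fixed IP always passes, a VIP only if granted."""
    addr = ipaddress.ip_address(src_ip)
    if addr == ipaddress.ip_address(fixed_ip):
        return True
    return vip_net is not None and addr in vip_net


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    conf = {"vip_enable": True, "vip_net_range": "10.0.100.0/24"}
    flavors = {"m1.small": {}, "m1.small.ha": {VIP_EXTRA_SPEC: "true"}}
    for name, specs in flavors.items():
        net = vip_network_for(conf, specs)
        for src in ("10.0.0.5", "10.0.100.7", "10.0.0.6"):
            print(name, src, source_allowed(src, "10.0.0.5", net))
```

Every failure path returns None, so a misconfigured range or an untagged flavor leaves the instance on the strict filter rather than the relaxed one.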



