[openstack-dev] [Nova][Neutron] Status of the nova-network to Neutron migration work

Steve Wormley openstack at wormley.com
Sat Mar 28 00:41:15 UTC 2015


So, I figured I'd weigh in on this as an employee of a nova-network-using
company.

Nova-network allowed us to do a couple things simply.

1. Attach OpenStack networks to our existing VLANs using our existing
firewall/gateway and allow easy access to hardware such as database servers
and storage on the same VLAN.
2. Floating IPs managed at each compute node (multi-host) and via the
standard nova API calls.
3. Access to our instances via their private IP addresses from inside the
company (see 1).

Our forklift replacement to Neutron (as we know we can't 'migrate') is at
the following state.
2 meant we can't use pure provider VLAN networks so we had to wait for DVR
VLAN support to work.

Now that that works, I had to go in and convince Neutron to let me
configure my own gateways as the next hop instead of the central SNAT
gateway's assigned IP. This also required making it so the distributed L3
agents could do ARP for the 'real' gateway on the subnet.

Item 3 works fine until a floating IP is assigned. For nova-network this
was trivial connection-tracked routing, sending packets that reached an
instance via its private IP back out the private VLAN and everything else
via the assigned public IP.

Neutron, OVS and the various veth connections between them mean I can't
use packet marking between instances and the router NS. Between that and a
whole bunch of other things, we had to borrow some IP header bits to track
where a packet came in, so if a response to that connection hit the DVR
router it could be sent back out the private network.

And for the next week I get to try and make this all Python code so we can
actually finally test it without hand-crafted iptables and OVS rules.

For our model, most of the Neutron features are wasted, but as we've been
told that nova-network is going away, we're going to figure out how to make
Neutron work going forward.

-Steve Wormley
Not really speaking for my employer