Will you land this for Grizzly?<br><br><div class="gmail_quote">2012/12/7 Georgy Okrokvertskhov <span dir="ltr"><<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div><div>Hi,</div><div><br></div><div>We are working on a project which requires an HA setup for VM instances. The HA setup will use Pacemaker and a shared IP between two VMs.</div><div>When we tried to create such a setup we faced an issue with the firewall rules which prevent IP spoofing. With these rules enabled, a secondary IP assigned to the network interface does not work. As dynamic VIP assignment is a typical way to create HA, we want to modify libvirt\firewall.py in order to have this working.</div>
<div><br></div><div>Here is a brief description of our solution. It looks simple, but I want to make sure that we did not miss anything important which might prevent us from getting this done. Any comments and feedback will be highly appreciated.</div>
<div><b style="font-family:Times"><h2 dir="ltr"><span style="font-size:19px;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Environment</span></h2><br><ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">OpenStack Folsom</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">nova-network based networking, no Quantum service involved</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">libvirt-interfaced hypervisor</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Flat/FlatDHCP/VLAN networking mode configured</span></li>
</ul><h2 dir="ltr"><span style="font-size:19px;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">OpenStack Modifications Required</span></h2><br><ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Configuration parameters for nova-compute</span></li>
<ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">vip_enable - enables/disables the feature</span></li>
<li dir="ltr" style="list-style-type:circle;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">vip_net_range - the network range to be used for virtual IP allocation</span></li>
</ul><li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><a href="https://github.com/openstack/nova/blob/stable/folsom/nova/virt/libvirt/firewall.py#L105" style="color:rgb(0,106,227)" target="_blank"><span style="color:rgb(17,85,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">https://github.com/openstack/nova/blob/stable/folsom/nova/virt/libvirt/firewall.py#L105</span></a><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></li>
<ul style="margin-top:0pt;margin-bottom:0pt"><li dir="ltr" style="list-style-type:circle;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">check if virtual IP feature is enabled</span></li>
<li dir="ltr" style="list-style-type:circle;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">check if the virtual IP feature is allowed on the instance (by looking up its flavor’s extra_specs dictionary)</span></li>
<li dir="ltr" style="list-style-type:circle;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">if yes, then apply a less restrictive filter set to the instance’s NIC which preserves IP spoofing for the configured virtual IP network range</span></li>
</ul></ul><h2 dir="ltr"><span style="font-size:19px;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">User Perspective</span></h2><br><ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Configure a desired virtual IP network range in nova configuration file, enable the virtual IP feature</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Create a security group which allows access to application specific ports from inside the tenant network</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Spawn several new instances tagged as allowed to have a virtual IP, by selecting a special flavor (there can be several flavors of different sizes) in the CLI/UI</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Assign the security group(s) to the instance(s)</span></li>
<li dir="ltr" style="list-style-type:disc;font-size:15px;font-family:Arial;background-color:transparent;font-weight:normal;vertical-align:baseline"><span style="background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Set up a Pacemaker service on the instances</span></li>
</ul></b></div><div><div><br></div><div>Regards,</div><div>Georgy Okrokvertskhov<br>Technical Program Manager,<br>Cloud and Infrastructure Services,<br>Mirantis<br><a href="http://www.mirantis.com/" style="color:rgb(0,106,227)" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1 650 963 9828</a><br>Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1 650 996 3284</a></div></div></div><div>
<br></div>
            <br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br>
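The decision logic from the quoted proposal (global vip_enable switch, per-flavor opt-in in extra_specs, and a filter that allows the instance's fixed IPs plus the configured vip_net_range) as an added example; this is not code from the thread or from nova's firewall.py. The extra_specs key name (vip:allowed), the plain-dict configuration, and the rendering as a libvirt nwfilter with srcipaddr/srcipmask rules are assumptions made for the example.

```python
import ipaddress
from xml.etree import ElementTree as ET

# Hypothetical flavor extra_specs key marking an instance as allowed to hold a VIP;
# the thread only says the flag lives in extra_specs, it does not name the key.
VIP_EXTRA_SPEC = "vip:allowed"


def parse_vip_range(value):
    """Validate vip_net_range as a CIDR block; None if it is not a clean network."""
    try:
        # strict=True rejects "10.0.0.241/28": a typo here would widen the
        # range the instance may send from to whatever the host bits mask to.
        return ipaddress.ip_network(value, strict=True)
    except ValueError:
        return None


def vip_allowed(conf, extra_specs):
    """Both the global vip_enable switch and the per-flavor opt-in must be set."""
    if not conf.get("vip_enable", False):
        return False
    return str(extra_specs.get(VIP_EXTRA_SPEC, "false")).lower() == "true"


def allowed_source_networks(conf, extra_specs, fixed_ips):
    """Source addresses the instance NIC may send from: its fixed IPs, plus
    the VIP range only when the instance is allowed to carry a VIP."""
    nets = [ipaddress.ip_network(ip) for ip in fixed_ips]  # /32 host entries
    if vip_allowed(conf, extra_specs):
        vip_net = parse_vip_range(conf.get("vip_net_range", ""))
        if vip_net is None:
            raise ValueError("vip_net_range must be a valid CIDR network")
        nets.append(vip_net)
    return nets


def build_nwfilter_xml(name, nets):
    """Render the allow-list as a libvirt nwfilter: one 'return' rule per
    permitted source network, then a final drop for everything else."""
    filt = ET.Element("filter", name=name, chain="ipv4")
    for prio, net in enumerate(nets, start=500):
        rule = ET.SubElement(filt, "rule", action="return",
                             direction="out", priority=str(prio))
        ET.SubElement(rule, "ip", srcipaddr=str(net.network_address),
                      srcipmask=str(net.netmask))
    ET.SubElement(filt, "rule", action="drop", direction="out", priority="1000")
    return ET.tostring(filt, encoding="unicode")
```

Instances whose flavor lacks the opt-in, or hosts with vip_enable off, keep the fixed-IP-only allow-list, so the relaxation is scoped to the tagged instances and the one configured range.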