<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 24, 2018, 3:33 PM Engelmann Florian <<a href="mailto:florian.engelmann@everyware.ch">florian.engelmann@everyware.ch</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" style="font-size:10pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>On the network nodes we've got a dedicated interface to deploy VLANs (like the provider network for internet access). What about creating another VLAN on the network nodes, give that bridge a IP which is part of the subnet of lb-mgmt-net and start the octavia
worker, healthmanager and controller on the network nodes binding to that IP?<br>
</p>
<p></p></div></blockquote></div></div><div dir="auto"><span style="font-family:sans-serif">The problem with that is you can't out an IP in the vlan interface and also use it as an OVS bridge, so the Octavia processes would have nothing to bind to.</span><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" style="font-size:10pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif"><p><br>
</p>
<div style="color:rgb(33,33,33)">
<hr style="display:inline-block;width:98%">
<div id="m_-293592360272347719divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Erik McCormick <<a href="mailto:emccormick@cirrusseven.com" target="_blank" rel="noreferrer">emccormick@cirrusseven.com</a>><br>
<b>Sent:</b> Wednesday, October 24, 2018 6:18 PM<br>
<b>To:</b> Engelmann Florian<br>
<b>Cc:</b> openstack-operators<br>
<b>Subject:</b> Re: [Openstack-operators] [octavia][rocky] Octavia and VxLAN without DVR</font>
<div> </div>
</div>
<div>
<div dir="auto">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Oct 24, 2018, 12:02 PM Florian Engelmann <<a href="mailto:florian.engelmann@everyware.ch" target="_blank" rel="noreferrer">florian.engelmann@everyware.ch</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am 10/24/18 um 2:08 PM schrieb Erik McCormick:<br>
> <br>
> <br>
> On Wed, Oct 24, 2018, 3:14 AM Florian Engelmann <br>
> <<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a> <mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a>>>
<br>
> wrote:<br>
> <br>
> Ohoh - thank you for your empathy :)<br>
> And those great details about how to setup this mgmt network.<br>
> I will try to do so this afternoon but solving that routing "puzzle"<br>
> (virtual network to control nodes) I will need our network guys to help<br>
> me out...<br>
> <br>
> But I will need to tell all Amphorae a static route to the gateway that<br>
> is routing to the control nodes?<br>
> <br>
> <br>
> Just set the default gateway when you create the neutron subnet. No need <br>
> for excess static routes. The route on the other connection won't <br>
> interfere with it as it lives in a namespace.<br>
<br>
<br>
My compute nodes have no br-ex and there is no L2 domain spread over all <br>
compute nodes. As far as I understood lb-mgmt-net is a provider network <br>
and has to be flat or VLAN and will need a "physical" gateway (as there <br>
is no virtual router).<br>
So the question - is it possible to get octavia up and running without a <br>
br-ex (L2 domain spread over all compute nodes) on the compute nodes?<br>
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto"><span style="font-family:sans-serif">Sorry, I only meant it was *like* br-ex on your network nodes. You don't need that on your computes.</span><br>
</div>
<div dir="auto"><span style="font-family:sans-serif"><br>
</span></div>
<div dir="auto"><span style="font-family:sans-serif">The router here would be whatever does routing in your physical network. Setting the gateway in the neutron subnet simply adds that to the DHCP information sent to the amphorae.</span></div>
<div dir="auto"><span style="font-family:sans-serif"><br>
</span></div>
<div dir="auto"><span style="font-family:sans-serif">This does bring up another thingI forgot though. You'll probably want to add the management network / bridge to your network nodes or wherever you run the DHCP agents. When you create the subnet, be sure
to leave some space in the address scope for the physical devices with static IPs.</span></div>
<div dir="auto"><span style="font-family:sans-serif"><br>
</span></div>
<div dir="auto"><font face="sans-serif">As for multiple L2 domains, I can't think of a way to go about that for the lb-mgmt network. It's a single network with a single subnet. Perhaps you could limit load balancers to an AZ in a single rack? Seems not very
HA friendly.</font></div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
</blockquote>
</div>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> <br>
> <br>
> <br>
> Am 10/23/18 um 6:57 PM schrieb Erik McCormick:<br>
> > So in your other email you said asked if there was a guide for<br>
> > deploying it with Kolla ansible...<br>
> ><br>
> > Oh boy. No there's not. I don't know if you've seen my recent<br>
> mails on<br>
> > Octavia, but I am going through this deployment process with<br>
> > kolla-ansible right now and it is lacking in a few areas.<br>
> ><br>
> > If you plan to use different CA certificates for client and server in<br>
> > Octavia, you'll need to add that into the playbook. Presently it only<br>
> > copies over ca_01.pem, cacert.key, and client.pem and uses them for<br>
> > everything. I was completely unable to make it work with only one CA<br>
> > as I got some SSL errors. It passes gate though, so I aasume it must<br>
> > work? I dunno.<br>
> ><br>
> > Networking comments and a really messy kolla-ansible / octavia<br>
> how-to below...<br>
> ><br>
> > On Tue, Oct 23, 2018 at 10:09 AM Florian Engelmann<br>
> > <<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a><br>
> <mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a>>> wrote:<br>
> >><br>
> >> Am 10/23/18 um 3:20 PM schrieb Erik McCormick:<br>
> >>> On Tue, Oct 23, 2018 at 7:53 AM Florian Engelmann<br>
> >>> <<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a><br>
> <mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a>>> wrote:<br>
> >>>><br>
> >>>> Hi,<br>
> >>>><br>
> >>>> We did test Octavia with Pike (DVR deployment) and everything was<br>
> >>>> working right our of the box. We changed our underlay network to a<br>
> >>>> Layer3 spine-leaf network now and did not deploy DVR as we<br>
> don't wanted<br>
> >>>> to have that much cables in a rack.<br>
> >>>><br>
> >>>> Octavia is not working right now as the lb-mgmt-net does not<br>
> exist on<br>
> >>>> the compute nodes nor does a br-ex.<br>
> >>>><br>
> >>>> The control nodes running<br>
> >>>><br>
> >>>> octavia_worker<br>
> >>>> octavia_housekeeping<br>
> >>>> octavia_health_manager<br>
> >>>> octavia_api<br>
> >>>><br>
> Amphorae-VMs, z.b.<br>
> <br>
> lb-mgmt-net <a href="http://172.16.0.0/16" rel="noreferrer noreferrer noreferrer" target="_blank">
172.16.0.0/16</a> <<a href="http://172.16.0.0/16" rel="noreferrer noreferrer noreferrer" target="_blank">http://172.16.0.0/16</a>> default GW<br>
> >>>> and as far as I understood octavia_worker,<br>
> octavia_housekeeping and<br>
> >>>> octavia_health_manager have to talk to the amphora instances.<br>
> But the<br>
> >>>> control nodes are spread over three different leafs. So each<br>
> control<br>
> >>>> node in a different L2 domain.<br>
> >>>><br>
> >>>> So the question is how to deploy a lb-mgmt-net network in our<br>
> setup?<br>
> >>>><br>
> >>>> - Compute nodes have no "stretched" L2 domain<br>
> >>>> - Control nodes, compute nodes and network nodes are in L3<br>
> networks like<br>
> >>>> api, storage, ...<br>
> >>>> - Only network nodes are connected to a L2 domain (with a<br>
> separated NIC)<br>
> >>>> providing the "public" network<br>
> >>>><br>
> >>> You'll need to add a new bridge to your compute nodes and create a<br>
> >>> provider network associated with that bridge. In my setup this is<br>
> >>> simply a flat network tied to a tagged interface. In your case it<br>
> >>> probably makes more sense to make a new VNI and create a vxlan<br>
> >>> provider network. The routing in your switches should handle<br>
> the rest.<br>
> >><br>
> >> Ok that's what I try right now. But I don't get how to setup<br>
> something<br>
> >> like a VxLAN provider Network. I thought only vlan and flat is<br>
> supported<br>
> >> as provider network? I guess it is not possible to use the tunnel<br>
> >> interface that is used for tenant networks?<br>
> >> So I have to create a separated VxLAN on the control and compute<br>
> nodes like:<br>
> >><br>
> >> # ip link add vxoctavia type vxlan id 42 dstport 4790 group<br>
> 239.1.1.1<br>
> >> dev vlan3535 ttl 5<br>
> >> # ip addr add <a href="http://172.16.1.11/20" rel="noreferrer noreferrer noreferrer" target="_blank">
172.16.1.11/20</a> <<a href="http://172.16.1.11/20" rel="noreferrer noreferrer noreferrer" target="_blank">http://172.16.1.11/20</a>> dev vxoctavia<br>
> >> # ip link set vxoctavia up<br>
> >><br>
> >> and use it like a flat provider network, true?<br>
> >><br>
> > This is a fine way of doing things, but it's only half the battle.<br>
> > You'll need to add a bridge on the compute nodes and bind it to that<br>
> > new interface. Something like this if you're using openvswitch:<br>
> ><br>
> > docker exec openvswitch_db<br>
> > /usr/local/bin/kolla_ensure_openvswitch_configured br-mgmt vxoctavia<br>
> ><br>
> > Also you'll want to remove the IP address from that interface as it's<br>
> > going to be a bridge. Think of it like your public (br-ex) interface<br>
> > on your network nodes.<br>
> ><br>
> > From there you'll need to update the bridge mappings via kolla<br>
> > overrides. This would usually be in /etc/kolla/config/neutron. Create<br>
> > a subdirectory for your compute inventory group and create an<br>
> > ml2_conf.ini there. So you'd end up with something like:<br>
> ><br>
> > [root@kolla-deploy ~]# cat<br>
> /etc/kolla/config/neutron/compute/ml2_conf.ini<br>
> > [ml2_type_flat]<br>
> > flat_networks = mgmt-net<br>
> ><br>
> > [ovs]<br>
> > bridge_mappings = mgmt-net:br-mgmt<br>
> ><br>
> > run kolla-ansible --tags neutron reconfigure to push out the new<br>
> > configs. Note that there is a bug where the neutron containers<br>
> may not<br>
> > restart after the change, so you'll probably need to do a 'docker<br>
> > container restart neutron_openvswitch_agent' on each compute node.<br>
> ><br>
> > At this point, you'll need to create the provider network in the<br>
> admin<br>
> > project like:<br>
> ><br>
> > openstack network create --provider-network-type flat<br>
> > --provider-physical-network mgmt-net lb-mgmt-net<br>
> ><br>
> > And then create a normal subnet attached to this network with some<br>
> > largeish address scope. I wouldn't use <a href="http://172.16.0.0/16" rel="noreferrer noreferrer noreferrer" target="_blank">
172.16.0.0/16</a><br>
> <<a href="http://172.16.0.0/16" rel="noreferrer noreferrer noreferrer" target="_blank">http://172.16.0.0/16</a>> because docker<br>
> > uses that by default. I'm not sure if it matters since the network<br>
> > traffic will be isolated on a bridge, but it makes me paranoid so I<br>
> > avoided it.<br>
> ><br>
> > For your controllers, I think you can just let everything<br>
> function off<br>
> > your api interface since you're routing in your spines. Set up a<br>
> > gateway somewhere from that lb-mgmt network and save yourself the<br>
> > complication of adding an interface to your controllers. If you<br>
> choose<br>
> > to use a separate interface on your controllers, you'll need to make<br>
> > sure this patch is in your kolla-ansible install or cherry pick it.<br>
> ><br>
> ><br>
> <a href="https://github.com/openstack/kolla-ansible/commit/0b6e401c4fdb9aa4ff87d0bfd4b25c91b86e0d60#diff-6c871f6865aecf0057a5b5f677ae7d59" rel="noreferrer noreferrer noreferrer" target="_blank">https://github.com/openstack/kolla-ansible/commit/0b6e401c4fdb9aa4ff87d0bfd4b25c91b86e0d60#diff-6c871f6865aecf0057a5b5f677ae7d59</a><br>
> ><br>
> > I don't think that's been backported at all, so unless you're running<br>
> > off master you'll need to go get it.<br>
> ><br>
> > From here on out, the regular Octavia instruction should serve you.<br>
> > Create a flavor, Create a security group, and capture their UUIDs<br>
> > along with the UUID of the provider network you made. Override<br>
> them in<br>
> > globals.yml with:<br>
> ><br>
> > octavia_amp_boot_network_list: <uuid><br>
> > octavia_amp_secgroup_list: <uuid><br>
> > octavia_amp_flavor_id: <uuid><br>
> ><br>
> > This is all from my scattered notes and bad memory. Hopefully it<br>
> makes<br>
> > sense. Corrections welcome.<br>
> ><br>
> > -Erik<br>
> ><br>
> ><br>
> ><br>
> >><br>
> >><br>
> >>><br>
> >>> -Erik<br>
> >>>><br>
> >>>> All the best,<br>
> >>>> Florian<br>
> >>>> _______________________________________________<br>
> >>>> OpenStack-operators mailing list<br>
> >>>> <a href="mailto:OpenStack-operators@lists.openstack.org" rel="noreferrer noreferrer" target="_blank">
OpenStack-operators@lists.openstack.org</a><br>
> <mailto:<a href="mailto:OpenStack-operators@lists.openstack.org" rel="noreferrer noreferrer" target="_blank">OpenStack-operators@lists.openstack.org</a>><br>
> >>>><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
> <br>
> -- <br>
> <br>
> EveryWare AG<br>
> Florian Engelmann<br>
> Systems Engineer<br>
> Zurlindenstrasse 52a<br>
> CH-8003 Zürich<br>
> <br>
> tel: +41 44 466 60 00<br>
> fax: +41 44 466 60 10<br>
> mail: mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a><br>
> <mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a>><br>
> web: <a href="http://www.everyware.ch" rel="noreferrer noreferrer noreferrer" target="_blank">
http://www.everyware.ch</a><br>
> <br>
<br>
-- <br>
<br>
EveryWare AG<br>
Florian Engelmann<br>
Systems Engineer<br>
Zurlindenstrasse 52a<br>
CH-8003 Zürich<br>
<br>
tel: +41 44 466 60 00<br>
fax: +41 44 466 60 10<br>
mail: mailto:<a href="mailto:florian.engelmann@everyware.ch" rel="noreferrer noreferrer" target="_blank">florian.engelmann@everyware.ch</a><br>
web: <a href="http://www.everyware.ch" rel="noreferrer noreferrer noreferrer" target="_blank">
http://www.everyware.ch</a><br>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote></div></div></div>