Hi,
On Friday, 13 September 2024 15:11:12 CEST frantisek.reznicek.szn@gmail.com wrote:
> Dear upstream OpenStack colleagues,
> we recently identified a lot of allocated "network:floatingip_agent_gateway ports" as we were running in pure dvr / dvr_snat modes (compute/network nodes) as also discussed in thread [1].
>
> As we want to reduce the amount of "network:floatingip_agent_gateway ports", our approach is to migrate the majority of compute nodes from L3 agent `dvr` to `dvr_no_external` mode.
> Although we have success with empty nodes, where we can see the node working as expected so north/south traffic now goes via network nodes, on the non-empty compute nodes we struggle.
>
> The reconfiguration steps we are taking:
> 1. our maintenance per each compute node (still in `dvr` mode)
> 1.1. we first identify all VMs with FIP addresses, keep track of the FIPs and connected ports
> 1.2. we disconnect each FIP from port
> 1.3. all VMs on the compute node do not have FIPs
> 1.4. compute node L3 agent configuration is switched `dvr` -> `dvr_no_external`
> 1.5. delete `hypervisor network:floatingip_agent_gateway` port
> 1.6. re-attach all tracked FIPs
> 1.7. test FIP traffic
>
> At the step 1.7. we can see FIPs are not accessible after L3 agent re-configuration. Revert of the L3 agent configuration into `dvr` mode helps to get back the FIP connectivity.
You don't have connectivity because you set the agent into the mode where it doesn't have external connectivity. That's why it doesn't work for you :)
>
> Our questions are:
>
> 1. Principally, can we get rid of `hypervisor network:floatingip_agent_gateway` ports by switching L3 agent to dvr_no_external mode? Can you think of a better way?
Using ML2/ovs with DVR requires using one such IP address per compute node per external network. You can't avoid that. You can configure some 'special' subnet in the network to use IPs from that subnet for that purpose. See https://docs.openstack.org/neutron/latest/admin/config-service-subnets.html
You can also e.g. migrate to the ML2/OVN backend, which doesn't have this limitation.
> 2. Would you recommend other steps how to migrate from `dvr` to `dvr_no_external`? [2] Is it necessary to restart whole neutron / OVS or reconfigured L3 agent is just enough?
>
> Hope for your reply. ;-)
>
> Kind Regards,
> František
>
> [1] https://lists.openstack.org/pipermail/openstack-dev/2016-June/096384.html
> [2] https://opendev.org/openstack/neutron/src/branch/master/releasenotes/notes/dvr-configure-centralized-floatingip-with-new-agent-type-05361f1f78853cf7.yaml#L18-L21
>
>
--
Slawek Kaplonski
Principal Software Engineer
Red Hat