Hi Eric,
Greetings from a fellow Midonet refugee.
On Wed, Oct 18, 2023, 9:53 PM Eric K. Miller <emiller@genesishosting.com> wrote:
Hi,
We have been deploying OpenStack for quite some time, using Kolla-Ansible, and typically choose DVR and OVS with Amphorae deployed by Octavia for load balancing.
With the issues that DVR has with Octavia's Amphorae and Virtual IPs, with essentially non-functional automated fail-over, we have always wanted to move to OVN since it appears to be the popular approach now.
Just FYI there's no reason you need to use DVR with OVS. You could run vanilla OVS with L3-HA and Octavia Amphorae work great and do proper failover. Is DVR a requirement? I don't have any issues with allowed-address-pairs and OVS but I've never tried to mix in DVR.
I have also read that OVN appears to work properly with allowed-address-pairs correctly, whereas with DVR, OVS does not, and thus some of the issues with Amphorae Virtual IPs.
However, OVN, from what I understand, has issues with, or doesn't support, VPNaaS, which we use extensively. Plus, it only supports Layer 4 load balancing, whereas with Amphorae, we get Layer 7 load balancing - also used extensively. I'm not sure, though - maybe OVN with Octavia still supports Amphorae if we need Layer 7 load balancing?
Am I wrong regarding any of the comments above? What is the best back-end networking architecture that provides scalability (so, not VLANs), Layer 7 load balancing with Octavia, along with VPNaaS, in a brand new install with the latest version of OpenStack?
Using Amphorae with an OVN fabric should still work fine. They are VMs and don't really care what they are attached to so long as Neutron responds to the appropriate requests. The OVN Octavia driver has the benefit of native load balancers without VMs, but you are correct that you'd lose your L7 functionality.
Note that we used Midonet long, long ago, and it seemed to have everything we wanted, but shortly after purchasing it, Midokura immediately decided to abandon support for OpenStack and went the Kubernetes route. Not sure if they still do this, but needless to say, Midonet isn't a valid solution unfortunately. Tungsten Fabric appears like an alternate solution to Midonet, but that project is sunsetting in 2024, so that's dead too. :(
Thank you for any suggestions!
Eric
-Erik