[openstack-dev] [Octavia] Object Model and DB Structure

Eichberger, German german.eichberger at hp.com
Mon Aug 18 17:21:49 UTC 2014


Hi,

My 2 cents for the multiple listeners per load balancer discussion: We have customers who like to have a listener on port 80 and one on port 443 on the same VIP (we had to patch libra to allow two "listeners" in one single haproxy) - so having that would be great.

I like the proposed status :-)

Thanks,
German

-----Original Message-----
From: Brandon Logan [mailto:brandon.logan at RACKSPACE.COM] 
Sent: Sunday, August 17, 2014 8:57 PM
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [Octavia] Object Model and DB Structure

Oh hello again!

You know the drill!

On Sat, 2014-08-16 at 11:42 -0700, Stephen Balukoff wrote:
> Hi Brandon,
> 
> 
> Responses in-line:
> 
> On Fri, Aug 15, 2014 at 9:43 PM, Brandon Logan 
> <brandon.logan at rackspace.com> wrote:
>         Comments in-line
>         
>         On Fri, 2014-08-15 at 17:18 -0700, Stephen Balukoff wrote:
>         > Hi folks,
>         >
>         >
>         > I'm OK with going with no shareable child entities
>         (Listeners, Pools,
>         > Members, TLS-related objects, L7-related objects, etc.).
>         This will
>         > simplify a lot of things (like status reporting), and we can
>         probably
>         > safely work under the assumption that any user who has a use
>         case in
>         > which a shared entity is useful is probably also technically
>         savvy
>         > enough to not only be able to manage consistency problems
>         themselves,
>         > but is also likely to want to have that level of control.
>         >
>         >
>         > Also, an haproxy instance should map to a single listener.
>         This makes
>         > management of the configuration template simpler and the
>         behavior of a
>         > single haproxy instance more predictable. Also, when it
>         comes to
>         > configuration updates (as will happen, say, when a new
>         member gets
>         > added to a pool), it's less risky and error prone to restart
>         the
>         > haproxy instance for just the affected listener, and not for
>         all
>         > listeners on the Octavia VM. The only down-sides I see are
>         that we
>         > consume slightly more memory, we don't have the advantage of
>         a shared
>         > SSL session cache (probably doesn't matter for 99.99% of
>         sites using
>         > TLS anyway), and certain types of persistence wouldn't carry
>         over
>         > between different listeners if they're implemented poorly by
>         the
>         > user. :/  (In other words, negligible down-sides to this.)
>         
>         
>         This is fine by me for now, but I think this might be
>         something we can
>         revisit later after we have the advantage of hindsight.  Maybe
>         a
>         configurable option.
> 
> 
> Sounds good, as long as we agree on a path forward. In the mean time, 
> is there anything I'm missing which would be a significant advantage 
> of having multiple Listeners configured in a single haproxy instance?
> (Or rather, where a single haproxy instance maps to a loadbalancer
> object?)

No particular reason as of now.  Just feel like that could be something that could hinder a particular feature or even performance in the future.  It's not rooted in any fact or past experience.

>  
>         I have no problem with this. However, one thing I often do
>         think about
>         is that it's not really ever going to be load balancing
>         anything with
>         just a load balancer and listener.  It has to have a pool and
>         members as
>         well.  So having ACTIVE on the load balancer and listener, and
>         still not
>         really load balancing anything is a bit odd.  Which is why I'm
>         in favor
>         of only doing creates by specifying the entire tree in one
>         call
>         (loadbalancer->listeners->pool->members).  Feel free to
>         disagree with me
>         on this because I know this not something everyone likes.  I'm
>         sure I am
>         forgetting something that makes this a hard thing to do.  But
>         if this
>         were the case, then I think only having the provisioning
>         status on the
>         load balancer makes sense again.  The reason I am advocating
>         for the
>         provisioning status on the load balancer is because it still
>         simpler,
>         and only one place to look to see if everything were
>         successful or if
>         there was an issue.
> 
> 
> Actually, there is one case where it makes sense to have an ACTIVE 
> Listener when that listener has no pools or members:  Probably the 2nd 
> or 3rd most common type of "load balancing" service we deploy is just 
> an HTTP listener on port 80 that redirects all requests to the HTTPS 
> listener on port 443. While this can be done using a (small) pool of 
> back-end servers responding to the port 80 requests, there's really no 
> point in not having the haproxy instance do this redirect directly for 
> sites that want all access to happen over SSL. (For users that want 
> them we also insert HSTS headers when we do this... but I digress. ;)
> )
> 
> 
> Anyway, my point is that there is a common production use case that 
> calls for a listener with no pools or members.

Yeah we do HTTPS redirect too (or HTTP redirect as I would call it...I could digress myself).  I don't think its common for our customers, but it obviously should still be supported.  Also, wouldn't that break the only one listener per instance rule? Also also, I think haproxy 1.5 has "redirect scheme" option that might do away with the extra frontend section.  I could be wrong though.

>  
>         
>         Again though, what you've proposed I am entirely fine with
>         because it
>         works great with having to create a load balancer first, then
>         listener,
>         and so forth.  It would also work fine with a single create
>         call as
>         well.
> 
> 
> We should probably create more formal API documentation, eh. :)  (Let 
> me pull up my drafts from 5 months ago...)

What I'm hoping the API will look like will be different than those drafts, similar though.  So they're probably a good starting point.
Then again the neutron lbaas api google doc is probably a good one too.

>  
>         >
>         > I don't think that these kinds of status are useful /
>         appropriate for
>         > Pool, Member, Healthmonitor, TLS certificate id, or L7
>         Policy / Rule
>         > objects, as ultimately this boils down to configuration
>         lines in an
>         > haproxy config somewhere, and really the Listener status is
>         what will
>         > be affected when things are changed.
>         
>         
>         Total agreement on this.
>         >
>         > I'm basically in agreement with Brandon on his points with
>         operational
>         > status, though I would like to see these broken out into
>         their various
>         > meanings for the different object types. I also think some
>         object
>         > types won't need an operational status (eg. L7 Policies,
>         > healthmonitors, etc.) since these essentially boil down to
>         lines in an
>         > haproxy configuration file.
>         
>         
>         Yeah I was thinking could be more descriptive status names for
>         the load
>         balancer and listener statuses.  I was thinking load balancer
>         could have
>         PENDING_VIP_CREATE/UPDATE/DELETE, but then that'd be painting
>         us into a
>         corner.  More general is needed.  With that in mind, the
>         generic
>         PENDING_CREATE/UPDATE/DELETE is adequate enough as long as the
>         docs
>         explain what they mean for each object clearly.
> 
> 
> Right. Let's get this documented. :) Or rather-- let's get drafts of 
> this documentation going in gerrit so people can give specific 
> feedback.  (I'm happy to work on this, so long as I'm not a blocker on 
> anything else-- I want to make sure anyone who wants to put time into 
> the Octavia project knows how they can be useful, eh. It's a major pet 
> peeve of mine to find out after the fact that somebody was waiting on 
> something for me, and that this was a blocker for them being
> productive.)

I like your documentation skills and attention to detail.  If you don't mind doing it, unless someone else wants something to do.

>  
> Stephen
> 
> 
> 
> --
> Stephen Balukoff
> Blue Box Group, LLC
> (800)613-4305 x807
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list