OpenStack Cloud Advanced Configuration Options

This article explains the advanced configuration options relevant to the creation of an Avi Vantage OpenStack cloud. These are visible in step 3 of the cloud wizard:

Figure 1. Step 3 within the Avi Vantage cloud editor

Security-Groups (default=True)

The security-groups Neutron extension supports specifying whitelist rules for both ingress and egress. Avi Vantage uses this extension to create one SG per Avi SE. This SG is created with ALL egress and SSH and ICMP ingress. As virtual services are created and placed on this SE, the corresponding service ports are added to the SG. Similarly, when the virtual services are unplaced from the SE, the corresponding service ports are removed from the SG (if no longer used by any other VS on the same SE). If True (the default), the security-group extension will be used. If the underlying network plugin doesn’t support this feature, then VIP traffic will not work unless there are other means by which to achieve the same effect. This option can be turned off if the underlying network supports turning off security filter rules on ports.

The below example shows the security group of an SE with a VS with service port ‘80’ placed on it.


[root@sivacos ~(keystone_admin)]# neutron security-group-list
| 5544b75d-2a57-4f56-b1d0-ef68242293ba | avi-se-30af06c4-09c6-4c94-92be-f39d4dfddf91 | egress, IPv4                                       |
|                                      |                                             | egress, IPv6                                       |
|                                      |                                             | ingress, IPv4,22/tcp, remote_ip_prefix: 0.0.0.0/0  |
|                                      |                                             | ingress, IPv4,80/tcp, remote_ip_prefix: 0.0.0.0/0  |
|                                      |                                             | ingress, IPv4,icmp, remote_ip_prefix: 0.0.0.0/0    |
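The per-SE security group is only as tight as its reconciliation: a service port that is not removed when a virtual service is un-placed stays open on the SE. The following is an added example, not Avi Networks' code, that audits an SE security group against the set of virtual services currently placed on that SE. Rule records use the field names of the Neutron security-group-rule API; the sample rules are constructed to match the avi-se-… group listed above (all egress, SSH and ICMP ingress, plus service port 80).

```python
# Added example; not Avi Networks' code. Rule records follow the field names
# of the Neutron security-group-rule API; the rules below are constructed to
# match the avi-se-... group listed above (all egress, SSH + ICMP ingress, and
# the service port 80 of the one VS placed on the SE).

def _rule(direction, ethertype, protocol=None, port=None, remote="0.0.0.0/0"):
    return {"direction": direction, "ethertype": ethertype,
            "protocol": protocol, "port_range_min": port,
            "port_range_max": port, "remote_ip_prefix": remote}

SE_SG_RULES = [
    _rule("egress", "IPv4", remote=None),
    _rule("egress", "IPv6", remote=None),
    _rule("ingress", "IPv4", "tcp", 22),
    _rule("ingress", "IPv4", "tcp", 80),
    _rule("ingress", "IPv4", "icmp"),
]

# Ingress the SE itself needs; opened when the SG is created.
BASELINE_INGRESS = {("tcp", 22), ("icmp", None)}


def ingress_ports(rules):
    """Set of (protocol, port) tuples opened for IPv4 ingress. A rule with no
    port range (ICMP, or a whole-protocol rule) is recorded as (proto, None);
    a port range is expanded, so a rule for 8000-8002 yields three entries."""
    opened = set()
    for r in rules:
        if r["direction"] != "ingress" or r["ethertype"] != "IPv4":
            continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        if lo is None:
            opened.add((r["protocol"], None))
        else:
            for p in range(lo, (hi if hi is not None else lo) + 1):
                opened.add((r["protocol"], p))
    return opened


def reconcile(rules, placed_services):
    """Compare the SE's SG with the services currently placed on the SE.

    placed_services: set of (protocol, port) for every VS placed on this SE.
    Returns (stale, missing): `stale` are ingress entries no VS needs any more
    (they should have been removed at un-placement); `missing` are services a
    VS needs that the SG does not open, so that VIP's traffic would be dropped."""
    opened = ingress_ports(rules)
    expected = BASELINE_INGRESS | set(placed_services)
    return opened - expected, expected - opened


def main():
    stale, missing = reconcile(SE_SG_RULES, {("tcp", 80)})
    print("in sync" if not (stale or missing) else f"stale={stale} missing={missing}")


if __name__ == "__main__":
    main()
```

Feed `reconcile` the real rules from `neutron security-group-rule-list` (or the API) and the service ports of the VSes the Controller reports on that SE; a non-empty `stale` set is the case worth alerting on, since it means the SE accepts traffic on a port nothing is listening for.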

Anti-Affinity (default=True)

Compute uses the nova-scheduler service to determine the host upon which to launch a VM, based on various criteria and filters. One such filter, ServerGroupAntiAffinityFilter, ensures that each instance in an anti-affinity group is on a different host of the group. Avi Vantage uses one anti-affinity group per SE group, thereby allowing each SE in the SE group to be placed on a different host. This provides better isolation of SEs in the event of host failures. If this option is set to False, anti-affinity filters will not be used. This option can be turned off if nova-compute has only one compute node.

The below example shows an anti-affinity group, serviceenginegroup-37dac996-7c88-4761-a920-6dc9d265c786 in a tenant with two SE VMs.


root@node-17:~# nova server-group-list

+--------------------------------------+------------------------------------------------------------------+----------------------------------+----------------------------------+--------------------+------------------------------------------------------------------------------------+----------+
| Id                                   | Name                                                             | Project Id                       | User Id                          | Policies           | Members                                                                            | Metadata |
+--------------------------------------+------------------------------------------------------------------+----------------------------------+----------------------------------+--------------------+------------------------------------------------------------------------------------+----------+
| c605a898-86fa-457f-80c8-f1db21dfb68a | avi-aasg-serviceenginegroup-37dac996-7c88-4761-a920-6dc9d265c786 | fefb594ef03e4670beaffe3305440e24 | aba3667db25e44afb5aff73f3f363027 | [u'anti-affinity'] | [u'd7509390-6afe-4865-ade2-231e9a664421', u'1867c24e-8495-4cbf-80d0-06a2328656c6'] | {}       |
+--------------------------------------+------------------------------------------------------------------+----------------------------------+----------------------------------+--------------------+------------------------------------------------------------------------------------+----------+

root@node-17:~# nova list | egrep "d7509390|1867c24e"
| d7509390-6afe-4865-ade2-231e9a664421 | cc_os-se-ozmkj                    | ACTIVE | -          | Running     | avimgmt=10.10.44.231                           |
| 1867c24e-8495-4cbf-80d0-06a2328656c6 | cc_os-se-xmrzn                    | ACTIVE | -          | Running     | network-80.21=10.80.21.13;avimgmt=10.10.44.230 |
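A server group with an anti-affinity policy only constrains placement if ServerGroupAntiAffinityFilter is actually enabled in the nova-scheduler filter list, so it is worth checking after the fact that the SEs really landed on distinct hosts. The following is an added example, not Avi Networks' or OpenStack's code. The group record follows the columns of `nova server-group-list` above; the instance-to-host map is constructed with placeholder host names (in a live cloud it would come from the `OS-EXT-SRV-ATTR:host` attribute that `nova show` exposes to admin users).

```python
# Added example; not Avi Networks' or OpenStack's code.
from collections import defaultdict

# Mirrors the server group listed above.
SERVER_GROUP = {
    "id": "c605a898-86fa-457f-80c8-f1db21dfb68a",
    "name": "avi-aasg-serviceenginegroup-37dac996-7c88-4761-a920-6dc9d265c786",
    "policies": ["anti-affinity"],
    "members": ["d7509390-6afe-4865-ade2-231e9a664421",
                "1867c24e-8495-4cbf-80d0-06a2328656c6"],
}

# Constructed placements; "compute-a"/"compute-b" are placeholder host names.
INSTANCE_HOST = {
    "d7509390-6afe-4865-ade2-231e9a664421": "compute-a",
    "1867c24e-8495-4cbf-80d0-06a2328656c6": "compute-b",
}


def anti_affinity_violations(group, instance_host):
    """Map host -> [member ids] for every host carrying more than one member
    of an anti-affinity group. Members whose host is unknown are reported
    under the key None so they are not silently treated as compliant.
    An empty dict means the policy holds (or the group is not anti-affinity)."""
    if "anti-affinity" not in group["policies"]:
        return {}
    by_host = defaultdict(list)
    for member in group["members"]:
        by_host[instance_host.get(member)].append(member)
    return {host: members for host, members in by_host.items()
            if host is None or len(members) > 1}


if __name__ == "__main__":
    print(anti_affinity_violations(SERVER_GROUP, INSTANCE_HOST) or "anti-affinity satisfied")
```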

External-Networks (default=False)

If True, this option enables selection of OpenStack networks marked ‘external’ for Avi management, VIP or data networks.

Metadata Provisioning: (default=’config-drive’)

OpenStack allows metadata to be passed on to VMs using:

  • Config-drive: Metadata is written to a special configuration drive that attaches to the instance when it boots. The instance can mount this drive and read the data. Please refer to this OpenStack document for further details.
  • Metadata-service: Instances retrieve instance-specific data from the metadata service at its fixed link-local URL (http://169.254.169.254).

Avi Vantage supports both options, with config-drive preferred over metadata-service, and requires the OpenStack deployment to support one of them.

VIP Placement (default=’allowed-address-pairs’)

Avi Vantage supports multiple VIP placement methodologies using:

  • Allowed-address-pairs (default=True), a Neutron extension that allows traffic with specific CIDRs to egress from a port. Avi Vantage uses this extension to place VIPs on SE data ports, thereby allowing VIP traffic to egress these data ports. If True, the allowed-address-pairs extension will be used. If the underlying network plugin doesn’t support this feature, then VIP traffic will not work unless there are other means by which to achieve the same effect. This option can be turned off if the underlying network supports turning off security/firewall/spoof filter rules on ports.

Example: On OVS with iptables, an iptables rule for 172.24.10.7 would be added for the Avi data port with UUID prefix 019ec61b.


[root@sivacos ~(keystone_admin)]# neutron port-show 019ec61b-3be2-4e25-a4a8-d48740ffa3a
+-----------------------+--------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                            |
+-----------------------+--------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                             |
| allowed_address_pairs | {"ip_address": "172.24.10.7", "mac_address": "fa:16:3e:47:a2:0e"}                                |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                                   |
| device_id             | c32926e6-6c86-49a0-90a4-9e634a7ac6dd                                                             |
| device_owner          | compute:None                                                                                     |
| fixed_ips             | {"subnet_id": "b679630f-f3d1-4a32-86ca-04ef04534adc", "ip_address":"172.24.10.11"}               |
| id                    | 019ec61b-3be2-4e25-a4a8-d48740ffa3ad                                                             |
| mac_address           | fa:16:3e:47:a2:0e                                                                                |

[root@sivacos ~(keystone_admin)]# iptables -S | grep -i fa:16:3e:47:a2:0e
-A neutron-openvswi-s019ec61b-3 -s 172.24.10.7/32 -m mac --mac-source FA:16:3E:47:A2:0E -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s019ec61b-3 -s 172.24.10.11/32 -m mac --mac-source FA:16:3E:47:A2:0E -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
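When a VIP stops working on an allowed-address-pairs deployment, the question is usually whether the compute node's anti-spoof chain actually carries the RETURN rule for the VIP/MAC pair. The following is an added example, not Avi Networks' or Neutron's code, that checks the text of `iptables -S` for one rule per address the port may legitimately source: its fixed IP plus every allowed-address-pair entry. The sample input is constructed from the two rules shown above; the per-port source chain is taken to be named `neutron-openvswi-s` followed by the first 10 characters of the port id, as in that output.

```python
# Added example; not Avi Networks' or Neutron's code.
import shlex

# Constructed from the two rules in the output above.
IPTABLES_S = (
    '-A neutron-openvswi-s019ec61b-3 -s 172.24.10.7/32 -m mac --mac-source '
    'FA:16:3E:47:A2:0E -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN\n'
    '-A neutron-openvswi-s019ec61b-3 -s 172.24.10.11/32 -m mac --mac-source '
    'FA:16:3E:47:A2:0E -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN\n'
)

# Mirrors the port-show output above, in the list form the Neutron API returns.
PORT = {
    "id": "019ec61b-3be2-4e25-a4a8-d48740ffa3ad",
    "mac_address": "fa:16:3e:47:a2:0e",
    "fixed_ips": [{"ip_address": "172.24.10.11"}],
    "allowed_address_pairs": [{"ip_address": "172.24.10.7",
                               "mac_address": "fa:16:3e:47:a2:0e"}],
}


def parse_source_rules(iptables_text):
    """Yield (chain, source_cidr, mac) for every '-A <chain> ... -j RETURN' rule
    that matches on both a source address and a source MAC. shlex handles the
    quoted --comment argument."""
    for line in iptables_text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A":
            continue
        chain, src, mac, target = argv[1], None, None, None
        i = 2
        while i < len(argv):
            if argv[i] == "-s":
                src, i = argv[i + 1], i + 2
            elif argv[i] == "--mac-source":
                mac, i = argv[i + 1].lower(), i + 2
            elif argv[i] == "-j":
                target, i = argv[i + 1], i + 2
            else:
                i += 1
        if src and mac and target == "RETURN":
            yield chain, src, mac


def _cidr(ip):
    # An allowed-address-pair may already be a CIDR; a bare address is a /32.
    return ip if "/" in ip else ip + "/32"


def expected_pairs(port):
    """(cidr, mac) pairs the port may source: fixed IPs with the port MAC, and
    each AAP with its own MAC (defaulting to the port MAC when omitted)."""
    mac = port["mac_address"].lower()
    pairs = {(_cidr(f["ip_address"]), mac) for f in port["fixed_ips"]}
    for aap in port.get("allowed_address_pairs", []):
        pairs.add((_cidr(aap["ip_address"]), aap.get("mac_address", mac).lower()))
    return pairs


def missing_antispoof_rules(port, iptables_text):
    """Expected pairs with no RETURN rule in this port's source chain."""
    chain = "neutron-openvswi-s" + port["id"][:10]
    present = {(src, mac) for c, src, mac in parse_source_rules(iptables_text)
               if c == chain}
    return expected_pairs(port) - present


if __name__ == "__main__":
    print(missing_antispoof_rules(PORT, IPTABLES_S) or "all IP/MAC pairs allowed")
```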

  • Port-security (default=False)

The port-security Neutron extension enables or disables packet filtering on Neutron networks and/or ports. If the underlying network plugin doesn’t support this feature, then VIP traffic will not work unless there are other means by which to achieve the same effect. By default, on an OpenStack network and/or port, setting port_security_enabled=True activates the rules defined by the port’s security_groups and allowed_address_pairs on that port.

For example, the following shows an Avi data SE interface with a VIP placed on it via allowed-address-pairs.



root@node-17:~# neutron port-show b264479e-5c2c-49ff-86fc-ed6c044785e4
+-----------------------+----------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                    |
+-----------------------+----------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                     |
| allowed_address_pairs | {"ip_address": "10.80.59.150", "mac_address": "fa:16:3e:de:e5:5b"}                                       |
| device_id             | 6b558e67-c593-4c7b-a921-ad973ec05e45                                                                     |
| device_owner          | compute:None                                                                                             |
| fixed_ips             | {"subnet_id": "2deddcd7-1ddf-463d-86e1-d725cb7d98ef", "ip_address":"10.80.59.34"}                        |
| id                    | b264479e-5c2c-49ff-86fc-ed6c044785e4                                                                     |
| mac_address           | fa:16:3e:de:e5:5b                                                                                        |
| name                  | Avi-Data:cluster-f02ac01e-0de3-4b6b-9a06-4caff55c1e46:cloud-3a7bcd5f-7842-448a-86cc-aa21e2361bc2         |
| network_id            | 71bd03e1-db0e-419f-899b-754c9058ed12                                                                     |
| port_security_enabled | True                                                                                                     |
| security_groups       | 83454846-4eb2-4b43-94b7-dd4e90a27916                                                                     |

If port_security_enabled is False on a port, neither security_groups nor allowed_address_pairs are associated with that port. This completely disables any anti-spoof and packet filtering on that port. For example, the following shows an Avi data SE interface with a VIP placed on it via port-security.



root@node-17:~# neutron port-show 9fcac544-20ef-4744-82ec-ebd93c8620
+-----------------------+-------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                       |
+-----------------------+-------------------------------------------------------------------------------------------------------------+
| admin_state_up        | False                                                                                                       |
| allowed_address_pairs |                                                                                                             |
| device_id             | 6e15f087-f2a8-4e1a-a54c-6fef3b641c94                                                                        |
| device_owner          | compute:None                                                                                                |
| fixed_ips             | {"subnet_id": "810fd752-cb67-486d-95e1-845fe316362b", "ip_address":"192.168.10.5"}                          |
| id                    | 9fcac544-20ef-4744-82ec-ebd93c8620c9                                                                        |
| mac_address           | fa:16:3e:c8:d7:c0                                                                                           |
| name                  | Avi-Data:cluster-f02ac01e-0de3-4b6b-9a06-4caff55c1e46:cloud-3a7bcd5f-7842-448a-86cc-aa21e2361bc2            |
| network_id            | f221556d-d204-4906-8fe7-1312d841df7d                                                                        |
| port_security_enabled | False                                                                                                       |
| security_groups       |                                                                                                             |

  • Interface-secondary-ips (default=False)

The interface-secondary-ips method enables addition of secondary IP addresses to a Neutron port, thereby allowing traffic to/from the port without any special extension support. This mode is supported only in a tenant-mode SE configuration (and not in a provider-mode SE configuration).



root@node-17:~# neutron port-show 9fcac544-20ef-4744-82ec-ebd93c8620c9
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                        |
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                         |
| device_id             | 6e15f087-f2a8-4e1a-a54c-6fef3b641c94                                                                         |
| device_owner          | compute:None                                                                                                 |
| dns_assignment        | {"hostname": "host-192-168-10-5", "ip_address": "192.168.10.5", "fqdn": "host-192-168-10-5.openstacklocal."} |
|                       | {"hostname": "host-192-168-10-6", "ip_address": "192.168.10.6", "fqdn": "host-192-168-10-6.openstacklocal."} |
| fixed_ips             | {"subnet_id": "810fd752-cb67-486d-95e1-845fe316362b", "ip_address":"192.168.10.5"}                           |
|                       | {"subnet_id": "810fd752-cb67-486d-95e1-845fe316362b", "ip_address":"192.168.10.6"}                           |
| id                    | 9fcac544-20ef-4744-82ec-ebd93c8620c9                                                                         |
| mac_address           | fa:16:3e:c8:d7:c0                                                                                            |
| name                  | Avi-Data:cluster-f02ac01e-0de3-4b6b-9a06-4caff55c1e46:cloud-3a7bcd5f-7842-448a-86cc-aa21e2361bc2             |
| network_id            | f221556d-d204-4906-8fe7-1312d841df7d                                                                         |
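The three port-show outputs above correspond to the three VIP placement methods, and they differ in what filtering remains on the port: allowed-address-pairs and interface-secondary-ips keep security groups and anti-spoof active, while port_security_enabled=False removes both. The following is an added example, not Avi Networks' code, that decides how a given VIP can leave a port and lists the ports on which no filtering applies at all. The port records are constructed to mirror the outputs in this section; the secondary-IPs port is assumed to have port security left on, since that output does not show the field.

```python
# Added example; not Avi Networks' code. Port records mirror the three
# neutron port-show outputs in this section, in the list form of the API.
import ipaddress

# VIP 10.80.59.150 carried as an allowed-address-pair; port security on.
AAP_PORT = {
    "id": "b264479e-5c2c-49ff-86fc-ed6c044785e4",
    "mac_address": "fa:16:3e:de:e5:5b",
    "fixed_ips": [{"ip_address": "10.80.59.34"}],
    "allowed_address_pairs": [{"ip_address": "10.80.59.150",
                               "mac_address": "fa:16:3e:de:e5:5b"}],
    "port_security_enabled": True,
    "security_groups": ["83454846-4eb2-4b43-94b7-dd4e90a27916"],
}

# Same port id as shown above with port security switched off: no SG, no AAP.
NOSEC_PORT = {
    "id": "9fcac544-20ef-4744-82ec-ebd93c8620c9",
    "mac_address": "fa:16:3e:c8:d7:c0",
    "fixed_ips": [{"ip_address": "192.168.10.5"}],
    "allowed_address_pairs": [],
    "port_security_enabled": False,
    "security_groups": [],
}

# The same port carrying the VIP as a second fixed IP; port security assumed on.
SECIP_PORT = {
    "id": "9fcac544-20ef-4744-82ec-ebd93c8620c9",
    "mac_address": "fa:16:3e:c8:d7:c0",
    "fixed_ips": [{"ip_address": "192.168.10.5"}, {"ip_address": "192.168.10.6"}],
    "allowed_address_pairs": [],
    "port_security_enabled": True,
    "security_groups": [],
}


def _covers(pair, vip):
    """True if an allowed-address-pair entry (host address or CIDR) contains vip."""
    return ipaddress.ip_address(vip) in ipaddress.ip_network(pair["ip_address"], strict=False)


def vip_placement(port, vip):
    """How `vip` can egress `port`:
    'interface-secondary-ips'  - it is one of the port's fixed IPs;
    'port-security'            - port_security_enabled is False, so any address
                                 may be sourced (and no security group applies);
    'allowed-address-pairs'    - it is covered by an AAP on a filtered port;
    None                       - the anti-spoof filter would drop it."""
    fixed = {f["ip_address"] for f in port.get("fixed_ips", [])}
    if vip in fixed:
        return "interface-secondary-ips"
    if not port.get("port_security_enabled", True):
        return "port-security"
    if any(_covers(p, vip) for p in port.get("allowed_address_pairs", [])):
        return "allowed-address-pairs"
    return None


def unfiltered_ports(ports):
    """Ids of ports with port security off: neither security groups nor
    allowed-address-pairs apply, so the instance may source or receive any
    address on that port. These deserve a review of their own."""
    return [p["id"] for p in ports if not p.get("port_security_enabled", True)]


if __name__ == "__main__":
    for port, vip in ((AAP_PORT, "10.80.59.150"), (NOSEC_PORT, "192.168.10.9"),
                      (SECIP_PORT, "192.168.10.6")):
        print(port["id"][:8], vip, vip_placement(port, vip))
    print("unfiltered:", unfiltered_ports([AAP_PORT, NOSEC_PORT, SECIP_PORT]))
```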

Map-admin-to-cloudadmin (default: False)

By default, the Avi admin tenant maps to OpenStack admin tenant. If True, then the Avi admin tenant maps to the admin_tenant configured in the Avi cloud. This directly maps the load-balancer-related operations onto the corresponding tenant in OpenStack.

Neutron-rbac: (default: True)

By default, Avi Vantage consults the Neutron role-based-access-control (RBAC) rules to retrieve the ‘usable’ list of networks for a tenant. This list would normally include the tenant’s own networks, any non-tenant networks widely shared with ‘all’, and any non-tenant networks explicitly shared with the tenant using RBAC. This flag is useful in a provider-mode SE configuration and, if False, the RBAC shared networks are not included in the ‘usable’ list.

Usable-networks: (default: None)

By default, Avi Vantage only displays the ‘usable’ list of networks for a tenant as described in the Neutron-rbac section above. In some deployments, it may be required to have some extra networks visible to the tenant. This repeated field allows such a configuration.

NOTE: The networks listed here must still be accessible by the admin-user configured in the Avi cloud. This is verified at every network listing and is determined by the OpenStack role of the admin-user in that tenant.
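The Neutron-rbac and Usable-networks options together define which networks a tenant sees. The following is an added example, not Avi Networks' code, that computes that ‘usable’ list as the two sections describe it: the tenant's own networks, networks shared with everyone, networks shared with this tenant through a Neutron RBAC policy (only when the Neutron-rbac flag is on), and the extra usable-networks entries, which are kept only if they appear in the listing the admin-user can see. Records use the Neutron API field names (`project_id` and `shared` on networks; `object_id`, `action`, `target_tenant` on rbac-policies); all sample data is constructed.

```python
# Added example; not Avi Networks' code. Network and rbac-policy records use
# Neutron API field names; the data below is constructed.

NETWORKS = [
    {"id": "net-tenant-a", "project_id": "tenant-a", "shared": False},
    {"id": "net-provider-shared", "project_id": "provider", "shared": True},
    {"id": "net-provider-rbac", "project_id": "provider", "shared": False},
    {"id": "net-provider-private", "project_id": "provider", "shared": False},
    {"id": "net-tenant-b", "project_id": "tenant-b", "shared": False},
]

RBAC_POLICIES = [
    # Explicitly shared with tenant-a only.
    {"object_id": "net-provider-rbac", "action": "access_as_shared",
     "target_tenant": "tenant-a"},
]


def usable_networks(tenant, networks, rbac_policies, neutron_rbac=True, extra=()):
    """Sorted ids of the networks `tenant` may use.

    - own networks and networks with shared=True are always included;
    - an rbac-policy with action access_as_shared and target_tenant '*' is
      treated as shared with all (that is what Neutron's shared flag means);
    - a policy naming this tenant counts only when neutron_rbac is True,
      which is the effect of turning the Neutron-rbac flag off;
    - `extra` (the usable-networks field) is added only for ids present in
      `networks`, i.e. visible to the admin-user doing the listing."""
    known = {n["id"] for n in networks}
    result = {n["id"] for n in networks if n["project_id"] == tenant or n["shared"]}
    for p in rbac_policies:
        if p["action"] != "access_as_shared":
            continue
        if p["target_tenant"] == "*" or (neutron_rbac and p["target_tenant"] == tenant):
            result.add(p["object_id"])
    result |= set(extra) & known
    return sorted(result)


def unreachable_extras(extra, networks):
    """usable-networks entries the admin-user cannot see; these are dropped
    from the list above and should be investigated rather than ignored."""
    known = {n["id"] for n in networks}
    return sorted(set(extra) - known)


if __name__ == "__main__":
    print(usable_networks("tenant-a", NETWORKS, RBAC_POLICIES))
    print(usable_networks("tenant-a", NETWORKS, RBAC_POLICIES, neutron_rbac=False))
    print(usable_networks("tenant-a", NETWORKS, RBAC_POLICIES,
                          extra=["net-provider-private", "net-does-not-exist"]))
    print(unreachable_extras(["net-provider-private", "net-does-not-exist"], NETWORKS))
```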

Updated: 2018-01-23 10:30:05 +0000