Installing Avi Vantage for OpenStack

Introduction

About OpenStack

OpenStack is a set of software tools for building and managing cloud computing platforms for public and private clouds. It lets users deploy virtual machines and other instances that handle the different tasks of a cloud environment on demand, and it makes horizontal scaling easy: tasks that benefit from running concurrently can serve more or fewer users simply by spinning instances up or down. OpenStack provides Infrastructure as a Service (IaaS).

About Avi Vantage

The Avi Vantage Platform provides enterprise-grade distributed application delivery controller (ADC) services for on-premises as well as public-cloud infrastructure. It also provides built-in analytics to diagnose and improve the end-user application experience, while simplifying day-to-day operations for network administrators.

Avi Vantage is a complete software solution that runs on commodity x86 servers or as a virtual machine and is driven entirely through its REST API.

OpenStack Integration

Avi Vantage integrates with OpenStack infrastructure components to provide centralized automation, monitoring, and management of application discovery and delivery. Avi Vantage integrates with the following OpenStack services:

  • Keystone: The Avi Controller uses the Keystone API to authenticate OpenStack users who access the Avi API. When an OpenStack user logs in, the Controller can also import tenant/project and role information from Keystone to grant the appropriate privileges on the Controller.
  • Glance: The Avi Controller stores the Service Engine (Avi SE) image in Glance.
  • Nova: The Avi Controller uses the Nova API to create and destroy Avi SEs automatically as needed to meet high availability and performance guarantees.
  • Neutron: The Avi Controller uses the Neutron API to plug SEs into the correct Neutron networks for receiving and sending application traffic.
  • Neutron LBaaS v2: Users can configure load balancer instances directly through the Avi Controller API (or UI or CLI). Optionally, OpenStack administrators can install the Avi LBaaS driver on the Neutron API servers and enable Avi as a provider for the Neutron LBaaS API.
  • Horizon: OpenStack administrators can optionally install the Avi Horizon Dashboard extensions, which embed the full Avi UI in the Horizon Dashboard. Users can then configure load balancer instances and also access the full analytics for their applications.
  • Heat: OpenStack administrators can optionally install the Avi Heat package on the Heat Engine servers to expose all Avi Controller API resource types for use in Heat templates. Compared to the LBaaS (v1 or v2) resource types, the Avi Heat resource types expose significantly more advanced features.

Note: LBaaS v1 is deprecated as of Avi Vantage 17.2.x.

Avi Vantage’s integration with OpenStack is as shown below.

Port Security and Allowed Address Pairs

The port_security option in the Controller's OpenStack cloud configuration determines how the Controller creates Neutron ports for the SEs. If port-security is enabled, the SE ports are created with Neutron port security on and the VIP addresses the SE must answer for are added to the port as allowed address pairs (AAP mode), so Neutron's anti-spoofing filters admit the traffic. If port-security is disabled, the Controller's own ports are left untouched and the SE ports are created with port security disabled, which also removes Neutron's MAC/IP anti-spoofing filtering and security-group enforcement on those ports.

port_security is set to False by default. Do not change it unless the deployment explicitly requires it; when you do enable it, the Neutron allowed-address-pairs extension (see Software Requirements) must be available.

Deployment Modes

Avi Vantage can be deployed into an OpenStack cloud in one of the following modes. These modes differ depending on whether the Avi Controller and Service Engines (SEs) are placed in the same OpenStack tenant, and whether Neutron LBaaS API or Avi Vantage API is used to create load balancers.

  • Single-tenant mode: The Avi Controller and the SEs are deployed together in the same tenant. The Avi Controller has administrator privileges within that tenant, and tenant users with administrator privileges can install and manage Avi Vantage. Use this mode if you do not have administrator privileges for the cloud.
  • Avi-managed LBaaS mode: The Avi Controller and SEs are installed in a tenant separate from the application tenants. The Controller has administrator privileges for the cloud and can manage SEs in other tenants. A tenant administrator can log on to the Avi Controller to manage the infrastructure resources within that administrator's own tenant, but cannot access the resources of other tenants. The tenant administrator configures and manages load-balancing services through the Avi Controller web interface or the Avi REST API.
  • OpenStack-managed LBaaS mode: Similar to Avi-managed LBaaS mode, except that the tenant administrator configures and manages load-balancing services through OpenStack's Neutron service and Horizon dashboard. Neither the Controller web interface nor the Avi API is used. This mode also requires installation of an LBaaS driver and SSL extension from Avi Networks.

Note: The Avi-managed LBaaS option is recommended for its ease of use and advanced feature accessibility.

The following table compares the deployment modes:

                                                Single-tenant   Avi-managed   OpenStack-managed
                                                Mode            LBaaS Mode    LBaaS Mode
Administrator privileges for cloud required     No              Yes           Yes
Managed by tenant user                          No              Yes           Yes
Automated tenant creation                       N/A             Yes           Yes
Advanced load-balancing features                Yes             Yes           Limited
Analytics service                               Yes             Yes           Yes
Avi LBaaS driver install required               No              No            Yes
Avi extension for Horizon dashboard required    No              No            Yes (required for SSL offload and analytics)

Deployment Prerequisites

The physical and software requirements differ depending on the deployment mode.

Virtual Machine Requirements

The following table lists the minimum requirements for the virtual machines (VMs) on which the Avi Controller and SEs are installed.

Component         Memory   vCPUs   HD
Avi Controller    24 GB    8       64 GB
Service Engine    2 GB     2       10 GB

Add 3 GB of memory for each additional vCPU in the Controller. Add 1 GB of memory for each additional vCPU in an SE.

If you allocate more than the minimum number of vCPUs, make sure to also allocate at least the corresponding additional memory. Cloud administrators can, for example, create an m1.xlarge flavor for the Controller image.

Software Requirements

The following table lists the software requirements.

Software                                                          Version
Avi Controller                                                    18.2
OpenStack (and Neutron service)                                   One of the following: Havana, Icehouse, Juno, Kilo, Liberty, Mitaka, Newton, Ocata, Pike
Neutron extension for allowed-address-pair and/or port-security   Required; no version specified
Avi LBaaS driver                                                  17.2
Avi SSL extension for OpenStack Horizon                           17.2

The Avi Vantage image is available in qcow2 (QEMU Copy On Write, version 2) or raw format for the Controller and the SEs. The SE software is embedded in the Controller image and does not require separate installation. In an OpenStack generic cloud (with the Avi cloud connector), the Controller pushes the SE qcow2 image to OpenStack Glance itself. In a no-access cloud, the SE qcow2 image must be downloaded and then manually uploaded to OpenStack Glance.

Note: Installation of Avi Vantage into DevStack is supported only if the DevStack/Nova-launched VMs can run in Kernel-based Virtual Machine (KVM) mode, as opposed to Quick Emulator (QEMU) mode. Refer to the DevStack KVM Guide for information.

Protocol Ports Used by Avi Vantage for Management Communication

In an OpenStack deployment, the Avi Controller and Avi Service Engines use the following ports for management. The firewall (and the security group created during deployment) should allow traffic to these ports from the listed sources, not from arbitrary addresses.

Traffic Source        Traffic Destination    Ports To Allow
Avi Controller        Avi Controller         TCP 22 (SSH), TCP 443, TCP 8443, TCP 5054
Avi Controller        Avi Service Engine     TCP 22
Avi Controller        Management Net         See the section below the table.
Avi Service Engine    Avi Controller         TCP 22, TCP 8443, UDP 123
Management Net        Avi Controller         TCP 22, TCP 80 (optional), TCP 443, TCP 5054 (if using the optional CLI shell for remote management access)

Ports Used by the Controller for Network Services

The Controller may also send traffic to the following ports as part of normal operation:

  • TCP 25 (SMTP)
  • UDP 53 (DNS)
  • UDP 123 (NTP)
  • UDP 162 (SNMP traps)
  • UDP 514 (syslog)

The firewall also should allow traffic from the Controller to these ports.
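As an added example (not Avi Networks or OpenStack code), the following Python generates the ingress rules for a management security group such as the avi-mgmt-sg created in the deployment sections below, scoped to the management network, and audits an existing rule set against the table above. Rules use the field names of the Neutron security-group-rule API (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id). The Controller-to-Controller and Service-Engine-to-Controller ports from the table are combined into one required set and the optional TCP 80 is tracked separately; the sample rules and the 192.168.10.0/24 management CIDR are constructed for this example.

```python
"""Generate and audit Neutron security-group rules for Avi management traffic.

Added example, not Avi Networks or OpenStack code. Ports are the ones the page
lists for traffic to the Avi Controller; rules follow the Neutron API field
layout. Sample data below is constructed.
"""
import ipaddress
from typing import Dict, List

# (protocol, port) that must reach the Controller from the management network.
REQUIRED_INGRESS = {
    ("tcp", 22),    # SSH from cluster peers, SEs and administrators
    ("tcp", 443),   # HTTPS UI and REST API
    ("tcp", 8443),  # secure channel from SEs and cluster peers
    ("tcp", 5054),  # CLI shell; also listed for Controller-to-Controller traffic
    ("udp", 123),   # NTP from SEs
}
OPTIONAL_INGRESS = {("tcp", 80)}  # HTTP, optional on the page
ANY_SOURCE = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def _matches_port(rule: dict, proto: str, port: int) -> bool:
    """True if the rule's protocol and port range include proto/port."""
    if rule.get("protocol") not in (proto, None):   # None means every protocol
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None:                                   # no range means every port
        return True
    return lo <= port <= (hi if hi is not None else lo)


def _matches_source(rule: dict, net) -> bool:
    """True if the ingress rule admits traffic from every address in net."""
    if rule.get("direction") != "ingress":
        return False
    if rule.get("ethertype", "IPv4") != f"IPv{net.version}":
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        # No prefix means "any source" in Neutron unless a remote group is set.
        return rule.get("remote_group_id") is None
    rule_net = ipaddress.ip_network(prefix, strict=False)
    return rule_net.version == net.version and net.subnet_of(rule_net)


def audit_security_group(rules: List[dict], mgmt_cidr: str) -> Dict[str, list]:
    """Report required ports not reachable from mgmt_cidr and ports open to any source."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    missing = sorted(
        (proto, port) for proto, port in REQUIRED_INGRESS
        if not any(_matches_source(r, mgmt) and _matches_port(r, proto, port) for r in rules)
    )
    exposed = []
    for rule in rules:
        if not any(_matches_source(rule, wide) for wide in ANY_SOURCE.values()):
            continue
        prefix = rule.get("remote_ip_prefix") or "any"
        if rule.get("protocol") is None:
            exposed.append(("any", "all", prefix))   # all protocols, all ports
            continue
        for proto, port in sorted(REQUIRED_INGRESS | OPTIONAL_INGRESS):
            if _matches_port(rule, proto, port):
                exposed.append((proto, port, prefix))
    return {"missing": missing, "exposed": exposed}


def required_rules(mgmt_cidr: str, allow_http: bool = False) -> List[dict]:
    """Ingress rules for a management security group, scoped to mgmt_cidr."""
    ethertype = f"IPv{ipaddress.ip_network(mgmt_cidr).version}"
    ports = REQUIRED_INGRESS | (OPTIONAL_INGRESS if allow_http else set())
    return [
        {"direction": "ingress", "ethertype": ethertype, "protocol": proto,
         "port_range_min": port, "port_range_max": port, "remote_ip_prefix": mgmt_cidr}
        for proto, port in sorted(ports)
    ]


# Constructed sample: a hand-made group with SSH open to the world and 8443 missing.
SAMPLE_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "192.168.10.0/24"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 5054, "port_range_max": 5054, "remote_ip_prefix": "192.168.10.0/24"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "udp",
     "port_range_min": 123, "port_range_max": 123, "remote_ip_prefix": "192.168.10.0/24"},
    {"direction": "egress", "ethertype": "IPv4"},   # allow-all egress, as the page permits
]

if __name__ == "__main__":
    print(audit_security_group(SAMPLE_RULES, "192.168.10.0/24"))
    print(audit_security_group(required_rules("192.168.10.0/24"), "192.168.10.0/24"))
```

Running the module prints the findings for the hand-made sample (TCP 8443 missing, SSH reachable from 0.0.0.0/0) and an empty result for the generated rules. The generated dictionaries are the values to pass to the Neutron API or to `openstack security group rule create` when building the group; the audit is worth re-running periodically, since management ports widened to any source are the usual way a Controller ends up exposed.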

Importing User Accounts from Keystone

Through the Avi REST API, Keystone roles can be mapped to role names on the Avi Controller, so that Keystone users receive the corresponding Controller privileges when they log in; the accounts do not need to be recreated on the Controller. The mapping is the role_mapping list in the cloud's openstack_configuration. Here is an example:

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "admin",
        "avi_role": "Tenant-Admin"},
       {"os_role": "_member_",
        "avi_role": "Tenant-Admin"},
       {"os_role": "*",
        "avi_role": "Application-Operator"}
    ],
    ....
}

The role_mapping parameter is an ordered list in which each item specifies how a Keystone role (os_role) maps to a role on the Controller (avi_role). A default mapping for any other Keystone role can be defined by using the "*" wildcard in the os_role field. In the example above, the Keystone roles admin and _member_ are mapped to the Controller role Tenant-Admin, and any other Keystone role is mapped to Application-Operator. Since the list is ordered and the wildcard matches every role, place the wildcard entry last.

In the following example, only users with role lbaas_project_admin are allowed to access the Controller:

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "lbaas_project_admin",
        "avi_role": "Tenant-Admin"}
    ],
    ....
}
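The following Python is an added example (not Avi Networks code) that implements the resolution the two mappings above describe: ordered first-match lookup, the "*" default, and denial when nothing matches, plus an audit that flags a wildcard mapped to Tenant-Admin. One point the page does not state is how a user holding several Keystone roles is treated; the example assumes the first mapping entry, in list order, that matches any of the user's roles wins.

```python
"""Resolve an Avi Controller role from an openstack_configuration role_mapping.

Added example, not Avi Networks code. Semantics from the page: role_mapping is
an ordered list of {os_role, avi_role} entries, os_role "*" is the default for
any other Keystone role, and a user matching no entry is denied. Assumed here
(not stated on the page): a user with several Keystone roles gets the avi_role
of the first entry, in list order, that matches any of them.
"""
from typing import Iterable, List, Optional

WILDCARD = "*"
# Controller roles that should not be handed out by a wildcard default.
# Tenant-Admin is the one the page uses; extend with your own privileged roles.
PRIVILEGED_AVI_ROLES = {"Tenant-Admin"}


def validate_role_mapping(role_mapping: List[dict]) -> None:
    """Reject malformed mappings and a wildcard that shadows later entries."""
    for i, entry in enumerate(role_mapping):
        for key in ("os_role", "avi_role"):
            if not entry.get(key):
                raise ValueError(f"role_mapping[{i}] is missing {key!r}")
    wildcards = [i for i, e in enumerate(role_mapping) if e["os_role"] == WILDCARD]
    if len(wildcards) > 1:
        raise ValueError("role_mapping may contain only one '*' entry")
    # First match wins, so entries after the wildcard could never be reached.
    if wildcards and wildcards[0] != len(role_mapping) - 1:
        raise ValueError("the '*' entry must be the last item of role_mapping")


def resolve_avi_role(role_mapping: List[dict], keystone_roles: Iterable[str]) -> Optional[str]:
    """Return the Controller role for the user, or None to deny access."""
    validate_role_mapping(role_mapping)
    user_roles = set(keystone_roles)
    for entry in role_mapping:
        if entry["os_role"] == WILDCARD:
            # "Any other role": the user must hold at least one Keystone role in
            # the project for the default to apply (assumption of this example).
            return entry["avi_role"] if user_roles else None
        if entry["os_role"] in user_roles:
            return entry["avi_role"]
    return None


def audit_role_mapping(role_mapping: List[dict]) -> List[str]:
    """Flag a wildcard that grants a privileged Controller role to every user."""
    return [
        f"'*' maps every Keystone user to {e['avi_role']}; map it to a "
        "read-only or operator role, or omit it to deny unmapped roles"
        for e in role_mapping
        if e["os_role"] == WILDCARD and e["avi_role"] in PRIVILEGED_AVI_ROLES
    ]


# The two mappings shown on the page.
DEFAULT_TO_OPERATOR = [
    {"os_role": "admin", "avi_role": "Tenant-Admin"},
    {"os_role": "_member_", "avi_role": "Tenant-Admin"},
    {"os_role": WILDCARD, "avi_role": "Application-Operator"},
]
LBAAS_ADMINS_ONLY = [{"os_role": "lbaas_project_admin", "avi_role": "Tenant-Admin"}]
# Equivalent of the CLI line "role_mapping os_role * avi_role Tenant-Admin"
# in the Contrail example later on the page.
EVERYONE_IS_ADMIN = [{"os_role": WILDCARD, "avi_role": "Tenant-Admin"}]

if __name__ == "__main__":
    for roles in (["_member_"], ["heat_stack_owner"], []):
        print(roles, "->", resolve_avi_role(DEFAULT_TO_OPERATOR, roles))
    print(["admin"], "->", resolve_avi_role(LBAAS_ADMINS_ONLY, ["admin"]))
    print(audit_role_mapping(EVERYONE_IS_ADMIN))
```

With the second mapping from the page, a Keystone admin who lacks lbaas_project_admin resolves to None, which is the intended denial; with the first mapping, an unknown role such as heat_stack_owner falls through to Application-Operator. The audit exists because a wildcard to Tenant-Admin turns every Keystone account in the project into a Controller administrator.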

Metadata Instead of config_drive for Avi SEs

In some OpenStack environments, config_drive support is absent or unreliable. Some customers also prefer that Avi SEs not use config_drive, because configuring the VM through it can prevent SE migration under certain conditions.

The config_drive option in the Avi Vantage OpenStack cloud configuration controls this. When it is disabled, the Controller passes SE configuration through the Nova metadata service instead. To have Avi Vantage use metadata, disable config_drive as shown below.

CLI to disable config_drive

: > configure cloud Default-Cloud
: cloud> openstack_configuration
: cloud:openstack_configuration> no config_drive
: cloud:openstack_configuration> save
: cloud> save

Deploying Single-tenant Mode

This section provides the steps for deploying Avi Vantage into an OpenStack cloud in single-tenant mode.

[Figure: single-tenant deployment topology]

In single-tenant mode, the Avi Controller and SEs are installed in the same tenant, and the account the Controller uses has member privileges in that tenant. The member privilege gives the Controller sufficient access to the tenant to spin SEs up and down automatically. Each tenant is responsible for installing and operating its own Avi Vantage.

Deployment Process

Single-tenant installation requires the following procedure.

  • Upload the Avi Controller qcow2 or raw image into Glance in the tenant.
  • Create a management network for the Avi Controller and SEs.
  • Create a security group to allow Avi management traffic.
  • Deploy an Avi Controller instance and assign a floating IP address to it.
  • Use the setup wizard to perform initial configuration of the Controller.

Detailed steps are provided below.

Upload the Controller Image

To upload the Controller Image, execute the following steps.

  1. Download the Avi Vantage Controller image to your local system.
  2. Log into the OpenStack tenant account on the Horizon dashboard.
  3. Navigate to Project > Images.
  4. Click on Create Image, fill out the form and upload the image file.

Create Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

  1. On the Horizon Dashboard, navigate to Network > Networks.
  2. Click on Create Network and follow the wizard’s instructions. For this example,
    • Network name: avi-mgmt
    • DHCP: Enabled
  3. Connect the network to your neutron router.
    a. Navigate to Network > Routers.
    b. In the Name column of the router list, click on the router to which the network should be attached.
    c. Click on the Interfaces tab, then click on Add Interface.

Create Security Group

A security group is required to allow the Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic is allowed:

  • For ingress traffic, the group must allow the ports listed under Protocol Ports Used by Avi Vantage for Management Communication, with the management network as the source.
  • For egress traffic, the group can allow all ports.

Note: The Controller automatically creates a security group for the SEs.

To create a security group (in this example, avi-mgmt-sg) to allow management traffic:

  1. On the Horizon Dashboard, navigate to Project > Access & Security, and click on Create Security Group.
  2. Add ingress rules for the management ports with 192.168.10.0/24, the management network in this example, as the remote CIDR. Scope the rules to that network rather than 0.0.0.0/0, so that SSH, the REST API and the CLI shell on the Controller are not reachable from arbitrary addresses.
    [Figure: ingress rules of the avi-mgmt-sg security group]

Deploy Controller and Assign It a Floating IP

To deploy an Avi Controller instance, launch it with the following settings:

  • Flavor: Use a flavor that meets the Controller minimums listed under Virtual Machine Requirements (24 GB memory, 8 vCPUs, 64 GB disk).
  • Network: Use avi-mgmt to attach the Controller to the management network.
  • Security group: Use avi-mgmt-sg to allow management traffic.
  • Enable config-drive.

To assign a floating IP address to the Controller:

  1. On the Horizon Dashboard, navigate to Project > Compute > Access & Security.
  2. Assign the floating IP address:
    • If no floating IP address is already available, click on Allocate IP to Project.
    • Otherwise, if a floating IP address is already available, associate it with the Avi Controller instance.

Perform Initial Controller Setup

This section shows how to perform initial configuration of the Avi Controller using its deployment wizard. You can change or customize settings following initial deployment using the Avi Controller’s web interface.

Note: While the system is booting up, a blank web page or an HTTP 503 response may appear. In this case, wait for 5 to 10 minutes; then follow the instructions for the setup wizard.

  1. Configure basic system settings:
    • Administrator account
    • DNS and NTP server information
    • Email and SMTP information
  2. Set the Infrastructure Type to OpenStack.
  3. Enter the OpenStack settings:
    • Provide the tenant user credentials (username, password). If you are using Keystone v3 and the user is in a domain other than Default, enter the user as user@domain-name in the Username field.
    • For example, if a user named test was created as a Keystone v3 user in a domain named testdomain, enter test@testdomain when logging into the Avi Controller. If the domain is omitted, the user is looked up in the default domain instead of testdomain, no such user is found there, and Keystone returns an invalid user/password error.
    • Enter the full Keystone Auth URL, including the version path (the CLI example later on this page uses http://172.16.11.50:5000/v2.0); Avi Vantage determines the Keystone API version from it automatically. Prefer an HTTPS URL, since over plain HTTP the Controller's OpenStack credentials cross the network in clear text. When the auth URL is HTTPS, a checkbox to allow self-signed certificates appears. Leave it disabled in a production environment: with it enabled, the Controller cannot tell a genuine Keystone endpoint from one impersonated by an attacker on the path, and OpenStack services should use certificates from a trusted CA in any case.
    • Enable the Keystone Auth option.
  4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.
  5. In the Keystone Role Mapping window, select an Avi Vantage user role to use as the default user role.
    If a user logs in with valid Keystone credentials but with a role whose name does not match any user role defined on the Controller, the default role is assigned. To instead deny access to any user whose role is not defined on the Controller, leave the selection empty (None).
  6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on No.
  7. To verify the installation, navigate to Infrastructure > Clouds, click on Default-Cloud, then click on the Status button. If the status is green, the installation is successful.
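The user@domain-name rule and the Keystone URL settings in step 3 above are easy to get wrong at the wizard, so the following Python is an added example (not Avi Networks code) that makes the resulting authentication explicit: it splits the username into user and Keystone v3 domain, falling back to the Default domain when none is given (the example assumes that is the lookup that fails for a bare test in the text); builds the token request body in the real Keystone v3 and v2.0 formats so the credentials can be checked by hand against /auth/tokens or /tokens before they go into the wizard; reads the API version off the URL path; and flags a plain-HTTP auth URL or an enabled allow-self-signed setting. The hostname, user and password values are placeholders.

```python
"""Keystone settings for the Controller setup wizard, made explicit.

Added example, not Avi Networks code. Request bodies follow the real Keystone
v3 (/auth/tokens) and v2.0 (/tokens) formats; the Default-domain fallback for
a bare username is an assumption of this example. Endpoint, user and password
values are placeholders.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

DEFAULT_DOMAIN = "Default"


def split_user_domain(username: str) -> Tuple[str, str]:
    """Split "user@domain" into (user, domain); no "@" means the Default domain.

    rpartition keeps usernames that contain "@" themselves intact, e.g.
    ops@example.com@testdomain -> ("ops@example.com", "testdomain").
    """
    user, sep, domain = username.rpartition("@")
    if not sep:
        return username, DEFAULT_DOMAIN
    if not user or not domain:
        raise ValueError(f"malformed user@domain value: {username!r}")
    return user, domain


def keystone_version(auth_url: str) -> str:
    """Return "v2.0" or "v3" from the version path at the end of the auth URL."""
    path = urlsplit(auth_url).path.rstrip("/")
    version = path.rsplit("/", 1)[-1]
    if version not in ("v2.0", "v3"):
        raise ValueError(f"auth URL must end in /v2.0 or /v3: {auth_url!r}")
    return version


def password_auth_body(auth_url: str, username: str, password: str, project: str,
                       project_domain: str = DEFAULT_DOMAIN) -> Dict:
    """Token request body for POST {auth_url}/tokens (v2.0) or /auth/tokens (v3)."""
    if keystone_version(auth_url) == "v2.0":
        # v2.0 has no domains; an @domain suffix would be sent as part of the name.
        return {"auth": {"passwordCredentials": {"username": username, "password": password},
                         "tenantName": project}}
    user, domain = split_user_domain(username)
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "domain": {"name": domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}


def check_auth_settings(auth_url: str, allow_self_signed: bool) -> List[str]:
    """Findings a reviewer would raise on the wizard's Keystone settings."""
    findings = []
    if urlsplit(auth_url).scheme != "https":
        findings.append("auth URL is not HTTPS: the Controller's OpenStack "
                        "credentials cross the network in clear text")
    elif allow_self_signed:
        findings.append("self-signed certificates allowed: a host on the path "
                        "can impersonate Keystone and collect the credentials")
    return findings


if __name__ == "__main__":
    url = "https://keystone.example.test:5000/v3"      # placeholder endpoint
    print(password_auth_body(url, "test@testdomain", "secret", "avi-tenant"))
    print(password_auth_body("http://172.16.11.50:5000/v2.0", "admin", "secret", "admin"))
    print(check_auth_settings("http://172.16.11.50:5000/v2.0", allow_self_signed=False))
```

Posting the returned body with curl to the auth URL's /auth/tokens (v3) or /tokens (v2.0) endpoint is a quick way to confirm the credentials and domain before entering them in the wizard; a bare username for a user that lives in another domain reproduces the 401 behind the invalid user/password error the text describes.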

Neutron SDN Plugin Integration

Avi Vantage integrates with the following Neutron SDN plugins to provide VIP placement and floating-IP (FIP) association to VIP.

Nuage SDN

During cloud configuration, select the Integration with Nuage VSD checkbox and provide the VSD host, port and authentication details.

[Figure: Nuage VSD settings in the Default-Cloud editor]

If you are creating a new cloud, the wizard looks as follows:

[Figure: Nuage VSD settings in the new-cloud wizard]

Contrail SDN

Using the Avi UI

During cloud configuration, select the Integration with Contrail checkbox and provide the endpoint URL of the Contrail VNC api-server. The Keystone credentials from the OpenStack configuration are used to authenticate with the api-server service.

Note: Avi Vantage handles the Contrail interface IP automatically, so leave the cloud's Network Settings unchanged when enabling Contrail SDN integration while creating or editing the cloud.

[Figure: Contrail settings in the Default-Cloud editor]

If you are creating a new cloud, the wizard looks as follows.

[Figure: Contrail settings in the new-cloud wizard]

If you are editing an existing cloud, the cloud editor looks as follows.

[Figure: Contrail settings in the cloud editor]

Using the Avi CLI

The following CLI session creates a cloud named oscontrail with Contrail integration enabled. The IP addresses and credentials are placeholders.

: > configure cloud oscontrail
: cloud> vtype cloud_openstack
: cloud> openstack_configuration
: cloud:openstack_configuration> privilege write_access
: cloud:openstack_configuration> username admin
: cloud:openstack_configuration> password xxxyyyzzz
: cloud:openstack_configuration> admin_tenant admin
: cloud:openstack_configuration> mgmt_network_name avi-mgmt
: cloud:openstack_configuration> region RegionOne
: cloud:openstack_configuration> use_keystone_auth
: cloud:openstack_configuration> import_keystone_tenants
: cloud:openstack_configuration> no use_admin_url
: cloud:openstack_configuration> auth_url http://172.16.11.50:5000/v2.0
: cloud:openstack_configuration> no neutron_rbac
: cloud:openstack_configuration> contrail_endpoint http://10.10.10.100:8082
: cloud:openstack_configuration> role_mapping os_role * avi_role Tenant-Admin
New object being created
: cloud:openstack_configuration:role_mapping> save
: cloud:openstack_configuration> save
: cloud> save

Two settings in this example deserve attention before it is used in production: the wildcard role_mapping gives every authenticated Keystone user the Tenant-Admin role on the Controller (narrow it as described under Importing User Accounts from Keystone), and both the Keystone auth_url and the Contrail endpoint use plain HTTP, so the credentials and API calls cross the network unencrypted.

Deploying Avi-managed LBaaS Mode

This section provides the steps for deploying Avi Vantage into an OpenStack cloud in Avi-managed LBaaS mode.

OpenStack-deploy-topo-avilbaas

Avi-managed LBaaS mode provides tenant users with the advantages of Avi Vantage, without the need for them to perform deployment or maintenance of Avi Vantage. Instead, the cloud administrator deploys and manages Avi Vantage. The Avi Controller and SEs in the administrative tenant are shared by other tenants. Users of those tenants are able to secure and optimize their applications using the Avi Vantage resources that reside in the administrative tenant.

Note: Although using an existing tenant instead of creating a new one also is supported, creating a new tenant is recommended for easy maintenance.

Deployment Process

Deployment of Avi-managed LBaaS mode requires the following procedure.

  1. Create a tenant for the Controller and SEs.
  2. Create multiple flavors for the Avi Vantage images, with different resource allocations to fit different sizes of user tenant, if required (for example, avi_ctrl.small and avi_se.medium).
  3. Upload the Avi Controller qcow2 or raw image into Glance in the tenant.
  4. Create a management network for the Avi Controller and SEs.
  5. Create a security group to allow Avi management traffic.
  6. Deploy an Avi Controller instance and assign a floating IP address to it.
  7. Use the setup wizard to perform initial configuration of the Controller.

Detailed steps are provided below.

Create a Tenant for the Controller and SEs

  1. Log into the OpenStack Horizon dashboard with an account that has cloud administrator privileges.
  2. Navigate to Identity > Projects.
  3. Click on New Project and follow the wizard’s instructions.
  4. For Avi Vantage deployment, use the following settings:
    a. Enter a project name (e.g., “avi-tenant”).
    b. Click on the Project Members tab.
    c. Add a user account to Project Members and assign the admin role to the account. This is the account whose credentials the Controller will use to access OpenStack.
    d. Click on the Quota tab and raise the resource limits. The values shown in the figure allow for three Avi Controllers (for redundancy), up to 1000 SEs and some other management instances, if required.

[Figure: project quota settings for the Avi tenant]

Create Multiple Flavors of Controller Image

Use these steps to create the flavors avi_ctrl.small and avi_se.medium.

  1. In the Horizon dashboard, navigate to Admin > System > Flavors and click on Create Flavor.
  2. Fill out the form for the flavor avi_ctrl.small. Assign minimal resources to this flavor, but not less than the Controller minimums listed under Virtual Machine Requirements.
  3. Repeat for avi_se.medium, assigning more resources to this flavor than to avi_ctrl.small.

Upload Controller Image

  1. Download the Avi Vantage Controller qcow2 image to your local system.
  2. In the Horizon dashboard, navigate to Project > Images.
  3. Click on Create Image and fill out the form. Use at least these resource allocations:
    • Minimum disk: 64 GB
    • Minimum memory: 24 GB

Create Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

  1. On the Horizon Dashboard, navigate to Network > Networks.
  2. Click on Create Network and follow the wizard’s instructions. For this example:
    • Network name: avi-mgmt
    • DHCP: Enabled
  3. Connect the network to your Neutron router.
    a. Navigate to Network > Routers.
    b. In the Name column in the router list, click on the router to add an interface to the network.
    c. Click on the Interfaces tab; then click on Add Interface.

Create Security Group

A security group is required to allow the Avi Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic is allowed. For ingress traffic, the group must allow the ports listed under Protocol Ports Used by Avi Vantage for Management Communication, with the management network as the source.

For egress traffic, the group can allow all ports.

Note: The Avi Controller automatically creates a security group for the SEs.

To create a security group (in this example, avi-mgmt-sg) to allow management traffic:

  • Navigate to Project > Access & Security, and click on Create Security Group.
  • Add ingress rules for the management ports with 192.168.10.0/24, the management network in this example, as the remote CIDR rather than 0.0.0.0/0, so that the Controller's management ports are reachable only from that network.

Deploy Controller and Assign it a Floating IP

Deploy an Avi Controller instance:

  • Flavor: Deploy avi_ctrl.small or bigger.
  • Network: Use avi-mgmt to attach the Controller to the management network.
  • Security group: Use avi-mgmt-sg to allow management traffic.
  • Enable config-drive.

To assign a floating IP address to the Controller:

On the Horizon Dashboard, navigate to Project > Compute > Access & Security. Assign the floating IP address:

  • If no floating IP address is already available, click on Allocate IP to Project.
  • If a floating IP address is already available, associate it with the Avi Controller instance.

Perform Initial Controller Setup

This section shows how to perform initial configuration of the Avi Controller using its deployment wizard.

You can change or customize settings following initial deployment using the Avi Controller’s web interface.

  1. Configure basic system settings:
    • Administrator account
    • DNS and NTP server information
    • Email and SMTP information
  2. Set the infrastructure type to OpenStack.
  3. Enter the OpenStack settings:
    • Tenant user credentials (username, password). For a Keystone v3 user in a domain other than Default, use the user@domain-name notation described in the single-tenant setup above.
    • Keystone Auth URL. Prefer HTTPS and leave the option to allow self-signed certificates disabled in production, as described in the single-tenant setup above.
    • Enable the Keystone Auth option.
  4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.
  5. In the Keystone Role Mapping window, select an Avi Vantage user role to use as the default user role.
    If a user logs in with valid Keystone credentials but with a role whose name does not match any user role defined on the Controller, the default role is assigned. To instead deny access to any user whose role is not defined on the Controller, leave the selection empty (None).
  6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on Yes.
  7. In the Tenant Settings window, select the following settings:
    • Per tenant IP route domain
    • Service Engines are managed within the provider context, shared across tenants
    • Tenant has Read Access to Service Engines
  8. Navigate to Infrastructure > Clouds and select the Default-Cloud.
  9. Click on the Service Engine Group tab.
  10. Click on the edit icon. Ensure that compact placement is selected and that Max Number of Service Engines is high enough to meet the needs of all tenants.
  11. To verify the installation, navigate to Infrastructure > Clouds, click on Default-Cloud, then click on the Status button. If the status is green, the installation is successful.

Install Valid Certificate on Avi Controller

This section gives the steps for replacing the Avi Controller’s self-signed certificate with one signed by a Certificate Authority (CA). A certificate signed by a CA that users' browsers trust is required for accessing the Avi Controller through the Horizon dashboard.

  1. Log into the Avi Controller’s web interface.
  2. Navigate to Templates > Security.
  3. Click on Create.
  4. Click on Controller Certificate.
  5. Click on the Import button to import the new certificate and key.
  6. Click on the Upload File button and select the certificate from your system.
  7. Enter the key (PEM or PKCS12), or upload the key file.
  8. Enter the SSL/TLS passphrase if the key is encrypted.
  9. After uploading the new certificate and key, configure the Avi Controller to use them:
    a. Navigate to Administration > Settings > Access Settings.
    b. Click the edit icon.
    c. Select the imported certificate and click on Save.