Beliebte Suchanfragen

Cloud Native

DevOps

IT-Security

Agile Methoden

Java

//

Highly available VIPs on OpenStack VMs with VRRP

11.11.2016 | 6 minutes of reading time

Introduction

Virtual IPs (VIPs) are widely used to enable high availabilty for IT infrastructure services. Although the use case is very common, it is surprisingly tricky to set up in an OpenStack environment without a deeper knowledge about neutron and its port security mechanisms. In this blog post I will walk you through the creation of a pair of VMs that share a VIP via the Virtual Router Redundancy Protocol (VRRP) on an OpenStack cloud.

Neutron setup

My OpenStack project has an internal network (192.168.0.0/24) and a router connecting it to an external network (10.98.208.0/24). To setup a HA VIP I need 3 ports that I named vip-port, vm1-port and vm2-port. The VM ports will connect my virtual machines to the internal network, the VIP port actually is just a dummy port that allocates an internal IP address. Neutron will not instantiate this port, it s just a database entry that “blocks” an IP address that will later be used on the VM ports. I want both VMs to be able to communicate via their own IP and the VIP, but the neutron port security mechanisms will drop all traffic not coming from the IP and MAC address pair owned by the VM. Therefore I need to explicitly tell neutron to also allow the IP address of the VIP on the VM ports. This can be done with the --allowed-address-pair parameter on the neutron port-create command:

1$ neutron port-create --name vip-port demo-net
2Created a new port:
3+-----------------------+-------------------------------------------------------------------------------------+
4| Field                 | Value                                                                               |
5+-----------------------+-------------------------------------------------------------------------------------+
6| admin_state_up        | True                                                                                |
7| allowed_address_pairs |                                                                                     |
8| binding:host_id       |                                                                                     |
9| binding:profile       | {}                                                                                  |
10| binding:vif_details   | {}                                                                                  |
11| binding:vif_type      | unbound                                                                             |
12| binding:vnic_type     | normal                                                                              |
13| device_id             |                                                                                     |
14| device_owner          |                                                                                     |
15| fixed_ips             | {"subnet_id": "9bc8ad9b-fa50-41c3-8381-7b86e8fd554b", "ip_address": "192.168.0.14"} |
16| id                    | ae020587-e870-4e38-b72a-6c8980bb92f6                                                |
17| mac_address           | fa:16:3e:03:84:81                                                                   |
18| name                  | vip-port                                                                            |
19| network_id            | f2592a01-e31d-4bdc-8aa7-ca66f938eb83                                                |
20| security_groups       | da933f24-4b8f-4478-909a-ca19aece379d                                                |
21| status                | DOWN                                                                                |
22| tenant_id             | 619a60d46b1349f7998116abec50b088                                                    |
23+-----------------------+-------------------------------------------------------------------------------------+
24$ neutron port-create --name vm1-port --allowed-address-pair ip_address=192.168.0.14 demo-net
25Created a new port:
26+-----------------------+-------------------------------------------------------------------------------------+
27| Field                 | Value                                                                               |
28+-----------------------+-------------------------------------------------------------------------------------+
29| admin_state_up        | True                                                                                |
30| allowed_address_pairs | {"ip_address": "192.168.0.14", "mac_address": "fa:16:3e:69:b2:d2"}                  |
31| binding:host_id       |                                                                                     |
32| binding:profile       | {}                                                                                  |
33| binding:vif_details   | {}                                                                                  |
34| binding:vif_type      | unbound                                                                             |
35| binding:vnic_type     | normal                                                                              |
36| device_id             |                                                                                     |
37| device_owner          |                                                                                     |
38| fixed_ips             | {"subnet_id": "9bc8ad9b-fa50-41c3-8381-7b86e8fd554b", "ip_address": "192.168.0.15"} |
39| id                    | 9ef8a695-0409-43db-9878-bf6b555dcfee                                                |
40| mac_address           | fa:16:3e:69:b2:d2                                                                   |
41| name                  | vm1-port                                                                            |
42| network_id            | f2592a01-e31d-4bdc-8aa7-ca66f938eb83                                                |
43| security_groups       | da933f24-4b8f-4478-909a-ca19aece379d                                                |
44| status                | DOWN                                                                                |
45| tenant_id             | 619a60d46b1349f7998116abec50b088                                                    |
46+-----------------------+-------------------------------------------------------------------------------------+
47$ neutron port-create --name vm2-port --allowed-address-pair ip_address=192.168.0.14 demo-net
48Created a new port:
49+-----------------------+-------------------------------------------------------------------------------------+
50| Field                 | Value                                                                               |
51+-----------------------+-------------------------------------------------------------------------------------+
52| admin_state_up        | True                                                                                |
53| allowed_address_pairs | {"ip_address": "192.168.0.14", "mac_address": "fa:16:3e:9e:8c:66"}                  |
54| binding:host_id       |                                                                                     |
55| binding:profile       | {}                                                                                  |
56| binding:vif_details   | {}                                                                                  |
57| binding:vif_type      | unbound                                                                             |
58| binding:vnic_type     | normal                                                                              |
59| device_id             |                                                                                     |
60| device_owner          |                                                                                     |
61| fixed_ips             | {"subnet_id": "9bc8ad9b-fa50-41c3-8381-7b86e8fd554b", "ip_address": "192.168.0.16"} |
62| id                    | 928c8761-b98b-4c2f-be41-e4ab5ee82eab                                                |
63| mac_address           | fa:16:3e:9e:8c:66                                                                   |
64| name                  | vm2-port                                                                            |
65| network_id            | f2592a01-e31d-4bdc-8aa7-ca66f938eb83                                                |
66| security_groups       | da933f24-4b8f-4478-909a-ca19aece379d                                                |
67| status                | DOWN                                                                                |
68| tenant_id             | 619a60d46b1349f7998116abec50b088                                                    |
69+-----------------------+-------------------------------------------------------------------------------------+

To allow VRRP traffic between the VMs I will now create a security group and assign it to the VM ports we created. Just for convenience reasons I will also add rules for allowing incoming SSH (for login) and ICMP (for ping) traffic.

1$ neutron security-group-rule-create --protocol 112 vrrp
2Created a new security_group_rule:
3+-------------------+--------------------------------------+
4| Field             | Value                                |
5+-------------------+--------------------------------------+
6| direction         | ingress                              |
7| ethertype         | IPv4                                 |
8| id                | a6602f3b-9c5b-427d-a2b1-fa589e4cabd5 |
9| port_range_max    |                                      |
10| port_range_min    |                                      |
11| protocol          | 112                                  |
12| remote_group_id   |                                      |
13| remote_ip_prefix  |                                      |
14| security_group_id | 171563a6-25ce-43dd-8b4f-4fbc5109330e |
15| tenant_id         | 619a60d46b1349f7998116abec50b088     |
16+-------------------+--------------------------------------+
17$ neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 vrrp
18Created a new security_group_rule:
19+-------------------+--------------------------------------+
20| Field             | Value                                |
21+-------------------+--------------------------------------+
22| direction         | ingress                              |
23| ethertype         | IPv4                                 |
24| id                | 717af275-c4bf-41de-9494-2942fa0eae2a |
25| port_range_max    | 22                                   |
26| port_range_min    | 22                                   |
27| protocol          | tcp                                  |
28| remote_group_id   |                                      |
29| remote_ip_prefix  |                                      |
30| security_group_id | 171563a6-25ce-43dd-8b4f-4fbc5109330e |
31| tenant_id         | 619a60d46b1349f7998116abec50b088     |
32+-------------------+--------------------------------------+
33$ neutron security-group-rule-create --protocol icmp vrrp
34Created a new security_group_rule:
35+-------------------+--------------------------------------+
36| Field             | Value                                |
37+-------------------+--------------------------------------+
38| direction         | ingress                              |
39| ethertype         | IPv4                                 |
40| id                | 1bd25b24-33a1-4f13-be8a-361a9c3bff21 |
41| port_range_max    |                                      |
42| port_range_min    |                                      |
43| protocol          | icmp                                 |
44| remote_group_id   |                                      |
45| remote_ip_prefix  |                                      |
46| security_group_id | 171563a6-25ce-43dd-8b4f-4fbc5109330e |
47| tenant_id         | 619a60d46b1349f7998116abec50b088     |
48+-------------------+--------------------------------------+
49$ neutron port-update --security-group vrrp vm1-port
50Updated port: vm1-port
51$ neutron port-update --security-group vrrp vm2-port
52Updated port: vm2-port

As I want to access the VMs and the VIP from outside the cloud I create three floating IPs from my external network called floating and assign them to the three ports.

1$ neutron floatingip-create floating
2Created a new floatingip:
3+---------------------+--------------------------------------+
4| Field               | Value                                |
5+---------------------+--------------------------------------+
6| fixed_ip_address    |                                      |
7| floating_ip_address | 10.98.208.217                        |
8| floating_network_id | 74621f62-b07b-4543-83e5-f6d8504b1aae |
9| id                  | 55009db5-3720-4880-943e-266690356748 |
10| port_id             |                                      |
11| router_id           |                                      |
12| status              | DOWN                                 |
13| tenant_id           | 619a60d46b1349f7998116abec50b088     |
14+---------------------+--------------------------------------+
15$ neutron floatingip-create floating
16Created a new floatingip:
17+---------------------+--------------------------------------+
18| Field               | Value                                |
19+---------------------+--------------------------------------+
20| fixed_ip_address    |                                      |
21| floating_ip_address | 10.98.208.218                        |
22| floating_network_id | 74621f62-b07b-4543-83e5-f6d8504b1aae |
23| id                  | 4377aa79-d2f4-4977-ad63-4d9f8a7f2a42 |
24| port_id             |                                      |
25| router_id           |                                      |
26| status              | DOWN                                 |
27| tenant_id           | 619a60d46b1349f7998116abec50b088     |
28+---------------------+--------------------------------------+
29$ neutron floatingip-create floating
30Created a new floatingip:
31+---------------------+--------------------------------------+
32| Field               | Value                                |
33+---------------------+--------------------------------------+
34| fixed_ip_address    |                                      |
35| floating_ip_address | 10.98.208.219                        |
36| floating_network_id | 74621f62-b07b-4543-83e5-f6d8504b1aae |
37| id                  | 73dea280-4edf-49cc-8432-c3f56d87d531 |
38| port_id             |                                      |
39| router_id           |                                      |
40| status              | DOWN                                 |
41| tenant_id           | 619a60d46b1349f7998116abec50b088     |
42+---------------------+--------------------------------------+
43$ neutron floatingip-associate 55009db5-3720-4880-943e-266690356748 ae020587-e870-4e38-b72a-6c8980bb92f6
44Associated floating IP 55009db5-3720-4880-943e-266690356748
45$ neutron floatingip-associate 4377aa79-d2f4-4977-ad63-4d9f8a7f2a42 9ef8a695-0409-43db-9878-bf6b555dcfee
46Associated floating IP 4377aa79-d2f4-4977-ad63-4d9f8a7f2a42
47$ neutron floatingip-associate 73dea280-4edf-49cc-8432-c3f56d87d531 928c8761-b98b-4c2f-be41-e4ab5ee82eab
48Associated floating IP 73dea280-4edf-49cc-8432-c3f56d87d531

That is all that is needed within neutron.

Create the VMs

Now I am able to create two Ubuntu VMs and conenct them to the VM ports:

1$ nova boot --flavor m1.small --image ec83428f-39e3-4675-a3c6-eff37238dbbe --key-name my_keypair --nic port-id=9ef8a695-0409-43db-9878-bf6b555dcfee vm1
2$ nova boot --flavor m1.small --image ec83428f-39e3-4675-a3c6-eff37238dbbe --key-name my_keypair --nic port-id=928c8761-b98b-4c2f-be41-e4ab5ee82eab vm2

I wait until the VMs are running and log in to install keepalived:

1$ ssh ubuntu@10.98.208.218
2ubuntu@vm1:~$ sudo apt install -y keepalived

To configure keepalived I lookup the name of the network interface on the VM:

1ubuntu@vm1:~$ ip a
21: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
3    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4    inet 127.0.0.1/8 scope host lo
5       valid_lft forever preferred_lft forever
6    inet6 ::1/128 scope host
7       valid_lft forever preferred_lft forever
82: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
9    link/ether fa:16:3e:69:b2:d2 brd ff:ff:ff:ff:ff:ff
10    inet 192.168.0.15/24 brd 192.168.0.255 scope global ens3
11       valid_lft forever preferred_lft forever
12    inet6 fe80::f816:3eff:fe69:b2d2/64 scope link
13       valid_lft forever preferred_lft forever

With the interface name and the IP of the vip-port I can now continue to configure keepalived by editing /etc/keepalived/keepalived.conf:

1vrrp_instance VIP_1 {
2    state MASTER
3    interface ens3
4    virtual_router_id 51
5    priority 150
6    advert_int 1
7    authentication {
8        auth_type PASS
9        auth_pass supersecretpassword
10    }
11    virtual_ipaddress {
12        192.168.0.14
13    }
14}

Now I restart the keepalived service:

1ubuntu@vm1:~$ sudo systemctl restart keepalived

And repeat those steps on the second VM.

Checking the output of ip a on the VMs I see that one of my VMs assigned the VIP IP address 192.168.0.14 to its ens3 interface.

Testing failover

I open a terminal and ping the VIP:

1$ ping 10.98.208.217
2PING 10.98.208.217 (10.98.208.217): 56 data bytes
364 bytes from 10.98.208.217: icmp_seq=0 ttl=59 time=23.294 ms
464 bytes from 10.98.208.217: icmp_seq=1 ttl=59 time=20.879 ms
564 bytes from 10.98.208.217: icmp_seq=2 ttl=59 time=20.152 ms
6...

In a second terminal I log in to the VM that currently has the VIP listed under the ens3 and stop the keepalived:

1ubuntu@vm1:~$ sudo service keepalived stop

If everything worked I should now see that the ping in my first terminal is still working and checking ip a on both VMs shows that the VIP failed over to the other VM.

share post

Likes

1

//

More articles in this subject area

Discover exciting further topics and let the codecentric world inspire you.

//

Gemeinsam bessere Projekte umsetzen.

Wir helfen deinem Unternehmen.

Du stehst vor einer großen IT-Herausforderung? Wir sorgen für eine maßgeschneiderte Unterstützung. Informiere dich jetzt.

Hilf uns, noch besser zu werden.

Wir sind immer auf der Suche nach neuen Talenten. Auch für dich ist die passende Stelle dabei.