Description of problem:
In the docs for configuring DVR, there is a mistaken section that instructs the user to create ports on the "External" network that is created by Director. This is incorrect, and could present a security violation.

Version-Release number of selected component (if applicable):
OSP 11 docs

Steps to Reproduce:
1. Follow documentation for DVR configuration

Actual results:
The documentation instructs users to create ports on the External network for the Compute ports. This is not required, and is less secure than attaching only the Controllers to the "External" network created by Director. This network is generally only used for OpenStack Public APIs. This network is usually completely separate from the tenant external network(s), which is where DVR actually needs to be connected.

Note that even in the case where the External Public API network is also used for tenant external traffic, the Compute nodes should not have a Director-deployed IP address on the External network. They only need an external bridge that matches the Controller external bridge, and the Neutron router will attach to the tenant external networks automatically.

Expected results:
Instead of directing users to create ports on the External (public API) network, the instructions should tell users to create an external bridge on the compute nodes which matches the external bridge on the controllers (same VLAN(s), same bridge name). Neutron DVR will create a router on each compute node on each external network. This will perform local floating IP and SNAT services for the VMs on that compute node.

Additional info:

Chapter 14.3 - Caveats

Replace entire section:

"""
For floating IPs, each Compute node requires an interface on the External network. In addition, each Compute node now requires one additional IP address. This is due to the implementation of the external gateway port and the floating IP network namespace.
"""

with:

"""
For floating IPs, each Compute node requires an external bridge which mirrors the external bridge on the Controllers. This bridge should have the same trunked VLANs and same name as the bridge on the Controllers (the default name is "br-ex"). This is due to the implementation of the Neutron L3 agent and floating IP network namespace.
"""

Chapter 14.5 - Deploying DVR

(a) - Insert "tenant" before "external network":

(a) The interface connected to the physical network for _tenant_ external network traffic must be configured on both the Compute and Controller nodes.

Completely remove sections 1) and 2) in this subchapter. There is no need to add ports on the "External" (public API) network on the Controllers. Even if the same network is used for both Public API and tenant external traffic, the Compute nodes themselves *should not* have a port/IP on the External network deployed by Director. Instead, Neutron will automatically create a router with an IP address on the tenant external network(s) when configured post-deployment.

Replace sections 1) and 2) with a section that describes adding an external bridge to the Compute node NIC configs with an interface attached that carries the Neutron external VLANs. There doesn't need to be an IP address on the external bridge. There just has to be a bridge with the same name as the Controller. Like this:

  - type: ovs_bridge
    name: bridge_name
    members:
      - type: interface
        name: nic4

Note that in the above, "bridge_name" is a special token that will be replaced with the value of the NeutronPhysicalBridge parameter (default is "br-ex").
Forgot the URL for the incorrect docs: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/networking_guide/#known_issues_and_caveats
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828