Bug 1465583 - [Director][Docs] DVR documentation has incorrect explanation of external connections.
[Director][Docs] DVR documentation has incorrect explanation of external conn...
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation (Show other bugs)
11.0 (Ocata)
Unspecified Unspecified
high Severity high
: async
: 11.0 (Ocata)
Assigned To: RHOS Documentation Team
RHOS Documentation Team
: ZStream
Depends On:
  Show dependency treegraph
Reported: 2017-06-27 12:48 EDT by Dan Sneddon
Modified: 2018-02-23 08:15 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The current DVR documentation is incorrect. Consequence: If deployers follow the current documentation, a security policy violation will occur (Compute nodes should not have a host-level IP on the External Public API network). Also, since the current documentation doesn't cover adding the external bridge, DVR won't work if the installer follows only the official instructions. Fix: The references to the port/IP on the External network should be replaced with instructions for adding an external bridge that matches the controller bridge. Result: DVR requires an attachment to the tenant external bridge, but Compute nodes should not be attached to the External Public API network.
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Dan Sneddon 2017-06-27 12:48:11 EDT
Description of problem:
In the docs for configuring DVR, there is a mistaken section that instructs the user to create ports on the "External" network that is created by Director. This is incorrect, and could present a security violation.

Version-Release number of selected component (if applicable):
OSP 11 docs

Steps to Reproduce:
1. Follow documentation for DVR configuration

Actual results:
The documentation instructs users to create ports on the External network for the Compute ports. This is not required, and is less secure than attaching only the Controllers to the "External" network created by Director. This network is generally only used for OpenStack Public APIs. This network is usually completely separate from the tenant external network(s), which is where DVR actually needs to be connected.

Note that even in the case where the External Public API network is also used for tenant external traffic, the Compute nodes should not have a Director-deployed IP address on the External network. They only need an external bridge that matches the Controller external bridge, and the Neutron router will attach to the tenant external networks automatically.

Expected results:
Instead of directing users to create ports on the External (public API) network, the instructions should tell users to create an external bridge on the compute nodes which matches the external bridge on the controllers (same VLAN(s), same bridge name).

Neutron DVR will create a router on each compute node on each external network. This will perform local floating IP and SNAT services for the VMs on that compute node.

Additional info:

Chapter 14.3 - Caveats
Replace entire section:
""" For floating IPs, each Compute node requires an interface on the External network. In addition, each Compute node now requires one additional IP address. This is due to the implementation of the external gateway port and the floating IP network namespace. """


""" For floating IPs, each Compute node requires an external bridge which mirrors the external bridge on the Controllers. This bridge should have the same trunked VLANs and same name as the bridge on the Controllers (the default name is "br-ex"). This is due to the implementation of the Neutron L3 agent and floating IP network namespace. """

Chapter 14.5 - Deploying DVR
(a) - Insert "tenant" before "external network":
(a) The interface connected to the physical network for _tenant_ external network traffic must be configured on both the Compute and Controller nodes. 

Completely remove sections 1) and 2) in this subchapter. There is no need to add ports on the "External" (public API) network on the Controllers. Even if the same network is used for both Public API and tenant external traffic, the Compute nodes themselves *should not* have a port/IP on the External network deployed by Director. Instead, Neutron will automatically create a router with an IP address on the tenant external network(s) when configured post-deployment.

Replace sections 1) and 2) with a section that describes adding an external bridge to the Compute node NIC configs with an interface attached that carries the Neutron external VLANs. There doesn't need to be an IP address on the external bridge. There just has to be a bridge with the same name as the Controller. Like this:

              type: ovs_bridge
              name: bridge_name
                  type: interface
                  name: nic4

Note that in the above, "bridge_name" is a special token that will be replaced with the value of the NeutronPhysicalBridge parameter (default is "br-ex").

Note You need to log in before you can comment on or make changes to this bug.