Installing Avi Vantage for OpenStack

Overview

OpenStack

OpenStack is a set of software tools for building and managing cloud computing platforms for public and private clouds. OpenStack allows you to deploy virtual machines and other instances that handle different tasks for managing a cloud environment instantly. It makes horizontal scaling easy, which means that tasks that benefit from running concurrently can easily serve more or fewer users on the fly by just spinning up more instances. OpenStack provides Infrastructure as a Service (IaaS).

Avi Vantage

The Avi Vantage platform provides enterprise-grade distributed ADC solutions for on-premises as well as public-cloud infrastructure. Avi Vantage also provides built-in analytics to diagnose and improve the end-user application experience, while making operation easier for network administrators.

Avi Vantage is a complete software solution which runs on commodity x86 servers or as a virtual machine and is entirely enabled by its REST API.

OpenStack Integration

Avi Vantage integrates with OpenStack infrastructure components to provide centralized automation, monitoring, and management of application discovery and delivery.

Avi Vantage integrates with the following OpenStack services:

  • Keystone — The Avi Controller uses the Keystone API to authenticate any OpenStack user accessing the Avi API. When an OpenStack user logs in, the Avi Controller can also automatically import tenant/project and role information from Keystone to grant the appropriate privileges on the Avi Controller.
  • Glance — The Avi Controller uses Glance to store the Service Engine (SE) image.
  • Nova — The Avi Controller uses the Nova API to automatically create and destroy application delivery Service Engines (Avi SEs) as needed to support high availability and guarantee performance.
  • Neutron — The Avi Controller uses the Neutron API to plug Service Engines into the right Neutron networks for receiving and sending application traffic.
  • Heat — OpenStack administrators can optionally install the Avi Heat package on the Heat Engine servers to expose all Avi Controller API resource types for use in Heat templates. In contrast to the LBaaS (v1 or v2) resource types, the Avi Heat resource types expose significantly more advanced features.

Avi Vantage’s integration with OpenStack is shown as follows:

Deployment Modes

Avi Vantage can be deployed into an OpenStack cloud in one of the following modes. These modes differ depending on whether the Avi Controller and Service Engines (SEs) are placed in the same OpenStack tenant, and whether Neutron LBaaS API or Avi Vantage API is used to create load balancers.

  • Single-tenant mode — The Avi Controller and the SEs are deployed together in the same single tenant. The Avi Controller has administrator privileges within the tenant. Tenant users with administrator privileges within the tenant can install and manage Avi Vantage. Use this deployment mode if you do not have administrator privileges for the cloud.
  • Avi-managed mode — The Avi Controller and SEs are installed in separate tenants. The Controller has administrator privileges for the cloud and can manage SEs that are in different tenants. A tenant administrator can log onto the Avi Controller to manage the infrastructure resources within the administrator’s own tenant but cannot access the resources within other tenants. The tenant administrator can configure and manage load balancing services through the Avi Controller web interface or through the Avi REST API.

Note: The Avi-managed option is recommended for its ease of use and advanced feature accessibility.

The following table compares each deployment mode:

                                               Single-tenant Mode   Avi-managed Mode
Require administrator privileges for cloud?    No                   Yes
Managed by tenant user                         No                   Yes
Automated tenant creation                      N/A                  Yes
Advanced load-balancing features available     Yes                  Yes
Analytics service                              Yes                  Yes

Deployment Prerequisites

The physical and software requirements differ depending on the deployment mode.

Software Requirements

The following table lists the software requirements:

Software                                     Version
Avi Controller                               18.2
OpenStack (and Neutron service)              One of the following: Newton, Ocata, Pike, Queens. Rocky is also supported since 18.2.3 and Stein since 18.2.6.
Neutron extension for allowed-address-pair

The Avi Vantage image is available in qcow2 (QEMU Copy On Write) or raw format. The SE software is embedded in the Controller image and does not require separate installation. In an OpenStack generic cloud (with the Avi cloud connector), the Avi Controller pushes the SE qcow2 image to OpenStack Glance. In a no-access cloud, you need to download the SE qcow2 image and upload it to OpenStack Glance manually.

Note: In KVM/OpenStack, Service Engines are limited to 24 vNICs. To support that many, the Service Engine (SE) should be configured with a flavor that has at least 3 GB of memory.

Protocol Ports used by Avi Vantage for Management Communication

In an OpenStack deployment, the Avi Controller and Avi Service Engines use the following ports for management. The firewall should allow traffic to these ports.

Traffic Source       Traffic Destination   Ports To Allow
Avi Controller       Avi Controller        TCP 22 (SSH), TCP 443, TCP 8443, TCP 5054
Avi Controller       Avi Service Engine    TCP 22
Avi Controller       Management Net        See section below the table.
Avi Service Engine   Avi Controller        TCP 22, TCP 8443, UDP 123
Avi Service Engine   Management Net        TCP 22, TCP 80 (optional), TCP 443, TCP 5054 (if using the optional CLI shell for remote management access)

Ports used by the Controller for Network Services

The Controller may send traffic to the following ports as part of network operation:

  • TCP 25 (SMTP)
  • UDP 53 (DNS)
  • UDP 123 (NTP)
  • UDP 162 (SNMP traps)
  • UDP 514 (syslog)

The firewall should also allow traffic from the Controller to these ports.

Importing User Accounts from Keystone

Using the Avi REST API, you can export user roles from Keystone into the Avi Controller and directly map to role names in the Controller. You need not recreate the accounts on the Controller. Here is an example:

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "admin",
        "avi_role": "Tenant-Admin"},
       {"os_role": "_member_",
        "avi_role": "Tenant-Admin"},
       {"os_role": "*",
        "avi_role": "Application-Operator"}
    ],
    ....
}

The role_mapping parameter is an ordered list, where each item specifies how a Keystone role (os_role) maps to a role in the Controller (avi_role). You can define a default mapping for any Keystone role by specifying the "*" wildcard in the os_role field. In the above example, the Keystone roles admin and _member_ are mapped to the Tenant-Admin role in the Controller, and any other Keystone role is mapped to the Application-Operator role on the Controller.

In the following example, only users with role lbaas_project_admin are allowed to access the Controller:

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "lbaas_project_admin",
        "avi_role": "Tenant-Admin"}
    ],
    ....
}
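The following Python is added here as an illustration and is not Avi code: it models how the ordered role_mapping list from both examples above is evaluated (first matching entry wins, "*" matches any Keystone role, no match means the login is refused) and lints a mapping for entries that an earlier wildcard makes unreachable. How a user holding several Keystone roles is matched (first list entry that matches any of them) is an assumption.

```python
"""Illustration (not Avi code) of Keystone role_mapping evaluation and linting."""
from typing import Iterable, List, Optional

# Constructed copies of the two role_mapping examples shown in the text.
DEFAULT_MAPPING = [
    {"os_role": "admin", "avi_role": "Tenant-Admin"},
    {"os_role": "_member_", "avi_role": "Tenant-Admin"},
    {"os_role": "*", "avi_role": "Application-Operator"},   # catch-all default
]
RESTRICTED_MAPPING = [
    {"os_role": "lbaas_project_admin", "avi_role": "Tenant-Admin"},
]


def resolve_avi_role(keystone_roles: Iterable[str], role_mapping) -> Optional[str]:
    """Return the Avi role granted to a user holding keystone_roles, or None
    when no entry matches (the Controller then refuses the login).

    Entries are tried in list order; the first one whose os_role is "*" or
    is among the user's Keystone roles wins (assumed semantics for users
    with several roles)."""
    roles = set(keystone_roles)
    for entry in role_mapping:
        if entry["os_role"] == "*" or entry["os_role"] in roles:
            return entry["avi_role"]
    return None


def check_role_mapping(role_mapping) -> List[str]:
    """Lint a role_mapping list and return human-readable findings:
    entries after a "*" wildcard can never match, and a duplicated os_role
    only takes effect at its first position."""
    findings = []
    seen = set()
    wildcard_seen = False
    for index, entry in enumerate(role_mapping):
        os_role = entry["os_role"]
        if wildcard_seen:
            findings.append(f"entry {index} ({os_role}) is shadowed by an earlier '*'")
        elif os_role in seen:
            findings.append(f"entry {index} ({os_role}) duplicates an earlier entry")
        seen.add(os_role)
        if os_role == "*":
            wildcard_seen = True
    return findings


if __name__ == "__main__":
    # Constructed users: a project member, a read-only user, and an admin.
    for user_roles in (["_member_", "heat_stack_owner"], ["reader"], ["admin"]):
        print(user_roles, "->", resolve_avi_role(user_roles, DEFAULT_MAPPING),
              "/", resolve_avi_role(user_roles, RESTRICTED_MAPPING))
    # A mapping with the wildcard first: the specific entry is unreachable.
    print(check_role_mapping([DEFAULT_MAPPING[2], DEFAULT_MAPPING[0]]))
```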

Metadata instead of config_drive for Avi SEs

In some OpenStack environments, config_drive support is either absent or not installed properly. Also, under certain conditions you may not want Avi SEs to use config_drive, because a VM configured with it can be prevented from migrating.

Avi Vantage can use the OpenStack metadata service instead of config_drive for SE VMs. You enable this by disabling config_drive in the cloud's OpenStack configuration.

CLI to Disable Config_drive

: > configure cloud Default-Cloud
: cloud> openstack_configuration
: cloud:openstack_configuration> no config_drive
: cloud:openstack_configuration> save
: cloud> save

Deploying Single-Tenant Mode

This section provides the steps for deploying Avi Vantage into an OpenStack cloud in single-tenant mode.


In single-tenant mode, the Avi Controller and SEs are installed in the same tenant, and have member privileges for that tenant. The member privilege grants the Avi Controller full access to the tenant so that it can automatically spin-up and spin-down an SE. Each tenant is responsible for installing and operating Avi Vantage.

Deploying Avi-managed Mode

This section provides the steps for deploying Avi Vantage in an OpenStack cloud in Avi-managed mode.


Avi-managed mode provides tenant users with the advantages of Avi Vantage, without the need to deploy or maintain Avi Vantage. Instead, the cloud administrator deploys and manages Avi Vantage. The Avi Controller and SEs in the administrative tenant are shared by other tenants. Users of those tenants are able to secure and optimize their applications using the Avi Vantage resources that reside in the administrative tenant.

Note: Although you can use an existing tenant instead of creating a new one, it is recommended to create a new tenant for easy maintenance.

Deployment Process

The following is the procedure to install Avi Vantage in single-tenant mode:

Uploading the Controller Image

The following are the steps to upload the Controller image:

  1. Copy the Avi Vantage Controller image onto your hard drive.
  2. Log into the OpenStack tenant account on the Horizon dashboard.
  3. Navigate to Project > Images.
  4. Click on Create Image and fill out the form.

Creating Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

The following are the steps to create the management network:

  1. On the Horizon dashboard, navigate to Network > Networks.
  2. Click on Create Network and follow the wizard’s instructions. For instance,
    • Network name: avi-mgmt
    • DHCP: Enabled
  3. Connect the network to your Neutron router.
    a. Navigate to Network > Routers.
    b. In the Name column of the router list, click on the router to add an interface to the network.
    c. Click on the Interfaces tab, then click on Add Interface.

Creating Security Group

A security group is required to allow the Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic will be allowed.

  • For ingress traffic, the group must allow these ports.
  • For egress traffic, the group can allow all ports.

Note: The Controller automatically creates a security group for the SEs.

The following are the steps to create a security group (in this example, Avi-mgmt-sg) to allow management traffic:

  1. On the Horizon dashboard, navigate to Project > Access & Security, and click on Create Security Groups.
  2. Add rules as shown in the following example, where 192.168.10.0/24 is the management network.
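The following Python is an added example, not from the Avi documentation: it expresses the management security group described above as OpenStack security-group rule specifications and audits an existing rule set against them. The ingress ports are those the management port table lists with the Avi Controller as destination, and 192.168.10.0/24 is the page's sample management network; the dict keys match the keyword arguments of openstacksdk's Connection.network.create_security_group_rule(), but the code never contacts OpenStack and builds its input inline.

```python
"""Added example: least-privilege Controller security-group rules and an audit."""
from typing import List

MGMT_CIDR = "192.168.10.0/24"   # sample management network from the text

# (protocol, port, purpose): ingress the Controller must accept from the
# management network, taken from the Controller-to-Controller and
# SE-to-Controller rows of the port table.
CONTROLLER_INGRESS = [
    ("tcp", 22, "SSH"),
    ("tcp", 443, "HTTPS web interface / REST API"),
    ("tcp", 8443, "Service Engine to Controller"),
    ("tcp", 5054, "CLI shell (optional)"),
    ("udp", 123, "NTP from Service Engines"),
]


def build_ingress_rules(remote_cidr: str = MGMT_CIDR, ports=CONTROLLER_INGRESS) -> List[dict]:
    """Return one ingress rule spec per required port, limited to the
    management CIDR. No egress rules are produced because the text allows
    egress on all ports."""
    return [
        {
            "direction": "ingress",
            "ethertype": "IPv4",
            "protocol": proto,
            "port_range_min": port,
            "port_range_max": port,
            "remote_ip_prefix": remote_cidr,
            "description": purpose,
        }
        for proto, port, purpose in ports
    ]


def audit_ingress_rules(rules, allowed=CONTROLLER_INGRESS, remote_cidr: str = MGMT_CIDR) -> List[str]:
    """Report every ingress rule broader than the management requirement:
    a source prefix other than the management CIDR (for example 0.0.0.0/0),
    a port range instead of a single port, or a port not in the allowed list.
    Egress rules are skipped because they may be open."""
    allowed_ports = {(proto, port) for proto, port, _ in allowed}
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress":
            continue
        proto = rule.get("protocol")
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        label = f"{proto}/{lo}-{hi}"
        if rule.get("remote_ip_prefix") != remote_cidr:
            findings.append(f"{label}: source {rule.get('remote_ip_prefix')} "
                            f"is not the management network {remote_cidr}")
        if lo is None or hi is None or lo != hi:
            findings.append(f"{label}: port range instead of a single port")
        elif (proto, lo) not in allowed_ports:
            findings.append(f"{label}: not a required management port")
    return findings


if __name__ == "__main__":
    # Constructed rule set: the intended rules plus one SSH rule open to the world.
    sample = build_ingress_rules() + [
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    ]
    for finding in audit_ingress_rules(sample):
        print("finding:", finding)
```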

Deploying Controller and Assigning it a Floating IP

The following are the steps to deploy an Avi Controller instance:

  • Flavor — Deploy the same flavor that was chosen in the previous steps.
  • Network — Use avi-mgmt to attach the Controller to the management network.
  • Security group — Use avi-mgmt-sg to allow management traffic.
  • Enable config-drive.

The following are the steps to assign a floating IP address to the Controller:

  1. On the Horizon dashboard, navigate to Project > Compute > Access & Security.
  2. Assign the floating IP address:
    • If floating IP address is not available, click on Allocate IP to Project.
    • If a floating IP address is available, you can associate it with the Avi Controller instance.

Performing Initial Controller Setup

This section shows the steps to perform initial configuration of the Avi Controller using its deployment wizard. You can change or customize settings following initial deployment using the Avi Controller’s web interface.

Note: While the system is booting up, a blank web page or 503 status code may appear. In this case, wait for 5 to 10 minutes; then follow the instructions for the setup wizard.

  1. Configure basic system settings, such as:
    • Administrator account
    • DNS and NTP server information
    • Email and SMTP information
  2. Set the Infrastructure Type to OpenStack as shown in the image below.

  3. Specify the OpenStack settings.
    • Provide the tenant user credentials (username, password). If you are using Keystone V3 and want to provide a user in a non-default domain, use the notation user@domain-name in the Username field as shown below.
    • If you create a username test as a Keystone v3 user in a domain named testdomain, then explicitly specify test@testdomain while logging into the Avi Controller. If the domain name is not specified in this form, Keystone looks for a domain with UUID testdomain rather than the name testdomain. Since no domain with a UUID of testdomain exists, Keystone fails and returns an invalid user/password error.
    • Use the full value in the Keystone Auth URL field. Avi Vantage determines the Keystone API version automatically. When the auth URL is a secure URL (HTTPS), the system will display an option to either allow or disallow self-signed certificates. You should disable that checkbox in a production environment, since OpenStack services should use proper, trusted certificates.
    • Enable the Keystone Auth option.
  4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.
  5. In the Keystone Role Mapping window, select an Avi Vantage user role as the default user role.

    If an Avi Vantage user logs in with valid Keystone credentials, but with a role that does not have the same name as any of the user roles defined on the Controller, the default role is assigned to the user. To disallow access for any user who does not have a role that is defined on the Controller, skip this option.
  6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on No.
  7. You can configure tenant settings by navigating to Administration > Settings > Tenant Settings. The following window is displayed:

    Click on Edit. The Tenant Settings Config window is displayed:

    Starting with NSX Advanced Load Balancer version 22.1.3, you can configure tenant settings by navigating to Administration > System Settings > TENANCY MODE. Click Edit in the System Settings page. The EDIT SYSTEM SETTINGS window is displayed; navigate to the Tenancy Mode tab. The following window is displayed:

    a. IP Route Domain — This option selects the tenant’s IP route domain.
      i. Per tenant IP route domain — If you select this option, each tenant gets its own routing domain that is not shared with any other tenant. Note: Starting with NSX Advanced Load Balancer version 22.1.3, the field name is changed to Per Tenant.
      ii. Share IP route domain across tenants — If you select this option, all tenants share the same routing domain. Note: Starting with NSX Advanced Load Balancer version 22.1.3, the field name is changed to Share Across Tenants.
    b. Service Engines Context — This option controls the ownership of Service Engines. Service Engines can either be exclusively owned by each tenant or owned by the administrator and shared by all tenants. When Service Engines are owned by the administrator, each tenant can have either read access or no access to them. You can select one of the following options:
      i. Service Engines are managed within the tenant context, not shared across tenants. Note: Starting with NSX Advanced Load Balancer version 22.1.3, the field name is changed to Tenant Context.
      ii. Service Engines are managed within the provider context, shared across tenants. If you select this option, you also need to select the tenant’s access rights to Service Engines by choosing either Tenant has Read Access to Service Engines or Tenant has No Access to Service Engines. Note: Starting with NSX Advanced Load Balancer version 22.1.3, the field name is changed to Provider Context (Shared) and the options to Read Access and No Access.

Integrating Neutron SDN Plugin

Avi Vantage integrates with the following Neutron SDN plugins to provide VIP placement and floating IP (FIP) association to VIP.

Contrail SDN

Using the Avi UI

During cloud configuration, select the Integration with Contrail checkbox and provide the endpoint URL of Contrail VNC API-server. The Keystone credentials from the OpenStack configuration will be used to authenticate with the API-server service.

Note: Avi Vantage handles the Contrail interface IP automatically, so the rest of the cloud creation and editing flow is left unchanged when you integrate Contrail SDN under Network Settings.

If you are creating a new cloud, the wizard looks as follows:

Starting with NSX Advanced Load Balancer version 22.1.3, the following window will be displayed:

If you are editing an existing cloud, the cloud editor looks as follows:

Starting with NSX Advanced Load Balancer version 22.1.3, the following window will be displayed:

Using the Avi CLI


: > configure cloud oscontrail
: cloud> vtype cloud_openstack
: cloud> openstack_configuration
: cloud:openstack_configuration> privilege write_access
: cloud:openstack_configuration> username admin
: cloud:openstack_configuration> password xxxyyyzzz
: cloud:openstack_configuration> admin_tenant admin
: cloud:openstack_configuration> mgmt_network_name avi-mgmt
: cloud:openstack_configuration> region RegionOne
: cloud:openstack_configuration> use_keystone_auth
: cloud:openstack_configuration> import_keystone_tenants
: cloud:openstack_configuration> no use_admin_url
: cloud:openstack_configuration> auth_url http://172.16.11.50:5000/v2.0
: cloud:openstack_configuration> no neutron_rbac
: cloud:openstack_configuration> contrail_endpoint http://10.10.10.100:8082
: cloud:openstack_configuration> role_mapping os_role * avi_role Tenant-Admin
New object being created
: cloud:openstack_configuration:role_mapping> save
: cloud:openstack_configuration> save
: cloud> save

Creating a Tenant for the Controller and SEs

The following are the steps to create a tenant for the Controller and SEs:

  1. Log into the OpenStack Horizon dashboard with an account that has cloud administrator privileges.
  2. Navigate to Identity > Projects.
  3. Click on New Project and follow the wizard’s instructions.
  4. To deploy Avi Vantage, use the following settings:
    a. Specify a project name (for instance, “avi-tenant”).
    b. Click on the Project Members tab.
    c. Add a user account to Project Members and assign the admin role to the account.
    d. Click on the Quota tab and modify the maximum resources. These settings allow for three Avi Controllers (for redundancy), up to 1000 SEs and, if required, some other management instances, as shown below.

Creating Multiple Flavors of Controller Image

The following are the steps to create multiple flavors of Avi Vantage:

  1. In the Horizon dashboard, navigate to Admin > System > Flavors and click on Create Flavor.
  2. Create an appropriate flavor for Service Engine. Refer to Service Engine Sizing guide to check minimum and recommended resources required for Service Engine.
  3. Create appropriate flavor for Controller. Refer to Controller Sizing guide to check minimum and recommended resources required for Controller.

If you want to use a flavor other than the recommended one, you can configure it manually using the CLI.

Note: Specify the OpenStack flavor name, not the flavor ID or UUID.

Uploading Controller Image

The following are the steps to upload Controller image:

  1. Copy the Avi Vantage Controller qcow2 image onto your hard drive.
  2. In the Horizon dashboard, navigate to Project > Images.
  3. Click on Create Image and fill out the form. Use at least these resource allocations.

Creating Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

The following are the steps to create management network:

  1. On the Horizon dashboard, navigate to Network > Networks.
  2. Click on Create Network and follow the wizard’s instructions. For instance, specify the values as follows:
    • Network name: avi-mgmt
    • DHCP: Enabled
  3. Connect the network to your Neutron router.
    a. Navigate to Network > Routers.
    b. In the Name column in the router list, click on the router to add an interface to the network.
    c. Click on the Interfaces tab; then click on Add Interface.

Creating Security Group

A security group is required to allow the Avi Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic will be allowed. For ingress traffic, the group must allow these ports.

For egress traffic, the group can allow all ports.

Note: The Avi Controller automatically creates a security group for the SEs.

The following are the steps to create a security group (in this example, Avi-mgmt-sg) to allow management traffic:

  1. Navigate to Project > Access & Security and click on Create Security Groups.
  2. Add rules as shown in the following example, where 192.168.10.0/24 is the management network.

Deploying Controller and Assigning it a Floating IP

The following are the steps to deploy an Avi Controller instance:

  1. Flavor: Deploy avi_ctrl.small or bigger.
  2. Network: Use avi-mgmt to attach the Controller to the management network.
  3. Security group: Use avi-mgmt-sg to allow management traffic.
  4. Enable config-drive.

The following are the steps to assign a floating IP address to the Controller:

  1. On the Horizon dashboard, navigate to Project > Compute > Access & Security. Assign the floating IP address.

    • If no floating IP address is available, click on Allocate IP to Project.
    • If a floating IP address is already available, associate it with the Avi Controller instance.

Performing Initial Controller Setup

This section shows how to perform initial configuration of the Avi Controller using its deployment wizard.

You can change or customize settings following initial deployment using the Avi Controller’s web interface.

  1. Configure basic system settings:
    • Administrator account
    • DNS and NTP server information
    • Email and SMTP information



  2. Set the infrastructure type to OpenStack.
  3. Specify the OpenStack settings:
    • Tenant user credentials (username, password).
    • IP address of the Keystone server.
    • Enable the Keystone Auth option.
  4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.
  5. In the Keystone Role Mapping window, select an Avi Vantage user role to use as the default user role.

    If an Avi Vantage user logs in with valid Keystone credentials, but with a role that does not have the same name as any of the user roles defined on the Controller, the default role is assigned to the user. To instead disallow access by any user who does not have a role that is defined on the Controller, leave the selection empty (None).

  6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on Yes.
  7. In the Tenant Settings window, select the following settings:
    • Per tenant IP route domain.
    • Service Engines are managed within the provider context, shared across tenants.
    • Tenant has Read Access to Service Engines.

  8. Navigate to Infrastructure > Service Engine Group > Default-Cloud.
  9. Click on the Default-Group checkbox and click on the edit icon.

    Notes:

    1. Starting with NSX Advanced Load Balancer version 22.1.3, navigate to Infrastructure > Cloud Resources > Service Engine Group. Select Default Cloud. Click the edit icon to edit the cloud.
    2. Ensure that compact placement is selected and that the maximum number of Service Engines is high enough to meet the needs of all tenants.
  10. To verify the installation, navigate to Infrastructure > Clouds. Click on Default-Cloud, and then click on the Status button. If the status is green, the installation is successful.

Installing Valid Certificate on Avi Controller

This section gives the steps for replacing the Avi Controller’s self-signed certificate with one signed by a Certificate Authority (CA). A CA-signed certificate is required to access the Avi Controller through the Horizon dashboard.

  1. Log into Avi Controller’s web interface.
  2. Navigate to Templates > Security. Note: Starting with NSX Advanced Load Balancer version 22.1.3, you need to navigate to Templates > Security > SSL/TLS Certificates and click on Controller Certificate. Select Import option from the drop-down list.
  3. Click on Create.
  4. Click on Controller Certificate to create it.
  5. Click on the Import button to import the new certificate and key.
  6. Click on the Upload File button and select the certificate from your system.
  7. Enter the key (PEM) or PKCS12 bundle, or upload the file.
  8. Enter the SSL/TLS Passphrase. Note: Starting with NSX Advanced Load Balancer version 22.1.3, enter the Key Passphrase.
  9. After uploading the new certificate and key, configure the Controller to use them.
    a. Navigate to Administration > Settings > Access Settings.
    b. Click the edit icon.
    c. Select the imported certificate(s) and click on Save.
    Note: Starting with NSX Advanced Load Balancer version 22.1.3, you need to navigate to Administration > Settings > System Settings > ACCESS. Click edit icon for system settings.