RFE - Support Distributed SNAT with DVR

Bug #1467471 reported by Takanori Miyagishi
This bug affects 2 people
Affects: neutron
Status: Expired
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

In the Juno release, DVR was implemented in Neutron,
so a virtual router can run on each Compute node.
However, SNAT is still running on the Network node and is not distributed yet.

Our proposal is to distribute SNAT to each Compute node.
If we use the SNAT feature, the packet doesn't need to go to the Network node.

Tags: rfe
Changed in neutron:
assignee: nobody → Takanori Miyagishi (miyagishi-t)
Assaf Muller (amuller) wrote :

FYI: We have a plan to integrate DVR with L3 HA so that the centralized / SNAT portion of distributed routers will no longer pose a single point of failure. There are patches up for review:
https://review.openstack.org/#/q/status:open+project:openstack/neutron+branch:master+topic:bug/1365473,n,z

I hope to merge them during the Liberty time cycle.

Takanori Miyagishi (miyagishi-t) wrote :

In my understanding, your proposal is that SNAT is no longer a SPOF due to enabling HA
of network nodes?
On the other hand, our proposal is that not only is it no longer a SPOF, but the network load is
shared by each compute node because packets don't need to go to the Network node.
So, in the case of SNAT communication, the performance will be improved.
As another benefit, we can reduce the number of nodes compared to HA.
Therefore, we think that our proposal as well as your feature are necessary.

Changed in neutron:
status: New → Confirmed
Carl Baldwin (carl-baldwin) wrote :

How would you like this done? This question has been out there for a while. There are different ways to do it and the choice has big effects on deployers. For example, some suggest that we use a single IP per compute host. Others object strongly to that because they do not want tenants to share the same IP address for security and accountability purposes. Others have suggested that we distribute to compute hosts based on ingress port. Others object due to the complexity of providing and supporting this feature.

There has been an etherpad [1] out there for a while outlining some of the pros and cons of each approach that has come up. We need someone to drive consensus around this before we proceed.

[1] https://etherpad.openstack.org/p/decentralized-snat

Changed in neutron:
status: Confirmed → Incomplete
Armando Migliaccio (armando-migliaccio) wrote :

Until more details are provided, this is a pipe dream.

Changed in neutron:
assignee: Takanori Miyagishi (miyagishi-t) → nobody
Akihiro Motoki (amotoki)
Changed in neutron:
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired