[RFE] VPNaaS support for OVN

Bug #1905391 reported by Bodo Petermann
This bug affects 5 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Bodo Petermann
Milestone: (none)

Bug Description

Problem Description

The current VPNaaS plugin only supports L3 routers and relies on the L3 agent.
It does not support the OVN distributed router without an L3 agent.

Proposed Change

Implement VPN functionality in a new stand-alone VPN agent and a new service
driver to support it. On the agent side a new device driver will deal with
namespace management.
The existing VPN solution will not be impacted. One may choose between the
existing VPN plugin (for non-OVN) or the new one (for OVN) in the neutron
server configuration.

Bodo Petermann (bpetermann) wrote :

We already prepared an implementation, originally based on MingShuang Xian's effort in 2016.
Back then there was a blueprint https://blueprints.launchpad.net/neutron/+spec/vpn-ovn
Our new implementation will be submitted to Gerrit soon.

Changed in neutron:
assignee: nobody → Bodo Petermann (bpetermann)
Lucas Alvares Gomes (lucasagomes) wrote :

Thanks for working on this. Are you planning to submit the code for review soon? Feel free to add me to the gerrit; I will gladly review the work. Thanks again.

tags: added: ovn
Changed in neutron:
importance: Undecided → Medium
status: New → Triaged
Bodo Petermann (bpetermann) wrote :
Slawek Kaplonski (slaweq) wrote :

Let's discuss that at the next drivers meeting, which will be Friday 11.12.2020: http://eavesdrop.openstack.org/#Neutron_drivers_Meeting - so it would be great if you could join there in case there are any additional questions. But the RFE should be discussed even if you are not able to attend this meeting.

tags: added: rfe-triaged
removed: rfe
Akihiro Motoki (amotoki) wrote :

I haven't looked into the proposed implementation in gerrit, but this RFE and the approach proposed in the uploaded patch make sense in general.

When we approve the RFE, we need the following in addition to the implementation itself:

- document: how to configure the VPN feature for OVN (networking guide in the neutron repo or doc in neutron-vpnaas repo)
- API reference: the implementation proposes a standalone VPN agent scheduler, so the new API for the standalone VPN agent needs to be documented
- testing: what kinds of testing need to be implemented in addition to UT? (functional tests or a new variant of tempest tests)

Slawek Kaplonski (slaweq) wrote :

On the last drivers meeting we decided to approve this rfe.
In addition to the patch with the implementation of the new driver, please also provide some doc which describes details about how this new driver works.

tags: added: rfe-approved
removed: rfe-triaged
Bodo Petermann (bpetermann) wrote :

I added a spec document to neutron-specs.
See https://review.opendev.org/c/openstack/neutron-specs/+/767292

Changed in neutron:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-specs (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-specs/+/767292
Committed: https://opendev.org/openstack/neutron-specs/commit/aa641b223ff0137c520321111455c9d4fe23e39d
Submitter: "Zuul (22348)"
Branch: master

commit aa641b223ff0137c520321111455c9d4fe23e39d
Author: Bodo Petermann <email address hidden>
Date: Wed Dec 16 10:51:38 2020 +0100

    Add spec for VPNaaS for OVN

    Adding the spec to support VPNaaS for OVN for the RFE
    https://bugs.launchpad.net/neutron/+bug/1905391

    Related-Bug: #1905391
    Change-Id: If14135d42459296158a09641c880768994a1c9ac

Boris Lukashev (rageltman) wrote :

The spec and patch make sense from a semi-naive perspective (not a contributor, been hacking on Neutron since Juno) - separate out the function and address to its own namespace, keep it from having to chase the state of other elements in the topology.
Anyone run the proposed patch for more than a few test cycles yet? I've a kolla-stack here, so should be able to beta test if I can get it backported to wallaby and build the relevant bits into a container image.

Bodo Petermann (bpetermann) wrote :

The development of the OVN variant of the VPNaaS plugin finished a while ago. I'd appreciate a review to get the changes merged eventually.

Christian Rohmann (christian-rohmann) wrote :

The implementation of VPNaaS for OVN is great - thank you Bodo.
We are currently still on linuxbridge and have active users for VPNaaS, so a migration to OVN would require us to drop this functionality.

There recently was a call out for maintainers of VPNaaS as it's currently rather unmaintained http://lists.openstack.org/pipermail/openstack-discuss/2022-April/028123.html

(this was likely inspired by my ask for help on an actual issue with VPNaaS on linuxbridge (https://bugs.launchpad.net/neutron/+bug/1943449) and a discussion on the ML at http://lists.openstack.org/pipermail/openstack-discuss/2022-April/028132.html)

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/847005

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/847005
Committed: https://opendev.org/openstack/neutron/commit/a7ea4909d98679715c059ce4f44c952ca6d985e5
Submitter: "Zuul (22348)"
Branch: master

commit a7ea4909d98679715c059ce4f44c952ca6d985e5
Author: Bodo Petermann <email address hidden>
Date: Tue Jun 21 13:43:11 2022 +0200

    Add vpnaas to extensions supported by ovn

    This addition is required to run a devstack setup with ovn
    that includes vpnaas from the proposed patch [1]

    [1] https://review.opendev.org/c/openstack/neutron-vpnaas/+/765353

    Related-Bug: #1905391
    Change-Id: Id41e7c1a67ea9a8fcda1d5d331ab8192aff7dc48

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/af70af3e07e08b21a6e6d9e50b4cd7f9bea09d8a
Submitter: "Zuul (22348)"
Branch: master

commit af70af3e07e08b21a6e6d9e50b4cd7f9bea09d8a
Author: Bodo Petermann <email address hidden>
Date: Tue Jun 21 13:48:42 2022 +0200

    Test job for VPNaaS on OVN

    Add a new test job to test VPNaaS on OVN, that will be picked up
    by the proposed patch [1] in neutron-vpnaas.
    Since VPNaaS for OVN doesn't support IPv6 VMs, skip 6in4 and 6in6 tests.

    [1] https://review.opendev.org/c/openstack/neutron-vpnaas/+/765353

    Related-Bug: #1905391
    Change-Id: I9e9e8e78fd22b5edbc794ec68dbe40302ed0f3fd

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-vpnaas/+/765353
Committed: https://opendev.org/openstack/neutron-vpnaas/commit/256464aea691f8b4957ba668a117963353f34e4c
Submitter: "Zuul (22348)"
Branch: master

commit 256464aea691f8b4957ba668a117963353f34e4c
Author: Bodo Petermann <email address hidden>
Date: Thu Dec 3 17:56:27 2020 +0100

    VPNaaS support for OVN

    Adds VPNaaS support for OVN.
    Add a new stand-alone VPN agent to support OVN+VPN. Add OVN-specific
    service and device drivers that support this new VPN agent. This will
    have no impact on the existing VPN solution for ML2/OVS, the existing
    L3 agent and its VPN extension will still work.

    Add a new VPN agent scheduler that will schedule VPN services to VPN
    agents on a per-router basis.

    Add two new database tables: vpn_ext_gws (to store extra port IDs)
    and routervpnagentbindings (to store VPN agent ID per router).

    More details see spec (neutron-specs/specs/xena/vpnaas-ovn.rst).

    This work is based on work of MingShuan Xian (<email address hidden>),
    see https://bugs.launchpad.net/networking-ovn/+bug/1586253

    Depends-On: https://review.opendev.org/c/openstack/neutron/+/847005
    Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/847007

    Closes-Bug: #1905391
    Change-Id: I632f86762d63edbfe225727db11ea21bbb1ffc25

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-vpnaas 24.0.0.0rc1

This issue was fixed in the openstack/neutron-vpnaas 24.0.0.0rc1 release candidate.
