This article provides a resource on how to set up HA floating IPs within an IBM Bluemix Private Cloud Local environment. These instructions assume that you already have the OpenStack Python API Clients installed.
NOTE: This feature works with IBM Bluemix Private Local Cloud ONLY. It does not apply to the IBM Bluemix Private Cloud (Dedicated Cloud) offering. The IBM Bluemix data center Network currently requires us to use L2 POP, a driver designed to support scaling to large networks. To quote one of our engineers:
“The L2Population mechanism driver we need to use to make VXLAN work on IBM Bluemix data center networks is incompatible with MAC learning or ARP responses used by HA IP methods. IPs are mapped to hosts through two translation mechanisms: ARP maps IPs to MAC addresses, and switches learn which MAC is associated with each port. At failover time, any HA IP must change at least one of these two mappings.”
As a possible workaround, in the OpenStack Mitaka release, there is an option to disable half of the L2 POP responder, which could allow you to set up the gratuitous ARP type of HA. (See this article: https://review.openstack.org/278597) If you really need HA, it’s best to use a Load Balancer for that, such as Neutron LBaaS v2. As another possible workaround, if your cloud is deployed within a single SoftLayer Pod, and it will never grow beyond that single Pod, you could possibly implement some type of HA IP in a custom way.
Configure your OpenStack instances
There are two portions to the OpenStack work. The first portion requires administrative credentials to set up availability zones, and the second portion can be done by a regular user. The first portion only needs to be done once.
First Portion: Administrative steps
Set up availability zones
We use availability zones to create a pool of resources to ensure that our two unique VMs don’t end up on the same physical hosts.
As an administrator, create two distinct availability zones:
View your availability zone information to get information on your hypervisors:
Selecting hosts from that list, add them to your two distinct availability zones:
That’s it!
Second Portion: Steps That Require Regular Permissions Only
Confirm that the allowed-address-pairs extension is loaded.
The allowed-address-pairs extension is required, and it is shipped by default with each IBM Bluemix Private Cloud installation. You can confirm it’s operating by running the following commands:
Note: You cannot have allowed_address_pairs enabled and port security disabled on the SAME Neutron port, because they are mutually exclusive.
Create a VRRP security group.
This security group is used to communicate to your HA nodes. In this instance, we’re permitting SSH access, but you can make this protocol HTTP, HTTPS, etc…
Add ICMP access:
Add SSH access:
Collect parameters required to boot the instances.
You’ll need to collect a few specific pieces of information to ensure that our HA load balancers are provisioned with the OS we want, and that they end up as unique physical hypervisors.
Select a particular flavor ID. In this case, we will use m1.medium with ID 3:
Select the ID of the particular image. In this case, we’ve selected ubuntu-14.04 and the ID is 1525c3f3-1224-4958-bd07-da9feaedf18b:
Collect the ID of the Internal network. In this case, that is ba0fdd03-72b5-41eb-bb67-fef437fd6cb4:
Select the IDs of the default and VRRP groups, in this case they are a963c698-473c-4182-8add-e1e6398629e5 and 7f09ac66-23e2-46cd-9af8-ca541dd99bc1 respectively:
Select the two unique availability zones we created previously. In this case, group1-az and group2-az.
Boot two unique instances on two unique hosts.
Here’s a synopsis of the values we collected from before:
Using those variables, let’s boot our two VMs.
Additional notes:
You’ll need to specify the key-name for the SSH key you use in the system. For example:
Host 1:
Host 2: (Notice that we’re changing the availability zone and the hostname.)
Collect instance data.
Now that your two instances have booted, you can collect the instance data.
Create a port.
NOTE: This action requires administrative credentials, but it can be executed to add the port to a specific tenant. If you want this port to be added to a tenant, use the --tenant-id parameter.
Also, be sure to make note of the IP address and the port id that’s returned. In this case, it is 10.230.7.33 and 6bed4a2a-62e6-4cb1-80ce-b5971fee782d.
If this is a public service, associate a floating IP to the VIP.
Using the port-id obtained in the previous step, now we can associate the floating IP to the VIP:
Determine the port IDs for your load balancer instances.
Use the IP addresses to map the instances to their ports.
In this case:
loadbalancer01 -> Port id: 23604992-c26c-426d-9634-f45d24b9ee83
loadbalancer02 -> Port id: 9f646d79-0599-4761-a4b3-cb9728bbb72a
Add the new VIP to the allowed address pairs for the instance ports
Keepalived
Now we will move along to the keepalived portion of this work, shown partly as sample code that follows.
Install keepalived
On your two hosts, install keepalived:
Configure keepalived on both hosts
Note: Set the password to a unique string.
The IP listed in the virtual IP address should be your VIP Host 1:
Host 2:
Run the following commands on both hosts:
Try connecting to your public floating IP:
Stop the first load balancer and confirm that the IP fails over.
This command sequence should give you an SSH key failure result, because you’re now connecting to the second host.
If Active Directory is not deployed, you can use a public DNS server, such as: