ovn central #0

Supports: bionic eoan focal

Description

Principal charm that deploys ovn-northd, the OVN central control daemon, and ovsdb-server, the Open vSwitch Database (OVSDB) server.

The ovn-northd daemon is responsible for translating the high-level OVN configuration into logical configuration consumable by daemons such as ovn-controller.

The ovn-northd process talks to the OVN Northbound and Southbound databases.

The ovsdb-server exposes endpoints over relations implemented by the ovsdb interface.

The charm supports clustering of the OVSDB (Raft-based clustered mode); you must have an odd number of units for this to work. Note that write performance decreases as you increase the number of units, because every write must be committed by a majority of the cluster.

Running multiple ovn-northd daemons is supported; they operate in active/passive mode. The daemon uses a locking feature in the OVSDB to automatically choose a single active instance, so a failed active instance is replaced without operator intervention.


Overview

This charm provides the Northbound and Southbound OVSDB Databases and the Open Virtual Network (OVN) central control daemon (ovn-northd).

Usage

OVN makes use of Public Key Infrastructure (PKI) to authenticate and authorize control plane communication. The charm requires a Certificate Authority to be present in the model as represented by the certificates relation.

The OpenStack Base bundle gives an example of how you can deploy OpenStack and OVN with Vault to automate certificate lifecycle management.

Please refer to the OVN Appendix in the OpenStack Charms Deployment Guide for details.

Network Spaces support

This charm supports the use of Juju Network Spaces.

By binding the ovsdb, ovsdb-cms and ovsdb-peer endpoints you can influence which interface is used for, respectively, consumers of the Southbound DB (ovsdb), Cloud Management Systems (ovsdb-cms) and cluster-internal communication (ovsdb-peer).

juju deploy ovn-central --bind "''=oam-space ovsdb=data-space"

OVN RBAC and securing the OVN services

The charm enables RBAC in the OVN Southbound database by default. The RBAC feature enforces authorization of individual chassis connecting to the database, identifying each chassis by the Common Name of its TLS client certificate, and restricts which rows each chassis may insert, update or delete.

In the event of an individual chassis being compromised, RBAC makes it more difficult to leverage its database access to compromise other parts of the network: the chassis can modify only the Southbound rows that belong to it, not those of other chassis.

Note: Due to how RBAC is implemented in ovsdb-server, where the role is a property of the listener (the role column of the Southbound Connection table) rather than of the client, the charm opens a separate listener on port 16642 for connections from ovn-northd, which needs unrestricted access to the Southbound DB.

The charm automatically enables the firewall and allows traffic from its cluster peers to ports 6641 (Northbound DB), 6643 and 6644 (Raft cluster traffic for the Northbound and Southbound DBs) and 16642 (the Southbound listener for ovn-northd). CMS clients are allowed to talk to port 6641.

Anyone is allowed to connect to port 6642, the Southbound DB listener that every chassis (ovn-controller) must reach. The firewall is therefore not the control on that port: the listener requires TLS with a client certificate issued by the CA on the certificates relation, and RBAC confines each authenticated chassis to its own rows.
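Because the firewall leaves 6642 open, the thing worth verifying on a deployment is that the Southbound listeners actually carry the RBAC role the section above describes. The following is an added example, not the charm's own code: an OVSDB JSON-RPC client that connects with mutual TLS, selects the Connection table of OVN_Southbound and flags any listener that contradicts the layout described above (pssl:6642 with role ovn-controller, pssl:16642 with no role). The port numbers and the role name are taken from the text; the audit rules are this example's own.

```python
"""Audit OVN Southbound RBAC over OVSDB JSON-RPC with mutual TLS.

Added illustration, not the charm's own code. Assumes the layout described
above: chassis reach the SB DB on pssl:6642 (RBAC role ovn-controller) and
ovn-northd uses the separate pssl:16642 listener, which carries no role.
"""
import json
import socket
import ssl
import sys

CHASSIS_PORT = 6642    # listener every ovn-controller (chassis) connects to
NORTHD_PORT = 16642    # separate listener for ovn-northd, exempt from RBAC
RBAC_ROLE = "ovn-controller"


def build_request(method, params, rid=1):
    """Encode an OVSDB JSON-RPC request: bare JSON, no newline delimiter."""
    return json.dumps({"method": method, "params": params, "id": rid}).encode()


def connection_table_request(rid=1):
    """Select target and role from every row of the SB Connection table."""
    op = {"op": "select", "table": "Connection", "where": [],
          "columns": ["target", "role"]}
    return build_request("transact", ["OVN_Southbound", op], rid)


def decode_reply(buf):
    """Return (reply, leftover) once buf holds a complete JSON object, else (None, buf).

    OVSDB replies are not newline-delimited and may arrive split or concatenated,
    so decode incrementally instead of assuming one recv() is one message.
    """
    try:
        text = buf.decode()
        obj, end = json.JSONDecoder().raw_decode(text)
    except ValueError:            # incomplete JSON or a split multi-byte char
        return None, buf
    return obj, text[end:].encode()


def audit_connections(rows):
    """Flag SB listeners whose RBAC state contradicts the intended layout."""
    findings = []
    for row in rows:
        target, role = row.get("target", ""), row.get("role", "")
        parts = target.split(":")          # pssl:PORT or pssl:PORT:IP
        port = parts[1] if len(parts) > 1 else ""
        if not target.startswith("pssl:"):
            findings.append(f"{target}: not a TLS (pssl) listener, clients cannot be authenticated")
        if port == str(NORTHD_PORT):
            if role:
                findings.append(f"{target}: ovn-northd listener carries role {role!r}; northd needs an unrestricted connection")
        elif role != RBAC_ROLE:
            findings.append(f"{target}: role is {role!r}, expected {RBAC_ROLE!r}; chassis are not confined by RBAC")
    return findings


def fetch_connection_rows(host, port, cafile, certfile, keyfile, timeout=5.0):
    """Connect with mutual TLS and return the SB Connection rows.

    Network call, only made when run as a script. Port 16642 is reachable from
    cluster peers only, so run this on an ovn-central unit with its own cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # OVS verifies peers by CA chain, not hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)  # without a client certificate the handshake fails
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(connection_table_request())
            buf, reply = b"", None
            while reply is None:
                chunk = tls.recv(65536)
                if not chunk:
                    raise ConnectionError("ovsdb-server closed the connection before replying")
                buf += chunk
                reply, buf = decode_reply(buf)
    if reply.get("error"):
        raise RuntimeError(f"OVSDB error: {reply['error']}")
    return reply["result"][0]["rows"]


if __name__ == "__main__":
    # usage: audit_sb_rbac.py HOST PORT CA.pem CERT.pem KEY.pem
    host, port, cafile, certfile, keyfile = sys.argv[1:6]
    rows = fetch_connection_rows(host, int(port), cafile, certfile, keyfile)
    for line in audit_connections(rows) or ["ok: RBAC layout as expected"]:
        print(line)
```

The select is read-only, and the ovn-controller role only restricts modifications, so the same query also succeeds against 6642 with any certificate issued by the model's CA; that is itself a useful check that a certificate is required at all, since a connection without one fails during the TLS handshake.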

Bugs

Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.


Configuration

bridge-interface-mappings
(string) A space-delimited list of key-value pairs that map a network interface MAC address or name to a local OVS bridge to which it should be connected.

Note: MAC addresses of physical interfaces that belong to a bond will be resolved to the bond name, and the bond will be added to the OVS bridge.

Bridges referenced here must be mentioned in the `ovn-bridge-mappings` configuration option. If a match is found, the bridge will be created if it does not already exist, the matched interface will be added to it, and the mapping found in `ovn-bridge-mappings` will be added to the local OVSDB under the `external_ids:ovn-bridge-mappings` key in the Open_vSwitch table.

An example value mapping two network interfaces, one by MAC address and one by name, to two OVS bridges:

br-internet:00:00:5e:00:00:42 br-provider:enp3s0f0

Note: OVN gives you distributed East/West and highly available North/South routing by default. You do not need to add provider networks for external Layer 3 connectivity to all chassis. Doing so creates a scaling problem at the physical network layer that must be resolved with a globally shared Layer 2 (does not scale) or with tunneling at the top-of-rack switch layer (adds complexity), and is generally not a recommended configuration. Add provider networks for external Layer 3 connectivity only to individual chassis located near the datacenter border gateways, by listing the MAC addresses of the physical interfaces of those units.
ovsdb-server-inactivity-probe
(int) Maximum number of seconds of idle time on a connection to a client before sending an inactivity probe message. The Open vSwitch ovsdb-server default of 5 seconds may not be sufficient depending on the type and load of the CMS you want to connect to OVN.
Default: 60
source
(string) Repository from which to install OVS+OVN. May be one of the following:

  distro (default)
  ppa:somecustom/ppa (the PPA name must include the UCA OpenStack release name)
  deb url sources entry|key id
  a supported Ubuntu Cloud Archive pocket, for example cloud:xenial-pike, cloud:xenial-queens or cloud:bionic-rocky

Note that updating this setting to a source that is known to provide a later version of OVN will trigger a software upgrade.
Default: distro
ssl_ca
(string) TLS CA to use to communicate with other components in a deployment. Note: this configuration option will take precedence over any certificates received over the `certificates` relation.
ssl_cert
(string) TLS certificate to install and use for any listening services. Note: this configuration option will take precedence over any certificates received over the `certificates` relation.
ssl_key
(string) TLS key to use with the certificate specified as `ssl_cert`. Note: this configuration option will take precedence over any certificates received over the `certificates` relation.
use-internal-endpoints
(boolean) OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
use-syslog
(boolean) Setting this to True will allow supporting services to log to syslog.
verbose
(boolean) Enable verbose logging
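The `bridge-interface-mappings` description above has one parsing trap worth seeing in code: the value after the bridge name may itself be a MAC address, so each `bridge:identifier` token must be split on its first colon only. The following is an added example, not the charm's own code, that parses the option, classifies each identifier as a MAC or an interface name, and enforces the documented requirement that every bridge also appears in `ovn-bridge-mappings`. The `physnet:bridge` format assumed for `ovn-bridge-mappings`, and the comma-separated rendering used in `external_ids:ovn-bridge-mappings`, follow the OVN convention and are assumptions, since that option is not listed on this page.

```python
"""Parse and cross-check bridge-interface-mappings and ovn-bridge-mappings.

Added illustration, not the charm's own code. Assumes the formats documented
above for bridge-interface-mappings (space-delimited bridge:MAC-or-interface)
and, as an assumption taken from OVN's convention, space-delimited
physnet:bridge pairs for ovn-bridge-mappings.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_bridge_interface_mappings(value):
    """Return {bridge: (kind, identifier)} with kind 'mac' or 'name'.

    A MAC address contains colons, so each token is split on its FIRST colon:
    'br-internet:00:00:5e:00:00:42' -> bridge br-internet, mac 00:00:5e:00:00:42.
    """
    mappings = {}
    for token in value.split():
        bridge, sep, ident = token.partition(":")
        if not sep or not bridge or not ident:
            raise ValueError(f"malformed mapping {token!r}, expected bridge:mac-or-interface")
        if bridge in mappings:
            raise ValueError(f"bridge {bridge!r} mapped twice")
        if MAC_RE.match(ident):
            mappings[bridge] = ("mac", ident.lower())   # normalise case for comparison
        else:
            mappings[bridge] = ("name", ident)
    return mappings


def parse_ovn_bridge_mappings(value):
    """Return {physnet: bridge} from 'physnet1:br-provider physnet2:br-internet'."""
    result = {}
    for token in value.split():
        physnet, sep, bridge = token.partition(":")
        if not sep or not physnet or not bridge:
            raise ValueError(f"malformed mapping {token!r}, expected physnet:bridge")
        result[physnet] = bridge
    return result


def unmapped_bridges(bridge_interface_mappings, ovn_bridge_mappings):
    """Bridges that bridge-interface-mappings references but ovn-bridge-mappings
    never mentions; the charm requires every such bridge to appear there."""
    ifmap = parse_bridge_interface_mappings(bridge_interface_mappings)
    known = set(parse_ovn_bridge_mappings(ovn_bridge_mappings).values())
    return sorted(b for b in ifmap if b not in known)


def external_ids_value(ovn_bridge_mappings):
    """Render the mappings as they land in Open_vSwitch external_ids
    (comma-separated physnet:bridge pairs, the OVN convention)."""
    pairs = parse_ovn_bridge_mappings(ovn_bridge_mappings)
    return ",".join(f"{physnet}:{bridge}" for physnet, bridge in pairs.items())


if __name__ == "__main__":
    # Constructed sample values, taken from the option description above.
    ifaces = "br-internet:00:00:5e:00:00:42 br-provider:enp3s0f0"
    physnets = "physnet1:br-provider physnet2:br-internet"
    for bridge, (kind, ident) in parse_bridge_interface_mappings(ifaces).items():
        print(f"{bridge}: attach {kind} {ident}")
    print("external_ids:ovn-bridge-mappings =", external_ids_value(physnets))
    print("bridges missing from ovn-bridge-mappings:", unmapped_bridges(ifaces, physnets))
```

Running `unmapped_bridges()` before changing either option catches the misconfiguration the description warns about (a bridge attached to an interface but never announced to OVN) instead of discovering it from a chassis whose provider network silently carries no traffic.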