Network: Internal OVN load balancers and forwards #16162
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nmezhenskyi
commented
Aug 6, 2025
Comment on lines
277
to
294
| SELECT | ||
| projects.name, | ||
| networks.name, | ||
| networks_load_balancers.listen_address | ||
| networks.type, | ||
| networks_load_balancers.listen_address, | ||
| nc_ipv4.value AS ipv4_address, | ||
| nc_ipv6.value AS ipv6_address | ||
| FROM networks_load_balancers | ||
| JOIN networks on networks.id = networks_load_balancers.network_id | ||
| JOIN networks_config on networks.id = networks_config.network_id | ||
| JOIN networks ON networks.id = networks_load_balancers.network_id | ||
| JOIN projects ON projects.id = networks.project_id | ||
| JOIN networks_config AS nc_filter on networks.id = nc_filter.network_id | ||
| LEFT JOIN networks_config AS nc_ipv4 ON networks.id = nc_ipv4.network_id AND nc_ipv4.key = 'ipv4.address' | ||
| LEFT JOIN networks_config AS nc_ipv6 ON networks.id = nc_ipv6.network_id AND nc_ipv6.key = 'ipv6.address' | ||
| WHERE ( | ||
| (networks_config.key = "network" AND networks_config.value = ?1) | ||
| (nc_filter.key = "network" AND nc_filter.value = ?1) | ||
| OR (projects.name = "default" AND networks.name = ?1) | ||
| ) | ||
| `) |
Contributor
Author
There was a problem hiding this comment.
This query is used in:
lxd/lxd/network/driver_common.go
Line 214 in 7b3a50b
lxd/lxd/network/driver_common.go
Line 1224 in 7b3a50b
lxd/lxd/project/limits/permissions.go
Line 1770 in 7b3a50b
In all these contexts, it is safe to omit listen addresses that are internal OVN IPs.
But alternatively, I can add an additional bool parameter (i.e., externalOnly) to the GetProjectNetworkLoadBalancerListenAddressesByUplink() function signature to explicitly determine whether internal listen addresses should be filtered out.
Member
There was a problem hiding this comment.
at least you should update the function's comment to explain it I think.
Contributor
Author
There was a problem hiding this comment.
Makes sense, I'll update it
nmezhenskyi
force-pushed
the
ovn-lb-internal
branch
4 times, most recently
from
7920bdd to
6e7dc46
Compare
…isten addresses by uplink Update the `GetProjectNetworkLoadBalancerListenAddressesByUplink()` function to skip the listen addresses that are internal OVN IPs. Internal OVN IPs are not dependent on the uplink's IP routes. Signed-off-by: Nikita Mezhenskyi <[email protected]>
…addresses by uplink Update the `GetProjectNetworkForwardListenAddressesByUplink()` function to skip the listen addresses that are internal OVN IPs. Internal OVN IPs are not dependent on the uplink's IP routes. Signed-off-by: Nikita Mezhenskyi <[email protected]>
…balancers Allow using internal OVN IP as a listen address for OVN network forwards and load balancers. Ensure proper validation for internal OVN IPs used as listen addresses. Signed-off-by: Nikita Mezhenskyi <[email protected]>
Signed-off-by: Nikita Mezhenskyi <[email protected]>
nmezhenskyi
force-pushed
the
ovn-lb-internal
branch
from
6e7dc46 to
2d3e224
Compare
nmezhenskyi
changed the title
tomponline
reviewed
Aug 8, 2025
| return true, fmt.Errorf("Listen address %q is already in use by %q of network %q", listenAddress, netIPKey, n.name) | ||
| } | ||
|
|
||
| var forwards map[int64]string |
Member
There was a problem hiding this comment.
tip:
var forwards, loadBalancers map[int64]string
tomponline
approved these changes
Aug 8, 2025
Member
tomponline
left a comment
tomponline
left a comment
There was a problem hiding this comment.
LGTM thanks!
Things to follow up on:
- Add functional tests to
lxd-cifor internal load balancers and forwarders (in addition to the thorough validation logic tests youve added here). - Update docs with mention of this capability - please also add an API extension to document programatically this new capability.
- Address minor comments in PR.
This was referenced Aug 8, 2025
tomponline
added a commit
to canonical/lxd-ci
that referenced
this pull request
Aug 13, 2025
This PR adds tests to check that internal load balancers and forwards are reachable from inside of the OVN network, but are unreachable from outside. Follow-up to canonical/lxd#16162. This should be merged together with canonical/lxd#16179 (adds `ovn_internal_load_balancer` API extension for LXD).
tomponline
added a commit
that referenced
this pull request
Aug 18, 2025
Follow-up to #16162. ## Changes: - Updated the documentation with mention of ability to use internal IPs for OVN load balancers and network forwards. - Added API extension `ovn_internal_load_balancer`. - Addressed code improvement comments from the original PR.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for internal OVN load balancers and network forwards, enabling the use of internal OVN IPs as a listen address.
Changes:
GetProjectNetworkLoadBalancerListenAddressesByUplink()andGetProjectNetworkForwardListenAddressesByUplink()functions to skip listen addresses that are internal OVN IPs. This is needed for the following functions to work correctly with the introduction of internal load balancers and network forwards:lxd/lxd/network/driver_common.go
Line 214 in 7b3a50b
lxd/lxd/network/driver_common.go
Line 1224 in 7b3a50b
lxd/lxd/project/limits/permissions.go
Line 1770 in 7b3a50b
Updated
allocateUplinkAddress()function for OVN networks to allow allocating internal OVN IPs for load balancers and network forwards.Added
checkInternalAddressNotInUse()function for OVN networks to validate internal OVN IPs before allocation.