Shulou(Shulou.com)05/31 Report--

How to analyze the Neutron network, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

CL210 examination environment

The author participated in the OpenStack CL210 training this year. However, the network topology of the experimental environment in the training process was not understood at that time, and then I read some materials and finally got a general understanding.

The topology diagram of the experiment in the book is shown above. At first glance, isn't it a little complicated?

In the experiment, everyone was assigned a desktop computer, which is a RHEL operating system. Through the KVM virtualization, two virtual machines, Server-an and Server-b, are virtualized. Server-a has two network cards: eth2 and eth3. What we did later was to install OpenStack as All-in-one on Server-a, and the second experiment was to add ServerB as Nova-Compute to OpenStack.

When openstack on server-an is installed, the virtual machine instance created is based on KVM in servera RHEL. In other words, the openstack instance we eventually created is actually three layers of nested virtualization.

When it comes to the network of OpenStack, many people do not know the details, but everyone knows the network of vSphere. Let's start with a familiar picture:

A standard virtual machine switch can have uplinks or no uplinks (Uplink). It depends on whether the VSS wants to communicate with the outside world. A VSS is actually a virtual layer 2 bridging device.

A VSS can be connected to multiple VM, and vLAN can be distinguished by different PortGroup.

The communication of VSS on an esxi is done in VMKernel. VSS on different esxi communicates through physical networks.

In vSphere, the physical network card is called Nic and the virtual network card is called vNIC.

Next, let's look at the following picture:

In the figure above, the rightmost Instance is the OpenStack instance under three layers of nesting. In this example, to achieve the completion of communication, there are several steps.

Step 1: the virtual machine sends out network packets. The virtual machine instance has a virtual network card called eth0. After the packet comes out of the eth0, it is first connected to the vnet0. Vnet0 is a tap device. So, what is tap?

Tap realizes the connection function and realizes the two-layer packet communication. In the figure above, tap connects the qbr to the eth0 in the instance. We can understand that tap connects the virtual network card of the virtual machine with the qbr device.

Step 2: the network packet arrives at qbr.

So what is qbr?

Qbr is a Linux bridge. This bridge exists on server-a. There are two devices from qbr to br-ex: qvo and qvb. These two devices appear in pairs and are used to connect linux bridge and OVS bridge. Qvb is located on the bridge side and qvo on the OVS bridge side.

Step 3: the network packet arrives at br-int.

So, what is br-int? Br-int is a virtual bridge created by OVS, and its function is similar to VSS in vSphere. (in fact, OVS itself is similar to Linux Bridge as a bridge function.) The purpose of Br-int is to connect all virtual machine instances on this KVM Hypervisor to this virtual switch.

We know that on vSphere's VSS, vLAN can be distinguished by portgroup. Similarly, br-int 's port also has this feature.

An important aspect of Port is VLANConfiguration, which has two modes:

Trunk port

Access port

Step 4: the network packet arrives at Router1

Let's go on to see that the br-int is connected to the qdhcp to the right, and its purpose is to provide dhcp functions for the virtual network.

Br-int is connected to the router1 to the left, and router1 is connected to the br-ex. The connection between the Br-init and the router, through the qr device, qr provides the connection from the layer 2 virtual network to the layer 3 virtual network.

Router1 implements the routing function, which is also provided by OVS. It contains a series of routing tables that provide routing functions for different subnets. There is also a table of NAT in the router, which is responsible for assigning floating IP to the instance.

Step 5: network packets are sent to the physical network through br-ex:

Br-ex is also an OVS virtual bridge, and br-ex is actually a hybrid mode loaded on the physical network card, receiving data packets on the network in real time.

So some people may ask, in the OpenStack architecture, why use the Linux bridge when there is an OVS providing bridge? Why not have the eth0 (vnet0) in the virtual machine instance connect directly to the br-int?

The answers are as follows:

That is to say, ideally, it should be possible to connect the virtual network card of the virtual machine to the device tap0 and connect the br-ini directly. However, because Openstack's security group uses iptables, and OVS does not support iptables, a linux bridge is placed on vnet0 and br-int to store iptables rules. This is a compromise.

It should be pointed out that there are two major types of networks supported by Neutron, Provider Network and Self Network.

Provider network: a virtual network created by an administrator that is directly mapped to a physical network. With Provider Network, virtual machines do not need to use Router in Neutron to communicate with each other.

Tenant network: a network created by a tenant's ordinary user. The physical network is transparent to the creator, and its configuration is determined by the Neutron according to the administrator's configuration in the system. In this kind of network, the virtual machine needs to go through Router to communicate with each other. Router can also isolate tenants.

Either way, it is not very different for us to analyze the network packet direction of the internal virtual network, so, in the following figure (Provider network), how does the virtual machine in the example send the network packet to the physical network?

There are two virtual machines, instance1 and instance2, located in the same Hypervisor, and their network cards are in two vLAN. The physical network sent by instance1 network packets requires the following steps:

Step 1: network packets leave instance1

Step 2: network packets arrive at qbr, that is, linux bridge

Step 3: after the network packet arrives at the qvo, qvo marks the network packet with the internal vlan tag. (only Provider network requires the conversion of internal and external vLAN)

Part IV: the network packet arrives at br-ex (br-eth2), and the internal vlan tag is replaced with the real vlan tag.

Step 5: network packets are transmitted to the physical network through eth2.

In the above example, hypervisor is one, and if there are multiple nova nodes, it is obvious that one br-int can no longer connect to the VM on two servers. What should I do?

On a physical switch, it can be cascaded through cascaded lines. In OVS bridge, cascading through br-tun, the br-int on each physical server forms a unified communication layer.

Openvswitch supports three types of Tunnel

Gre

Vxlan

Many students may have bright eyes when they see vxlan. Yes, most of the layer 2 networks in the industry are implemented through the vxlan protocol. The sophomore level is usually the basis of the high-end term "double live data center".

In NSX, the encapsulation and unpacking of VXLAN is done through VTEP (A Virtual Tunnel End Point) on ESXi:

Let's take a look at the following figure: two instances belong to the same subnet, but on different physical servers, br-tun is needed to communicate.

In Neutron, you can package and unpack VXLAN. However, if you want to improve performance, you can also cooperate with physical network devices.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.